ed25519 key generation

classic Classic list List threaded Threaded
17 messages Options
Reply | Threaded
Open this post in threaded view
|

ed25519 key generation

Jeremy Harris
On spotting the example code in Ed25519(7)
I tried it, and it segfaulted:

#0  0x00007fcedd3e47e0 in PEM_write_bio_PrivateKey () from
/lib64/libcrypto.so.1.1
#1  0x00007fcedd3e4afb in PEM_write_PrivateKey () from
/lib64/libcrypto.so.1.1
#2  0x0000000000400744 in main () at src/ed25519_gen_privkey.c:11

This a self-built openssl from today's master.  I'm unsure how
to get debuginfo for it, for better detail.  Given how simple
PEM_write_bio_PrivateKey() is, I assume it's gone on to
PEM_write_bio_PrivateKey_traditional().


Any clues?
--
Thanks,
  Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Jeremy Harris
On 24/03/18 18:59, Jeremy Harris wrote:
> On spotting the example code in Ed25519(7)
> I tried it, and it segfaulted:

Cancel that.  My compile wasn't picking up
my fresh-built library version.
--
Cheers,
  Jeremy

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Viktor Dukhovni
In reply to this post by Jeremy Harris


> On Mar 24, 2018, at 2:59 PM, Jeremy Harris <[hidden email]> wrote:
>
> On spotting the example code in Ed25519(7)

FWIW, "openssl genpkey" supports "-algorithm ed25519" (not yet
documented.  So if you're not specifically looking to do this
in C, you can use the CLI.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Jeremy Harris
On 24/03/18 22:57, Viktor Dukhovni wrote:
> FWIW, "openssl genpkey" supports "-algorithm ed25519" (not yet
> documented.  So if you're not specifically looking to do this
> in C, you can use the CLI.

That's certainly preferable, thanks.

Is there a way yet to get the raw public-key out,
documented or not?  As you may guess, this is for DKIM.
--
Cheers,
  Jeremy

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

OpenSSL - User mailing list
>    Is there a way yet to get the raw public-key out,
    documented or not?  As you may guess, this is for DKIM.
 
Ask Murray; he's had some off-list discussions :)

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Viktor Dukhovni
In reply to this post by Jeremy Harris


> On Mar 24, 2018, at 7:28 PM, Jeremy Harris <[hidden email]> wrote:
>
> Is there a way yet to get the raw public-key out,
> documented or not?  As you may guess, this is for DKIM.

Not sure what format DKIM wants the key in, but if it is SKPI
in base64 form then:

$ openssl genpkey -algorithm Ed25519 -out /tmp/key.pem
$ openssl pkey -in /tmp/key.pem -pubout |
  openssl pkey -pubin -text
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA92VFLCjUOrNcediYNNr6z9ZU/cqnJoKHA75Pp9rT7u8=
-----END PUBLIC KEY-----
ED25519 Public-Key:
pub:
    f7:65:45:2c:28:d4:3a:b3:5c:79:d8:98:34:da:fa:
    cf:d6:54:fd:ca:a7:26:82:87:03:be:4f:a7:da:d3:
    ee:ef

So for just the base64:

$ openssl pkey -in /tmp/key.pem -pubout |
  openssl pkey -pubin -outform DER |
  openssl base64 -A; echo
MCowBQYDK2VwAyEA92VFLCjUOrNcediYNNr6z9ZU/cqnJoKHA75Pp9rT7u8=

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Jeremy Harris
On 25/03/18 02:05, Viktor Dukhovni wrote:
>> Is there a way yet to get the raw public-key out,
>> documented or not?  As you may guess, this is for DKIM.
>
> Not sure what format DKIM wants the key in, but if it is SKPI
> in base64 form

It is not.  The _raw_ pubkey, base64'd is what is wanted.
No ASN.1 wrapping; that's why I said "raw".
--
Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Jeremy Harris
In reply to this post by OpenSSL - User mailing list
On 24/03/18 23:44, Salz, Rich via openssl-users wrote:
>>    Is there a way yet to get the raw public-key out,
>     documented or not?  As you may guess, this is for DKIM.
>  
> Ask Murray; he's had some off-list discussions :)

I might, but people using envelope-from <[hidden email]>
are not very contactable :(
--
Jeremy

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Viktor Dukhovni
In reply to this post by Jeremy Harris


> On Mar 25, 2018, at 7:46 AM, Jeremy Harris <[hidden email]> wrote:
>
>> Not sure what format DKIM wants the key in, but if it is SKPI
>> in base64 form
>
> It is not.  The _raw_ pubkey, base64'd is what is wanted.
> No ASN.1 wrapping; that's why I said "raw".

I'm afraid you're wrong about that:

  $ dig +noall +ans +nocl +nottl +nosplit -t txt 20161025._domainkey.gmail.com
  20161025._domainkey.gmail.com. TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR" "tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB"

$ printf "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqRtqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB" | openssl base64 -A -d | openssl asn1parse -inform DER
    0:d=0  hl=4 l= 290 cons: SEQUENCE          
    4:d=1  hl=2 l=  13 cons: SEQUENCE          
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL              
   19:d=1  hl=4 l= 271 prim: BIT STRING

That's an ASN1 encoding of X.509 SPKI object.  Which is
not surprising, even for RSA one must still encode the
modulus and exponent somehow, and other algorithms might
have parameters...  So ASN.1 it is.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Jeremy Harris
On 26/03/18 06:13, Viktor Dukhovni wrote:

>> On Mar 25, 2018, at 7:46 AM, Jeremy Harris <[hidden email]> wrote:
>>
>>> Not sure what format DKIM wants the key in, but if it is SKPI
>>> in base64 form
>>
>> It is not.  The _raw_ pubkey, base64'd is what is wanted.
>> No ASN.1 wrapping; that's why I said "raw".
>
> I'm afraid you're wrong about that:
>
>   $ dig +noall +ans +nocl +nottl +nosplit -t txt 20161025._domainkey.gmail.com
>   20161025._domainkey.gmail.com. TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR" "tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB"
>
> $ printf "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqRtqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB" | openssl base64 -A -d | openssl asn1parse -inform DER
>     0:d=0  hl=4 l= 290 cons: SEQUENCE          
>     4:d=1  hl=2 l=  13 cons: SEQUENCE          
>     6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
>    17:d=2  hl=2 l=   0 prim: NULL              
>    19:d=1  hl=4 l= 271 prim: BIT STRING
>
> That's an ASN1 encoding of X.509 SPKI object.  Which is
> not surprising, even for RSA one must still encode the
> modulus and exponent somehow, and other algorithms might
> have parameters...  So ASN.1 it is.

That is an RSA key.  We're talking about Ed25519 keys.
--
Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Matt Caswell-2
In reply to this post by Jeremy Harris


On 25/03/18 12:46, Jeremy Harris wrote:

> On 25/03/18 02:05, Viktor Dukhovni wrote:
>>> Is there a way yet to get the raw public-key out,
>>> documented or not?  As you may guess, this is for DKIM.
>>
>> Not sure what format DKIM wants the key in, but if it is SKPI
>> in base64 form
>
> It is not.  The _raw_ pubkey, base64'd is what is wanted.
> No ASN.1 wrapping; that's why I said "raw".
>

I just had the exact same conversation off-list...

To generate an Ed25519 private key:

$ openssl genpkey -algorithm ed25519 -outform PEM -out test25519.pem

OpenSSL does not support outputting only the raw key from the command
line. You *can* get it in SubjectPublicKeyInfo format which, for an
Ed25519 key will always consist of 12 bytes of ASN.1 header followed by
32 bytes of raw key. Therefore to get a base64 encoded raw public key:

$ openssl pkey -outform DER -pubout -in test25519.pem | tail -c +13 |
openssl base64


Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Jeremy Harris
On 26/03/18 11:46, Matt Caswell wrote:
> $ openssl pkey -outform DER -pubout -in test25519.pem | tail -c +13 |
> openssl base64

Thanks!
--
Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

OpenSSL - User mailing list
In reply to this post by Jeremy Harris
>    I might, but people using envelope-from <[hidden email]>
    are not very contactable :(
 
Did you try?  That address works.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

OpenSSL - User mailing list
In reply to this post by Viktor Dukhovni
For RSA it's the ASN1 sequence of the key.  For Ed25519 it's just the 40 bytes of the raw key.
 

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Jeremy Harris
In reply to this post by OpenSSL - User mailing list
On 26/03/18 13:55, Salz, Rich via openssl-users wrote:
>>    I might, but people using envelope-from <[hidden email]>
>     are not very contactable :(
>  
> Did you try?  That address works.

I tried somebody, possibly somebody else (it could
have been Brandon) using that moniker, some time ago.
Got no response; assumed it to be a spam-dump.

But perhaps my question was uninteresting that time.
--
Cheers,
  Jeremy


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Matt Caswell-2
In reply to this post by OpenSSL - User mailing list


On 26/03/18 13:58, Salz, Rich via openssl-users wrote:
> For RSA it's the ASN1 sequence of the key.  For Ed25519 it's just the 40 bytes of the raw key.
>  
>

Note that for Ed25519 the raw public key is 32 bytes not 40.

Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: ed25519 key generation

Viktor Dukhovni


> On Mar 26, 2018, at 10:08 AM, Matt Caswell <[hidden email]> wrote:
>
> Note that for Ed25519 the raw public key is 32 bytes not 40.

I see so the DKIM key encoding for Ed25519 was slimmed down
to bare essentials, which slightly complicates the interface
for using it on the verifier side (at least for OpenSSL),
since now one needs to create the SPKI key handle in an
algorithm-specific manner, loading the public key into
a new Ed25519 public key object, ...

https://tools.ietf.org/html/draft-ietf-dcrup-dkim-crypto-08#section-4.2

   The p= value in the key record is the ed25519 public key encoded in
   base64.  Since the key is 256 bits long, the base64 text is 44 octets
   long.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users