
pkey: additional EC related options

Add options to change the parameter encoding and point conversion form for EC
public and private keys.  These options already exist in the deprecated 'ec'
utility.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11113)
Pauli 2 years ago
parent
commit
92fee4213b
2 changed files with 102 additions and 1 deletions
  1. +68
    -1
      apps/pkey.c
  2. +34
    -0
      doc/man1/openssl-pkey.pod.in

+ 68
- 1
apps/pkey.c View File

@ -15,11 +15,29 @@
#include <openssl/err.h>
#include <openssl/evp.h>
#ifndef OPENSSL_NO_EC
# include <openssl/ec.h>
static OPT_PAIR ec_conv_forms[] = {
{"compressed", POINT_CONVERSION_COMPRESSED},
{"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
{"hybrid", POINT_CONVERSION_HYBRID},
{NULL}
};
static OPT_PAIR ec_param_enc[] = {
{"named_curve", OPENSSL_EC_NAMED_CURVE},
{"explicit", 0},
{NULL}
};
#endif
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK
OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK,
OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM
} OPTION_CHOICE;
const OPTIONS pkey_options[] = {
@ -31,6 +49,10 @@ const OPTIONS pkey_options[] = {
{"check", OPT_CHECK, '-', "Check key consistency"},
{"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"},
{"", OPT_MD, '-', "Any supported cipher"},
{"ec_param_enc", OPT_EC_PARAM_ENC, 's',
"Specifies the way the ec parameters are encoded"},
{"ec_conv_form", OPT_EC_CONV_FORM, 's',
"Specifies the point conversion form "},
OPT_SECTION("Input"),
{"in", OPT_IN, 's', "Input key"},
@ -65,6 +87,12 @@ int pkey_main(int argc, char **argv)
int informat = FORMAT_PEM, outformat = FORMAT_PEM;
int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
int private = 0, traditional = 0, check = 0, pub_check = 0;
#ifndef OPENSSL_NO_EC
EC_KEY *eckey;
int ec_asn1_flag = OPENSSL_EC_NAMED_CURVE, new_ec_asn1_flag = 0;
int i, new_ec_form = 0;
point_conversion_form_t ec_form = POINT_CONVERSION_UNCOMPRESSED;
#endif
prog = opt_init(argc, argv, pkey_options);
while ((o = opt_next()) != OPT_EOF) {
@ -128,6 +156,27 @@ int pkey_main(int argc, char **argv)
case OPT_MD:
if (!opt_cipher(opt_unknown(), &cipher))
goto opthelp;
break;
case OPT_EC_CONV_FORM:
#ifdef OPENSSL_NO_EC
goto opthelp;
#else
if (!opt_pair(opt_arg(), ec_conv_forms, &i))
goto opthelp;
new_ec_form = 1;
ec_form = i;
break;
#endif
case OPT_EC_PARAM_ENC:
#ifdef OPENSSL_NO_EC
goto opthelp;
#else
if (!opt_pair(opt_arg(), ec_param_enc, &i))
goto opthelp;
new_ec_asn1_flag = 1;
ec_asn1_flag = i;
break;
#endif
}
}
argc = opt_num_rest();
@ -154,6 +203,24 @@ int pkey_main(int argc, char **argv)
if (pkey == NULL)
goto end;
#ifndef OPENSSL_NO_EC
/*
* TODO: remove this and use a set params call with a 'pkeyopt' command
* line option instead.
*/
if (new_ec_form || new_ec_asn1_flag) {
if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (new_ec_form)
EC_KEY_set_conv_form(eckey, ec_form);
if (new_ec_asn1_flag)
EC_KEY_set_asn1_flag(eckey, ec_asn1_flag);
}
#endif
if (check || pub_check) {
int r;
EVP_PKEY_CTX *ctx;
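Review bot: With neither option given, the block guarded by `if (new_ec_form || new_ec_asn1_flag)` is skipped entirely and the key keeps whatever conversion form and ASN.1 flag it was decoded with, while `ec_form` is initialised to POINT_CONVERSION_UNCOMPRESSED near the top of pkey_main; the man page added by this commit nevertheless calls `compressed` "the default value", so one of the two should be brought in line. A comment at the head of the block would pin the intent: `/* Only touch the EC_KEY when an option was given; otherwise the form and ASN.1 flag decoded from the input are preserved. */`. The failure path after `EVP_PKEY_get0_EC_KEY` prints only what the library left on the error stack, so a user who passes these options with a non-EC key gets no hint which option triggered the failure; a line such as `BIO_printf(bio_err, "%s: -ec_conv_form and -ec_param_enc require an EC key\n", prog);` before `ERR_print_errors` would name it. It is also worth saying in the help text or man page that `explicit` makes every consumer of the output parse full domain parameters instead of a curve OID, which is the less conservative choice for anything that will be fed to third-party parsers. pkey_main continues outside the hunk.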


+ 34
- 0
doc/man1/openssl-pkey.pod.in View File

@ -28,6 +28,8 @@ B<openssl> B<pkey>
[B<-pubout>]
[B<-check>]
[B<-pubcheck>]
[B<-ec_conv_form> I<arg>]
[B<-ec_param_enc> I<arg>]
{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef engine
@ -114,6 +116,30 @@ components.
This option checks the correctness of either a public key or the public component
of a key pair.
=item B<-ec_conv_form> I<arg>
This option only applies to elliptic curve based public and private keys.
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
value), B<uncompressed> and B<hybrid>. For more information regarding
the point conversion forms please read the X9.62 standard.
B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
=item B<-ec_param_enc> I<arg>
This option only applies to elliptic curve based public and private keys.
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
specified by an OID, or B<explicit> where the ec parameters are
explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in OpenSSL.
{- $OpenSSL::safe::opt_engine_item -}
=back
@ -144,6 +170,14 @@ To just output the public part of a private key:
openssl pkey -in key.pem -pubout -out pubkey.pem
To change the EC parameters encoding to B<explicit>:
openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem
To change the EC point conversion form to B<compressed>:
openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
=head1 SEE ALSO
L<openssl(1)>,

