Topic: ERROR: 2 way SSL with EC keys

I have tried creating EC certs and keys with curve secp384r1 & prime256v1 mbed M3 for embedded SSL.  I'm getting error while loading key as below. Can someone throw some light on it ?

-4 means invalid file. But doesn;t seems so as i have used same process for RSA and it does load key.

CyaSSL_CTX_use_PrivateKey_buffer(ctx, CAKey, sizeof(CAKey), SSL_FILETYPE_ASN1);

CYASSL logs:
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
ECDSA cert signature
CyaSSL Entering CyaSSL_CTX_use_PrivateKey_buffer
CyaSSL Entering GetMyVersion
[color="red"]Error loading ClientKey , ret = -4[/color]


Re: ERROR: 2 way SSL with EC keys

Hi Amit,

Can you show how you generated your test key?  And if you could send the test key to us, that would be helpful as well.

We have successfully tested loading our own ECC key (./certs/ecc-key.der) in buffer form with CyaSSL_CTX_use_PrivateKey_buffer().  Have you tried loading our test key?


3 (edited by amitsehgal 2014-11-14 11:30:06)

Re: ERROR: 2 way SSL with EC keys

Chris: Its the same error with your key:

openssl ec -in ecc-key.pem -outform DER | xxd -i
read EC key
writing EC key
  0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x45, 0xb6, 0x69, 0x02, 0x73,
  0x9c, 0x6c, 0x85, 0xa1, 0x38, 0x5b, 0x72, 0xe8, 0xe8, 0xc7, 0xac, 0xc4,
  0x03, 0x8d, 0x53, 0x35, 0x04, 0xfa, 0x6c, 0x28, 0xdc, 0x34, 0x8d, 0xe1,
  0xa8, 0x09, 0x8c, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
  0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xbb, 0x33, 0xac,
  0x4c, 0x27, 0x50, 0x4a, 0xc6, 0x4a, 0xa5, 0x04, 0xc3, 0x3c, 0xde, 0x9f,
  0x36, 0xdb, 0x72, 0x2d, 0xce, 0x94, 0xea, 0x2b, 0xfa, 0xcb, 0x20, 0x09,
  0x39, 0x2c, 0x16, 0xe8, 0x61, 0x02, 0xe9, 0xaf, 0x4d, 0xd3, 0x02, 0x93,
  0x9a, 0x31, 0x5b, 0x97, 0x92, 0x21, 0x7f, 0xf0, 0xcf, 0x18, 0xda, 0x91,
  0x11, 0x02, 0x34, 0x86, 0xe8, 0x20, 0x58, 0x33, 0x0b, 0x80, 0x34, 0x89,

CyaSSL Leaving AddCA, return 0
CyaSSL Entering CyaSSL_CTX_use_PrivateKey_buffer
CyaSSL Entering GetMyVersion
CyaSSL Entering GetMyVersion
Error loading ClientKey , ret = -4

Here are Steps used to generate key and created buffer array with xxd:

generate pvt key:

openssl ecparam -name secp384r1   -genkey -noout -out ca-root.key

generate cert:
openssl req -new -x509 -key ca-root.key -out  ca-root..crt  -days 3650 -subj /

openssl x509 -in ca-root.crt  -outform DER | xxd -i

openssl ec -in ca-root.key -outform DER | xxd -i

read EC key
writing EC key
  0x30, 0x81, 0xa4, 0x02, 0x01, 0x01, 0x04, 0x30, 0xf3, 0x8c, 0x4b, 0x19,
  0x8c, 0x45, 0x05, 0x69, 0xdc, 0xaf, 0x4e, 0xce, 0xb8, 0x59, 0x75, 0x65,
  0xb4, 0x3b, 0xbe, 0xa3, 0x84, 0x5b, 0xc1, 0x3b, 0x5b, 0xe7, 0x5a, 0x18,
  0x33, 0x1d, 0xd2, 0x55, 0x54, 0x3c, 0x16, 0xd8, 0x96, 0xc8, 0x98, 0x1a,
  0x21, 0xaf, 0x6f, 0x38, 0x77, 0x60, 0x03, 0x51, 0xa0, 0x07, 0x06, 0x05,
  0x2b, 0x81, 0x04, 0x00, 0x22, 0xa1, 0x64, 0x03, 0x62, 0x00, 0x04, 0x3c,
  0xc0, 0x1c, 0xe8, 0xc8, 0x6c, 0x27, 0x58, 0xad, 0x07, 0xf5, 0x9c, 0xe9,
  0x8f, 0x8b, 0xdb, 0x2f, 0xca, 0x74, 0x27, 0xfd, 0x22, 0xcd, 0xdd, 0x2e,
  0x01, 0xb5, 0x8a, 0xb9, 0x51, 0x45, 0x6d, 0x38, 0x03, 0x57, 0x67, 0xa1,
  0x43, 0x4a, 0xb0, 0x4e, 0x1c, 0xd9, 0x21, 0xdd, 0x14, 0xe6, 0xfd, 0x6b,
  0xb7, 0xd0, 0x2f, 0xba, 0xc4, 0x77, 0x9c, 0xb7, 0x73, 0xcb, 0x85, 0x6f,
  0x8f, 0x66, 0x7c, 0x01, 0x82, 0xd0, 0xed, 0x10, 0xd0, 0x58, 0xa4, 0x9d,
  0xed, 0x0e, 0x9d, 0x40, 0x9a, 0x6d, 0xc0, 0x9b, 0x0d, 0x9b, 0x33, 0xfa,
  0x9d, 0x4b, 0x77, 0x26, 0x2c, 0xe4, 0x05, 0xc1, 0xc4, 0xda, 0x6b


Re: ERROR: 2 way SSL with EC keys

Hi Amit,

just throw my thought, hope it helps.

Could you have test using below example codes?
It's trying to load ECC key pairs, then decode -> export private key.
the private key will be exported to derKey, and length is derKeySz.

========= Examples ==============
ecc_key priKey;
int derKeySz;
FILE* priFile;
byte tmp[TWOK_BUF];
word32  idx = 0;
int ret;

priFile= fopen(xxx.key, "rb");
    if (!priFile)
        printf("\r\nLoad Private Key fail.");

    derKeySz = fread(tmp, 1, TWOK_BUF, priFile);

    ret = EccPrivateKeyDecode(tmp, &idx, &priKey, (word32)derKeySz);
    if (ret != 0) {
        printf("\r\nEccPrivateKeyDecode fail.");

    ret = ecc_export_private_only (&priKey, derKey, &derKeySz);

    if (ret != 0)
        printf ("<%s> Fail!\n", __func__);