Topic: Wolfssl cannot decode ECC private key generated by openssl

Hi all,

I am having a hard time decoding an ECC private key with wolfSSL.

Here is how my key must be generated (it has to be this way, it is a requirement):

openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
openssl ec -in ec_private.pem -pubout -out ec_public.pem


const char* private_key_pem = private_key_data->crypto_key_union.key_pem.key;

output private key:
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIB9OmcdEpovFHYwrKwb/0LAShWskWY8GJbEz8zRDmNdzoAoGCCqGSM49
AwEHoUQDQgAEj89fqBfGJRtV37F6+peeEwNbQx5D5NnkoFJPyfE54UAWKM+6zTc/
EZQ6egk/k8Kh+VYJE+bak9x8Qo45yrZelw==
-----END EC PRIVATE KEY-----

DerBuffer* pDer = NULL;
ret = PemToDer((unsigned char*)private_key_pem, strlen(private_key_pem),
               ECC_PRIVATEKEY_TYPE, &pDer, NULL, NULL, NULL);

decode to DER format:
307702010104201f4e99c744a68bc51d8c2b2b06ffd0b012856b24598f0625b133f3344
398d773a00a06082a8648ce3d030107a144034200048fcf5fa817c6251b55dfb17afa97
9e13035b431e43e4d9e4a0524fc9f139e1401628cfbacd373f11943a7a093f93c2a1f95
60913e6da93dc7c428e39cab65e97

then decode the private key to be stored into the structure:

ecc_key ecc_key_private;
wc_ecc_init(&ecc_key_private);

word32 in_out_idx = 0;
ret = wc_EccPrivateKeyDecode(pDer->buffer, &in_out_idx, &ecc_key_private,
                             pDer->length);

The error is here: -140 => ASN parsing error.

Can anyone help me?
wolfssl version: 4.7.0-stable

Thanks
Remy

2 (edited by jeff 2021-05-07 13:20:41)

Re: Wolfssl cannot decode ECC private key generated by openssl

Hi Remy,

I was not able to reproduce. Can you share your configuration of wolfSSL?

I've attached the program I used to build. I configured v4.7.0-stable with `./configure` (no options) and compiled `gcc -o forum_ec forum_ec.c -lwolfssl -I .`. I used `wc_PemToDer` and did not get a matching DER buffer.

Cheers,
Jeff


3 (edited by saksikremy 2021-05-10 03:05:01)

Re: Wolfssl cannot decode ECC private key generated by openssl

Hi Jeff,

Thanks for your help. Yes, I share my conf:
./configure --enable-sni --enable-debug=yes --enable-static=yes --enable-shared=no --disable-examples --disable-filesystem --enable-ocspstapling --disable-oldtls --enable-ecc --enable-harden --enable-coding --enable-base64encode

The code I have is strictly the same as the one you attached.
The wolfSSL version is also the same, 4.7.0-stable.

Maybe I need to find a better corresponding configuration option...
Something important I forgot to mention is that I am using wolfSSL on a Raspberry Pi platform.
I can see there are some issues on the google report for this platform...
Thanks
Remy


Re: Wolfssl cannot decode ECC private key generated by openssl

Remy,

I ran with your configuration on a Raspberry Pi 3 B+ and saw no error.

$ gcc ../forum_ec.c -o forum_ec -I . -L src/.libs/ -lwolfssl -lm
$ ./forum_ec 
convert 0
30772114201f4e99c744a68bc51d8c2b2b6ffd0b012856b24598f625b133f3344398d773a0a682a8648ce3d317a144342048fcf5fa817c6251b55dfb17afa979e1335b431e43e4d9e4a0524fc9f139e1401628cfbacd373f11943a7a93f93c2a1f956913e6da93dc7c428e39cab65e97
decode 0
$ cat /proc/cpuinfo | tail -n3
Hardware        : BCM2835
Revision        : a020d3
$ git describe --tag
v4.7.0-stable
$ ./config.status --c
'--enable-sni' '--enable-debug=yes' '--enable-static=yes' '--enable-shared=no' '--disable-examples' '--disable-filesystem' '--enable-ocspstapling' '--disable-oldtls' '--enable-ecc' '--enable-harden' '--enable-coding' '--enable-base64encode'

When you run the code, what is the output?


5 (edited by saksikremy 2021-05-14 02:27:15)

Re: Wolfssl cannot decode ECC private key generated by openssl

Hi Jeff,

The thing is that this private key:
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIB9OmcdEpovFHYwrKwb/0LAShWskWY8GJbEz8zRDmNdzoAoGCCqGSM49
AwEHoUQDQgAEj89fqBfGJRtV37F6+peeEwNbQx5D5NnkoFJPyfE54UAWKM+6zTc/
EZQ6egk/k8Kh+VYJE+bak9x8Qo45yrZelw==
-----END EC PRIVATE KEY-----

gives:
30 77 21 14 20 1f 4e99c744a68bc51d8c2b2b6ffd0b012856b24598f625b133f3344398d773a0a682a8648ce3d317a1443420
48fcf5fa817c6251b55dfb17afa979e1335b431e43e4d9e4a0524fc9f139e1401628cfbacd373f11943a7a93f93c2a1f956913
e6da93dc7c428e39cab65e97

with wolfSSL.

But now when I use an ASN.1 parser, such as lapo.it, I have different results.
I have the following DER:
30 77 02 01 01 04 20 1F  4E 99 C7 44 A6 8B C5 1D
8C 2B 2B 06 FF D0 B0 12  85 6B 24 59 8F 06 25 B1
33 F3 34 43 98 D7 73 A0  0A 06 08 2A 86 48 CE 3D
03 01 07 A1 44 03 42 00  04 8F CF 5F A8 17 C6 25
1B 55 DF B1 7A FA 97 9E  13 03 5B 43 1E 43 E4 D9
E4 A0 52 4F C9 F1 39 E1  40 16 28 CF BA CD 37 3F
11 94 3A 7A 09 3F 93 C2  A1 F9 56 09 13 E6 DA 93
DC 7C 42 8E 39 CA B6 5E  97

It is almost the same, but the header is quite different. So I am not sure which one to trust... wolfSSL or the lapo.it parser.

Remy


Re: Wolfssl cannot decode ECC private key generated by openssl

Hey Remy,

Looks like I had a mistake in my code that prints the buffer in hex. Hmm.

23c23
<     printf("%02x ", pDer->buffer[i]);
---
>     printf("%x", pDer->buffer[i]);
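
Review bot: the direction of this hunk is inverted relative to the fix it reports. The `<` line (first file) carries the corrected `"%02x "` format and the `>` line (second file) carries `"%x"`, which is the form that drops the leading zero of every byte below 0x10 and produced the `30772114201f...` dump earlier in the thread. Regenerating the diff with the old file first would show `"%x"` as the removed line and `"%02x "` as the added one, so a reader applying it ends up with the fixed-width output.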

Updated file attached.

Comparing to openssl:

$ openssl ec -in forum_ec.pem -outform der -out /dev/stdout | od -An -tx1
read EC key
writing EC key
 30 77 02 01 01 04 20 1f 4e 99 c7 44 a6 8b c5 1d
 8c 2b 2b 06 ff d0 b0 12 85 6b 24 59 8f 06 25 b1
 33 f3 34 43 98 d7 73 a0 0a 06 08 2a 86 48 ce 3d
 03 01 07 a1 44 03 42 00 04 8f cf 5f a8 17 c6 25
 1b 55 df b1 7a fa 97 9e 13 03 5b 43 1e 43 e4 d9
 e4 a0 52 4f c9 f1 39 e1 40 16 28 cf ba cd 37 3f
 11 94 3a 7a 09 3f 93 c2 a1 f9 56 09 13 e6 da 93
 dc 7c 42 8e 39 ca b6 5e 97
$ ./forum_ec 
convert 0
 30 77 02 01 01 04 20 1f 4e 99 c7 44 a6 8b c5 1d
 8c 2b 2b 06 ff d0 b0 12 85 6b 24 59 8f 06 25 b1
 33 f3 34 43 98 d7 73 a0 0a 06 08 2a 86 48 ce 3d
 03 01 07 a1 44 03 42 00 04 8f cf 5f a8 17 c6 25
 1b 55 df b1 7a fa 97 9e 13 03 5b 43 1e 43 e4 d9
 e4 a0 52 4f c9 f1 39 e1 40 16 28 cf ba cd 37 3f
 11 94 3a 7a 09 3f 93 c2 a1 f9 56 09 13 e6 da 93
 dc 7c 42 8e 39 ca b6 5e 97
decode 0

Or better yet:

diff --side-by-side --width 100  <(openssl ec -in forum_ec.pem -outform der -out /dev/stdout 2>/dev/null | od -An -tx1) <(./forum_ec)
                                              > convert 0
 30 77 02 01 01 04 20 1f 4e 99 c7 44 a6 8b c5    30 77 02 01 01 04 20 1f 4e 99 c7 44 a6 8b c5
 8c 2b 2b 06 ff d0 b0 12 85 6b 24 59 8f 06 25    8c 2b 2b 06 ff d0 b0 12 85 6b 24 59 8f 06 25
 33 f3 34 43 98 d7 73 a0 0a 06 08 2a 86 48 ce    33 f3 34 43 98 d7 73 a0 0a 06 08 2a 86 48 ce
 03 01 07 a1 44 03 42 00 04 8f cf 5f a8 17 c6    03 01 07 a1 44 03 42 00 04 8f cf 5f a8 17 c6
 1b 55 df b1 7a fa 97 9e 13 03 5b 43 1e 43 e4    1b 55 df b1 7a fa 97 9e 13 03 5b 43 1e 43 e4
 e4 a0 52 4f c9 f1 39 e1 40 16 28 cf ba cd 37    e4 a0 52 4f c9 f1 39 e1 40 16 28 cf ba cd 37
 11 94 3a 7a 09 3f 93 c2 a1 f9 56 09 13 e6 da    11 94 3a 7a 09 3f 93 c2 a1 f9 56 09 13 e6 da
 dc 7c 42 8e 39 ca b6 5e 97                      dc 7c 42 8e 39 ca b6 5e 97
                                              > decode 0
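
The dump mismatch discussed in this thread, as an added example that is not part of the original posts or of wolfSSL: it dumps the thread's DER with `%x` and with `%02x`, reads each dump back as hex pairs, and checks the ECPrivateKey header. The helper names (`hex_decode`, `hex_encode`, `ec_priv_len`, `dump_roundtrip`) are hypothetical, and the header check is a minimal stand-in for an ASN.1 parser that assumes short-form lengths.

```c
#include <stdio.h>
#include <string.h>
/* Correct DER of the thread's test key, as hex (from the od output above). */
static const char KEY_HEX[] =
    "307702010104201f4e99c744a68bc51d8c2b2b06ffd0b012856b24598f0625b1"
    "33f3344398d773a00a06082a8648ce3d030107a144034200048fcf5fa817c625"
    "1b55dfb17afa979e13035b431e43e4d9e4a0524fc9f139e1401628cfbacd373f"
    "11943a7a093f93c2a1f9560913e6da93dc7c428e39cab65e97";

/* Read hex digit pairs back into bytes, as a reader or ASN.1 tool would. */
static size_t hex_decode(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = 0, pairs = strlen(hex) / 2;
    unsigned int b;
    while (n < pairs && n < cap && sscanf(hex + 2 * n, "%2x", &b) == 1)
        out[n++] = (unsigned char)b;
    return n;
}

/* Dump bytes as hex: pad=0 is the "%x" form, pad=1 the "%02x" form. */
static size_t hex_encode(const unsigned char *in, size_t n, int pad, char *out)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++)
        used += (size_t)sprintf(out + used, pad ? "%02x" : "%x", (unsigned)in[i]);
    return used;
}

/* RFC 5915 ECPrivateKey header check: private key length in bytes, or -1. */
static int ec_priv_len(const unsigned char *d, size_t n)
{
    int ok = n >= 7 && d[0] == 0x30 && d[1] < 0x80 && (size_t)d[1] + 2 == n
          && d[2] == 0x02 && d[3] == 0x01 && d[4] == 0x01   /* version 1 */
          && d[5] == 0x04 && d[6] < 0x80 && 7 + (size_t)d[6] <= n;
    return ok ? d[6] : -1;
}

/* Dump the key with the chosen format, re-read the dump, check the header. */
static int dump_roundtrip(int pad)
{
    unsigned char der[128], back[128];
    char dump[257];
    hex_encode(der, hex_decode(KEY_HEX, der, sizeof der), pad, dump);
    return ec_priv_len(back, hex_decode(dump, back, sizeof back));
}

int main(void)
{
    printf("%%02x dump: %d\n%%x dump: %d\n", dump_roundtrip(1), dump_roundtrip(0));
    return 0;
}
```

The `%02x` dump reads back as a valid header with a 32-byte private key, while the `%x` dump no longer parses, even though the buffer in memory is identical in both cases.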

Re: Wolfssl cannot decode ECC private key generated by openssl

Ok great Jeff,
I will study this and post back here.

Remy


Re: Wolfssl cannot decode ECC private key generated by openssl

Hi Jeff,

Thanks a lot for your help. It seems it was an encoding issue; now the output from wolfSSL and lapo.it is consistent.

Thanks a lot for your time.
Remy


Re: Wolfssl cannot decode ECC private key generated by openssl

Great! Glad to hear that.
