
I want to generate an ECDSA key pair and save it to a PEM file. Here's the code I use to generate the key.

#include <openssl/ec.h>      // for EC_GROUP_new_by_curve_name, EC_GROUP_free, EC_KEY_new, EC_KEY_set_group, EC_KEY_generate_key, EC_KEY_free
#include <openssl/ecdsa.h>   // for ECDSA_do_sign, ECDSA_do_verify
#include <openssl/obj_mac.h> // for NID_secp256k1

/*
 * Function generate_eckey
 * -----------------------
 *
 * This function generates an EC_KEY object that stores the ECDSA key pair.
 *
 * return: ec key pair
 */
EC_KEY * generate_eckey() {
    EC_KEY *eckey = EC_KEY_new();
    EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp256k1);
    EC_KEY_set_group(eckey, ecgroup);  // the key keeps its own copy of the group
    EC_GROUP_free(ecgroup);            // so the original must be freed here
    EC_KEY_generate_key(eckey);

    return eckey;
}


int main() {

    // generate an eckey used to produce signatures
    EC_KEY *eckey = generate_eckey();

    EC_KEY_free(eckey);
    return 0;
}

Now I have this key pair that can be used to sign and verify messages. What I want to do is save the information to a file so next time I can simply load it and use it.

I want to know how I can write and load the keys to a PEM file. Does OpenSSL have an existing function to do so? I have no preference about which format the keys are encoded in, as long as I can use them after loading. Any example would be great.

Luke
    This is from 2009 (and the OP had problems), but it does look like there are function calls that will do what you want. Exploring some of what the OP has done will probably lead to a solution: http://openssl.6102.n7.nabble.com/Can-not-write-a-EC-KEY-to-a-PEM-file-td23490.html – yano Jul 08 '16 at 15:14

1 Answer

I want to know how I can write and load the keys to a PEM file. Does OpenSSL have an existing function to do so?

Yes, OpenSSL has existing functions. For ASN.1/DER, use d2i_ECPrivateKey and d2i_EC_PUBKEY; and for PEM use PEM_read_ECPrivateKey and PEM_read_EC_PUBKEY. The write functions are similar and documented in the man pages.

d2i_* is "DER to internal", and it's used to read ASN.1/DER keys. The write functions use i2d_*, and it's "internal to DER". PEM does not use a cryptic prefix.

For an example of using d2i_* and PEM_* with RSA keys in a C++ program with the output, see Use OpenSSL RSA key with .Net. You can just swap in your EC functions in place of the RSA ones.


EC_KEY * generate_eckey() {
    EC_KEY *eckey=EC_KEY_new();
    EC_GROUP *ecgroup= EC_GROUP_new_by_curve_name(NID_secp256k1);
    EC_KEY_set_group(eckey, ecgroup);
    EC_KEY_generate_key(eckey);

    return eckey;
}

Related, when you write your EC keys, be sure to use a named curve by calling EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE). If you don't, the keys could be of limited use. Also see Elliptic Curve Cryptography | Named Curves on the OpenSSL wiki.

Also, you are ignoring return values from functions like EC_KEY_new and EC_KEY_generate_key. You might want to rethink that strategy since those functions can fail for non-obvious reasons, like a policy setting. Also see the EC_KEY_new man pages.

jww
    I saw in your previous post that you first convert the RSA key to a PKEY. Do I also need to apply that for EC_KEY? BTW I don't know C++, so it's a bit hard for me to read the code. – Luke Jul 08 '16 at 21:42