1

I have an Ethereum private key which consists of 64 bytes. I need to use this key for asymmetric encryption using p256k1 elliptic curve (the signing algorithm used on Ethereum).

This is supported on KMS now. In the process of importing my key, I came across the following section in the GCP KMS documentation.


It stipulates the key must be in PKCS#8 format. I have tried a couple of commands using openssl, like the following:

openssl pkcs8 -topk8 -in ./private.pem -outform DER -out ./private.key

Here is my private.pem format

-----BEGIN PRIVATE KEY-----
64_CHAR_PRIVATE_KEY_PASTED_HERE
-----END PRIVATE KEY-----

I understand this might not be the correct way to convert as errors happen when I run this command.

unable to load key
4456490668:error:0DFFF07B:asn1 encoding routines:CRYPTO_internal:header too long:/System/Volumes/Data/SWE/macOS/BuildRoots/b8ff8433dc/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75/libressl-2.8/crypto/asn1/asn1_lib.c:152:
4456490668:error:0DFFF066:asn1 encoding routines:CRYPTO_internal:bad object header:/System/Volumes/Data/SWE/macOS/BuildRoots/b8ff8433dc/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75/libressl-2.8/crypto/asn1/tasn_dec.c:1132:
4456490668:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/System/Volumes/Data/SWE/macOS/BuildRoots/b8ff8433dc/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75/libressl-2.8/crypto/asn1/tasn_dec.c:317:Type=PKCS8_PRIV_KEY_INFO
4456490668:error:09FFF00D:PEM routines:CRYPTO_internal:ASN1 lib:/System/Volumes/Data/SWE/macOS/BuildRoots/b8ff8433dc/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75/libressl-2.8/crypto/pem/pem_pkey.c:143:

My goal remains to be able to import the key into KMS as securely as possible. Thank you in advance for your responses :D

khalilw1
  • 174
  • 11
  • Well, I am not 100% sure this key is the private key I get from my wallet provider, which seems to be a 64-byte key. From some looking around Ethereum, I can't seem to find if there is an encoding or format to this generated key. It seems to be a randomly generated 64 bytes. – khalilw1 May 24 '22 at 09:25
  • 2
    Use **openssl asn1parse** to see if ASN1 is the format. – John Hanley May 24 '22 at 09:30
  • 1
    The details in this answer should help: https://stackoverflow.com/a/48102827/8016720 – John Hanley May 24 '22 at 09:34
  • Hello guys, so here is an example of what I have: 9f455578d02d6a4d0568a719bfdce8fa233eea74b6d814e6fb7bb355f6e61b42. This is the key I have. The file format I made myself, since I was trying out the openssl PKCS#8 format. I tried to use asn1parse in vain (header too long in some of my attempts - probably some formatting). – khalilw1 May 24 '22 at 09:58
  • 1
    OK, so I understand a bit more now thanks to your link @JohnHanley. I will try the provided details and update you guys. Thanks again – khalilw1 May 24 '22 at 10:02

2 Answers

3

So, for anyone who might deal with something similar: John Hanley pointed me to this link, which describes the process of basically converting an Ethereum private key into an EC PEM or DER encoded key file.

A couple of strings need to be added (The linked answer does a good job at explaining it). I was able to then convert EC PEM to PKCS#8 DER format which is what I needed for importing the key to GCP KMS.

khalilw1
  • 174
  • 11
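The wrapping described in the answer above, as an added example that is not part of the original post or of the linked answer: it builds the SEC1 and PKCS#8 DER encodings for a raw secp256k1 scalar using only the Python standard library. The function names and the sample scalar are constructed for illustration; the optional public-key field of ECPrivateKey is omitted, and whether a given import target accepts that is an assumption to verify.

```python
import base64
import textwrap

# Order of the secp256k1 group; a valid private scalar d satisfies 1 <= d < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")  # 1.2.840.10045.2.1
OID_SECP256K1 = bytes.fromhex("06052b8104000a")          # 1.3.132.0.10

def tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value; short-form length below 128, long-form otherwise."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def parse_scalar(hex_key: str) -> bytes:
    """Validate a raw wallet-style hex key and return its 32 bytes."""
    h = hex_key.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) != 64:
        raise ValueError("expected 64 hex characters (32 bytes)")
    d = int(h, 16)
    if not 1 <= d < N:
        raise ValueError("scalar outside [1, N-1]")
    return bytes.fromhex(h)

def sec1_der(hex_key: str) -> bytes:
    """SEC1 ECPrivateKey with named-curve parameters ('EC PRIVATE KEY' in PEM)."""
    body = tlv(0x02, b"\x01") + tlv(0x04, parse_scalar(hex_key)) + tlv(0xA0, OID_SECP256K1)
    return tlv(0x30, body)

def pkcs8_der(hex_key: str) -> bytes:
    """Unencrypted PKCS#8 PrivateKeyInfo; the curve moves to the AlgorithmIdentifier."""
    inner = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, parse_scalar(hex_key)))
    alg = tlv(0x30, OID_EC_PUBLIC_KEY + OID_SECP256K1)
    return tlv(0x30, tlv(0x02, b"\x00") + alg + tlv(0x04, inner))

def pem(der: bytes, label: str) -> str:
    """PEM is base64 of the DER bytes, not the hex string between the markers."""
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed throwaway scalar (bytes 0x01..0x20); never use it for real funds.
SAMPLE_KEY = bytes(range(1, 33)).hex()
```

Writing the bytes from `pkcs8_der(SAMPLE_KEY)` to a file and inspecting it with `openssl asn1parse -inform DER` shows the resulting structure.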
0

I have a complete solution for this, but it uses Python instead of openssl.
It has 4 main functions.
1 - Create an Import job in GCP KMS
2 - Convert the Ethereum key to PKCS#8 DER and wrap it with the Import job's wrapping key
3 - Upload it to GCP KMS
4 - Send a GCP-KMS-HSM-signed test transaction on your choice of chain.

I suggest converting the key and wrapping it offline or on a secure boot image like Tails.
Read the code first, and use a throwaway pk to test. I hope this helps.
https://github.com/TMCTG/GCP-KMS-ETH-Private-Key-Import-Sign-Tx

Tim
  • 1
  • 1