Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 115697
Status: open
Priority: 0/
Queue: Net-SSLeay

People
Owner: Nobody in particular
Requestors: Steffen_Ullrich [...] genua.de
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: generate EC keys with Net::SSLeay, similar to RSA keys - working patch included
Download (untitled) / with headers
text/plain 780b
Hi, Given that ECDSA certificates get more important it would be nice if Net::SSLeay has an easy way to create the necessary keys, similar to how it works with RSA keys. The attached patch implements a function EC_KEY_generate_key similar to RSA_generate_key and a function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA. Using these functions it is easy to create and use EC keys in the same way as RSA keys. Support for this functionality based on this patch is already included in a pre-release of IO::Socket::SSL::Utils and it makes it possible to easily create EC keys and ECDSA certificates on the fly: https://github.com/noxxi/p5-io-socket-ssl/commit/781c5a54. It would be nice if the patch would be included in the next version of Net::SSLeay. Regards, Steffen
Subject: SSLeay.xs.patch
Download SSLeay.xs.patch
text/x-diff 1.1k
Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 466) +++ SSLeay.xs (working copy) @@ -4640,10 +4640,51 @@ EC_KEY * key long -SSL_CTX_set_tmp_ecdh(ctx,ecdh); +SSL_CTX_set_tmp_ecdh(ctx,ecdh) SSL_CTX * ctx EC_KEY * ecdh +int +EVP_PKEY_assign_EC_KEY(pkey,key) + EVP_PKEY * pkey + EC_KEY * key + + +EC_KEY * +EC_KEY_generate_key(curve) + SV *curve; + CODE: + EC_GROUP *group = NULL; + EC_KEY *eckey = NULL; + int nid; + + RETVAL = 0; + if (SvIOK(curve)) { + nid = SvIV(curve); + } else { + nid = OBJ_sn2nid(SvPV_nolen(curve)); + if (!nid) nid = EC_curve_nist2nid(SvPV_nolen(curve)); + if (!nid) croak("unkown curve %s",SvPV_nolen(curve)); + } + + group = EC_GROUP_new_by_curve_name(nid); + if (!group) croak("unkown curve nid=%d",nid); + EC_GROUP_set_asn1_flag(group,OPENSSL_EC_NAMED_CURVE); + + eckey = EC_KEY_new(); + if ( eckey + && EC_KEY_set_group(eckey, group) + && EC_KEY_generate_key(eckey)) { + RETVAL = eckey; + } else { + if (eckey) EC_KEY_free(eckey); + } + if (group) EC_GROUP_free(group); + + OUTPUT: + RETVAL + + #endif void *
Subject: Re: [rt.cpan.org #115697] generate EC keys with Net::SSLeay, similar to RSA keys - working patch included
Date: Wed, 29 Jun 2016 09:30:03 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Download (untitled) / with headers
text/plain 1.6k
Hi Steffen, thanks for your patch. If you can send a patch with documentation and a test suite it will make it easier to consider adding. BTW, have you see my Crypt-OpenSSL-ECDSA? Would it suit your needs instead? Cheers. On Tuesday, June 28, 2016 11:23:29 AM you wrote: Show quoted text
> Tue Jun 28 11:23:28 2016: Request 115697 was acted upon. > Transaction: Ticket created by SULLR > Queue: Net-SSLeay > Subject: generate EC keys with Net::SSLeay, similar to RSA keys - > working patch included > Broken in: (no value) > Severity: Wishlist > Owner: Nobody > Requestors: Steffen_Ullrich@genua.de > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=115697 > > > > Hi, > Given that ECDSA certificates get more important it would be nice if > Net::SSLeay has an easy way to create the necessary keys, similar to how it > works with RSA keys. > > The attached patch implements a function EC_KEY_generate_key similar to > RSA_generate_key and a function EVP_PKEY_assign_EC_KEY similar to > EVP_PKEY_assign_RSA. Using these functions it is easy to create and use EC > keys in the same way as RSA keys. > > Support for this functionality based on this patch is already included in a > pre-release of IO::Socket::SSL::Utils and it makes it possible to easily > create EC keys and ECDSA certificates on the fly: > https://github.com/noxxi/p5-io-socket-ssl/commit/781c5a54. > > It would be nice if the patch would be included in the next version of > Net::SSLeay. Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
Download (untitled) / with headers
text/plain 1.5k
Am Di 28. Jun 2016, 19:30:18, mikem@airspayce.com schrieb: Show quoted text
> Hi Steffen, > > thanks for your patch. > > If you can send a patch with documentation and a test suite it will > make it > easier to consider adding.
You are damn right :) The attached new patch adds test and documentation. It contains also fixes for the documentation of EVP_PKEY_assign_RSA which referred to EVP_PKEY_set1_RSA instead of EVP_PKEY_assign_RSA and thus suggested that the reference counter got increased. Show quoted text
> > BTW, have you see my Crypt-OpenSSL-ECDSA? Would it suit your needs > instead?
Yes, I've had a look and Crypt::OpenSSL::ECDSA does not offer the functionality. But Crypt::OpenSSL::EC offers at least the functionality to create a EC_KEY but misses a way to make a EVP_PKEY out of it which is needed to use this key for creating a certificate or for direct use in IO::Socket::SSL. Apart from that Crypt::OpenSSL::EC creates objects which gets automatically destroyed when out of scope. While this is definitely a nice thing it does not fit well when used together with Net::SSLeay where everything must be explicitly freed. So this would get very confusing for a developer in which case a XXX_dup call is needed and when not. That's why I suggest to make a simple way to create a EC_KEY in Net::SSLeay. For the more complex setups Crypt::OpenSSL::EC is the right choice and when combining Crypt::OpenSSL::EC::dup with the new Net::SSLeay::EVP_PKEY_assign_EC_KEY one could even use the more complex EC key setups together with Net::SSLeay. Regards, Steffen
Subject: SSLeay.patch
Download SSLeay.patch
text/x-diff 4.5k
Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 466) +++ SSLeay.xs (working copy) @@ -4640,10 +4640,51 @@ EC_KEY * key long -SSL_CTX_set_tmp_ecdh(ctx,ecdh); +SSL_CTX_set_tmp_ecdh(ctx,ecdh) SSL_CTX * ctx EC_KEY * ecdh +int +EVP_PKEY_assign_EC_KEY(pkey,key) + EVP_PKEY * pkey + EC_KEY * key + + +EC_KEY * +EC_KEY_generate_key(curve) + SV *curve; + CODE: + EC_GROUP *group = NULL; + EC_KEY *eckey = NULL; + int nid; + + RETVAL = 0; + if (SvIOK(curve)) { + nid = SvIV(curve); + } else { + nid = OBJ_sn2nid(SvPV_nolen(curve)); + if (!nid) nid = EC_curve_nist2nid(SvPV_nolen(curve)); + if (!nid) croak("unkown curve %s",SvPV_nolen(curve)); + } + + group = EC_GROUP_new_by_curve_name(nid); + if (!group) croak("unkown curve nid=%d",nid); + EC_GROUP_set_asn1_flag(group,OPENSSL_EC_NAMED_CURVE); + + eckey = EC_KEY_new(); + if ( eckey + && EC_KEY_set_group(eckey, group) + && EC_KEY_generate_key(eckey)) { + RETVAL = eckey; + } else { + if (eckey) EC_KEY_free(eckey); + } + if (group) EC_GROUP_free(group); + + OUTPUT: + RETVAL + + #endif void * Index: lib/Net/SSLeay.pod =================================================================== --- lib/Net/SSLeay.pod (revision 466) +++ lib/Net/SSLeay.pod (working copy) @@ -1395,8 +1395,8 @@ Set the key referenced by $pkey to $key -B<NOTE:> In accordance with the OpenSSL naming convention the $key assigned -to the $pkey using the "1" functions must be freed as well as $pkey. +B<NOTE:> No reference counter will be increased, i.e. $key will be freed if +$pkey is freed. my $rv = Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $key); # $pkey - value corresponding to openssl's EVP_PKEY structure @@ -1404,8 +1404,26 @@ # # returns: 1 on success, 0 on failure -Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html> +Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html> +=item * EVP_PKEY_assign_EC_KEY + +B<COMPATIBILITY:> not available in Net-SSLeay-1.74 and before + +Set the key referenced by $pkey to $key + +B<NOTE:> No reference counter will be increased, i.e. $key will be freed if +$pkey is freed. + + my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($pkey, $key); + # $pkey - value corresponding to openssl's EVP_PKEY structure + # $key - value corresponding to openssl's EC_KEY structure + # + # returns: 1 on success, 0 on failure + +Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html> + + =item * EVP_PKEY_bits B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before @@ -7995,6 +8013,23 @@ TBA +=item * EC_KEY_generate_key + +Generates a EC key and returns it in a newly allocated EC_KEY structure. +The EC key then can be used to create a PKEY which can be used in calls +like X509_set_pubkey. + + my $key = Net::SSLeay::EVP_PKEY_new(); + my $ec = Net::SSLeay::EC_KEY_generate_key($curve); + Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec); + + # $curve - curve name like 'secp521r1' or the matching Id (integer) of the curve + # + # returns: value corresponding to openssl's EC_KEY structure (0 on failure) + +This function has no equivalent in OpenSSL but combines multiple OpenSSL +functions for an easier interface. + =back Index: t/local/63_ec_key_generate_key.t =================================================================== --- t/local/63_ec_key_generate_key.t (nonexistent) +++ t/local/63_ec_key_generate_key.t (working copy) @@ -0,0 +1,36 @@ +#!/usr/bin/perl + +use strict; +use warnings; +use Test::More; +use Net::SSLeay; + +if (!defined &Net::SSLeay::EC_KEY_generate_key) { + plan skip_all => "no suport for ECC in your OpenSSL"; + exit(0); +} + +plan tests => 4; + +Net::SSLeay::randomize(); +Net::SSLeay::load_error_strings(); +Net::SSLeay::ERR_load_crypto_strings(); +Net::SSLeay::SSLeay_add_ssl_algorithms(); + +my $ec = Net::SSLeay::EC_KEY_generate_key('prime256v1'); +ok($ec,'EC key created'); + +if ($ec) { + my $key = Net::SSLeay::EVP_PKEY_new(); + my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec); + ok($rv,'EC key assigned to PKEY'); + + my $pem = Net::SSLeay::PEM_get_string_PrivateKey($key); + ok( $pem =~m{^---.* PRIVATE KEY}m, "output key as PEM"); + + my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem()); + Net::SSLeay::BIO_write($bio,$pem); + my $newkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio); + ok($newkey,"read key again from PEM"); +} +
Subject: Re: [rt.cpan.org #115697] generate EC keys with Net::SSLeay, similar to RSA keys - working patch included
Date: Thu, 30 Jun 2016 10:32:59 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Download (untitled) / with headers
text/plain 2.7k
Hi Steffen, thanks for the full patch. But: I dont think the conditionals around EC_KEY_generate_key and friends are correct: #if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined OPENSSL_NO_EC but when I build your patch with OpenSSL 1.0.1k 8 Jan 2015 I get: SSLeay.xs:4666:6: warning: implicit declaration of function ‘EC_curve_nist2nid’ [-Wimplicit-function-declaration] if (!nid) nid = EC_curve_nist2nid(SvPV_nolen(curve)); and a subsequent link error on the same symbol and indeed EC_curve_nist2nid is not present in my 1.0.1k headers and library. It builds OK and tests OK with 1.0.2x According to this: http://permalink.gmane.org/gmane.comp.encryption.openssl.cvs/13181 EC_curve_nist2nid was added in 1.0.2 Is there a better/different solution? Or does it really need to be conditional on 1.0.2, not 1.0 Cheers. On Wednesday, June 29, 2016 02:12:35 AM Steffen Ullrich via RT wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=115697 > > > Am Di 28. Jun 2016, 19:30:18, mikem@airspayce.com schrieb:
> > Hi Steffen, > > > > thanks for your patch. > > > > If you can send a patch with documentation and a test suite it will > > make it > > easier to consider adding.
> > You are damn right :) > The attached new patch adds test and documentation. It contains also fixes > for the documentation of EVP_PKEY_assign_RSA which referred to > EVP_PKEY_set1_RSA instead of EVP_PKEY_assign_RSA and thus suggested that > the reference counter got increased.
> > BTW, have you see my Crypt-OpenSSL-ECDSA? Would it suit your needs > > instead?
> > Yes, I've had a look and Crypt::OpenSSL::ECDSA does not offer the > functionality. But Crypt::OpenSSL::EC offers at least the functionality to > create a EC_KEY but misses a way to make a EVP_PKEY out of it which is > needed to use this key for creating a certificate or for direct use in > IO::Socket::SSL. Apart from that Crypt::OpenSSL::EC creates objects which > gets automatically destroyed when out of scope. While this is definitely a > nice thing it does not fit well when used together with Net::SSLeay where > everything must be explicitly freed. So this would get very confusing for a > developer in which case a XXX_dup call is needed and when not. > > That's why I suggest to make a simple way to create a EC_KEY in Net::SSLeay. > For the more complex setups Crypt::OpenSSL::EC is the right choice and when > combining Crypt::OpenSSL::EC::dup with the new > Net::SSLeay::EVP_PKEY_assign_EC_KEY one could even use the more complex EC > key setups together with Net::SSLeay. > > Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
Download (untitled) / with headers
text/plain 419b
Show quoted text
> Is there a better/different solution? Or does it really need to be > conditional > on 1.0.2, not 1.0
It looks like that EC_curve_nist2nid was added with 1.0.2 but that the code works too, if EC_curve_nist2nid is not used, only that it will not know about the NIST curves. I've updated the patch so that it will use EC_curve_nist2nid with 1.0.2 and skip it otherwise. Tested with OpenSSL 1.0.1 too. Regards, Steffen
Subject: SSLeay.patch
Download SSLeay.patch
text/x-diff 9k
Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 466) +++ SSLeay.xs (working copy) @@ -4640,12 +4640,55 @@ EC_KEY * key long -SSL_CTX_set_tmp_ecdh(ctx,ecdh); +SSL_CTX_set_tmp_ecdh(ctx,ecdh) SSL_CTX * ctx EC_KEY * ecdh +int +EVP_PKEY_assign_EC_KEY(pkey,key) + EVP_PKEY * pkey + EC_KEY * key + + +EC_KEY * +EC_KEY_generate_key(curve) + SV *curve; + CODE: + EC_GROUP *group = NULL; + EC_KEY *eckey = NULL; + int nid; + + RETVAL = 0; + if (SvIOK(curve)) { + nid = SvIV(curve); + } else { + nid = OBJ_sn2nid(SvPV_nolen(curve)); +#if OPENSSL_VERSION_NUMBER > 0x10002000L + if (!nid) nid = EC_curve_nist2nid(SvPV_nolen(curve)); #endif + if (!nid) croak("unkown curve %s",SvPV_nolen(curve)); + } + group = EC_GROUP_new_by_curve_name(nid); + if (!group) croak("unkown curve nid=%d",nid); + EC_GROUP_set_asn1_flag(group,OPENSSL_EC_NAMED_CURVE); + + eckey = EC_KEY_new(); + if ( eckey + && EC_KEY_set_group(eckey, group) + && EC_KEY_generate_key(eckey)) { + RETVAL = eckey; + } else { + if (eckey) EC_KEY_free(eckey); + } + if (group) EC_GROUP_free(group); + + OUTPUT: + RETVAL + + +#endif + void * SSL_get_app_data(s) SSL * s Index: inc/Module/Install/PRIVATE/Net/SSLeay.pm =================================================================== --- inc/Module/Install/PRIVATE/Net/SSLeay.pm (revision 466) +++ inc/Module/Install/PRIVATE/Net/SSLeay.pm (working copy) @@ -1,5 +1,6 @@ #line 1 #line 1 +#line 1 package Module::Install::PRIVATE::Net::SSLeay; use strict; @@ -68,7 +69,7 @@ for ("$prefix/include", "$prefix/inc32", '/usr/kerberos/include') { push @{$opts->{inc_paths}}, $_ if -f "$_/openssl/ssl.h"; } - for ($prefix, "$prefix/lib64", "$prefix/lib", "$prefix/out32dll") { + for ($prefix, "$prefix/lib", "$prefix/out32dll") { push @{$opts->{lib_paths}}, $_ if -d $_; } @@ -96,10 +97,11 @@ @pairs = (['libeay32','ssleay32'],['libeay32MD','ssleay32MD'],['libeay32MT','ssleay32MT']) if $Config{cc} =~ /cl/; for my $dir (@{$opts->{lib_paths}}) { for my $p (@pairs) { - $found = 1 if ($Config{cc} =~ /gcc/ && -f "$dir/lib$p->[0].a" && -f "$dir/lib$p->[1].a"); - $found = 1 if ($Config{cc} =~ /cl/ && -f "$dir/$p->[0].lib" && -f "$dir/p->[1].lib"); + my ($s_lib_found, $s_lib_found); + $found = 1 if $Config{cc} =~ /gcc/ && -f "$dir/lib$p->[0].a" && -f "$dir/lib$p->[1].a"; + $found = 1 if $Config{cc} =~ /cl/ && -f "$dir/$p->[0].lib" && -f "$dir/$p->[1].lib"; if ($found) { - $opts->{lib_links} = [$p->[0], $p->[1], 'crypt32']; # Some systems need this system lib crypt32 too + $opts->{lib_links} = [$p->[0], $p->[1]]; $opts->{lib_paths} = [$dir]; last; } @@ -107,7 +109,7 @@ } if (!$found) { #fallback to the old behaviour - push @{ $opts->{lib_links} }, qw( libeay32MD ssleay32MD libeay32 ssleay32 libssl32 crypt32); + push @{ $opts->{lib_links} }, qw( libeay32MD ssleay32MD libeay32 ssleay32 libssl32); } } elsif ($^O eq 'VMS') { @@ -138,12 +140,7 @@ $opts->{cccdlflags} .= '-fPIC'; } } - # From HMBRAND to handle multple version of OPENSSL installed - if (my $lp = join " " => map { "-L$_" } @{$opts->{lib_paths} || []}) - { - my $mma = $self->makemaker_args; - ($mma->{uc $_} = $Config{$_}) =~ s/-L/$lp -L/ for qw( lddlflags ldflags ); - } + return $opts; } @@ -179,23 +176,19 @@ } my @guesses = ( - '/usr/local/opt/openssl/bin/openssl' => '/usr/local/opt/openssl', # OSX homebrew openssl - '/usr/local/bin/openssl' => '/usr/local', # OSX homebrew openssl - '/opt/local/bin/openssl' => '/opt/local', # Macports openssl - '/usr/bin/openssl' => '/usr', - '/usr/sbin/openssl' => '/usr', - '/opt/ssl/bin/openssl' => '/opt/ssl', - '/opt/ssl/sbin/openssl' => '/opt/ssl', - '/usr/local/ssl/bin/openssl' => '/usr/local/ssl', - '/usr/local/openssl/bin/openssl' => '/usr/local/openssl', - '/apps/openssl/std/bin/openssl' => '/apps/openssl/std', - '/usr/sfw/bin/openssl' => '/usr/sfw', # Open Solaris - 'C:\OpenSSL\bin\openssl.exe' => 'C:\OpenSSL', - 'C:\OpenSSL-Win32\bin\openssl.exe' => 'C:\OpenSSL-Win32', - $Config{prefix} . '\bin\openssl.exe' => $Config{prefix}, # strawberry perl - $Config{prefix} . '\..\c\bin\openssl.exe' => $Config{prefix} . '\..\c', # strawberry perl - '/sslexe/openssl.exe' => '/sslroot', # VMS, openssl.org - '/ssl$exe/openssl.exe' => '/ssl$root', # VMS, HP install + '/usr/bin/openssl' => '/usr', + '/usr/sbin/openssl' => '/usr', + '/opt/ssl/bin/openssl' => '/opt/ssl', + '/opt/ssl/sbin/openssl' => '/opt/ssl', + '/usr/local/ssl/bin/openssl' => '/usr/local/ssl', + '/usr/local/openssl/bin/openssl' => '/usr/local/openssl', + '/apps/openssl/std/bin/openssl' => '/apps/openssl/std', + '/usr/sfw/bin/openssl' => '/usr/sfw', # Open Solaris + 'C:\OpenSSL\bin\openssl.exe' => 'C:\OpenSSL', + $Config{prefix} . '\bin\openssl.exe' => $Config{prefix}, # strawberry perl + $Config{prefix} . '\..\c\bin\openssl.exe' => $Config{prefix} . '\..\c', # strawberry perl + '/sslexe/openssl.exe' => '/sslroot', # VMS, openssl.org + '/ssl$exe/openssl.exe' => '/ssl$root', # VMS, HP install ); while (my $k = shift @guesses Index: lib/Net/SSLeay.pod =================================================================== --- lib/Net/SSLeay.pod (revision 466) +++ lib/Net/SSLeay.pod (working copy) @@ -1395,8 +1395,8 @@ Set the key referenced by $pkey to $key -B<NOTE:> In accordance with the OpenSSL naming convention the $key assigned -to the $pkey using the "1" functions must be freed as well as $pkey. +B<NOTE:> No reference counter will be increased, i.e. $key will be freed if +$pkey is freed. my $rv = Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $key); # $pkey - value corresponding to openssl's EVP_PKEY structure @@ -1404,8 +1404,26 @@ # # returns: 1 on success, 0 on failure -Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html> +Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html> +=item * EVP_PKEY_assign_EC_KEY + +B<COMPATIBILITY:> not available in Net-SSLeay-1.74 and before + +Set the key referenced by $pkey to $key + +B<NOTE:> No reference counter will be increased, i.e. $key will be freed if +$pkey is freed. + + my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($pkey, $key); + # $pkey - value corresponding to openssl's EVP_PKEY structure + # $key - value corresponding to openssl's EC_KEY structure + # + # returns: 1 on success, 0 on failure + +Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html> + + =item * EVP_PKEY_bits B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before @@ -7995,6 +8013,23 @@ TBA +=item * EC_KEY_generate_key + +Generates a EC key and returns it in a newly allocated EC_KEY structure. +The EC key then can be used to create a PKEY which can be used in calls +like X509_set_pubkey. + + my $key = Net::SSLeay::EVP_PKEY_new(); + my $ec = Net::SSLeay::EC_KEY_generate_key($curve); + Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec); + + # $curve - curve name like 'secp521r1' or the matching Id (integer) of the curve + # + # returns: value corresponding to openssl's EC_KEY structure (0 on failure) + +This function has no equivalent in OpenSSL but combines multiple OpenSSL +functions for an easier interface. + =back Index: t/local/63_ec_key_generate_key.t =================================================================== --- t/local/63_ec_key_generate_key.t (nonexistent) +++ t/local/63_ec_key_generate_key.t (working copy) @@ -0,0 +1,36 @@ +#!/usr/bin/perl + +use strict; +use warnings; +use Test::More; +use Net::SSLeay; + +if (!defined &Net::SSLeay::EC_KEY_generate_key) { + plan skip_all => "no suport for ECC in your OpenSSL"; + exit(0); +} + +plan tests => 4; + +Net::SSLeay::randomize(); +Net::SSLeay::load_error_strings(); +Net::SSLeay::ERR_load_crypto_strings(); +Net::SSLeay::SSLeay_add_ssl_algorithms(); + +my $ec = Net::SSLeay::EC_KEY_generate_key('prime256v1'); +ok($ec,'EC key created'); + +if ($ec) { + my $key = Net::SSLeay::EVP_PKEY_new(); + my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec); + ok($rv,'EC key assigned to PKEY'); + + my $pem = Net::SSLeay::PEM_get_string_PrivateKey($key); + ok( $pem =~m{^---.* PRIVATE KEY}m, "output key as PEM"); + + my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem()); + Net::SSLeay::BIO_write($bio,$pem); + my $newkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio); + ok($newkey,"read key again from PEM"); +} +
Subject: Re: [rt.cpan.org #115697] generate EC keys with Net::SSLeay, similar to RSA keys - working patch included
Date: Thu, 30 Jun 2016 18:54:14 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Thanks Steffen that looks good. Your patch is now in SVN 467. I would appreciate it if you can test it. SVN also currently includes support for the forthcoming version of openssl 1.1, and Im keen to have some people test that too before the next release. Cheers. On Thursday, June 30, 2016 03:57:27 AM Steffen Ullrich via RT wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=115697 > >
> > Is there a better/different solution? Or does it really need to be > > conditional > > on 1.0.2, not 1.0
> > It looks like that EC_curve_nist2nid was added with 1.0.2 but that the code > works too, if EC_curve_nist2nid is not used, only that it will not know > about the NIST curves. I've updated the patch so that it will use > EC_curve_nist2nid with 1.0.2 and skip it otherwise. Tested with OpenSSL > 1.0.1 too. > > Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.