Failure to load seemingly correct EC keypairs
Environment
Similar results on Java 8 under RH7 and OS X.
Activity
Scott Cantor, May 4, 2018 at 6:43 PM (edited)
I added a keypair generated using the method I tried originally, and added unit tests that are passing now.
I don't think we're issuing an OpenSAML update to 3.3.2, so I left the fix version 3.4.0.
Daniel Fisher, April 27, 2018 at 2:10 PM
Updated opensaml with latest cryptacular.
Can you retry the keypairs that failed for you?
Daniel Fisher, March 19, 2018 at 12:58 AM
Scott's keypair works because it is PKCS8 encoded.
Rod's keypair fails because BC doesn't support super-non-standard curves:
http://www.bouncycastle.org/wiki/pages/viewpage.action?pageId=362269
I believe the primary issue is that cryptacular doesn't decode "traditional" openssl pem encoded EC keys correctly.
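An added pre-flight check for the two causes Daniel describes; it is example code, not part of this issue, cryptacular or OpenSAML. It reads an EC private key PEM and reports whether the container is PKCS#8 ("PRIVATE KEY") or the traditional OpenSSL SEC1 form ("EC PRIVATE KEY"), and whether the curve is given as a named-curve OID or as explicit ECParameters, the form BouncyCastle will not load. It uses only the Python standard library; the PKCS#8 sample is the key Scott posted in this issue, the SEC1 sample is a constructed dummy with explicit parameters (not a usable key), and the two OIDs in the table are the standard SEC identifiers for secp384r1 and secp256k1.

```python
import base64, re
# Named-curve OIDs discussed in the issue: secp384r1 (loaded) and secp256k1 (failed to load).
NAMED_CURVES = {"1.3.132.0.34": "secp384r1", "1.3.132.0.10": "secp256k1"}
def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _oid(value):                                   # dotted form of OBJECT IDENTIFIER content octets
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def _curve(tag, params):
    if tag == 0x06:                                # OID: named curve, the form BC loads
        oid = _oid(params)
        return "named:" + NAMED_CURVES.get(oid, oid)
    return "explicit" if tag == 0x30 else "unknown"   # SEQUENCE: explicit ECParameters
def inspect_ec_pem(pem):
    """Return (container, curve) for a PEM-encoded EC private key."""
    m = re.search(r"-----BEGIN (EC PRIVATE KEY|PRIVATE KEY)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no EC private key PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    _, seq, _ = _tlv(der, 0)
    _, _, p = _tlv(seq, 0)                         # version INTEGER, present in both encodings
    if label == "PRIVATE KEY":                     # PKCS#8: AlgorithmIdentifier {id-ecPublicKey, parameters}
        _, algid, _ = _tlv(seq, p)
        _, _, q = _tlv(algid, 0)                   # skip the algorithm OID
        return "PKCS#8", _curve(*_tlv(algid, q)[:2])
    _, _, p = _tlv(seq, p)                         # SEC1: skip the privateKey OCTET STRING
    while p < len(seq):                            # then optional [0] parameters and [1] publicKey
        tag, val, p = _tlv(seq, p)
        if tag == 0xA0:
            return "SEC1", _curve(*_tlv(val, 0)[:2])
    return "SEC1", "unknown"                       # parameters omitted; curve must come from elsewhere

# Samples: the PKCS#8 key posted in the issue, and a constructed dummy (not a usable key) in the
# traditional "EC PRIVATE KEY" form whose [0] parameters are an explicit SEQUENCE, not an OID.
PKCS8_KEY = """-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAGJjEIHP3P1fDZV9lG
lVfblOulUksJ+QdX9SeOswKIiQ9Oc5l6NTswN2bm+IRhaouhZANiAARrJ/UeKETr
cFdFSM9sjB31PDIB6IdjtwyzMUIAJHlqoQ6IJo3887jvgUZyevY0+CUoS0N3L+9W
mPgOiq9TRw6O5mrjSk1rmCx+2o2bnk+tWEysp7AWswUgNGgVkhumq9A=
-----END PRIVATE KEY-----"""
SEC1_EXPLICIT = "-----BEGIN EC PRIVATE KEY-----\n%s\n-----END EC PRIVATE KEY-----" % (
    base64.b64encode(bytes.fromhex("300e020101040200ffa0053003020101")).decode())
```

Running `inspect_ec_pem` over a key before handing it to the credential loader gives the "unsupported curve" message the reporter wished for, instead of a misleading key-mismatch error.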
Rod Widdowson, March 17, 2018 at 10:01 AM
Dunno if it helps, but here is an EC key/cert pair with a super-non-standard curve in them.
Scott Cantor, March 16, 2018 at 3:49 PM
A working key example:
-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAGJjEIHP3P1fDZV9lG
lVfblOulUksJ+QdX9SeOswKIiQ9Oc5l6NTswN2bm+IRhaouhZANiAARrJ/UeKETr
cFdFSM9sjB31PDIB6IdjtwyzMUIAJHlqoQ6IJo3887jvgUZyevY0+CUoS0N3L+9W
mPgOiq9TRw6O5mrjSk1rmCx+2o2bnk+tWEysp7AWswUgNGgVkhumq9A=
-----END PRIVATE KEY-----
Description
Several attempts to generate usable EC key/cert pairs have been failing with an error indicating the public and private keys don't match (both cryptacular and the KeySupport class's method to check that fail the same way).
Following a readme from Ian from an xmlsectool test case, I was able to generate a pair that worked:
$ openssl ecparam -name secp384r1 -out secp384r1.pem
$ openssl req -newkey ec:secp384r1.pem -nodes -new -x509 \
    -keyout ecsign384.key -out ecsign384.crt
One of my attempts, similar, but slightly different:
$ openssl ecparam -name secp256k1 -genkey -out ec-signing.key
$ openssl req -x509 -key credentials/ec-signing.key -out ec-signing.crt
I'm going to try again my way with the same curve as Ian's, but if that works, then the bug is really more that we're not able to detect an unsupported curve with an appropriate message, and I would have expected the key to just not load at all.
I'll attach test cases once I try a bit more.