Merge pull request #128 from dgarske/ecc_key_export

ECC Key Export Example
2019-02-20 11:04:01 -08:00 · 2019-02-20 11:04:01 -08:00 · 1ba591f2dd
parent 41c8caf9d5 7a984d96e2
commit 1ba591f2dd
5 changed files with 245 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -34,11 +34,15 @@ android/wolfssljni-ndk-sample/obj
 android/wolfssljni-ndk-sample/proguard-project.txt

 # Example executables
+/dtls/client-dtls-callback
+/dtls/client-dtls-ipv6
 /dtls/client-dtls-nonblocking
 /dtls/client-dtls-resume
 /dtls/client-dtls-shared
 /dtls/client-dtls
 /dtls/client-udp
+/dtls/server-dtls-callback
+/dtls/server-dtls-ipv6
 /dtls/server-dtls-nonblocking
 /dtls/server-dtls-threaded
 /dtls/server-dtls
@ -104,9 +108,12 @@ signature/rsa_buffer/sign
 signature/rsa_buffer/verify

 ecc/ecc-key-decode
+ecc/ecc-key-export
 ecc/ecc-sign
 ecc/ecc-stack
 ecc/ecc-verify
+ecc/*.der
+ecc/*.pem
 pkcs7/pkcs7-verify
 pkcs7/authEnvelopedData-kari
 pkcs7/authEnvelopedData-ktri
--- a/ecc/Makefile
+++ b/ecc/Makefile
@ -34,3 +34,5 @@ debug: all

 clean:
 	rm -f $(TARGETS)
+	rm -f ECC*.der
+	rm -f ECC*.pem
--- a/ecc/README.md
+++ b/ecc/README.md
@ -5,14 +5,14 @@
 ### Build and install wolfSSL

 ```
-./configure --enable-ecc --enable-ecccustcurves CFLAGS="-DWOLFSSL_TEST_CERT" && make && sudo make install
+./configure --enable-ecc --enable-ecccustcurves CFLAGS="-DWOLFSSL_TEST_CERT -DWOLFSSL_DER_TO_PEM -DHAVE_ECC_KOBLITZ" && make && sudo make install
 ```

 ### Build Example

 ```
 make
-
+gcc -o ecc-key-decode ecc-key-decode.c -Wall -I/usr/local/include -Os -L/usr/local/lib -lm -lwolfssl
 gcc -o ecc-key-decode ecc-key-decode.c -Wall -I/usr/local/include -Os -L/usr/local/lib -lm -lwolfssl
 gcc -o ecc-sign ecc-sign.c -Wall -I/usr/local/include -Os -L/usr/local/lib -lm -lwolfssl
 gcc -o ecc-stack ecc-stack.c -Wall -I/usr/local/include -Os -L/usr/local/lib -lm -lwolfssl
@ -28,7 +28,16 @@ CFLAGS+=$(DEBUG_FLAGS)
 #CFLAGS+=$(OPTIMIZE)
 ```

-Build wolfSSL using: `./configure --enable-ecc --enable-ecccustcurves --enable-debug CFLAGS="-DWOLFSSL_TEST_CERT" && make && sudo make install`
+Build wolfSSL adding `--enable-debug` to the ./configure.
+
+To enable using the static library change the Makefile to:
+
+```
+LIBS+=$(STATIC_LIB)
+#LIBS+=$(DYN_LIB)
+```
+
+Build wolfSSL adding `--disable-shared` to the ./configure.


 ## Usage
@ -43,7 +52,6 @@ bytes = 781
 decodedCert.pubKeySize 91
 publickey size: 32
 Success
-
 ```

 ### `ecc-sign`
@ -83,7 +91,6 @@ Firmware Signature 8: Ret 0, HashLen 32, SigLen 103
 Sign ret 0, sigLen 102
 Verify ret 0, is_valid_sig 1
 Firmware Signature 9: Ret 0, HashLen 32, SigLen 102
-
 ```

 ### `ecc-stack`
@ -110,3 +117,31 @@ This example demonstrates using a Koblitz (SECP256K1) curve.
 ./ecc-verify
 hash_firmware_verify: 0
 ```
+
+### `ecc-key-decode`
+
+This example shows exporting an ECC private key and public key.
+
+```
+./ecc-key-export
+ECC Key Generated: 256 bits, curve ECC_SECP256K1
+ECC Private Key Exported to ./ECC_SECP256K1.der
+ECC Private Key Exported to ./ECC_SECP256K1.pem
+ECC Public Key Exported to ./ECC_SECP256K1_pub.der
+ECC Public Key Exported to ./ECC_SECP256K1_pub.pem
+```
+
+Example commands for parsing the generated ECC keys (see `./parsekeys.sh`):
+
+```
+openssl ec -inform der -in ECC_SECP256K1.der -text
+openssl ec -inform pem -in ECC_SECP256K1.pem -text
+
+openssl ec -inform der -in ECC_SECP256K1_pub.der -text -pubin
+openssl ec -inform pem -in ECC_SECP256K1_pub.pem -text -pubin
+```
+
+
+## Support
+
+For questions please email us at support@wolfssl.com.
--- a/ecc/ecc-key-export.c
+++ b/ecc/ecc-key-export.c
@ -0,0 +1,164 @@
+#include <stdio.h>
+#include <stdint.h>
+
+#ifndef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/options.h>
+#endif
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/ecc.h>
+#include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/asn_public.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+
+/* Build wolfSSL with:
+./configure --enable-ecccustcurves CFLAGS="-DWOLFSSL_DER_TO_PEM -DHAVE_ECC_KOBLITZ"
+make
+sudo make install
+*/
+
+#define MAX_CERT_SIZE       4096
+#define TEST_ECC_KEY_SZ     32
+#ifdef HAVE_ECC_KOBLITZ
+#define TEST_ECC_KEY_CURVE  ECC_SECP256K1
+#else
+#define TEST_ECC_KEY_CURVE  ECC_SECP256R1
+#endif
+
+#define XSTRINGIFY(a) STRINGIFY(a)
+#define STRINGIFY(a) #a
+
+int main(void)
+{
+    int ret;
+    byte der[MAX_CERT_SIZE];
+    word32 derSz;
+#ifdef WOLFSSL_DER_TO_PEM
+    byte pem[MAX_CERT_SIZE];
+    word32 pemSz;
+#endif
+    WC_RNG rng;
+    ecc_key key;
+    FILE *fp;
+
+    wolfSSL_Debugging_ON();
+
+    ret = wolfCrypt_Init();
+    if (ret != 0) {
+        printf("wolfCrypt_Init error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+
+    ret = wc_InitRng(&rng);
+    if (ret != 0) {
+        printf("wc_InitRng error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+
+    ret = wc_ecc_init(&key);
+    if (ret != 0) {
+        printf("wc_ecc_init error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+
+    ret = wc_ecc_make_key_ex(&rng, TEST_ECC_KEY_SZ, &key, TEST_ECC_KEY_CURVE);
+    if (ret != 0) {
+        printf("wc_ecc_make_key_ex error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+    printf("ECC Key Generated: %d bits, curve %s\n", TEST_ECC_KEY_SZ * 8, XSTRINGIFY(TEST_ECC_KEY_CURVE));
+
+    memset(der, 0, sizeof(der));
+    ret = wc_EccKeyToDer(&key, der, sizeof(der));
+    if (ret < 0) {
+        printf("wc_EccKeyToDer error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+    derSz = ret;
+
+    fp = fopen("./" XSTRINGIFY(TEST_ECC_KEY_CURVE) ".der", "wb");
+    if (!fp) {
+        printf("Error openening %s for write\n",
+            "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) ".der");
+        return -1;
+    }
+    fwrite(der, derSz, 1, fp);
+    fclose(fp);
+
+    printf("ECC Private Key Exported to %s\n",
+        "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) ".der");
+
+#ifdef WOLFSSL_DER_TO_PEM
+    memset(pem, 0, sizeof(pem));
+    ret = wc_DerToPem(der, derSz, pem, sizeof(pem), ECC_PRIVATEKEY_TYPE);
+    if (ret < 0) {
+        printf("wc_DerToPem error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+    pemSz = ret;
+
+    fp = fopen("./" XSTRINGIFY(TEST_ECC_KEY_CURVE) ".pem", "wb");
+    if (!fp) {
+        printf("Error openening %s for write\n",
+            "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) ".pem");
+        return -1;
+    }
+    fwrite(pem, pemSz, 1, fp);
+    fclose(fp);
+
+    printf("ECC Private Key Exported to %s\n",
+        "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) ".pem");
+#endif
+
+    memset(der, 0, sizeof(der));
+    ret = wc_EccPublicKeyToDer(&key, der, sizeof(der), TEST_ECC_KEY_CURVE);
+    if (ret < 0) {
+        printf("wc_EccPublicKeyToDer error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+    derSz = ret;
+
+    fp = fopen("./" XSTRINGIFY(TEST_ECC_KEY_CURVE) "_pub.der", "wb");
+    if (!fp) {
+        printf("Error openening %s for write\n",
+            "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) "_pub.der");
+        return -1;
+    }
+    fwrite(der, derSz, 1, fp);
+    fclose(fp);
+
+    printf("ECC Public Key Exported to %s\n",
+        "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) "_pub.der");
+
+#ifdef WOLFSSL_DER_TO_PEM
+    memset(pem, 0, sizeof(pem));
+    ret = wc_DerToPem(der, derSz, pem, sizeof(pem), ECC_PUBLICKEY_TYPE);
+    if (ret < 0) {
+        /* try old type */
+        ret = wc_DerToPem(der, derSz, pem, sizeof(pem), PUBLICKEY_TYPE);
+    }
+    if (ret < 0) {
+        printf("wc_DerToPem error %s (%d)\n", wc_GetErrorString(ret), ret);
+        return -1;
+    }
+    pemSz = ret;
+
+    fp = fopen("./" XSTRINGIFY(TEST_ECC_KEY_CURVE) "_pub.pem", "wb");
+    if (!fp) {
+        printf("Error openening %s for write\n",
+            "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) "_pub.pem");
+        return -1;
+    }
+    fwrite(pem, pemSz, 1, fp);
+    fclose(fp);
+
+    printf("ECC Public Key Exported to %s\n",
+        "./" XSTRINGIFY(TEST_ECC_KEY_CURVE) "_pub.pem");
+#endif
+
+    wc_ecc_free(&key);
+    wc_FreeRng(&rng);
+    wolfCrypt_Cleanup();
+
+    return 0;
+}
--- a/ecc/parsekeys.sh
+++ b/ecc/parsekeys.sh
@ -0,0 +1,32 @@
+#!/bin/sh
+
+# SECP256R1
+if [ -f ECC_SECP256R1.der ]; then
+	openssl ec -inform der -in ECC_SECP256R1.der -text
+fi
+if [ -f ECC_SECP256R1_pub.der ]; then
+	openssl ec -inform der -in ECC_SECP256R1_pub.der -text -pubin
+fi
+
+if [ -f ECC_SECP256R1.pem ]; then
+	openssl ec -inform pem -in ECC_SECP256R1.pem -text
+fi
+if [ -f ECC_SECP256R1_pub.pem ]; then
+	openssl ec -inform pem -in ECC_SECP256K1_pub.pem -text -pubin
+fi
+
+
+# SECP256K1
+if [ -f ECC_SECP256K1.der ]; then
+	openssl ec -inform der -in ECC_SECP256K1.der -text
+fi
+if [ -f ECC_SECP256K1_pub.der ]; then
+	openssl ec -inform der -in ECC_SECP256K1_pub.der -text -pubin
+fi
+
+if [ -f ECC_SECP256K1.pem ]; then
+	openssl ec -inform pem -in ECC_SECP256K1.pem -text
+fi
+if [ -f ECC_SECP256K1_pub.pem ]; then
+	openssl ec -inform pem -in ECC_SECP256K1_pub.pem -text -pubin
+fi