Loading ECC PKCS8 keys generated by Go
wbl opened this issue · 5 comments
We have been having lots of problems and have been unable to get ECC to work. First off, the PEM lines are subtly different: Go includes EC PRIVATE KEY, but rustls expects only PRIVATE KEY. I don't think it pays to be pedantic about that. But after changing that by hand, we get errors about the private key being invalid due to ASN.1 issues. I'm not sure which part actually has the bug between Go and this project, but I am not enough of an ASN.1 expert to figure that out.
Please generate a dummy PKCS#8 key from Go that fails to parse in Rustls and post the PEM here.
Also, read the documentation here at https://briansmith.org/rustdoc/ring/signature/struct.EcdsaKeyPair.html#method.from_pkcs8 and see if that narrows down the issue. For example, does the PKCS#8 document contain the public key? Is it using named curve AlgorithmIdentifiers or the other kind?
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMY4Javm8p/EUEj8Vqp970VhlqcXTbQR4xS+Pg+wMZlEoAoGCCqGSM49
AwEHoUQDQgAE2OiErbskHuuNPRJWorVRXuVG4lsoZIUNxgke5ahna6d/+iWB9V6k
NYDCfkRFQ2rpBoSSefGNafhumEOmkuVnrQ==
-----END EC PRIVATE KEY-----
First off the PEM lines are subtly different: go includes EC PRIVATE KEY, but rustls expects only PRIVATE KEY
"EC PRIVATE KEY" introduces a SEC1-style private key (it's the encoding ECPrivateKey in SEC1v2 section C.4 -- http://www.secg.org/sec1-v2.pdf).
You can convert these to PKCS#8 with openssl pkcs8 -topk8 -nocrypt -in sec1.pem -out pkcs8.pem
Ah, thank you!
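The distinction discussed in this thread can be checked from the DER itself rather than from the PEM label. The following is an added example, not code from this thread, rustls or ring; the function names (`b64`, `tlv`, `classify_der`, `classify_pem`) are hypothetical, and it only inspects the first two fields of the outer SEQUENCE.

```rust
// Dummy key posted in this thread, labelled "EC PRIVATE KEY".
const THREAD_KEY: &str = "-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMY4Javm8p/EUEj8Vqp970VhlqcXTbQR4xS+Pg+wMZlEoAoGCCqGSM49
AwEHoUQDQgAE2OiErbskHuuNPRJWorVRXuVG4lsoZIUNxgke5ahna6d/+iWB9V6k
NYDCfkRFQ2rpBoSSefGNafhumEOmkuVnrQ==
-----END EC PRIVATE KEY-----";

// Minimal base64 decoder; padding, newlines and other bytes are skipped.
fn b64(s: &str) -> Vec<u8> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => continue,
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    out
}

// Read one DER TLV as (tag, value, rest); None if truncated or malformed.
fn tlv(d: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (tag, l0) = (*d.first()?, *d.get(1)? as usize);
    let n = if l0 < 0x80 { 0 } else { l0 & 0x7f }; // long form: n length bytes follow
    if l0 == 0x80 || n > 4 || d.len() < 2 + n { return None; }
    let len = if n == 0 { l0 } else { d[2..2 + n].iter().fold(0usize, |a, &b| (a << 8) | b as usize) };
    let body = &d[2 + n..];
    if body.len() < len { return None; }
    Some((tag, &body[..len], &body[len..]))
}

// SEC1 starts INTEGER 1, OCTET STRING; PKCS#8 starts INTEGER version, SEQUENCE (AlgorithmIdentifier).
fn classify_der(der: &[u8]) -> &'static str {
    let inner = tlv(der).filter(|t| t.0 == 0x30).and_then(|t| tlv(t.1));
    match inner.and_then(|(tag, ver, rest)| Some((tag, ver, tlv(rest)?.0))) {
        Some((0x02, [1], 0x04)) => "SEC1 ECPrivateKey",
        Some((0x02, [0 | 1], 0x30)) => "PKCS#8 PrivateKeyInfo",
        _ => "unrecognised",
    }
}
fn classify_pem(pem: &str) -> &'static str {
    classify_der(&b64(&pem.lines().filter(|l| !l.starts_with("-----")).collect::<String>()))
}
fn main() { println!("{}", classify_pem(THREAD_KEY)); }
```

Renaming the PEM label by hand does not change this result, which is why the key still failed to parse after the label was edited.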