<div dir="ltr"><div>Hi Ben,<br><br></div><div>I've replicated your console commands (see end of mail) and continued with steps which end with a successful verification of the signature with the EC Public Key.<br>Some duplicated commands are removed from the log but it should still contain all the necessary steps.<br>
<br></div><div>Some things I noticed:<br><br></div><div>* There is one SubjectPublicKeyInfo which contains another SubjectPublicKeyInfo.<br>   This doesn't seem correct and I'm not really sure where the error causing this is.<br>
</div><div><br>* The EC Public Key type in public_key is defined as:<br><pre>ec_public_key()  = {#'ECPoint'{}, #'EcpkParameters'{} | {namedCurve, oid()}}<br><br></pre></div><div>But the EC Public Key Parameters are actually returned as an 'OTPEcpkParameters' PEM entry (record)<br>
whose record definition is missing. I suspect this could be a bug in public_key.<br><br></div><div>* I didn't find a way to get a #'ECPoint' record back from decoding, so I manually created it by<br></div><div>
   matching out the ECPoint octets from the SPKI record.<br><br></div><div>* As the EC parameters were in the private key file, they had to be manually combined with the ECPoint<br></div><div>   to form the EC Public Key. Maybe it's possible to tell openssl to include the EC parameters in the public<br>
</div><div>   key file with some option?<br><br></div><div>Test keys were generated with:<br><br>openssl ecparam -out ec_key_priv.pem -name prime192v1 -genkey<br>openssl ec -pubout -in ec_key_priv.pem -out ec_key_pub.pem<br>
<br></div><div>Cheers,<br></div><div>Gustav Simonsson<br></div><div><br></div><div>Erlang console log:<br></div><div>==================<br><br>Erlang R16B01 (erts-5.10.2) [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]<br>
<br>Eshell V5.10.2  (abort with ^G)<br>1> rr(public_key).<br>['AAControls','ACClearAttrs','AccessDescription',<br> 'Algorithm','AlgorithmIdentifier',<br> 'AlgorithmIdentifierPKCS-10','AlgorithmIdentifierPKCS-8',<br>
 'AlgorithmIdentifierPKCS5v2-0','AlgorithmIdentifierPKSC-7',<br> 'AlgorithmNull','AnotherName','AttCertValidityPeriod',<br> 'Attribute','AttributeCertificate',<br> 'AttributeCertificateInfo','AttributePKCS-10',<br>
 'AttributePKCS-7','AttributeTypeAndValue',<br> 'Attributes_SETOF',<br> 'Attributes_SETOF_valuesWithContext_SETOF',<br> 'AuthorityKeyIdentifier','BasicConstraints',<br> 'BuiltInDomainDefinedAttribute','BuiltInStandardAttributes',<br>
 'Certificate','CertificateList','CertificationRequest',<br> 'CertificationRequestInfo',<br> 'CertificationRequestInfo_attributes_SETOF'|...]<br>2> {ok, Bin} = file:read_file("ec_key_priv.pem").<br>
{ok,<<"-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBAQ==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMF"...>>}<br>3> {ok, Bin2} = file:read_file("ec_key_pub.pem").<br>{ok,<<"-----BEGIN PUBLIC KEY-----\nMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEUzzXw5xYnyZKIzSIo1xKN3enUe3M\nWSURKrWKOUB+Of+e"...>>}<br>
4> [OTPEcpkParamsPem, ECPrivateKeyPem] = public_key:pem_decode(Bin).<br>[{'OTPEcpkParameters',<<6,8,42,134,72,206,61,3,1,1>>,<br>                      not_encrypted},<br> {'ECPrivateKey',<<48,95,2,1,1,4,24,233,53,27,191,96,145,<br>
                   18,240,229,16,151,232,48,95,167,203,176,<br>                   145,...>>,<br>                 not_encrypted}]<br>5> ECPrivateKey = public_key:pem_entry_decode(ECPrivateKeyPem).<br>#'ECPrivateKey'{version = 1,<br>
                privateKey = [233,53,27,191,96,145,18,240,229,16,151,232,48,<br>                              95,167,203,176,145,117,205,108,210,242,204],<br>                parameters = {namedCurve,{1,2,840,10045,3,1,1}},<br>
                publicKey = {0,<br>                             <<4,83,60,215,195,156,88,159,38,74,35,52,136,163,92,<br>                               74,55,119,167,81,237,204,...>>}}<br>6> {_, ParamsBin, ParamsEnc} = OTPEcpkParamsPem.<br>
{'OTPEcpkParameters',<<6,8,42,134,72,206,61,3,1,1>>,<br>                     not_encrypted}<br>7> EcpkParametersPem = {'EcpkParameters', ParamsBin, ParamsEnc}.<br>{'EcpkParameters',<<6,8,42,134,72,206,61,3,1,1>>,<br>
                  not_encrypted}<br>8> ECParams = public_key:pem_entry_decode(EcpkParametersPem).<br>{namedCurve,{1,2,840,10045,3,1,1}}<br>9> Msg = <<"The superhamster strikes again at 7PM">>.<br>
<<"The superhamster strikes again at 7PM">><br>10> Sig = public_key:sign(Msg, sha256, ECPrivateKey).<br><<48,53,2,25,0,233,72,76,239,158,251,181,114,254,166,85,<br>  195,11,179,248,53,150,58,138,93,86,76,171,41,...>><br>
11> [SPKI] = public_key:pem_decode(Bin2).<br>[#'SubjectPublicKeyInfo'{algorithm = <<48,73,48,19,6,7,42,<br>                                       134,72,206,61,2,1,<br>                                       6,8,42,134,72,206,<br>
                                       61,3,1,1,3,50,0,...>>,<br>                         subjectPublicKey = not_encrypted}]<br>12> #'SubjectPublicKeyInfo'{algorithm = Der} = SPKI.<br>#'SubjectPublicKeyInfo'{algorithm = <<48,73,48,19,6,7,42,<br>
                                      134,72,206,61,2,1,6,<br>                                      8,42,134,72,206,61,<br>                                      3,1,1,3,50,0,4,...>>,<br>                        subjectPublicKey = not_encrypted}<br>
14> RealSPKI = public_key:der_decode('SubjectPublicKeyInfo', Der).<br>#'SubjectPublicKeyInfo'{<br>    algorithm = <br>        #'AlgorithmIdentifier'{<br>            algorithm = {1,2,840,10045,2,1},<br>
            parameters = <<6,8,42,134,72,206,61,3,1,1>>},<br>    subjectPublicKey = <br>        {0,<br>         <<4,83,60,215,195,156,88,159,38,74,35,52,136,163,92,74,<br>           55,119,167,81,237,204,89,37,...>>}}<br>
15> #'SubjectPublicKeyInfo'{subjectPublicKey = {_, Octets}} = RealSPKI.<br>#'SubjectPublicKeyInfo'{<br>    algorithm = <br>        #'AlgorithmIdentifier'{<br>            algorithm = {1,2,840,10045,2,1},<br>
            parameters = <<6,8,42,134,72,206,61,3,1,1>>},<br>    subjectPublicKey = <br>        {0,<br>         <<4,83,60,215,195,156,88,159,38,74,35,52,136,163,92,74,<br>           55,119,167,81,237,204,89,37,...>>}}<br>
16> ECPoint = #'ECPoint'{point = Octets}.<br>#'ECPoint'{point = <<4,83,60,215,195,156,88,159,38,74,35,<br>                     52,136,163,92,74,55,119,167,81,237,<br>                     204,89,37,17,42,181,...>>}<br>
18> ECPublicKey = {ECPoint, ECParams}.<br>{#'ECPoint'{point = <<4,83,60,215,195,156,88,159,38,74,<br>                      35,52,136,163,92,74,55,119,167,81,<br>                      237,204,89,37,17,42,...>>},<br>
 {namedCurve,{1,2,840,10045,3,1,1}}}<br>19> public_key:verify(Msg, sha256, Sig, ECPublicKey).<br>true<br><br>=============================<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 26, 2013 at 7:38 PM, Ben Hood <span dir="ltr"><<a href="mailto:0x6e6562@gmail.com" target="_blank">0x6e6562@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I'd like to verify signatures signed with ec keys generated by openssl<br>
in Erlang.<br>
<br>
Using R16B01 I've been able to convince the public_key module to sign<br>
some data with an openssl generated private key thusly:<br>
<br>
{ok, Pem} = file:read_file("ec_private_key.pem"),<br>
[ECParameters,ECPrivateKey] = public_key:pem_decode(Pem),<br>
PrivateKey = public_key:pem_entry_decode(ECPrivateKey),<br>
Curve = public_key:pem_entry_decode({'EcpkParameters', Params, Enc}),<br>
Sig = public_key:sign(Message, sha512, PrivateKey).<br>
<br>
But when it comes to processing the public key, it is not entirely<br>
clear how to decode it. This is where I got to:<br>
<br>
{ok, Pem} = file:read_file("ec_public_key.pem"),<br>
[{_,Der,_}] = public_key:pem_decode(Pem),<br>
{_, _, {0, KeyDer}} = public_key:der_decode('SubjectPublicKeyInfo', Der),<br>
[179,52,127,201] = public_key:der_decode('ECPoint', KeyDer)<br>
%% This is where the story ends<br>
<br>
I've looked through the ASN.1 types available and there doesn't seem<br>
to be anything that resembles an ECPublicKey.<br>
<br>
Could anybody point me to a working example?<br>
<br>
Cheers,<br>
<br>
Ben<br>
</blockquote></div><br></div>
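<div>Added example, not part of the original thread: a hand-written DER walk over an EC SubjectPublicKeyInfo that shows where the id-ecPublicKey OID, the named-curve OID and the point octets sit, and returns the same {#'ECPoint'{}, {namedCurve, oid()}} term that the console log builds in step 18. The module name spki_ec, its function names and the sample point are assumptions made for illustration; only the header bytes in sample/0 come from the log above.</div>

```erlang
%% Added example, not from the original thread; names are hypothetical.
-module(spki_ec).
-export([decode/1, sample/0]).
-include_lib("public_key/include/public_key.hrl").

-define(TAG_SEQ, 16#30).
-define(TAG_OID, 16#06).
-define(TAG_BITSTR, 16#03).

%% SubjectPublicKeyInfo ::= SEQUENCE {
%%     algorithm        SEQUENCE { id-ecPublicKey OID, namedCurve OID },
%%     subjectPublicKey BIT STRING }   -- holds the EC point octets
%% Any other shape fails with badmatch instead of yielding a key.
decode(Der) ->
    {?TAG_SEQ, Spki, <<>>} = tlv(Der),
    {?TAG_SEQ, AlgId, KeyTlv} = tlv(Spki),
    {?TAG_OID, AlgOid, ParamsTlv} = tlv(AlgId),
    {1,2,840,10045,2,1} = oid(AlgOid),             % id-ecPublicKey
    {?TAG_OID, CurveOid, <<>>} = tlv(ParamsTlv),
    %% First content octet of a BIT STRING is the unused-bit count (0 here).
    {?TAG_BITSTR, <<0, Point/binary>>, <<>>} = tlv(KeyTlv),
    <<4, _/binary>> = Point,                       % 4 = uncompressed X||Y
    %% The point is not checked against the curve equation here.
    {#'ECPoint'{point = Point}, {namedCurve, oid(CurveOid)}}.

%% Split one tag-length-value off the front of a DER binary.
tlv(<<Tag, 0:1, Len:7, Value:Len/binary, Rest/binary>>) ->
    {Tag, Value, Rest};
tlv(<<Tag, 1:1, N:7, Len:N/integer-unit:8, Value:Len/binary, Rest/binary>>)
  when N > 0 ->
    {Tag, Value, Rest}.

%% Decode OID content octets into the tuple form public_key uses.
oid(<<First, Rest/binary>>) ->
    list_to_tuple([First div 40, First rem 40 | arcs(Rest, 0)]).

arcs(<<>>, 0) -> [];
arcs(<<1:1, B:7, Rest/binary>>, Acc) -> arcs(Rest, (Acc bsl 7) bor B);
arcs(<<0:1, B:7, Rest/binary>>, Acc) -> [(Acc bsl 7) bor B | arcs(Rest, 0)].

%% Constructed sample: the SPKI header bytes shown in the console log,
%% followed by a made-up 48-byte X||Y (not a real point on the curve).
sample() ->
    Header = <<48,73,48,19,6,7,42,134,72,206,61,2,1,
               6,8,42,134,72,206,61,3,1,1,3,50,0,4>>,
    <<Header/binary, (binary:copy(<<16#AB>>, 48))/binary>>.
```

<div>spki_ec:decode(spki_ec:sample()) returns a term whose second element is {namedCurve,{1,2,840,10045,3,1,1}}, the same curve OID that step 8 of the log decodes from the private key file.</div>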