ECDsa - ASN1 corrupted data

I created an ECDsa private key with this command:

openssl ecparam -name prime256v1 -genkey -out private-key-02.der -outform DER -noout

and want to import it like this:

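open System.Security.Cryptography

let es = ECDsa.Create()
// Verbatim string so the backslashes in the path are not read as escapes (e.g. "\f")
let privKey = System.IO.File.ReadAllBytes @"Path\To\file\private-key-02.der"
// Expects a PKCS#8 PrivateKeyInfo structure
es.ImportPkcs8PrivateKey privKey |> ignore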

When I run the last line, I get this error:

System.Security.Cryptography.CryptographicException: ASN1 corrupted data.
 ---> System.Formats.Asn1.AsnContentException: The provided data is tagged with 'Universal' class value '4', but it should have been 'Universal' class value '16'.
   at System.Formats.Asn1.AsnDecoder.CheckExpectedTag(Asn1Tag tag, Asn1Tag expectedTag, UniversalTagNumber tagNumber)     
   at System.Formats.Asn1.AsnDecoder.ReadSequence(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Int32& contentOffset, Int32& contentLength, Int32& bytesConsumed, Nullable`1 expectedTag)
   at System.Formats.Asn1.AsnValueReader.ReadSequence(Nullable`1 expectedTag)
   at System.Security.Cryptography.Asn1.AlgorithmIdentifierAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, AlgorithmIdentifierAsn& decoded)
   at System.Security.Cryptography.Asn1.AlgorithmIdentifierAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, AlgorithmIdentifierAsn& decoded)
   --- End of inner exception stack trace ---
   at System.Security.Cryptography.Asn1.AlgorithmIdentifierAsn.Decode(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, AlgorithmIdentifierAsn& decoded)
   at System.Security.Cryptography.Asn1.AlgorithmIdentifierAsn.Decode(AsnValueReader& reader, ReadOnlyMemory`1 rebind, AlgorithmIdentifierAsn& decoded)
   at System.Security.Cryptography.Asn1.PrivateKeyInfoAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PrivateKeyInfoAsn& decoded)
   at System.Security.Cryptography.Asn1.PrivateKeyInfoAsn.Decode(Asn1Tag expectedTag, ReadOnlyMemory`1 encoded, AsnEncodingRules ruleSet)
   at System.Security.Cryptography.Asn1.PrivateKeyInfoAsn.Decode(ReadOnlyMemory`1 encoded, AsnEncodingRules ruleSet)      
   at System.Security.Cryptography.CngPkcs8.RewritePkcs8ECPrivateKeyWithZeroPublicKey(ReadOnlySpan`1 source)
   at System.Security.Cryptography.CngPkcs8.ImportPkcs8PrivateKey(ReadOnlySpan`1 source, Int32& bytesRead)
   at System.Security.Cryptography.ECDsaImplementation.ECDsaCng.ImportPkcs8PrivateKey(ReadOnlySpan`1 source, Int32& bytesRead)
   at <StartupCode$FSI_0011>.$FSI_0011.main@() in c:\Users\xxx.fs:line 13 
Stopped due to error

Am I creating the ECDsa private key wrong, or do I use the ECDsa class incorrectly?

The OpenSSL statement generates a private EC key in SEC1 format, while ImportPkcs8PrivateKey imports a private key in PKCS#8 format.

A SEC1 key can be imported with ImportECPrivateKey, i.e. replace ImportPkcs8PrivateKey with ImportECPrivateKey in the F# code.

Alternatively, the SEC1 key can be converted to a PKCS#8 key using OpenSSL:

openssl pkcs8 -topk8 -nocrypt -in <path to input-sec1-der> -inform DER -out <path to output-pkcs8-der> -outform DER
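
The following is an added example, not part of the original question or answer: a minimal DER check that tells the two formats apart by the element after the version INTEGER, which is the tag mismatch the exception reports (universal tag 4 is OCTET STRING, 16 is SEQUENCE). The function names and the sample keys are constructed for illustration; the scalar is a dummy value, not a real key.

```python
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def classify_ec_private_key(der):
    """Return 'sec1', 'pkcs8' or 'unknown' for a DER-encoded private key."""
    try:
        tag, body, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):  # outer element must be one SEQUENCE
            return "unknown"
        vtag, version, pos = read_tlv(body, 0)
        ntag, _, _ = read_tlv(body, pos)
    except (ValueError, IndexError):
        return "unknown"
    if vtag != 0x02:                        # first field is the version INTEGER
        return "unknown"
    # SEC1 ECPrivateKey: version 1, then OCTET STRING -> ImportECPrivateKey
    if version == b"\x01" and ntag == 0x04:
        return "sec1"
    # PKCS#8 PrivateKeyInfo: version, then AlgorithmIdentifier SEQUENCE
    # -> ImportPkcs8PrivateKey
    if version in (b"\x00", b"\x01") and ntag == 0x30:
        return "pkcs8"
    return "unknown"

def tlv(tag, content):
    """Encode one DER element (content shorter than 256 bytes)."""
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + head + content

# Constructed samples mirroring the two layouts for prime256v1.
P256_OID = tlv(0x06, bytes.fromhex("2a8648ce3d030107"))     # prime256v1
EC_KEY_OID = tlv(0x06, bytes.fromhex("2a8648ce3d0201"))     # id-ecPublicKey
SAMPLE_SEC1 = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, bytes(range(1, 33)))
                  + tlv(0xA0, P256_OID))
SAMPLE_PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, EC_KEY_OID + P256_OID)
                   + tlv(0x04, SAMPLE_SEC1))
```

The PKCS#8 sample wraps the SEC1 structure in an OCTET STRING, which is what the openssl pkcs8 -topk8 conversion produces.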
