[英]Why ECDSA public key generated by OpenSSL doesn't match DNSKEY generated by DNS server?
我正在嘗試從 DNSSEC 算法 13 (ECDSAP256SHA256) 的已知私鑰中獲取公鑰。 我用了這個例子: https : //stackoverflow.com/a/17062076/3090865
為我的密鑰修改的內容如下:
// using figures on: https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses
// gcc -Wall ecdsapubkey.c -o ecdsapubkey -lcrypto
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ec.h>
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
int main()
{
EC_KEY *eckey = NULL;
EC_POINT *pub_key = NULL;
const EC_GROUP *group = NULL;
BIGNUM start;
BIGNUM *res;
BN_CTX *ctx;
BN_init(&start);
ctx = BN_CTX_new(); // ctx is an optional buffer to save time from allocating and deallocating memory whenever required
res = &start;
BN_hex2bn(&res,"589c51d2b528a99c1d19702f865284ec09e3e080606ddc3f56f0906268fd25e3");
eckey = EC_KEY_new_by_curve_name(NID_secp256k1);
group = EC_KEY_get0_group(eckey);
pub_key = EC_POINT_new(group);
EC_KEY_set_private_key(eckey, res);
/* pub_key is a new uninitialized `EC_POINT*`. priv_key res is a `BIGNUM*`. */
if (!EC_POINT_mul(group, pub_key, res, NULL, NULL, ctx))
printf("Error at EC_POINT_mul.\n");
EC_KEY_set_public_key(eckey, pub_key);
char *cc = EC_POINT_point2hex(group, pub_key, 4, ctx);
printf("%s", cc);
BN_CTX_free(ctx);
free(cc);
return 0;
}
試:
$ gcc -lcrypto t.c
$ ./a.out | perl -e 'print pack "H*", <>' | base64
BDdZbz79hEKFi9bIlExzZEqPQVhNqcjJqaWSWnoBTYn21XEL7y4YQXnB8N4JWAy33inTD1CyEI20
TusbH6MSxyc=
這是我在 DNS 服務器(PowerDNS)中的內容:
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: WJxR0rUoqZwdGXAvhlKE7Anj4IBgbdw/VvCQYmj9JeM=
獲取 DNSKEY 記錄:
$ dig @127.0.0.1 +short example.com DNSKEY
257 3 13 JELaKnxPV49rnxShsHbS8MX9rfJZcpRKgqCHUn1WYyDLcXGDYYEQ8soL I9OLVJFN5Gn/4TjXF6g0T1IEBsuFew==
而且它絕對與我使用 OpenSSL 獲得的密鑰不匹配。 為什么?
我沒有考慮到的主要問題是這些密鑰的長度不同:從 openssl 返回的密鑰是 65 字節長的二進制格式,而來自 DNS 服務器的密鑰是 64 字節長。 如果我在十六進制編輯器中查看兩個鍵的二進制表示,我可以看到它們僅在第一個字節上有所不同。 一些更詳細的解釋可以在這里找到: https : //stackoverflow.com/a/43742420/3090865
所以,這個C代碼可能會改寫成這樣(還有一點是使用了錯誤的曲線,應該是NID_X9_62_prime256v1):
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ec.h>
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
int main()
{
EC_KEY *eckey = NULL;
EC_POINT *pub_key = NULL;
const EC_GROUP *group = NULL;
BIGNUM start;
BIGNUM *res;
BN_CTX *ctx;
BN_init(&start);
ctx = BN_CTX_new(); // ctx is an optional buffer to save time from allocating and deallocating memory whenever required
res = &start;
BN_hex2bn(&res,"589c51d2b528a99c1d19702f865284ec09e3e080606ddc3f56f0906268fd25e3");
eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
group = EC_KEY_get0_group(eckey);
pub_key = EC_POINT_new(group);
EC_KEY_set_private_key(eckey, res);
/* pub_key is a new uninitialized `EC_POINT*`. priv_key res is a `BIGNUM*`. */
if (!EC_POINT_mul(group, pub_key, res, NULL, NULL, ctx))
printf("Error at EC_POINT_mul.\n");
EC_KEY_set_public_key(eckey, pub_key);
char *cc = EC_POINT_point2hex(group, pub_key, 4, ctx);
printf("%s", cc+2);
BN_CTX_free(ctx);
free(cc);
return 0;
}
現在它匹配:
$ ./a.out | perl -e 'print pack "H*", <>' | base64
JELaKnxPV49rnxShsHbS8MX9rfJZcpRKgqCHUn1WYyDLcXGDYYEQ8soLI9OLVJFN5Gn/4TjXF6g0
T1IEBsuFew==
為什么我無法使用 PEM_read_RSAPublicKey 讀取 openssl 生成的 RSA 公鑰?
[英]Why I can't read openssl generated RSA pub key with PEM_read_RSAPublicKey?
如何使用 OpenSSL 為 DNSSEC 生成 ECDSA 私鑰和公鑰?
[英]How to generate ECDSA private and public key for DNSSEC using OpenSSL?
為什么相同的生成匯編代碼不會導致相同的 output?
[英]Why doesn't the same generated assembler code lead to the same output?
用C / C ++生成的RSA OpenSSL密鑰可以用PHP解密嗎?
[英]Can an RSA OpenSSL key generated with C/C++ be decrypted with PHP?
為什么php通過mcrypt_encrypt()生成的密文長度與C通過openssl加密庫生成的密文長度不同
[英]Why the length of cipher text generated by php via mcrypt_encrypt() is different from the one generated by C via openssl encryption library
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.