How to generate ECDSA private and public key for DNSSEC using OpenSSL?


Question

I am trying to create private and public keys for DNSSEC algorithm 13:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ec.h>
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
#include <openssl/err.h>

/* The EC_KEY API is deprecated in OpenSSL 3.0 but still works; build with
 * -Wno-deprecated-declarations to silence the warnings. */
int main(void)
{
     EC_KEY *eckey = NULL;
     const EC_POINT *pub_key = NULL;
     const EC_GROUP *group = NULL;
     const BIGNUM *priv = NULL;
     BN_CTX *ctx = NULL;
     unsigned char priv_bytes[32];   /* P-256 scalar, fixed 32 bytes */
     char *pub_hex = NULL;
     int i;

     ctx = BN_CTX_new();
     /* Algorithm 13 (ECDSAP256SHA256) uses NIST P-256, i.e. prime256v1. */
     eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
     if (ctx == NULL || eckey == NULL || EC_KEY_generate_key(eckey) != 1) {
          ERR_print_errors_fp(stderr);
          return 1;
     }

     /* Left-pad to 32 bytes: BN_bn2hex() drops leading zero bytes, which
      * would produce a short private key roughly 1 time in 256. */
     priv = EC_KEY_get0_private_key(eckey);
     if (BN_bn2binpad(priv, priv_bytes, sizeof(priv_bytes)) < 0) {
          ERR_print_errors_fp(stderr);
          return 1;
     }
     printf("Private: ");
     for (i = 0; i < (int)sizeof(priv_bytes); i++)
          printf("%02X", priv_bytes[i]);
     printf("\n");

     /* POINT_CONVERSION_UNCOMPRESSED (4): 0x04 || X || Y, 65 bytes. */
     group = EC_KEY_get0_group(eckey);
     pub_key = EC_KEY_get0_public_key(eckey);
     pub_hex = EC_POINT_point2hex(group, pub_key, POINT_CONVERSION_UNCOMPRESSED, ctx);
     if (pub_hex == NULL) {
          ERR_print_errors_fp(stderr);
          return 1;
     }
     printf("Public: %s\n", pub_hex);

     OPENSSL_free(pub_hex);
     EC_KEY_free(eckey);
     BN_CTX_free(ctx);
     return 0;
}

Test:

$ gcc test.c -lcrypto
$ ./a.out | perl -MMIME::Base64 -pe 's/(?<=:\s)(.+)/encode_base64(pack "H*", $1)/e'
Private: PgO6atAv+YEuyvRvvuTyDf8kz7vp/hQKNdKJyvVVBoQ=

Public: BAPe3AhjpcMCQPpZzZeFRwVuR4su/cmd3Vl2zn+i2izEWxOdbww/3fw4yAi0yQUUhlvXZqTnaeol
OK03LOdsKkk=

(The Perl line just converts the hex notation to binary and then to base64.)

But if I set this private key in the DNS server (which accepts only the private key and generates the public key on the fly), it returns a public key which doesn't match the one returned by OpenSSL.

Key inside DNS server (PowerDNS):
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: PgO6atAv+YEuyvRvvuTyDf8kz7vp/hQKNdKJyvVVBoQ=

$ dig @127.0.0.1 +short example.com DNSKEY
257 3 13 A97cCGOlwwJA+lnNl4VHBW5Hiy79yZ3dWXbOf6LaLMRbE51vDD/d/DjI CLTJBRSGW9dmpOdp6iU4rTcs52wqSQ==

So, I got A97cCGOlwwJA+lnNl4VHBW5Hiy79yZ3dWXbOf6LaLMRbE51vDD/d/DjI CLTJBRSGW9dmpOdp6iU4rTcs52wqSQ== which doesn't match BAPe3AhjpcMCQPpZzZeFRwVuR4su/cmd3Vl2zn+i2izEWxOdbww/3fw4yAi0yQUUhlvXZqTnaeol OK03LOdsKkk=.

Why does this happen?

Answer

The two values are actually the same, except that OpenSSL adds a 0x04 prefix byte. This is a standard format: the 0x04 indicates that the point is in uncompressed form, and it is followed by the 32 bytes of the point's X coordinate and then 32 bytes for the Y coordinate, 65 bytes in total.

The DNS entry has just the X and Y coordinates, without the prefix byte, 64 bytes in total.

Since this extra byte is the first byte, it changes the alignment of the base64 encoding, and the two encoded values look quite different.

Comparing the values, first your value from OpenSSL:

$ echo BAPe3AhjpcMCQPpZzZeFRwVuR4su/cmd3Vl2zn+i2izEWxOdbww/3fw4yAi0yQUUhlvXZqTnaeolOK03LOdsKkk= | base64 -D | xxd
00000000: 0403 dedc 0863 a5c3 0240 fa59 cd97 8547  .....c...@.Y...G
00000010: 056e 478b 2efd c99d dd59 76ce 7fa2 da2c  .nG......Yv....,
00000020: c45b 139d 6f0c 3fdd fc38 c808 b4c9 0514  .[..o.?..8......
00000030: 865b d766 a4e7 69ea 2538 ad37 2ce7 6c2a  .[.f..i.%8.7,.l*
00000040: 49

Next the value from DNS:

$ echo A97cCGOlwwJA+lnNl4VHBW5Hiy79yZ3dWXbOf6LaLMRbE51vDD/d/DjICLTJBRSGW9dmpOdp6iU4rTcs52wqSQ== | base64 -D | xxd
00000000: 03de dc08 63a5 c302 40fa 59cd 9785 4705  ....c...@.Y...G.
00000010: 6e47 8b2e fdc9 9ddd 5976 ce7f a2da 2cc4  nG......Yv....,.
00000020: 5b13 9d6f 0c3f ddfc 38c8 08b4 c905 1486  [..o.?..8.......
00000030: 5bd7 66a4 e769 ea25 38ad 372c e76c 2a49  [.f..i.%8.7,.l*I

You can see that, except for the extra 0x04, the two values are the same.
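As an added example (not code from the question, the answer, or PowerDNS), the following Python script performs the conversion the answer describes in both directions, checks that the 64 decoded bytes really are a point on P-256 (a cheap way to catch a truncated or misaligned key before it reaches a signer), and pads the private scalar to its full 32-byte width, the width RFC 6605's examples use and a step the question's BN_bn2hex-based pipeline skips. The three base64 strings are the ones shown on this page; the curve constants are NIST P-256's published domain parameters.

```python
"""Convert between OpenSSL's uncompressed EC point (0x04 || X || Y) and the
DNSKEY public key field for DNSSEC algorithm 13 (X || Y), and sanity-check
the result. Added example; not code from the question or the answer.
"""
import base64

# From the page: OpenSSL's EC_POINT_point2hex output (65 bytes, base64), the
# DNSKEY field PowerDNS derived from the same key (64 bytes, base64), and the
# private scalar as written to the PowerDNS key file (32 bytes, base64).
OPENSSL_PUBLIC_B64 = "BAPe3AhjpcMCQPpZzZeFRwVuR4su/cmd3Vl2zn+i2izEWxOdbww/3fw4yAi0yQUUhlvXZqTnaeolOK03LOdsKkk="
DNSKEY_PUBLIC_B64 = "A97cCGOlwwJA+lnNl4VHBW5Hiy79yZ3dWXbOf6LaLMRbE51vDD/d/DjICLTJBRSGW9dmpOdp6iU4rTcs52wqSQ=="
PRIVATE_B64 = "PgO6atAv+YEuyvRvvuTyDf8kz7vp/hQKNdKJyvVVBoQ="

# NIST P-256 (secp256r1 / prime256v1) parameters, used only for the on-curve check.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = -3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
COORD_LEN = 32  # bytes per coordinate on a 256-bit curve


def openssl_point_to_dnskey(point: bytes) -> bytes:
    """Drop the 0x04 tag: the DNSKEY field is just X || Y (RFC 6605, section 4)."""
    if len(point) != 1 + 2 * COORD_LEN or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point tagged 0x04")
    return point[1:]


def dnskey_to_openssl_point(xy: bytes) -> bytes:
    """Prepend the 0x04 tag so OpenSSL's hex2point/oct2point accept the key."""
    if len(xy) != 2 * COORD_LEN:
        raise ValueError("expected 64 bytes (X || Y) for a P-256 DNSKEY")
    return b"\x04" + xy


def is_on_p256(xy: bytes) -> bool:
    """True if (X, Y) satisfies y^2 = x^3 - 3x + b (mod p)."""
    x = int.from_bytes(xy[:COORD_LEN], "big")
    y = int.from_bytes(xy[COORD_LEN:], "big")
    if x >= P256_P or y >= P256_P:
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def private_scalar_to_dnskey_b64(scalar_hex: str) -> str:
    """Base64 of the private scalar as a fixed 32-byte big-endian value.
    BN_bn2hex() drops leading zero bytes, so base64-encoding its output
    directly yields a short key about 1 time in 256; pad first."""
    return base64.b64encode(int(scalar_hex, 16).to_bytes(COORD_LEN, "big")).decode()


def dnskey_b64_from_openssl_b64(openssl_b64: str) -> str:
    """OpenSSL's base64 public key -> DNSKEY base64 public key, checked on-curve."""
    xy = openssl_point_to_dnskey(base64.b64decode(openssl_b64))
    if not is_on_p256(xy):
        raise ValueError("decoded key is not a point on P-256")
    return base64.b64encode(xy).decode()


def openssl_b64_from_dnskey_b64(dnskey_b64: str) -> str:
    """Reverse direction, e.g. to load a published DNSKEY into OpenSSL."""
    xy = base64.b64decode(dnskey_b64)
    if not is_on_p256(xy):
        raise ValueError("decoded key is not a point on P-256")
    return base64.b64encode(dnskey_to_openssl_point(xy)).decode()


def check_page_values() -> dict:
    """Re-run the comparison the answer did by hand, as named boolean results."""
    xy = openssl_point_to_dnskey(base64.b64decode(OPENSSL_PUBLIC_B64))
    priv_hex = base64.b64decode(PRIVATE_B64).hex()
    return {
        "dnskey_matches_dig": base64.b64encode(xy).decode() == DNSKEY_PUBLIC_B64,
        "roundtrip_matches_openssl": openssl_b64_from_dnskey_b64(DNSKEY_PUBLIC_B64) == OPENSSL_PUBLIC_B64,
        "public_on_curve": is_on_p256(xy),
        # The page's scalar already has 32 bytes, so padding is a no-op here.
        "private_roundtrip": private_scalar_to_dnskey_b64(priv_hex) == PRIVATE_B64,
    }


if __name__ == "__main__":
    for name, ok in check_page_values().items():
        print(f"{name}: {ok}")
    print("DNSKEY field:", dnskey_b64_from_openssl_b64(OPENSSL_PUBLIC_B64))
```

Run stand-alone it prints four True lines and the same DNSKEY field that dig returned. Feeding a compressed point (0x02/0x03 prefix, 33 bytes) or a 64-byte value that is not on the curve raises instead of silently producing a key that a resolver would reject.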
