I want to generate an ECDSA key pair and save it to a PEM file. Here's the code I use to generate the key.
#include <openssl/ec.h> // for EC_GROUP_new_by_curve_name, EC_GROUP_free, EC_KEY_new, EC_KEY_set_group, EC_KEY_generate_key, EC_KEY_free
#include <openssl/ecdsa.h> // for ECDSA_do_sign, ECDSA_do_verify
#include <openssl/obj_mac.h> // for NID_secp256k1
/*
* Function generate_eckey
* -----------------------
*
* This function generates an EC_Key object that stores the ECDSA key pair.
*
* return: ec key pair
*/
EC_KEY * generate_eckey() {
    EC_KEY *eckey = EC_KEY_new();
    EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp256k1);
    EC_KEY_set_group(eckey, ecgroup);
    EC_KEY_generate_key(eckey);
    return eckey;
}

int main() {
    // generate an eckey used to produce signatures
    EC_KEY *eckey = generate_eckey();
    return 0;
}
Now I have this key pair that can be used to sign and verify messages. What I want to do is save the information to a file so next time I can simply load it and use it.
I want to know how I can write and load the keys to a PEM file. Does OpenSSL have an existing function to do so? I have no preference for how the keys are encoded, as long as I can use them after loading. Any example would be great.
I want to know how can I write and load the keys to a PEM file? Does openssl have an existing function to do so?
Yes, OpenSSL has existing functions. For ASN.1/DER, use d2i_ECPrivateKey and d2i_EC_PUBKEY; and for PEM use PEM_read_ECPrivateKey and PEM_read_EC_PUBKEY. The write functions are similar and documented in the man pages.
d2i_* is "DER to internal", and it's used to read ASN.1/DER keys. The write functions use i2d_*, and it's "internal to DER". PEM does not use a cryptic prefix.
For an example of using d2i_* and PEM_* with RSA keys in a C++ program with the output, see Use OpenSSL RSA key with .Net. You can just swap-in your EC functions in place of the RSA ones.
EC_KEY * generate_eckey() {
    EC_KEY *eckey = EC_KEY_new();
    EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp256k1);
    EC_KEY_set_group(eckey, ecgroup);
    EC_KEY_generate_key(eckey);
    return eckey;
}
Related, when you write your EC keys, be sure to use a named curve by calling EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE). If you don't, then the keys could be of limited use. Also see Elliptic Curve Cryptography | Named Curves on the OpenSSL wiki.
Also, you are ignoring return values from functions like EC_KEY_new and EC_KEY_generate_key. You might want to rethink that strategy since those functions can fail for non-obvious reasons, like a policy setting. Also see the EC_KEY_new man pages.