Is there any way to generate, sign, verify, and use ECDH keys with OpenSSL on the command line? I'm somewhat familiar with the normal Diffie-Hellman facilities that the utility provides, but I cannot see anything about the elliptic curve variant.
1 Answer
For signatures you would need ECDSA, not ECDH – the latter is a key exchange algorithm, mostly used for encryption.
There's openssl dgst -sign:
openssl dgst -sha256 -sign <priv_key_file> -out <sig_file> <data_file>
There's also openssl pkeyutl:
openssl pkeyutl -sign -in <data_file> -inkey <priv_key_file> -out <sig_file>
(Note that pkeyutl only supports SHA1 with ECDSA; -pkeyopt digest:sha256 is only accepted with RSA keys. Meanwhile dgst seems to work with all digests, but I'm not 100% sure about it.)
Other tools exist, such as ecdsatool.
If you have an ECDSA-based X.509 certificate, you would want openssl cms.
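The asker's actual goal (per the comments) is to sign an ECDH public key so the receiving party can verify it before using it. The script below is an added example, not part of the answer above or of OpenSSL's own documentation: it generates P-256 key pairs with openssl genpkey, signs each party's ECDH public key with a separate long-term ECDSA key using the openssl dgst -sha256 -sign form from the answer, verifies the signature with openssl dgst -verify, derives the shared secret on both sides with openssl pkeyutl -derive, and checks that a substituted public key is rejected by the old signature. File names, the curve choice, and the two-party layout are assumptions made here; it assumes an OpenSSL CLI new enough to have genpkey and pkeyutl (1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the original answer): generate P-256 keys,
# sign an ECDH public key with a separate ECDSA key, verify it, and
# derive the shared secret on both sides. Assumes an OpenSSL CLI with
# genpkey/pkeyutl (1.0.2 or later). All file names are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Generate one EC key pair on P-256: $1.pem (private, PKCS#8) and $1_pub.pem (public).
# Used both for the long-term ECDSA signing key and for the ECDH key-agreement key.
gen_ec_keypair() {   # $1 = base name
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.pem" 2>/dev/null
    openssl pkey -in "$1.pem" -pubout -out "$1_pub.pem"
}

# Sign a file (here: the ECDH public key) with an ECDSA private key over a SHA-256 digest.
sign_file() {        # $1 = signing private key, $2 = file to sign, $3 = signature output
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify a signature; exit status 0 on "Verified OK", non-zero otherwise.
verify_file() {      # $1 = signing public key, $2 = signed file, $3 = signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Derive the ECDH shared secret from our private key and the peer's public key.
derive_secret() {    # $1 = own private key, $2 = peer public key, $3 = output file
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2" -out "$3"
}

# End to end: each party signs its ECDH public key with its long-term ECDSA key,
# the receiver verifies before using the key, then both derive the same secret.
ecdh_exchange_ok() {
    gen_ec_keypair alice_sign; gen_ec_keypair alice_ecdh
    gen_ec_keypair bob_sign;   gen_ec_keypair bob_ecdh
    sign_file alice_sign.pem alice_ecdh_pub.pem alice_ecdh.sig
    sign_file bob_sign.pem   bob_ecdh_pub.pem   bob_ecdh.sig
    verify_file alice_sign_pub.pem alice_ecdh_pub.pem alice_ecdh.sig || return 1
    verify_file bob_sign_pub.pem   bob_ecdh_pub.pem   bob_ecdh.sig   || return 1
    derive_secret alice_ecdh.pem bob_ecdh_pub.pem   alice_secret.bin
    derive_secret bob_ecdh.pem   alice_ecdh_pub.pem bob_secret.bin
    cmp -s alice_secret.bin bob_secret.bin   # the 32-byte P-256 shared secret must match
}

# Substitution check: a different public key must fail verification against Alice's
# existing signature, which is exactly what protects the exchange from key swapping.
tampered_key_rejected() {
    gen_ec_keypair mallory_ecdh
    if verify_file alice_sign_pub.pem mallory_ecdh_pub.pem alice_ecdh.sig; then
        return 1   # the signature accepted a key it does not cover: must never happen
    fi
    return 0
}

if ecdh_exchange_ok && tampered_key_rejected; then
    echo "signed ECDH exchange verified; shared secret ($(wc -c < alice_secret.bin) bytes) matches"
fi
```

The receiving side should run the equivalent of verify_file and stop on any non-zero status before feeding the peer key to pkeyutl -derive; the raw output of -derive is the bare shared point x-coordinate and is normally fed through a KDF (for example openssl kdf or HKDF in the application) rather than used directly as a key.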
Yes, the elliptic curve Diffie-Hellman public key file so it can be verified by the receiving party. – Melab, commented Apr 6, 2016 at 20:16
Well, you sign DH keys just like you would sign any other data. And that depends on what kind of signing key you have... – commented Apr 6, 2016 at 20:17