Hi Matt, I'm trying to craft a client hello packet using a C program. I'm learning about these keys, openssl, TLS etc.
So

  openssl ecparam -name secp256r1 -genkey -out pvtkey.pem
  openssl ec -in pvtkey.pem -pubout -out pubkey.pem
  openssl pkey -in pubkey.pem -pubin -noout -text

will give me the 65 bytes. Understood. Thanks a lot. Now I need to explore C APIs for getting those keys as a hex array. Could you please suggest any good references for beginners?

Regards
--
Lokesh Chakka.

On Wed, Jun 19, 2024 at 4:21 PM Matt Caswell <m...@openssl.org> wrote:
>
>
> On 19/06/2024 09:15, Lokesh Chakka wrote:
> > hello,
> >
> > I'm trying to generate public/private keys with the following commands:
> >
> > openssl ecparam -name secp256r1 -genkey -out pvtkey.pem
> > openssl ec -in pvtkey.pem -pubout
> >
> > I'm seeing the size of the private key as 164 bytes and the public key as
> > 124 bytes.
> >
> > In a Wireshark capture (attached), I'm seeing the key length as 65 bytes.
>
> What you are doing is confusing. You have generated a public/private key
> pair for secp256r1 - but the wireshark capture you show seems to be the
> key share from a TLSv1.3 handshake. TLSv1.3 key shares are ephemeral so
> - you'll get a different key share every time. You don't need to create
> a public/private key for this. OpenSSL does it for you.
>
> Anyway. Taking the key that you generated:
>
> -----BEGIN PUBLIC KEY-----
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVSmp4UnlQbzbe6eopByeEUzkmYHP
> GgaKvSt/xdAgvDp7FXKTpST8UM9LpF8f4JETOXgDDGvNlIDqVFo+T0hdtQ==
> -----END PUBLIC KEY-----
>
> This is just a PEM encoding of the real key (base 64 encoding of DER
> structured data in PEM headers). Not sure where you get 124 bytes from,
> but you can take a look at the actual key data like this:
>
> $ openssl pkey -in /tmp/key.pem -pubin -noout -text
> Public-Key: (256 bit)
> pub:
>     04:55:29:a9:e1:49:e5:41:bc:db:7b:a7:a8:a4:1c:
>     9e:11:4c:e4:99:81:cf:1a:06:8a:bd:2b:7f:c5:d0:
>     20:bc:3a:7b:15:72:93:a5:24:fc:50:cf:4b:a4:5f:
>     1f:e0:91:13:39:78:03:0c:6b:cd:94:80:ea:54:5a:
>     3e:4f:48:5d:b5
> ASN1 OID: prime256v1
> NIST CURVE: P-256
>
> This shows you the 65 bytes of raw public key data contained within the
> key file.
>
> This key is in "uncompressed" format (the 04 byte at the start indicates
> this). Since it is uncompressed we then get an x and a y value to
> indicate the point on the curve. Each of these is 32 bytes long (256
> bits) - so this gives you 65 bytes in total.
>
> Matt
>
>
>
> > Can someone help me understand why the difference?
> >
> > Thanks & Regards
> > --
> > Lokesh Chakka.
>
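Added example (not part of the thread, and not OpenSSL code): the C program below shows, byte for byte, what Matt describes. It base64-decodes the PEM body he pasted, walks the resulting DER SubjectPublicKeyInfo (SEQUENCE { AlgorithmIdentifier, BIT STRING }) by hand, checks that the BIT STRING has zero unused bits and that the point starts with the 0x04 "uncompressed" marker, and returns the 65 bytes (0x04 || X || Y) as an array ready to be pasted into a key_share extension. The minimal DER walker and base64 decoder are written for this example only; they accept exactly this SPKI shape and reject anything else (compressed points, other lengths), which is intentional. In a real client you would let OpenSSL do this: PEM_read_bio_PUBKEY() plus EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, ...) (OpenSSL 3.x) return the same 65 bytes, and for a TLS 1.3 key share OpenSSL generates the ephemeral key itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base64 body of the P-256 public key pasted in the thread: a DER
 * SubjectPublicKeyInfo = SEQUENCE { AlgorithmIdentifier, BIT STRING }. */
static const char PEM_BODY[] =
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVSmp4UnlQbzbe6eopByeEUzkmYHP"
    "GgaKvSt/xdAgvDp7FXKTpST8UM9LpF8f4JETOXgDDGvNlIDqVFo+T0hdtQ==";

#define P256_POINT_LEN 65   /* 0x04 || X (32 bytes) || Y (32 bytes) */

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 ('=' padding allowed, whitespace skipped). Returns the number
 * of bytes written, or 0 on a bad character or if outcap is too small. */
size_t b64_decode(const char *in, uint8_t *out, size_t outcap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in; in++) {
        if (*in == '=') break;
        if (*in == '\n' || *in == '\r' || *in == ' ') continue;
        int v = b64val((unsigned char)*in);
        if (v < 0) return 0;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return 0;
            out[n++] = (uint8_t)((acc >> bits) & 0xff);
        }
    }
    return n;
}

/* Read one DER tag/length header from p[0..n). Short form and 1- or 2-byte
 * long-form lengths only. Fails unless the whole content fits in the buffer. */
static int der_hdr(const uint8_t *p, size_t n, uint8_t *tag, size_t *len, size_t *hdr)
{
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80)                  { *len = p[1];                          *hdr = 2; }
    else if (p[1] == 0x81 && n >= 3)  { *len = p[2];                          *hdr = 3; }
    else if (p[1] == 0x82 && n >= 4)  { *len = ((size_t)p[2] << 8) | p[3];    *hdr = 4; }
    else return 0;
    return *hdr + *len <= n;
}

/* Extract the raw EC public point from a DER SubjectPublicKeyInfo.
 * Returns 65 and fills point[] for an uncompressed P-256 key, 0 otherwise
 * (wrong structure, non-zero unused bits, compressed point, other size). */
size_t spki_ec_point(const uint8_t *der, size_t n, uint8_t point[P256_POINT_LEN])
{
    uint8_t tag; size_t len, hdr;

    if (!der_hdr(der, n, &tag, &len, &hdr) || tag != 0x30) return 0;   /* outer SEQUENCE */
    const uint8_t *p = der + hdr, *end = p + len;

    /* AlgorithmIdentifier SEQUENCE (ecPublicKey OID + prime256v1 OID): skip it */
    if (!der_hdr(p, (size_t)(end - p), &tag, &len, &hdr) || tag != 0x30) return 0;
    p += hdr + len;

    /* BIT STRING: first content byte is the count of unused bits, must be 0 */
    if (!der_hdr(p, (size_t)(end - p), &tag, &len, &hdr) || tag != 0x03) return 0;
    p += hdr;
    if (len != 1 + P256_POINT_LEN || p[0] != 0x00) return 0;
    p++;
    if (p[0] != 0x04) return 0;   /* 0x02/0x03 would mean a compressed point */
    memcpy(point, p, P256_POINT_LEN);
    return P256_POINT_LEN;
}

/* Convenience: decode the thread's PEM body and return its 65-byte point. */
size_t thread_key_point(uint8_t point[P256_POINT_LEN])
{
    uint8_t der[256];
    size_t n = b64_decode(PEM_BODY, der, sizeof der);
    return n ? spki_ec_point(der, n, point) : 0;
}

int main(void)
{
    uint8_t pt[P256_POINT_LEN];
    if (thread_key_point(pt) != P256_POINT_LEN) { fprintf(stderr, "bad key\n"); return 1; }
    /* Print as a C initializer, the form you would drop into a key_share entry */
    printf("static const unsigned char key_share[%d] = {\n", P256_POINT_LEN);
    for (size_t i = 0; i < P256_POINT_LEN; i++)
        printf("0x%02x,%s", pt[i], (i % 16 == 15 || i == P256_POINT_LEN - 1) ? "\n" : " ");
    printf("};\n/* byte 0 = 0x04 marker, bytes 1..32 = X, bytes 33..64 = Y */\n");
    return 0;
}
```

The decode of the 122 significant base64 characters gives 91 DER bytes (2-byte outer header + 21-byte AlgorithmIdentifier + 68-byte BIT STRING), which is where the "65 bytes in the capture vs. larger file on disk" difference comes from: the file carries the PEM armour, the DER framing and the curve OID around the point, while the TLS key_share carries only the point.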