ECDH using OpenSSL
-
Can anyone help me with the ECDH OpenSSL command prompt code for generating a shared secret? I have used this, but I got an error message:
openssl pkeyutl -derive -inkey musicpriv.pem -peerkey pubeckey.pem -out sharedsecret.bin | openssl dgst -sha256
-
When having such problems it is always helpful to show the error message. First step is reading the manual page for the commands and understanding what they are doing: pkeyutl(1): public key algorithm utility - Linux man page; dgst(1): message digests - Linux man page. You can read them also at a shell prompt by entering man pkeyutl resp. man dgst. You should also know about shell commands (piping in your case). The pipe operator | sends the standard output of the first command to the standard input of the second. So a first check might be executing the first command only to see if the error occurs there. You are writing the result of the first command to a file (option -out sharedsecret.bin). So the output on screen is just error or success messages. Passing these to another program using the pipe operator usually makes no sense. So a possible solution might be omitting the output to file for the first command (untested):
openssl pkeyutl -derive -inkey musicpriv.pem -peerkey pubeckey.pem | openssl dgst -sha256
Another solution might be using the created file as input for the second command:
openssl pkeyutl -derive -inkey musicpriv.pem -peerkey pubeckey.pem -out sharedsecret.bin && openssl dgst -sha256 sharedsecret.bin
Note the usage of the && operator here. It is a shell command concatenation where the second command is only executed when the first was successful.
-
-
Hi Jochen, thanks for the response. I use Windows (not Linux) and I have read through the manual page on "www.openssl.org" but I don't quite understand the basic uses of the "pkeyutl command". This was the command line used and the error message I got when I used it:
openssl pkeyutl -derive -inkey musicpriv.pem -peerkey pubeckey.pem -out sharedsecret.bin | openssl dgst -sha256
Error Message = openssl:Error: 'pkeyutl' is an invalid command.
NB: Though a hash value was generated, but not as specified. Thank you again for your great help.
What I have said about piping and command concatenation applies also to the Windows command interpreter. So you should follow my advice about using piping or files, but not mixing them. However, your actual problem is not related to that but occurs before. It looks like your openssl.exe does not support the pkeyutl command. To check this you can list the available commands:
openssl list-standard-commands
All I can suggest is to check your Windows OpenSSL installation and try to ask where you got it from. BTW: There is no -peerkey option for the pkeyutl command (OpenSSL 1.0.1f on Ubuntu 14.04):
joe@raspi-cross:~$ openssl pkeyutl -help
Usage: pkeyutl [options]
-in file input file
-out file output file
-sigfile file signature file (verify operation only)
-inkey file input key
-keyform arg private key format - default PEM
-pubin input is a public key
-certin input is a certificate carrying a public key
-pkeyopt X:Y public key options
-sign sign with private key
-verify verify with public key
-verifyrecover verify with public key, recover original data
-encrypt encrypt with public key
-decrypt decrypt with private key
-derive derive shared secret
-hexdump hex dump output
-engine e use engine e, possibly a hardware device.
-passin arg pass phrase source
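As an added example (not from this thread, and not OpenSSL's own documentation), here is the full ECDH round trip the question is after, written for a POSIX shell: two constructed key pairs are generated, each side derives the secret with pkeyutl -derive from its own private key and the other side's public key, and both raw secrets are hashed with dgst -sha256 and compared. The names alice/bob, the curve prime256v1 and the temporary directory are assumptions; it requires an openssl binary that knows the pkeyutl command (OpenSSL 1.0.0 or later).

```shell
#!/bin/sh
# Added example: end-to-end ECDH with the OpenSSL CLI. Key names and the
# curve are constructed for the demo, not taken from the thread.

# SHA-256 of a file as bare hex. -r prints "hex *file" on both OpenSSL 1.x
# and 3.x, so the output prefix does not change between versions.
sha256_hex() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Derive a shared secret: -inkey is our PRIVATE key, -peerkey is the peer's
# PUBLIC key in PEM form. Output is raw binary, so it goes to a file.
derive_secret() {
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2" -out "$3"
}

# Runs the round trip; prints "match" and returns 0 when both sides agree.
ecdh_round_trip() {
    work=$(mktemp -d) || return 1
    for side in alice bob; do
        # Private key on the chosen curve, then the matching public key.
        openssl ecparam -name prime256v1 -genkey -noout \
            -out "$work/$side.pem" || return 1
        openssl ec -in "$work/$side.pem" -pubout \
            -out "$work/$side.pub.pem" 2>/dev/null || return 1
    done
    derive_secret "$work/alice.pem" "$work/bob.pub.pem" "$work/ab.bin" || return 1
    derive_secret "$work/bob.pem" "$work/alice.pub.pem" "$work/ba.bin" || return 1
    # Hash the raw secret rather than using it directly: the ECDH output is
    # a curve coordinate, not a uniformly random key, so a hash/KDF step
    # comes before any use as a symmetric key.
    ab=$(sha256_hex "$work/ab.bin")
    ba=$(sha256_hex "$work/ba.bin")
    rm -rf "$work"
    if [ -n "$ab" ] && [ "$ab" = "$ba" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch" >&2
    return 1
}
```

Running ecdh_round_trip prints match; a build whose openssl lacks pkeyutl (the situation in the question) fails at the derive step with the same "invalid command" error, which is the first thing to check with openssl version and openssl list-standard-commands.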