[botan-devel] import openssl pkcs8 ecdsa key with Botan 1.10.1

Jack Lloyd lloyd at randombit.net
Mon Jul 9 15:25:49 EDT 2012


On Mon, Jul 09, 2012 at 09:08:41PM +0200, tobeki at gmx.de wrote:
> Thanks Jack,
> 
> >However that is not the case for the 5915 extensions,
> >they are for data we already have or can easily rederive, so they can
> >be safely ignored.
> 
> parameters [0] ECParameters {{ NamedCurve }} OPTIONAL
> publicKey  [1] BIT STRING OPTIONAL
> 
> so these optional parameters in 5915 are just needed for performance reasons?

The publicKey is purely an optimization which is useful in cases where
only the private key is conveyed but the public key is also needed.
In cases where it is not there and one needs the public key as well, a
point multiplication is required to rederive it.

Having the ECParameters available would be potentially useful in some
cases, for instance if someone was literally passing around an
ECPrivateKey. It is certainly important to know the precise curve that
the private key is associated with and not use it with multiple
curves, in which case having the curve included would be important.
However ordinarily an ECPrivateKey would not be passed around as is but
be packed into a PKCS #8 structure (or PKCS #12 or something). And at
least for PKCS #8 the parameters are already available at an outer
layer of the encoding, so including the parameters again would be
redundant (which is probably why OpenSSL includes the public key,
which is a SHOULD include per RFC 5915, but not the parameter set,
which is a MUST include).

-Jack
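
The layering described in this message, as an added example (not code from the post or from Botan): a minimal Python DER walk over a PKCS #8 EC key that reads the curve from the outer AlgorithmIdentifier, reports whether the RFC 5915 [0] and [1] fields are present, and rejects a key whose inner parameters name a different curve. The helper names, the mismatch policy and the sample blob (dummy scalar and point) are constructed for illustration.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7

def tlv(tag, body):
    """DER-encode one element (bodies under 256 bytes); builds the sample only."""
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def read_tlvs(buf):
    """Split DER bytes into (tag, value) pairs; single-byte tags, definite lengths."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated DER header")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: the low 7 bits count the length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def inspect_pkcs8_ec(der):
    """Locate the curve and optional RFC 5915 fields in a PKCS #8 EC private key."""
    (_, pki), = read_tlvs(der)
    _version, (_, alg), (_, wrapped) = read_tlvs(pki)[:3]
    (_, alg_oid), (ptag, outer_curve) = read_tlvs(alg)
    if alg_oid != ID_EC_PUBLIC_KEY or ptag != 0x06:
        raise ValueError("expected id-ecPublicKey with a named curve")
    (_, ec), = read_tlvs(wrapped)
    optional = dict(read_tlvs(ec)[2:])  # skip version and privateKey
    inner = optional.get(0xA0)          # [0] parameters, explicitly tagged
    if inner is not None and read_tlvs(inner) != [(0x06, outer_curve)]:
        raise ValueError("inner ECParameters disagree with the PKCS #8 curve")
    return {"curve_oid": outer_curve.hex(), "inner_parameters": inner is not None,
            "public_key": 0xA1 in optional}

def sample_key(inner_curve=None):
    """Constructed PKCS #8 blob with a dummy scalar and point, not a real key."""
    ec = tlv(0x02, b"\x01") + tlv(0x04, bytes(range(1, 33)))
    if inner_curve:
        ec += tlv(0xA0, tlv(0x06, inner_curve))
    ec += tlv(0xA1, tlv(0x03, b"\x00\x04" + bytes(64)))
    alg = tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x06, PRIME256V1))
    return tlv(0x30, tlv(0x02, b"\x00") + alg + tlv(0x04, tlv(0x30, ec)))

print(inspect_pkcs8_ec(sample_key()))  # OpenSSL-style: no inner parameters
```

The `curve_oid` value is the hex of the OID's DER content bytes, not the dotted form.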


