I need to create ECDSA keys and used old OpenSSL code until now, which doesn't compile any more under OpenSSL 3; there are now lots of deprecation errors. I have now invested several days in searching and trying, but I can't solve it. I am trying the simple example [https://fm4dd.com/openssl/eckeycreate.shtm][1], but already the first lines create these errors:

WorkerThread.cpp(34,2): error C4996: 'ERR_load_BIO_strings': Since OpenSSL 3.0

WorkerThread.cpp(47,19): error C4996: 'EC_KEY_new_by_curve_name': Since OpenSSL 3.0

WorkerThread.cpp(54,2): error C4996: 'EC_KEY_free': Since OpenSSL 3.0

So the first idea would be to eliminate these compiler errors somehow. I found the switches

#define OPENSSL_API_COMPAT 30000

#define OPENSSL_NO_DEPRECATED

but they create even more errors, because now suddenly even the EC_KEY is unknown to the compiler. No solution.

So that leaves the hard way: trying to migrate the code somehow to OpenSSL 3, because there seems to be no example code on the whole internet for simply creating an ECDSA key with OpenSSL 3 and extracting the private and public parts. But just replacing single functions with a matching OpenSSL 3 function doesn't solve it, because the whole concept changes (switching from the low-level API to the high-level one, with a completely different programming model).

I have tried fiddling around with lots of examples, but it looks like my programming task that seems so simple is a very complicated thing. Any help is appreciated, but I want to stay in C/C++ because my application is performance critical.

Environment: MS Win10, MS Visual Studio 2019, latest OpenSSL 3

[1]: https://fm4dd.com/openssl/eckeycreate.shtm

WorkerThread.cpp(34,2): error C4996: 'ERR_load_BIO_strings': Since OpenSSL 3.0

You don't need to call any of those initialisation functions. Just remove them from your code. They are not needed with any version of OpenSSL from 1.1.0 onwards.

In the example, all of the code for getting an EC_GROUP, creating an EC_KEY, generating a key, setting the OPENSSL_EC_NAMED_CURVE flag and assigning it to an EVP_PKEY can be completely removed. Replace it with a simple call to EVP_EC_gen(). See the man page here:

https://www.openssl.org/docs/man3.0/man3/EVP_EC_gen.html

E.g. all of that code can be replaced with something like

/* Generate a key on the named curve; returns NULL on failure. */
pkey = EVP_EC_gen("secp521r1");
if (pkey == NULL) {
    BIO_printf(outbio, "Error generating the ECC key.");
    abort();
}

Thanks for that hint, Matt! The function yields no error. But how to extract the private and public key out of the pkey, as EC_KEY_get0_public_key() wants a low level EC_KEY, and is deprecated (your link declares this)?
– TheRealAlex
Jan 7, 2022 at 19:34

In what format do you want the private key and public key? The example code you linked to already shows you how to write them out as a PEM file (PEM_write_bio_PrivateKey() and PEM_write_bio_PUBKEY()). Or you can get the public key in an encoded point format, and the private key as a BIGNUM using the OSSL_PKEY_PARAM_PUB_KEY and OSSL_PKEY_PARAM_PRIV_KEY parameters. See these man pages: openssl.org/docs/man3.0/man3/EVP_PKEY_get_bn_param.html and openssl.org/docs/man3.0/man7/EVP_PKEY-EC.html
– Matt Caswell
Jan 7, 2022 at 22:19

Where did you find that "secp521r1" is an acceptable argument? Is there a list that's available somehow?
– Paul Rubel
Mar 23, 2022 at 17:16

Hmm. It seems the man pages don't list this (I raised an issue about it: github.com/openssl/openssl/issues/17953). In practice OpenSSL supports all the recommended NIST curves (nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf), any SEC curve (secg.org/sec2-v2.pdf) and any Brainpool curve (datatracker.ietf.org/doc/html/rfc5639) as well as various miscellaneous others. Just use the standard NIST, SEC or Brainpool name and OpenSSL will find it.
– Matt Caswell
Mar 23, 2022 at 23:21
        
