Identify EC curve in certificate using openssl api

Question

I am trying to display some certificate information on the screen and curve used for key generation is giving me trouble. In the certificate example curve used is properly identified as prime256v1. However I would like to obtain this information using the the OpenSsl api. What function accomplishes this?

I am using ManagedOpenSsl but it does not really matter. The thing is I could find examples in C for every other problem I had, but not for this one.

Answer 1

The OpenSSL wiki has a page with some of this stuff at Elliptic Curve Cryptography. Most of the EC functions you need are in <openssl src dir>/crypto/ec/ec.h.

You have to extract the public key from the certificate with EVP_PKEY* pkey=X509_get_pubkey(x509).

Check the key type with EVP_PKEY_get_type(pkey). It should return EVP_PKEY_EC. You need to write EVP_PKEY_get_type. Here it is:

int EVP_PKEY_get_type(EVP_PKEY *pkey)
{
    ASSERT(pkey);
    if (!pkey)
        return NID_undef;

    return EVP_PKEY_type(pkey->type);
}

You fetch the key with EC_KEY* key = EVP_PKEY_get1_EC_KEY(pkey). Since its a get1, it bumps the reference count on the EC_KEY*. Be sure to call EC_KEY_free on it. (A get0 would not require a free).

If OPENSSL_EC_NAMED_CURVE is set, then you can use EC_GROUP_get_curve_name. It will return a NID for for the curve used (more correctly, the domain parameters). For example, prime256v1 will return NID_X9_62_prime256v1.

Otherwise, you need to fetch the domain parameters like curve, G, h, etc one-by-one with EC_GROUP_get_curve_GFp (or EC_GROUP_get_curve_GF2m), EC_GROUP_get_order, and friends.

OPENSSL_EC_NAMED_CURVE is a flag. You can fetch the flags with EC_GROUP_get_asn1_flag and test for it with flag & OPENSSL_EC_NAMED_CURVE.

You can see an example of both named curves and non-named curves at Named Curves. More than likely, you will have a named curve. In the case of OpenSSL, omitting the OPENSSL_EC_NAMED_CURVE flag results in a handshake failure.