Reputation: 41106
I created a new key pair using
Botan::EC_Group ecgroup("brainpool512r1");
Botan::ECDH_PrivateKey privKey(CBotanInitEx::RNG(), ecgroup);
(compared to RSA, that was fast!)
Trying to serialize it using PKCS#8, as per recommendations here: https://botan.randombit.net/manual/pubkey.html#serializing-public-keys
datPubKey = Botan::X509::BER_encode(privKey);
txtPubKey = Botan::X509::PEM_encode(privKey);
datPrivKey = Botan::PKCS8::BER_encode(privKey, CBotanInitEx::RNG(), pwd);
txtPrivKey = Botan::PKCS8::PEM_encode(privKey, CBotanInitEx::RNG(), pwd);
I get an exception:
PK algo ECDH has no defined OIDs
even though botan initialization does pass this line:
add_oid(config, "1.3.36.3.3.2.8.1.1.13", "brainpool512r1");
How do I serialize an ECDH_PrivateKey?
Upvotes: 1
Views: 1099
Reputation: 93978
RSA - your previous algorithm - is used for authentication / signing, so I'd assume ECDSA here. In that case you should use ECDSA_PrivateKey instead of ECDH_PrivateKey. ECDSA can be used for authentication and signing, while ECDH is used for key agreement.
Diffie-Hellman key agreement is usually performed without static key pairs (the E in ECDHE and DHE in the SSL/TLS ciphersuites stands for ephemeral). So there should be no reason to serialize / store private keys for key agreement.
In a sense you do need to think ahead and ask yourself whether you need serialization at all. You shouldn't serialize keys - especially private keys - if serialization isn't needed. Instead you could just pass on the object handle.
Upvotes: 1