opensslhyperledger-fabric

Any openssl command line to verify ECDSA prime256v1 certificate and private key match?


I'm now testing the hyperledger/fabric/core/comm/testdata/certs/generate.go to get the ECDSA prime256v1 certificate(Org1-cert.pem) and private key(Org1-key.pem). I want to use a openssl command line to test if the Org1-cert.pem mathes the Org1-key.pem, but don't know how? Any help appreciated. I've used the command, but the results don't match the same.

# openssl x509 -pubkey -in Org1-cert.pem -noout | openssl md5

(stdin)= 4f8782bbec9d258553f0c0c7c6879fef

# openssl pkey -pubout -in Org1-key.pem | openssl md5

(stdin)= 98c3ec3c2971648f2721915ff7e80479

more info about Org1-cert.pem and Org1-key.pem below:

# openssl x509 -in Org1-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:0a:7a:e4:31:6e:1b:57:68:48:26:d7:a0:c5:9c:da
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = California, L = San Francisco, O = Org1, CN = Org1
        Validity
            Not Before: Nov 13 09:09:06 2017 GMT
            Not After : Nov 11 09:09:06 2027 GMT
        Subject: C = US, ST = California, L = San Francisco, O = Org1, CN = Org1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ac:bb:17:91:91:1e:72:38:d2:aa:9a:2d:17:c8:
                    50:80:18:58:4a:a8:6a:40:0a:a8:2a:a8:58:33:46:
                    ae:2c:48:67:28:c7:af:59:09:92:01:68:15:cd:e5:
                    c0:84:d1:1e:3e:03:60:25:8b:55:89:3e:e9:e2:f1:
                    23:3e:e4:c4:c8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                01:02:03:04
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:b4:81:76:75:fe:a1:1c:14:94:3e:d6:eb:b3:
         43:02:27:32:46:2e:c0:6d:b7:94:3b:9d:a9:05:ad:c9:10:29:
         34:02:21:00:80:31:3c:00:18:b3:c0:be:1d:73:dc:ab:9b:aa:
         28:75:86:bc:2a:97:64:9d:65:5f:6f:6f:a0:c8:38:aa:2c:35

    # more Org1-key.pem

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDgnuzTIxFYZorg/lKBQxwpyXWH7zREzuO8Gle9p8CzQoAoGCCqGSM49
AwEHoUQDQgAEsYeTGiApHX1SJAZ7HmroVR1YNBH6wc0WqiNWO/N3XG/aWxksYLA8
s2asE88Z5EOWs1qMLig2nyv3CL0H2VI0zg==
-----END EC PRIVATE KEY-----

    # more Org1-cert.pem

-----BEGIN CERTIFICATE-----
MIIB8jCCAZegAwIBAgIQUAp65DFuG1doSCbXoMWc2jAKBggqhkjOPQQDAjBYMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzENMAsGA1UEChMET3JnMTENMAsGA1UEAxMET3JnMTAeFw0xNzExMTMw
OTA5MDZaFw0yNzExMTEwOTA5MDZaMFgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRPcmcx
MQ0wCwYDVQQDEwRPcmcxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLsXkZEe
cjjSqpotF8hQgBhYSqhqQAqoKqhYM0auLEhnKMevWQmSAWgVzeXAhNEePgNgJYtV
iT7p4vEjPuTEyKNDMEEwDgYDVR0PAQH/BAQDAgGmMA8GA1UdJQQIMAYGBFUdJQAw
DwYDVR0TAQH/BAUwAwEB/zANBgNVHQ4EBgQEAQIDBDAKBggqhkjOPQQDAgNJADBG
AiEAtIF2df6hHBSUPtbrs0MCJzJGLsBtt5Q7nakFrckQKTQCIQCAMTwAGLPAvh1z
3Kubqih1hrwql2SdZV9vb6DIOKosNQ==
-----END CERTIFICATE-----

Solution

  • You can verify that a certificate and any supported key (including an ECDSA prime256v1 key) match using OpenSSL.

    This command will get the public key from the certificate:

    openssl x509 -noout -pubkey -in Org1-cert.pem
    

    This command will get the public key from the key:

    openssl pkey -pubout -in Org1-key.pem
    

    You can compare them visually...

    OR you can automate the comparison of any cert and key as follows with Bash:

    1. Create a script called verify-cert-key:

      #!/usr/bin/env bash
      certFile="${1}"
      keyFile="${2}"
      certPubKey="$(openssl x509 -noout -pubkey -in "${certFile}")"
      keyPubKey="$(openssl pkey -pubout -in "${keyFile}")"
      if [[ "${certPubKey}" == "${keyPubKey}" ]]
      then
        echo "PASS: key and cert match"
      else
        echo "FAIL: key and cert DO NOT match"
      fi
      
    2. Make the script executable:

      chmod +x verify-cert-key
      
    3. Run it:

      ./verify-cert-key Org1-cert.pem Org1-key.pem
      

    CAVEAT: openssl on macOS Sierra doesn't have pkey

    On macOS Sierra, the script may say "FAIL: key and cert DO NOT match" even if they do.

    Verify that pkey is missing:

    openssl pkey -in
    

    If it is missing, you will see this:

    openssl:Error: 'pkey' is an invalid command.
    

    Followed by tons of other usage summary output from OpenSSL.

    You may also see "openssl:Error: 'pkey' is an invalid command."

    If pkey is missing, you'll need install a newer openssl and set your PATH accordingly.

    I installed a newer OpenSSL with Homebrew and set my PATH like this:

    export PATH=/usr/local/Cellar/openssl/1.0.2m/bin/:$PATH
    

    Verify that pkey is available:

    openssl pkey -in
    

    This should show pkey usage summary:

    Usage pkey [options]
    where options are
    

    Now the script should work as expected.