Extracting EC Public Keys with OpenSSL

Posted in Software, Tutorial

In cryptography, handling and managing keys is a crucial task. The command below chains OpenSSL with standard command-line utilities to extract and format an elliptic curve (EC) public key. Let's break down the command to understand its purpose and functionality.

The Command

The primary purpose of this command is to extract the raw hexadecimal representation of an EC public key from a PEM file and format it into a single continuous string. This format is often used for further processing or integration into systems that require a specific key format.

$ openssl ec -pubin -in key.pem -noout -text 2>/dev/null \
  | grep '^    ' \
  | tr -d ' ' | tr -d ':' | tr -d '\n'

Commands Explained

OpenSSL EC Command

  • openssl ec: This is a command to process elliptic curve keys. It can be used to manage EC parameters and keys.
  • -pubin: Specifies that the input file is a public key. This flag tells OpenSSL to interpret the input as a public key rather than a private key.
  • -in key.pem: Indicates the input file containing the EC public key. Here, key.pem is the file where the key is stored.
  • -noout: Prevents OpenSSL from outputting the encoded version of the key. This is useful when you only want the textual representation.
  • -text: Outputs the key in a human-readable text format, displaying the key parameters and values.

Redirection and Piping

  • 2>/dev/null: Redirects standard error to /dev/null. This silences status lines such as "read EC key", which openssl writes to stderr, but it also hides genuine failures: if the key cannot be read, the pipeline prints nothing and gives no error message.
  • |: Pipes the output of one command to the input of the next. In this case, it passes the formatted key output to grep.

Grep Command

  • grep '^    ': Searches for lines that start with four spaces. This pattern typically matches the lines containing the actual key data in the output of the openssl ec -text command.

tr Command

  • tr -d ' ': Removes all spaces from the input.
  • tr -d ':': Removes all colons from the input. Colons often separate bytes in the key output.
  • tr -d '\n': Removes newline characters, resulting in a continuous string of hex digits.

Example Usage

We generate an ECDSA K1 (secp256k1) key and extract the public key. Executing the command on the public key file produces a single line of hexadecimal digits representing the key.

$ openssl ecparam -genkey -name secp256k1 -noout -out pri.pem
$ openssl ec -in pri.pem -pubout -out pub.pem

$ cat pri.pem 
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEILEaQWeTSkT/I8u/0A50pijmod/rmLYatdXqym871HytoAcGBSuBBAAK
oUQDQgAEyYiCja6tRkZJ2PSjafu6alQbYUHuKj4EhsU0wps0l5A8m1iEo6wfIwXR
v7cKQ02RB/WmSBuqDHKMvDlUISpo+Q==
-----END EC PRIVATE KEY-----

$ cat pub.pem 
-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEyYiCja6tRkZJ2PSjafu6alQbYUHuKj4E
hsU0wps0l5A8m1iEo6wfIwXRv7cKQ02RB/WmSBuqDHKMvDlUISpo+Q==
-----END PUBLIC KEY-----

$ openssl ec -pubin -in pub.pem -noout -text 
read EC key
Public-Key: (256 bit)
pub:
    04:c9:88:82:8d:ae:ad:46:46:49:d8:f4:a3:69:fb:
    ba:6a:54:1b:61:41:ee:2a:3e:04:86:c5:34:c2:9b:
    34:97:90:3c:9b:58:84:a3:ac:1f:23:05:d1:bf:b7:
    0a:43:4d:91:07:f5:a6:48:1b:aa:0c:72:8c:bc:39:
    54:21:2a:68:f9
ASN1 OID: secp256k1

$ openssl ec -pubin -in pub.pem -noout -text 2>/dev/null | grep '^    ' | tr -d ' ' | tr -d ':' | tr -d '\n'
04c988828daead464649d8f4a369fbba6a541b6141ee2a3e0486c534c29b3497903c9b5884a3ac1f2305d1bfb70a434d9107f5a6481baa0c728cbc3954212a68f9

This string can be used wherever a compact representation of the public key is needed, such as in certain cryptographic protocols or APIs.
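
An added example, not part of the original post: a POSIX sh wrapper around the pipeline above that takes only the lines under pub: and rejects anything that is not an uncompressed point (04 followed by the X and Y coordinates), so a failed read or a private-key dump cannot pass as a public key. The function names and the placeholder priv bytes in the sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample: layout of `openssl ec -noout -text` for a private key.
# The priv bytes are placeholders; the pub bytes are the ones shown on the page.
sample_private_dump() {
  cat <<'EOF'
Private-Key: (256 bit)
priv:
    aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:
    aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:
    aa:aa
pub:
    04:c9:88:82:8d:ae:ad:46:46:49:d8:f4:a3:69:fb:
    ba:6a:54:1b:61:41:ee:2a:3e:04:86:c5:34:c2:9b:
    34:97:90:3c:9b:58:84:a3:ac:1f:23:05:d1:bf:b7:
    0a:43:4d:91:07:f5:a6:48:1b:aa:0c:72:8c:bc:39:
    54:21:2a:68:f9
ASN1 OID: secp256k1
EOF
}

# stdin: `openssl ec ... -text` output; stdout: hex of the "pub:" block only.
# Unlike grep '^    ', indented lines under "priv:" are never included.
ec_text_to_hex() {
  awk '/^pub:/ { p = 1; next } /^[^ ]/ { p = 0 } p' | tr -d ' :\n'
}

# True if $1 is an uncompressed point: 04 || X || Y, lowercase hex,
# with X and Y of $2 bytes each (default 32, as for secp256k1).
valid_uncompressed_point() {
  case $1 in
    *[!0-9a-f]*) return 1 ;;
    04*) [ "${#1}" -eq $(( 2 * (1 + 2 * ${2:-32}) )) ] ;;
    *) return 1 ;;   # empty, compressed (02/03) or unexpected prefix
  esac
}

# $1: PEM public key file. Prints the hex point or fails with status 1, so an
# unreadable file does not turn into an empty string downstream.
ec_pub_hex() (   # subshell body keeps $hex out of the caller's scope
  hex=$(openssl ec -pubin -in "$1" -noout -text 2>/dev/null | ec_text_to_hex)
  if valid_uncompressed_point "$hex" "${2:-32}"; then
    printf '%s\n' "$hex"
  else
    echo "ec_pub_hex: no uncompressed EC point read from $1" >&2
    exit 1
  fi
)
```

Running ec_pub_hex pub.pem prints the same 130-character string as the pipeline above, while a missing or non-EC file produces no output on stdout and a non-zero exit status.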

Eric Ma
