03-10-2017 07:16 AM - edited 03-10-2019 12:47 AM
Hello,
I'm working on an automation script to generate EC key pairs with OpenSSL to import into an ESR router at a later time. However, I'm having some trouble importing the key. When I try to import the key pair it will always fail. A moment after attempting to import the key, an error gets printed that says, "Error in parsing."
Anyone have some insight into this?
I was able to find out what curve is in use by IOS by doing 'openssl asn1parse':
root@qemu1:~# openssl asn1parse -in good.pub
0:d=0 hl=2 l= 89 cons: SEQUENCE
2:d=1 hl=2 l= 19 cons: SEQUENCE
4:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
13:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
23:d=1 hl=2 l= 66 prim: BIT STRING
When using that curve the key import fails:
Router(config)#crypto key import ec ec-test terminal <redacted>
% Enter PEM-formatted public Signature key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm3b940n7sin8SEE2U6TN/gyPKSRs
o6Khy1J/mxJ2kSSvBZRuyBnrL5jFoutjsRn6j6rTO5/1vEeN64wDJVK3VQ==
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private Signature key.
% End with "quit" on a line by itself.
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,16B60A2A186C4B82
DGbtlaIa/8/EoHfbOl8fu4JxrgjxyDm14UbM+p6vGFKD9dTjFUMer479xXGmEJUC
KFQdiYrIKGHjjJ2JnLQKeLEpOWd7pBUknW7D9E68kjIWSueCAUivKJkq6o+dIgNL
oXNLN4CeMXWhfcFJmJyuKkJ+DfmkeUNl/UzLHJjngYM=
-----END EC PRIVATE KEY-----
quit
% Key pair import failed.
Router(config)#
*Mar 10 16:28:20.886: Error in parsing 524
These are the OpenSSL commands used:
# generate a prime256v1 (P-256) private key, parameters not embedded
openssl ecparam -genkey -name prime256v1 -noout -out test.prv
# derive the SubjectPublicKeyInfo public key (PEM "PUBLIC KEY" block)
openssl ec -in test.prv -pubout -out test.pub
# write the private key as a DES-CBC encrypted "EC PRIVATE KEY" PEM block
openssl ec -in test.prv -out test.prv.enc -des -passout pass:<redacted>
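As an added example (not part of the original post), a dependency-free Python equivalent of the `openssl asn1parse` check above: it decodes the PEM public key exactly as posted, walks the DER SubjectPublicKeyInfo, and reports the algorithm OID, the named-curve OID and the point encoding. The `parse_ec_spki` helper and the small curve table are assumptions of mine, not IOS or OpenSSL code; the key bytes are the ones from the thread.

```python
import base64

# Public key exactly as posted in the thread (prime256v1 SubjectPublicKeyInfo).
POSTED_PUB_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm3b940n7sin8SEE2U6TN/gyPKSRs
o6Khy1J/mxJ2kSSvBZRuyBnrL5jFoutjsRn6j6rTO5/1vEeN64wDJVK3VQ==
-----END PUBLIC KEY-----"""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"          # id-ecPublicKey
NAMED_CURVES = {                                 # small table, assumption: only these three
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}


def pem_to_der(pem, label="PUBLIC KEY"):
    """Strip the PEM armour and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError("unexpected PEM armour")
    return base64.b64decode("".join(lines[1:-1]))


def read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end


def decode_oid(content):
    """Decode DER OID content bytes to dotted notation."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_ec_spki(der):
    """Parse SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    tag, s, e = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg_s, alg_e = read_tlv(der, s)         # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_s, oid_e = read_tlv(der, alg_s)     # algorithm OID
    if tag != 0x06:
        raise ValueError("expected algorithm OID")
    algorithm = decode_oid(der[oid_s:oid_e])
    if algorithm != ID_EC_PUBLIC_KEY:
        raise ValueError(f"not an EC public key: {algorithm}")
    tag, prm_s, prm_e = read_tlv(der, oid_e)     # ECParameters: namedCurve OID or explicit SEQUENCE
    if tag == 0x06:
        curve_oid = decode_oid(der[prm_s:prm_e])
        curve = NAMED_CURVES.get(curve_oid, "unknown named curve")
    elif tag == 0x30:
        curve_oid, curve = None, "explicit parameters"   # many importers accept named curves only
    else:
        raise ValueError("unexpected ECParameters encoding")
    tag, bs, be = read_tlv(der, alg_e)           # subjectPublicKey BIT STRING
    if tag != 0x03 or der[bs] != 0x00:
        raise ValueError("expected BIT STRING with no unused bits")
    point = der[bs + 1:be]
    if not point or point[0] != 0x04:
        raise ValueError("expected uncompressed EC point (0x04 prefix)")
    return {"algorithm": algorithm, "curve_oid": curve_oid,
            "curve": curve, "point_len": len(point)}


def curve_of_pem(pem):
    """Convenience wrapper: PEM public key in, curve name out."""
    return parse_ec_spki(pem_to_der(pem))["curve"]


if __name__ == "__main__":
    print(parse_ec_spki(pem_to_der(POSTED_PUB_PEM)))
```

For the posted key this reports id-ecPublicKey, curve OID 1.2.840.10045.3.1.7 (prime256v1) and a 65-byte uncompressed point, i.e. a standard P-256 SubjectPublicKeyInfo with a named curve, so the "Error in parsing" above is not explained by a curve mismatch or by explicit curve parameters; that is consistent with the thread's conclusion. The explicit-parameters branch is there because `openssl ecparam -param_enc explicit` produces keys that several importers reject even when the curve is otherwise supported.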
03-10-2017 07:21 PM
EC key support is quite new. What device are you using, and what software version are you running on it?
03-17-2017 04:22 PM
The device I'm trying to implement this on is a 5915 Embedded Service Router running 15.2(2)GC.
However, I've also tried it on an ASR 1002-X running 3.16.2bS as well as a 3925 ISR and got the same results.
03-24-2017 07:32 AM
So I contacted TAC and they notified me that IOS will not accept OpenSSL generated key-pairs.