NGE: IOS ECC Key-pair Import Issue

Hello,

I'm working on an automation script to generate EC key pairs with OpenSSL to import into an ESR router at a later time. However, I'm having some trouble importing the key. When I try to import the key pair it will always fail. A moment after attempting to import the key, an error gets printed that says, "Error in parsing."

Anyone have some insight into this?

I was able to find out what curve is in use by IOS by doing 'openssl asn1parse':

root@qemu1:~# openssl asn1parse -in good.pub 
0:d=0 hl=2 l= 89 cons: SEQUENCE
2:d=1 hl=2 l= 19 cons: SEQUENCE
4:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
13:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
23:d=1 hl=2 l= 66 prim: BIT STRING

When using that curve the key import fails:

Router(config)#crypto key import ec ec-test terminal <redacted>
% Enter PEM-formatted public Signature key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm3b940n7sin8SEE2U6TN/gyPKSRs
o6Khy1J/mxJ2kSSvBZRuyBnrL5jFoutjsRn6j6rTO5/1vEeN64wDJVK3VQ==
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private Signature key.
% End with "quit" on a line by itself.
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,16B60A2A186C4B82

DGbtlaIa/8/EoHfbOl8fu4JxrgjxyDm14UbM+p6vGFKD9dTjFUMer479xXGmEJUC
KFQdiYrIKGHjjJ2JnLQKeLEpOWd7pBUknW7D9E68kjIWSueCAUivKJkq6o+dIgNL
oXNLN4CeMXWhfcFJmJyuKkJ+DfmkeUNl/UzLHJjngYM=
-----END EC PRIVATE KEY-----
quit
% Key pair import failed.

Router(config)#
*Mar 10 16:28:20.886: Error in parsing 524

These are the OpenSSL commands used:

openssl ecparam -genkey -name prime256v1 -noout -out test.prv
openssl ec -in test.prv -pubout -out test.pub
openssl ec -in test.prv -out test.prv.enc -des -passout pass:<redacted>
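To sanity-check a generated public key before pasting it into the router (the check the asn1parse step above does by hand), here is an added Python example, not code from the thread: it decodes the SubjectPublicKeyInfo DER of the public key shown in the session above and reports the algorithm OID, the curve OID and the public point, assuming the two OID names that asn1parse printed.

```python
import base64

# Public key exactly as pasted into the router session above.
PUB_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm3b940n7sin8SEE2U6TN/gyPKSRs
o6Khy1J/mxJ2kSSvBZRuyBnrL5jFoutjsRn6j6rTO5/1vEeN64wDJVK3VQ==
-----END PUBLIC KEY-----"""

# OID names as printed by 'openssl asn1parse' above.
OID_NAMES = {"1.2.840.10045.2.1": "id-ecPublicKey",
             "1.2.840.10045.3.1.7": "prime256v1"}

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_spki(pem):
    """Parse SubjectPublicKeyInfo: SEQ { SEQ { alg OID, curve OID }, BIT STRING point }."""
    tag, spki, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg_id, pos = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    t1, alg_oid, p = read_tlv(alg_id, 0)
    t2, curve_oid, _ = read_tlv(alg_id, p)
    t3, bits, _ = read_tlv(spki, pos)
    if (t1, t2, t3) != (0x06, 0x06, 0x03):
        raise ValueError("unexpected tags in AlgorithmIdentifier / public key")
    alg, curve = decode_oid(alg_oid), decode_oid(curve_oid)
    return {"algorithm": OID_NAMES.get(alg, alg), "curve": OID_NAMES.get(curve, curve),
            "point": bits[1:]}             # first BIT STRING byte is the unused-bit count

def is_prime256v1_key(pem):
    """True when the key is an uncompressed (0x04) point on prime256v1, the curve good.pub uses."""
    info = parse_spki(pem)
    return ((info["algorithm"], info["curve"]) == ("id-ecPublicKey", "prime256v1")
            and len(info["point"]) == 65 and info["point"][0] == 0x04)
```

The DEK-Info line in the session shows the private key was wrapped with single DES-CBC (OpenSSL's -des); -aes256 is the usual choice today where the importing device accepts it.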

3 Replies

Philip D'Ath
VIP Alumni

EC key support is quite new. What device are you using, and what software version are you running on it?

The device I'm trying to implement this on is a 5915 Embedded Service Router running 15.2(2)GC.

However, I've also tried it on an ASR 1002-X running 3.16.2bS as well as a 3925 ISR and got the same results.

So I contacted TAC and they notified me that IOS will not accept OpenSSL generated key-pairs.
