#1 2018-07-17 12:14:50

Sabbiolina
Member
Registered: 2014-05-20
Posts: 120

ECC public key export

Hi, yesterday I tried to write this export for ECC keys generated by the library, to be able to use JWT signed with ES256.

But something does not work: the DER is correct, but the tests say the points are not on the curve.

Does anyone have any ideas?

some links:
https://8gwifi.org/PemParserFunctions.jsp
try:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYjcE4dwT3NRf8Zd5Edl7zih3O8JJeXjdevwI3HaJmgO2VsSx2Lq7+FDpEghPKj1xNqU4jPMTz7apH5inrNYi6Q==
-----END PUBLIC KEY-----

answer:
unable to convert key pair: encoded key spec not recognized: Invalid point coordinates


asn.1 inspector:
https://lapo.it/asn1js/



function TECCCertificateSecret.SaveToDER64:RawByteString;
const DER_SEQUENCE = $30;
      DER_INTEGER  = $02;
      DER_BIT      = $03;
      DER_OBJECT   = $06;
var RPrefix,SPrefix: integer;
    P,PU: PByteArray;
    Point: TEccPoint;
begin
  SetLength(result,91);
  fillchar(result[1],91,0);

  P := pointer(result);
  P[0]:=DER_SEQUENCE;
  P[1]:=$59; // total length
  p[2]:=DER_SEQUENCE;
  p[3]:=$13; // Length OIDs

  p[4]:=DER_OBJECT;
  p[5]:=$07; // length OID 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)

  p[6]:=$2A;
  p[7]:=$86;
  P[8]:=$48;
  P[9]:=$CE;
  P[10]:=$3D;
  P[11]:=$02;
  P[12]:=$01;

  p[13]:=DER_OBJECT;
  p[14]:=$08;  // length OID 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)

  p[15]:=$2A;
  p[16]:=$86;
  P[17]:=$48;
  P[18]:=$CE;
  P[19]:=$3D;
  P[20]:=$03;
  P[21]:=$01;
  P[22]:=$07;

  p[23]:=DER_BIT;   // bit sequence
  p[24]:=$42; // length Bit string

  p[25]:=$00; // Fixed
  p[26]:=$04; // Fixed
  inc(PByte(P),26+1);

  _clear(Point.x);
  _clear(Point.y);
  EccPointDecompress(Point,@fContent.Signed.PublicKey); // extract point x.y

  MoveFast(Point,p[0],ECC_BYTES*2); // on buffer

  result:='-----BEGIN PUBLIC KEY-----'+#13#10+binToBase64(result)+#13#10+'-----END PUBLIC KEY-----'+#13#10;
end;

Offline
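A way to check an exported key offline instead of relying on the web parser (added example, not part of the original post or of the mORMot code base): it splits the 91-byte SubjectPublicKeyInfo that SaveToDER64 builds and tests the two coordinates against the P-256 equation. The second test, which re-reads each coordinate least-significant byte first, rests on an assumption the thread does not state (that the in-memory point was copied without conversion to big-endian); all function names are hypothetical.

```python
import base64

# NIST P-256 (prime256v1) parameters: y^2 = x^3 - 3x + B (mod P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Constructed sample input: the curve's base point G, known to be valid
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
# The 27 fixed bytes SaveToDER64 writes at P[0]..P[26]
SPKI_PREFIX = bytes.fromhex(
    "3059 3013 0607 2a8648ce3d0201 0608 2a8648ce3d030107 0342 00 04")

def on_curve(x, y):
    """True if (x, y) satisfies the P-256 equation with both values in [0, P)."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x - 3 * x + B)) % P == 0

def pem_to_der(pem):
    """Drop the BEGIN/END lines and base64-decode the body."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines if not l.startswith("-----")))

def build_spki(x_bytes, y_bytes):
    """Fixed header followed by two 32-byte coordinates."""
    return SPKI_PREFIX + x_bytes + y_bytes

def diagnose(der):
    if len(der) != 91 or not der.startswith(SPKI_PREFIX):
        return "not an uncompressed P-256 SubjectPublicKeyInfo"
    raw_x, raw_y = der[27:59], der[59:91]
    # X9.62 / SEC1 encode each coordinate as 32 big-endian bytes
    if on_curve(int.from_bytes(raw_x, "big"), int.from_bytes(raw_y, "big")):
        return "valid point"
    # Assumption under test: coordinates were written least-significant byte first
    if on_curve(int.from_bytes(raw_x, "little"), int.from_bytes(raw_y, "little")):
        return "byte-reversed coordinates"
    return "point not on curve"

if __name__ == "__main__":
    # The key posted above, as produced by SaveToDER64
    pem = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYjcE4dwT3NRf8Zd5Edl7zih3O8JJeXjdevwI3HaJmgO2VsSx2Lq7+FDpEghPKj1xNqU4jPMTz7apH5inrNYi6Q==
-----END PUBLIC KEY-----"""
    print(diagnose(pem_to_der(pem)))
```

A result of "byte-reversed coordinates" means the DER framing is fine and only the coordinate byte order needs converting before the copy into the buffer.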

#2 2019-08-13 12:19:50

MrWaz
Member
Registered: 2019-08-13
Posts: 4

Re: ECC public key export

Hi, sorry for resurrecting an old topic but I'm facing the exact same issue.

I can use SynECC to perform JWT authentication between Delphi clients; it works pretty fine exchanging the public part of the ECCCertificate as base64.
But I also would like to let non-Delphi clients (Java & JavaScript) use my mORMot services.

I can't find a way to export the public key so that it's usable by other standard JWT libs (e.g. auth0:jwt in Java).

What would be the proper way to deal with this issue?

Offline

#3 2019-08-13 14:19:01

igors233
Member
Registered: 2012-09-10
Posts: 234

Re: ECC public key export

Offline
