PEM and DER keys import test vectors #93

Open
dikel opened this issue Apr 13, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

Collaborator

dikel commented Apr 13, 2023

Problem

Currently the SDKs are not compatible with ECDSA keys generated by OpenSSL. This can be confusing for users that reuse their keys on different chains and have used OpenSSL to generate their keys.

Solution

We need to support importing both the current and the OpenSSL versions of keys. We provide test vectors for checking if the implementation is correct:

Test vector for ED25519 private key

PEM import

Test unencrypted PEM private key

PEM:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIOgbjaHgEqF7PY0t2dUf2VU0u1MRoKii/fywDlze4lvl
-----END PRIVATE KEY-----

Private key: e81b8da1e012a17b3d8d2dd9d51fd95534bb5311a0a8a2fdfcb00e5cdee25be5

Public key: f7b9aa4a8e4eee94e4277dfe757d8d7cde027e7cd5349b7d8e6ee21c9b9395be

Test encrypted PEM private key

Encrypted PEM:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAiho4GvPxvL6wICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEIdsubXR0QvxXGSprqDuDXwEQJZl
OBtwm2p2P7WrWE0OnjGxUe24fWwdrvJUuguFtH3FVWc8C5Jbxgbyxsuzbf+utNL6
0ey+WdbGL06Bw0HGqs8=
-----END ENCRYPTED PRIVATE KEY-----

Passphrase: asdasd123

Private key: fa0857e963946d5f5e035684c40354d3cd3dcc80c0fb77beac2ef7c4b5271599

Public key: 202af61e141465d4bf2c356d37d18bd026c246bde4eb73258722ad11f790be4e

DER import

Test OpenSSL DER private key

Private key DER:

302e020100300506032b657004220420feb858a4a69600a5eef2d9c76f7fb84fc0b6627f29e0ab17e160f640c267d404

Private key: feb858a4a69600a5eef2d9c76f7fb84fc0b6627f29e0ab17e160f640c267d404

Public key: 8ccd31b53d1835b467aac795dab19b274dd3b37e3daf12fcec6bc02bac87b53d

Test OpenSSL DER public key

Public key DER:

302a300506032b65700321008ccd31b53d1835b467aac795dab19b274dd3b37e3daf12fcec6bc02bac87b53d

Public key: 8ccd31b53d1835b467aac795dab19b274dd3b37e3daf12fcec6bc02bac87b53d

Test vector for ECDSA private key

PEM import

Test unencrypted uncompressed PEM

PEM:

-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIG8I+jKi+iGVa7ttbfnlnML5AdvPugbgBWnseYjrle6qoAcGBSuBBAAK
oUQDQgAEqf5BmMeBzkU1Ra9UAbZJo3tytVOlb7erTc36LRLP20mOLU7+mFY+3Cfe
fAZgBtPXRAmDtRvYGODswAalW85GKA==
-----END EC PRIVATE KEY-----

Private key: 6f08fa32a2fa21956bbb6d6df9e59cc2f901dbcfba06e00569ec7988eb95eeaa

Public key: 02a9fe4198c781ce453545af5401b649a37b72b553a56fb7ab4dcdfa2d12cfdb49

Test unencrypted compressed PEM

PEM:

-----BEGIN EC PRIVATE KEY-----
MFQCAQEEIOHyhclwHbha3f281Kvd884rhBzltxGJxCZyaQCagH9joAcGBSuBBAAK
oSQDIgACREr6gFZa4K7hBP+bA25VdgQ+0ABFgM+g5RYw/W6T1Og=
-----END EC PRIVATE KEY-----

Private key: e1f285c9701db85addfdbcd4abddf3ce2b841ce5b71189c4267269009a807f63

Public key: 02444afa80565ae0aee104ff9b036e5576043ed0004580cfa0e51630fd6e93d4e8

Test encrypted uncompressed PEM

Encrypted PEM:

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0046A9EED8D16F0CAA66A197CE8BE8BD

9VU9gReUmrn4XywjMx0F0A3oGzpHIksEXma72TCSdcxI7zHy0mtzuGq4Wd25O38s
H9c6kvhTPS1N/c6iNhx154B0HUoND8jvAvfxbGR/R87vpZJsOoKCmRxGqrxG8HER
FIHQ1jy16DrAbU95kDyLsiF1dy2vUY/HoqFZwxl/IVc=
-----END EC PRIVATE KEY-----

Passphrase: asdasd123

Private key: cf49eb5206c1b0468854d6ea7b370590619625514f71ff93608a18465e4012ad

Public key: 025f0d14a7562d6319e5b8f91620d2ce9ad13d9abf21cfe9bd0a092c0f35bf1701

Test encrypted compressed PEM

Encrypted PEM:

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,4A9B3B987EC2EFFA405818327D14FFF7

Wh756RkK5fn1Ke2denR1OYfqE9Kr4BXhgrEMTU/6o0SNhMULUhWGHrCWvmNeEQwp
ZVZYUxgYoTlJBeREzKAZithcvxIcTbQfLABo1NZbjA6YKqAqlGpM6owwL/f9e2ST
-----END EC PRIVATE KEY-----

Passphrase: asdasd123

Private key: c0d3e16ba5a1abbeac4cd327a3c3c1cc10438431d0bac019054e573e67768bb5

Public key: 02065f736378134c53c7a2ee46f199fb93b9b32337be4e95660677046476995544

DER import

Test legacy DER private key

Private key DER:

3030020100300706052b8104000a042204208c2cdc9575fe67493443967d74958fd7808a3787fd3337e99cfeebbc7566b586

Private key: 8c2cdc9575fe67493443967d74958fd7808a3787fd3337e99cfeebbc7566b586

Public key: 028173079d2e996ef6b2d064fc82d5fc7094367211e28422bec50a2f75c365f5fd

Test legacy DER public key

Public key DER:

302d300706052b8104000a032200028173079d2e996ef6b2d064fc82d5fc7094367211e28422bec50a2f75c365f5fd

Public key: 028173079d2e996ef6b2d064fc82d5fc7094367211e28422bec50a2f75c365f5fd

Test OpenSSL compatible compressed DER private key

Private key DER:

30540201010420ac318ea8ff8d991ab2f16172b4738e74dc35a56681199cfb1c0cb2e7cb560ffda00706052b8104000aa124032200036843f5cb338bbb4cdb21b0da4ea739d910951d6e8a5f703d313efe31afe788f4

Private key: ac318ea8ff8d991ab2f16172b4738e74dc35a56681199cfb1c0cb2e7cb560ffd

Public key: 036843f5cb338bbb4cdb21b0da4ea739d910951d6e8a5f703d313efe31afe788f4

Test OpenSSL compatible compressed DER public key

Public key DER:

3036301006072a8648ce3d020106052b8104000a032200036843f5cb338bbb4cdb21b0da4ea739d910951d6e8a5f703d313efe31afe788f4

Public key: 036843f5cb338bbb4cdb21b0da4ea739d910951d6e8a5f703d313efe31afe788f4

Test OpenSSL compatible uncompressed DER private key

Private key DER:

307402010104208927647ad12b29646a1d051da8453462937bb2c813c6815cac6c0b720526ffc6a00706052b8104000aa14403420004aaac1c3ac1bea0245b8e00ce1e2018f9eab61b6331fbef7266f2287750a6597795f855ddcad2377e22259d1fcb4e0f1d35e8f2056300c15070bcbfce3759cc9d

Private key: 8927647ad12b29646a1d051da8453462937bb2c813c6815cac6c0b720526ffc6

Public key: 03aaac1c3ac1bea0245b8e00ce1e2018f9eab61b6331fbef7266f2287750a65977

Test OpenSSL compatible uncompressed DER public key

Public key DER:

3056301006072a8648ce3d020106052b8104000a03420004aaac1c3ac1bea0245b8e00ce1e2018f9eab61b6331fbef7266f2287750a6597795f855ddcad2377e22259d1fcb4e0f1d35e8f2056300c15070bcbfce3759cc9d

Public key: 03aaac1c3ac1bea0245b8e00ce1e2018f9eab61b6331fbef7266f2287750a65977

Test OpenSSL compatible DER private key without public key

Private key DER:

302e0201010420a6170a6aa6389a5bd3a3a8f9375f57bd91aa7f7d8b8b46ce0b702e000a21a5fea00706052b8104000a

Private key: a6170a6aa6389a5bd3a3a8f9375f57bd91aa7f7d8b8b46ce0b702e000a21a5fe

Public key: 03b69a75a5ddb1c0747e995d47555019e5d8a28003ab5202bd92f534361fb4ec8a

Alternatives

No response

@dikel dikel added the enhancement New feature or request label Apr 13, 2023
Collaborator Author

dikel commented Apr 18, 2023

Hey @ochikov @petreze @bamzedev @deyanzz @rwalworth @SimiHunjan @rbair23 @izik1

We've created test vectors for PEM and DER key import. Please comment if you think we should add more tests.


izik1 commented Jul 28, 2023

hi!

I mostly agree with these as-is, but I wanted to share some findings so that others don't have to go finding the same information again:

  1. The format being referred to as legacy is not a "legacy" format and is very much still in use (pkcs#8 PrivateKeyInfo) versions 1 and 2 as described by RFC 5208 and RFC 5958 respectively, and can very much be used by EC private keys, although you'd typically package them in a nested EcPrivateKey (I'll attach an example of such a key below).
  2. The openssl format is "EcPrivateKey" as described by https://www.secg.org/sec1-v2.pdf and https://datatracker.ietf.org/doc/html/rfc5915#section-3 (these two sources have slightly different but almost identical descriptions, the former is what openssl technically uses.)
  3. PRIVATE KEY vs EC PRIVATE KEY is a little confusing, because you'd assume they're the same format but they aren't (the first one is pkcs#8, the second is sec1)

An example of wrapping an EcPrivateKey into a PrivateKeyInfo is as follows (note, there's no public key here because it isn't required; if I included it, the public key would go in the EcPrivateKey, not the PrivateKeyInfo):

-----BEGIN PRIVATE KEY-----
MEcCAQAwEAYHKoZIzj0CAQYFK4EEAAoEMDAuAgEBBCBvCPoyovohlWu7bW355ZzC
+QHbz7oG4AVp7HmI65XuqqAHBgUrgQQACg==
-----END PRIVATE KEY-----

Which should leave you with this private key:

6f08fa32a2fa21956bbb6d6df9e59cc2f901dbcfba06e00569ec7988eb95eeaa

(same key as "Test unencrypted uncompressed PEM")

edit: I'm not sure we need to support that format of key, to be clear, I'm mostly just mentioning it because it exists.
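
Added example (not part of the issue or of any SDK's code): a minimal DER walker that tells a SEC1 ECPrivateKey from a PKCS#8 PrivateKeyInfo, including the nested case shown in the comment above, and returns the private scalar. The names `read_tlv`, `classify`, `pem_to_der` and the format labels are assumptions made for illustration; only unencrypted keys are handled.

```python
import base64

def read_tlv(buf, off=0):
    """Read one DER element; return (tag, value bytes, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length

def classify(der):
    """Illustrative helper: (format label, private scalar hex) for a DER key."""
    tag, body, end = read_tlv(der)
    t_ver, version, off = read_tlv(body)
    t_next, second, off = read_tlv(body, off)
    if tag != 0x30 or end != len(der) or t_ver != 0x02:
        raise ValueError("expected one SEQUENCE starting with INTEGER version")
    # SEC1 ECPrivateKey: version 1, then the scalar as an OCTET STRING.
    if version == b"\x01" and t_next == 0x04:
        return "sec1", second.hex()
    # PKCS#8: version 0 (v1) or 1 (v2), then an AlgorithmIdentifier SEQUENCE.
    if version in (b"\x00", b"\x01") and t_next == 0x30:
        t_key, wrapped, _ = read_tlv(body, off)
        if t_key != 0x04:
            raise ValueError("expected privateKey OCTET STRING")
        inner_tag, inner, _ = read_tlv(wrapped)
        if inner_tag == 0x04:   # bare scalar (Ed25519, the issue's "legacy" ECDSA)
            return "pkcs8", inner.hex()
        if inner_tag == 0x30:   # nested SEC1 ECPrivateKey
            fmt, scalar = classify(wrapped)
            return "pkcs8+" + fmt, scalar
    raise ValueError("unrecognised private key structure")

def pem_to_der(pem):
    """Return (label, DER bytes) from an unencrypted PEM block."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    label = lines[0][len("-----BEGIN "):-len("-----")]
    return label, base64.b64decode("".join(lines[1:-1]))

WRAPPED_PEM = """-----BEGIN PRIVATE KEY-----
MEcCAQAwEAYHKoZIzj0CAQYFK4EEAAoEMDAuAgEBBCBvCPoyovohlWu7bW355ZzC
+QHbz7oG4AVp7HmI65XuqqAHBgUrgQQACg==
-----END PRIVATE KEY-----"""  # PEM copied from the comment above
```

Run over the DER vectors in the issue, `classify` returns `sec1` for the OpenSSL-compatible ECDSA keys and `pkcs8` for the Ed25519 and "legacy" ECDSA keys; a public-key or encrypted structure raises `ValueError`.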
