# Introduction

This document serves to provide an orientation to differnet OpenSSL commands.

## Computing Environment

Some basic information about the environment in which the Nobeook is executing.

In [1]:
#!/bin/bash
# This script is used to print the system information of the current machine
# It is useful to know the system information when debugging issues


! echo "Kernel:" && uname -a && echo ""
! echo "MacOS Version:" && sw_vers && echo ""
! echo "OpenSSL Version:" && openssl version && echo ""
! echo "Python Version:" && python --version && echo ""



Kernel:
Darwin USWSA220038.local 24.0.0 Darwin Kernel Version 24.0.0: Tue Sep 24 23:39:07 PDT 2024; root:xnu-11215.1.12~1/RELEASE_ARM64_T6000 arm64

MacOS Version:
ProductName:		macOS
ProductVersion:		15.0.1
BuildVersion:		24A348

OpenSSL Version:
OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)

Python Version:
Python 3.11.6



## Available RSA Key Sizes

Below are the exponents associated with given RSA key lengths. 

In [2]:
#python
# Some possible RSA key lenths.
for exponent in range(7,16):
    print("2^{0:3d} = {1:5d} bits".format(exponent, 2**exponent))

2^  7 =   128 bits
2^  8 =   256 bits
2^  9 =   512 bits
2^ 10 =  1024 bits
2^ 11 =  2048 bits
2^ 12 =  4096 bits
2^ 13 =  8192 bits
2^ 14 = 16384 bits
2^ 15 = 32768 bits


Note, that 3072-bit (2048+1024) keys are not referenced in this list.  It is likely that 3072-bit is trying to strike a cost/performance balance between weak 2048-bit and high computation cost of 4096-bit RSA keys.  So where to 3072-bit RSA keys come from?

In [None]:
# RSA key sizes are often represented as exponents to 2.
print(f"2048-bit RSA keys are derived from 2^11 = {2**11}.")
print(f"Where does 3072-bit RSA keys come from?")
print(f"- 3072-bit RSA keys might be 2^11.584962501 = {2**11.584962501}.")
print(f"- Or simply 2048*1.5 = {2048*1.5}.")

## Available Elliptic Curves

Some resources on about elliptic curves applied to TLS protocol.   
* [RFC 8422, Section 5.1.1 Supported Elliptic Curves Extensions](https://www.rfc-editor.org/rfc/rfc8422.html#section-5.1.1) namely `secp256r1`, `secp384r1`, `secp521r1` and a few others.
* [AWS Security Blog](https://aws.amazon.com/blogs/security/) discusses [How to evaluate and use ECDSA certificates in AWS Certificate Manager](https://aws.amazon.com/blogs/security/how-to-evaluate-and-use-ecdsa-certificates-in-aws-certificate-manager/).  It is acknowledged this article discusses ECDSA and not EC. It was just an simple read on EC curve options.

For the sake of simplicity and scoping, will focus on `prime256v1` and `secp384r1` curves only.  The tool `openssl` offers support for several different elliptic curves as noted below.

In [3]:
#!/bin/bash
# What are the EC Curves supported by OpenSSL?
!openssl ecparam -list_curves

  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp112r2 : SECG curve over a 112 bit prime field
  secp128r1 : SECG curve over a 128 bit prime field
  secp128r2 : SECG curve over a 128 bit prime field
  secp160k1 : SECG curve over a 160 bit prime field
  secp160r1 : SECG curve over a 160 bit prime field
  secp160r2 : SECG/WTLS curve over a 160 bit prime field
  secp192k1 : SECG curve over a 192 bit prime field
  secp224k1 : SECG curve over a 224 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime192v2: X9.62 curve over a 192 bit prime field
  prime192v3: X9.62 curve over a 192 bit prime field
  prime239v1: X9.62 curve over a 239 bit prime field
  prime239v2: X9.62 curve over a 239 bit prime field
  prime239v3: X9.62 curv

# X.509 Key Types

The goal of this section is to demonstrate the differences between message digests (or thumbprints) between two different (but related) data structures with X.509 certificates.  
* Thumbprint of the signed certificate.
* Thumbprint of the cryptographic public key.

In the following sections we use RSA and ECC X.509 key types to perform the following tasks.
1. Create an single private key.
2. Derive from this private key the corresponding private key.
3. Generate multiple certificate signing requesest based on the single private key.
4. Self-sign each signing request with the private key.
5. We then extract the SubjectPublicKeyInfo from each signing request and self-signed certificate.
6. Finally, we compare the SubjectPublicKeyeInfo across all the various exports.

File names follow a mixed combination of hyphens (`-`) to separate words within a given field (e.g. `private-key`) and underscores (`_`) to separate fields (e.g. `rsa_private-key`).  


## RSA

Resources
1. [openssl-asn1parse](https://docs.openssl.org/master/man1/openssl-asn1parse/) processing ASN.1 files
2. [openssl-pkey](https://docs.openssl.org/master/man1/openssl-pkey/) interacting with private keys
3. [openssl-req](https://docs.openssl.org/master/man1/openssl-req/) processing signing-requests
4. [openssl-rsa](https://docs.openssl.org/master/man1/openssl-rsa/) generating RSA private keys
5. [openssl-x509](https://docs.openssl.org/master/man1/openssl-x509/) processing X.509 certificates

### Generate RSA Private Key

For illustration purposes, let us create a single RSA private key. 

> Warning: Please do not use these keys in any production or live environment as they are intended for demonstration purposes only.  As a _demo_, you have no control over who may have viewed or obtain a copy of this key material making these private keys potentially _public_.

In [15]:
%%bash
# preamble
FOLDER="data/poc"
mkdir -p "${FOLDER}"
RSA_PRIVATE_KEY_PEM="${FOLDER}/rsa_private-key.pem"
RSA_PRIVATE_KEY_DER="${FOLDER}/rsa_private-key.der"
KEYLENGTH="2048" # Typical sizes: 2048, 3072, 4096`

# validate environment
echo "Environment:"
echo "  Working Folder: '${FOLDER}'"
echo "  Private Key PEM: '${RSA_PRIVATE_KEY_PEM}'"
echo "  Private Key DER: '${RSA_PRIVATE_KEY_DER}'"
echo "  Key Length: '${KEYLENGTH}'"
echo ""

# execute
echo "Generating RSA Private Key:"

# create the private key in PEM form.
openssl genrsa -out "${RSA_PRIVATE_KEY_PEM}" "${KEYLENGTH}"

# convert private key from PEM (ASCII) to DER (binary)
openssl rsa -inform PEM -in "${RSA_PRIVATE_KEY_PEM}" -outform DER -out "${RSA_PRIVATE_KEY_DER}"
echo ""

# valdiate result
echo "Files:"
ls -l -go "${FOLDER}"/rsa_private-key.*
echo ""

echo "File Types:"
file "${RSA_PRIVATE_KEY_PEM}" "${RSA_PRIVATE_KEY_DER}"
echo ""

echo "File Digests (SHA256):"
sha256sum "${FOLDER}"/rsa_private-key.*

Environment:
  Working Folder: 'data/poc'
  Private Key PEM: 'data/poc/rsa_private-key.pem'
  Private Key DER: 'data/poc/rsa_private-key.der'
  Key Length: '2048'

Generating RSA Private Key:


writing RSA key



Files:
-rw-------@ 1   1217 Oct 25 13:54 data/poc/rsa_private-key.der
-rw-------@ 1   1704 Oct 25 13:54 data/poc/rsa_private-key.pem

File Types:
data/poc/rsa_private-key.pem: ASCII text
data/poc/rsa_private-key.der: data

File Digests (SHA256):
9b98f748eb3189d561bca2dae9d4818eb92298b6057288b4f09dc31d696ce8ad  data/poc/rsa_private-key.der
e1b7eb6ddff58ccf3568a5f1f036f33ca66a6c66845ab168d01171ed29cf24ea  data/poc/rsa_private-key.pem


### Derive the RSA Public Key

The raw private key material itself does not contain the public key.  However we can derive the cryptographic public key material from the private key using one of the `openssl` command options.  
1. `openssl rsa -pubout ...`
2. `openssl pkey -pubout ...`

In [None]:
%%bash
# preamble
FOLDER="data/poc"
mkdir -p "${FOLDER}"
RSA_PRIVATE_KEY_PEM="${FOLDER}/rsa_private-key.pem"
RSA_PRIVATE_KEY_DER="${FOLDER}/rsa_private-key.der"


# validate environment
echo "Environment:"
echo "  RSA Private Key PEM: '${RSA_PRIVATE_KEY_PEM}'"
echo "  RSA Private Key DER: '${RSA_PRIVATE_KEY_DER}'"
echo ""

# execute
echo "Deriving the RSA Public Key using the corresponding Private Key (rsa):"
openssl rsa -pubout -inform PEM -in "${RSA_PRIVATE_KEY_PEM}" \
    -outform PEM -out "${FOLDER}/rsa_public-key-info_via_private-key_rsa.pem"
openssl rsa -pubout -inform DER -in "${RSA_PRIVATE_KEY_DER}" \
    -outform DER -out "${FOLDER}/rsa_public-key-info_via_private-key_rsa.der"
echo ""

echo "Deriving the RSA Public Key using the corresponding Private Key (rsa):"
openssl pkey -pubout -inform PEM -in "${RSA_PRIVATE_KEY_PEM}" \
    -outform PEM -out "${FOLDER}/rsa_public-key-info_via_private-key_pkey.pem"
openssl pkey -pubout -inform DER -in "${RSA_PRIVATE_KEY_DER}" \
    -outform DER -out "${FOLDER}/rsa_public-key-info_via_private-key_pkey.der"
echo ""

# validate results
echo "RSA Files:"
ls -l -go "${FOLDER}"/rsa_public-key-info_via_private-key*
echo ""

echo "RSA File Types:"
file "${FOLDER}"/rsa_public-key-info_via_private-key*
echo ""

echo "RSA File Digests (SHA256):"
sha256sum "${FOLDER}"/rsa_public-key-info_via_private-key*.der
echo "---"
sha256sum "${FOLDER}"/rsa_public-key-info_via_private-key*.pem

### Generate RSA Signing Requests

Our goal is to create multiple unique signed public certificates each based on the single private key we just created.  To begin, we must create a set of _certificate signing requests_, each provided with a unique name.  

To uniquely identify each signing request (and later the certificate) we apply a unique ID to the request `CommonName` field of the `Subject`.

In [None]:
%%bash
FOLDER="data/poc"
RSA_PRIVATE_KEY_PEM="${FOLDER}/rsa_private-key.pem"
MAX_SIGNING_REQUESTS=5

echo "Environment:"
echo "  Signing Request Count: ${MAX_SIGNING_REQUESTS}"
echo ""

for ((i=1; i<="${MAX_SIGNING_REQUESTS}"; i++)); do
    GUID=$(uuidgen)
    RSA_SIGNING_REQUEST_PEM="${FOLDER}/rsa_signing-request_${GUID}.pem"
    RSA_SIGNING_REQUEST_DER="${FOLDER}/rsa_signing-request_${GUID}.der"
    
    # creates PEM signing request
    echo "Creating PEM: ${RSA_SIGNING_REQUEST_PEM}"
    openssl req -new -sha256 -inform pem -key "${RSA_PRIVATE_KEY_PEM}" \
      -outform pem -out "${RSA_SIGNING_REQUEST_PEM}" -subj "/O=WARNING\: PRIVATE KEY MADE PUBLIC/CN=${GUID}"

    # converts PEM to DER signing request
    echo "Creating DER: ${RSA_SIGNING_REQUEST_DER}"
    openssl req -inform PEM -in "${RSA_SIGNING_REQUEST_PEM}" \
      -outform DER -out "${RSA_SIGNING_REQUEST_DER}"

done
echo ""

echo "RSA Signing Requests:"
ls -l -go "${FOLDER}"/rsa_signing-request*
echo ""

echo "RSA File Types:"
file "${FOLDER}"/rsa_signing-request*
echo ""

echo "RSA Signing Request Digests (SHA256):"
sha256sum "${FOLDER}"/rsa_signing-request*.der
echo "---"
sha256sum "${FOLDER}"/rsa_signing-request*.pem
echo ""


### Self-Sign RSA Signing Requests

Using the single private key, we can self-sign each of the signing requests to create a completed signed certificate for analysis.  For added variability with our certificates, each has a unique validity duration.

In [None]:
%%bash
FOLDER="data/poc"
RSA_PRIVATE_KEY_PEM="${FOLDER}/rsa_private-key.pem"
VALIDITY_DURATION=30
VALIDITY_INCREMENT=10

for RSA_SIGNING_REQUEST_PEM in "${FOLDER}"/rsa_signing-request_*.pem; do
    VALIDITY_DURATION=$((VALIDITY_DURATION+VALIDITY_INCREMENT))
    GUID=$(openssl req -noout -in "${RSA_SIGNING_REQUEST_PEM}" -subject | awk -F 'CN=' '{print $2}')
    RSA_SELF_SIGNED_PUBLIC_KEY_PEM="${FOLDER}/rsa_self-signed-public-key_${GUID}.pem" 
    RSA_SELF_SIGNED_PUBLIC_KEY_DER="${FOLDER}/rsa_self-signed-public-key_${GUID}.der"  

    # creating PEM signed certificate
    echo "Creating Self-Signed PEM: ${RSA_SELF_SIGNED_PUBLIC_KEY_PEM}"
    openssl x509 -req -sha256 -days ${VALIDITY_DURATION} \
        -keyform PEM -signkey "${RSA_PRIVATE_KEY_PEM}" \
        -inform PEM -in "${RSA_SIGNING_REQUEST_PEM}" \
        -outform PEM -out "${RSA_SELF_SIGNED_PUBLIC_KEY_PEM}"

    # converting PEM to DER
    echo "Converting PEM to DER: ${RSA_SELF_SIGNED_PUBLIC_KEY_DER}"
    openssl x509 -inform PEM -in "${RSA_SELF_SIGNED_PUBLIC_KEY_PEM}" \
        -outform DER -out "${RSA_SELF_SIGNED_PUBLIC_KEY_DER}"
    echo ""
done
echo ""

echo "RSA Self-Signed Certificates:"
ls -l -go "${FOLDER}"/rsa_self-signed-public-key*
echo ""

echo "RSA Self-Signed Certificate File Types:"
file "${FOLDER}"/rsa_self-signed-public-key*
echo ""

echo "RSA Self-Signed Certificate Digests (SHA256):"
sha256sum "${FOLDER}"/rsa_self-signed-public-key*.der
echo "---"
sha256sum "${FOLDER}"/rsa_self-signed-public-key*.pem
echo ""


### Display Certificate Details (Briefly)

Confirming our certificates have unique names and validity periods.

In [None]:
%%bash
FOLDER="data/poc"

# from signed certificates
echo "Basic Certificate Details:"
for RSA_SELF_SIGNED_PUBLIC_KEY_PEM in "${FOLDER}"/rsa_self-signed-public-key*.pem; do
    echo "--------------------------------------------"
    openssl x509 -noout -in "${RSA_SELF_SIGNED_PUBLIC_KEY_PEM}" \
        -subject -serial -startdate -enddate
done
echo ""

### Extract RSA SubjectPublicKeyInfo

We already derived the raw public key material earlier by accessing the private key for this information.  Here, we'll shift our focus to both the signing requests and self-signed certificates for analysis.

First, we'll access the signing requests to extract the `SubjectPublicKeyInfo` data and convert it to DER (binary) format.  Then we'll access each self-signed certificate to perform a similar action.

> Note: when using the `-pubkey` option, the output will often contain two sections, in ASCII format, defining the `PUBLIC KEY` and `CERTIFICATE REQUEST`.  We use `sed` to parse out only the `PUBLIC KEY` portion of this output.

In [None]:
%%bash
FOLDER="data/poc"

echo "Extracting the SubjectPublicKeyInfo from RSA Signing Requests:"
echo "--------------------------------------------"
# from signing request
for RSA_SIGNING_REQUEST_PEM in "${FOLDER}"/rsa_signing-request*.pem; do
    GUID=$(openssl req -noout -in "${RSA_SIGNING_REQUEST_PEM}" -subject | awk -F 'CN=' '{print $2}')
    RSA_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM="${FOLDER}/rsa_public-key-info_via_signing-request_${GUID}.pem" 
    RSA_PUBLIC_KEY_INFO_SIGNING_REQUEST_DER="${FOLDER}/rsa_public-key-info_via_signing-request_${GUID}.der"  

    # creating PEM signed certificate
    echo "Creating Public Key Info PEM: ${RSA_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM}"
    openssl req -pubkey -inform PEM -in "${RSA_SIGNING_REQUEST_PEM}" | \
        sed -n '/BEGIN\ PUBLIC\ KEY/,/END\ PUBLIC\ KEY/p' > "${RSA_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM}"

    # converting PEM to DER
    echo "Converting PEM to DER: ${RSA_PUBLIC_KEY_INFO_SIGNING_REQUEST_DER}"
    openssl asn1parse -inform PEM -in "${RSA_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM}" -out "${RSA_PUBLIC_KEY_INFO_SIGNING_REQUEST_DER}"
    echo ""
done
echo ""

echo "Extracting the SubjectPublicKeyInfo from RSA Self-Signed Certificates:"
echo "--------------------------------------------"
# from self-signed public key
for RSA_SELF_SIGNED_PUBLIC_KEY_PEM in "${FOLDER}"/rsa_self-signed-public-key*.pem; do
    GUID=$(openssl x509 -noout -in "${RSA_SELF_SIGNED_PUBLIC_KEY_PEM}" -subject | awk -F 'CN=' '{print $2}')
    RSA_PUBLIC_KEY_INFO_SELF_SIGNED_PEM="${FOLDER}/rsa_public-key-info_via_self-signed_${GUID}.pem" 
    RSA_PUBLIC_KEY_INFO_SELF_SIGNED_DER="${FOLDER}/rsa_public-key-info_via_self-signed_${GUID}.der"  

    # creating PEM signed certificate
    echo "Creating Public Key Info PEM: ${RSA_PUBLIC_KEY_INFO_SELF_SIGNED_PEM}"
    openssl x509 -pubkey -inform PEM -in "${RSA_SELF_SIGNED_PUBLIC_KEY_PEM}" | \
        sed -n '/BEGIN\ PUBLIC\ KEY/,/END\ PUBLIC\ KEY/p' > "${RSA_PUBLIC_KEY_INFO_SELF_SIGNED_PEM}"

    # converting PEM to DER
    echo "Converting PEM to DER: ${RSA_PUBLIC_KEY_INFO_SELF_SIGNED_DER}"
    openssl asn1parse -inform PEM -in "${RSA_PUBLIC_KEY_INFO_SELF_SIGNED_PEM}" -out "${RSA_PUBLIC_KEY_INFO_SELF_SIGNED_DER}"
    echo ""
done
echo ""


### Compare PublicKeyInfo Digests

In summary, we've performed the following actions:
1. Derived the public key from a single private key 
<br>(see `*public-key-info_via_private_key*.der`).
2. Extracted the public key material from multiple certificate signing requests
<br>(see `*public-key-info_via_signing-request*.der`).
3. Extracted the public key material from multiple self-signed certificates 
<br>(see `*public-key-info_via_self-signed*.der`).

Do we have message digests which match across all these different exports?

> Note 1: If you do not see the results you expect, make sure you are [Erase All RSA Key Data](#Erase-All-RSA-Key-Data) between test runs.

If you want more samples, then follow these steps without erasing or resetting the RSA data.
1. Run [Generate RSA Signing Requests](#generate-rsa-signing-requests) multiple times.  e.g. 4 more times for a total of 25 signing requests.
2. Run [Self-Sign RSA Signing Requests](#self-sign-rsa-signing-requests) just once.  
3. Run [Extract RSA SubjectPublicKeyInfo](#extract-rsa-subjectpublickeyinfo) just once.
4. Run this cell again.

In [None]:
%%bash
FOLDER="data/poc"

# basic error checking
if ! find "${FOLDER}" -type f -name "rsa_self-signed-public-key*.der" | grep -q .; then
    echo "WARNING: No RSA Self-Signed Certificates found."
    echo "         Please run the previous cells to generate RSA content."
    exit
fi

UNIQUE_DER_DIGEST_COUNT=$(sha256sum "${FOLDER}"/rsa_self-signed-public-key*.der \
    | awk '{print $1}' | sort | uniq | wc -l | awk '{print $1}')

UNIQUE_SPKI_DIGEST_COUNT=$(sha256sum "${FOLDER}"/rsa_public-key-info*.der \
    | awk '{print $1}' | sort | uniq | wc -l | awk '{print $1}')

# if UNIQUE_SPKI_DIGEST_COUNT greater than 1 then issue a warning
if [ "${UNIQUE_SPKI_DIGEST_COUNT}" -gt 1 ]; then
    echo "WARNING: Multiple SubjectPublicKeyInfo Digests found."
    echo "         Did you forget to erase all key data between runs?"
    echo ""
fi

echo "Summary of Unique RSA Key Data:"
echo "   Signed Certificates: ${UNIQUE_DER_DIGEST_COUNT}"
echo "  SubjectPublicKeyInfo: ${UNIQUE_SPKI_DIGEST_COUNT}"
echo ""

echo "Certificate (DER) Digests (SHA256):"
sha256sum "${FOLDER}"/rsa_self-signed-public-key*.der
echo ""

echo "SubjectPublicKeyInfo Digests (SHA256):"
echo "[SubjectPublicKeyInfo derived from the Private Key]"
sha256sum "${FOLDER}"/rsa_public-key-info_via_private-key*.der | sort
echo "[SubjectPublicKeyInfo extracted from Signing Requests]"
sha256sum "${FOLDER}"/rsa_public-key-info_via_signing-request*.der | sort
echo "[SubjectPublicKeyInfo extracted from Self-Signed Certificates]"
sha256sum "${FOLDER}"/rsa_public-key-info_via_self-signed*.der | sort


### Erase All RSA Key Data

Use this to reset the proof-of-concept data related to RSA key data.

In [4]:
%%bash
FOLDER="data/poc"

# if folder exists, remove it
rm -rf "${FOLDER}"/rsa_*

## EC

Resources:

1. [openssl-asn1parse](https://docs.openssl.org/master/man1/openssl-asn1parse/) processing ASN.1 files
2. [openssl-ec](https://docs.openssl.org/master/man1/openssl-ec/) generating elliptic curve private keys
3. [openssl-pkey](https://docs.openssl.org/master/man1/openssl-pkey/) interacting with private keys
4. [openssl-req](https://docs.openssl.org/master/man1/openssl-req/) processing signing-requests
5. [openssl-x509](https://docs.openssl.org/master/man1/openssl-x509/) processing X.509 certificates


### Generate EC Private Key

For illustration purposes, let us create a single RSA private key. 

> Warning: Please do not use these keys in any production or live environment as they are intended for demonstration purposes only.  As a _demo_, you have no control over who may have viewed or obtain a copy of this key material making these private keys potentially _public_.

In [8]:
%%bash
# preamble
FOLDER="data/poc"
mkdir -p "${FOLDER}"
EC_PRIVATE_KEY_PEM="${FOLDER}/ec_private-key.pem"
EC_PRIVATE_KEY_DER="${FOLDER}/ec_private-key.der"
EC_CURVE="prime256v1" # `prime256v1` and `secp384r1`

# validate environment
echo "Environment:"
echo "  Working Folder:  '${FOLDER}'"
echo "  Private Key PEM: '${EC_PRIVATE_KEY_PEM}'"
echo "  Private Key DER: '${EC_PRIVATE_KEY_DER}'"
echo "  Elliptic Curve:  '${EC_CURVE}'"
echo ""

# execute
echo "Generating EC Private Key:"

# create the private key in PEM form.
openssl ecparam -genkey -name "${EC_CURVE}" -noout -out "${EC_PRIVATE_KEY_PEM}"

# convert private key from PEM (ASCII) to DER (binary)
openssl ec -inform pem -in "${EC_PRIVATE_KEY_PEM}" -outform der -out "${EC_PRIVATE_KEY_DER}"
echo ""

# valdiate result
echo "Files:"
ls -l -go "${FOLDER}"/ec_private-key.*
echo ""

echo "File Types:"
file "${FOLDER}"/ec_private-key.*
echo ""

echo "File Digests (SHA256):"
sha256sum "${FOLDER}"/ec_private-key.*


Environment:
  Working Folder:  'data/poc'
  Private Key PEM: 'data/poc/ec_private-key.pem'
  Private Key DER: 'data/poc/ec_private-key.der'
  Elliptic Curve:  'prime256v1'

Generating EC Private Key:


read EC key
writing EC key



Files:
-rw-------@ 1   121 Oct 25 12:30 data/poc/ec_private-key.der
-rw-------@ 1   227 Oct 25 12:30 data/poc/ec_private-key.pem

File Types:
data/poc/ec_private-key.der: data
data/poc/ec_private-key.pem: PEM EC private key

File Digests (SHA256):
a116cecdd2a93e54f8fc1cf153f6bdcbd69dcee3b7046d021b323f364b004b04  data/poc/ec_private-key.der
8dac1db20be517ce72176e9c4099b5a5142c5ec9d7917b092946da9d33abfd9d  data/poc/ec_private-key.pem


### Derive the EC Public Key

The raw private key material itself does not contain the public key.  However we can derive the cryptographic public key material from the private key using one of the `openssl` command options.  
1. `openssl ec -pubout ...`
2. `openssl pkey -pubout ...`

In [9]:
%%bash
# preamble
FOLDER="data/poc"
EC_PRIVATE_KEY_PEM="${FOLDER}/ec_private-key.pem"
EC_PRIVATE_KEY_DER="${FOLDER}/ec_private-key.der"

# validate environment
echo "Environment:"
echo "  EC Private Key PEM: '${EC_PRIVATE_KEY_PEM}'"
echo "  EC Private Key DER: '${EC_PRIVATE_KEY_DER}'"
echo ""

# execute
echo "Deriving the EC Public Key using the corresponding Private Key (ec):"
openssl ec -pubout -inform PEM -in "${EC_PRIVATE_KEY_PEM}" \
    -outform PEM -out "${FOLDER}/ec_public-key-info_via_private-key_ec.pem"
openssl ec -pubout -inform DER -in "${EC_PRIVATE_KEY_DER}" \
    -outform DER -out "${FOLDER}/ec_public-key-info_via_private-key_ec.der"
echo ""

echo "Deriving the EC Public Key using the corresponding Private Key (pkey):"
openssl pkey -pubout -inform PEM -in "${EC_PRIVATE_KEY_PEM}" \
    -outform PEM -out "${FOLDER}"/ec_public-key-info_via_private-key_pkey.pem
openssl pkey -pubout -inform DER -in "${EC_PRIVATE_KEY_DER}" \
    -outform DER -out "${FOLDER}"/ec_public-key-info_via_private-key_pkey.der
echo ""

# validate results
echo "EC Files:"
ls -l -go "${FOLDER}"/ec_public-key-info_via_private-key*
echo ""

echo "EC File Types:"
file "${FOLDER}"/ec_public-key-info_via_private-key*
echo ""

echo "EC File Digests (SHA256):"
sha256sum "${FOLDER}"/ec_public-key-info_via_private-key*.der
echo "---"
sha256sum "${FOLDER}"/ec_public-key-info_via_private-key*.pem

Environment:
  EC Private Key PEM: 'data/poc/ec_private-key.pem'
  EC Private Key DER: 'data/poc/ec_private-key.der'

Deriving the EC Public Key using the corresponding Private Key (ec):


read EC key
writing EC key
read EC key
writing EC key



Deriving the EC Public Key using the corresponding Private Key (pkey):

EC Files:
-rw-r--r--@ 1    91 Oct 25 12:30 data/poc/ec_public-key-info_via_private-key_ec.der
-rw-r--r--@ 1   178 Oct 25 12:30 data/poc/ec_public-key-info_via_private-key_ec.pem
-rw-r--r--@ 1    91 Oct 25 12:30 data/poc/ec_public-key-info_via_private-key_pkey.der
-rw-r--r--@ 1   178 Oct 25 12:30 data/poc/ec_public-key-info_via_private-key_pkey.pem

EC File Types:
data/poc/ec_public-key-info_via_private-key_ec.der:   data
data/poc/ec_public-key-info_via_private-key_ec.pem:   ASCII text
data/poc/ec_public-key-info_via_private-key_pkey.der: data
data/poc/ec_public-key-info_via_private-key_pkey.pem: ASCII text

EC File Digests (SHA256):
38edbd60a30b13e4eb42d5423a468448c82ff800378fc8043ea1c3d67d7b77f4  data/poc/ec_public-key-info_via_private-key_ec.der
38edbd60a30b13e4eb42d5423a468448c82ff800378fc8043ea1c3d67d7b77f4  data/poc/ec_public-key-info_via_private-key_pkey.der
---
c9ed0a6f28443c9db31d886a1a06494b478ba989650b2d

### Generate EC Signing Requests

Our goal is to create multiple unique signed public certificates each based on the single private key we just created.  To begin, we must create a set of _certificate signing requests_, each provided with a unique name.

To uniquely identify each signing request (and later the certificate) we apply a unique ID to the request `CommonName` field of the `Subject`.

In [10]:
%%bash
# preamble
FOLDER="data/poc"
EC_PRIVATE_KEY_PEM="${FOLDER}/ec_private-key.pem"
MAX_SIGNING_REQUESTS=5


echo "Environment:"
echo "  Signing Request Count: ${MAX_SIGNING_REQUESTS}"
echo ""

for ((i=1; i<="${MAX_SIGNING_REQUESTS}"; i++)); do
    GUID=$(uuidgen)
    EC_SIGNING_REQUEST_PEM="${FOLDER}/ec_signing-request_${GUID}.pem"
    EC_SIGNING_REQUEST_DER="${FOLDER}/ec_signing-request_${GUID}.der"
    
    # creates PEM signing request
    echo "Creating PEM: ${EC_SIGNING_REQUEST_PEM}"
    openssl req -new -sha256 -inform pem -key "${EC_PRIVATE_KEY_PEM}" \
      -outform pem -out "${EC_SIGNING_REQUEST_PEM}" -subj "/O=WARNING\: PRIVATE KEY MADE PUBLIC/CN=${GUID}"

    # converts PEM to DER signing request
    echo "Creating DER: ${EC_SIGNING_REQUEST_DER}"
    openssl req -inform PEM -in "${EC_SIGNING_REQUEST_PEM}" \
      -outform DER -out "${EC_SIGNING_REQUEST_DER}"

done
echo ""

echo "EC Signing Requests:"
ls -l -go "${FOLDER}"/ec_signing-request*
echo ""

echo "EC File Types:"
file "${FOLDER}"/ec_signing-request*
echo ""

echo "EC Signing Request Digests (SHA256):"
sha256sum "${FOLDER}"/ec_signing-request*.der
echo "---"
sha256sum "${FOLDER}"/ec_signing-request*.pem
echo ""


Environment:
  Signing Request Count: 5

Creating PEM: data/poc/ec_signing-request_12BBE9DD-2880-4B0B-833B-5C44278197F5.pem
Creating DER: data/poc/ec_signing-request_12BBE9DD-2880-4B0B-833B-5C44278197F5.der
Creating PEM: data/poc/ec_signing-request_34CA6B97-F809-4DDE-B6C2-8EFE67740E86.pem
Creating DER: data/poc/ec_signing-request_34CA6B97-F809-4DDE-B6C2-8EFE67740E86.der
Creating PEM: data/poc/ec_signing-request_5087EA02-1A13-4214-838B-34E9524934C0.pem
Creating DER: data/poc/ec_signing-request_5087EA02-1A13-4214-838B-34E9524934C0.der
Creating PEM: data/poc/ec_signing-request_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.pem
Creating DER: data/poc/ec_signing-request_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.der
Creating PEM: data/poc/ec_signing-request_E07EF164-86A1-48FB-A9FD-68FE1AF256C8.pem
Creating DER: data/poc/ec_signing-request_E07EF164-86A1-48FB-A9FD-68FE1AF256C8.der

EC Signing Requests:
-rw-r--r--@ 1   281 Oct 25 12:31 data/poc/ec_signing-request_12BBE9DD-2880-4B0B-833B-5C44278197F5.der
-rw-r

### Self-Sign EC Signing Requests

Using the single private key, we can self-sign each of the signing requests to create a completed signed certificate for analysis.

In [11]:
%%bash
# preamble
FOLDER="data/poc"
EC_PRIVATE_KEY_PEM="${FOLDER}/ec_private-key.pem"
VALIDITY_DURATION=30
VALIDITY_INCREMENT=10

for EC_SIGNING_REQUEST_PEM in "${FOLDER}"/ec_signing-request*.pem; do
    VALIDITY_DURATION=$((VALIDITY_DURATION+VALIDITY_INCREMENT))
    GUID=$(openssl req -noout -in "${EC_SIGNING_REQUEST_PEM}" -subject | awk -F 'CN=' '{print $2}')
    EC_SELF_SIGNED_PUBLIC_KEY_PEM="${FOLDER}/ec_self-signed-public-key_${GUID}.pem" 
    EC_SELF_SIGNED_PUBLIC_KEY_DER="${FOLDER}/ec_self-signed-public-key_${GUID}.der"  

    # creating PEM signed certificate
    echo "Creating Self-Signed PEM: ${EC_SELF_SIGNED_PUBLIC_KEY_PEM}"
    openssl x509 -req -sha256 -days ${VALIDITY_DURATION} \
        -keyform PEM -signkey "${EC_PRIVATE_KEY_PEM}" \
        -inform PEM -in "${EC_SIGNING_REQUEST_PEM}" \
        -outform PEM -out "${EC_SELF_SIGNED_PUBLIC_KEY_PEM}"

    # converting PEM to DER
    echo "Converting PEM to DER: ${EC_SELF_SIGNED_PUBLIC_KEY_DER}"
    openssl x509 -inform PEM -in "${EC_SELF_SIGNED_PUBLIC_KEY_PEM}" \
        -outform DER -out "${EC_SELF_SIGNED_PUBLIC_KEY_DER}"
done
echo ""

echo "EC Self-Signed Certificates:"
ls -l -go "${FOLDER}"/ec_self-signed-public-key*
echo ""

echo "EC Self-Signed Certificate File Types:"
file "${FOLDER}"/ec_self-signed-public-key*
echo ""

echo "EC Self-Signed Certificate SHA256 Digests:"
sha256sum "${FOLDER}"/ec_self-signed-public-key*.der
echo "---"
sha256sum "${FOLDER}"/ec_self-signed-public-key*.pem
echo ""


Creating Self-Signed PEM: data/poc/ec_self-signed-public-key_12BBE9DD-2880-4B0B-833B-5C44278197F5.pem


Certificate request self-signature ok


Converting PEM to DER: data/poc/ec_self-signed-public-key_12BBE9DD-2880-4B0B-833B-5C44278197F5.der
Creating Self-Signed PEM: data/poc/ec_self-signed-public-key_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.pem


Certificate request self-signature ok


Converting PEM to DER: data/poc/ec_self-signed-public-key_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.der
Creating Self-Signed PEM: data/poc/ec_self-signed-public-key_34CA6B97-F809-4DDE-B6C2-8EFE67740E86.pem


Certificate request self-signature ok


Converting PEM to DER: data/poc/ec_self-signed-public-key_34CA6B97-F809-4DDE-B6C2-8EFE67740E86.der
Creating Self-Signed PEM: data/poc/ec_self-signed-public-key_5087EA02-1A13-4214-838B-34E9524934C0.pem


Certificate request self-signature ok


Converting PEM to DER: data/poc/ec_self-signed-public-key_5087EA02-1A13-4214-838B-34E9524934C0.der
Creating Self-Signed PEM: data/poc/ec_self-signed-public-key_E07EF164-86A1-48FB-A9FD-68FE1AF256C8.pem


Certificate request self-signature ok


Converting PEM to DER: data/poc/ec_self-signed-public-key_E07EF164-86A1-48FB-A9FD-68FE1AF256C8.der

EC Self-Signed Certificates:
-rw-r--r--@ 1   474 Oct 25 12:31 data/poc/ec_self-signed-public-key_12BBE9DD-2880-4B0B-833B-5C44278197F5.der
-rw-r--r--@ 1   696 Oct 25 12:31 data/poc/ec_self-signed-public-key_12BBE9DD-2880-4B0B-833B-5C44278197F5.pem
-rw-r--r--@ 1   474 Oct 25 12:31 data/poc/ec_self-signed-public-key_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.der
-rw-r--r--@ 1   696 Oct 25 12:31 data/poc/ec_self-signed-public-key_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.pem
-rw-r--r--@ 1   475 Oct 25 12:31 data/poc/ec_self-signed-public-key_34CA6B97-F809-4DDE-B6C2-8EFE67740E86.der
-rw-r--r--@ 1   700 Oct 25 12:31 data/poc/ec_self-signed-public-key_34CA6B97-F809-4DDE-B6C2-8EFE67740E86.pem
-rw-r--r--@ 1   476 Oct 25 12:31 data/poc/ec_self-signed-public-key_5087EA02-1A13-4214-838B-34E9524934C0.der
-rw-r--r--@ 1   700 Oct 25 12:31 data/poc/ec_self-signed-public-key_5087EA02-1A13-4214-838B-34E9524934C0.pem

### Display Certificate Details (Briefly)

Confirming our certificates have unique names and validity periods.

In [12]:
%%bash
FOLDER="data/poc"

# from signed certificates
echo "Basic Certificate Details:"
for EC_SELF_SIGNED_PUBLIC_KEY_PEM in "${FOLDER}"/ec_self-signed-public-key*.pem; do
    echo "--------------------------------------------"
    openssl x509 -noout -in "${EC_SELF_SIGNED_PUBLIC_KEY_PEM}" \
        -subject -serial -startdate -enddate
done
echo ""

Basic Certificate Details:
--------------------------------------------
serial=6345F769188EE917C6641C6C2374A98708E33C9F
notBefore=Oct 25 16:31:44 2024 GMT
notAfter=Dec  4 16:31:44 2024 GMT
--------------------------------------------
serial=6D46F12266922667CC9E26BEC7C81996949FB27C
notBefore=Oct 25 16:31:44 2024 GMT
notAfter=Dec 14 16:31:44 2024 GMT
--------------------------------------------
serial=7C772B0B1858D8FD09848C3C3CDCB795FD990DF6
notBefore=Oct 25 16:31:45 2024 GMT
notAfter=Dec 24 16:31:45 2024 GMT
--------------------------------------------
serial=6C241FA829B327888E4D9DD33F1DB908C37F52D0
notBefore=Oct 25 16:31:45 2024 GMT
notAfter=Jan  3 16:31:45 2025 GMT
--------------------------------------------
serial=599B5023D23CE5061EC7577766BAF935C25B7942
notBefore=Oct 25 16:31:45 2024 GMT
notAfter=Jan 13 16:31:45 2025 GMT



### Extract EC SubjectPublicKeyInfo

We already derived the raw public key material earlier by accessing the private key for this information.  Here, we'll shift our focus to both the signing requests and self-signed certificates for analysis.

First, we'll access the signing requests to extract the `SubjectPublicKeyInfo` data and convert it to DER (binary) format.  Then we'll access each self-signed certificate to perform a similar action.

> Note: when using the `-pubkey` option, the output will often contain two sections, in ASCII format, defining the `PUBLIC KEY` and `CERTIFICATE REQUEST`.  We use `sed` to parse out only the `PUBLIC KEY` portion of this output.

In [13]:
%%bash
FOLDER="data/poc"

echo "Extracting the SubjectPublicKeyInfo from EC Signing Requests:"
echo "--------------------------------------------"
# from signing request
for EC_SIGNING_REQUEST_PEM in "${FOLDER}"/ec_signing-request*.pem; do
    GUID=$(openssl req -noout -in "${EC_SIGNING_REQUEST_PEM}" -subject | awk -F 'CN=' '{print $2}')
    EC_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM="${FOLDER}/ec_public-key-info_via_signing-request_${GUID}.pem" 
    EC_PUBLIC_KEY_INFO_SIGNING_REQUEST_DER="${FOLDER}/ec_public-key-info_via_signing-request_${GUID}.der"  

    # creating PEM signed certificate
    echo "Creating Public Key Info PEM: ${EC_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM}"
    openssl req -pubkey -inform PEM -in "${EC_SIGNING_REQUEST_PEM}" | \
        sed -n '/BEGIN\ PUBLIC\ KEY/,/END\ PUBLIC\ KEY/p' > "${EC_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM}"

    # converting PEM to DER
    echo "Converting PEM to DER: ${EC_PUBLIC_KEY_INFO_SIGNING_REQUEST_DER}"
    openssl asn1parse -inform PEM -in "${EC_PUBLIC_KEY_INFO_SIGNING_REQUEST_PEM}" \
        -out "${EC_PUBLIC_KEY_INFO_SIGNING_REQUEST_DER}"
done
echo ""

echo "Extracting the SubjectPublicKeyInfo from EC Self-Signed Certificates:"
echo "--------------------------------------------"
# from self-signed public key
for EC_SELF_SIGNED_PUBLIC_KEY_PEM in "${FOLDER}"/ec_self-signed-public-key*.pem; do
    echo "Self-Signed Key: ${EC_SELF_SIGNED_PUBLIC_KEY_PEM}"
    GUID=$(openssl x509 -noout -in "${EC_SELF_SIGNED_PUBLIC_KEY_PEM}" -subject | awk -F 'CN=' '{print $2}')
    EC_PUBLIC_KEY_INFO_SELF_SIGNED_PEM="${FOLDER}/ec_public-key-info_via_self-signed_${GUID}.pem" 
    EC_PUBLIC_KEY_INFO_SELF_SIGNED_DER="${FOLDER}/ec_public-key-info_via_self-signed_${GUID}.der"  

    # creating PEM signed certificate
    echo "Creating Public Key Info PEM: ${EC_PUBLIC_KEY_INFO_SELF_SIGNED_PEM}"
    openssl x509 -pubkey -inform PEM -in "${EC_SELF_SIGNED_PUBLIC_KEY_PEM}" | \
        sed -n '/BEGIN\ PUBLIC\ KEY/,/END\ PUBLIC\ KEY/p' > "${EC_PUBLIC_KEY_INFO_SELF_SIGNED_PEM}"

    # converting PEM to DER
    echo "Converting PEM to DER: ${EC_PUBLIC_KEY_INFO_SELF_SIGNED_DER}"
    openssl asn1parse -inform PEM -in "${EC_PUBLIC_KEY_INFO_SELF_SIGNED_PEM}" \
        -out "${EC_PUBLIC_KEY_INFO_SELF_SIGNED_DER}"
done
echo ""

Extracting the SubjectPublicKeyInfo from EC Signing Requests:
--------------------------------------------
Creating Public Key Info PEM: data/poc/ec_public-key-info_via_signing-request_12BBE9DD-2880-4B0B-833B-5C44278197F5.pem
Converting PEM to DER: data/poc/ec_public-key-info_via_signing-request_12BBE9DD-2880-4B0B-833B-5C44278197F5.der
    0:d=0  hl=2 l=  89 cons: SEQUENCE          
    2:d=1  hl=2 l=  19 cons: SEQUENCE          
    4:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   13:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   23:d=1  hl=2 l=  66 prim: BIT STRING        
Creating Public Key Info PEM: data/poc/ec_public-key-info_via_signing-request_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.pem
Converting PEM to DER: data/poc/ec_public-key-info_via_signing-request_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.der
    0:d=0  hl=2 l=  89 cons: SEQUENCE          
    2:d=1  hl=2 l=  19 cons: SEQUENCE          
    4:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   13:

### Compare PublicKeyInfo Digests

In summary, we've performed the following actions:
1. Derived the public key from a single private key 
<br>(see `ec_public-key-info_via_private_key*.der`).
2. Extracted the public key material from multiple certificate signing requests
<br>(see `ec_public-key-info_via_signing-request*.der`).
3. Extracted the public key material from multiple self-signed certificates 
<br>(see `ec_public-key-info_via_self-signed*.der`).

Do we have message digests which match across all these different exports?

> Note: If you do not see the results you expect, make sure you are [Erase All EC Key Data](#erase-all-ec-key-data)) between test runs.

If you want more samples, then follow these steps without erasing or resetting the EC data.
1. Run [Generate EC Signing Requests](#generate-ec-signing-requests) multiple times.  e.g. 4 more times for a total of 25 signing requests.
2. Run [Self-Sign EC Signing Requests](#self-sign-ec-signing-requests) just once.  
3. Run [Extract EC SubjectPublicKeyInfo](#extract-ec-subjectpublickeyinfo) just once.
4. Run this cell again.

In [14]:
%%bash
FOLDER="data/poc"

# basic error checking
if ! find "${FOLDER}" -type f -name "ec_self-signed-public-key*.der" | grep -q .; then
    echo "WARNING: No EC Self-Signed Certificates found."
    echo "         Please run the previous cells to generate EC content."
    exit
fi

UNIQUE_DER_DIGEST_COUNT=$(sha256sum "${FOLDER}"/ec_self-signed-public-key*.der \
    | awk '{print $1}' | sort | uniq | wc -l | awk '{print $1}')

UNIQUE_SPKI_DIGEST_COUNT=$(sha256sum "${FOLDER}"/ec_public-key-info*.der \
    | awk '{print $1}' | sort | uniq | wc -l | awk '{print $1}')

if [ "${UNIQUE_SPKI_DIGEST_COUNT}" -gt 1 ]; then
    echo "WARNING: Multiple SubjectPublicKeyInfo Digests found."
    echo "         Did you forget to erase all key data between runs?"
    echo ""
fi

echo "Summary of Unique EC Key Data:"
echo "   Signed Certificates: ${UNIQUE_DER_DIGEST_COUNT}"
echo "  SubjectPublicKeyInfo: ${UNIQUE_SPKI_DIGEST_COUNT}"
echo ""

echo "Certificate (DER) Digests (SHA256):"
sha256sum "${FOLDER}"/ec_self-signed-public-key*.der
echo ""

echo "SubjectPublicKeyInfo Digests (SHA256):"
echo "[SubjectPublicKeyInfo derived from the Private Key]"
sha256sum "${FOLDER}"/ec_public-key-info_via_private-key*.der | sort
echo "[SubjectPublicKeyInfo extracted from Signing Requests]"
sha256sum "${FOLDER}"/ec_public-key-info_via_signing-request*.der | sort
echo "[SubjectPublicKeyInfo extracted from Self-Signed Certificates]"
sha256sum "${FOLDER}"/ec_public-key-info_via_self-signed*.der | sort

Summary of Unique EC Key Data:
   Signed Certificates: 5
  SubjectPublicKeyInfo: 1

Certificate (DER) Digests (SHA256):
d83d38a3860cb41cbfc494aefc2e08476caab9bbb19dfcc48983c9d496dff513  data/poc/ec_self-signed-public-key_12BBE9DD-2880-4B0B-833B-5C44278197F5.der
7be2d9495585ebe345db2ddfafa26b544a787c1d0917941a08da97740e27c78d  data/poc/ec_self-signed-public-key_29B02F0C-0A2C-4A78-918E-46CB37A44CC7.der
24d470bd24b95fe7fc683e3ea455ab3c7caa6b51051bc2c5e80bf3f3355ad591  data/poc/ec_self-signed-public-key_34CA6B97-F809-4DDE-B6C2-8EFE67740E86.der
821d9bb7fbf1d657875b3a0f2289502f3f1cce87bdc460137505ea5a711d4095  data/poc/ec_self-signed-public-key_5087EA02-1A13-4214-838B-34E9524934C0.der
2afacf68ba9f35f379a2c7b4656be3d62f45dfdab99ccb022bdc0077dfba9b5a  data/poc/ec_self-signed-public-key_E07EF164-86A1-48FB-A9FD-68FE1AF256C8.der

SubjectPublicKeyInfo Digests (SHA256):
[SubjectPublicKeyInfo derived from the Private Key]
38edbd60a30b13e4eb42d5423a468448c82ff800378fc8043ea1c3d67d7b77f4  data/poc/ec_

### Erase All EC Key Data

Use this to reset the proof-of-concept data related to EC key data.

In [7]:
%%bash
FOLDER="data/poc"

# if folder exists, remove it
rm -rf "${FOLDER}"/ec_*

# Additional OpenSSL Commands and Data


## Cipher Suites

How to check cipher suite support, which should correlate with certificate type (`RSA` vs `ECDSA`).  List of available cipher suites from OpenSSL or OpenSSL compatible (e.g. LibreSSL).   Note, these are based on _your_ local OpenSSL installation.

In [None]:
%%bash
openssl ciphers -v

## OpenSSL Cipher Suites to JSON

In [6]:
import json

def openssl_cipher_suites_to_json(openssl_result:list) -> list:
    """Convers OpenSSL verbose cipher suite output to JSON.
    
    cipher_suites = [
        {
            "Cipher Suite": str,
            "Protocol": str,
            "Key Exchange": str,
            "Authentication": str,
            "Encryption": str,
            "MAC": str
        },
        {...}
    ]

    Args:
        openssl_result (list): list of lines from 'openssl ciphers -v'

    Returns:
        list: list of dictionaries
    """
    cipher_suites = []
    for line in openssl_result:
        fields = line.split()
        cipher_suite = {}
        cipher_suite['Cipher Suite'] = fields[0]
        cipher_suite['Protocol'] = fields[1]
        cipher_suite['Key Exchange'] = fields[2].split('=')[1]
        cipher_suite['Authentication'] = fields[3].split('=')[1]
        cipher_suite['Encryption'] = fields[4].split('=')[1]
        cipher_suite['MAC'] = fields[5].split('=')[1]

        cipher_suites.append(cipher_suite)
    return cipher_suites

# using a Jupyter 'feature'.  Caution executing external code or binaries from within your notebooks.
openssl_result = !openssl ciphers -v # use 'RSA' or 'AES' or other filter keywords

suites_json = openssl_cipher_suites_to_json(openssl_result)

print(json.dumps(suites_json, indent=2))


[
  {
    "Cipher Suite": "TLS_AES_256_GCM_SHA384",
    "Protocol": "TLSv1.3",
    "Key Exchange": "any",
    "Authentication": "any",
    "Encryption": "AESGCM(256)",
    "MAC": "AEAD"
  },
  {
    "Cipher Suite": "TLS_CHACHA20_POLY1305_SHA256",
    "Protocol": "TLSv1.3",
    "Key Exchange": "any",
    "Authentication": "any",
    "Encryption": "CHACHA20/POLY1305(256)",
    "MAC": "AEAD"
  },
  {
    "Cipher Suite": "TLS_AES_128_GCM_SHA256",
    "Protocol": "TLSv1.3",
    "Key Exchange": "any",
    "Authentication": "any",
    "Encryption": "AESGCM(128)",
    "MAC": "AEAD"
  },
  {
    "Cipher Suite": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "Protocol": "TLSv1.2",
    "Key Exchange": "ECDH",
    "Authentication": "ECDSA",
    "Encryption": "AESGCM(256)",
    "MAC": "AEAD"
  },
  {
    "Cipher Suite": "ECDHE-RSA-AES256-GCM-SHA384",
    "Protocol": "TLSv1.2",
    "Key Exchange": "ECDH",
    "Authentication": "RSA",
    "Encryption": "AESGCM(256)",
    "MAC": "AEAD"
  },
  {
    "Cipher Suit

OpenSSL RSA Cipher Suites

We can query `openssl` for various cipher suites based on one or more cipher string values.  See [OpenSSL man page on Ciphers: Cipher Strings](https://docs.openssl.org/1.1.1/man1/ciphers/)

In [7]:
%%bash

# create an array of strings "RSA", "ECDH", "DHE", "ECDSA", "AES", "RSA"
CIPHERS=("ECDH" "DHE" "ECDSA" "AES" "RSA")

# iterate over the array with openssl ciphers -v
for CIPHER in "${CIPHERS[@]}"; do
    echo "Ciphers: '${CIPHER}'"
    openssl ciphers -V "${CIPHER}"
    echo ""
done


Ciphers: 'ECDH'
          0x13,0x02 - TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0x13,0x01 - TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
          0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xC0,0xAD - ECDHE-ECDSA-AES256-CCM         TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256)            Mac=AEAD
          0xC0,0x5D - ECDHE-ECDSA-ARIA25

Using `openssl` to connect to a web site and display the certificate in an on-demand fashion.

> Note: Web sites can be load balanced across many IPv4 and IPv6 addresses.  This example merely accesses the first available.

In [None]:
#!/bin/bash

#cipher_suite="\'ECDHE-ECDSA-AES128-SHA\'" # RSA key type
# cipher_suite='ECDHE-ECDSA-AES256-GCM-SHA384' # EC key type

! echo "[ OpenSSL - Connection Details ]============================"
! echo | openssl s_client -showcerts -cipher "ECDHE-ECDSA-AES128-SHA" -servername www.google.com -connect www.google.com:443 2>&1
! echo ""
! echo "[ OpenSSL - Certificate Details ]==========================="
! echo | openssl s_client -showcerts -cipher 'ECDHE-ECDSA-AES128-SHA' -servername www.google.com -connect www.google.com:443 2>&1 | openssl x509 -noout -text


Connecting to 64.233.180.103
CONNECTED(00000006)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services, CN=WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 16 09:36:05 2024 GMT; NotAfter: Dec  9 09:36:04 2024 GMT
-----BEGIN CERTIFICATE-----
MIIEVzCCAz+gAwIBAgIRALInSnyU/zjpCrMQnoGLTR8wDQYJKoZIhvcNAQELBQAw
OzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczEM
MAoGA1UEAxMDV1IyMB4XDTI0MDkxNjA5MzYwNVoXDTI0MTIwOTA5MzYwNFowGTEX
MBUGA1UEAxMOd3d3Lmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AATAyTv9baLYfSH5V1zIYM8wLxBwYOI2W0wgDy5Ca8Umx6TKzH4hSsfWUXYyjzpb
HYbvQFWm/XoM4rwKk390xHIYo4ICQTCCAj0wDgYDVR0PAQH/BAQDAgeAMBMGA1Ud
JQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHc4VhHAg7F2
N6+5qEQjxfvlX6pmMB8GA1UdIwQYMBaAFN4bHu15FdQ+NyTDIbvsNDltQrIwMFgG
CCs