I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :). This works:
$ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out ~/src/wtls-verifier engine "pkcs11" set. $ pkcs15-tool --read-public-key 02 -o 02.pem Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID Please enter PIN [PIV Card Holder pin]: $ openssl dgst -keyform PEM -verify 02.pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier Verified OK $ But this doesn’t: $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file $ And this one doesn’t either: $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e 6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pub key;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file Is it a bug, or what am I doing wrong? Thanks! -- Regards, Uri Blumenthal On 12/10/15, 17:17 , "openssl-dev on behalf of Blumenthal, Uri - 0553 - MITLL" <openssl-dev-boun...@openssl.org on behalf of u...@ll.mit.edu> wrote: >On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson" ><openssl-dev-boun...@openssl.org on behalf of st...@openssl.org> wrote: > >>>>Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL >>> >in pkeyutl.c >>> >>> With your proposed (temporary) fix, the signature both generated and >>> verified successfully (see below). Could I ask to push this fix to the >>> master, and maybe/hopefully to 1_0_2 branch? >>> >> >>As I indicated the fix I suggested it temporary. Sometimes a user will >>want that behaviour so we'd need a new command line option indicating the >>private key engine only. > >Ideally engine_pkcs11 should do it automatically, but I see your point. >Perhaps the code in pkeyutl.c could check if (a) engine is set, and (b) >the engine is PKCS11? And if so - automatically do the right thing? Do you >envision other engines with similar needs? My assumption was that the only >engine that talks to smart cards is pkcs11... > >In the meanwhile, in your opinion should rsautl need a similar patch, or >would it work out of box, like dgst did? > >Thank you!
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev