Re: Is there a simple implementation of hooking external private key with openssl-3.0 API?

2022-04-11 Thread Alon Bar-Lev
On Mon, Apr 11, 2022 at 11:52 AM Matt Caswell wrote:
>
>
>
> On 10/04/2022 19:18, Alon Bar-Lev wrote:
> > Hello,
> >
> > I am trying to migrate to openssl-3.0 API, it seems to be very
> > complicated to hook primitive private key usage to a custom function.
> > This is required, for example, to use private keys that reside on
> > hardware devices or when an application wishes to externalize private
> > key operations to other programs using IPC.
> >
> > I hope I am wrong but it seems like an entirely new provider must be
> > implemented with complete reimplementation of the default providers,
> > including serialization, padding etc... While in openssl-0/1 it was
> > quite easy.
> >
>
> You will need to implement a provider, and include a key manager plus an
> implementation of whatever operations you want to support, e.g.
> signature or asymcipher. Typically where a private key resides on a
> hardware device then you don't need to support
> serialization/deserialization because the keys can't be
> serialized/deserialized anyway. If you do want to support that then the
> key manager just needs to be able to import or export keys using the
> standard parameters for the algorithm and it will automatically be able
> to use the default provider's encoders and decoders. Support for key
> generation is also probably optional. You would need to support any
> padding that you need - that's considered part of the low level
> algorithm implementation.
>

Thank you Matt,
I am aware I can implement three new providers from scratch.
However, I was hoping you would show me a way to cascade the existing
providers just like we have done in the past with the RSA_METHOD.
I would like the exact behavior of the existing providers while
overriding the low level RSA operations.
Even if I would implement an entirely new provider I guess I need to
keep using deprecated low level RSA_* functions for the public key
part.
OpenVPN had brute forced this[1][2] in about 1500 lines of code of
what used to be about 120 lines of code.

I would like to raise my concern that this openssl-3.0 provider
interface may need some improvement to allow easier integration,
similar to what we had in openssl since about ever.

Are you open to a discussion about improving this?

[1] https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/xkey_provider.c
[2] https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/xkey_helper.c

>
> > I wrote a testcase program using openssl-1 APIs[1] which also works
> > using openssl-3, in this testcase I prepare a new RSA method based on
> > the default method, hook the private operations and then hook the RSA
> > object to use the custom method.
> >
> > I am looking for a way to implement the __hook_evp_pkey function in
> > openssl-3 api, so that when a private key operation is executed on the
> > EVP_PKEY or EVP_PKEY_CTX a custom callback will be executed while
> > public key operations continue to be executed normally.
> >
> > While looking into the existing RSA providers I can see that the
> > providers continue to use the deprecated RSA_* functions with the
> > following comment:
> >
> >  /*
> >   * RSA low level APIs are deprecated for public use, but still ok for
> >   * internal use.
> >   */
> >
> > This is exactly what I need... :) To have the RSA low level API be
> > redirected back to the application so that I can enjoy the default
> > implementation of signature/rsa_sig.c padding etc while being able to
> > override the private encrypt. But these low level functions are hidden
> > from the user.
>
> As the comment says, RSA low level APIs are deprecated. Deprecated does
> *not* mean removed. So you can still use them for now, although expect
> them to be removed from some future version of OpenSSL.

Marking deprecated APIs is announcing your intentions and gives enough
time for everyone to work out the gaps (if any).
I believe there is a gap which will introduce a great burden for
developers in the existing design. I would like to work with you to
reach a solution similar to what we had in prior openssl versions by leveraging
the current provider approach and create a reference implementation
similar to what I've provided.
If I understand the design correctly the missing bits are the ability
to cascade a provider and access low level primitives, maybe as its
own provider.

> Matt
>

Thanks,
Alon

> >
> > Can anyone help us to create a testcase of openssl-3? This will help
> > many applications such as opensc/libp11 opensc/pkcs11-helper openvpn
> > and probably more.
> >
> > For your convenience, you may find the program here[1].
> >

Is there a simple implementation of hooking external private key with openssl-3.0 API?

2022-04-10 Thread Alon Bar-Lev
Hello,

I am trying to migrate to openssl-3.0 API, it seems to be very
complicated to hook primitive private key usage to a custom function.
This is required, for example, to use private keys that reside on
hardware devices or when an application wishes to externalize private
key operations to other programs using IPC.

I hope I am wrong but it seems like an entirely new provider must be
implemented with complete reimplementation of the default providers,
including serialization, padding etc... While in openssl-0/1 it was
quite easy.

I wrote a testcase program using openssl-1 APIs[1] which also works
using openssl-3, in this testcase I prepare a new RSA method based on
the default method, hook the private operations and then hook the RSA
object to use the custom method.

I am looking for a way to implement the __hook_evp_pkey function in
openssl-3 api, so that when a private key operation is executed on the
EVP_PKEY or EVP_PKEY_CTX a custom callback will be executed while
public key operations continue to be executed normally.

While looking into the existing RSA providers I can see that the
providers continue to use the deprecated RSA_* functions with the
following comment:

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */

This is exactly what I need... :) To have the RSA low level API be
redirected back to the application so that I can enjoy the default
implementation of signature/rsa_sig.c padding etc while being able to
override the private encrypt. But these low level functions are hidden
from the user.

Can anyone help us to create a testcase of openssl-3? This will help
many applications such as opensc/libp11 opensc/pkcs11-helper openvpn
and probably more.

For your convenience, you may find the program here[1].

Regards,
Alon Bar-Lev

[1] https://github.com/alonbl/openssl-external/blob/master/example.c

---

#include <stdio.h>
#include <string.h>

#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

/* Custom RSA method and the ex_data slot used to attach per-key state. */
static RSA_METHOD *__example_rsa_method;
static int __example_rsa_index;

/*
 * Hook for the private "encrypt" (raw signing) primitive. This testcase
 * only prints a marker and zeroes the output instead of using a key.
 */
static int __example_rsa_priv_enc(int flen, const unsigned char *from,
        unsigned char *to, RSA *rsa, int padding) {
    const RSA_METHOD *rsa_method = NULL;
    int ret = -1;

    if ((rsa_method = RSA_get_method(rsa)) == NULL) {
        goto cleanup;
    }

    /*
     * Do it.
     */
    printf("ENCRYPT\n");
    memset(to, 0, flen);
    ret = 1;

cleanup:

    return ret;
}

/* Hook for the private decrypt primitive; same stub behaviour as above. */
static int __example_rsa_priv_dec(int flen, const unsigned char *from,
        unsigned char *to, RSA *rsa, int padding) {
    const RSA_METHOD *rsa_method = NULL;
    int ret = -1;

    if ((rsa_method = RSA_get_method(rsa)) == NULL) {
        goto cleanup;
    }

    /*
     * Do it.
     */
    printf("DECRYPT\n");
    memset(to, 0, flen);
    ret = 1;

cleanup:

    return ret;
}


/*
 * Duplicate the default RSA method and override only the two private
 * operations, so public key operations keep the default implementation.
 */
static int __prepare_method(void) {
    int ret = 0;

    if ((__example_rsa_method =
            RSA_meth_dup(RSA_get_default_method())) == NULL) {
        goto cleanup;
    }

    if (!RSA_meth_set1_name(__example_rsa_method, "example")) {
        goto cleanup;
    }

    if (!RSA_meth_set_priv_dec(__example_rsa_method, __example_rsa_priv_dec)) {
        goto cleanup;
    }

    if (!RSA_meth_set_priv_enc(__example_rsa_method, __example_rsa_priv_enc)) {
        goto cleanup;
    }

    if ((__example_rsa_index = RSA_get_ex_new_index(0, "example",
            NULL, NULL, NULL)) == -1) {
        goto cleanup;
    }

    ret = 1;

cleanup:

    return ret;
}

static int __free_method(void) {
    RSA_meth_free(__example_rsa_method);
    return 1;
}

/* Attach the custom method and its state to the RSA key inside evp_pkey. */
static int __hook_evp_pkey(EVP_PKEY *evp_pkey) {

    RSA *rsa = NULL;
    int ret = 0;

    /*
     * Hook private key methods
     */

    if (EVP_PKEY_id(evp_pkey) != EVP_PKEY_RSA) {
        goto cleanup;
    }

    if ((rsa = EVP_PKEY_get1_RSA(evp_pkey)) == NULL) {
        goto cleanup;
    }

    if (!RSA_set_method(rsa, __example_rsa_method)) {
        goto cleanup;
    }

    if (!RSA_set_ex_data(rsa, __example_rsa_index, "mystate")) {
        goto cleanup;
    }

    if (EVP_PKEY_set1_RSA(evp_pkey, rsa) != 1) {
        goto cleanup;
    }

    ret = 1;

cleanup:

    RSA_free(rsa);

    return ret;
}

static const char *pem = (
"-----BEGIN CERTIFICATE-----\n"
"MIIFMDCCBBigAwIBAgISA6sbShb1HQ3TpSVvhSPOS4JJMA0GCSqGSIb3DQEBCwUA\n"
"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
"EwJSMzAeFw0yMjAzMTAxNzQ4MDdaFw0yMjA2MDgxNzQ4MDZaMBoxGDAWBgNVBAMT\n"
"D210YS5vcGVuc3NsLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
"AMZvA0BbvdyVc+06j5e5k6dUr8gqL0KZw0w4xJ0QD6jD/o+czNEMz13YDxuZ5utL\n"
"YGq8uohlK8l2DWqvDfGfm1T4VYQhD2z0Ky0JDTsxDIb5i6kKA+o2j2VPAivfMkBp\n"
"f47rLITa4vqZ8/aro3E0ZVWfbpOOGASteM/g9mLEpRLJQA2/o4uu9xLCsyJkLG8F\n"
"8eTCHUJ8388ZO/3fv8LnN1+/WwciSYcZcZNN44OsrgLNoLh6dzSY+oNZyVGdqxUy\n"

Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-19 Thread Alon Bar-Lev
Done[1]

[1] https://github.com/openssl/openssl/issues/14257

On Fri, Feb 19, 2021 at 11:09 PM Dmitry Belyavsky wrote:
>
> Would you mind raising the issue on GitHub with the reproduction?
>
> On Fri, 19 Feb 2021, 21:44 Alon Bar-Lev wrote:
>>
>> Hi,
>>
>> I am trying to analyze openssl sources, and it looks like the resign
>> is implemented in a naive path that does not handle all cases.
>>
>> In other words, the CMS resign is not working in any case other than
>> the default execution path.
>>
>> For example the -noattr is also not working.
>>
>> I updated my reproduction project[1] to show all cases of resign that
>> do not work CMS_NO_ATTR, CMS_KEY_PARAM.
>>
>> I believe the root cause is that when resign is executed the
>> CMS_final() is not called and instead the i2d_CMS_bio() is called,
>> while its logic is incomplete.
>>
>> I hope this will ring a bell to people who are maintaining the
>> crypto/cms/* implementation.
>>
>> Tested [fails] with:
>>   OpenSSL_1_1_1-stable
>>   master
>>
>> Regards,
>> Alon
>>
>> [1] https://github.com/alonbl/openssl-cms-pss
>>
>> On Fri, Feb 19, 2021 at 10:06 PM Alon Bar-Lev wrote:
>> >
>> > Thanks.
>> > I managed to narrow this, it is not related to pss also if I pass pkcs1 I 
>> > can reproduce. It has something to do with CMS_KEY_PARAM flag and add 
>> > signer.
>> >
>> >> On Fri, 19 Feb 2021 at 22:03 Thulasi Goriparthi wrote:
>> >>
>> >> With PSS,  for the first signature, PSS alg ID and params are encoded 
>> >> correctly, but not for the second signature(resign).
>> >>

Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-19 Thread Alon Bar-Lev
Hi,

I am trying to analyze openssl sources, and it looks like the resign
is implemented in a naive path that does not handle all cases.

In other words, the CMS resign is not working in any case other than
the default execution path.

For example the -noattr is also not working.

I updated my reproduction project[1] to show all cases of resign that
do not work CMS_NO_ATTR, CMS_KEY_PARAM.

I believe the root cause is that when resign is executed the
CMS_final() is not called and instead the i2d_CMS_bio() is called,
while its logic is incomplete.

I hope this will ring a bell to people who are maintaining the
crypto/cms/* implementation.

Tested [fails] with:
  OpenSSL_1_1_1-stable
  master

Regards,
Alon

[1] https://github.com/alonbl/openssl-cms-pss

On Fri, Feb 19, 2021 at 10:06 PM Alon Bar-Lev wrote:
>
> Thanks.
> I managed to narrow this, it is not related to pss also if I pass pkcs1 I can 
> reproduce. It has something to do with CMS_KEY_PARAM flag and add signer.
>
> On Fri, 19 Feb 2021 at 22:03 Thulasi Goriparthi wrote:
>>
>> With PSS,  for the first signature, PSS alg ID and params are encoded 
>> correctly, but not for the second signature(resign).
>>

Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-19 Thread Alon Bar-Lev
Thanks.
I managed to narrow this, it is not related to pss also if I pass pkcs1 I
can reproduce. It has something to do with CMS_KEY_PARAM flag and add
signer.

On Fri, 19 Feb 2021 at 22:03 Thulasi Goriparthi wrote:

> With PSS,  for the first signature, PSS alg ID and params are encoded
> correctly, but not for the second signature(resign).
>
> 2542:d=7  hl=2 l=   9 prim: OBJECT:S/MIME Capabilities
>  2553:d=7  hl=2 l= 108 cons: SET
>  2555:d=8  hl=2 l= 106 cons: SEQUENCE
>  2557:d=9  hl=2 l=  11 cons: SEQUENCE
>  2559:d=10 hl=2 l=   9 prim: OBJECT:aes-256-cbc
>  2570:d=9  hl=2 l=  11 cons: SEQUENCE
>  2572:d=10 hl=2 l=   9 prim: OBJECT:aes-192-cbc
>  2583:d=9  hl=2 l=  11 cons: SEQUENCE
>  2585:d=10 hl=2 l=   9 prim: OBJECT:aes-128-cbc
>  2596:d=9  hl=2 l=  10 cons: SEQUENCE
>  2598:d=10 hl=2 l=   8 prim: OBJECT:des-ede3-cbc
>  2608:d=9  hl=2 l=  14 cons: SEQUENCE
>  2610:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
>  2620:d=10 hl=2 l=   2 prim: INTEGER   :80
>  2624:d=9  hl=2 l=  13 cons: SEQUENCE
>  2626:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
>  2636:d=10 hl=2 l=   1 prim: INTEGER   :40
>  2639:d=9  hl=2 l=   7 cons: SEQUENCE
>  2641:d=10 hl=2 l=   5 prim: OBJECT:des-cbc
>  2648:d=9  hl=2 l=  13 cons: SEQUENCE
>  2650:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
>  2660:d=10 hl=2 l=   1 prim: INTEGER   :28
>  2663:d=5  hl=2 l=   0 cons: SEQUENCE
>  2665:d=5  hl=2 l=   0 prim: OCTET STRING
>  2667:d=4  hl=4 l= 723 cons: SEQUENCE
>  2671:d=5  hl=2 l=   1 prim: INTEGER   :01
>  2674:d=5  hl=3 l= 149 cons: SEQUENCE
>  2677:d=6  hl=3 l= 143 cons: SEQUENCE
>  2680:d=7  hl=2 l=  11 cons: SET
>  2682:d=8  hl=2 l=   9 cons: SEQUENCE
>  2684:d=9  hl=2 l=   3 prim: OBJECT:countryName
>  2689:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :IN
>  2693:d=7  hl=2 l=  11 cons: SET
>
> ==multiple lines truncated==
>
> 2949:d=7  hl=2 l=   9 prim: OBJECT:S/MIME Capabilities
>  2960:d=7  hl=2 l= 108 cons: SET
>  2962:d=8  hl=2 l= 106 cons: SEQUENCE
>  2964:d=9  hl=2 l=  11 cons: SEQUENCE
>  2966:d=10 hl=2 l=   9 prim: OBJECT:aes-256-cbc
>  2977:d=9  hl=2 l=  11 cons: SEQUENCE
>  2979:d=10 hl=2 l=   9 prim: OBJECT:aes-192-cbc
>  2990:d=9  hl=2 l=  11 cons: SEQUENCE
>  2992:d=10 hl=2 l=   9 prim: OBJECT:aes-128-cbc
>  3003:d=9  hl=2 l=  10 cons: SEQUENCE
>  3005:d=10 hl=2 l=   8 prim: OBJECT:des-ede3-cbc
>  3015:d=9  hl=2 l=  14 cons: SEQUENCE
>  3017:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
>  3027:d=10 hl=2 l=   2 prim: INTEGER   :80
>  3031:d=9  hl=2 l=  13 cons: SEQUENCE
>  3033:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
>  3043:d=10 hl=2 l=   1 prim: INTEGER   :40
>  3046:d=9  hl=2 l=   7 cons: SEQUENCE
>  3048:d=10 hl=2 l=   5 prim: OBJECT:des-cbc
>  3055:d=9  hl=2 l=  13 cons: SEQUENCE
>  3057:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
>  3067:d=10 hl=2 l=   1 prim: INTEGER   :28
>  3070:d=5  hl=2 l=  62 cons: SEQUENCE
>  3072:d=6  hl=2 l=   9 prim: OBJECT:rsassaPss
>  3083:d=6  hl=2 l=  49 cons: SEQUENCE
>  3085:d=7  hl=2 l=  13 cons: cont [ 0 ]
>  3087:d=8  hl=2 l=  11 cons: SEQUENCE
>  3089:d=9  hl=2 l=   9 prim: OBJECT:sha256
>  3100:d=7  hl=2 l=  26 cons: cont [ 1 ]
>  3102:d=8  hl=2 l=  24 cons: SEQUENCE
>  3104:d=9  hl=2 l=   9 prim: OBJECT:mgf1
>  3115:d=9  hl=2 l=  11 cons: SEQUENCE
>  3117:d=10 hl=2 l=   9 prim: OBJECT:sha256
>  3128:d=7  hl=2 l=   4 cons: cont [ 2 ]
>  3130:d=8  hl=2 l=   2 prim: INTEGER   :DE
>
>  3134:d=5  hl=4 l= 256 prim: OCTET STRING  [HEX
> DUMP]:66C7A406905E0BEF3BE8A55B8BA05915020B6960BDE4700C3C3FB2F115FE5BA60B453EFF39BA37E4D16CA3A86582B3057D05875766BE99C51BC5BEC9CD1AAE3BEC34943160BB06784209F1A3773E07A101BA3E2231FDF85FAB91872A081E37410905A09DAF530600BF9099B054B1DF869826E864A95F5D55DAE84A0CEC43E52F6D13574E1EF66A4E3A65883788E265D6C174211ADBCFEA96A9DD186887BFE040D6D0B59547D8763157D322F0307D7AF31
> 23B0ECFB11E1E7EA228861F4363DBA8D478A7E44F1DEB77A3904FBD90CAA41E291A2E094ABCBD5134146FB1C0F42BC8D7B4829DEFEE7BACDFC024FB8B9FAF16F225EB3C96D866C535B2A06E83DCF007
>
>
> Thanks,
>
> Thulasi.
>
>
> On Sat, 20 Feb 2021 at 00:40, Alon Bar-Lev wrote:
>
>> Thanks
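
Added example, not part of the thread and not OpenSSL code: the dump quoted above shows a zero-length SEQUENCE at offset 2663 directly followed by a zero-length OCTET STRING, which matches the verify error naming Field=signatureAlgorithm and a missing X509_ALGOR algorithm. The C program below scans `openssl asn1parse` text, mail-quoted or not, for that shape; the function names and the abridged sample are assumptions made here, and the check is a heuristic on the text output, not a CMS parser.

```c
/* Added example: scan `openssl asn1parse` text for an empty SEQUENCE that is
 * directly followed by an OCTET STRING at the same depth. */
#include <stdio.h>
#include <string.h>

struct rec {
    long off;         /* offset printed by asn1parse */
    int depth;        /* d= nesting depth */
    long len;         /* l= content length */
    int constructed;  /* 1 for "cons", 0 for "prim" */
    char tag[24];     /* e.g. "SEQUENCE", "OCTET STRING" */
};

/* Parse one record line; leading mail-quote markers are skipped.
 * Returns 1 for a record, 0 for anything else. */
static int parse_record(const char *s, struct rec *r)
{
    char kind[5];
    int hl, n = 0;
    size_t t = 0;
    s += strspn(s, "> \t");
    if (sscanf(s, "%ld:d=%d hl=%d l=%ld %4[a-z]: %n",
               &r->off, &r->depth, &hl, &r->len, kind, &n) != 5 || n == 0)
        return 0;
    r->constructed = strcmp(kind, "cons") == 0;
    /* The tag name ends at ':' (value), '[' (annotation) or end of line. */
    for (s += n; *s && *s != ':' && *s != '[' && t + 1 < sizeof r->tag; s++)
        r->tag[t++] = *s;
    while (t > 0 && (r->tag[t - 1] == ' ' || r->tag[t - 1] == '\r'))
        t--;
    r->tag[t] = '\0';
    return 1;
}

/* Returns the number of hits; *first (if non-NULL) gets the offset of the
 * first empty SEQUENCE, or -1 when there is none. */
static int scan_dump(const char *dump, long *first)
{
    struct rec prev = {0}, cur;
    int have_prev = 0, hits = 0;
    char buf[256];
    if (first)
        *first = -1;
    while (*dump) {
        size_t n = strcspn(dump, "\n");
        size_t c = n < sizeof buf - 1 ? n : sizeof buf - 1;
        memcpy(buf, dump, c);
        buf[c] = '\0';
        dump += n + (dump[n] == '\n');
        if (!parse_record(buf, &cur)) {
            /* Blank quote lines are ignored; other text breaks adjacency. */
            if (buf[strspn(buf, "> \t\r")] != '\0')
                have_prev = 0;
            continue;
        }
        if (have_prev && prev.constructed && prev.len == 0 &&
            strcmp(prev.tag, "SEQUENCE") == 0 && cur.depth == prev.depth &&
            !cur.constructed && strcmp(cur.tag, "OCTET STRING") == 0) {
            if (first && hits == 0)
                *first = prev.off;
            hits++;
        }
        prev = cur;
        have_prev = 1;
    }
    return hits;
}

int count_empty_sigalg(const char *dump) { return scan_dump(dump, NULL); }
long first_empty_sigalg(const char *dump) { long o; scan_dump(dump, &o); return o; }

/* Abridged from the dump quoted in this thread; the hex value is elided. */
static const char SAMPLE_DUMP[] =
    ">  2663:d=5  hl=2 l=   0 cons: SEQUENCE\n"
    ">\n"
    ">  2665:d=5  hl=2 l=   0 prim: OCTET STRING\n"
    "> ==multiple lines truncated==\n"
    ">  3070:d=5  hl=2 l=  62 cons: SEQUENCE\n"
    ">  3072:d=6  hl=2 l=   9 prim: OBJECT:rsassaPss\n"
    ">  3134:d=5  hl=4 l= 256 prim: OCTET STRING  [HEX DUMP]:(elided)\n";

int main(void)
{
    printf("hits=%d first=%ld\n", count_empty_sigalg(SAMPLE_DUMP),
           first_empty_sigalg(SAMPLE_DUMP));
    return 0;
}
```

A hit only says that a SEQUENCE with no content sits where an algorithm identifier would be expected; the SignerInfo with the rsassaPss parameters and the 256-byte signature is not flagged.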

Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-19 Thread Alon Bar-Lev
Thanks!
Was about to write... I tested both 1.1 and master branches and result is
the same.


On Fri, 19 Feb 2021 at 21:04 Thulasi Goriparthi wrote:

> I am able to reproduce this issue with 1.1.1j too.
>
> openssl version -a
> OpenSSL 1.1.1j  16 Feb 2021
> built on: Fri Feb 19 18:56:06 2021 UTC
> platform: darwin64-x86_64-cc
> options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
> compiler: cc -fPIC -arch x86_64 -g -Wall -DL_ENDIAN -DOPENSSL_PIC
> -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM
> -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT
> -DNDEBUG
> OPENSSLDIR: "/usr/local/ssl"
> ENGINESDIR: "/usr/local/lib/engines-1.1"
> Seeding source: os-specific
>
> openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt
> rsa_padding_mode:pss
>
> openssl cms -verify -in 1.cms -CAfile ca.pem
> Content-Type: text/plain
>
> hello world
> Verification successful
>
> openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt
> rsa_padding_mode:pss
>
> openssl cms -verify -in 2.cms -CAfile ca.pem
> Error reading S/MIME message
> 4757167552:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field
> missing:crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
> 4757167552:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm,
> Type=CMS_SignerInfo
> 4757167552:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:crypto/asn1/tasn_dec.c:615:Field=signerInfos, Type=CMS_SignedData
> 4757167552:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:crypto/asn1/tasn_dec.c:646:
> 4757167552:error:0D08403A:asn1 encoding
> routines:asn1_template_ex_d2i:nested asn1
> error:crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
> 4757167552:error:0D0D106E:asn1 encoding routines:b64_read_asn1:decode
> error:crypto/asn1/asn_mime.c:143:
> 4757167552:error:0D0D40CC:asn1 encoding routines:SMIME_read_ASN1:asn1 sig
> parse error:crypto/asn1/asn_mime.c:451:
>
>
> Thanks,
>
> Thulasi.
>
> On Sat, 20 Feb 2021 at 00:09, Viktor Dukhovni wrote:
>
>> On Fri, Feb 19, 2021 at 11:19:42PM +0530, Thulasi Goriparthi wrote:
>>
>> > I am able to reproduce this issue with 1.1.1i
>>
>> OpenSSL 1.1.1j has been released.  Do you still see the problem with
>> 1.1.1j?
>>
>> --
>> Viktor.
>>
>


Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-18 Thread Alon Bar-Lev
Hello OpenSSL masters,

Can someone please try to reproduce the below issue?

Thanks,
Alon

On Sat, 13 Feb 2021 at 23:23 Alon Bar-Lev wrote:

> Hello,
>
> I am trying to resign a CMS using the openssl tool.
>
> When I use RSA-PKCS1 everything is working fine.
>
> When I use RSA-PSS it seems like the asn1 is produced corrupted, I do not
> see the signature in asn1dump.
>
> I prepared a demo[1] to help people reproduce the issue, tested with
> openssl-1.1.1i.
>
> The script output pasted below shows that CMS resign without PSS works
> correctly, while the same sequence with PSS produces a corrupted CMS file.
>
> What am I doing wrong?
>
> Regards,
> Alon Bar-Lev
>
> [1] https://github.com/alonbl/openssl-cms-pss
>
> ---
>
> ===
> CMS without PSS
> ===
> cms -sign 1.cms
> cms -verify 1.cms
> hello world
> Verification successful
> cms -resign 1.cms to 2.cms
> cms -verify 2.cms
> hello world
> Verification successful
> ===
> CMS with PSS
> ===
> cms -sign 1.cms
> cms -verify 1.cms
> hello world
> Verification successful
> cms -resign 1.cms to 2.cms
> cms -verify 2.cms
> Error reading S/MIME message
> 140438977062208:error:0D078079:asn1 encoding
> routines:asn1_item_embed_d2i:field
> missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
> 140438977062208:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm,
> Type=CMS_SignerInfo
> 140438977062208:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:614:Field=signerInfos, Type=CMS_SignedData
> 140438977062208:error:0D08303A:asn1 encoding
> routines:asn1_template_noexp_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:646:
> 140438977062208:error:0D08403A:asn1 encoding
> routines:asn1_template_ex_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
> FATAL: verify 2.cms failed
>
>
>


Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-13 Thread Alon Bar-Lev
On Sat, Feb 13, 2021 at 11:34 PM Quanah Gibson-Mount wrote:
> --On Saturday, February 13, 2021 11:23 PM +0200 Alon Bar-Lev wrote:
>
> > I prepared a demo[1] to help people reproduce the issue, tested with
> > openssl-1.1.1i.
>
> Maybe <https://github.com/openssl/openssl/issues/13931> ?
>

Thanks Quanah,
I tested OpenSSL_1_1_1-stable branch which should have fixed the
issue, the result is the same.
Regards,
Alon


openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-13 Thread Alon Bar-Lev
Hello,

I am trying to resign a CMS using the openssl tool.

When I use RSA-PKCS1 everything is working fine.

When I use RSA-PSS it seems like the asn1 is produced corrupted, I do not
see the signature in asn1dump.

I prepared a demo[1] to help people reproduce the issue, tested with
openssl-1.1.1i.

The script output pasted below shows that CMS resign without PSS works
correctly, while the same sequence with PSS produces a corrupted CMS file.

What am I doing wrong?

Regards,
Alon Bar-Lev

[1] https://github.com/alonbl/openssl-cms-pss

---

===
CMS without PSS
===
cms -sign 1.cms
cms -verify 1.cms
hello world
Verification successful
cms -resign 1.cms to 2.cms
cms -verify 2.cms
hello world
Verification successful
===
CMS with PSS
===
cms -sign 1.cms
cms -verify 1.cms
hello world
Verification successful
cms -resign 1.cms to 2.cms
cms -verify 2.cms
Error reading S/MIME message
140438977062208:error:0D078079:asn1 encoding
routines:asn1_item_embed_d2i:field
missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
140438977062208:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm,
Type=CMS_SignerInfo
140438977062208:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:614:Field=signerInfos, Type=CMS_SignedData
140438977062208:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:646:
140438977062208:error:0D08403A:asn1 encoding
routines:asn1_template_ex_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
FATAL: verify 2.cms failed