Verifying with openssl dgst command #75

Open
GrafWaldemar opened this issue Feb 5, 2019 · 7 comments
Labels
enhancement New feature or request

Comments

@GrafWaldemar

The openssl dgst command currently does not work for the verification of a signature and prints out an error. This problem occurs regardless of the type of key in use (ecdsa / rsa or public / private). You can find below the commands used and the verification error (identical for all types of keys).

```
sudo tpm2tss-genkey -a ecdsa mykey
openssl ec -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub

sudo openssl dgst -engine tpm2tss -keyform engine -sha256 -sign mykey -out mydatasig mydata

sudo openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey -signature mydatasig mydata
sudo openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey.pub -signature mydatasig mydata

engine "tpm2tss" set.
cannot load key file from engine
139991405261248:error:2609707D:engine routines:ENGINE_load_public_key:no load function:../crypto/engine/eng_pkey.c:102:
unable to load key file
```
@AndreasFuchsTPM (Member)

Would you run `openssl dgst -sha256 -keyform pem -verify mykey.pub -signature mydatasig mydata`?
mykey.pub is not a TPM key anymore, but just a regular PEM key.

Could you also tell me if `openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey.pub -signature mydatasig mydata` worked or not?

@GrafWaldemar (Author)

Your first command is working fine, but the second command still has the same error as mentioned above:

```
cannot load key file from engine
139991405261248:error:2609707D:engine routines:ENGINE_load_public_key:no load function:../crypto/engine/eng_pkey.c:102:
unable to load key file
```

@AndreasFuchsTPM (Member)

Oh, sorry, I copied the wrong one...
Does
`openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey -signature mydatasig mydata`
work?

@GrafWaldemar (Author)

No, same error again.

@AndreasFuchsTPM (Member)

Could you compile the engine with `--enable-debug` and run the command again?

@GrafWaldemar (Author)

Sure. Unfortunately, only `Initializing` is printed before the error from above.

@AndreasFuchsTPM (Member)

Ok, so this seems to be related to dgst requiring the PKEY functions as implemented in #89.
This will be part of the 1.1.0 release after 1.0.0 is out the door.

If you could test that branch, that would already help.

Until then, you will have to use openssl's pkeyutl, which does not hash on the fly:

```
$ openssl pkeyutl -keyform engine -engine tpm2tss -inkey mykey -sign -in mydata -out mysig
$ openssl pkeyutl -keyform engine -engine tpm2tss -inkey mykey -verify -in mydata -sigfile mysig
```

So mydata is already the digest of whatever your actual payload data is.

Hope this helps for now, and sorry for not supporting it yet.
Hoping for your testing...
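The pre-hashing point in the workaround above, as an added example (not code from the tpm2-tss-engine project or from this issue): a software P-256 key stands in for the TPM key so it runs without an engine, and it assumes the `openssl` CLI and `mktemp` are available. It shows that a pkeyutl signature over the SHA-256 digest verifies with `dgst -sha256` over the original payload, and that feeding pkeyutl the raw payload does not.

```shell
#!/bin/sh
# Added example, not code from the tpm2-tss-engine project.
# Shows why `pkeyutl -in mydata` must be given a digest: pkeyutl signs
# its input as-is, while `dgst -sha256` hashes on the fly.  A software
# P-256 key stands in for the TPM key; assumes the openssl CLI is installed.

# Returns 0 when pkeyutl over the digest and dgst over the payload agree.
demo_pkeyutl_vs_dgst() {
    d=$(mktemp -d) || return 1

    # Constructed sample payload standing in for the issue's "mydata"
    printf 'hello tpm\n' > "$d/payload"

    # Software stand-in for the engine key (no TPM required)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/sw.key" || return 1
    openssl ec -in "$d/sw.key" -pubout -out "$d/sw.pub" 2>/dev/null || return 1

    # Step 1: hash the payload yourself. This 32-byte file is what must be
    # passed as "mydata" to pkeyutl, since pkeyutl does not hash on the fly.
    openssl dgst -sha256 -binary -out "$d/payload.sha256" "$d/payload" || return 1

    # Step 2: pkeyutl signs the digest bytes directly (ECDSA over the hash)
    openssl pkeyutl -sign -inkey "$d/sw.key" -in "$d/payload.sha256" \
        -out "$d/sig" || return 1

    # Check A: pkeyutl verifies against the same precomputed digest
    openssl pkeyutl -verify -pubin -inkey "$d/sw.pub" -in "$d/payload.sha256" \
        -sigfile "$d/sig" | grep -q 'Signature Verified Successfully' || return 1

    # Check B: the same signature verifies with dgst over the ORIGINAL payload,
    # because dgst computes SHA-256 itself before checking the signature
    openssl dgst -sha256 -verify "$d/sw.pub" -signature "$d/sig" "$d/payload" \
        | grep -q 'Verified OK' || return 1

    # Check C: handing pkeyutl the raw payload instead of its digest must fail;
    # that is the mistake the "does not hash on the fly" remark guards against
    if openssl pkeyutl -verify -pubin -inkey "$d/sw.pub" -in "$d/payload" \
        -sigfile "$d/sig" 2>/dev/null | grep -q 'Verified Successfully'; then
        rm -rf "$d"; return 1
    fi

    rm -rf "$d"
    return 0
}

demo_pkeyutl_vs_dgst && echo "pkeyutl(digest) and dgst(payload) agree"
```

For RSA keys the same cross-check additionally needs `-pkeyopt digest:sha256` on the pkeyutl sign and verify side, so that the PKCS#1 v1.5 DigestInfo encoding matches what dgst produces.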

AndreasFuchsTPM added the "enhancement" (New feature or request) label on Mar 19, 2019
AndreasFuchsTPM modified the milestones: v1.1, v1.1_feature-freeze on Mar 19, 2019
AndreasFuchsTPM removed this from the feature-wanted milestone on Jan 13, 2022