tpm2-tss-engine
Verifying with openssl dgst command
The openssl dgst command currently does not work for the verification of a signature and prints out an error. This problem occurs regardless of the type of key in use (ecdsa / rsa or public / private). You can find below the commands used and the verification error (identical for all types of keys).
```
sudo tpm2tss-genkey -a ecdsa mykey
openssl ec -engine tpm2tss -inform engine -in mykey -pubout -outform pem -out mykey.pub
sudo openssl dgst -engine tpm2tss -keyform engine -sha256 -sign mykey -out mydatasig mydata
sudo openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey -signature mydatasig mydata
sudo openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey.pub -signature mydatasig mydata
```

```
engine "tpm2tss" set.
cannot load key file from engine
139991405261248:error:2609707D:engine routines:ENGINE_load_public_key:no load function:../crypto/engine/eng_pkey.c:102:
unable to load key file
```
Would you run `openssl dgst -sha256 -keyform pem -verify mykey.pub -signature mydatasig mydata`?
The mykey.pub is not a tpm-key anymore, but just a regular pem key.
Could you also tell me if `openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey.pub -signature mydatasig mydata` worked or not?
Your first command is working fine, but the second command still has the same error as mentioned above:

```
cannot load key file from engine
139991405261248:error:2609707D:engine routines:ENGINE_load_public_key:no load function:../crypto/engine/eng_pkey.c:102:
unable to load key file
```
Oh, sorry, I copied the wrong one...
Does `openssl dgst -engine tpm2tss -keyform engine -sha256 -verify mykey -signature mydatasig mydata` work?
No, same error again.
Could you compile the engine with `--enable-debug` and run the command again?
Sure. Unfortunately only `Initializing` is printed before the error from above.
Ok, so this seems to be related to dgst requiring the PKEY functions as implemented in #89. This will be part of the 1.1.0 release after 1.0.0 is out the door.
If you could test that branch, that would already help.
Until then, you will have to use the pkeyutl of openssl that does not hash on the fly:

```
$ openssl pkeyutl -keyform engine -engine tpm2tss -inkey mykey -sign -in mydata -out mysig
$ openssl pkeyutl -keyform engine -engine tpm2tss -inkey mykey -verify -in mydata -sigfile mysig
```

So mydata is already the digest of whatever your actual payload data is.
Hope this helps for now and sorry for not supporting it yet. Hoping for you testing...
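The workaround above, as an added worked example that is not part of the thread or of the tpm2-tss-engine project: it hashes the payload first, signs the digest with pkeyutl, and then shows that the same signature verifies both with pkeyutl over the digest and with `openssl dgst -sha256 -verify` over the original payload. A software prime256v1 key stands in for the TPM key so the script runs on any machine with the openssl CLI (an assumption; with the engine you would replace the `-inkey sw.key` arguments with `-keyform engine -engine tpm2tss -inkey mykey` as in the commands above). The payload and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not tpm2-tss-engine project code. Demonstrates the
# pkeyutl sign/verify flow where the input is a precomputed digest.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed payload; in practice this is whatever you actually want signed.
printf 'constructed payload for the pkeyutl demo\n' > "$WORK/payload"

# Software key as a stand-in for the TPM key (assumption for portability).
# With the engine, tpm2tss-genkey creates mykey and the pkeyutl calls below
# take: -keyform engine -engine tpm2tss -inkey mykey
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/sw.key" 2>/dev/null
openssl ec -in "$WORK/sw.key" -pubout -out "$WORK/sw.pub" 2>/dev/null

# pkeyutl does not hash on the fly: compute the SHA-256 digest up front.
make_digest() {
  openssl dgst -sha256 -binary -out "$WORK/mydata" "$WORK/payload"
}

# Sign the digest (mirrors: openssl pkeyutl ... -inkey mykey -sign -in mydata -out mysig)
sign_digest() {
  openssl pkeyutl -inkey "$WORK/sw.key" -sign -in "$WORK/mydata" -out "$WORK/mysig"
}

# Verify the digest (mirrors: openssl pkeyutl ... -inkey mykey -verify -in mydata -sigfile mysig)
verify_digest_pkeyutl() {
  openssl pkeyutl -inkey "$WORK/sw.key" -verify -in "$WORK/mydata" -sigfile "$WORK/mysig" >/dev/null
}

# The same signature verifies with dgst over the original payload, because
# dgst computes the identical SHA-256 digest before checking it.
verify_payload_dgst() {
  openssl dgst -sha256 -verify "$WORK/sw.pub" -signature "$WORK/mysig" "$WORK/payload" >/dev/null
}

# Handing pkeyutl the raw payload instead of its digest must fail, since
# pkeyutl would then be verifying the wrong bytes. Returns 0 when it fails.
verify_raw_payload_fails() {
  if openssl pkeyutl -inkey "$WORK/sw.key" -verify -in "$WORK/payload" -sigfile "$WORK/mysig" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Runs the whole flow; prints OK only if every step behaves as expected.
run_demo() {
  make_digest && sign_digest && verify_digest_pkeyutl \
    && verify_payload_dgst && verify_raw_payload_fails && echo OK
}

run_demo
```

For an RSA key the same flow needs `-pkeyopt digest:sha256` on both pkeyutl calls so the PKCS#1 DigestInfo prefix is included; without it the pkeyutl signature over the bare digest will not match what `openssl dgst -verify` expects.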