RSA PSS signing with openssl and engine_pkcs11

RSA PSS signing with openssl and engine_pkcs11

Stéphane Adenot
Hi,

Using engine_pkcs11 0.1.8 and libp11-0.2.8, I want to do the following
command which gives an error:

$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/engines/engine_pkcs11.so
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:/usr/lib64/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib64/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib64/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> sha512 -engine pkcs11 -sign slot_1-id_1001 -keyform engine
-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -out foo.sig foo.dat
engine "pkcs11" set.
PKCS#11 token PIN:
pkcs11 engine: only RSA_PKCS1_PADDING allowed so far
Error Signing Data
error in sha512
OpenSSL> quit

After looking into the code, I can see that PKCS11_private_encrypt()
function in libp11-0.2.8/src/p11_ops.c is only allowing
RSA_PKCS1_PADDING. But openssl wants here to do a raw RSA sign/encrypt
operation (RSA_NO_PADDING) as it wants to do the padding itself
(AFAICU). So I patched the code (see attachment) to allow
RSA_NO_PADDING and it seems to solve the problem. Do you think this is
correct to allow RSA_NO_PADDING in this case?

Regards,
Stephane
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Attachment: libp11-0.2.8-sla.patch (1K)
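The mechanism behind the error, as an added example that is not code from the thread, libp11 or engine_pkcs11: a pure-Python model of the split described above. OpenSSL runs EMSA-PSS encoding (RFC 8017) in software and then hands the engine a modulus-sized block for a raw private-key operation, so the engine is asked for RSA_NO_PADDING rather than RSA_PKCS1_PADDING. The throwaway RSA key, the sample message and all function names are constructed for this example; the RFC procedures and the meaning of rsa_pss_saltlen:-2 (maximum salt length) are as OpenSSL implements them.

```python
# Added example (not code from the thread, libp11 or engine_pkcs11): a pure
# Python model of the PSS signing split. OpenSSL builds the EMSA-PSS block
# itself and then asks the engine for a raw private-key operation on it
# (RSA_NO_PADDING); the engine only ever sees an already padded block.
import hashlib
import os
import random

HASH = hashlib.sha512          # the thread signs with "openssl sha512"
H_LEN = HASH().digest_size     # 64 bytes

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation (RFC 8017, B.2.1) with the hash above."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1): the padding OpenSSL applies itself."""
    em_len = (em_bits + 7) // 8
    s_len = len(salt)
    if em_len < H_LEN + s_len + 2:
        raise ValueError("salt too long for this modulus")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the unused top bits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2): the check a verifier runs on the block."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1 :])
    return h == HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; good enough for a throwaway demo key, not for real keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_key(bits: int = 1024):
    """Constructed RSA key (n, e, d) so the example runs offline; not a token key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

def max_salt_len(n: int) -> int:
    """What "-sigopt rsa_pss_saltlen:-2" (maximum salt) resolves to for this modulus."""
    return (n.bit_length() - 1 + 7) // 8 - H_LEN - 2

def engine_raw_private_op(em: bytes, n: int, d: int) -> bytes:
    """Engine side: RSA_NO_PADDING private operation on the block it is handed."""
    k = (n.bit_length() + 7) // 8
    if len(em) != k:   # raw mode only accepts a modulus-sized block
        raise ValueError("raw RSA input must be exactly modulus-sized")
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def pss_sign(message: bytes, n: int, d: int) -> bytes:
    """OpenSSL side: PSS-encode in software, then hand the block to the engine."""
    em = emsa_pss_encode(message, n.bit_length() - 1, os.urandom(max_salt_len(n)))
    return engine_raw_private_op(em, n, d)

def pss_verify(message: bytes, sig: bytes, n: int, e: int, s_len: int) -> bool:
    """Public side: raw RSA with e, then EMSA-PSS-VERIFY on the recovered block."""
    em_bits = n.bit_length() - 1
    m = pow(int.from_bytes(sig, "big"), e, n)
    try:
        em = m.to_bytes((em_bits + 7) // 8, "big")
    except OverflowError:
        return False
    return emsa_pss_verify(message, em, em_bits, s_len)

if __name__ == "__main__":
    n, e, d = generate_key()
    msg = b"foo.dat (constructed sample)"
    sig = pss_sign(msg, n, d)
    print("verified:", pss_verify(msg, sig, n, e, max_salt_len(n)))
```

Running the block generates a 1024-bit key (far too small for real use, adequate for the demo), signs with the maximum salt length that rsa_pss_saltlen:-2 selects, and verifies the result. The encoded block already spans the full modulus width, so there is no room left for the engine to wrap it in PKCS#1 v1.5 padding; that is why the PSS path needs the raw mode, and why the engine, once it accepts RSA_NO_PADDING, is trusting the caller to have formed the block correctly. The verifier side still runs the complete EMSA-PSS check, including the salt-length and trailer-byte tests.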

Re: RSA PSS signing with openssl and engine_pkcs11

Douglas E Engert
I have not tried it, but it looks reasonable to me.
Can you submit as a pull request?

On 9/19/2014 9:37 AM, Stéphane Adenot wrote:

> Hi,
>
> Using engine_pkcs11 0.1.8 and libp11-0.2.8, I want to do the following
> command which gives an error:
>
> $ openssl
> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/engines/engine_pkcs11.so
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:/usr/lib64/opensc-pkcs11.so
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib64/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib64/opensc-pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
> OpenSSL> sha512 -engine pkcs11 -sign slot_1-id_1001 -keyform engine
> -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -out foo.sig foo.dat
> engine "pkcs11" set.
> PKCS#11 token PIN:
> pkcs11 engine: only RSA_PKCS1_PADDING allowed so far
> Error Signing Data
> error in sha512
> OpenSSL> quit
>
> After looking into the code, I can see that PKCS11_private_encrypt()
> function in libp11-0.2.8/src/p11_ops.c is only allowing
> RSA_PKCS1_PADDING. But openssl wants here to do a raw RSA sign/encrypt
> operation (RSA_NO_PADDING) as it wants to do the padding itself
> (AFAICU). So I patched the code (see attachment) to allow
> RSA_NO_PADDING and it seems to solve the problem. Do you think this is
> correct to allow RSA_NO_PADDING in this case?
>
> Regards,
> Stephane

--

  Douglas E. Engert  <[hidden email]>


Re: RSA PSS signing with openssl and engine_pkcs11

Stéphane Adenot
On 09/20/2014 07:08 PM, Douglas E Engert wrote:
> I have not tried it, but it looks reasonable to me.
> Can you submit as a pull request?

Of course: https://github.com/OpenSC/libp11/pull/11

Regards,
Stephane
