From: Tomas G. <to...@pr...> - 2013-06-25 13:43:11
I think you need to check what is the actual output of the clientToolBox sign command. It is probably not the same as the input required by openssl rsautl. There is no such thing as a "standard" here, if there is EJBCA follows it :-)

Cheers,
Tomas

On 06/25/2013 02:54 AM, Robbie Gill wrote:
>
> I have EJBCA running with nCipher HSM and I am using EJBCA's PKCS11HSMKeyTool to generate a Module key and then generate a RSA signature. I am successful in generating the RSA signature but when I try to verify the generated signature using openssl's rsautl, it fails !!! What am I missing ? The verification succeeds if I use EJBCA's PKCS11HSMKeyTool tool, but I need to be able to verify using openssl.
>
> Any ideas would be much appreciated. Below are the detailed steps I carried out…
>
> 1) Generate 2048 bit PKCS11 RSA Key on HSM (nCipher) - Module key
>
> $ /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /home/rgill/pkcs11_config/CodeSigningServer1_pkcs11.cnf 2048 TestingKey
> 2013-06-24 17:19:04,381 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
> Created certificate with entry TestingKey.
>
> 2) Generate CSR
>
> $ /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool certreq /opt/nfast/toolkits/pkcs11/libcknfast.so i0 TestingKey
> 2013-06-24 17:19:17,495 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
> 2013-06-24 17:19:17,657 INFO [org.ejbca.util.keystore.KeyStoreContainerBase] Using named curve parameter encoding for ECC key.
> 2013-06-24 17:19:17,742 INFO [org.ejbca.util.keystore.KeyStoreContainerBase] Wrote csr to file: TestingKey.pem
>
> 3) Extract public key from CSR
>
> $ openssl req -pubkey -in Testing.pem -out PubKey-TestingKey.pem
>
> 4) Generate digest to be signed
>
> $ openssl dgst -binary -sha1 -out /tmp/t.dgst.sha1 < /tmp/t.txt
>
> 5) Sign using private key on HSM (PKCS11)
>
> $ /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool sign /opt/nfast/toolkits/pkcs11/libcknfast.so i0 /tmp/t.dgst.sha1 /tmp/t.dgst.sha1.HSMsigned TestingKey
> 2013-06-24 17:20:12,678 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
>
> 6) Try and verify using openssl …!!!FAILS!!!
> $ openssl rsautl -in /tmp/t.dgst.sha1.HSMsigned -out /tmp/t.dgst.sha1.OUTfromsig -inkey PubKey-TestingKey.pem -pubin -verify
> RSA operation error
> 23304:error:0406706C:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data greater than mod len:rsa_eay.c:656:
>
> # Check the public key
> $ openssl rsa -in PubKey-TestingKey.pem -text -pubin
> Public-Key: (2048 bit)
> Modulus:
>     00:b2:b6:de:b6:4c:1f:56:e2:7d:17:e6:f6:b8:d7:
>     a0:0d:49:f2:42:ba:16:a7:9f:b9:7e:e1:80:8b:eb:
>     7b:27:a9:b9:be:db:b1:a9:3d:d5:7f:ae:a0:c5:9b:
>     a6:5f:33:dd:13:fd:e9:87:27:82:ba:94:97:ef:8a:
>     4c:df:5d:6c:1a:fc:f9:cd:7b:29:3f:a2:2b:7d:03:
>     30:7f:d4:e2:db:34:a8:da:08:8b:1e:c7:4f:e0:81:
>     76:20:1c:5a:a5:57:c2:ff:d1:16:bd:6a:24:a3:c3:
>     1d:91:10:46:9e:ec:ea:d4:c5:d6:f0:8a:7e:a7:bb:
>     dc:75:44:99:24:ea:8a:b6:c8:98:dd:fb:76:8e:f2:
>     e1:82:89:1d:55:99:fb:9c:d3:41:cb:64:ec:61:3f:
>     7e:77:38:6f:9a:2c:1e:27:01:83:7b:e7:ab:6b:ee:
>     27:f3:41:23:06:87:a1:ec:2c:65:c3:58:69:c8:c1:
>     54:6e:76:1d:ea:39:d8:05:72:b4:3e:71:dc:59:6d:
>     46:17:61:4f:1d:72:26:69:ed:00:11:d9:50:bb:8d:
>     95:77:53:69:7d:ed:30:ea:ab:90:db:57:13:6d:21:
>     73:f1:45:25:7b:02:c2:48:78:6d:45:96:aa:63:fa:
>     19:64:4b:8e:47:59:61:0b:22:58:19:b6:e0:b9:47:
>     a7:2d
> Exponent: 65537 (0x10001)
>
> Regards
> Robbie
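As an added example that is not from this thread, EJBCA or OpenSSL, the plain Python below reproduces what `openssl rsautl -verify -pubin` does with a raw RSA signature: it checks the input length against the modulus length first (the source of the "data greater than mod len" error above), performs the public RSA operation, strips the PKCS#1 v1.5 type-1 padding and hands back the payload. It assumes a constructed toy key built from two Mersenne primes and a signature in raw PKCS#1 v1.5 form; note that what comes back is the 35-byte DigestInfo, not the 20-byte SHA-1 digest the signer started from.

```python
import hashlib

# DER DigestInfo prefix for SHA-1 (RFC 8017, 9.2 note 1): 15 bytes + 20-byte hash
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy key for this demo only: two well-known Mersenne primes give a
# 648-bit modulus (81 bytes). Real keys are never built this way.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def mod_len(n):
    """k, the modulus length in bytes; a raw signature is exactly k bytes."""
    return (n.bit_length() + 7) // 8


def rsa_sign_sha1(message, n=N, d=D):
    """RSASSA-PKCS1-v1_5 with SHA-1: EM = 00 01 FF..FF 00 || DigestInfo, s = EM^d mod n."""
    k = mod_len(n)
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsautl_style_verify(signature, n=N, e=E):
    """Mimics 'openssl rsautl -verify -pubin': raw RSA public operation, then
    PKCS#1 v1.5 type-1 unpadding. Returns the recovered payload, which for
    SHA-1 is the 35-byte DigestInfo, not the 20-byte digest. The length check
    runs before any arithmetic, which is the error seen in the thread."""
    k = mod_len(n)
    if len(signature) > k:
        raise ValueError("data greater than mod len")
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)  # end of the FF padding string (at least 8 bytes)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 v1.5 type-1 padding")
    return em[sep + 1:]


def demo(message=b"constructed sample input"):
    """Returns (signature length, recovered length, recovered == DigestInfo,
    error raised for an oversized blob such as a hex-encoded signature)."""
    sig = rsa_sign_sha1(message)
    recovered = rsautl_style_verify(sig)
    expected = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    try:
        rsautl_style_verify(sig.hex().encode())  # 162 bytes against an 81-byte modulus
        oversize_error = None
    except ValueError as exc:
        oversize_error = str(exc)
    return len(sig), len(recovered), recovered == expected, oversize_error
```

`demo()` returns `(81, 35, True, 'data greater than mod len')`: a signature file that is not exactly k raw bytes, for example one written out hex-encoded or wrapped in an ASN.1 structure, fails the length check before the key is even consulted, so comparing the signing tool's output format against what rsautl expects is the first thing to do.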