From: Douglas E. E. <dee...@an...> - 2013-08-26 14:57:00
On 8/23/2013 10:27 AM, Charlie Bancroft wrote:
> Hi,
> I am not sure if this is more of a question for the OpenSC-devel or for the OpenSSL lists, but here it goes.
>
> I have been working on integrating PIV cards into our software program architecture and have run into an issue verifying the signatures generated by PIV cards. I have generated the signature using
> openssl through engine_pkcs11 and opensc-pkcs11 and I cannot get it to verify. No matter what I do the output from OpenSSL returns with:
>
> 139868424963728:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 139868424963728:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:721:
>
> The script I am using to sign and verify this is:
>
> #!/bin/bash
> # Usage: $0 <name of file to sign> <private key identifier for engine>
>
> cat >asn1.conf <<EOF
> asn1 = SEQUENCE:digest_info_and_digest
>
> [digest_info_and_digest]
> dinfo = SEQUENCE:digest_info
> digest = FORMAT:HEX,OCT:`openssl dgst -sha1 $1 |cut -f 2 -d ' '`
>
> [digest_info]
> algid = OID:1.3.14.3.2.26
> params = NULL
>
> EOF
>
> openssl << EOT
> engine dynamic -vvvv -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
> -pre ID:pkcs11 -pre NO_VCHECK:1 \
> -pre LIST_ADD:1 -pre LOAD \
> -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
>
> asn1parse -i -genconf asn1.conf -out $1.dgst.asn1
> rsautl -engine pkcs11 -keyform engine -sign -in $1.dgst.asn1 -inkey $2 -out $1.sig.rsa
> rsautl -engine pkcs11 -keyform engine -verify -in $1.sig.rsa -inkey $2 -out $1.dgst.asn1_v
> EOT
>
> Note that this script was created to replicate an issue being seen in our code trying to verify using the EVP_Verify* API calls once the signature was generated and uses the script from
> http://stackoverflow.com/questions/9951559/difference-between-openssl-rsautl-and-dgst as reference material. The above script was to show how rsautl has issues.

Have you tried using dgst instead, which will create the hash and then sign it?
See this example:
http://stackoverflow.com/questions/5140425/openssl-command-line-to-verify-the-signature

Also note that the PIV card has 4 certs and keys. Use id=02 to select the 9C key and signature certificate.

Also see the attached test.sig.2.sh script that uses dgst and slot_1-id_02 to identify the cert to use.

If you want to see what is actually sent to and from the card, you can use pcscd debugging:
  pcscd -f -d -a
or add to the opensc.conf something like:
  debug = 7;
  debug_file = /tmp/opensc.debug.txt;

> Am I doing something incorrect to generate the signature so that it can't be verified? Or could there be an issue with the signature generation from the card??
> Charles Bancroft
> Software Engineer
> Raytheon BBN Technologies
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
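Added example, not part of the thread or of OpenSC/OpenSSL: a stdlib-only Python model of what the two commands discussed above do, showing why `openssl dgst` wraps the hash in a DigestInfo (the structure the asn1.conf builds by hand) before PKCS#1 v1.5 padding, and which of the checks behind the quoted `block type is not 01` / `padding check failed` errors a signature fails when it is verified with a key other than the one that made it. The RSA keys are toy keys built from well-known Mersenne primes (an assumption made so the example runs offline; they are not the card's keys), and the sample file contents are constructed.

```python
import hashlib

# DigestInfo DER prefix for SHA-1 (OID 1.3.14.3.2.26, NULL params, then a 20-byte OCTET STRING),
# i.e. the same structure the asn1.conf in the thread builds by hand
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def mersenne_key(p_exp, q_exp, e=65537):  # toy RSA key from known Mersenne primes (fixed, public)
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest_info_sha1(data):  # what `openssl dgst -sha1 -sign` pads; rsautl pads its input as-is
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(data).digest()

def emsa_pkcs1_v15_encode(t, k):  # 00 01 FF..FF 00 || t for a k-byte modulus, >= 8 FF bytes
    if len(t) > k - 11:
        raise ValueError("message too long for modulus")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def pkcs1_type1_check(em):  # the checks RSA_padding_check_PKCS1_type_1 performs, same wording
    if em[:2] != b"\x00\x01":
        raise ValueError("block type is not 01")
    end = em.find(b"\x00", 2)
    if end < 10 or any(b != 0xFF for b in em[2:end]):
        raise ValueError("padding check failed")
    return em[end + 1:]

def rsautl_sign(priv, t):  # `openssl rsautl -sign`: pad, then RSA private operation
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_encode(t, k), "big"), d, n).to_bytes(k, "big")

def rsautl_verify(pub, sig):  # `openssl rsautl -verify`: RSA public operation, then padding check
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pkcs1_type1_check(pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big"))

def dgst_verify(pub, data, sig):  # `openssl dgst -sha1 -verify`: "ok" or the rsa-routines error
    try:
        return "ok" if rsautl_verify(pub, sig) == digest_info_sha1(data) else "digest mismatch"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":  # constructed sample run
    data = b"constructed sample file contents\n"
    card_pub, card_priv = mersenne_key(521, 127)  # stands in for the card's 9C signing key
    other_pub, _ = mersenne_key(607, 107)         # an unrelated key, as when another id/slot is used
    sig = rsautl_sign(card_priv, digest_info_sha1(data))
    print("same key:", dgst_verify(card_pub, data, sig), "| other key:", dgst_verify(other_pub, data, sig))
    print("bare hash signed:", dgst_verify(card_pub, data, rsautl_sign(card_priv, hashlib.sha1(data).digest())))
```

Signing the bare 20-byte hash with rsautl pads correctly but leaves out the DigestInfo, so a dgst-style verify reports a digest mismatch rather than a padding error; a padding error points at the key used for the public operation, not at the hash.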