Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding
Pedro Lopes
pedroterrosolopes at gmail.com
Fri Feb 14 09:31:56 UTC 2020
Of course, it wasnt generated in a smartcard, so stupid, it was a
misunderstanding. I'm generating the key with RSA_generate_key_ex function.
Thanks for your examples, i'll try it.
Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> escreveu no dia quinta,
13/02/2020 à(s) 18:46:
> If you generated a keypair *in a smartcard*, how did you extract the
> private key out of it??? The whole point of a smartcard is to prevent that
> from being possible.
>
>
>
> So, like Ken suggested, I’ve no idea where the private key you posted was
> coming from – but reasonably sure it has no relation to what’s in the
> smartcard.
>
>
>
> To use keys on the smartcard, you need libp11 package, something like (my
> test-script uses RSA-PSS, but that doesn’t matter – adjust the OpenSSL
> parameters):
>
>
>
> $ pkcs11-rsa-pss-sign-demo2
>
> This is not a CAC
>
> Generating ephemeral file /tmp/derive.20560.text to test RSA-PSS
> signature...
>
>
>
> openssl rand -engine rdrand -hex -out /tmp/derive.20560.text 5120
>
> engine "rdrand" set.
>
>
>
> Signing file /tmp/derive.20560.text...
>
> openssl dgst -engine pkcs11 -keyform engine -sign
> "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt
> rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out
> /tmp/derive.20560.text.sig /tmp/derive.20560.text
>
> engine "pkcs11" set.
>
> Enter PKCS#11 token PIN for XXXXXXXXXXXX:
>
> Signature for /tmp/derive.20560.text is stored in
> /tmp/derive.20560.text.sig
>
>
>
> Verifying signature:
>
> openssl dgst -engine pkcs11 -keyform engine -verify
> "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -sha384
> -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature
> /tmp/derive.20560.text.sig /tmp/derive.20560.text
>
> engine "pkcs11" set.
>
> Verified OK
>
>
>
> $
>
>
>
> IMHO, it is a bad idea to use “rsautl” here – better to follow my example
> above. But if you must – here it is:
>
>
>
> $ openssl rand -hex -out /tmp/t.text 24
>
> $ openssl rsautl -engine pkcs11 -keyform engine -sign -inkey
> "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -in /tmp/t.text
> -out /tmp/t.text.sig
>
> engine "pkcs11" set.
>
> Enter PKCS#11 token PIN for Blumenthal, Uri (UR20980):
>
> $ openssl rsautl -engine pkcs11 -keyform engine -pubin -verify -inkey
> "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -in
> /tmp/t.text.sig
>
> engine "pkcs11" set.
>
> c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03
>
> $ cat /tmp/t.text
>
> c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03
>
> $
>
>
>
>
>
> *From: *openssl-users <openssl-users-bounces at openssl.org> on behalf of
> Pedro Lopes <pedroterrosolopes at gmail.com>
> *Date: *Thursday, February 13, 2020 at 12:40 PM
> *To: *openssl-users <openssl-users at openssl.org>
> *Subject: *Fails on verifying signature -
> RSA_padding_check_PKCS1_type_1:invalid padding
>
>
>
> Hello,
>
>
>
> I'm generating a key pair in a smartcard (as a session object), then I
> convert both keys to RSA openssl objects.
>
>
>
> Then I save both into different files.
>
> I tried use these keys to sign and verify (private encrypts and public
> decrypts).
>
> When I try to verify the signature, fails
> with RSA_padding_check_PKCS1_type_1:invalid padding.
>
>
>
> I run following commands:
>
>
> *echo "test" > "test.txt"openssl rsautl -sign -in test.txt -inkey
> privKey.pem -out sigopenssl rsautl -verify -in sig -inkey pubKeyp8.pem
> -pubin*
>
>
>
> Below pub and priv key:
>
>
>
> -----BEGIN RSA PRIVATE KEY-----
> MIICXAIBAAKBgQDsCXvs8rmEDP+NuB4mCvztondC+yfzy6DYswE6jvSJdgZe8PAh
> kNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ8vpu+yhqujRlwill+T9JCtA+
> DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxoc5GAc7UhAy7VZyj6jQIDAQAB
> AoGBALWREhgSGqy+hvKQN/jRqQBvYkhPBMufzwoCoKZYAzmeZYYw1rcrQD6Nq0fL
> vOSttuT+o3OplNarfdk/dToy0qfnDcNqmY3XTQbhn5SG/R8Ye5qFmyP/lZuN4NYI
> TGiPO6Dt7y6IUp2inhAUkWcqMlr/5y2Kg6/Mh5CtghuhGriBAkEA+xht1GA7gc/N
> pfam97iwlj6EBQUk8sX1UjSHWy5vH6RHNW0w1hDq9PrBYTT8mFuDMKA3kNdTw3JZ
> 2vTce4QELQJBAPClwe40HA9RKHfn5RjEFvvf0rt4/4LU3TAnmWZRuF+KU2JoxSs8
> Ue+jx82PeqyH4KAD0tTboJBFt5PJLDz86+ECQHoiydmR7aAY+kkODu1UMuECC6l9
> dRl53PhdgLGDhp33hIOiVyzpEcCT8FheM7fQW6HdbOnRM3dQOhDdJhoWfwkCQH+g
> GTLAliUVcLXu2VSCIoJgWP2uFSyIwenZBoT6UCLzVHe7gt4ENpw2Ky/8qR25Tkru
> 3DChbg01vD93kKujo2ECQFQH9eMd1jr8K+/AZKdVUU0Nd3aSq3se+g25bTLBPt7k
> x0yYAdd3XrfAys55ujSFEwFL9eGzNWXrBN9S2/yS8kU=
> -----END RSA PRIVATE KEY-----
>
>
>
> -----BEGIN RSA PUBLIC KEY-----
> MIGHAoGBAOwJe+zyuYQM/424HiYK/O2id0L7J/PLoNizATqO9Il2Bl7w8CGQ1qDK
> hawI0ao0SqlCZdjVR+bGHi10ieh38rJPi5ny+m77KGq6NGXCKWX5P0kK0D4OdRKf
> RCI5Xs5UVEySV4ZbQAOvUtSn7BF7hpL/HGhzkYBztSEDLtVnKPqNAgEB
> -----END RSA PUBLIC KEY-----
>
>
>
> -----BEGIN PUBLIC KEY-----
> MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDsCXvs8rmEDP+NuB4mCvztondC
> +yfzy6DYswE6jvSJdgZe8PAhkNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ
> 8vpu+yhqujRlwill+T9JCtA+DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxo
> c5GAc7UhAy7VZyj6jQIBAQ==
> -----END PUBLIC KEY-----
>
>
>
> Could you please help me with this?
>
> Thanks in advance.
>
> --
>
> Regards,
>
> Pedro Lopes
>
--
Cumprimentos,
Pedro Lopes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200214/87a9cd40/attachment.html>
More information about the openssl-users
mailing list