Closed fhars closed 1 year ago
I see similar behaviour (i.e. plain text keys and the tpm2tss engine work, while the tpm2_openssl provider doesn't) with pkeyutl -sign:
$ openssl pkeyutl -engine libtpm2tss -keyform engine -sign -in foo.hash -inkey 0x81008000 -out sig.engine
Engine "tpm2tss" set.
$ openssl pkeyutl -verify -in foo.hash -sigfile sig.engine -pubin -inkey Pub.pem
Signature Verified Successfully
$ openssl pkeyutl -provider tpm2 -provider default -sign -in foo.hash -inkey handle:0x81008000 -out sig.provider
WARNING:esys:../git/src/tss2-esys/api/Esys_Sign.c:311:Esys_Sign_Finish() Received TPM Error
ERROR:esys:../git/src/tss2-esys/api/Esys_Sign.c:105:Esys_Sign() Esys Finish ErrorCode (0x000001d5)
Public Key operation error
40076724327F0000:error:4000000F:tpm2::cannot sign::-1:469 tpm:parameter(1):structure is the wrong size
The outlier is cms -decrypt, where neither the provider nor the engine work in OpenSSL 3.0.9, while the engine worked in OpenSSL 1.1.1:
$ openssl cms -encrypt -recip Cert.pem -in foo.txt -out foo.enc
$ openssl cms -decrypt -in foo.enc -inkey Priv.pem
Foo
$ openssl cms -engine libtpm2tss -keyform engine -decrypt -in foo.enc -inkey 0x81008000
Engine "tpm2tss" set.
Error decrypting CMS using private key
40375679817F0000:error:170000BA:CMS routines:ecdh_cms_set_shared_info:kdf parameter error:../openssl-3.0.9/crypto/cms/cms_ec.c:174:
40375679817F0000:error:170000BD:CMS routines:ecdh_cms_decrypt:shared info error:../openssl-3.0.9/crypto/cms/cms_ec.c:243:
$ openssl cms -provider default -provider tpm2 -decrypt -in foo.enc -inkey handle:0x81008000
Error decrypting CMS using private key
40578484777F0000:error:03000099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:../openssl-3.0.9/crypto/evp/p_lib.c:174:
40578484777F0000:error:170000BC:CMS routines:ecdh_cms_decrypt:peer key error:../openssl-3.0.9/crypto/cms/cms_ec.c:237:
$
The pkeyutl -sign and cms -decrypt issues seem to be gone from 1.2.0-rc1, but the cms -sign behaviour still seems to be broken.
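The "Esys Finish ErrorCode (0x000001d5)" in the esys log above and the provider's rendering "tpm:parameter(1):structure is the wrong size" are the same TSS2 return code seen at two layers. As an added illustration, not code from tpm2-openssl or tpm2-tss, here is a small decoder that reproduces that rendering from the raw value; the description strings are a hand-picked subset of the TPM 2.0 Part 2 response-code table, the layer names follow tss2_common.h, and the sample log line in the test is constructed.

```python
import re

# Decoder for TSS2_RC values such as 0x000001d5 above: bits 16-23 name the TSS layer,
# bits 0-15 are the TPM_RC (TPM 2.0 Library Part 2, section 6.6) when the layer is 0.
RC_FMT1 = 0x080    # bit 7: format-one code carrying a parameter/handle/session number
RC_P = 0x040       # bit 6: the number refers to a parameter (else a handle or session)
RC_WARN = 0x800    # bit 11 in a format-zero code: warning rather than error

# TSS2 layer byte -> producing component (tss2_common.h); only layer 0 is a TPM code.
LAYERS = {0: "tpm", 7: "esys", 8: "sys", 9: "mu", 10: "tcti", 11: "resmgr"}

# Format-one error numbers (low 6 bits) with the descriptions from the spec table (subset).
FMT1_ERRORS = {
    0x04: "value is out of range or is not correct for the context",
    0x0B: "the handle is not correct for the use",
    0x0E: "the authorization HMAC check failed and DA counter incremented",
    0x12: "unsupported or incompatible scheme",
    0x15: "structure is the wrong size",
    0x1C: "key fields are not compatible with the selected use",
    0x22: "authorization failure without DA implications",
}
# Format-zero codes (full 12-bit value) commonly seen when talking to a real TPM (subset).
FMT0_CODES = {
    0x101: "commands not being accepted because of a TPM failure",
    0x120: "TPM is disabled",
    0x921: "TPM is in DA lockout mode",
    0x922: "the TPM was unable to start the command",
}

def decode_tss2_rc(rc: int) -> str:
    """Render a TSS2_RC as '<layer>:<location>:<description>'."""
    layer = LAYERS.get((rc >> 16) & 0xFF, f"layer{(rc >> 16) & 0xFF}")
    code = rc & 0xFFFF
    if layer != "tpm":
        return f"{layer}:0x{code:04x}"           # not a TPM_RC; no further decoding here
    if code == 0:
        return "tpm:success"
    if code & RC_FMT1:
        num, err = (code >> 8) & 0xF, code & 0x3F
        if code & RC_P:
            where = f"parameter({num})"
        else:
            where = f"session({num - 8})" if num > 8 else f"handle({num})"
        return f"tpm:{where}:{FMT1_ERRORS.get(err, f'unknown error 0x{err:02x}')}"
    kind = "warning" if code & RC_WARN else "error"
    return f"tpm:{kind}:{FMT0_CODES.get(code, f'unknown code 0x{code:03x}')}"

def rc_from_log_line(line: str):
    """Pull the hex return code out of an esys log line; None if the line has none."""
    m = re.search(r"ErrorCode \((0x[0-9A-Fa-f]+)\)", line)
    return int(m.group(1), 16) if m else None
```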
This is just a symptom of #81.
I am using tpm-openssl 1.1.1 with openssl 3.0.9 (on a custom yocto build) and try to cms sign a file using a key stored in the TPM and a certificate in the file system. So far, I have had no luck:
One might also say that the error messages leave a bit to be desired...
I don't know if this is a problem in tpm2_openssl or with providers in general or just a case of not finding things in the documentation, but given this comment I file it here first:
The configuration used is
The key itself works, and I can use it with the old engine: