This bug prevents normal working of EVP_DigestSignInit() and subsequent calls when pkcs11 engine is involved.
Scenario: hashing and signing data, when signing is done on a token that
supports only internal padding (aka it performs RSA-PSS padding on-board,
rather than letting software such as OpenSSL do the PSS padding for it).
The current implementation works if either the token (pkcs11 engine) can do the
digest (data hashing) on-board, or when it doesn’t do anything on-board except
for the raw RSA.
For a pkcs11 device that does not hash data on-board, but does the padding
on-board, one needs to pass two contexts to EVP_DigestSignInit(): md_ctx that
does not point at an engine, and “signing context” ctx that was created with
the engine so it can pass signing request to it.
The nature of this bug is that EVP_DigestSignInit() ignores provided ctx. Then
if you provide the engine, it is used for both digest and signature – which
fails on the attempt to off-load digest to the engine (HSM device that does not
hash data). If you don’t provide the engine, then everything is done in
software, and the engine receives only the very last raw RSA request – which
gets rejected as this HSM device does not support raw RSA.
Here’s the patch:
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -19,8 +19,12 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX
**pctx,
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey,
int ver)
{
- if (ctx->pctx == NULL)
- ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
+ if (ctx->pctx == NULL) {
+ if (pctx && *pctx)
+ ctx->pctx = *pctx;
+ else
+ ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
+ }
if (ctx->pctx == NULL)
return 0;
I’ve tested with and without this patch. Here are the results (debugging
information is from the libp11 pkcs11 engine):
Without the patch:
$ ./t2
Using YubiHSM device...
Signature padding is RSA-PSS padding
Enter PKCS#11 token PIN for YubiHSM:
Set RSA signature padding to RSA-PSS padding
t2.c:178 sign: EVP_DigestSignFinal() failed olen=512 (rv=0)
140736410264512:error:8207A070:PKCS#11 module:pkcs11_private_encrypt:Mechanism
invalid:p11_rsa.c:140:
Mechanism invalid because raw RSA operation is requested, and the device does
not support it.
With the above patch:
$ ./t2
Using YubiHSM device...
Signature padding is RSA-PSS padding
Enter PKCS#11 token PIN for YubiHSM:
Set RSA signature padding to RSA-PSS padding
p11_pkey.c:171 pkcs11_pkey_rsa_sign(): sig=0x7fa38f645cd0 *siglen=512
tbs=0x7fff51d83d40 tbslen=32
p11_pkey.c:215 saltlen=478 hashAlg=SHA256 mgf=MGF1-SHA256
p11_pkey.c:513 hashAlg=SHA256 mgf=MGF1-SHA256
Signed (data len=83, sig len=512):
1b d9 56 0e 80 80 7d 3b 29 0a 93 34 7d c5 27 7b
54 d3 c8 2d 59 3d 08 fc 59 d4 62 64 ce 1c 73 51
d9 9f 87 41 2e 2b 6c 2c d6 7e 9f 30 60 cf 0c 99
4e 85 b4 7b 9e 82 63 40 ce 33 27 4c 13 aa 3c b7
ba 8f 77 e1 5e 32 7c 70 78 e8 74 5a 6f cf 0f f3
5c 56 91 c9 62 46 a4 c2 3e 7d 54 2b ed a5 e1 ec
ff a1 54 29 f2 ac d6 91 09 98 3a 8f 99 1b 22 32
c0 a5 84 ce a8 ee fc 89 db 6e 82 50 0b 62 57 1b
09 cc 70 f6 57 27 b3 e4 4f fe 8d 65 e5 4c 61 ad
0b a8 77 97 22 14 59 6d 25 28 b2 8a 3f ee 63 a1
fc fa ab 20 f3 68 37 65 b2 3a c6 71 75 ac 2d fd
79 67 17 27 62 b2 26 35 0b 84 9b 1a db d7 23 c1
cb de 7d 29 5d 87 24 7b f5 88 45 82 d9 7a 84 e8
80 36 35 f8 a6 79 a5 54 98 4b 37 e0 1d b2 ff 4f
0e d2 f5 a2 b7 21 26 96 8c b8 f4 c2 32 6d 7b 62
16 57 de 29 b9 f9 df 6d db 9b 4e 8b b5 00 c5 3f
7b 21 03 36 10 50 e6 e3 93 52 07 15 c1 15 7d 92
02 8e 89 df d3 63 0d 8d d3 ca 22 bb 7f d1 1d c2
9c d8 e9 3b 7a c4 52 de 5d 71 a4 08 6e 18 a9 ff
4a 36 7f 54 c3 ae 1d 91 f1 aa 46 30 b6 ba 0b cb
46 fc bb de bb d5 5e e5 aa 9e f4 93 9b 6f 68 dc
83 20 b0 e0 74 be 1b c7 87 f9 8e ef 47 eb 1a 7d
93 0d be e8 66 ca 4a ff c0 f7 66 58 32 39 2d 84
9f 0c 63 53 11 4e 92 44 a1 83 59 09 1a 86 04 21
05 c5 35 6c f7 46 96 08 ff 2c 37 3b 48 a2 28 50
60 2d 1e 54 ce 4f d5 00 c8 58 86 6e 61 ca 68 d6
16 f6 16 60 22 9e 9a 64 f2 1a ff 87 1d 56 59 48
c8 c6 c7 eb 43 0a 02 10 a9 6e fa d1 86 32 a0 c4
f2 de d6 94 e1 4a cd 41 64 73 e3 85 0f 07 57 f9
85 ef 38 8f f9 01 6d 94 28 c7 a3 51 8f b5 47 16
b7 15 d7 0b b6 c1 58 26 5a 2c 18 b4 ca 9a ab d1
8b d8 b9 d6 03 80 7e c4 a6 28 27 6b 51 dd 3e 41
$
Digest is correctly performed by OpenSSL, and the entire RSA-PSS operation is
sent to the engine. HSM device completes it successfully.
I’d really appreciate if you could apply it.
--
Regards,
Uri Blumenthal
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
