Using openssl-rsautl for verifying signatures

2022-05-03 Thread Philip Prindeville
Hi,

I did the following in trying to build some validation steps to use against my 
own rewrite of the crypto functions in Asterisk (to use EVP-PKEY).

% echo -n "Mary had a little lamb." | openssl sha1 -binary > digest

% od -t x1 digest
0000000 4e 07 b8 c7 aa f2 a4 ed 4c e3 9e 76 f6 5d 2a 04
0000020 bd ef 57 00
0000024

% openssl rsautl -sign -inkey tests/keys/rsa_key1.key -pkcs -in digest > signing

% openssl rsautl -verify -inkey tests/keys/rsa_key1.pub -pubin -pkcs -in signing > digest2

% od -t x1 digest
0000000 4e 07 b8 c7 aa f2 a4 ed 4c e3 9e 76 f6 5d 2a 04
0000020 bd ef 57 00
0000024

And all of that looks good.

But when I take the result of calling:

const char msg[] = "Mary had a little lamb.";
unsigned msglen = sizeof(msg) - 1;
unsigned char digest[20];

/* Calculate digest of message */
SHA1((const unsigned char *)msg, msglen, digest);

/* Sign the digest; the signature length is returned in siglen */
res = RSA_sign(NID_sha1, digest, sizeof(digest), dsig, &siglen, key->rsa);

And write that (dsig, siglen) to a file (signing2) and then try to verify that, 
I get very different results:

openssl rsautl -verify -inkey tests/keys/rsa_key1.pub -pubin -pkcs -in signing2 -asn1parse
    0:d=0  hl=2 l=  33 cons: SEQUENCE
    2:d=1  hl=2 l=   9 cons:  SEQUENCE
    4:d=2  hl=2 l=   5 prim:   OBJECT:sha1
   11:d=2  hl=2 l=   0 prim:   NULL
   13:d=1  hl=2 l=  20 prim:  OCTET STRING
      0000 - 4e 07 b8 c7 aa f2 a4 ed-4c e3 9e 76 f6 5d 2a 04   N...L..v.]*.
      0010 - bd ef 57 00                                       ..W.

Why is RSA_sign() wrapping the signature in ASN.1?

Or, put a different way, how do I reproduce what RSA_sign() is doing from the 
command line?

Is there another command that does RSA signing besides rsautl?

Thanks,

-Philip
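
What the two signing paths in the message above actually pad, as an added example (not code from the original post or from OpenSSL): RSA_sign() follows PKCS#1 v1.5 and pads a DER DigestInfo, which is the SEQUENCE that -asn1parse prints, while rsautl -sign -pkcs pads the input bytes exactly as given. The function names are hypothetical, the RSA private-key operation itself is left out, and the 256-byte block assumes a 2048-bit key.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SHA-1 of "Mary had a little lamb.", copied from the od output above. */
static const uint8_t DIGEST[20] = {
    0x4e,0x07,0xb8,0xc7,0xaa,0xf2,0xa4,0xed,0x4c,0xe3,
    0x9e,0x76,0xf6,0x5d,0x2a,0x04,0xbd,0xef,0x57,0x00 };
/* DER header of DigestInfo{ AlgorithmIdentifier{sha1, NULL}, OCTET STRING(20) } */
static const uint8_t SHA1_PREFIX[15] = {
    0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };

/* The 35 bytes RSA_sign(NID_sha1, ...) pads: prefix || digest. */
size_t sha1_digestinfo(const uint8_t digest[20], uint8_t out[35]) {
    memcpy(out, SHA1_PREFIX, sizeof SHA1_PREFIX);
    memcpy(out + sizeof SHA1_PREFIX, digest, 20);
    return 35;
}

/* PKCS#1 v1.5 type-1 block: 00 01 FF..FF 00 || t, with k = modulus size in bytes. */
size_t pad_type1(const uint8_t *t, size_t tlen, uint8_t *em, size_t k) {
    if (k < tlen + 11) return 0;              /* at least 8 bytes of FF required */
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, k - tlen - 3);
    em[k - tlen - 1] = 0x00;
    memcpy(em + k - tlen, t, tlen);
    return k;
}

/* Strip the padding as a verifier does; returns payload length, 0 if malformed. */
size_t unpad_type1(const uint8_t *em, size_t k, const uint8_t **payload) {
    size_t i = 2;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < k && em[i] == 0xff) i++;
    if (i < 10 || i >= k || em[i] != 0x00) return 0;
    *payload = em + i + 1;
    return k - i - 1;
}

/* 1 if the payload is a SHA-1 DigestInfo carrying `digest`, else 0. */
int is_sha1_digestinfo(const uint8_t *p, size_t len, const uint8_t digest[20]) {
    return len == 35 && memcmp(p, SHA1_PREFIX, 15) == 0
                     && memcmp(p + 15, digest, 20) == 0;
}

int main(void) {
    uint8_t em[256], di[35]; const uint8_t *p = NULL;
    size_t n = unpad_type1(em, pad_type1(DIGEST, 20, em, sizeof em), &p);
    printf("rsautl -sign: %zu-byte payload, DigestInfo=%d\n", n, is_sha1_digestinfo(p, n, DIGEST));
    sha1_digestinfo(DIGEST, di);
    n = unpad_type1(em, pad_type1(di, sizeof di, em, sizeof em), &p);
    printf("RSA_sign:     %zu-byte payload, DigestInfo=%d\n", n, is_sha1_digestinfo(p, n, DIGEST));
    return 0;
}
```

From the command line, `openssl pkeyutl -sign` with `-pkeyopt digest:sha1`, or `openssl dgst -sha1 -sign`, produces the DigestInfo form.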




Re: EC_POINT_get_affine_coordinates replacement in 3.0

2022-05-03 Thread Kory Hamzeh
You would have to use EVP_PKEY key type. You can use EVP_PKEY_get* to get key 
params.




> On May 3, 2022, at 1:56 PM, Chris Bare  wrote:
> 
> Thanks, I'll check those out.
> 
> On Tue, May 3, 2022 at 4:53 PM William Roberts wrote:
> On Tue, May 3, 2022 at 3:18 PM Chris Bare wrote:
> >
> >
> > On Tue, May 3, 2022 at 3:10 PM William Roberts wrote:
> >>
> >> On Tue, May 3, 2022 at 1:14 PM Chris Bare wrote:
> >> >
> >> > I'm converting some openssl 1.0 code to 3.0 and I don't know how to get 
> >> > the coordinates
> >> > in a 3.0 way.
> >> > The old code is:
> >> > BN_CTX *ctx = BN_CTX_new ();
> >> > BIGNUM *X = NULL, *Y = NULL;
> >> > const EC_POINT *pubkey;
> >> > const EC_GROUP *group;
> >> > BN_CTX_start (ctx);
> >> > X = BN_CTX_get (ctx);
> >> > Y = BN_CTX_get (ctx);
> >> > pubkey = EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey));
> >> > group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey));
> >> > EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx)
> >> >
> >> > What would be the 3.0 way to get X and Y without using deprecated 
> >> > functions?
> >>
> >> For EC_POINT_get_affine_coordinates_GFp it goes to
> >> EC_POINT_get_affine_coordinates, see:
> >>   - https://www.openssl.org/docs/man3.0/man3/EC_POINT_get_affine_coordinates.html
> >>
> >> Offhand I don't see any other deprecated functions, was that the only one?
> >>
> >> Thanks,
> >> Bill
> >
> >
> > all the EC_KEY_get0_ functions are deprecated. Is there a new way to access 
> > the internals of
> > the opaque structures, or am I stuck with the deprecated ones for this?
> 
> I think you want the from and to data routines that provide the
> components from an EVP PKEY or produce an EVP_PKEY
> from the components:
>   - https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_todata.html
>   - https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_fromdata.html
>
> -- 
> Chris Bare



Re: EC_POINT_get_affine_coordinates replacement in 3.0

2022-05-03 Thread Chris Bare
Thanks, I'll check those out.

On Tue, May 3, 2022 at 4:53 PM William Roberts 
wrote:

> On Tue, May 3, 2022 at 3:18 PM Chris Bare  wrote:
> >
> >
> > On Tue, May 3, 2022 at 3:10 PM William Roberts 
> wrote:
> >>
> >> On Tue, May 3, 2022 at 1:14 PM Chris Bare  wrote:
> >> >
> >> > I'm converting some openssl 1.0 code to 3.0 and I don't know how to
> get the coordinates
> >> > in a 3.0 way.
> >> > The old code is:
> >> > BN_CTX *ctx = BN_CTX_new ();
> >> > BIGNUM *X = NULL, *Y = NULL;
> >> > const EC_POINT *pubkey;
> >> > const EC_GROUP *group;
> >> > BN_CTX_start (ctx);
> >> > X = BN_CTX_get (ctx);
> >> > Y = BN_CTX_get (ctx);
> >> > pubkey = EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey));
> >> > group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey));
> >> > EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx)
> >> >
> >> > What would be the 3.0 way to get X and Y without using deprecated
> functions?
> >>
> >> For EC_POINT_get_affine_coordinates_GFp it goes to
> >> EC_POINT_get_affine_coordinates, see:
> >>   -
> https://www.openssl.org/docs/man3.0/man3/EC_POINT_get_affine_coordinates.html
> >>
> >> Offhand I don't see any other deprecated functions, was that the only
> one?
> >>
> >> Thanks,
> >> Bill
> >
> >
> > all the EC_KEY_get0_ functions are deprecated. Is there a new way to
> access the internals of
> > the opaque structures, or am I stuck with the deprecated ones for this?
>
> I think you want the from and to data routines that provide the
> components from an EVP PKEY or produce an EVP_PKEY
> from the components:
>   - https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_todata.html
>   - https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_fromdata.html
>


-- 
Chris Bare


Re: EC_POINT_get_affine_coordinates replacement in 3.0

2022-05-03 Thread William Roberts
On Tue, May 3, 2022 at 3:18 PM Chris Bare  wrote:
>
>
> On Tue, May 3, 2022 at 3:10 PM William Roberts  
> wrote:
>>
>> On Tue, May 3, 2022 at 1:14 PM Chris Bare  wrote:
>> >
>> > I'm converting some openssl 1.0 code to 3.0 and I don't know how to get 
>> > the coordinates
>> > in a 3.0 way.
>> > The old code is:
>> > BN_CTX *ctx = BN_CTX_new ();
>> > BIGNUM *X = NULL, *Y = NULL;
>> > const EC_POINT *pubkey;
>> > const EC_GROUP *group;
>> > BN_CTX_start (ctx);
>> > X = BN_CTX_get (ctx);
>> > Y = BN_CTX_get (ctx);
>> > pubkey = EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey));
>> > group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey));
>> > EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx)
>> >
>> > What would be the 3.0 way to get X and Y without using deprecated 
>> > functions?
>>
>> For EC_POINT_get_affine_coordinates_GFp it goes to
>> EC_POINT_get_affine_coordinates, see:
>>   - 
>> https://www.openssl.org/docs/man3.0/man3/EC_POINT_get_affine_coordinates.html
>>
>> Offhand I don't see any other deprecated functions, was that the only one?
>>
>> Thanks,
>> Bill
>
>
> all the EC_KEY_get0_ functions are deprecated. Is there a new way to access 
> the internals of
> the opaque structures, or am I stuck with the deprecated ones for this?

I think you want the from and to data routines that provide the
components from an EVP PKEY or produce an EVP_PKEY
from the components:
  - https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_todata.html
  - https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_fromdata.html


Re: EC_POINT_get_affine_coordinates replacement in 3.0

2022-05-03 Thread Chris Bare
On Tue, May 3, 2022 at 3:10 PM William Roberts 
wrote:

> On Tue, May 3, 2022 at 1:14 PM Chris Bare  wrote:
> >
> > I'm converting some openssl 1.0 code to 3.0 and I don't know how to get
> the coordinates
> > in a 3.0 way.
> > The old code is:
> > BN_CTX *ctx = BN_CTX_new ();
> > BIGNUM *X = NULL, *Y = NULL;
> > const EC_POINT *pubkey;
> > const EC_GROUP *group;
> > BN_CTX_start (ctx);
> > X = BN_CTX_get (ctx);
> > Y = BN_CTX_get (ctx);
> > pubkey = EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey));
> > group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey));
> > EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx)
> >
> > What would be the 3.0 way to get X and Y without using deprecated
> functions?
>
> For EC_POINT_get_affine_coordinates_GFp it goes to
> EC_POINT_get_affine_coordinates, see:
>   -
> https://www.openssl.org/docs/man3.0/man3/EC_POINT_get_affine_coordinates.html
>
> Offhand I don't see any other deprecated functions, was that the only one?
>
> Thanks,
> Bill
>

all the EC_KEY_get0_ functions are deprecated. Is there a new way to access
the internals of
the opaque structures, or am I stuck with the deprecated ones for this?

-- 
Chris Bare


Re: EC_POINT_get_affine_coordinates replacement in 3.0

2022-05-03 Thread William Roberts
On Tue, May 3, 2022 at 1:14 PM Chris Bare  wrote:
>
> I'm converting some openssl 1.0 code to 3.0 and I don't know how to get the 
> coordinates
> in a 3.0 way.
> The old code is:
> BN_CTX *ctx = BN_CTX_new ();
> BIGNUM *X = NULL, *Y = NULL;
> const EC_POINT *pubkey;
> const EC_GROUP *group;
> BN_CTX_start (ctx);
> X = BN_CTX_get (ctx);
> Y = BN_CTX_get (ctx);
> pubkey = EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey));
> group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey));
> EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx)
>
> What would be the 3.0 way to get X and Y without using deprecated functions?

For EC_POINT_get_affine_coordinates_GFp it goes to
EC_POINT_get_affine_coordinates, see:
  - 
https://www.openssl.org/docs/man3.0/man3/EC_POINT_get_affine_coordinates.html

Offhand I don't see any other deprecated functions, was that the only one?

Thanks,
Bill


EC_POINT_get_affine_coordinates replacement in 3.0

2022-05-03 Thread Chris Bare
I'm converting some openssl 1.0 code to 3.0 and I don't know how to get the
coordinates
in a 3.0 way.
The old code is:
BN_CTX *ctx = BN_CTX_new ();
BIGNUM *X = NULL, *Y = NULL;
const EC_POINT *pubkey;
const EC_GROUP *group;
BN_CTX_start (ctx);
X = BN_CTX_get (ctx);
Y = BN_CTX_get (ctx);
pubkey = EC_KEY_get0_public_key ((EC_KEY *) EVP_PKEY_get0 (pkey));
group = EC_KEY_get0_group ((EC_KEY *) EVP_PKEY_get0 (cvr->sm_pkey));
EC_POINT_get_affine_coordinates_GFp (group, pubkey, X, Y, ctx)

What would be the 3.0 way to get X and Y without using deprecated functions?
-- 
Chris Bare


Re: openssl 3.0 fips provider and low level APIs

2022-05-03 Thread Tomas Mraz
All the providers can use the low-level APIs internally to implement
crypto algorithms. The FIPS provider however includes all the low level
implementations as separately built and statically linked code.

That means you cannot use the low-level calls in an application and
still be FIPS compliant as the low-level API calls called from an
application are implemented by the libcrypto library and not the FIPS
provider.

Tomas Mraz, OpenSSL

On Tue, 2022-05-03 at 10:12 -0500, Joy Latten wrote:
> Hi,
> I understand that low-level APIs have been deprecated in version 3. I
> have been playing some with the fips provider trying to understand
> the config options to use with it. I noticed that the fips provider
> source code includes a few low level APIs like SHA256_Init(). 
> Is it correct to conclude that although use of the low level APIs is
> deprecated, perhaps for a grace period for transitioning they are
> permitted in the fips provider?
> 
> Thanks for all help!
> regards,
> Joy
>   
>    

-- 
Tomáš Mráz, OpenSSL




openssl 3.0 fips provider and low level APIs

2022-05-03 Thread Joy Latten
Hi,
I understand that low-level APIs have been deprecated in version 3. I have
been playing some with the fips provider trying to understand the config
options to use with it. I noticed that the fips provider source code
includes a few low level APIs like SHA256_Init().
Is it correct to conclude that although use of the low level APIs is
deprecated, perhaps for a grace period for transitioning they are permitted
in the fips provider?

Thanks for all help!
regards,
Joy


OpenSSL Security Advisory

2022-05-03 Thread Matt Caswell
users should upgrade to 3.0.3

This issue was reported to OpenSSL on the 14th April 2022 by Tom Colley
(Broadcom). The fix was developed by Matt Caswell from OpenSSL.

Resource leakage when decoding certificates and keys (CVE-2022-1473)


Severity: Low

The OPENSSL_LH_flush() function, which empties a hash table, contains
a bug that breaks reuse of the memory occupied by the removed hash
table entries.

This function is used when decoding certificates or keys. If a long lived
process periodically decodes certificates or keys its memory usage will
expand without bounds and the process might be terminated by the operating
system causing a denial of service. Also traversing the empty hash table
entries will take increasingly more time.

Typically such long lived processes might be TLS clients or TLS servers
configured to accept client certificate authentication.

The function was added in the OpenSSL 3.0 version thus older releases
are not affected by the issue.

It was addressed in the 3.0.3 release on the 3rd May 2022. The fix can be
found in git commit 64c85430f.

OpenSSL 1.0.2 users are not affected.
OpenSSL 1.1.1 users are not affected.
OpenSSL 3.0 users should upgrade to 3.0.3.

This issue was reported to OpenSSL on the 21st April 2022 by Aliaksei Levin.
The fix was developed by Hugo Landau from OpenSSL.

Note


OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220503.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


OpenSSL version 1.1.1o published

2022-05-03 Thread Matt Caswell
   OpenSSL version 1.1.1o released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1o of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1o is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1o.tar.gz
  Size: 9856386
  SHA1 checksum: 860fa10381ff0a121833583ccaa011bf266bcc63
  SHA256 checksum: 9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1o.tar.gz
openssl sha256 openssl-1.1.1o.tar.gz

   Yours,

   The OpenSSL Project Team.



OpenSSL version 3.0.3 published

2022-05-03 Thread Matt Caswell
   OpenSSL version 3.0.3 released
   ==============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 3.0.3 of our open source toolkit for SSL/TLS.
   For details of the changes, see the release notes at:

https://www.openssl.org/news/openssl-3.0-notes.html

   Specific notes on upgrading to OpenSSL 3.0 from previous versions are
   available in the OpenSSL Migration Guide, here:

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

   OpenSSL 3.0.3 is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.3.tar.gz
  Size: 15058905
  SHA1 checksum:  1138de3f1a2f573ae69302ab52ecd9bbf5e063ca
  SHA256 checksum: ee0078adcef1de5f003c62c80cc96527721609c6f3bb42b7795df31f8b558c0b

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.3.tar.gz
openssl sha256 openssl-3.0.3.tar.gz

   Yours,

   The OpenSSL Project Team.
