Will it work even if i use Tspi_Hash_Sign to sign my message?
On Fri, Mar 11, 2016 at 12:47 PM, Dmitri Toubelis <
[email protected]> wrote:
> Same thing - you just extract public key from the certificate and use it
> to verify signature. You don't need TPM to validate signature and you don't
> even need TSS - everything can be done in OpenSSL. The key thing to keep in
> mind is that "verify" == "decrypt_with_public_key" . Here is working
> example:
>
> gboolean
> ak_crypto_verify_sha1_with_rsa (RSA *rsa, gpointer data, gsize data_len,
> gpointer sig, gsize sig_len)
> {
> g_return_val_if_fail (rsa != NULL, FALSE);
> g_return_val_if_fail (data != NULL, FALSE);
> g_return_val_if_fail (data_len > 0, FALSE);
> g_return_val_if_fail (sig != NULL, FALSE);
> g_return_val_if_fail (sig_len == 256, FALSE);
>
> gboolean ret = FALSE;
>
> gsize msg_buf_size = 512;
> gchar msg_buf[msg_buf_size];
>
> /* calculated digest of the provided data */
> guint8 digest_info_der[35] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
> 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
> SHA1 (data, data_len, &digest_info_der[15]);
>
> /* decrypt signature and remove PKCS#1 v1.5 padding */
> guint8 digest[256];
> gsize digest_size = RSA_public_decrypt (sig_len, sig, digest, rsa,
> RSA_PKCS1_PADDING);
> if (digest_size == -1) {
> ERR_error_string_n (ERR_get_error (), msg_buf, sizeof (msg_buf));
> g_critical (G_STRLOC ": %s", msg_buf);
> goto done;
> }
>
> if (digest_size == sizeof(digest_info_der) && memcmp (digest_info_der,
> digest, digest_size) == 0) {
> ret = TRUE;
> }
>
> done:
>
> return ret;
> }
>
> ------------------------------
>
> *From: *"eye two are" <[email protected]>
> *To: *"David Challener" <[email protected]>
> *Cc: *"Ken Goldman" <[email protected]>,
> [email protected]
> *Sent: *Thursday, March 10, 2016 11:27:30 PM
> *Subject: *Re: [TrouSerS-users] Verifying a signature using public key
> from X509 certificate
>
>
> I am not trying to verify the certificate though. I am trying to verify a
> message that was signed using the tpm with the private key generated for
> the certificate. Is that possible? If so what are the steps required to
> verify the message using the certificate?
>
> On Wed, Mar 9, 2016 at 11:19 AM, David Challener <
> [email protected]> wrote:
>
>> Actually TPM 1.2 *does* verify signatures - but it requires owner auth.
>> You use one of those CMK commands to do it.
>> And you *can* load in the public key without loading in the private key
>> to do it. I have some code around somewhere... I will try to find it
>> tomorrow....
>>
>> On Tue, Mar 8, 2016 at 6:29 PM, Tadd Seiff <[email protected]> wrote:
>>
>>> TPM 1.2 doesn't verify signatures, but TSS 1.2 does.
>>>
>>> Trousers does all of the verification in software via openssl, it's not
>>> using the hardware, so this does make sense.
>>>
>>> That said, do you even need to load the key? Maybe you can just
>>> leverage the software? As long as the key you are using meets the PKCSv1.5
>>> criteria.
>>>
>>> To address why your key won't load: I'm not sure you can just
>>> arbitrarily create keys and load them, the key must be in the SRK
>>> hierarchy. In other words, the TPM creates keys and TELLS YOU the RSA pub
>>> key, no the other way around.
>>>
>>> -Tadd
>>>
>>>
>>> On Tue, Mar 8, 2016 at 2:43 PM Ken Goldman <[email protected]> wrote:
>>>
>>>> On 3/8/2016 3:24 AM, eye two are wrote:
>>>> > I am trying to verify a signature using a public key from an X509
>>>> > certificate generated with the tpm engine.
>>>> >
>>>>
>>>> I'm not a trousers expert, but I will note that:
>>>>
>>>> 1 - TPM 1.2 cannot do signature verification.
>>>>
>>>> 2- With TPM 1.2, one cannot load a key unless you have both the public
>>>> and (wrapped) private part.
>>>>
>>>> Could #2 be related to your problem?
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Transform Data into Opportunity.
>>>> Accelerate data analysis in your applications with
>>>> Intel Data Analytics Acceleration Library.
>>>> Click to learn more.
>>>> http://makebettercode.com/inteldaal-eval
>>>> _______________________________________________
>>>> TrouSerS-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/trousers-users
>>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Transform Data into Opportunity.
>>> Accelerate data analysis in your applications with
>>> Intel Data Analytics Acceleration Library.
>>> Click to learn more.
>>> http://makebettercode.com/inteldaal-eval
>>> _______________________________________________
>>> TrouSerS-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/trousers-users
>>>
>>>
>>
>>
>> ------------------------------------------------------------------------------
>> Transform Data into Opportunity.
>> Accelerate data analysis in your applications with
>> Intel Data Analytics Acceleration Library.
>> Click to learn more.
>> http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
>> _______________________________________________
>> TrouSerS-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/trousers-users
>>
>>
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
>
>
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
