That is the entire purpose of this code - to validate signatures created with 
TPM on a host that does not have TSS libraries installed. Just make sure that 
you use consistent padding. 

----- Original Message -----

> From: "eye two are" <[email protected]>
> To: "Dmitri Toubelis" <[email protected]>
> Cc: "Ken Goldman" <[email protected]>,
> [email protected], "David Challener"
> <[email protected]>
> Sent: Friday, March 11, 2016 12:24:06 AM
> Subject: Re: [TrouSerS-users] Verifying a signature using public key
> from X509 certificate

> Will it work even if I use Tspi_Hash_Sign to sign my message?

> On Fri, Mar 11, 2016 at 12:47 PM, Dmitri Toubelis <
> [email protected] > wrote:

> > Same thing - you just extract public key from the certificate and use
> > it to verify signature. You don't need TPM to validate signature and
> > you don't even need TSS - everything can be done in OpenSSL. The key
> > thing to keep in mind is that "verify" == "decrypt_with_public_key".
> > Here is working example:

> > #include <string.h>
> > #include <glib.h>
> > #include <openssl/err.h>
> > #include <openssl/rsa.h>
> > #include <openssl/sha.h>
> >
> > gboolean
> > ak_crypto_verify_sha1_with_rsa (RSA *rsa, gpointer data, gsize data_len,
> >                                 gpointer sig, gsize sig_len)
> > {
> >   g_return_val_if_fail (rsa != NULL, FALSE);
> >   g_return_val_if_fail (data != NULL, FALSE);
> >   g_return_val_if_fail (data_len > 0, FALSE);
> >   g_return_val_if_fail (sig != NULL, FALSE);
> >   /* only 2048-bit keys: the signature must be exactly 256 bytes */
> >   g_return_val_if_fail (sig_len == 256, FALSE);
> >
> >   gboolean ret = FALSE;
> >
> >   gsize msg_buf_size = 512;
> >   gchar msg_buf[msg_buf_size];
> >
> >   /* expected DigestInfo: 15-byte DER prefix for SHA-1, followed by the
> >    * 20-byte digest calculated over the provided data */
> >   guint8 digest_info_der[35] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
> >                                 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
> >   SHA1 (data, data_len, &digest_info_der[15]);
> >
> >   /* decrypt signature and remove PKCS#1 v1.5 padding */
> >   guint8 digest[256];
> >   /* RSA_public_decrypt returns an int (-1 on error), so keep it signed */
> >   int digest_size = RSA_public_decrypt (sig_len, sig, digest, rsa,
> >                                         RSA_PKCS1_PADDING);
> >   if (digest_size == -1) {
> >     ERR_error_string_n (ERR_get_error (), msg_buf, sizeof (msg_buf));
> >     g_critical (G_STRLOC ": %s", msg_buf);
> >     goto done;
> >   }
> >
> >   /* the recovered block must match the expected DigestInfo exactly */
> >   if (digest_size == (int) sizeof (digest_info_der)
> >       && memcmp (digest_info_der, digest, digest_size) == 0) {
> >     ret = TRUE;
> >   }
> >
> > done:
> >   return ret;
> > }

> > > From: "eye two are" < [email protected] >
> > > To: "David Challener" < [email protected] >
> > > Cc: "Ken Goldman" < [email protected] >,
> > > [email protected]
> > > Sent: Thursday, March 10, 2016 11:27:30 PM
> > > Subject: Re: [TrouSerS-users] Verifying a signature using public key
> > > from X509 certificate

> > > I am not trying to verify the certificate though. I am trying to
> > > verify a message that was signed using the tpm with the private key
> > > generated for the certificate. Is that possible? If so what are the
> > > steps required to verify the message using the certificate?

> > > On Wed, Mar 9, 2016 at 11:19 AM, David Challener <
> > > [email protected] > wrote:

> > > > Actually TPM 1.2 *does* verify signatures - but it requires owner
> > > > auth. You use one of those CMK commands to do it.
> > > >
> > > > And you *can* load in the public key without loading in the private
> > > > key to do it. I have some code around somewhere... I will try to
> > > > find it tomorrow....

> > > > On Tue, Mar 8, 2016 at 6:29 PM, Tadd Seiff < [email protected] >
> > > > wrote:

> > > > > TPM 1.2 doesn't verify signatures, but TSS 1.2 does.
> > > > >
> > > > > Trousers does all of the verification in software via openssl, it's
> > > > > not using the hardware, so this does make sense.
> > > > >
> > > > > That said, do you even need to load the key? Maybe you can just
> > > > > leverage the software? As long as the key you are using meets the
> > > > > PKCSv1.5 criteria.
> > > > >
> > > > > To address why your key won't load: I'm not sure you can just
> > > > > arbitrarily create keys and load them, the key must be in the SRK
> > > > > hierarchy. In other words, the TPM creates keys and TELLS YOU the
> > > > > RSA pub key, not the other way around.
> > > > >
> > > > > -Tadd

> > > > > On Tue, Mar 8, 2016 at 2:43 PM Ken Goldman < [email protected] >
> > > > > wrote:

> > > > > > On 3/8/2016 3:24 AM, eye two are wrote:
> > > > > > > I am trying to verify a signature using a public key from an X509
> > > > > > > certificate generated with the tpm engine.
> > > > > > >
> > > > > >
> > > > > > I'm not a trousers expert, but I will note that:
> > > > > >
> > > > > > 1 - TPM 1.2 cannot do signature verification.
> > > > > >
> > > > > > 2 - With TPM 1.2, one cannot load a key unless you have both the
> > > > > > public and (wrapped) private part.
> > > > > >
> > > > > > Could #2 be related to your problem?

> > > > > > ------------------------------------------------------------------------------
> > > > > > Transform Data into Opportunity.
> > > > > > Accelerate data analysis in your applications with
> > > > > > Intel Data Analytics Acceleration Library.
> > > > > > Click to learn more.
> > > > > > http://makebettercode.com/inteldaal-eval
> > > > > > _______________________________________________
> > > > > > TrouSerS-users mailing list
> > > > > > [email protected]
> > > > > > https://lists.sourceforge.net/lists/listinfo/trousers-users

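
Added example, not part of the original thread and not the poster's code: the "verify == public-key operation, then compare the padded block" idea from the message above, written in Python so the RSA arithmetic is visible without OpenSSL. It shows why the padding must be consistent: a signature made over the bare 20-byte digest does not verify when the verifier expects the SHA-1 DigestInfo wrapper. The key (built from two Mersenne primes), `sign`, and the `with_digest_info` flag are constructed for illustration only.

```python
import hashlib

# DER prefix of a SHA-1 DigestInfo: the same 15 bytes the thread's C code
# places in digest_info_der before appending the 20-byte digest.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed demo key from two Mersenne primes. NOT secure; illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def emsa_pkcs1_v15(payload: bytes) -> bytes:
    """PKCS#1 v1.5 type-1 block: 00 01 FF..FF 00 || payload, K bytes long."""
    pad_len = K - 3 - len(payload)
    if pad_len < 8:
        raise ValueError("payload too long for this modulus")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + payload


def sign(payload: bytes) -> bytes:
    """Stand-in for the signer: private-key operation on the padded block."""
    m = int.from_bytes(emsa_pkcs1_v15(payload), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify_sha1(message: bytes, sig: bytes, with_digest_info: bool = True) -> bool:
    """Public-key operation, then compare with the re-encoded expected block."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    digest = hashlib.sha1(message).digest()
    payload = SHA1_PREFIX + digest if with_digest_info else digest
    # Comparing the whole block checks padding and DigestInfo in one step.
    return recovered == emsa_pkcs1_v15(payload)


MSG = b"constructed sample message"
SIG_DI = sign(SHA1_PREFIX + hashlib.sha1(MSG).digest())  # DigestInfo-wrapped
SIG_RAW = sign(hashlib.sha1(MSG).digest())               # bare digest only
```
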