[tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider... / openssl cms

[Petr Gotthard <petr.gotthard at centrum.cz>]

[-- Attachment #1: Type: text/plain, Size: 3268 bytes --]

Thank you, James.

Debugging openssl is tricky when it fails without any error message. :-/ This happens especially when the provider does not supply openssl with something that the default provider usually supplies-- in this case the MD algorithm.

The command
> openssl cms -sign -provider tpm2 -provider default -in file.txt -inkey handle:0x81800002 -signer handle:0x01000013
was failing because the key had no mandatory digest and there was no digest specified via the command line.

Adding "-md sha256" fixed the issue for me. If you create e.g. a RSA-PSS key restricted to a specific hash-algorithm you shouldn't need this extra argument, because openssl will ask the key for the digest algorithm.

Based on the commands you sent I made a new test for 'openssl cms'. Have a look here:
https://github.com/tpm2-software/tpm2-openssl/blob/master/test/rsa_genpkey_x509_cms.sh
This should show a full test scenario for CMS. I can add more if you think something is missing, or when you encounter another weird behaviour.


Regards,
Petr
______________________________________________________________
> Od: "Sievert, James" <james.sievert(a)bsci.com>
> Komu: "tpm2(a)lists.01.org" <tpm2(a)lists.01.org>
> Datum: 26.04.2022 16:24
> Předmět: [tpm2] Re: {External} Re: OpenSSL 3 and tpm2 provider...
>
>> Could you please suggest a sequence of openssl (and other commands) to verify all required CMS functions?
>
>Tell you what, I'll frame the test sequences in terms of the tpm2tss engine commands as I can verify correct syntax and command operation.  I'll assume for the time being that the necessary keys and certs are stored in TPM NVRAM through tpm2_* commands.
>
>The a good start to testing would be something to the effect:
>
>	echo "this is some text" >file.txt
>
>	openssl cms -sign -engine tpm2tss -keyform engine -inkey 0x81800002 -signer signer.pem -in file.txt -binary -nodetach -out file.sig
>
>	(note that although the tpm2tss engine doesn't support it, the signer could also be given as a handle to the tpm2 provider)
>
>	openssl cms -verify -in file.sig -binary -noverify
>
>	(note that you can remove the -noverify and point to a truststore if necessary with -CApath /somewhere/truststore)
>
>	openssl cms -encrypt -recip signer.pem -in file.txt -out file.enc
>
>	(note that although the tpm2tss engine doesn't support it, the recip could also be given as a handle to the tpm2 provider)
>
>	openssl cms -decrypt -engine tpm2tss -keyform engine -inkey 0x81800002 -in file.enc -recip signer.pem
>
>	(note that this command doesn't work with the tpm2tss engine.  See:  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1962549.)
>
>	openssl cms  -encrypt  -sign...
>
>	(the cms command can encrypt, sign, and bundle everything into an output with a single command -- the syntax is a combination of what's above)
>
>	openssl cms -verify -decrypt ...
>
>	(the cms command can verify and decrypt an input with a single command -- the syntax is a combination of what's above)
>
>	 
>_______________________________________________
>tpm2 mailing list -- tpm2(a)lists.01.org
>To unsubscribe send an email to tpm2-leave(a)lists.01.org
>%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
>
>