If you generated a keypair in a smartcard, how did you extract the private key out of it??? The whole point of a smartcard is to prevent that from being possible.
So, like Ken suggested, I’ve no idea where the private key you posted was coming from – but reasonably sure it has no relation to what’s in the smartcard. To use keys on the smartcard, you need libp11 package, something like (my test-script uses RSA-PSS, but that doesn’t matter – adjust the OpenSSL parameters): $ pkcs11-rsa-pss-sign-demo2 This is not a CAC Generating ephemeral file /tmp/derive.20560.text to test RSA-PSS signature... openssl rand -engine rdrand -hex -out /tmp/derive.20560.text 5120 engine "rdrand" set. Signing file /tmp/derive.20560.text... openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out /tmp/derive.20560.text.sig /tmp/derive.20560.text engine "pkcs11" set. Enter PKCS#11 token PIN for XXXXXXXXXXXX: Signature for /tmp/derive.20560.text is stored in /tmp/derive.20560.text.sig Verifying signature: openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature /tmp/derive.20560.text.sig /tmp/derive.20560.text engine "pkcs11" set. Verified OK $ IMHO, it is a bad idea to use “rsautl” here – better to follow my example above. But if you must – here it is: $ openssl rand -hex -out /tmp/t.text 24 $ openssl rsautl -engine pkcs11 -keyform engine -sign -inkey "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -in /tmp/t.text -out /tmp/t.text.sig engine "pkcs11" set. Enter PKCS#11 token PIN for Blumenthal, Uri (UR20980): $ openssl rsautl -engine pkcs11 -keyform engine -pubin -verify -inkey "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -in /tmp/t.text.sig engine "pkcs11" set. c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03 $ cat /tmp/t.text c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03 $ From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Pedro Lopes <pedroterrosolo...@gmail.com> Date: Thursday, February 13, 2020 at 12:40 PM To: openssl-users <openssl-users@openssl.org> Subject: Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding Hello, I'm generating a key pair in a smartcard (as a session object), then I convert both keys to RSA openssl objects. Then I save both into different files. I tried use these keys to sign and verify (private encrypts and public decrypts). When I try to verify the signature, fails with RSA_padding_check_PKCS1_type_1:invalid padding. I run following commands: echo "test" > "test.txt" openssl rsautl -sign -in test.txt -inkey privKey.pem -out sig openssl rsautl -verify -in sig -inkey pubKeyp8.pem -pubin Below pub and priv key: -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDsCXvs8rmEDP+NuB4mCvztondC+yfzy6DYswE6jvSJdgZe8PAh kNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ8vpu+yhqujRlwill+T9JCtA+ DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxoc5GAc7UhAy7VZyj6jQIDAQAB AoGBALWREhgSGqy+hvKQN/jRqQBvYkhPBMufzwoCoKZYAzmeZYYw1rcrQD6Nq0fL vOSttuT+o3OplNarfdk/dToy0qfnDcNqmY3XTQbhn5SG/R8Ye5qFmyP/lZuN4NYI TGiPO6Dt7y6IUp2inhAUkWcqMlr/5y2Kg6/Mh5CtghuhGriBAkEA+xht1GA7gc/N pfam97iwlj6EBQUk8sX1UjSHWy5vH6RHNW0w1hDq9PrBYTT8mFuDMKA3kNdTw3JZ 2vTce4QELQJBAPClwe40HA9RKHfn5RjEFvvf0rt4/4LU3TAnmWZRuF+KU2JoxSs8 Ue+jx82PeqyH4KAD0tTboJBFt5PJLDz86+ECQHoiydmR7aAY+kkODu1UMuECC6l9 dRl53PhdgLGDhp33hIOiVyzpEcCT8FheM7fQW6HdbOnRM3dQOhDdJhoWfwkCQH+g GTLAliUVcLXu2VSCIoJgWP2uFSyIwenZBoT6UCLzVHe7gt4ENpw2Ky/8qR25Tkru 3DChbg01vD93kKujo2ECQFQH9eMd1jr8K+/AZKdVUU0Nd3aSq3se+g25bTLBPt7k x0yYAdd3XrfAys55ujSFEwFL9eGzNWXrBN9S2/yS8kU= -----END RSA PRIVATE KEY----- -----BEGIN RSA PUBLIC KEY----- MIGHAoGBAOwJe+zyuYQM/424HiYK/O2id0L7J/PLoNizATqO9Il2Bl7w8CGQ1qDK hawI0ao0SqlCZdjVR+bGHi10ieh38rJPi5ny+m77KGq6NGXCKWX5P0kK0D4OdRKf RCI5Xs5UVEySV4ZbQAOvUtSn7BF7hpL/HGhzkYBztSEDLtVnKPqNAgEB -----END RSA PUBLIC KEY----- -----BEGIN PUBLIC KEY----- MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDsCXvs8rmEDP+NuB4mCvztondC +yfzy6DYswE6jvSJdgZe8PAhkNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ 8vpu+yhqujRlwill+T9JCtA+DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxo c5GAc7UhAy7VZyj6jQIBAQ== -----END PUBLIC KEY----- Could you please help me with this? Thanks in advance. -- Regards, Pedro Lopes
smime.p7s
Description: S/MIME cryptographic signature
