Of course, it wasn't generated in a smartcard, so stupid, it was a misunderstanding. I'm generating the key with the RSA_generate_key_ex function. Thanks for your examples, I'll try it.
Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote on Thursday, 13/02/2020 at 18:46:
> If you generated a keypair *in a smartcard*, how did you extract the private key out of it??? The whole point of a smartcard is to prevent that from being possible.
>
> So, like Ken suggested, I’ve no idea where the private key you posted was coming from – but reasonably sure it has no relation to what’s in the smartcard.
>
> To use keys on the smartcard, you need the libp11 package, something like (my test-script uses RSA-PSS, but that doesn’t matter – adjust the OpenSSL parameters):
>
> $ pkcs11-rsa-pss-sign-demo2
> This is not a CAC
> Generating ephemeral file /tmp/derive.20560.text to test RSA-PSS signature...
>
> openssl rand -engine rdrand -hex -out /tmp/derive.20560.text 5120
> engine "rdrand" set.
>
> Signing file /tmp/derive.20560.text...
> openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out /tmp/derive.20560.text.sig /tmp/derive.20560.text
> engine "pkcs11" set.
> Enter PKCS#11 token PIN for XXXXXXXXXXXX:
> Signature for /tmp/derive.20560.text is stored in /tmp/derive.20560.text.sig
>
> Verifying signature:
> openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature /tmp/derive.20560.text.sig /tmp/derive.20560.text
> engine "pkcs11" set.
> Verified OK
>
> $
>
> IMHO, it is a bad idea to use “rsautl” here – better to follow my example above. But if you must – here it is:
>
> $ openssl rand -hex -out /tmp/t.text 24
> $ openssl rsautl -engine pkcs11 -keyform engine -sign -inkey "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -in /tmp/t.text -out /tmp/t.text.sig
> engine "pkcs11" set.
> Enter PKCS#11 token PIN for Blumenthal, Uri (UR20980):
> $ openssl rsautl -engine pkcs11 -keyform engine -pubin -verify -inkey "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -in /tmp/t.text.sig
> engine "pkcs11" set.
> c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03
> $ cat /tmp/t.text
> c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03
> $
>
> From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Pedro Lopes <pedroterrosolo...@gmail.com>
> Date: Thursday, February 13, 2020 at 12:40 PM
> To: openssl-users <openssl-users@openssl.org>
> Subject: Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding
>
> Hello,
>
> I'm generating a key pair in a smartcard (as a session object), then I convert both keys to RSA openssl objects.
>
> Then I save both into different files.
> I tried to use these keys to sign and verify (private encrypts and public decrypts).
> When I try to verify the signature, it fails with RSA_padding_check_PKCS1_type_1:invalid padding.
>
> I run the following commands:
>
> echo "test" > "test.txt"
> openssl rsautl -sign -in test.txt -inkey privKey.pem -out sig
> openssl rsautl -verify -in sig -inkey pubKeyp8.pem -pubin
>
> Below pub and priv key:
>
> Could you please help me with this?
> Thanks in advance.
>
> --
> Regards,
> Pedro Lopes
>
--
Regards,
Pedro Lopes
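
The `openssl dgst` RSA-PSS round trip recommended in the quoted reply, applied to keys generated in software rather than on a token, and including the case where the public key does not belong to the signing key. This is an added example, not part of the original thread; the file names and helper function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: RSA-PSS sign/verify with software keys via `openssl dgst`,
# plus the rejection seen when the public key does not match the signing key.
# All file and function names here are constructed for the illustration.

PSS_OPTS="-sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1"

# make_keypair DIR NAME: write NAME.priv.pem and NAME.pub.pem (2048-bit RSA).
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/$2.priv.pem" -pubout -out "$1/$2.pub.pem"
}

# sign_file PRIVKEY FILE SIG
sign_file() {
    openssl dgst $PSS_OPTS -sign "$1" -out "$3" "$2"
}

# verify_file PUBKEY FILE SIG: exit status 0 only when openssl reports "Verified OK".
verify_file() {
    openssl dgst $PSS_OPTS -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# demo: prints "match=ok mismatch=rejected" when both checks behave as expected.
demo() {
    dir=$(mktemp -d) || return 1
    make_keypair "$dir" a && make_keypair "$dir" b || { rm -rf "$dir"; return 1; }
    echo "test" > "$dir/test.txt"
    sign_file "$dir/a.priv.pem" "$dir/test.txt" "$dir/sig" || { rm -rf "$dir"; return 1; }
    # Public key derived from the signing key: must verify.
    if verify_file "$dir/a.pub.pem" "$dir/test.txt" "$dir/sig"; then m=ok; else m=failed; fi
    # Public key from an unrelated key pair: must be rejected.
    if verify_file "$dir/b.pub.pem" "$dir/test.txt" "$dir/sig"; then x=accepted; else x=rejected; fi
    rm -rf "$dir"
    echo "match=$m mismatch=$x"
}

demo
```

Deriving the public key from the private key file with `openssl pkey -pubout` guarantees the two files describe the same key, which is the first thing to confirm when verification fails with a padding error.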