If you generated a keypair in a smartcard, how did you extract the private key out of it??? The whole point of a smartcard is to prevent that from being possible. So, like Ken suggested, I've no idea where the private key you posted was coming from – but reasonably sure it has no relation to what's in the smartcard.

To use keys on the smartcard, you need the libp11 package, something like (my test-script uses RSA-PSS, but that doesn't matter – adjust the OpenSSL parameters):

$ pkcs11-rsa-pss-sign-demo2
This is not a CAC
Generating ephemeral file /tmp/derive.20560.text to test RSA-PSS signature...
openssl rand -engine rdrand -hex -out /tmp/derive.20560.text 5120
engine "rdrand" set.
Signing file /tmp/derive.20560.text...
openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out /tmp/derive.20560.text.sig /tmp/derive.20560.text
engine "pkcs11" set.
Enter PKCS#11 token PIN for XXXXXXXXXXXX:
Signature for /tmp/derive.20560.text is stored in /tmp/derive.20560.text.sig
Verifying signature:
openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -sha384 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature /tmp/derive.20560.text.sig /tmp/derive.20560.text
engine "pkcs11" set.
Verified OK
$

IMHO, it is a bad idea to use "rsautl" here – better to follow my example above. But if you must – here it is:

$ openssl rand -hex -out /tmp/t.text 24
$ openssl rsautl -engine pkcs11 -keyform engine -sign -inkey "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -in /tmp/t.text -out /tmp/t.text.sig
engine "pkcs11" set.
Enter PKCS#11 token PIN for Blumenthal, Uri (UR20980):
$ openssl rsautl -engine pkcs11 -keyform engine -pubin -verify -inkey "pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -in /tmp/t.text.sig
engine "pkcs11" set.
c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03
$ cat /tmp/t.text
c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03
$

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Pedro Lopes <pedroterrosolopes@xxxxxxxxx>

Hello,

I'm generating a key pair in a smartcard (as a session object), then I convert both keys to RSA openssl objects. Then I save both into different files. I tried to use these keys to sign and verify (private encrypts and public decrypts). When I try to verify the signature, it fails with RSA_padding_check_PKCS1_type_1:invalid padding.

I run the following commands:

Below pub and priv key:

-----BEGIN RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----

Could you please help me with this?

Thanks in advance.

--
Regards,
Pedro Lopes
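The hash-and-sign flow from the reply above, as an added example that is not from the thread or its author: it runs the same openssl dgst RSA-PSS parameters against a constructed software key pair so it works without a token, and checks that a tampered message is rejected. The key file paths, the sample message and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: the same `openssl dgst`
# RSA-PSS sign/verify flow as the reply, run against a software key so
# it works without a token. For a smartcard, pass the PKCS#11 URIs from
# the reply as the key arguments and add "-engine pkcs11 -keyform engine"
# to both dgst calls (libp11 required).
set -eu

# Hash-and-sign with RSA-PSS (SHA-384; saltlen -1 = digest length).
# $1 = private key (file or PKCS#11 URI), $2 = input, $3 = signature out
pss_sign() {
    openssl dgst -sha384 -sign "$1" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -out "$3" "$2"
}

# Verify; exit status 0 only when the signature matches the input.
# $1 = public key (file or PKCS#11 URI), $2 = input, $3 = signature
pss_verify() {
    openssl dgst -sha384 -verify "$1" \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -signature "$3" "$2" >/dev/null 2>&1
}

# Round trip on a constructed message with a throwaway (constructed)
# key pair. Returns 0 if the genuine signature verifies AND a tampered
# copy of the message is rejected; 1 otherwise.
pss_roundtrip() {
    work=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/sign.key" 2>/dev/null
    openssl pkey -in "$work/sign.key" -pubout -out "$work/sign.pub"
    printf 'constructed test message\n' > "$work/msg"
    pss_sign "$work/sign.key" "$work/msg" "$work/msg.sig"

    pss_verify "$work/sign.pub" "$work/msg" "$work/msg.sig" || return 1
    printf 'x' >> "$work/msg"    # alter the message after signing
    if pss_verify "$work/sign.pub" "$work/msg" "$work/msg.sig"; then
        return 1                 # must NOT verify
    fi
    rm -rf "$work"
    return 0
}

pss_roundtrip && echo "RSA-PSS round trip OK"
```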