
Error with "dgst -sign"


Nacho Álvarez

Jun 28, 2010, 9:32:40 AM

I think I wrote this mail the wrong way, so I am posting it again:

Hello, when I run:

openssl dgst -sha1 -sign <id_of_private_key> -keyform engine -out
<file> -engine <id-engine> <file-with-data>

In OpenSSL 0.9.8, when the load privkey function ends, OpenSSL waits
and does nothing (it doesn't invoke rsa_sign); it doesn't do
anything more.
In OpenSSL 1.0.0a, when the load privkey function ends, OpenSSL throws
the following error:

Error setting context
3916:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:.\crypto\engine\tb_pkmeth.c:127:
3916:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:.\crypto\evp\pmeth_lib.c:161:
error in dgst

Do I have to do something further than define the rsa sign function and link it
in the RSA_METHOD?

Thanks again.
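
Added example, not part of the original thread: a small C parser for the two error-queue lines in the report above, unpacking the hex code with the layout used by OpenSSL 0.9.8 and 1.0.x (library in the top 8 bits, then 12 bits of function, then 12 bits of reason). The names `ossl_err`, `parse_ossl_err` and `lib_label` are illustrative; the entries are printed oldest first, so the ENGINE lookup fails before EVP reports the unsupported algorithm.

```c
#include <stdio.h>
#include <string.h>

/* One printed OpenSSL error-queue entry (struct and names are illustrative). */
struct ossl_err {
    unsigned long pid, code;          /* id prefix and packed 32-bit code */
    int lib, func, reason;            /* fields unpacked from code */
    char lib_name[48], func_name[48], reason_text[80];
};

/* Library numbers from err.h; only the two seen in this thread. */
const char *lib_label(int lib)
{
    switch (lib) {
    case 6:  return "ERR_LIB_EVP";
    case 38: return "ERR_LIB_ENGINE";
    default: return "other";
    }
}

/* Parse "pid:error:HEX:lib:func:reason:file:line:" and unpack HEX with the
 * pre-3.0 layout. Returns 0 on success, -1 if the line has another shape. */
int parse_ossl_err(const char *line, struct ossl_err *out)
{
    memset(out, 0, sizeof(*out));
    if (sscanf(line, "%lu:error:%8lx:%47[^:]:%47[^:]:%79[^:]:",
               &out->pid, &out->code, out->lib_name,
               out->func_name, out->reason_text) != 5)
        return -1;
    out->lib    = (int)((out->code >> 24) & 0xff);
    out->func   = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    return 0;
}

int main(void)
{
    /* The two entries from the report, with the wrapped lines rejoined. */
    const char *lines[] = {
        "3916:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:.\\crypto\\engine\\tb_pkmeth.c:127:",
        "3916:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:.\\crypto\\evp\\pmeth_lib.c:161:",
    };
    struct ossl_err e;
    for (int i = 0; i < 2; i++)
        if (parse_ossl_err(lines[i], &e) == 0)
            printf("%s(%d) func=%d reason=%d: %s in %s\n", lib_label(e.lib),
                   e.lib, e.func, e.reason, e.reason_text, e.func_name);
    return 0;
}
```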

Dr. Stephen Henson

Jun 28, 2010, 9:50:43 AM

Is this a custom ENGINE or a standard one?

Which "load privkey" function do you mean? The one in the ENGINE? Are you
assigning the key to an EVP_PKEY correctly? You *must* use
EVP_PKEY_assign_RSA() or similar in 1.0.0 as other structures get initialised
at the same time.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Nacho Álvarez

Jun 28, 2010, 12:31:09 PM

It's a custom engine.
load privkey is the pointer to function used as argument in the call:
ENGINE_set_load_privkey_function (e, load_private_key);
This function is called when OpenSSL tries to get the command line "key" argument.
In that function I assign the RSA private key (I get it from hardware, only modulus and public exponent) to the EVP with:
EVP_PKEY_assign_RSA (pk, rsa);
where pk is EVP_PKEY *pk; and rsa is RSA *rsa;
Everything goes well until the load_private_key function ends and returns the EVP_PKEY. When that call ends, OpenSSL throws the error I mentioned before.


Dr. Stephen Henson

Jun 28, 2010, 1:40:51 PM

On Mon, Jun 28, 2010, Nacho Álvarez wrote:

> It's a custom engine.
> load privkey is the pointer to function used as argument in the call:
> ENGINE_set_load_privkey_function (e, load_private_key);
> This function is called when OpenSSL try to get the command line "key"
> argument.
> In that function I assign the RSA private key (get it from hardware, only
> modulus and public exponent) to the EVP with:
> EVP_PKEY_assign_RSA (pk, rsa);
> where pk is EVP_PKEY *pk; and rsa is RSA *rsa;
> Everything goes well until the load_private_key function ends and returns
> the EVP_PKEY. When that call ends, OpenSSL throws the error I said before.
>

Hmm.... that's a bug. In apps/dgst.c there are calls to EVP_DigestVerifyInit()
and EVP_DigestSignInit(). Try changing the "e" parameter to NULL in both
cases.

I've checked this against the CryptoAPI ENGINE and it seems to work OK now.

Nacho Álvarez

Jun 29, 2010, 5:41:05 AM

Hi again,

Are you telling me to change

        if (do_verify)
            r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
        else
            r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);

for

        if (do_verify)
            r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
        else
            r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);

in the dgst.c file?

I tried it but unfortunately I could not compile. I downloaded the source code (1.0.0a) and I tried to compile OpenSSL with MinGW, MSYS and ActivePerl.
1st:    perl Configure mingw shared. This ends OK (Configured for mingw).
2nd:   make. This does a lot of things, but at the end:

Creating library file: libcrypto.dll.a
libcrypto.a(c_enc.o):c_enc.c:(.text+0x0): multiple definition of `_CAST_encrypt'
libcrypto.a(cast-586.o):cast-586.s:(.text+0x0): first defined here
libcrypto.a(c_enc.o):c_enc.c:(.text+0x420): multiple definition of `_CAST_decrypt'
libcrypto.a(cast-586.o):cast-586.s:(.text+0x4b0): first defined here
libcrypto.a(c_enc.o):c_enc.c:(.text+0x840): multiple definition of `_CAST_cbc_encrypt'
libcrypto.a(cast-586.o):cast-586.s:(.text+0x950): first defined here
collect2: ld returned 1 exit status
make[4]: *** [link_a.cygwin] Error 1
make[4]: Leaving directory `/c/openssl-1.0.0a'
make[3]: *** [do_cygwin-shared] Error 2
make[3]: Leaving directory `/c/openssl-1.0.0a'
make[2]: *** [libcrypto.dll.a] Error 2
make[2]: Leaving directory `/c/openssl-1.0.0a'
make[1]: *** [shared] Error 2
make[1]: Leaving directory `/c/openssl-1.0.0a/crypto'
make: *** [build_crypto] Error 1

3rd: make install. The same (it ends with errors, obviously)

e_capi.c: In function `capi_get_pkey':
e_capi.c:671: error: `DSSPUBKEY' undeclared (first use in this function)
e_capi.c:671: error: (Each undeclared identifier is reported only once
e_capi.c:671: error: for each function it appears in.)
e_capi.c:671: error: `dp' undeclared (first use in this function)
e_capi.c:674: error: syntax error before ')' token
e_capi.c:718: warning: long unsigned int format, ALG_ID arg (arg 4)
e_capi.c: In function `capi_rsa_sign':
e_capi.c:818: warning: long unsigned int format, int arg (arg 4)
e_capi.c: In function `capi_rsa_priv_dec':
e_capi.c:912: warning: passing arg 6 of `CryptDecrypt' from incompatible pointer type
e_capi.c: In function `capi_get_provname':
e_capi.c:1090: warning: implicit declaration of function `CryptEnumProvidersA'
e_capi.c: In function `capi_list_providers':
e_capi.c:1129: warning: int format, DWORD arg (arg 3)
e_capi.c:1129: warning: int format, DWORD arg (arg 5)
e_capi.c: In function `capi_list_containers':
e_capi.c:1188: warning: int format, DWORD arg (arg 3)
e_capi.c: In function `capi_dump_prov_info':
e_capi.c:1239: warning: int format, DWORD arg (arg 4)
e_capi.c:1240: warning: int format, DWORD arg (arg 4)
e_capi.c: In function `capi_dump_cert':
e_capi.c:1290: warning: passing arg 2 of `d2i_X509' from incompatible pointer type
e_capi.c: In function `capi_open_store':
e_capi.c:1328: error: `CERT_STORE_PROV_SYSTEM_A' undeclared (first use in this function)
e_capi.c: In function `capi_list_certs':
e_capi.c:1369: warning: unused variable `fname'
e_capi.c: In function `capi_ctx_new':
e_capi.c:1529: error: `CERT_STORE_READONLY_FLAG' undeclared (first use in this function)
e_capi.c: In function `capi_load_ssl_client_cert':
e_capi.c:1633: warning: passing arg 2 of `d2i_X509' from incompatible pointer type
make[1]: *** [e_capi.o] Error 1
make[1]: Leaving directory `/c/openssl-1.0.0a/engines'
make: *** [build_engines] Error 1




Dr. Stephen Henson

Jun 29, 2010, 7:29:40 AM

Try including disable-capieng on the command line to config.

Nacho Álvarez

Jun 29, 2010, 10:14:02 AM

OK, with the option disable-capieng (I didn't know about it) OpenSSL compiles... but I changed "e" to NULL in those calls (EVP_Digest... in the dgst.c file) and the same error occurs:

Error setting context
295228:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented public key method:tb_pkmeth.c:127:
295228:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:161:
error in dgst



Dr. Stephen Henson

Jun 29, 2010, 3:11:01 PM

On Tue, Jun 29, 2010, Nacho Álvarez wrote:

> Ok, with option disable-capieng (I didn't know it) OpenSSL compiles... but I
> changed "e" for NULL in those calls (EVP_Digest... in dgst.c file) and the
> same error occurs:
>
> Error setting context
> 295228:error:260C0065:engine routines:ENGINE_get_pkey_meth:unimplemented
> public key method:tb_pkmeth.c:127:
> 295228:error:0609D09C:digital envelope routines:INT_CTX_NEW:unsupported
> algorithm:pmeth_lib.c:161:
> error in dgst
>
>

Hmm... that works for me. Check you aren't using the old version of openssl
with:

openssl version -a

Nacho Álvarez

Jun 30, 2010, 4:34:07 AM

I'm very, very sorry; I downloaded 1.0.0 instead of 1.0.0a.

In the latest version I made the changes, and it compiled and ran OK.

Thank you very much for your help.
