I have managed to generate an RSA keypair in SoftHSM with pkcs11-tool, and do verification of signed data with that using openssl.
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --token-label token-label -k --key-type rsa:2048 --usage-sign --id 1002 --label rsatest --pin mysecret1
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --id 1002 --read-object --type pubkey -o rsa.der
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --pin mysecret1 --sign --id 1002 -m SHA512-RSA-PKCS --input text.txt --output rsa.signature
openssl dgst -verify rsa.der -sha512 -keyform DER -signature rsa.signature text.txt
However, I want to do an elliptic curve, and that fails.
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --token-label token-label -k --key-type EC:prime256v1 --usage-sign --id 1001 --label ed25519test --pin mysecret1
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --id 1001 --read-object --type pubkey -o prime256v1-pub.der
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --pin mysecret1 --sign --id 1001 -m ECDSA --input text.txt --output ed25519.signature
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --id 1001 --verify -m ECDSA --input-file text.txt --signature-file ed25519.signature
openssl dgst -verify prime256v1-pub.der -sha512 -keyform DER -signature ed25519.signature text.txt
I just get "Error verifying data".
pkcs11-tool does a neat verification, but I cannot use the HSM on my target.
OpenSSL can do a verification - if it has generated the certificate and done the signing itself.
openssl ecparam -in openssl_prime256v1.pem -genkey -noout -out openssl_prime256v1-key.pem
openssl ec -in openssl_prime256v1-key.pem -pubout -out openssl_prime256v1-pub.pem
openssl dgst -sign openssl_prime256v1-key.pem -sha256 -keyform PEM -out openssldemo.txt.sign -binary openssldemo.txt
openssl dgst -verify openssl_prime256v1-pub.pem -sha256 -keyform PEM -signature openssldemo.txt.sign -binary openssldemo.txt
I had trouble with the RSA part making the certificate types match. Perhaps I have the same problem here, but I just cannot see it.
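Added example, not part of the original post: PKCS#11's CKM_ECDSA mechanism returns a signature as the fixed-width concatenation r || s, while `openssl dgst -verify` parses a DER-encoded ECDSA-Sig-Value, so the two encodings have to be converted before a token signature can be checked off-token. The sketch below does that conversion in both directions; it assumes the signature file holds raw r || s (64 bytes for prime256v1), and the function names and the script name `rs2der.py` are hypothetical.

```python
import sys

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value: int) -> bytes:
    """Minimal DER INTEGER; a 0x00 pad is added when the top bit is set."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def raw_to_der(raw: bytes) -> bytes:
    """r || s (two equal-width big-endian halves) -> DER SEQUENCE { r, s }."""
    if len(raw) == 0 or len(raw) % 2:
        raise ValueError("raw signature must be two equal-length halves")
    half = len(raw) // 2
    r, s = (int.from_bytes(part, "big") for part in (raw[:half], raw[half:]))
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body

def _read(buf: bytes, tag: int):
    """Read one TLV with the expected tag; return (value, remaining bytes)."""
    if len(buf) < 2 or buf[0] != tag:
        raise ValueError("unexpected DER tag")
    n, off = buf[1], 2
    if n & 0x80:  # long-form length
        cnt = n & 0x7F
        n, off = int.from_bytes(buf[2:2 + cnt], "big"), 2 + cnt
    if len(buf) < off + n:
        raise ValueError("truncated DER value")
    return buf[off:off + n], buf[off + n:]

def der_to_raw(der: bytes, width: int) -> bytes:
    """DER SEQUENCE { r, s } -> r || s, each left-padded to `width` bytes."""
    seq, rest = _read(der, 0x30)
    r, seq = _read(seq, 0x02)
    s, seq = _read(seq, 0x02)
    if rest or seq:
        raise ValueError("trailing bytes in signature")
    return b"".join(int.from_bytes(x, "big").to_bytes(width, "big") for x in (r, s))

if __name__ == "__main__":  # usage: rs2der.py <raw.sig> <der.sig>
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(raw_to_der(src.read()))
```

Encoding is only half of the comparison: CKM_ECDSA signs the bytes it is given without hashing them, so the data handed to the token must be the same digest that `openssl dgst` computes on the verifying side.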