openssl cms -decrypt doesn't work properly when using an engine

Bug #1962549 reported by Jim Sievert
This bug affects 1 person
Affects: openssl (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm using:

bsci@ip-10-132-42-225:~/test$ lsb_release -rd
Description: Ubuntu 20.04.3 LTS
Release: 20.04

bsci@ip-10-132-42-225:~/test$ apt-cache policy openssl
openssl:
  Installed: 1.1.1f-1ubuntu2.10
  Candidate: 1.1.1f-1ubuntu2.10
  Version table:
 *** 1.1.1f-1ubuntu2.10 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2.8 500
        500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1.1.1f-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

I have a private EC key held in a TPM 2.0 platform hierarchy. I'm encrypting a message like this:

openssl cms -encrypt -in message.txt -out message.cipher transport.pem

Here, transport.pem is the cert. for the EC key held in the TPM. I'm attempting to decrypt like this:

openssl cms -decrypt -in message.cipher -out /dev/stdout -inkey 0x81800001 -keyform engine -engine tpm2tss -recip transport.pem

Instead of seeing the original message text, I'm getting the following error:
engine "tpm2tss" set.
Error decrypting CMS using private key
139626757388096:error:1010107D:elliptic curve routines:ecdh_simple_compute_key:missing private key:../crypto/ec/ecdh_ossl.c:61:

It seems that the code is expecting the actual private key instead of using the key held in the TPM?

Adrien Nader (adrien) wrote :

Hi, I've been trying to understand this but I've been unsuccessful so far.

Does it still happen on Ubuntu 22.04 (and 23.04)? Can you reproduce it without the engine?

Changed in openssl (Ubuntu):
status: New → Incomplete

Jim Sievert (james-sievert) wrote :

> Does it still happen on Ubuntu 22.04 (and 23.04)?

22.04 deprecates engines, so this ticket is not relevant beyond Focal.

> Can you reproduce it without the engine?

Nope, you have to use the TPM engine.

To replicate, you need to generate a key pair in the TPM. Persist the private key into TPM NVRAM at 0x81800001. Extract the public key and self-sign it. At that point, you should be able to use the commands in the description to reproduce.
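
A software-key control for the exchange above (an added example, not part of the original report or comments): it runs the same `cms -encrypt` / `cms -decrypt` pair with the EC private key in a file, so a successful round trip isolates the failure to the engine-backed key path. The curve `prime256v1`, the subject `/CN=transport`, the key file name and the test message are assumptions.

```shell
#!/bin/sh
# Control experiment: the CMS commands from the report, but with the EC
# private key in a file instead of TPM handle 0x81800001 via tpm2tss.
# Assumed (not from the report): curve prime256v1, CN=transport, file names.

cms_software_roundtrip() {
    msg=$1
    dir=$(mktemp -d) || return 1

    (
        cd "$dir" || exit 1
        printf '%s\n' "$msg" > message.txt

        # Software EC key pair and a self-signed certificate for it.
        openssl ecparam -name prime256v1 -genkey -noout -out transport.key &&
        openssl req -new -x509 -key transport.key -subj "/CN=transport" \
            -days 1 -out transport.pem &&

        # Encrypt exactly as in the report.
        openssl cms -encrypt -in message.txt -out message.cipher transport.pem &&

        # Decrypt with the key file: no -keyform engine / -engine options.
        openssl cms -decrypt -in message.cipher -out message.out \
            -inkey transport.key -recip transport.pem &&

        # cms -encrypt without -binary may convert line endings to CRLF;
        # strip CR so the result can be compared with the input.
        tr -d '\r' < message.out
    )
    status=$?
    rm -rf "$dir"
    return $status
}

# Constructed sample message; prints the decrypted text on success.
cms_software_roundtrip "constructed test message"
```

If this prints the message while the engine command from the description still fails with `missing private key`, the certificate and CMS handling are fine and the difference lies in how the engine-held key reaches the ECDH step.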

Launchpad Janitor (janitor) wrote :

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

Changed in openssl (Ubuntu):
status: Incomplete → Expired

Adrien Nader (adrien) wrote :

I don't know why LP expired this bug since you commented after I changed its status...

Anyway, I'm going to mark it as New again. Unfortunately, I haven't had time to try to reproduce this again and I won't have time before at least two weeks due to some time off and Canonical events. It would be tremendously helpful if you manage to directly provide the comments for the steps.

Changed in openssl (Ubuntu):
status: Expired → New

Simon Chopin (schopin) wrote : RE: [Bug 1962549] Re: openssl cms -decrypt doesn't work properly when using an engine

> I don't know why LP expired this bug since you commented after I changed
> its status...

AFAIK, LP will not switch back the status to anything after a comment has been
left. That makes sense, as it wouldn't know what the new status is
supposed to be.
