Sorry , I am a bit new to OPENSSL and engines, @9:05 , during the verification, you didn't update the URL of the public key to incorporate "type = public" , yet it still verified the signature as OK,does that mean that we just need to make sure that the object type is set to rsa-pub for verification ?
Yikes!, I didn't notice that. You're right, type should have been public.. not private. I believe the reason why verification still worked was because it read the public key modulus from the private key, else I'd expect failed signature verification.
Upon further inspection using debug logs, the PKCS#11 engine appears to be ignoring the "type" option. It searches for the public key and reads its modulus. This modulus is later used by OpenSSL to verify the signature. My initial assumption that PKCS#11 reads the modulus from the private key was incorrect.
Hi @Cyber Hashira, Thanks for the video. It is really good. Actually, I am looking for the same set of operations with nginx ingress controller. Do you have any idea, if yes, could you please share some docs related to the same.
Hi, I haven't got the chance to work on nginx that much, so I can't help much. But I do know that the docs provided by nginx are really good. Perhaps you could check some of their docs?
Thanks for the video, I was stuck whilet trying openssl engine commands for straight 2 days and this video came as a rescue. Thanks a ton !!
You're welcome, thanks..
Sorry , I am a bit new to OPENSSL and engines, @9:05 , during the verification, you didn't update the URL of the public key to incorporate "type = public" , yet it still verified the signature as OK,does that mean that we just need to make sure that the object type is set to rsa-pub for verification ?
Yikes!, I didn't notice that.
You're right, type should have been public.. not private. I believe the reason why verification still worked was because it read the public key modulus from the private key, else I'd expect failed signature verification.
Upon further inspection using debug logs, the PKCS#11 engine appears to be ignoring the "type" option. It searches for the public key and reads its modulus. This modulus is later used by OpenSSL to verify the signature.
My initial assumption that PKCS#11 reads the modulus from the private key was incorrect.
Very good video , Proper explanation of Gem egine
Glad to know that this video was useful to you..
Hi @Cyber Hashira, Thanks for the video. It is really good. Actually, I am looking for the same set of operations with nginx ingress controller. Do you have any idea, if yes, could you please share some docs related to the same.
Hi, I haven't got the chance to work on nginx that much, so I can't help much. But I do know that the docs provided by nginx are really good. Perhaps you could check some of their docs?
If you set DisableCheckFinalize=0 in the Chrystoki.conf, you will get rid of the Seg fault.
excellent! Thanks for sharing..