[Bug 1962549] Re: openssl cms -decrypt doesn't work properly when using an engine
Adrien Nader
1962549 at bugs.launchpad.net
Tue Aug 29 14:40:02 UTC 2023
Hi, I've been trying to understand this but I've been unsuccessful so
far.
Does it still happen on Ubuntu 22.04 (and 23.04)? Can you reproduce it
without the engine?
** Changed in: openssl (Ubuntu)
Status: New => Incomplete
--
https://bugs.launchpad.net/bugs/1962549
Title:
openssl cms -decrypt doesn't work properly when using an engine
Status in openssl package in Ubuntu:
Incomplete
Bug description:
I'm using:
bsci@ip-10-132-42-225:~/test$ lsb_release -rd
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
bsci@ip-10-132-42-225:~/test$ apt-cache policy openssl
openssl:
  Installed: 1.1.1f-1ubuntu2.10
  Candidate: 1.1.1f-1ubuntu2.10
  Version table:
 *** 1.1.1f-1ubuntu2.10 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2.8 500
        500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
     1.1.1f-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
I have a private EC key held in a TPM 2.0 platform hierarchy. I'm encrypting a message like this:
openssl cms -encrypt -in message.txt -out message.cipher transport.pem
Here, transport.pem is the cert. for the EC key held in the TPM. I'm
attempting to decrypt like this:
openssl cms -decrypt -in message.cipher -out /dev/stdout -inkey 0x81800001 -keyform engine -engine tpm2tss -recip transport.pem
Instead of seeing the original message text, I'm getting the following error:
engine "tpm2tss" set.
Error decrypting CMS using private key
139626757388096:error:1010107D:elliptic curve routines:ecdh_simple_compute_key:missing private key:../crypto/ec/ecdh_ossl.c:61:
It seems that the code is expecting the actual private key instead of
using the key held in the TPM?