openssl cms -decrypt doesn't work properly when using an engine

Bug #1962549 reported by Jim Sievert

This bug report was marked for expiration 265 days ago. (find out why)

This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)

Bug Description

I'm using:

bsci@ip-10-132-42-225:~/test$ lsb_release -rd
Description: Ubuntu 20.04.3 LTS
Release: 20.04

bsci@ip-10-132-42-225:~/test$ apt-cache policy openssl
  Installed: 1.1.1f-1ubuntu2.10
  Candidate: 1.1.1f-1ubuntu2.10
  Version table:
 *** 1.1.1f-1ubuntu2.10 500
        500 focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2.8 500
        500 focal-security/main amd64 Packages
     1.1.1f-1ubuntu2 500
        500 focal/main amd64 Packages

I have a private EC key held in a TPM 2.0 platform hierarchy. I'm encrypting a message like this:

openssl cms -encrypt -in message.txt -out message.cipher transport.pem

Here, transport.pem is the cert. for the EC key held in the TPM. I'm attempting to decrypt like this:

openssl cms -decrypt -in message.cipher -out /dev/stdout -inkey 0x81800001 -keyform engine -engine tpm2tss -recip transport.pem

Instead of seeing the original message text, I'm getting the following error:
engine "tpm2tss" set.
Error decrypting CMS using private key
139626757388096:error:1010107D:elliptic curve routines:ecdh_simple_compute_key:missing private key:../crypto/ec/ecdh_ossl.c:61:

It seems that the code is expecting the actual private key instead of using the key held in the TPM?

Revision history for this message
Adrien Nader (adrien-n) wrote :

Hi, I've been trying to understand this but I've been unsuccessful so far.

Does it still happen on Ubuntu 22.04 (and 23.04)? Can you reproduce it without the engine?

Changed in openssl (Ubuntu):
status: New → Incomplete
Revision history for this message
Jim Sievert (james-sievert) wrote :

> Does it still happen on Ubuntu 22.04 (and 23.04)?

22.04 deprecates engines, so this ticket is not relevant beyond Focal.

> Can you reproduce it without the engine?

Nope, you have to use the TPM engine.

To replicate, you need to generate a key pair in the TPM. Persist the private key into TPM NVRAM at 0x81800001. Extract the public key and self-sign it. At that point, you should be able to use the commands in the description to reproduce.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.