I didn’t have a lot of time to look at this today. But, looking at tegrasign_v3_internal.py, I do see some *_hsm() functions. For PKC signing it seems to go here:
    def do_rsa_pss_hsm(buf, p_key):
        tmpf_in = 'tmp_rsa_pss.in'
        tmpf_out = 'tmp_rsa_pss.sig'
        tmpf_hash = 'tmp_sha256.hash'
        priv_keyf = p_key.filename
        with open_file(tmpf_in, 'wb') as f:
            f.write(buf)  # write the data to be signed to the temp input file
        # rsa_pss_saltlen:-1 means the same length of hash (sha256) here
        # single line execution:
        # runcmd = "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign %s -out %s %s" % (priv_keyf, tmpf_out, tmpf_in)
        # two separate line execution with intermediate sha256 output
        runcmd1 = "openssl dgst -sha256 -binary -out %s %s" % (tmpf_hash, tmpf_in)
        runcmd2 = "openssl pkeyutl -sign -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha256 -in %s -out %s -inkey %s" % (tmpf_hash, tmpf_out, priv_keyf)
priv_keyf pointing to the private signing key, which is directly exposed on the filesystem?
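The two-command path quoted above separates hashing from the private-key operation, so only the `pkeyutl -sign` step ever needs the key. This added example (not from the post or from tegrasign) runs both steps against a throwaway key and checks the result with the public key alone. The function names, temp paths and sample payload are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: throwaway key and constructed input, all inside a temp dir.
WORK=$(mktemp -d)

setup_demo() {
    # Throwaway 2048-bit RSA key standing in for the PKC signing key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
    printf 'constructed sample payload\n' > "$WORK/in.bin"
}

# Step 1 (runcmd1 in the quoted code): hash on the host, no key involved.
hash_input() {
    openssl dgst -sha256 -binary -out "$WORK/in.hash" "$1"
}

# Step 2 (runcmd2): the only command that reads the private key file.
# Its input is just the 32-byte digest, not the image being signed.
sign_hash() {
    openssl pkeyutl -sign -pkeyopt rsa_padding_mode:pss \
        -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha256 \
        -in "$WORK/in.hash" -out "$WORK/in.sig" -inkey "$WORK/key.pem"
}

# Verification uses the single-command form and the public key only.
verify_sig() {
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-1 -verify "$WORK/pub.pem" \
        -signature "$WORK/in.sig" "$1" >/dev/null 2>&1
}

# Size in bytes of the digest handed to the signing step.
hash_size() { wc -c < "$WORK/in.hash" | tr -d ' '; }

setup_demo && hash_input "$WORK/in.bin" && sign_hash
if verify_sig "$WORK/in.bin"; then
    echo "two-step signature verifies; signer saw $(hash_size) bytes"
fi
```

Because the signing step consumes only the digest, it is the one place where a key file on disk could be swapped for a device-held key without changing the hashing or verification side.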