Verify return code: 7 (certificate signature failure) only when using zymkey_ssl

I use a smallstep default PKI to protect my exposed services. I’m attempting to use zymkey on a client to access one of those protected services. The mTLS is implemented through the standard nginx configuration, and is known working with all step cert pairs, which default to the p256 curve. Here is an example of those certs working, to connect to a LAN resource named “zero”:

openssl s_client -CAfile ca.crt -showcerts -check_ss_sig -key test.key -cert test.crt -tls1_2  -connect zero:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 O = Testing, CN = Testing Root CA
verify return:1
depth=1 O = Testing, CN = Testing Intermediate CA
verify return:1
depth=0 CN = zero
verify return:1
---
Certificate chain
 0 s:CN = zero
   i:O = Testing, CN = Testing Intermediate CA
 1 s:O = Testing, CN = Testing Intermediate CA
   i:O = Testing, CN = Testing Root CA
---
Server certificate
subject=CN = zero

issuer=O = Testing, CN = Testing Intermediate CA

---
Acceptable client certificate CA names
O = Testing, CN = Testing Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2123 bytes and written 922 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: BA70E584C11D4CBD2F3D692AF3392073F15E8964DF834B77CA6636F088B223FE
    Session-ID-ctx: 
    Master-Key: 83E4CA86BBBF370B40479910B536F29AF0DED1E1F87B60E1BDC601AE67C6E3886796691E20A8C71F527C40627BB5F084
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1637714153
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

So, we know that the server’s certs and our certs are good, and that everything can work. There is nothing wrong with the server’s certificate signatures.
Now, if we try to use the engine, deriving our flags from the zymbit documentation, like so:

openssl s_client -CAfile ca.crt -showcerts  -engine zymkey_ssl -cert bridget.crt -key bogus.key --tls1_2  -connect zero:443

Then we will get “Expecting Any Private Key” errors, regardless of whether bogus.key is made with touch or openssl ecparam. That’s no big deal; openssl just thinks that the key is a PEM, so we change it up to be:

openssl s_client -CAfile ca.crt -showcerts  -engine zymkey_ssl -keyform engine -cert bridget.crt -key bogus.key --tls1_2  -connect zero:443

where “bridget.crt” is a crt created by generating a zymkey CSR and signing it with step-ca.
And in response we get the failed signature verification:

-connect zero:443
engine "zymkey_ssl" set.
CONNECTED(00000008)
Can't use SSL_get_servername
depth=2 O = Testing, CN = Testing Root CA
verify return:1
depth=1 O = Testing, CN = Testing Intermediate CA
verify error:num=7:certificate signature failure
verify return:1
depth=1 O = Testing, CN = Testing Intermediate CA
verify return:1
depth=0 CN = zero
verify error:num=7:certificate signature failure
verify return:1
depth=0 CN = zero
verify return:1
281473869740512:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:../ssl/statem/statem_clnt.c:2405:
---
Certificate chain
 0 s:CN = zero
   i:O = Testing, CN = Testing Intermediate CA
 1 s:O = Testing, CN = Testing Intermediate CA
   i:O = Testing, CN = Testing Root CA
---
Server certificate
subject=CN = zero

issuer=O = Testing, CN = Testing Intermediate CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1206 bytes and written 195 bytes
Verification error: certificate signature failure
---
New, (NONE), Cipher is (NONE)
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1637716381
    Timeout   : 7200 (sec)
    Verify return code: 7 (certificate signature failure)
    Extended master secret: yes
---

No syntactical variations get any further than this point. This error is consistent with the server failing to provide a valid chain, but in this case we know for a fact that the server does return a valid one. What gives?

OpenSSL 1.1.1f  31 Mar 2020
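An added diagnostic helper (not part of the original post or of any Zymbit tooling) that parses the `verify` callback trace `openssl s_client` prints, so the two runs above can be compared depth by depth: the engine-less run reports no errors, while the engine run reports X509 error 7 at every depth whose signature is actually checked. The sample traces are copied from the post; the comparison logic and its interpretation are the editor's.

```python
import re

# Verify-callback trace lines copied from the two `openssl s_client` runs in the post above
# (the engine-less run passed -check_ss_sig, which is why the root's self-signature was checked there).
TRACE_WITHOUT_ENGINE = """\
depth=2 O = Testing, CN = Testing Root CA
verify return:1
depth=1 O = Testing, CN = Testing Intermediate CA
verify return:1
depth=0 CN = zero
verify return:1
    Verify return code: 0 (ok)
"""
TRACE_WITH_ENGINE = """\
depth=2 O = Testing, CN = Testing Root CA
verify return:1
depth=1 O = Testing, CN = Testing Intermediate CA
verify error:num=7:certificate signature failure
verify return:1
depth=1 O = Testing, CN = Testing Intermediate CA
verify return:1
depth=0 CN = zero
verify error:num=7:certificate signature failure
verify return:1
depth=0 CN = zero
verify return:1
    Verify return code: 7 (certificate signature failure)
"""
DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CODE_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")

def parse_verify_trace(text):
    """Map each chain depth to the X509 error numbers its verify callback reported; keep the final return code."""
    errors, depth, code = {}, None, (None, "")
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))
            errors.setdefault(depth, set())
        elif (m := ERROR_RE.match(line)) and depth is not None:
            errors[depth].add(int(m.group(1)))
        elif m := CODE_RE.match(line):
            code = (int(m.group(1)), m.group(2))
    return {"errors": errors, "return_code": code}

def depths_failing_only_in(baseline, suspect, errnum=7):
    """Depths hitting X509_V_ERR_CERT_SIGNATURE_FAILURE (7) in `suspect` but not `baseline`; if every checked depth fails only when the engine is loaded, suspect the verification path before the chain."""
    b, s = parse_verify_trace(baseline)["errors"], parse_verify_trace(suspect)["errors"]
    return sorted(d for d, errs in s.items() if errnum in errs and errnum not in b.get(d, set()))
```

Run it on the two traces and it reports depths `[0, 1]`: the leaf and the intermediate, i.e. every certificate whose signature the client verifies, fail only when the engine is loaded, while the same chain verifies cleanly without it.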