Bug: digest parameter is rejected


Blumenthal, Uri - 0553 - MITLL

RSA-OAEP supports different hash functions and MGF. SHA-1 is the default.

 

OpenSSL implementation of OAEP wrongly refuses to set the hash algorithm, preventing one from using SHA-2 family:

 

$ openssl version

OpenSSL 1.0.2l  25 May 2017

$ openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep

$ openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep -pkeyopt digest:sha256

parameter setting error

140736155067400:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:376:

$ ~/openssl-1.1/bin/openssl version

OpenSSL 1.1.0g-dev  xx XXX xxxx

$ ~/openssl-1.1/bin/openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep

$ ~/openssl-1.1/bin/openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep -pkeyopt digest:sha256

pkeyutl: Can't set parameter:

140736155067328:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:crypto/evp/pmeth_lib.c:312:

$

 

It seems that OpenSSL tries to enforce the incorrect assumption that digest/hash is only applicable to signature padding, but not to encryption padding?

--

Regards,

Uri Blumenthal


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: Bug: digest parameter is rejected

OpenSSL - Dev mailing list
On 09/18/2017 09:32 AM, Blumenthal, Uri - 0553 - MITLL wrote:

> RSA-OAEP supports different hash functions and MGF. SHA-1 is the default.
>
> OpenSSL implementation of OAEP wrongly refuses to set the hash algorithm, preventing one from using SHA-2 family:



You'll probably need to pick up master and its -rsa_mgf1_md argument to pkeyutl.

-Ben


Re: Bug: digest parameter is rejected

Blumenthal, Uri - 0553 - MITLL

>> OpenSSL implementation of OAEP wrongly refuses to set the hash algorithm, preventing one from using SHA-2 family:
>
> You'll probably need to pick up master and its -rsa_mgf1_md argument to pkeyutl.

Thank you – better with “-pkeyopt rsa_mgf1_md:sha256”. But still broken – as it affects only the MGF1 setting, but not the hash setting. I’d say it still needs to allow “-pkeyutl digest:xxx” parameter.

 

$ ~/openssl-1.1/bin/openssl version

OpenSSL 1.1.1-dev  xx XXX xxxx

$ ~/openssl-1.1/bin/openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_mgf1_md:sha256

$ yhsm2-tool --decrypt -m RSA-PKCS-OAEP --id 0301 -i t1264.dat.enc2.oaep -o t1264.dat.dec2 --hash-algorithm SHA256

Using slot 0 with a present token (0x0)

Logging in to "YubiHSM".

Please enter User PIN:

Using decrypt algorithm RSA-PKCS-OAEP

OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=0x0, source_len=0

error: PKCS11 function C_Decrypt failed: rv = CKR_FUNCTION_FAILED (0x6)

Aborting.

$ yhsm2-tool --decrypt -m RSA-PKCS-OAEP --id 0301 -i t1264.dat.enc2.oaep -o t1264.dat.dec2 --hash-algorithm SHA-1 --mgf MGF1-SHA256

Using slot 0 with a present token (0x0)

Logging in to "YubiHSM".

Please enter User PIN:

Using decrypt algorithm RSA-PKCS-OAEP

OAEP parameters: hashAlg=SHA-1, mgf=MGF1-SHA256, source_type=0, source_ptr=0x0, source_len=0

$ cmp t1264.dat t1264.dat.dec2

$



Re: Bug: digest parameter is rejected

Douglas E Engert
Can you also add -pkeyopt rsa_oaep_md:sha256?
See crypto/rsa/rsa_pmeth.c pkey_rsa_ctrl_str for the options.
There is also rsa_oaep_label


On 9/18/2017 10:46 AM, Blumenthal, Uri - 0553 - MITLL wrote:

> OpenSSL implementation of OAEP wrongly refuses to set the hash algorithm, preventing one from using SHA-2 family:
>
>
> You'll probably need to pick up master and its -rsa_mgf1_md argument to pkeyutl.
>
> Thank you – better with “-pkeyopt rsa_mgf1_md:sha256”. But still broken – as it affects only the MGF1 setting, but not the hash setting. I’d say it still needs to allow “-pkeyutl digest:xxx” parameter.
>
> $ ~/openssl-1.1/bin/openssl version
>
> OpenSSL 1.1.1-dev  xx XXX xxxx
>
> $ ~/openssl-1.1/bin/openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_mgf1_md:sha256
>
> $ yhsm2-tool --decrypt -m RSA-PKCS-OAEP --id 0301 -i t1264.dat.enc2.oaep -o t1264.dat.dec2 --hash-algorithm SHA256
>
> Using slot 0 with a present token (0x0)
>
> Logging in to "YubiHSM".
>
> Please enter User PIN:
>
> Using decrypt algorithm RSA-PKCS-OAEP
>
> OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=0x0, source_len=0
>
> error: PKCS11 function C_Decrypt failed: rv = CKR_FUNCTION_FAILED (0x6)
>
> Aborting.
>
> $ yhsm2-tool --decrypt -m RSA-PKCS-OAEP --id 0301 -i t1264.dat.enc2.oaep -o t1264.dat.dec2 --hash-algorithm SHA-1 --mgf MGF1-SHA256
>
> Using slot 0 with a present token (0x0)
>
> Logging in to "YubiHSM".
>
> Please enter User PIN:
>
> Using decrypt algorithm RSA-PKCS-OAEP
>
> OAEP parameters: hashAlg=SHA-1, mgf=MGF1-SHA256, source_type=0, source_ptr=0x0, source_len=0
>
> $ cmp t1264.dat t1264.dat.dec2
>
> $
>
>
>

--

  Douglas E. Engert  <[hidden email]>


Re: Bug: digest parameter is rejected

Blumenthal, Uri - 0553 - MITLL
On 9/18/17, 14:50, "openssl-dev on behalf of Douglas E Engert" <[hidden email] on behalf of [hidden email]> wrote:

    Can you also add -pkeyopt rsa_oaep_md:sha256
    See crypto/rsa/rsa_pmeth.c pkey_rsa_ctrl_str for the options.
    There is also rsa_oaep_label

Thank you!! That saved the day:

$ ~/openssl-1.1/bin/openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_mgf1_md:sha256
$ ~/openssl-1.1/bin/openssl pkeyutl -encrypt -in t1264.dat -out t1264.dat.enc2.oaep -keyform DER -pubin -inkey rsa3072pub.der -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_mgf1_md:sha256 -pkeyopt rsa_oaep_md:sha256
$ yhsm2-tool --decrypt -m RSA-PKCS-OAEP --id 0301 -i t1264.dat.enc2.oaep -o t1264.dat.dec2 --hash-algorithm SHA256
Using slot 0 with a present token (0x0)
Logging in to "YubiHSM".
Please enter User PIN:
Using decrypt algorithm RSA-PKCS-OAEP
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=0x0, source_len=0
$ cmp t1264.dat t1264.dat.dec2
$

Where can I see the complete list of the options that “-pkeyopt” supports now?
   


Re: Bug: digest parameter is rejected

Blumenthal, Uri - 0553 - MITLL
        See crypto/rsa/rsa_pmeth.c pkey_rsa_ctrl_str for the options.
        There is also rsa_oaep_label
   
    Thank you!! That saved the day:
    . . . . .
    Where can I see the complete list of the options that “-pkeyopt” supports now?

I missed the crypto/rsa/rsa_pmeth.c pkey_rsa_ctrl_str part. ;-(
Apologies for not paying attention.

The label is supplied as the initial hash, hex-encoded, right?

Oh, it would be nice to add “rsa_oaep_md:digest” and “rsa_oaep_label:hexstring” to the man page. ;-)
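
Added example, not part of the thread and not OpenSSL's code: a minimal EME-OAEP encoder/decoder following RFC 8017 (padding only, no RSA step) that reproduces why a block built with only `rsa_mgf1_md:sha256` decodes as hashAlg=SHA-1 but fails as hashAlg=SHA256. The function names are this example's own, `k=384` corresponds to a 3072-bit modulus, and the plaintext is constructed.

```python
import hashlib
import os

def mgf1(seed, length, md):
    """MGF1 mask generation (RFC 8017 B.2.1) using digest `md`."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(md, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, oaep_md="sha1", mgf1_md=None, label=b"", seed=None):
    """EME-OAEP encode. oaep_md hashes the label (rsa_oaep_md);
    mgf1_md drives both masks (rsa_mgf1_md). They are independent."""
    mgf1_md = mgf1_md or oaep_md
    lhash = hashlib.new(oaep_md, label).digest()
    hlen = len(lhash)
    if len(msg) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    ps = b"\x00" * (k - len(msg) - 2 * hlen - 2)
    db = lhash + ps + b"\x01" + msg
    seed = seed or os.urandom(hlen)
    masked_db = xor(db, mgf1(seed, k - hlen - 1, mgf1_md))
    masked_seed = xor(seed, mgf1(masked_db, hlen, mgf1_md))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, oaep_md="sha1", mgf1_md=None, label=b""):
    """EME-OAEP decode. Illustration only: not constant-time."""
    mgf1_md = mgf1_md or oaep_md
    lhash = hashlib.new(oaep_md, label).digest()
    hlen, k = len(lhash), len(em)
    masked_seed, masked_db = em[1:1 + hlen], em[1 + hlen:]
    seed = xor(masked_seed, mgf1(masked_db, hlen, mgf1_md))
    db = xor(masked_db, mgf1(seed, k - hlen - 1, mgf1_md))
    rest = db[hlen:].lstrip(b"\x00")
    # The lHash comparison is where a wrong OAEP digest is caught.
    if em[0] != 0 or db[:hlen] != lhash or rest[:1] != b"\x01":
        raise ValueError("decryption error")
    return rest[1:]

if __name__ == "__main__":
    # Same parameter mix as "-pkeyopt rsa_mgf1_md:sha256" alone.
    em = oaep_encode(b"constructed sample plaintext", 384, mgf1_md="sha256")
    print(oaep_decode(em, "sha1", "sha256"))   # matching parameters succeed
    try:
        oaep_decode(em, "sha256", "sha256")    # hashAlg mismatch
    except ValueError as exc:
        print("SHA256/MGF1-SHA256:", exc)
```
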