CMS decryption of message with OAEP using Hardware security module

CMS decryption of message with OAEP using Hardware security module

RudyAC
Hi,

I have the requirement to decrypt e-mails where RSA-OAEP padding is used. I
use the library openssl-1.0.2k and decrypt with CMS container (CMS_decrypt).
This works very well unless the private key is stored in a Hardware security
module and the cryptographic operation is performed via the PKCS11 engine
from openssl.

When decrypting an email which uses OAEP I got the error message:
 
47235129370352:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:

To analyze the problem I encrypted a clear text using OAEP padding and
set up a decryption function using
RSA_private_decrypt(). Here I use padding mode "RSA_NO_PADDING" and the
decryption also works with the PKCS11 engine. Unfortunately CMS does not
support setting the padding mode.

For any comments I would be very grateful

Regards Rudy



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html

Re: CMS decryption of message with OAEP using Hardware security module

Thulasi Goriparthi
Do you mean RSA OAEP decryption done by HSM fails?

Possible tests:
1. Try RSA OAEP encryption/decryption with HSM. - basic test.
2. Encrypt with HSM and decrypt using openssl crypto library. - To make sure RSA OAEP encryption of the HSM works fine.
3. If test 2 fails, check if all the parameters (hash, mgf, salt length) used for OAEP are same on both sides. If they match and decryption still fails, check with your HSM vendor. If they don't, try fixing the parameters and repeat test 2.

RSA_NO_PADDING always works as all it does is modular exponentiation.

Thanks,
Thulasi.

On Mon, 17 Feb, 2020, 19:22 RudyAC, <[hidden email]> wrote:

Re: CMS decryption of message with OAEP using Hardware security module

RudyAC
Hello Thulasi,

Thank you for your quick response.

The encryption does not take place in the HSM because we only store the private
keys inside the HSM. For encryption we use the openssl CMS_encrypt()
function. In case of OAEP I use the parameters:
                EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
                EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
                EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);
and call CMS_final() at last.
For decryption we use the HSM where the private keys are stored and the
openssl PKCS11 engine is used.
Therefore we call CMS_decrypt(). Unfortunately there are no OAEP parameters
that can be specified at CMS_decrypt().

By default we do encryption and decryption without HSM. Using the same
functions (CMS_encrypt(),CMS_decrypt()) it works very well. But now it is my
job to do decryption with a HSM (Utimaco).

My question is if there is a possibility to tell CMS_decrypt() that the
encrypted email uses OAEP padding or is there only a problem at the side of
the HSM provider.

Best regards
Rudy




Re: CMS decryption of message with OAEP using Hardware security module

Thulasi Goriparthi

On Tue, 18 Feb, 2020, 16:43 RudyAC, <[hidden email]> wrote:

Re: CMS decryption of message with OAEP using Hardware security module

Thulasi Goriparthi
Sorry for this. I see that you already knew about it.

On Tue, 18 Feb, 2020, 17:08 Thulasi Goriparthi, <[hidden email]> wrote:


Re: CMS decryption of message with OAEP using Hardware security module

Thulasi Goriparthi
CMS_decrypt doesn't need to be fed this information explicitly; it will be part of the CMS envelope of the encrypted data.
Thanks,
Thulasi.
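
Added example, not part of the thread and not OpenSSL or vendor code: the block a raw RSA_NO_PADDING decryption returns is still OAEP-encoded, and it only unpads when the OAEP digest, MGF1 digest and label match the ones used at encryption (the parameter check suggested in the thread). The SHA-256 settings follow the EVP_PKEY_CTX calls quoted above; the key bytes, seed, label and function names are constructed for illustration.

```python
import hashlib, hmac

def mgf1(seed, length, md):
    """MGF1 mask generation function (RFC 8017, B.2.1)."""
    blocks = -(-length // hashlib.new(md).digest_size)  # ceiling division
    return b"".join(hashlib.new(md, seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, seed, oaep_md, mgf1_md, label=b""):
    """EME-OAEP encoding, used here only to build the constructed sample."""
    h_len = hashlib.new(oaep_md).digest_size
    db = (hashlib.new(oaep_md, label).digest()
          + b"\x00" * (k - len(msg) - 2 * h_len - 2) + b"\x01" + msg)
    masked_db = xor(db, mgf1(seed, len(db), mgf1_md))
    return b"\x00" + xor(seed, mgf1(masked_db, h_len, mgf1_md)) + masked_db

def oaep_decode(em, oaep_md, mgf1_md, label=b""):
    """Unpad a raw RSA result (what RSA_NO_PADDING returns); one generic error."""
    h_len = hashlib.new(oaep_md).digest_size
    if len(em) < 2 * h_len + 2:
        raise ValueError("OAEP decoding error")
    seed = xor(em[1:1 + h_len], mgf1(em[1 + h_len:], h_len, mgf1_md))
    db = xor(em[1 + h_len:], mgf1(seed, len(em) - h_len - 1, mgf1_md))
    rest = db[h_len:].lstrip(b"\x00")  # zero padding before the 0x01 separator
    ok = (em[0] == 0) & (rest[:1] == b"\x01")
    ok &= hmac.compare_digest(db[:h_len], hashlib.new(oaep_md, label).digest())
    if not ok:
        raise ValueError("OAEP decoding error")
    return rest[1:]

def try_parameter_sets(em, label):
    """Map each (OAEP digest, MGF1 digest, label) to the recovered key or None."""
    results = {}
    for params in [("sha256", "sha256", label), ("sha1", "sha1", label),
                   ("sha256", "sha1", label), ("sha256", "sha256", b"")]:
        try:
            results[params] = oaep_decode(em, *params)
        except ValueError:
            results[params] = None
    return results

# Constructed sample: 32-byte content-encryption key in a 2048-bit (256-byte) block.
SAMPLE_CEK, SAMPLE_LABEL = bytes(range(32)), b"constructed-label"
SAMPLE_EM = oaep_encode(SAMPLE_CEK, 256, hashlib.sha256(b"constructed seed").digest(),
                        "sha256", "sha256", SAMPLE_LABEL)
```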

On Tue, 18 Feb 2020 at 17:16, Thulasi Goriparthi <[hidden email]> wrote: