Naming of methods in RSA_METHOD

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Naming of methods in RSA_METHOD

Rafael Ferrer
I implemented some custom engines and RSA_meth_set_priv_enc seems to map
to other libraries' RSA decrypt operation (NCryptDecrypt ||||on Windows
CNG, Cipher class with Cipher.DECRYPT_MODE on Android). They can do a
TLS connection just fine with a self-signed cert.


I looked at another custom engine and they seem to also use RSA decrypt for
RSA_meth_set_priv_enc:

https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-rsa.c#L163

BoringSSL's (deprecated) rsa_meth_st only has a sign and a decrypt,
having no encrypt operation:

https://commondatastorage.googleapis.com/chromium-boringssl-docs/rsa.h.html#rsa_meth_st


Is this just a naming quirk? I want to put down the nagging feeling I
have a bug somewhere.

Reply | Threaded
Open this post in threaded view
|

Re: Naming of methods in RSA_METHOD

Thulasi Goriparthi
Operations that a private key can do are decrypt and sign. Similarly, operations that a public key can do are encrypt and verify.

The legacy priv_enc(raw) just refers to raw signing, and is almost same as sign(with proper padding mechanisms). 

It is just a misnomer, as data encrypted with a private key can be decrypted by everyone with the corresponding public key. It is actually a sign operation, that lets everyone verify the signature.

Thanks,
Thulasi.


On Sat, 8 Feb, 2020, 08:17 Rafael Ferrer, <[hidden email]> wrote:
I implemented some custom engines and RSA_meth_set_priv_enc seems to map
to other libraries' RSA decrypt operation (NCryptDecrypt ||||on Windows
CNG, Cipher class with Cipher.DECRYPT_MODE on Android). They can do a
TLS connection just fine with a self-signed cert.


I looked at another custom engine and they seem to also use RSA decrypt for
RSA_meth_set_priv_enc:

https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-rsa.c#L163

BoringSSL's (deprecated) rsa_meth_st only has a sign and a decrypt,
having no encrypt operation:

https://commondatastorage.googleapis.com/chromium-boringssl-docs/rsa.h.html#rsa_meth_st


Is this just a naming quirk? I want to put down the nagging feeling I
have a bug somewhere.

Reply | Threaded
Open this post in threaded view
|

Re: Naming of methods in RSA_METHOD

Rafael Ferrer
So I went back to this and I think the problem is we are forced to
create a RSA_private_encrypt function even if all we want to do is sign.

https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_pmeth.c#L184

That branch gets hit on doing a TLS connection but not on creating a
certificate. Ideally, shouldn't RSA_PKCS1_PSS_PADDING (and the other
padding mode) also be handled by the RSA_sign of the engine
implementation? I mean it is inside a function called pkey_rsa_sign.
Though the RSA_sign function signature doesn't seem to allow specifying
the padding.

Reply | Threaded
Open this post in threaded view
|

Re: Naming of methods in RSA_METHOD

Rafael Ferrer
 > Though the RSA_sign function signature doesn't seem to allow specifying
the padding.

Sorry I meant the hashing algorithm.