RSA OAEP with sha256

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

RSA OAEP with sha256

Martin Kaiser-5
Dear all,

I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
MGF1 should use sha256 instead of the default sha1.

Does openssl support this at all? I tried something along the lines of

   size_t outlen;
   int ret;
   EVP_PKEY_CTX *ctx;
   unsigned char in[] = { .... some bytes ... };

   EVP_PKEY *key = NULL;
   RSA *r = NULL;

   unsigned char n[] = { ... };   /* 128 bytes */
   unsigned char e[] = { 0x01, 0x00, 0x01 };

   key = EVP_PKEY_new();
   r = RSA_new();
   assert(r);
   EVP_PKEY_assign_RSA(key, r);
   key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL);
   key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL);

   ctx = EVP_PKEY_CTX_new(key, NULL);
   assert(ctx);

   ret = EVP_PKEY_encrypt_init(ctx);
   assert(ret>=0);

   ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
   assert(ret>=0);

   ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT,  
            EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256);
   assert(ret>=0);

   ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in));
   assert(ret>=0);
   assert(outlen==128);


This doesn't fail on any asserts. I tried

ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());

instead of EVP_PKEY_CTX_ctrl().
This would not work because of a EVP_PKEY_OP_TYPE_... mismatch.

Unfortunately, the output does not seem to be correct, I can't produce
valid messages that are recognized by a receiving side that's known to
work with oeap sha256.

Does anyone see what I'm doing wrong here? Or does anyone have test
vectors so that I can verify my code? I know there's test vectors from
rsasecurity but they're only for oaep sha1.

Thanks in advance for your help,

   Martin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: RSA OAEP with sha256

Mounir IDRASSI
Hi Martin,

In OpenSSL implementation of OAEP, MGF1 is hardcoded with SHA-1 (look at
the end of the file rsa_oaep.c). Moreover, the function
RSA_padding_add_PKCS1_OAEP is using explicitly SHA-1 as the unique
possible hash. That's why your results are incorrect.

Personally, I overcame these limitations by implementing my own version
of RSA_padding_add_PKCS1_OAEP that accepts any hash and any MGF
implementation. I guess you should do the same.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 8/16/2012 11:27 PM, Martin Kaiser wrote:

> Dear all,
>
> I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
> MGF1 should use sha256 instead of the default sha1.
>
> Does openssl support this at all? I tried something along the lines of
>
>     size_t outlen;
>     int ret;
>     EVP_PKEY_CTX *ctx;
>     unsigned char in[] = { .... some bytes ... };
>
>     EVP_PKEY *key = NULL;
>     RSA *r = NULL;
>
>     unsigned char n[] = { ... };   /* 128 bytes */
>     unsigned char e[] = { 0x01, 0x00, 0x01 };
>
>     key = EVP_PKEY_new();
>     r = RSA_new();
>     assert(r);
>     EVP_PKEY_assign_RSA(key, r);
>     key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL);
>     key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL);
>
>     ctx = EVP_PKEY_CTX_new(key, NULL);
>     assert(ctx);
>
>     ret = EVP_PKEY_encrypt_init(ctx);
>     assert(ret>=0);
>
>     ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
>     assert(ret>=0);
>
>     ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT,
>              EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256);
>     assert(ret>=0);
>
>     ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in));
>     assert(ret>=0);
>     assert(outlen==128);
>
>
> This doesn't fail on any asserts. I tried
>
> ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());
>
> instead of EVP_PKEY_CTX_ctrl().
> This would not work because of a EVP_PKEY_OP_TYPE_... mismatch.
>
> Unfortunately, the output does not seem to be correct, I can't produce
> valid messages that are recognized by a receiving side that's known to
> work with oeap sha256.
>
> Does anyone see what I'm doing wrong here? Or does anyone have test
> vectors so that I can verify my code? I know there's test vectors from
> rsasecurity but they're only for oaep sha1.
>
> Thanks in advance for your help,
>
>     Martin
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: RSA OAEP with sha256

Dr. Stephen Henson
In reply to this post by Martin Kaiser-5
On Thu, Aug 16, 2012, Martin Kaiser wrote:

> Dear all,
>
> I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
> MGF1 should use sha256 instead of the default sha1.
>
> Does openssl support this at all? I tried something along the lines of
>
>    size_t outlen;
>    int ret;
>    EVP_PKEY_CTX *ctx;
>    unsigned char in[] = { .... some bytes ... };
>
>    EVP_PKEY *key = NULL;
>    RSA *r = NULL;
>
>    unsigned char n[] = { ... };   /* 128 bytes */
>    unsigned char e[] = { 0x01, 0x00, 0x01 };
>
>    key = EVP_PKEY_new();
>    r = RSA_new();
>    assert(r);
>    EVP_PKEY_assign_RSA(key, r);
>    key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL);
>    key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL);
>
>    ctx = EVP_PKEY_CTX_new(key, NULL);
>    assert(ctx);
>
>    ret = EVP_PKEY_encrypt_init(ctx);
>    assert(ret>=0);
>
>    ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
>    assert(ret>=0);
>
>    ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT,  
>             EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256);
>    assert(ret>=0);
>
>    ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in));
>    assert(ret>=0);
>    assert(outlen==128);
>
>
> This doesn't fail on any asserts. I tried
>
> ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());
>
> instead of EVP_PKEY_CTX_ctrl().
> This would not work because of a EVP_PKEY_OP_TYPE_... mismatch.
>
> Unfortunately, the output does not seem to be correct, I can't produce
> valid messages that are recognized by a receiving side that's known to
> work with oeap sha256.
>
> Does anyone see what I'm doing wrong here? Or does anyone have test
> vectors so that I can verify my code? I know there's test vectors from
> rsasecurity but they're only for oaep sha1.
>

You aren't doing anything wrong, it's just that OpenSSL currently is hard
coded with sha1 for OAEP. This will be addressed at some point.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]