
RSA_PKCS1_OAEP_PADDING


RSA_PKCS1_OAEP_PADDING

RudyAC
Hello,

I have the requirement to encrypt e-mails using RSA-OAEP padding. I use the library openssl-1.0.2k and encrypt with CMS container. The following function describes my method. My problem is that I'm not sure if this method really uses the RSA-OAEP padding.

/*
 * Encrypt the file `infile` into an S/MIME (CMS enveloped) message written
 * to `outfile`, for every certificate collected from _m_recipCertsList.
 * The per-recipient loop tries to select RSA-OAEP key transport with
 * SHA-256 as both the OAEP digest and the MGF1 digest.
 *
 * Returns true only when SMIME_write_CMS() succeeds; the paths that take
 * `goto exit` return false after cleanup.
 *
 * NOTE(review): as posted, this function builds two CMS structures. The
 * first one (CMS_PARTIAL, OAEP configured per recipient) is replaced by the
 * second CMS_encrypt() call further down, and it is the second structure
 * that is written out. The OAEP settings made in the loop therefore do not
 * apply to the recipients of the message that is actually emitted.
 */
bool
smime_encrypt_cms(const std::string& infile, const std::string& outfile)
{
    bool                bResult = false;
    const char*         inmode = "r";
    const char*         outmode = "w";
    const EVP_CIPHER*   cipher = NULL;


    STACK_OF(X509)*     encerts = NULL;
    BIO*                in = NULL;
    BIO*                out = NULL;
    BIO*                bio_err = NULL;
    int                 flags = 0;

        X509 *recip;
        int i = 0;
        /* No OAEP label is used: NULL pointer with length 0. */
        unsigned char *oaep_label = NULL;
        int oaep_label_l = 0;
        /* CMS_PARTIAL defers finalisation to CMS_final(); CMS_KEY_PARAM is
         * passed so the recipient's key context can be adjusted afterwards. */
        int nflags = CMS_PARTIAL | CMS_KEY_PARAM;
        /* NOTE(review): `cipher` is still NULL at this point; get_cipher()
         * is only called below. The result is also not checked for NULL
         * before it is used in the recipient loop. */
        CMS_ContentInfo* cms = CMS_encrypt(NULL, NULL, cipher, nflags);
        EVP_PKEY_CTX* wrap_ctx = NULL;

    KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () started" );

    cipher = get_cipher();
    SMTPD_RAND_load_file ( NULL , bio_err , 0 );

    /* Collect a duplicate of every recipient encryption certificate; the
     * stack owns the copies and frees them at `exit`. */
    encerts = sk_X509_new_null();

    FOR_CONST_IT(EmailAndCertList, itRecip, _m_recipCertsList)
    {
        SMIME_key_list recip_encerts = (*itRecip)->smime_enc();

        FOR_CONST_IT(SMIME_key_list, iter, recip_encerts)
        {
            sk_X509_push( encerts, (*iter).dup_cert());
        }
    }


    if ( ! ( in = BIO_new_file ( infile.c_str() , inmode ))) {
        KWlog_appl ( EV_E_APPL_INFO , "Can't open input file %s", infile.c_str() );
        _error_messages.push_back("Internal Error");
        goto exit;
    }

    if ( ! ( out = BIO_new_file ( outfile.c_str() , outmode ))) {
        KWlog_appl ( EV_E_APPL_INFO , "Can't open output file %s", outfile.c_str() );
        _error_messages.push_back("Internal Error");
        goto exit;
    }

    /* Add each recipient to the first (partial) structure and switch its
     * key-transport context to OAEP. */
    for (i = 0; i < sk_X509_num(encerts); i++) {

    CMS_RecipientInfo* r_info;

                recip = sk_X509_value(encerts, i);
                r_info = CMS_add1_recipient_cert(cms, recip, nflags);
                if (!r_info) {
                                KWlog_appl(EV_E_APPL_INFO,
                                                "smime_encrypt_cms(): Error while adding recipient certs to CMS info structure");
                                /* NOTE(review): this return bypasses the
                                 * `exit` label, so encerts, cms, in and out
                                 * are not released on this path. */
                                return false;
                }
                wrap_ctx = CMS_RecipientInfo_get0_pkey_ctx(r_info);
                KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () Set OAEP Padding");
                /* NOTE(review): none of the four return values below is
                 * checked, so a failed setter goes unnoticed. For an
                 * OAEP-only requirement a failure here should abort the
                 * encryption rather than continue. */
                EVP_PKEY_CTX_set_rsa_padding(wrap_ctx, RSA_PKCS1_OAEP_PADDING);
                EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
                EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
                EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);
        }

       /* Finalise the first structure; the return value is ignored. */
       CMS_final(cms, in, NULL, nflags);

    /* encrypt content */
    /* NOTE(review): this assignment replaces the structure configured above
     * with a new one built with flags == 0 and no OAEP setup. The earlier
     * structure is no longer reachable and is never freed. `in` has also
     * already been passed to CMS_final() - TODO confirm what is left to
     * read from it here. */
    cms = CMS_encrypt(encerts, in, cipher, flags);


    if( ! cms ) {
        KWlog ( EV_E_APPL_INFO , "Error creating CMS structure");
        KWlog_SSL ;
        _error_messages.push_back("Internal Error");
        goto exit;
    }

    flags |= SMIME_OLDMIME;

    /* Write out S/MIME message */
    if (!SMIME_write_CMS(out, cms, in, flags))
    goto exit;

    bResult = true;

    /* Common cleanup for the `goto exit` paths and for success. */
 exit:
    SMTPD_RAND_write_file (NULL, bio_err);
    sk_X509_pop_free(encerts, X509_free);
    if (cms)
    CMS_ContentInfo_free(cms);
    BIO_free(in);
    BIO_free_all(out);

    KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () finished" );
    return ( bResult );
}

When using this function to encrypt an e-mail Thunderbird can decrypt the message. But is RSA-OAEP padding really used or is the default padding still used? How can I check this?

For comments I would be very grateful

Regards Rudy


Re: RSA_PKCS1_OAEP_PADDING

Dr. Stephen Henson
On Thu, May 11, 2017, RudyAC wrote:

> Hello,
>
> I have the requirement to encrypt e-mails using RSA-OAEP padding. I use the
> library openssl-1.0.2k and encrypt with CMS container. The following
> function describes my method. My problem is that I'm not sure if this method
> really uses the RSA-OAEP padding.
>
> bool
> smime_encrypt_cms(const std::string& infile, const std::string& outfile)
> {
>     bool                bResult = false;
>     const char*         inmode = "r";
>     const char*         outmode = "w";
>     const EVP_CIPHER*   cipher = NULL;
>
>
>     STACK_OF(X509)*     encerts = NULL;
>     BIO*                in = NULL;
>     BIO*                out = NULL;
>     BIO*                bio_err = NULL;
>     int                 flags = 0;
>
> X509 *recip;
> int i = 0;
> unsigned char *oaep_label = NULL;
> int oaep_label_l = 0;
> int nflags = CMS_PARTIAL | CMS_KEY_PARAM;
> CMS_ContentInfo* cms = CMS_encrypt(NULL, NULL, cipher, nflags);
> EVP_PKEY_CTX* wrap_ctx = NULL;
>
>     KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () started" );
>
>     cipher = get_cipher();
>     SMTPD_RAND_load_file ( NULL , bio_err , 0 );
>
>     encerts = sk_X509_new_null();
>
>     FOR_CONST_IT(EmailAndCertList, itRecip, _m_recipCertsList)
>     {
>         SMIME_key_list recip_encerts = (*itRecip)->smime_enc();
>
>         FOR_CONST_IT(SMIME_key_list, iter, recip_encerts)
>         {
>             sk_X509_push( encerts, (*iter).dup_cert());
>         }
>     }
>
>
>     if ( ! ( in = BIO_new_file ( infile.c_str() , inmode ))) {
>         KWlog_appl ( EV_E_APPL_INFO , "Can't open input file %s",
> infile.c_str() );
>         _error_messages.push_back("Internal Error");
>         goto exit;
>     }
>
>     if ( ! ( out = BIO_new_file ( outfile.c_str() , outmode ))) {
>         KWlog_appl ( EV_E_APPL_INFO , "Can't open output file %s",
> outfile.c_str() );
>         _error_messages.push_back("Internal Error");
>         goto exit;
>     }
>
>     for (i = 0; i < sk_X509_num(encerts); i++) {
>
>     CMS_RecipientInfo* r_info;
>
> recip = sk_X509_value(encerts, i);
> r_info = CMS_add1_recipient_cert(cms, recip, nflags);
> if (!r_info) {
> KWlog_appl(EV_E_APPL_INFO,
> "smime_encrypt_cms(): Error while adding recipient certs to CMS info
> structure");
> return false;
> }
> wrap_ctx = CMS_RecipientInfo_get0_pkey_ctx(r_info);
> KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () Set OAEP Padding");
> EVP_PKEY_CTX_set_rsa_padding(wrap_ctx, RSA_PKCS1_OAEP_PADDING);
> EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
> EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
> EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);
> }
>
>        CMS_final(cms, in, NULL, nflags);
>
>     /* encrypt content */
>     cms = CMS_encrypt(encerts, in, cipher, flags);
>
>
>     if( ! cms ) {
>         KWlog ( EV_E_APPL_INFO , "Error creating CMS structure");
>         KWlog_SSL ;
>         _error_messages.push_back("Internal Error");
>         goto exit;
>     }
>
>     flags |= SMIME_OLDMIME;
>
>     /* Write out S/MIME message */
>     if (!SMIME_write_CMS(out, cms, in, flags))
>     goto exit;
>
>     bResult = true;
>
>  exit:
>     SMTPD_RAND_write_file (NULL, bio_err);
>     sk_X509_pop_free(encerts, X509_free);
>     if (cms)
>     CMS_ContentInfo_free(cms);
>     BIO_free(in);
>     BIO_free_all(out);
>
>     KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () finished" );
>     return ( bResult );
> }
>
> When using this function to encrypt an e-mail Thunderbird can decrypt the
> message. But is RSA-OAEP padding really used or is the default padding still
> used? How can I check this?
>
> For comments I would be very grateful
>

You can try printing out all the fields of the message with:

        openssl cms -cmsout -noout -print

Near the top you should see:

        keyEncryptionAlgorithm:
          algorithm: rsaesOaep (1.2.840.113549.1.1.7)

while the default padding gives:

        keyEncryptionAlgorithm:
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: RSA_PKCS1_OAEP_PADDING

RudyAC
Hello Steve,

first of all thanks for helpful advice. When printing out all the fields of the message with the openssl command
I got for every recipient two blocks. One block includes the OAEP padding and the other block (same recipient) includes the default padding.

d.ktri:
        version: <ABSENT>
        d.issuerAndSerialNumber:
          issuer: C=DE, O=extern, OU=host3, CN=CA - host3
          serialNumber: 12302977334217659119
        keyEncryptionAlgorithm:
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)
          parameter: NULL

d.ktri:
        version: <ABSENT>
        d.issuerAndSerialNumber:
          issuer: C=DE, O=extern, OU=host3, CN=CA - host3
          serialNumber: 12302977334217659119
        keyEncryptionAlgorithm:
          algorithm: rsaesOaep (1.2.840.113549.1.1.7)
          parameter: SEQUENCE:
    0:d=0  hl=2 l=  43 cons: SEQUENCE          
    2:d=1  hl=2 l=  13 cons:  cont [ 0 ]        
    4:d=2  hl=2 l=  11 cons:   SEQUENCE          
    6:d=3  hl=2 l=   9 prim:    OBJECT            :sha256
   17:d=1  hl=2 l=  26 cons:  cont [ 1 ]        
   19:d=2  hl=2 l=  24 cons:   SEQUENCE          
   21:d=3  hl=2 l=   9 prim:    OBJECT            :mgf1
   32:d=3  hl=2 l=  11 cons:    SEQUENCE          
   34:d=4  hl=2 l=   9 prim:     OBJECT            :sha256

How can I make sure that only the OAEP padding is used?

Regards
Rudy

Re: RSA_PKCS1_OAEP_PADDING

Dr. Stephen Henson
On Mon, May 15, 2017, RudyAC wrote:

> Hello Steve,
>
> first of all thanks for helpful advice. When printing out all the fields of
> the message with the openssl command
> I got for every recipient two blocks. One block includes the OAEP padding
> and the other block (same recipient) includes the default padding.
>
> d.ktri:
>         version: <ABSENT>
>         d.issuerAndSerialNumber:
>           issuer: C=DE, O=extern, OU=host3, CN=CA - host3
>           serialNumber: 12302977334217659119
>         keyEncryptionAlgorithm:
>           algorithm: rsaEncryption (1.2.840.113549.1.1.1)
>           parameter: NULL
>
> d.ktri:
>         version: <ABSENT>
>         d.issuerAndSerialNumber:
>           issuer: C=DE, O=extern, OU=host3, CN=CA - host3
>           serialNumber: 12302977334217659119
>         keyEncryptionAlgorithm:
>           algorithm: rsaesOaep (1.2.840.113549.1.1.7)
>           parameter: SEQUENCE:
>     0:d=0  hl=2 l=  43 cons: SEQUENCE          
>     2:d=1  hl=2 l=  13 cons:  cont [ 0 ]        
>     4:d=2  hl=2 l=  11 cons:   SEQUENCE          
>     6:d=3  hl=2 l=   9 prim:    OBJECT            :sha256
>    17:d=1  hl=2 l=  26 cons:  cont [ 1 ]        
>    19:d=2  hl=2 l=  24 cons:   SEQUENCE          
>    21:d=3  hl=2 l=   9 prim:    OBJECT            :mgf1
>    32:d=3  hl=2 l=  11 cons:    SEQUENCE          
>    34:d=4  hl=2 l=   9 prim:     OBJECT            :sha256
>
> How can I make sure that only the OAEP padding is used?
>

What code are you using? The original you posted had a bug:

       CMS_final(cms, in, NULL, nflags);

    /* encrypt content */
    cms = CMS_encrypt(encerts, in, cipher, flags);

Which will overwrite the created cms structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: RSA_PKCS1_OAEP_PADDING

RudyAC
Hello Steve,

you are right. I corrected the code (see below). Now it works!
Thank you very much for your quick response.

...

/* Create the one CMS structure that recipients are added to below and that
 * CMS_final() completes. This is an excerpt: the declarations and the
 * remainder of the function are elided in the post. */
    cms = CMS_encrypt(NULL, in, cipher, nflags);
    if(!cms)
    {
    /* NOTE(review): a NULL result is only logged; execution continues into
     * the loop, where `cms` is passed to CMS_add1_recipient_cert(). */
    KWlog_appl ( EV_D_APPL_INFO , "CMS not allocated!" );
    }

    for (i = 0; i < sk_X509_num(encerts); i++) {

    CMS_RecipientInfo* r_info;
    EVP_PKEY_CTX* wrap_ctx = NULL;


    /* Loop-invariant: the same bit is set again on every iteration. */
    nflags |= CMS_KEY_PARAM;


                recip = sk_X509_value(encerts, i);
                r_info = CMS_add1_recipient_cert(cms, recip, nflags);
                if (!r_info) {
                                KWlog_appl(EV_E_APPL_INFO,
                                                "smime_encrypt_cms(): Error while adding recipient certs to CMS info structure");
                                /* NOTE(review): returns directly; whether
                                 * cms, encerts and the BIOs are released on
                                 * this path is not visible in the excerpt -
                                 * verify against the full function. */
                                return false;
                }
                wrap_ctx = CMS_RecipientInfo_get0_pkey_ctx(r_info);
                KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () Set OAEP Padding");
                /* NOTE(review): a failure to select OAEP is logged at the
                 * same level as the trace messages and the loop carries on.
                 * If OAEP is mandatory, this should stop the encryption so
                 * no message is written for a recipient whose padding was
                 * not confirmed. */
                if (EVP_PKEY_CTX_set_rsa_padding(wrap_ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
                {
                        KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () Error while setting OAEP Padding");
                }
                /* NOTE(review): the digest, MGF1 digest and label setters
                 * below are not checked at all. */
                EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
                EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
                EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);

        }



        KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () CMS_final");
        /* NOTE(review): the return value of CMS_final() is ignored. The
         * written message can be checked with `openssl cms -cmsout -noout
         * -print`: every keyEncryptionAlgorithm entry should read rsaesOaep. */
        CMS_final(cms, in, NULL, nflags);

...

Regards
Rudy