On 4/13/2017 4:18 PM, Richard Levitte wrote:
In message <1ef605ec-d2dd-4d15-a27f-1e1ce7956...@ll.mit.edu> on Thu, 13 Apr 2017 20:55:36 +0000, "Blumenthal, Uri - 0553 - MITLL" <u...@ll.mit.edu> said:

uri> I am trying to use “openssl rsautl” to wrap/unwrap symmetric keys in a
uri> script. Decryption (and encryption too, but that isn’t relevant) is done using a
uri> token accessible via pkcs11 engine (libp11).
uri>
uri> The problem is: “rsautl” appears to assume that if “-oaep” flag is given,
uri> then the engine is going to handle OAEP padding. This is the screen log:
uri>
uri> $ openssl rsautl -engine pkcs11 -keyform ENGINE -encrypt -pubin -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20pubkey;type=public" -oaep -in t256.dat -out t256.dat.enc
uri> engine "pkcs11" set.
uri> $ ls -l t256.dat.enc
uri> -rw-r--r--  1 mouse   256 Apr 10 17:34 t256.dat.enc
uri> $ openssl rsautl -engine pkcs11 -keyform ENGINE -decrypt -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;type=private" -oaep -in t256.dat.enc -out t256.dat.dec
uri> engine "pkcs11" set.
uri> PKCS#11 token PIN:
uri> PKCS#11: Unsupported padding type
uri> RSA operation error
uri> $
uri>
uri> libp11 does not know how to deal with OAEP padding, so it returns an error.
uri>
uri> Desired solution: in case of “-oaep” pass “RSA_NO_PADDING” to the engine
uri> (aka to libp11), and strip the padding using OpenSSL mechanisms.
uri>
uri> I’d like to see that fixed in both 1.1 and 1.0.2 branches.

Wouldn't it be muuuuuch easier to add the following lines:

        case RSA_PKCS1_OAEP_PADDING:
                mechanism->mechanism = CKM_RSA_PKCS_OAEP;
                break;

right about here?
https://github.com/OpenSC/libp11/blob/master/src/p11_rsa.c#L72

What you propose for OpenSSL is quite a lot harder to implement well,
and one might also wonder why the OAEP padding should have that
special treatment and no other?


Because there are parameters to the OAEP, and rsautl.c does not set it.

When not using an engine, rsa/rsa_pmeth.c in pkey_rsa_decrypt does something similar:

        if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
                /* ... */
                /* Raw private-key operation: no padding is handled here. */
                ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
                                          ctx->pkey->pkey.rsa, RSA_NO_PADDING);
                /* ... */
                /* The OAEP padding is then checked and removed in software. */
                ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i,
                                                        ret - i, ret,
                                                        rctx->oaep_label,
                                                        rctx->oaep_labellen,
                                                        rctx->md, rctx->mgf1md);
                /* ... */




Cheers,
Richard


--

 Douglas E. Engert  <deeng...@gmail.com>

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
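
Added example, not part of the thread and not OpenSSL or libp11 code: a Python sketch of the split discussed above, where the token performs only the raw RSA operation (the RSA_NO_PADDING call) and the OAEP check, with its label and digest parameters, runs in software. The key is constructed from two Mersenne primes for the demo, token_raw_decrypt is a hypothetical stand-in for the engine call, and the SHA-1/empty-label defaults mirror OpenSSL's OAEP defaults.

```python
import hashlib, os

# Constructed demo key (two Mersenne primes); stands in for the key held on the token.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus size in bytes

def mgf1(seed, length, md):
    out = b""
    for counter in range(-(-length // hashlib.new(md).digest_size)):
        out += hashlib.new(md, seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(msg, label=b"", md="sha1", mgf1md="sha1"):
    lhash = hashlib.new(md, label).digest()
    hlen = len(lhash)
    if len(msg) > K - 2 * hlen - 2:
        raise ValueError("message too long")
    db = lhash + b"\x00" * (K - len(msg) - 2 * hlen - 2) + b"\x01" + msg
    seed = os.urandom(hlen)
    masked_db = xor(db, mgf1(seed, len(db), mgf1md))
    masked_seed = xor(seed, mgf1(masked_db, hlen, mgf1md))
    return b"\x00" + masked_seed + masked_db

def token_raw_decrypt(ciphertext):
    """Hypothetical stand-in for the engine call with RSA_NO_PADDING: bare c^d mod n."""
    return pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(K, "big")

def oaep_unpad(em, label=b"", md="sha1", mgf1md="sha1"):
    """Software OAEP check on the raw K-byte block (RFC 8017, section 7.1.2, step 3)."""
    lhash = hashlib.new(md, label).digest()
    hlen = len(lhash)
    if len(em) != K or K < 2 * hlen + 2:
        raise ValueError("decryption error")
    seed = xor(em[1:1 + hlen], mgf1(em[1 + hlen:], hlen, mgf1md))
    db = xor(em[1 + hlen:], mgf1(seed, K - hlen - 1, mgf1md))
    sep = db.find(b"\x01", hlen)
    # One generic error for every failure; this sketch is not constant time.
    if em[0] != 0 or db[:hlen] != lhash or sep < 0 or any(db[hlen:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]

def encrypt(msg, **params):
    return pow(int.from_bytes(oaep_pad(msg, **params), "big"), E, N).to_bytes(K, "big")
```

Unpadding with a label or digest other than the one used at encryption fails with the same generic error, so the caller has to be able to set those parameters.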
