Re: Help A Newbie , Please

2011-02-23 Thread John Doe
From: Hammad Bhutta hammadbhu...@gmail.com
 Whenever I type https://bhutta.com my browser pops up an error.
 When I type http://bhutta.com/file.php everything works

It seems apache is listening on 80 and not 443...
Maybe ask on the apache mailing list.

JD


  
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Help A Newbie , Please

2011-02-23 Thread Hammad Bhutta
thanks for your reply but can you direct me with the link. Plus how can I
make the Apache listen to port 443


On Wed, Feb 23, 2011 at 4:40 PM, John Doe jd...@yahoo.com wrote:

 From: Hammad Bhutta hammadbhu...@gmail.com
  Whenever I type https://bhutta.com my browser pops up an error.
  When I type http://bhutta.com/file.php everything works

 It seems apache is listening on 80 and not 443...
 Maybe ask on the apache mailing list.

 JD






Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-23 Thread Yessica De Ascencao
Hello!
Thanks for your help and monitoring.
Yes, I get the same error; it also throws the same error when tested with the
files you sent me.
I think there must be something I missed or did wrong in the installation.
Which version did you use for this package:
openssl
mod_tsa
Apache
mod_ssl
mysql
ts-patch_

Another thing, to generate the certificate for the extension tsa with Time
Stamping, which .cnf did you use? The openssl.cnf or one created for you?

Very grateful!
Thanks

2011/2/22 Mounir IDRASSI mounir.idra...@idrix.net

 Hi,

 Are you sure you have the same error description
 (lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested here with
 a certificate containing Digital Signature, Non Repudiation key usage and
 OpenSSL doesn't complain.
 I'm attaching the timestamp certificate (with its key and its CA
 certificate) that I used. Can you see if it is working for you?


 Cheers,
 --
 Mounir IDRASSI
 IDRIX
 http://www.idrix.fr

 On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:

 Hi Mounir IDRASSI!
 I generated the certificate with ONLY Digital Signature, Non Repudiation
 but I still have the same problem.

 Thanks!

 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             d8:e6:a3:f6:22:c7:a4:0c
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
         Validity
             Not Before: Feb 22 14:08:20 2011 GMT
             Not After : Feb 22 14:08:20 2012 GMT
         Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (2048 bit)
                 Modulus (2048 bit):
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             X509v3 Key Usage:
                 Digital Signature, Non Repudiation
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
             X509v3 Authority Key Identifier:
                 keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
             X509v3 Subject Alternative Name:
                 email:t...@company.com
             X509v3 Extended Key Usage: critical
                 Time Stamping
     Signature Algorithm: sha1WithRSAEncryption


 2011/2/22 Mounir IDRASSI mounir.idra...@idrix.net


Hi,

I don't agree : from the error description
(lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that
OpenSSL loaded the certificate but the X509_check_purpose(signer,
X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.

Actually, reading the certificate dump shows that the problem is
coming from the certificate Key Usage: it MUST NOT contain Key
Encipherment.
So, to resolve your problem, set the Key Usage to ONLY Digital
Signature, Non Repudiation.

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 2/22/2011 2:40 PM, Patrick Patterson wrote:

Hi Yessica:
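
An added example (not part of the thread, and not code from OpenSSL or mod_tsa): a pre-flight check that reads the extension block of an `openssl x509 -text` dump and lists why a certificate would be unsuitable as a timestamp signer. The Key Usage rule is the one stated in the reply above; the rule that Extended Key Usage be critical and contain only Time Stamping is from RFC 3161 section 2.3. The function names and the sample dumps are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `openssl x509 -text`, cut down to
# the extension block; the values mirror the certificate quoted in the thread.
SAMPLE_OK = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: critical
                Time Stamping
    Signature Algorithm: sha1WithRSAEncryption
"""
# Constructed failing variants: an extra Key Usage bit, and a non-critical EKU.
SAMPLE_BAD = SAMPLE_OK.replace("Non Repudiation", "Non Repudiation, Key Encipherment")
SAMPLE_NONCRIT = SAMPLE_OK.replace("Extended Key Usage: critical", "Extended Key Usage:")

ALLOWED_KU = {"Digital Signature", "Non Repudiation"}
HEADER = re.compile(r"^(X509v3 .+?|Netscape .+?):\s*(critical)?$")


def parse_extensions(text):
    """Return {extension name: (critical, [values])} from a text dump."""
    exts, current, in_block = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_block = True
            continue
        if not in_block or not stripped:
            continue
        if stripped.startswith("Signature Algorithm:"):
            break  # end of the extension block
        m = HEADER.match(stripped)
        if m:
            current = m.group(1)
            exts[current] = (m.group(2) is not None, [])
        elif current:
            exts[current][1].extend(v.strip() for v in stripped.split(",") if v.strip())
    return exts


def timestamp_signer_problems(text):
    """List the reasons a certificate fails the timestamp-signer rules."""
    exts = parse_extensions(text)
    problems = []
    if "X509v3 Key Usage" in exts:  # assumption: rule applies when the extension is present
        ku = set(exts["X509v3 Key Usage"][1])
        extra = ku - ALLOWED_KU
        if extra:
            problems.append("Key Usage has disallowed bits: " + ", ".join(sorted(extra)))
        if not ku & ALLOWED_KU:
            problems.append("Key Usage lacks Digital Signature / Non Repudiation")
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is None:
        problems.append("Extended Key Usage missing")
    else:
        critical, values = eku
        if values != ["Time Stamping"]:
            problems.append("Extended Key Usage must be Time Stamping only")
        if not critical:
            problems.append("Extended Key Usage must be marked critical")
    return problems


if __name__ == "__main__":
    for name, dump in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("noncrit", SAMPLE_NONCRIT)):
        print(name, timestamp_signer_problems(dump))
```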


Re: Help A Newbie , Please

2011-02-23 Thread John Doe
From: Hammad Bhutta hammadbhu...@gmail.com
 On Wed, Feb 23, 2011 at 4:40 PM, John Doe jd...@yahoo.com wrote:
 It seems apache is listening on 80 and not 443...
 Maybe ask on the apache mailing list.
 thanks for your reply but can you direct me with the link. Plus how can I
 make the Apache listen to port 443

http://tinyurl.com/4o645yo

JD


  


Re: Help A Newbie , Please

2011-02-23 Thread Hammad Bhutta
wao .. thanks :D

On Wed, Feb 23, 2011 at 7:44 PM, John Doe jd...@yahoo.com wrote:

 From: Hammad Bhutta hammadbhu...@gmail.com
  On Wed, Feb 23, 2011 at 4:40 PM, John Doe jd...@yahoo.com wrote:
  It seems apache is listening on 80 and not 443...
  Maybe ask on the apache mailing list.
  thanks for your reply but can you direct me with the link. Plus how can I
  make the Apache listen to port 443

 http://tinyurl.com/4o645yo

 JD






Re: ecdsa_method missing?

2011-02-23 Thread Kent Yoder
Thanks Mounir,

  I'd like to use ECDSA_METHOD to implement a dynamic engine for
ecdsa.  I want to avoid copying the header files from the upstream
source so that my engine package can compile stand-alone.  This should
be in line with the way dynamic engines have worked for other
algorithms since 0.9.8, if I understand correctly.

  Should I open an item in the issue tracker for this?

Thanks,
Kent

On Tue, Feb 22, 2011 at 8:04 PM, Mounir IDRASSI
mounir.idra...@idrix.net wrote:
 Hi,

 In the case of RSA_METHOD, it is working because the underlying type
 rsa_meth_st is defined in rsa.h, whereas for ECDSA_METHOD, the underlying
 type ecdsa_method is not exported by the public headers: it is defined in
 the internal OpenSSL header ecs_locl.h found in the source distribution.
 That explains why you are getting the compile error.
 I don't know why it was done like this, but if you really need this
 structure then you'll have to copy its definition from the header I
 mentioned above.

 Cheers,
 --
 Mounir IDRASSI
 IDRIX
 http://www.idrix.fr

 On 2/22/2011 6:14 PM, Kent Yoder wrote:

 Hi,

   The following RSA code compiles:

 #include <openssl/rsa.h>
 int main(void) { RSA_METHOD rsa = { "test" }; }

 but this ECDSA code doesn't:

 #include <openssl/ecdsa.h>
 int main(void) { ECDSA_METHOD ecdsa = { "test" }; }

 Am I missing a declaration, or is this perhaps a bug?

 Thanks,
 Kent


Re: ecdsa_method missing?

2011-02-23 Thread Mounir IDRASSI


Yes, you should open a ticket on the issue tracker. However, I'm not 
sure if Dr. Stephen Henson will agree to add this change to the current 
stable versions (0.9.8x and 1.0.0x) as he usually delays header changes 
till the 1.1.0 release.


--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/23/2011 4:44 PM, Kent Yoder wrote:

Thanks Mounir,

   I'd like to use ECDSA_METHOD to implement a dynamic engine for
ecdsa.  I want to avoid copying the header files from the upstream
source so that my engine package can compile stand-alone.  This should
be in line with the way dynamic engines have worked for other
algorithms since 0.9.8, if I understand correctly.

   Should I open an item in the issue tracker for this?

Thanks,
Kent

On Tue, Feb 22, 2011 at 8:04 PM, Mounir IDRASSI
mounir.idra...@idrix.net  wrote:

Hi,

In the case of RSA_METHOD, it is working because the underlying type
rsa_meth_st is defined in rsa.h, whereas for ECDSA_METHOD, the underlying
type ecdsa_method is not exported by the public headers: it is defined in
the internal OpenSSL header ecs_locl.h found in the source distribution.
That explains why you are getting the compile error.
I don't know why it was done like this, but if you really need this
structure then you'll have to copy its definition from the header I
mentioned above.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 6:14 PM, Kent Yoder wrote:

Hi,

   The following RSA code compiles:

#include <openssl/rsa.h>
int main(void) { RSA_METHOD rsa = { "test" }; }

but this ECDSA code doesn't:

#include <openssl/ecdsa.h>
int main(void) { ECDSA_METHOD ecdsa = { "test" }; }

Am I missing a declaration, or is this perhaps a bug?

Thanks,
Kent


Re: Help A Newbie , Please

2011-02-23 Thread Michael S. Zick
On Wed February 23 2011, Hammad Bhutta wrote:
 thanks for your reply but can you direct me with the link. Plus how can I
 make the Apache listen to port 443
 

Here is a good starting point:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

Google can probably answer anything you don't find a link for on that page.

Mike
 
 On Wed, Feb 23, 2011 at 4:40 PM, John Doe jd...@yahoo.com wrote:
 
  From: Hammad Bhutta hammadbhu...@gmail.com
   Whenever I type https://bhutta.com my browser pops up an error.
   When I type http://bhutta.com/file.php everything works
 
  It seems apache is listening on 80 and not 443...
  Maybe ask on the apache mailing list.
 
  JD
 
 
 


Re: Help A Newbie , Please

2011-02-23 Thread Hammad Bhutta
Thanks a lot Mike, it turns out all that googling is not gold after all...!

On Wed, Feb 23, 2011 at 7:33 PM, Michael S. Zick open...@morethan.org wrote:

 On Wed February 23 2011, Hammad Bhutta wrote:
  thanks for your reply but can you direct me with the link. Plus how can I
  make the Apache listen to port 443
 

 Here is a good starting point:
 http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

 Google can probably answer anything you don't find a link for on that page.

 Mike
 
  On Wed, Feb 23, 2011 at 4:40 PM, John Doe jd...@yahoo.com wrote:
 
   From: Hammad Bhutta hammadbhu...@gmail.com
    Whenever I type https://bhutta.com my browser pops up an error.
    When I type http://bhutta.com/file.php everything works
  
   It seems apache is listening on 80 and not 443...
   Maybe ask on the apache mailing list.
  
   JD
  
  
  



OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS

2011-02-23 Thread anmajumd

We recently built FIPS compliant openssl 0.9.8q. Earlier we were using
0.9.8l. With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when
running the OpenSSH client, connection setup fails during verification of
the server key.
We did not run into this SSH issue with 0.9.8l. Has anything changed
between 0.9.8l and 0.9.8q that would cause this?

The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has it
somehow been tightened up?


Below is the snippet of SSH debug logs


debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'vos-cm130' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug2: bits set: 1020/2048
bad decrypted len: 0 != 20 + 15
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key


  Any help would be greatly appreciated.


Thanks
Anamitra


Re: OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS

2011-02-23 Thread Dr. Stephen Henson
On Wed, Feb 23, 2011, anmajumd wrote:

 
 We recently built FIPS compliant openssl 0.9.8q. Earlier we were using
 0.9.8l. With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when
 running the OpenSSH client, connection setup fails during verification of
 the server key.
 We did not run into this SSH issue with 0.9.8l. Has anything changed
 between 0.9.8l and 0.9.8q that would cause this?

 The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has it
 somehow been tightened up?
 

Yes, you aren't allowed to call RSA_public_decrypt() directly in FIPS mode:
instead you have to use the EVP interface for EVP_Verify*(). There is a patch
which changes the ssh code to use EVP instead (while still being compatible
with other versions of OpenSSL).

Due to a bug the restriction wasn't enforced in some versions of OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
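
An added example (not part of the thread, and not code from OpenSSH or OpenSSL): a model of the length check behind the log line "bad decrypted len: 0 != 20 + 15" quoted in this thread. A PKCS#1 v1.5 SHA-1 signature decodes to a 15-byte DigestInfo prefix followed by the 20-byte digest, so a low-level call that hands back no data fails with exactly that message. The test key is constructed from two Mersenne primes, and all function names are hypothetical.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1 (15 bytes); the 20-byte digest follows it.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed test key built from two Mersenne primes; for demonstration only.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def sign(message):
    """EMSA-PKCS1-v1_5 with SHA-1: 00 01 FF..FF 00 || prefix || digest, then ^d mod n."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def public_decrypt(sig):
    """Raw public-key operation plus type-1 padding removal; returns the payload."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return b""
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return b""  # padding must be at least 8 bytes of FF
    return em[sep + 1:]


def refused_decrypt(sig):
    """Models a library that rejects the low-level call and returns no data."""
    return b""


def verify(message, sig, decrypt=public_decrypt):
    """Return (ok, reason); `decrypt` is swappable to model the refused call."""
    digest = hashlib.sha1(message).digest()
    payload = decrypt(sig)
    if len(payload) != len(digest) + len(SHA1_PREFIX):
        return False, "bad decrypted len: %d != %d + %d" % (
            len(payload), len(digest), len(SHA1_PREFIX))
    if payload[:len(SHA1_PREFIX)] != SHA1_PREFIX:
        return False, "digest algorithm prefix mismatch"
    if not hmac.compare_digest(payload[len(SHA1_PREFIX):], digest):
        return False, "signature incorrect"
    return True, "ok"


if __name__ == "__main__":
    blob = b"constructed host key blob"
    s = sign(blob)
    print(verify(blob, s))
    print(verify(blob, s, refused_decrypt))
```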


Re: OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS

2011-02-23 Thread anmajumd
Thanks for your prompt response. Do you have the name of the patch to share
with us?

Thanks
Anamitra


On 2/23/11 1:42 PM, Dr. Stephen Henson st...@openssl.org wrote:

 On Wed, Feb 23, 2011, anmajumd wrote:
 
 
 We recently built FIPS compliant openssl 0.9.8q. Earlier we were using
 0.9.8l. With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when
 running the OpenSSH client, connection setup fails during verification of
 the server key.
 We did not run into this SSH issue with 0.9.8l. Has anything changed
 between 0.9.8l and 0.9.8q that would cause this?

 The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has it
 somehow been tightened up?
 
 
 Yes, you aren't allowed to call RSA_public_decrypt() directly in FIPS mode:
 instead you have to use the EVP interface for EVP_Verify*(). There is a patch
 which changes the ssh code to use EVP instead (while still being compatible
 with other versions of OpenSSL).
 
 Due to a bug the restriction wasn't enforced in some versions of OpenSSL.
 
 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org


RSA_private_decrypt without e and d

2011-02-23 Thread Shaheed Bacchus (sbacchus)
Hi,

  I have a situation where I have a message that has been encrypted via
RSA_public_encrypt.  On the receiving end I have the n, p, q, dmp1,
dmq1, and iqmp components (I know it might sound odd that I don't have
the e and d components but that is the case).  I'm trying to do
something like:

 

if (!(new_key = RSA_new()))
   return -1;

new_key->n = BN_bin2bn(n_data, n_data_len, NULL);
new_key->p = BN_bin2bn(p_data, p_data_len, NULL);
new_key->q = BN_bin2bn(q_data, q_data_len, NULL);
new_key->dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL);
new_key->dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL);
new_key->iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL);

resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted,
decrypted, new_key, RSA_PKCS1_PADDING);

This decrypt fails with

error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02

Supplying the correct e and d component causes it to work properly, but I
will not have those under normal circumstances.  Is there any way to do
this without d and e?



RE: RSA_private_decrypt without e and d

2011-02-23 Thread Shaheed Bacchus (sbacchus)
Just to be clear, below is not the actual code, but what I would *like*
to be able to do (or something close).

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Shaheed Bacchus
(sbacchus)
Sent: Wednesday, February 23, 2011 9:47 PM
To: openssl-users@openssl.org
Subject: RSA_private_decrypt without e and d

 

Hi,

  I have a situation where I have a message that has been encrypted via
RSA_public_encrypt.  On the receiving end I have the n, p, q, dmp1,
dmq1, and iqmp components (I know it might sound odd that I don't have
the e and d components but that is the case).  I'm trying to do
something like:

 

if (!(new_key = RSA_new()))
   return -1;

new_key->n = BN_bin2bn(n_data, n_data_len, NULL);
new_key->p = BN_bin2bn(p_data, p_data_len, NULL);
new_key->q = BN_bin2bn(q_data, q_data_len, NULL);
new_key->dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL);
new_key->dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL);
new_key->iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL);

resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted,
decrypted, new_key, RSA_PKCS1_PADDING);

This decrypt fails with

error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02

Supplying the correct e and d component causes it to work properly, but I
will not have those under normal circumstances.  Is there any way to do
this without d and e?



Re: RSA_private_decrypt without e and d

2011-02-23 Thread Victor Duchovni
On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote:

 Just to be clear, below is not the actual code, but what I would *like*
 to be able to do (or something close).

What you are asking to do is not possible, not because of API limitations,
but as a matter of principle (mathematical property of RSA).

   I have a situation where I have a message that has been encrypted via
 RSA_public_encrypt.  On the receiving end I have the n, p, q, dmp1,
 dmq1, and iqmp components (I know it might sound odd that I don't have
 the e and d components but that is the case).

The RSA algorithm computes a ciphertext M' from a plaintext M via

M' = (M)^e mod n (i.e. mod pq).

decryption is possible when p, q (and implicitly e) are known because

M = (M')^d mod n

provided:

- M < n (e.g. the message is shorter than the key bit length),
  thus computing the result mod n loses no information.

- d*e = 1 mod phi(n) = (p-1)(q-1)

http://en.wikipedia.org/wiki/Euler%27s_totient_function

when e, p and q are known, d can be computed via Euclid's algorithm for
finding the multiplicative inverse of a mod b, when a is co-prime to b.

When e is unknown, any M'' obtained from M via some exponent e' is
as good a plaintext as M since, if e'*d' = 1 mod phi(n), we have:

M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e)

therefore if the public exponent were (d'*e) instead of e, the same
message M' decrypts to M' instead of M. There is no well-defined inverse
to RSA without e, since e is fundamental parameter of the operation
you want to invert.

-- 
Viktor.


Re: RSA_private_decrypt without e and d

2011-02-23 Thread Marek . Marcola
Hello,

If you have on the receiving site n, p, q, dmp1, dmq1, and iqmp components
then you may decrypt message M from ciphertext C with CRT:

   Cp = C mod p
   Cq = C mod q
   Mp = Cp^dmp1 mod p
   Mq = Cq^dmq1 mod q
   h = (Mp - Mq) * iqmp mod p
   M = Mq + qh

where:
   dmp1 = d mod (p-1)
   dmq1 = d mod (q-1)
   iqmp = q^-1 mod p
you have recomputed.

You do not need d on the receiving site if you have these parameters.

Best regards,
--
Marek Marcola marek.marc...@malkom.pl


owner-openssl-us...@openssl.org wrote on 02/24/2011 05:48:19 AM:

 Victor Duchovni victor.ducho...@morganstanley.com 
 Sent by: owner-openssl-us...@openssl.org
 
 02/24/2011 05:50 AM
 
 Please respond to
 openssl-users@openssl.org
 
 To
 
 openssl-users@openssl.org
 
 cc
 
 Subject
 
 Re: RSA_private_decrypt without  e and d
 
 On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote:

  Just to be clear, below is not the actual code, but what I would *like*
  to be able to do (or something close).

 What you are asking to do is not possible, not because of API limitations,
 but as a matter of principle (mathematical property of RSA).

    I have a situation where I have a message that has been encrypted via
  RSA_public_encrypt.  On the receiving end I have the n, p, q, dmp1,
  dmq1, and iqmp components (I know it might sound odd that I don't have
  the e and d components but that is the case).
 
 The RSA algorithm computes a ciphertext M' from a plaintext M via
 
M' = (M)^e mod n (i.e. mod pq).
 
 decryption is possible when p, q (and implicitly e) are known because
 
M = (M')^d mod n
 
 provided:
 
 - M < n (e.g. the message is shorter than the key bit length),
   thus computing the result mod n loses no information.
 
 - d*e = 1 mod phi(n) = (p-1)(q-1)
 
http://en.wikipedia.org/wiki/Euler%27s_totient_function
 
 when e, p and q are known, d can be computed via Euclid's algorithm for
 finding the multiplicative inverse of a mod b, when a is co-prime to b.
 
 When e is unknown, any M'' obtained from M via some exponent e' is
 as good a plaintext as M since, if e'*d' = 1 mod phi(n), we have:
 
 M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e)
 
 therefore if the public exponent were (d'*e) instead of e, the same
 message M' decrypts to M' instead of M. There is no well-defined inverse
 to RSA without e, since e is fundamental parameter of the operation
 you want to invert.
 
 -- 
Viktor.


Re: RSA_private_decrypt without e and d

2011-02-23 Thread Marek . Marcola
Hello,

Try to disable RSA blinding with:

   RSA_blinding_off(new_key);

before RSA_private_decrypt().

Best regards,
--
Marek Marcola marek.marc...@malkom.pl


owner-openssl-us...@openssl.org wrote on 02/24/2011 03:46:53 AM:

 Shaheed Bacchus (sbacchus) sbacc...@cisco.com 
 Sent by: owner-openssl-us...@openssl.org
 
 02/24/2011 03:52 AM
 
 Please respond to
 openssl-users@openssl.org
 
 To
 
 openssl-users@openssl.org
 
 cc
 
 Subject
 
 RSA_private_decrypt without  e and d
 
 Hi,
   I have a situation where I have a message that has been encrypted via
 RSA_public_encrypt.  On the receiving end I have the n, p, q, dmp1, dmq1, and iqmp
 components (I know it might sound odd that I don’t have the e and d components but that
 is the case).  I’m trying to do something like:

 if (!(new_key = RSA_new()))
    return -1;

 new_key->n = BN_bin2bn(n_data, n_data_len, NULL);
 new_key->p = BN_bin2bn(p_data, p_data_len, NULL);
 new_key->q = BN_bin2bn(q_data, q_data_len, NULL);
 new_key->dmp1 = BN_bin2bn(dmp1_data, dmp1_data_len, NULL);
 new_key->dmq1 = BN_bin2bn(dmq1_data, dmq1_data_len, NULL);
 new_key->iqmp = BN_bin2bn(iqmp_data, iqmp1_data_len, NULL);

 resultDecrypt = RSA_private_decrypt(encrypted_size, encrypted, decrypted, new_key,
 RSA_PKCS1_PADDING);

 This decrypt fails with
 error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02

 Supplying the correct e and d component causes it to work properly, but I will not have
 those under normal circumstances.  Is there any way to do this without d and e?

Re: RSA_private_decrypt without e and d

2011-02-23 Thread Mounir IDRASSI

Hi Victor,

Your analysis is not true because the original poster says he has dmp1,
dmq1 and iqmp, not only p and q. With these 5 parameters, it is possible
to recover the plain text from the ciphered text thanks to the Chinese
Remainder Transformation (CRT). Moreover, it is possible to recover the
public exponent e and the private exponent d from these 5 parameters
using a mathematical transformation. I have implemented such a
transformation in an open source tool that I put on SourceForge: you
can get it along with the mathematics behind it from the following link:
http://rsaconverter.sourceforge.net/ .


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 2/24/2011 5:48 AM, Victor Duchovni wrote:

On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote:


Just to be clear, below is not the actual code, but what I would *like*
to be able to do (or something close).

What you are asking to do is not possible, not because of API limitations,
but as a matter of principle (mathematical property of RSA).


   I have a situation where I have a message that has been encrypted via
RSA_public_encrypt.  On the receiving end I have the n, p, q, dmp1,
dmq1, and iqmp components (I know it might sound odd that I don't have
the e and d components but that is the case).

The RSA algorithm computes a ciphertext M' from a plaintext M via

M' = (M)^e mod n (i.e. mod pq).

decryption is possible when p, q (and implicitly e) are known because

M = (M')^d mod n

provided:

 - M < n (e.g. the message is shorter than the key bit length),
   thus computing the result mod n loses no information.

 - d*e = 1 mod phi(n) = (p-1)(q-1)

http://en.wikipedia.org/wiki/Euler%27s_totient_function

when e, p and q are known, d can be computed via Euclid's algorithm for
finding the multiplicative inverse of a mod b, when a is co-prime to b.

When e is unknown, any M'' obtained from M via some exponent e' is
as good a plaintext as M since, if e'*d' = 1 mod phi(n), we have:

 M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e)

therefore if the public exponent were (d'*e) instead of e, the same
message M' decrypts to M' instead of M. There is no well-defined inverse
to RSA without e, since e is fundamental parameter of the operation
you want to invert.
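
An added example (not part of the thread, and not code from OpenSSL or from the tool linked above): the CRT decryption formulas from Marek Marcola's reply, and one standard way to recover d and e from p, q, dmp1 and dmq1 as Mounir IDRASSI's reply describes, by solving the two congruences for d modulo lcm(p-1, q-1). It works on raw integers without PKCS#1 padding; the toy key and all function names are constructed for illustration.

```python
from math import gcd


def crt_components(p, q, e):
    """Build the six values the receiver is said to hold (constructed test key)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "p": p, "q": q,
            "dmp1": d % (p - 1), "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}


def crt_decrypt(c, k):
    """Raw RSA private operation from the CRT values only; neither e nor d is used."""
    mp = pow(c % k["p"], k["dmp1"], k["p"])
    mq = pow(c % k["q"], k["dmq1"], k["q"])
    h = ((mp - mq) * k["iqmp"]) % k["p"]
    return mq + k["q"] * h


def recover_exponents(k):
    """Solve d = dmp1 (mod p-1), d = dmq1 (mod q-1), then invert d to get e.

    p-1 and q-1 are both even, so the moduli are not coprime and d is only
    determined modulo lcm(p-1, q-1); that is sufficient for RSA. The returned
    e is likewise reduced modulo lcm(p-1, q-1).
    """
    a, b = k["p"] - 1, k["q"] - 1
    g = gcd(a, b)
    diff = k["dmq1"] - k["dmp1"]
    if diff % g:
        raise ValueError("dmp1 and dmq1 do not come from the same d")
    lam = a // g * b  # lcm(p-1, q-1)
    t = (diff // g) * pow(a // g, -1, b // g) % (b // g)
    d = (k["dmp1"] + a * t) % lam
    e = pow(d, -1, lam)  # raises ValueError if the inputs are not a valid key
    return d, e


# Constructed toy key (p=61, q=53, e=17); real keys use far larger primes.
TOY = crt_components(61, 53, 17)


def demo():
    c = pow(65, 17, TOY["n"])  # textbook encryption of M = 65
    return crt_decrypt(c, TOY), recover_exponents(TOY)


if __name__ == "__main__":
    print(demo())
```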


