Re: RSA OAEP with sha256
Hi Martin, In OpenSSL implementation of OAEP, MGF1 is hardcoded with SHA-1 (look at the end of the file rsa_oaep.c). Moreover, the function RSA_padding_add_PKCS1_OAEP is using explicitly SHA-1 as the unique possible hash. That's why your results are incorrect. Personally, I overcame these limitations by implementing my own version of RSA_padding_add_PKCS1_OAEP that accepts any hash and any MGF implementation. I guess you should do the same. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 8/16/2012 11:27 PM, Martin Kaiser wrote: Dear all, I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and MGF1 should use sha256 instead of the default sha1. Does openssl support this at all? I tried something along the lines of size_t outlen; int ret; EVP_PKEY_CTX *ctx; unsigned char in[] = { some bytes ... }; EVP_PKEY *key = NULL; RSA *r = NULL; unsigned char n[] = { ... }; /* 128 bytes */ unsigned char e[] = { 0x01, 0x00, 0x01 }; key = EVP_PKEY_new(); r = RSA_new(); assert(r); EVP_PKEY_assign_RSA(key, r); key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL); key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL); ctx = EVP_PKEY_CTX_new(key, NULL); assert(ctx); ret = EVP_PKEY_encrypt_init(ctx); assert(ret>=0); ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING); assert(ret>=0); ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256); assert(ret>=0); ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in)); assert(ret>=0); assert(outlen==128); This doesn't fail on any asserts. I tried ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()); instead of EVP_PKEY_CTX_ctrl(). This would not work because of a EVP_PKEY_OP_TYPE_... mismatch. Unfortunately, the output does not seem to be correct, I can't produce valid messages that are recognized by a receiving side that's known to work with oeap sha256. Does anyone see what I'm doing wrong here? Or does anyone have test vectors so that I can verify my code? I know there's test vectors from rsasecurity but they're only for oaep sha1. Thanks in advance for your help, Martin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RSA OAEP with sha256
On Thu, Aug 16, 2012, Martin Kaiser wrote: > Dear all, > > I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and > MGF1 should use sha256 instead of the default sha1. > > Does openssl support this at all? I tried something along the lines of > >size_t outlen; >int ret; >EVP_PKEY_CTX *ctx; >unsigned char in[] = { some bytes ... }; > >EVP_PKEY *key = NULL; >RSA *r = NULL; > >unsigned char n[] = { ... }; /* 128 bytes */ >unsigned char e[] = { 0x01, 0x00, 0x01 }; > >key = EVP_PKEY_new(); >r = RSA_new(); >assert(r); >EVP_PKEY_assign_RSA(key, r); >key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL); >key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL); > >ctx = EVP_PKEY_CTX_new(key, NULL); >assert(ctx); > >ret = EVP_PKEY_encrypt_init(ctx); >assert(ret>=0); > >ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING); >assert(ret>=0); > >ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT, > EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256); >assert(ret>=0); > >ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in)); >assert(ret>=0); >assert(outlen==128); > > > This doesn't fail on any asserts. I tried > > ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()); > > instead of EVP_PKEY_CTX_ctrl(). > This would not work because of a EVP_PKEY_OP_TYPE_... mismatch. > > Unfortunately, the output does not seem to be correct, I can't produce > valid messages that are recognized by a receiving side that's known to > work with oeap sha256. > > Does anyone see what I'm doing wrong here? Or does anyone have test > vectors so that I can verify my code? I know there's test vectors from > rsasecurity but they're only for oaep sha1. > You aren't doing anything wrong, it's just that OpenSSL currently is hard coded with sha1 for OAEP. This will be addressed at some point. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RSA OAEP with sha256
Dear all, I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and MGF1 should use sha256 instead of the default sha1. Does openssl support this at all? I tried something along the lines of size_t outlen; int ret; EVP_PKEY_CTX *ctx; unsigned char in[] = { some bytes ... }; EVP_PKEY *key = NULL; RSA *r = NULL; unsigned char n[] = { ... }; /* 128 bytes */ unsigned char e[] = { 0x01, 0x00, 0x01 }; key = EVP_PKEY_new(); r = RSA_new(); assert(r); EVP_PKEY_assign_RSA(key, r); key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL); key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL); ctx = EVP_PKEY_CTX_new(key, NULL); assert(ctx); ret = EVP_PKEY_encrypt_init(ctx); assert(ret>=0); ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING); assert(ret>=0); ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256); assert(ret>=0); ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in)); assert(ret>=0); assert(outlen==128); This doesn't fail on any asserts. I tried ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()); instead of EVP_PKEY_CTX_ctrl(). This would not work because of a EVP_PKEY_OP_TYPE_... mismatch. Unfortunately, the output does not seem to be correct, I can't produce valid messages that are recognized by a receiving side that's known to work with oeap sha256. Does anyone see what I'm doing wrong here? Or does anyone have test vectors so that I can verify my code? I know there's test vectors from rsasecurity but they're only for oaep sha1. Thanks in advance for your help, Martin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org