Re: RSA OAEP with sha256
Hi Martin,
In OpenSSL implementation of OAEP, MGF1 is hardcoded with SHA-1 (look at
the end of the file rsa_oaep.c). Moreover, the function
RSA_padding_add_PKCS1_OAEP is using explicitly SHA-1 as the unique
possible hash. That's why your results are incorrect.
Personally, I overcame these limitations by implementing my own version
of RSA_padding_add_PKCS1_OAEP that accepts any hash and any MGF
implementation. I guess you should do the same.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 8/16/2012 11:27 PM, Martin Kaiser wrote:
Dear all,
I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
MGF1 should use sha256 instead of the default sha1.
Does openssl support this at all? I tried something along the lines of
size_t outlen;
int ret;
EVP_PKEY_CTX *ctx;
unsigned char in[] = { some bytes ... };
EVP_PKEY *key = NULL;
RSA *r = NULL;
unsigned char n[] = { ... }; /* 128 bytes */
unsigned char e[] = { 0x01, 0x00, 0x01 };
key = EVP_PKEY_new();
r = RSA_new();
assert(r);
EVP_PKEY_assign_RSA(key, r);
key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL);
key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL);
ctx = EVP_PKEY_CTX_new(key, NULL);
assert(ctx);
ret = EVP_PKEY_encrypt_init(ctx);
assert(ret>=0);
ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
assert(ret>=0);
ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT,
EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256);
assert(ret>=0);
ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in));
assert(ret>=0);
assert(outlen==128);
This doesn't fail on any asserts. I tried
ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());
instead of EVP_PKEY_CTX_ctrl().
This would not work because of a EVP_PKEY_OP_TYPE_... mismatch.
Unfortunately, the output does not seem to be correct, I can't produce
valid messages that are recognized by a receiving side that's known to
work with oeap sha256.
Does anyone see what I'm doing wrong here? Or does anyone have test
vectors so that I can verify my code? I know there's test vectors from
rsasecurity but they're only for oaep sha1.
Thanks in advance for your help,
Martin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: RSA OAEP with sha256
On Thu, Aug 16, 2012, Martin Kaiser wrote:
> Dear all,
>
> I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
> MGF1 should use sha256 instead of the default sha1.
>
> Does openssl support this at all? I tried something along the lines of
>
>size_t outlen;
>int ret;
>EVP_PKEY_CTX *ctx;
>unsigned char in[] = { some bytes ... };
>
>EVP_PKEY *key = NULL;
>RSA *r = NULL;
>
>unsigned char n[] = { ... }; /* 128 bytes */
>unsigned char e[] = { 0x01, 0x00, 0x01 };
>
>key = EVP_PKEY_new();
>r = RSA_new();
>assert(r);
>EVP_PKEY_assign_RSA(key, r);
>key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL);
>key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL);
>
>ctx = EVP_PKEY_CTX_new(key, NULL);
>assert(ctx);
>
>ret = EVP_PKEY_encrypt_init(ctx);
>assert(ret>=0);
>
>ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
>assert(ret>=0);
>
>ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT,
> EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256);
>assert(ret>=0);
>
>ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in));
>assert(ret>=0);
>assert(outlen==128);
>
>
> This doesn't fail on any asserts. I tried
>
> ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());
>
> instead of EVP_PKEY_CTX_ctrl().
> This would not work because of a EVP_PKEY_OP_TYPE_... mismatch.
>
> Unfortunately, the output does not seem to be correct, I can't produce
> valid messages that are recognized by a receiving side that's known to
> work with oeap sha256.
>
> Does anyone see what I'm doing wrong here? Or does anyone have test
> vectors so that I can verify my code? I know there's test vectors from
> rsasecurity but they're only for oaep sha1.
>
You aren't doing anything wrong, it's just that OpenSSL currently is hard
coded with sha1 for OAEP. This will be addressed at some point.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
RSA OAEP with sha256
Dear all,
I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
MGF1 should use sha256 instead of the default sha1.
Does openssl support this at all? I tried something along the lines of
size_t outlen;
int ret;
EVP_PKEY_CTX *ctx;
unsigned char in[] = { some bytes ... };
EVP_PKEY *key = NULL;
RSA *r = NULL;
unsigned char n[] = { ... }; /* 128 bytes */
unsigned char e[] = { 0x01, 0x00, 0x01 };
key = EVP_PKEY_new();
r = RSA_new();
assert(r);
EVP_PKEY_assign_RSA(key, r);
key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL);
key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL);
ctx = EVP_PKEY_CTX_new(key, NULL);
assert(ctx);
ret = EVP_PKEY_encrypt_init(ctx);
assert(ret>=0);
ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
assert(ret>=0);
ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT,
EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256);
assert(ret>=0);
ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in));
assert(ret>=0);
assert(outlen==128);
This doesn't fail on any asserts. I tried
ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());
instead of EVP_PKEY_CTX_ctrl().
This would not work because of a EVP_PKEY_OP_TYPE_... mismatch.
Unfortunately, the output does not seem to be correct, I can't produce
valid messages that are recognized by a receiving side that's known to
work with oeap sha256.
Does anyone see what I'm doing wrong here? Or does anyone have test
vectors so that I can verify my code? I know there's test vectors from
rsasecurity but they're only for oaep sha1.
Thanks in advance for your help,
Martin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
