Re: RSA quintuple vs. xmldsig mismatch
I'm afraid RSAKeyValue may represent both public, or private key, but that's not the point.

The RFC itself defines 2 forms of representation of private key, but openssl works only with the second one. The encryption works fine when I pushed zeroes to the RSA structure, but I didn't find any example or documentation about what may go wrong when the RSA key is incomplete (filled values are modulus, private exponent and public exponent).

Thanks,
Miro

On 29. 10. 2012 18:32, Wim Lewis wrote:
> On 29 Oct 2012, at 8:44 AM, Miroslav Mikluš wrote:
>> The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue) uses the first form of RSA representation with respect to: http://tools.ietf.org/html/rfc3447#section-3.2
>
> The RSAKeyValue element contains a public key, but the quintuple representation is a way to represent a private key. So RSAKeyValue corresponds to (n,e) from RFC3447 section 3.1, not 3.2.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: RSA quintuple vs. xmldsig mismatch
(continuing TOFU posting to match the OP)

A private/public RSA key pair in (n,e)+(n,d) format can be converted to (n,p,q,e,d,d%(p-1),d%(q-1),(1/q)%p) form by using well known mathematical steps that are fairly cheap.

A private RSA key in (n,d) format with no information on e cannot be converted to (n,p,q,...) form without the ability to crack an (n,e) RSA public key where e happens to be the d of the key you want to convert. If this were easy, the key would be useless and there would be no point doing the conversion in the first place.

The core RSA private key operations in crypt/rsa/rsa_eay.c (function names RSA_eay_private_encrypt() and RSA_eay_private_decrypt()) automatically check if the RSA structure provided contains the full set of extra fields needed or not, and then use either the fast Chinese remainder method or the slower straight exponentiation method to apply the private key.

Interestingly, that part of the code does not include logic to fill out the rest of the Chinese Remainder parameters given enough of the parameter values (for example (n,p,e) or (n,e,d)), but such code may be elsewhere in OpenSSL.

P.S. My favorite storage form for RSA private keys is encrypt((symkey|n|e), trunc(p)), where trunc(p) simply chops off the top and bottom bits. This form passes high entropy (about 1 Sh/bit) as the plaintext to encrypt, and forces any search for symkey to be repeated for each target public key. Correct decryption is confirmed by checking that the decrypted p divides n. I have my own code to reconstruct the full set of private key fields from this, given symkey, n and e.

On 10/30/2012 10:37 AM, Miroslav Mikluš wrote:
> I'm afraid RSAKeyValue may represent both public, or private key, but that's not the point.
>
> The RFC itself defines 2 forms of representation of private key, but openssl works only with the second one. The encryption works fine when I pushed zeroes to the RSA structure, but I didn't find any example or documentation about what may go wrong when the RSA key is incomplete (filled values are modulus, private exponent and public exponent).
>
> Thanks,
> Miro
>
> On 29. 10. 2012 18:32, Wim Lewis wrote:
>> On 29 Oct 2012, at 8:44 AM, Miroslav Mikluš wrote:
>>> The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue) uses the first form of RSA representation with respect to: http://tools.ietf.org/html/rfc3447#section-3.2
>>
>> The RSAKeyValue element contains a public key, but the quintuple representation is a way to represent a private key. So RSAKeyValue corresponds to (n,e) from RFC3447 section 3.1, not 3.2.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
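Worked example of the cheap (n,e,d) to CRT conversion discussed above, added here as an illustration; it is not code from the thread and not OpenSSL's own code. Given the triple (n, e, d) it recovers p and q from the fact that e*d - 1 is a multiple of lambda(n), fills in the values OpenSSL keeps in its RSA struct as dmp1, dmq1 and iqmp, and checks that the straight-exponentiation and CRT private operations agree. The key is a constructed toy built from two Mersenne primes (far too small for real use), and the function names are my own, not OpenSSL's.

```python
# Added example (not from the thread, not OpenSSL code): rebuild the full
# RFC 3447 / OpenSSL private key from (n, e, d) and compare both private-op paths.
from math import gcd

# Constructed demo key: two Mersenne primes, chosen so the example runs offline.
# Do not use keys this small for anything real.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)


def factor_from_e_d(n, e, d, max_tries=1000):
    """Recover (p, q) from a matching public/private exponent pair.

    k = e*d - 1 is a multiple of lambda(n), so for any base g the chain
    g^(k/2^t), g^(k/2^(t-1)), ..., g^k ends at 1 mod n.  With probability
    about 1/2 per base the chain passes through a square root of 1 other
    than +-1, and gcd(x - 1, n) then yields a prime factor.  Without e this
    is not possible, which is the point made in the message above.
    """
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:          # write k = 2^t * r with r odd
        r //= 2
        t += 1
    for g in range(2, 2 + max_tries):
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:         # x is a non-trivial square root of 1
                p = gcd(x - 1, n)
                if 1 < p < n:
                    return min(p, n // p), max(p, n // p)
                break
            if y == n - 1:     # trivial root reached; try another base
                break
            x = y
    raise ValueError("could not factor n; is (e, d) really a matching pair?")


def crt_params_from_e_d(n, e, d):
    """Return all fields OpenSSL's RSA struct holds, keyed by its field names."""
    p, q = factor_from_e_d(n, e, d)
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dmp1": d % (p - 1),        # dP
        "dmq1": d % (q - 1),        # dQ
        "iqmp": pow(q, -1, p),      # qInv = q^-1 mod p
    }


def private_op_plain(c, n, d):
    """Straight exponentiation: the slow path taken when p, q etc. are absent."""
    return pow(c, d, n)


def private_op_crt(c, key):
    """Garner's CRT recombination: the fast path when all extra fields exist."""
    m1 = pow(c, key["dmp1"], key["p"])
    m2 = pow(c, key["dmq1"], key["q"])
    h = (key["iqmp"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


if __name__ == "__main__":
    key = crt_params_from_e_d(N, E, D)
    c = pow(1234567, E, N)
    assert private_op_plain(c, N, D) == private_op_crt(c, key) == 1234567
    print("recovered p == P:", key["p"] == P, " q == Q:", key["q"] == Q)
```

The recovery step is the same reasoning as the "well known mathematical steps" in the message: nothing here is secret once e and d are both known, so an (n,e,d) key is exactly as strong as the full quintuple, and a loader that receives only (n,e,d) can fill in the CRT fields itself rather than silently falling back to the slow path.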
Re: RSA quintuple vs. xmldsig mismatch
+1

Thanks,
M.

On 30. 10. 2012 15:36, Jakob Bohm wrote:
> (continuing TOFU posting to match the OP)
>
> A private/public RSA key pair in (n,e)+(n,d) format can be converted to (n,p,q,e,d,d%(p-1),d%(q-1),(1/q)%p) form by using well known mathematical steps that are fairly cheap.
>
> A private RSA key in (n,d) format with no information on e cannot be converted to (n,p,q,...) form without the ability to crack an (n,e) RSA public key where e happens to be the d of the key you want to convert. If this were easy, the key would be useless and there would be no point doing the conversion in the first place.
>
> The core RSA private key operations in crypt/rsa/rsa_eay.c (function names RSA_eay_private_encrypt() and RSA_eay_private_decrypt()) automatically check if the RSA structure provided contains the full set of extra fields needed or not, and then use either the fast Chinese remainder method or the slower straight exponentiation method to apply the private key.
>
> Interestingly, that part of the code does not include logic to fill out the rest of the Chinese Remainder parameters given enough of the parameter values (for example (n,p,e) or (n,e,d)), but such code may be elsewhere in OpenSSL.
>
> P.S. My favorite storage form for RSA private keys is encrypt((symkey|n|e), trunc(p)), where trunc(p) simply chops off the top and bottom bits. This form passes high entropy (about 1 Sh/bit) as the plaintext to encrypt, and forces any search for symkey to be repeated for each target public key. Correct decryption is confirmed by checking that the decrypted p divides n. I have my own code to reconstruct the full set of private key fields from this, given symkey, n and e.
>
> On 10/30/2012 10:37 AM, Miroslav Mikluš wrote:
>> I'm afraid RSAKeyValue may represent both public, or private key, but that's not the point.
>>
>> The RFC itself defines 2 forms of representation of private key, but openssl works only with the second one. The encryption works fine when I pushed zeroes to the RSA structure, but I didn't find any example or documentation about what may go wrong when the RSA key is incomplete (filled values are modulus, private exponent and public exponent).
>>
>> Thanks,
>> Miro
>>
>> On 29. 10. 2012 18:32, Wim Lewis wrote:
>>> On 29 Oct 2012, at 8:44 AM, Miroslav Mikluš wrote:
>>>> The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue) uses the first form of RSA representation with respect to: http://tools.ietf.org/html/rfc3447#section-3.2
>>>
>>> The RSAKeyValue element contains a public key, but the quintuple representation is a way to represent a private key. So RSAKeyValue corresponds to (n,e) from RFC3447 section 3.1, not 3.2.
>
> Enjoy
>
> Jakob
RSA quintuple vs. xmldsig mismatch
Hi all,

The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue) uses the first form of RSA representation with respect to: http://tools.ietf.org/html/rfc3447#section-3.2

It looks like rsa.h uses the quintuple representation only. Is there a way to work with the (n, d) form in openssl? Or is there a way to transform the first form to the second one?

nice day,
Miro
Re: RSA quintuple vs. xmldsig mismatch
On 29 Oct 2012, at 8:44 AM, Miroslav Mikluš wrote:
> The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue) uses the first form of RSA representation with respect to: http://tools.ietf.org/html/rfc3447#section-3.2

The RSAKeyValue element contains a public key, but the quintuple representation is a way to represent a private key. So RSAKeyValue corresponds to (n,e) from RFC3447 section 3.1, not 3.2.