How to encrypt with sha256 given a public key ?


bedipr...@gmail.com

Sep 12, 2025, 2:55:49 PM
to Harbour Users
Hi All

I need to encrypt some information, mostly 13 character strings through Sha_256 algorithm supplying its public key.

Any help is appreciated.


Pritpal Bedi

marcos...@gmail.com

Sep 12, 2025, 4:45:45 PM
to Harbour Users
Hi


"I need to encrypt some information, mostly 13 character strings through Sha_256 algorithm supplying its public key."

What you are asking for cannot be done; they are two types of encryption for different needs.

Harbour has SHA, but it does not have RSA, which is the standard for asymmetric encryption.

These are the SHA algorithm functions that Harbour has:

PROCEDURE Main()

   ? "hb_SHA1"
   ?  hb_SHA1("The world is unique and colorful")
   ?
   ? "hb_SHA224"
   ? hb_SHA224("The world is unique and colorful")
   ?
   ? "hb_SHA256"
   ? hb_SHA256("The world is unique and colorful")
   ?
   ? "hb_SHA384"
   ? hb_SHA384("The world is unique and colorful")
   ?
   ? "hb_SHA512"
   ? hb_SHA512("The world is unique and colorful")
   ?
    wait

RETURN

Output:

hb_SHA1
9990a8e1901bc063cdabac5f6307dd32ecf5b1ec

hb_SHA224
29e549fa1d3fff8dd7d2a11866b648f62d81f9ae6bb9349ef6f7a344

hb_SHA256
fec0ed8762f3cad9b2206cc8befad0b1d9002b48191c2f929e7461ae711d52a5

hb_SHA384
4761b630c1e128fabf30a9675624a13439d8cb1174b12c3fa9b583101d833a2ea81753501e57370f990a75febb7cc148

hb_SHA512
6e75d9444dbe323bf618482ff2a0fec255143b649d3930b3dc87f0dd00aa90bc937e8dfe1a131d21290cf255639ee8867433ab70c69023ffc7afb137fe71432a

Press any key to continue...


hb_SHA1(<cBuffer> [, <lBin>]) ➜ cDigest
hb_SHA224(<cBuffer> [, <lBin>]) ➜ cDigest
hb_SHA256(<cBuffer> [, <lBin>]) ➜ cDigest
hb_SHA384(<cBuffer> [, <lBin>]) ➜ cDigest
hb_SHA512(<cBuffer> [, <lBin>]) ➜ cDigest

Above functions are used to calculate hash value (digest) of given <cBuffer> according to SHA-1, SHA-2, SHA-3 Secure Hash Algorithms.

<lBin> flag controls whether to return binary data or hexadecimal string, default .F., that is, return hexadecimal string.

https://en.wikipedia.org/wiki/Secure_Hash_Algorithms
https://www.cohesity.com/glossary/rsa-encryption/

The RSA algorithm would have to be implemented in C so that Harbour can handle public and private keys.

Sincerely,

Marcos Jarrin

bedipr...@gmail.com

Sep 12, 2025, 8:41:21 PM
to Harbour Users
I know hb_sha??? usage and employ them signing AWS cloud signature version 4.

My question was different and now seems that can't be materialized as you already mentioned. I probably used wrong terminology.  My requirement belongs to RSA encryption applying sha protocol.

Thanks

Pritpal Bedi
a student of software analysis & concepts

Przemyslaw Czerpak

Sep 13, 2025, 7:47:07 AM
to harbou...@googlegroups.com
Hi Pritpal,

   /* general version */
   function encryptAsync( cPubKeyFile, cData, /*@*/cDataEnc )
   local pPubKey, pPubKeyCTX
      if empty( pPubKey := PEM_READ_PUBKEY( cPubKeyFile ) )
         outErr( "Cannot read public key: " + cPubKeyFile + hb_eol() )
      elseif empty( pPubKeyCTX := EVP_PKEY_CTX_new( pPubKey ) )
         outErr( "Public key context initialization error." + hb_eol() )
      elseif EVP_PKEY_encrypt_init( pPubKeyCTX ) <= 0
         outErr( "Public key encryption initialization error." + hb_eol() )
      elseif EVP_PKEY_encrypt( pPubKeyCTX, @cDataEnc, cData ) <= 0
         outErr( "Encryption with public key error." + hb_eol() )
      else
         return .t.
      endif
   return .f.

   /* RSA only version */
   function encryptRSA( cPubKeyFile, cData, /*@*/cDataEnc )
   local pRSAPubKey
      if empty( pRSAPubKey := PEM_READ_BIO_RSA_PUBKEY( cPubKeyFile ) )
         outErr( "Cannot read RSA public key: " + cPubKeyFile + hb_eol() )
      elseif RSA_public_encrypt( pRSAPubKey, cData, @cDataEnc ) <= 0
         outErr( "Encryption with RSA public key error." + hb_eol() )
      else
         return .t.
      endif
   return .f.

best regards,
Przemek


On 13.09.2025 at 02:41, bedipr...@gmail.com wrote:

marcos...@gmail.com

Sep 13, 2025, 2:57:43 PM
to Harbour Users
Hello

You can consult with this AI about RSA in Harbour

https://deepwiki.com/harbour/core

Sincerely

Marcos Jarrin

bedipr...@gmail.com

Sep 14, 2025, 10:27:54 PM
to Harbour Users
Thank you very much Przemek

Another question, can we provide publickey content as a buffer also instead of a file ?

Thanks again.

Pritpal Bedi
a student of software analysis & concepts

Przemyslaw Czerpak

Sep 15, 2025, 7:30:39 AM
to harbou...@googlegroups.com
Hi Pritpal,

cPubKeyData := hb_memoRead( cPubKeyFile )
cPubKeyBIO := BIO_new_mem_buf( cPubKeyData )

and then use cPubKeyBIO just like cPubKeyFile, i.e.

    encryptAsync( cPubKeyBIO, cData, @cDataEnc )
    encryptRSA( cPubKeyBIO, cData, @cDataEnc )


best regards,
Przemek


On 15.09.2025 at 04:27, bedipr...@gmail.com wrote:

bedipr...@gmail.com

Sep 15, 2025, 1:08:24 PM
to Harbour Users
Perfect !!!

Thanks Przemek.

Pritpal Bedi
a student of software analysis & concepts

Przemyslaw Czerpak

Feb 7, 2026, 3:35:54 PM
to harbou...@googlegroups.com
Hi Maciej,

The KSeF certificates of Polish Ministry of Finance taken with method
/security/public-key-certificates are RSA certificates in DER format.
The RSA encryption algorithm has to use RSA-OAEP-SHA256 encoding.
The code below extracts the key and creates encryption context:

   function KSeF_loadKeyRSA( cCertBodyDER )
   local cErrorMsg, pX509, pPubKey, pKeyCTX
   if empty( pX509 := d2i_X509( cCertBodyDER ) )
      cErrorMsg := "Public key decoding error."
   elseif empty( pPubKey := X509_get_PubKey( pX509 ) )
      cErrorMsg := "Public key extracting error."
   elseif empty( pKeyCTX := EVP_PKEY_CTX_new( pPubKey ) )
      cErrorMsg := "Cannot create encryption context."
   elseif EVP_PKEY_encrypt_init( pKeyCTX ) <= 0
      cErrorMsg := "Cannot initialize public key encryption."
   elseif EVP_PKEY_CTX_set_rsa_padding( pKeyCTX, ;
                                        HB_RSA_PKCS1_OAEP_PADDING ) <= 0
      cErrorMsg := "Error setting public key padding."
   elseif EVP_PKEY_CTX_set_rsa_oaep_md( pKeyCTX, HB_EVP_MD_SHA256 ) <= 0
      cErrorMsg := "Error setting public key hash function."
   else
      return pKeyCTX
   endif
   alert( cErrorMsg )
   return nil
   
Then to encrypt data use:

   function KSeF_encryptRSA( pKeyCTX, cData )
   local cDataEnc
   if EVP_PKEY_encrypt( pKeyCTX, @cDataEnc, cData ) > 0
      return cDataEnc
   endif
   alert( "RSA encryption error." )
   return nil

best regards,
Przemek


On 18.01.2026 at 13:42, maciejjwoj...@gmail.com wrote:
Przemek
Found this discussion - Thank You for examples.
Trying to implement it with RSA key file (of course using MF keys from JPK and KSEF) - I'm able to read key from files and also using BIO - both procedures stop on EVP_PKEY_encrypt and RSA_public_encrypt returning -1 when trying to crypt some XML data.
Trying to use HB32 night builds and compiled from sources using mingw and OpenSSL 3.6 (MSYS) - the same results
Regards,
Maciej 

maciejjwoj...@gmail.com

Feb 8, 2026, 8:18:42 AM
to Harbour Users
Przemek 

Thank You :)

In the meantime found, how to do that - exactly the same:

EVP_PKEY_CTX_set_RSA_MGF1_md( pPubKeyCTX, HB_EVP_MD_SHA256 )
EVP_PKEY_CTX_set_RSA_padding( pPubKeyCTX, HB_RSA_PKCS1_OAEP_PADDING )

Also found that IV is string of zeros (replicate(chr(0),16)) in communication.

And now I'm able to full implement KSEF communication based on tokens in Harbour.

Thank You for Your work and time spent on this project.

Maciej

PS: Using Clipper since Nantucket Summer'87 version - I was "changing" libraries to proper index NTX and then CDX in Mazovia then Latin2, also was prepared the same in Clipper 5 ;)
I switched my few Clipper programs to Harbour when was no possibility to run Clipper programs on new processors. Now time to add addn'l functions ;)


Przemyslaw Czerpak

Feb 8, 2026, 10:07:41 AM
to harbou...@googlegroups.com
Hi Maciej,

Just to clarify. IV vector is random vector and can be initialized
with any data and it will work but in fact _IT_SHOULD_BE_ initialized
with random data (or with some agreed by both sides not fixed
value, i.e. generated by known for them algorithm) otherwise it
will not introduce enough entropy to make cracker life harder.
Technically you can use anything for IV startup value and it will
work but you shouldn't and it's much safer to use some random
string just like for encryption key, i.e.:
    cKeyVal := HB_RANDSTR( 32 )
    cKeyIV  := HB_RANDSTR( 16 )

BTW Please remember that certificates generated by KSeF for
invoice "CERTIFICATE" QRs are not RSA but ECDSA public/private
key pairs so to work with them use general PEM functions
instead of dedicated RSA ones and you have to initialize the key
context for signing not encryption.

best regards,
Przemek


On 8.02.2026 at 14:18, maciejjwoj...@gmail.com wrote:

maciejjwoj...@gmail.com

Feb 8, 2026, 10:26:43 AM
to Harbour Users
Hi Przemek

I know that IV have to be set - also found similar discussion with this question.

I'm using Encryptasync function based on Your example, but don't know how to set IV for EVP_PKEY_encrypt() - found that IV as zeros string is working and sent data is accepted.
Could You help how set IV for EVP_PKEY_encrypt() for proper implementation ?
Maybe You extend Your example with this parameter ?

Regards,
Maciej

Przemyslaw Czerpak

Feb 8, 2026, 1:10:25 PM
to harbou...@googlegroups.com
The IV in KSeF communication is used in AES-256-CBC symmetric
key encryption. You are sending it together with 256-bit symmetric
key encrypted by MF RSA public key for later encryption/decryption
of sent and exported invoices with AES algorithm with CBC padding.
The symmetric key with its IV vector are generated by you so initialize
them with random data as I showed in the previous message.
To create symmetric key encryption/decryption context use:

    if empty( pSymCtx := EVP_CIPHER_CTX_new() )
        cErrorMsg := "Cannot create cipher context."
    elseif EVP_CIPHER_CTX_init( pSymCtx ) <= 0
        cErrorMsg := "Cannot initialize CIPHER context."
    else
        return pSymCtx
    endif
    alert( cErrorMsg )

Then for encryption of sent invoices use:

    if EVP_EncryptInit( pSymCtx, HB_EVP_CIPHER_AES_256_CBC, ;
                        cKeyVal, cKeyIV ) <= 0
        cErrorMsg := "Cannot initialize AES encryption."
    elseif EVP_EncryptUpdate( pSymCtx, @cResult, cData ) <= 0 .or. ;
           EVP_EncryptFinal( pSymCtx, @cRest ) <= 0
        cErrorMsg := "AES encryption error."
    else
        return cResult + cRest
    endif
    alert( cErrorMsg )

and for decryption of received invoices use:

    if EVP_DecryptInit( pSymCtx, HB_EVP_CIPHER_AES_256_CBC, ;
                        cKeyVal, cKeyIV ) <= 0
        cErrorMsg := "Cannot initialize AES decryption."
    elseif EVP_DecryptUpdate( pSymCtx, @cResult, cData ) <= 0 .or. ;
           EVP_DecryptFinal( pSymCtx, @cRest ) <= 0
        cErrorMsg := "AES decryption error."
    else
        return cResult + cRest
    endif
    alert( cErrorMsg )

best regards,
Przemek
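
What the IV contributes in the AES-256-CBC step discussed above, as an added example that is not code from the thread or from Harbour itself: under one key, a constant IV such as the all-zero string gives messages with the same leading bytes the same first ciphertext block, while a fresh random IV per message does not. The helper name AesCbc, the file name and the sample invoices are constructed for illustration; the hbssl calls are the ones used in the thread, plus SSL_init() and OpenSSL_add_all_ciphers() for library setup.

```harbour
/* Added example, not from the thread. Build: hbmk2 ivdemo.prg hbssl.hbc */
#require "hbssl"
#include "hbssl.ch"

procedure Main()
   local cKey := hb_randStr( 32 )                /* 256-bit AES key */
   local cZeroIV := Replicate( Chr( 0 ), 16 )    /* constant all-zero IV */
   local cIV1 := hb_randStr( 16 ), cIV2 := hb_randStr( 16 )
   /* constructed sample invoices that start with the same bytes */
   local cInv1 := '<?xml version="1.0" encoding="UTF-8"?><Invoice><No>1</No></Invoice>'
   local cInv2 := '<?xml version="1.0" encoding="UTF-8"?><Invoice><No>2</No></Invoice>'
   local cEnc1, cEnc2

   SSL_init()
   OpenSSL_add_all_ciphers()

   /* same key, constant IV: the shared prefix shows through in block 1 */
   cEnc1 := AesCbc( .t., cKey, cZeroIV, cInv1 )
   cEnc2 := AesCbc( .t., cKey, cZeroIV, cInv2 )
   ? "constant IV, first blocks equal:", hb_BLeft( cEnc1, 16 ) == hb_BLeft( cEnc2, 16 )

   /* same key, fresh random IV per message: block 1 differs */
   cEnc1 := AesCbc( .t., cKey, cIV1, cInv1 )
   cEnc2 := AesCbc( .t., cKey, cIV2, cInv2 )
   ? "random IVs,  first blocks equal:", hb_BLeft( cEnc1, 16 ) == hb_BLeft( cEnc2, 16 )

   /* the receiver needs the same IV to decrypt, so it travels with the key */
   ? "round trip ok:", AesCbc( .f., cKey, cIV1, cEnc1 ) == cInv1
   return

/* AES-256-CBC one-shot helper (hypothetical name) built from the calls in the thread */
static function AesCbc( lEncrypt, cKey, cIV, cData )
   local pCtx := EVP_CIPHER_CTX_new(), cOut := "", cRest := "", lOK
   if empty( pCtx )
      return nil
   endif
   EVP_CIPHER_CTX_init( pCtx )
   if lEncrypt
      lOK := EVP_EncryptInit( pCtx, HB_EVP_CIPHER_AES_256_CBC, cKey, cIV ) > 0 .and. ;
             EVP_EncryptUpdate( pCtx, @cOut, cData ) > 0 .and. ;
             EVP_EncryptFinal( pCtx, @cRest ) > 0
   else
      lOK := EVP_DecryptInit( pCtx, HB_EVP_CIPHER_AES_256_CBC, cKey, cIV ) > 0 .and. ;
             EVP_DecryptUpdate( pCtx, @cOut, cData ) > 0 .and. ;
             EVP_DecryptFinal( pCtx, @cRest ) > 0
   endif
   return iif( lOK, cOut + cRest, nil )
```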

On 8.02.2026 at 16:26, maciejjwoj...@gmail.com wrote:

maciejjwoj...@gmail.com

Feb 8, 2026, 4:35:52 PM
to Harbour Users
Przemek

Thank You once more time. 
Was hard to find specification for EVP_EncryptInit - always trying to solve problems by myself then asking ;) - and also don't want disturb You with "all those simple things".

Kind regards,

Maciej