Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Re: [1.0.1f] Building a certificate request with RSA-OAEP as Public Key Algorithm
341 views
Skip to first unread message
Kevin Le Gouguec
Apr 17, 2014, 5:40:59 AM4/17/14
to
Hello all,
Trying to build a Certificate Signing Request using external means for crypto operations (eg key pair generation, signing). I'm relying on demos/x509/mkreq.c and the code in crypto/x509/.
What I want to do is:
- use external engine to generate RSA key pair
- build X509_REQ as per mkreq.c
- sign its X509_REQ_INFO with my external engine (RSA PKCS #1 w/ SHA-256)
- plug this signature into X509_REQ
Now before digging further into the code, I was wondering if anyone could explain, on the spot:
1) how to set the CSR's (Subject-Public-Key-Info)->(Public-Key-Algorithm) to RSA-OAEP (this key pair is to be used for encryption/decryption) ; I see X509_PUBKEY_set, but is there any way I can just change the EVP structure to specify OAEP and just call X509_REQ_set_pubkey as in the example? I'm assuming EVP_CTX_ctrl only works for initialized contexts.
2) the exact sequence of d2i/i2d/getters/setters to:
- turn my X509_REQ_INFO into bytes, which I'll sign with my other engine
- turn those bytes into an ASN1_BIT_STRING which I'll plug into my X509_REQ
- set X509_REQ's sig_alg to something corresponding to "RSA PKCS #1 w/ SHA-256"
Thanks in advance :)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Trying to build a Certificate Signing Request using external means for crypto operations (eg key pair generation, signing). I'm relying on demos/x509/mkreq.c and the code in crypto/x509/.
What I want to do is:
- use external engine to generate RSA key pair
- build X509_REQ as per mkreq.c
- sign its X509_REQ_INFO with my external engine (RSA PKCS #1 w/ SHA-256)
- plug this signature into X509_REQ
Now before digging further into the code, I was wondering if anyone could explain, on the spot:
1) how to set the CSR's (Subject-Public-Key-Info)->(Public-Key-Algorithm) to RSA-OAEP (this key pair is to be used for encryption/decryption) ; I see X509_PUBKEY_set, but is there any way I can just change the EVP structure to specify OAEP and just call X509_REQ_set_pubkey as in the example? I'm assuming EVP_CTX_ctrl only works for initialized contexts.
2) the exact sequence of d2i/i2d/getters/setters to:
- turn my X509_REQ_INFO into bytes, which I'll sign with my other engine
- turn those bytes into an ASN1_BIT_STRING which I'll plug into my X509_REQ
- set X509_REQ's sig_alg to something corresponding to "RSA PKCS #1 w/ SHA-256"
Thanks in advance :)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Kevin Le Gouguec
Apr 17, 2014, 8:35:23 AM4/17/14
to
tl;dr: is it worth using OpenSSL to build a CMS EnvelopedData message when the key transport algorithm is RSA-OAEP? If so, how?
Long version:
After some more digging, I'll try to make my request more precise.
Some context: I am generating a RSA key pair with an external engine (say a HSM with PKCS #11). This key pair will be used to wrap/unwrap symmetric keys with RSAES-OAEP. RFC 4055 specifies some algorithm identifiers for use with CMS, RSAES-OAEP being one of them (§4). I'm making a certificate signing request for the public key, and of course I'd want its Public Key Algorithm to be RSAES-OAEP (probably with hash = SHA1, mgf = SHA1, param = none, since currently only those parameters are implemented with 1.0.1f).
The idea is to use CMS to envelop some content (i.e. encrypt it with a symmetric key generated on-the-fly, and wrap this key with the public RSA key). The content-encryption-key will be unwrapped by the external engine.
So essentially, I want to use OpenSSL to:
- on the client side, build a CMS structure to hold an EnvelopedData type, the content-key being wrapped with OAEP, and export that to DER/PEM/whatever.
- on the server side, parse the CMS structure, get the wrapped key and the encrypted message. The actual unwrapping/decryption will be made by the external engine.
(Add some signing/verifying to the mix, i.e. encapsulate the EnvelopedData into a SignedData ; OpenSSL will then be used server-side to parse 1) the signature 2) the encapsulated-content-info out of the CMS, the actual verification will be made by the external engine)
Is OpenSSL a good choice here? Client-side, I'll have to build a CMS structure ; demos/cms/cms_enc.c makes it look simple, but the key wrapping mechanism is chosen on the basis of the recipient's certificate... And using OpenSSL, building a CSR saying "THIS KEY IS MEANT TO BE USED WITH OAEP" seems tedious.
I'm not even sure 1.0.1 supports OAEP as a method for key transport though: cms_RecipientInfo_ktri_encrypt() calls EVP_PKEY_CTX_ctrl, which I guess resolves to pkey_rsa_ctrl() ; OAEP padding is only set for EVP_PKEY_CTRL_CMS_DECRYPT. (I... don't really understand this part of the code (rsa_pmeth.c:580). When decrypting, the RecipientInfo structure is parsed and OAEP padding is specified ; but when it comes to encrypting the function just returns 1? ...)
Server-side, I expect I'll only use the crypto library as a CMS/X.509 parser to get the bytes I'm interested in (i.e. the actual signature, wrapped key, encrypted message). Which means struggling with the ASN.1 API to find the correct functions for getting my content back from the internal structures.
In the end I'll mostly use OpenSSL as a glorified CMS parser. Client-side, OAEP support for key wrapping seems unavailable (and if it is, I still don't know how to generate a certificate which actually reads "OAEP" as Public Key Algorithm) ; this means, I guess, that I'll use standard EVP functions to build my encrypted content/wrapped key, and then manually stuff them inside a CMS structure, bypassing the fancy CMS_encrypt function (haven't looked yet but I expect CMS_sign() should be able to handle ECDSA/SHA1... ?).
(If I go for the "manual stuffing" option, I guess I can stop worrying about my Public Key Algorithm not reading "OAEP" and just have my client application "know" that it should wrap with OAEP, whatever the certificate says... After all, the server application will do exactly that, although it would be nice if it could decide the unwrapping mechanism based on the cert)
When I ask if OpenSSL is a "good choice", I don't mean to troll, I just figure some people must have faced the same problems (RFC 4055 has been out since 2005). So I assume those people chose to 1/ use a patched OpenSSL to support their particular mechanism choice (like that guy[1]) 2/ go for the "manual stuffing" option 3/ stop caring about standards and use their own conventions for encrypted content/wrapped key/signature transport, or 4/ find some other framework which actually supports all these algorithms and provides a nice CMS-building/parsing interface.
(Or maybe 5/ they just use XMLENC/XMLDSIG)
[1] http://stackoverflow.com/questions/22373305/rsa-public-key-encryption-openssl
Long version:
After some more digging, I'll try to make my request more precise.
Some context: I am generating a RSA key pair with an external engine (say a HSM with PKCS #11). This key pair will be used to wrap/unwrap symmetric keys with RSAES-OAEP. RFC 4055 specifies some algorithm identifiers for use with CMS, RSAES-OAEP being one of them (§4). I'm making a certificate signing request for the public key, and of course I'd want its Public Key Algorithm to be RSAES-OAEP (probably with hash = SHA1, mgf = SHA1, param = none, since currently only those parameters are implemented with 1.0.1f).
The idea is to use CMS to envelop some content (i.e. encrypt it with a symmetric key generated on-the-fly, and wrap this key with the public RSA key). The content-encryption-key will be unwrapped by the external engine.
So essentially, I want to use OpenSSL to:
- on the client side, build a CMS structure to hold an EnvelopedData type, the content-key being wrapped with OAEP, and export that to DER/PEM/whatever.
- on the server side, parse the CMS structure, get the wrapped key and the encrypted message. The actual unwrapping/decryption will be made by the external engine.
(Add some signing/verifying to the mix, i.e. encapsulate the EnvelopedData into a SignedData ; OpenSSL will then be used server-side to parse 1) the signature 2) the encapsulated-content-info out of the CMS, the actual verification will be made by the external engine)
Is OpenSSL a good choice here? Client-side, I'll have to build a CMS structure ; demos/cms/cms_enc.c makes it look simple, but the key wrapping mechanism is chosen on the basis of the recipient's certificate... And using OpenSSL, building a CSR saying "THIS KEY IS MEANT TO BE USED WITH OAEP" seems tedious.
I'm not even sure 1.0.1 supports OAEP as a method for key transport though: cms_RecipientInfo_ktri_encrypt() calls EVP_PKEY_CTX_ctrl, which I guess resolves to pkey_rsa_ctrl() ; OAEP padding is only set for EVP_PKEY_CTRL_CMS_DECRYPT. (I... don't really understand this part of the code (rsa_pmeth.c:580). When decrypting, the RecipientInfo structure is parsed and OAEP padding is specified ; but when it comes to encrypting the function just returns 1? ...)
Server-side, I expect I'll only use the crypto library as a CMS/X.509 parser to get the bytes I'm interested in (i.e. the actual signature, wrapped key, encrypted message). Which means struggling with the ASN.1 API to find the correct functions for getting my content back from the internal structures.
In the end I'll mostly use OpenSSL as a glorified CMS parser. Client-side, OAEP support for key wrapping seems unavailable (and if it is, I still don't know how to generate a certificate which actually reads "OAEP" as Public Key Algorithm) ; this means, I guess, that I'll use standard EVP functions to build my encrypted content/wrapped key, and then manually stuff them inside a CMS structure, bypassing the fancy CMS_encrypt function (haven't looked yet but I expect CMS_sign() should be able to handle ECDSA/SHA1... ?).
(If I go for the "manual stuffing" option, I guess I can stop worrying about my Public Key Algorithm not reading "OAEP" and just have my client application "know" that it should wrap with OAEP, whatever the certificate says... After all, the server application will do exactly that, although it would be nice if it could decide the unwrapping mechanism based on the cert)
When I ask if OpenSSL is a "good choice", I don't mean to troll, I just figure some people must have faced the same problems (RFC 4055 has been out since 2005). So I assume those people chose to 1/ use a patched OpenSSL to support their particular mechanism choice (like that guy[1]) 2/ go for the "manual stuffing" option 3/ stop caring about standards and use their own conventions for encrypted content/wrapped key/signature transport, or 4/ find some other framework which actually supports all these algorithms and provides a nice CMS-building/parsing interface.
(Or maybe 5/ they just use XMLENC/XMLDSIG)
[1] http://stackoverflow.com/questions/22373305/rsa-public-key-encryption-openssl
0 new messages