> From: owner-openssl-us...@openssl.org On Behalf Of Carlos Saldaña
> Sent: Monday, 12 July, 2010 10:50
> Here's another approach for the same porpuse and it seems to work!,
> can you please help me to optimize my implementation?
Do you mean 'optimize' as just 'make better', or in the specific (and
common) sense of 'highest performance' or specifically 'fastest'?
I make some comments below on good (in my opinion) coding. For speed:
if you will do multiple encryptions per program/process, it will save
a little time if you read/parse the key once and save and re-use it.
But most of your encryption time will be in the actual RSA computation,
and you can't reduce that. Except by using a smaller key, which would be
insecure; even RSA 1024 is now being worried about a little by experts.
Or by going to the symmetric + RSA scheme as previously described and
again below, since then you only need one RSA for any amount of data
that is going together from the same source to the same destination.
> void encryptThis () {
> FILE *fp;
> RSA *rsa_rpu=NULL;
> fp = fopen([[[NSBundle mainBundle]
pathForResource:@"publickey" ofType:@"pem"]UTF8String],"r");
> rsa_rpu = PEM_read_RSA_PUBKEY(fp,NULL, NULL, NULL);
> if (rsa_rpu==NULL){
> printf("Reading of public key failed");
> }
Yes, I was focussed on your questions as stated and forgot to mention
that just using PEM_read_ routine(s) is another and simpler approach.
Should check if fp is null (fopen failed) before calling PEM_read_.
If it failed, look at errno (usually with strerror or perror).
And either return or skip the rest, see below.
Aside- I'm guessing the NS stuff means MacOSX? Just in case you are
(or this program will be) on Windows, *if* you use DLLs not a
static library, there are some issues about passing C library FILE
pointers across modules, including to OpenSSL here. In that case
it can be easier to create a BIO to read the file and use PEM_read_bio_
to read from the BIO, instead of reading from the file directly.
If the PEM_read_ return is null, I repeat my suggestion to look at
the error queue, see FAQ #PROG6. That's much more likely to help
you or even a user solve the problem than just "failed". And you
should not continue into code which tries to use the nonexistent key;
either return early, or put the alternative within the else branch.
(This is a coding style issue, where the second way is commonly
called 'single-entry single-exit' aka SESE; some people have strong
opinions on the subject, but this isn't the place to discuss them.)
In fact, you might want to make this function return a value
that indicates success or error (and possibly which error)
(not void) so the caller can proceed differently (if appropriate).
> else{
> printf("Reading of public key successful");
> }
> const char text[] = "Aloha vengo de implementar RSA
encryption!!!";
> unsigned char encrypted[2560] = { 0 };
> int resultEncrypt = 0;
> resultEncrypt = RSA_public_encrypt ( strlen(text) + 1 , (unsigned
char *)text, encrypted, rsa_rpu, RSA_PKCS1_OAEP_PADDING );
> NSLog(@"%d from encrypt.", resultEncrypt);
> //This line prints 128
That is the length of the encrypted data, in bytes. The key you are using
is apparently 1024 bits. Note the most data you can encrypt per call
is keysize=128 - about 40 bytes overhead = about 85 bytes.
> NSLog(@"encrypted message %i", (int)encrypted);
> //Here I get a large negative number (- 974687...)
It's not an int. It's 'resultEncrypt' bytes, here 128. Do something
with the bytes. Maybe you want to send them to your server. Maybe you want
to base64 them and send that to the server, maybe with some tags. Maybe
you want to convert them into XML and send that to the server. What does
the server want? What do you or your boss/customers/users want?
If you do need to encrypt more data than fits in one key-sized call,
you and the server will need some protocol to deal with it.
As noted, most people instead symmetric-encrypt (e.g. AES) the data
(which has no limit, or extremely large limits like exabytes(?))
and only RSA-encrypt the symmetric key, so don't have this issue.
> if (resultEncrypt == -1){
> printf("encryption failed ");
> }
> else{
> printf("Encryption success");
> }
> }
Same about error handling, although an error here is less likely.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
