Re: RSA OAEP with sha256

Thu, 16 Aug 2012 15:06:07 -0700 

Hi Martin,
In OpenSSL implementation of OAEP, MGF1 is hardcoded with SHA-1 (look at the end of the file rsa_oaep.c). Moreover, the function RSA_padding_add_PKCS1_OAEP is using explicitly SHA-1 as the unique possible hash. That's why your results are incorrect. 


Personally, I overcame these limitations by implementing my own version 
of RSA_padding_add_PKCS1_OAEP that accepts any hash and any MGF 
implementation. I guess you should do the same.


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 8/16/2012 11:27 PM, Martin Kaiser wrote:

Dear all,

I'd like to encrypt some bytes using RSA OAEP with MGF1. Both OAEP and
MGF1 should use sha256 instead of the default sha1.

Does openssl support this at all? I tried something along the lines of

    size_t outlen;
    int ret;
    EVP_PKEY_CTX *ctx;
    unsigned char in[] = { .... some bytes ... };

    EVP_PKEY *key = NULL;
    RSA *r = NULL;

    unsigned char n[] = { ... };   /* 128 bytes */
    unsigned char e[] = { 0x01, 0x00, 0x01 };

    key = EVP_PKEY_new();
    r = RSA_new();
    assert(r);
    EVP_PKEY_assign_RSA(key, r);
    key->pkey.rsa->n = BN_bin2bn(n, sizeof(n), NULL);
    key->pkey.rsa->e = BN_bin2bn(e, sizeof(e), NULL);

    ctx = EVP_PKEY_CTX_new(key, NULL);
    assert(ctx);

    ret = EVP_PKEY_encrypt_init(ctx);
    assert(ret>=0);

    ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
    assert(ret>=0);

    ret = EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_CRYPT,
             EVP_PKEY_CTRL_MD, 0, (void *)EVP_sha256);
    assert(ret>=0);

    ret = EVP_PKEY_encrypt(ctx, out, &outlen, in, sizeof(in));
    assert(ret>=0);
    assert(outlen==128);


This doesn't fail on any asserts. I tried

ret = EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());

instead of EVP_PKEY_CTX_ctrl().
This would not work because of a EVP_PKEY_OP_TYPE_... mismatch.

Unfortunately, the output does not seem to be correct, I can't produce
valid messages that are recognized by a receiving side that's known to
work with oeap sha256.

Does anyone see what I'm doing wrong here? Or does anyone have test
vectors so that I can verify my code? I know there's test vectors from
rsasecurity but they're only for oaep sha1.

Thanks in advance for your help,

    Martin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org






















					Reply via email to