> From: owner-openssl-us...@openssl.org On Behalf Of Amir Reda
> Sent: Wednesday, November 05, 2014 02:42

> 1- i generate rsa key pairs and try to print it in a pem file but when i open
> the file it was empty

You never close or even flush the file. openssl uses C I/O, and C I/O by default is usually buffered and not actually written until the file is closed, flushed, repositioned, direction changed on an "update" file, or the buffer is filled. Details vary depending on your C implementation, which you don't identify. For file-BIO, the generic BIO_free does the close; otherwise see the manpage.

Also, you tell BIO_new_file to open in mode wb. PEM data is text, not binary, and on implementations where these are different (mostly Windows) writing PEM as binary will produce a file that other tools may not handle correctly (Notepad is particularly bad), although other programs using C, including those using openssl file-BIO, will probably read okay and that may be enough.

> 2- when i use function RSA_public_encrypt () to encrypt some data it does
> nothing because
> i print the data using cout<< before encryption then print it after
> encryption it was the same

You generate a key of 2048 *bits* and then try to encrypt 256 *bytes* of data. You can't do that much; the data you encrypt plus some overhead determined by the padding must be smaller than the modulus. For RSA "PKCS1" padding (actually retronymed PKCS1-v1.5 or some variant) this is 11 bytes; see rsa.h.

If you checked the return code from RSA_public_encrypt you would know it had an error. When any openssl routine returns an error indication, you should call the ERR_ routines to get and usually display details about the error, usually after loading error strings, except that for some SSL_ routines you should first check SSL_get_error to see if it's a "real" openssl error, a system call (I/O) error, or a nonblocking case like WANT_READ.
See https://www.openssl.org/support/faq.html#PROG6 and https://www.openssl.org/support/faq.html#PROG7

Most real systems use "hybrid" encryption: the "bulk" data is encrypted by a symmetric cipher using a newly generated symmetric key (and usually IV if applicable), and the symmetric key, which is a fixed size always small enough, is encrypted with RSA. See the PKCS7_ and CMS_ routines as one example, although these also protect the public key with a certificate so that the encrypted data has a decent chance of actually being safe against attacks, which is usually the desired result of using cryptography.

> - the sign function RSA_sign () has a problem

Similarly you try to sign 256 bytes, which won't work. Again real systems generate a *hash* of the data, which is a small fixed size, and RSA-sign the hash with padding, except that here the padding also includes adding (and removing/checking) an ASN.1 header that identifies the hash algorithm. The EVP_Digest{Sign,Verify} and EVP_{Seal,Open} series of routines handle these details for you and are usually better than "rolling your own" crypto.

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org