Develop Reference

MBED TLS Symetric Key Wrap

I'm trying to use MBED TLS cryptography functions to unwrap a key which has been encrypted using AES-128 key wrapping using a symmetric key, which I have.
I'm new to encryption and my understanding is that key wrapping/unwrapping is different to encrypting/decrypting. Is this correct?
There are examples listed on this page but the aes examples are doing decryption rather than key unwrapping, and the wrap examples are using public keys rather than symmetrical keys.
Is there some reference or example for using MBED TLS to do key-unwrapping using AES-128 encryption?
I have tried simply using the decryption function and I do not get the correct data as a result. See below.
//Initialise AES context
mbedtls_aes_init( &aes_ctx );
//Set-up the context
mbedtls_aes_setkey_dec( &aes_ctx, AES_key, 128 );
//Process the encrypted data in blocks of 16 bytes
for(i = 0; i< encryptedDataLength; i+= 16)
{
mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_DECRYPT, pEncryptedData + i, pPlainValue + i);
}
//Free the context
mbedtls_aes_free( &aes_ctx );
Thanks!

I found a solution, using the nist_kw interface
//Initialise key-wrap context
mbedtls_nist_kw_init(&kw_ctx);
//Set up the context
mbedtls_nist_kw_setkey(&kw_ctx, MBEDTLS_CIPHER_ID_AES, AES_key, 128, 0);
//Process the encrypted data
mbedtls_nist_kw_unwrap(&kw_ctx, MBEDTLS_KW_MODE_KW,
pEncryptedData, encrypted_length,
pPlainValue, &decrypted_length,
encryptedDataLength);
//Free the context
mbedtls_nist_kw_free(&kw_ctx);
This decrypts the data correctly for me. Thanks for being my rubber ducky!

looking for C w/openssl equivalent of java bouncycastle SHA256withRSA signing

ok ive been banging my head on this for over two days now. I need to code in c, using openssl library, the equivalent for the following java code :
byte[] result = null;
Signature st = Signature.getInstance(BC_PROV_ALGORITHM_SHA256RSA, "BC");
st.initSign(privateKey);
st.update(data);
result = st.sign();
return result;
The most obvious approach was this
RSA_sign( NID_sha256, ( const BYTE* ) pszMessage256Hash,
strlen( pszMessage256Hash), ( unsigned char *) pSignature,
&iSignLen, pPrivateMerchantKey )
Already checked that the key is the same and the content of the pszMessage256Hash is identical to the "data" variable from java. Due to padding the result is different every time however the server-side verification is rejecting the second signature.
Any help would be appreciated, as i said, i have been wasting way too much time on this.

How to calculate SHA512/224 and SHA512/256 hashes using OpenSSL?

Here's how I calculate a SHA512 hash in C.
#include <openssl/sha.h>
#include <stdio.h>
char *calc_sha512(char *data) {
SHA512_CTX ctx;
char *md = malloc(sizeof(char)*(SHA512_DIGEST_LENGTH+1));
SHA512_Init(&ctx);
SHA512_Update(&ctx, data, strlen(data));
SHA512_Final(md, &ctx);
md[SHA512_DIGEST_LENGTH] = '\0';
return md;
}
int main() {
printf("%s\n", calc_sha512("foo"));
return 1;
}
Now when I try to transform it to 512/t (either 512/224 or 512/256), it doesn't work. I initially thought that for calculating a 512/t hash, you'd simply have to truncate the output to t bits, but upon further reading, it doesn't only truncate the output, it also have different initial constant values. So I'm trying to figure out any function in OpenSSL that supports that? So far I have looked into docs and header files, I can't find such method under either SHA or EVP. Does OpenSSL even support SHA512/t hashing algorithms? Does it provide the functionality out of the box? Any pointers to that would be helpful.

As you noticed, those truncated sha512 hashes use different initalisation vectors, probably to avoid giving away part of the actual sha512 hash if they would just literally truncate those bytes.
Support for sha512_256 has been implemented in the OpenSSL master tree a few months ago and will likely be in OpenSSL 1.1.1.
Check the changelog:
https://www.openssl.org/news/changelog.txt
Or the commit on Github:
https://github.com/openssl/openssl/commit/4bed94f0c11ef63587c6b2edb03c3c438e221604
... so depending on the platform you're on, you could use those new functions in the near future just like you are doing with the sha512 example you provided.

this function should return the SHA512/256 hash (binary form, not printable)
char *calc_sha512_256(char *data, unsigned int data_len) {
char *hash = malloc(SHA256_DIGEST_LENGTH);
if (!EVP_Digest(data, data_len, hash, NULL, EVP_sha512_256(), NULL)) {
free(hash);
hash = NULL;
}
return hash;
}

Openssl how to find out what the bit size of the public key in an X509 certificate is

If I have an X509* that openssl has provided me, what's the best way to figure out the bit-ness of the RSA public key in the certificate? I can't quite figure this out. I'm pretty sure that if I'm in the SSL certificate verification callback, I can get the X509 ptr with
X509 * cert = X509_STORE_CTX_get_current_cert(the_x509_store_ctx);
and I would surmise I get the public key like this
EVP_PKEY *public_key = X509_get_pubkey(cert);
and then I need to check whether it's RSA, presumably?
if (public_key && (EVP_PKEY_RSA == public_key->type))
and once I know that I got a public key back and that it's RSA, I'd like to do this:
int key_length = BN_num_bits(public_key->pkey.rsa->n);
but I've found that while this works quite nicely on openssl 0.9.8, on 1.0.1h it segfaults on Windows. The BIGNUM 'n' doesn't seem to be valid - the data ptr in it has a garbage pointer.
Any idea what's wrong?

As already suggested, to get the RSA modulus size in bytes (so not "bit size"...) use:
EVP_PKEY * public_key = X509_get_pubkey(cert);
RSA *rsa_key = EVP_PKEY_get1_RSA(public_key);
int key_length = RSA_size(rsa_key);
...
RSA_free(rsa_key);

How to encrypt data using RSA, with SHA-256 as hash function and MGF1 as mask generating function?

I was doing some experiments with cryptography. Now I have the public key of receiver and i want to encrypt some data and pass to the receiver.
I want to use RSAES-OAEP algorithm. with SHA-256 as hash function and MGF1 as mask generation function.
I want do this using openssl. I found a function RSA_public_encrypt() with this function we can specify the padding. One of the padding option available was
RSA_PKCS1_OAEP_PADDING
EME-OAEP as defined in PKCS #1 v2.0 with SHA-1 , MGF1 .
they are using sha-1.
I want to reconfigure the function to use SHA256 as hash function ans MGF1 as hash function. How can I do it ?

The following excerpt allows using OAEP with SHA256 for both the MGF and hash function. Tested with OpenSSL 1.0.2L
int flags = CMS_BINARY | CMS_PARTIAL | CMS_KEY_PARAM;
cms = CMS_encrypt(NULL, in, cipher, flags)
ri = CMS_add1_recipient_cert(cms, cert, flags);
pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_OAEP_PADDING);
EVP_PKEY_CTX_set_rsa_oaep_md(pctx, EVP_sha256());
EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, EVP_sha256());

With a newer OpenSSL 1.0.2+ you can do it using the command:
openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER -pubin -encrypt -pkeyopt rsa_padding_mode:oaep
-pkeyopt rsa_oaep_md:sha256
This is taken from AWS KMS doc here: https://aws.amazon.com/es/premiumsupport/knowledge-center/invalidciphertext-kms/

OpenSSL uses definitions from PKCS #1 v2.0 and so the default for EME-OAEP is SHA-1 and MGF1. If you need to use SHA-256, you'll need to do the encoding yourself. This isn't terribly difficult however, see PKCS #1 v2.2 PDF Page 18 for details.

In the latest version of Openssl(1.0.2k) the signature of the API is changed which gives us more flexibility. Please find the details below,
int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const unsigned char *from, int flen,
int num, const unsigned char *param,
int plen, const EVP_MD *md,
const EVP_MD *mgf1md)
You can pass the EVP_MD structure to invoke the SHA-256 hashing using this.

The PKCS#1 doc referred to above is more mathematical and doesn't give coding examples, and the CMS answer is for ASN.1/SMIME data and not really relevant for the question asked, which was how to replace RSA_public_encrypt() which deals with simple binary/text data. I spent a whole day with trial and error and online searching to find the answer to this, and eventually got the answer (which was to use OpenSSL's EVP API) from looking at the source code of "openssl pkeyutl" - once I discovered that it was not difficult.
In my case I was looking to replace RSA_private_decrypt() for decryption using the private key and this is how to do that - it should be pretty easy to put to together an RSA_public_encrypt() replacement based on this:
EVP_PKEY *privKey = NULL;
BIO *bioPrivKey;
int outLen = 0, ret;
if ((bioPrivKey = BIO_new(BIO_s_mem())))
{
// Read the private key from the RSA context into the memory BIO,
// then convert it to an EVP_PKEY:
if ((ret = PEM_write_bio_RSAPrivateKey(bioPrivKey, rsaCtxt, NULL, NULL, 0, NULL, NULL)) &&
(privKey = PEM_read_bio_PrivateKey(bioPrivKey, NULL, NULL, NULL)))
{
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(privKey, NULL);
EVP_PKEY_free(privKey);
if (ctx)
{
if (EVP_PKEY_decrypt_init(ctx) > 0)
{
EVP_PKEY_CTX_ctrl_str(ctx, "rsa_padding_mode", "oaep");
EVP_PKEY_CTX_ctrl_str(ctx, "rsa_oaep_md", "sha256");
EVP_PKEY_CTX_ctrl_str(ctx, "rsa_mgf1_md", "sha256");
outLen = dataOutMax;
ret = EVP_PKEY_decrypt(ctx, dataOut, &outLen, dataIn, inDataLen);
if (ret > 0 && outLen > 0 && outLen <= dataOutMax)
{
// Success :-)
}
}
EVP_PKEY_CTX_free(ctx);
}
}
BIO_free_all(bioPrivKey);
}
You can add error handling for the failure cases using ERR_get_error().