OpenSSL RSA signature verification: hash and padding? - c

I am trying to write code to verify some RSA signatures. The signatures were made using the OpenSSL command-line tool, using the equivalent of this command line:
openssl dgst -sha1 -sign private_key_file.pem < binary_data_file > sig
I am trying to use libtomcrypt to do the verify:
https://www.libtom.net/
Here is the calling signature of the RSA verification function in libtomcrypt:
int rsa_verify_hash_ex(
const unsigned char *sig, unsigned long siglen, // signature to verify
const unsigned char *hash, unsigned long hashlen, // hash value to check against sig
int padding, // defined constant value, see below
int hash_idx, // identifies which hash algorithm, see below
unsigned long saltlen, // specify salt length, see below
int *stat, // output parameter, returns whether verify succeeded or not
rsa_key *key); // RSA public key to use for verify
This function returns a 0 if it operates without error, otherwise returns an error code. If it operates without error, the stat output parameter indicates whether the signature verified.
Most of the arguments seem straightforward: pass in the signature to check, the hash value to use to compare it, and the RSA key to use for the check. hash_idx is clear from the example code included with libtomcrypt; it is an index into a table of supported hash algorithms, and I can find the correct value to use with this code snippet: hash_idx = find_hash("sha1")
But I'm wondering about the padding and saltlen values. padding doesn't worry me too much, as there are only two possible values, and I can just try them both. But what should I pass for saltlen?
The OpenSSL documentation for the OpenSSL functions for RSA verify don't show a saltlen parameter. The man page for openssl dgst (i.e. the result of man dgst) does not discuss salt.
So my questions:
How can I determine the correct salt length to use?
Does OpenSSL's dgst command insert any extra stuff in the input, such as: (stdin)=
(I found that (stdin)= thing by searching StackOverflow: Why are the RSA-SHA256 signatures I generate with OpenSSL and Java different?)
libtomcrypt also has a function called pkcs_1_pss_decode() which is documented to "decode a PSS encoded signature block". Is there any chance that this is the function I need to call?
Thanks for any help you can give me.
EDIT: thanks to the help below, from #Jonathan Ben-Avraham, I was able to get this working today. The answers to my questions are, respectively:
Use length 0 for the salt, no salt at all.
No, OpenSSL did not insert anything extra such as (stdin)=
I needed to call rsa_verify_hash_ex(), and I needed to specify the padding argument as LTC_LTC_PKCS_1_V1_5.

No salt:
First, generate a binary SHA1 hash of your data:
openssl dgst -sha1 -binary -out hash1 some_data_file
This is an SHA1 hash or digest. There is no salt prependended to the file some_data_file. The openssl dgst -sha1 itself does not add salt. Note that the output file is just a 20 byte SHA1 hash with no salt. If there were salt, the hash would have to include it, probably prepended before the last 20 bytes that hold the SHA1 hash.
Next, sign the SHA1 hash file hash1 with your private key:
openssl pkeyutl -sign -in hash1 -inkey privkey.pem -pkeyopt digest:sha1 -out sig1
Now sign the some_data_file with openssl dgst:
openssl dgst -sha1 -sign privkey.pem < some_data_file > sig2
Finally, compare the two signatures:
diff sig1 sig2
and you should see that they are the same. This tells us that signing the raw SHA1 hash of a file with no salt is the same as using the openssl dgst -sha1 -sign command to sign the file, so it must be that the openssl dgst -sha1 -sign command also did not use any salt when generating its SHA1 hash for sig2.
Note also that you cannot achieve the same result using the deprecated rsautl:
openssl rsautl -sign -in hash1 -inkey privkey.pem -out sig1
instead of openssl pkeyutl, because openssl rsautl -sign does not do the ASN.1 encoding of DigestInfo as required by RSASSA-PKCS1-v1_5 defined in e.g. RFC3447 section 9.2 step 2. (This is why you need -pkeyopt digest: even though pkeyutl -sign itself doesn't do any hashing.) See this SE post for details.

One thing to emphasize: Be sure to pass the hash instead of the actual data. That threw me off for some time. Here's a snippet that works (but use sha256):
void
verify_tomcrypt(unsigned char *keyblob, size_t klen,
unsigned char *payload, size_t dlen,
unsigned char *signature, size_t slen)
{
rsa_key key;
int stat;
unsigned long len;
unsigned char digest2[SHA256_DIGEST_LENGTH];
ltc_mp = ltm_desc;
register_hash(&sha256_desc);
/* try reading the key */
if (rsa_import(keyblob, klen, &key) != CRYPT_OK) {
printf("Error reading key\n");
exit(-1);
}
int hash_idx = find_hash("sha256");
if (hash_idx == -1) {
printf("LTC_SHA256 not found...?\n");
exit(-1);
}
len = sizeof(digest2);
if (hash_memory(hash_idx, payload, dlen, digest2, &len) != CRYPT_OK) {
printf("sha256 fails...?\n");
exit(-1);
}
if (rsa_verify_hash_ex(signature, slen, digest2, sizeof(digest2), LTC_LTC_PKCS_1_V1_5, hash_idx, 0, &stat, &key) == CRYPT_OK) {
if (stat == 1)
printf("Tomcrypt: Signature OK!\n");
else
printf("Tomcrypt: Signature NOK?\n");
} else {
printf("Tomcrypt: Signature error\n");
}
}

Related

What default parameters uses OpenSSL -pbkdf2?

I encrypted a file with this command:
openssl enc -aes-192-cbc -e -pbkdf2 -in <infile> -out <outfile> -pass pass: <password>
Now I'm trying to do decrypt it in c and to take advantage of pbkdf2 I'm using the function:
int PKCS5_PBKDF2_HMAC (const char * pass, int passlen,
                        const unsigned char * salt, int saltlen, int iter,
                        const EVP_MD * digest,
                        int keylen, unsigned char * out);
But the problem is: I know the parameters pass, passlen, keyless and *out...
How do I know what are the parameters for the salt, iter and digest that correspond to the command written above?
The openssl enc command is not a straight encryption of the input file. It adds a "magic" value on the front along with the salt. The magic value is the string "Salted__" (note the double underscore) followed by 8 bytes which is a randomly generated salt. Alternatively you can specify your own salt on the command line with the "-S" option (specified in hex). You can specify the digest to use with the "-md" argument. The default is sha256. You can specify the number of iterations with the "-iter" argument. The default is 10000.

Cant get password hash via openssl in c same format as crypt, mkpasswd or openssl via cmdline

I need to create a hashed password via the openssl lib in C. Unfortunately, I'm not able to get the expected result
This is the code I`m using:
unsigned char hash[SHA256_DIGEST_LENGTH];
SHA256_CTX sha256;
SHA256_Init(&sha256);
SHA256_Update(&sha256, "xxx", 3);
SHA256_Update(&sha256, "11111111", 8);
SHA256_Final(hash, &sha256);
for(int i = 0; i < SHA256_DIGEST_LENGTH; i++)
{
printf("%02x", hash[i]);
}
The output will be
57b2e9dd7f27e02ce026c1a40c7685b4658c2dff55e3a9de93186e545d1c4af1
but i expected
EDgBhRzUlXHcobBLtDfoWalyRFoSMnO1/q.s10aKSY7
since this is the output the crypt lib will produce as well as mkpasswd or openssl via shell.
See:
mkpasswd -m sha-256 --salt=11111111 xxx
$5$11111111$EDgBhRzUlXHcobBLtDfoWalyRFoSMnO1/q.s10aKSY7
or
openssl passwd -5 -salt 11111111 xxx
$5$11111111$EDgBhRzUlXHcobBLtDfoWalyRFoSMnO1/q.s10aKSY7
or
printf("%s\n", crypt("xxx", "$5$11111111"));
// also prints $5$11111111$EDgBhRzUlXHcobBLtDfoWalyRFoSMnO1/q.s10aKSY7
I need to get this working with the openssl lib.
Am I completely wrong with creating the hash and salt, or is this just a dump formatting issue?
The algorithm is not just a simple SHA256 hash.
As reference the OpenSSL implementation can be found on github (shacrypt(...)).

RSA verification failed when I use some code from xlnx uboot

I'm trying porting some code to do RSA verification. I googled ,and found some code in xlnx u-boot .
I put this rsa-mod-exp.c in my code and of course with some other .h files. My SOC is little endian ,so I use the little endian definitions.
After all above are done , I try to create a signature to verify my code.
Before that , I noticed that the u-boot rsa structure is different from openssl RSA structure. So to get the u-boot rsa structure , I need to install a tool called dumppublickey . I found one from here and installed.
OpenSSL RSA public key structure:
struct {
BIGNUM *n; // public modulus
BIGNUM *e; // public exponent
BIGNUM *d; // private exponent
BIGNUM *p; // secret prime factor
BIGNUM *q; // secret prime factor
BIGNUM *dmp1; // d mod (p-1)
BIGNUM *dmq1; // d mod (q-1)
BIGNUM *iqmp; // q^-1 mod p
// ...
};RSA
U-boot RSA public key structure:
struct rsa_public_key {
uint len; /* len of modulus[] in number of uint32_t */
uint32_t n0inv; /* -1 / modulus[0] mod 2^32 */
uint32_t modulus; / modulus as little endian array */
uint32_t rr; / R^2 as little endian array */
uint64_t exponent; /* public exponent */
};
Now, every thing is ready beside a signature. Here is the step I create my signature.
1. Create private key.It's a 2048 bit and the public exponent is three.
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
2. Create cert file.
openssl req -new -x509 -key key.pem -out newcert.pem -days 3650
3. Get the U-boot structure public key.
dumppublickey newcert.pem
I got :
{
64, //lenth
0x63b40d47, //n0inv
{2799858569,......,1105502226,1577608370,1150603850,3030884821}, // modules (N)
{909785043,.......,3050452165,3418434484,2529136815,837355943}, // r^2
3 //exponent
}
4. Sign my file using the private key.
echo "hello world" > a.txt
openssl dgst -sign key.pem -sha256 -hex a.txt
I got :
RSA-SHA256(a.txt)= 157eb60ad0c77427cd....6b02b5d331d610b27f32aaa0
I put key length, n0inv, modulus, rr, exponent and the signature in my code. Notice that modulus and rr I useu_int32 array like I showed above while signature I use a u_int8 array like below.
{0x15,0x7e.0xb6,0x0a,.......0xaa,0xa0}
Here is what I think the rsa-mod-exp.c (function rsa_mod_exp_sw) will give me . I thought I will get the result of the sha256 hash value of file a.txt. Same as the result I did using openssl.
openssl dgst -sha256 a.txt
However, I did't get this sha256 hash value . I got something strange.
Could anyone point which part is wrong and how to correct it ?
It seems struct key_prop argument of rsa_mod_exp_sw assumes that modulus and rr are big-endian.
So modulus and rr generated by dumppublickey should be converted to big-endian.
I could decrypt sign and confirmed that decrypted data contains pkcs v1.5 padding format.

Transform xorcrypto encryption module to AES encryption module

I have been given a sample encryption module which simply xor a key with the packet data and place the result in data field of constructed packet itself....
The code for xoricv module is here.
void
xorcrypto(uint8_t *key, uint32_t keylen,
uint8_t *data, uint32_t datalen)
{
int d, k;
for (d=0, k=0; d < datalen; ++d, k = (k+1)%keylen) {
data[d] ^= key[k];
}
}
Now i need to change the module so that it performed the AES Encryption rather than simple xor operation.
Would you suggest possible transformation i need to do ????
It is a small part of my project and i am stuck in between..
The AES Command I have used on command line for encryption
openssl enc -aes-256-cbc -salt -in file.txt -out file.enc
Daily i am going through plenty of errors when i tried to implement it by my own and i have very limited time so please help me.......
Here is my implementation ...... although i am adding it here in answer column because may be there is small bug in my implementation which i could be able to solve through some valuable suggestions but still If any other way is possible please suggest and provide me some implementation code...
/* u_int8_t ... etc all are typedefs for uint8_t....etc
so don't bother about them */
void xorcrypto(u_int8_t *key, u_int32_t keylen,u_int8_t *data,
u_int32_t datalen)
{
int ch,i,j;
uint8_t modata[100];
FILE *fp,*fr,*fq,*ft;
fp=fopen("key","w");
fputs((char *)key,fp);
fq=fopen("file.txt","w");
fputs((char *)data,fq);
fclose(fp);
fclose(fq);
system("sudo openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass file:key");
fr=fopen("file.enc","r");
memset(data,0,sizeof(data));
i=0;
while( (ch=fgetc(fr))==EOF) {
data[i]=ch;
i++;
}
fclose(fr);
system("sudo openssl enc -d -aes-256-cbc -salt -in file.enc
-out file1.txt -pass file:key");
ft=fopen("file1.txt","r");
memset(modata,0,sizeof(modata));
j=0;
while( (ch=fgetc(ft)) != EOF) {
modata[j]=ch;
j++;
}
fclose(ft);
}
Call to function in module is described as -
bool
espcrypto(esp_private *epriv, sendip_data *data, sendip_data *pack)
{
u_int32_t keylen;
u_int8_t *key;
static u_int8_t fakekey;
struct ip_esp_hdr *esp = (struct ip_esp_hdr *)pack->data;
if (!epriv->keylen) { /* This isn't going to be very productive... */
key = &fakekey;
keylen = 1;
} else {
key = (u_int8_t *)epriv->key;
keylen = epriv->keylen;
}
/* Encrypt everything past the ESP header */
xorcrypto(key, keylen,
(u_int8_t *)esp->enc_data,
pack->alloc_len + data->alloc_len -
sizeof(struct ip_esp_hdr));
return TRUE;
}
This is code in the xorcrypto.c file in packet generator tool i am using which is linked during packet construction through command line as -am xorcrypto.so .That is the reason why I was being so lazy.I am first looking for an implementation which can act as proof of concept .Rest all optimizations can be done later.
The output I am getting is - encryption not performed at all the data is still in plain text in packet.
udit#udit-Dabba ~/Downloads/sendip-2.5-mec-2/mec $ cat file.txt
udit#udit-Dabba ~/Downloads/sendip-2.5-mec-2/mec $ cat file.enc
Salted__����
}�#��G�����0����iudit#udit-Dabba ~/Downloads/sendip-2.5-mec-2/mec $ cat file1.txt
udit#udit-Dabba ~/Downloads/sendip-2.5-mec-2/mec $
Why file.txt is null even key file is not updated ???
If any other information needed i will add it here......but please help me getting out of the mesh .
This may not even be possible without making some additional changes to your software. It doesn't look like your function allows for the resulting encrypted data to be larger than the unencrypted data, for one, which will be required for RSA.
The key you pass to your function will also be quite different; one side of an RSA key will consist of the modulus and an exponent. The modulus will be a large number (not representable with the normal integer types), and the exponent is typically a large number for one side and a (relatively) small one for the other.
Aside from that, there are a number of issues and difficulties with RSA. You could try to deal with these yourself, but you'd probably be better off using an existing library like OpenSSL. Some of these issues include:
Implementing RSA (with usefully long keys) requires modular arithmetic on very large numbers, far larger than any of the normal integer types. You'd either have to write functions for this, or find a library.
The data has to be broken into pieces that are shorter than the modulus (part of the key), including whatever padding and such is encrypted along with the data. The length of each piece after encryption will be the length of the modulus. That's why the resulting encrypted data will be longer than the original data (and also padding).
Avoiding certain vulnerabilities requires additional steps, such as adding random padding into each piece of data and ensuring that the padded data, raised to the exponent from the key, would exceed the modulus (if it weren't done as modular exponentiation).
So first, you'll need to make it possible for your encryption function to return more data than you gave it. Then you should probably look at using an encryption library to do the actual encryption, to save a lot of work and reduce the chances of letting vulnerabilities slip through.
Well,
I feel the line :
while( (ch=fgetc(fr))==EOF)
// Also, Similar statements that you have used many times.
You are reading 1 character from the file and comparing that to EOF. That works fine untill you are working with normal text files.
But here you are working with an encrypted file, file.enc which can contain anything at all.
It can even posses EOF character itself as data content.
That means if file has 100 characters and 2nd character is EOF then it will terminate at 2nd character itself.
I feel this as a possible problem.
Remains.. the other problems - I suggest using fprintf() instead of fputs(), these are easy to use and hence avoids unseen bugs. Since you are working on strings instead of characters logically.
Moreover, using these you also get an advantage of string formatting when needed.
Try out and then get back.. :)

AES Encryption -Key Generation with OpenSSL

As a reference and as continuation to the post:
how to use OpenSSL to decrypt Java AES-encrypted data?
I have the following questions.
I am using OpenSSL libs and programming in C for encrypting data in aes-cbc-128.
I am given any input binary data and I have to encrypt this.
I learn that Java has a CipherParameters interface to set IV and KeyParameters too.
Is there a way to generate IV and a key using openSSL? In short how could one use in a C program to call the random generator of openSSL for these purposes. Can any of you provide some docs/examples/links on this?
Thanks
An AES key, and an IV for symmetric encryption, are just bunchs of random bytes. So any cryptographically strong random number generator will do the trick. OpenSSL provides such a random number generator (which itself feeds on whatever the operating system provides, e.g. CryptGenRandom() on Windows or /dev/random and /dev/urandom on Linux). The function is RAND_bytes(). So the code would look like this:
#include <openssl/rand.h>
/* ... */
unsigned char key[16], iv[16];
if (!RAND_bytes(key, sizeof key)) {
/* OpenSSL reports a failure, act accordingly */
}
if (!RAND_bytes(iv, sizeof iv)) {
/* OpenSSL reports a failure, act accordingly */
}
Assuming AES-128:
unsigned char key[16];
RAND_bytes(key, sizeof(key));
unsigned char iv[16];
RAND_bytes(iv, sizeof(iv));
The random generator needs to be seeded before using one of those.

Resources