Related
I have a simple program that encrypts files in a directory. I can iterate through and everything works perfectly. This is using pub/priv key pair. When decrypting one file at a time, it works as it should. However, if there are multiple files in a directory, or even if I put the filenames in a vector and fopen them for reading/writing respectively, it ONLY decrypts the LAST file in the vector/directory. How is this even possible? It fails on everyone of them on OpenFinal(). Here is the function and heart of the program. Everything else is solid. As stated, it works as a standalone program if I just decrypt one file manually or if there is just ONE file in the directory or vector.
Any help would be appreciated. This makes no sense at all. It seems like an implementation issue on their end.
void handleErrors(void)
{
// perror("Error: ");
ERR_print_errors_fp(stderr);
abort();
}
int envelope_open(EVP_PKEY *priv_key, unsigned char *ciphertext,
int ciphertext_len, unsigned char *encrypted_key,
int encrypted_key_len, unsigned char *iv,
unsigned char **plaintext, int *plaintext_len)
{
EVP_CIPHER_CTX *ctx;
int len = 0, ret = 0;
unsigned char *tmpptxt = NULL;
if((ctx = EVP_CIPHER_CTX_new()) == NULL)
return 0;
if ((tmpptxt = (unsigned char*)malloc(ciphertext_len)) == NULL)
{
printf("tmptxt error!\n");
handleErrors();
}
if(EVP_OpenInit(ctx, EVP_aes_256_cbc(), encrypted_key, encrypted_key_len,
iv, priv_key) != 1)
{
printf("OpenInit error\n");
handleErrors();
}
if(EVP_OpenUpdate(ctx, tmpptxt, &len, ciphertext, ciphertext_len) != 1)
{
printf("OpenUpdate error\n");
handleErrors();
}
*plaintext_len = len;
if(EVP_OpenFinal(ctx, tmpptxt + len, &len) != 1)
{
printf("OpenFinal error\n");
handleErrors();
}
*plaintext_len += len;
*plaintext = tmpptxt;
tmpptxt = NULL;
ret = 1;
err:
EVP_CIPHER_CTX_free(ctx);
free(tmpptxt);
return ret;
}
I was overwriting the key and iv returned from envelope_seal(). I looked over the fact it was unique. Each file must have this key and iv along with the private key and passphrase on the key to be able to decrypt a file. So this is definitely secure ... until someone cracks AES 256 of course.
I have some openssl code that encrypts and decrypts a file.
Initially I wrote it so the encrypted file is base64 encoded. The problem is certain file sizes are reduced on decryption. i.e I lose upto 16 characters in the decrypted based on the original file
If the file is less that 16 bytes it is fine, greater than that and I start losing characters on decryption with and error on the final decrypt step.
I assumed initially it was a padding issue, but adding padding does bot fix however If I remove the base64 encoding it is fine however.
This is based on open_ssl 1.1.1s
int BIO_enc_header(BIO* file, unsigned char* Salt)
{
RAND_bytes(Salt, SALTSIZE);
int len=BIO_write(file,MAGIC, MAGIC_SIZE);
len=BIO_write(file,Salt, SALTSIZE);
return 0;
}
int BIO_dec_header(BIO* file, unsigned char* Salt)
{
int mlen = 0;
char mBuff[MAGIC_SIZE + 1] = { 0 };
mlen = BIO_read(file,mBuff, MAGIC_SIZE);
if (mlen == MAGIC_SIZE) {
/* Check Magic size */
int salt_len = BIO_read(file,Salt,SALTSIZE);
if (salt_len != SALTSIZE) {
return -1;
}
}
return 0;
}
//#define BASE64 1
int do_crypt_bio(BIO* bio_in, BIO* bio_out, int do_encrypt, unsigned char* szPassword)
{
int Result = OK;
unsigned char salt[8] = { 0 };
int inByte = 0, outByte = 0;
//int Padding;
#ifdef BASE64
BIO *b64 = BIO_new(BIO_f_base64());
if (!b64) {
return ERROR;
}
#endif
#ifdef BASE64
if (do_encrypt) {
/*out base64*/
bio_out = BIO_push(b64, bio_out);
BIO_set_flags(bio_out, BIO_FLAGS_BASE64_NO_NL);
}else {
/* read base 64*/
bio_in = BIO_push(b64, bio_in);
BIO_set_flags(bio_in, BIO_FLAGS_BASE64_NO_NL);
}
#endif
/* Allow enough space in output buffer for additional block */
unsigned char inbuf[ENC_BUFF_SIZE+ EVP_MAX_BLOCK_LENGTH], outbuf[ENC_BUFF_SIZE + EVP_MAX_BLOCK_LENGTH];
int inlen, outlen;
EVP_CIPHER_CTX* ctx=NULL;
#define AES_256_KEY_SIZE 32
unsigned char key[AES_256_KEY_SIZE] = { 0 };
unsigned char iv[AES_BLOCK_SIZE] = { 0 };
int rounds = 5;
int Size=EVP_CIPHER_block_size(EVP_aes_256_cbc());
if (do_encrypt) {
BIO_enc_header(bio_out, salt);
}else {
BIO_dec_header(bio_in, salt);
}
if (!EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha256(), salt, szPassword, strlen((char*)szPassword), rounds, key, iv)) {
#ifdef BASE64
BIO_free(b64);
#endif
return ERROR;
}
/* Don't set key or IV right away; we want to check lengths */
ctx = EVP_CIPHER_CTX_new();
if (!ctx) {
#ifdef BASE64
BIO_free(b64);
#endif
return ERROR;
}
int CipherResult=EVP_CipherInit_ex(ctx, EVP_aes_256_cbc(), NULL, NULL, NULL, do_encrypt);
CipherResult =EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt); /* Now we can set key and IV */
//EVP_CIPHER_CTX_set_padding(ctx, 32);
int len;
for (;;) {
memset(inbuf, 0, ENC_BUFF_SIZE+EVP_MAX_BLOCK_LENGTH);
inlen = BIO_read(bio_in,inbuf, ENC_BUFF_SIZE);
//inByte += inlen;
if (inlen <= 0)break;
if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
/* Error */
Result = ERROR;
goto error;
}
len=BIO_write(bio_out,outbuf,outlen);
//outByte += outlen;
}
int f_len;
if (!EVP_CipherFinal_ex(ctx, outbuf, &f_len)) {
/* Error */
Result = ERROR;
ERR_print_errors_fp(stderr);
goto error;
}
len= BIO_write(bio_out, outbuf, f_len);
//outByte += f_len;
len = len;
error:
EVP_CIPHER_CTX_free(ctx);
#ifdef BASE64
BIO_free(b64);
#endif
return Result;
}
int EncryptFile(char* input, char *encrypted,char* password)
{
int Result = OK;
BIO* bio_in = BIO_new_file(input, "rb");
if (!bio_in) {
return ERROR;
}
BIO* bio_out = BIO_new_file(encrypted, "wb+");
if (!bio_out) {
BIO_free(bio_in);
return ERROR;
}
Result=do_crypt_bio(bio_in, bio_out, 1, (unsigned char*)password);
BIO_free(bio_in);
BIO_free(bio_out);
return Result;
}
int DecryptFile(char* encrypted, char* output, char* password)
{
int Result = OK;
BIO* bio_in = BIO_new_file(encrypted, "rb");
if (!bio_in) {
return ERROR;
}
BIO* bio_out = BIO_new_file(output, "wb+");
if (!bio_out) {
BIO_free(bio_in);
return ERROR;
}
Result=do_crypt_bio(bio_in, bio_out, 0, (unsigned char*)password);
BIO_free(bio_in);
BIO_free(bio_out);
return Result;
}
Got "Invalid JWT Signature". It's seems like only signing is wrong. But I just don't know what to do. Please help!
Curl works 100%
Base64 seems like works fine. Header and Claim decodes is OK.
It has some info here (REST) if it will help.
bool RSASign( RSA* rsa, const unsigned char* Msg, size_t MsgLen, unsigned char** EncMsg, size_t* MsgLenEnc)
{
EVP_MD_CTX* m_RSASignCtx = EVP_MD_CTX_create();
EVP_PKEY* priKey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(priKey, rsa);
if (EVP_DigestSignInit(m_RSASignCtx,NULL, EVP_sha256(), NULL,priKey)<=0) { std::cout << "BAD! " << std::endl; return false; }
if (EVP_DigestSignUpdate(m_RSASignCtx, Msg, MsgLen) <= 0) { std::cout << "BAD! " << std::endl; return false; }
if (EVP_DigestSignFinal(m_RSASignCtx, NULL, MsgLenEnc) <=0) { std::cout << "BAD! " << std::endl; return false; }
*EncMsg = (unsigned char*)malloc(*MsgLenEnc);
if (EVP_DigestSignFinal(m_RSASignCtx, *EncMsg, MsgLenEnc) <= 0) { std::cout << "BAD! " << std::endl; return false; }
EVP_MD_CTX_free(m_RSASignCtx);
return true;
}
// JWT HEADER
std::string jwtHeader = base64_encode( "{\"alg\":\"RS256\",\"typ\":\"JWT\"}" );
// JWT CLAIM
std::string jwtClaim = base64_encode( ... );
// JWT SIGNATURE
std::string JWS = jwtHeader + "." + jwtClaim;
const char* privateKey = "-----BEGIN PRIVATE KEY-----\n...";
// HASH
SHA256_CTX sha_ctx = { 0 };
unsigned char digest[SHA256_DIGEST_LENGTH];
SHA256_Init(&sha_ctx);
SHA256_Update(&sha_ctx, JWS.c_str(), JWS.size());
SHA256_Final(digest, &sha_ctx);
// SIGN
FILE *file = nullptr;
file = fopen("file.key", "r");
if (!file) { std::cout << "BAD FILE" << std::endl; }
RSA* rsa = PEM_read_RSAPrivateKey(file, NULL, NULL, NULL);
fclose(file);
if(!rsa)
std::cout << "BAD KEY" << std::endl;
// there is no luck with or without sha256 before signing
if (RSASign( rsa, (const unsigned char*) JWS.c_str(), JWS.length(), &sig, (size_t*)&slen))
std::cout << "SIGNED size: " << slen << std::endl;
// TOKEN REQUEST
std::string sign = base64_encode(sig, slen);
std::string requestStr = "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=" + JWS + "." + sign;
headers = curl_slist_append(headers, "Content-Type: application/x-www-form-urlencoded");
curl_easy_setopt(curl_handle, CURLOPT_URL, "https://oauth2.googleapis.com/token");
curl_easy_setopt( ... CURLOPT_POST, CURLOPT_HTTPHEADER, CURLOPT_POSTFIELDS ... );
UPDATE:
Ok. Now I know that I need SHA256withRSA. But problem is still there.
Thank You Botje! Thank You very much for trying to help me.
But I have no time anymore for learning openssl. So I found a great one:
https://github.com/Thalhammer/jwt-cpp
from here
jwt.io
It doesn't support the 'scope' field for the jwt-claim, so I just added a method into a class into a header: 'set_scope(...);'.
Ten, 10... Nooo, You just can't feel my pain beacuse of openssl_from_devs_with_crooked_hands_with_no_human_docs.
10 strings of a code and it's done!
It has simple sources, so You can find out how to work with ssl from there.
If You want to use OpenSSL lib and don't know how it works - think twice, may be it's the worst choice of Your life. Good luck!
Just for future people looking this up and struggle how to compute a RS256 (SHA256WithRSA)-Hash in OpenSSL, since I spent about 5 hours researching the error. The code from Botje is quite close, but is missing the Finalize method (and the destructors).
#include <OpenSSL/obj_mac.h>
#include <OpenSSL/evp.h>
#include <OpenSSL/pem.h>
#include <OpenSSL/bio.h>
bool SHA256WithRSA(const std::string RSAKey, const std::string Data)
{
struct bio_st* pem_BIO = BIO_new(BIO_s_mem());
if (BIO_write(pem_BIO, RSAKey.data(), RSAKey.size()) != RSAKey.size())
{
BIO_free_all(pem_BIO);
return false;
}
struct evp_pkey_st* signing_key = PEM_read_bio_PrivateKey(pem_BIO, nullptr, nullptr, nullptr);
if(signing_key == nullptr)
{
BIO_free_all(pem_BIO);
EVP_PKEY_free(signing_key);
return false;
}
std::string ResultBuffer(EVP_PKEY_size(signing_key), '\0');
unsigned int len = 0;
struct evp_md_ctx_st * MD_ctx = EVP_MD_CTX_new();
if (!EVP_SignInit(MD_ctx, EVP_get_digestbyname(SN_sha256WithRSAEncryption)) ||
!EVP_SignUpdate(MD_ctx, Data.data(), Data.size()) ||
EVP_SignFinal(MD_ctx, (unsigned char*)ResultBuffer.data(), &len, signing_key) == 0)
{
BIO_free_all(pem_BIO);
EVP_PKEY_free(signing_key);
EVP_MD_CTX_free(MD_ctx);
return false;
}
ResultBuffer.resize(len);
/* Do something with the ResultBuffer */
BIO_free_all(pem_BIO);
EVP_PKEY_free(signing_key);
EVP_MD_CTX_free(MD_ctx);
return true;
}
No need to mark this answer as accepted, yours is by far the easier solution. I'm posting this for future readers to find.
For what it's worth, I was able to reproduce the raw hash in the RS256 test case with the following:
void die() {
for (int err = ERR_get_error(); err != 0; err = ERR_get_error()) {
fprintf(stderr, "%s\n", ERR_error_string(err, nullptr));
}
exit(1);
}
int main() {
/* md is a SHA-256 digest in this example. */
BIO *pem_BIO = BIO_new_mem_buf(RSA_pem, sizeof(RSA_pem));
EVP_PKEY *signing_key = PEM_read_bio_PrivateKey(pem_BIO, nullptr, nullptr, nullptr);
const unsigned char header_payload[] = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9";
EVP_MD_CTX * MD_ctx = EVP_MD_CTX_new();
bool success = true;
success = EVP_DigestSignInit(MD_ctx, nullptr, EVP_get_digestbyname(SN_sha256WithRSAEncryption), nullptr, signing_key);
if (!success) die();
unsigned char sigbuf[512];
size_t siglen = sizeof(sigbuf);
success = EVP_DigestSign(MD_ctx, sigbuf, &siglen, header_payload, sizeof(header_payload)-1);
if (!success) die();
fwrite(sigbuf, 1, siglen, stdout);
}
The end result still has to be base64-encoded (with the url-safe alphabet), though.
I am using the EVP Symmetric Encryption and Decryption algorithm to encrypt and decrypt a file of text.
The encryption works file, a new encrypted file is generated, but when I try to decrypt the file back it always crashes when EVP_DecryptFinal_ex is called the first time.
I am using two Visual Studio projects: one for encryption and one for decryption.
The libraries I am using I presumed they are build in DEBUG mode (because they have the .pdb files), so that is how my project is also build. (if I choose release mode, the compiler cannot find the openssl include header anymore).
This is the error I get:
digital envelope routines:EVP_DecryptFinal_ex:wrong final block length
I am using the C++11 version, here is my code:
void Cipher::Encrypt(const byte key[KEY_SIZE], const byte iv[BLOCK_SIZE], const secure_string& ptext, secure_string& ctext) {
EVP_CIPHER_CTX_free_ptr ctx(EVP_CIPHER_CTX_new(), ::EVP_CIPHER_CTX_free);
int rc = EVP_EncryptInit_ex(ctx.get(), EVP_aes_256_cbc(), NULL, key, iv);
if (rc != 1)
throw std::runtime_error("EVP_EncryptInit_ex failed");
// Recovered text expands upto BLOCK_SIZE
ctext.resize(ptext.size() + BLOCK_SIZE);
int out_len1 = (int)ctext.size();
rc = EVP_EncryptUpdate(ctx.get(), (byte*)&ctext[0], &out_len1, (const byte*)&ptext[0], (int)ptext.size());
if (rc != 1)
throw std::runtime_error("EVP_EncryptUpdate failed");
int out_len2 = (int)ctext.size() - out_len1;
rc = EVP_EncryptFinal_ex(ctx.get(), (byte*)&ctext[0] + out_len1, &out_len2);
if (rc != 1)
throw std::runtime_error("EVP_EncryptFinal_ex failed");
// Set cipher text size now that we know it
ctext.resize(out_len1 + out_len2);
}
void Cipher::Decrypt(const byte key[KEY_SIZE], const byte iv[BLOCK_SIZE], const secure_string& ctext, secure_string& rtext) {
EVP_CIPHER_CTX_free_ptr ctx(EVP_CIPHER_CTX_new(), ::EVP_CIPHER_CTX_free);
int rc = EVP_DecryptInit_ex(ctx.get(), EVP_aes_256_cbc(), NULL, key, iv);
if (rc != 1)
throw std::runtime_error("EVP_DecryptInit_ex failed");
// Recovered text contracts upto BLOCK_SIZEB
rtext.resize(ctext.size());
int out_len1 = (int)rtext.size();
rc = EVP_DecryptUpdate(ctx.get(), (byte*)&rtext[0], &out_len1, (const byte*)&ctext[0], (int)ctext.size());
if (rc != 1)
throw std::runtime_error("EVP_DecryptUpdate failed");
int out_len2 = (int)rtext.size() - out_len1;
rc = EVP_DecryptFinal_ex(ctx.get(), (byte*)&rtext[0] + out_len1, &out_len2);
if (rc != 1) {
ERR_print_errors_fp(stderr);
throw std::runtime_error("EVP_DecryptFinal_ex failed");
}
// Set recovered text size now that we know it
rtext.resize(out_len1 + out_len2);
}
int main(int argc, char* argv[])
{
// Load the necessary cipher
EVP_add_cipher(EVP_aes_256_cbc());
// create Cipher object
Cipher cipher;
ifstream f("d:/temp.YML");
ofstream out("d:/tempDecrypt.YML");
byte key[KEY_SIZE] = {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2};
byte iv[BLOCK_SIZE] = {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
//cipher.gen_params(key, iv);
secure_string line;
secure_string temp;
while (getline(f, line)) {
cipher.Decrypt(key, iv, line, temp);
std::cout << temp << std::endl;
out << temp;
}
OPENSSL_cleanse(key, KEY_SIZE);
OPENSSL_cleanse(iv, BLOCK_SIZE);
return 0;
}
I also read that it could be a padding issue, not sure if that is the case and what should I do. I am not that good with encryption.
Any pointers on how to proceed further would be welcomed. If you need more information let me know.
I am trying to get my head around public key encryption using the openssl implementation of rsa in C++. Can you help? So far these are my thoughts (please do correct if necessary)
Alice is connected to Bob over a network
Alice and Bob want secure communications
Alice generates a public / private key pair and sends public key to Bob
Bob receives public key and encrypts a randomly generated symmetric cypher key (e.g. blowfish) with the public key and sends the result to Alice
Alice decrypts the ciphertext with the originally generated private key and obtains the symmetric blowfish key
Alice and Bob now both have knowledge of symmetric blowfish key and can establish a secure communication channel
Now, I have looked at the openssl/rsa.h rsa implementation (since I already have practical experience with openssl/blowfish.h), and I see these two functions:
int RSA_public_encrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
int RSA_private_decrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
If Alice is to generate *rsa, how does this yield the rsa key pair? Is there something like rsa_public and rsa_private which are derived from rsa? Does *rsa contain both public and private key and the above function automatically strips out the necessary key depending on whether it requires the public or private part? Should two unique *rsa pointers be generated so that actually, we have the following:
int RSA_public_encrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa_public, int padding);
int RSA_private_decrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa_private, int padding);
Secondly, in what format should the *rsa public key be sent to Bob? Must it be reinterpreted in to a character array and then sent the standard way? I've heard something about certificates -- are they anything to do with it?
Sorry for all the questions,
Best Wishes,
Ben.
EDIT: Coe I am currently employing:
/*
* theEncryptor.cpp
*
*
* Created by ben on 14/01/2010.
* Copyright 2010 __MyCompanyName__. All rights reserved.
*
*/
#include "theEncryptor.h"
#include <iostream>
#include <sys/socket.h>
#include <sstream>
theEncryptor::theEncryptor()
{
}
void
theEncryptor::blowfish(unsigned char *data, int data_len, unsigned char* key, int enc)
{
// hash the key first!
unsigned char obuf[20];
bzero(obuf,20);
SHA1((const unsigned char*)key, 64, obuf);
BF_KEY bfkey;
int keySize = 16;//strlen((char*)key);
BF_set_key(&bfkey, keySize, obuf);
unsigned char ivec[16];
memset(ivec, 0, 16);
unsigned char* out=(unsigned char*) malloc(data_len);
bzero(out,data_len);
int num = 0;
BF_cfb64_encrypt(data, out, data_len, &bfkey, ivec, &num, enc);
//for(int i = 0;i<data_len;i++)data[i]=out[i];
memcpy(data, out, data_len);
free(out);
}
void
theEncryptor::generateRSAKeyPair(int bits)
{
rsa = RSA_generate_key(bits, 65537, NULL, NULL);
}
int
theEncryptor::publicEncrypt(unsigned char* data, unsigned char* dataEncrypted,int dataLen)
{
return RSA_public_encrypt(dataLen, data, dataEncrypted, rsa, RSA_PKCS1_OAEP_PADDING);
}
int
theEncryptor::privateDecrypt(unsigned char* dataEncrypted,
unsigned char* dataDecrypted)
{
return RSA_private_decrypt(RSA_size(rsa), dataEncrypted,
dataDecrypted, rsa, RSA_PKCS1_OAEP_PADDING);
}
void
theEncryptor::receivePublicKeyAndSetRSA(int sock, int bits)
{
int max_hex_size = (bits / 4) + 1;
char keybufA[max_hex_size];
bzero(keybufA,max_hex_size);
char keybufB[max_hex_size];
bzero(keybufB,max_hex_size);
int n = recv(sock,keybufA,max_hex_size,0);
n = send(sock,"OK",2,0);
n = recv(sock,keybufB,max_hex_size,0);
n = send(sock,"OK",2,0);
rsa = RSA_new();
BN_hex2bn(&rsa->n, keybufA);
BN_hex2bn(&rsa->e, keybufB);
}
void
theEncryptor::transmitPublicKey(int sock, int bits)
{
const int max_hex_size = (bits / 4) + 1;
long size = max_hex_size;
char keyBufferA[size];
char keyBufferB[size];
bzero(keyBufferA,size);
bzero(keyBufferB,size);
sprintf(keyBufferA,"%s\r\n",BN_bn2hex(rsa->n));
sprintf(keyBufferB,"%s\r\n",BN_bn2hex(rsa->e));
int n = send(sock,keyBufferA,size,0);
char recBuf[2];
n = recv(sock,recBuf,2,0);
n = send(sock,keyBufferB,size,0);
n = recv(sock,recBuf,2,0);
}
void
theEncryptor::generateRandomBlowfishKey(unsigned char* key, int bytes)
{
/*
srand( (unsigned)time( NULL ) );
std::ostringstream stm;
for(int i = 0;i<bytes;i++){
int randomValue = 65 + rand()% 26;
stm << (char)((int)randomValue);
}
std::string str(stm.str());
const char* strs = str.c_str();
for(int i = 0;bytes;i++)key[i]=strs[i];
*/
int n = RAND_bytes(key, bytes);
if(n==0)std::cout<<"Warning key was generated with bad entropy. You should not consider communication to be secure"<<std::endl;
}
theEncryptor::~theEncryptor(){}
You should actually be using the higher-level "Envelope Encryption" functions from openssl/evp.h, rather than the low-level RSA functions directly. These do most of the work for you and mean you don't have to reinvent the wheel.
In this case, you'd use the EVP_SealInit(), EVP_SealUpdate() and EVP_SealFinal() functions. The corresponding decryption functions are EVP_OpenInit(), EVP_OpenUpdate() and EVP_OpenFinal(). I would suggest using EVP_aes_128_cbc() as the value of the cipher type parameter.
Once you've got the public key loaded into an RSA * handle, you use EVP_PKEY_assign_RSA() to put it into an EVP_PKEY * handle for the EVP functions.
Once you've got this going, to solve the authentication problem I mentioned in my comment, you'll need to established a trusted authority ("Trent"). Trent's public key is known to all users (distributed with the application or similar - just load it from a PEM file). Instead of exchanging bare RSA parameters, Alice and Bob exchange x509 certificates that contain their RSA public keys together with their name, and are signed by Trent. Alice and Bob then each verify the certificate they recieved from the other (using Trent's public key, which they already know), including checking that the associated name is the right one, before continuing the protocol. OpenSSL includes functions for loading and verifying certificates in the x509.h header.
Here's an example of how to use EVP_Seal*() to encrypt a file given the recipient's public key. It takes the PEM RSA Public Key file (ie as generated by openssl rsa -pubout) as a command line argument, reads the source data from stdin and writes the encrypted data to stdout. To decrypt, use EVP_Open*() instead, and PEM_read_RSAPrivateKey() to read a private key rather than public key.
It's not really that hard - and certainly less error prone than messing about generating padding, IVs and so on yourself (the Seal function does both the RSA and AES parts of the deal). Anyway, the code:
#include <stdio.h>
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/err.h>
#include <arpa/inet.h> /* For htonl() */
int do_evp_seal(FILE *rsa_pkey_file, FILE *in_file, FILE *out_file)
{
int retval = 0;
RSA *rsa_pkey = NULL;
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_CIPHER_CTX ctx;
unsigned char buffer[4096];
unsigned char buffer_out[4096 + EVP_MAX_IV_LENGTH];
size_t len;
int len_out;
unsigned char *ek;
int eklen;
uint32_t eklen_n;
unsigned char iv[EVP_MAX_IV_LENGTH];
if (!PEM_read_RSA_PUBKEY(rsa_pkey_file, &rsa_pkey, NULL, NULL))
{
fprintf(stderr, "Error loading RSA Public Key File.\n");
ERR_print_errors_fp(stderr);
retval = 2;
goto out;
}
if (!EVP_PKEY_assign_RSA(pkey, rsa_pkey))
{
fprintf(stderr, "EVP_PKEY_assign_RSA: failed.\n");
retval = 3;
goto out;
}
EVP_CIPHER_CTX_init(&ctx);
ek = malloc(EVP_PKEY_size(pkey));
if (!EVP_SealInit(&ctx, EVP_aes_128_cbc(), &ek, &eklen, iv, &pkey, 1))
{
fprintf(stderr, "EVP_SealInit: failed.\n");
retval = 3;
goto out_free;
}
/* First we write out the encrypted key length, then the encrypted key,
* then the iv (the IV length is fixed by the cipher we have chosen).
*/
eklen_n = htonl(eklen);
if (fwrite(&eklen_n, sizeof eklen_n, 1, out_file) != 1)
{
perror("output file");
retval = 5;
goto out_free;
}
if (fwrite(ek, eklen, 1, out_file) != 1)
{
perror("output file");
retval = 5;
goto out_free;
}
if (fwrite(iv, EVP_CIPHER_iv_length(EVP_aes_128_cbc()), 1, out_file) != 1)
{
perror("output file");
retval = 5;
goto out_free;
}
/* Now we process the input file and write the encrypted data to the
* output file. */
while ((len = fread(buffer, 1, sizeof buffer, in_file)) > 0)
{
if (!EVP_SealUpdate(&ctx, buffer_out, &len_out, buffer, len))
{
fprintf(stderr, "EVP_SealUpdate: failed.\n");
retval = 3;
goto out_free;
}
if (fwrite(buffer_out, len_out, 1, out_file) != 1)
{
perror("output file");
retval = 5;
goto out_free;
}
}
if (ferror(in_file))
{
perror("input file");
retval = 4;
goto out_free;
}
if (!EVP_SealFinal(&ctx, buffer_out, &len_out))
{
fprintf(stderr, "EVP_SealFinal: failed.\n");
retval = 3;
goto out_free;
}
if (fwrite(buffer_out, len_out, 1, out_file) != 1)
{
perror("output file");
retval = 5;
goto out_free;
}
out_free:
EVP_PKEY_free(pkey);
free(ek);
out:
return retval;
}
int main(int argc, char *argv[])
{
FILE *rsa_pkey_file;
int rv;
if (argc < 2)
{
fprintf(stderr, "Usage: %s <PEM RSA Public Key File>\n", argv[0]);
exit(1);
}
rsa_pkey_file = fopen(argv[1], "rb");
if (!rsa_pkey_file)
{
perror(argv[1]);
fprintf(stderr, "Error loading PEM RSA Public Key File.\n");
exit(2);
}
rv = do_evp_seal(rsa_pkey_file, stdin, stdout);
fclose(rsa_pkey_file);
return rv;
}
The code you've posted illustrates nicely why you should use the higher-level functions - you've fallen into a couple of pitfalls:
rand() is emphatically not a cryptographically strong random number generator! Generating your symmetric key using rand() is enough to make the entire system completely insecure. (The EVP_*() functions generate the necessary random numbers themselves, using a cryptographically strong RNG, seeded from an appropriate entropy source).
You are setting the IV for CFB mode to a fixed value (zero). This negates any advantage of using CFB mode in the first place (allowing attackers to trivially perform block-replacement attacks and worse). (The EVP_*() functions generate an appropriate IV for you, when required).
RSA_PKCS1_OAEP_PADDING should be used if you're defining a new protocol, rather than interoperating with an existing protocol.
The corresponding decryption code, for posterity:
#include <stdio.h>
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/err.h>
#include <arpa/inet.h> /* For htonl() */
int do_evp_unseal(FILE *rsa_pkey_file, FILE *in_file, FILE *out_file)
{
int retval = 0;
RSA *rsa_pkey = NULL;
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_CIPHER_CTX ctx;
unsigned char buffer[4096];
unsigned char buffer_out[4096 + EVP_MAX_IV_LENGTH];
size_t len;
int len_out;
unsigned char *ek;
unsigned int eklen;
uint32_t eklen_n;
unsigned char iv[EVP_MAX_IV_LENGTH];
if (!PEM_read_RSAPrivateKey(rsa_pkey_file, &rsa_pkey, NULL, NULL))
{
fprintf(stderr, "Error loading RSA Private Key File.\n");
ERR_print_errors_fp(stderr);
retval = 2;
goto out;
}
if (!EVP_PKEY_assign_RSA(pkey, rsa_pkey))
{
fprintf(stderr, "EVP_PKEY_assign_RSA: failed.\n");
retval = 3;
goto out;
}
EVP_CIPHER_CTX_init(&ctx);
ek = malloc(EVP_PKEY_size(pkey));
/* First need to fetch the encrypted key length, encrypted key and IV */
if (fread(&eklen_n, sizeof eklen_n, 1, in_file) != 1)
{
perror("input file");
retval = 4;
goto out_free;
}
eklen = ntohl(eklen_n);
if (eklen > EVP_PKEY_size(pkey))
{
fprintf(stderr, "Bad encrypted key length (%u > %d)\n", eklen,
EVP_PKEY_size(pkey));
retval = 4;
goto out_free;
}
if (fread(ek, eklen, 1, in_file) != 1)
{
perror("input file");
retval = 4;
goto out_free;
}
if (fread(iv, EVP_CIPHER_iv_length(EVP_aes_128_cbc()), 1, in_file) != 1)
{
perror("input file");
retval = 4;
goto out_free;
}
if (!EVP_OpenInit(&ctx, EVP_aes_128_cbc(), ek, eklen, iv, pkey))
{
fprintf(stderr, "EVP_OpenInit: failed.\n");
retval = 3;
goto out_free;
}
while ((len = fread(buffer, 1, sizeof buffer, in_file)) > 0)
{
if (!EVP_OpenUpdate(&ctx, buffer_out, &len_out, buffer, len))
{
fprintf(stderr, "EVP_OpenUpdate: failed.\n");
retval = 3;
goto out_free;
}
if (fwrite(buffer_out, len_out, 1, out_file) != 1)
{
perror("output file");
retval = 5;
goto out_free;
}
}
if (ferror(in_file))
{
perror("input file");
retval = 4;
goto out_free;
}
if (!EVP_OpenFinal(&ctx, buffer_out, &len_out))
{
fprintf(stderr, "EVP_OpenFinal: failed.\n");
retval = 3;
goto out_free;
}
if (fwrite(buffer_out, len_out, 1, out_file) != 1)
{
perror("output file");
retval = 5;
goto out_free;
}
out_free:
EVP_PKEY_free(pkey);
free(ek);
out:
return retval;
}
int main(int argc, char *argv[])
{
FILE *rsa_pkey_file;
int rv;
if (argc < 2)
{
fprintf(stderr, "Usage: %s <PEM RSA Private Key File>\n", argv[0]);
exit(1);
}
rsa_pkey_file = fopen(argv[1], "rb");
if (!rsa_pkey_file)
{
perror(argv[1]);
fprintf(stderr, "Error loading PEM RSA Private Key File.\n");
exit(2);
}
rv = do_evp_unseal(rsa_pkey_file, stdin, stdout);
fclose(rsa_pkey_file);
return rv;
}
Actually, no problem, I have just read that basically, the RSA object is a structure that contains both public and private fields. One can extract the public field data and only send that to Bob.
I.e. basically, to extract the public fields from rsa and store each in two different buffers (which are char arrays and can then be sent to Bob), you do:
sprintf(keyBufferA,"%s\r\n",BN_bn2hex(rsa->n));
sprintf(keyBufferB,"%s\r\n",BN_bn2hex(rsa->e));
And then Bob, on the receiving end, reconstructs as follows:
rsa = RSA_new();
BN_hex2bn(&rsa->n, keybufA);
BN_hex2bn(&rsa->e, keybufB);
Bob can then use rsa* to publicly encrypt the symmetric cypher key which can then be sent to Alice. Alice can then decrypt with the private key
Ben.
I write two examples around CAF's code. They are heavily modifed and uses OpenSSL's BIO container for more abstraction.
One example uses a file as input and the other example uses a string buffer. It uses RSA and DES, however you can easily change it from the code. Compile instructions are inside the code. I needed a working example, I hope someone find this useful. I also commented the code. You can get it from here:
Take file as input:
https://github.com/farslan/snippets/blob/master/hybrid_file.c
Take string buffer as input:
https://github.com/farslan/snippets/blob/master/hybrid_data.c
Thanks #Caf. Your post helped. However I got
The program '[7056] Encryption2.exe: Native' has exited with code -1073741811 (0xc000000d) for the line
PEM_read_RSA_PUBKEY(rsa_pkey_file, &rsa_pkey, NULL, NULL)
I changed to
BIO *bio;
X509 *certificate;
bio = BIO_new(BIO_s_mem());
BIO_puts(bio, (const char*)data);
certificate = PEM_read_bio_X509(bio, NULL, NULL, NULL);
EVP_PKEY *pubkey = X509_get_pubkey (certificate);
rsa_pkey = EVP_PKEY_get1_RSA(pubkey);
Where data has the PEM file with only public key. My challenge was to encrypt in C++ and decrypt in java. I transmitted the base64 encoded ek of size eklen (i did not use eklen_n) and decrypted to get the AES key using the RSA private key. Then I decrypted the cipher file using this AES key. It worked fine.