According to OpenSSL ChangeLog, OpenSSL 1.1.1 added support for EdDSA (which includes Ed25519). I'm running PHP 7.3.5 with OpenSSL 1.1.1b, which should support it. I tried to use an Ed25519 (the ones from https://www.rfc-editor.org/rfc/rfc8410#section-10.3). That got me the following error (as returned by openssl_error_string()) with the "Ed25519 private key without the public key" key.
error:0608D096:digital envelope routines:EVP_PKEY_sign_init:operation not supported for this keytype
The "Ed25519 private key encoded with an attribute and the public key" key got me a different error.
Warning: openssl_sign(): supplied key param cannot be coerced into a private key in /path/to/test.php on line 3 bad error:0D078094:asn1 encoding routines:asn1_item_embed_d2i:sequence length mismatch
This the code I used.
$r = openssl_sign('hello, world!', $signature, '-----BEGIN PRIVATE KEY-----
MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
Z9w7lshQhqowtrbLDFw4rXAxZuE=
-----END PRIVATE KEY-----');
echo $r ? 'good' : 'bad';
echo "\n";
echo openssl_error_string();
I guess PHP just doesn't yet support Ed25519.
I guess not, if we go by the documentation, it looks like the signing/verification requirements are different from the normal usage of the openssl library.
The Ed25519 and Ed448 EVP_PKEY implementation supports key generation,
one-shot digest sign and digest verify using PureEdDSA and Ed25519 or
Ed448 (see RFC8032).
and comments like:
The PureEdDSA algorithm does not support the streaming mechanism of other signature algorithms using, for example, EVP_DigestUpdate(). The message to sign or verify must be passed using the one-shot EVP_DigestSign() and EVP_DigestVerify() functions.
When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the digest type parameter MUST be set to NULL.
So, unless you can call the openssl api directly or can add more openssl glue functions to support one-shot signing/verification support then I guess not.
Related
I'm trying to make security communicate with S.A.M.(Secure Access Module)
Firstly I send this MSE:SET APDU for External Authenticate:
//83 is my private key's ID. F8 is algorithm identifier
OutgoingAPDU : 002281A4068001F8840183
ResponseSW1SW2 : 9000
Before send external auth. documents says encrypt with RSAES-OAEP PKCS #1 so I'm using this openssl command for encryption.
openssl_public_encrypt($dataForEncryption, $output, $publicKey['key'], OPENSSL_PKCS1_OAEP_PADDING);
//$firstPartOfData => first 488 of $output
//$secondPartOfData => last 24 of $output
//total $output is 512
First of all is that true padding for RSAES-OAEP PKCS #1.
And then external auth. APDU commands.
//strlen($firstPartOfData) = 488
OutgoingAPDU : 10820000F4.$firstPartOfData
ResponseSW1SW2 : 9000
//strlen($firstPartOfData) = 24
OutgoingAPDU : 008200000C.$secondPartOfData
ResponseSW1SW2 : 6982
Where am I missing ? Or where is the mistake. I could'n find out the problem.
RSA / OAEP requires the configuration of a type of Mask Generation Function to create the OAEP padding. This Mask Generation Function type has only one real member: MGF1, so in general this configuration is implicit (i.e. you don't have to configure it yourself). MGF1 itself however allows the user to configure the hash used internally. MGF1 uses SHA-1 by default (in a secure fashion) but it can be configured with SHA-256 or any other hash as well.
In your case OAEP with SHA-256 was used within the smart card, which will result in an error during decryption (the unpadding of the message after modular exponentiation with the private exponent) if you used the SHA-1 default in PHP.
To set the hash correctly you can use phpseclib with the following code:
$phpsec->setMGFHash('sha256');
$phpsec->setHash('sha256');
$phpsec->loadKey($cer["key"]);
$phpsec->encrypt($plaintext);
The error generated status word 6982 on the smart card. This is a rather badly chosen status word as it means "security conditions not satisfied", which you would expect if the access conditions for the decryption operation are not satisfied. However, ISO/IEC 7816-4 doesn't really specify when the status words should be generated (which is just stupid, but that's how it is).
I need to use pkcs8 private key in my project as example below, I can't found any library or method relate to pkcs8 signature only pkcs1 are available for the Crypto.Signature.
My python code example:
from Crypto.Signature import PKCS1_v1_5
from Crypto.Hash import SHA
from Crypto.PublicKey import RSA
privatekey='''-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOuxJs5RD6s2ECEV
C38Jfj6xBBrcX6W1Qy+GLiXhh+wKj650BPSerQNQI+XPx/+uUemk/dJM3RMm75Di
mXJlp7/5LY11VyKSqS+x6ELIvWz8lo2OhHW6/wU4jiQ1MlburYbn/pRRClGGA8i4
FjHMvMu9/QCNPlNTlf7qJDO6lDVlAgMBAAECgYB0iP76/DGXIgAPm2w3v+Xf8X5q
GZRhRqKVmO6wZDbkisRIKa1ZlitNfA6DzpzA2tw9fgrSNJcKpTHGnYPpgEHUQrcw
t471yuAvzAOBffaqVjIt7vKyL3QnkNfxWenliasacX3olwBpKPrkvG75H2KBe9S0
WKpju1Cm6MebAJ3z8QJBAP8gSx3l9nNTqJcBBmP+TGDcTL9Sif2nBZrU/pWnzzop
HolaFIQTYXPIj8rMoVT/c0gLo1gcdHoSUJTbB0WO7V8CQQDsf9FAWCI3fkWgS/fW
21ApO6B07/388CpNHOTjvfsdlent4yXLL+Guh5apMH4Oq0tkGkEij5YPG1EZSYXi
48+7AkEAiX3m3ZMMMXTZe5/CyOrIUL8I4WbjFP8JJzs4hICuTmLQoScZvWAQeeyR
ibKkE4GjqCUVf6u+Hfd20/ICRjtTswJANCjEh8JoWYDZ7k6S7KoV9eIWs3OyurRl
P/idarUdyxqjKzorvbJjvdBdpBbz1lxlFkDMGMk+OTq3GjKi+rVvvQJAGhBieR2Q
69JNeoOg7J8Xk7evNBJHwtJfRDQXKJpN5YZsKclf6oRaYFEQOM6ThuNoYHISfGKw
UbDoUsPZoQFPtQ==
-----END PRIVATE KEY-----'''
signstr = testdata123
key = RSA.importKey(privatekey)
h = SHA.new(signstr)
signer = PKCS1_v1_5.new(key)
signature = signer.sign(h)
sign = base64.b64encode(signature)
The signature generated by code above do not match the public key in the api system I am using.
For PHP side I am able to sign correctly. The working code for PHP as below:
$private_key= openssl_get_privatekey($private_key);
openssl_sign($signStr,$sign_info,$private_key,OPENSSL_ALGO_MD5);
$sign = base64_encode($sign_info);
Any advice on how to sign with RSA pkcs8 format private key using python is much appreciated.
Hash algorithm
Of course, it must be different, because you're using different hash algorithms.
Your Python code uses SHA-1 and your PHP code uses MD5. The default hash algorithm in PHP is OPENSSL_ALGO_SHA1 as the documentation describes:
if (!openssl_sign($signStr, $sign_info, $private_key)) {
echo "Failed to sign";
}
Key encoding
There are many ways of encoding a private key. Two of the most common ways are PKCS#1 and PKCS#8 encodings. See more information on that here.
The key encoding is not a concern here, because both pycrypto and openssl use the correct one here.
Padding
There are two common padding schemes that are used for signing: PKCS#1 v1.5 padding and RSA-PSS (technically RSASSA-PKCS1-V1_5 and RSASSA-PSS). Both of them are defined in PKCS#1, but the latter was introduced in PKCS#1 v2.x.
Pycrypto supports both padding schemes, but openssl only supports PKCS#1 v1.5 in PHP.
Compatibility
If you want to check for compatibility of the same algorithm between different languages, you need to sign in one using the private key and verify the signature in the other using the public key. After you've done that, you can try the other way around if you also need the other direction.
This is only relevant for RSA-PSS, because that is randomized.
If you're using PKCS#1 v1.5 padding which is not randomized, you should be able to create a signature in both Python and PHP and compare them directly to check for compatibility.
I have an OpenPGP message which looks something like this given to me in a file:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
jA0EAgMCtCzaGHIQXY9g0sBnAeDOQ9GuVA/uICuP+7Z2dnjNCLgRN0J/TzJs1qcW
aJYBTkH5KQCClCxjwTYbHZCox1sENfIS+KxpCKJQqAX3SNEFm0ORNE6RNwEgb1Zj
uOdIw8auxUsjmQKFLAcZIPKjBjyJqSQVfmEoteVn1n+pwm8RdIZevCHwLF2URStB
nBVuycaxcaxcaxcxccxcxacqweqweqwe123fsMqQPaTusOBGpEQrWC9jArtvYEUpY
aNF6BfQ0y2CYrZrmzRoQnmtnVu10PagEuWmVxCucyhVwlthVgN0iBog9jhjliQkc
rrDTupqB4IimMEjElGUHtkuvrCQ0jQnOHEAJmmefMDH0NkYKGd5Ngt21I5ge5tob
/uBjHKMxjNgg1nWfg6Lz4jqoKe/EweuEeg==
=+N9N
-----END PGP MESSAGE-----
and was given a 15 character passphrase to decrypt it, I suppose. But I really don't have any idea to decrypt the file using PHP. I take a look at PHP's GnuPG manual page and under the gnugpg_decrypt() example it gives this code:
$res = gnupg_init();
gnupg_adddecryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC","test");
$plain = gnupg_decrypt($res,$encrypted_text);
echo $plain;
So taking a look at this function gnupg_adddecryptkey, it mentioned I need a fingerprint. What is that actually? And where can I get it?
The fingerprint is a hash sum calculated on the public key and some meta data like key creation time. It is also returned after importing a key through gnupg_import as fingerprint attribute.
This is for public/private key cryptography, which you're seemingly not using: when encrypting with a passphrase, you're omitting the public/private key cryptography part and directly use symmetric encryption for the message, with a session key (sometimes also called cipher block or symmetric key) derived from your passphrase.
Symmetric encryption is not supported by PHP's GnuPG module. There are no functions to perform symmetric decryption, and this limitation is also described in the module's source documentation:
This class provides an object oriented interface to GNU Privacy Guard (GPG).
Though GPG can support symmetric-key cryptography, this class is intended only to facilitate public-key cryptography.
You will have to perform decryption manually by calling gpg. An example command line would be
gpg --symmetric --decrypt [file]
(alternatively, you can also provide the input through STDIN). For handing over the passphrase, have a look at GnuPG's --passphrase... options:
--passphrase-fd n
Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can
only be used if only one passphrase is supplied.
--passphrase-file file
Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase
stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it.
--passphrase string
Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use
this option if you can avoid it.
Be aware that all other users of a computer can read all other user's command line arguments, so especially for shared hosting platforms, --passphrase is a definite no-go.
This answer is compatible with not just PHP, but GnuGPG in general. To summarize Jens Erat's answer and adding the encryption step for anyone else who comes across this question, here's a solution, assuming a file exists called passwords.txt:
// encrypt
gpg --output passwords.gpg --symmetric passwords.txt
// decrypt
gpg —decrypt passwords.gpg
I'm creating a an X509 certificate using phpseclib and all of that seems to be fine. Once I've created the certificate, I save it down as a pkcs12 file in PHP using the private key associated with my certificate. However, once I read that file, the private key I get back is different. Shouldn't the key be the same?
For instance, let's say I call:
openssl_pkcs12_export_to_file($cert , $write_loc, $priv_key , $pass);
Works great, now when I read the file with:
openssl_pkcs12_read($write_loc, $certs, $pass);
The output in $certs['pkey'] differs from the $priv_key I passed to the export_to_file method above.
Surely they must be the same, or am I mixing up 2 completely different things?
Thank you!
I think what's going is explained at PHP RSA key creation
Basically, you're using a key that starts off with -----BEGIN RSA PRIVATE KEY----- and the key you're getting back starts off with -----BEGIN PRIVATE KEY-----.
The former is a PKCS1 formatted private key and the latter is a PKCS8 formatted private key. The latter has the private key type embedded within the base64-encoded data itself whereas the former has the private key type embedded in the human readable string.
Some versions of PHP / OpenSSL output the PKCS8 key and others output the PKCS1 key..
I have an applet that uses a "foo.key" file and a string password to generate a privateKey object, using BouncyCastle apis. Then a signature is created using this privateKey object and a string such as "MYNAMEHERE". All I know is that the algorythm used to generate this signature is RSA.
What I want to do is to decrypt (or verify) this signature in PHP. I have both files publicKey (file.cer) and privateKey (file.key) that where used to generate the privateKey object in Java.
Im trying using the openssl_verify functions in PHP, passing the values:
openssl_verify("MYNAMEHERE", $signature, "file.cer"), where $signature contains the String representation of the signature object generated in Java: new String (signature).
I dont know if this process is correct to verify the signature, or what kind of encoding/decoding process i have to do before using this function.
I hope somebody points me the right direction!
Thanks in advance!
You haven't given enough information, such as the actual signature or how it is encoded. Normally RSA means RSA in PKCS#1 1.5 mode using SHA-1 (Google it) which is more or less the default signature generation/verification algorithm in use today. In that case, the verify should proceed as you've described. The password is not needed anymore, it might just be used to decrypt the private key. You can still use the private key to see if an sign in PHP/openssl does create the same data. If not, a different hash or PKCS#1 v2.1 signature may have been used.