are able to do it with:
openssl-1.0.2u-x64_86-win64\openssl.exe rsautl -oaep -encrypt -pubin -inkey test.pem -in req.txt -out req.sign
openssl.exe base64 -A -in req.sign -out res.txt
but are getting error: RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error
from supplier, so some thought on this?
I've tried all kind of combination without any luck.
I cant get it to work, but I've tried by creating a sample project:
object rsa: TRSAEncSign
Version = '4.3.3.0'
pssSaltLen = 0
Left = 304
Top = 224
end
procedure test;
var
s,pw:string;
fs:TMemoryStream;
begin
pw := 'my test text';
RSA.withOpenSSL := true;
RSA.FromPublicKeyFile('public-key.pem');
s := rsa.Encrypt(pw);
fs := TMemoryStream.Create;
fs.Size := length(s) div 2;
HexToBin(pansichar(s),fs.Memory,fs.Size);
fs.SaveToFile('C:\openssl\test\encoded.txt');
end;
I couldn't make it work either, so I tried to decrypt with TMS CP and found and issue with the key format in SetPrivateExponent. A key provided in hex shall not be converted to hex again.
Once fixed, I could decrypt.
I'll do more tests to understand what's wrong.
Hi, thank you for new version, but still i cant get this to work, so tried with the demo i made over, outcome of openssl is:
10616:error:04065084:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data too large for modulus:.\crypto\rsa\rsa_eay.c:519:
tried with the demo application to encrypt and decrypt base64 code between openssl and application but failes all the time. Could you verify a working setup for rsa 2048 oaep with a public/private pem certificate?
begin
pw := 'my test text';
RSA.withOpenSSL := true;
RSA.FromPublicKeyFile('public-key.pem');
s := rsa.Encrypt(pw);
fs := TMemoryStream.Create;
fs.Size := length(s) div 2;
HexToBin(pansichar(s),fs.Memory,fs.Size);
fs.SaveToFile('C:\openssl\test\encoded.txt');
end;
The error message looks like the outcome of a conversion (or lack of) issue.
And also, nothing to do with your example, but the RSACore.pas file needs to be edited on line 2912:
writeln(S1, ':', S2, ':', S3); needs to be commented or deleted
This section is used to clock the sequence and is useless for normal use.
After a few conversion corrections, I get (using openSSL):
304C0000:error:02000079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error:crypto\rsa\rsa_oaep.c:308:
This needs to be investigated further as the OAEP padding doesn't seem to be correct.
Hello, I have now validated all modes (OAEP/PSS), key sizes (2048, 3072 and 4096) and hash algorithms (sha256, 384 and 512) combinations and TMS CP is fully interoperable with openSSL.
I will upload the updated source code today and it should be released next week.
did try to change inputtype to raw, but that just result in
openssl rsautl -inkey private-key.pem -decrypt -oaep -in test3.enc
RSA operation error
7204:error:04065084:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data too large for modulus:.\crypto\rsa\rsa_eay.c:519:
Sorry, I gave a PSS example instead of an OAEP example. Here is what i just did.
// DELPHI code
// encrypt with a public key
pw := 'my very long beautiful test text';
MyRSA.encType := oaep; // the other option is epkcs1_5;
MyRSA.FromOpenSSLPrivateKey('....\Cert\private-key4096.pem'); // The public key is in the list of keys and parameters - this one has 4096 bits
MyRSA.outputFormat := hexa; // that's the default value but we set it for the example
MyRSA.hashFunction := sha512; // 256 and 384 are valid options too
s := MyRSA.Encrypt(pw);
MainMemo.Lines.Add('Input text: ' + pw);
MainMemo.Lines.Add('Cryptogram: ' + s);
Conv := TConvert.Create(hexa);
s := Conv.FormatToChar(s);
o := Conv.StringToTBytes(s); // OpenSSL requires raw data
f := FileOpen('....\Cert\encoded4096.txt', fmOpenWrite); // We will decrypt this file with OpenSSL
I := FileWrite(f, o, 0, Length(o));
FileClose(f);
if I <> Length(o) then
MainMemo.Lines.Add('file not properly saved')
else
MainMemo.Lines.Add('encoded4096.txt properly saved');
// END DELPHI code
This is the OpenSSL command line to decrypt the file:
Note 1: sha512 is used twice: for the MGF1 and for the message digest.
Note 2: you cannot technically encrypt a message that is longer than the modulus size minus a constant that depends on the hash function that is used (because of the type of padding - see RFC 8017 for details). If you need to encrypt longer messages, you should use the AES
Thank you that made this clearer, but my main problem still exist, as the bank provider require an encrypted text with openssl rsautl -oaep -encrypt command, and that uses sha1
trying to use sha1 with your library fails. Would it be possible to get sha1 working too?