Creating message with SHA256 RSA 2048 bits

I have to create an application that must send a message with SHA256 RSA 2048 bits and receive messages to decrypt. Can I use TMS Cryptography Pack for it? Is it a part of the UI pack or do I have to buy it separately?

TMS Cryptography Pack is a separate product. It is not part of TMS VCL UI Pack.
The support center category for it is:

Thank you for your answer. I tried to open a new ticket in Cryptography Pack but this button is disabled, so I try it this way.

When I use Chilkat I can encrypt and decrypt a message without problems. But we're using TMS components, so it's logical to get it to work in the Cryptography Pack.
If I convert my message to rsa 2056, there's a difference in the encrypted message (TMS and chilkat are not the same). Also when I want to decrypt, procedure RSA.FromPrivateKey() gives an error message: raised exception class ECryptoPack with message 'RSA Key Length not supported'.

How do I get the same results with my chilkat demo?

this is the result of chilkat:

encrypted

xIawYWsk1clicyOxSn6PyHPmvHcBMqXDw9f+ExpjttwgDOCujBwj2rllhaeISRvWzCM2IfqMqG/DqpM5GE1UlF4hsqCz6OrbgZh7qg9YFXAV4HFzHLdpb3CLKvbmyNydyPJ9MjYoVJqzC3RrNVCJ5rND4R/EbgGg/KlXFxLC3KcD/CsnUd+A94a9OGjq5r9HWrMjGXiCwVvBIwz8pSQ51VCfkXLHFE6Td6SjJveIL4nz6VtrNdtfKvEMmCTK9CG2d1/fadHir4CVPYY7HP4k0Wnq9cZnwRuGr2amArd+oQGSkpOHWTiTR5DuczPPM1r1pNFWCtXFUcsc8zYx+gDhjg==

decrypted

Dit is mijn eerste bericht

This is my code in Delphi with TMS

procedure TForm1.Button1Click(Sender: TObject);
var publickey  : string;
    privatekey : string;
    Mijnbericht: string;
    rsa, rsa2 : TRSAEncSign;

begin
  rsa  := TRSAEncSign.create;
  rsa2 := TRSAEncSign.create;
  publickey := '';
  privatekey := '';
  for var t1 := 0 to mmopublic.Lines.Count - 1 do
    publickey := publickey + mmopublic.Lines[t1];
  for var t2 := 0 to mmoprivate.Lines.Count - 1 do
    privatekey := privatekey + mmoprivate.Lines[t2];
  mijnbericht := 'Dit is mijn eerste bericht';

  RSA.KeyLength := kl2048;
  RSA.OutputFormat := base64;
  RSA.Unicode := yesUni;
  RSA.FromPublicKey(publickey);

//  RSA.encType := TRSAEncType(0);
  mmoencrypt.lines.Text := RSA.Encrypt(mmoplain.lines.text);

  RSA.KeyLength := kl2048;
  RSA.OutputFormat := base64;
  RSA.Unicode := yesUni;
  RSA.FromPrivateKey(privatekey);
  MMOPlain.lines.Text := RSA.Decrypt(mmoencrypt.lines.text);

  rsa.free;
  rsa2.free;

end;

Hi Pieter,
Do you confirm you are using RSA 2056 with Chilkat?
"If I convert my message to rsa 2056, there's a difference in the encrypted message"
Regards,
bernard

I'm sorry. Should be 2048. My mistake

No problem.

Not knowing Chilkat, the next question is: what is their key format? Is it identical (including byte ordering) to TMS CP RSA key format?

I looked at my code again and noticed it was generating its own public and private keys, which it shouldn't be.

Back to the basics.
I have a public and private key in string format. This is what I want to use. With the Chilkat tool I created this code:

procedure TForm2.Button1Click(Sender: TObject);
var
rsa: HCkRsa;
success: Boolean;
plainText: string;
rsaEncryptor: HCkRsa;
usePrivateKey: Boolean;
encryptedStr: PWideChar;
rsaDecryptor: HCkRsa;
decryptedStr: PWideChar;
jsontext : string;
mysignature : string;
signatureEncoded : string;


pubKey: HCkPublicKey;
sbPem: HCkStringBuilder;

privKey: HCkPrivateKey;
sbPem2: HCkStringBuilder;


begin
//unlock;

// read the public key from the memo
pubKey := CkPublicKey_Create();
sbPem := CkStringBuilder_Create();
CkStringBuilder_AppendLine(sbPem,'-----BEGIN PUBLIC KEY-----',True);
for var t  := 0 to mmopublic.lines.Count - 1 do
  CkStringBuilder_AppendLine(sbPem,pchar(mmopublic.lines[t]),True);
CkStringBuilder_AppendLine(sbPem,'-----END PUBLIC KEY-----',True);

success := CkPublicKey_LoadFromString(PubKey,CkStringBuilder__getAsString(sbPem));
if (success <> True) then
begin
  mmolog.Lines.Add(CkPublicKey__lastErrorText(PubKey));
  Exit;
end;

// read the private key
privKey := CkPrivateKey_Create();

sbPem2 := CkStringBuilder_Create();
CkStringBuilder_AppendLine(sbPem2,'-----BEGIN RSA PRIVATE KEY-----',True);
for var t  := 0 to mmoprivate.lines.Count - 1 do
  CkStringBuilder_AppendLine(sbPem2,pchar(mmoprivate.lines[t]),True);
CkStringBuilder_AppendLine(sbPem2,'-----END RSA PRIVATE KEY-----',True);

success := CkPrivateKey_LoadPem(privKey,CkStringBuilder__getAsString(sbPem2));
if (success <> True) then
begin
  mmolog.Lines.Add(CkPrivateKey__lastErrorText(privKey));
  Exit;
end;

mmoencrypted.lines.Clear;
mmoDecrypted.lines.Clear;
mmojson.lines.Clear;

rsa := CkRsa_Create();
plainText := 'Dit is mijn eerste bericht';

var MyBase64 : string := plaintext ; //TBase64Encoding.base64.Encode(plainText);

// Start with a new RSA object to demonstrate that all we
// need are the keys previously exported:
rsaEncryptor := CkRsa_Create();

// Encrypted output is always binary.  In this case, we want
// to encode the encrypted bytes in a printable string.
// Our choices are "hex", "base64", "url", "quoted-printable".
CkRsa_putEncodingMode(rsaEncryptor,'base64');

// We'll encrypt with the public key and decrypt with the private
// key.  It's also possible to do the reverse.
success := CkRsa_ImportPublicKeyObj(rsaEncryptor,pubKey);

usePrivateKey := false;
encryptedStr := CkRsa__encryptStringENC(rsaEncryptor,pchar(MyBase64),usePrivateKey);
mmoencrypted.Lines.text := encryptedStr;

mysignature :=  'administratie@gsn.nl' + 'staging@infomedics.nl';

signatureEncoded := sign2(mysignature, encryptedStr);

// Now decrypt:
rsaDecryptor := CkRsa_Create();

CkRsa_putEncodingMode(rsaDecryptor,'base64');
success := CkRsa_ImportPrivateKeyObj(rsaDecryptor,privKey);

usePrivateKey := True;
decryptedStr := CkRsa__decryptStringENC(rsaDecryptor,encryptedStr,usePrivateKey);

mmodecrypted.Lines.text := decryptedStr; //TBase64Encoding.base64.Decode(decryptedStr);

CreateJSon(JSONText, signatureEncoded);
startrequest(JSonText);

mmojson.lines.Text := JSONText;

CkRsa_Dispose(rsa);
CkRsa_Dispose(rsaEncryptor);
CkRsa_Dispose(rsaDecryptor);
CkPublicKey_Dispose(pubKey);
CkPrivateKey_Dispose(privKey);
CkStringBuilder_Dispose(sbPem);
CkStringBuilder_Dispose(sbPem2);

end;


function TForm2.Sign2(aSignature : string; aEncrypted : string) : string;
var
privKey: HCkPrivateKey;
success: Boolean;
sbPem: HCkStringBuilder;
rsa: HCkRsa;
strSigned: PWideChar;
strOriginal: PWideChar;

begin
//  This requires the Chilkat API to have been previously unlocked.
//  See Global Unlock Sample for sample code.

privKey := CkPrivateKey_Create();

sbPem := CkStringBuilder_Create();
CkStringBuilder_AppendLine(sbPem,'-----BEGIN RSA PRIVATE KEY-----',True);
for var t  := 0 to mmoprivate.lines.Count - 1 do
  CkStringBuilder_AppendLine(sbPem,pchar(mmoprivate.lines[t]),True);
CkStringBuilder_AppendLine(sbPem,'-----END RSA PRIVATE KEY-----',True);

success := CkPrivateKey_LoadPem(privKey,CkStringBuilder__getAsString(sbPem));
if (success <> True) then
  begin
    mmolog.Lines.Add(CkPrivateKey__lastErrorText(privKey));
    Exit;
  end;

rsa := CkRsa_Create();

success := CkRsa_ImportPrivateKeyObj(rsa,privKey);
if (success <> True) then
  begin
    Mmolog.Lines.Add(CkRsa__lastErrorText(rsa));
    Exit;
  end;

var test : string := aSignature + aEncrypted;

//CkRsa_putCharset(rsa,'iso--8859-1');
CkRsa_putEncodingMode(rsa,'base64');
strSigned := CkRsa__SignStringENC(rsa,pwidechar(test),'sha256');

mmosignature.Lines.text := strSigned;

result := string(strSigned);

CkPrivateKey_Dispose(privKey);
CkStringBuilder_Dispose(sbPem);
CkRsa_Dispose(rsa);

end;

With this code I can read my public/private key from a string, encode a message with the public key and sign it with my private key using the Chilkat tool. Is it possible to do this with TMS?

TMS is much faster than Chilkat and I want to use its RSA because all other components we're using are from TMS.

You will need to use:
procedure FromOpenSSLPrivateKey(filePath: string); to import a key pair from an OpenSSL private key (PEM format)
and then sign with the extracted private key.
I don't understand what you mean by " encode a message with the public key".

Let me try it in Dutch for a moment. If that's not possible, I'll translate the story into English.

We have built a REST server through which messages can be sent between different applications. For example, a dentist with package A can communicate with an orthodontist with package B. This message is encrypted. For that I need a public key and a private key. To keep everything secure, the message is based on encryption. All encryption and signing is done using (OpenSSL) SHA256 RSA 2048 bits. When I send a message, I use the public key. This is not a file but a string (although I'm not sure it will stay that way). The REST server also expects a signature. This is built from the e-mail addresses of the sender and the recipient and the encrypted message. It is encrypted with the private key. Once all of this is arranged, a JSON is sent to the REST server.

I have this working with the Chilkat tool. However, I want to do this with TMS (also because of the speed). The demo does have an RSA option, but it complains about the length of the private key. When I copy and paste it into the right fields, it is truncated, so there is no complete key.

My question: how do I achieve this with TMS, and is there a good example of it?

Most likely, the key is not a 2048 string and you get an error message. Do you try to use a base64 encoded key from OpenSSL?

I don't think we understand each other.

(This is an example and not the real one)
I have a public key file:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuI+xw3/UV5X1xPPKwSzw
34PFf4o+YiAGLC4ps6cOgJWW+O4jmcBfyNPg3+OC/nWLmMFK+D30R43BCKPfYHpZ
jFOfOI4j5T0KuZIPcxGAbzyoVvHOWy+v8mdKQBqFttC9hOaCo4SMrPvBJkqtxybC
JJcrfrO8cnBynUD7dTmQkIGQts6+nvLduHANAXGb7Z0algHgldNdWvwAvp5IGynO
51N/TiGAFUNFY4rboOStvtPbQLChcLuPSy7/JvEphB+1bMHzl1XbBoYt2hbO6mQm
lg/elA2e04EsisV0FAb9L+jm1g97BVOAI21yAMMq4h7gOjDsF+qNwQ5XSTZU8RgM
MQIDAQAB
-----END PUBLIC KEY-----

the private key file

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Can I read these two files with the TMS components and encode text with the public key file and sign it with the private key file?

You will need to use the following procedures from the TRSAEncSign class:

  • procedure FromCertificateFile(CertFile: string); import a public key from a PEM certificate file
  • procedure FromPrivateKeyFile(KeyFile: string); import a private key from a PEM private key file

and then sign with the extracted private key. The public key is used to verify your signature and shall be provided to whomever needs to verify it.

Okay.
Is it also possible to use a stream?
My problem is that every receiver has his own public key. With this key a message will be encrypted. It's not logical to save the public key from the message server and to read it as PEM to encrypt the message.

Unfortunately, you can't use a stream with this procedure.

Okay. I load the public and private keys from a (PEM) file. It's working when I encrypt a single line. But when I have a JSON to encrypt, the following message occurs:

exception class ECryptoPack with message 'error : in RSA, the message is too long!'.

But my JSON is not very long and can have more characters (especially by info:).

This is my JSON

{
    "Message": {
        "Type": "test",
        "Version": "1"
    },
    "Patient": {
        "Id": 1,
        "Check": ""
    },
    "Project": {
        "Id": 1,
        "Status": "1",
        "Info": "Dit is een test met TMS RSA"
    }
}

Why can't I encrypt this file? Do I get the same error when I sign it?

I use this piece of code:

procedure TTMSRSA.EncryptMessage(aAfzender : TAfzender; const aKey : String; const aOntvanger, PlainText : string);
var rsa       : TRSAEncSign;
    Afzender  : string;
begin
  Afzender := aAfzender.email;
  rsa  := TRSAEncSign.create;
  RSA.KeyLength := kl2048;
  RSA.OutputFormat := base64;
  RSA.Unicode := yesUni;
  RSA.FromPublicKeyFile(akey);
  RSA.FromPrivateKeyFile('c:\temp\myprivate.key');
  fEncodedMsg := RSA.Encrypt(plaintext);
  var mysignature : string :=  Afzender + aOntvanger;
  mysignature := mysignature + fEncodedMsg;
  RSA.signType := TRSASignType(base64);
  fsignatureEncoded := RSA.Sign(mysignature);
  rsa.free;
end;

This error usually stems from a padding issue.

RSA is not meant to encrypt data, although you can encrypt anything with it. It is very slow compared to a symmetric encryption algorithm such as AES.

If you do want to encrypt, you need to do so with the recipient's public key. This recipient can then decrypt with his/her private key. You may want to add:

rsa.encType := oaep;

in your code before you encrypt.

Signing uses the sender's private key and can be verified by anyone who has the signer's public key.

I know that, Bernard, and all this comes from the management. It should be compatible with other applications. The message will be independently read without notice of the application itself.

Your option to choose oaep does not resolve the problem. With base64 the REST server can check if the payload and signing are compatible. The REST server is Linux / PHP.

Is there a maximum number of characters in TMS? Chilkat is just doing fine.

In our C code, the limit is checked with the module size and the padding size:

if (messageLength > modulusSizeBytes - paddingSizeByte) {
	return RSA_MESSAGE_TOO_LONG_XX;
}

XX is a function identifier as there are several locations where this condition is checked.
Basically, I don't know how to fix your problem, except for slicing the initial message or writing a completely new function.
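
The length check quoted above, worked through for a 2048-bit key and the JSON from this thread, as an added example that is not part of the original posts and is not TMS or Chilkat code. The padding overheads are the RFC 8017 values for PKCS#1 v1.5 and OAEP; treating `Unicode := yesUni` as UTF-16 encoding is an assumption, as is the use of PKCS#1 v1.5 encoding for the SHA-256 signature.

```python
import hashlib
import json

def max_plaintext_len(modulus_bits, padding="pkcs1v15", hash_len=20):
    """Largest message (bytes) one RSA encryption can take (RFC 8017)."""
    k = modulus_bits // 8                      # modulus size in bytes
    if padding == "pkcs1v15":
        return k - 11                          # 00 02 | >=8 random bytes | 00
    if padding == "oaep":
        return k - 2 * hash_len - 2            # hash_len: 20 = SHA-1, 32 = SHA-256
    raise ValueError("unknown padding: " + padding)

def fits(data, modulus_bits=2048, padding="pkcs1v15", hash_len=20):
    """Same comparison as the C check: length vs. modulus minus padding."""
    return len(data) <= max_plaintext_len(modulus_bits, padding, hash_len)

# DER DigestInfo header for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_sha256(message, modulus_bits=2048):
    """Block that the RSA private-key operation sees when signing."""
    k = modulus_bits // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()   # always 51 bytes
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

# Constructed sample: the JSON from the thread, rebuilt as a Python dict.
PAYLOAD = {
    "Message": {"Type": "test", "Version": "1"},
    "Patient": {"Id": 1, "Check": ""},
    "Project": {"Id": 1, "Status": "1", "Info": "Dit is een test met TMS RSA"},
}
PRETTY = json.dumps(PAYLOAD, indent=4)                 # layout as posted
COMPACT = json.dumps(PAYLOAD, separators=(",", ":"))   # whitespace removed

def report():
    """(byte length, fits PKCS#1 v1.5, fits OAEP/SHA-1) per layout and encoding."""
    rows = {}
    for name, text in (("pretty", PRETTY), ("compact", COMPACT)):
        for enc in ("utf-8", "utf-16-le"):
            data = text.encode(enc)
            rows[(name, enc)] = (len(data), fits(data), fits(data, padding="oaep"))
    return rows

if __name__ == "__main__":
    print("limits:", max_plaintext_len(2048), max_plaintext_len(2048, "oaep"),
          max_plaintext_len(2048, "oaep", 32))
    for key, row in report().items():
        print(key, row)
    # Signing pads the 32-byte digest, not the message, so input size is irrelevant.
    block = emsa_pkcs1_v15_sha256((PRETTY * 100).encode("utf-8"))
    print("signature input block:", len(block), "bytes")
```

Encoded as UTF-16 the JSON exceeds every limit even with whitespace removed, while the compact UTF-8 form fits in a single RSA block. The signing step always produces a block of exactly the modulus size, because only the SHA-256 digest is padded.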