RSA encryption compatibility problem

Hi!

I use RSA encryption in server authorization request. For version 4.3.3 works good. After upgrade to 5.0.6 server rejects my request with message "Incorrect encryption". When this happen I tryed to test compatibility RSA encryption between demos for both versions. When generate public and private keys and encrypt test data in demo 4.3.3 it is unable decrypt it in demo 5.0.6. When try to decrypt demo display folowing message:

Hi,
What are the outputFormat value in 4.3.3 and the inputFormat and outputFormat values in 5.0?

Hi!

In both version OutputFormat = Base64. I can't see settings for InputFormat in 5.0.6 demo.

Make sure your key pair and message are in base64 in 5.0, then:

RSA.inputFormat := base64; // if you change this, make sur that YourMessage and the keys have the selected format
RSA.outputFormat := base64;

Either generate a key pair or:
RSA.publicKey := YourPublicKey;
RSA.privateKey := YourPrivateKey;

RSA.Sign(YourBase64Message, YourBase64Signature)

To verify, rekey (keys are converted when used):
RSA.publicKey := YourPublicKey;
RSA.privateKey := YourPrivateKey;

IntegerValue := RSA.verify(YourBase64Message, YourBase64Signature);
IntegerValue must be 0

There is no inputFormat property in 4.3.3 and it may be the reason for the mismatch between the two versions as the key/message formats have to match the one for inputFormat in 5.0

Hi!

O.K. I use RSA to encrypt (not sign) AES Key used to encrypt transfered data. Result in Base64 format is part of request to server. For version 4.3.3 works folowing code:

function TXmlInitReq.EncryptAesKeyByRSA(AES_Key : String) : String ;
var
RSAEnc : TRSAEncSign ;

begin
RSAEnc := TRSAEncSign.Create ;

try
RSAEnc.KeyLength := kl2048 ;
RSAEnc.OutputFormat := base64 ;
RSAEnc.Unicode := noUni ;
RSAEnc.EncType := epkcs1_5 ;
RSAEnc.FromPublicKeyFile('publicKey.pem') ;

Result := RSAEnc.Encrypt(AES_Key) ;

finally
RSAEnc.Free ;
end ; { try .. finally }

end ; { TXmlInitReq.EncryptAesKeyByRSA }

AESKey is string 32bytes ASCII
PublicKey is file in format *.PEM

Please tell me what I must change in this code to get result like in v4.3.3

What is the format of the AES key? Raw string (256 bits) or hex string (128 bits)?

If raw:
conv: TConvert;
MyKey: string;

conv := TConvert.Create(base64);
MyKey := conv.CharToFormat(AES_Key);
conv.Free;

Result := RSAEnc.Encrypt(MyKey) ;

If hex:
conv := TConvert.Create(hexa);
MyKey := conv.FormatToChar(AES_Key);
conv.AType := base64;
MyKey := conv.CharToFormat(MyKey);
conv.Free;

Hi!

AESKey is raw 256bits

like this

AESKey := '123456789012345678901234567890AB' ;

InputFormat := base64 ;

Unfortunatelly Your last solution not help. Server stil report "Incorrect encryption"l

Do you know what hash function the server is expecting for RSA ?

Hi!

All I know is that RSA must comply with RSA/ECB/PKCS1Padding (PKCS#1).

OK. It is difficult to figure out what can go wrong without the code.
Can you send me your project file at bernard@tmssoftware.com?

Hi!

You want to send test request to server?

if you provide the code, yes.

Hi!

It's not that simple.

I can share the source code but it is not enough to send requests to the server. The application I am currently working on is used to communicate with the government's system for issuing invoices by entrepreneurs. Even to work in a test environment, it is required to register with the system and have a tax ID assigned by the tax administration and a qualified signature with the ID encoded in it. The signature is needed to authorize each request sent to the server. the request is in the format of an XML file, which, after filling in the data of the actual transmission, must be signed (XAdES/BES) and sent using REST to the test gateway.

Another problem is the interaction of the application with other applications in my package. All in all, it's a rather complex system of several databases from which data is collected and sent.

I can send a sample invoice and Unit, which compresses it, encrypts it and builds the request to the server but I can only send it by having a test environment set up. I undertake to send any number of sample requests.

To close this issue, here is the explanation.

The error was due to a double conversion in LoadFromPublicKeyFile that was useless and causing the the public exponent to be in base64 (because outputFormat was set to base64) instead of being #1#0#1 (X509 mandatory value). Then encryption was giving a valid result for the incorrect public exponent but definitely invalid for #1#0#1. So decryption with the expected public exponent was failing on the server side.

Version 5.0.8 fixes this and has other features:

  • ed511187 added back
  • SHA3 fixes in XOF functions
  • AES fix in EncryptStream (key conversion)
  • RSA fix in LoadFromPublicKeyFile (as described)
  • AES performance improvement