PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP


revolct
After countless hours spent with this library I still can't get it to work.
I want to send S/MIME messages with the Bouncy Castle library, signed with RSASSA-PSS, encrypted with AES, where the key transport should be RSAES-OAEP, all P1#v2.1 with the SHA-256 hash function.

Signer first, this is how it's created:

    SMIMESignedGenerator gen = new SMIMESignedGenerator();
    SignerInfoGenerator signer = new JcaSimpleSignerInfoGeneratorBuilder()
            .setProvider("BC")
            .build("SHA256withRSAAndMGF1", pk.getPrivateKey(), pk.getCertificate());
    gen.addSignerInfoGenerator(signer);
    gen.addCertificates(certStore);
    MimeMultipart mmp = gen.generate(message);


So now when it should be signed, encrypting and using OAEP padding:

    OutputEncryptor enc = new BcCMSContentEncryptorBuilder(CMSAlgorithm.AES192_CBC).build();
    SMIMEEnvelopedGenerator gen = new SMIMEEnvelopedGenerator();

    for (X509Certificate nCert : certs) {
        RecipientInfoGenerator keyTransportRecipient =
                new JceKeyTransRecipientInfoGenerator(nCert).setProvider("BC")
                        .setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption, "RSA/ECB/OAEPWithSHA256AndMGF1Padding");
        gen.addRecipientInfoGenerator(keyTransportRecipient);
    }
    MimeBodyPart encryptedMimeBodyPart = gen.generate(message, enc);


I could not find the proper setAlgorithmMapping() description, so I tried the following combinations:

    .setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption, "RSA/NONE/PKCS1Padding");
    .setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption, "RSA/ECB/OAEPWithSHA256AndMGF1Padding");
    .setAlgorithmMapping(PKCSObjectIdentifiers.id_RSAES_OAEP, "RSA/ECB/OAEPWithSHA56AndMGF1Padding");


btw, can anyone please explain, what exactly this pattern means here -  "RSA/ECB/OAEPWithSHA256AndMGF1Padding"?
Am I right if the first param is the public key algorithm, second "ECB" is I suppose ECB AES mode? (I tried CBC mode also, but got no such algorithm exception, tried NONE also) And the last ("OAEPWithSHA56AndMGF1Padding") is apparently OAEP p1#v2.1, which I actually want.

So, at this point messages should be signed & encrypted.
When I check my mailbox now (with Thunderbird), it says: "Thunderbird cannot decrypt this message", "The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key."

But, when I was signing with old signer

    build("SHA256withRSAEncryption", pk.getPrivateKey(), pk.getCertificate()

and used the old key transport scheme, which was

    setProvider("BC").setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption, "RSA/NONE/PKCS1Padding");

everything worked fine. So apparently my self-signed x509 certificate is not the problem here, please correct me if I'm wrong here.

I also tested it with Outlook (2013)

Old scheme (SHA256withRSAEncryption signing + PKCS1Padding key transport) -> Everything is fine.

New scheme (SHA256withRSAAndMGF1 signing + RSA/ECB/OAEPWithSHA256AndMGF1Padding) -> "Your Digital ID name cannot be found by the underlying security system" Error.

At this point I have no idea what is actually wrong.
This is how I create certificate with openssl:

    openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -out certificate.cer -keyout private.key -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -passin pass:mypass -utf8 -config _openssl.cfg -extensions v3_req
    openssl pkcs12 -export -out certificate.pfx -name "testname" -inkey private.key -in certificate.cer









Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

David Hook-3
     
Something like the following would do the encryption correctly - where
the public key certificate doesn't contain the algorithm and parameters
you wish to use, you need to specify an AlgorithmIdentifier to be stored
against the key in the recipient. e.g.

        JcaAlgorithmParametersConverter paramsConverter = new JcaAlgorithmParametersConverter();

        // OAEP with SHA-256 as both the OAEP digest and the MGF1 digest
        OAEPParameterSpec oaepSpec = new OAEPParameterSpec("SHA-256", "MGF1",
                new MGF1ParameterSpec("SHA-256"), PSource.PSpecified.DEFAULT);
        AlgorithmIdentifier oaepAlgId = paramsConverter.getAlgorithmIdentifier(
                PKCSObjectIdentifiers.id_RSAES_OAEP, oaepSpec);

        edGen.addRecipientInfoGenerator(
                new JceKeyTransRecipientInfoGenerator(nCert, oaepAlgId).setProvider("BC"));

The purpose of setAlgorithmMapping() is to provide a mechanism where the
library can work out what algorithm to use in a provider where there is
no mapping in the provider for a given OID.

Regards,

David

On 05/04/17 16:02, revolct wrote:

> After countless hours spent with this library I still can't get it to work.
> I want to send smime messages with the bouncy castle library, signed with
> the RSASSA-PSS, encrypted with AES, where the key transport should be
> RSAES-OAEP, all P1#v2.1 with the SHA-256 hash function
>
> Signer first, this is how it's created:
>
> /    SMIMESignedGenerator gen = new SMIMESignedGenerator();
>            SignerInfoGenerator signer
>        = new JcaSimpleSignerInfoGeneratorBuilder()
>        .setProvider("BC")
>        .build("SHA256withRSAAndMGF1", pk.getPrivateKey(),
> pk.getCertificate()
>        );
>     gen.addSignerInfoGenerator(signer);
>        gen.addCertificates(certStore);
>        MimeMultipart mmp = gen.generate(message);/
>
> So now when it should be signed, encrypting and using OAEP padding:
>
> /        OutputEncryptor enc = new
> BcCMSContentEncryptorBuilder(CMSAlgorithm.AES192_CBC).build();
>             SMIMEEnvelopedGenerator gen = new SMIMEEnvelopedGenerator();
>            
>             for (X509Certificate nCert : certs) {
>                     RecipientInfoGenerator keyTransportRecipient =
>                     new
> JceKeyTransRecipientInfoGenerator(nCert).setProvider("BC").
>     setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption,
> "RSA/ECB/OAEPWithSHA256AndMGF1Padding");
>             gen.addRecipientInfoGenerator(keyTransportRecipient);
>             }
>                MimeBodyPart encryptedMimeBodyPart = gen.generate(message,
> enc);/
>
> I could not find the proper setAlgorithmMapping() description, so I tried the
> following combinations:
>
> /    .setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption,
> "RSA/NONE/PKCS1Padding");
>     .setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption,
> "RSA/ECB/OAEPWithSHA256AndMGF1Padding");
>     .setAlgorithmMapping(PKCSObjectIdentifiers.id_RSAES_OAEP,
> "RSA/ECB/OAEPWithSHA56AndMGF1Padding");/
>
> btw, can anyone please explain, what exactly this pattern means here -
> "RSA/ECB/OAEPWithSHA256AndMGF1Padding"?
> Am I right if the first param is the public key algorithm, second "ECB" is I
> suppose ECB AES mode? (I tried CBC mode also, but got no such algorithm
> exception, tried NONE also) And the last ("OAEPWithSHA56AndMGF1Padding") is
> apparently OAEP p1#v2.1, which I actually want.
>
> So, at this point messages should be signed & encrypted.
> When I check my mailbox now (with *Thunderbird*), it says: "Thunderbird
> cannot decrypt this message", "The sender encrypted this message to you
> using one of your digital certificates, however Thunderbird was not able to
> find this certificate and corresponding private key."
>
> But, when I was signing with old signer
>
> /    build("SHA256withRSAEncryption", pk.getPrivateKey(),
> pk.getCertificate()/
>
> and used the old key transport scheme, which was
>
>    /
> setProvider("BC").setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption,
> "RSA/NONE/PKCS1Padding");/
>
> everything worked fine. So apparently my self-signed x509 certificate is not
> the problem here, please correct me if I'm wrong here.
>
> I also tested it with *Outlook (2013)*
>
> /Old scheme (SHA256withRSAEncryption signing + PKCS1Padding key transport)/
> -> Everything is fine.
>
> /New scheme (SHA256withRSAAndMGF1 signing +
> RSA/ECB/OAEPWithSHA256AndMGF1Padding)/ -> "Your Digital ID name cannot be
> found by the underlying security system" Error.
>
> At this point I have no idea what is actually wrong.
> This is how I create certificate with openssl:
>
> /    openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -out
> certificate.cer -keyout private.key -sigopt rsa_padding_mode:pss -sigopt
> rsa_pss_saltlen:32 -passin pass:mypass -utf8 -config _openssl.cfg
> -extensions v3_req
>     openssl pkcs12 -export -out certificate.pfx -name "testname" -inkey
> private.key -in certificate.cer/
>
>
>
>
>
>
>
>
>
>
>
> --
> View this message in context: http://bouncy-castle.1462172.n4.nabble.com/PKCS-1-v2-1-Signing-with-RSASSA-PSS-Encrypting-with-AES-CBC-with-RSAES-OAEP-tp4658634.html
> Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.
>
>




Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

revolct
Thanks for the answer, David!
There must be something wrong though, could it be in my certificate maybe?

Here is the stack trace:

org.bouncycastle.mail.smime.SMIMEException: Encryption Error
        at mail.service.CustomerMail.encrypt(CustomerMail.java:552)
        at mail.service.CustomerMail.send(MailService.java:625)
        at mail.service.CustomerMail.run(MailService.java:195)
Caused by: org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator$WrappingIOException: org.bouncycastle.cms.CMSException: exception wrapping content key: unable to encrypt contents key
        at org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator$ContentEncryptor.write(Unknown Source)
        at org.bouncycastle.mail.smime.handlers.PKCS7ContentHandler.writeTo(Unknown Source)
        at javax.activation.ObjectDataContentHandler.writeTo(Unknown Source)
        at javax.activation.DataHandler.writeTo(Unknown Source)
        at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1593)
        at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1839)
        at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1815)
        at mail.service.CustomerMail.encrypt(CustomerMail.java:546)
        ... 2 more
Caused by: org.bouncycastle.cms.CMSException: exception wrapping content key: unable to encrypt contents key
        at org.bouncycastle.cms.KeyTransRecipientInfoGenerator.generate(Unknown Source)
        at org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.doOpen(Unknown Source)
        at org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.open(Unknown Source)
        ... 10 more
Caused by: org.bouncycastle.operator.OperatorException: unable to encrypt contents key
        at org.bouncycastle.operator.jcajce.JceAsymmetricKeyWrapper.generateWrappedKey(Unknown Source)
        ... 13 more
Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
        at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
        at javax.crypto.Cipher.init(Cipher.java:1245)
        ... 14 more

Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

David Hook-3

http://www.bouncycastle.org/wiki/display/JA1/Frequently+Asked+Questions

Question/Answer 1.

Regards,

David

On 06/04/17 16:59, revolct wrote:

> Thanks for the answer, David!
> There must be something wrong though, could it be in my certificate maybe?
>
> Here is the stack trace:
>
> org.bouncycastle.mail.smime.SMIMEException: Encryption Error
> at mail.service.CustomerMail.encrypt(CustomerMail.java:552)
> at mail.service.CustomerMail.send(MailService.java:625)
> at mail.service.CustomerMail.run(MailService.java:195)
> Caused by:
> org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator$WrappingIOException:
> org.bouncycastle.cms.CMSException: exception wrapping content key: unable to
> encrypt contents key
> at
> org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator$ContentEncryptor.write(Unknown
> Source)
> at org.bouncycastle.mail.smime.handlers.PKCS7ContentHandler.writeTo(Unknown
> Source)
> at javax.activation.ObjectDataContentHandler.writeTo(Unknown Source)
> at javax.activation.DataHandler.writeTo(Unknown Source)
> at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1593)
> at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1839)
> at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1815)
> at mail.service.CustomerMail.encrypt(CustomerMail.java:546)
> ... 2 more
> Caused by: org.bouncycastle.cms.CMSException: exception wrapping content
> key: unable to encrypt contents key
> at org.bouncycastle.cms.KeyTransRecipientInfoGenerator.generate(Unknown
> Source)
> at org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.doOpen(Unknown
> Source)
> at org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator.open(Unknown
> Source)
> ... 10 more
> Caused by: org.bouncycastle.operator.OperatorException: unable to encrypt
> contents key
> at
> org.bouncycastle.operator.jcajce.JceAsymmetricKeyWrapper.generateWrappedKey(Unknown
> Source)
> ... 13 more
> Caused by: java.security.InvalidKeyException: Illegal key size or default
> parameters
> at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
> at javax.crypto.Cipher.init(Cipher.java:1245)
> ... 14 more
>
>
>
> --
> View this message in context: http://bouncy-castle.1462172.n4.nabble.com/PKCS-1-v2-1-Signing-with-RSASSA-PSS-Encrypting-with-AES-CBC-with-RSAES-OAEP-tp4658634p4658645.html
> Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.
>
>



Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

revolct
Unfortunately, the JCE Unlimited Strength is installed.
System.out.println(Integer.MAX_VALUE == Cipher.getMaxAllowedKeyLength("RSA")); -> true

Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

David Hook-3
Not everywhere. There's no other explanation for this:

Caused by: org.bouncycastle.operator.OperatorException: unable to encrypt
contents key
        at
org.bouncycastle.operator.jcajce.JceAsymmetricKeyWrapper.generateWrappedKey(Unknown
Source)
        ... 13 more
Caused by: java.security.InvalidKeyException: Illegal key size or default
parameters
        at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
        at javax.crypto.Cipher.init(Cipher.java:1245)
        ... 14 more

If you're on Windows it's worth keeping in mind the default install puts
in 2 JVMs. One for development (the full JDK) and one for applications
(just a JRE).

Regards,

David

On 06/04/17 21:01, revolct wrote:

> Unfortunately, the JCE Unlimited Strength is installed.
> System.out.println(Integer.MAX_VALUE ==
> Cipher.getMaxAllowedKeyLength("RSA")); -> true
>
>
>
> --
> View this message in context: http://bouncy-castle.1462172.n4.nabble.com/PKCS-1-v2-1-Signing-with-RSASSA-PSS-Encrypting-with-AES-CBC-with-RSAES-OAEP-tp4658634p4658649.html
> Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.
>
>



Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

revolct
Didn't know that.
After I changed the local_policy and US_export_policy jars to the unlimited strength jars everywhere it worked!
Thank you very much, David!

Now I have the following problem: only outlook(2013) can access signed and encrypted mails, it's good on the encryption layer, but there is still an error on the signature layer - "Error: the message contents may have been altered."  And with Thunderbird I can't even open mails - "The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key. "

I don't think it's a Bouncy Castle related problem though. But if anyone knows a solution, I'd really appreciate any help.
Thanks again!

Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

revolct
In reply to this post by David Hook-3
I just tried "The Bat!" mail client and got the same invalid signature error, as it was in outlook, apparently there is something wrong with the signature. "This message has invalid signature: Error=-1073700864".
When I was looking through the pkcs7 I noticed that it doesn't contain the trailer Field parameter, although I'm not very good at this, may it be that the problem is here?
https://ghostbin.com/paste/pytgu






Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

David Hook-3

The definition for the parameters is:

RSASSA-PSS-params ::= SEQUENCE {
       hashAlgorithm      [0] OAEP-PSSDigestAlgorithms  DEFAULT sha1,
       maskGenAlgorithm   [1] PKCS1MGFAlgorithms  DEFAULT mgf1SHA1,
       saltLength         [2] INTEGER  DEFAULT 20,
       trailerField       [3] TrailerField  DEFAULT trailerFieldBC
 }

In ASN.1 "DEFAULT" is actually referring to an encoding rule - the idea
being that if the field value is the default value there is no need to
encode it. I don't believe anyone has defined an alternative trailer in
this case, so you would expect the field to be absent where the
structure has been DER encoded (of course if someone hasn't understood
that, that is another story...)

Regards,

David

On 12/04/17 22:29, revolct wrote:

> I just tried "The Bat!" mail client and got the same invalid signature error,
> as it was in outlook, apparently there is something wrong with the
> signature. "This message has invalid signature: Error=-1073700864".
> When I was looking through the pkcs7 I noticed that it doesn't contain the
> trailer Field parameter, although I'm not very good at this, may it be that
> the problem is here?
> https://ghostbin.com/paste/pytgu
>
>
>
>
>
>
>
>
>
> --
> View this message in context: http://bouncy-castle.1462172.n4.nabble.com/PKCS-1-v2-1-Signing-with-RSASSA-PSS-Encrypting-with-AES-CBC-with-RSAES-OAEP-tp4658634p4658675.html
> Sent from the Bouncy Castle - Dev mailing list archive at Nabble.com.
>
>
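
The encoding rule David describes above can be checked at the byte level. The following Python is an added example, not part of the thread or of Bouncy Castle: a minimal DER reader for RSASSA-PSS-params that fills in the DEFAULT value for every omitted field. The function names and both sample encodings are constructed for illustration.

```python
OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
             "1.2.840.113549.1.1.8": "mgf1"}
# What a verifier must assume for each field that is absent from the DER.
DEFAULTS = {"hashAlgorithm": "sha1", "maskGenAlgorithm": "mgf1(sha1)",
            "saltLength": 20, "trailerField": 1}  # 1 = trailerFieldBC
FIELDS = list(DEFAULTS)  # context tags [0]..[3] map to fields in this order


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def alg_name(alg_id):
    """Name an AlgorithmIdentifier; for MGF1 the parameter is its hash."""
    _, seq, _ = read_tlv(alg_id, 0)
    _, oid, nxt = read_tlv(seq, 0)
    name = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
    return f"{name}({alg_name(seq[nxt:])})" if name == "mgf1" else name


def parse_pss_params(der):
    """Return (effective parameters, fields that were explicitly encoded)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    params, explicit, pos = dict(DEFAULTS), [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if not 0xA0 <= tag <= 0xA3:  # EXPLICIT context tags [0]..[3] only
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        field = FIELDS[tag - 0xA0]
        params[field] = (alg_name(inner) if tag <= 0xA1
                         else int.from_bytes(read_tlv(inner, 0)[1], "big"))
        explicit.append(field)
    return params, explicit


# Constructed: SHA-256, MGF1 with SHA-256, saltLength 32, trailer left default.
SHA256_PSS = bytes.fromhex(
    "3034a00f300d06096086480165030402010500"
    "a11c301a06092a864886f70d010108300d06096086480165030402010500"
    "a203020120")
ALL_DEFAULTS = bytes.fromhex("3000")  # constructed: every field omitted
if __name__ == "__main__":
    print(parse_pss_params(SHA256_PSS), parse_pss_params(ALL_DEFAULTS))
```

For the SHA-256 sample the reader reports trailerField 1 although the encoding carries no `[3]` element, so a missing trailerField in a DER-encoded signature is expected rather than a sign of corruption.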



Re: PKCS #1 v2.1, Signing with RSASSA-PSS & Encrypting with AES CBC with RSAES-OAEP

martijn.list
In reply to this post by revolct
On 04/07/2017 09:08 AM, revolct wrote:

> Didn't know that.
> After I changed the /local_policy/ and /US_export_policy/ jars to the
> unlimited strength jars everywhere it worked!
> Thank you very much, David!
>
> Now I have the following problem: only outlook(2013) can access signed and
> encrypted mails, it's good on the encryption layer, but there is still an
> error on the signature layer - "Error: the message contents may have been
> altered."  And with Thunderbird I can't even open mails - "The sender
> encrypted this message to you using one of your digital certificates,
> however Thunderbird was not able to find this certificate and corresponding
> private key. "
>
> I don't think it's a Bouncy Castle related problem though. But if anyone
> knows a solution, I'd really appreciate any help.
> Thanks again!

The problem I think is that most S/MIME clients do not support
RSASSA-PSS. The only tool (besides BC) I found that supports verifying
S/MIME RSASSA-PSS signatures is a recent version of openssl.

According to the openssl documentation, this requires openssl >= 1.1.0.

    openssl cms -verify -in email.eml -CAfile root.pem

This only works with the openssl cms command and not with the openssl
smime command.

Kind regards,

Martijn

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
