Re: Testing encrypt with RSA-OAEP from Jason Proctor on 2016-06-02 (public-webcrypto@w3.org from June 2016)

From: Jason Proctor <jason@mono.hm>
Date: Thu, 2 Jun 2016 12:32:43 -0700
To: Eric Roman <ericroman@google.com>
Cc: Jason Proctor <jason@mono.hm>, Charles Engelke <w3c@engelke.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CALQanALzec1rzM8bBGzfLJoqb0hj7reOOL6uHaODSSqqagaoOw@mail.gmail.com>

On Thu, Jun 2, 2016 at 12:01 PM, Eric Roman <ericroman@google.com> wrote:

>
>
> On Thu, Jun 2, 2016 at 11:16 AM, Jason Proctor <jason@mono.hm> wrote:
>
>> hi Charlie
>>
>> i've been using WebCrypto's RSA-OAEP/SHA-256 interchangeably with OpenSSL
>> and Bouncy Castle, with complete success.
>>
>> for OpenSSL, i use RSA_PKCS1_OAEP_PADDING, but set the digest function to
>> SHA-256 using EVP_PKEY_CTX_set_rsa_oaep_md(). this function is
>> comparitively new in OpenSSL, AFAICS. note i didn't need to use the
>> corresponding mgf function, though i'm not clear why.
>>
>
> If you don't set the MGF using  EVP_PKEY_CTX_set_rsa_mgf1_md(), then it
> looks like OpenSSL will just default to using the digest function set by
> EVP_PKEY_CTX_set_rsa_oaep_md() [1]. Should probably just explicitly set
> both anyway, for clarity if nothing else :)
>
> [1]
> https://github.com/openssl/openssl/blob/2039c421b0e5b75ffcf6a88e39cc09089b4303dc/crypto/rsa/rsa_oaep.c#L53
>
>
thanks for the feedback. that does seem sensible - so much so, in fact,
that i just did it.

regards
J



>
>> for Bouncy Castle i just use RSA/NONE/OAEPWithSHA256AndMGF1Padding as the
>> PK cipher algorithm.
>>
>> anyway, let me know if i can be of any assistance.
>>
>> regards
>> Jason
>>
>>
>>
>> On Thu, Jun 2, 2016 at 10:44 AM, Charles Engelke <w3c@engelke.com> wrote:
>>
>>> I think I'm done testing encrypt for the various AES modes, and just
>>> have RSA-OAEP to go. But I'm running into a problem: RSA-OAEP injects
>>> randomness when encrypting, so the only way to check that encryption
>>> worked is to see if the result can be decrypted.
>>>
>>> I see three options:
>>>
>>> - assume that if encrypt doesn't throw and exception, it passes
>>>
>>> - check the result of encrypt by using subtleCrypto decrypt to see if
>>> you get the same plaintext back (note that decrypt can be tested with
>>> sample ciphertext so we can tell if it's working separately)
>>>
>>> - check the result of encrypt by using an external program to decrypt
>>> its result
>>>
>>> The third option seems to be the best in a perfect world. But it would
>>> require the test framework to have an external program that can do
>>> RSA-OAEP decryption with all the options subtleCrypto is supposed to
>>> to have: any of the four supported hash functions, and with and
>>> without the optional label. OpenSSL, for example, seems to only
>>> support SHA-1 and no label.
>>>
>>> I'd appreciate any suggestions on how to proceed (and would also
>>> appreciate pointers on how to extend the framework to use an external
>>> program if that's the needed solution).
>>>
>>> Thanks,
>>>
>>> Charlie
>>>
>>>
>>
>

Received on Thursday, 2 June 2016 19:33:12 UTC