OpenSSL - Encrypt plain text using RSAES_OAEP_SHA_256 - encryption

I want to encrypt a local plain text file using openssl and the RSAES_OAEP_SHA_256 algorithm.
I tried to use the same approach as this blog entry, but it did not work.
https://europatech.co.uk/encryption-decryption-with-kms-and-openssl/
$ echo "hello" > plaintext.txt
$ openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
-in plaintext.txt -pubin -inkey pubkey.pem -out plaintext.bin
-pkeyopt command before -inkey
Usage: pkeyutl [options]
-in file input file
-out file output file
-sigfile file signature file (verify operation only)
-inkey file input key
-keyform arg private key format - default PEM
-pubin input is a public key
-certin input is a certificate carrying a public key
-pkeyopt X:Y public key options
-sign sign with private key
-verify verify with public key
-verifyrecover verify with public key, recover original data
-encrypt encrypt with public key
-decrypt decrypt with private key
-derive derive shared secret
-hexdump hex dump output
-passin arg pass phrase source
Am I missing something?

I was looking for the same openssl command and this worked for me:
openssl pkeyutl -in data.txt -encrypt -pubin -inkey Oaep_Pub_Rsa.pem -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -out enc.pem

Related

OpenSSL, decrypting with a private key

Okay, so I have a text file named Kryptert that is encrypted.
A key file named private with the private key. I want the output to be in a text file named Klartext.
I am about to rip my hair out, because I cannot seem to figure this out.
openssl rsautl -decrypt -inkey C:\private.key -in C:\Kryptert.txt -out C:\Klartext.txt
The command above is what I use, and I get the following output in the CMD window:
C:\Users\Marco>openssl rsautl -decrypt -inkey C:\private.key -in C:\Kryptert.txt -out C:\Klartext.txt
Loading 'screen' into random state - done
RSA operation error
8560:error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:.\crypto\rsa\rsa_pk1.c:190:
8560:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:592:
Anyone able to help me understand what is wrong, and how I could fix it? Thank you.
Here you have the commands you need to encrypt or decrypt using openssl:
Decrypt:
$ openssl rsautl -decrypt -in $ENCRYPTED -out $PLAINTEXT -inkey keys/privkey.pem
Encrypt:
$ openssl rsautl -encrypt -in $PLAINTEXT -out $PLAINTEXT.encrypt -pubin -inkey keys/pubkey.pem
Hope this helps! :)
For encryption:
openssl rsautl -encrypt -in /path/to/your/file -out /path/to/your/encrypted -pubin -inkey /path/to/your/public_key.pem
For decryption:
openssl rsautl -decrypt -in /path/to/your/encrypted -out /path/where/you/want/your/decrypted.txt -inkey /path/to/your/private_key.pem
Note: If you get this decryption error: RSA_EAY_PRIVATE_DECRYPT:data greater than mod len, try this command before decrypting your file:
cat yourEncryptedFile| base64 -D > yourEncryptedRawFile
More information here

Is RSA Encrypt & Decrypt only with Private Key by openssl, correct?

This is my test case.
$ openssl genrsa -out private.pem 2048
$ openssl rsa -in private.pem -outform PEM -pubout -out public.pem # but I don't use it.
$ touch raw_data.log && echo 123456 >> raw_data.log
$ openssl rsautl -encrypt -in raw_data.log -inkey private.pem > enc.raw_data.log
$ openssl rsautl -decrypt -in enc.raw_data.log -inkey private.pem > dec.raw_data.log
$ cat raw_data.log
$ cat dec.raw_data.log
Why can I encrypt & decrypt data only with the RSA private key (and not use the public key to encrypt data)?
Is this correct?
If you read the man page for openssl rsautl, you will find that you can use the pubin option to encrypt using the public key:
-inkey file the input key file, by default it should be an RSA private key.
-pubin the input file is an RSA public key.
So you can encrypt either using the private key (default) or the public key (with the pubin option):
openssl rsautl -encrypt -inkey pubkey.pem -pubin -in raw_data.log -out enc.raw_data.log

Buffer overflow OpenSSL Encryption/Decryption problems

I am currently trying to use OpenSSL to encrypt and decrypt a file, using (encrypt):
openssl rsautl -encrypt -pubin -inkey public.pem -in plaintext.txt -out encyrptiontext.txt
and for the decrypting I am using:
openssl rsautl -decrypt -inkey private.pem -in encyrptiontext.txt
The keys have been generated from the same file, though when I try to decrypt a single line I receive this error:
8952:error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:.\crypto\rsa\rsa_pk1.c:190:
8952:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:592:
I am not sure why I am getting this as they are using the default settings and the keys have been generated from the same generator.

Creating RSA Private Key from PFX (PKCS #12) file

I'm trying to get a private RSA key from a pkcs #12 file.
I've tried running the standard
openssl pkcs12 -nocerts -out priv.pem -in domain.com.pfx
However this results in a key file like the one below:
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: xxxxxxxx
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN ENCRYPTED PRIVATE KEY-----
The server that I need to put it into cannot handle the key file, and when I look at the example data I see a file like the one below:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF
And of course the key is present in both files.
However, it seems the server will only accept an RSA Private key file, and it seems to me like the output I get is an X509v3 file. Does anyone know how to convert this to an RSA Private key file?
Well - using a text editor to remove the offending lines may be easiest. Otherwise below will clean up the bag attributes:
openssl pkcs12 -in x.pfx -nocerts -nodes -passin pass:123456 | openssl rsa -out privkey.pem
and can also be used to get der/net
openssl pkcs12 -in x-fred.p12 -nocerts -nodes -passin pass: | openssl rsa -outform DER -out privkey.der
which may in fact be the format you want. It is fairly common for tools not to accept a passwordless private key, though (and a lot of tools will silently fail if the number of characters is not at least 4 or 6). So in those cases change the tail end to:
.... | openssl rsa -passout pass:123456 -out privkey.pem
.... | openssl rsa -passout pass:123456 -out privkey.der -outform der
On Windows 7 64-bit, you can simply use your command. But on Mac and Linux, you should do the following steps:
1. Create your pem file:
openssl pkcs12 -in xxx.pfx -out xxx.pem
2. Create your RSA private key:
openssl pkcs12 -in xxx.pfx -passin pass:yourpassword | openssl rsa -des3 -passout pass:yourpassword -out xxx.key
This step will create the key file with the content:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF
3. Open your .pem and .key file in a text editor, and replace the original key
-----BEGIN ENCRYPTED PRIVATE KEY-----
in the .pem file with the RSA key in the .key file.
This works for me:
openssl pkcs12 -in "$1" \
-nocerts -nomacver \
-passin file:<(cat "$pw") \
-passout file:<(cat "$pw") |
sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----/,/^-----END ENCRYPTED PRIVATE KEY-----/p'
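The conversion the answers above do by hand, as an added example (not code from any of the posters): a throwaway PFX is built, the key is pulled out with pkcs12, and pkcs8 -traditional rewrites the PKCS#8 block as the legacy "BEGIN RSA PRIVATE KEY" structure. It assumes OpenSSL 1.1.1 or 3.x; the file names and the password demo-pass are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. Requires OpenSSL 1.1.1+ for
# "pkcs8 -traditional"; domain.pfx and its password are constructed here.
set -eu

pfx_to_rsa_key() {
    work=$(mktemp -d)
    cd "$work"

    # Constructed input: self-signed cert plus key, packed into a PFX
    # protected with the stand-in password "demo-pass".
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo \
        -keyout orig.pem -out cert.pem 2>/dev/null
    openssl pkcs12 -export -inkey orig.pem -in cert.pem -out domain.pfx \
        -passout pass:demo-pass

    # Step 1: extract only the key, unencrypted (-nodes). In real scripts
    # prefer -passin file:... over pass:... so the secret stays out of the
    # process list and shell history.
    # Step 2: pkcs8 -traditional reads the PKCS#8 PEM block (the "Bag
    # Attributes" lines are skipped) and writes the legacy RSA PRIVATE KEY.
    openssl pkcs12 -in domain.pfx -nocerts -nodes -passin pass:demo-pass \
        | openssl pkcs8 -traditional -nocrypt -out privkey.pem

    # Verify: legacy header, and the same modulus as the key that went in.
    head -n 1 privkey.pem
    [ "$(openssl rsa -in orig.pem -noout -modulus)" = \
      "$(openssl rsa -in privkey.pem -noout -modulus)" ] && echo same-modulus
}
```

To keep the key encrypted on disk, drop -nocrypt and add -passout as in the answers above; the header then still reads RSA PRIVATE KEY with a Proc-Type/DEK-Info preamble.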

How can I use OpenSSL to encrypt a message using my public key and then decrypt it using my private key?

Here is what I've tried:
Encrypt message w/ my public key
openssl enc -aes-256-cbc -salt -kfile key.pub -in message.txt -out message.enc
Decrypt message using my private key
openssl enc -d -aes-256-cbc -salt -in message.enc -pass file:mykey.pem
Error from decryption
bad decrypt
452:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
This code works:
openssl rsautl -pubin -inkey key.pub -encrypt -in message.txt -out message.enc
openssl rsautl -inkey privkey.pem -decrypt -in message.enc -out message.dec
For use
openssl rsautl -pubin -inkey key.pub -encrypt -in message.txt -out message.enc
you need to define the option -raw to ignore padding :)
openssl rsautl -pubin -inkey key.pub -encrypt -in message.txt -out message.enc -raw
enc is for symmetric cipher routines, so you should use rsautl.
Correct solutions:
On sender side
Generate passphrase
Encrypt your message using enc with passphrase
Encrypt passphrase using rsautl with public key
Send encoded message and encoded passphrase
On receiver side
Decrypt passphrase using rsautl with private key
Decrypt message using enc with passphrase
Encrypt:
openssl enc -aes-256-cbc -salt -pass file:password.txt -in message.txt -out message.enc
Decrypt:
openssl enc -aes-256-cbc -d -salt -pass file:password.txt -in message.enc -out message.dec
Where the first line of the file password.txt contains your password.
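The sender/receiver procedure above carried through end to end, as an added example (not code from any of the posters), with the passphrase wrapped by RSAES-OAEP/SHA-256 via pkeyutl, the command the first question asked about. It assumes OpenSSL 1.1.1 or later (for enc -pbkdf2); all file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts: the hybrid scheme from the
# last answer, with the passphrase wrapped by RSAES-OAEP/SHA-256 via pkeyutl
# (the command from the first question). Needs OpenSSL 1.1.1+ for -pbkdf2.
# All file names are constructed for this demo.
set -eu

hybrid_roundtrip() {
    work=$(mktemp -d)
    cd "$work"

    # Recipient key pair; only pub.pem is needed on the sender side.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out priv.pem 2>/dev/null
    openssl pkey -in priv.pem -pubout -out pub.pem

    # --- sender ---
    printf 'hello\n' > message.txt
    # Fresh random passphrase, hex so "enc -pass file:" reads it as one line.
    openssl rand -hex 32 > password.txt
    # Symmetric part; -pbkdf2 replaces enc's weak legacy key derivation.
    openssl enc -aes-256-cbc -pbkdf2 -pass file:password.txt \
        -in message.txt -out message.enc
    # Asymmetric part: OAEP with SHA-256 for both the OAEP digest and MGF1.
    openssl pkeyutl -encrypt -pubin -inkey pub.pem \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 -in password.txt -out password.enc

    # --- receiver (same OAEP parameters, private key) ---
    openssl pkeyutl -decrypt -inkey priv.pem \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 -in password.enc -out password.dec
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:password.dec \
        -in message.enc -out message.dec

    # A mismatched OAEP hash (the SHA-1 default) must fail the padding
    # check; the "padding check failed" posts above are the same failure class.
    if openssl pkeyutl -decrypt -inkey priv.pem -pkeyopt rsa_padding_mode:oaep \
        -in password.enc -out /dev/null 2>/dev/null; then
        echo mismatch-undetected
        return 1
    fi

    cmp -s message.txt message.dec && echo ok
}
```

The OAEP digest and MGF1 options must be given identically on both sides; only the wrapped passphrase (password.enc) is limited by the RSA modulus size, the message itself can be any length.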
