signature creation with des-ede3-cbc encrypted private key resulting in error
KaffeeJunky opened this issue · comments
Hi there!
i'm currently having an issue with my ede3-cbc encrypted private key and signature creation.
i use the crypto modules to sign a string - this is being used in a node environment and working perfectly fine.
Unfortunately i cannot use the nodeJS environment for a specific call in a seperate system. So i need to use the browserified-version of it.
Unfortunately this is always ending in the following error:
algo is undefined
This is the part where the error occurs:
function decrypt (data, password) {
var salt = data.algorithm.decrypt.kde.kdeparams.salt
var iters = parseInt(data.algorithm.decrypt.kde.kdeparams.iters.toString(), 10)
var algo = aesid[data.algorithm.decrypt.cipher.algo.join('.')]
var iv = data.algorithm.decrypt.cipher.iv
var cipherText = data.subjectPrivateKey
var keylen = parseInt(algo.split('-')[1], 10) / 8
var key = compat.pbkdf2Sync(password, salt, iters, keylen, 'sha1')
var cipher = ciphers.createDecipheriv(algo, key, iv)
var out = []
out.push(cipher.update(cipherText))
out.push(cipher.final())
return Buffer.concat(out)
}
the array aesid holds the following values
aes{"2.16.840.1.101.3.4.1.1":"aes-128-ecb","2.16.840.1.101.3.4.1.2":"aes-128-cbc","2.16.840.1.101.3.4.1.3":"aes-128-ofb","2.16.840.1.101.3.4.1.4":"aes-128-cfb","2.16.840.1.101.3.4.1.21":"aes-192-ecb","2.16.840.1.101.3.4.1.22":"aes-192-cbc","2.16.840.1.101.3.4.1.23":"aes-192-ofb","2.16.840.1.101.3.4.1.24":"aes-192-cfb","2.16.840.1.101.3.4.1.41":"aes-256-ecb","2.16.840.1.101.3.4.1.42":"aes-256-cbc","2.16.840.1.101.3.4.1.43":"aes-256-ofb","2.16.840.1.101.3.4.1.44":"aes-256-cfb"}
which means my algorithm 1.2.840.113549.3.7 is not available.
Is this even supported? Or am i doing something horribly wrong? :D
The code i use for creation is:
let signer = crypto.createSign(this.algorithm).update(this.stringToSign);
return signer.sign({
key: this.privateKey,
padding: this.signaturePadding,
saltLength: this.saltLength,
passphrase: this.privateKeyPassPhrase
}, 'base64');
}
thanks in advance!
Best regards
Pascal
des isn't supported here, you can convert it to aes with the openssl command openssl rsa -aes256 -in old.pem -out new.pem or omit the -aes256 to just strip the password since the actual protections offered by the basic key encryption isn't great
oh boy.. unfortunately my ASN1 export is the following:
0:d=0 hl=4 l=1308 cons: SEQUENCE
4:d=1 hl=2 l= 78 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :PBES2
17:d=2 hl=2 l= 65 cons: SEQUENCE
19:d=3 hl=2 l= 41 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT :PBKDF2
32:d=4 hl=2 l= 28 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=5 hl=2 l= 12 cons: SEQUENCE
50:d=6 hl=2 l= 8 prim: OBJECT :hmacWithSHA256
60:d=6 hl=2 l= 0 prim: NULL
62:d=3 hl=2 l= 20 cons: SEQUENCE
64:d=4 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
74:d=4 hl=2 l= 8 prim: OCTET STRING
84:d=1 hl=4 l=1224 prim: OCTET STRING
openssl rsa-aes256 -in old.pem -out new.pem did not work because it is not an RSA-Key. It's RSA with PSS padding. Got the following error:
140077085471872:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:
i used openssl pkey -in oldkey.pem -out newkey.pem to decrypt it using the passphrase.
But i get the following error at signature creating:
unknown key id 1.2.840.113549.1.1.10
Do you have another tip for me? Unfortunately im not that deep into encryption/certificates/signatures ... which i kind of regret right now :D