crypto.privateDecrypt - padding issue

[rensrongen]

• Version: v7+
• Platform: Win10x64
• Subsystem: crypto

crypto.privateDecrypt does not accept RSA_PKCS1_OAEP_PADDING and RSA_PKCS1_PADDING option.

Using either of them produces the following error:

Error: error:0408F090:rsa routines:PKEY_RSA_CTRL:illegal or unsupported padding mode

It does accept RSA_NO_PADDING, but when I decrypt an sha256 signature, it will produce a 256 character string, the final 64 characters contained the actual hash.

For example, I have to do the following to successfully decrypt and read the sha256 signature:

var signature = Crypto.publicDecrypt(
            {
                'key': SessionManager.PublicKey, //buffer
                'padding': Constants.RSA_NO_PADDING
            },
            Buffer.from(ciphertext, 'hex')
        ).toString().substr(192);

Everything works as expected when using privateDecrypt.

[mscdex]

Can you provide a complete, simple, standalone example that reproduces the issue?

[shigeki]

I also would like you to confirm if you really set RSA_PKCS1_PADDING notRSA_PKCS1_PSS_PADDING in case of the error of illegal or unsupported padding mode.
There is not a code path to show the unsupported padding mode error in using RSA_PKCS1_PADDING as https://github.com/nodejs/node/blob/master/deps/openssl/openssl/crypto/rsa/rsa_pmeth.c#L499-L508 .
And the same error would be shown in the case when RSA_PKCS1_OAEP_PADDING is used in sign()/verity(). We can clarify the issue after you provide a complete example.

[rensrongen]

Alright, I'll look into this later today when I have time.

[rensrongen]

Example:

var crypto = require('crypto');
var path = require('path');
var constants = require('constants');
var fs = require('fs');

var privateEncryptString = function(str, key) {
    var absolutePath = path.resolve(key);
    var privateKey = fs.readFileSync(absolutePath, 'utf8');
    var encrypted = crypto.privateEncrypt(
    {
        key: privateKey,
        padding: constants.RSA_NO_PADDING 
    }, new Buffer(str));
    return encrypted.toString('base64');
};

var hash = '122e4e90223ff56eb3490debebc64a17502e9025deb0ab56dcd2e4c67ef583f2';
var encypted = privateEncryptString(hash, './privatekey');
console.log(encypted);

Running this produces the following error:

Error: error:0406B07A:rsa routines:RSA_padding_add_none:data too small for key size

Providing RSA_PKCS1_PADDING works as expected, RSA_PKCS1_OAEP_PADDING doesn't work either. (PKEY_RSA_CTRL:illegal or unsupported padding mode)

[mscdex]

A couple of things to note here:

• If you're using no padding, then you need to manually pad the input yourself so that it matches the key size. For example, if your key is 1024 bits, you need to make sure the input is 128 bytes. In your example, you could do this by simply adding .repeat(2) to the end of your hash declaration, since it is 64 bytes long already. Generally you should avoid using RSA_NO_PADDING unless you really know what you're doing.
  • I noticed that your hash string seems to be hex. If you meant to use the actual bytes represented by the hex characters, you will need to pass 'hex' as the second argument to new Buffer(). Keep in mind though that this will halve your input size, so you will need to double the size of your input.
• You should avoid deprecated APIs:
  • Buffer.from() should be used instead of new Buffer() in this case
  • crypto.constants should be used instead of just constants, as the latter is deprecated in favor of per-module constants
• RSA_PKCS1_OAEP_PADDING can only be used for encryption with public keys, not private keys.

So the crypto documentation needs to be updated to remove RSA_PKCS1_OAEP_PADDING from the list of possible paddings for privateEncrypt().

[rensrongen]

Thanks for the info.

I don't actually intend to use RSA_NO_PADDING though.
The example, unlike my initial comment, is based off older code.

Shouldn't RSA_PKCS1_OAEP_PADDING still work in the example I provided?

[mscdex]

@rensrongen Not with a private key. If you use a public key and crypto.publicEncrypt() it should work (OAEP padding is actually the default for that function).

[rensrongen]

Never mind, it's clarified! I was about to comment on the docs but I missed the last line of your previous comment.

[mscdex]

I've opened a separate issue for the docs: #9609

[mv2050arshad]

Dear friends, i have same problem but when i using RSA_PKCS1_PADDING, just the message can be decrypted(public-key) that they are encrypted(private-key) in 256 byte. some time encrypted message is 257 or 258 or 59 byte, then it failed to decryption. can you tell me whats my wrong and problem ?