How to use openssl to output encrypted/decrypted message to stdout - bash

I am just trying to encrypt/decrypt a password with the shell (non-interactively - it's for an automated script). I am following this example:
https://superuser.com/a/20552/362669
I tried converting it to this so that it doesn't use a file output.bin to store the encrypted text:
#!/usr/bin/env bash
cd `dirname "$BASH_SOURCE"`
# generate a 2048-bit RSA key and store it in key.txt
openssl genrsa -out key.txt 2048
# encrypt "hello world" using the RSA key in key.txt
encrypted="$(echo "hello world" | openssl rsautl -inkey key.txt -encrypt)"
echo "encrypted: $encrypted"
# decrypt the message and output to stdout
decrypted="$(echo "$encrypted" | openssl rsautl -inkey key.txt -decrypt)"
echo "decrypted: $decrypted";
but all I get is this garbully-guk:
Generating RSA private key, 2048 bit long modulus
........................................................................................................................+++
............................+++
e is 65537 (0x10001)
��◆J��┌ܥײ��R▒��%⎽F�� 1l�}�%��?�0���+��%���C�8|_/!�A"Ꜵ:�������.��W2Pras��1���� ��(�a
��]�[�남␍◆�=┬─�з≤�ɦ�;�└�1MFP��^␋�#D� �T_⎺F�Eπ�2��U2Ÿ┌π��N│�� ⎽��_\2�� 8V��%��(�^���␍4�#�π���*^D ���/�└�
RSA ⎺⎻␊⎼▒├␋⎺┼ ␊⎼⎼⎺⎼
4662363756:␊⎼⎼⎺⎼:04FFF06B:⎼⎽▒ ⎼⎺┤├␋┼␊⎽:CRYPTO_␋┼├␊⎼┼▒┌:␉┌⎺␌┐ ├≤⎻␊ ␋⎽ ┼⎺├ 02:/B┤␋┌␍R⎺⎺├/L␋␉⎼▒⎼≤/C▒␌␤␊⎽/␌⎺└.▒⎻⎻┌␊.│␉⎽/S⎺┤⎼␌␊⎽/┌␋␉⎼␊⎽⎽┌/┌␋␉⎼␊⎽⎽┌-22.260.1/┌␋␉⎼␊⎽⎽┌-2.6/␌⎼≤⎻├⎺/⎼⎽▒/⎼⎽▒_⎻┐1.␌:185:
4662363756:␊⎼⎼⎺⎼:04FFF072:⎼⎽▒ ⎼⎺┤├␋┼␊⎽:CRYPTO_␋┼├␊⎼┼▒┌:⎻▒␍␍␋┼± ␌␤␊␌┐ °▒␋┌␊␍:/B┤␋┌␍R⎺⎺├/L␋␉⎼▒⎼≤/C▒␌␤␊⎽/␌⎺└.▒⎻⎻┌␊.│␉⎽/S⎺┤⎼␌␊⎽/┌␋␉⎼␊⎽⎽┌/┌␋␉⎼␊⎽⎽┌-22.260.1/┌␋␉⎼␊⎽⎽┌-2.6/␌⎼≤⎻├⎺/⎼⎽▒/⎼⎽▒_␊▒≤.␌:580:
␍␊␌⎼≤⎻├␊␍:
▒┌␊│⎽-└▒␌:␋┼├␊⎼⎺⎽ ▒┌␊│$
and my shell session is basically messed up.
Anyone know what that is? Maybe it's outputting characters that the shell can't handle?
Update: if I don't log the encrypted value, then I get this:
Generating RSA private key, 2048 bit long modulus
........................+++
..........+++
e is 65537 (0x10001)
RSA operation error
4558829164:error:04FFF06B:rsa routines:CRYPTO_internal:block type is not 02:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/rsa/rsa_pk1.c:185:
4558829164:error:04FFF072:rsa routines:CRYPTO_internal:padding check failed:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/rsa/rsa_eay.c:580:
decrypted:

I think the best idea would be to convert the binary to/from base64.
Just pipe output through a "openssl base64" to command to enable and "openssl base64 -d" command to decode.
so:
encrypted="$(echo "hello world" | openssl rsautl -inkey key.txt
-encrypt | openssl base64)"
and
decrypted="$(echo "$encrypted" | openssl base64 -d | openssl rsautl
-inkey key.txt -decrypt)"

Related

HMAC SHA-256 for a signed AWS request

EDIT: The issue is that I'm using hex encoded strings as the keys and I should be using raw bytes. How can I get the raw bytes out of the openssl command?
--- Original question ---
I'm attempting to follow the instructions for creating a signed iam request found here: https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html.
It basically says to produce the signing key and signature you follow these steps:
signing key = HMAC(HMAC(HMAC(HMAC("AWS4wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY","20150830"),"us-east-1"),"iam"),"aws4_request")
signature = HexEncode(HMAC(signing key, "AWS4-HMAC-SHA256\n20150830T123600Z\n20150830/us-east-1/iam/aws4_request\nf536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"))
I've created the following shell script as a test:
#!/usr/bin/env bash
set -euo pipefail
stringToSign="AWS4-HMAC-SHA256\n20150830T123600Z\n20150830/us-east-1/iam/aws4_request\nf536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"
dateKey=$(echo -n "20150830" | openssl dgst -sha256 -hmac "AWS4wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")
regionKey=$(echo -n "us-east-1" | openssl dgst -sha256 -hmac "$dateKey")
serviceKey=$(echo -n "iam" | openssl dgst -sha256 -hmac "$regionKey")
signingKey=$(echo -n "aws4_request" | openssl dgst -sha256 -hmac "$serviceKey")
echo "signing key: $signingKey"
signature=$(echo -n "$stringToSign" | openssl dgst -sha256 -hmac "$signingKey")
echo "signature: $signature"
The output is:
signing key: 8c028f7953b7f2b9fa6d2e816f7b15675dc2329c139e293b383759c5ba8af679
signature: 9fd29d6aaac30d0747da90c23a4b883a8bc02b439f35df255fa2f93f6c99f46f
dateKey is 45fb073b035485bb42f64d8d242984f3431d02e31c35ba4b661d31bbec45378d
However the document linked above says that it should be:
signing key: c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9
signature: 5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
How can I produce the correct key and signature?
EDIT -- openssl version:
$ openssl version -a
LibreSSL 2.6.5
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"
How can I get the raw bytes out of the openssl command?
Use -binary option. From manpage for openssl dgst:
openssl dgst [-cd] [-binary] [-digest] [-hex] [-hmac key] ...
-binary
Output the digest or signature in binary form.
To get the correct signature, I also had to replace the \n characters in the string to sign with actual newline characters.
Working script:
#!/usr/bin/env bash
set -euo pipefail
stringToSign="AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/iam/aws4_request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"
dateKey=$(echo -n "20150830" | openssl dgst -sha256 -binary -hmac "AWS4wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")
regionKey=$(echo -n "us-east-1" | openssl dgst -sha256 -binary -hmac "$dateKey")
serviceKey=$(echo -n "iam" | openssl dgst -sha256 -binary -hmac "$regionKey")
signingKey=$(echo -n "aws4_request" | openssl dgst -sha256 -binary -hmac "$serviceKey")
signature=$(echo -n "$stringToSign" | openssl dgst -sha256 -hmac "$signingKey")
echo "signature: $signature"
# signature: 5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7

AES 256 CBC encrypt with Ruby with OpenSSL not working

I'm trying to encrypt data with OpenSSL library in Ruby using passphrase.
Ruby code looks like this:
require('openssl')
require('base64')
cipher = OpenSSL::Cipher.new ('AES-256-CBC')
cipher.encrypt
cipher.iv = iv = cipher.random_iv
pwd = 'topsecret'
salt = OpenSSL::Random.random_bytes 8
iter = 10000
key_len = cipher.key_len
digest = OpenSSL::Digest::SHA256.new
key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
cipher.key = key
puts "salt=#{salt.unpack('H*')[0]}"
puts "key=#{key.unpack('H*')[0]}"
puts "iv=#{iv.unpack('H*')[0]}"
encrypted = cipher.update 'my data to encrypt'
encrypted << cipher.final
puts "encrypted=#{Base64.strict_encode64(encrypted)}"
# it returns:
# salt=1332e5603cbc018a
# key=11a168cf01556a5ee3e22e049f0e65d3adcd75f39e32c7d19aec32a0ccb40d93
# iv=35a08f2d3e719abbee78a0f4fe47c938
# encrypted=E3Ag6cRL2R+xytgw01i6tKSFpV7s7bKoiiWvPA1FYxM=
Unfortunately, when I try to decrypt this, I get error bad magic number:
$ echo "E3Ag6cRL2R+xytgw01i6tKSFpV7s7bKoiiWvPA1FYxM=" | openssl enc -aes-256-cbc -base64 -d -p -pass pass:topsecret
bad magic number
However, when I try this in terminal by running openssl enc command, it works:
$ echo 'my data' | openssl enc -aes-256-cbc -base64 -p -pass pass:topsecret
salt=8135837A305553F2
key=8B4373ABD786BAC107F4112640E95E920C77C017FCEC18E1BD919CED42F0298E
iv =910637CE50FADF27D944B7A8DD239E6D
U2FsdGVkX1+BNYN6MFVT8oWa5P/oxZFwzMk1DRCSSGg=
$ echo "U2FsdGVkX1+BNYN6MFVT8oWa5P/oxZFwzMk1DRCSSGg=" | openssl enc - aes-256-cbc -d -p -base64 -pass pass:topsecret
salt=8135837A305553F2
key=8B4373ABD786BAC107F4112640E95E920C77C017FCEC18E1BD919CED42F0298E
iv =910637CE50FADF27D944B7A8DD239E6D
my data
I think I tried every possible combination of generating key/IV from passphrase but I get error every time. Is anyone able to spot where is the problem with this way? I've spent entire day on this.

Padding errors using OpenSSL for encrypt/decrypt with Keys extracted from Digital Cert

I am using some command line Open SSL commands to encrypt and decrypt data using Public and Private keys extracted from a Digital Cert. When I try to decrypt I get PKCS padding errors. Can someone tell me where I'm going wrong?
These are the command I've been using:
a) Extract Public key: openssl x509 -pubkey -noout -in xxxxx.cer > xxxxxpublickey.pem
b) Extract Private Key:openssl pkcs12 -in xxxxxx.pfx -nocerts -out xxxxxprivatekey.pem -nodes
c) Encypt a key (.bin file): openssl enc -aes-256-cbc -in kenkey.bin -out kenkey_Key -pass file:xxxxxpublickey.pem
d) Decrypt key produced in c) openssl rsautl -decrypt -hexdump -in kenkey_key -inkey xxxxxprivatekey.key -out aeskey.txt
This produces errors like this:
RSA operation error 3248:error:0407109F:rsa
routines:RSA_padding_check_PKCS1_type_2:pkcs decoding
error:.\crypto\rsa\rsa_pk1.c:273: 3248:error:04065072:rsa
routines:RSA_EAY_PRIVATE_DECRYPT:padding check
failed:.\crypto\rsa\rsa_eay.c:602:

openssl smime in ruby/rails

So, i have this application that creates a zip file with images and stuff
and i want to sign it using smime.
if i use the terminal command:
openssl smime -binary -sign -passin "pass:MYPASS" -signer ./MyCertificate.pem -inkey ./MyKey.pem -in ./manifest.in -out ./signature.out -outform DER
Formated:
openssl smime -binary -sign -passin "pass:MYPASS" \
-signer ./MyCertificate.pem -inkey ./MyKey.pem \
-in ./manifest.in -out ./signature.out -outform DER
the manifest.in is the file witch contains the text to be signed and signature.out is the output file.
i don't know a lot about signing but i believe this code is signing my file using PKCS7
how can i recreate the same result with ruby/rails?
i have tried to look in the documentation of OpenSSL but i couldn't find anything usefull for me
EDIT
if this helps someone,
this is what the documentation says
i need to build a:
A detached PKCS#7 signature of the manifest
Found a way.
like this:
require 'secure_digest'
def sign_manifest(manifest = {})
manifest_str = manifest.to_json
key4_pem = File.read Rails.root.join("lib", "keys", "key.pem")
pass_phrase = "supera"
key = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
cert = OpenSSL::X509::Certificate.new File.read Rails.root.join("lib", "keys", "certificate.pem")
sign = OpenSSL::PKCS7.sign(cert, key, manifest_str, nil, OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::NOATTR | OpenSSL::PKCS7::DETACHED).to_der
sign
end
Just to clarify my code, manifest param is a hash witch i want to sign it using this code. if i want another item, like a image, string or file i just need do read it as string

Invalid public keys when using the Ruby OpenSSL library

I'm trying to generate RSA keypairs in Ruby, mostly using the examples from this blog post. Here is my slightly modified code:
def generate_keypair(passphrase)
rsa_key = OpenSSL::PKey::RSA.new(2048)
cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
private_key = rsa_key.to_pem(cipher, passphrase)
public_key = rsa_key.public_key.to_pem
return private_key, public_key
end
This successfully generates a private key and a public key, and I can write those out to files on the filesystem.
irb(main):002:0> private_key1, public_key1 = generate_keypair('test')
[...output of keys...]
irb(main):003:0> File.open("key.pem","w") {|f| f.write(private_key1) }
=> 1766
irb(main):004:0> File.open("pubkey.pem","w") {|f| f.write(public_key1) }
=> 426
However, OpenSSL complains when I try to use this public key:
$ openssl rsautl -encrypt -inkey pubkey.pem -pubin -in text.txt -out text.ssl
unable to load Public Key
If I use the openssl tool to extract the public key from the private key then everything works:
$ openssl rsa -in key.pem -pubout -out pubkey2.pem
Enter pass phrase for key.pem:
writing RSA key
$ openssl rsautl -encrypt -inkey pubkey2.pem -pubin -in text.txt -out text.ssl
$ openssl rsautl -decrypt -inkey key.pem -in text.ssl
Enter pass phrase for key.pem:
this is a
file that
needs to be
encrypted
The public key that the Ruby OpenSSL library produced is different from the public key that the openssl cli tool extracted from the private key:
$ cat pubkey.pem
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzgNcsEL7yGBoLBYBXFYrDL6oLP8ZbW9+VwdoXyNG6Qt/NEhEx4Ww
5yOxtXAbqeUwyvbTUxRrJ02dQcb4FGcSMDgz2QHIZyCuDJkgC9Wj7KI1Q7g0GV+7
DcZvLcwPZOhLXqUzlcZXjDWM1PZ+az734qEribgyI+87LB8TujG8v5iOvdzT/Je4
JAllToZVGC3RddfTc6ww37gB39B++FYNzPg+nrIEU45KgEWPo2eJxBpX29lACh6q
EEBCQr9xyLxOC2eomYIl3dG2dV7nGGH7Pur2HjppgJphBvNkwxIWUa/pD6hAnOQ4
MkDDFGwWv7eJLb4UZuZjafTbqokHved3bwIDAQAB
-----END RSA PUBLIC KEY-----
$ cat pubkey2.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzgNcsEL7yGBoLBYBXFYr
DL6oLP8ZbW9+VwdoXyNG6Qt/NEhEx4Ww5yOxtXAbqeUwyvbTUxRrJ02dQcb4FGcS
MDgz2QHIZyCuDJkgC9Wj7KI1Q7g0GV+7DcZvLcwPZOhLXqUzlcZXjDWM1PZ+az73
4qEribgyI+87LB8TujG8v5iOvdzT/Je4JAllToZVGC3RddfTc6ww37gB39B++FYN
zPg+nrIEU45KgEWPo2eJxBpX29lACh6qEEBCQr9xyLxOC2eomYIl3dG2dV7nGGH7
Pur2HjppgJphBvNkwxIWUa/pD6hAnOQ4MkDDFGwWv7eJLb4UZuZjafTbqokHved3
bwIDAQAB
-----END PUBLIC KEY-----
I'm not quite sure what is going on here, but it seems as if the Ruby OpenSSL library is producing an invalid public key pem file. Am I doing something wrong?
It seems that OSSL doesn't support that format. What "openssl rsa" generates is an RSA_PUBKEY structure: a PUBKEY record which is ASN.1-"tagged" (with an OID) to indicate that it's an RSA key. What Ruby generates is a "raw" RSA key (where the bytes don't indicate that it is RSA; so you have to declare that in the PEM header).
OSSL should use an API function like PEM_write_bio_RSA_PUBKEY (or the generic PEM_write_bio_PUBKEY), instead of/in addition to PEM_write_bio_RSAPublicKey.

Resources