1. James Moore
  2. PowerBuilder
  3. Tuesday, 22 October 2019 18:27 PM UTC

I'm trying to generate and sign a JWT using an RSA private key generated from an external source in PB2017 R3. When I call AsymmetricSign, I get an "Invalid 'privKey' in AsymmetricSign" error.

I've read the article here, but it leaves out the part that prepares the RSA private key (of_getrsakey).

What am I missing?

Thanks,

James

Sample code:

blob lblb_priv, lblb_SHA

string ls_key

coderobject l_Coder
crypterobject l_Crypt


l_Crypt = create crypterobject
l_Coder = create coderobject


ls_key = &
"MIIEowIBAAKCAQEAtTQvE7WxbNX8ULDifGJLLs69A3xWLUqx5s6/i47v9bMVAVMY" +&
"89msItFXHDbH0Jg41y7eHjQnIPrb0jz3naIpr1aiA95e3d2JqjPWjIY4vjwP6SUN" +&
"UHI8NVV/9C9khZBYU+rvfi2jeRRXAC+VMTvh/Wh+DRgc0tLMbOm8iKVehQDgGYQn" +&
"JT7lPm4z2kl35e1r8rox01el476NTL0/ES3cn+uORkxaqvqC4fokP9jZk7KeEsXI" +&
"7t9LmdqoBoNcZDlP63eX81qkQsEBt/7r5ssLISJgDfYJ8C6mKRvxqUefflbMjZNZ" +&
"z7OTA/KECktsq6r4U9u1gIMH+QZmdAC14Iy4rwIDAQABAoIBAFnIOWsyo26huBrj" +&
"CdVHfqj6lnybprdaQztxRUcI06yRxt6ZJcvtFnVJ9DdujSK1ybQU7MlaXejhYvmQ" +&
"a8AXEUBnVG9GRwr3Mba7aJrIBmV7rQZ/7VDmyR5D9tougUgMdTdfOLr0MgNUKKdW" +&
"7D0wxpCgrZQfVmi/ObrdNSUfiu2q41lZ1np67Q3iRaE1laFWrRP1AI6c/wCT4xQf" +&
"yBgVDRLm9QqAFqRY2D91p72ZGi27AI5UYTl+iGUxvPmvCJcDfrcBotf9lWoZJ4Bc" +&
"3kDdp/msyOC0x4FExVM8bZms1eeyH7uL6LY83lpzYWha3J21f2tt+K6+PQY3ChO8" +&
"LZm5GMECgYEA5/az1hd/u0+fDz1FyaeK7DuLWaBV4CdCaOllUPdGbgrVt0KpmDOl" +&
"sslVCbHOOFH9TrsQz0pXppUeJJ5Soq73jD5fbOkmJE+quymw6gasj/1adgmREkYH" +&
"2j1BNneeuDPKhos92Qk5Vm8KNoScgXhYj96Lgov+5/DRn4XgqQvkt2UCgYEAx/r5" +&
"0V3VjqYYVto60A67sSQ20ZyKty+wxsrhpB8ZJ0A5ia3iMuJtf/7Niah2ChZ28o55" +&
"wZcpNt6P+A8asjfXkqa4uqMFB1zdwKWbJwqY5IjYGlktt3meAmnamTbgF8GPbnSG" +&
"SRFcPgmixQKHFSMozf5CGiGuuwW24zoDBwt5YIMCgYEAvQM/guJfCKhWebp51Vma" +&
"T+gtInkNwLr82DPmhNUZJK3be5rsSsM677YyftXNrgLRH4g6qE5xoaG8kCYaO8nK" +&
"mRJx+3L3y3rHKf9M00Vg82uEfM5K0dMSrvhe3R0Xzg0VqBBp8yIbAJ02ezoPtUf1" +&
"EjZLA7NDoIeQqCYU7GpukikCgYBdGgQaK/RTkBI+xSSiXmmVY8W9uoJ+HE7RjfyU" +&
"uwGr22OuLGzlwbK25zprfylNMv43mIsozKYcbGtcUjPcitDq7oGMKn8Z2WtH2BGu" +&
"kGlz5B2vzprRE2azuvJRaFHV3YBYLRmjhNiL7VKBI9cdyRujI19E6S9+1H87tHNa" +&
"YUYl3wKBgEQPatE3miykvD+g46XJAOmEBwcuaRI8Q+MyC1oTrCK85ZUb8azHOPCi" +&
"BsDODpEJnY3uyh0Pe+zwxBKfKXhsNyDo1HgOO6Mkr6qBRGk9iYy/edSwaP+wtcNj" +&
"REQFAIo/6a+Olpx7+CCZChe0fFx5v3k6bXZPTLHplHqV6RQiNQEJ"

lblb_priv = l_Coder.base64Decode(ls_key)

lblb_SHA = l_Crypt.SHA(SHA256!, blob("TEST.TEST", encodingUTF8!))

l_Crypt.AsymmetricSign(RSA!, lblb_SHA, lblb_priv) //<-- privKey Error


destroy l_Crypt
destroy l_Coder

Accepted Answer
Bruce Armstrong
  1. Wednesday, 23 October 2019 14:41 PM UTC
  2. PowerBuilder

The of_getrsakey method just does what you're doing in your code (see below). The important thing (the part you're missing) is in the comment. The CryptoObject expects the key in PKCS#8 format, and you were given the key in PKCS#1 format. You need to convert the key to PKCS#8 format. There are a number of utilities for doing that. I mention one in the comment, but that one is online so it means that you'd have to post your private key to it. But then you've already posted it here... Once you get it working though I'd recommend getting a new key. That's why I didn't post the of_getrsakey method in that article, and truncated the private key value here.

String ls_key
Blob key

CoderObject coder
coder = create CoderObject

//Need to use a utility like https://decoder.link/rsa_converter to convert the BEGIN RSA PRIVATE KEY (PKCS#1) format to the BEGIN PRIVATE KEY (PKCS#8) format

ls_key = 'MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwyDxOW7uqAAAH'
ls_key += 'ANp7MTWHOUkC8qCs8IEu/7F6lYM5LBGqslrGqYvRw5qhSzyvfUeM/9dql0QTW97I'
ls_key += '6CBNkSEQgHrw81gPzntJ5LYoU7+WxCBB45ELtDlBeKcVoc3d6V/K7YDVEGK0gWpC'
ls_key += 'FV+2hvrwp9i8aLmCI/PiFG6eTcJ77B/O0yy7ZmBbtSs3sO1+8dJ7QVjkzdslBmW2'
ls_key += 'cTljMzKoVJtPGIrDW1f0B6XsEytMt3dU0TRdxy8ahvbwJuyNUb129z5M8UbHGRIg'

etc, etc, etc.

key = coder.Base64decode( ls_key )

Return key
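
Added example (not part of the original thread and not Appeon's code): a standard-library Python sketch that tells PKCS#1 from PKCS#8 by the DER header and performs the PKCS#1 to PKCS#8 wrapping offline, so the private key never has to be pasted into a web converter. It goes slightly beyond the answer by also flagging the encrypted PKCS#8 container; the function names and the toy key are assumptions constructed for illustration.

```python
import base64

# DER for AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (tag, definite length, contents)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER; the sizing keeps the top bit clear."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def classify(b64_body: str) -> str:
    """Name the private-key container from the start of its base64 body."""
    usable = len(b64_body) // 4 * 4           # tolerate a truncated prefix
    der = base64.b64decode(b64_body[:usable])
    if len(der) < 2 or der[0] != 0x30:        # must open with a SEQUENCE
        return "unknown"
    pos = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip outer header
    if len(der) < pos + 4:
        return "unknown"
    if der[pos] == 0x30:                      # AlgorithmIdentifier comes first
        return "PKCS#8 encrypted (EncryptedPrivateKeyInfo)"
    if der[pos:pos + 3] != b"\x02\x01\x00":   # expect version INTEGER 0
        return "unknown"
    # Next element: INTEGER = modulus (PKCS#1); SEQUENCE = algorithm (PKCS#8).
    kinds = {0x02: "PKCS#1 (RSAPrivateKey)", 0x30: "PKCS#8 (PrivateKeyInfo)"}
    return kinds.get(der[pos + 3], "unknown")

def pkcs1_to_pkcs8(pkcs1_der: bytes) -> bytes:
    """Wrap an RSAPrivateKey in an unencrypted PKCS#8 PrivateKeyInfo."""
    # OpenSSL equivalent: openssl pkcs8 -topk8 -nocrypt -in rsa.pem -out pkcs8.pem
    return der_tlv(0x30, b"\x02\x01\x00" + RSA_ALG_ID + der_tlv(0x04, pkcs1_der))

def toy_pkcs1() -> bytes:
    """Constructed sample: textbook RSA numbers (p=61, q=53), not a real key."""
    fields = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]
    return der_tlv(0x30, b"".join(der_int(v) for v in fields))

if __name__ == "__main__":
    print(classify("MIIEowIBAAKCAQEA"))                  # start of the question's key
    print(classify("MIIEvgIBADANBgkqhkiG9w0BAQEFAASC"))  # start of the answer's key
    print(classify(base64.b64encode(pkcs1_to_pkcs8(toy_pkcs1())).decode()))
```

The base64 of the wrapped output is the string that would be assigned to ls_key before Base64decode.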

Comment
  1. James Moore
  2. Wednesday, 23 October 2019 18:59 PM UTC
I can't thank you enough! Thanks!
  1. Eric Nieva
  2. Thursday, 1 October 2020 09:36 AM UTC
Hi Bruce,



Will this work for an encrypted private key? I am required to generate an AES-256 encrypted private key:

openssl genrsa -aes256 -passout pass:{password} -out {location} 2048

which is then converted to PKCS#8 format also using openssl.

But I still get the 'invalid privKey' error when I call AsymmetricSign using the PKCS#8 private key.

Or are there additional steps for this case?



Thanks!
  1. Bruce Armstrong
  2. Friday, 2 October 2020 16:41 PM UTC
I think you're conflating a couple of things here. AES is a symmetric encryption method, you wouldn't use an AES key to do asymmetric encryption/decryption.



I covered the topic in an Elevate session, and it's described briefly in this article (not by me): https://www.precisely.com/blog/data-security/aes-vs-rsa-encryption-differences



Symmetric encryption is fast and can handle large amounts of data, but is somewhat unsecure because of the shared key.

Asymmetric encryption is more secure, but is slow and can only handle small amounts of data.



What a lot of people use is a hybrid of the two. They use symmetric encryption to encrypt a large block of data. But then they take the symmetric key they used and perform asymmetric encryption on that. They then pass both the asymmetrically encrypted key and the symmetrically encrypted data to the receiver. The receiver then needs to asymmetrically decrypt the key (using their private key) and then symmetrically decrypt the data using that encrypted symmetric key.
Chris Pollach @Appeon
  1. Tuesday, 22 October 2019 20:02 PM UTC
  2. PowerBuilder
  3. # 1

Hi James;

   In your code somewhere, do you use the AsymmetricGenerateKey command to get the correct private & public key values?

Regards ... Chris

James Moore
  1. Tuesday, 22 October 2019 20:06 PM UTC
  2. PowerBuilder
  3. # 2

No, I will not be generating keys. A webservice has supplied the private/public key pairs that we will use to authenticate. I included the private key in the sample code section of my question. 

Comment
  1. Chris Pollach @Appeon
  2. Tuesday, 22 October 2019 20:13 PM UTC
That would be no problem but ... make sure that the keys are in UTF-8 format and have exact lengths of either: 512, 1024, or 2048 bytes.
James Moore
  1. Wednesday, 23 October 2019 14:47 PM UTC
  2. PowerBuilder
  3. # 3

AHHH! Thank you, Bruce and Chris! I'll try converting the key format and post back.
