I'm trying to generate and sign a JWT using an RSA private key generated from an external source in PB2017 R3. When I call AsymmetricSign, I get an "Invalid 'privKey' in AsymmetricSign" error.
I've read the article here, but it leaves out the part that prepares the RSA private key (of_getrsakey).
What am I missing?
Thanks,
James
Sample code:
// Key bytes and the digest that will be signed
blob lblb_priv, lblb_SHA
string ls_key
coderobject l_Coder
crypterobject l_Crypt
l_Crypt = create crypterobject
l_Coder = create coderobject
// Base64 body of the PEM private key (the text between the BEGIN/END lines).
// Decoded, it begins 30 82 04 A3 02 01 00 02 82 01 01 ..., i.e. a PKCS#1
// RSAPrivateKey structure ("-----BEGIN RSA PRIVATE KEY-----"), not PKCS#8.
ls_key = &
"MIIEowIBAAKCAQEAtTQvE7WxbNX8ULDifGJLLs69A3xWLUqx5s6/i47v9bMVAVMY" +&
"89msItFXHDbH0Jg41y7eHjQnIPrb0jz3naIpr1aiA95e3d2JqjPWjIY4vjwP6SUN" +&
"UHI8NVV/9C9khZBYU+rvfi2jeRRXAC+VMTvh/Wh+DRgc0tLMbOm8iKVehQDgGYQn" +&
"JT7lPm4z2kl35e1r8rox01el476NTL0/ES3cn+uORkxaqvqC4fokP9jZk7KeEsXI" +&
"7t9LmdqoBoNcZDlP63eX81qkQsEBt/7r5ssLISJgDfYJ8C6mKRvxqUefflbMjZNZ" +&
"z7OTA/KECktsq6r4U9u1gIMH+QZmdAC14Iy4rwIDAQABAoIBAFnIOWsyo26huBrj" +&
"CdVHfqj6lnybprdaQztxRUcI06yRxt6ZJcvtFnVJ9DdujSK1ybQU7MlaXejhYvmQ" +&
"a8AXEUBnVG9GRwr3Mba7aJrIBmV7rQZ/7VDmyR5D9tougUgMdTdfOLr0MgNUKKdW" +&
"7D0wxpCgrZQfVmi/ObrdNSUfiu2q41lZ1np67Q3iRaE1laFWrRP1AI6c/wCT4xQf" +&
"yBgVDRLm9QqAFqRY2D91p72ZGi27AI5UYTl+iGUxvPmvCJcDfrcBotf9lWoZJ4Bc" +&
"3kDdp/msyOC0x4FExVM8bZms1eeyH7uL6LY83lpzYWha3J21f2tt+K6+PQY3ChO8" +&
"LZm5GMECgYEA5/az1hd/u0+fDz1FyaeK7DuLWaBV4CdCaOllUPdGbgrVt0KpmDOl" +&
"sslVCbHOOFH9TrsQz0pXppUeJJ5Soq73jD5fbOkmJE+quymw6gasj/1adgmREkYH" +&
"2j1BNneeuDPKhos92Qk5Vm8KNoScgXhYj96Lgov+5/DRn4XgqQvkt2UCgYEAx/r5" +&
"0V3VjqYYVto60A67sSQ20ZyKty+wxsrhpB8ZJ0A5ia3iMuJtf/7Niah2ChZ28o55" +&
"wZcpNt6P+A8asjfXkqa4uqMFB1zdwKWbJwqY5IjYGlktt3meAmnamTbgF8GPbnSG" +&
"SRFcPgmixQKHFSMozf5CGiGuuwW24zoDBwt5YIMCgYEAvQM/guJfCKhWebp51Vma" +&
"T+gtInkNwLr82DPmhNUZJK3be5rsSsM677YyftXNrgLRH4g6qE5xoaG8kCYaO8nK" +&
"mRJx+3L3y3rHKf9M00Vg82uEfM5K0dMSrvhe3R0Xzg0VqBBp8yIbAJ02ezoPtUf1" +&
"EjZLA7NDoIeQqCYU7GpukikCgYBdGgQaK/RTkBI+xSSiXmmVY8W9uoJ+HE7RjfyU" +&
"uwGr22OuLGzlwbK25zprfylNMv43mIsozKYcbGtcUjPcitDq7oGMKn8Z2WtH2BGu" +&
"kGlz5B2vzprRE2azuvJRaFHV3YBYLRmjhNiL7VKBI9cdyRujI19E6S9+1H87tHNa" +&
"YUYl3wKBgEQPatE3miykvD+g46XJAOmEBwcuaRI8Q+MyC1oTrCK85ZUb8azHOPCi" +&
"BsDODpEJnY3uyh0Pe+zwxBKfKXhsNyDo1HgOO6Mkr6qBRGk9iYy/edSwaP+wtcNj" +&
"REQFAIo/6a+Olpx7+CCZChe0fFx5v3k6bXZPTLHplHqV6RQiNQEJ"
lblb_priv = l_Coder.base64Decode(ls_key)     // DER bytes of the key, passed as privKey below
lblb_SHA = l_Crypt.SHA(SHA256!, blob("TEST.TEST", encodingUTF8!))   // SHA-256 digest of the data to sign
// The returned signature blob is not captured in this excerpt
l_Crypt.AsymmetricSign(RSA!, lblb_SHA, lblb_priv) //<-- privKey Error
destroy l_Crypt
destroy l_Coder
Will this work for an encrypted private key? I am required to generate an AES-256 encrypted private key:
openssl genrsa -aes256 -passout pass:{password} -out {location} 2048
which is then converted to PKCS#8 format also using openssl.
But I still get the 'invalid privKey' error when I call AsymmetricSign using the PKCS#8 private key.
Or are there additional steps for this case?
Thanks!
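Both posts hand AsymmetricSign a base64-decoded blob and get the 'invalid privKey' error, so the first thing to establish is which of the three common DER layouts that blob actually has. The Python below is an added example (not PowerBuilder code, and not from either poster) that reads only the ASN.1 TLV headers to tell a PKCS#1 RSAPrivateKey from an unencrypted PKCS#8 PrivateKeyInfo and from a PKCS#8 EncryptedPrivateKeyInfo. The DER samples in it are constructed with dummy key material and abbreviated algorithm parameters; the only value taken from the page is the first 16 base64 characters of the key in the question, which decode to 30 82 04 A3 02 01 00 02 82 01 01, the PKCS#1 shape. Two things worth knowing before re-running the conversion: `openssl pkcs8 -topk8` writes an EncryptedPrivateKeyInfo unless `-nocrypt` is given, so a key produced that way has the third shape rather than the second, and which of the three shapes CrypterObject accepts should be confirmed in the PowerBuilder help for your release (the conversion in the second post points at PKCS#8).

```python
import base64
import re

# ASN.1 DER tags needed to recognise the outer shape of a private key
SEQUENCE, INTEGER, OCTET_STRING, OID, NULL = 0x30, 0x02, 0x04, 0x06, 0x05


def read_header(buf, pos):
    """Return (tag, content_length, content_offset) for the TLV starting at buf[pos]."""
    try:
        tag, first = buf[pos], buf[pos + 1]
    except IndexError:
        raise ValueError("truncated DER header") from None
    if first < 0x80:                                  # short form: one length byte
        return tag, first, pos + 2
    n = first & 0x7F                                  # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < pos + 2 + n:
        raise ValueError("bad or truncated DER length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def classify(der):
    """Name the outer structure of a DER private key from its first two children.

    PKCS#1 RSAPrivateKey:           SEQUENCE { INTEGER version, INTEGER modulus, ... }
    PKCS#8 PrivateKeyInfo:          SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING }
    PKCS#8 EncryptedPrivateKeyInfo: SEQUENCE { SEQUENCE algorithm, OCTET STRING encryptedData }
    Only headers are inspected, so a truncated copy of a key is still classified.
    """
    tag, _, pos = read_header(der, 0)
    if tag != SEQUENCE:
        return "not a DER SEQUENCE"
    t1, l1, pos = read_header(der, pos)
    if t1 == SEQUENCE:
        return "PKCS#8 EncryptedPrivateKeyInfo"
    if t1 != INTEGER:
        return "unknown"
    t2, _, _ = read_header(der, pos + l1)             # skip the version INTEGER's content
    if t2 == INTEGER:
        return "PKCS#1 RSAPrivateKey"
    if t2 == SEQUENCE:
        return "PKCS#8 PrivateKeyInfo"
    return "unknown"


def sniff(pem_or_b64):
    """Strip PEM armour and headers, base64-decode, and report format plus completeness."""
    text = re.sub(r"-----[^-]*-----", "", pem_or_b64)          # BEGIN/END lines
    text = re.sub(r"^[A-Za-z-]+:.*$", "", text, flags=re.M)    # Proc-Type:/DEK-Info: lines
    der = base64.b64decode("".join(text.split()))
    _, outer_len, content_at = read_header(der, 0)
    return {"format": classify(der),
            "bytes_declared": content_at + outer_len,   # what the outer SEQUENCE says the key needs
            "bytes_present": len(der)}


def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def as_pem(label, der_bytes):
    """Wrap DER in PEM armour with the given label (e.g. 'PRIVATE KEY')."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
PBES2_OID = bytes.fromhex("2a864886f70d01050d")            # 1.2.840.113549.1.5.13

# Constructed samples: correct outer shapes, dummy key material, abbreviated parameters.
SAMPLE_PKCS1 = der(SEQUENCE, der(INTEGER, b"\x00") + der(INTEGER, b"\x00" + b"\xab" * 256)
                   + der(INTEGER, b"\x01\x00\x01"))
SAMPLE_PKCS8 = der(SEQUENCE, der(INTEGER, b"\x00")
                   + der(SEQUENCE, der(OID, RSA_ENCRYPTION_OID) + der(NULL, b""))
                   + der(OCTET_STRING, SAMPLE_PKCS1))
SAMPLE_PKCS8_ENC = der(SEQUENCE, der(SEQUENCE, der(OID, PBES2_OID) + der(SEQUENCE, b""))
                       + der(OCTET_STRING, b"\xcd" * 64))

# First 16 base64 characters of the key in the question: 30 82 04 A3 02 01 00 02 82 01 01 00
QUESTION_KEY_PREFIX = "MIIEowIBAAKCAQEA"

if __name__ == "__main__":
    print("question key prefix:", sniff(QUESTION_KEY_PREFIX))
    print("PKCS#8 sample:      ", sniff(as_pem("PRIVATE KEY", SAMPLE_PKCS8)))
    print("encrypted sample:   ", sniff(as_pem("ENCRYPTED PRIVATE KEY", SAMPLE_PKCS8_ENC)))
```

Paste the text between your own BEGIN/END lines (or the whole PEM file; Proc-Type/DEK-Info headers from legacy OpenSSL output are tolerated) into `sniff()`; a `bytes_declared` larger than `bytes_present` means the blob handed to AsymmetricSign was cut short before it ever reached the format question.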
I covered the topic in an Elevate session, and it's described briefly in this article (not by me): https://www.precisely.com/blog/data-security/aes-vs-rsa-encryption-differences
Symmetric encryption is fast and can handle large amounts of data, but is somewhat insecure because of the shared key.
Asymmetric encryption is more secure, but is slow and can only handle small amounts of data.
What a lot of people use is a hybrid of the two. They use symmetric encryption to encrypt a large block of data. But then they take the symmetric key they used and perform asymmetric encryption on that. They then pass both the asymmetrically encrypted key and the symmetrically encrypted data to the receiver. The receiver then needs to asymmetrically decrypt the key (using their private key) and then symmetrically decrypt the data using that encrypted symmetric key.
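The hybrid scheme described in the reply above, as an added example in Python using the `cryptography` package (pip install cryptography); it is not code from the page or from PowerBuilder. The receiver's RSA key pair is generated on the fly for the demonstration, AES-256-GCM is the symmetric cipher, and RSA-OAEP with SHA-256 wraps the one-time data key. It also shows the two facts that motivate the hybrid: RSA-OAEP with a 2048-bit key refuses anything over 190 bytes, and GCM's authentication tag makes tampering with the bulk ciphertext detectable on the receiving side.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 is the asymmetric half; it only ever sees the 32-byte data key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

_DEMO_KEY = None


def demo_receiver_key():
    """Throwaway 2048-bit receiver key pair, generated once for this example (constructed)."""
    global _DEMO_KEY
    if _DEMO_KEY is None:
        _DEMO_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _DEMO_KEY


def rsa_direct_limit_bytes(key_bits, hash_len=32):
    """Largest payload RSA-OAEP can encrypt directly: k - 2*hLen - 2 (190 bytes for RSA-2048/SHA-256)."""
    return key_bits // 8 - 2 * hash_len - 2


def direct_rsa_rejects(nbytes):
    """Why the bulk data is not RSA-encrypted: anything over the limit is refused outright."""
    try:
        demo_receiver_key().public_key().encrypt(b"\x00" * nbytes, OAEP)
        return False
    except ValueError:
        return True


def hybrid_encrypt(receiver_public_key, plaintext, aad=b""):
    """Sender: encrypt the data with a fresh AES-256-GCM key, then wrap that key with RSA-OAEP."""
    data_key = AESGCM.generate_key(bit_length=256)        # one-time symmetric key
    nonce = os.urandom(12)                                # 96-bit GCM nonce, unique per key
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, aad)   # ciphertext || 16-byte tag
    wrapped_key = receiver_public_key.encrypt(data_key, OAEP)
    # Everything in the envelope travels in the clear except what the keys protect.
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext, "aad": aad}


def hybrid_decrypt(receiver_private_key, envelope):
    """Receiver: unwrap the data key with the private key, then decrypt and authenticate the data."""
    data_key = receiver_private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(envelope["nonce"], envelope["ciphertext"], envelope["aad"])


def roundtrip(message, aad=b"hdr:v1"):
    """True when the receiver recovers exactly what the sender encrypted."""
    key = demo_receiver_key()
    envelope = hybrid_encrypt(key.public_key(), message, aad)
    return hybrid_decrypt(key, envelope) == message


def tamper_detected(message):
    """Flip one ciphertext byte: GCM's tag check fails and the receiver gets InvalidTag, not garbage."""
    key = demo_receiver_key()
    envelope = hybrid_encrypt(key.public_key(), message)
    damaged = bytearray(envelope["ciphertext"])
    damaged[0] ^= 0x01
    envelope["ciphertext"] = bytes(damaged)
    try:
        hybrid_decrypt(key, envelope)
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    print("RSA-2048/OAEP direct limit:", rsa_direct_limit_bytes(2048), "bytes")
    print("1 KiB straight through RSA refused:", direct_rsa_rejects(1024))
    print("100 KiB hybrid round trip:", roundtrip(b"bulk data " * 10240))
    print("tamper detected:", tamper_detected(b"short message"))
```

The data key is generated per message and never reused, the nonce is fresh per encryption, and the receiver's private key only ever unwraps 32 bytes, which is what keeps the slow asymmetric step constant-cost no matter how large the payload is.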