Thread: RSA, Private and Public Key and Digital Signature

  1. #1

    Default RSA, Private and Public Key and Digital Signature

    I have searched and searched, and made many attempts to solve this, but until now I cannot solve this situation.

    I need code that is cross-platform, since I must use it on Linux and Windows. Having an RSA private and public key, which I can generate using openssl, I must be able to create a digital signature using the private key with the following parameters: x.509, UTF-8, Base 64, Little Endian, PKCS1 v1.5 padding, 1024 bytes size and hash format SHA-1.

    I have already made some attempts to include openssl in QT, but after hours of searching I cannot find good examples that can help me solve this.

    Any help will be great.

    Paulo

  2. #2

    Default Re: RSA, Private and Public Key and Digital Signature

    What exactly are you having problems with?
    Your biological and technological distinctiveness will be added to our own. Resistance is futile.

    Please ask Qt related questions on the forum and not using private messages or visitor messages.


  3. The following user says thank you to wysota for this useful post:

    pvaz (7th April 2011)

  4. #3

    Default Re: RSA, Private and Public Key and Digital Signature

    What do you mean by "include openssl in QT"? Using OpenSSL from any C/C++ program should be trivially straightforward, and has nothing to do with Qt. Here's the process to build one of the examples shipped with OpenSSL using QMake.
    Qt Code:
        $ cd /tmp/example

        # extract and build OpenSSL
        $ tar xzf openssl-1.0.0d.tar.gz
        $ cd openssl-1.0.0d
        $ less INSTALL
        $ ./config --prefix=/tmp/example/ssl # statically linked libs only
        $ make
        $ make test
        $ make install
        $ cd ..

        # Grab a small example code that comes with OpenSSL but leave the Makefile behind
        $ cp openssl-1.0.0d/demos/sign/{sign.c,*.pem,*.txt} .
        # make a PRO file
        $ cat example.pro
        TEMPLATE = app
        TARGET =
        INCLUDEPATH += /tmp/example/ssl/include
        LIBS += -L/tmp/example/ssl/lib -lcrypto
        # Input
        SOURCES += sign.c

        $ qmake
        $ make
        ...
        $ ./example
        Signature Verified Ok.
    Then add whatever Qt code you like.

    If you want a Qt-style wrapper around OpenSSL then there is always QCA, but that is just another layer of stuff to get built correctly.

  5. The following user says thank you to ChrisW67 for this useful post:

    pvaz (7th April 2011)

  6. #4

    Default Re: RSA, Private and Public Key and Digital Signature

    What to say, I need a solution since I could not make any progress.

    I was looking at one possibility, which is using QCryptographicHash, but I really do not know if it will make it possible to do what I really need.

    Do you know if this is a good way to go? I also have to try to find a good example of how to use it.

    Any help will be great.

    Thanks,
    Paulo

  7. #5

    Default Re: RSA, Private and Public Key and Digital Signature

    QCryptographicHash by itself will not be enough. You should know that if you have knowledge of appropriate theory. If you don't then I suggest you start with filling this gap.


  8. #6

    Default Re: RSA, Private and Public Key and Digital Signature

    Thank you Chris

    After a huge fight with my computer and many attempts, I finally got it all working on my Windows Qt.

    Now comes another question: this example uses files to read the private and public key, but in my application I need to have stored inside the C the private and public key.

    How can I do it? Can you help me with this task?

    Paulo

    Thank you wysota

  9. #7

    Default Re: RSA, Private and Public Key and Digital Signature

    If you intend to store the private key inside your application code then you may as well not do anything, as extracting your private key from within the code is a matter of seconds.


  10. #8

    Default Re: RSA, Private and Public Key and Digital Signature

    Hi,

    What is the best way to do it, since I need to digitally sign parts of the output using the private key?

    Paulo

  11. #9

    Default Re: RSA, Private and Public Key and Digital Signature

    Why do you need to use the private key? Encrypt the output using the public key and decrypt it using the private key.

  12. #10

    Default Re: RSA, Private and Public Key and Digital Signature

    Quote Originally Posted by squidge View Post
    Why do you need to use the private key?
    If he wants a signature then it's done using the private key (since only the owner of the private key is able to perform the operation it is certain that if the signature can be decrypted using the public key and the hash is verified, the sender and the plain text contents are correct).


  13. #11

    Default Re: RSA, Private and Public Key and Digital Signature

    Yes, I wasn't thinking correctly when I wrote that. It would be pretty pointless to sign with a public key that everyone has access to.

    I was thinking more along the lines of encrypting the contents rather than generating a signature.

  14. #12

    Default Re: RSA, Private and Public Key and Digital Signature

    Quote Originally Posted by pvaz View Post
    Now comes another question: this example uses files to read the private and public key, but in my application I need to have stored inside the C the private and public key.
    Don't. Store the files outside the application. Protect the private key with a good pass phrase and use that with PEM_read_PrivateKey. The user must supply the pass phrase. This has the advantage that the pass phrase or keys can be changed, and all the security is being managed by OpenSSL code.

    I guess you could embed an ENCRYPTED private key and require the user to provide the pass phrase at run time. You should look at the other variants of the key handling routines to see if this is possible.

  15. #13

    Default Re: RSA, Private and Public Key and Digital Signature

    I have found one example that does what I need, but I am having trouble trying to make it compatible with QT:

    Qt Code:
        #include "openssl/pem.h" // should pull in all the others
        #pragma comment(lib, "libeay32MT.lib")
        // C++ Linker, delay load DLL: libeay32.dll

        bool OpenSSLSign(TMemoryStream *in, TMemoryStream *out)
        {
            bool Result = false;

            // LEFT AS AN EXERCISE TO THE READER:
            // >>> Load Private Key into "out" stream *HERE* before proceeding any further <<<

            BIO *bKey = BIO_new(BIO_s_mem());
            BIO_write(bKey, out->Memory, out->Size);
            BIO_flush(bKey);
            EVP_PKEY *pKey = PEM_read_bio_PrivateKey(bKey, NULL, NULL, NULL);
            BIO_free(bKey);

            if (pKey) {
                EVP_MD_CTX mdctx;
                EVP_MD_CTX_init(&mdctx);
                EVP_SignInit_ex(&mdctx, EVP_sha1(), NULL);
                EVP_SignUpdate(&mdctx, (System::PByte)in->Memory, in->Size);
                out->Size = EVP_PKEY_size(pKey);
                unsigned int out_len;
                Result = EVP_SignFinal(&mdctx, (System::PByte)out->Memory, &out_len, pKey);
                SecureZeroMemory(pKey, sizeof(*pKey));
                EVP_MD_CTX_cleanup(&mdctx);
            }
            return Result;
        }
        //---------------------------------------------------------------------------

    The problem is with TMemoryStream, EVP_SignUpdate(&mdctx, (System::PByte)in->Memory, in->Size) and SecureZeroMemory(pKey, sizeof(*pKey));

    How can I adapt this function in order to use it in QT, to be one function that I send the line I want to digitally sign and in return I will receive the hash?

    Thanks,


    Paulo
    Last edited by wysota; 7th April 2011 at 23:53. Reason: missing [code] tags

  16. #14

    Default Re: RSA, Private and Public Key and Digital Signature

    You can use it as it is, you don't have to "adapt" anything.


  17. #15

    Default Re: RSA, Private and Public Key and Digital Signature

    Dear wysota,

    It's incompatible with QT.

    Paulo

  18. #16

    Default Re: RSA, Private and Public Key and Digital Signature

    What is incompatible with Qt?


  19. #17

    Default Re: RSA, Private and Public Key and Digital Signature

    TMemoryStream <- Does not exist
    EVP_SignUpdate(&mdctx, (System::PByte)in->Memory, in->Size) <- (System::PByte)in->Memory, in->Size not compatible
    SecureZeroMemory(pKey, sizeof(*pKey)); <- This function does not exist

  20. #18

    Default Re: RSA, Private and Public Key and Digital Signature

    Well... to me it seems natural that if you copy and paste a part of some program into your own, you will encounter classes and calls that do not exist in your program. This doesn't make this snippet "incompatible with Qt", it makes it incompatible with your program. I'm assuming you can substitute TMemoryStream with QByteArray and SecureZeroMemory() with memset() or an equivalent function from OpenSSL that will wipe out the key from memory.


  21. #19

    Default Re: RSA, Private and Public Key and Digital Signature

    Paulo,
    Qt is a library of GUI and other classes that can be used in your program. OpenSSL is a library of cryptographic routines that can be used in your program. You can use either, or both, libraries from C++ code but you have to provide the compiler with correct C++ code.

    Your problems are all related to providing your C++ compiler with syntactically complete and correct code and nothing to do with the Qt or OpenSSL libraries. As you pointed out, you are missing a declaration and implementation of the TMemoryStream class and other bits. You need to supply the compiler with include files and matching libraries that define TMemoryStream, or substitute something for the TMemoryStream class (as Wysota is saying above).

    TMemoryStream looks like it is part of Borland C++ Builder.
    SecureZeroMemory is a Windows API call.

    Using the C memset() function is not a secure erase mechanism unless precautions are taken to ensure that the compiler does not optimise the call out (because you typically don't use the erased memory again before discarding it).
    Last edited by ChrisW67; 8th April 2011 at 03:30.
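
Added example (not from the thread): a wipe the optimiser cannot drop, which is the precaution the last post says a plain memset() lacks, written in C so it builds on both Linux and Windows. `secure_wipe`, `passphrase_t` and the other helper names are this example's own.

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* memset reached through a volatile function pointer: the pointer has to be
   loaded at run time, so the compiler cannot assume it still points at
   memset and cannot delete the call as a dead store before free/return. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;
#endif

/* Hypothetical helper. If the program already links OpenSSL,
   OPENSSL_cleanse(ptr, len) does the same job. */
void secure_wipe(void *p, size_t n)
{
    if (p == NULL || n == 0) return;
#ifdef _WIN32
    SecureZeroMemory(p, n);   /* the Windows API call named in the thread */
#else
    wipe_fn(p, 0, n);
#endif
}

/* Fixed-size holder for a pass phrase typed by the user (hypothetical type). */
typedef struct { char text[128]; size_t len; } passphrase_t;

/* Store a pass phrase; one that does not fit is rejected and the holder is
   left wiped. Returns 1 on success, 0 on rejection. */
int passphrase_set(passphrase_t *pp, const char *src)
{
    size_t n = strlen(src);
    secure_wipe(pp, sizeof *pp);
    if (n >= sizeof pp->text) return 0;
    memcpy(pp->text, src, n);
    pp->len = n;
    return 1;
}

/* Count of non-zero bytes still in the holder; 0 means nothing is left. */
size_t passphrase_residue(const passphrase_t *pp)
{
    const unsigned char *b = (const unsigned char *)pp;
    size_t i, left = 0;
    for (i = 0; i < sizeof *pp; i++) left += (b[i] != 0);
    return left;
}
```

Wipe buffers your own code owns, such as this pass phrase holder; an `EVP_PKEY` belongs to OpenSSL and is released with `EVP_PKEY_free()`.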
