Re: Code Review Request: ASN1 bad tag value met on EnvelopedData.Decrypt

From: Kristine (wingsforwheels_at_hotmail.com)
Date: 10/08/04


Date: 8 Oct 2004 07:58:15 -0700

Valery,

Thanks for your suggestions and for offering code, I do appreciate it!

Due to time constraints we decided to implement MD5 as a short term
solution, while we continue to work out the PKCS7 issues.

We have used MD5 in the past, but when we tried to match hash values
with this client they were different! After 13 elegant character set
conversion functions and 6 hours of searching, they discovered that
they needed to type in "UnicodeLittleUnmarked" in part of their
hashing function.

What was that you said about "it takes whole a lot to get all things
right"...I'm finding this to be so very true!

Many thanks,

Kristine

"Valery Pryamikov" <Valery@nospam.harper.no> wrote in message news:<uwsQKj6qEHA.3748@TK2MSFTNGP09.phx.gbl>...
> Kristine,
> I see your problem. If you can switch from using ASP to ASP.NET - use code
> from Michel Gallant's page for plain RSA encryption.
> They are not sending you PKCS#7 messages and I don't think that you can use
> CAPICOM for plain RSA... but I can't say that for sure, because I always
> used CAPI and never CAPICOM (if I'm wrong about CAPICOM ability to do plain
> RSA, I hope that someone will chime in). Of course I can send you C/C++ CAPI
> sample, but I suspect that you have no use for that...
>
> -Valery.
> http://www.harper.no/valery
>
>
> "Kristine" <wingsforwheels@hotmail.com> wrote in message
> news:37603010.0410051905.5668e687@posting.google.com...
> > Thanks Again Valery!
> >
> > I had told them to send the encryption in PKCS7 format, and sent them
> > Mr. Gallant's link. They said they made code changes, but I was still
> > getting the ASN1 error. I sent them your more detailed reply, and
> > they seem to better understand now what it is they need to do. Here's
> > hoping!
> >
> > I really appreciate your help!
> >
> > Many thanks,
> >
> > Kristine
> >
> > "Valery Pryamikov" <Valery@nospam.harper.no> wrote in message
> > news:<#8ANOMrqEHA.1296@TK2MSFTNGP12.phx.gbl>...
> >> Kristine,
> >> here is what is causing your problems:
> >>
> >> They send you plain RSA encryption;
> >>
> >> While as CAPICOM's EnvelopedData object expects PKCS#7 enveloped data in
> >> structure containing:
> >> - one element for each recipient with recipient certificate's issuer and
> >> serial number, content encryption algorithm identification, content
> >> encryption key (symmetric encryption algorithm) that is RSA encrypted
> >> (PKCS 1.5 padding) with public keys of each message recipient;
> >> - content encrypted with symmetric encryption algorithm (content
> >> encryption key) and stored as octet stream;
> >>
> >> (and that is why your data is larger than theirs)
> >>
> >>
> >> To solve your problem you have only two choices:
> >> 1. convince your partner to change from plain RSA encryption to use of
> >> PKCS#7 enveloped data (preferred solution if you care about security and
> >> want to use encryption instead of encraption).
> >> 2. don't use EnvelopedData, but use plain RSA encryption/decryption.
> >>
> >> No other choices exist.
> >>
> >> -Valery.
> >> http://www.harper.no/valery
> >>
> >>
> >> "Kristine" <wingsforwheels@hotmail.com> wrote in message
> >> news:37603010.0410041356.14b16957@posting.google.com...
> >> >I had posted this problem previously, but thought I should start a new
> >> > thread since this one will be more code specific. Another website is
> >> > encrypting data (using BouncyCastle) and passing it to us from a link
> >> > on their site (parameter on the URL). I am using CAPICOM on my side
> >> > and get the "ASN1 bad tag value met error" when I call
> >> > EnvelopedData.Decrypt. I thought it was due to line feeds in the URL,
> >> > but I parse those out and still get the error. I've posted their code
> >> > and my code below. Does anyone see anything wrong?
> >> >
> >> >
> >> > Their BouncyCastle Code:
> >> >
> >> > public String loadEncryptedData(HttpServletRequest request){
> >> >
> >> > Employee employeesss=(Employee)getEmployee(request);
> >> > EmployeeXXX employee=(EmployeeXXX)employeesss;
> >> > SimpleDateFormat sdf = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy");
> >> > sdf.setTimeZone( TimeZone.getTimeZone("GMT"));
> >> > String GMTDate = sdf.format(new Date());
> >> > StringBuffer buf=new StringBuffer();
> >> > buf.append("employeeId="+employee.getEmployeeId());
> >> > buf.append("&");
> >> > buf.append("employeeRecN="+employee.getEmployeeRecNbr());
> >> > buf.append("&");
> >> >
> >> > buf.append("lang="+com.dsm.clients.xxxus.utilities.ResourceBundlesXXXUS.getStaticResourceMessage(request,"languageCode"));
> >> > buf.append("&");
> >> >
> >> > buf.append("currencyformat="+employee.getUserPreferedCurrencyFormat());
> >> > buf.append("&");
> >> > buf.append("dateformat="+employee.getUserPreferedDateFormat());
> >> > buf.append("&");
> >> > buf.append("stampedAt="+GMTDate);
> >> >
> >> > return buf.toString();
> >> > }
> >> >
> >> > public static String getEncryption(HttpServletRequest request){
> >> > SecurityOperationXXXUS sec=new SecurityOperationXXXUS();
> >> > String encrypted=null;
> >> >
> >> > String vendorEnc = "US-ASCII";
> >> > String
> >> > hhh=request.getRealPath("/WEB-INF/classes/com/dsm/clients/xxxus/resources/us2them.ks");
> >> > String one=MasterDM.getColumnName("them");
> >> > try{
> >> >
> >> > String token=sec.loadEncryptedData(request);
> >> > System.out.println(token);
> >> > String tokenssss=sec.getEncryptedData(token,hhh);
> >> >
> >> > String encoded=URLEncoder.encode(tokenssss,vendorEnc);
> >> > encrypted=one+"?query="+encoded;
> >> > System.out.println(encrypted);
> >> >
> >> > }catch(Exception ex){
> >> > ex.printStackTrace();
> >> > }
> >> > return encrypted;
> >> >
> >> > }
> >> >
> >> > public String getEncryptedData(String token,String file) {
> >> > String base64Token = null;
> >> > try
> >> > {
> >> > getKeys(file);
> >> > Provider rsaProvider = new
> >> > org.bouncycastle.jce.provider.BouncyCastleProvider();
> >> > java.security.Security.addProvider(rsaProvider);
> >> > c1 = Cipher.getInstance(encryptionAlgo,encryptionProvider);
> >> > c1.init(Cipher.ENCRYPT_MODE,PROVIDER_PUB_KEY);
> >> > byte[] utf8 = token.getBytes("UTF8");
> >> > byte[] enc = c1.doFinal(utf8);
> >> > base64Token = new BASE64Encoder().encode(enc);
> >> > }
> >> > catch(Exception e)
> >> > {
> >> > e.printStackTrace();
> >> > }
> >> > return base64Token;
> >> > }
> >> >
> >> > public String getDecryptedData(String token, String file){
> >> >
> >> > String dValue=null;
> >> > getKeysDec(file);
> >> > Provider rsaProvider = new
> >> > org.bouncycastle.jce.provider.BouncyCastleProvider();
> >> > try{
> >> >
> >> > java.security.Security.addProvider(rsaProvider);
> >> > String URLdecodedES = URLDecoder.decode(token);
> >> > URLdecodedES = URLdecodedES.replace(' ','+');
> >> > c1 = Cipher.getInstance(encryptionAlgo,encryptionProvider);
> >> > c1.init(Cipher.DECRYPT_MODE,THEM_PRIVATE_KEY);
> >> >
> >> > byte[] dec = new sun.misc.BASE64Decoder().decodeBuffer(URLdecodedES);
> >> > byte[] utf8 = c1.doFinal(dec);
> >> > dValue = new String(utf8, "UTF8");
> >> > }
> >> > catch(Exception e)
> >> > {
> >> > e.printStackTrace();
> >> > }
> >> > return dValue;
> >> > }
> >> >
> >> >
> >> > My CAPICOM Code:
> >> >
> >> > <%
> >> > function URLDecode(sText)
> >> > sDecoded = sText
> >> > Set oRegExpr = Server.CreateObject("VBScript.RegExp")
> >> > oRegExpr.Pattern = "%[0-9,A-F]{2}"
> >> > oRegExpr.Global = True
> >> > Set oMatchCollection = oRegExpr.Execute(sText)
> >> > For Each oMatch In oMatchCollection
> >> > sDecoded = Replace(sDecoded,oMatch.value,Chr(CInt("&H" & Right(oMatch.Value,2))))
> >> > Next
> >> > URLDecode = sDecoded
> >> > End function
> >> > %>
> >> >
> >> > <%
> >> > Dim Store, Certificates, Certificate
> >> >
> >> > 'Store Options
> >> > Const CAPICOM_MEMORY_STORE = 0
> >> > Const CAPICOM_LOCAL_MACHINE_STORE = 1
> >> > Const CAPICOM_CURRENT_USER_STORE = 2
> >> > Const CAPICOM_MY_STORE = "My"
> >> > Const CAPICOM_STORE_OPEN_READ_ONLY = 0
> >> >
> >> >
> >> > 'Create Store and EnvelopedData
> >> > Set Store = Server.CreateObject("CAPICOM.Store")
> >> > Store.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY 'Open LocalMachine store for read
> >> > Set EnvelopedData = Server.CreateObject("CAPICOM.EnvelopedData")
> >> >
> >> > If Store.Certificates.Count > 0 then
> >> > For Each Cert in Store.Certificates
> >> > If Cert.Thumbprint = TheirThumbprint then
> >> > EnvelopedData.Recipients.Add Cert
> >> > ElseIf Cert.Thumbprint = OurThumbprint then
> >> > EnvelopedData.Recipients.Add Cert
> >> > Else
> >> > 'Cert not needed
> >> > End If
> >> > Next
> >> >
> >> > response.write "<P>EnvelopedData.Recipients.Count=" & EnvelopedData.Recipients.Count
> >> > Message2 = server.URLEncode(Request.QueryString("query"))
> >> > tmpMsg = Message2
> >> > Message3 = Replace(tmpMsg,"%0A","")
> >> > tmpEncode = Message3
> >> > Message4 = URLDecode(tmpEncode)
> >> > tmpDecode = Message4
> >> > EnvelopedData.Decrypt Message4 ' <-- ERROR HERE
> >> > str_out = EnvelopedData.Content
> >> > response.write "<p>Decrypt= " & str_out
> >> > Else
> >> > response.write "<P>Could not find certificate."
> >> > End If
> >> > response.write "<P>Done"
> >> > %>
> >> >
> >> > Additional Info:
> >> > I am able to encrypt and decrypt text successfully on my side and they
> >> > are able to encrypt and decrypt on their side, too. But our sites
> >> > aren't "communicating". Also, when I encrypt the same text on my side
> >> > that they are on their side my result is much larger.
> >> > My encryption:
> >> >
> >> > Their encryption:
> >> > KO5o9cjJiVKZgH7GMwHvSlPRBB8eR51y09gkZ0E/tSR9CQRzJxyocFwsd2sTiFBbg5qZ6iZRuBO6xceBT/sDPipezv1N0Y2dOpZ3GqKIu2sxNkpDyGCLWQhmHV+m8qzvgy3AevRQWI4qa1D5azZXyz4fqCPCXSFDEnuOVyt2ruU=
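
Added example, not part of the original thread and not code from either poster: a triage check that tells a PKCS#7 EnvelopedData blob from a raw RSA block before it is handed to EnvelopedData.Decrypt, which is the mismatch Valery describes behind the "ASN1 bad tag value met" error. The function names `read_tlv` and `classify_token` are hypothetical, the EnvelopedData sample is constructed and carries only the outer header, and the raw token is the "Their encryption" value quoted above.

```python
import base64

# DER body of OID 1.2.840.113549.1.7.3 (PKCS#7 envelopedData).
ENVELOPED_DATA_OID = bytes.fromhex("2a864886f70d010703")
RSA_BLOCK_SIZES = (64, 128, 256, 384, 512)  # bytes, 512- to 4096-bit moduli

def read_tlv(buf, pos=0):
    """Parse one DER header at pos; return (tag, value_offset, value_length)."""
    if len(buf) < pos + 2:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        return tag, pos, first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < pos + n:
        raise ValueError("bad length encoding")
    return tag, pos + n, int.from_bytes(buf[pos:pos + n], "big")

def classify_token(query_value):
    """Classify a base64 token as it arrives in the URL query string."""
    # Undo transport damage: encoder line breaks, and '+' decoded as a space.
    text = query_value.replace("\r", "").replace("\n", "").replace(" ", "+")
    raw = base64.b64decode(text, validate=True)
    try:
        tag, start, length = read_tlv(raw)
        if tag != 0x30 or start + length != len(raw):
            raise ValueError("not one complete DER SEQUENCE")
        tag, oid_start, oid_len = read_tlv(raw, start)
        if tag == 0x06 and raw[oid_start:oid_start + oid_len] == ENVELOPED_DATA_OID:
            return "pkcs7-enveloped-data"
        return "other-der"
    except ValueError:
        pass                               # not DER; fall through to size check
    return "raw-rsa-block" if len(raw) in RSA_BLOCK_SIZES else "unknown"

# The "Their encryption" value quoted in the thread (172 base64 characters).
THEIR_TOKEN = (
    "KO5o9cjJiVKZgH7GMwHvSlPRBB8eR51y09gkZ0E/tSR9CQRzJxyocFwsd2sTiFBb"
    "g5qZ6iZRuBO6xceBT/sDPipezv1N0Y2dOpZ3GqKIu2sxNkpDyGCLWQhmHV+m8qzv"
    "gy3AevRQWI4qa1D5azZXyz4fqCPCXSFDEnuOVyt2ruU=")
# Constructed sample: only the outer shape of an EnvelopedData blob.
ENVELOPED_SAMPLE = base64.b64encode(
    b"\x30\x10\x06\x09" + ENVELOPED_DATA_OID + b"\xa0\x03\x02\x01\x00").decode()

if __name__ == "__main__":
    for name, token in (("theirs", THEIR_TOKEN), ("constructed", ENVELOPED_SAMPLE)):
        print(name, "->", classify_token(token))
```

A raw RSA block that happens to begin with byte 0x30 is still classified correctly, because the declared SEQUENCE length must cover the whole buffer.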


