OpenSSL decrypt error - Padding versus Raw

Problem description

I am receiving an encrypted file and its key from a partner. The Key has itself been encrypted using our Digital Certificate Public Key.

When I attempt to decrypt the key using the following and our private key, I get a padding error as shown below:

C:\openssl rsautl -decrypt -in xxxx_Key -inkey xxxxprivatekey.pem -hexdump -out aeskey.txt
Loading 'screen' into random state - done
RSA operation error
5612:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding er
ror:.\crypto\rsa\rsa_pk1.c:273:
5612:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\
crypto\rsa\rsa_eay.c:602:

If I add the -Raw switch to the decrypt, it appears to work but the resulting hexdump is WAY larger than I'm expecting. Can anyone offer advice as to what may be going on here? Thanks!

Recommended answer

My guess is that you are decrypting with the wrong private key or your ciphertext is corrupted.

In RSA, padding is used to extend the length of the message being encrypted to be the same size as the modulus (so 1024 bit RSA pads messages to 1024 bits). PKCS1 type 2 is (I believe) another name for PKCS#1 v1.5 which adds the padding 0x00 || 0x02 || (random bytes) || 0x00 to the start of the message. When decrypting the first check that is done is that the start of the message is 0x00 0x02. Then all bytes up to and including the second 0x00 are stripped off, yielding the original message. If the start is not 0x00 0x02 or there is no second 0x00 byte then there is a padding error.

If you ignore the padding check you most likely will get a message the same size as the RSA modulus since no padding is stripped off. Considering most RSA moduli are at least 1024 bit this will be much larger than an AES key.
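
The behaviour described in this answer, as an added example that is not part of the original question or answer and is not OpenSSL's code: a type 2 pad/unpad pair around textbook RSA, showing a damaged ciphertext failing the padding check while raw mode returns a full modulus-sized block. The key is a constructed, insecure toy key built from two Mersenne primes, and all function names are hypothetical.

```python
# Added illustration. Toy key from two Mersenne primes: constructed and insecure.
import os

P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus size in bytes: 141


def pad_type2(msg: bytes) -> bytes:
    """Build 0x00 || 0x02 || nonzero random bytes || 0x00 || msg, K bytes long."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))  # values 1..255
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_type2(block: bytes) -> bytes:
    """Padding check as the answer describes it (not constant-time)."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("padding check failed: block does not start with 00 02")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # -1 means no separator; below 10 means under 8 padding bytes
        raise ValueError("padding check failed: no valid 00 separator")
    return block[sep + 1:]


def encrypt(msg: bytes) -> bytes:
    return pow(int.from_bytes(pad_type2(msg), "big"), E, N).to_bytes(K, "big")


def decrypt(ct: bytes, raw: bool = False) -> bytes:
    block = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    return block if raw else unpad_type2(block)  # raw=True skips the check


def demo():
    aes_key = bytes(range(16))                    # constructed 128-bit key
    ct = encrypt(aes_key)
    damaged = ct[:-1] + bytes([ct[-1] ^ 1])       # one flipped bit
    try:
        outcome = decrypt(damaged).hex()
    except ValueError as exc:
        outcome = str(exc)
    return decrypt(ct), decrypt(ct, raw=True), outcome, decrypt(damaged, raw=True)


if __name__ == "__main__":
    key, raw_ok, outcome, raw_bad = demo()
    print(len(key), len(raw_ok), raw_ok[:2].hex(), outcome, len(raw_bad))
```

With the intact ciphertext the raw block is 141 bytes and still begins with 00 02; with the damaged one the raw block is the same size but carries no recoverable key, which matches the oversized hexdump in the question.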
