[CryptoAPI] Encryption in SHA256 format

Forge Component
Published on 3 Mar by Ricardo Silva
26 votes

Hello again,


I tested and cannot encrypt the way the authentication server expects.


Here is an excerpt from the PHP code that formats the password for submission. 

This way it works:


    $rsa = new Crypt_RSA();
    // OAEP padding with SHA-256 as both the OAEP hash and the MGF1 hash
    $rsa->setHash('sha256');
    $rsa->setMGFHash('sha256');
    $rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_OAEP);
    $rsa->setPrivateKeyFormat(CRYPT_RSA_PRIVATE_FORMAT_PKCS1);
    $rsa->setPublicKeyFormat(CRYPT_RSA_PUBLIC_FORMAT_PKCS1);
    // PUBLIC_KEY is the constant holding the public key
    $rsa->loadKey(PUBLIC_KEY);
    $EndKeyCript = $rsa->encrypt($password);

$EndKeyCript is the variable sent to the server.


How can I configure CryptoAPI to do something similar to what my code does?
Thank you!

I think the problem is your use of sha256 as the MGF hash.

Is that a requirement? I think my code currently supports using the default parameters for OAEP padding.


Yes, it's a requirement. Do you know how I could do this?

Hi Ricardo,

Talking with the staff that makes the web service available, I was informed that the requirements for the criteria are:

OAEP With SHA256 And MGF1 Padding


I'll attach the file I made. 

I cannot see where I'm going wrong.


Thank you for your help!

You're not doing anything wrong, the RSA_Encrypt method uses OAEP padding but with the default parameters, which I believe are with SHA1 hash, not SHA256.

The .NET API I'm using on that method does not seem to support parametrizing the OAEP hash, but there's another one which seems to allow it (RSACng). In order to move this along, you can either wait for me to look into this and properly include this capability on the CryptoAPI, which I can't promise to do in the next couple of days, or you can grab Integration Studio, get your hands dirty and override the implementation to do just what you need while you wait for the above capability.

Hello Thiago,

I have just published version 2.2 of CryptoAPI which now supports specifying the hash algorithm to use with OAEP padding in RSA encryption and decryption. Default is still SHA1.


All you need to do is pass on the argument "OAEPSHA256" to the new Padding parameter in the RSA_Encrypt and RSA_Decrypt actions.


Let me know if this allowed you to overcome the difficulties you were having.

Hello Ricardo,

I'm going to thank you. Thank you very much.
I believe the improvement will work, yes.
But the version of the platform that we acquired here in the company for our five environments is OutSystems 10. I tried to install the update, but even after downloading the .OAP file, I could not install it. Is there any limitation for the improvement to work also in version 10? Is there anything I can do? Tks!

Hello Thiago,

CryptoAPI 2.0 is only being developed for O11 and I have no plans to backport further changes to O10.

One thing you can do, which will net you some problems when you eventually upgrade to O11, is backport the changes to your environment yourself.

Hello Ricardo, 

Sorry for the long delay in answering here. So we're looking at the possibility of upgrading the platform to version 11. If it works out, the first thing I'm going to test is the encryption component. Thank you so far. Coming soon with news.