I am trying to import my PEM key into Google KMS (with HSM support). I have Google's guide on how to create it with openssl:
Wrap the key
Generate a temporary random AES key that is 32 bytes long.
openssl rand -out temp_aes_key.bin 32
Wrap the temporary AES key with the wrapping public key using CKM_RSA_PKCS_OAEP.
openssl rsautl -encrypt \
  -pubin -inkey wrap_pub_key.pub \
  -in temp_aes_key.bin \
  -out temp_aes_key_wrapped.bin \
  -oaep
Wrap the target key with the temporary AES key using CKM_AES_KEY_WRAP_PAD.
openssl enc -id-aes256-wrap-pad \
  -K $( hexdump -v -e '/1 "%02x"' < "temp_aes_key.bin" ) \
  -iv A65959A6 \
  -in my_key.pem \
  -out target_key_wrapped.bin
Note the use of -iv A65959A6 sets A65959A6 as the Alternate Initial Value as required by the RFC 5649 specification.
I have wrap_pub_key.pub and my_key.pem, where wrap_pub_key.pub:
-----BEGIN PUBLIC KEY-----
...........key...........
-----END PUBLIC KEY-----
How do I program these steps in Node.js with the crypto lib (without openssl)?
I think you are following this guide. I'm not familiar with Node.js; however, I found the following documentation that could be helpful.
I found the GitHub repo list of each language supported for the Cloud Platform services/APIs!
I think that you can start with these available examples.
If you need more details you can use these references:
Google KMS Node.js io Samples
KMS Node.js Client Library
Finally, I understand that when you import this kind of key you need to choose a key wrapping algorithm.
I hope you find this information helpful.
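The three openssl steps quoted in the question, written with Node's built-in crypto module. This is an added example, not code from the original posts or from Google's guide. The function names are hypothetical, SHA-1 is assumed as the OAEP hash because that is what `openssl rsautl -oaep` uses, and `unwrapLocally` exists only to check the result against a locally generated stand-in key pair.

```javascript
// Added example: the three openssl steps above, using only Node's built-in crypto.
const crypto = require('crypto');

// RFC 5649 Alternative Initial Value, the same bytes as `-iv A65959A6`.
const RFC5649_AIV = Buffer.from('A65959A6', 'hex');

// wrapPubKeyPem: contents of wrap_pub_key.pub; targetKey: Buffer read from my_key.pem.
function wrapForImport(wrapPubKeyPem, targetKey) {
  // Step 1: temporary random 32-byte AES key (openssl rand 32).
  const tempAesKey = crypto.randomBytes(32);
  try {
    // Step 2: CKM_RSA_PKCS_OAEP. `openssl rsautl -oaep` uses SHA-1, so pin it here.
    const wrappedAesKey = crypto.publicEncrypt(
      {
        key: wrapPubKeyPem,
        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
        oaepHash: 'sha1',
      },
      tempAesKey
    );
    // Step 3: CKM_AES_KEY_WRAP_PAD (RFC 5649). Pass the whole key in one update().
    const cipher = crypto.createCipheriv('id-aes256-wrap-pad', tempAesKey, RFC5649_AIV);
    const wrappedTargetKey = Buffer.concat([cipher.update(targetKey), cipher.final()]);
    return { wrappedAesKey, wrappedTargetKey };
  } finally {
    tempAesKey.fill(0); // the temporary key is not needed after wrapping
  }
}

// Local round-trip check only: in a real import the private key never leaves the HSM.
function unwrapLocally(privateKeyPem, { wrappedAesKey, wrappedTargetKey }) {
  const aesKey = crypto.privateDecrypt(
    { key: privateKeyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha1' },
    wrappedAesKey
  );
  const decipher = crypto.createDecipheriv('id-aes256-wrap-pad', aesKey, RFC5649_AIV);
  return Buffer.concat([decipher.update(wrappedTargetKey), decipher.final()]);
}
```

The two returned buffers correspond to temp_aes_key_wrapped.bin and target_key_wrapped.bin in the openssl version.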
Related
I'm trying to create a Postman pre-request script that will hash the request. I am able to use a bash script to do this using this command
SIG=$(echo -n ${CONTENT} | openssl dgst -sha1 -hmac ${PRIVATE_KEY} -binary | openssl enc -base64)
So far I have been unable to replicate this using CryptoJs to do the same, does anyone know how this can be done?
This is what I have tried
CryptoJS.HmacSHA1(CONTENT, pm.environment.get(PRIVATE_KEY)).toString(CryptoJS.enc.Base64)
I'm trying to use crypto.js with openssl, so I would like to encrypt a message with one of them and decrypt with the other.
I included crypto.js from here: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
I tried in js:
CryptoJS.AES.encrypt("This is a message", "secret").toString()
The result is:
"U2FsdGVkX1+BK06UxXoEdF5CkAhhxRPAN5r+XYLse/PSgtWI5e9BX3pkMBRpF6Te"
Then with openssl I do:
echo "U2FsdGVkX1+BK06UxXoEdF5CkAhhxRPAN5r+XYLse/PSgtWI5e9BX3pkMBRpF6Te" | openssl enc -d -a -aes-256-cbc -k "secret"
And I get this error:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140411423139136:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
��+|�W��ۿ��4~
I also tried to add option -pbkdf2 to the openssl command, but I get a similar result.
And I also tried the other way like this:
echo "This is a message" | openssl enc -e -a -aes-256-cbc -k "secret" -pbkdf2
I get this result:
U2FsdGVkX1/QYJ+ZdUeun6mZn2aS+XxpnCTE3/50wc46Tvc3+JJxq+1rR3nS+4cP
Then in js I do:
CryptoJS.AES.decrypt("U2FsdGVkX1/QYJ+ZdUeun6mZn2aS+XxpnCTE3/50wc46Tvc3+JJxq+1rR3nS+4cP", "secret").toString(CryptoJS.enc.Utf8)
And I get:
""
I also tried to remove option -pbkdf2 in openssl command but I get the same result.
I spent hours on this problem, trying to change the algorithm, size key, etc. without finding any solution. Stack overflow is my last hope.
Thanks in advance.
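Both tools in the question above write the same "Salted__" container but derive the AES key and IV from the passphrase differently: CryptoJS uses EVP_BytesToKey with MD5, while `openssl enc` since 1.1.0 defaults to SHA-256 for that derivation and switches to PBKDF2 when `-pbkdf2` is given. The following added example (not part of the original post; function names are hypothetical) parses the container in Node and decrypts under either derivation.

```javascript
// Added example: read the OpenSSL "Salted__" container under either key derivation.
const crypto = require('crypto');

// EVP_BytesToKey with MD5, one iteration: the derivation CryptoJS applies to a
// passphrase. Weak by current standards; implemented here for interoperability only.
function evpBytesToKeyMd5(passphrase, salt, length) {
  const pass = Buffer.from(passphrase, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < length) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pass, salt])).digest();
    out = Buffer.concat([out, block]);
  }
  return out.subarray(0, length);
}

// kdf: 'md5' (CryptoJS default) or 'pbkdf2' (`openssl enc -pbkdf2` defaults:
// PBKDF2-HMAC-SHA256, 10000 iterations).
function decryptSalted(base64Text, passphrase, kdf) {
  const raw = Buffer.from(base64Text, 'base64');
  // Layout: "Salted__" (8 bytes) | salt (8 bytes) | AES-256-CBC ciphertext.
  if (raw.length < 32 || raw.subarray(0, 8).toString('latin1') !== 'Salted__') {
    throw new Error('not an OpenSSL salted container');
  }
  const salt = raw.subarray(8, 16);
  // Both derivations produce 48 bytes: a 32-byte key followed by a 16-byte IV.
  const keyIv = kdf === 'pbkdf2'
    ? crypto.pbkdf2Sync(passphrase, salt, 10000, 48, 'sha256')
    : evpBytesToKeyMd5(passphrase, salt, 48);
  const decipher = crypto.createDecipheriv('aes-256-cbc', keyIv.subarray(0, 32), keyIv.subarray(32));
  return Buffer.concat([decipher.update(raw.subarray(16)), decipher.final()]).toString('utf8');
}

// The two ciphertexts from the question, both with passphrase "secret".
const FROM_CRYPTOJS = 'U2FsdGVkX1+BK06UxXoEdF5CkAhhxRPAN5r+XYLse/PSgtWI5e9BX3pkMBRpF6Te';
const FROM_OPENSSL_PBKDF2 = 'U2FsdGVkX1/QYJ+ZdUeun6mZn2aS+XxpnCTE3/50wc46Tvc3+JJxq+1rR3nS+4cP';
```

On the command line, the matching change is to decrypt the CryptoJS output with `-md md5` and without `-pbkdf2`.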
I'd like to parse the below certificate using nodeJS. It is a Hyperledger Fabric certificate using ECDSA. I've tried node-forge but it doesn't support ECC (https://github.com/digitalbazaar/forge/issues/116).
-----BEGIN CERTIFICATE-----
MIICKjCCAdCgAwIBAgIRANez5iZg7HjAPv3jEqpTzGgwCgYIKoZIzj0EAwIwczEL MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG cmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2Nh Lm9yZzEuZXhhbXBsZS5jb20wHhcNMjAwOTE1MTY1ODAwWhcNMzAwOTEzMTY1ODAw WjBrMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN U2FuIEZyYW5jaXNjbzEOMAwGA1UECxMFYWRtaW4xHzAdBgNVBAMMFkFkbWluQG9y ZzEuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARelGSQYlaf khorFSFeWLOjtxVsNlQB0sZBYhEVhqhqnEnJGxa4YJ+wLg6lc7ssYuJNrU1JGba7 lB3HZvHts9+Io00wSzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADArBgNV HSMEJDAigCDHGn/NTq1dt3sUaasmpGS+ZuklWO6uLS7KnJRPkOwwbzAKBggqhkjO PQQDAgNIADBFAiEA2gESuA96ivKNLqBj07gpk2akypZwFEBcgW8Fv36g4kMCIDtr kOkQzcVu4f8uIQqQj+3Gf232J5tFc1rB2WYPwZeL
-----END CERTIFICATE-----
There are several other libraries out there which you can use:
PKI.js
#ampretia/x509 (actually used in the fabric-sdk-node)
jsrsasign
to name a few.
I want to encrypt text with RSA using Public.pem and private.pem
I generated these files with openssl
openssl genrsa -out private.pem 2048
openssl rsa -pubout -in private.pem -out public.pem
I need to encrypt the text in javascript (I use this Library) only for encryption.
This text in base64 is sent to the server in C#. I use RSACryptoServiceProvider, but I only saw that it is possible to load the public key with:
RSAParameters RSAParams = RSA.ExportParameters(false);
RSAParams.Modulus = privateKey;
RSA.ImportParameters(RSAParams);
But I need to use my own private.pem file to decrypt my text and use it afterwards.
How can I do this?
I know there are a bunch of similar questions here but after hours of reading I cannot find a solution to mine. So:
I am trying to use jwk-to-pem for signing a JSON web token using jsonwebtoken. I have previously achieved this but now the same code does not work. After calling jwt.sign with the generated pem I get error:0906D06C:PEM routines:PEM_read_bio:no start line.
I know that common reasons would include wrong linebreaks like \r or generally wrong format. I actually even dug through the core nodejs code and found the line throwing this error.
Countless adjustments and attempts brought no solution. Specifically:
I made sure that all linebreaks are \n
I tried different strings for the first and last line, e.g. -----BEGIN PUBLIC KEY----- or -----BEGIN RSA PUBLIC KEY-----
I made sure that the last line contains a \n as last character
I tried to write the pem string to disk and re-reading it, using node's fs.
I compared the pem file to several other files with several editors e.g. using vi -b or regex.
I tried handing the raw file buffer with the pem content to jwt.sign as well as pem.toString('utf8') as well as every other string encoding supported by node
I tried to generate a random pem file using linux tools and give that to jwt.sign. Specifically: ssh-keygen -t rsa -b 2048 -f jwtRS256.key
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.pem
What am I missing here? What possible causes I did not think of can this have?
I found a very simple explanation: I was by mistake using the public instead of the private key. The error thrown by openssl/crypto is very misleading.
Using a private pem/key the signing works as expected.