Bad Padding Exception - RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING in pkcs11

Manish Sahni
Ranch Hand

Joined: Sep 09, 2009
Posts: 41

I have developed an application and am using the following keys for digital signatures, which were placed in a file path (directory) in the testing environment.

1) XXX.p12 file - for Digital signature.

2) XXX.p12 file - for decryption of XML response.

3) XXX.cer file - for encrypting the session keys, input XML, etc.

Since the files are on a particular file path location, the code is running fine. So in the pre-production environment we have procured the cryptographic token from a CA and imported the XXX.p12 file for testing of the same. I am successfully able to digitally sign the request. However, in case of decrypting the session key that is encrypted by the server using "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING", I am getting the error as:




My Testing Method is :-



I have found the issue is that the implementation of SunJCE's Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" is not compatible with other implementations (BouncyCastle/IAIK/PKCS11).

When setting AlgorithmParameters (with OAEPParameterSpec) an exception is thrown (javax.crypto.BadPaddingException).

Refer: Problems with Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING". Bug details: https://bugs.openjdk.java.net/browse/JDK-7038158?page=com.atlassian.jira.plugin.system.issuetabpanels%3aworklog-tabpanel

Is there any way that I can decrypt the data for RSA-OAEP padding?
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083

I have read your post several times and I'm thoroughly confused; what am I missing? I don't see how the testEncryption() method which uses "RSA/ECB/PKCS1Padding" has anything to do with "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING". Can you explain how the testEncryption() method relates to the problem you have?
Manish Sahni
Ranch Hand

Joined: Sep 09, 2009
Posts: 41

Sorry for the wrong version. Updated with the correct version as follows:


Manish Sahni wrote: I have developed an application and am using the following keys for digital signatures, which were placed in a file path (directory) in the testing environment.

1) XXX.p12 file - for Digital signature.

2) XXX.p12 file - for decryption of XML response.

3) XXX.cer file - for encrypting the session keys, input XML, etc.

Since the files are on a particular file path location, the code is running fine. So in the pre-production environment we have procured the cryptographic token from a CA and imported the XXX.p12 file for testing of the same. I am successfully able to digitally sign the request. However, in case of decrypting the session key that is encrypted by the server using "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING", I am getting the error as:




My Testing Method is :-



I have found the issue is that the implementation of SunJCE's Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" is not compatible with other implementations (BouncyCastle/IAIK/PKCS11).

When setting AlgorithmParameters (with OAEPParameterSpec) an exception is thrown (javax.crypto.BadPaddingException).

Refer: Problems with Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING". Bug details: https://bugs.openjdk.java.net/browse/JDK-7038158?page=com.atlassian.jira.plugin.system.issuetabpanels%3aworklog-tabpanel

Is there any way that I can decrypt the data for RSA-OAEP padding?
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083

Once again I don't understand! You encrypt using "OAEPWITHSHA-256ANDMGF1PADDING" and then decrypt using "PKCS1Padding" and wonder why you get a javax.crypto.BadPaddingException! Also, you say the problem is due to SunJCE's Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" but you are using bcProvider which presumably means BouncyCastle!

These inconsistencies make it difficult for anyone to take your problem seriously!

P.S. Did you look at the end of the bug report for a suggested way round the SunJCE provider bug?
Manish Sahni
Ranch Hand

Joined: Sep 09, 2009
Posts: 41

Whether the encryption scheme is using SunJCE or BC for the RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING transformation, my requirement is to decrypt the response coming from the server, and that too by accessing the key stored in the hard token.
Since I am using the SunPKCS11 provider, it does not provide the support for decrypting OAEP padding coming from the server end, hence I need to know: is it possible that I can decrypt the response with such a transformation in SunPKCS11?


Thanks



Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1083

The BUG report you cited refers to the SunJCE provider and not the SunPKCS11 provider, but since it is possible that the padding code is common to both, the BUG may be applicable. If you read to the end of the BUG report then you will see that a suggested workaround for dealing with the BUG is to decrypt with no padding and write code to remove the MGF1 padding. The specification for MGF1 padding is available in RFC 2437, which Google will find. As an alternative to coding MGF1 from scratch you could look at the Bouncy Castle source and extract the bits you need.




Manish Sahni
Ranch Hand

Joined: Sep 09, 2009
Posts: 41

Thanks for your response. BTW, SunPKCS11 does not support NoPadding in versions less than JDK 7, and only JDK 7 32-bit JRE (Windows environment) and 32/64-bit JDK 7 for Linux environment.

For such a transformation, OAEP padding removal becomes a mandate. I also do think that I need to remove it manually in the code itself after decryption.

RSAPadding.unpad might do the trick.

Thanks

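The workaround discussed in the last two posts (decrypt with NoPadding, then strip the OAEP encoding in code), as an added example that is not from the thread or from the JDK or Bouncy Castle sources. The class and method names are hypothetical and a generated software key stands in for the token key; the MGF1 hash is a separate parameter because SunJCE's transformation defaults to MGF1 over SHA-1 while Bouncy Castle uses SHA-256 for both hashes.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
public class OaepUnpad {
    // MGF1: Hash(seed || 4-byte big-endian counter) blocks, concatenated and cut to len.
    static byte[] mgf1(String hash, byte[] seed, int len) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance(hash);
        byte[] out = new byte[len];
        for (int counter = 0, off = 0; off < len; counter++, off += md.getDigestLength()) {
            md.update(seed);
            byte[] block = md.digest(ByteBuffer.allocate(4).putInt(counter).array());
            System.arraycopy(block, 0, out, off, Math.min(block.length, len - off));
        }
        return out;
    }
    // raw: output of the NoPadding private-key operation; k: modulus length in bytes.
    static byte[] unpad(byte[] raw, int k, String labelHash, String mgfHash)
            throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance(labelHash);
        int hLen = md.getDigestLength();
        if (raw.length > k || k < 2 * hLen + 2) throw new BadPaddingException("decryption error");
        byte[] em = new byte[k];             // some providers strip leading zero bytes
        System.arraycopy(raw, 0, em, k - raw.length, raw.length);
        byte[] seed = Arrays.copyOfRange(em, 1, 1 + hLen);
        byte[] db = Arrays.copyOfRange(em, 1 + hLen, k);
        byte[] seedMask = mgf1(mgfHash, db, hLen);
        for (int i = 0; i < hLen; i++) seed[i] ^= seedMask[i];
        byte[] dbMask = mgf1(mgfHash, seed, db.length);
        for (int i = 0; i < db.length; i++) db[i] ^= dbMask[i];
        byte[] lHash = md.digest();          // hash of the empty (default) label
        int bad = em[0], sep = -1;           // fold every check into one verdict
        for (int i = 0; i < hLen; i++) bad |= db[i] ^ lHash[i];
        for (int i = hLen; i < db.length && sep < 0; i++)
            if (db[i] == 1) sep = i; else bad |= db[i];
        // One generic error for every failure, so callers cannot tell which check failed.
        if (bad != 0 || sep < 0) throw new BadPaddingException("decryption error");
        return Arrays.copyOfRange(db, sep + 1, db.length);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();  // constructed software key, stands in for the token
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        Cipher dec = Cipher.getInstance("RSA/ECB/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        byte[] raw = dec.doFinal(enc.doFinal("session key".getBytes("UTF-8")));
        System.out.println(new String(unpad(raw, 256, "SHA-256", "SHA-1"), "UTF-8"));
    }
}
```

With a token, only the `dec` cipher changes: it is created on the PKCS#11 provider and initialised with the token's private key. Pass `"SHA-256"` as `mgfHash` when the sender encrypts with Bouncy Castle's defaults.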