Re: RSA encryption/signing needed

[Brad Stone <bvstone@xxxxxxxxx>]

Whenever I have to do something like this that is outside the scope of
RPG/SQL/etc I do it in Node web service.  I create a node web service to do
the work, then use GETURI to make a call to that server (still local to my
machine) and return the data I need.

The positive is it's a lot easier to do than trying to use a complicated
and confusing API.  The downside is it's another link in the chain that
could fail, and learning something new and keeping that node server up and
running can  be challenging (I like PM2).

So far it's worked out ok for the projects I have done it with.

On Fri, Jun 23, 2023 at 10:05 AM Luc De Groote <Degroote.luc@xxxxxxxxxx>
wrote:

> Hi,
>
> for a project with an external supplier I have to do some encryption. I
> received a java script as example.Have no knowledge of JS .
>
> We are trying to write this in RPG , but because we have no knowledge on
> crypto API's we get stuck.
>
> the js looks like
>
>         //Prepare RSA public key and encrypt details
>          console.log(this.publicKey);
>          let publicKey = forge.util.decode64(this.publicKey);
>          console.log(publicKey);
>          let rsaPublicKey = forge.pki.publicKeyFromPem(publicKey);
>          console.log(JSON.parse(JSON.stringify(rsaPublicKey)));
>          let keyString = rsaPublicKey.toLocaleString();
>          console.log(keyString);
>          let encryptedDetails = rsaPublicKey.encrypt(details, 'RSA-OAEP', {
>              md: forge.md.sha256.create()
>          });
>          console.log(encryptedDetails);
>          let encodedDetails = forge.util.encode64(encryptedDetails);
>          console.log(encodedDetails);
>
> The public key we receive looks like
>
> :LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUEzbm1YdUxRN0RGa2JlZC8rcGdBKwpqUGNPZ2pYaGxEaXVYRFVZNThBVGU0SDF3ZWxJalVBTTNyZkZsd3RVUVhXQ1NTeGtNb0NPK016V1pTblpOdFYxCm9BZnZ4a2t6MFErQkpUSENCTHpzMnpvUzlrMXM3cVZEbUJVdnV2VmVrZUZBUkkzV2lOeE52RTdWYTJWU1dqRjcKZ3hYTDBTVTFKUk8xTFJSb0N4WTI4dFFFcTg1bXVJUmpFQXNjLzRkL0hjY1NWUkRTaDFuQmNsMVVjZWxQVW9HZgpObjlCODBBZXJlMnBJYWRiQXVBSEZBZWc1WnUyb2haOGNXVHhKUUVJQlMwZFlyWWN6ZTZXdVBiRk9OYWpacXN6CnFqTWhLblV1bTV4Q1U2YXZRZUxJc0JoUlNkVEpBN09IVFJwemgvSlBuYzJUYXpxYlFVWVR0R1Iwb1BHRmQwaEIKSjZpMjAwdVgxSWcybURQZGRGd1EzZk1nYWxUSVcyeTNDMEhjR0JMbVQrUjVGZkh0c0dpanVTdG5zZTU3NFdSQQpUaDNFaURxSk03TXY4eWdVQUNSZWxaKzNlZEJoTnBWNFEwZS95aHp5ZGRvMFRQMmFDaExPb0dlQ0xEU3IxcTFRCnFJZnNjSWp2VGwvMVdoYVU2aXlYc0t3Yjl5SkJiNGpuQjBvVm5YS25SVzNRd1B1d1QzNG9oc2REZkV1dmwxWVMKU09CSDNRWHcxTWp1TjFXL251NkFtN1pobFdPM3ArNFlNMDdnVGFlcjNwTFljK1JnbnZ3V3IvL3IxenRSakhwUgo2UlZYS0ZDRW5SUWQzSUtDY01WM3RjQzFlU1RuOWh5Z0kybStoTC9abWpoeDIvdW04MXlYdWJnSERIUmNCZ3lPCnZpdVh4ZzI5VFZSSFZvM0FNZDArK2RFQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
>
> We are able to do the decode by using sql base64_decode:
>
> -----BEGIN PUBLIC KEY-----
> MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3nmXuLQ7DFkbed/+pgA+
> jPcOgjXhlDiuXDUY58ATe4H1welIjUAM3rfFlwtUQXWCSSxkMoCO+MzWZSnZNtV1
> oAfvxkkz0Q+BJTHCBLzs2zoS9k1s7qVDmBUvuvVekeFARI3WiNxNvE7Va2VSWjF7
> gxXL0SU1JRO1LRRoCxY28tQEq85muIRjEAsc/4d/HccSVRDSh1nBcl1UcelPUoGf
> Nn9B80Aere2pIadbAuAHFAeg5Zu2ohZ8cWTxJQEIBS0dYrYcze6WuPbFONajZqsz
> qjMhKnUum5xCU6avQeLIsBhRSdTJA7OHTRpzh/JPnc2TazqbQUYTtGR0oPGFd0hB
> J6i200uX1Ig2mDPddFwQ3fMgalTIW2y3C0HcGBLmT+R5FfHtsGijuStnse574WRA
> Th3EiDqJM7Mv8ygUACRelZ+3edBhNpV4Q0e/yhzyddo0TP2aChLOoGeCLDSr1q1Q
> qIfscIjvTl/1WhaU6iyXsKwb9yJBb4jnB0oVnXKnRW3QwPuwT34ohsdDfEuvl1YS
> SOBH3QXw1MjuN1W/nu6Am7ZhlWO3p+4YM07gTaer3pLYc+RgnvwWr//r1ztRjHpR
> 6RVXKFCEnRQd3IKCcMV3tcC1eSTn9hygI2m+hL/Zmjhx2/um81yXubgHDHRcBgyO
> viuXxg29TVRHVo3AMd0++dECAwEAAQ==
> -----END PUBLIC KEY-----
>
>  From what I understand from the js I need to encrypt my data with the
> given key and a signing hash SHA256
>
> I tried this with QC3CalculateSignature. Is this the API to use ?
>
> Always get error
>
> Message ID . . . . . . . . . : CPF9DDB
>
> Message file . . . . . . . . : QCPFMSG
>
>    Library  . . . . . . . . . : QSYS
>
> Message . . . . :   The key string or Diffie-Hellman parameter string is
> not
>
> valid.
>
> Cause . . . . . :   Either there is an error in the BER encoding or the BER
>
>    encoded string describes an object not valid for this operation.
>
> Recovery  . . . :   Correct the string and try the request again.
>
> my code :
>
>         Dcl-proc Sign_RSA_SHA_256 Export;
>
>         Dcl-pi Sign_RSA_SHA_256 varchar(65535);
>           Message varchar(65535) const;
>           MessageKey varchar(65535) const CCSID(*UTF8);
>           KeyInstance varchar(255) const;
>         end-pi;
>
>         Dcl-pr CalculateSignature ExtProc('Qc3CalculateSignature');
>           InputData        Like(#$$aBase.BigCharacter) options(*varsize);
>           InputDataLn      Like(#$$iBase.Integer);
>           InputDataFmt     Char(8);
>           Algorithm        Like(#$$aBase.BigCharacter) options(*varsize);
>           AlgorithmFmt     Char(8);
>           Key              Like(#$$aBase.BigCharacter) options(*varsize);
>           KeyFmt           Char(8);
>           SrvProvider      Like(#$$aBase.SingleCharacter);
>           DeviceName       Char(10);
>           SignatureData    Like(#$$aBase.BigCharacter) ;
>           SignatureDataSz  Like(#$$iBase.Integer);
>           SignatureDataLn  Like(#$$iBase.Integer);
>           API              Like(#$$aBase.Character) ;
>         End-pr;
>
>
>
>         dcl-s aInputData        Like(#$$aBase.BigCharacter);
>         dcl-s aInputDataFmt     Char(8) inz('DATA0100');
>         dcl-s iInputDataLn      Like(#$$iBase.Integer);
>
>         Dcl-ds dsAlgorithm Qualified inz;
>           Cipher Like(#$$iBase.Integer) inz(50);                   // RSA
>           PKABlockFormat Like(#$$aBase.SingleCharacter) inz('1');  // OAEP
> not available
>           Reserved    char(3) inz(X'000000');
>           SigningHash Like(#$$iBase.Integer) inz(3);               //
> SHA-256
>         End-ds;
>
>         dcl-s aAlgorithm Char(12);
>         dcl-s aAlgorithmFmt     Char(8) inz('ALGD0400');
>
>         Dcl-ds dsKey Qualified inz;
>           iKeyType   Like(#$$iBase.Integer) inz(51);      //RSA Private
> RSA public not allowe ???
>           iKeySz     Like(#$$iBase.Integer) inz(32);
>           aKeyFormat Like(#$$aBase.SingleCharacter) inz('1');
>           aReserved  char(3) inz;
>           aKeyString Like(#$$aBase.BigCharacter) inz ccsid(*UTF8);
>         end-ds;
>
>         Dcl-ds dsKey600 Qualified inz;
>           iPEMLength Like(#$$iBase.Integer) ;
>           aReserved  char(4) inz(X'00000000');
>           aPEMString Like(#$$aBase.BigCharacter) ccsid(*UTF8) inz;
>         end-ds;
>
>         dcl-ds dsApi likeds(#$dsApi) inz(*likeds);
>
>         dcl-s aKey              Like(#$$aBase.BigCharacter);
>         dcl-s aKeyFmt           Char(8) inz('KEYD0200');
>         dcl-s aSrvProvider      Like(#$$aBase.SingleCharacter) inz('0');
>         dcl-s aDeviceName       Char(10);
>         dcl-s aSignatureData      Like(#$$aBase.BigCharacter);
>         dcl-s iSignatureDataSz    Like(#$$iBase.Integer);
>         dcl-s iSignatureDataLn    Like(#$$iBase.Integer);
>         dcl-s aAPI              Like(#$$aBase.Character);
>
>         aInputData = Message;
>         iInputDataLn = %Len(Message);
>
>         aAlgorithm = dsAlgorithm;
>
>         If aKeyFMt = 'KEYD0200';
>         Reset dsKey;
>         dsKey.aKeyString = MessageKey;
>         dsKey.iKeySz = %len(MessageKey);
>         dsKey.aKeyString = aExtractPublicKey(MessageKey);
>         dsKey.iKeySz = %len(dsKey.aKeyString);
>         aKey = dskey;
>         Endif;
>
>         iSignatureDataSz = %Size(aSignatureData);
>
>         aApi = dsApi;
>
>         CalculateSignature(aInputData:
>                           iInputDataLn:
>                           aInputDataFmt:
>                           aAlgorithm:
>                           aAlgorithmFmt:
>                           aKey:
>                           aKeyFmt:
>                           aSrvProvider:
>                           aDeviceName:
>                           aSignatureData:
>                           iSignatureDataSz:
>                           iSignatureDataLn:
>                           aAPI);
>
>         dsApi = aApi;
>
>         If dsApi.iRtnLength = 0;
>           return %subst(aSignatureData:1:iSignatureDataLn);
>         endif;
>
>         return '';
>
>         End-proc;
>
> Any suggestions on what I have to do to get my key accepted ?
>
> Other question : is it possible to call a JS routine from RPG with in and
> output parameters ?
>
> Kind regards,
>
> Luc.
>
>
>
> --
> Dit e-mailbericht is met Avast-antivirussoftware gecontroleerd op virussen.
> www.avast.com
> --
> This is the RPG programming on IBM i (RPG400-L) mailing list
> To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
> or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at https://archive.midrange.com/rpg400-l.
>
> Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
> questions.