Re: RSA encryption/signing needed -- RPG400-L

Whenever I have to do something like this that is outside the scope of
RPG/SQL/etc I do it in Node web service. I create a node web service to do
the work, then use GETURI to make a call to that server (still local to my
machine) and return the data I need.

The positive is it's a lot easier to do than trying to use a complicated
and confusing API. The downside is it's another link in the chain that
could fail, and learning something new and keeping that node server up and
running can be challenging (I like PM2).

So far it's worked out ok for the projects I have done it with.

On Fri, Jun 23, 2023 at 10:05 AM Luc De Groote <Degroote.luc@xxxxxxxxxx>
wrote:

Hi,

for a project with an external supplier I have to do some encryption. I
received a java script as example.Have no knowledge of JS .

We are trying to write this in RPG , but because we have no knowledge on
crypto API's we get stuck.

the js looks like

//Prepare RSA public key and encrypt details
console.log(this.publicKey);
let publicKey = forge.util.decode64(this.publicKey);
console.log(publicKey);
let rsaPublicKey = forge.pki.publicKeyFromPem(publicKey);
console.log(JSON.parse(JSON.stringify(rsaPublicKey)));
let keyString = rsaPublicKey.toLocaleString();
console.log(keyString);
let encryptedDetails = rsaPublicKey.encrypt(details, 'RSA-OAEP', {
md: forge.md.sha256.create()
});
console.log(encryptedDetails);
let encodedDetails = forge.util.encode64(encryptedDetails);
console.log(encodedDetails);

The public key we receive looks like

:LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUEzbm1YdUxRN0RGa2JlZC8rcGdBKwpqUGNPZ2pYaGxEaXVYRFVZNThBVGU0SDF3ZWxJalVBTTNyZkZsd3RVUVhXQ1NTeGtNb0NPK016V1pTblpOdFYxCm9BZnZ4a2t6MFErQkpUSENCTHpzMnpvUzlrMXM3cVZEbUJVdnV2VmVrZUZBUkkzV2lOeE52RTdWYTJWU1dqRjcKZ3hYTDBTVTFKUk8xTFJSb0N4WTI4dFFFcTg1bXVJUmpFQXNjLzRkL0hjY1NWUkRTaDFuQmNsMVVjZWxQVW9HZgpObjlCODBBZXJlMnBJYWRiQXVBSEZBZWc1WnUyb2haOGNXVHhKUUVJQlMwZFlyWWN6ZTZXdVBiRk9OYWpacXN6CnFqTWhLblV1bTV4Q1U2YXZRZUxJc0JoUlNkVEpBN09IVFJwemgvSlBuYzJUYXpxYlFVWVR0R1Iwb1BHRmQwaEIKSjZpMjAwdVgxSWcybURQZGRGd1EzZk1nYWxUSVcyeTNDMEhjR0JMbVQrUjVGZkh0c0dpanVTdG5zZTU3NFdSQQpUaDNFaURxSk03TXY4eWdVQUNSZWxaKzNlZEJoTnBWNFEwZS95aHp5ZGRvMFRQMmFDaExPb0dlQ0xEU3IxcTFRCnFJZnNjSWp2VGwvMVdoYVU2aXlYc0t3Yjl5SkJiNGpuQjBvVm5YS25SVzNRd1B1d1QzNG9oc2REZkV1dmwxWVMKU09CSDNRWHcxTWp1TjFXL251NkFtN1pobFdPM3ArNFlNMDdnVGFlcjNwTFljK1JnbnZ3V3IvL3IxenRSakhwUgo2UlZYS0ZDRW5SUWQzSUtDY01WM3RjQzFlU1RuOWh5Z0kybStoTC9abWpoeDIvdW04MXlYdWJnSERIUmNCZ3lPCnZpdVh4ZzI5VFZSSFZvM0FNZDArK2RFQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=

We are able to do the decode by using sql base64_decode:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3nmXuLQ7DFkbed/+pgA+
jPcOgjXhlDiuXDUY58ATe4H1welIjUAM3rfFlwtUQXWCSSxkMoCO+MzWZSnZNtV1
oAfvxkkz0Q+BJTHCBLzs2zoS9k1s7qVDmBUvuvVekeFARI3WiNxNvE7Va2VSWjF7
gxXL0SU1JRO1LRRoCxY28tQEq85muIRjEAsc/4d/HccSVRDSh1nBcl1UcelPUoGf
Nn9B80Aere2pIadbAuAHFAeg5Zu2ohZ8cWTxJQEIBS0dYrYcze6WuPbFONajZqsz
qjMhKnUum5xCU6avQeLIsBhRSdTJA7OHTRpzh/JPnc2TazqbQUYTtGR0oPGFd0hB
J6i200uX1Ig2mDPddFwQ3fMgalTIW2y3C0HcGBLmT+R5FfHtsGijuStnse574WRA
Th3EiDqJM7Mv8ygUACRelZ+3edBhNpV4Q0e/yhzyddo0TP2aChLOoGeCLDSr1q1Q
qIfscIjvTl/1WhaU6iyXsKwb9yJBb4jnB0oVnXKnRW3QwPuwT34ohsdDfEuvl1YS
SOBH3QXw1MjuN1W/nu6Am7ZhlWO3p+4YM07gTaer3pLYc+RgnvwWr//r1ztRjHpR
6RVXKFCEnRQd3IKCcMV3tcC1eSTn9hygI2m+hL/Zmjhx2/um81yXubgHDHRcBgyO
viuXxg29TVRHVo3AMd0++dECAwEAAQ==
-----END PUBLIC KEY-----

From what I understand from the js I need to encrypt my data with the
given key and a signing hash SHA256

I tried this with QC3CalculateSignature. Is this the API to use ?

Always get error

Message ID . . . . . . . . . : CPF9DDB

Message file . . . . . . . . : QCPFMSG

Library . . . . . . . . . : QSYS

Message . . . . : The key string or Diffie-Hellman parameter string is
not

valid.

Cause . . . . . : Either there is an error in the BER encoding or the BER

encoded string describes an object not valid for this operation.

Recovery . . . : Correct the string and try the request again.

my code :

Dcl-proc Sign_RSA_SHA_256 Export;

Dcl-pi Sign_RSA_SHA_256 varchar(65535);
Message varchar(65535) const;
MessageKey varchar(65535) const CCSID(*UTF8);
KeyInstance varchar(255) const;
end-pi;

Dcl-pr CalculateSignature ExtProc('Qc3CalculateSignature');
InputData Like(#$$aBase.BigCharacter) options(*varsize);
InputDataLn Like(#$$iBase.Integer);
InputDataFmt Char(8);
Algorithm Like(#$$aBase.BigCharacter) options(*varsize);
AlgorithmFmt Char(8);
Key Like(#$$aBase.BigCharacter) options(*varsize);
KeyFmt Char(8);
SrvProvider Like(#$$aBase.SingleCharacter);
DeviceName Char(10);
SignatureData Like(#$$aBase.BigCharacter) ;
SignatureDataSz Like(#$$iBase.Integer);
SignatureDataLn Like(#$$iBase.Integer);
API Like(#$$aBase.Character) ;
End-pr;

dcl-s aInputData Like(#$$aBase.BigCharacter);
dcl-s aInputDataFmt Char(8) inz('DATA0100');
dcl-s iInputDataLn Like(#$$iBase.Integer);

Dcl-ds dsAlgorithm Qualified inz;
Cipher Like(#$$iBase.Integer) inz(50); // RSA
PKABlockFormat Like(#$$aBase.SingleCharacter) inz('1'); // OAEP
not available
Reserved char(3) inz(X'000000');
SigningHash Like(#$$iBase.Integer) inz(3); //
SHA-256
End-ds;

dcl-s aAlgorithm Char(12);
dcl-s aAlgorithmFmt Char(8) inz('ALGD0400');

Dcl-ds dsKey Qualified inz;
iKeyType Like(#$$iBase.Integer) inz(51); //RSA Private
RSA public not allowe ???
iKeySz Like(#$$iBase.Integer) inz(32);
aKeyFormat Like(#$$aBase.SingleCharacter) inz('1');
aReserved char(3) inz;
aKeyString Like(#$$aBase.BigCharacter) inz ccsid(*UTF8);
end-ds;

Dcl-ds dsKey600 Qualified inz;
iPEMLength Like(#$$iBase.Integer) ;
aReserved char(4) inz(X'00000000');
aPEMString Like(#$$aBase.BigCharacter) ccsid(*UTF8) inz;
end-ds;

dcl-ds dsApi likeds(#$dsApi) inz(*likeds);

dcl-s aKey Like(#$$aBase.BigCharacter);
dcl-s aKeyFmt Char(8) inz('KEYD0200');
dcl-s aSrvProvider Like(#$$aBase.SingleCharacter) inz('0');
dcl-s aDeviceName Char(10);
dcl-s aSignatureData Like(#$$aBase.BigCharacter);
dcl-s iSignatureDataSz Like(#$$iBase.Integer);
dcl-s iSignatureDataLn Like(#$$iBase.Integer);
dcl-s aAPI Like(#$$aBase.Character);

aInputData = Message;
iInputDataLn = %Len(Message);

aAlgorithm = dsAlgorithm;

If aKeyFMt = 'KEYD0200';
Reset dsKey;
dsKey.aKeyString = MessageKey;
dsKey.iKeySz = %len(MessageKey);
dsKey.aKeyString = aExtractPublicKey(MessageKey);
dsKey.iKeySz = %len(dsKey.aKeyString);
aKey = dskey;
Endif;

iSignatureDataSz = %Size(aSignatureData);

aApi = dsApi;

CalculateSignature(aInputData:
iInputDataLn:
aInputDataFmt:
aAlgorithm:
aAlgorithmFmt:
aKey:
aKeyFmt:
aSrvProvider:
aDeviceName:
aSignatureData:
iSignatureDataSz:
iSignatureDataLn:
aAPI);

dsApi = aApi;

If dsApi.iRtnLength = 0;
return %subst(aSignatureData:1:iSignatureDataLn);
endif;

return '';

End-proc;

Any suggestions on what I have to do to get my key accepted ?

Other question : is it possible to call a JS routine from RPG with in and
output parameters ?

Kind regards,

Luc.

--
Dit e-mailbericht is met Avast-antivirussoftware gecontroleerd op virussen.
www.avast.com
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.