dpj997991 2018-04-05 17:19
浏览 302
已采纳

RSA OAEP,Golang加密,Java Decrypt -BadPaddingException:解密错误

I'm trying to decrypt a string which is encrypted in Golang using RSA-OAEP. but getting BadPaddingException: Decryption error. Having hard time to figure out what am I missing..

Here is the Golang encrypt method

func encryptString() {
rootPEM := io_related.ReadFile("../../resources/pubkey.pem")
    //fmt.Printf("Cert String %q 
", rootPEM)

    block, _ := pem.Decode([]byte(rootPEM))
    var cert *x509.Certificate
    cert, _ = x509.ParseCertificate(block.Bytes)
    rsaPublicKey := cert.PublicKey.(*rsa.PublicKey)

    secretMessage := []byte("password")
    label := []byte("")

    // crypto/rand.Reader is a good source of entropy for randomizing the
    // encryption function.
    rng := rand.Reader

    ciphertext, err := rsa.EncryptOAEP(sha256.New(), rng, rsaPublicKey, secretMessage, label)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error from encryption: %s
", err)
        return
    }

    // Since encryption is a randomized function, ciphertext will be
    // different each time.

    base64EncodedString := base64.StdEncoding.EncodeToString(ciphertext)
    fmt.Println(base64EncodedString)
}

and my java decrypt method as

public void decryptString(String base64String) throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, UnrecoverableKeyException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{
        FileInputStream is = new FileInputStream("priv.p12");
        KeyStore keystore = KeyStore.getInstance("PKCS12");
        keystore.load(is, "".toCharArray());
        System.out.println("Successfully loaded");


        String keyAlias = "1";


        PrivateKey key = (PrivateKey)keystore.getKey(keyAlias, "".toCharArray());

        System.out.println("key "+Base64.encodeBase64String(key.getEncoded()));
        Cipher rsaDecryptCipher;
        rsaDecryptCipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
        rsaDecryptCipher.init(Cipher.DECRYPT_MODE, key);
        final byte[] plainText = rsaDecryptCipher.doFinal(Base64.decodeBase64(base64String));

        System.out.println("Plain   : " + new String(plainText));

    }
  1. I made sure I'm using the same key pair and not a different private key
  2. Made sure hash algorithm used same in both encrypt and decrypt "SHA256"

I might be missing something, Please let me know if anyone need more details. Appreciate the help!!. Thanks

  • 写回答

1条回答 默认 最新

  • dsjpqpdm620596 2018-04-05 23:46
    关注

    OAEP uses two hash algorithms: one on the label (fka parameters) and one within the Mask Generation Function (MGF1); these can be different. See 7.1.1 and B.2.1 in rfc8017.

    I don't know whether that Go code sets one (and which) or both, but what Java does with that getInstance varies depending on which provider you are using, which in turn depends at least partly on what implementation of Java you are using. The SunJCE provider configured by default in Sun/Oracle and OpenJDK implementations changes only the label hash, keeping MGF1 at SHA1; the BouncyCastle provider changes both. I don't know what IBM and Android do here.

    Once you determine (or guess) what Go is doing you can match it by adding to your .init call an appropriate OAEPParameterSpec and related MGF1ParameterSpec.

    Mostly dupe OAEPwithMD5andMGF1Padding in node-rsa
    and breaking down RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
    (copied at https://security.stackexchange.com/questions/97548/breaking-down-rsa-ecb-oaepwithsha-256andmgf1padding )

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?