6

The data decryption will run in JAVA using RSA/ECB/OAEPWithSHA-256AndMGF1Padding algorithm. So I have to encrypt the data with public key using the algorithm equivalent to RSA/ECB/OAEPWithSHA-256AndMGF1Padding in node.js.

I tried with crypto.publicEncrypt(key, buffer) which uses crypto.constants.RSA_PKCS1_OAEP_PADDING which is not similar to the above algorithm. So I need algorithm equivalent to "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" or how to achieve the same in node.js

tim
  • 303
  • 4
  • 14
  • And what is your question? – LLJ97 Dec 18 '18 at 14:22
  • I didn't find any documentation on what hash functions node uses for OAEP. This means it 1) likely uses SHA1 for both the MGF1 hash and the constant hash, and 2) there is no way to change it. You'll have to modify your Java to use SHA1. – President James K. Polk Dec 18 '18 at 15:36
  • @JamesKPolk+ according to https://stackoverflow.com/questions/35544547/encrypting-using-node-forge-and-decrypting-using-python-with-rsa-oaep and https://stackoverflow.com/questions/33532091/rsa-crypto-between-node-js-and-webcrypto node-forge (instead of node-crypto) can select OAEP hashes. OP: what provider are you using in Java, or are you using `OAEPParameterSpec`? IIRC the Suncle/Open provider and the BouncyCastle provider default 'MGF1with$hash' differently. – dave_thompson_085 Dec 18 '18 at 21:46
  • @dave_thompson_085: Thanks, that is good information. In [this](https://stackoverflow.com/a/50299291/238704) answer my conclusion was the Bouncycastle uses the hash alg specified in the transformation string for both hashes while Suncle uses the specified hash for the constant and always use SHA1 for the MGF1 hash. – President James K. Polk Dec 19 '18 at 00:01

2 Answers2

8

I finally found the answer. Equivalent to "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" can be achieved via node-forge npm module. https://www.npmjs.com/package/node-forge#rsa

    // encrypt data with a public key using RSAES-OAEP/SHA-256/MGF1-SHA-1
// compatible with Java's RSA/ECB/OAEPWithSHA-256AndMGF1Padding
var encrypted = publicKey.encrypt(bytes, 'RSA-OAEP', {
  md: forge.md.sha256.create(),
  mgf1: {
    md: forge.md.sha256.create()
  }
});

Thank you

tim
  • 303
  • 4
  • 14
  • 1
    Thanks!!. For `RSA/ECB/OAEPWithSHA-1AndMGF1Padding` i tried it without the `md` and `mgf1` and it works!. – Alejandro Barone Aug 26 '19 at 13:37
  • 2
    Isn't there a typo here? Shouldn't the `md` of `mgf1` be `forge.md.sha1.create()` to fit the comment above? – JHH Mar 17 '20 at 09:24
-3

Firstly, you shouldn't use "ECB" mode cipher, because:

  1. ECB is a block cipher mode, RSA isn't an algorithm based on that mode of operation.
  2. If you use an algorithm based on that mode of operation (for example AES), you shouldn't use ECB, because it doesn't have IV (Initialization Vector), so it's insecure and a crypto analyzer could break the cipher. You could use CBC, it has IV, or GCM, if you want to share sensitive information to external systems and prevent Oracle Padding. I recommend you visit the following link:

MSC61-J. Do not use insecure or weak cryptographic algorithms

So, in this case, you just need to use OAEP for RSA encryption, because it's a padding scheme and it helpts to prevent Oracle Padding for asymetric algorithms, then change your code for: RSA/None/OAEPWithSHA-256AndMGF1Padding. Maybe, you could get compatibility with Node.js. Also, I recommend you visit the official web site:

JCA Reference Guide

I hope this information helps you.

Good luck.

hmrojas.p
  • 562
  • 1
  • 5
  • 15
  • 3
    As the JCA page you link (and also its non-obsolete versions) says, Java/JCA uses the syntax `algorithm/mode/padding` for Cipher even when the algorithm does not use modes, like RSA (as you correctly say), so the Suncle provider (SunJCE) requires 'ECB' as a placeholder which really means 'no mode'. BouncyCastle allows either 'ECB' or 'NONE' (case-insensitive, like most names in JCA). – dave_thompson_085 Dec 18 '18 at 21:43