Bug #65193 openssl_private_encrypt OAEP only works AFTER PKCS1
Submitted: 2013-07-03 15:04 UTC Modified: 2013-07-03 17:24 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: lynch@php.net Assigned:
Status: Not a bug Package: OpenSSL related
PHP Version: 5.4.11 OS: CentOS 2.6.18
Private report: No CVE-ID: None
 [2013-07-03 15:04 UTC] lynch@php.net
Description:
------------
A call to openssl_private_encrypt(..., OPENSSL_PKCS1_OAEP_PADDING) fails
unless you call it AFTER openssl_private_encrypt(..., OPENSSL_PKCS1_PADDING)


Test script:
---------------
<?php
$private_key_text = file_get_contents('private.pem');
$decrypted_message = 'test message'; // constructed sample plaintext; the report does not define this variable

// Return values are not checked and $encrypted_message is reused across all three calls.
openssl_private_encrypt($decrypted_message, $encrypted_message, $private_key_text, OPENSSL_PKCS1_OAEP_PADDING);
echo "PKCS1_OAEP fails:\n";
var_dump(base64_encode($encrypted_message));
echo "\n";


openssl_private_encrypt($decrypted_message, $encrypted_message, $private_key_text, OPENSSL_PKCS1_PADDING);
echo "PKCS1 works:\n";
var_dump(base64_encode($encrypted_message));
echo "\n";


// $encrypted_message still holds the output of the PKCS1 call above.
openssl_private_encrypt($decrypted_message, $encrypted_message, $private_key_text, OPENSSL_PKCS1_OAEP_PADDING);
echo "PKCS1_OAEP works only AFTER PKCS1:\n";
var_dump(base64_encode($encrypted_message));
echo "\n";



Expected result:
----------------
All three outputs the same.

Actual result:
--------------
First output is blank string.

 [2013-07-03 15:09 UTC] lynch@php.net
-PHP Version: 5.3.26 +PHP Version: 5.4.11
 [2013-07-03 15:09 UTC] lynch@php.net
The PHP Version popup in report form was in a time warp... Corrected here.

OpenSSL version: 0.9.8b

Actual output:

PKCS1_OAEP fails:
string(0) ""

PKCS1 works:
string(172) "gVJcDQJnKJG7PX3+axZMyjph5xi3TFMLWXY2OLD4d62YYhlAmCUnr+WQP/F6//ykx3L/rXS7zfjXFPoyzn5v7dwysM107fS0tXwzngZ1fRjH5iU+1Dv4TJf4dXRZXzYKClDSSiQ0ZrmoGhVo5wx3PY61mEkBLNbS5IvZ75rCLSo="

PKCS1_OAEP works only AFTER PKCS1:
string(172) "gVJcDQJnKJG7PX3+axZMyjph5xi3TFMLWXY2OLD4d62YYhlAmCUnr+WQP/F6//ykx3L/rXS7zfjXFPoyzn5v7dwysM107fS0tXwzngZ1fRjH5iU+1Dv4TJf4dXRZXzYKClDSSiQ0ZrmoGhVo5wx3PY61mEkBLNbS5IvZ75rCLSo="
 [2013-07-03 17:03 UTC] felipe@php.net
It looks like an issue in the OpenSSL library.
According to http://openssl.6102.n7.nabble.com/Proplem-with-RSA-private-encrypt-and-OAEP-td45517.html RSA_PKCS1_OAEP_PADDING is not intended to be used with RSA_private_encrypt() function. Probably the lib is ignoring the padding passed after you set a right one.
 [2013-07-03 17:24 UTC] felipe@php.net
-Status: Open +Status: Not a bug
 [2013-07-03 17:24 UTC] felipe@php.net
Just read the code again: the problem is that the 3rd try fails, but the extension does not clean the $encrypted_message string, causing a false positive for you. Just clean the variable before calling the function again.
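
Added example (not part of the original report, and not PHP project code): the same three calls with the return value checked and a fresh output variable on every call, so a failed call cannot show the previous ciphertext, followed by OAEP used in the public-encrypt/private-decrypt direction. The helper name private_encrypt_checked(), the in-process key and the sample plaintext are assumptions made for this example.

```php
<?php
// Added example, not code from the report. Key and plaintext are constructed here.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($key === false) {
    exit('key generation failed: ' . openssl_error_string() . "\n");
}
$public_pem = openssl_pkey_get_details($key)['key'];
$plaintext  = 'constructed sample message';

// Hypothetical helper: uses its own output variable on every call and
// reports failure instead of returning whatever was there before.
function private_encrypt_checked(string $data, $key, int $padding): ?string
{
    while (openssl_error_string() !== false) {
        // drain stale entries from the OpenSSL error queue
    }
    $out = null;
    if (!openssl_private_encrypt($data, $out, $key, $padding)) {
        error_log('openssl_private_encrypt failed: ' . openssl_error_string());
        return null;
    }
    return $out;
}

$attempts = [
    'OAEP first'       => OPENSSL_PKCS1_OAEP_PADDING,
    'PKCS1'            => OPENSSL_PKCS1_PADDING,
    'OAEP after PKCS1' => OPENSSL_PKCS1_OAEP_PADDING,
];
foreach ($attempts as $label => $padding) {
    $result = private_encrypt_checked($plaintext, $key, $padding);
    echo $label, ': ', $result === null ? 'FAILED' : base64_encode($result), "\n";
}

// OAEP is an encryption padding: encrypt with the public key, decrypt with the private key.
$ciphertext = $recovered = null;
if (openssl_public_encrypt($plaintext, $ciphertext, $public_pem, OPENSSL_PKCS1_OAEP_PADDING)
    && openssl_private_decrypt($ciphertext, $recovered, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
    echo 'OAEP public-encrypt/private-decrypt round trip: ',
        $recovered === $plaintext ? 'ok' : 'mismatch', "\n";
} else {
    echo 'OAEP round trip failed: ', openssl_error_string(), "\n";
}
```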
 
Last updated: Mon Dec 05 18:03:43 2022 UTC