Hello,
I'm working with an ERP system built in RPG and due to legal requirements we must now generate, via OpenSSL, a key for each sales invoice produced in the system and store in in the database.
Anyone had experience with this and what would be the best approach?
thanks
Nuno
Topic
-
Re: RPG and OpenSSL
2010-10-25T17:54:17ZThis is the accepted answer. This is the accepted answer.
I haven't done this with OpenSSL in RPG -- I find it more elegant to use the IBM APIs to do the same thing.
But, at the same time, I don't see why using OpenSSL couldn't be done. Just call the OpenSSL command-line tool via PASE, read back the results into your RPG program, and put it into the database.
Can you explain where you're stuck? -
Re: RPG and OpenSSL
2010-10-25T21:35:52ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-10-25T17:54:17Z
I haven't done this with OpenSSL in RPG -- I find it more elegant to use the IBM APIs to do the same thing.
But, at the same time, I don't see why using OpenSSL couldn't be done. Just call the OpenSSL command-line tool via PASE, read back the results into your RPG program, and put it into the database.
Can you explain where you're stuck?
But, really what we have to do is generate hashes for each invoice via a RSA encryption with a given private key, is there any iSeries API that provides RSA encryption?
thanks
Nuno -
Re: RPG and OpenSSL
2010-10-27T17:51:21ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-10-25T21:35:52Z
OpenSSL is the prefered method suggested by tax authority and I never used OpenSSL in iSeries, do you have any example?
But, really what we have to do is generate hashes for each invoice via a RSA encryption with a given private key, is there any iSeries API that provides RSA encryption?
thanks
Nuno
> OpenSSL is the prefered method suggested by tax authority and I never used OpenSSL in iSeries, do you have any example?
Can you be more specific? There are thousands and thousands of things that you can do in OpenSSL. If you can provide the command-line for openssl that you'd use on a Linux or Windows machine, I can tell you how to run it on IBM i.
>
> But, really what we have to do is generate hashes for each invoice via a RSA
> encryption with a given private key, is there any iSeries API that provides RSA
> encryption?
>
Sure. But, handling this with OpenSSL is probably easier. Again, see if you can get an example of how to do the openssl logic on another platform, and then maybe I can show you how to do the same on IBM i. -
Re: RPG and OpenSSL
2010-10-28T08:33:07ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-10-27T17:51:21Z
> 9USU_Nuno_Carriço wrote:
> OpenSSL is the prefered method suggested by tax authority and I never used OpenSSL in iSeries, do you have any example?
Can you be more specific? There are thousands and thousands of things that you can do in OpenSSL. If you can provide the command-line for openssl that you'd use on a Linux or Windows machine, I can tell you how to run it on IBM i.
>
> But, really what we have to do is generate hashes for each invoice via a RSA
> encryption with a given private key, is there any iSeries API that provides RSA
> encryption?
>
Sure. But, handling this with OpenSSL is probably easier. Again, see if you can get an example of how to do the openssl logic on another platform, and then maybe I can show you how to do the same on IBM i.
Details for the RSA hash generation:
Format = x.509
Charset = UTF-8
Encoding = Base-64
Endianess = Little Endian
OAEP Padding = PKCS1 v1.5 padding
Private Key Size = 1024 bytes
Message Has Format = SHA-1
In OpenSSL I do the following as an example:
cmd> echo "2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; " | openssl dgst -sha1 -sign privatekey.pem | openssl enc -base64
Thanks for your help.
Nuno -
Re: RPG and OpenSSL
2010-10-28T21:31:55ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-10-28T08:33:07Z
Hi Scott,
Details for the RSA hash generation:
Format = x.509
Charset = UTF-8
Encoding = Base-64
Endianess = Little Endian
OAEP Padding = PKCS1 v1.5 padding
Private Key Size = 1024 bytes
Message Has Format = SHA-1
In OpenSSL I do the following as an example:
cmd> echo "2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; " | openssl dgst -sha1 -sign privatekey.pem | openssl enc -base64
Thanks for your help.
Nuno
PGM DCL VAR(&INPUT) TYPE(*CHAR) LEN(48) + VALUE( '2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; ') DCL VAR(&RESULT) TYPE(*CHAR) LEN(172) DLTDTAARA SHA1OUTPUT MONMSG CPF2105 CRTDTAARA DTAARA(SHA1OUTPUT) TYPE(*CHAR) LEN(172) ADDENVVAR ENVVAR(TESTME) VALUE(&INPUT) REPLACE(*YES) ADDENVVAR ENVVAR(KEYFILE) REPLACE(*YES) + VALUE( '/home/klemscot/server.key') QSH CMD( 'PATH=$PATH:/QOpenSys/usr/bin && + echo "$TESTME" | + openssl dgst -sha1 -sign "$KEYFILE" | + openssl enc -base64 | + tr -d ''\n '' | + datarea -wl sha1output ') RTVDTAARA DTAARA(SHA1OUTPUT) RTNVAR(&RESULT) SNDUSRMSG MSG( 'Result is =' *BCAT &RESULT) ENDPGM
-
Re: RPG and OpenSSL
2010-10-29T15:32:57ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-10-28T21:31:55Z
couldn't you just do something like this?
<pre class="jive-pre">PGM DCL VAR(&INPUT) TYPE(*CHAR) LEN(48) + VALUE( '2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; ') DCL VAR(&RESULT) TYPE(*CHAR) LEN(172) DLTDTAARA SHA1OUTPUT MONMSG CPF2105 CRTDTAARA DTAARA(SHA1OUTPUT) TYPE(*CHAR) LEN(172) ADDENVVAR ENVVAR(TESTME) VALUE(&INPUT) REPLACE(*YES) ADDENVVAR ENVVAR(KEYFILE) REPLACE(*YES) + VALUE( '/home/klemscot/server.key') QSH CMD( 'PATH=$PATH:/QOpenSys/usr/bin && + echo "$TESTME" | + openssl dgst -sha1 -sign "$KEYFILE" | + openssl enc -base64 | + tr -d ''\n '' | + datarea -wl sha1output ') RTVDTAARA DTAARA(SHA1OUTPUT) RTNVAR(&RESULT) SNDUSRMSG MSG( 'Result is =' *BCAT &RESULT) ENDPGM
</pre>
To do that you must have product 5733SC1 installed right?
I'm trying also to use Qc3EncryptData API but no sucess until now:)
thanks
Nuno -
Re: RPG and OpenSSL
2010-11-01T17:34:59ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-10-29T15:32:57Z
Hi Scott,
To do that you must have product 5733SC1 installed right?
I'm trying also to use Qc3EncryptData API but no sucess until now:)
thanks
Nuno -
Re: RPG and OpenSSL
2010-11-02T17:22:09ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-11-01T17:34:59Z
Yep, 5733SC1 contains OpenSSL, so you can't use OpenSSL without it. You also need PASE and QShell to use my example.
I already got the openssl to work, thanks for the input.
But I think on your example:
QSH CMD('PATH=$PATH:/QOpenSys/usr/bin && +
echo "$TESTME" | +
openssl dgst -sha1 -sign "$KEYFILE" | +
openssl enc -base64 | +
tr -d ''\n'' | +
datarea -wl sha1output')
it is encrypting the string "$TESTEME" and not the value of the env. variable $TESTEME, no?
regards
Nuno -
Re: RPG and OpenSSL
2010-11-02T18:13:40ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-11-02T17:22:09Z
Hi Scott,
I already got the openssl to work, thanks for the input.
But I think on your example:
QSH CMD('PATH=$PATH:/QOpenSys/usr/bin && +
echo "$TESTME" | +
openssl dgst -sha1 -sign "$KEYFILE" | +
openssl enc -base64 | +
tr -d ''\n'' | +
datarea -wl sha1output')
it is encrypting the string "$TESTEME" and not the value of the env. variable $TESTEME, no?
regards
Nuno
ChavePrivada.pem is the private key file
input.txt is a text file where i put the text to be excrypted, in this case "EXAMPLE" with no quotes.
so in qshell I type
/QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem input.txt | /QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''
I get the result:
EPSO9dOOkekaI9SXIFYLf+vzBITtsBZbT/LKxFzs08Owf57vra43kym2ughLN/l3PRY1L2igSD11S
RFZbf49VDUbDdva5Yuwy1Wh9Xfu7R4q5EitLu5gmUGo8CFN+FGjSRNVC1eHfyRGESF7hgOrotfJ18
but if I run the program with same values or type in qshell I get the same wrong result:
ECHO EXAMPLE | /QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem |
/QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''
I get:
CaXuLyIQP8egLMcEJTCtgBZ/BSg8cmcHeYiJetsRBegT4pWK7dtc8pdHK0VmuWw8pkgwyu3Im9Soo
yceAiCfiE5X/vzFpaUBrx7jlYchd6PDOdHhUjxCX8DxI+Ushi5yBHsoXsvwpHxHzapGMd66DlBIpe
that is wrong, I tried with or without quotes, do you have any idea what might be the problem? -
Re: RPG and OpenSSL
2010-11-03T15:08:20ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-11-02T18:13:40Z
I think I found the problem:
ChavePrivada.pem is the private key file
input.txt is a text file where i put the text to be excrypted, in this case "EXAMPLE" with no quotes.
so in qshell I type
/QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem input.txt | /QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''
I get the result:
EPSO9dOOkekaI9SXIFYLf+vzBITtsBZbT/LKxFzs08Owf57vra43kym2ughLN/l3PRY1L2igSD11S
RFZbf49VDUbDdva5Yuwy1Wh9Xfu7R4q5EitLu5gmUGo8CFN+FGjSRNVC1eHfyRGESF7hgOrotfJ18
but if I run the program with same values or type in qshell I get the same wrong result:
ECHO EXAMPLE | /QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem |
/QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''
I get:
CaXuLyIQP8egLMcEJTCtgBZ/BSg8cmcHeYiJetsRBegT4pWK7dtc8pdHK0VmuWw8pkgwyu3Im9Soo
yceAiCfiE5X/vzFpaUBrx7jlYchd6PDOdHhUjxCX8DxI+Ushi5yBHsoXsvwpHxHzapGMd66DlBIpe
that is wrong, I tried with or without quotes, do you have any idea what might be the problem?
How do you know which is right and which is wrong? -
Re: RPG and OpenSSL
2010-11-03T17:19:21ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-11-03T15:08:20Z
You say that you get the "same wrong result", but the two results look different to me. Is one of these examples right, and the other one wrong? Or are they both wrong, but different?
How do you know which is right and which is wrong?
Found the problem, you can't do it with "echo", if we use "print -nr" it works fine!
thanks for your help
Nuno -
Re: RPG and OpenSSL
2010-11-04T16:22:53ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-11-03T17:19:21Z
I have a program issued by tax authority that validates the hash against the invoice number/date/value and public key, eg the string used to generate the hash.
Found the problem, you can't do it with "echo", if we use "print -nr" it works fine!
thanks for your help
Nuno
But if echo was the problem (perhaps because it adds a newline) then the one where you read the data from a file should've solved the problem? But you said it didn't. -
Re: RPG and OpenSSL
2010-11-04T18:14:45ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-11-04T16:22:53Z
The only reason I used 'echo' is because I was copying the example you posted. You say "this is what I want to do", and showed the use of the 'echo' command.
But if echo was the problem (perhaps because it adds a newline) then the one where you read the data from a file should've solved the problem? But you said it didn't.
QSH CMD('PATH=$PATH:$PATH/QOpenSys/usr/bin && +
print -nr "$TESTME"| openssl dgst -sha1 -sign +
"$KEYFILE" | openssl enc -base64 -A | tr +
-d ''\n'' | datarea -wl sha1output')
once again thanks!
Nuno -
Re: RPG and OpenSSL
2010-11-08T15:09:29ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-11-04T18:14:45Z
Yes, reading the data from the file works with echo, here is how it is working:
QSH CMD('PATH=$PATH:$PATH/QOpenSys/usr/bin && +
print -nr "$TESTME"| openssl dgst -sha1 -sign +
"$KEYFILE" | openssl enc -base64 -A | tr +
-d ''\n'' | datarea -wl sha1output')
once again thanks!
Nuno
(we are both doing the same work in order to certify our program...)
Have you tryed to execute that command in a CL program?
When I do it, it gets different results that when used in the command line.
Regards -
Re: RPG and OpenSSL
2010-11-08T16:46:57ZThis is the accepted answer. This is the accepted answer.
- RuiCardoso
- 2010-11-08T15:09:29Z
Hi Nuno,
(we are both doing the same work in order to certify our program...)
Have you tryed to execute that command in a CL program?
When I do it, it gets different results that when used in the command line.
Regards
Yes, i got it working now.
drop me an email if you want some help ncarrico (at) glintt (dot) com
regards
Nuno -
Re: RPG and OpenSSL
2010-11-08T19:39:50ZThis is the accepted answer. This is the accepted answer.
- RuiCardoso
- 2010-11-08T15:09:29Z
Hi Nuno,
(we are both doing the same work in order to certify our program...)
Have you tryed to execute that command in a CL program?
When I do it, it gets different results that when used in the command line.
Regards
RuiCardoso also sent me an e-mail showing me an interactive session vs. a CL program, and showing that they were different -- but Rui's CL program didn't run the same commands as the interactive job, and I suspect that's the problem.
You folks might also be interested in the solution that I posted at the following link, since it's something that will work in multiple simultaneous jobs, plus it does more error handling:
http://forums.systeminetwork.com/isnetforums/showthread.php?t=114941 -
Re: RPG and OpenSSL
2010-11-09T07:26:32ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-11-08T19:39:50Z
I get the same result when I run this interactively or when I run it from a CL program.
RuiCardoso also sent me an e-mail showing me an interactive session vs. a CL program, and showing that they were different -- but Rui's CL program didn't run the same commands as the interactive job, and I suspect that's the problem.
You folks might also be interested in the solution that I posted at the following link, since it's something that will work in multiple simultaneous jobs, plus it does more error handling:
http://forums.systeminetwork.com/isnetforums/showthread.php?t=114941
As Scott said to me, I was converting data twice...
Now it's working ok.
Thanks -
Re: RPG and OpenSSL
2010-11-09T07:26:44ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-11-08T19:39:50Z
I get the same result when I run this interactively or when I run it from a CL program.
RuiCardoso also sent me an e-mail showing me an interactive session vs. a CL program, and showing that they were different -- but Rui's CL program didn't run the same commands as the interactive job, and I suspect that's the problem.
You folks might also be interested in the solution that I posted at the following link, since it's something that will work in multiple simultaneous jobs, plus it does more error handling:
http://forums.systeminetwork.com/isnetforums/showthread.php?t=114941
As Scott said to me, I was converting data twice...
Now it's working ok.
Thanks -
Re: RPG and OpenSSL
2010-11-09T14:46:23ZThis is the accepted answer. This is the accepted answer.
- RuiCardoso
- 2010-11-09T07:26:44Z
Yes, my CL was wrong.
As Scott said to me, I was converting data twice...
Now it's working ok.
Thanks
Or should we store it encrypted in a physical file?
regards
Nuno -
Re: RPG and OpenSSL
2010-11-09T16:59:39ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-11-09T14:46:23Z
Following the conversation what would be the best way to protect the privacy of the private key file as it is in the IFS?
Or should we store it encrypted in a physical file?
regards
Nuno
If you encrypt it, then you're going to need to store another key that's used to decrypt the first key, and you'll face the same problem with the second key that you faced with the first one... how to protect it. Eventually, you'll either end up with a passphrase typed by the user (used as a weak encryption key) or you'll end up with object-level security. And if you need to sign documents that are created in batch, or you need many users to access the software, then the passphrase idea quickly becomes impractical. -
Re: RPG and OpenSSL
2010-11-09T17:21:05ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-11-09T16:59:39Z
I would use object-level security to protect the private key. I would lock it down so only those who absolutely need it have access to it. (And I'd give those users read-only access.)
If you encrypt it, then you're going to need to store another key that's used to decrypt the first key, and you'll face the same problem with the second key that you faced with the first one... how to protect it. Eventually, you'll either end up with a passphrase typed by the user (used as a weak encryption key) or you'll end up with object-level security. And if you need to sign documents that are created in batch, or you need many users to access the software, then the passphrase idea quickly becomes impractical. -
Re: RPG and OpenSSL
2010-11-10T23:36:38ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin
- 2010-11-09T17:21:05Z
Problem is then I must grant acess to the private key file to every user that can issue invoices, I already tried WRKLNK to remove auth to the file in IFS but then the qshell commands can't acess it.
If you revoke people's authority to the files in the IFS, of course they won't be able to access the data through QShell. (Or any other means.) What you need to do is grant access only to those users who need access to it!
You say that you have to grant access to every user that can issue invoices. Okay, that sounds true. What's the problem with that? What would you rather do? -
Re: RPG and OpenSSL
2010-11-11T13:04:07ZThis is the accepted answer. This is the accepted answer.
- scott_klement
- 2010-11-10T23:36:38Z
I don't understand.
If you revoke people's authority to the files in the IFS, of course they won't be able to access the data through QShell. (Or any other means.) What you need to do is grant access only to those users who need access to it!
You say that you have to grant access to every user that can issue invoices. Okay, that sounds true. What's the problem with that? What would you rather do?
That way I could use adopted authority that I think doesn't work with IFS files, right? -
Re: RPG and OpenSSL
2010-11-11T13:25:57ZThis is the accepted answer. This is the accepted answer.
Guys!
we are all doing the same and thanks a lot Scott who is helping us to solve this problem!
I see th eonly way to protect private key is - to put it into code and remove observability from the program.
Dear, Scott!
In order to protect private key, I want to place it into RPG procedure and call it from CL to get the key. When I did it, the CL got an error - from QShell command - requiring file with the stored key. So th ecode is wrong if I keep th eprivate key in CL variable.
How QSH command must be changed in order to use key from the program variable?
I was trying the following code:
PGM PARM(&SIGDATA &SIGOUT &ERRORF)
DCL VAR(&SIGDATA) TYPE(*CHAR) LEN(1024)
DCL VAR(&SIGOUT) TYPE(*CHAR) LEN(1024)
DCL VAR(&ERROR) TYPE(*LGL) VALUE('0')
DCL VAR(&ERRORF) TYPE(*CHAR)
DCL VAR(&TYPE) TYPE(*CHAR) LEN(1)
DCL VAR(&W1A) TYPE(*CHAR) LEN(1024)
DCLF FILE(QTEMP/SIGNF)
DLTF FILE(QTEMP/SIGNF)
MONMSG MSGID(CPF2105)
CRTPF FILE(QTEMP/SIGNF) RCDLEN(1024)
MONMSG MSGID(CPF0000)
CHGVAR VAR(&ERRORF) VALUE(' ')
/* Get a private key from RPG rpocedure */
CALLPRC PRC(SRVSIGN) RTNVAL(&W1A)
ADDENVVAR ENVVAR('_SIGIN') REPLACE(*YES) VALUE(&SIGDATA)
ADDENVVAR ENVVAR('_KEYFILE') REPLACE(*YES) VALUE(&W1A)
ADDENVVAR ENVVAR(QIBM_QSH_CMD_OUTPUT) REPLACE(*YES) +
VALUE('FILE=/QSYS.LIB/QTEMP.LIB/SIGNF.FILE/SIGNF.M+
BR')
ADDENVVAR ENVVAR(QIBM_QSH_CMD_ESCAPE_MSG) REPLACE(*YES) +
VALUE(Y)
QSH CMD('PATH=$PATH:/QOpenSys/usr/bin && print -nr +
"$_SIGIN" | openssl dgst -sha1 -sign "$_KEYFILE" +
| openssl enc -base64 -A ')
MONMSG QSH0005 EXEC(DO)
CHGVAR VAR(&ERROR) VALUE('1')
ENDDO
so on.....
but it returns error in the hush field.
So, is there any way to use variable instead of IFS file?
How the QSH command code must be changed?
I would preciate your advices!
thanks a lot,
Vlad