Topic
  • 50 replies
  • Latest Post - ‏2014-12-16T04:18:54Z by sakthisudhan
SystemAdmin
SystemAdmin
535 Posts

Pinned topic RPG and OpenSSL

‏2010-10-25T14:37:34Z |
Hello,

I'm working with an ERP system built in RPG and due to legal requirements we must now generate, via OpenSSL, a key for each sales invoice produced in the system and store in in the database.
Anyone had experience with this and what would be the best approach?

thanks
Nuno
Updated on 2011-04-08T11:41:40Z at 2011-04-08T11:41:40Z by SystemAdmin
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-10-25T17:54:17Z  
    I haven't done this with OpenSSL in RPG -- I find it more elegant to use the IBM APIs to do the same thing.

    But, at the same time, I don't see why using OpenSSL couldn't be done. Just call the OpenSSL command-line tool via PASE, read back the results into your RPG program, and put it into the database.

    Can you explain where you're stuck?
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-10-25T21:35:52Z  
    I haven't done this with OpenSSL in RPG -- I find it more elegant to use the IBM APIs to do the same thing.

    But, at the same time, I don't see why using OpenSSL couldn't be done. Just call the OpenSSL command-line tool via PASE, read back the results into your RPG program, and put it into the database.

    Can you explain where you're stuck?
    OpenSSL is the prefered method suggested by tax authority and I never used OpenSSL in iSeries, do you have any example?

    But, really what we have to do is generate hashes for each invoice via a RSA encryption with a given private key, is there any iSeries API that provides RSA encryption?

    thanks
    Nuno
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-10-27T17:51:21Z  
    OpenSSL is the prefered method suggested by tax authority and I never used OpenSSL in iSeries, do you have any example?

    But, really what we have to do is generate hashes for each invoice via a RSA encryption with a given private key, is there any iSeries API that provides RSA encryption?

    thanks
    Nuno
    > 9USU_Nuno_Carriço wrote:
    > OpenSSL is the prefered method suggested by tax authority and I never used OpenSSL in iSeries, do you have any example?
    Can you be more specific? There are thousands and thousands of things that you can do in OpenSSL. If you can provide the command-line for openssl that you'd use on a Linux or Windows machine, I can tell you how to run it on IBM i.

    >
    > But, really what we have to do is generate hashes for each invoice via a RSA
    > encryption with a given private key, is there any iSeries API that provides RSA
    > encryption?
    >

    Sure. But, handling this with OpenSSL is probably easier. Again, see if you can get an example of how to do the openssl logic on another platform, and then maybe I can show you how to do the same on IBM i.
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-10-28T08:33:07Z  
    > 9USU_Nuno_Carriço wrote:
    > OpenSSL is the prefered method suggested by tax authority and I never used OpenSSL in iSeries, do you have any example?
    Can you be more specific? There are thousands and thousands of things that you can do in OpenSSL. If you can provide the command-line for openssl that you'd use on a Linux or Windows machine, I can tell you how to run it on IBM i.

    >
    > But, really what we have to do is generate hashes for each invoice via a RSA
    > encryption with a given private key, is there any iSeries API that provides RSA
    > encryption?
    >

    Sure. But, handling this with OpenSSL is probably easier. Again, see if you can get an example of how to do the openssl logic on another platform, and then maybe I can show you how to do the same on IBM i.
    Hi Scott,

    Details for the RSA hash generation:
    Format = x.509
    Charset = UTF-8
    Encoding = Base-64
    Endianess = Little Endian
    OAEP Padding = PKCS1 v1.5 padding
    Private Key Size = 1024 bytes
    Message Has Format = SHA-1

    In OpenSSL I do the following as an example:

    cmd> echo "2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; " | openssl dgst -sha1 -sign privatekey.pem | openssl enc -base64
    Thanks for your help.
    Nuno
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-10-28T21:31:55Z  
    Hi Scott,

    Details for the RSA hash generation:
    Format = x.509
    Charset = UTF-8
    Encoding = Base-64
    Endianess = Little Endian
    OAEP Padding = PKCS1 v1.5 padding
    Private Key Size = 1024 bytes
    Message Has Format = SHA-1

    In OpenSSL I do the following as an example:

    cmd> echo "2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; " | openssl dgst -sha1 -sign privatekey.pem | openssl enc -base64
    Thanks for your help.
    Nuno
    couldn't you just do something like this?

    
    PGM DCL VAR(&INPUT) TYPE(*CHAR) LEN(48) + VALUE(
    '2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; ') DCL VAR(&RESULT) TYPE(*CHAR) LEN(172)   DLTDTAARA SHA1OUTPUT MONMSG CPF2105   CRTDTAARA DTAARA(SHA1OUTPUT) TYPE(*CHAR) LEN(172)   ADDENVVAR ENVVAR(TESTME) VALUE(&INPUT) REPLACE(*YES) ADDENVVAR ENVVAR(KEYFILE) REPLACE(*YES) + VALUE(
    '/home/klemscot/server.key')   QSH CMD(
    'PATH=$PATH:/QOpenSys/usr/bin && + echo 
    "$TESTME" | + openssl dgst -sha1 -sign 
    "$KEYFILE" | + openssl enc -base64 | + tr -d 
    ''\n
    '' | + datarea -wl sha1output
    ')   RTVDTAARA  DTAARA(SHA1OUTPUT) RTNVAR(&RESULT)   SNDUSRMSG  MSG(
    'Result is =' *BCAT &RESULT)   ENDPGM
    
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-10-29T15:32:57Z  
    couldn't you just do something like this?

    <pre class="jive-pre"> PGM DCL VAR(&INPUT) TYPE(*CHAR) LEN(48) + VALUE( '2010-05-18;2010-05-18T11:22:19;FAC 001/14;3.12; ') DCL VAR(&RESULT) TYPE(*CHAR) LEN(172) DLTDTAARA SHA1OUTPUT MONMSG CPF2105 CRTDTAARA DTAARA(SHA1OUTPUT) TYPE(*CHAR) LEN(172) ADDENVVAR ENVVAR(TESTME) VALUE(&INPUT) REPLACE(*YES) ADDENVVAR ENVVAR(KEYFILE) REPLACE(*YES) + VALUE( '/home/klemscot/server.key') QSH CMD( 'PATH=$PATH:/QOpenSys/usr/bin && + echo "$TESTME" | + openssl dgst -sha1 -sign "$KEYFILE" | + openssl enc -base64 | + tr -d ''\n '' | + datarea -wl sha1output ') RTVDTAARA DTAARA(SHA1OUTPUT) RTNVAR(&RESULT) SNDUSRMSG MSG( 'Result is =' *BCAT &RESULT) ENDPGM </pre>
    Hi Scott,

    To do that you must have product 5733SC1 installed right?
    I'm trying also to use Qc3EncryptData API but no sucess until now:)

    thanks
    Nuno
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-11-01T17:34:59Z  
    Hi Scott,

    To do that you must have product 5733SC1 installed right?
    I'm trying also to use Qc3EncryptData API but no sucess until now:)

    thanks
    Nuno
    Yep, 5733SC1 contains OpenSSL, so you can't use OpenSSL without it. You also need PASE and QShell to use my example.
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-02T17:22:09Z  
    Yep, 5733SC1 contains OpenSSL, so you can't use OpenSSL without it. You also need PASE and QShell to use my example.
    Hi Scott,

    I already got the openssl to work, thanks for the input.

    But I think on your example:
    QSH CMD('PATH=$PATH:/QOpenSys/usr/bin && +
    echo "$TESTME" | +
    openssl dgst -sha1 -sign "$KEYFILE" | +
    openssl enc -base64 | +
    tr -d ''\n'' | +
    datarea -wl sha1output')

    it is encrypting the string "$TESTEME" and not the value of the env. variable $TESTEME, no?

    regards
    Nuno
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-02T18:13:40Z  
    Hi Scott,

    I already got the openssl to work, thanks for the input.

    But I think on your example:
    QSH CMD('PATH=$PATH:/QOpenSys/usr/bin && +
    echo "$TESTME" | +
    openssl dgst -sha1 -sign "$KEYFILE" | +
    openssl enc -base64 | +
    tr -d ''\n'' | +
    datarea -wl sha1output')

    it is encrypting the string "$TESTEME" and not the value of the env. variable $TESTEME, no?

    regards
    Nuno
    I think I found the problem:

    ChavePrivada.pem is the private key file
    input.txt is a text file where i put the text to be excrypted, in this case "EXAMPLE" with no quotes.

    so in qshell I type

    /QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem input.txt | /QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''

    I get the result:
    EPSO9dOOkekaI9SXIFYLf+vzBITtsBZbT/LKxFzs08Owf57vra43kym2ughLN/l3PRY1L2igSD11S
    RFZbf49VDUbDdva5Yuwy1Wh9Xfu7R4q5EitLu5gmUGo8CFN+FGjSRNVC1eHfyRGESF7hgOrotfJ18

    but if I run the program with same values or type in qshell I get the same wrong result:

    ECHO EXAMPLE | /QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem |
    /QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''

    I get:
    CaXuLyIQP8egLMcEJTCtgBZ/BSg8cmcHeYiJetsRBegT4pWK7dtc8pdHK0VmuWw8pkgwyu3Im9Soo
    yceAiCfiE5X/vzFpaUBrx7jlYchd6PDOdHhUjxCX8DxI+Ushi5yBHsoXsvwpHxHzapGMd66DlBIpe

    that is wrong, I tried with or without quotes, do you have any idea what might be the problem?
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-11-03T15:08:20Z  
    I think I found the problem:

    ChavePrivada.pem is the private key file
    input.txt is a text file where i put the text to be excrypted, in this case "EXAMPLE" with no quotes.

    so in qshell I type

    /QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem input.txt | /QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''

    I get the result:
    EPSO9dOOkekaI9SXIFYLf+vzBITtsBZbT/LKxFzs08Owf57vra43kym2ughLN/l3PRY1L2igSD11S
    RFZbf49VDUbDdva5Yuwy1Wh9Xfu7R4q5EitLu5gmUGo8CFN+FGjSRNVC1eHfyRGESF7hgOrotfJ18

    but if I run the program with same values or type in qshell I get the same wrong result:

    ECHO EXAMPLE | /QOpenSys/usr/bin/openssl dgst -sha1 -sign ChavePrivada.pem |
    /QOpenSys/usr/bin/openssl enc -base64 -A | tr -d ''\n''

    I get:
    CaXuLyIQP8egLMcEJTCtgBZ/BSg8cmcHeYiJetsRBegT4pWK7dtc8pdHK0VmuWw8pkgwyu3Im9Soo
    yceAiCfiE5X/vzFpaUBrx7jlYchd6PDOdHhUjxCX8DxI+Ushi5yBHsoXsvwpHxHzapGMd66DlBIpe

    that is wrong, I tried with or without quotes, do you have any idea what might be the problem?
    You say that you get the "same wrong result", but the two results look different to me. Is one of these examples right, and the other one wrong? Or are they both wrong, but different?

    How do you know which is right and which is wrong?
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-03T17:19:21Z  
    You say that you get the "same wrong result", but the two results look different to me. Is one of these examples right, and the other one wrong? Or are they both wrong, but different?

    How do you know which is right and which is wrong?
    I have a program issued by tax authority that validates the hash against the invoice number/date/value and public key, eg the string used to generate the hash.

    Found the problem, you can't do it with "echo", if we use "print -nr" it works fine!

    thanks for your help
    Nuno
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-11-04T16:22:53Z  
    I have a program issued by tax authority that validates the hash against the invoice number/date/value and public key, eg the string used to generate the hash.

    Found the problem, you can't do it with "echo", if we use "print -nr" it works fine!

    thanks for your help
    Nuno
    The only reason I used 'echo' is because I was copying the example you posted. You say "this is what I want to do", and showed the use of the 'echo' command.

    But if echo was the problem (perhaps because it adds a newline) then the one where you read the data from a file should've solved the problem? But you said it didn't.
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-04T18:14:45Z  
    The only reason I used 'echo' is because I was copying the example you posted. You say "this is what I want to do", and showed the use of the 'echo' command.

    But if echo was the problem (perhaps because it adds a newline) then the one where you read the data from a file should've solved the problem? But you said it didn't.
    Yes, reading the data from the file works with echo, here is how it is working:

    QSH CMD('PATH=$PATH:$PATH/QOpenSys/usr/bin && +
    print -nr "$TESTME"| openssl dgst -sha1 -sign +
    "$KEYFILE" | openssl enc -base64 -A | tr +
    -d ''\n'' | datarea -wl sha1output')

    once again thanks!
    Nuno
  • RuiCardoso
    RuiCardoso
    3 Posts

    Re: RPG and OpenSSL

    ‏2010-11-08T15:09:29Z  
    Yes, reading the data from the file works with echo, here is how it is working:

    QSH CMD('PATH=$PATH:$PATH/QOpenSys/usr/bin && +
    print -nr "$TESTME"| openssl dgst -sha1 -sign +
    "$KEYFILE" | openssl enc -base64 -A | tr +
    -d ''\n'' | datarea -wl sha1output')

    once again thanks!
    Nuno
    Hi Nuno,

    (we are both doing the same work in order to certify our program...)

    Have you tryed to execute that command in a CL program?

    When I do it, it gets different results that when used in the command line.

    Regards
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-08T16:46:57Z  
    Hi Nuno,

    (we are both doing the same work in order to certify our program...)

    Have you tryed to execute that command in a CL program?

    When I do it, it gets different results that when used in the command line.

    Regards
    Hi,

    Yes, i got it working now.
    drop me an email if you want some help ncarrico (at) glintt (dot) com

    regards
    Nuno
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-11-08T19:39:50Z  
    Hi Nuno,

    (we are both doing the same work in order to certify our program...)

    Have you tryed to execute that command in a CL program?

    When I do it, it gets different results that when used in the command line.

    Regards
    I get the same result when I run this interactively or when I run it from a CL program.

    RuiCardoso also sent me an e-mail showing me an interactive session vs. a CL program, and showing that they were different -- but Rui's CL program didn't run the same commands as the interactive job, and I suspect that's the problem.

    You folks might also be interested in the solution that I posted at the following link, since it's something that will work in multiple simultaneous jobs, plus it does more error handling:
    http://forums.systeminetwork.com/isnetforums/showthread.php?t=114941
  • RuiCardoso
    RuiCardoso
    3 Posts

    Re: RPG and OpenSSL

    ‏2010-11-09T07:26:32Z  
    I get the same result when I run this interactively or when I run it from a CL program.

    RuiCardoso also sent me an e-mail showing me an interactive session vs. a CL program, and showing that they were different -- but Rui's CL program didn't run the same commands as the interactive job, and I suspect that's the problem.

    You folks might also be interested in the solution that I posted at the following link, since it's something that will work in multiple simultaneous jobs, plus it does more error handling:
    http://forums.systeminetwork.com/isnetforums/showthread.php?t=114941
    Yes, my CL was wrong.
    As Scott said to me, I was converting data twice...
    Now it's working ok.

    Thanks
  • RuiCardoso
    RuiCardoso
    3 Posts

    Re: RPG and OpenSSL

    ‏2010-11-09T07:26:44Z  
    I get the same result when I run this interactively or when I run it from a CL program.

    RuiCardoso also sent me an e-mail showing me an interactive session vs. a CL program, and showing that they were different -- but Rui's CL program didn't run the same commands as the interactive job, and I suspect that's the problem.

    You folks might also be interested in the solution that I posted at the following link, since it's something that will work in multiple simultaneous jobs, plus it does more error handling:
    http://forums.systeminetwork.com/isnetforums/showthread.php?t=114941
    Yes, my CL was wrong.
    As Scott said to me, I was converting data twice...
    Now it's working ok.

    Thanks
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-09T14:46:23Z  
    Yes, my CL was wrong.
    As Scott said to me, I was converting data twice...
    Now it's working ok.

    Thanks
    Following the conversation what would be the best way to protect the privacy of the private key file as it is in the IFS?

    Or should we store it encrypted in a physical file?

    regards
    Nuno
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-11-09T16:59:39Z  
    Following the conversation what would be the best way to protect the privacy of the private key file as it is in the IFS?

    Or should we store it encrypted in a physical file?

    regards
    Nuno
    I would use object-level security to protect the private key. I would lock it down so only those who absolutely need it have access to it. (And I'd give those users read-only access.)

    If you encrypt it, then you're going to need to store another key that's used to decrypt the first key, and you'll face the same problem with the second key that you faced with the first one... how to protect it. Eventually, you'll either end up with a passphrase typed by the user (used as a weak encryption key) or you'll end up with object-level security. And if you need to sign documents that are created in batch, or you need many users to access the software, then the passphrase idea quickly becomes impractical.
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-09T17:21:05Z  
    I would use object-level security to protect the private key. I would lock it down so only those who absolutely need it have access to it. (And I'd give those users read-only access.)

    If you encrypt it, then you're going to need to store another key that's used to decrypt the first key, and you'll face the same problem with the second key that you faced with the first one... how to protect it. Eventually, you'll either end up with a passphrase typed by the user (used as a weak encryption key) or you'll end up with object-level security. And if you need to sign documents that are created in batch, or you need many users to access the software, then the passphrase idea quickly becomes impractical.
    Problem is then I must grant acess to the private key file to every user that can issue invoices, I already tried WRKLNK to remove auth to the file in IFS but then the qshell commands can't acess it.
  • scott_klement
    scott_klement
    244 Posts

    Re: RPG and OpenSSL

    ‏2010-11-10T23:36:38Z  
    Problem is then I must grant acess to the private key file to every user that can issue invoices, I already tried WRKLNK to remove auth to the file in IFS but then the qshell commands can't acess it.
    I don't understand.

    If you revoke people's authority to the files in the IFS, of course they won't be able to access the data through QShell. (Or any other means.) What you need to do is grant access only to those users who need access to it!

    You say that you have to grant access to every user that can issue invoices. Okay, that sounds true. What's the problem with that? What would you rather do?
  • SystemAdmin
    SystemAdmin
    535 Posts

    Re: RPG and OpenSSL

    ‏2010-11-11T13:04:07Z  
    I don't understand.

    If you revoke people's authority to the files in the IFS, of course they won't be able to access the data through QShell. (Or any other means.) What you need to do is grant access only to those users who need access to it!

    You say that you have to grant access to every user that can issue invoices. Okay, that sounds true. What's the problem with that? What would you rather do?
    Is it possible to store the private key in a physical file or a data area?
    That way I could use adopted authority that I think doesn't work with IFS files, right?
  • VladDemchenko
    VladDemchenko
    4 Posts

    Re: RPG and OpenSSL

    ‏2010-11-11T13:25:57Z  
    Guys!
    we are all doing the same and thanks a lot Scott who is helping us to solve this problem!

    I see th eonly way to protect private key is - to put it into code and remove observability from the program.

    Dear, Scott!
    In order to protect private key, I want to place it into RPG procedure and call it from CL to get the key. When I did it, the CL got an error - from QShell command - requiring file with the stored key. So th ecode is wrong if I keep th eprivate key in CL variable.
    How QSH command must be changed in order to use key from the program variable?

    I was trying the following code:
    PGM PARM(&SIGDATA &SIGOUT &ERRORF)

    DCL VAR(&SIGDATA) TYPE(*CHAR) LEN(1024)

    DCL VAR(&SIGOUT) TYPE(*CHAR) LEN(1024)
    DCL VAR(&ERROR) TYPE(*LGL) VALUE('0')
    DCL VAR(&ERRORF) TYPE(*CHAR)
    DCL VAR(&TYPE) TYPE(*CHAR) LEN(1)
    DCL VAR(&W1A) TYPE(*CHAR) LEN(1024)
    DCLF FILE(QTEMP/SIGNF)

    DLTF FILE(QTEMP/SIGNF)
    MONMSG MSGID(CPF2105)

    CRTPF FILE(QTEMP/SIGNF) RCDLEN(1024)

    MONMSG MSGID(CPF0000)
    CHGVAR VAR(&ERRORF) VALUE(' ')
    /* Get a private key from RPG rpocedure */
    CALLPRC PRC(SRVSIGN) RTNVAL(&W1A)
    ADDENVVAR ENVVAR('_SIGIN') REPLACE(*YES) VALUE(&SIGDATA)
    ADDENVVAR ENVVAR('_KEYFILE') REPLACE(*YES) VALUE(&W1A)

    ADDENVVAR ENVVAR(QIBM_QSH_CMD_OUTPUT) REPLACE(*YES) +
    VALUE('FILE=/QSYS.LIB/QTEMP.LIB/SIGNF.FILE/SIGNF.M+
    BR')
    ADDENVVAR ENVVAR(QIBM_QSH_CMD_ESCAPE_MSG) REPLACE(*YES) +
    VALUE(Y)

    QSH CMD('PATH=$PATH:/QOpenSys/usr/bin && print -nr +
    "$_SIGIN" | openssl dgst -sha1 -sign "$_KEYFILE" +
    | openssl enc -base64 -A ')
    MONMSG QSH0005 EXEC(DO)
    CHGVAR VAR(&ERROR) VALUE('1')
    ENDDO
    so on.....
    but it returns error in the hush field.
    So, is there any way to use variable instead of IFS file?
    How the QSH command code must be changed?
    I would preciate your advices!
    thanks a lot,
    Vlad