cryptoapi and openssl

Question

I'm trying to encrypt and sign a file with cryptoapi with some X.509 certificates. I want to verify and decrypt this file with openssl.

On windows I think I need to use the CryptSignAndEncryptMessage function to encrypt and sign data. I used this example from MSDN to create a signed and encrypted message.

How can I decrypt/verify this file using openssl? I removed the first 4 bytes from the message since it contained the length of the message (from the windows blob). When I call openssl -asn1parse I get some output that indicates it to be parsable by openssl.

When trying to verify the signature with openssl I recieve an error:

openssl rsautl -verify -inkey AlonsoCert.pem -keyform pem -certin -in sandvout-without-4byte.txt
RSA operation error
3073579208:error:0406706C:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data greater than mod len:rsa_eay.c:680:

Why not encrypt and sign using OpenSSL. Then you avoid all the 2 tool set issues. — brian beuning
@brianbeuning I want to use non exportable keys from the windows keystore for en/decryption. — David Feurle

Nickolay Olshevsky Nickolay Olshevsky · Accepted Answer · 2012-12-05T19:16:41

CryptSignAndEncrypt message seems to use RC4 cipher with empty ASN.1 parameters field and, looking at OpenSSL sources, openssl chokes on try to generate IV (which is not needed for RC4).

Try to use other cipher (AES for example) in CryptAndSignMessage. Anyway, RC4 is very old, insecure, and obsolete.

cryptoapi and openssl

3 Answers