2 Answers
Hey Nick, this worked great on my Linux system. I was able to encrypt and upload with the wrapping file, but I needed to modify the command to include underscores for each of the -pkeyopt arguments (below; ref. https://superuser.com/questions/1016696/using-a-hash-other-than-sha1-for-oaep-with-openssl-cli ).
I'm guessing that acloudguru wanted to just use the "stock/proof-of-concept" example provided by Amazon to have people get this working quickly, but yeah, it would be great to provide this command as an alternative for people not wanting to use the SHA-1 example. Replace the dashes in "rsa-padding-mode" and "rsa-oaep-md" with the "underscore" character. For some reason, underscores are converted in this editor…
There should be a "noformat" option to paste code snippets in here; if this exists, someone please reply. Back to cramming 🙂
openssl pkeyutl -encrypt -in PlaintextKeyMaterial.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -inkey wrappingKey_9d48d805-xxxx-xxxx-xxxx-xxxxxxxxxxxx-_xxxxxxxx -keyform DER -pubin -out EncryptedKeyMaterial.bin
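The answer above gives the one-line encrypt step. The script below is an added, self-contained example (not from the original thread or from AWS) that runs the same RSAES_OAEP_SHA_256 wrapping end to end offline. Because nobody outside AWS holds the private half of a real KMS wrapping key, it generates a local RSA-2048 key pair as a stand-in, exports the public half in DER form exactly as KMS hands it out, wraps 32 bytes of key material, and then unwraps with the private half purely to prove the parameters round-trip. It also shows that unwrapping with the SHA-1 defaults fails, which is the mismatch you hit if the `rsa_oaep_md` option is dropped. The file and key names are assumptions for the example; `rsa_mgf1_md:sha256` is set explicitly so the MGF1 digest does not silently depend on OpenSSL's defaults.

```shell
#!/bin/sh
# Added example: offline simulation of the AWS KMS key-material wrapping step.
# The wrapping key pair is generated locally (assumption); against real KMS you
# only ever receive the public key, so verify_unwrap is for demonstration only.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

wrap_key_material() {
    # Stand-in for the KMS wrapping key: KMS gives you only the public half as DER.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/wrapping_private.pem" 2>/dev/null
    openssl pkey -in "$WORK/wrapping_private.pem" -pubout -outform DER \
        -out "$WORK/wrappingKey.der"

    # 256-bit symmetric key material, the size KMS expects for a SYMMETRIC_DEFAULT key.
    openssl rand -out "$WORK/PlaintextKeyMaterial.bin" 32

    # RSAES_OAEP_SHA_256: OAEP padding, SHA-256 for the OAEP hash and for MGF1.
    # Note the underscores in the option names (rsa_padding_mode, rsa_oaep_md).
    openssl pkeyutl -encrypt \
        -in "$WORK/PlaintextKeyMaterial.bin" \
        -inkey "$WORK/wrappingKey.der" -keyform DER -pubin \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 \
        -out "$WORK/EncryptedKeyMaterial.bin"
}

# RSA-2048 ciphertext is always exactly 256 bytes regardless of the 32-byte input.
wrapped_size() {
    wc -c < "$WORK/EncryptedKeyMaterial.bin" | tr -d ' '
}

verify_unwrap() {
    # Unwrap with the private half (impossible against KMS; done here only to
    # confirm the wrapping parameters), then compare digests of both files.
    openssl pkeyutl -decrypt \
        -in "$WORK/EncryptedKeyMaterial.bin" \
        -inkey "$WORK/wrapping_private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 \
        -out "$WORK/Recovered.bin"
    [ "$(openssl dgst -sha256 -r < "$WORK/PlaintextKeyMaterial.bin")" = \
      "$(openssl dgst -sha256 -r < "$WORK/Recovered.bin")" ]
}

mismatch_is_rejected() {
    # Unwrapping with OpenSSL's default OAEP digest (SHA-1) must fail: the
    # padding check does not pass, just as KMS rejects material wrapped with
    # a digest other than the one declared for the import.
    if openssl pkeyutl -decrypt \
        -in "$WORK/EncryptedKeyMaterial.bin" \
        -inkey "$WORK/wrapping_private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -out "$WORK/Wrong.bin" 2>/dev/null; then
        return 1
    fi
    return 0
}

wrap_key_material
verify_unwrap
mismatch_is_rejected
echo "OAEP/SHA-256 wrap round-trips; SHA-1 unwrap rejected (ciphertext $(wrapped_size) bytes)"
```

Against real KMS you would skip the key generation, point `-inkey` at the `wrappingKey_...` DER file from GetParametersForImport, and upload `EncryptedKeyMaterial.bin` together with the import token; only the wrapping algorithm chosen in that API call (RSAES_OAEP_SHA_256 here) has to match the `rsa_oaep_md` you pass to pkeyutl.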
I second both of the answers above. I get that for video-lecture purposes simpler is better, but it's best to avoid SHA-1 in the real world. If it's important enough to encrypt, it's important enough to use 256.