Fork me on GitHub

ABAP RSA 加密

最近出现一些SAP ABAP RSA加密的需求,这里搬运一篇文章,用于学习参考。

 

本文链接:https://www.cnblogs.com/hhelibeb/p/14952732.html

原文标题:RSA Encryption in ABAP

 

最近我偶然在SAP社区发现了很多关于RSA加密的未解答的问题。在这里我将尝试提供一些例子,说明如何在ABAP中使用公钥/私钥加密。

所有的间接问题,如证书、信任、撤销和密钥生成,在本文中不会涉及。密钥将用openssl生成。

例子1 – 用自己的ABAP RSA实现

RSA加密是非常简单的。只需要整数算术--主要是模幂运算。唯一的问题是,所涉及的整数比ABAP和大多数其他语言默认能处理的长。幸运的是,这个问题被Harry Boeck用Z04_BIGINTX类解决了,可以在这里找到(出色的工作)。

备注:评论区提到另一个解决方案abapPGP

生成RSA key

创建一个工作目录,并进入,

mkdir -p /tmp/rsa
cd /tmp/rsa

生成2048位RSA密钥。

/tmp/rsa > openssl genrsa -out rsa.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................+++++
.......+++++
e is 65537 (0x010001)

用纯文本输出公钥和私钥。我们只需要模数(modulus)、公钥指数(publicExponent)和私钥指数(privateExponent)。

/tmp/rsa > openssl pkey -in rsa.key -text
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDiBbntt4wk807Q
Bzh0gdwwXFyxe1/a41dDZeekgxC5p649B1pT6Ft7P6eSmZqDdZ6t04JpzAdyHjzj
2DMPt6VpAkXyaQSXLHd7dKWYnw2b/akWptd761zx9oIY1tHz0y4VbfkX0yt7FwvP
jUK6XfpcyYymJ1KMmG/UhsIENLxhaU56/gnKdl01XTcKe+JkBpv02dpw+bw6BE34
21FXFmSpoduAHA8/lm+9U6PqdvxU6IDB16n5X74IyUCTQsMW7XQgaw3cqVWTYigU
sZFbHPEddfkCZDNfSodmRd+WZTuCRjD6+K/9+K1j7Kk4a2LMC7r0bPOIYcrW+0VC
+ykiz8QTAgMBAAECggEBAL27/tt+FEhEcymQliS/in6SWkGnBs1xwKRUXEMuvxCK
oWqbzIjZakopIlufVCT8zMqw3i4/1xRGK+k8aYjNKi7feKZI4FCjRF2/iu92vW7w
XkwknIlrB6gavhVp5+9dnLbijZMhcsOukfyWYaifEXdovggQxGw/3siyoxXyyxyd
PSB1Wf+LdZ1EOTaEfk3+lgEpEUzdFTNEC/jwrQJiXzSB+nP5bB0Az3kMcbhxwa01
hAUylXCNtnrRJv0sMvQJOy59gBjiPn3GW62t8Kf/km3IlDRKE7h9xYECafQabaXR
0q6swX09YpdKKBEHYLE9ArpamJtJYPtlA2XSvsfBqkECgYEA84Bt20EpBPldrUFN
GLb7qKNPawRbMff204xx7OtzHD77Th6hcvaXU0C/D4c+DMZNQ/2M4xbLoZWPTOnK
BxOhpbZMH4prxLA4U/6TDQwo9F3kW/1zPcYKfxOgW6tlVHWnLR4Kd1+W7ygNOhjV
El6lWwi008547z05w5ZQ2T+U3OECgYEA7Z+fO6ZWIRqHJq1MCzStTtS+hGkwJArj
DGy8AbvGV7LScmH31sxRJqZp6jHMOICBjgwAPN0VE5eq+xUcPs0p5/seTy/MzSbf
uRG+A//PIG/yUVuOV6nuCYKsY2v2oTUF+v8HGMkfa7WkEhD5S5lZ+oA8gVMXQ4Ey
J235xfPu63MCgYEA4qA+HljX14RK1kw3d/Ad6ocMDDsCsU/qDlvhUDKWcMyBUeSa
OIgesOJKsCYb7wHEuanKrTPzE5FBzMCuQcXYpYUz9gr7YBTuZ+ZAcF1H5J9aQO9z
iSO/cyQOFCNB7MiPbiNOdGmn7S/ml5KzBCTIWyCQQ60fyvG9yDYnSvqtDqECgYBk
29Cxd9us916QKxRQ2U4KXMB04VTep4RRnMF8FuCMDsnGZRDWKijzt8TS88oT3W+g
BDYBn3E3vLOFGSPBAEIeRfdKcyaBmVNycTZu6iBXS0zV/X+AdA8mGEHlfUjUifX8
4Ex517wvcoyuYmf+D5wieFW2KreAHpFULRjMTcqGQwKBgQCMrLoC1dasdvcQ/d9r
sd1AlGjSjoVhGeb19NYQMdOxx29vExP45ClSmnTCTZIZFVpeXHQ4X3ALq2uK4bQp
Cyqrz+4TRLY9e9qgTqNsWkhyke9YSAYNxCb17ZXf7rtHgTJeGbnDvrKC8xa2EvgR
sZknhXCegj6UBsECwPBrYZoDag==
-----END PRIVATE KEY-----
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:e2:05:b9:ed:b7:8c:24:f3:4e:d0:07:38:74:81:
    dc:30:5c:5c:b1:7b:5f:da:e3:57:43:65:e7:a4:83:
    10:b9:a7:ae:3d:07:5a:53:e8:5b:7b:3f:a7:92:99:
    9a:83:75:9e:ad:d3:82:69:cc:07:72:1e:3c:e3:d8:
    33:0f:b7:a5:69:02:45:f2:69:04:97:2c:77:7b:74:
    a5:98:9f:0d:9b:fd:a9:16:a6:d7:7b:eb:5c:f1:f6:
    82:18:d6:d1:f3:d3:2e:15:6d:f9:17:d3:2b:7b:17:
    0b:cf:8d:42:ba:5d:fa:5c:c9:8c:a6:27:52:8c:98:
    6f:d4:86:c2:04:34:bc:61:69:4e:7a:fe:09:ca:76:
    5d:35:5d:37:0a:7b:e2:64:06:9b:f4:d9:da:70:f9:
    bc:3a:04:4d:f8:db:51:57:16:64:a9:a1:db:80:1c:
    0f:3f:96:6f:bd:53:a3:ea:76:fc:54:e8:80:c1:d7:
    a9:f9:5f:be:08:c9:40:93:42:c3:16:ed:74:20:6b:
    0d:dc:a9:55:93:62:28:14:b1:91:5b:1c:f1:1d:75:
    f9:02:64:33:5f:4a:87:66:45:df:96:65:3b:82:46:
    30:fa:f8:af:fd:f8:ad:63:ec:a9:38:6b:62:cc:0b:
    ba:f4:6c:f3:88:61:ca:d6:fb:45:42:fb:29:22:cf:
    c4:13
publicExponent: 65537 (0x10001)
privateExponent:
    00:bd:bb:fe:db:7e:14:48:44:73:29:90:96:24:bf:
    8a:7e:92:5a:41:a7:06:cd:71:c0:a4:54:5c:43:2e:
    bf:10:8a:a1:6a:9b:cc:88:d9:6a:4a:29:22:5b:9f:
    54:24:fc:cc:ca:b0:de:2e:3f:d7:14:46:2b:e9:3c:
    69:88:cd:2a:2e:df:78:a6:48:e0:50:a3:44:5d:bf:
    8a:ef:76:bd:6e:f0:5e:4c:24:9c:89:6b:07:a8:1a:
    be:15:69:e7:ef:5d:9c:b6:e2:8d:93:21:72:c3:ae:
    91:fc:96:61:a8:9f:11:77:68:be:08:10:c4:6c:3f:
    de:c8:b2:a3:15:f2:cb:1c:9d:3d:20:75:59:ff:8b:
    75:9d:44:39:36:84:7e:4d:fe:96:01:29:11:4c:dd:
    15:33:44:0b:f8:f0:ad:02:62:5f:34:81:fa:73:f9:
    6c:1d:00:cf:79:0c:71:b8:71:c1:ad:35:84:05:32:
    95:70:8d:b6:7a:d1:26:fd:2c:32:f4:09:3b:2e:7d:
    80:18:e2:3e:7d:c6:5b:ad:ad:f0:a7:ff:92:6d:c8:
    94:34:4a:13:b8:7d:c5:81:02:69:f4:1a:6d:a5:d1:
    d2:ae:ac:c1:7d:3d:62:97:4a:28:11:07:60:b1:3d:
    02:ba:5a:98:9b:49:60:fb:65:03:65:d2:be:c7:c1:
    aa:41
.
.
.
key

现在有了key和类Z04_BIGINTX,我们可以写程序了。

ABAP程序

在下面的程序中,我们用公钥加密,用私钥签署"Thirty-two bytes secret message!"这个信息。结果显示在屏幕上。它们被保存在生成密钥的相同文件夹中。

签名通常包括对消息进行散列(hash),并对散列值进行签名,但是因为我们的消息足够小,我们跳过散列步骤,直接对消息本身进行签名。作为概念证明,这样做应该是足够的。
实际的工作只是几行代码而已。


加密:

msg_encr_bi = msg_plain_bi->powmod( x = publicExponent
                                    m = pub_modulus_bi ).

签名:

msg_encr_bi = msg_plain_bi->powmod( x = priv_exponent_bi
                                    m = pub_modulus_bi ).

剩下的就是将十六进制转换为十进制,然后再转换回来。

 

REPORT Z_RSA.

data: bi1     type ref to z04_BigIntX,
      bi2     type ref to z04_BigIntX,
      bi256   type ref to z04_BigIntX,

      s  type string,

      i1 type I,
      i2 type I,
      i3 type I value 0,

      x1 type X,

      publicExponent   type ref to z04_BigIntX,

      pub_modulus_s    type string,
      pub_modulus_x    type xstring,
      pub_modulus_bi   type ref to z04_BigIntX,

      priv_exponent_s  type string,
      priv_exponent_x  type xstring,
      priv_exponent_bi type ref to z04_BigIntX,

      msg_text         type string,
      msg_plain_bi     type ref to z04_BigIntX,
      msg_encr_bi      type ref to z04_BigIntX,
      msg_encr_x       type xstring,
      msg_sign_x       type xstring,

      pkcs_rnd         type xstring,
      pkcs_ff_s        type string,
      pkcs_ff_x        type xstring,
      pkcs_head_sign   type xstring value '0001',
      pkcs_head_encr   type xstring value '0002',
      pkcs_zero        type xstring value '00',
      pkcs_one         type xstring value '01',
      msg_xstr         type xstring,
      msg_xstr_e       type xstring,
      msg_xstr_s       type xstring,

      msg_file_name    type string value '/tmp/rsa/encrypted_msg',
      msg_file_name_s  type string value '/tmp/rsa/signed_msg'.

create object msg_plain_bi.
create object bi1.
create object bi2.
create object bi256.
create object publicExponent.
create object pub_modulus_bi.
create object priv_exponent_bi.
create object msg_encr_bi.


DATA: T1 TYPE I, T2 TYPE I, T3 TYPE I.

bi256->seti( 256 ).

*---------------------
* PREPARE THE KEY
*---------------------

" public exponent
publicExponent->setstr( '65537' ).

" private exponent
CONCATENATE
  '00:bd:bb:fe:db:7e:14:48:44:73:29:90:96:24:bf:'
  '8a:7e:92:5a:41:a7:06:cd:71:c0:a4:54:5c:43:2e:'
  'bf:10:8a:a1:6a:9b:cc:88:d9:6a:4a:29:22:5b:9f:'
  '54:24:fc:cc:ca:b0:de:2e:3f:d7:14:46:2b:e9:3c:'
  '69:88:cd:2a:2e:df:78:a6:48:e0:50:a3:44:5d:bf:'
  '8a:ef:76:bd:6e:f0:5e:4c:24:9c:89:6b:07:a8:1a:'
  'be:15:69:e7:ef:5d:9c:b6:e2:8d:93:21:72:c3:ae:'
  '91:fc:96:61:a8:9f:11:77:68:be:08:10:c4:6c:3f:'
  'de:c8:b2:a3:15:f2:cb:1c:9d:3d:20:75:59:ff:8b:'
  '75:9d:44:39:36:84:7e:4d:fe:96:01:29:11:4c:dd:'
  '15:33:44:0b:f8:f0:ad:02:62:5f:34:81:fa:73:f9:'
  '6c:1d:00:cf:79:0c:71:b8:71:c1:ad:35:84:05:32:'
  '95:70:8d:b6:7a:d1:26:fd:2c:32:f4:09:3b:2e:7d:'
  '80:18:e2:3e:7d:c6:5b:ad:ad:f0:a7:ff:92:6d:c8:'
  '94:34:4a:13:b8:7d:c5:81:02:69:f4:1a:6d:a5:d1:'
  'd2:ae:ac:c1:7d:3d:62:97:4a:28:11:07:60:b1:3d:'
  '02:ba:5a:98:9b:49:60:fb:65:03:65:d2:be:c7:c1:'
  'aa:41'
into priv_exponent_s.
replace ALL OCCURRENCES OF REGEX '(:)' in priv_exponent_s with ''.
TRANSLATE priv_exponent_s TO UPPER CASE.
priv_exponent_x = priv_exponent_s.
" Convert the modulus from HEX to DEC
bi2->seti( 1 ).
i1 = xstrlen( priv_exponent_x ).
WHILE ( i1 > 0 ).
  i1 = i1 - 1.
  i2 = priv_exponent_x+i1(1).
  bi1->seti( i2 ).
  bi1->mul( bi2 ).
  bi2->mul( bi256 ).
  priv_exponent_bi = priv_exponent_bi->add( bi1 ).
ENDWHILE.

" public key
CONCATENATE
  '00:e2:05:b9:ed:b7:8c:24:f3:4e:d0:07:38:74:81:'
  'dc:30:5c:5c:b1:7b:5f:da:e3:57:43:65:e7:a4:83:'
  '10:b9:a7:ae:3d:07:5a:53:e8:5b:7b:3f:a7:92:99:'
  '9a:83:75:9e:ad:d3:82:69:cc:07:72:1e:3c:e3:d8:'
  '33:0f:b7:a5:69:02:45:f2:69:04:97:2c:77:7b:74:'
  'a5:98:9f:0d:9b:fd:a9:16:a6:d7:7b:eb:5c:f1:f6:'
  '82:18:d6:d1:f3:d3:2e:15:6d:f9:17:d3:2b:7b:17:'
  '0b:cf:8d:42:ba:5d:fa:5c:c9:8c:a6:27:52:8c:98:'
  '6f:d4:86:c2:04:34:bc:61:69:4e:7a:fe:09:ca:76:'
  '5d:35:5d:37:0a:7b:e2:64:06:9b:f4:d9:da:70:f9:'
  'bc:3a:04:4d:f8:db:51:57:16:64:a9:a1:db:80:1c:'
  '0f:3f:96:6f:bd:53:a3:ea:76:fc:54:e8:80:c1:d7:'
  'a9:f9:5f:be:08:c9:40:93:42:c3:16:ed:74:20:6b:'
  '0d:dc:a9:55:93:62:28:14:b1:91:5b:1c:f1:1d:75:'
  'f9:02:64:33:5f:4a:87:66:45:df:96:65:3b:82:46:'
  '30:fa:f8:af:fd:f8:ad:63:ec:a9:38:6b:62:cc:0b:'
  'ba:f4:6c:f3:88:61:ca:d6:fb:45:42:fb:29:22:cf:'
  'c4:13'
into pub_modulus_s.
replace ALL OCCURRENCES OF REGEX '(:)' in pub_modulus_s with ''.
TRANSLATE pub_modulus_s TO UPPER CASE.
pub_modulus_x = pub_modulus_s.
" Convert the modulus from HEX to DEC
bi2->seti( 1 ).
i1 = xstrlen( pub_modulus_x ).
WHILE ( i1 > 0 ).
  i1 = i1 - 1.
  i2 = pub_modulus_x+i1(1).
  bi1->seti( i2 ).
  bi1->mul( bi2 ).
  bi2->mul( bi256 ).
  pub_modulus_bi = pub_modulus_bi->add( bi1 ).
ENDWHILE.

*---------------------
* END PREPARE THE KEY
*---------------------

msg_text = 'Thirty-two bytes secret message!'.
write: / 'Plain message:'.
write: / msg_text.
SKIP.

*---------------------
* START ENCRYPTION
*---------------------

CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
  EXPORTING
    text = msg_text
  IMPORTING
    buffer = msg_xstr.

write: / 'Plain message in HEX:'.
PERFORM SHOW_DATA USING msg_xstr.
SKIP.

i1 = 256 - 3 - xstrlen( msg_xstr ).

CALL FUNCTION 'GENERATE_SEC_RANDOM'
  EXPORTING
    length = i1
  IMPORTING
    random = pkcs_rnd
  EXCEPTIONS
    INVALID_LENGTH = 1
    NO_MEMORY = 2
    INTERNAL_ERROR = 3.

  do i1 TIMES.
    CONCATENATE 'FF' pkcs_ff_s INTO pkcs_ff_s.
  enddo.
  pkcs_ff_x = pkcs_ff_s.

REPLACE ALL OCCURRENCES OF pkcs_zero in pkcs_rnd with pkcs_one IN BYTE MODE.

CONCATENATE
 pkcs_head_encr
 pkcs_rnd
 pkcs_zero
 msg_xstr
into msg_xstr_e in byte mode.

write: / 'Plain message PKCS1-V1.5 padded for encryption in HEX:'.
PERFORM SHOW_DATA USING msg_xstr_e.
SKIP.

" Convert the padded plain text message from HEX to DEC
i1 = xstrlen( msg_xstr_e ).
bi2->seti( 1 ).
WHILE ( i1 > 0 ).
  i1 = i1 - 1.
  i2 = msg_xstr_e+i1(1).
  bi1->seti( i2 ).
  bi1->mul( bi2 ).
  bi2->mul( bi256 ).
  msg_plain_bi = msg_plain_bi->add( bi1 ).
ENDWHILE.

" Encrypt the message
GET RUN TIME FIELD T1.
msg_encr_bi = msg_plain_bi->powmod( x = publicExponent
                                    m = pub_modulus_bi ).
GET RUN TIME FIELD T2.
T3 = T2 - T1.
write: / 'Encryption time:', T3.

" Convert the encrypted message from DEC to HEX
WHILE ( s <> '0' ).
  i1 = bi2->setobj( msg_encr_bi )->mod( bi256 )->getstr( 0 ) + i3.
  if i1 = 256.
     i3 = 1.
  else.
     i3 = 0.
  endif.
  x1 = i1.
  s = msg_encr_bi->div( bi256 )->getstr( 0 ).
  CONCATENATE x1 msg_encr_x INTO msg_encr_x IN BYTE MODE.
ENDWHILE.

" output encrypted message
OPEN DATASET msg_file_name FOR OUTPUT IN BINARY MODE.
TRANSFER msg_encr_x TO msg_file_name.
CLOSE DATASET msg_file_name.

write: / 'RSA encrypted message:'.
PERFORM SHOW_DATA USING msg_encr_x.
SKIP.

*---------------------
* END ENCRYPTION
*---------------------


*---------------------
* START SIGNING
*---------------------
" Message PKCS#1 padding for signing
CONCATENATE
 pkcs_head_sign
 pkcs_ff_x
 pkcs_zero
 msg_xstr
into msg_xstr_s in byte mode.
write: / 'Plain message PKCS1-V1.5 padded for signing in HEX:'.
PERFORM SHOW_DATA USING msg_xstr_s.
SKIP.

" Convert the padded plain text message from HEX to DEC
msg_plain_bi->seti( 0 ).
i1 = xstrlen( msg_xstr_s ).
bi2->seti( 1 ).
WHILE ( i1 > 0 ).
  i1 = i1 - 1.
  i2 = msg_xstr_s+i1(1).
  bi1->seti( i2 ).
  bi1->mul( bi2 ).
  bi2->mul( bi256 ).
  msg_plain_bi = msg_plain_bi->add( bi1 ).
ENDWHILE.

" Sign the message
GET RUN TIME FIELD T1.
msg_encr_bi = msg_plain_bi->powmod( x = priv_exponent_bi
                                    m = pub_modulus_bi ).
GET RUN TIME FIELD T2.
i1 = T2 - T1.
write: / 'Signing time:', i1.

s = ''.
msg_sign_x = ''.

" Convert the encrypted message from DEC to HEX
WHILE ( s <> '0' ).
  i1 = bi2->setobj( msg_encr_bi )->mod( bi256 )->getstr( 0 ) + i3.
  if i1 = 256.
     i3 = 1.
  else.
     i3 = 0.
  endif.
  x1 = i1.
  s = msg_encr_bi->div( bi256 )->getstr( 0 ).
  CONCATENATE x1 msg_sign_x INTO msg_sign_x IN BYTE MODE.
ENDWHILE.

" Output signed message
OPEN DATASET msg_file_name_s FOR OUTPUT IN BINARY MODE.
TRANSFER msg_sign_x TO msg_file_name_s.
CLOSE DATASET msg_file_name_s.

write: / 'RSA signed message:'.
PERFORM SHOW_DATA USING msg_sign_x.

*---------------------
* END SIGNING
*---------------------

FORM SHOW_DATA USING  data_x TYPE xstring.
  DATA: data_len TYPE I
      , i1       TYPE I value 0
      , i2       TYPE I value 32.
  data_len = xstrlen( data_x ).
  WHILE ( i1 < data_len ).
    i2 = nmin( val1 = i2
               val2 = data_len ).
    WRITE: / data_x+i1(i2).
    i1 = i1 + 32.
  ENDWHILE.
ENDFORM.

 输出如下,

 我们看到用公钥指数加密,几乎总是65537,需要约0.2秒,而用私钥指数签名需要30秒。

现在让我们用openssl检查一下结果。

解密,

/tmp/rsa >xxd encrypted_msg
00000000: dd64 ff4c f19e 6274 b3fd aa8b ecc2 9fe0  .d.L..bt........
00000010: 6d87 760f 1239 d01f 81ce e53b 3587 f601  m.v..9.....;5...
00000020: 8e03 4099 a582 bbdd e45b 7cf7 be79 76b9  ..@......[|..yv.
00000030: 7068 3cd5 2b72 a7d6 2c51 e805 36d3 3eb8  ph<.+r..,Q..6.>.
00000040: c11c 4584 01f3 3bfd d265 1bf7 aff1 d97a  ..E...;..e.....z
00000050: aded 0b4a b59d 3c3c 4675 e38d 8409 aedc  ...J..<<Fu......
00000060: 1242 b562 5ced 9662 c9f3 5974 4cc3 3227  .B.b\..b..YtL.2'
00000070: b750 6cea e244 892b 873f 32e7 c4fd 4f78  .Pl..D.+.?2...Ox
00000080: 6a5e 7063 d0fe c5ef 9219 8549 b025 47c9  j^pc.......I.%G.
00000090: 0b3a 5598 d780 aab4 ab5a 6bb0 8ba5 f822  .:U......Zk...."
000000a0: 735f 2b43 68e6 5630 9c90 1712 6196 6d06  s_+Ch.V0....a.m.
000000b0: e2fc 87c1 db42 554f 3688 929a 6550 5173  .....BUO6...ePQs
000000c0: b951 30f6 ca5b a60a 2cc7 5710 915a 2809  .Q0..[..,.W..Z(.
000000d0: c6d8 60ba 3eac bcc1 9814 cc6a e777 757f  ..`.>......j.wu.
000000e0: 44ae ce00 3869 a275 4c4b 3f8e e5e2 eb67  D...8i.uLK?....g
000000f0: 34ac 13cb f89e 5edc 9d67 d5e8 704e d9c6  4.....^..g..pN..
/tmp/rsa >
/tmp/rsa >openssl rsautl -decrypt -in encrypted_msg -inkey rsa.key | xxd
00000000: 5468 6972 7479 2d74 776f 2062 7974 6573  Thirty-two bytes
00000010: 2073 6563 7265 7420 6d65 7373 6167 6521   secret message!
Decrypt

添加raw参数,让openssl显示完整消息,

/tmp/rsa >openssl rsautl -decrypt -in encrypted_msg -inkey rsa.key -raw | xxd
00000000: 0002 4316 8cf2 e289 8dc4 67cf be1b f547  ..C.......g....G
00000010: ae0b b98b 8ef8 79ba 9b98 ac20 3660 d6ac  ......y.... 6`..
00000020: 3330 e613 752c a9ab 3f88 368b 223b 050b  30..u,..?.6.";..
00000030: b79d 40c2 2ef9 9de9 e363 10d1 199b 97f0  ..@......c......
00000040: 33da b96d e3fc 62d6 06c4 ebb5 3ee2 b823  3..m..b.....>..#
00000050: 4f22 d924 ac1d dd89 0215 889f 4c1f 9364  O".$........L..d
00000060: 1220 81bd 21d7 1dd2 280e d74a 4024 99ae  . ..!...(..J@$..
00000070: a8ed 3fad 30aa e281 db4c 5454 c237 9bc0  ..?.0....LTT.7..
00000080: 9338 2a39 197b 9972 4c11 b260 7f31 e407  .8*9.{.rL..`.1..
00000090: 81ea 2be7 a9da 336b 6b66 8bde 1774 3bd0  ..+...3kkf...t;.
000000a0: 0ccd 3b93 983c 1c51 b32d a31b 06f6 533e  ..;..<.Q.-....S>
000000b0: 144a 1c2a f32d 875f 4873 8b41 dcc7 8b18  .J.*.-._Hs.A....
000000c0: 40e4 4414 bd7e c49a 5282 b165 3698 fdf6  @.D..~..R..e6...
000000d0: 9e20 b83b 3185 c7ee 962a 9bb5 f173 8900  . .;1....*...s..
000000e0: 5468 6972 7479 2d74 776f 2062 7974 6573  Thirty-two bytes
000000f0: 2073 6563 7265 7420 6d65 7373 6167 6521   secret message!
View Code

验证,

/tmp/rsa >xxd signed_msg
00000000: d540 f2b5 1e7e bb83 aa6e d099 1ad6 ee1e  .@...~...n......
00000010: ccdb ffaf e579 0e98 323e b055 7164 4b71  .....y..2>.UqdKq
00000020: a71c 0e6e 5e74 3fdb c914 97ac e063 8ece  ...n^t?......c..
00000030: 086e d8ac fad9 14a7 7f47 bd34 22a9 d0ab  .n.......G.4"...
00000040: 73e7 80fc 65af fbd7 d3df 7672 1d31 88e7  s...e.....vr.1..
00000050: b489 311c eb36 25bf 3e8b 4efb b97c df96  ..1..6%.>.N..|..
00000060: 5440 165b a820 514d 9649 531f 402c 5767  T@.[. QM.IS.@,Wg
00000070: 508c adeb 1954 e14f e2ce d64e ba30 0c4a  P....T.O...N.0.J
00000080: aeca 0927 7823 9bc6 0083 99f7 e605 ae9d  ...'x#..........
00000090: 2cd9 205e 41f4 1587 5b3f 1574 047d 42b3  ,. ^A...[?.t.}B.
000000a0: 6e5a a74b cfaa fde5 4d09 26f9 82ca f1b5  nZ.K....M.&.....
000000b0: 9299 f2df 7444 472d 1554 3378 c544 7f20  ....tDG-.T3x.D.
000000c0: b6b0 80be a241 2d24 c561 da69 522d 86db  .....A-$.a.iR-..
000000d0: 2388 cbe5 15fe 9967 3bbd 36f5 5a70 8a05  #......g;.6.Zp..
000000e0: a30c 2c89 2f05 b470 15d3 482f e53b 947a  ..,./..p..H/.;.z
000000f0: c7f5 feba bd41 a877 750e c9f8 cb7a c7b1  .....A.wu....z..
/tmp/rsa >
/tmp/rsa >openssl rsautl -verify -in signed_msg -inkey rsa.key | xxd
00000000: 5468 6972 7479 2d74 776f 2062 7974 6573  Thirty-two bytes
00000010: 2073 6563 7265 7420 6d65 7373 6167 6521   secret message!
/tmp/rsa >
/tmp/rsa >openssl rsautl -verify -in signed_msg -inkey rsa.key -raw | xxd
00000000: 0001 ffff ffff ffff ffff ffff ffff ffff  ................
00000010: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000d0: ffff ffff ffff ffff ffff ffff ffff ff00  ................
000000e0: 5468 6972 7479 2d74 776f 2062 7974 6573  Thirty-two bytes
000000f0: 2073 6563 7265 7420 6d65 7373 6167 6521   secret message!
Verify

例子2 – 使用CommonCryptoLib

所有RSA的东西都可以用函数组SSFW - SSF Function for Web Services Security轻松完成。除了你可以用openssl中的(-raw)开关得到的东西外,其他的都可以。例如,如果你想使用非标准的padding,这应该是很少见的情况。


为了方便,我将从例1中使用的密钥创建一个PSE并使用该PSE。
在生产中,你可以考虑通过SSFA、STRUST和SSF_GET_PARAMETER来进行。

 

创建PSE,

/tmp/rsa > openssl req -x509 -sha256 -key rsa.key -out user1.cer -days 3650 -subj '/CN=user1'
/tmp/rsa > openssl pkcs12 -export -inkey rsa.key -in user1.cer -out user1.pfx -nodes
Enter Export Password:
Verifying - Enter Export Password:
/tmp/rsa > setenv SECUDIR $PWD
/tmp/rsa > sapgenpse import_p12 -x "" -p user1.pse user1.pfx
Found key 'INDEX=0,SIG=YES,ENC=YES,MD5-FINGERPRINT=3B9E 77DD E5E4 3371 19FA 2FCF D1CA 512F,KEYID=3D1E2BC7E33500A3D2A098B63FE9962A6B63318C'

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

PSE "/tmp/rsa/user1.pse" was written

ABAP程序,

REPORT Z_RSA_CCL.

DATA: lf_output        TYPE xstring.
DATA: lf_plain_input_x TYPE xstring.
DATA: lf_plain_input   TYPE string.
DATA: msg_file_name    TYPE STRING.

DATA: T1 TYPE I, T2 TYPE I, T3 TYPE I.


lf_plain_input = 'Thirty-two bytes secret message.'.
CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
  EXPORTING
      text = lf_plain_input
  IMPORTING
    buffer = lf_plain_input_x.

DATA: it_recipient_list   TYPE STANDARD TABLE OF ssfinfo,
      wa_recipient_list   LIKE LINE OF it_recipient_list.
wa_recipient_list-id = 'CN=user1'.
APPEND wa_recipient_list TO it_recipient_list.

GET RUN TIME FIELD T1.
CALL FUNCTION 'SSFW_KRN_ENVELOPE'
  EXPORTING
    STR_FORMAT       = 'PKCS1-V1.5'
    STR_PAB          = '/tmp/rsa/user1.pse'
    ostr_input_data  = lf_plain_input_x
  IMPORTING
     OSTR_ENVELOPED_DATA = lf_output
  TABLES
      RECIPIENT_LIST = it_recipient_list
  EXCEPTIONS
      OTHERS = 1.
GET RUN TIME FIELD T2.
T3 = T2 - T1.
write: / 'Encryption time:', T3.

msg_file_name = '/tmp/rsa/ccl_encrypted_msg'.
OPEN DATASET msg_file_name FOR OUTPUT IN BINARY MODE.
TRANSFER lf_output TO msg_file_name.
CLOSE DATASET msg_file_name.

write: / 'RSA CCL encrypted message:'.
PERFORM SHOW_DATA USING lf_output.
skip.

DATA: lf_signer          TYPE ssfinfo.
DATA: lt_signer TYPE STANDARD TABLE OF ssfinfo." WITH HEADER LINE.
lf_signer-id = 'CN=user1'.
lf_signer-profile = '/tmp/rsa/user1.pse'.
APPEND lf_signer TO lt_signer.

GET RUN TIME FIELD T1.
CALL FUNCTION 'SSFW_KRN_SIGN'
  EXPORTING
    str_format       = 'PKCS1-V1.5'
    str_chainfmt     = 'X509v3'
    STR_HASHALG      = 'SHA256'
    ostr_input_data  = lf_plain_input_x
  IMPORTING
    ostr_signed_data = lf_output
  TABLES
    signer           = lt_signer
  EXCEPTIONS
    OTHERS =              1.
GET RUN TIME FIELD T2.
T3 = T2 - T1.
write: / 'Signing time:', T3.


msg_file_name = '/tmp/rsa/ccl_signed_msg'.
OPEN DATASET msg_file_name FOR OUTPUT IN BINARY MODE.
TRANSFER lf_output TO msg_file_name.
CLOSE DATASET msg_file_name.

write: / 'RSA CCL signed message:'.
PERFORM SHOW_DATA USING lf_output.


FORM SHOW_DATA USING  data_x TYPE xstring.
  DATA: data_len TYPE I
      , i1       TYPE I value 0
      , i2       TYPE I value 32.
  data_len = xstrlen( data_x ).
  WHILE ( i1 < data_len ).
    i2 = nmin( val1 = i2
               val2 = data_len ).
    WRITE: / data_x+i1(i2).
    i1 = i1 + 32.
  ENDWHILE.
ENDFORM.

 

运行后,

 

 

解密,

/tmp/rsa > xxd ccl_encrypted_msg
00000000: 3c5b 4c97 0c5c 0e68 1f84 7ced 4f01 e11c  <[L..\.h..|.O...
00000010: 3bce b761 a03e ad15 2f9d 5836 f187 1e44  ;..a.>../.X6...D
00000020: ca71 7cfb 84ef 0b2d 2203 fe6a 502e f065  .q|....-"..jP..e
00000030: 9790 c4cd 8164 912b 8b13 926b 4537 b953  .....d.+...kE7.S
00000040: a3d1 1f15 0919 ccf4 d3af 9e2b 6bfb 7e61  ...........+k.~a
00000050: 1f25 6d70 c9d5 c48e b38b aa6c 5300 d22b  .%mp.......lS..+
00000060: aaac e4b5 6dc5 cb66 39a2 86e2 a41d 96ab  ....m..f9.......
00000070: 6901 ade9 8a17 74df 8237 a963 73a4 4da9  i.....t..7.cs.M.
00000080: bf13 7be2 704a fc8c 8889 1fad 279e 6397  ..{.pJ......'.c.
00000090: 2d13 d0d1 22a2 c0de 8c72 b12f bd90 31ec  -..."....r./..1.
000000a0: ef98 0a7f f971 5f71 4a9f 4060 0715 4c40  .....q_qJ.@`..L@
000000b0: 1397 09c8 333b df8a 3243 2db3 c276 d875  ....3;..2C-..v.u
000000c0: 6cad 5dcb af41 f00c 2cad 4053 da72 158c  l.]..A..,.@S.r..
000000d0: ac67 52ad 6940 8049 4c3c 727a a19e a513  .gR.i@.IL<rz....
000000e0: 716d a4eb 0826 07c4 1624 307f 68d6 3014  qm...&...$0.h.0.
000000f0: 43ec 2cb8 ea44 2868 1a24 e1aa 594b e646  C.,..D(h.$..YK.F

/tmp/rsa > openssl rsautl -decrypt -in ccl_encrypted_msg -inkey rsa.key | xxd
00000000: 5468 6972 7479 2d74 776f 2062 7974 6573  Thirty-two bytes
00000010: 2073 6563 7265 7420 6d65 7373 6167 652e   secret message.

/tmp/rsa > openssl rsautl -decrypt -in ccl_encrypted_msg -inkey rsa.key -raw | xxd
00000000: 0002 da46 9aee 3bb8 53e7 9ecf 99a0 0a60  ...F..;.S......`
00000010: e8cc 89e5 56ad 4c10 d2a5 6a62 6612 068e  ....V.L...jbf...
00000020: 9f7a e956 4325 0b32 7e75 457a ac75 639c  .z.VC%.2~uEz.uc.
00000030: 64a5 17b7 5c1c 721a d2d3 1a2b 1770 0a73  d...\.r....+.p.s
00000040: ccec 5802 66b7 d2e3 2f96 11bd 6708 2d3d  ..X.f.../...g.-=
00000050: 298c 76ce 02f9 7b84 4a36 911b 81ad d047  ).v...{.J6.....G
00000060: 5452 6e64 2d0d f55a c048 9f13 2aef ff70  TRnd-..Z.H..*..p
00000070: ff2d 7c5d 0162 a8d0 82d2 5c64 bf3c e380  .-|].b....\d.<..
00000080: b93d 4d98 a1b6 164c 8ded 016d ad94 9fd2  .=M....L...m....
00000090: 7632 e64c 080f 7728 5817 0f50 1d9c cfd3  v2.L..w(X..P....
000000a0: f67e 5ccb eafb 9cc9 9916 4bd4 c64e 1494  .~\.......K..N..
000000b0: f47f e38e 33f4 2121 91df d9f9 7233 f182  ....3.!!....r3..
000000c0: 2008 bb21 654d 0fd3 482d da42 8cfb b4c1   ..!eM..H-.B....
000000d0: a267 78ae e55e cde5 1f8d e3e6 d5df 1000  .gx..^..........
000000e0: 5468 6972 7479 2d74 776f 2062 7974 6573  Thirty-two bytes
000000f0: 2073 6563 7265 7420 6d65 7373 6167 652e   secret message.
Decrypt

验证,

/tmp/rsa > xxd ccl_signed_msg
00000000: 9e8f 2678 2ed6 3d6d ae74 16f6 4101 75ed  ..&x..=m.t..A.u.
00000010: 3fd0 d962 7f2b 7d46 f3b7 8097 7411 37f3  ?..b.+}F....t.7.
00000020: 89c6 e3fc 81b7 93a6 7814 020b 9b3a 8ebd  ........x....:..
00000030: 9e9f 3549 e521 a7ff 27ef aef5 10f5 dada  ..5I.!..'.......
00000040: e2cb f6b9 8cf4 c663 43f2 98d7 2127 040d  .......cC...!'..
00000050: 6b4e 7c23 bad7 db40 7442 9c4d d6b4 b0f9  kN|#...@tB.M....
00000060: 2e35 5500 1499 c938 536f 6763 99b5 895b  .5U....8Sogc...[
00000070: 2b57 5b81 f757 ffee f7fa dc8c b447 afd8  +W[..W.......G..
00000080: 1630 ac6f 5621 8fc1 c3ab ed7f 1893 3b91  .0.oV!........;.
00000090: 9575 055c 7a9e 6a76 b5ce 000e 5ab2 3eae  .u.\z.jv....Z.>.
000000a0: 5574 2a8e f0fa 3f2e 9897 2c95 4e64 16bc  Ut*...?...,.Nd..
000000b0: 0040 00fd 3202 d458 8c1f 45da 7f1c f238  .@..2..X..E....8
000000c0: 8e68 0dc1 b692 d1bb 48c2 2f0d a429 eaa8  .h......H./..)..
000000d0: b962 05ba 0a7b b246 7719 1406 5649 0681  .b...{.Fw...VI..
000000e0: fae5 dadd 7946 1775 5e2d eff7 2d95 993a  ....yF.u^-..-..:
000000f0: 9a6f 4e7b 0770 b887 b34f 271a 43af 8e68  .oN{.p...O'.C..h

/tmp/rsa > openssl rsautl -verify -in ccl_signed_msg -inkey rsa.key | xxd
00000000: 3031 300d 0609 6086 4801 6503 0402 0105  010...`.H.e.....
00000010: 0004 20c0 4726 d78a 7628 27e3 dffe 9f42  .. .G&..v('....B
00000020: c2fe e624 7a2e 59f7 a0c9 85ef 7728 a5d4  ...$z.Y.....w(..
00000030: a106 8f                                  ...

/tmp/rsa > openssl rsautl -verify -in ccl_signed_msg -inkey rsa.key -raw | xxd
00000000: 0001 ffff ffff ffff ffff ffff ffff ffff  ................
00000010: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000c0: ffff ffff ffff ffff ffff ffff 0030 3130  .............010
000000d0: 0d06 0960 8648 0165 0304 0201 0500 0420  ...`.H.e.......
000000e0: c047 26d7 8a76 2827 e3df fe9f 42c2 fee6  .G&..v('....B...
000000f0: 247a 2e59 f7a0 c985 ef77 28a5 d4a1 068f  $z.Y.....w(.....

/tmp/rsa > echo -n 'Thirty-two bytes secret message.' | sha256sum
c04726d78a762827e3dffe9f42c2fee6247a2e59f7a0c985ef7728a5d4a1068f  -
Verify

 

这里我们看到消息的SHA散列值被签名了。

总结

在这里我们学习了如何在ABAP中使用2种不同的方法对短信息进行RSA加密/签名。

    1,纯粹的ABAP实现。它在性能(和安全性)上远远比不上CommonCryptoLib。它的意义在于,让我们更好地了解什么是RSA加密。
    2,CommonCryptoLib。这里的例子是一个基本的例子。还有很多东西可以做。可能会在下一篇博客中介绍。

 

posted @ 2021-06-30 06:13  氢氦  阅读(2831)  评论(0编辑  收藏  举报