Topic: wc_PrivateKeyDecrypt issue

Hello All,

I'm a new user of Wolfssl, and am achieving pretty good results using it with my embedded units.

I'm now trying to cipher & sign my files from embedded units to server.
My setup is the following (quite classic, keypairs RSA 2048bits)
* Unit has public key from server
* file is ciphered using aes key (256bit CBC)
* the aes key is ciphered with the server public key. (wc_publickeyencrypt)
* all this is put to a file (ciphered aes key, iv and binary file)

this files is sent over to server and it seems to go well.

Server side :
* I load the private key related to the server public key
*  I open the file and read my 256 byte ciphered key.
* I try to get the aes key with wc_privatekeydecrypt
--> I get an error code : -236 ? I just dont quite get what it means...

openssl seems to work fine (ciphered key is manually extracted and decrypted with RSA Private key with no issue)

Can you get me some clues about this error code?
Any working example with wc_privatekeydecrypt ?

I'm quite sure the rsa key is loaded fine, since I could do some rsa signing operation with wolf...

Thanks for your help




Re: wc_PrivateKeyDecrypt issue

Hello all,

Well, I went through the source code, and it seems that the error code I get is "missing rng" (mp_rand in wolfmath.c)
And this rng is always null for the PrivateDecrypt function.

Do you confirm this point or am I out of scope ?

I guess I will rely on Openssl for my operations...




3 (edited by Kaleb J. Himes 2018-02-13 15:58:03)

Re: wc_PrivateKeyDecrypt issue

Hi ppommarel,

Thank you for your questions and interest in wolfSSL. Sorry for the delay.

I have coded up an example here that will perform the same steps as openssl sign op (Not sure if you are doing signatures or otherwise) but this example shows the flow and how to initialize the RNG for calling wc_PrivateKeyDecode.

Let us know if you continue to have any issues and for much faster response time please shoot an email to anytime.

/* To compile:
 * gcc -Wall main.c -lwolfssl

#include <stdio.h>
#include <stdlib.h>

#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/rsa.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/rsa.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/coding.h>
#include <wolfssl/wolfcrypt/sha256.h>

static void err_sys(const char* msg, int ret)
    if (ret) {
        printf("ERROR: %s, ret = %d\n", msg, ret);
    } else {
        printf("ERROR: %s\n", msg);

int main(void)
    int  ret;
    int  derKeySz;
    byte derKey[4096];

    FILE*  file;
    RNG    rng;
    RsaKey privKey;
    word32 idx = 0;

    Sha256  sha;
    byte hash[SHA256_DIGEST_SIZE];
    byte sig[1024];

    int  inSz;
    byte in[1024];
    int encodedSz;
    byte encoded[1024];
    byte base64[1024];
    word32 base64Len = sizeof(base64);

    file = fopen("./input.txt", "rb");
    if (!file)
        err_sys("failed to open input.txt", 0);

    inSz = fread(in, 1, sizeof(in), file);

    /* init RNG */
    ret = wc_InitRng(&rng);
    if (ret != 0)
        err_sys("wc_InitRng failed", ret);

    /* import DER-encoded private key into RsaKey structure */
    file = fopen("./key.der", "rb");
    if (!file)
        err_sys("can't open key file", 0);

    derKeySz = fread(derKey, 1, sizeof(derKey), file);

    wc_InitRsaKey(&privKey, 0);
    ret = wc_RsaPrivateKeyDecode(derKey, &idx, &privKey, derKeySz);
    if (ret != 0)
        err_sys("wc_RsaPrivateKeyDecode failed", ret);

    /* hash data */
    wc_Sha256Update(&sha, in, inSz);
    wc_Sha256Final(&sha, hash);

    /* write hash to "hash-wolfssl" file */
    file = fopen("./hash-wolfssl", "wb");
    if (!file)
        err_sys("failed to open hash-wolfssl file", 0);

    ret = (int)fwrite(hash, 1, SHA256_DIGEST_SIZE, file);

    /* Encode the signature before signing */
    encodedSz = wc_EncodeSignature(encoded, hash, SHA256_DIGEST_SIZE, SHA256h);
    if (ret < 0)
        err_sys("failed to encode signature", ret);

    /* sign hash */
    ret = wc_RsaSSL_Sign(encoded, encodedSz, sig, sizeof(sig), &privKey,
    if (ret < 0)
        err_sys("wc_RsaSSL_Sign failed", ret);

     ret = Base64_Encode(sig, ret, base64, &base64Len);                  
     if (ret != 0)                                                               
         printf("ERROR %d\n", ret);

    /* write signature to "signature-wolfssl" file */
    file = fopen("./signature-wolfssl", "wb");
    if (!file)
        err_sys("failed to open signature-wolfssl file", 0);

    ret = (int)fwrite(base64, 1, base64Len, file);

    return 0;

Warm Regards,


Post's attachments 2.4 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Re: wc_PrivateKeyDecrypt issue

Hi ppommarel,

Just as a note here you had wc_PrivateKeyDecrypt so I assumed you meant wc_PrivateKeyDecode and sent you a relevant example. I did want to check though, is it possible you may have meant wc_PrivateDecrypt instead? If that is the case then you may not have called:

         ret = wc_RsaSetRNG(&key, &rng);
         if (ret < 0) {
             // ERROR OUT CASE

This could also cause that error to occur.

Warm Regards,


Re: wc_PrivateKeyDecrypt issue

Hello Kaleb,

Thanks for the reply and sorry for the delay.
In fact I did not get any info that you posted

I'll try on my code

Thanks for your time,

Best Regards,