How to Encrypt and Decrypt the Data Using PKCS1 Padding in Mule 4 using Asymmetric key

Sudheerkumar
Another Integration Blog


What is PKCS #1?

PKCS stands for Public-Key Cryptography Standards. PKCS #1 is the first standard in that family. It provides the basic definitions of, and recommendations for implementing, the RSA algorithm for public-key cryptography. PKCS #1 does not operate on files; it operates on the data itself.

How Does PKCS Padding Work?

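Padding bytes are always added to the clear text before it is encrypted. Each padding byte has a value equal to the total number of padding bytes that are added. For example, if 6 padding bytes must be added, each of those bytes will have the value 0x06. The total number of padding bytes is at least one and is the number that is required in order to bring the data length up to a multiple of the cipher algorithm block size. Note that this byte-count scheme is the PKCS #5/#7 padding used with block ciphers; the “RSA/ECB/PKCS1Padding” cipher used later in this post applies the PKCS #1 v1.5 encryption padding, which places a 0x00 0x02 header and random non-zero bytes in front of the message.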

Please see this link for more information on the PKCS padding method.
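The two layouts side by side, as an added example that is not part of the original post: the program pads a message with the byte-count scheme, then encrypts the same message with “RSA/ECB/PKCS1Padding” and uses a raw (NoPadding) decryption to show the block RSA actually processed. The class name, the sample message and the throwaway 2048-bit key pair are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;

public class PaddingLayouts {

    // Byte-count padding (PKCS #5/#7): n bytes are appended, each with value n.
    static byte[] pkcs7Pad(byte[] data, int blockSize) {
        int n = blockSize - (data.length % blockSize); // always 1..blockSize, never 0
        byte[] out = Arrays.copyOf(data, data.length + n);
        Arrays.fill(out, data.length, out.length, (byte) n);
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed 10-byte sample message.
        byte[] msg = "0123456789".getBytes(StandardCharsets.US_ASCII);

        // With a 16-byte block, 6 padding bytes of value 0x06 are appended.
        System.out.println("byte-count padding : " + hex(pkcs7Pad(msg, 16)));

        // Constructed throwaway key pair; the Mule flow reads its key from the JKS file.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] ciphertext = enc.doFinal(msg);

        // Raw RSA decryption skips unpadding, so the padded block itself is returned.
        Cipher raw = Cipher.getInstance("RSA/ECB/NoPadding");
        raw.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        byte[] block = raw.doFinal(ciphertext);

        // PKCS #1 v1.5 encryption block: 00 02 | random non-zero bytes | 00 | message
        System.out.println("block length       : " + block.length);
        System.out.println("first two bytes    : " + hex(Arrays.copyOf(block, 2)));
        System.out.println("separator + message: "
                + hex(Arrays.copyOfRange(block, block.length - msg.length - 1, block.length)));
    }
}
```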

Prerequisites

  • Download the Crypto Module from the Exchange
  • Generate a JKS file using KeyStore Explorer

Installation:

Step-1:

To use the Crypto Module, first download the module from the Exchange. Click on Search in Exchange -> Search for Cryptography Module -> Select Add >. Then click Finish.

The Crypto module now appears in the Mule palette.

Step-2:

Download KeyStore Explorer from the browser. Now, we generate the JKS file.

Create a new KeyStore with the type JKS.

Generate a key pair and select the algorithm.

Generate key pair certificate.

Enter the key pair alias name.

Enter the key pair password.

Key pair generated successfully.

Demo:

Encrypt the Data Using PKCS1 Padding in the JCE Cryptography Module

Step-1:

Configure the “Jce encrypt” component first to encrypt the data using PKCS1 padding.

Follow the steps below to configure the KeyStore as global.

Step-2:

Refer to the KeyStore configuration using Keyid in the JCE component, as highlighted below.

Step-3:

Now, enter “RSA/ECB/PKCS1Padding” as the cipher in the algorithm section to encrypt the payload using PKCS #1.

Note: if we enter the cipher, we should not also choose an algorithm from the selection list. Only one of the two should be set.

Step-4:

The figure below represents the flow to encrypt the payload using PKCS1 in the JCE encrypt component.

Step-5:

The figure below shows what you will see if the application is successfully deployed.

Step-6:

Below are the steps to test the flow.

Input:

Payload before encryption.

Output:

Payload after encryption.

Now, convert the octet-stream encrypted data to Base64.

Decrypt the Data Using PKCS1 Padding in the JCE Cryptography Module

Step-1:

Configure the “Jce decrypt” component first to decrypt the data using PKCS1 padding.

Follow the steps below to configure the KeyStore as global.

Step-2:

Refer to the KeyStore configuration using Keyid in the JCE component, as highlighted below.

Step-3:

Now, enter “RSA/ECB/PKCS1Padding” as the cipher in the algorithm section to decrypt the payload using PKCS #1.

Note: if we enter the cipher, we should not also choose an algorithm from the selection list. Only one of the two should be set.

Step-4:

The figure below represents the flow to encrypt and decrypt the payload using PKCS1.

<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:ftp="http://www.mulesoft.org/schema/mule/ftp"
      xmlns:file="http://www.mulesoft.org/schema/mule/file"
      xmlns:ee="http://www.mulesoft.org/schema/mule/ee/core"
      xmlns:secure-properties="http://www.mulesoft.org/schema/mule/secure-properties"
      xmlns:crypto="http://www.mulesoft.org/schema/mule/crypto"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/crypto http://www.mulesoft.org/schema/mule/crypto/current/mule-crypto.xsd
http://www.mulesoft.org/schema/mule/secure-properties http://www.mulesoft.org/schema/mule/secure-properties/current/mule-secure-properties.xsd
http://www.mulesoft.org/schema/mule/ee/core http://www.mulesoft.org/schema/mule/ee/core/current/mule-ee.xsd
http://www.mulesoft.org/schema/mule/file http://www.mulesoft.org/schema/mule/file/current/mule-file.xsd
http://www.mulesoft.org/schema/mule/ftp http://www.mulesoft.org/schema/mule/ftp/current/mule-ftp.xsd">

    <http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config" doc:id="1c49b52e-5464-4430-af9d-554bbf1d3c66" >
        <http:listener-connection host="0.0.0.0" port="8081" />
    </http:listener-config>

    <!-- Global JCE configuration: the keystore password comes from secure properties.
         A forward slash keeps the keystore path portable across operating systems. -->
    <crypto:jce-config name="Crypto_Jce" doc:name="Crypto Jce" doc:id="d04dc163-cf01-42c4-9756-52d659dd48b0" keystore="certificates/pkcs1.jks" password="${secure::certificate.pwd}" >
        <crypto:jce-key-infos >
            <!-- The key password is inline here for the demo; it can be externalised to
                 secure properties in the same way as the keystore password. -->
            <crypto:jce-asymmetric-key-info keyId="pkcs1" alias="pkcs1" password="pkcs1" />
        </crypto:jce-key-infos>
    </crypto:jce-config>

    <secure-properties:config name="Secure_Properties_Config" doc:name="Secure Properties Config" doc:id="9f644392-f932-4664-bc7b-5b13df77b8c2" file="Cert_Password.properties" key="${certificate.pwd}" >
        <secure-properties:encrypt algorithm="Blowfish" />
    </secure-properties:config>
    <configuration-properties doc:name="Configuration properties" doc:id="014651c3-e13f-4403-9c9c-a8f18d8b136d" file="Cert_Password.properties" />
    <file:config name="File_Config" doc:name="File Config" doc:id="7b770cd2-2669-4c7e-8d1b-d0c960988d53" >
        <file:connection workingDir="D:\SABBMT940" />
    </file:config>

    <flow name="pkcs1paddingFlow" doc:id="9609b1a6-caf1-4e8d-80cd-2893854e57a1" >
        <http:listener doc:name="Listener" doc:id="a79621f9-9e13-433f-8f7f-06d6bd2bbf25" config-ref="HTTP_Listener_config" path="pkcs1"/>
        <logger level="INFO" doc:name="Payload Before Encryption" doc:id="181aa852-140b-48b5-9262-6f30262b403d" message="#[Before_Encryption: payload]"/>
        <!-- Encrypt the payload with the key identified by keyId -->
        <crypto:jce-encrypt doc:name="Encryption Using PKCS1 Algorithm" doc:id="51e1dae9-b49a-4387-be1f-dc4ead0c716b" config-ref="Crypto_Jce" cipher='#["RSA/ECB/PKCS1Padding"]' keyId="pkcs1"/>
        <logger level="INFO" doc:name="Payload After Encryption" doc:id="a02e3019-2aea-4b0f-a379-36cab33f4b84" message="#[After_Encryption:payload]"/>
        <!-- Encode the binary ciphertext as Base64 text -->
        <ee:transform doc:name="Transform Message" doc:id="e03b8235-127a-44c0-93f4-6783815053fd" >
            <ee:message >
                <ee:set-payload ><![CDATA[%dw 2.0
import * from dw::core::Binaries
output text/plain
---
toBase64(payload as Binary)]]></ee:set-payload>
            </ee:message>
        </ee:transform>
        <!-- Decode the Base64 text back to the binary ciphertext -->
        <ee:transform doc:name="Transform Message" doc:id="26ea7eff-6073-4494-8be6-5795a84eb7d0" >
            <ee:message >
                <ee:set-payload ><![CDATA[%dw 2.0
import * from dw::core::Binaries
output application/octet-stream
---
fromBase64(payload as String) as Binary]]></ee:set-payload>
            </ee:message>
        </ee:transform>
        <!-- Decrypt with the same keyId and cipher that were used for encryption -->
        <crypto:jce-decrypt doc:name="Decryption Using PKCS1 Algorithm" doc:id="da955d04-b8e1-4799-b553-5a185f46cf89" config-ref="Crypto_Jce" cipher='#["RSA/ECB/PKCS1Padding"]' keyId="pkcs1"/>

    </flow>
</mule>

Step-5:

The figure below shows what you will see if the application is successfully deployed.

Step-6:

Below are the steps to test the flow.

Input:

Payload before encryption.

Payload after encryption.

Now, convert the octet-stream encrypted data to Base64.

Output:

We should pass the same key ID along with the certificate and the same cipher for the decryption as well.

Now, convert the Base64-encoded octet-stream encrypted data to decrypted data.

Payload after Decryption.
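The same encrypt, Base64-encode, Base64-decode, decrypt sequence as the flow, run directly against JCE with the cipher string from the configuration. This is an added example, not code from the original post or from the Mule module; it also shows two properties the steps above do not: the ciphertext changes on every run, and one RSA operation accepts only a limited payload size. The class name, helper method, sample payload and throwaway key pair are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;

public class Pkcs1RoundTrip {
    // Same transformation string as the cipher attribute in the flow.
    static final String CIPHER = "RSA/ECB/PKCS1Padding";

    // Hypothetical helper: one RSA operation in the given mode.
    static byte[] rsa(int mode, Key key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(mode, key);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key pair standing in for the "pkcs1" entry of the JKS file.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] payload = "{\"message\":\"hello\"}".getBytes(StandardCharsets.UTF_8); // constructed

        // jce-encrypt followed by toBase64(payload as Binary)
        String b64 = Base64.getEncoder().encodeToString(rsa(Cipher.ENCRYPT_MODE, kp.getPublic(), payload));
        // fromBase64(payload as String) followed by jce-decrypt
        byte[] clear = rsa(Cipher.DECRYPT_MODE, kp.getPrivate(), Base64.getDecoder().decode(b64));
        System.out.println("round trip ok      : " + Arrays.equals(payload, clear));

        // The padding bytes are random, so the same payload yields a different ciphertext each time.
        String again = Base64.getEncoder().encodeToString(rsa(Cipher.ENCRYPT_MODE, kp.getPublic(), payload));
        System.out.println("ciphertexts differ : " + !b64.equals(again));

        // PKCS #1 v1.5 padding needs at least 11 bytes, so the payload limit is modulus bytes - 11.
        int k = (((RSAPublicKey) kp.getPublic()).getModulus().bitLength() + 7) / 8;
        System.out.println("max payload bytes  : " + (k - 11));
        try {
            rsa(Cipher.ENCRYPT_MODE, kp.getPublic(), new byte[k - 10]); // one byte over the limit
        } catch (IllegalBlockSizeException e) {
            System.out.println("oversized payload  : rejected (" + e.getMessage() + ")");
        }
    }
}
```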

Conclusion:

In this article, we learned how to encrypt and decrypt data using PKCS1 padding in Mule 4.

We also learned how to generate the key pair (certificate) using KeyStore Explorer.

Thanks for reading my post and I hope it will be helpful.

-Sudheer Kumar N
