[openssl-users] rsaOAEP OID in X509 certificate
kgoldman at us.ibm.com
Thu Aug 9 12:56:01 UTC 2018
On 8/9/2018 4:14 AM, Stephane van Hardeveld wrote:
> Hi Ken,
> I am trying to do two things:
> 1: Generate X.509 certificates, with RSA-PSS signing, with different Hashing
> and Masking (SHA1 and SHA256), including an RSA Public key as content. This
> RSA 'content key' should specify it will be used for RSA-OAEP decryption.
> 2: Verify X.509 certificates, produced by other tools, which have the same
Do you really have to use a non-standard OID for the public key?
If you do, you will be creating a certificate that cannot be parsed by
openssl, Java's crypto library, and perhaps others. Your users will
have to write custom code to validate the certificate and to extract the
In addition, you'll need custom CA code to create the certificates.
I worry that custom crypto code can open attack surfaces compared
to using well tested standards. Parsing DER securely is known to be