[openssl-users] rsaOAEP OID in X509 certificate

Stephane van Hardeveld stephane at codingwizard.nl
Thu Aug 9 14:51:46 UTC 2018


> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Ken Goldman
> Sent: Thursday 9 August 2018 14:56
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
> 
> On 8/9/2018 4:14 AM, Stephane van Hardeveld wrote:
> > Hi Ken,
> >
> > I am trying to do two things:
> > 1: Generate X 509 certificates, with RSA-PSS signing, with different
> > Hashing and Masking (SHA1 and SHA256), including an RSA Public key as
> > content. This RSA 'content key' should specify it will be used for
> > RSA-OAEP decryption.
> > 2: Verify X 509 certificates, produced by other tools, which have the
> > same format
> 
> Do you really have to use a non-standard OID for the public key?
> 
> If you do, you will be creating a certificate that cannot be parsed by
> openssl, Java's crypto library, and perhaps others.  Your users will
> have to write custom code to validate the certificate and to extract the
> public key.
> 
> In addition, you'll need custom CA code to create the certificates.
> 
> I worry that custom crypto code can open attack surfaces compared
> to using well tested standards.  Parsing DER securely is known to be
> hard.
> 
> 
Hi Ken,

I will discuss this, but as far as I understand, these OIDs are allowed by
the X 509 standard:
4.1.2.7.  Subject Public Key Info

   This field is used to carry the public key and identify the algorithm
   with which the key is used (e.g., RSA, DSA, or Diffie-Hellman).  The
   algorithm is identified using the AlgorithmIdentifier structure
   specified in Section 4.1.1.2.  The object identifiers for the
   supported algorithms and the methods for encoding the public key
   materials (public key and parameters) are specified in [RFC3279],
   [RFC4055], and [RFC4491].

And in rfc4055, 4.1

OpenSSL is capable of parsing it, only retrieving it gives an error on
unknown algorithm (which is correct, since only rsaEncryption OID is
recognized). Java I did not try yet, but the online ASN.1 parsers were also
capable of decoding it, see enclosed png.

Regards,
Stephane
-------------- next part --------------
A non-text attachment was scrubbed...
Name: certificate_asndecoded.png
Type: image/png
Size: 58716 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180809/0f368faa/attachment-0001.png>
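
The behaviour discussed in this message (the certificate parses, but loading the key fails for anything other than rsaEncryption) comes down to the algorithm OID inside SubjectPublicKeyInfo. The following is an added example, not code from the thread or from OpenSSL: it reads that OID with strict DER length checks. The helper names, the `consumer_accepts` model and the toy key bytes are constructed for illustration.

```python
# Added example (not OpenSSL code): strict DER read of the SPKI algorithm OID.
RSA_OIDS = {  # DER content bytes of the OIDs named in RFC 3279 / RFC 4055
    bytes.fromhex("2a864886f70d010101"): "rsaEncryption",   # 1.2.840.113549.1.1.1
    bytes.fromhex("2a864886f70d010107"): "id-RSAES-OAEP",   # 1.2.840.113549.1.1.7
    bytes.fromhex("2a864886f70d01010a"): "id-RSASSA-PSS",   # 1.2.840.113549.1.1.10
}

def read_tlv(buf, pos, want_tag):
    """Return (body, next_pos) for one TLV; reject encodings that are not DER."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected tag or truncated header")
    length, pos = buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + length], pos + length

def spki_algorithm(spki):
    """Return (algorithm name or OID hex, raw parameter bytes) of a DER SPKI."""
    outer, end = read_tlv(spki, 0, 0x30)         # SubjectPublicKeyInfo
    alg, pos = read_tlv(outer, 0, 0x30)          # AlgorithmIdentifier
    _key, key_end = read_tlv(outer, pos, 0x03)   # subjectPublicKey BIT STRING
    if end != len(spki) or key_end != len(outer):
        raise ValueError("trailing bytes")
    oid, pos = read_tlv(alg, 0, 0x06)
    return RSA_OIDS.get(bytes(oid), oid.hex()), alg[pos:]

def consumer_accepts(spki, supported=("rsaEncryption",)):
    """Model a consumer that parses any SPKI but only loads keys it recognizes."""
    return spki_algorithm(spki)[0] in supported

def tlv(tag, body):  # encoder for the constructed samples (bodies under 128 bytes)
    return bytes([tag, len(body)]) + body

# Constructed toy RSAPublicKey {n, e}; not a real key, never parsed below.
TOY_KEY = tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, b"\x00\xc5\xd3") + tlv(0x02, b"\x01\x00\x01")))
OID = lambda last: tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last]))
SPKI_RSA = tlv(0x30, tlv(0x30, OID(0x01) + b"\x05\x00") + TOY_KEY)    # NULL parameters
SPKI_OAEP = tlv(0x30, tlv(0x30, OID(0x07) + b"\x30\x00") + TOY_KEY)   # empty params SEQUENCE
if __name__ == "__main__":
    for name, spki in (("rsa", SPKI_RSA), ("oaep", SPKI_OAEP)):
        print(name, spki_algorithm(spki), "key loadable:", consumer_accepts(spki))
```

Both samples decode cleanly; only the second is refused at key-loading time, which separates "can be parsed" from "algorithm is supported".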