[openssl-users] rsaOAEP OID in X509 certificate
Ken Goldman
kgoldman at us.ibm.com
Thu Aug 9 16:52:12 UTC 2018
On 8/9/2018 10:51 AM, Stephane van Hardeveld wrote:
>
> I will discuss this, but as far as I understand, these OID are allowed by
> the X 509 standard:
> 4.1.2.7. Subject Public Key Info
>
> [snip]
>
> And in rfc4055, 4.1
>
> Openssl is capable of parsing it, only retrieving it gives an error on
> unknown algorithm (which is correct, since only rsaEncryption OID is
> recognized). Java I did not try yet, but the online ASN.1 parsers were also
> capable of decoding it, see enclosed png.

I understand that the X509 standard permits it.

However, I'm looking at the practical side - crypto libraries.

If openssl, Java, etc. can't use the results, and a typical CA can't
create the certificate, then you require custom code.

The drawback is that custom code, especially DER parsing code, is a
security risk. It's hard to get correct when facing an attacker sending
malformed certificates.

You have to decide whether the benefit to this "meets the X509 standard
but isn't supported" OID is worth the potential for an exploitable bug.
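
Added example (not part of the original message, and not OpenSSL code): a sketch of what the "custom DER parsing code" discussed above has to check just to read the algorithm OID out of a SubjectPublicKeyInfo. The function names and the two sample byte strings are constructed for illustration; the key bits are dummies and the parser deliberately stops at the OID.

```python
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.113549.1.1.7": "id-RSAES-OAEP"}  # RFC 4055 section 4.1

class DerError(ValueError):
    pass

def read_tlv(buf, pos, end, tag):
    """Bounds of one definite-length DER element lying wholly inside buf[pos:end]."""
    if end - pos < 2 or buf[pos] != tag:
        raise DerError("truncated header or unexpected tag")
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F                    # long form: n length bytes follow
        if n == 0 or n > 4 or end - pos < n:
            raise DerError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerError("non-minimal length")   # BER, not DER
        pos += n
    if length > end - pos:
        raise DerError("length overruns enclosing element")
    return pos, pos + length

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise DerError("empty or truncated OID")
    arcs, value, at_start = [], 0, True
    for b in body:
        if at_start and b == 0x80:
            raise DerError("non-minimal OID arc")
        value, at_start = (value << 7) | (b & 0x7F), False
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value, at_start = 0, True
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_algorithm(spki):
    """Name of the key algorithm in a DER SubjectPublicKeyInfo, or 'malformed'."""
    try:
        s, e = read_tlv(spki, 0, len(spki), 0x30)   # SubjectPublicKeyInfo
        if e != len(spki):
            raise DerError("trailing bytes")
        a_s, a_e = read_tlv(spki, s, e, 0x30)       # AlgorithmIdentifier
        o_s, o_e = read_tlv(spki, a_s, a_e, 0x06)   # algorithm OID
        return OIDS.get(decode_oid(spki[o_s:o_e]), "unrecognized")
    except DerError:
        return "malformed"

# Constructed samples (dummy key bits): NULL parameters vs. empty OAEP parameters.
RSA = bytes.fromhex("3014300d06092a864886f70d0101010500030300aabb")
OAEP = bytes.fromhex("3014300d06092a864886f70d0101073000030300aabb")
```

Every rejection branch here corresponds to an input an attacker can choose, and the RSAES-OAEP parameters and the key itself are still unparsed at this point.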