[openssl-users] rsaOAEP OID in X509 certificate

Ken Goldman kgoldman at us.ibm.com
Thu Aug 9 16:52:12 UTC 2018


On 8/9/2018 10:51 AM, Stephane van Hardeveld wrote:
> 
> I will discuss this, but as far as I understand, these OIDs are allowed by
> the X.509 standard:
> 4.1.2.7.  Subject Public Key Info
> 
>  [snip]
> 
> And in rfc4055, 4.1
> 
>   OpenSSL is capable of parsing it, only retrieving it gives an error on
> unknown algorithm (which is correct, since only the rsaEncryption OID is
> recognized). Java I did not try yet, but the online ASN.1 parsers were also
> capable of decoding it, see enclosed png.

I understand that the X509 standard permits it.

However, I'm looking at the practical side - crypto libraries.

If openssl, Java, etc. can't use the results, and a typical CA can't 
create the certificate, then you require custom code.

The drawback is that custom code, especially DER parsing code, is a 
security risk.  It's hard to get correct when facing an attacker sending 
malformed certificates.

You have to decide whether the benefit to this "meets the X509 standard 
but isn't supported" OID is worth the potential for an exploitable bug.
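As an added illustration of the point made in this reply (this is example code written for this page, not code from either poster, from OpenSSL, or from any CA): the kind of "custom code" a library user ends up writing when the SubjectPublicKeyInfo carries id-RSAES-OAEP instead of rsaEncryption is a DER walker that reaches the AlgorithmIdentifier OID. The version below is deliberately strict: every length is checked against the enclosing element before a byte is read, indefinite and non-minimal lengths are refused, and anything malformed raises rather than being guessed at. The two SPKI inputs are constructed inline (the RSA modulus is a placeholder, not a real key); the function names and the `DERError` class are this example's own.

```python
# Added example, not from the openssl-users post: a strict, bounds-checked
# DER reader that extracts the AlgorithmIdentifier OID from a
# SubjectPublicKeyInfo and classifies it. Sample SPKIs are constructed below.

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption (PKCS #1)
RSAES_OAEP = "1.2.840.113549.1.1.7"      # id-RSAES-OAEP (RFC 4055, section 4.1)


class DERError(ValueError):
    """Raised for anything that is not well-formed DER (hypothetical name)."""


def read_tlv(buf, pos, end):
    """Parse one DER TLV at buf[pos], lying wholly inside buf[pos:end].
    Returns (tag, value_start, value_end). Definite, minimal lengths only."""
    if end > len(buf) or pos >= end:
        raise DERError("truncated: no room for a tag")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags are not handled")
    if pos >= end:
        raise DERError("truncated: no room for a length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise DERError("indefinite length is not DER")
    else:
        n = first & 0x7F
        if n > 4 or pos + n > end:
            raise DERError("length field too long or truncated")
        if buf[pos] == 0:
            raise DERError("non-minimal length: leading zero byte")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise DERError("non-minimal length: long form for a short value")
    if length > end - pos:
        raise DERError("value runs past the enclosing element")
    return tag, pos, pos + length


def decode_oid(raw):
    """OID content octets -> dotted string; rejects dangling or padded arcs."""
    if not raw or raw[-1] & 0x80:
        raise DERError("empty or truncated OID")
    arcs, val = [], 0
    for b in raw:
        if val == 0 and b == 0x80:
            raise DERError("non-minimal OID sub-identifier")
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def spki_algorithm_oid(spki):
    """SPKI ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, start, end = read_tlv(spki, 0, len(spki))
    if tag != 0x30 or end != len(spki):
        raise DERError("SPKI is not a single SEQUENCE")
    tag, a_start, a_end = read_tlv(spki, start, end)
    if tag != 0x30:
        raise DERError("AlgorithmIdentifier is not a SEQUENCE")
    tag, o_start, o_end = read_tlv(spki, a_start, a_end)
    if tag != 0x06:
        raise DERError("algorithm is not an OBJECT IDENTIFIER")
    return decode_oid(spki[o_start:o_end])


def classify_spki(spki):
    oid = spki_algorithm_oid(spki)
    return {RSA_ENCRYPTION: "rsaEncryption", RSAES_OAEP: "id-RSAES-OAEP"}.get(oid, "unknown")


def rejects(spki):
    """True when the strict parser refuses the input (the safe outcome)."""
    try:
        spki_algorithm_oid(spki)
        return False
    except DERError:
        return True


# --- constructed sample inputs; short-form lengths only, placeholder modulus ---
def der(tag, body):
    return bytes([tag, len(body)]) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]  # first two arcs share one octet (< 128 here)
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def build_spki(alg_oid, params):
    rsa_pub = der(0x30, der(0x02, b"\x00\xc0\xff\xee") + der(0x02, b"\x01\x00\x01"))
    alg_id = der(0x30, der(0x06, encode_oid(alg_oid)) + params)
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))


RSA_SPKI = build_spki(RSA_ENCRYPTION, der(0x05, b""))  # parameters: NULL
OAEP_SPKI = build_spki(RSAES_OAEP, der(0x30, b""))     # RSAES-OAEP-params, all defaults

if __name__ == "__main__":
    print("rsaEncryption SPKI ->", classify_spki(RSA_SPKI))
    print("id-RSAES-OAEP SPKI ->", classify_spki(OAEP_SPKI))
    print("truncated input rejected ->", rejects(OAEP_SPKI[:-3]))
```

Even this small walker needs a dozen distinct checks to be safe against a hostile certificate, and it still only answers "which OID is this"; actually using the key means writing the OAEP parameter parsing on top of it. That is the cost being weighed in the reply above.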
