[openssl-users] rsaOAEP OID in X509 certificate

Viktor Dukhovni openssl-users at dukhovni.org
Thu Aug 9 19:05:23 UTC 2018

> On Aug 8, 2018, at 12:01 PM, Stephane van Hardeveld <stephane at codingwizard.nl> wrote:
> By default, if I create an X 509 certificate with a public key in it, the
> object identifier is rsaEncyption (1.2.840.113549.1.1.1). Is it possible to
> specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
> I looked into the various EVP_PKEY and EVP_PKEY_CTX functions, and other
> places in code, but the only place this object ID is specified is in
> obj_dat.h, and not used anywhere else (as far as I can see...)

This request is a bit puzzling, since OAEP is a padding mode for RSA
*encryption*, not RSA signatures.  For the latter, once typically
goes with PSS if one wants a more modern signature scheme.

OpenSSL supports OAEP for RSA encryption (e.g. in CMS), but in X.509,
where the task at hand is signing...  So it is not clear that what
you're looking for makes sense.


More information about the openssl-users mailing list