[openssl-users] rsaOAEP OID in X509 certificate

Viktor Dukhovni openssl-users at dukhovni.org
Thu Aug 9 20:01:25 UTC 2018

> On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld <stephane at codingwizard.nl> wrote:
> The certificate is signed with PSS. However, I try to indicate that the
> public key enclosed IN the certificate should be used with the OAEP padding
> mode while decrypting a separate message

Keys in X.509 certificates are mostly used for signing (e.g. TLS with
DHE or ECDHE key agreement).  But I guess you could mint an encryption-only
certificate that is not useful for signing, and use it exclusively for
key wrapping.  I don't know whether marking the key as an RSA-OAEP key
would then have the effect of restricting its usage by various libraries
to OAEP.  In the case of OpenSSL such an SPKI would simply not work at
all. :-(  If someone contributed a quality implementation of this key
type, it would probably be a good candidate for inclusion in libcrypto.

More typically (e.g. in CMS), the fact that OAEP was used to encrypt
the message is part of the message metadata, and so decryption will
automatically use OAEP when it was explicitly selected at the time
the message was created.  Thus OAEP is baked into the message, rather
than the certificate.

OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
can create RSA encrypted objects, but does not presently support
X.509 certificates with RFC4055/RFC5756 OAEP SPKI.


