[openssl-users] rsaOAEP OID in X509 certificate
Stephane van Hardeveld
stephane at codingwizard.nl
Thu Aug 9 20:15:51 UTC 2018
> Keys in X.509 certiificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement). But I guess you could mint an encryption-
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.
That is exactly the use case ;-)
I don't know whether marking the key as an RSA-OAEP key
> would then have the effect of restricting its usage by various libraries
> to OAEP. In the case of OpenSSL such an SPKI would simply not work at
> all. :-( If someone contributed a quality implementation of this key
> type, it would probably be a good candidate for inclusion in libcrypto.
> More typically (e.g. IN CMS), the fact that OAEP was used to encrypt
> the message is part of the message metadata, and so decryption will
> automatically use OAEP when it is was explicitly selected at the time
> the message was created. Thus OAEP is baked into the message, rather
> than the certificate.
That is a perfect reason to use rsaEncryption as PKI OID then.
> OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
> can create RSA encrypted objects, but does not presently support
> X.509 certificates with RFC4055/RFC5756 OAEP SPKI.
Thanks for clearing that up. Ken Goldman mentioned it as well.
Only broader used implementation until now (besides some proprietary
implementations) I have seen supporting this kind of certificates is
wincrypt. But not without flaws, especially in the masking function.
More information about the openssl-users