[openssl-users] rsaOAEP OID in X509 certificate

Stephane van Hardeveld stephane at codingwizard.nl
Thu Aug 9 20:15:51 UTC 2018

> Keys in X.509 certiificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement).  But I guess you could mint an encryption-
> only
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.

That is exactly the use case ;-)

  I don't know whether marking the key as an RSA-OAEP key
> would then have the effect of restricting its usage by various libraries
> to OAEP.  In the case of OpenSSL such an SPKI would simply not work at
> all. :-(  If someone contributed a quality implementation of this key
> type, it would probably be a good candidate for inclusion in libcrypto.
> More typically (e.g. IN CMS), the fact that OAEP was used to encrypt
> the message is part of the message metadata, and so decryption will
> automatically use OAEP when it is was explicitly selected at the time
> the message was created.  Thus OAEP is baked into the message, rather
> than the certificate.

That is a perfect reason to use rsaEncryption as PKI OID then.

> OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
> can create RSA encrypted objects, but does not presently support
> X.509 certificates with RFC4055/RFC5756 OAEP SPKI.

Thanks for clearing that up. Ken Goldman mentioned it as well.
Only broader used implementation until now (besides some proprietary
implementations) I have seen supporting this kind of certificates is
wincrypt. But not without flaws, especially in the masking function.


More information about the openssl-users mailing list