[openssl-users] rsaOAEP OID in X509 certificate

Stephane van Hardeveld stephane at codingwizard.nl
Tue Aug 14 20:55:38 UTC 2018

> > On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld
> <stephane at codingwizard.nl> wrote:
> >
> > The certificate is signed with PSS. However, I try to indicate that the
> > public key enclosed IN the certificate should be used with the OAEP
> padding
> > mode while decrypting a separate message
> Keys in X.509 certiificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement).  But I guess you could mint an encryption-
> only
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.  I don't know whether marking the key as an RSA-OAEP key
> would then have the effect of restricting its usage by various libraries
> to OAEP.  In the case of OpenSSL such an SPKI would simply not work at
> all. :-(  If someone contributed a quality implementation of this key
> type, it would probably be a good candidate for inclusion in libcrypto.
> More typically (e.g. IN CMS), the fact that OAEP was used to encrypt
> the message is part of the message metadata, and so decryption will
> automatically use OAEP when it is was explicitly selected at the time
> the message was created.  Thus OAEP is baked into the message, rather
> than the certificate.
> OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
> can create RSA encrypted objects, but does not presently support
> X.509 certificates with RFC4055/RFC5756 OAEP SPKI.
> 	https://tools.ietf.org/html/rfc4055#section-4.1
> 	https://tools.ietf.org/html/rfc5756#section-4

If I would try this endeavour, what would be the best interface to set this?
For creation, use the EVP_PKEY type with the EVP_PKEY_CTX, and set
attributes there?
Something like:
res = X509_set_pubkey(cert, contentKey);
EVP_DigestSignInit(ctx, &pkey_ctx, EVP_sha256(), NULL, contentKey);
EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING);
EVP_PKEY_CTX_set_signature_md(pkey_ctx, EVP_sha256());


And support RSA_PKCS1_PSS_PADDING  as well, to indicate the key in the
certificate should only be used for verification purposes?

Retrieval of these keys should then automatically get the ameth struct
filled with the appropriate RSA encryption and verification functions, so
the rsa_asn1_meths should be extended with 
a set for RSA_OAEP encryption and RSA_PSS verification?

Or am I going at this completely wrong?


More information about the openssl-users mailing list