CMS decryption of message with OAEP using Hardware security module

RudyAC rpo at
Mon Feb 17 13:52:15 UTC 2020


I have the requirement to decrypt e-mails where RSA-OAEP padding is used. I
use the library openssl-1.0.2k and decrypt with CMS container (CMS_decrypt).
This works very well unless the private key is stored in a Hardware security
module and the cryptographic operation is performed via the PKCS11 engine
from openssl.

When decrypting an email which uses OAEP I got the error message:
47235129370352:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:

To analyze the problem I encrypted an clear text using OAEP padding and
setup a decryption function using 
RSA_private_decrypt(). Here I use padding mode "RSA_NO_PADDING" and the
decryption also works with the PKCS11 engine. Unfortunately CMS does not
support setting the padding mode.

For any comments I would be very grateful 

Regards Rudy 

Sent from:

More information about the openssl-users mailing list