On 4/13/17, 5:18 PM, "Richard Levitte" <levi...@openssl.org> wrote:

    uri> . . . . .
    uri> libp11 does not know how to deal with OAEP padding, so it returns an error.
    uri> 
    uri> Desired solution: in case of “-oaep” pass “RSA_NO_PADDING” to the engine (aka to libp11), and strip the padding using OpenSSL mechanisms.
    uri> 
    uri> I’d like to see that fixed in both 1.1 and 1.0.2 branches.
    
    Wouldn't it be muuuuuch easier to add the following lines [to libp11/src/p11_rsa.c]:
    
        case RSA_PKCS1_OAEP_PADDING:
                mechanism->mechanism = CKM_RSA_PKCS_OAEP;
                break;
    

I’m afraid not – because currently OpenSSL does have full support for OAEP, and 
OpenSC has none. This is what causes the problem: OpenSSL expects the engine 
(libp11 and OpenSC) to handle OAEP, which they cannot do.

    What you propose for OpenSSL is quite a lot harder to implement well,

I agree that it’s harder to implement *well*, but it is a lot simpler and 
shorter to implement in rsautl.c (a few lines of code), as compared to adding 
the whole support for OAEP to OpenSC (which – I agree – would be great to have, 
but let’s be realistic: it’s not there now).

    and one might also wonder why the OAEP padding should have that
    special treatment and no other?

I’d say the same treatment is applicable to any padding that is supported by 
OpenSSL but not by (the majority of) PKCS#11 devices (and OpenSC). 

What OpenSSL does programmatically with this is (IMHO) perfect. This code works 
correctly with the token that only does raw RSA (the original had a lot more 
error-checking stuff):

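        /* Load the token-resident private key through the engine. */
        privkey = ENGINE_load_private_key(e, KeyManPrivKey, NULL, &cb_data);

        /* The context takes its own reference to the key. */
        ctx = EVP_PKEY_CTX_new(privkey, NULL);
        EVP_PKEY_free(privkey);

        rv = EVP_PKEY_decrypt_init(ctx);
        if (rv <= 0) goto end;
        rv = EVP_PKEY_CTX_set_rsa_padding(ctx, PADDING);
        if (rv <= 0) goto end;

        /* A first call with a NULL buffer returns the maximum output size. */
        *olen = 0;
        rv = EVP_PKEY_decrypt(ctx, NULL, olen, in, inlen);
        if (rv <= 0) goto end;

        *out = OPENSSL_malloc(*olen);
        rv = EVP_PKEY_decrypt(ctx, *out, olen, in, inlen);
    end:
        EVP_PKEY_CTX_free(ctx);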

Perhaps rsautl.c could do the same? Instead of what it’s doing now (aka calling 
RSA_private_decrypt())?


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev