> Keys in X.509 certificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement). But I guess you could mint an encryption-only
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.

That is exactly the use case ;-)

> I don't know whether marking the key as an RSA-OAEP key
> would then have the effect of restricting its usage by various libraries
> to OAEP. In the case of OpenSSL such an SPKI would simply not work at
> all. :-( If someone contributed a quality implementation of this key
> type, it would probably be a good candidate for inclusion in libcrypto.
>
> More typically (e.g. in CMS), the fact that OAEP was used to encrypt
> the message is part of the message metadata, and so decryption will
> automatically use OAEP when it was explicitly selected at the time
> the message was created. Thus OAEP is baked into the message, rather
> than the certificate.

That is a perfect reason to use rsaEncryption as PKI OID then.

> OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
> can create RSA encrypted objects, but does not presently support
> X.509 certificates with RFC4055/RFC5756 OAEP SPKI.

Thanks for clearing that up. Ken Goldman mentioned it as well. The only more widely used implementation I have seen so far (besides some proprietary implementations) that supports this kind of certificate is wincrypt. But not without flaws, especially in the masking function.

Regards,
Stephane

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
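The arrangement discussed in this thread, as an added example that is not part of the original message: a key-wrapping certificate whose SPKI stays rsaEncryption, with OAEP selected per message through cms(1) `-keyopt`, so decryption needs no padding option. The file names, subject name, SHA-256 OAEP digest and test message are assumptions; it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread. All names and the message are constructed.

# Key-wrapping-only certificate: keyUsage is keyEncipherment, and the SPKI
# algorithm is plain rsaEncryption. Nothing in the certificate mentions OAEP.
make_kek_cert() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=kek.example.test" \
        -addext "keyUsage=critical,keyEncipherment" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the SPKI algorithm recorded in the certificate.
spki_alg() {
    openssl x509 -in "$1/cert.pem" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p'
}

# Encrypt to the certificate, choosing OAEP for this message only.
cms_encrypt_oaep() {
    openssl cms -encrypt -binary -aes-256-cbc -outform DER \
        -in "$1/msg.txt" -out "$1/msg.cms" -recip "$1/cert.pem" \
        -keyopt rsa_padding_mode:oaep -keyopt rsa_oaep_md:sha256
}

# Succeeds if the RecipientInfo names id-RSAES-OAEP (1.2.840.113549.1.1.7).
cms_kek_is_oaep() {
    openssl cms -cmsout -print -noout -inform DER -in "$1/msg.cms" |
        grep -qF '1.2.840.113549.1.1.7'
}

# Decrypt with no -keyopt: the padding scheme is read from the message.
cms_decrypt() {
    openssl cms -decrypt -binary -inform DER -in "$1/msg.cms" \
        -recip "$1/cert.pem" -inkey "$1/key.pem" -out "$1/out.txt"
}

run_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed test message\n' > "$d/msg.txt"
    make_kek_cert "$d" && cms_encrypt_oaep "$d" && cms_kek_is_oaep "$d" &&
        cms_decrypt "$d" && cmp -s "$d/msg.txt" "$d/out.txt" &&
        echo "SPKI=$(spki_alg "$d") KEK=RSAES-OAEP roundtrip=ok"
    rc=$?
    rm -rf "$d"
    return $rc
}

run_demo
```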