Skip to content

crypto/rsa: extend EncryptOAEP to accept a different maskgen hashing as parameter #34233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ribeiroit opened this issue Sep 11, 2019 · 5 comments
Closed

crypto/rsa: extend EncryptOAEP to accept a different maskgen hashing as parameter #34233

ribeiroit opened this issue Sep 11, 2019 · 5 comments
Labels
FrozenDueToAge

Comments

@ribeiroit
Copy link

ribeiroit commented Sep 11, 2019
edited
Loading

What version of Go are you using (go version)?

$ go version
go1.12.4 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"

What did you do?

Tried to use the rsa.EncryptOAEP function to generate a ciphertext to be opened by an Android Keystore.

What did you expect to see?

https://play.golang.org/p/Ms7ocbI-IE1

What did you see instead?

https://play.golang.org/p/BSnw2Q7ngNO
@mdempsky mdempsky changed the title Extend RSA-OEAP encrypt function to accept a different maskgen hashing as parameter crypto/rsa: extend EncryptOAEP to accept a different maskgen hashing as parameter Sep 11, 2019
@mdempsky
Copy link
Contributor

Awesome:

For Android Keystore, SHA-1 is used for the MGF1 digest, whereas for other Android cryptographic providers, the two digests are the same.

--https://developer.android.com/guide/topics/security/cryptography#oaep-mgf1-digest [emphasis added]

It seems like the easy solution here is to add a MGF1Hash hash.Hash field to OAEPOptions, and then fall back to EncryptOAEP's hash parameter when it's nil.

/cc @agl @FiloSottile

@mdempsky
Copy link
Contributor

RFC 2437 theoretically allows maskGenFunc to not even be MGF1-based. So an alternative option here would be to add a Mask func(out, seed []byte) field to OAEPOptions.

This would probably merit exposing mgf1XOR.

@ribeiroit
Copy link
Author

Alright!

I'd like to suggest this hypotesis as a valid implementation, but I've read that OAEPOptions was just related to decrypt function.

So I changed my mind and I decided to add an optional parameter at the end of the function EncryptOEAP to be not confused.

As I'm new here, my question is that should I submit a PR with the resolution, or assume that you gonna fix that.

Thanks for the answer.

@mdempsky
Copy link
Contributor

I'd like to suggest this hypotesis as a valid implementation, but I've read that OAEPOptions was just related to decrypt function.

Yes, you're right. Sorry, I didn't look closely enough at the API to see how OAEPOptions is actually used.

I think OAEPOptions will probably need to be extended, but then EncryptOAEP and DecryptOAEP also need variants that take the additional MGF parameter (either simply the underlying hash to use with MGF1, or a substitute for MGF1 entirely).

For backwards compatibility though, we can't add parameters to existing functions.

@FiloSottile
Copy link
Contributor

Duplicate of #19974

@FiloSottile FiloSottile marked this as a duplicate of #19974 Sep 11, 2019
@golang golang locked and limited conversation to collaborators Sep 10, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mdempsky @FiloSottile @ribeiroit @gopherbot