crypto/rsa: allow hash.Hash for OAEP and MGF1 to be specified independently for encryption

[mmauv]

Proposal Details

It is currently impossible to independently choose the hash functions used by rsa.EncryptOAEP for OAEP and MGF1. The issue was already raised in #19974; however, it has only been fixed in the decryption functions.

This functionality is needed to wrap keys for the Android Keystore secure import. The Android developer documentation specifies that encryptedTransportKey is a 256-bit AES key, [...] encrypted in RSA-OAEP mode (SHA-256 digest, SHA-1 MGF1 digest) (https://developer.android.com/reference/android/security/keystore/WrappedKeyEntry). This specification requires being able to encrypt using RSA-OAEP with different algorithms for OAEP and MGF1.

[gopherbot]

Change https://go.dev/cl/564755 mentions this issue: crypto/rsa: allow hash.Hash for OAEP and MGF1 to be specified independently for encryption

[mauri870]

cc @FiloSottile @rolandshoemaker

[feyounger]

The current go has not been modified yet. You can copy the required functions from the crypto/rsa package and adjust them rsa-ecb.

[mmauv]

The current go has not been modified yet. You can copy the required functions from the crypto/rsa package and adjust them rsa-ecb.

Thanks, that's the only solution I found while waiting for the change...

[rsc]

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

[rolandshoemaker]

It seems like what we probably want to do here is to add a PublicKey.Encrypt method that can then mirror the PrivateKey.Decrypt method, which can then take the pre-existing OAEPOptions struct.

Concretely the API change would be:

func (*PublicKey) Encrypt(rand io.Reader, plaintext []byte, opts crypto.EncrypterOpts) (ciphertext []byte, err error)

This would also require that we define crypto.EncrypterOpts in crypto as any. Possibly we may also want to define a crypto.Encrypter interface, to match crypto.Decrypter?

[rsc]

/cc @FiloSottile

[aclements]

It sounds like there's some need for this, albeit niche. There's still a question of whether we want to do this or not. We should check if Android actually cares about the MGF1 hash.

What would the documentation be for (*PublicKey).Encrypt? How would the documentation for the top-level EncryptOAEP function change?