Open daverodgman opened 10 months ago
We still require PKCS #1.5 for supporting OPCUA https://reference.opcfoundation.org/Core/Part7/v104/docs/6.6.165.
The title is indeed a bit ambiguous, but I believe we are considering removing RSAES-PKCS1-v1_5 (RSA encryption v1.5).
Looking at the OPCUA table, it requires RSAES-OAEP (RSA encryption v2.1) and RSASSA-PKCS1-v1_5 (RSA signature 1.5), both of which we intend to keep.
@mschulz-at-hilscher can you confirm that you don't need RSAES-PKCS1-v1_5?
@mschulz-at-hilscher can you confirm that you don't need RSAES-PKCS1-v1_5?
correct, we do not need RSAES-PKCS1-v1_5
Architectural decision: given that we are removing TLS key exchanges that use RSAES-PKCS1-v1_5, we don't have another reason to keep RSAES-PKCS1-v1_5 around. So we are removing PSA_ALG_RSA_PKCS1V15_CRYPT
and the underlying code in the RSA module (PKCS#1v1.5 encryption). (To be clear, we're keeping PKCS#1v1.5 signature, PSS, and OAEP.)
Prerequisite: https://github.com/Mbed-TLS/mbedtls/issues/8170