bcgit / pc-dart

Pointy Castle - Dart Derived Bouncy Castle APIs
MIT License

[proposed label: documentation] Is the implementation of the OAEPEncoding class really incompatible with PKCS#1 v2.1 or later? #201

Open user163 opened 11 months ago

user163 commented 11 months ago

There is a warning in the RSA/OAEP documentation that the implementation is based on PKCS#1 v2.0 and is not compatible with PKCS#1 v2.1 or later; see e.g. rsa.md, section "Standards supported", the docs of the OAEPEncoding class, or the code. The documentation even talks about a breaking change (from RFC2437 to RFC3447 and later RFCs).

On closer examination of these RFCs, this supposed breaking change does not seem to exist. The additional 0x00 byte is rather cosmetic (i.e. it was added for consistency reasons: padding to the key size). During encryption it has no effect on the ciphertext, and during decryption it has no effect on the decrypted data (see also this SO post). This is supported by tests: ciphertexts generated with Dart/PointyCastle can be decrypted with implementations based on RFC8017 (the current PKCS#1 RFC, compatible with RFC3447 regarding the 0x00 byte). The reverse direction also works.

So is this warning still up to date? If so, please describe in more detail what this incompatibility is (the leading 0x00 byte does not result in compatibility problems) and under what conditions it causes problems (my compatibility tests between Dart/PointyCastle and RFC8017 implementations showed no problems). If not, the warnings should be removed, as they only confuse; see e.g. Support for RFC 3447 (RSAES-OAEP - 2.1) #95.

jakobleck commented 5 months ago

+1

This remark in the doc confused me/made me hesitate, but after trying it out I was able to use pointycastle to decrypt a message that was RSA/OAEP-encrypted via JS's SubtleCrypto, which according to the doc (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt) works with the RFC3447 specification.
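The point made in the opening comment (the extra leading 0x00 octet of RFC 3447/8017 changes neither the ciphertext nor the recovered plaintext) worked through in Python, as an added example that is not code from this issue or from Pointy Castle. It reimplements EME-OAEP with SHA-1 in both layouts and uses a constructed throwaway 512-bit RSA key; the names `oaep_encode`, `oaep_decode`, `prime` and `demo` are mine, not the library's.

```python
import hashlib, os, random

H_LEN = 20  # SHA-1, the default OAEP hash in RFC 2437 and RFC 8017; MGF1 is unchanged too

def mgf1(seed: bytes, length: int) -> bytes:
    n_blocks = (length + H_LEN - 1) // H_LEN
    return b"".join(hashlib.sha1(seed + i.to_bytes(4, "big")).digest() for i in range(n_blocks))[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, seed: bytes, v21: bool) -> bytes:
    """EME-OAEP, empty label. v21=True: RFC 3447/8017 layout (k octets, leading 0x00);
    v21=False: RFC 2437 layout (k-1 octets). Everything else is byte-for-byte the same."""
    lhash = hashlib.sha1(b"").digest()
    db = lhash + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    em = masked_seed + masked_db
    return b"\x00" + em if v21 else em

def oaep_decode(em: bytes, k: int) -> bytes:
    if len(em) == k and em[0] == 0:  # RFC 8017 layout: drop the leading 0x00 octet
        em = em[1:]
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    rest = db[H_LEN:].lstrip(b"\x00")
    if len(em) != k - 1 or db[:H_LEN] != hashlib.sha1(b"").digest() or rest[:1] != b"\x01":
        raise ValueError("decryption error")  # RFC 8017 mandates one indistinguishable error
    return rest[1:]

def prime(bits: int) -> int:
    while True:  # Fermat-tested probable prime for a constructed throwaway demo key only
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7, 11, 13, 17)):
            return p

def demo(msg: bytes = b"pc-dart issue #201"):
    p, q = prime(256), prime(256)
    n, e, d = p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))  # Python 3.8+ modular inverse
    k = (n.bit_length() + 7) // 8  # 64 octets; msg may be at most k - 2*H_LEN - 2 = 22 bytes
    seed = os.urandom(H_LEN)
    em20, em21 = (oaep_encode(msg, k, seed, v21) for v21 in (False, True))
    # OS2IP ignores a leading zero octet, so RSAEP sees the same integer for both layouts
    c20, c21 = (pow(int.from_bytes(em, "big"), e, n) for em in (em20, em21))
    m = pow(c21, d, n)  # RSADP once, then I2OSP to each RFC's stated length (k-1 vs k)
    out_2437, out_8017 = (oaep_decode(m.to_bytes(length, "big"), k) for length in (k - 1, k))
    return c20 == c21, out_2437, out_8017
```

`demo()` returns `(True, msg, msg)`: identical ciphertexts, and a decoder following either RFC recovers the message from the other's encoding.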