hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

The transit secrets engine does not support RSA padding scheme pkcs1v15 for encryption. #16367

Open marcellanz opened 2 years ago

marcellanz commented 2 years ago

Is your feature request related to a problem? Please describe.

Yes it is. We'd like to use the Vault transit secrets engine to sign and decrypt with an RSA padding scheme of pkcs1v15 for a use case where we can't choose another padding scheme. This is because we have to work with a given signing and decryption scheme from a standard we have to use for a use case in the fintech industry. Vault supports signing with pkcs1v15 but not decryption, and also not other operations like encryption.

Describe the solution you'd like

We'd like to have the transit engine being able to encrypt and decrypt with the pkcs1v15 RSA padding scheme. Consequently datakey and rewrap shall provide a padding_scheme parameter too.

Describe alternatives you've considered

We could implement a plugin, and we already did as a PoC. We believe that, from a maintenance perspective, having the option of which padding scheme is used for RSA operations is still better.

We'll provide a PR, following the creation of this issue, that implements the feature including UI support.

Explain any additional use-cases

There is none.

Additional context

N/A.

rcaillon-Iliad commented 1 year ago

The transit secrets engine also doesn't support oaep-sha1 as a padding scheme. If pkcs1v15 is implemented, it would also be interesting to implement oaep-sha1. See https://github.com/hashicorp/vault/issues/8045
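The two comments above ask for selectable RSA padding (pkcs1v15, and separately oaep-sha1) on the encryption side of transit. The following Go program is an added illustration, not code from Vault or from the issue authors: it implements the three schemes named in the thread with the standard library's crypto/rsa and shows why the scheme must match on both ends, since a ciphertext produced under one padding does not decrypt under another. The PaddingScheme type, its string values, and the function names are assumptions of this example, not a transit API.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
	"hash"
)

// PaddingScheme names an RSA encryption padding. The string values mirror
// the spellings used in this issue thread; the type itself is an assumption
// of this example, not a Vault transit API.
type PaddingScheme string

const (
	PKCS1v15   PaddingScheme = "pkcs1v15"
	OAEPSHA1   PaddingScheme = "oaep-sha1"
	OAEPSHA256 PaddingScheme = "oaep-sha256"
)

// oaepHash returns the hash an OAEP scheme is parameterised with, or nil
// for schemes that are not OAEP.
func oaepHash(scheme PaddingScheme) hash.Hash {
	switch scheme {
	case OAEPSHA1:
		return sha1.New()
	case OAEPSHA256:
		return sha256.New()
	}
	return nil
}

// Encrypt wraps plaintext (for example a data key) under pub using scheme.
func Encrypt(pub *rsa.PublicKey, scheme PaddingScheme, plaintext []byte) ([]byte, error) {
	switch scheme {
	case PKCS1v15:
		return rsa.EncryptPKCS1v15(rand.Reader, pub, plaintext)
	case OAEPSHA1, OAEPSHA256:
		return rsa.EncryptOAEP(oaepHash(scheme), rand.Reader, pub, plaintext, nil)
	}
	return nil, fmt.Errorf("unsupported padding scheme %q", scheme)
}

// Decrypt unwraps ciphertext with priv, expecting the padding that scheme names.
func Decrypt(priv *rsa.PrivateKey, scheme PaddingScheme, ciphertext []byte) ([]byte, error) {
	switch scheme {
	case PKCS1v15:
		return rsa.DecryptPKCS1v15(rand.Reader, priv, ciphertext)
	case OAEPSHA1, OAEPSHA256:
		return rsa.DecryptOAEP(oaepHash(scheme), rand.Reader, priv, ciphertext, nil)
	}
	return nil, fmt.Errorf("unsupported padding scheme %q", scheme)
}

// RoundTripMatches reports whether msg encrypted under encScheme is recovered
// intact when decrypted under decScheme. A decryption error, or a decryption
// that "succeeds" with different bytes (rarely possible when PKCS#1 v1.5
// unpadding is applied to an OAEP block), both count as a mismatch.
// Only encryption failures are returned as errors.
func RoundTripMatches(priv *rsa.PrivateKey, encScheme, decScheme PaddingScheme, msg []byte) (bool, error) {
	ct, err := Encrypt(&priv.PublicKey, encScheme, msg)
	if err != nil {
		return false, err
	}
	pt, err := Decrypt(priv, decScheme, ct)
	if err != nil {
		return false, nil
	}
	return bytes.Equal(pt, msg), nil
}

// NewKey generates a fresh RSA private key of the given size.
func NewKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func main() {
	priv, err := NewKey(2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed data key") // constructed sample payload
	pairs := [][2]PaddingScheme{
		{PKCS1v15, PKCS1v15}, {OAEPSHA1, OAEPSHA1},
		{PKCS1v15, OAEPSHA256}, {OAEPSHA256, PKCS1v15}, // mismatched pairs
	}
	for _, p := range pairs {
		ok, err := RoundTripMatches(priv, p[0], p[1], msg)
		fmt.Printf("encrypt=%-11s decrypt=%-11s recovered=%v err=%v\n", p[0], p[1], ok, err)
	}
}
```

Two design notes for anyone implementing the requested option: the mismatch check compares recovered bytes rather than relying on a decryption error, because PKCS#1 v1.5 unpadding can occasionally accept a random-looking block; and since PKCS#1 v1.5 decryption is the padding for which observable error behaviour is a known hazard, a server-side implementation should keep its failure responses uniform across padding errors, as Go's DecryptPKCS1v15 is designed to do, and offer OAEP as the default wherever the caller's standard allows it.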