5.4.2 RSA-OAEP

Identifier:
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p (REQUIRED)

The RSAES-OAEP-ENCRYPT algorithm, as specified in RFC 2437 [PKCS1], takes two explicit parameters: a mandatory message digest function and an optional octet string OAEPparams. The message digest function is indicated by the Algorithm attribute of a child ds:DigestMethod element, and the octet string is the base64 decoding of the content of an optional OAEPparams child element.

Schema Definition:

<element ref='ds:DigestMethod'/> 
<element name='OAEPparams' minOccurs='0'
         type='base64Binary'/>

An example of an RSA-OAEP element is:

  <EncryptionMethod
     Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
     <ds:DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <OAEPparams> 9lWu3Q== </OAEPparams>
  </EncryptionMethod>

The CipherValue for an RSA-OAEP encrypted key is the base64 [MIME] encoding of the octet string computed as per RFC 2437 [PKCS1, section 7.1.1: Encryption operation]. As described in the EME-OAEP-ENCODE function RFC 2437 [PKCS1, section 9.1.1.1], the value input to the key transport function is calculated using the message digest function and string specified in the DigestMethod and OAEPparams elements and using the mask generator function MGF1 specified in RFC 2437. The desired output length for EME-OAEP-ENCODE is one byte shorter than the RSA modulus.

The transported key size is 192 bits for TRIPLEDES and 128, 192, or 256 bits for AES. Implementations MUST implement RSA-OAEP for the transport of 128 and 256 bit keys. They MAY implement RSA-OAEP for the transport of other keys.
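The following is an added worked example, not part of the XML Encryption specification or any implementation it references. It reads the digest function and OAEPparams from an EncryptionMethod element, runs EME-OAEP-ENCODE with MGF1 as RFC 2437 describes, pads to one byte shorter than the modulus, and produces the base64 CipherValue; the decrypt side reverses the steps and reports a single "decoding error" for every failure. The RSA key is a constructed demo key built from Mersenne primes so that the example runs offline with no libraries beyond the standard library; such a key is trivially factorable and exists only for illustration. The function names and the demo values are assumptions of this example.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# ds:DigestMethod Algorithm URI -> hash function (only SHA-1 appears in this section).
DIGEST_BY_URI = {DS + "sha1": hashlib.sha1}

# Constructed demo key (hypothetical): p and q are Mersenne primes, so the modulus is
# trivially factorable. It only lets the example run offline; never use such a key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in octets (141 for this key)

# Constructed EncryptionMethod element, as in the section's example but with namespaces declared.
METHOD_XML = f"""<EncryptionMethod xmlns="{XENC}" xmlns:ds="{DS}"
   Algorithm="{XENC}rsa-oaep-mgf1p">
   <ds:DigestMethod Algorithm="{DS}sha1"/>
   <OAEPparams> 9lWu3Q== </OAEPparams>
</EncryptionMethod>"""


def mgf1(seed, mask_len, hash_fn):
    """MGF1 (RFC 2437 section 10.2.1): Hash(seed || counter) for counter = 0, 1, ..."""
    h_len = hash_fn().digest_size
    out = b"".join(hash_fn(seed + c.to_bytes(4, "big")).digest()
                   for c in range((mask_len + h_len - 1) // h_len))
    return out[:mask_len]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(m, p, em_len, hash_fn, seed=None):
    """EME-OAEP-ENCODE (RFC 2437 section 9.1.1.1); p is the decoded OAEPparams octet string."""
    h_len = hash_fn().digest_size
    if len(m) > em_len - 2 * h_len - 1:
        raise ValueError("message too long")
    ps = b"\x00" * (em_len - len(m) - 2 * h_len - 1)
    db = hash_fn(p).digest() + ps + b"\x01" + m        # DB = pHash || PS || 01 || M
    if seed is None:
        seed = os.urandom(h_len)
    masked_db = xor(db, mgf1(seed, em_len - h_len, hash_fn))
    masked_seed = xor(seed, mgf1(masked_db, h_len, hash_fn))
    return masked_seed + masked_db


def eme_oaep_decode(em, p, hash_fn):
    """EME-OAEP-DECODE (RFC 2437 section 9.1.1.2). All failures raise the same error so a
    caller cannot tell a pHash mismatch from a padding or separator fault."""
    h_len = hash_fn().digest_size
    if len(em) < 2 * h_len + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:h_len], em[h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len, hash_fn))
    db = xor(masked_db, mgf1(seed, len(em) - h_len, hash_fn))
    p_hash, rest = db[:h_len], db[h_len:]
    sep = rest.find(b"\x01")
    ok = p_hash == hash_fn(p).digest() and sep >= 0 and not any(rest[:sep])
    if not ok:
        raise ValueError("decoding error")
    return rest[sep + 1:]


def parse_method(method_xml):
    """Pull the digest function and decoded OAEPparams out of an EncryptionMethod element."""
    method = ET.fromstring(method_xml)
    digest = DIGEST_BY_URI[method.find(f"{{{DS}}}DigestMethod").get("Algorithm")]
    params_el = method.find(f"{{{XENC}}}OAEPparams")
    params = base64.b64decode(params_el.text.strip()) if params_el is not None else b""
    return digest, params


def transport_key(key, method_xml, seed=None):
    """RSAES-OAEP-ENCRYPT (RFC 2437 section 7.1.1) of a symmetric key; returns CipherValue text."""
    digest, params = parse_method(method_xml)
    em = eme_oaep_encode(key, params, K - 1, digest, seed)   # one byte shorter than the modulus
    c = pow(int.from_bytes(em, "big"), E, N)
    return base64.b64encode(c.to_bytes(K, "big")).decode()


def recover_key(cipher_value, method_xml):
    """RSAES-OAEP-DECRYPT (RFC 2437 section 7.1.2) from CipherValue text back to the key."""
    digest, params = parse_method(method_xml)
    c = int.from_bytes(base64.b64decode(cipher_value), "big")
    if c >= N:
        raise ValueError("decoding error")
    try:
        em = pow(c, D, N).to_bytes(K - 1, "big")
    except OverflowError:
        raise ValueError("decoding error")
    return eme_oaep_decode(em, params, digest)


if __name__ == "__main__":
    aes_key = bytes(range(16))                       # constructed 128-bit key
    cv = transport_key(aes_key, METHOD_XML)
    assert recover_key(cv, METHOD_XML) == aes_key
    print("CipherValue:", cv)
```

Because the encoded message is k-1 octets, its integer value is always below the modulus, so the RSA primitive needs no range check on the sender's side; the receiver still checks the ciphertext against N and folds every decode failure into one error.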