AI_PKCS_OAEP_RSAPrivateBER

-- This identifier means that P is an empty string, so the digest
-- of the empty string appears in the RSA block before masking.

pSpecifiedEmptyIdentifier ::= AlgorithmIdentifier { id-pSpecified, OCTET STRING SIZE (0) }

Format of info supplied to B_GetAlgorithmInfo:

pointer to an ITEM structure that gives the address and length of the DER-encoded algorithm identifier.

Crypto-C procedures to use with algorithm object:

The following procedures perform OAEP padding with encryption:

B_DecryptInit, B_DecryptUpdate, and B_DecryptFinal. You may pass (B_ALGORITHM_OBJ)NULL_PTR for the randomAlgorithm argument in B_DecryptUpdate and B_DecryptFinal.

Algorithm methods to include in application's algorithm chooser:

AM_RSA_CRT_DECRYPT or AM_RSA_CRT_DECRYPT_BLIND for decryption.

AM_RSA_CRT_DECRYPT_BLIND performs blinding to protect against timing attacks, whereas AM_RSA_CRT_DECRYPT does not. AM_SHA is required for the default pSource digest function. It is also required for MGF1, as the underlying algorithm.

Key info types for keyObject in B_EncryptInit or B_DecryptInit:

KI_RSA_CRT, KI_PKCS_RSAPrivate, or KI_PKCS_RSAPrivateBER.

Compatible representation:

AI_PKCS_OAEP_RSAPrivate.

Output considerations:

The output of decryption will be the same size as the original message.
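
The following added example (Python, not Crypto-C code and not taken from this manual) builds and decodes the OAEP block for the empty-P case, showing where the SHA-1 digest of the empty string sits before masking and why SHA-1 is needed for both the pSource digest and MGF1. The function names are illustrative, and the block layout with a leading zero byte follows RFC 8017, which is an assumption about the encoding variant.

```python
import hashlib
import hmac
import os

H_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-1 as the underlying digest."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, p: bytes = b"", seed: bytes = None) -> bytes:
    """Build the k-byte block that RSA encrypts; p=b"" is the empty-P case."""
    pad_len = k - len(msg) - 2 * H_LEN - 2
    if pad_len < 0:
        raise ValueError("message too long")
    seed = os.urandom(H_LEN) if seed is None else seed
    db = hashlib.sha1(p).digest() + b"\x00" * pad_len + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, len(db)))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def unmask(em: bytes) -> bytes:
    """Undo both MGF1 masks and return DB = Hash(P) || PS || 0x01 || M."""
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    return xor(masked_db, mgf1(seed, len(masked_db)))

def oaep_decode(em: bytes, p: bytes = b"") -> bytes:
    """Return M, or raise one generic error for every malformed block."""
    if len(em) < 2 * H_LEN + 2:
        raise ValueError("decoding error")
    db = unmask(em)
    rest = db[H_LEN:].lstrip(b"\x00")  # drop the zero padding string PS
    ok = em[0] == 0
    ok &= hmac.compare_digest(db[:H_LEN], hashlib.sha1(p).digest())
    ok &= rest[:1] == b"\x01"
    if not ok:  # same error for every failure, so callers learn nothing more
        raise ValueError("decoding error")
    return rest[1:]
```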

Chapter 2 Algorithm Info Types
