[3.0.0] Support unpadding for blinded rsa decryption using PKCS#11
To ensure that blinding is used for PKCS#11 RSA decryption, it is necessary to set the padding of Botan::PK_Decryptor_EME to "Raw".
This prevents sensitive information from being passed through the reader, the usb connection and the middleware.
If the result needs unpadding (e.g. OAEP) then Botan::EME::unpad can be used as long as the header / EME base class are public.
Would it be an option to keep exposing the EME headers or base class as part of the public API or are there any alternatives?
I thought the PKCS11 RSA wrapper already implemented this blinding? So I wouldn't think there would be any need for such operations at the application level as well. Or am I misunderstanding?
Yes, the PKCS11 RSA wrapper performs blinding, but only for "Raw" operations: https://github.com/randombit/botan/blob/master/src/lib/prov/pkcs11/p11_rsa.cpp#L149
Blinding is not possible if the smart card or middleware is asked to perform the unpadding.
As long as Botan does not provide a way to explicitly perform "unpadding with (blinded) raw decryption", an application must use "Raw" decryption, then perform unpadding at the application level (no blinding at app level).
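The "Raw decryption, then unpad at the application level" flow discussed in this thread, as an added example that is not Botan's code: an EME-OAEP decoder (RFC 8017, section 7.1.2 step 3) that an application could apply to the block returned by a PK_Decryptor_EME created with "Raw". The helper names `oaep_pad`, `oaep_unpad` and `mgf1`, the modulus size `k` and the sample message are assumptions; Python is used so the example runs with only the standard library.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: application-level EME-OAEP decoding for the block returned by a
# "Raw" RSA decryption.  Hypothetical helper, not Botan's EME::unpad; k is the
# modulus length in bytes.

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    h_len = hashlib.new(hash_name).digest_size
    out = b"".join(hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
                   for c in range((length + h_len - 1) // h_len))
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(msg: bytes, k: int, label: bytes = b"", hash_name: str = "sha256",
             seed: Optional[bytes] = None) -> bytes:
    """Encoder, used here only to build test input for the decoder below."""
    h_len = hashlib.new(hash_name).digest_size
    if len(msg) > k - 2 * h_len - 2:
        raise ValueError("message too long for this modulus")
    db = (hashlib.new(hash_name, label).digest()
          + b"\x00" * (k - len(msg) - 2 * h_len - 2) + b"\x01" + msg)
    seed = seed if seed is not None else secrets.token_bytes(h_len)
    masked_db = xor(db, mgf1(seed, k - h_len - 1, hash_name))
    masked_seed = xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db

def oaep_unpad(em: bytes, k: int, label: bytes = b"",
               hash_name: str = "sha256") -> Optional[bytes]:
    """Return the message, or None on any decoding error (one combined verdict,
    the role Botan's valid_mask plays, so no single check fails early)."""
    h_len = hashlib.new(hash_name).digest_size
    if k < 2 * h_len + 2 or len(em) > k:   # public lengths, may be checked early
        return None
    em = em.rjust(k, b"\x00")              # defensive: restore stripped leading zeros
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = xor(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    lhash_ok = hmac.compare_digest(db[:h_len], hashlib.new(hash_name, label).digest())
    rest, in_pad, delim = db[h_len:], 1, -1   # scan for 0x01 without early exit
    for i, b in enumerate(rest):
        found = in_pad & int(b == 1)
        delim = delim * (1 - found) + i * found
        in_pad &= int(b == 0)
    valid = int(y == 0) & int(lhash_ok) & int(delim >= 0)
    msg = rest[delim + 1:]
    return msg if valid else None
```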