
[3.0.0] Support unpadding for blinded rsa decryption using PKCS#11

Open weberph2 opened this issue 1 year ago • 2 comments

To ensure that blinding is used for PKCS#11 RSA decryption, it is necessary to set the padding of Botan::PK_Decryptor_EME to "Raw". This prevents sensitive information from being passed through the reader, the USB connection and the middleware. If the result needs unpadding (e.g. OAEP), then Botan::EME::unpad can be used as long as the header / EME base class are public.

Would it be an option to keep exposing the EME headers or base class as part of the public API or are there any alternatives?

weberph2 avatar Jul 19 '22 12:07 weberph2

I thought the PKCS11 RSA wrapper already implemented this blinding? So I wouldn't think there would be any need for such operations at the application level as well. Or am I misunderstanding?

randombit avatar Aug 01 '22 15:08 randombit

Yes, the PKCS11 RSA wrapper performs blinding, but only for "Raw" operations: https://github.com/randombit/botan/blob/master/src/lib/prov/pkcs11/p11_rsa.cpp#L149

Blinding is not possible if the smart card or middleware is asked to perform the unpadding.

As long as Botan does not provide a way to explicitly perform "unpadding with (blinded) raw decryption", an application must use "Raw" decryption, then perform unpadding at the application level (no blinding at app level).

weberph2 avatar Aug 01 '22 15:08 weberph2
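The pattern the thread ends on (raw, blinded decryption on the token, unpadding in the application), as an added example that is not part of this issue, of Botan, or of any PKCS#11 middleware. To run offline it implements the pieces directly on the Python standard library: RSA blinding, EME-OAEP with SHA-256 per RFC 8017, a throwaway key generator, and a `SimulatedToken` class that performs only the raw private-key operation (the PKCS#11 `CKM_RSA_X_509` mechanism, i.e. what Botan's PKCS#11 RSA wrapper uses for "Raw"). The key generation, the class and function names, and the sample plaintext in the usage are assumptions of this example. Besides the working path it also shows the reason given in the thread for why blinding and token-side unpadding cannot be combined: the token holds `EM * r mod n`, which is not an OAEP encoding, so asking it to unpad that value fails.

```python
import hashlib
import hmac
import math
import secrets

HASH, H_LEN = hashlib.sha256, hashlib.sha256().digest_size


def _is_prime(n, rounds=20):
    """Miller-Rabin; only here to build a throwaway demo key."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits=1024):
    """Throwaway demo key (n, e, d); real keys come from a library or the token."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def key_len(n):
    return (n.bit_length() + 7) // 8


def mgf1(seed, length):
    blocks = range((length + H_LEN - 1) // H_LEN)
    return b"".join(HASH(seed + i.to_bytes(4, "big")).digest() for i in blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg, k):
    """EME-OAEP encoding (RFC 8017 7.1.1) with an empty label."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for this key")
    db = HASH(b"").digest() + bytes(k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(H_LEN)
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))
    return b"\x00" + _xor(seed, mgf1(masked_db, H_LEN)) + masked_db


def oaep_decode(em, k):
    """EME-OAEP decoding: message, or None on any padding error. All checks feed one flag;
    real code must also be constant time (Python is not) so which check failed stays hidden."""
    if len(em) != k or k < 2 * H_LEN + 2:
        return None
    seed = _xor(em[1:1 + H_LEN], mgf1(em[1 + H_LEN:], H_LEN))
    db = _xor(em[1 + H_LEN:], mgf1(seed, k - H_LEN - 1))
    bad = int(em[0] != 0) | int(not hmac.compare_digest(db[:H_LEN], HASH(b"").digest()))
    sep = db.find(b"\x01", H_LEN)               # db = lHash || PS (zeros) || 0x01 || M
    bad |= int(sep < 0 or any(db[H_LEN:sep]))
    return None if bad else db[sep + 1:]


class SimulatedToken:
    """Stands in for the PKCS#11 token: raw private-key operation only (CKM_RSA_X_509)."""
    def __init__(self, n, d):
        self._n, self._d = n, d

    def raw_private_op(self, c):
        return pow(c, self._d, self._n)


def blind(n, e, c):
    """Multiply c by r^e before it crosses the reader/USB/middleware; r stays on the host."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return c * pow(r, e, n) % n, r


def encrypt_oaep(n, e, msg):
    k = key_len(n)
    return pow(int.from_bytes(oaep_encode(msg, k), "big"), e, n).to_bytes(k, "big")


def decrypt_oaep_app_side(token, n, e, ct):
    """The thread's pattern: blinded raw decryption on the token, unblind + unpad in the app."""
    k = key_len(n)
    blinded_c, r = blind(n, e, int.from_bytes(ct, "big"))
    blinded_m = token.raw_private_op(blinded_c)   # only blinded values leave the host
    return oaep_decode((blinded_m * pow(r, -1, n) % n).to_bytes(k, "big"), k)


def token_side_unpad_fails(token, n, e, ct):
    """Why the token cannot unpad a blinded input: it holds EM * r mod n, not EM."""
    k = key_len(n)
    blinded_c, _ = blind(n, e, int.from_bytes(ct, "big"))
    return oaep_decode(token.raw_private_op(blinded_c).to_bytes(k, "big"), k) is None
```

Usage, with a constructed plaintext: `n, e, d = generate_rsa_key(); token = SimulatedToken(n, d); ct = encrypt_oaep(n, e, b"constructed sample key material"); decrypt_oaep_app_side(token, n, e, ct)` returns the plaintext, while `token_side_unpad_fails(token, n, e, ct)` is `True`. In a real deployment `raw_private_op` is the PKCS#11 raw RSA decrypt (in Botan, a `PK_Decryptor_EME` over the PKCS#11 key with padding "Raw", which the thread says already blinds), and the OAEP decode must be a constant-time implementation rather than this illustration, since a decoder that leaks which check failed is exactly the oracle that unpadding on the host is supposed to avoid handing to the middleware.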