PKCS#1 v1.5 padding for encryption and signatures (RFC 8017).
Encryption padding: 0x00 || 0x02 || PS || 0x00 || M
Signature padding: 0x00 || 0x01 || PS || 0x00 || DigestInfo || H
⚠ Use OAEP / PSS for new deployments
PKCS#1 v1.5 is the legacy padding scheme. New code should prefer:
super::oaep for encryption (RFC 8017 §7.1). super::pss for signatures (RFC 8017 §8.1).
v1.5 is preserved here because it is still the only padding supported by some embedded TLS stacks and HSMs. Where the choice exists, do not select it.
Side-channel posture — Bleichenbacher
The PKCS#1 v1.5 encryption scheme is the historical Bleichenbacher target (CRYPTO 1998): an oracle that reveals whether the decrypted block starts with 0x00 0x02 (by error code, by timing, or by any other observable) recovers the plaintext in roughly 2²⁰ – 2²² queries. RFC 8017 §7.2.2 requires that the failure conditions be indistinguishable by error message and by timing; the standard way to meet that requirement (RFC 5246 §7.4.7.1) is a decrypt that runs in time independent of the padding, always returns the same number of bytes, and substitutes an internally derived, deterministic dummy when the padding does not parse, so that repeated queries on the same ciphertext give the same answer. Roadmap item T2-J tracks the audit and tightening of pkcs1::decrypt against this recipe.
The PKCS#1 v1.5 signature scheme has no analogous decryption oracle, but signing still inherits the Bellcore fault-attack exposure (Boneh, DeMillo and Lipton, 1997) of the underlying super::rsa::rsa_decrypt_raw private-key operation (roadmap item T1-C). On the verification side the encoded message must be rebuilt and compared in full; a verifier that instead parses the recovered block (skipping 0xFF bytes, then locating DigestInfo) leaves trailing bytes unchecked, which is the e = 3 forgery of Bleichenbacher (2006).
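The two block layouts at the top of this page, the fixed-length constant-time decode recipe described above, and the full-block comparison a verifier needs, as an added example in plain Rust. This is not the crate's pkcs1v15_* API and not the project's code: it assumes the caller supplies the SHA-256 digest `h` and a CSPRNG-backed `nonzero_random` closure (a toy LCG stands in below and is labelled constructed), and it takes the expected plaintext length as a parameter, TLS style, instead of recovering a variable-length message.

```rust
// Added example, not the crate's own code: the two PKCS#1 v1.5 encodings from
// RFC 8017, a fixed-length constant-time decode in the style of RFC 5246
// §7.4.7.1, and a full-EM signature check. No external crates: the hash value
// and the random bytes are supplied by the caller (assumptions for this demo).

/// 0xFF if x == 0, else 0x00, without a data-dependent branch.
fn ct_is_zero(x: u8) -> u8 {
    // (x | -x) has bit 7 set exactly when x != 0.
    ((x | x.wrapping_neg()) >> 7).wrapping_sub(1)
}

fn ct_eq(a: u8, b: u8) -> u8 {
    ct_is_zero(a ^ b)
}

/// mask == 0xFF selects `a`, mask == 0x00 selects `b`.
fn ct_select(mask: u8, a: u8, b: u8) -> u8 {
    (mask & a) | (!mask & b)
}

/// EME-PKCS1-v1_5 (RFC 8017 §7.2.1): EM = 0x00 || 0x02 || PS || 0x00 || M, |EM| = k.
/// `nonzero_random` must yield uniformly random bytes in 1..=255 from a CSPRNG;
/// it is a closure here only to keep the example free of an RNG crate.
fn eme_pkcs1_v15_encode(k: usize, m: &[u8], mut nonzero_random: impl FnMut() -> u8) -> Option<Vec<u8>> {
    if m.len() + 11 > k {
        return None; // PS must be at least 8 bytes, plus the three fixed bytes
    }
    let ps_len = k - m.len() - 3;
    let mut em = Vec::with_capacity(k);
    em.extend_from_slice(&[0x00, 0x02]);
    for _ in 0..ps_len {
        let b = nonzero_random();
        assert!(b != 0, "PS bytes must be nonzero");
        em.push(b);
    }
    em.push(0x00);
    em.extend_from_slice(m);
    Some(em)
}

/// Fixed-length EME-PKCS1-v1_5 decode that never branches on the padding.
/// Returns exactly `expected_len` bytes: the recovered M when the padding parses,
/// otherwise `dummy`. The caller must derive `dummy` deterministically from the
/// private key and the ciphertext so that a repeated query gives the same answer.
/// Only public lengths are checked with real branches.
fn eme_pkcs1_v15_decode_ct(em: &[u8], expected_len: usize, dummy: &[u8]) -> Vec<u8> {
    let k = em.len();
    assert!(dummy.len() == expected_len && expected_len + 11 <= k);
    let zero_pos = k - expected_len - 1; // where the 0x00 separator must sit
    let mut good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for &b in &em[2..zero_pos] {
        good &= !ct_is_zero(b); // every PS byte must be nonzero
    }
    good &= ct_is_zero(em[zero_pos]);
    (0..expected_len)
        .map(|i| ct_select(good, em[zero_pos + 1 + i], dummy[i]))
        .collect()
}

/// DER prefix of DigestInfo for SHA-256 (RFC 8017 §9.2, Note 1).
const SHA256_DIGEST_INFO_PREFIX: [u8; 19] = [
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
    0x05, 0x00, 0x04, 0x20,
];

/// EMSA-PKCS1-v1_5 (RFC 8017 §9.2): EM = 0x00 || 0x01 || 0xFF..0xFF || 0x00 || DigestInfo || H.
/// `h` is the SHA-256 digest of the message, computed by the caller.
fn emsa_pkcs1_v15_encode_sha256(k: usize, h: &[u8; 32]) -> Option<Vec<u8>> {
    let t_len = SHA256_DIGEST_INFO_PREFIX.len() + h.len();
    if k < t_len + 11 {
        return None;
    }
    let mut em = vec![0x00, 0x01];
    em.resize(k - t_len - 1, 0xFF); // PS of at least 8 bytes of 0xFF
    em.push(0x00);
    em.extend_from_slice(&SHA256_DIGEST_INFO_PREFIX);
    em.extend_from_slice(h);
    Some(em)
}

/// Verifier side: rebuild the expected EM and compare all k bytes. Parsing the
/// recovered block instead (skip 0xFF bytes, then "find" DigestInfo) leaves
/// trailing bytes unchecked, the bug behind the 2006 e = 3 forgeries.
fn emsa_pkcs1_v15_verify_sha256(em: &[u8], h: &[u8; 32]) -> bool {
    match emsa_pkcs1_v15_encode_sha256(em.len(), h) {
        Some(expected) => expected == em,
        None => false,
    }
}

fn main() {
    let k = 256; // RSA-2048 modulus size in bytes
    let msg = [0x42u8; 48]; // constructed stand-in for a 48-byte premaster secret
    // Constructed LCG standing in for a CSPRNG; never use this for real padding.
    let mut state: u32 = 0x1234_5678;
    let toy_rng = move || loop {
        state = state.wrapping_mul(1_664_525).wrapping_add(1_013_904_223);
        let b = (state >> 24) as u8;
        if b != 0 {
            return b;
        }
    };
    let em = eme_pkcs1_v15_encode(k, &msg, toy_rng).unwrap();
    let dummy = [0xAAu8; 48]; // in real code: PRF(private key, ciphertext)
    assert_eq!(eme_pkcs1_v15_decode_ct(&em, 48, &dummy), msg.to_vec());
    let mut bad = em.clone();
    bad[1] = 0x01; // wrong block type: caller gets the dummy, same length, no error
    assert_eq!(eme_pkcs1_v15_decode_ct(&bad, 48, &dummy), dummy.to_vec());

    let h = [0x5Au8; 32]; // constructed stand-in for SHA-256(message)
    let sig_em = emsa_pkcs1_v15_encode_sha256(k, &h).unwrap();
    assert!(emsa_pkcs1_v15_verify_sha256(&sig_em, &h));
    println!("PKCS#1 v1.5 encode/decode round trips: ok");
}
```

The decode keeps a single mask `good` that is 0xFF or 0x00 and folds every padding condition into it with bitwise operations; the output is then selected byte by byte, so the work done and the number of bytes returned are the same on both paths. The only branches are on `k` and `expected_len`, which are public. In a real deployment the dummy must be derived from the private key and the ciphertext (not freshly random), or an attacker can still distinguish the paths by querying the same ciphertext twice.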
Enums
- HashAlg - Hash algorithm identifiers for PKCS#1 v1.5 signatures.
Functions
- pkcs1v15_decrypt - PKCS#1 v1.5 decryption.
- pkcs1v15_encrypt - PKCS#1 v1.5 encryption.
- pkcs1v15_sign - PKCS#1 v1.5 signature generation.
- pkcs1v15_sign_ripemd160 - Convenience: hash a message with RIPEMD-160, then sign. Legacy: included for compatibility with older systems (Bitcoin, some 2000s X.509 CAs); not recommended for new designs.
- pkcs1v15_sign_sha1 - Convenience: hash a message with SHA-1, then sign. Legacy: do not use for new designs; SHA-1 is collision-broken.
- pkcs1v15_sign_sha3_256 - Convenience: hash a message with SHA3-256, then sign.
- pkcs1v15_sign_sha3_384 - Convenience: hash a message with SHA3-384, then sign.
- pkcs1v15_sign_sha3_512 - Convenience: hash a message with SHA3-512, then sign.
- pkcs1v15_sign_sha256 - Convenience: hash a message with SHA-256, then sign.
- pkcs1v15_sign_sha384 - Convenience: hash a message with SHA-384, then sign.
- pkcs1v15_sign_sha512 - Convenience: hash a message with SHA-512, then sign.
- pkcs1v15_verify - PKCS#1 v1.5 signature verification.
- pkcs1v15_verify_ripemd160 - Convenience: hash a message with RIPEMD-160, then verify. Legacy: included for compatibility with older systems (Bitcoin, some 2000s X.509 CAs); not recommended for new designs.
- pkcs1v15_verify_sha1 - Convenience: hash a message with SHA-1, then verify. Legacy: do not use for new designs; SHA-1 is collision-broken.
- pkcs1v15_verify_sha3_256 - Convenience: hash a message with SHA3-256, then verify.
- pkcs1v15_verify_sha3_384 - Convenience: hash a message with SHA3-384, then verify.
- pkcs1v15_verify_sha3_512 - Convenience: hash a message with SHA3-512, then verify.
- pkcs1v15_verify_sha256 - Convenience: hash a message with SHA-256, then verify.
- pkcs1v15_verify_sha384 - Convenience: hash a message with SHA-384, then verify.
- pkcs1v15_verify_sha512 - Convenience: hash a message with SHA-512, then verify.