Question: algorithm for both, signing/verification and encryption/decryption

[jepetko]

I am writing this question because I am using the documentation https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto as main source for the implementation, and the documentation page points to this repository. Thank you for the comprehensive documentation and examples in the first place.

My implementation utilizes the native crypto support and pkijs/asn1js libraries.

I try to describe the scenario:

The client (running in browser) generates a key pair for signing / verification using getCrypto(true).generateKey method like this:

  getCrypto(true).generateKey(
    {
      name: 'RSASSA-PKCS1-v1_5',
      modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]),
      hash: { name: 'SHA-256' },
    },
    true,
    ['sign', 'verify'],
  );

• The public key is imported into a certificates subjectPublicKeyInfo (created using pkijs/asn1js libs).
• Then, the certificate is signed using the private key.
• Subsequently, http payload is signed with the same private key by calculating a signature using getCrypto(true).sign method.
• Both, the signature and the certificate are submitted as request headers in the HTTP request to the backend.

Then, the following happens:

• The backend verifies the submitted signature using the submitted certificate -> OK.
• The backend encrypts the response body using the submitted certificate -> OK.
• The client decrypts the encrypted body using the private key -> NOT OK; An error is thrown:

CryptoKey does not support this operation, its algorithm.name must be RSA-OAEP

The issue is obvious: the private key cannot be used for decryption which is clear because usages: ['sign', 'verify']. However, the encryption using the certificate (containing the public key from the generated key pair, see above) works. RFC does not mention it that it is supposed to work https://www.rfc-editor.org/rfc/rfc3447#page-32 but I am sure there is an explanation why it works.

My actual question is: which algorithm needs to be used to support both, signing/verification and encryption/decryption. Using 'RSA-OAEP' (instead of 'RSASSA-PKCS1-v1_5') is not an option because it cannot be used for signing. Is this possible at all? (asking because I haven't found such examples in the documentation).

Thank you.

[bsmth]

Hi @jepetko - I moved the issue over as a discussion, maybe it's more convenient for getting feedback on your question. You're also welcome to join the Discord server to ask there.

[wbamberg]

My actual question is: which algorithm needs to be used to support both, signing/verification and encryption/decryption. Using 'RSA-OAEP' (instead of 'RSASSA-PKCS1-v1_5') is not an option because it cannot be used for signing. Is this possible at all? (asking because I haven't found such examples in the documentation).

I believe you're not supposed to use the same key for signing/verification and encryption/decryption: https://security.stackexchange.com/questions/1806/why-should-one-not-use-the-same-asymmetric-key-for-encryption-as-they-do-for-sig .

The spec has a helpful table listing the algorithms and possible usages: https://w3c.github.io/webcrypto/#algorithm-overview , and you'll see that none of them allow for both encryption and signing.