FormatPkcs1Oaep Method

FormatPkcs1Oaep(ReadOnlySpan<byte>, int, int)

Build the input data into a PKCS #1 v2 OAEP formatted block for encryption (see RFC 8017).

C#
public static byte[] FormatPkcs1Oaep(ReadOnlySpan<byte> inputData, int digestAlgorithm, int keySizeBits)

Parameters

Type Name Description
ReadOnlySpan<byte> inputData

The data to format.
int digestAlgorithm

The algorithm to use in the OAEP operations. It must be one of the digest algorithms defined in this class: RsaFormat.Sha1, RsaFormat.Sha256, and so on.
int keySizeBits

The size of the key used, in bits. This value must be either 1024 or 2048

Returns

byte[]

A new byte array containing the formatted data.

Exceptions

Type Condition
ArgumentException

The data length is too long for the key size, or the keySizeBits is not supported.

Remarks

The OAEP (Optimal Asymmetric Encryption Padding) operation has a number of parameters: hash function, mask generating function, and label (pSource). The caller supplies the digestAlgorithm as the hash function, this method will use MGF1 as the mask generating function, and the empty label.

This method will build a new buffer that is keySizeBits long and contains the following data. 

00 || masked seed || masked DB

The seed is simply digest length random bytes. The masked seed is the same length.

The DB (data block) is originally 

lHash || PS || 01 || input data
The lHash value is the digest of the label. The standard specifies the default label is the empty string. This method will only be able to build an lHash from the default empty string. The PS (padding string) is all 00 bytes. Its length is 
length(PS) = block size - (input data length + (2 * digest length) + 2)

For example, if the block size is 128 (1024-bit RSA key), the input
data is 16 bytes, and the digest algorithm is SHA-256, then


length(PS) = 128 - (16 + (2 * 32) + 2)
= 128 - 82 = 46
The standard allows a PS of length 0.

Another way to look at this is the maximum input data length based on the block size and digest length. 

max input length = block size - ((2 * digestLen) + 2)

For example, if the block size is 128 (1024-bit RSA key), and the
digest algorithm is SHA-256, then


max input length = 128 - ((2 * 32) + 2)
= 128 - 66 = 62.


With a block size of 128 and digest algorithm of SHA-384,


max input length = 128 - ((2 * 48) + 2)
= 128 - 98 = 30.


Note that SHA-512 is simply not possible with a block size of 128.


max input length = 128 - ((2 * 64) + 2)
= 128 - 130 = -2.

If the input data length and digest algorithm make a block too big for the keySizeBits, this method will throw an exception.

This method supports only keySizeBits values that are defined in this class as KeySizeBits-x-, such as RsaFormat.KeySizeBits1024 (x=1024). You can use one of these values or simply the actual key size in bits. For example, if the key size in bits is 1024, then either RsaFormat.KeySizeBits1024 or 1024 are valid input to this method.

This method will use the random number generator and message digest implementations from CryptographyProviders.

Because this method creates a new byte array, and it contains sensitive data, it is a good idea to overwrite the buffer when done with it. 

CryptographicOperations.ZeroMemory(formattedData);