Skip to content

feat: add RSA-OAEP padding support with backwards compatibility #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
script3r wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add RSA-OAEP padding support with backwards compatibility #5

script3r wants to merge 1 commit into from

Conversation

@script3r
Copy link

@script3r script3r commented Jan 12, 2026
edited
Loading

Summary

This PR adds support for RSA-OAEP (Optimal Asymmetric Encryption Padding) while maintaining full backwards compatibility with existing code using PKCS#1 v1.5 padding.

Why OAEP?

PKCS#1 v1.5 (current default) has known vulnerabilities:

OAEP provides stronger security guarantees:

  • Provably secure under the RSA assumption in the random oracle model
  • Recommended by NIST (SP 800-56B) and PKCS#1 v2.x standards
  • Used by default in modern cryptographic libraries (OpenSSL 3.x, WebCrypto API)

Backwards Compatibility

  • All existing code continues to work without any changes
  • The new padding parameter defaults to 'PKCS1'
  • Users can opt-in to OAEP by explicitly passing 'OAEP'

API Changes

type RSAPadding = 'PKCS1' | 'OAEP';

// All RSA functions now accept an optional padding parameter
encryptRSA(data: string, publicKey: string, padding?: RSAPadding): string;
decryptRSA(data: string, privateKey: string, padding?: RSAPadding): string;
encryptAsyncRSA(data: string, publicKey: string, padding?: RSAPadding): Promise<string>;
decryptAsyncRSA(data: string, privateKey: string, padding?: RSAPadding): Promise<string>;

Usage

import { encryptRSA, decryptRSA } from 'rn-encryption';

// Existing code works unchanged (uses PKCS1 - backwards compatible)
const encrypted = encryptRSA(data, publicKey);
const decrypted = decryptRSA(encrypted, privateKey);

// Opt-in to more secure OAEP padding
const encryptedSecure = encryptRSA(data, publicKey, 'OAEP');
const decryptedSecure = decryptRSA(encryptedSecure, privateKey, 'OAEP');

Implementation Details

Platform PKCS1 OAEP
Android RSA/ECB/PKCS1Padding RSA/ECB/OAEPWithSHA-256AndMGF1Padding
iOS SecKeyAlgorithm.rsaEncryptionPKCS1 SecKeyAlgorithm.rsaEncryptionOAEPSHA256

🤖 Generated with Claude Code

@script3r @claude
feat: add RSA-OAEP padding support with backwards compatibility
1d83d55 
Add optional `padding` parameter to RSA encryption/decryption functions
that allows choosing between PKCS1 (legacy) and OAEP (recommended) padding.

**Why OAEP?**
- PKCS#1 v1.5 padding is vulnerable to padding oracle attacks (Bleichenbacher's attack)
- OAEP (Optimal Asymmetric Encryption Padding) provides provable security
- OAEP is recommended by NIST and modern security standards

**Backwards Compatibility**
- All existing code continues to work without changes
- The `padding` parameter defaults to `'PKCS1'`
- Users can opt-in to OAEP by passing `'OAEP'` as the third parameter

**Usage**
```typescript
// Existing code works unchanged (uses PKCS1)
const encrypted = encryptRSA(data, publicKey);

// Opt-in to more secure OAEP padding
const encrypted = encryptRSA(data, publicKey, 'OAEP');
```

**Affected functions**
- encryptRSA / decryptRSA
- encryptAsyncRSA / decryptAsyncRSA

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@script3r