This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
One can add a label when performing RSA-OAEP encryption, but can't get it from an encrypted message. Should there be a way to get the label? Also, unclear why decrypt operation also takes RsaOaepParams with a label. Is decryption supposed to fail if the labels don't match?
(In reply to Alexey Proskuryakov from comment #0) > One can add a label when performing RSA-OAEP encryption, but can't get it > from an encrypted message. > > Should there be a way to get the label? > > Also, unclear why decrypt operation also takes RsaOaepParams with a label. > Is decryption supposed to fail if the labels don't match? IIUC, the label in RSA-OAEP is additional data that is protected by the authentication tag, but not included in the ciphertext. So, the label is assumed to be communicated separately from the ciphertext (or otherwise made available to the recipient). It needs to be provided to the decrypt operation so that it can be included in the verification of the authentication tag.