Hello everybody,

I'm pretty sure this has already been discussed somewhere, but grepping through the whole openssl-user list did not give me the answer I'm searching for, so here I am.

In my development I'm using an idiom that's not as widely used as I thought (as I get it after multiple days of searching out there). In order to securely distribute a binary, I encrypt it using an AES key, and the AES key itself is encrypted using a /private/ RSA key I own. Only owners of the /public/ key (which, as it is a public key, may leak) can decrypt the AES key, and therefore the binary.

The reason why I do this is that I cannot encrypt using the recipient public key, because I don't know how many different recipients I have when I generate the encrypted binary; and generating the binary on request is not feasible.

With this idiom, recipients can check that I encrypted the binary, and the binary itself cannot be decrypted unless you're a recipient (i.e. you have the public key).

This has worked well for a few years. Of course, in order to do this I rely on RSA_private_encrypt() and RSA_public_decrypt() because EVP_PKEY_encrypt() / EVP_PKEY_decrypt() cannot be used(*).

So, after that long introduction, here is my question: is there any OpenSSL 3.0 sanctioned, EVP_PKEY-based way to encrypt using a private key and decrypt using a public key?

While I fully understand the need to streamline the library interface and to remove the low-level RSA functions, it seems to me that not allowing this is going to be problematic for those who, like me, rely on public key decryption in their process. I also fully understand that it's not the preferred way to do it, but I (and some others, I guess) deal with a use case which is not ideal here, and the possibility to use asymmetric crypto in this way really saves me.

Best regards,

-- Emmanuel Deloget

(*) tests on OpenSSL 1.0.2 (Ubuntu 16.04) and OpenSSL 1.1.1c (Ubuntu 19.04) show that it segfaults in EVP_PKEY_decrypt() when fed with a public key.
In OpenSSL 3.0, EVP_PKEY_decrypt() does not appear to be able to decrypt using an RSA public key (it calls RSA_private_decrypt() internally, via rsa_decrypt()).