RFC Errata
RFC 3447, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", February 2003
Note: This RFC has been obsoleted by RFC 8017
Source of RFC: IETF - NON WORKING GROUPArea Assignment: sec
Errata ID: 3716
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Jim Wigginton
Date Reported: 2013-09-02
Rejected by: Kathleen Moriarty
Date Rejected: 2015-03-31
Section 7.1.2 says:
3. EME-OAEP decoding: a. If the label L is not provided, let L be the empty string. Let lHash = Hash(L), an octet string of length hLen (see the note in Section 7.1.1). b. Separate the encoded message EM into a single octet Y, an octet string maskedSeed of length hLen, and an octet string maskedDB of length k - hLen - 1 as EM = Y || maskedSeed || maskedDB. c. Let seedMask = MGF(maskedDB, hLen).
It should say:
3. EME-OAEP decoding: a. If the label L is not provided, let L be the empty string. Let lHash = Hash(L), an octet string of length hLen (see the note in Section 7.1.1). b. Separate the encoded message EM into a single octet Y, an octet string maskedSeed of length hLen, and an octet string maskedDB of length k - hLen - 1 as EM = Y || maskedSeed || maskedDB. c. Check to see if Y is 00.
Notes:
Per <https://tools.ietf.org/html/rfc3447#page-21> the first byte of EM should be 00 so shouldn't RSAES-OAEP-DECRYPT / EME-OAEP decoding check that?
--VERIFIER NOTES--
Step g includes the check for Y = 0
If there is no octet with hexadecimal value 0x01 to separate PS
from M, if lHash does not equal lHash', or if Y is nonzero,
output "decryption error" and stop. (See the note below.)