Legacy RSA EVP_PKEY_METHOD does not support RSA_PKCS1_WITH_TLS_PADDING

[mattcaswell]

The default/fips provider RSA implementations support a new padding mode called RSA_PKCS1_WITH_TLS_PADDING. This has not been added to the legacy RSA EVP_PKEY_METHOD. However libssl now requires this padding mode to be supported. This means that any custom EVP_PKEY_METHOD for RSA that an app creates that wraps the standard EVP_PKEY_METHOD (such as is done in OpenSSL's daysnc engine) cannot be used in libssl.

This is the cause of the "unsupported padding mode" errors seen by @beldmit in #16734.

Should we attempt to fix this?

[t8m]

Should we attempt to fix this?

This is clearly a bug to be fixed. Is it a priority to fix it? I am unsure. Perhaps if we get a real bug report of an application that stopped working because of that?

[beldmit]

If we believe e_dasync is a real-world demo, we have such n application.

[bernd-edlinger]

FYI, this also affects the capi engine, as this engine is only able to handle RSA_PKCS1_PADDING
and RSA_NO_PADDING.
The latter was added in 37f4928, and when I read the commit message:

"Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable. This change fixes that.
Fixes #7131 "

So this means the capi engine is effectively unusable again.
I have no way to test that engine though.

[RobinGeffroy]

Hello.
We also encounter that issue when trying to deal with hardware key. The RSA_method were easy to use for that.

I assume the issue is not fixed yet, and there are chances it won't be, ever.
Did anyone uses the provider to implement this behavior ? The documentation only says "you should replace it by provider", with nothing more. I understand how to create the provider and different functions, but the things that I can't find is how to get application data (current set by RSA_set_ex_data(), but I don't know how to do it with the provider now).

I'll gladly discuss it with anyone who succeeded in replacing the RSA_method API.