Support RSA.PKCS1 on Apple provider about cryptography-kotlin HOT 7 CLOSED

Hey!
Thanks for raising the issue here!

First, regarding RSA in apple provider.
I will add RSA for apple provider in coming release (in several weeks, I have a prototype already in some old branch). But keep in mind, that Security Framework (where RSA is implemented out-of-the-box) have minimal support for key encoding/decoding, and until we will have some kind of ASN.1 (DER) encoder/decoder implemented in cryptography-kotlin (there is no such kind of things for Kotlin Multiplatform, yet), there will be only PKCS#1 format (it differs from standard DER/PEM encoding).
Some links for context about difference between RSA key formats:

• https://www.starkandwayne.com/blog/credhub-keysmust-be-pem-encoded-pkcs1-keys/index.html#:~:text=The%20difference%20between%20these%20two,released%20after%20PKCS%231%20chronologically.
• https://stackoverflow.com/questions/48958304/pkcs1-and-pkcs8-format-for-rsa-private-key
• https://crypto.stackexchange.com/questions/103582/confusion-over-pkcs1-and-traditional-options-with-openssl

Second, regarding Apple export regulations.
As far as I found, if you are using open source solutions (like cryptography-kotlin which is using openssl, which are both open-source) - you are falling into exemption, and so there should be no problems. Still, AFAIU you will still need to send annual (year-end) self-classification report to the US government to comply with the encryption export regulations, though, as far as I see, this step is needed even if you use standard Apple encryption, or even just do HTTPS requests - they all are treated as exemption, and so you will need only to submit this report. Looks like Google Play has the same policy for encryption, so it should be something standard (I believe).
Still, Im not a lawyer, Im not an expert in iOS development and distribution - so it's better to contact someone regarding this, even if you use Apple provided encryption.
Also, here I also have some links, which I found useful, and so may be it will be useful for you/your team. But, please look carefully, as articles/answers have rather different date of publication, and there were a lot of changes to U.S. laws (somewhen in 2016-2017), so be careful and patient:

• krzyzanowskim/CryptoSwift#928
• https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption
• https://stackoverflow.com/questions/56296001/does-apple-accept-ios-apps-with-statically-linked-openssl-in-the-app-store
• https://www.reddit.com/r/swift/comments/cyektl/am_i_exempt_from_complying_with_encryption_export/
• https://kitefaster.com/2017/08/10/encryption-export-compliance-ios-apps/
• https://medium.com/@cossacklabs/apple-export-regulations-on-crypto-6306380682e1
• https://stackoverflow.com/a/45888609
• https://docs.cossacklabs.com/themis/regulations/us-crypto-regulations/

May be this (a lot of links) is not what you expected when you've posted the question, but Im trying my best to at least understand what are the consequences of this and how it will affect end-users.

from cryptography-kotlin.

Thank you a lot for your research!
Yes, I indeed need to understand this topic far better.

from cryptography-kotlin.