Blame SOURCES/corefx-openssl-0002-Use-EVP_PKEY-for-RSA-Decrypt.patch

debe55
From 16f162f76cdbdd150487eb9824f9d8f8e39df5ca Mon Sep 17 00:00:00 2001
debe55
From: Jeremy Barton <jbarton@microsoft.com>
debe55
Date: Wed, 24 Mar 2021 10:27:42 -0700
debe55
Subject: [PATCH 02/11] Use EVP_PKEY for RSA Decrypt
debe55
debe55
---
debe55
 .../Interop.EVP.DigestAlgs.cs                 |  58 +++++
debe55
 .../Interop.EVP.cs                            |  18 +-
debe55
 .../Interop.EvpPkey.Rsa.cs                    |  37 +++
debe55
 .../Interop.EvpPkey.cs                        |   3 +
debe55
 .../Interop.Rsa.cs                            |  16 --
debe55
 .../Security/Cryptography/RSAOpenSsl.cs       | 222 ++++++++++--------
debe55
 .../apibridge.c                               |  17 ++
debe55
 .../apibridge.h                               |   1 +
debe55
 .../opensslshim.h                             |  17 +-
debe55
 .../pal_evp_pkey.c                            |   7 +
debe55
 .../pal_evp_pkey.h                            |   5 +
debe55
 .../pal_evp_pkey_rsa.c                        | 137 ++++++++++-
debe55
 .../pal_evp_pkey_rsa.h                        |  27 ++-
debe55
 .../pal_rsa.c                                 |  13 -
debe55
 .../pal_rsa.h                                 |   8 -
debe55
 .../HashProviderDispenser.Unix.cs             |  36 +--
debe55
 ...em.Security.Cryptography.Algorithms.csproj |   3 +
debe55
 ...ystem.Security.Cryptography.OpenSsl.csproj |   3 +
debe55
 18 files changed, 444 insertions(+), 184 deletions(-)
debe55
 create mode 100644 src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.DigestAlgs.cs
debe55
debe55
diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.DigestAlgs.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.DigestAlgs.cs
debe55
new file mode 100644
debe55
index 0000000000..53ef644d84
debe55
--- /dev/null
debe55
+++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.DigestAlgs.cs
debe55
@@ -0,0 +1,58 @@
debe55
+// Licensed to the .NET Foundation under one or more agreements.
debe55
+// The .NET Foundation licenses this file to you under the MIT license.
debe55
+
debe55
+using System;
debe55
+using System.Runtime.InteropServices;
debe55
+using System.Security.Cryptography;
debe55
+
debe55
+internal static partial class Interop
debe55
+{
debe55
+    internal static partial class Crypto
debe55
+    {
debe55
+        private static volatile IntPtr s_evpMd5;
debe55
+        private static volatile IntPtr s_evpSha1;
debe55
+        private static volatile IntPtr s_evpSha256;
debe55
+        private static volatile IntPtr s_evpSha384;
debe55
+        private static volatile IntPtr s_evpSha512;
debe55
+
debe55
+        [DllImport(Libraries.CryptoNative)]
debe55
+        private static extern IntPtr CryptoNative_EvpMd5();
debe55
+
debe55
+        internal static IntPtr EvpMd5() =>
debe55
+            s_evpMd5 != IntPtr.Zero ? s_evpMd5 : (s_evpMd5 = CryptoNative_EvpMd5());
debe55
+
debe55
+        [DllImport(Libraries.CryptoNative)]
debe55
+        internal static extern IntPtr CryptoNative_EvpSha1();
debe55
+
debe55
+        internal static IntPtr EvpSha1() =>
debe55
+            s_evpSha1 != IntPtr.Zero ? s_evpSha1 : (s_evpSha1 = CryptoNative_EvpSha1());
debe55
+
debe55
+        [DllImport(Libraries.CryptoNative)]
debe55
+        internal static extern IntPtr CryptoNative_EvpSha256();
debe55
+
debe55
+        internal static IntPtr EvpSha256() =>
debe55
+            s_evpSha256 != IntPtr.Zero ? s_evpSha256 : (s_evpSha256 = CryptoNative_EvpSha256());
debe55
+
debe55
+        [DllImport(Libraries.CryptoNative)]
debe55
+        internal static extern IntPtr CryptoNative_EvpSha384();
debe55
+
debe55
+        internal static IntPtr EvpSha384() =>
debe55
+            s_evpSha384 != IntPtr.Zero ? s_evpSha384 : (s_evpSha384 = CryptoNative_EvpSha384());
debe55
+
debe55
+        [DllImport(Libraries.CryptoNative)]
debe55
+        internal static extern IntPtr CryptoNative_EvpSha512();
debe55
+
debe55
+        internal static IntPtr EvpSha512() =>
debe55
+            s_evpSha512 != IntPtr.Zero ? s_evpSha512 : (s_evpSha512 = CryptoNative_EvpSha512());
debe55
+
debe55
+        internal static IntPtr HashAlgorithmToEvp(string hashAlgorithmId) => hashAlgorithmId switch
debe55
+        {
debe55
+            nameof(HashAlgorithmName.SHA1) => EvpSha1(),
debe55
+            nameof(HashAlgorithmName.SHA256) => EvpSha256(),
debe55
+            nameof(HashAlgorithmName.SHA384) => EvpSha384(),
debe55
+            nameof(HashAlgorithmName.SHA512) => EvpSha512(),
debe55
+            nameof(HashAlgorithmName.MD5) => EvpMd5(),
debe55
+            _ => throw new CryptographicException(SR.Format(SR.Cryptography_UnknownHashAlgorithm, hashAlgorithmId))
debe55
+        };
debe55
+    }
debe55
+}
debe55
diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.cs
debe55
index 67a9b54230..ea9dc5186d 100644
debe55
--- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.cs
debe55
+++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EVP.cs
debe55
@@ -4,6 +4,7 @@
debe55
 
debe55
 using System;
debe55
 using System.Runtime.InteropServices;
debe55
+using System.Security.Cryptography;
debe55
 using Microsoft.Win32.SafeHandles;
debe55
 
debe55
 internal static partial class Interop
debe55
@@ -31,23 +32,6 @@ internal static partial class Crypto
debe55
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpMdSize")]
debe55
         internal extern static int EvpMdSize(IntPtr md);
debe55
 
debe55
-
debe55
-        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpMd5")]
debe55
-        internal extern static IntPtr EvpMd5();
debe55
-
debe55
-        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpSha1")]
debe55
-        internal extern static IntPtr EvpSha1();
debe55
-
debe55
-        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpSha256")]
debe55
-        internal extern static IntPtr EvpSha256();
debe55
-
debe55
-        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpSha384")]
debe55
-        internal extern static IntPtr EvpSha384();
debe55
-
debe55
-        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpSha512")]
debe55
-        internal extern static IntPtr EvpSha512();
debe55
-
debe55
-
debe55
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetMaxMdSize")]
debe55
         private extern static int GetMaxMdSize();
debe55
 
debe55
diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.Rsa.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.Rsa.cs
debe55
index c28522784b..f023ced7f9 100644
debe55
--- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.Rsa.cs
debe55
+++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.Rsa.cs
debe55
@@ -2,6 +2,8 @@
debe55
 // The .NET Foundation licenses this file to you under the MIT license.
debe55
 // See the LICENSE file in the project root for more information.
debe55
 
debe55
+using System;
debe55
+using System.Diagnostics;
debe55
 using System.Runtime.InteropServices;
debe55
 using System.Security.Cryptography;
debe55
 using Microsoft.Win32.SafeHandles;
debe55
@@ -26,6 +28,41 @@ internal static SafeEvpPKeyHandle RsaGenerateKey(int keySize)
debe55
             return pkey;
debe55
         }
debe55
 
debe55
+        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_RsaDecrypt")]
debe55
+        private static extern int CryptoNative_RsaDecrypt(
debe55
+            SafeEvpPKeyHandle pkey,
debe55
+            ref byte source,
debe55
+            int sourceLength,
debe55
+            RSAEncryptionPaddingMode paddingMode,
debe55
+            IntPtr digestAlgorithm,
debe55
+            ref byte destination,
debe55
+            int destinationLength);
debe55
+
debe55
+        internal static int RsaDecrypt(
debe55
+            SafeEvpPKeyHandle pkey,
debe55
+            ReadOnlySpan<byte> source,
debe55
+            RSAEncryptionPaddingMode paddingMode,
debe55
+            IntPtr digestAlgorithm,
debe55
+            Span<byte> destination)
debe55
+        {
debe55
+            int written = CryptoNative_RsaDecrypt(
debe55
+                pkey,
debe55
+                ref MemoryMarshal.GetReference(source),
debe55
+                source.Length,
debe55
+                paddingMode,
debe55
+                digestAlgorithm,
debe55
+                ref MemoryMarshal.GetReference(destination),
debe55
+                destination.Length);
debe55
+
debe55
+            if (written < 0)
debe55
+            {
debe55
+                Debug.Assert(written == -1);
debe55
+                throw CreateOpenSslCryptographicException();
debe55
+            }
debe55
+
debe55
+            return written;
debe55
+        }
debe55
+
debe55
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpPkeyGetRsa")]
debe55
         internal static extern SafeRsaHandle EvpPkeyGetRsa(SafeEvpPKeyHandle pkey);
debe55
 
debe55
diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs
debe55
index 2eff6bfcd1..3ad4bc9d08 100644
debe55
--- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs
debe55
+++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs
debe55
@@ -16,6 +16,9 @@ internal static partial class Crypto
debe55
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpPkeyDestroy")]
debe55
         internal static extern void EvpPkeyDestroy(IntPtr pkey);
debe55
 
debe55
+        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpPKeySize")]
debe55
+        internal static extern int EvpPKeySize(SafeEvpPKeyHandle pkey);
debe55
+
debe55
         [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_UpRefEvpPkey")]
debe55
         internal static extern int UpRefEvpPkey(SafeEvpPKeyHandle handle);
debe55
     }
debe55
diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Rsa.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Rsa.cs
debe55
index a05f020ada..5ad534a8f2 100644
debe55
--- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Rsa.cs
debe55
+++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Rsa.cs
debe55
@@ -44,22 +44,6 @@ internal static partial class Crypto
debe55
             SafeRsaHandle rsa,
debe55
             RsaPadding padding);
debe55
 
debe55
-        internal static int RsaPrivateDecrypt(
debe55
-            int flen,
debe55
-            ReadOnlySpan<byte> from,
debe55
-            Span<byte> to,
debe55
-            SafeRsaHandle rsa,
debe55
-            RsaPadding padding) =>
debe55
-            RsaPrivateDecrypt(flen, ref MemoryMarshal.GetReference(from), ref MemoryMarshal.GetReference(to), rsa, padding);
debe55
-
debe55
-        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_RsaPrivateDecrypt")]
debe55
-        private extern static int RsaPrivateDecrypt(
debe55
-            int flen,
debe55
-            ref byte from,
debe55
-            ref byte to,
debe55
-            SafeRsaHandle rsa,
debe55
-            RsaPadding padding);
debe55
-
debe55
         internal static int RsaSignPrimitive(
debe55
             ReadOnlySpan<byte> from,
debe55
             Span<byte> to,
debe55
diff --git a/src/Common/src/System/Security/Cryptography/RSAOpenSsl.cs b/src/Common/src/System/Security/Cryptography/RSAOpenSsl.cs
debe55
index 4d4a8414b3..87e31b9dde 100644
debe55
--- a/src/Common/src/System/Security/Cryptography/RSAOpenSsl.cs
debe55
+++ b/src/Common/src/System/Security/Cryptography/RSAOpenSsl.cs
debe55
@@ -85,10 +85,9 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
debe55
             if (padding == null)
debe55
                 throw new ArgumentNullException(nameof(padding));
debe55
 
debe55
-            Interop.Crypto.RsaPadding rsaPadding = GetInteropPadding(padding, out RsaPaddingProcessor oaepProcessor);
debe55
-            SafeRsaHandle key = GetKey();
debe55
-
debe55
-            int rsaSize = Interop.Crypto.RsaSize(key);
debe55
+            ValidatePadding(padding);
debe55
+            SafeEvpPKeyHandle key = GetPKey();
debe55
+            int rsaSize = Interop.Crypto.EvpPKeySize(key);
debe55
             byte[] buf = null;
debe55
             Span<byte> destination = default;
debe55
 
debe55
@@ -97,18 +96,15 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
debe55
                 buf = CryptoPool.Rent(rsaSize);
debe55
                 destination = new Span<byte>(buf, 0, rsaSize);
debe55
 
debe55
-                if (!TryDecrypt(key, data, destination, rsaPadding, oaepProcessor, out int bytesWritten))
debe55
-                {
debe55
-                    Debug.Fail($"{nameof(TryDecrypt)} should not return false for RSA_size buffer");
debe55
-                    throw new CryptographicException();
debe55
-                }
debe55
-
debe55
+                int bytesWritten = Decrypt(key, data, destination, padding);
debe55
                 return destination.Slice(0, bytesWritten).ToArray();
debe55
             }
debe55
             finally
debe55
             {
debe55
                 CryptographicOperations.ZeroMemory(destination);
debe55
                 CryptoPool.Return(buf, clearSize: 0);
debe55
+                // Until EVP_PKEY is what gets stored, free the temporary key handle.
debe55
+                key.Dispose();
debe55
             }
debe55
         }
debe55
 
debe55
@@ -119,82 +115,73 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
debe55
             out int bytesWritten)
debe55
         {
debe55
             if (padding == null)
debe55
-            {
debe55
                 throw new ArgumentNullException(nameof(padding));
debe55
-            }
debe55
-
debe55
-            Interop.Crypto.RsaPadding rsaPadding = GetInteropPadding(padding, out RsaPaddingProcessor oaepProcessor);
debe55
-            SafeRsaHandle key = GetKey();
debe55
 
debe55
-            int keySizeBytes = Interop.Crypto.RsaSize(key);
debe55
+            ValidatePadding(padding);
debe55
+            SafeEvpPKeyHandle key = GetPKey();
debe55
+            int keySizeBytes = Interop.Crypto.EvpPKeySize(key);
debe55
 
debe55
-            // OpenSSL does not take a length value for the destination, so it can write out of bounds.
debe55
-            // To prevent the OOB write, decrypt into a temporary buffer.
debe55
+            // OpenSSL requires that the decryption buffer be at least as large as EVP_PKEY_size.
debe55
+            // So if the destination is too small, use a temporary buffer so we can match
debe55
+            // Windows behavior of succeeding so long as the buffer can hold the final output.
debe55
             if (destination.Length < keySizeBytes)
debe55
             {
debe55
-                Span<byte> tmp = stackalloc byte[0];
debe55
+                // RSA up through 4096 bits use a stackalloc
debe55
+                Span<byte> tmp = stackalloc byte[512];
debe55
                 byte[] rent = null;
debe55
 
debe55
-                // RSA up through 4096 stackalloc
debe55
-                if (keySizeBytes <= 512)
debe55
+                if (keySizeBytes > tmp.Length)
debe55
                 {
debe55
-                    tmp = stackalloc byte[keySizeBytes];
debe55
-                }
debe55
-                else
debe55
-                {
debe55
-                    rent = ArrayPool<byte>.Shared.Rent(keySizeBytes);
debe55
+                    rent = CryptoPool.Rent(keySizeBytes);
debe55
                     tmp = rent;
debe55
                 }
debe55
 
debe55
-                bool ret = TryDecrypt(key, data, tmp, rsaPadding, oaepProcessor, out bytesWritten);
debe55
+                int written = Decrypt(key, data, tmp, padding);
debe55
+                // Until EVP_PKEY is what gets stored, free the temporary key handle.
debe55
+                key.Dispose();
debe55
+                bool ret;
debe55
 
debe55
-                if (ret)
debe55
+                if (destination.Length < written)
debe55
                 {
debe55
-                    tmp = tmp.Slice(0, bytesWritten);
debe55
-
debe55
-                    if (bytesWritten > destination.Length)
debe55
-                    {
debe55
-                        ret = false;
debe55
-                        bytesWritten = 0;
debe55
-                    }
debe55
-                    else
debe55
-                    {
debe55
-                        tmp.CopyTo(destination);
debe55
-                    }
debe55
-
debe55
-                    CryptographicOperations.ZeroMemory(tmp);
debe55
+                    bytesWritten = 0;
debe55
+                    ret = false;
debe55
+                }
debe55
+                else
debe55
+                {
debe55
+                    tmp.Slice(0, written).CopyTo(destination);
debe55
+                    bytesWritten = written;
debe55
+                    ret = true;
debe55
                 }
debe55
 
debe55
+                // Whether a stackalloc or a rented array, clear our copy of
debe55
+                // the decrypted content.
debe55
+                CryptographicOperations.ZeroMemory(tmp.Slice(0, written));
debe55
+
debe55
                 if (rent != null)
debe55
                 {
debe55
-                    // Already cleared
debe55
-                    ArrayPool<byte>.Shared.Return(rent);
debe55
+                    // Already cleared.
debe55
+                    CryptoPool.Return(rent, clearSize: 0);
debe55
                 }
debe55
 
debe55
                 return ret;
debe55
             }
debe55
 
debe55
-            return TryDecrypt(key, data, destination, rsaPadding, oaepProcessor, out bytesWritten);
debe55
+            bytesWritten = Decrypt(key, data, destination, padding);
debe55
+            // Until EVP_PKEY is what gets stored, free the temporary key handle.
debe55
+            key.Dispose();
debe55
+            return true;
debe55
         }
debe55
 
debe55
-        private static bool TryDecrypt(
debe55
-            SafeRsaHandle key,
debe55
+        private static int Decrypt(
debe55
+            SafeEvpPKeyHandle key,
debe55
             ReadOnlySpan<byte> data,
debe55
             Span<byte> destination,
debe55
-            Interop.Crypto.RsaPadding rsaPadding,
debe55
-            RsaPaddingProcessor rsaPaddingProcessor,
debe55
-            out int bytesWritten)
debe55
+            RSAEncryptionPadding padding)
debe55
         {
debe55
-            // If rsaPadding is PKCS1 or OAEP-SHA1 then no depadding method should be present.
debe55
-            // If rsaPadding is NoPadding then a depadding method should be present.
debe55
-            Debug.Assert(
debe55
-                (rsaPadding == Interop.Crypto.RsaPadding.NoPadding) ==
debe55
-                (rsaPaddingProcessor != null));
debe55
-
debe55
             // Caller should have already checked this.
debe55
             Debug.Assert(!key.IsInvalid);
debe55
 
debe55
-            int rsaSize = Interop.Crypto.RsaSize(key);
debe55
+            int rsaSize = Interop.Crypto.EvpPKeySize(key);
debe55
 
debe55
             if (data.Length != rsaSize)
debe55
             {
debe55
@@ -203,50 +190,24 @@ public override byte[] Decrypt(byte[] data, RSAEncryptionPadding padding)
debe55
 
debe55
             if (destination.Length < rsaSize)
debe55
             {
debe55
-                bytesWritten = 0;
debe55
-                return false;
debe55
+                Debug.Fail("Caller is responsible for temporary decryption buffer creation");
debe55
+                throw new CryptographicException();
debe55
             }
debe55
 
debe55
-            Span<byte> decryptBuf = destination;
debe55
-            byte[] paddingBuf = null;
debe55
+            IntPtr hashAlgorithm = IntPtr.Zero;
debe55
 
debe55
-            if (rsaPaddingProcessor != null)
debe55
+            if (padding.Mode == RSAEncryptionPaddingMode.Oaep)
debe55
             {
debe55
-                paddingBuf = CryptoPool.Rent(rsaSize);
debe55
-                decryptBuf = paddingBuf;
debe55
+                Debug.Assert(padding.OaepHashAlgorithm.Name != null);
debe55
+                hashAlgorithm = Interop.Crypto.HashAlgorithmToEvp(padding.OaepHashAlgorithm.Name);
debe55
             }
debe55
 
debe55
-            try
debe55
-            {
debe55
-                int returnValue = Interop.Crypto.RsaPrivateDecrypt(data.Length, data, decryptBuf, key, rsaPadding);
debe55
-                CheckReturn(returnValue);
debe55
-
debe55
-                if (rsaPaddingProcessor != null)
debe55
-                {
debe55
-                    return rsaPaddingProcessor.DepadOaep(paddingBuf, destination, out bytesWritten);
debe55
-                }
debe55
-                else
debe55
-                {
debe55
-                    // If the padding mode is RSA_NO_PADDING then the size of the decrypted block
debe55
-                    // will be RSA_size. If any padding was used, then some amount (determined by the padding algorithm)
debe55
-                    // will have been reduced, and only returnValue bytes were part of the decrypted
debe55
-                    // body.  Either way, we can just use returnValue, but some additional bytes may have been overwritten
debe55
-                    // in the destination span.
debe55
-                    bytesWritten = returnValue;
debe55
-                }
debe55
-
debe55
-                return true;
debe55
-            }
debe55
-            finally
debe55
-            {
debe55
-                if (paddingBuf != null)
debe55
-                {
debe55
-                    // DecryptBuf is paddingBuf if paddingBuf is not null, erase it before returning it.
debe55
-                    // If paddingBuf IS null then decryptBuf was destination, and shouldn't be cleared.
debe55
-                    CryptographicOperations.ZeroMemory(decryptBuf);
debe55
-                    CryptoPool.Return(paddingBuf, clearSize: 0);
debe55
-                }
debe55
-            }
debe55
+            return Interop.Crypto.RsaDecrypt(
debe55
+                key,
debe55
+                data,
debe55
+                padding.Mode,
debe55
+                hashAlgorithm,
debe55
+                destination);
debe55
         }
debe55
 
debe55
         public override byte[] Encrypt(byte[] data, RSAEncryptionPadding padding)
debe55
@@ -550,6 +511,30 @@ private void ThrowIfDisposed()
debe55
             }
debe55
         }
debe55
 
debe55
+        private SafeEvpPKeyHandle GetPKey()
debe55
+        {
debe55
+            SafeRsaHandle currentKey = GetKey();
debe55
+            SafeEvpPKeyHandle pkeyHandle = Interop.Crypto.EvpPkeyCreate();
debe55
+
debe55
+            try
debe55
+            {
debe55
+                // Wrapping our key in an EVP_PKEY will up_ref our key.
debe55
+                // When the EVP_PKEY is Disposed it will down_ref the key.
debe55
+                // So everything should be copacetic.
debe55
+                if (!Interop.Crypto.EvpPkeySetRsa(pkeyHandle, currentKey))
debe55
+                {
debe55
+                    throw Interop.Crypto.CreateOpenSslCryptographicException();
debe55
+                }
debe55
+            }
debe55
+            catch
debe55
+            {
debe55
+                pkeyHandle.Dispose();
debe55
+                throw;
debe55
+            }
debe55
+
debe55
+            return pkeyHandle;
debe55
+        }
debe55
+
debe55
         private SafeRsaHandle GetKey()
debe55
         {
debe55
             ThrowIfDisposed();    
debe55
@@ -843,6 +828,55 @@ private static int GetAlgorithmNid(HashAlgorithmName hashAlgorithmName)
debe55
             return nid;
debe55
         }
debe55
 
debe55
+        private static void ValidatePadding(RSAEncryptionPadding padding)
debe55
+        {
debe55
+            if (padding == null)
debe55
+            {
debe55
+                throw new ArgumentNullException(nameof(padding));
debe55
+            }
debe55
+
debe55
+            // There are currently two defined padding modes:
debe55
+            // * Oaep has an option (the hash algorithm)
debe55
+            // * Pkcs1 has no options
debe55
+            //
debe55
+            // Anything other than those to modes is an error,
debe55
+            // and Pkcs1 having options set is an error, so compare it to
debe55
+            // the padding struct instead of the padding mode enum.
debe55
+            if (padding.Mode != RSAEncryptionPaddingMode.Oaep &&
debe55
+                padding != RSAEncryptionPadding.Pkcs1)
debe55
+            {
debe55
+                throw PaddingModeNotSupported();
debe55
+            }
debe55
+        }
debe55
+
debe55
+        private static void ValidatePadding(RSASignaturePadding padding)
debe55
+        {
debe55
+            if (padding == null)
debe55
+            {
debe55
+                throw new ArgumentNullException(nameof(padding));
debe55
+            }
debe55
+
debe55
+            // RSASignaturePadding currently only has the mode property, so
debe55
+            // there's no need for a runtime check that PKCS#1 doesn't use
debe55
+            // nonsensical options like with RSAEncryptionPadding.
debe55
+            //
debe55
+            // This would change if we supported PSS with an MGF other than MGF-1,
debe55
+            // or with a custom salt size, or with a different MGF digest algorithm
debe55
+            // than the data digest algorithm.
debe55
+            if (padding.Mode == RSASignaturePaddingMode.Pkcs1)
debe55
+            {
debe55
+                Debug.Assert(padding == RSASignaturePadding.Pkcs1);
debe55
+            }
debe55
+            else if (padding.Mode == RSASignaturePaddingMode.Pss)
debe55
+            {
debe55
+                Debug.Assert(padding == RSASignaturePadding.Pss);
debe55
+            }
debe55
+            else
debe55
+            {
debe55
+                throw PaddingModeNotSupported();
debe55
+            }
debe55
+        }
debe55
+
debe55
         private static Exception PaddingModeNotSupported() =>
debe55
             new CryptographicException(SR.Cryptography_InvalidPaddingMode);
debe55
 
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/apibridge.c b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.c
debe55
index def7198deb..ff71105837 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/apibridge.c
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.c
debe55
@@ -258,6 +258,23 @@ int32_t local_DSA_set0_key(DSA* dsa, BIGNUM* bnY, BIGNUM* bnX)
debe55
     return 1;
debe55
 }
debe55
 
debe55
+RSA* local_EVP_PKEY_get0_RSA(EVP_PKEY* pkey)
debe55
+{
debe55
+    if (pkey == NULL)
debe55
+    {
debe55
+        return NULL;
debe55
+    }
debe55
+
debe55
+    RSA* rsa = EVP_PKEY_get1_RSA(pkey);
debe55
+
debe55
+    if (rsa != NULL)
debe55
+    {
debe55
+        RSA_free(rsa);
debe55
+    }
debe55
+
debe55
+    return rsa;
debe55
+}
debe55
+
debe55
 int32_t local_EVP_PKEY_up_ref(EVP_PKEY* pkey)
debe55
 {
debe55
     if (!pkey)
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/apibridge.h b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.h
debe55
index b58611ae73..e1315499f3 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/apibridge.h
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.h
debe55
@@ -15,6 +15,7 @@ int32_t local_DSA_set0_pqg(DSA* dsa, BIGNUM* bnP, BIGNUM* bnQ, BIGNUM* bnG);
debe55
 void local_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx);
debe55
 EVP_CIPHER_CTX* local_EVP_CIPHER_CTX_new(void);
debe55
 int32_t local_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx);
debe55
+RSA* local_EVP_PKEY_get0_RSA(EVP_PKEY* pkey);
debe55
 int32_t local_EVP_PKEY_up_ref(EVP_PKEY* pkey);
debe55
 void local_HMAC_CTX_free(HMAC_CTX* ctx);
debe55
 HMAC_CTX* local_HMAC_CTX_new(void);
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
debe55
index dff6091e9e..47cb142d25 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
debe55
@@ -128,6 +128,7 @@ EVP_CIPHER_CTX* EVP_CIPHER_CTX_new(void);
debe55
 int32_t EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx);
debe55
 void EVP_MD_CTX_free(EVP_MD_CTX* ctx);
debe55
 EVP_MD_CTX* EVP_MD_CTX_new(void);
debe55
+RSA* EVP_PKEY_get0_RSA(EVP_PKEY* pkey);
debe55
 int32_t EVP_PKEY_up_ref(EVP_PKEY* pkey);
debe55
 void HMAC_CTX_free(HMAC_CTX* ctx);
debe55
 HMAC_CTX* HMAC_CTX_new(void);
debe55
@@ -178,6 +179,12 @@ int32_t X509_up_ref(X509* x509);
debe55
 #define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
debe55
     RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
debe55
 
debe55
+#undef EVP_PKEY_CTX_set_rsa_padding
debe55
+#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
debe55
+    RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, pad, NULL)
debe55
+
debe55
+// EVP_PKEY_CTX_set_rsa_oaep_md doesn't call RSA_pkey_ctx_ctrl in 1.1, so don't redefine it here.
debe55
+
debe55
 #endif
debe55
 
debe55
 #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_0_2_RTM
debe55
@@ -355,10 +362,13 @@ void SSL_get0_alpn_selected(const SSL* ssl, const unsigned char** protocol, unsi
debe55
     REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_CTX_new_id) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_base_id) \
debe55
+    REQUIRED_FUNCTION(EVP_PKEY_decrypt) \
debe55
+    REQUIRED_FUNCTION(EVP_PKEY_decrypt_init) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_derive_set_peer) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_derive_init) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_derive) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_free) \
debe55
+    FALLBACK_FUNCTION(EVP_PKEY_get0_RSA) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_get1_DSA) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_get1_EC_KEY) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_get1_RSA) \
debe55
@@ -368,6 +378,7 @@ void SSL_get0_alpn_selected(const SSL* ssl, const unsigned char** protocol, unsi
debe55
     REQUIRED_FUNCTION(EVP_PKEY_set1_DSA) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_set1_EC_KEY) \
debe55
     REQUIRED_FUNCTION(EVP_PKEY_set1_RSA) \
debe55
+    REQUIRED_FUNCTION(EVP_PKEY_size) \
debe55
     FALLBACK_FUNCTION(EVP_PKEY_up_ref) \
debe55
     REQUIRED_FUNCTION(EVP_rc2_cbc) \
debe55
     REQUIRED_FUNCTION(EVP_rc2_ecb) \
debe55
@@ -448,7 +459,6 @@ void SSL_get0_alpn_selected(const SSL* ssl, const unsigned char** protocol, unsi
debe55
     REQUIRED_FUNCTION(RSA_new) \
debe55
     FALLBACK_FUNCTION(RSA_pkey_ctx_ctrl) \
debe55
     RENAMED_FUNCTION(RSA_PKCS1_OpenSSL, RSA_PKCS1_SSLeay) \
debe55
-    REQUIRED_FUNCTION(RSA_private_decrypt) \
debe55
     REQUIRED_FUNCTION(RSA_private_encrypt) \
debe55
     REQUIRED_FUNCTION(RSA_public_decrypt) \
debe55
     REQUIRED_FUNCTION(RSA_public_encrypt) \
debe55
@@ -748,10 +758,13 @@ FOR_ALL_OPENSSL_FUNCTIONS
debe55
 #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
debe55
 #define EVP_PKEY_CTX_new_id EVP_PKEY_CTX_new_id_ptr
debe55
 #define EVP_PKEY_base_id EVP_PKEY_base_id_ptr
debe55
+#define EVP_PKEY_decrypt_init EVP_PKEY_decrypt_init_ptr
debe55
+#define EVP_PKEY_decrypt EVP_PKEY_decrypt_ptr
debe55
 #define EVP_PKEY_derive_set_peer EVP_PKEY_derive_set_peer_ptr
debe55
 #define EVP_PKEY_derive_init EVP_PKEY_derive_init_ptr
debe55
 #define EVP_PKEY_derive EVP_PKEY_derive_ptr
debe55
 #define EVP_PKEY_free EVP_PKEY_free_ptr
debe55
+#define EVP_PKEY_get0_RSA EVP_PKEY_get0_RSA_ptr
debe55
 #define EVP_PKEY_get1_DSA EVP_PKEY_get1_DSA_ptr
debe55
 #define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEY_ptr
debe55
 #define EVP_PKEY_get1_RSA EVP_PKEY_get1_RSA_ptr
debe55
@@ -761,6 +774,7 @@ FOR_ALL_OPENSSL_FUNCTIONS
debe55
 #define EVP_PKEY_set1_DSA EVP_PKEY_set1_DSA_ptr
debe55
 #define EVP_PKEY_set1_EC_KEY EVP_PKEY_set1_EC_KEY_ptr
debe55
 #define EVP_PKEY_set1_RSA EVP_PKEY_set1_RSA_ptr
debe55
+#define EVP_PKEY_size EVP_PKEY_size_ptr
debe55
 #define EVP_PKEY_up_ref EVP_PKEY_up_ref_ptr
debe55
 #define EVP_rc2_cbc EVP_rc2_cbc_ptr
debe55
 #define EVP_rc2_ecb EVP_rc2_ecb_ptr
debe55
@@ -841,7 +855,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
debe55
 #define RSA_new RSA_new_ptr
debe55
 #define RSA_pkey_ctx_ctrl RSA_pkey_ctx_ctrl_ptr
debe55
 #define RSA_PKCS1_OpenSSL RSA_PKCS1_OpenSSL_ptr
debe55
-#define RSA_private_decrypt RSA_private_decrypt_ptr
debe55
 #define RSA_private_encrypt RSA_private_encrypt_ptr
debe55
 #define RSA_public_decrypt RSA_public_decrypt_ptr
debe55
 #define RSA_public_encrypt RSA_public_encrypt_ptr
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.c b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.c
debe55
index 4d479dde6c..f232b382ea 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.c
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.c
debe55
@@ -2,6 +2,7 @@
debe55
 // The .NET Foundation licenses this file to you under the MIT license.
debe55
 // See the LICENSE file in the project root for more information.
debe55
 
debe55
+#include <assert.h>
debe55
 #include "pal_evp_pkey.h"
debe55
 
debe55
 EVP_PKEY* CryptoNative_EvpPkeyCreate()
debe55
@@ -17,6 +18,12 @@ void CryptoNative_EvpPkeyDestroy(EVP_PKEY* pkey)
debe55
     }
debe55
 }
debe55
 
debe55
+int32_t CryptoNative_EvpPKeySize(EVP_PKEY* pkey)
debe55
+{
debe55
+    assert(pkey != NULL);
debe55
+    return EVP_PKEY_size(pkey);
debe55
+}
debe55
+
debe55
 int32_t CryptoNative_UpRefEvpPkey(EVP_PKEY* pkey)
debe55
 {
debe55
     if (!pkey)
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.h
debe55
index 7baf997d8d..750282efdb 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.h
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.h
debe55
@@ -24,6 +24,11 @@ Always succeeds.
debe55
 */
debe55
 DLLEXPORT void CryptoNative_EvpPkeyDestroy(EVP_PKEY* pkey);
debe55
 
debe55
+/*
debe55
+Returns the maximum size, in bytes, of an operation with the provided key.
debe55
+*/
debe55
+DLLEXPORT int32_t CryptoNative_EvpPKeySize(EVP_PKEY* pkey);
debe55
+
debe55
 /*
debe55
 Used by System.Security.Cryptography.X509Certificates' OpenSslX509CertificateReader when
debe55
 duplicating a private key context as part of duplicating the Pal object.
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
debe55
index 29f9238ce9..6235c905db 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
debe55
@@ -3,6 +3,10 @@
debe55
 // See the LICENSE file in the project root for more information.
debe55
 
debe55
 #include "pal_evp_pkey_rsa.h"
debe55
+#include "pal_utilities.h"
debe55
+#include <assert.h>
debe55
+
debe55
+static int HasNoPrivateKey(RSA* rsa);
debe55
 
debe55
 EVP_PKEY* CryptoNative_RsaGenerateKey(int keySize)
debe55
 {
debe55
@@ -16,8 +20,7 @@ EVP_PKEY* CryptoNative_RsaGenerateKey(int keySize)
debe55
     EVP_PKEY* pkey = NULL;
debe55
     EVP_PKEY* ret = NULL;
debe55
 
debe55
-    if (EVP_PKEY_keygen_init(ctx) == 1 &&
debe55
-        EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, keySize) == 1 &&
debe55
+    if (EVP_PKEY_keygen_init(ctx) == 1 && EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, keySize) == 1 &&
debe55
         EVP_PKEY_keygen(ctx, &pkey) == 1)
debe55
     {
debe55
         ret = pkey;
debe55
@@ -33,6 +36,82 @@ EVP_PKEY* CryptoNative_RsaGenerateKey(int keySize)
debe55
     return ret;
debe55
 }
debe55
 
debe55
+int32_t CryptoNative_RsaDecrypt(EVP_PKEY* pkey,
debe55
+                                const uint8_t* source,
debe55
+                                int32_t sourceLen,
debe55
+                                RsaPaddingMode padding,
debe55
+                                const EVP_MD* digest,
debe55
+                                uint8_t* destination,
debe55
+                                int32_t destinationLen)
debe55
+{
debe55
+    assert(pkey != NULL);
debe55
+    assert(source != NULL);
debe55
+    assert(destination != NULL);
debe55
+    assert(padding >= RsaPaddingPkcs1 && padding <= RsaPaddingOaepOrPss);
debe55
+    assert(digest != NULL || padding == RsaPaddingPkcs1);
debe55
+
debe55
+    EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(pkey, NULL);
debe55
+
debe55
+    int ret = -1;
debe55
+
debe55
+    if (ctx == NULL || EVP_PKEY_decrypt_init(ctx) <= 0)
debe55
+    {
debe55
+        goto done;
debe55
+    }
debe55
+
debe55
+    if (padding == RsaPaddingPkcs1)
debe55
+    {
debe55
+        if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
debe55
+        {
debe55
+            goto done;
debe55
+        }
debe55
+    }
debe55
+    else
debe55
+    {
debe55
+        assert(padding == RsaPaddingOaepOrPss);
debe55
+
debe55
+        if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
debe55
+        {
debe55
+            goto done;
debe55
+        }
debe55
+
debe55
+#pragma clang diagnostic push
debe55
+#pragma clang diagnostic ignored "-Wcast-qual"
debe55
+        if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, digest) <= 0)
debe55
+#pragma clang diagnostic pop
debe55
+        {
debe55
+            goto done;
debe55
+        }
debe55
+    }
debe55
+
debe55
+    // This check may no longer be needed on OpenSSL 3.0
debe55
+    {
debe55
+        RSA* rsa = EVP_PKEY_get0_RSA(pkey);
debe55
+
debe55
+        if (rsa == NULL || HasNoPrivateKey(rsa))
debe55
+        {
debe55
+            ERR_PUT_error(ERR_LIB_RSA, RSA_F_RSA_NULL_PRIVATE_DECRYPT, RSA_R_VALUE_MISSING, __FILE__, __LINE__);
debe55
+            ret = -1;
debe55
+            goto done;
debe55
+        }
debe55
+    }
debe55
+
debe55
+    size_t written = Int32ToSizeT(destinationLen);
debe55
+
debe55
+    if (EVP_PKEY_decrypt(ctx, destination, &written, source, Int32ToSizeT(sourceLen)) > 0)
debe55
+    {
debe55
+        ret = SizeTToInt32(written);
debe55
+    }
debe55
+
debe55
+done:
debe55
+    if (ctx != NULL)
debe55
+    {
debe55
+        EVP_PKEY_CTX_free(ctx);
debe55
+    }
debe55
+
debe55
+    return ret;
debe55
+}
debe55
+
debe55
 RSA* CryptoNative_EvpPkeyGetRsa(EVP_PKEY* pkey)
debe55
 {
debe55
     return EVP_PKEY_get1_RSA(pkey);
debe55
@@ -42,3 +121,57 @@ int32_t CryptoNative_EvpPkeySetRsa(EVP_PKEY* pkey, RSA* rsa)
debe55
 {
debe55
     return EVP_PKEY_set1_RSA(pkey, rsa);
debe55
 }
debe55
+
debe55
+static int HasNoPrivateKey(RSA* rsa)
debe55
+{
debe55
+    if (rsa == NULL)
debe55
+        return 1;
debe55
+
debe55
+    // Shared pointer, don't free.
debe55
+    const RSA_METHOD* meth = RSA_get_method(rsa);
debe55
+
debe55
+    // The method has descibed itself as having the private key external to the structure.
debe55
+    // That doesn't mean it's actually present, but we can't tell.
debe55
+#pragma clang diagnostic push
debe55
+#pragma clang diagnostic ignored "-Wcast-qual"
debe55
+    if (RSA_meth_get_flags((RSA_METHOD*)meth) & RSA_FLAG_EXT_PKEY)
debe55
+#pragma clang diagnostic pop
debe55
+    {
debe55
+        return 0;
debe55
+    }
debe55
+
debe55
+    // In the event that there's a middle-ground where we report failure when success is expected,
debe55
+    // one could do something like check if the RSA_METHOD intercepts all private key operations:
debe55
+    //
debe55
+    // * meth->rsa_priv_enc
debe55
+    // * meth->rsa_priv_dec
debe55
+    // * meth->rsa_sign (in 1.0.x this is only respected if the RSA_FLAG_SIGN_VER flag is asserted)
debe55
+    //
debe55
+    // But, for now, leave it at the EXT_PKEY flag test.
debe55
+
debe55
+    // The module is documented as accepting either d or the full set of CRT parameters (p, q, dp, dq, qInv)
debe55
+    // So if we see d, we're good. Otherwise, if any of the rest are missing, we're public-only.
debe55
+    const BIGNUM* d;
debe55
+    RSA_get0_key(rsa, NULL, NULL, &d);
debe55
+
debe55
+    if (d != NULL)
debe55
+    {
debe55
+        return 0;
debe55
+    }
debe55
+
debe55
+    const BIGNUM* p;
debe55
+    const BIGNUM* q;
debe55
+    const BIGNUM* dmp1;
debe55
+    const BIGNUM* dmq1;
debe55
+    const BIGNUM* iqmp;
debe55
+
debe55
+    RSA_get0_factors(rsa, &p, &q);
debe55
+    RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
debe55
+
debe55
+    if (p == NULL || q == NULL || dmp1 == NULL || dmq1 == NULL || iqmp == NULL)
debe55
+    {
debe55
+        return 1;
debe55
+    }
debe55
+
debe55
+    return 0;
debe55
+}
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.h
debe55
index 1fda149414..d220065adf 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.h
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.h
debe55
@@ -2,15 +2,38 @@
debe55
 // The .NET Foundation licenses this file to you under the MIT license.
debe55
 // See the LICENSE file in the project root for more information.
debe55
 
debe55
-#include "pal_types.h"
debe55
-#include "pal_compiler.h"
debe55
 #include "opensslshim.h"
debe55
+#include "pal_compiler.h"
debe55
+#include "pal_types.h"
debe55
+
debe55
+/*
debe55
+Padding options for RSA.
debe55
+Matches RSAEncryptionPaddingMode / RSASignaturePaddingMode.
debe55
+*/
debe55
+typedef enum
debe55
+{
debe55
+    RsaPaddingPkcs1,
debe55
+    RsaPaddingOaepOrPss,
debe55
+} RsaPaddingMode;
debe55
 
debe55
 /*
debe55
 Creates an RSA key of the requested size.
debe55
 */
debe55
 DLLEXPORT EVP_PKEY* CryptoNative_RsaGenerateKey(int32_t keySize);
debe55
 
debe55
+/*
debe55
+Decrypt source into destination using the specified RSA key (wrapped in an EVP_PKEY) and padding/digest options.
debe55
+
debe55
+Returns the number of bytes written to destination, -1 on error.
debe55
+*/
debe55
+DLLEXPORT int32_t CryptoNative_RsaDecrypt(EVP_PKEY* pkey,
debe55
+                                          const uint8_t* source,
debe55
+                                          int32_t sourceLen,
debe55
+                                          RsaPaddingMode padding,
debe55
+                                          const EVP_MD* digest,
debe55
+                                          uint8_t* destination,
debe55
+                                          int32_t destinationLen);
debe55
+
debe55
 /*
debe55
 Shims the EVP_PKEY_get1_RSA method.
debe55
 
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c
debe55
index 080027de0e..0c635dfca7 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c
debe55
@@ -109,19 +109,6 @@ CryptoNative_RsaPublicEncrypt(int32_t flen, const uint8_t* from, uint8_t* to, RS
debe55
     return RSA_public_encrypt(flen, from, to, rsa, openSslPadding);
debe55
 }
debe55
 
debe55
-int32_t
debe55
-CryptoNative_RsaPrivateDecrypt(int32_t flen, const uint8_t* from, uint8_t* to, RSA* rsa, RsaPadding padding)
debe55
-{
debe55
-    if (HasNoPrivateKey(rsa))
debe55
-    {
debe55
-        ERR_PUT_error(ERR_LIB_RSA, RSA_F_RSA_NULL_PRIVATE_DECRYPT, RSA_R_VALUE_MISSING, __FILE__, __LINE__);
debe55
-        return -1;
debe55
-    }
debe55
-
debe55
-    int openSslPadding = GetOpenSslPadding(padding);
debe55
-    return RSA_private_decrypt(flen, from, to, rsa, openSslPadding);
debe55
-}
debe55
-
debe55
 int32_t CryptoNative_RsaSignPrimitive(int32_t flen, const uint8_t* from, uint8_t* to, RSA* rsa)
debe55
 {
debe55
     if (HasNoPrivateKey(rsa))
debe55
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h
debe55
index 1c0bc2df47..30d7d9fa59 100644
debe55
--- a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h
debe55
+++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h
debe55
@@ -55,14 +55,6 @@ Returns the size of the signature, or -1 on error.
debe55
 DLLEXPORT int32_t
debe55
 CryptoNative_RsaPublicEncrypt(int32_t flen, const uint8_t* from, uint8_t* to, RSA* rsa, RsaPadding padding);
debe55
 
debe55
-/*
debe55
-Shims the RSA_private_decrypt method.
debe55
-
debe55
-Returns the size of the signature, or -1 on error.
debe55
-*/
debe55
-DLLEXPORT int32_t
debe55
-CryptoNative_RsaPrivateDecrypt(int32_t flen, const uint8_t* from, uint8_t* to, RSA* rsa, RsaPadding padding);
debe55
-
debe55
 /*
debe55
 Shims RSA_private_encrypt with a fixed value of RSA_NO_PADDING.
debe55
 
debe55
diff --git a/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/HashProviderDispenser.Unix.cs b/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/HashProviderDispenser.Unix.cs
debe55
index ff8e91e7c9..589ff882bf 100644
debe55
--- a/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/HashProviderDispenser.Unix.cs
debe55
+++ b/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/HashProviderDispenser.Unix.cs
debe55
@@ -12,40 +12,16 @@ namespace Internal.Cryptography
debe55
 {
debe55
     internal static partial class HashProviderDispenser
debe55
     {
debe55
-        public static HashProvider CreateHashProvider(string hashAlgorithmId)
debe55
+        internal static HashProvider CreateHashProvider(string hashAlgorithmId)
debe55
         {
debe55
-            switch (hashAlgorithmId)
debe55
-            {
debe55
-                case HashAlgorithmNames.SHA1:
debe55
-                    return new EvpHashProvider(Interop.Crypto.EvpSha1());
debe55
-                case HashAlgorithmNames.SHA256:
debe55
-                    return new EvpHashProvider(Interop.Crypto.EvpSha256());
debe55
-                case HashAlgorithmNames.SHA384:
debe55
-                    return new EvpHashProvider(Interop.Crypto.EvpSha384());
debe55
-                case HashAlgorithmNames.SHA512:
debe55
-                    return new EvpHashProvider(Interop.Crypto.EvpSha512());
debe55
-                case HashAlgorithmNames.MD5:
debe55
-                    return new EvpHashProvider(Interop.Crypto.EvpMd5());
debe55
-            }
debe55
-            throw new CryptographicException(SR.Format(SR.Cryptography_UnknownHashAlgorithm, hashAlgorithmId));
debe55
+            IntPtr evpType = Interop.Crypto.HashAlgorithmToEvp(hashAlgorithmId);
debe55
+            return new EvpHashProvider(evpType);
debe55
         }
debe55
 
debe55
-        public static unsafe HashProvider CreateMacProvider(string hashAlgorithmId, byte[] key)
debe55
+        internal static unsafe HashProvider CreateMacProvider(string hashAlgorithmId, byte[] key)
debe55
         {
debe55
-            switch (hashAlgorithmId)
debe55
-            {
debe55
-                case HashAlgorithmNames.SHA1:
debe55
-                    return new HmacHashProvider(Interop.Crypto.EvpSha1(), key);
debe55
-                case HashAlgorithmNames.SHA256:
debe55
-                    return new HmacHashProvider(Interop.Crypto.EvpSha256(), key);
debe55
-                case HashAlgorithmNames.SHA384:
debe55
-                    return new HmacHashProvider(Interop.Crypto.EvpSha384(), key);
debe55
-                case HashAlgorithmNames.SHA512:
debe55
-                    return new HmacHashProvider(Interop.Crypto.EvpSha512(), key);
debe55
-                case HashAlgorithmNames.MD5:
debe55
-                    return new HmacHashProvider(Interop.Crypto.EvpMd5(), key);
debe55
-            }
debe55
-            throw new CryptographicException(SR.Format(SR.Cryptography_UnknownHashAlgorithm, hashAlgorithmId));
debe55
+            IntPtr evpType = Interop.Crypto.HashAlgorithmToEvp(hashAlgorithmId);
debe55
+            return new HmacHashProvider(evpType, key);
debe55
         }
debe55
 
debe55
         // -----------------------------
debe55
diff --git a/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj b/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj
debe55
index 6ad2b78e01..c6e8b5b69a 100644
debe55
--- a/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj
debe55
+++ b/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj
debe55
@@ -513,6 +513,9 @@
debe55
     <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.EVP.cs">
debe55
       <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.EVP.cs</Link>
debe55
     </Compile>
debe55
+    <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.EVP.DigestAlgs.cs">
debe55
+      <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.EVP.DigestAlgs.cs</Link>
debe55
+    </Compile>
debe55
     <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.Hmac.cs">
debe55
       <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.Hmac.cs</Link>
debe55
     </Compile>
debe55
diff --git a/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj b/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj
debe55
index 17ab176ec2..dbbc4848e8 100644
debe55
--- a/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj
debe55
+++ b/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj
debe55
@@ -57,6 +57,9 @@
debe55
     <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.ERR.cs">
debe55
       <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.ERR.cs</Link>
debe55
     </Compile>
debe55
+    <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.EVP.DigestAlgs.cs">
debe55
+      <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.EVP.DigestAlgs.cs</Link>
debe55
+    </Compile>
debe55
     <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.EvpPkey.cs">
debe55
       <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.EvpPkey.cs</Link>
debe55
     </Compile>
debe55
-- 
debe55
2.31.1
debe55