[New in v23.0] The RSA Key Encapsulation Mechanism (RSA-KEM) Algorithm is a one-pass (store-and-forward) cryptographic mechanism for an originator to securely send keying material to a recipient using the recipient's RSA public key. ("KEM" stands for "key encapsulation mechanism".)
Using the RSA-KEM Algorithm with the Cryptographic Message Syntax (CMS) is described in [RFC5990bis]. It makes use of the KEMRecipientInfo structure as specified in [RFC9629] as part of a CMS OtherRecipientInfo ("ori") type.
RSA-KEM provides higher security assurance than traditional uses of the RSA algorithm (e.g. RSAES-PKCS1-v1_5) because the input to the underlying RSA operation is a random integer without any structure that can be exploited, and the input is independent of the keying data so the result of the RSA decryption operation is not directly available to an adversary.
This Toolkit supports RSA-KEM using KEMRecipientInfo with key derivation functions KDF2, KDF3 and HKDF; key-wrap algorithms aes*-wrap (where * is 128, 192 or 256) and hash functions SHA-* (where * is 256, 384 or 512). To use, call CMS_MakeEnvData with the option flag PKI_CMS_RSA_KEM. The default options are KDF3 with aes128-wrap and SHA-256. Triple-DES and SHA-1 are not supported for this implementation of RSA-KEM.