I have a project where I'd like to use public-key cryptography in both typical sign/verify situations and encrypt/decrypt situations. For example, I'd like to create a self-signed X.509 certificate for Bob (certificate request containing PubK.bob, signed by PrivK.bob to form Certificate.bob), and I'd also like to conduct transactions like:
Alice selects document key DocK, encrypts document DocK[document], computes PubK.bob[DocK], and sends PubK.bob[DocK] to Bob.
Bob uses PrivK.bob to recover DocK from PubK.bob[DocK], then decrypts DocK[document] to receive document from Alice.
However, the RSA keys that can be generated by crypto.subtle.generateKey (RSASSA-PKCS1-v1_5, RSA-PSS and RSA-OAEP) can only be used for either ['sign','verify'] or ['encrypt','decrypt'] -- if you try to generate a key with all four usages, you get "Cannot create a key using the specified key usages."
Is there a subtle crypto reason not to use a single RSA keypair for both sign/verify and encrypt/decrypt operations?
Is there a standard way of dealing with this? A good way of doing it using WebCrypto? (I can imagine putting an encrypt-capable public key into Bob's certificate, along with the verify-capable one, but that seems redundant, and also makes my certificates a little different from what other certificate-management tools are used to dealing with.)
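The transaction described in the question, written against WebCrypto with an RSA-OAEP key pair limited to ['encrypt','decrypt'], plus a check that the four-usage request is rejected. This is an added example, not part of the original post; AES-GCM as the cipher for DocK, the 2048-bit/SHA-256 RSA parameters and all function names are assumptions.

```javascript
// Added example, not from the original post. Assumed: AES-GCM for DocK,
// RSA-OAEP 2048/SHA-256 for Bob, and all function names.
const getCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto;
const RSA = { modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };

// True when generateKey rejects the four-usage mix, as the post reports.
async function mixedUsagesRejected() {
  const { subtle } = await getCrypto();
  try {
    await subtle.generateKey({ name: 'RSA-OAEP', ...RSA }, false,
      ['sign', 'verify', 'encrypt', 'decrypt']);
    return false;
  } catch {
    return true;
  }
}

// Alice: select DocK, compute DocK[document] and PubK.bob[DocK].
async function aliceSend(bobPublicKey, text) {
  const wc = await getCrypto();
  const docK = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per document
  const encDoc = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, docK, new TextEncoder().encode(text));
  const rawDocK = await wc.subtle.exportKey('raw', docK);
  const encDocK = await wc.subtle.encrypt({ name: 'RSA-OAEP' }, bobPublicKey, rawDocK);
  return { iv, encDoc, encDocK };
}

// Bob: recover DocK with PrivK.bob, then decrypt DocK[document].
async function bobReceive(bobPrivateKey, { iv, encDoc, encDocK }) {
  const { subtle } = await getCrypto();
  const rawDocK = await subtle.decrypt({ name: 'RSA-OAEP' }, bobPrivateKey, encDocK);
  const docK = await subtle.importKey('raw', rawDocK, { name: 'AES-GCM' }, false, ['decrypt']);
  return new TextDecoder().decode(await subtle.decrypt({ name: 'AES-GCM', iv }, docK, encDoc));
}

// Full exchange with a non-extractable, encryption-only key pair for Bob.
async function roundTrip(text) {
  const { subtle } = await getCrypto();
  const bob = await subtle.generateKey(
    { name: 'RSA-OAEP', ...RSA }, false, ['encrypt', 'decrypt']);
  return bobReceive(bob.privateKey, await aliceSend(bob.publicKey, text));
}
```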