Fix issue where encrypted data was not decryptable #523

Open
diffidentDude wants to merge 1 commit into digitalbazaar:main from diffidentDude:FIX_RSA_OAEP_HSM_BOUNCY_CASTLE
@diffidentDude

We are encrypting on the front end using RSA-OAEP.

const encrypted = key.encrypt(data, 'RSA-OAEP', {
  md: Forge.md.sha256.create(),
  mgf1: {
    md: Forge.md.sha256.create()
  }
});

We found that we were not able to decrypt with either Bouncy Castle or the HSM.

After debugging with forge and Bouncy Castle side by side, we found this was the only difference between the libraries.

We found that we were not able to decrypt with either Bouncy Castle or the HSM. This resolved the issue for us.

@dlongley
Member

dlongley commented Jul 12, 2017

Prepending the leading 0x00 byte is correct according to PKCS#1 v2.1. This is a change from 2.0, but it should be backwards compatible. So the patch in this PR would not be correct -- there must be some other issue with forge, Bouncy Castle, or the application. We can't rule out a bug with forge or Bouncy Castle, but the most likely source of the bug is usually the application, as many others are using both forge and Bouncy Castle RSA-OAEP without issue.

https://crypto.stackexchange.com/questions/40032/why-did-oaep-change-from-pkcs1-v2-0-and-v2-1

@dlongley
Member

dlongley commented Jul 12, 2017

The latest, PKCS#1 v2.2, also prepends a 0x00 byte to the encoded message.
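
Added example, not part of this PR, of forge, or of either commenter's code: an EME-OAEP encoder and decoder following RFC 8017 (PKCS#1 v2.2) section 7.1, showing the encoded message layout `0x00 || maskedSeed || maskedDB` discussed in the two comments above, and that the OAEP hash and the MGF1 hash (forge's `md` and `mgf1.md` options) must be the same on both sides. The function names, the caller-supplied seed and the use of Node's `crypto` module are assumptions of this example.

```javascript
// Added example (not forge code): EME-OAEP per RFC 8017 (PKCS#1 v2.2), section 7.1.
const crypto = require('crypto');

const hash = (alg, data) => crypto.createHash(alg).update(data).digest();
const xor = (a, b) => Buffer.from(a.map((v, i) => v ^ b[i]));

// MGF1 (RFC 8017 B.2.1): Hash(seed || 32-bit counter) blocks, truncated to len.
function mgf1(alg, seed, len) {
  const blocks = [];
  for (let c = 0, got = 0; got < len; c++) {
    const ctr = Buffer.alloc(4);
    ctr.writeUInt32BE(c);
    blocks.push(hash(alg, Buffer.concat([seed, ctr])));
    got += blocks[c].length;
  }
  return Buffer.concat(blocks).subarray(0, len);
}

// k is the modulus length in bytes. The seed is a parameter only so the
// output is reproducible here; real OAEP draws hLen fresh random bytes.
function oaepEncode(msg, k, seed, md = 'sha256', mgfMd = 'sha256') {
  const lHash = hash(md, Buffer.alloc(0));            // empty label
  const hLen = lHash.length;
  if (seed.length !== hLen) throw new Error('seed must be hLen bytes');
  if (msg.length > k - 2 * hLen - 2) throw new Error('message too long');
  const ps = Buffer.alloc(k - msg.length - 2 * hLen - 2); // zero padding
  const db = Buffer.concat([lHash, ps, Buffer.from([0x01]), msg]);
  const maskedDB = xor(db, mgf1(mgfMd, seed, k - hLen - 1));
  const maskedSeed = xor(seed, mgf1(mgfMd, maskedDB, hLen));
  // EM = 0x00 || maskedSeed || maskedDB: k bytes, always below the modulus.
  return Buffer.concat([Buffer.from([0x00]), maskedSeed, maskedDB]);
}

// Illustration only: production decoders must run these checks in constant
// time and return one indistinguishable error.
function oaepDecode(em, k, md = 'sha256', mgfMd = 'sha256') {
  const lHash = hash(md, Buffer.alloc(0));
  const hLen = lHash.length;
  if (em.length !== k || k < 2 * hLen + 2) throw new Error('decryption error');
  const maskedDB = em.subarray(1 + hLen);
  const seed = xor(em.subarray(1, 1 + hLen), mgf1(mgfMd, maskedDB, hLen));
  const db = xor(maskedDB, mgf1(mgfMd, seed, k - hLen - 1));
  const sep = db.indexOf(0x01, hLen);
  const ok = em[0] === 0x00 && db.subarray(0, hLen).equals(lHash) &&
    sep >= 0 && db.subarray(hLen, sep).every((b) => b === 0);
  if (!ok) throw new Error('decryption error');
  return db.subarray(sep + 1);
}
```

For a 2048-bit key, `oaepEncode(Buffer.from('hello'), 256, seed)` returns 256 bytes whose first byte is 0x00; decoding fails if that byte is stripped or if the decoder uses a different MGF1 hash than the encoder.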

@diffidentDude
Author

Cheers for the feedback, we'll do some more investigation and get back to you.
