Exporting a Software-protected key by Applying RSA-OAEP without Temporary AES Key

#!/usr/bin/env bash

#
# This script is for demonstration purposes only. It provides
# a functioning set of calls to show how to export software-protected AES key material 
# from the Vault service by using the RSA_OAEP_SHA256 algorithm.
#


set -x

OPENSSL="<path_to_OpenSSL>" # Use OpenSSL 1.1.1.
KEY_OCID="<key_OCID>" # The Oracle Cloud Identifier (OCID) of the software-protected master encryption key to export.
ENCRYPTION_ALGORITHM="RSA_OAEP_SHA256"
VAULT_CRYPTO_ENDPOINT="<vault_data_plane_URL>" # The cryptographic endpoint of the vault that contains the software-protected master encryption key.
PUBLIC_KEY_STRING="<public_RSA_wrapping_key_in_PEM_format>" # The content of the public key.
PRIVATE_KEY_PATH="<path_to_private_RSA_wrapping_key>" # The location of the private key.
SOFTWARE_KEY_PATH="<path_to_output_exported_key>" # The location for outputting the software-protected master encryption key.
WRAPPED_SOFTWARE_KEY_PATH="<path_to_output_decoded_wrapped_target_key>" # The location for outputting the decoded, wrapped software-protected master encryption key.

# Invoke the CLI to export a software-protected master encryption key.
wrapped_data=$(oci kms crypto key export --key-id ${KEY_OCID} --algorithm ${ENCRYPTION_ALGORITHM} --public-key "${PUBLIC_KEY_STRING}" --endpoint 
${VAULT_CRYPTO_ENDPOINT} | grep  encrypted-key | cut -d: -f2  | sed 's# "\(.*\)",#\1#g')"

# Decode the encoded wrapped data.
echo ${wrapped_data} | base64 -d > ${WRAPPED_SOFTWARE_KEY_PATH}

# Unwrap the wrapped software-protected key material by using the private RSA wrapping key.
${OPENSSL} pkeyutl -decrypt -in ${WRAPPED_SOFTWARE_KEY_PATH} -inkey ${PRIVATE_KEY_PATH} -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -out ${SOFTWARE_KEY_PATH}