Java: What is the limit to the amount of data that can be encrypted with RSA?
Original URL: http://stackoverflow.com/questions/5583379/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
What is the limit to the amount of data that can be encrypted with RSA?
Asked by sanity
Typically it is recommended that RSA be used to encrypt a symmetric key, which is then used to encrypt the "payload".
What is the practical (or theoretical) limit to the amount of data that can be encrypted with RSA (I'm using a 2048-bit RSA key size)?
In particular, I'm wondering if it is safe to encrypt an RSA public key (256 bytes) with a (different) RSA public key? I'm using the Bouncy Castle crypto libraries in Java.
Accepted answer by Thomas Pornin
For an n-bit RSA key, direct encryption (with PKCS#1 "old-style" padding) works for arbitrary binary messages up to floor(n/8)-11 bytes. In other words, for a 1024-bit RSA key (128 bytes), up to 117 bytes. With OAEP (the PKCS#1 "new-style" padding), this is a bit less: OAEP uses a hash function with output length h bits; this implies a size limit of floor(n/8)-2*ceil(h/8)-2: still for a 1024-bit RSA key, with SHA-256 as hash function (h = 256), this means binary messages up to 60 bytes.
There is no problem in encrypting an RSA key with another RSA key (there is no problem in encrypting any sequence of bytes with RSA, whatever those bytes represent), but, of course, the "outer" RSA key will have to be bigger: with old-style padding, to encrypt a 256-byte message, you will need an RSA key with a modulus of at least 2136 bits.
Hybrid modes (you encrypt data with a random symmetric key and encrypt that symmetric key with RSA) are nonetheless recommended as a general case, if only because they do not have any practical size limits, and also because they make it easier to replace the RSA part with another key exchange algorithm (e.g. Diffie-Hellman).
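The size limits and the hybrid mode from the accepted answer, applied to the question's case (a 2048-bit "outer" key and an encoded RSA public key as payload). This is an added example, not code from the original answers; it uses the standard JCE API rather than Bouncy Castle classes directly, and the class name, the choice of AES-256-GCM and OAEP with SHA-256 for both hash and MGF1 are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;

public class RsaSizeLimitDemo { // hypothetical class name
    // Size limits from the accepted answer, in bytes (n = modulus bits, h = hash bits).
    static int maxPkcs1v15(int nBits) { return nBits / 8 - 11; }
    static int maxOaep(int nBits, int hBits) { return nBits / 8 - 2 * ((hBits + 7) / 8) - 2; }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();                        // "outer" key
        byte[] payload = kpg.generateKeyPair().getPublic().getEncoded();  // key to protect (X.509 DER)
        System.out.printf("payload=%d bytes, PKCS#1 v1.5 limit=%d, OAEP-SHA256 limit=%d%n",
                payload.length, maxPkcs1v15(2048), maxOaep(2048, 256));

        // Direct RSA-OAEP: the encoded key is longer than the limit, so the cipher rejects it.
        OAEPParameterSpec oaep = new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPPadding");
        rsa.init(Cipher.ENCRYPT_MODE, recipient.getPublic(), oaep);
        try {
            rsa.doFinal(payload);
        } catch (GeneralSecurityException e) {
            System.out.println("direct RSA-OAEP rejected: " + e.getClass().getSimpleName());
        }

        // Hybrid mode: a fresh AES key encrypts the payload; RSA wraps only the 32-byte AES key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                                 // never reuse an IV per key
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = gcm.doFinal(payload);
        rsa.init(Cipher.ENCRYPT_MODE, recipient.getPublic(), oaep);       // re-init after the failure
        byte[] wrappedKey = rsa.doFinal(aesKey.getEncoded());

        // Recipient side: unwrap the AES key with the RSA private key, then decrypt and verify.
        rsa.init(Cipher.DECRYPT_MODE, recipient.getPrivate(), oaep);
        SecretKey recovered = new SecretKeySpec(rsa.doFinal(wrappedKey), "AES");
        gcm.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        System.out.println("round trip ok: " + Arrays.equals(payload, gcm.doFinal(ciphertext)));
    }
}
```

The sender transmits `wrappedKey`, `iv` and `ciphertext`; only `wrappedKey` is subject to the RSA size limit.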
Answer by Darhuuk
The limit is more or less infinite, but as you say yourself, this is not how asymmetric crypto should be used. The methods used to implement an asymmetrical crypto system are orders of magnitude slower than those for symmetric crypto (such as AES, TripleDES, PRESENT, ...). So why would you do that? Use your asymmetric crypto to establish a key (using a secure key establishment protocol, don't invent one) and then encrypt your data with a symmetric algorithm using the established key.
On a related note: why would you encrypt with another public key? As the name says, it's supposed to be public. An attacker can't do anything with it if he gets his hands on it.
[Edit] One thing you should definitely check is if the functions you use implement padding (preferably RSAES-OAEP). Otherwise your public key will encrypt to the same output every time and thus an adversary spying in on your communication can still learn that it is you who is transmitting something, even though he can't see which public key it is you are transmitting.
Answer by ypercube
The (theoretical) limit is infinite.
For the practical limit, you'll have to make tests with your particular hardware/software implementation and compare to your requirements regarding speed.
Regarding safety, I'd say yes. Your identity (that you want hidden) is as safe as your recipient's private key's safety.
Answer by Andy
Three years after you asked the question, I stumbled across your posting, because I just had to implement something similar. What you will need in this case is an encryption mode to break the message into key-sized chunks, because of the maximum message length. You will also need block padding to pad each block of the message (opposed to message padding that is usually applied to something like DES, 3DES, AES). Not easy, but possible. You need to make sure that each padded block is smaller than the maximum allowed size. For block padding you could use for example OAEP or PKCS_V1_5. As encryption mode you could use ECB (not secure but works) or something more elaborated. (See Wikipedia and encryption modes.)
If you have a good crypto API you should be able to set the encryption mode and block/message padding and just throw the message at it.