path: root/rsa

Commit log (each entry: commit message, followed by author, date, files changed, lines removed/added)

* Remove overlapping slots from AbstractKey subclasses  (Arie Bovenberg, 2022-03-13, 1 file, -2/+2)

  `PublicKey` and `PrivateKey` both define the `n` and `e` slots, which are already present in their base class. This reduces the benefits of having slots.

  ```shell
  $ slotscheck -m rsa -v
  ERROR: 'rsa.key:PrivateKey' defines overlapping slots.
      - e (rsa.key:AbstractKey)
      - n (rsa.key:AbstractKey)
  ERROR: 'rsa.key:PublicKey' defines overlapping slots.
      - e (rsa.key:AbstractKey)
      - n (rsa.key:AbstractKey)
  ```

  The Python docs say:

  > If a class defines a slot also defined in a base class, the instance
  > variable defined by the base class slot is inaccessible (except by
  > retrieving its descriptor directly from the base class). This renders
  > the meaning of the program undefined.

* Fix #194: Remove debug logging from `rsa/key.py`  (Sybren A. Stüvel, 2022-03-13, 1 file, -4/+0)

* Tiny fix to Incompatible types in assignment  (ikeikeikeike / ikedat / Tatsuo Ikeda, 2022-01-11, 1 file, -3/+6)

* More version bump to 4.8 [tag: version-4.8]  (Sybren A. Stüvel, 2021-11-24, 1 file, -2/+2)

* Fix typos  (Kian-Meng, Ang, 2021-11-24, 5 files, -6/+6)

* Use Chinese Remainder Theorem when decrypting with private key  (Sybren A. Stüvel, 2021-03-29, 1 file, -1/+10)

  Use the Chinese Remainder Theorem when decrypting with private key, as that makes the decryption 2-4x faster.

  This fixes #163.

* Reformatting with Black  (Sybren A. Stüvel, 2021-03-29, 14 files, -335/+434)

  No functional changes.

* Fix hashlib mypy types for Python 3.x  (Saif Hakim, 2021-03-24, 1 file, -1/+6)

  As captured in https://github.com/python/typeshed/pull/1663, the types for SHA-1 and SHA-2 family of functions are callables that return a Hash instance, whilst the SHA-3 family of functions are Hash `type`s (at least in Python 3.6). Mixing the two kinds of functions together in a dictionary confuses mypy's type inference as noted in #153, so we instead add an annotation as a hint.

  Also, update test_my.py to match the python version set by tox.ini in CI instead of always targeting Python 3.7 (as configured in setup.cfg) to validate the types in all supported Python 3.x versions.

  This fix also avoids the issue with the older mypy releases for Python 3.6 / Python 3.7 found in distro repos...

  ... for Ubuntu:

  ```
  docker run \
    -v $(pwd):/tmp/rsa \
    -w /tmp/rsa ubuntu:18.04 \
    /bin/bash -c 'apt-get update -qqy \
    && apt-get install -qqy python3-pyasn1 python3-setuptools python3-mypy \
    && python3 setup.py test'
  ```

  ... and for Fedora:

  ```
  docker run \
    -v $(pwd):/tmp/rsa \
    -w /tmp/rsa docker.io/fedora \
    /bin/bash -c 'dnf -y install wget python3-devel python3-pyasn1 python3-setuptools python3-mypy \
    && python3 setup.py test'
  ```

  Fixes #153

* Add py.typed marker file for PEP 561 compliance  (Andrey Semakin, 2021-02-24, 1 file, -0/+1)

* Fix exception causes all over the codebase  (Ram Rachum, 2021-02-24, 3 files, -9/+9)

  The mistake is this: In some parts of the code, an exception is being caught and replaced with a more user-friendly error. In these cases the syntax `raise new_error from old_error` needs to be used.

  Python's exception chaining means it shows not only the traceback of the current exception, but that of the original exception (and possibly more.) This is regardless of `raise from`. The usage of `raise from` tells Python to put a more accurate message between the tracebacks. Instead of this:

      During handling of the above exception, another exception occurred:

  You'll get this:

      The above exception was the direct cause of the following exception:

  The first is inaccurate, because it signifies a bug in the exception-handling code itself, which is a separate situation than wrapping an exception.

* Bumped version to 4.8-dev0  (Sybren A. Stüvel, 2021-02-24, 1 file, -1/+1)

* Bumped version to 4.7.2 [tag: version-4.7.2]  (Sybren A. Stüvel, 2021-02-24, 1 file, -2/+2)

* Fix #173: unpickling doesn't restore full object  (Bu Sun Kim, 2021-02-24, 1 file, -0/+2)

  When a `PrivateKey` or `PublicKey` is unpickled `AbstractKey.__init__()` should be called so `self.mutex` and `self.blindfac` are created.

* Bumped version to 4.7.1  (Sybren A. Stüvel, 2021-02-15, 1 file, -2/+2)

* Fix threading issue introduced in 4.7  (Sybren A. Stüvel, 2021-02-15, 1 file, -30/+44)

  Computing the blinding factor and its inverse was done in a thread-unsafe manner. Locking the computation & update of the blinding factors, and passing these around in frame- and stack-bound data, solves this.

  This fixes part of the issues reported in sybrenstuvel/python-rsa#173, but there is more going on in that particular report.

* Bumped version to 4.7.1-dev0  (Sybren A. Stüvel, 2021-02-14, 1 file, -2/+2)

* Bumped version to 4.7 [tag: version-4.7]  (Sybren A. Stüvel, 2021-01-10, 1 file, -2/+2)

* Fix #162: Blinding uses slow algorithm  (Sybren A. Stüvel, 2020-11-15, 1 file, -20/+32)

  Store blinding factor + its inverse, so that they can be reused & updated on every blinding operation. This avoids expensive computations.

  The reuse of the previous blinding factor is done via squaring (mod n), as per section 9 of 'A Timing Attack against RSA with the Chinese Remainder Theorem' by Werner Schindler, https://tls.mbed.org/public/WSchindler-RSA_Timing_Attack.pdf

* Directly raise `DecryptionError` when crypto length is bad  (Sybren A. Stüvel, 2020-11-15, 1 file, -2/+4)

  Crypto length and blocksize are public info, so don't need side-channel free comparison.

* Use `bytes.find()` instead of `bytes.index()`  (Sybren A. Stüvel, 2020-11-15, 1 file, -4/+2)

  Use `bytes.find()` instead of `bytes.index()`, as the former doesn't raise an exception when the to-be-found byte doesn't exist.

* Fix #164: Add padding length check as described by PKCS#1 v1.5  (Sybren A. Stüvel, 2020-11-15, 1 file, -1/+6)

  According to PKCS#1 v1.5, the padding should be at least 8 bytes long. See https://tools.ietf.org/html/rfc8017#section-7.2.2 step 3 for more info.

* Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle  (Sybren A. Stüvel, 2020-11-15, 1 file, -4/+8)

  Use as many constant-time comparisons as practical in the `rsa.pkcs1.decrypt` function. `cleartext.index(b'\x00', 2)` will still be non-constant-time. The alternative would be to iterate over all the data byte by byte in Python, which is several orders of magnitude slower. Given that a perfect constant-time implementation is very hard or even impossible to do in Python [1], I chose the more performant option here.

  [1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/

* Fix exception cause in common.py  (Ram Rachum, 2020-06-14, 1 file, -2/+2)

* Bumped version to 4.7-dev0  (Sybren A. Stüvel, 2020-06-12, 1 file, -1/+1)

* Retagged 4.4 as 4.6 and added bit of an explanation to CHANGELOG.md [tag: version-4.6]  (Sybren A. Stüvel, 2020-06-12, 1 file, -1/+1)

* Bumped version to 4.4.1 [tag: version-4.4.1]  (Sybren A. Stüvel, 2020-06-12, 1 file, -1/+1)

* Bumped version to 4.4 [tag: version-4.4]  (Sybren A. Stüvel, 2020-06-12, 1 file, -2/+2)

* Bumped version to 4.2 [tag: version-4.2]  (Sybren A. Stüvel, 2020-06-11, 1 file, -2/+2)

* Limit SHA3 support to Python 3.6+  (Sybren A. Stüvel, 2020-06-11, 1 file, -12/+15)

  The third-party library that adds support for this to Python 3.5 is a binary package, and thus breaks the pure-Python nature of Python-RSA.

  This should fix [#147](https://github.com/sybrenstuvel/python-rsa/issues/147).

* Bumped version to 4.2-dev0  (Sybren A. Stüvel, 2020-06-10, 1 file, -1/+1)

* Bumped version to 4.1 [tag: version-4.1]  (Sybren A. Stüvel, 2020-06-10, 1 file, -2/+2)

* Fix CVE-2020-13757: detect cyphertext modifications by prepending zero bytes  (Sybren A. Stüvel, 2020-06-03, 1 file, -0/+9)

  Reject cyphertexts that have been modified by prepending zero bytes, by checking the cyphertext length against the expected size (given the decryption key). This resolves CVE-2020-13757.

  The same approach is used when verifying a signature.

  Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146

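This commit and the four decrypt-hardening commits of 2020-11-15 listed above (direct length error, `bytes.find()`, the 8-byte padding check, constant-time comparisons) together describe how a PKCS#1 v1.5 unpadder should reject bad input. The code below is an added illustration of those checks, not python-rsa's own `rsa.pkcs1.decrypt`; the `rsa_decrypt` callback and the 16-byte sample blocks are constructed for the demonstration and involve no real key.

```python
import hmac


class DecryptionError(Exception):
    """One failure type so the caller cannot tell which check failed."""


def check_crypto_length(crypto: bytes, keylength: int) -> None:
    """Reject ciphertexts whose length differs from the key's byte size.
    Length and blocksize are public, so raising early here leaks nothing."""
    if len(crypto) != keylength:
        raise DecryptionError("Decryption failed")


def unpad_pkcs1_v15(cleartext: bytes) -> bytes:
    """Strip EME-PKCS1-v1_5 padding (00 02 || PS || 00 || M) from a block.
    The checks are folded into one flag and raised together, so a wrong
    marker and a bad separator take the same code path."""
    # 1. Block-type marker, compared in constant time.
    marker_ok = hmac.compare_digest(cleartext[:2], b"\x00\x02")
    # 2. find() returns -1 instead of raising, so a missing separator is
    #    handled by the same branch as every other failure.
    sep_idx = cleartext.find(b"\x00", 2)
    # 3. RFC 8017 section 7.2.2 step 3: PS is at least 8 octets, so the
    #    separator cannot sit before index 10 (this also covers -1).
    sep_ok = sep_idx >= 10
    if not (marker_ok & sep_ok):
        raise DecryptionError("Decryption failed")
    return cleartext[sep_idx + 1:]


def decrypt_block(crypto: bytes, keylength: int, rsa_decrypt) -> bytes:
    """rsa_decrypt is a hypothetical callback standing in for the private-key
    operation: it maps the ciphertext to the zero-padded cleartext block."""
    check_crypto_length(crypto, keylength)
    return unpad_pkcs1_v15(rsa_decrypt(crypto))


# Constructed 16-byte blocks for the demonstration.
GOOD_BLOCK = b"\x00\x02" + b"\xaa" * 8 + b"\x00" + b"hello"       # PS is 8 bytes
SHORT_PS_BLOCK = b"\x00\x02" + b"\xaa" * 7 + b"\x00" + b"hello!"  # PS only 7 bytes
NO_SEP_BLOCK = b"\x00\x02" + b"\xaa" * 14                         # no 0x00 separator
BAD_MARKER_BLOCK = b"\x00\x01" + b"\xaa" * 8 + b"\x00" + b"hello"


def rejects(block: bytes) -> bool:
    """True if unpadding raises DecryptionError for this block."""
    try:
        unpad_pkcs1_v15(block)
    except DecryptionError:
        return True
    return False
```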
* Add more type hints  (Andrey Semakin, 2020-06-03, 9 files, -26/+31)

* Drop character encoding markers for Python 2.x  (Andrey Semakin, 2020-06-03, 15 files, -30/+0)

* Choose blinding factor relatively prime to N  (Sybren A. Stüvel, 2020-04-14, 1 file, -2/+9)

  This is a requirement for RSA blinding, but wasn't implemented yet.

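This commit, together with the CRT decryption, threading-fix and blinding-reuse commits listed above, describes the private-key operation in outline. The class below is an added example that puts those four pieces together on textbook-sized numbers; it is not python-rsa's `PrivateKey`, and it relies on `pow(x, -1, m)` from Python 3.8.

```python
import math
import secrets
import threading
from typing import Tuple


class BlindedPrivateKey:
    """Textbook RSA private key: CRT decryption with a reusable blinding factor."""

    def __init__(self, p: int, q: int, e: int) -> None:
        self.p, self.q, self.e, self.n = p, q, e, p * q
        self.d = pow(e, -1, (p - 1) * (q - 1))
        # CRT exponents and coefficient, as in the RFC 8017 private-key representation.
        self.exp1 = self.d % (p - 1)
        self.exp2 = self.d % (q - 1)
        self.coef = pow(q, -1, p)
        self.mutex = threading.Lock()
        self.blindfac = self.blindfac_inverse = 0  # 0 means "not yet generated"

    def _fresh_blinding_factor(self) -> None:
        # r must be coprime to n, otherwise r has no inverse and unblinding fails.
        while True:
            r = secrets.randbelow(self.n - 2) + 2
            if math.gcd(r, self.n) == 1:
                break
        self.blindfac, self.blindfac_inverse = r, pow(r, -1, self.n)

    def _take_blinding_pair(self) -> Tuple[int, int]:
        # Hand the caller its own (r, r^-1) copy; shared state is only touched under
        # the lock, so concurrent decryptions never see a half-updated pair.
        with self.mutex:
            if self.blindfac == 0:
                self._fresh_blinding_factor()
            pair = (self.blindfac, self.blindfac_inverse)
            # Next factor is the square mod n (Schindler, section 9): no new inverse needed.
            self.blindfac = pow(self.blindfac, 2, self.n)
            self.blindfac_inverse = pow(self.blindfac_inverse, 2, self.n)
        return pair

    def _decrypt_crt(self, c: int) -> int:
        # Two half-size exponentiations plus Garner recombination instead of pow(c, d, n).
        s1 = pow(c, self.exp1, self.p)
        s2 = pow(c, self.exp2, self.q)
        h = ((s1 - s2) * self.coef) % self.p
        return s2 + self.q * h

    def decrypt(self, c: int) -> int:
        r, r_inv = self._take_blinding_pair()
        blinded = (c * pow(r, self.e, self.n)) % self.n            # c * r^e
        return (self._decrypt_crt(blinded) * r_inv) % self.n       # (m * r) * r^-1
```

Encryption is plain `pow(m, e, n)`, so a caller can round-trip a message with `key.decrypt(pow(m, key.e, key.n))`.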
* Configured flake8 to use max_complexity=10  (Sybren A. Stüvel, 2019-08-04, 1 file, -23/+29)

  Also reorganised the only function that had a higher complexity.

* Added flake8 as development dependency and fixed reported issues  (Sybren A. Stüvel, 2019-08-04, 6 files, -14/+12)

* Add support for SHA3 hashing  (Sybren A. Stüvel, 2019-08-04, 1 file, -0/+14)

  This is based on https://github.com/sybrenstuvel/python-rsa/pull/96, with a few improvements:

  - The minimum of one use of SHA3 in a unit test, to at least touch it at some point.
  - Documented the support of SHA3.
  - Only install the third-party library required by Python 3.5 when we're running on Python 3.5. Newer Python versions support SHA3 natively.

* Added type annotations + some fixes to get them correct  (Sybren A. Stüvel, 2019-08-04, 12 files, -116/+129)

  One functional change: `CryptoOperation.read_infile()` now reads bytes from `sys.stdin` instead of text. This is necessary to be consistent with the rest of the code, which all deals with bytes.

* Added mypy for static type checking  (Sybren A. Stüvel, 2019-08-04, 1 file, -5/+5)

* Removed compatibility code for Python 2.7 and 3.4  (Sybren A. Stüvel, 2019-08-04, 14 files, -359/+20)

* Bumped version to 4.1-dev0  (Sybren A. Stüvel, 2019-08-04, 1 file, -2/+2)

* Mark 4.0 as released [tag: version-4.0]  (Sybren A. Stüvel, 2018-09-16, 1 file, -2/+2)

* speedup  (yjqiang, 2018-09-16, 6 files, -6/+6)

  "if A and B": if A is mostly True, then we should judge B first.

* Moved `get_word_alignment()` from `_compat.py` to `machine_size.py`  (Sybren A. Stüvel, 2018-09-16, 2 files, -3/+77)

  In preparation of removal of Python 2.7 support, I only want to have compatibility code for Python 2.7 in `_compat.py`, and not other kinds of 'compatibility'.

* Add support for SHA224 for PKCS1 signatures  (Joost Rijneveld, 2018-02-05, 1 file, -2/+4)

* Remove duplicate hash method definition  (Joost Rijneveld, 2018-02-05, 1 file, -10/+2)

  There is no need to specify this list in PKCS1_v2 when it is already specified in PKCS1. This does rely on the digest_size attribute being available, but pkcs1.py already depends heavily on the specific API of hashlib.

* PKCS#1 2.0: Implementation of MGF1 (#89)  (Michael Manganiello, 2017-06-10, 2 files, -1/+112)

  Implementation of the Mask Generation Function `MGF1` used in the OAEP encoding step. For more information, the MGF1 specification is at https://tools.ietf.org/html/rfc2437#section-10.2.1

* Support signing a pre-calculated hash (#87)  (Justin Simon, 2017-05-07, 2 files, -18/+37)

  * Split the hashing out of the sign method

    This code change adds support to split the hashing of a message and the actual signing of the message.

  * Updating unit test and documentation

    This commit updates the unit test and usage docs. In addition, this change removes a redundant error check inside rsa.sign().

  * Refactored unit tests and code comments

    Removed the print statements from the unit test and refactored a few code comments to improve readability.

  * Rename hash function

    The new hash function had the same name as a function in the standard library. This commit changes the name to avoid conflicts.

  * Rename hash function to compute_hash()

    This commit renames the hash function to compute_hash().

* Ceiling division implementation (#88)  (Michael Manganiello, 2017-04-18, 1 file, -3/+25)

  Created as a new function as it will be needed by the new PKCS#1 2.0 implementation. Specifically, for the MGF1 function used in the OAEP encoding/decoding. This allows us not to have `math` dependencies.

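The MGF1 commit and this ceiling-division commit describe the two building blocks together: MGF1 (RFC 2437 section 10.2.1) needs to know how many hash blocks cover the requested mask length, which is exactly a ceiling division. The code below is an added example following that specification, not python-rsa's own `rsa.pkcs1_v2` implementation; the seed values in the usage are constructed.

```python
import hashlib


def ceil_div(a: int, b: int) -> int:
    """Integer ceiling of a / b (b > 0) without floats or the math module."""
    return (a + b - 1) // b


def mgf1(seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """MGF1 as in RFC 2437 section 10.2.1 (also RFC 8017 appendix B.2.1).

    The mask is Hash(seed || C) for counter C = 0, 1, ..., with C encoded as
    four big-endian octets (I2OSP), concatenated and cut to `length` octets.
    """
    hlen = hashlib.new(hash_name).digest_size
    if length > (1 << 32) * hlen:
        raise OverflowError("mask too long")
    # ceil_div gives the number of hash blocks needed to cover `length` octets.
    blocks = ceil_div(length, hlen)
    output = bytearray()
    for counter in range(blocks):
        c = counter.to_bytes(4, "big")  # I2OSP(counter, 4)
        output += hashlib.new(hash_name, seed + c).digest()
    return bytes(output[:length])
```

Because the counter sequence is fixed, a longer mask from the same seed always starts with the shorter one; that prefix property is what OAEP relies on when the same MGF is used for both the seed mask and the data-block mask.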