| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Clarify functionality that a hash is not computed, rather
a precomputed (given) hash is being signed.
Signed-off-by: Moritz Fischer <moritzf@google.com>
| |
equals to the modulus
modified: Added test cases in tests/test_integers.py
| |
Decorate functions that subclasses should implement with
`@abc.abstractmethod`.
This is to fix a mypy error that'll show up when upgrading mypy. That
upgrade will follow shortly -- I just wanted to make sure things keep
working.
| |
Fix the documentation by adding referenced-but-not-included functions and
some other small fixes.
The only warnings left are:
```
python-rsa/rsa/key.py:docstring of rsa.key.AbstractKey.load_pkcs1:: WARNING: py:class reference target not found: rsa.key.T
python-rsa/rsa/key.py:docstring of rsa.key.AbstractKey.load_pkcs1:: WARNING: py:class reference target not found: rsa.key.T
```
These are due to Sphinx not really understanding `typing` type references.
Not sure how to fix those.
| |
There were very few functions in there, and none of them were actually used
by the RSA library (just by the test code).
| |
`PublicKey` and `PrivateKey` both define the `n` and `e` slots, which
are already present in their base class. This reduces the benefits of
having slots.
```shell
$ slotscheck -m rsa -v
ERROR: 'rsa.key:PrivateKey' defines overlapping slots.
- e (rsa.key:AbstractKey)
- n (rsa.key:AbstractKey)
ERROR: 'rsa.key:PublicKey' defines overlapping slots.
- e (rsa.key:AbstractKey)
- n (rsa.key:AbstractKey)
```
The Python docs say:
> If a class defines a slot also defined in a base class, the instance
> variable defined by the base class slot is inaccessible (except by
> retrieving its descriptor directly from the base class). This renders
> the meaning of the program undefined.
| |
Use the Chinese Remainder Theorem when decrypting with private key, as that
makes the decryption 2-4x faster.
This fixes #163.
| |
No functional changes.
| |
As captured in https://github.com/python/typeshed/pull/1663, the types for
SHA-1 and SHA-2 family of functions are callables that return a Hash instance,
whilst the SHA-3 family of functions are Hash `type`s (at least in Python 3.6).
Mixing the two kinds of functions together in a dictionary confuses mypy's type
inference as noted in #153, so we instead add an annotation as a hint.
Also, update test_my.py to match the python version set by tox.ini in CI
instead of always targeting Python 3.7 (as configured in setup.cfg) to
validate the types in all supported Python 3.x versions.
This fix also avoids the issue with the older mypy releases for
Python 3.6 / Python 3.7 found in distro repos...
... for Ubuntu:
```
docker run \
-v $(pwd):/tmp/rsa \
-w /tmp/rsa ubuntu:18.04 \
/bin/bash -c 'apt-get update -qqy \
&& apt-get install -qqy python3-pyasn1 python3-setuptools python3-mypy \
&& python3 setup.py test'
```
... and for Fedora:
```
docker run \
-v $(pwd):/tmp/rsa \
-w /tmp/rsa docker.io/fedora \
/bin/bash -c 'dnf -y install wget python3-devel python3-pyasn1 python3-setuptools python3-mypy \
&& python3 setup.py test'
```
Fixes #153
| |
The mistake is this: In some parts of the code, an exception is being
caught and replaced with a more user-friendly error. In these cases the
syntax `raise new_error from old_error` needs to be used.
Python's exception chaining means it shows not only the traceback of the
current exception, but that of the original exception (and possibly
more.) This is regardless of `raise from`. The usage of `raise from`
tells Python to put a more accurate message between the tracebacks.
Instead of this:

    During handling of the above exception, another exception occurred:

You'll get this:

    The above exception was the direct cause of the following exception:

The first is inaccurate, because it signifies a bug in the
exception-handling code itself, which is a separate situation than
wrapping an exception.
| |
When a `PrivateKey` or `PublicKey` is unpickled `AbstractKey.__init__()`
should be called so `self.mutex` and `self.blindfac` are created.
| |
Computing the blinding factor and its inverse was done in a thread-unsafe
manner. Locking the computation & update of the blinding factors, and
passing these around in frame- and stack-bound data, solves this.
This fixes part of the issues reported in sybrenstuvel/python-rsa#173,
but there is more going on in that particular report.
| |
Store blinding factor + its inverse, so that they can be reused & updated
on every blinding operation. This avoids expensive computations.
The reuse of the previous blinding factor is done via squaring (mod n), as
per section 9 of 'A Timing Attack against RSA with the Chinese Remainder
Theorem' by Werner Schindler, https://tls.mbed.org/public/WSchindler-RSA_Timing_Attack.pdf
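
The stored-and-squared blinding pair described in this commit message, together with the locking described in the thread-safety commit message before it, can be sketched as follows. This is an added example, not python-rsa's own code: the `BlindedKey` class, the `decrypt_concurrently` helper and the toy key are assumptions made for illustration; only the `mutex` and `blindfac` attribute names come from the page.

```python
import math
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor

# Toy key from two Mersenne primes; constructed for this example, not a usable key size.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


class BlindedKey:
    """Hypothetical key holder that keeps a blinding factor and its inverse."""

    def __init__(self, n: int, e: int, d: int) -> None:
        self.n, self.e, self.d = n, e, d
        self.blindfac = self.blindfac_inverse = -1   # -1 means "not initialised yet"
        self.mutex = threading.Lock()

    def _next_blinding_pair(self) -> tuple:
        """Initialise or square the stored pair under the lock; return a local copy."""
        with self.mutex:
            if self.blindfac < 0:
                r = secrets.randbelow(self.n - 2) + 2
                while math.gcd(r, self.n) != 1:      # r must be invertible mod n
                    r = secrets.randbelow(self.n - 2) + 2
                self.blindfac, self.blindfac_inverse = r, pow(r, -1, self.n)
            else:
                # (r^2)^-1 == (r^-1)^2 mod n, so squaring both keeps them inverses
                # without computing a new modular inverse.
                self.blindfac = pow(self.blindfac, 2, self.n)
                self.blindfac_inverse = pow(self.blindfac_inverse, 2, self.n)
            return self.blindfac, self.blindfac_inverse

    def blinded_decrypt(self, ciphertext: int) -> int:
        # The pair lives in local variables from here on, so another thread
        # updating the stored pair cannot split r from its inverse.
        r, r_inv = self._next_blinding_pair()
        blinded = (ciphertext * pow(r, self.e, self.n)) % self.n
        return (pow(blinded, self.d, self.n) * r_inv) % self.n


def decrypt_concurrently(messages, workers: int = 8):
    """Encrypt each integer, then decrypt them all through one shared key."""
    key = BlindedKey(N, E, D)
    ciphertexts = [pow(m, E, N) for m in messages]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(key.blinded_decrypt, ciphertexts)), key
```
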
| |
Crypto length and blocksize are public info, so don't need side-channel
free comparison.
| |
Use `bytes.find()` instead of `bytes.index()`, as the former doesn't raise
an exception when the to-be-found byte doesn't exist.
| |
According to PKCS#1 v1.5, the padding should be at least 8 bytes long.
See https://tools.ietf.org/html/rfc8017#section-7.2.2 step 3 for more info.
| |
Use as many constant-time comparisons as practical in the
`rsa.pkcs1.decrypt` function.
`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
alternative would be to iterate over all the data byte by byte in
Python, which is several orders of magnitude slower. Given that a
perfect constant-time implementation is very hard or even impossible to
do in Python [1], I chose the more performant option here.
[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
| |
The third-party library that adds support for this to Python 3.5 is a
binary package, and thus breaks the pure-Python nature of Python-RSA.
This should fix [#147](https://github.com/sybrenstuvel/python-rsa/issues/147).
| |
Reject cyphertexts that have been modified by prepending zero bytes, by
checking the cyphertext length against the expected size (given the
decryption key). This resolves CVE-2020-13757.
The same approach is used when verifying a signature.
Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
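
Why the length check in this commit message matters: converting the ciphertext bytes to an integer discards leading zero bytes, so a ciphertext with zeros prepended decrypts to the same plaintext unless its length is compared with the key size first. The following is an added example, not python-rsa's own code; the toy key and the `encrypt`, `decrypt` and `check_length` names are assumptions for illustration. The parser also applies the 8-byte minimum padding rule and the `bytes.find()` lookup mentioned in the commit messages above.

```python
import os

# Toy key from two Mersenne primes; constructed for this example, not a usable key size.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_BYTES = (N.bit_length() + 7) // 8    # 27 bytes for this toy modulus


class DecryptionError(Exception):
    pass


def encrypt(message: bytes) -> bytes:
    """PKCS#1 v1.5 type-2 padding followed by textbook RSA."""
    pad_len = KEY_BYTES - len(message) - 3
    if pad_len < 8:
        raise OverflowError("message too long for this key")
    # Padding bytes must be non-zero (slightly biased mapping, fine for a demo).
    padding = bytes(b % 255 + 1 for b in os.urandom(pad_len))
    block = b"\x00\x02" + padding + b"\x00" + message
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(KEY_BYTES, "big")


def decrypt(ciphertext: bytes, check_length: bool) -> bytes:
    """Decrypt; check_length=False reproduces the behaviour before the fix."""
    # The expected length is public information, so a plain comparison is enough.
    if check_length and len(ciphertext) != KEY_BYTES:
        raise DecryptionError("Decryption failed")
    value = int.from_bytes(ciphertext, "big")      # leading zero bytes vanish here
    block = pow(value, D, N).to_bytes(KEY_BYTES, "big")
    sep = block.find(b"\x00", 2)                   # -1 when there is no separator
    # Marker must be 00 02 and the padding at least 8 bytes (separator index >= 10).
    if block[:2] != b"\x00\x02" or sep < 10:
        raise DecryptionError("Decryption failed")
    return block[sep + 1:]
```
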
| |
This is a requirement for RSA blinding, but wasn't implemented yet.
| |
Also reorganised the only function that had a higher complexity.
| |
This is based on https://github.com/sybrenstuvel/python-rsa/pull/96, with
a few improvements:
- The minimum of one use of SHA3 in a unit test, to at least touch it at
some point.
- Documented the support of SHA3.
- Only install the third-party library required by Python 3.5 when we're
running on Python 3.5. Newer Python versions support SHA3 natively.
|
| |
One functional change: `CryptoOperation.read_infile()` now reads bytes
from `sys.stdin` instead of text. This is necessary to be consistent with
the rest of the code, which all deals with bytes.