2019-01-20 10:35:31 +00:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
#
|
|
|
|
# PublicKey/RSA.py : RSA public key primitive
|
|
|
|
#
|
|
|
|
# Written in 2008 by Dwayne C. Litzenberger <dlitz@dlitz.net>
|
|
|
|
#
|
|
|
|
# ===================================================================
|
|
|
|
# The contents of this file are dedicated to the public domain. To
|
|
|
|
# the extent that dedication to the public domain is not available,
|
|
|
|
# everyone is granted a worldwide, perpetual, royalty-free,
|
|
|
|
# non-exclusive license to exercise all rights associated with the
|
|
|
|
# contents of this file for any purpose whatsoever.
|
|
|
|
# No rights are reserved.
|
|
|
|
#
|
|
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
|
|
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
|
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
|
|
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
|
|
|
|
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
|
|
|
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
|
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
# SOFTWARE.
|
|
|
|
# ===================================================================
|
|
|
|
|
|
|
|
"""RSA public-key cryptography algorithm (signature and encryption).
|
|
|
|
|
|
|
|
RSA_ is the most widespread and used public key algorithm. Its security is
|
|
|
|
based on the difficulty of factoring large integers. The algorithm has
|
|
|
|
withstood attacks for 30 years, and it is therefore considered reasonably
|
|
|
|
secure for new designs.
|
|
|
|
|
|
|
|
The algorithm can be used for both confidentiality (encryption) and
|
|
|
|
authentication (digital signature). It is worth noting that signing and
|
|
|
|
decryption are significantly slower than verification and encryption.
|
|
|
|
The cryptograhic strength is primarily linked to the length of the modulus *n*.
|
|
|
|
In 2012, a sufficient length is deemed to be 2048 bits. For more information,
|
|
|
|
see the most recent ECRYPT_ report.
|
|
|
|
|
|
|
|
Both RSA ciphertext and RSA signature are as big as the modulus *n* (256
|
|
|
|
bytes if *n* is 2048 bit long).
|
|
|
|
|
|
|
|
This module provides facilities for generating fresh, new RSA keys, constructing
|
|
|
|
them from known components, exporting them, and importing them.
|
|
|
|
|
|
|
|
>>> from Crypto.PublicKey import RSA
|
|
|
|
>>>
|
|
|
|
>>> key = RSA.generate(2048)
|
|
|
|
>>> f = open('mykey.pem','w')
|
|
|
|
>>> f.write(RSA.exportKey('PEM'))
|
|
|
|
>>> f.close()
|
|
|
|
...
|
|
|
|
>>> f = open('mykey.pem','r')
|
|
|
|
>>> key = RSA.importKey(f.read())
|
|
|
|
|
|
|
|
Even though you may choose to directly use the methods of an RSA key object
|
|
|
|
to perform the primitive cryptographic operations (e.g. `_RSAobj.encrypt`),
|
|
|
|
it is recommended to use one of the standardized schemes instead (like
|
|
|
|
`Crypto.Cipher.PKCS1_v1_5` or `Crypto.Signature.PKCS1_v1_5`).
|
|
|
|
|
|
|
|
.. _RSA: http://en.wikipedia.org/wiki/RSA_%28algorithm%29
|
|
|
|
.. _ECRYPT: http://www.ecrypt.eu.org/documents/D.SPA.17.pdf
|
|
|
|
|
|
|
|
:sort: generate,construct,importKey,error
|
|
|
|
"""
|
|
|
|
|
|
|
|
__revision__ = "$Id$"
|
|
|
|
|
|
|
|
__all__ = ['generate', 'construct', 'error', 'importKey', 'RSAImplementation', '_RSAobj']
|
|
|
|
|
|
|
|
import sys
|
|
|
|
if sys.version_info[0] == 2 and sys.version_info[1] == 1:
|
|
|
|
from Crypto.Util.py21compat import *
|
|
|
|
from Crypto.Util.py3compat import *
|
|
|
|
#from Crypto.Util.python_compat import *
|
|
|
|
from Crypto.Util.number import getRandomRange, bytes_to_long, long_to_bytes
|
|
|
|
|
|
|
|
from Crypto.PublicKey import _RSA, _slowmath, pubkey
|
|
|
|
from Crypto import Random
|
|
|
|
|
|
|
|
from Crypto.Util.asn1 import DerObject, DerSequence, DerNull
|
|
|
|
import binascii
|
|
|
|
import struct
|
|
|
|
|
|
|
|
from Crypto.Util.number import inverse
|
|
|
|
|
|
|
|
from Crypto.Util.number import inverse
|
|
|
|
|
|
|
|
try:
|
|
|
|
from Crypto.PublicKey import _fastmath
|
|
|
|
except ImportError:
|
|
|
|
_fastmath = None
|
|
|
|
|
|
|
|
class _RSAobj(pubkey.pubkey):
|
|
|
|
"""Class defining an actual RSA key.
|
|
|
|
|
|
|
|
:undocumented: __getstate__, __setstate__, __repr__, __getattr__
|
|
|
|
"""
|
|
|
|
#: Dictionary of RSA parameters.
|
|
|
|
#:
|
|
|
|
#: A public key will only have the following entries:
|
|
|
|
#:
|
|
|
|
#: - **n**, the modulus.
|
|
|
|
#: - **e**, the public exponent.
|
|
|
|
#:
|
|
|
|
#: A private key will also have:
|
|
|
|
#:
|
|
|
|
#: - **d**, the private exponent.
|
|
|
|
#: - **p**, the first factor of n.
|
|
|
|
#: - **q**, the second factor of n.
|
|
|
|
#: - **u**, the CRT coefficient (1/p) mod q.
|
|
|
|
keydata = ['n', 'e', 'd', 'p', 'q', 'u']
|
|
|
|
|
|
|
|
def __init__(self, implementation, key, randfunc=None):
|
|
|
|
self.implementation = implementation
|
|
|
|
self.key = key
|
|
|
|
if randfunc is None:
|
|
|
|
randfunc = Random.new().read
|
|
|
|
self._randfunc = randfunc
|
|
|
|
|
|
|
|
def __getattr__(self, attrname):
|
|
|
|
if attrname in self.keydata:
|
|
|
|
# For backward compatibility, allow the user to get (not set) the
|
|
|
|
# RSA key parameters directly from this object.
|
|
|
|
return getattr(self.key, attrname)
|
|
|
|
else:
|
|
|
|
raise AttributeError("%s object has no %r attribute" % (self.__class__.__name__, attrname,))
|
|
|
|
|
|
|
|
def encrypt(self, plaintext, K):
|
|
|
|
"""Encrypt a piece of data with RSA.
|
|
|
|
|
|
|
|
:Parameter plaintext: The piece of data to encrypt with RSA. It may not
|
|
|
|
be numerically larger than the RSA module (**n**).
|
|
|
|
:Type plaintext: byte string or long
|
|
|
|
|
|
|
|
:Parameter K: A random parameter (*for compatibility only. This
|
|
|
|
value will be ignored*)
|
|
|
|
:Type K: byte string or long
|
|
|
|
|
|
|
|
:attention: this function performs the plain, primitive RSA encryption
|
|
|
|
(*textbook*). In real applications, you always need to use proper
|
|
|
|
cryptographic padding, and you should not directly encrypt data with
|
|
|
|
this method. Failure to do so may lead to security vulnerabilities.
|
|
|
|
It is recommended to use modules
|
|
|
|
`Crypto.Cipher.PKCS1_OAEP` or `Crypto.Cipher.PKCS1_v1_5` instead.
|
|
|
|
|
|
|
|
:Return: A tuple with two items. The first item is the ciphertext
|
|
|
|
of the same type as the plaintext (string or long). The second item
|
|
|
|
is always None.
|
|
|
|
"""
|
|
|
|
return pubkey.pubkey.encrypt(self, plaintext, K)
|
|
|
|
|
|
|
|
def decrypt(self, ciphertext):
|
|
|
|
"""Decrypt a piece of data with RSA.
|
|
|
|
|
|
|
|
Decryption always takes place with blinding.
|
|
|
|
|
|
|
|
:attention: this function performs the plain, primitive RSA decryption
|
|
|
|
(*textbook*). In real applications, you always need to use proper
|
|
|
|
cryptographic padding, and you should not directly decrypt data with
|
|
|
|
this method. Failure to do so may lead to security vulnerabilities.
|
|
|
|
It is recommended to use modules
|
|
|
|
`Crypto.Cipher.PKCS1_OAEP` or `Crypto.Cipher.PKCS1_v1_5` instead.
|
|
|
|
|
|
|
|
:Parameter ciphertext: The piece of data to decrypt with RSA. It may
|
|
|
|
not be numerically larger than the RSA module (**n**). If a tuple,
|
|
|
|
the first item is the actual ciphertext; the second item is ignored.
|
|
|
|
|
|
|
|
:Type ciphertext: byte string, long or a 2-item tuple as returned by
|
|
|
|
`encrypt`
|
|
|
|
|
|
|
|
:Return: A byte string if ciphertext was a byte string or a tuple
|
|
|
|
of byte strings. A long otherwise.
|
|
|
|
"""
|
|
|
|
return pubkey.pubkey.decrypt(self, ciphertext)
|
|
|
|
|
|
|
|
def sign(self, M, K):
|
|
|
|
"""Sign a piece of data with RSA.
|
|
|
|
|
|
|
|
Signing always takes place with blinding.
|
|
|
|
|
|
|
|
:attention: this function performs the plain, primitive RSA decryption
|
|
|
|
(*textbook*). In real applications, you always need to use proper
|
|
|
|
cryptographic padding, and you should not directly sign data with
|
|
|
|
this method. Failure to do so may lead to security vulnerabilities.
|
|
|
|
It is recommended to use modules
|
|
|
|
`Crypto.Signature.PKCS1_PSS` or `Crypto.Signature.PKCS1_v1_5` instead.
|
|
|
|
|
|
|
|
:Parameter M: The piece of data to sign with RSA. It may
|
|
|
|
not be numerically larger than the RSA module (**n**).
|
|
|
|
:Type M: byte string or long
|
|
|
|
|
|
|
|
:Parameter K: A random parameter (*for compatibility only. This
|
|
|
|
value will be ignored*)
|
|
|
|
:Type K: byte string or long
|
|
|
|
|
|
|
|
:Return: A 2-item tuple. The first item is the actual signature (a
|
|
|
|
long). The second item is always None.
|
|
|
|
"""
|
|
|
|
return pubkey.pubkey.sign(self, M, K)
|
|
|
|
|
|
|
|
def verify(self, M, signature):
|
|
|
|
"""Verify the validity of an RSA signature.
|
|
|
|
|
|
|
|
:attention: this function performs the plain, primitive RSA encryption
|
|
|
|
(*textbook*). In real applications, you always need to use proper
|
|
|
|
cryptographic padding, and you should not directly verify data with
|
|
|
|
this method. Failure to do so may lead to security vulnerabilities.
|
|
|
|
It is recommended to use modules
|
|
|
|
`Crypto.Signature.PKCS1_PSS` or `Crypto.Signature.PKCS1_v1_5` instead.
|
|
|
|
|
|
|
|
:Parameter M: The expected message.
|
|
|
|
:Type M: byte string or long
|
|
|
|
|
|
|
|
:Parameter signature: The RSA signature to verify. The first item of
|
|
|
|
the tuple is the actual signature (a long not larger than the modulus
|
|
|
|
**n**), whereas the second item is always ignored.
|
|
|
|
:Type signature: A 2-item tuple as return by `sign`
|
|
|
|
|
|
|
|
:Return: True if the signature is correct, False otherwise.
|
|
|
|
"""
|
|
|
|
return pubkey.pubkey.verify(self, M, signature)
|
|
|
|
|
|
|
|
def _encrypt(self, c, K):
|
|
|
|
return (self.key._encrypt(c),)
|
|
|
|
|
|
|
|
def _decrypt(self, c):
|
|
|
|
#(ciphertext,) = c
|
|
|
|
(ciphertext,) = c[:1] # HACK - We should use the previous line
|
|
|
|
# instead, but this is more compatible and we're
|
|
|
|
# going to replace the Crypto.PublicKey API soon
|
|
|
|
# anyway.
|
|
|
|
|
|
|
|
# Blinded RSA decryption (to prevent timing attacks):
|
|
|
|
# Step 1: Generate random secret blinding factor r, such that 0 < r < n-1
|
|
|
|
r = getRandomRange(1, self.key.n-1, randfunc=self._randfunc)
|
|
|
|
# Step 2: Compute c' = c * r**e mod n
|
|
|
|
cp = self.key._blind(ciphertext, r)
|
|
|
|
# Step 3: Compute m' = c'**d mod n (ordinary RSA decryption)
|
|
|
|
mp = self.key._decrypt(cp)
|
|
|
|
# Step 4: Compute m = m**(r-1) mod n
|
|
|
|
return self.key._unblind(mp, r)
|
|
|
|
|
|
|
|
def _blind(self, m, r):
|
|
|
|
return self.key._blind(m, r)
|
|
|
|
|
|
|
|
def _unblind(self, m, r):
|
|
|
|
return self.key._unblind(m, r)
|
|
|
|
|
|
|
|
def _sign(self, m, K=None):
|
|
|
|
return (self.key._sign(m),)
|
|
|
|
|
|
|
|
def _verify(self, m, sig):
|
|
|
|
#(s,) = sig
|
|
|
|
(s,) = sig[:1] # HACK - We should use the previous line instead, but
|
|
|
|
# this is more compatible and we're going to replace
|
|
|
|
# the Crypto.PublicKey API soon anyway.
|
|
|
|
return self.key._verify(m, s)
|
|
|
|
|
|
|
|
def has_private(self):
|
|
|
|
return self.key.has_private()
|
|
|
|
|
|
|
|
def size(self):
|
|
|
|
return self.key.size()
|
|
|
|
|
|
|
|
def can_blind(self):
|
|
|
|
return True
|
|
|
|
|
|
|
|
def can_encrypt(self):
|
|
|
|
return True
|
|
|
|
|
|
|
|
def can_sign(self):
|
|
|
|
return True
|
|
|
|
|
|
|
|
def publickey(self):
|
|
|
|
return self.implementation.construct((self.key.n, self.key.e))
|
|
|
|
|
|
|
|
def __getstate__(self):
|
|
|
|
d = {}
|
|
|
|
for k in self.keydata:
|
|
|
|
try:
|
|
|
|
d[k] = getattr(self.key, k)
|
|
|
|
except AttributeError:
|
|
|
|
pass
|
|
|
|
return d
|
|
|
|
|
|
|
|
def __setstate__(self, d):
|
|
|
|
if not hasattr(self, 'implementation'):
|
|
|
|
self.implementation = RSAImplementation()
|
|
|
|
t = []
|
|
|
|
for k in self.keydata:
|
|
|
|
if k not in d:
|
|
|
|
break
|
|
|
|
t.append(d[k])
|
|
|
|
self.key = self.implementation._math.rsa_construct(*tuple(t))
|
|
|
|
|
|
|
|
def __repr__(self):
|
|
|
|
attrs = []
|
|
|
|
for k in self.keydata:
|
|
|
|
if k == 'n':
|
|
|
|
attrs.append("n(%d)" % (self.size()+1,))
|
|
|
|
elif hasattr(self.key, k):
|
|
|
|
attrs.append(k)
|
|
|
|
if self.has_private():
|
|
|
|
attrs.append("private")
|
|
|
|
# PY3K: This is meant to be text, do not change to bytes (data)
|
|
|
|
return "<%s @0x%x %s>" % (self.__class__.__name__, id(self), ",".join(attrs))
|
|
|
|
|
|
|
|
def exportKey(self, format='PEM', passphrase=None, pkcs=1):
|
|
|
|
"""Export this RSA key.
|
|
|
|
|
|
|
|
:Parameter format: The format to use for wrapping the key.
|
|
|
|
|
|
|
|
- *'DER'*. Binary encoding, always unencrypted.
|
|
|
|
- *'PEM'*. Textual encoding, done according to `RFC1421`_/`RFC1423`_.
|
|
|
|
Unencrypted (default) or encrypted.
|
|
|
|
- *'OpenSSH'*. Textual encoding, done according to OpenSSH specification.
|
|
|
|
Only suitable for public keys (not private keys).
|
|
|
|
:Type format: string
|
|
|
|
|
|
|
|
:Parameter passphrase: In case of PEM, the pass phrase to derive the encryption key from.
|
|
|
|
:Type passphrase: string
|
|
|
|
|
|
|
|
:Parameter pkcs: The PKCS standard to follow for assembling the key.
|
|
|
|
You have two choices:
|
|
|
|
|
|
|
|
- with **1**, the public key is embedded into an X.509 `SubjectPublicKeyInfo` DER SEQUENCE.
|
|
|
|
The private key is embedded into a `PKCS#1`_ `RSAPrivateKey` DER SEQUENCE.
|
|
|
|
This mode is the default.
|
|
|
|
- with **8**, the private key is embedded into a `PKCS#8`_ `PrivateKeyInfo` DER SEQUENCE.
|
|
|
|
This mode is not available for public keys.
|
|
|
|
|
|
|
|
PKCS standards are not relevant for the *OpenSSH* format.
|
|
|
|
:Type pkcs: integer
|
|
|
|
|
|
|
|
:Return: A byte string with the encoded public or private half.
|
|
|
|
:Raise ValueError:
|
|
|
|
When the format is unknown.
|
|
|
|
|
|
|
|
.. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt
|
|
|
|
.. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt
|
|
|
|
.. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt
|
|
|
|
.. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt
|
|
|
|
"""
|
|
|
|
if passphrase is not None:
|
|
|
|
passphrase = tobytes(passphrase)
|
|
|
|
if format=='OpenSSH':
|
|
|
|
eb = long_to_bytes(self.e)
|
|
|
|
nb = long_to_bytes(self.n)
|
|
|
|
if bord(eb[0]) & 0x80: eb=bchr(0x00)+eb
|
|
|
|
if bord(nb[0]) & 0x80: nb=bchr(0x00)+nb
|
|
|
|
keyparts = [ 'ssh-rsa', eb, nb ]
|
|
|
|
keystring = ''.join([ struct.pack(">I",len(kp))+kp for kp in keyparts])
|
|
|
|
return 'ssh-rsa '+binascii.b2a_base64(keystring)[:-1]
|
|
|
|
|
|
|
|
# DER format is always used, even in case of PEM, which simply
|
|
|
|
# encodes it into BASE64.
|
|
|
|
der = DerSequence()
|
|
|
|
if self.has_private():
|
|
|
|
keyType= { 1: 'RSA PRIVATE', 8: 'PRIVATE' }[pkcs]
|
|
|
|
der[:] = [ 0, self.n, self.e, self.d, self.p, self.q,
|
|
|
|
self.d % (self.p-1), self.d % (self.q-1),
|
|
|
|
inverse(self.q, self.p) ]
|
|
|
|
if pkcs==8:
|
|
|
|
derkey = der.encode()
|
|
|
|
der = DerSequence([0])
|
|
|
|
der.append(algorithmIdentifier)
|
|
|
|
der.append(DerObject('OCTET STRING', derkey).encode())
|
|
|
|
else:
|
|
|
|
keyType = "PUBLIC"
|
|
|
|
der.append(algorithmIdentifier)
|
|
|
|
bitmap = DerObject('BIT STRING')
|
|
|
|
derPK = DerSequence( [ self.n, self.e ] )
|
|
|
|
bitmap.payload = bchr(0x00) + derPK.encode()
|
|
|
|
der.append(bitmap.encode())
|
|
|
|
if format=='DER':
|
|
|
|
return der.encode()
|
|
|
|
if format=='PEM':
|
|
|
|
pem = b("-----BEGIN " + keyType + " KEY-----\n")
|
|
|
|
objenc = None
|
|
|
|
if passphrase and keyType.endswith('PRIVATE'):
|
|
|
|
# We only support 3DES for encryption
|
|
|
|
import Crypto.Hash.MD5
|
|
|
|
from Crypto.Cipher import DES3
|
|
|
|
from Crypto.Protocol.KDF import PBKDF1
|
|
|
|
salt = self._randfunc(8)
|
|
|
|
key = PBKDF1(passphrase, salt, 16, 1, Crypto.Hash.MD5)
|
|
|
|
key += PBKDF1(key+passphrase, salt, 8, 1, Crypto.Hash.MD5)
|
|
|
|
objenc = DES3.new(key, Crypto.Cipher.DES3.MODE_CBC, salt)
|
|
|
|
pem += b('Proc-Type: 4,ENCRYPTED\n')
|
|
|
|
pem += b('DEK-Info: DES-EDE3-CBC,') + binascii.b2a_hex(salt).upper() + b('\n\n')
|
|
|
|
|
|
|
|
binaryKey = der.encode()
|
|
|
|
if objenc:
|
|
|
|
# Add PKCS#7-like padding
|
|
|
|
padding = objenc.block_size-len(binaryKey)%objenc.block_size
|
|
|
|
binaryKey = objenc.encrypt(binaryKey+bchr(padding)*padding)
|
|
|
|
|
|
|
|
# Each BASE64 line can take up to 64 characters (=48 bytes of data)
|
|
|
|
chunks = [ binascii.b2a_base64(binaryKey[i:i+48]) for i in range(0, len(binaryKey), 48) ]
|
|
|
|
pem += b('').join(chunks)
|
|
|
|
pem += b("-----END " + keyType + " KEY-----")
|
|
|
|
return pem
|
|
|
|
return ValueError("Unknown key format '%s'. Cannot export the RSA key." % format)
|
|
|
|
|
|
|
|
class RSAImplementation(object):
|
|
|
|
"""
|
|
|
|
An RSA key factory.
|
|
|
|
|
|
|
|
This class is only internally used to implement the methods of the `Crypto.PublicKey.RSA` module.
|
|
|
|
|
|
|
|
:sort: __init__,generate,construct,importKey
|
|
|
|
:undocumented: _g*, _i*
|
|
|
|
"""
|
|
|
|
|
|
|
|
def __init__(self, **kwargs):
|
|
|
|
"""Create a new RSA key factory.
|
|
|
|
|
|
|
|
:Keywords:
|
|
|
|
use_fast_math : bool
|
|
|
|
Specify which mathematic library to use:
|
|
|
|
|
|
|
|
- *None* (default). Use fastest math available.
|
|
|
|
- *True* . Use fast math.
|
|
|
|
- *False* . Use slow math.
|
|
|
|
default_randfunc : callable
|
|
|
|
Specify how to collect random data:
|
|
|
|
|
|
|
|
- *None* (default). Use Random.new().read().
|
|
|
|
- not *None* . Use the specified function directly.
|
|
|
|
:Raise RuntimeError:
|
|
|
|
When **use_fast_math** =True but fast math is not available.
|
|
|
|
"""
|
|
|
|
use_fast_math = kwargs.get('use_fast_math', None)
|
|
|
|
if use_fast_math is None: # Automatic
|
|
|
|
if _fastmath is not None:
|
|
|
|
self._math = _fastmath
|
|
|
|
else:
|
|
|
|
self._math = _slowmath
|
|
|
|
|
|
|
|
elif use_fast_math: # Explicitly select fast math
|
|
|
|
if _fastmath is not None:
|
|
|
|
self._math = _fastmath
|
|
|
|
else:
|
|
|
|
raise RuntimeError("fast math module not available")
|
|
|
|
|
|
|
|
else: # Explicitly select slow math
|
|
|
|
self._math = _slowmath
|
|
|
|
|
|
|
|
self.error = self._math.error
|
|
|
|
|
|
|
|
self._default_randfunc = kwargs.get('default_randfunc', None)
|
|
|
|
self._current_randfunc = None
|
|
|
|
|
|
|
|
def _get_randfunc(self, randfunc):
|
|
|
|
if randfunc is not None:
|
|
|
|
return randfunc
|
|
|
|
elif self._current_randfunc is None:
|
|
|
|
self._current_randfunc = Random.new().read
|
|
|
|
return self._current_randfunc
|
|
|
|
|
|
|
|
def generate(self, bits, randfunc=None, progress_func=None, e=65537):
|
|
|
|
"""Randomly generate a fresh, new RSA key.
|
|
|
|
|
|
|
|
:Parameters:
|
|
|
|
bits : int
|
|
|
|
Key length, or size (in bits) of the RSA modulus.
|
|
|
|
It must be a multiple of 256, and no smaller than 1024.
|
|
|
|
|
|
|
|
randfunc : callable
|
|
|
|
Random number generation function; it should accept
|
|
|
|
a single integer N and return a string of random data
|
|
|
|
N bytes long.
|
|
|
|
If not specified, a new one will be instantiated
|
|
|
|
from ``Crypto.Random``.
|
|
|
|
|
|
|
|
progress_func : callable
|
|
|
|
Optional function that will be called with a short string
|
|
|
|
containing the key parameter currently being generated;
|
|
|
|
it's useful for interactive applications where a user is
|
|
|
|
waiting for a key to be generated.
|
|
|
|
|
|
|
|
e : int
|
|
|
|
Public RSA exponent. It must be an odd positive integer.
|
|
|
|
It is typically a small number with very few ones in its
|
|
|
|
binary representation.
|
|
|
|
The default value 65537 (= ``0b10000000000000001`` ) is a safe
|
|
|
|
choice: other common values are 5, 7, 17, and 257.
|
|
|
|
|
|
|
|
:attention: You should always use a cryptographically secure random number generator,
|
|
|
|
such as the one defined in the ``Crypto.Random`` module; **don't** just use the
|
|
|
|
current time and the ``random`` module.
|
|
|
|
|
|
|
|
:attention: Exponent 3 is also widely used, but it requires very special care when padding
|
|
|
|
the message.
|
|
|
|
|
|
|
|
:Return: An RSA key object (`_RSAobj`).
|
|
|
|
|
|
|
|
:Raise ValueError:
|
|
|
|
When **bits** is too little or not a multiple of 256, or when
|
|
|
|
**e** is not odd or smaller than 2.
|
|
|
|
"""
|
|
|
|
if bits < 1024 or (bits & 0xff) != 0:
|
|
|
|
# pubkey.getStrongPrime doesn't like anything that's not a multiple of 256 and >= 1024
|
|
|
|
raise ValueError("RSA modulus length must be a multiple of 256 and >= 1024")
|
|
|
|
if e%2==0 or e<3:
|
|
|
|
raise ValueError("RSA public exponent must be a positive, odd integer larger than 2.")
|
|
|
|
rf = self._get_randfunc(randfunc)
|
|
|
|
obj = _RSA.generate_py(bits, rf, progress_func, e) # TODO: Don't use legacy _RSA module
|
|
|
|
key = self._math.rsa_construct(obj.n, obj.e, obj.d, obj.p, obj.q, obj.u)
|
|
|
|
return _RSAobj(self, key)
|
|
|
|
|
|
|
|
def construct(self, tup):
|
|
|
|
"""Construct an RSA key from a tuple of valid RSA components.
|
|
|
|
|
|
|
|
The modulus **n** must be the product of two primes.
|
|
|
|
The public exponent **e** must be odd and larger than 1.
|
|
|
|
|
|
|
|
In case of a private key, the following equations must apply:
|
|
|
|
|
|
|
|
- e != 1
|
|
|
|
- p*q = n
|
|
|
|
- e*d = 1 mod (p-1)(q-1)
|
|
|
|
- p*u = 1 mod q
|
|
|
|
|
|
|
|
:Parameters:
|
|
|
|
tup : tuple
|
|
|
|
A tuple of long integers, with at least 2 and no
|
|
|
|
more than 6 items. The items come in the following order:
|
|
|
|
|
|
|
|
1. RSA modulus (n).
|
|
|
|
2. Public exponent (e).
|
|
|
|
3. Private exponent (d). Only required if the key is private.
|
|
|
|
4. First factor of n (p). Optional.
|
|
|
|
5. Second factor of n (q). Optional.
|
|
|
|
6. CRT coefficient, (1/p) mod q (u). Optional.
|
|
|
|
|
|
|
|
:Return: An RSA key object (`_RSAobj`).
|
|
|
|
"""
|
|
|
|
key = self._math.rsa_construct(*tup)
|
|
|
|
return _RSAobj(self, key)
|
|
|
|
|
|
|
|
def _importKeyDER(self, externKey):
|
|
|
|
"""Import an RSA key (public or private half), encoded in DER form."""
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
|
|
|
der = DerSequence()
|
|
|
|
der.decode(externKey, True)
|
|
|
|
|
|
|
|
# Try PKCS#1 first, for a private key
|
|
|
|
if len(der)==9 and der.hasOnlyInts() and der[0]==0:
|
|
|
|
# ASN.1 RSAPrivateKey element
|
|
|
|
del der[6:] # Remove d mod (p-1), d mod (q-1), and q^{-1} mod p
|
|
|
|
der.append(inverse(der[4],der[5])) # Add p^{-1} mod q
|
|
|
|
del der[0] # Remove version
|
|
|
|
return self.construct(der[:])
|
|
|
|
|
|
|
|
# Keep on trying PKCS#1, but now for a public key
|
|
|
|
if len(der)==2:
|
|
|
|
# The DER object is an RSAPublicKey SEQUENCE with two elements
|
|
|
|
if der.hasOnlyInts():
|
|
|
|
return self.construct(der[:])
|
|
|
|
# The DER object is a SubjectPublicKeyInfo SEQUENCE with two elements:
|
|
|
|
# an 'algorithm' (or 'algorithmIdentifier') SEQUENCE and a 'subjectPublicKey' BIT STRING.
|
|
|
|
# 'algorithm' takes the value given a few lines above.
|
|
|
|
# 'subjectPublicKey' encapsulates the actual ASN.1 RSAPublicKey element.
|
|
|
|
if der[0]==algorithmIdentifier:
|
|
|
|
bitmap = DerObject()
|
|
|
|
bitmap.decode(der[1], True)
|
|
|
|
if bitmap.isType('BIT STRING') and bord(bitmap.payload[0])==0x00:
|
|
|
|
der.decode(bitmap.payload[1:], True)
|
|
|
|
if len(der)==2 and der.hasOnlyInts():
|
|
|
|
return self.construct(der[:])
|
|
|
|
|
|
|
|
# Try unencrypted PKCS#8
|
|
|
|
if der[0]==0:
|
|
|
|
# The second element in the SEQUENCE is algorithmIdentifier.
|
|
|
|
# It must say RSA (see above for description).
|
|
|
|
if der[1]==algorithmIdentifier:
|
|
|
|
privateKey = DerObject()
|
|
|
|
privateKey.decode(der[2], True)
|
|
|
|
if privateKey.isType('OCTET STRING'):
|
|
|
|
return self._importKeyDER(privateKey.payload)
|
|
|
|
|
|
|
|
except ValueError as IndexError:
|
|
|
|
pass
|
|
|
|
|
|
|
|
raise ValueError("RSA key format is not supported")
|
|
|
|
|
|
|
|
def importKey(self, externKey, passphrase=None):
|
|
|
|
"""Import an RSA key (public or private half), encoded in standard form.
|
|
|
|
|
|
|
|
:Parameter externKey:
|
|
|
|
The RSA key to import, encoded as a string.
|
|
|
|
|
|
|
|
An RSA public key can be in any of the following formats:
|
|
|
|
|
|
|
|
- X.509 `subjectPublicKeyInfo` DER SEQUENCE (binary or PEM encoding)
|
|
|
|
- `PKCS#1`_ `RSAPublicKey` DER SEQUENCE (binary or PEM encoding)
|
|
|
|
- OpenSSH (textual public key only)
|
|
|
|
|
|
|
|
An RSA private key can be in any of the following formats:
|
|
|
|
|
|
|
|
- PKCS#1 `RSAPrivateKey` DER SEQUENCE (binary or PEM encoding)
|
|
|
|
- `PKCS#8`_ `PrivateKeyInfo` DER SEQUENCE (binary or PEM encoding)
|
|
|
|
- OpenSSH (textual public key only)
|
|
|
|
|
|
|
|
For details about the PEM encoding, see `RFC1421`_/`RFC1423`_.
|
|
|
|
|
|
|
|
In case of PEM encoding, the private key can be encrypted with DES or 3TDES according to a certain ``pass phrase``.
|
|
|
|
Only OpenSSL-compatible pass phrases are supported.
|
|
|
|
:Type externKey: string
|
|
|
|
|
|
|
|
:Parameter passphrase:
|
|
|
|
In case of an encrypted PEM key, this is the pass phrase from which the encryption key is derived.
|
|
|
|
:Type passphrase: string
|
|
|
|
|
|
|
|
:Return: An RSA key object (`_RSAobj`).
|
|
|
|
|
|
|
|
:Raise ValueError/IndexError/TypeError:
|
|
|
|
When the given key cannot be parsed (possibly because the pass phrase is wrong).
|
|
|
|
|
|
|
|
.. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt
|
|
|
|
.. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt
|
|
|
|
.. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt
|
|
|
|
.. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt
|
|
|
|
"""
|
|
|
|
externKey = tobytes(externKey)
|
|
|
|
if passphrase is not None:
|
|
|
|
passphrase = tobytes(passphrase)
|
|
|
|
|
|
|
|
if externKey.startswith(b('-----')):
|
|
|
|
# This is probably a PEM encoded key
|
|
|
|
lines = externKey.replace(b(" "),b('')).split()
|
|
|
|
keyobj = None
|
|
|
|
|
|
|
|
# The encrypted PEM format
|
|
|
|
if lines[1].startswith(b('Proc-Type:4,ENCRYPTED')):
|
|
|
|
DEK = lines[2].split(b(':'))
|
|
|
|
if len(DEK)!=2 or DEK[0]!=b('DEK-Info') or not passphrase:
|
|
|
|
raise ValueError("PEM encryption format not supported.")
|
|
|
|
algo, salt = DEK[1].split(b(','))
|
|
|
|
salt = binascii.a2b_hex(salt)
|
|
|
|
import Crypto.Hash.MD5
|
|
|
|
from Crypto.Cipher import DES, DES3
|
|
|
|
from Crypto.Protocol.KDF import PBKDF1
|
|
|
|
if algo==b("DES-CBC"):
|
|
|
|
# This is EVP_BytesToKey in OpenSSL
|
|
|
|
key = PBKDF1(passphrase, salt, 8, 1, Crypto.Hash.MD5)
|
|
|
|
keyobj = DES.new(key, Crypto.Cipher.DES.MODE_CBC, salt)
|
|
|
|
elif algo==b("DES-EDE3-CBC"):
|
|
|
|
# Note that EVP_BytesToKey is note exactly the same as PBKDF1
|
|
|
|
key = PBKDF1(passphrase, salt, 16, 1, Crypto.Hash.MD5)
|
|
|
|
key += PBKDF1(key+passphrase, salt, 8, 1, Crypto.Hash.MD5)
|
|
|
|
keyobj = DES3.new(key, Crypto.Cipher.DES3.MODE_CBC, salt)
|
|
|
|
else:
|
|
|
|
raise ValueError("Unsupport PEM encryption algorithm.")
|
|
|
|
lines = lines[2:]
|
|
|
|
|
|
|
|
der = binascii.a2b_base64(b('').join(lines[1:-1]))
|
|
|
|
if keyobj:
|
|
|
|
der = keyobj.decrypt(der)
|
|
|
|
padding = bord(der[-1])
|
|
|
|
der = der[:-padding]
|
|
|
|
return self._importKeyDER(der)
|
|
|
|
|
|
|
|
if externKey.startswith(b('ssh-rsa ')):
|
|
|
|
# This is probably an OpenSSH key
|
|
|
|
keystring = binascii.a2b_base64(externKey.split(b(' '))[1])
|
|
|
|
keyparts = []
|
|
|
|
while len(keystring)>4:
|
|
|
|
l = struct.unpack(">I",keystring[:4])[0]
|
|
|
|
keyparts.append(keystring[4:4+l])
|
|
|
|
keystring = keystring[4+l:]
|
|
|
|
e = bytes_to_long(keyparts[1])
|
|
|
|
n = bytes_to_long(keyparts[2])
|
|
|
|
return self.construct([n, e])
|
|
|
|
if bord(externKey[0])==0x30:
|
|
|
|
# This is probably a DER encoded key
|
|
|
|
return self._importKeyDER(externKey)
|
|
|
|
|
|
|
|
raise ValueError("RSA key format is not supported")
|
|
|
|
|
|
|
|
#: This is the ASN.1 DER object that qualifies an algorithm as
|
|
|
|
#: compliant to PKCS#1 (that is, the standard RSA).
|
|
|
|
# It is found in all 'algorithm' fields (also called 'algorithmIdentifier').
|
|
|
|
# It is a SEQUENCE with the oid assigned to RSA and with its parameters (none).
|
|
|
|
# 0x06 0x09 OBJECT IDENTIFIER, 9 bytes of payload
|
|
|
|
# 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x01 0x01
|
|
|
|
# rsaEncryption (1 2 840 113549 1 1 1) (PKCS #1)
|
|
|
|
# 0x05 0x00 NULL
|
|
|
|
algorithmIdentifier = DerSequence(
|
|
|
|
[ b('\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01'),
|
|
|
|
DerNull().encode() ]
|
|
|
|
).encode()
|
|
|
|
|
|
|
|
_impl = RSAImplementation()
|
|
|
|
#:
|
|
|
|
#: Randomly generate a fresh, new RSA key object.
|
|
|
|
#:
|
|
|
|
#: See `RSAImplementation.generate`.
|
|
|
|
#:
|
|
|
|
generate = _impl.generate
|
|
|
|
#:
|
|
|
|
#: Construct an RSA key object from a tuple of valid RSA components.
|
|
|
|
#:
|
|
|
|
#: See `RSAImplementation.construct`.
|
|
|
|
#:
|
|
|
|
construct = _impl.construct
|
|
|
|
#:
|
|
|
|
#: Import an RSA key (public or private half), encoded in standard form.
|
|
|
|
#:
|
|
|
|
#: See `RSAImplementation.importKey`.
|
|
|
|
#:
|
|
|
|
importKey = _impl.importKey
|
|
|
|
error = _impl.error
|
|
|
|
|
|
|
|
# vim:set ts=4 sw=4 sts=4 expandtab:
|
|
|
|
|