# -*- coding: utf-8 -*- # # PublicKey/RSA.py : RSA public key primitive # # Written in 2008 by Dwayne C. Litzenberger # # =================================================================== # The contents of this file are dedicated to the public domain. To # the extent that dedication to the public domain is not available, # everyone is granted a worldwide, perpetual, royalty-free, # non-exclusive license to exercise all rights associated with the # contents of this file for any purpose whatsoever. # No rights are reserved. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS # BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN # ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. # =================================================================== """RSA public-key cryptography algorithm (signature and encryption). RSA_ is the most widespread and used public key algorithm. Its security is based on the difficulty of factoring large integers. The algorithm has withstood attacks for 30 years, and it is therefore considered reasonably secure for new designs. The algorithm can be used for both confidentiality (encryption) and authentication (digital signature). It is worth noting that signing and decryption are significantly slower than verification and encryption. The cryptograhic strength is primarily linked to the length of the modulus *n*. In 2012, a sufficient length is deemed to be 2048 bits. For more information, see the most recent ECRYPT_ report. Both RSA ciphertext and RSA signature are as big as the modulus *n* (256 bytes if *n* is 2048 bit long). This module provides facilities for generating fresh, new RSA keys, constructing them from known components, exporting them, and importing them. >>> from Crypto.PublicKey import RSA >>> >>> key = RSA.generate(2048) >>> f = open('mykey.pem','w') >>> f.write(RSA.exportKey('PEM')) >>> f.close() ... >>> f = open('mykey.pem','r') >>> key = RSA.importKey(f.read()) Even though you may choose to directly use the methods of an RSA key object to perform the primitive cryptographic operations (e.g. `_RSAobj.encrypt`), it is recommended to use one of the standardized schemes instead (like `Crypto.Cipher.PKCS1_v1_5` or `Crypto.Signature.PKCS1_v1_5`). .. _RSA: http://en.wikipedia.org/wiki/RSA_%28algorithm%29 .. _ECRYPT: http://www.ecrypt.eu.org/documents/D.SPA.17.pdf :sort: generate,construct,importKey,error """ __revision__ = "$Id$" __all__ = ['generate', 'construct', 'error', 'importKey', 'RSAImplementation', '_RSAobj'] import sys if sys.version_info[0] == 2 and sys.version_info[1] == 1: from Crypto.Util.py21compat import * from Crypto.Util.py3compat import * #from Crypto.Util.python_compat import * from Crypto.Util.number import getRandomRange, bytes_to_long, long_to_bytes from Crypto.PublicKey import _RSA, _slowmath, pubkey from Crypto import Random from Crypto.Util.asn1 import DerObject, DerSequence, DerNull import binascii import struct from Crypto.Util.number import inverse from Crypto.Util.number import inverse try: from Crypto.PublicKey import _fastmath except ImportError: _fastmath = None class _RSAobj(pubkey.pubkey): """Class defining an actual RSA key. :undocumented: __getstate__, __setstate__, __repr__, __getattr__ """ #: Dictionary of RSA parameters. #: #: A public key will only have the following entries: #: #: - **n**, the modulus. #: - **e**, the public exponent. #: #: A private key will also have: #: #: - **d**, the private exponent. #: - **p**, the first factor of n. #: - **q**, the second factor of n. #: - **u**, the CRT coefficient (1/p) mod q. keydata = ['n', 'e', 'd', 'p', 'q', 'u'] def __init__(self, implementation, key, randfunc=None): self.implementation = implementation self.key = key if randfunc is None: randfunc = Random.new().read self._randfunc = randfunc def __getattr__(self, attrname): if attrname in self.keydata: # For backward compatibility, allow the user to get (not set) the # RSA key parameters directly from this object. return getattr(self.key, attrname) else: raise AttributeError("%s object has no %r attribute" % (self.__class__.__name__, attrname,)) def encrypt(self, plaintext, K): """Encrypt a piece of data with RSA. :Parameter plaintext: The piece of data to encrypt with RSA. It may not be numerically larger than the RSA module (**n**). :Type plaintext: byte string or long :Parameter K: A random parameter (*for compatibility only. This value will be ignored*) :Type K: byte string or long :attention: this function performs the plain, primitive RSA encryption (*textbook*). In real applications, you always need to use proper cryptographic padding, and you should not directly encrypt data with this method. Failure to do so may lead to security vulnerabilities. It is recommended to use modules `Crypto.Cipher.PKCS1_OAEP` or `Crypto.Cipher.PKCS1_v1_5` instead. :Return: A tuple with two items. The first item is the ciphertext of the same type as the plaintext (string or long). The second item is always None. """ return pubkey.pubkey.encrypt(self, plaintext, K) def decrypt(self, ciphertext): """Decrypt a piece of data with RSA. Decryption always takes place with blinding. :attention: this function performs the plain, primitive RSA decryption (*textbook*). In real applications, you always need to use proper cryptographic padding, and you should not directly decrypt data with this method. Failure to do so may lead to security vulnerabilities. It is recommended to use modules `Crypto.Cipher.PKCS1_OAEP` or `Crypto.Cipher.PKCS1_v1_5` instead. :Parameter ciphertext: The piece of data to decrypt with RSA. It may not be numerically larger than the RSA module (**n**). If a tuple, the first item is the actual ciphertext; the second item is ignored. :Type ciphertext: byte string, long or a 2-item tuple as returned by `encrypt` :Return: A byte string if ciphertext was a byte string or a tuple of byte strings. A long otherwise. """ return pubkey.pubkey.decrypt(self, ciphertext) def sign(self, M, K): """Sign a piece of data with RSA. Signing always takes place with blinding. :attention: this function performs the plain, primitive RSA decryption (*textbook*). In real applications, you always need to use proper cryptographic padding, and you should not directly sign data with this method. Failure to do so may lead to security vulnerabilities. It is recommended to use modules `Crypto.Signature.PKCS1_PSS` or `Crypto.Signature.PKCS1_v1_5` instead. :Parameter M: The piece of data to sign with RSA. It may not be numerically larger than the RSA module (**n**). :Type M: byte string or long :Parameter K: A random parameter (*for compatibility only. This value will be ignored*) :Type K: byte string or long :Return: A 2-item tuple. The first item is the actual signature (a long). The second item is always None. """ return pubkey.pubkey.sign(self, M, K) def verify(self, M, signature): """Verify the validity of an RSA signature. :attention: this function performs the plain, primitive RSA encryption (*textbook*). In real applications, you always need to use proper cryptographic padding, and you should not directly verify data with this method. Failure to do so may lead to security vulnerabilities. It is recommended to use modules `Crypto.Signature.PKCS1_PSS` or `Crypto.Signature.PKCS1_v1_5` instead. :Parameter M: The expected message. :Type M: byte string or long :Parameter signature: The RSA signature to verify. The first item of the tuple is the actual signature (a long not larger than the modulus **n**), whereas the second item is always ignored. :Type signature: A 2-item tuple as return by `sign` :Return: True if the signature is correct, False otherwise. """ return pubkey.pubkey.verify(self, M, signature) def _encrypt(self, c, K): return (self.key._encrypt(c),) def _decrypt(self, c): #(ciphertext,) = c (ciphertext,) = c[:1] # HACK - We should use the previous line # instead, but this is more compatible and we're # going to replace the Crypto.PublicKey API soon # anyway. # Blinded RSA decryption (to prevent timing attacks): # Step 1: Generate random secret blinding factor r, such that 0 < r < n-1 r = getRandomRange(1, self.key.n-1, randfunc=self._randfunc) # Step 2: Compute c' = c * r**e mod n cp = self.key._blind(ciphertext, r) # Step 3: Compute m' = c'**d mod n (ordinary RSA decryption) mp = self.key._decrypt(cp) # Step 4: Compute m = m**(r-1) mod n return self.key._unblind(mp, r) def _blind(self, m, r): return self.key._blind(m, r) def _unblind(self, m, r): return self.key._unblind(m, r) def _sign(self, m, K=None): return (self.key._sign(m),) def _verify(self, m, sig): #(s,) = sig (s,) = sig[:1] # HACK - We should use the previous line instead, but # this is more compatible and we're going to replace # the Crypto.PublicKey API soon anyway. return self.key._verify(m, s) def has_private(self): return self.key.has_private() def size(self): return self.key.size() def can_blind(self): return True def can_encrypt(self): return True def can_sign(self): return True def publickey(self): return self.implementation.construct((self.key.n, self.key.e)) def __getstate__(self): d = {} for k in self.keydata: try: d[k] = getattr(self.key, k) except AttributeError: pass return d def __setstate__(self, d): if not hasattr(self, 'implementation'): self.implementation = RSAImplementation() t = [] for k in self.keydata: if k not in d: break t.append(d[k]) self.key = self.implementation._math.rsa_construct(*tuple(t)) def __repr__(self): attrs = [] for k in self.keydata: if k == 'n': attrs.append("n(%d)" % (self.size()+1,)) elif hasattr(self.key, k): attrs.append(k) if self.has_private(): attrs.append("private") # PY3K: This is meant to be text, do not change to bytes (data) return "<%s @0x%x %s>" % (self.__class__.__name__, id(self), ",".join(attrs)) def exportKey(self, format='PEM', passphrase=None, pkcs=1): """Export this RSA key. :Parameter format: The format to use for wrapping the key. - *'DER'*. Binary encoding, always unencrypted. - *'PEM'*. Textual encoding, done according to `RFC1421`_/`RFC1423`_. Unencrypted (default) or encrypted. - *'OpenSSH'*. Textual encoding, done according to OpenSSH specification. Only suitable for public keys (not private keys). :Type format: string :Parameter passphrase: In case of PEM, the pass phrase to derive the encryption key from. :Type passphrase: string :Parameter pkcs: The PKCS standard to follow for assembling the key. You have two choices: - with **1**, the public key is embedded into an X.509 `SubjectPublicKeyInfo` DER SEQUENCE. The private key is embedded into a `PKCS#1`_ `RSAPrivateKey` DER SEQUENCE. This mode is the default. - with **8**, the private key is embedded into a `PKCS#8`_ `PrivateKeyInfo` DER SEQUENCE. This mode is not available for public keys. PKCS standards are not relevant for the *OpenSSH* format. :Type pkcs: integer :Return: A byte string with the encoded public or private half. :Raise ValueError: When the format is unknown. .. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt .. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt .. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt .. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt """ if passphrase is not None: passphrase = tobytes(passphrase) if format=='OpenSSH': eb = long_to_bytes(self.e) nb = long_to_bytes(self.n) if bord(eb[0]) & 0x80: eb=bchr(0x00)+eb if bord(nb[0]) & 0x80: nb=bchr(0x00)+nb keyparts = [ 'ssh-rsa', eb, nb ] keystring = ''.join([ struct.pack(">I",len(kp))+kp for kp in keyparts]) return 'ssh-rsa '+binascii.b2a_base64(keystring)[:-1] # DER format is always used, even in case of PEM, which simply # encodes it into BASE64. der = DerSequence() if self.has_private(): keyType= { 1: 'RSA PRIVATE', 8: 'PRIVATE' }[pkcs] der[:] = [ 0, self.n, self.e, self.d, self.p, self.q, self.d % (self.p-1), self.d % (self.q-1), inverse(self.q, self.p) ] if pkcs==8: derkey = der.encode() der = DerSequence([0]) der.append(algorithmIdentifier) der.append(DerObject('OCTET STRING', derkey).encode()) else: keyType = "PUBLIC" der.append(algorithmIdentifier) bitmap = DerObject('BIT STRING') derPK = DerSequence( [ self.n, self.e ] ) bitmap.payload = bchr(0x00) + derPK.encode() der.append(bitmap.encode()) if format=='DER': return der.encode() if format=='PEM': pem = b("-----BEGIN " + keyType + " KEY-----\n") objenc = None if passphrase and keyType.endswith('PRIVATE'): # We only support 3DES for encryption import Crypto.Hash.MD5 from Crypto.Cipher import DES3 from Crypto.Protocol.KDF import PBKDF1 salt = self._randfunc(8) key = PBKDF1(passphrase, salt, 16, 1, Crypto.Hash.MD5) key += PBKDF1(key+passphrase, salt, 8, 1, Crypto.Hash.MD5) objenc = DES3.new(key, Crypto.Cipher.DES3.MODE_CBC, salt) pem += b('Proc-Type: 4,ENCRYPTED\n') pem += b('DEK-Info: DES-EDE3-CBC,') + binascii.b2a_hex(salt).upper() + b('\n\n') binaryKey = der.encode() if objenc: # Add PKCS#7-like padding padding = objenc.block_size-len(binaryKey)%objenc.block_size binaryKey = objenc.encrypt(binaryKey+bchr(padding)*padding) # Each BASE64 line can take up to 64 characters (=48 bytes of data) chunks = [ binascii.b2a_base64(binaryKey[i:i+48]) for i in range(0, len(binaryKey), 48) ] pem += b('').join(chunks) pem += b("-----END " + keyType + " KEY-----") return pem return ValueError("Unknown key format '%s'. Cannot export the RSA key." % format) class RSAImplementation(object): """ An RSA key factory. This class is only internally used to implement the methods of the `Crypto.PublicKey.RSA` module. :sort: __init__,generate,construct,importKey :undocumented: _g*, _i* """ def __init__(self, **kwargs): """Create a new RSA key factory. :Keywords: use_fast_math : bool Specify which mathematic library to use: - *None* (default). Use fastest math available. - *True* . Use fast math. - *False* . Use slow math. default_randfunc : callable Specify how to collect random data: - *None* (default). Use Random.new().read(). - not *None* . Use the specified function directly. :Raise RuntimeError: When **use_fast_math** =True but fast math is not available. """ use_fast_math = kwargs.get('use_fast_math', None) if use_fast_math is None: # Automatic if _fastmath is not None: self._math = _fastmath else: self._math = _slowmath elif use_fast_math: # Explicitly select fast math if _fastmath is not None: self._math = _fastmath else: raise RuntimeError("fast math module not available") else: # Explicitly select slow math self._math = _slowmath self.error = self._math.error self._default_randfunc = kwargs.get('default_randfunc', None) self._current_randfunc = None def _get_randfunc(self, randfunc): if randfunc is not None: return randfunc elif self._current_randfunc is None: self._current_randfunc = Random.new().read return self._current_randfunc def generate(self, bits, randfunc=None, progress_func=None, e=65537): """Randomly generate a fresh, new RSA key. :Parameters: bits : int Key length, or size (in bits) of the RSA modulus. It must be a multiple of 256, and no smaller than 1024. randfunc : callable Random number generation function; it should accept a single integer N and return a string of random data N bytes long. If not specified, a new one will be instantiated from ``Crypto.Random``. progress_func : callable Optional function that will be called with a short string containing the key parameter currently being generated; it's useful for interactive applications where a user is waiting for a key to be generated. e : int Public RSA exponent. It must be an odd positive integer. It is typically a small number with very few ones in its binary representation. The default value 65537 (= ``0b10000000000000001`` ) is a safe choice: other common values are 5, 7, 17, and 257. :attention: You should always use a cryptographically secure random number generator, such as the one defined in the ``Crypto.Random`` module; **don't** just use the current time and the ``random`` module. :attention: Exponent 3 is also widely used, but it requires very special care when padding the message. :Return: An RSA key object (`_RSAobj`). :Raise ValueError: When **bits** is too little or not a multiple of 256, or when **e** is not odd or smaller than 2. """ if bits < 1024 or (bits & 0xff) != 0: # pubkey.getStrongPrime doesn't like anything that's not a multiple of 256 and >= 1024 raise ValueError("RSA modulus length must be a multiple of 256 and >= 1024") if e%2==0 or e<3: raise ValueError("RSA public exponent must be a positive, odd integer larger than 2.") rf = self._get_randfunc(randfunc) obj = _RSA.generate_py(bits, rf, progress_func, e) # TODO: Don't use legacy _RSA module key = self._math.rsa_construct(obj.n, obj.e, obj.d, obj.p, obj.q, obj.u) return _RSAobj(self, key) def construct(self, tup): """Construct an RSA key from a tuple of valid RSA components. The modulus **n** must be the product of two primes. The public exponent **e** must be odd and larger than 1. In case of a private key, the following equations must apply: - e != 1 - p*q = n - e*d = 1 mod (p-1)(q-1) - p*u = 1 mod q :Parameters: tup : tuple A tuple of long integers, with at least 2 and no more than 6 items. The items come in the following order: 1. RSA modulus (n). 2. Public exponent (e). 3. Private exponent (d). Only required if the key is private. 4. First factor of n (p). Optional. 5. Second factor of n (q). Optional. 6. CRT coefficient, (1/p) mod q (u). Optional. :Return: An RSA key object (`_RSAobj`). """ key = self._math.rsa_construct(*tup) return _RSAobj(self, key) def _importKeyDER(self, externKey): """Import an RSA key (public or private half), encoded in DER form.""" try: der = DerSequence() der.decode(externKey, True) # Try PKCS#1 first, for a private key if len(der)==9 and der.hasOnlyInts() and der[0]==0: # ASN.1 RSAPrivateKey element del der[6:] # Remove d mod (p-1), d mod (q-1), and q^{-1} mod p der.append(inverse(der[4],der[5])) # Add p^{-1} mod q del der[0] # Remove version return self.construct(der[:]) # Keep on trying PKCS#1, but now for a public key if len(der)==2: # The DER object is an RSAPublicKey SEQUENCE with two elements if der.hasOnlyInts(): return self.construct(der[:]) # The DER object is a SubjectPublicKeyInfo SEQUENCE with two elements: # an 'algorithm' (or 'algorithmIdentifier') SEQUENCE and a 'subjectPublicKey' BIT STRING. # 'algorithm' takes the value given a few lines above. # 'subjectPublicKey' encapsulates the actual ASN.1 RSAPublicKey element. if der[0]==algorithmIdentifier: bitmap = DerObject() bitmap.decode(der[1], True) if bitmap.isType('BIT STRING') and bord(bitmap.payload[0])==0x00: der.decode(bitmap.payload[1:], True) if len(der)==2 and der.hasOnlyInts(): return self.construct(der[:]) # Try unencrypted PKCS#8 if der[0]==0: # The second element in the SEQUENCE is algorithmIdentifier. # It must say RSA (see above for description). if der[1]==algorithmIdentifier: privateKey = DerObject() privateKey.decode(der[2], True) if privateKey.isType('OCTET STRING'): return self._importKeyDER(privateKey.payload) except ValueError as IndexError: pass raise ValueError("RSA key format is not supported") def importKey(self, externKey, passphrase=None): """Import an RSA key (public or private half), encoded in standard form. :Parameter externKey: The RSA key to import, encoded as a string. An RSA public key can be in any of the following formats: - X.509 `subjectPublicKeyInfo` DER SEQUENCE (binary or PEM encoding) - `PKCS#1`_ `RSAPublicKey` DER SEQUENCE (binary or PEM encoding) - OpenSSH (textual public key only) An RSA private key can be in any of the following formats: - PKCS#1 `RSAPrivateKey` DER SEQUENCE (binary or PEM encoding) - `PKCS#8`_ `PrivateKeyInfo` DER SEQUENCE (binary or PEM encoding) - OpenSSH (textual public key only) For details about the PEM encoding, see `RFC1421`_/`RFC1423`_. In case of PEM encoding, the private key can be encrypted with DES or 3TDES according to a certain ``pass phrase``. Only OpenSSL-compatible pass phrases are supported. :Type externKey: string :Parameter passphrase: In case of an encrypted PEM key, this is the pass phrase from which the encryption key is derived. :Type passphrase: string :Return: An RSA key object (`_RSAobj`). :Raise ValueError/IndexError/TypeError: When the given key cannot be parsed (possibly because the pass phrase is wrong). .. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt .. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt .. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt .. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt """ externKey = tobytes(externKey) if passphrase is not None: passphrase = tobytes(passphrase) if externKey.startswith(b('-----')): # This is probably a PEM encoded key lines = externKey.replace(b(" "),b('')).split() keyobj = None # The encrypted PEM format if lines[1].startswith(b('Proc-Type:4,ENCRYPTED')): DEK = lines[2].split(b(':')) if len(DEK)!=2 or DEK[0]!=b('DEK-Info') or not passphrase: raise ValueError("PEM encryption format not supported.") algo, salt = DEK[1].split(b(',')) salt = binascii.a2b_hex(salt) import Crypto.Hash.MD5 from Crypto.Cipher import DES, DES3 from Crypto.Protocol.KDF import PBKDF1 if algo==b("DES-CBC"): # This is EVP_BytesToKey in OpenSSL key = PBKDF1(passphrase, salt, 8, 1, Crypto.Hash.MD5) keyobj = DES.new(key, Crypto.Cipher.DES.MODE_CBC, salt) elif algo==b("DES-EDE3-CBC"): # Note that EVP_BytesToKey is note exactly the same as PBKDF1 key = PBKDF1(passphrase, salt, 16, 1, Crypto.Hash.MD5) key += PBKDF1(key+passphrase, salt, 8, 1, Crypto.Hash.MD5) keyobj = DES3.new(key, Crypto.Cipher.DES3.MODE_CBC, salt) else: raise ValueError("Unsupport PEM encryption algorithm.") lines = lines[2:] der = binascii.a2b_base64(b('').join(lines[1:-1])) if keyobj: der = keyobj.decrypt(der) padding = bord(der[-1]) der = der[:-padding] return self._importKeyDER(der) if externKey.startswith(b('ssh-rsa ')): # This is probably an OpenSSH key keystring = binascii.a2b_base64(externKey.split(b(' '))[1]) keyparts = [] while len(keystring)>4: l = struct.unpack(">I",keystring[:4])[0] keyparts.append(keystring[4:4+l]) keystring = keystring[4+l:] e = bytes_to_long(keyparts[1]) n = bytes_to_long(keyparts[2]) return self.construct([n, e]) if bord(externKey[0])==0x30: # This is probably a DER encoded key return self._importKeyDER(externKey) raise ValueError("RSA key format is not supported") #: This is the ASN.1 DER object that qualifies an algorithm as #: compliant to PKCS#1 (that is, the standard RSA). # It is found in all 'algorithm' fields (also called 'algorithmIdentifier'). # It is a SEQUENCE with the oid assigned to RSA and with its parameters (none). # 0x06 0x09 OBJECT IDENTIFIER, 9 bytes of payload # 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x01 0x01 # rsaEncryption (1 2 840 113549 1 1 1) (PKCS #1) # 0x05 0x00 NULL algorithmIdentifier = DerSequence( [ b('\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01'), DerNull().encode() ] ).encode() _impl = RSAImplementation() #: #: Randomly generate a fresh, new RSA key object. #: #: See `RSAImplementation.generate`. #: generate = _impl.generate #: #: Construct an RSA key object from a tuple of valid RSA components. #: #: See `RSAImplementation.construct`. #: construct = _impl.construct #: #: Import an RSA key (public or private half), encoded in standard form. #: #: See `RSAImplementation.importKey`. #: importKey = _impl.importKey error = _impl.error # vim:set ts=4 sw=4 sts=4 expandtab: