2008-09-18 21:42:28 -04:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
#
|
|
|
|
|
# PublicKey/RSA.py : RSA public key primitive
|
|
|
|
|
#
|
2009-02-28 13:24:04 -05:00
|
|
|
# Written in 2008 by Dwayne C. Litzenberger <dlitz@dlitz.net>
|
2008-09-18 21:42:28 -04:00
|
|
|
#
|
2009-02-28 13:24:04 -05:00
|
|
|
# ===================================================================
|
|
|
|
|
# The contents of this file are dedicated to the public domain. To
|
|
|
|
|
# the extent that dedication to the public domain is not available,
|
|
|
|
|
# everyone is granted a worldwide, perpetual, royalty-free,
|
|
|
|
|
# non-exclusive license to exercise all rights associated with the
|
|
|
|
|
# contents of this file for any purpose whatsoever.
|
|
|
|
|
# No rights are reserved.
|
2008-09-18 21:42:28 -04:00
|
|
|
#
|
2009-02-28 13:24:04 -05:00
|
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
|
|
|
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
|
|
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
|
|
|
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
|
|
|
|
|
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
|
|
|
|
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
|
|
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
|
# SOFTWARE.
|
|
|
|
|
# ===================================================================
|
2008-09-18 21:42:28 -04:00
|
|
|
|
|
|
|
|
"""RSA public-key cryptography algorithm."""
|
|
|
|
|
|
|
|
|
|
__revision__ = "$Id$"
|
|
|
|
|
|
2009-12-27 17:26:59 +01:00
|
|
|
__all__ = ['generate', 'construct', 'error', 'importKey' ]
|
2008-09-18 21:42:28 -04:00
|
|
|
|
|
|
|
|
from Crypto.Util.python_compat import *
|
|
|
|
|
|
|
|
|
|
from Crypto.PublicKey import _RSA, _slowmath, pubkey
|
|
|
|
|
from Crypto import Random
|
|
|
|
|
|
2009-12-27 17:26:59 +01:00
|
|
|
from Crypto.Util.asn1 import DerObject, DerSequence
|
2010-01-21 20:14:10 +01:00
|
|
|
import binascii
|
2009-12-27 17:26:59 +01:00
|
|
|
|
2011-01-16 21:44:10 +01:00
|
|
|
from Crypto.Util.number import inverse
|
|
|
|
|
|
2008-09-18 21:42:28 -04:00
|
|
|
try:
|
|
|
|
|
from Crypto.PublicKey import _fastmath
|
|
|
|
|
except ImportError:
|
|
|
|
|
_fastmath = None
|
|
|
|
|
|
|
|
|
|
class _RSAobj(pubkey.pubkey):
|
|
|
|
|
keydata = ['n', 'e', 'd', 'p', 'q', 'u']
|
|
|
|
|
|
|
|
|
|
def __init__(self, implementation, key):
|
|
|
|
|
self.implementation = implementation
|
|
|
|
|
self.key = key
|
|
|
|
|
|
|
|
|
|
def __getattr__(self, attrname):
|
|
|
|
|
if attrname in self.keydata:
|
|
|
|
|
# For backward compatibility, allow the user to get (not set) the
|
|
|
|
|
# RSA key parameters directly from this object.
|
|
|
|
|
return getattr(self.key, attrname)
|
|
|
|
|
else:
|
|
|
|
|
raise AttributeError("%s object has no %r attribute" % (self.__class__.__name__, attrname,))
|
|
|
|
|
|
2008-10-18 20:26:01 -04:00
|
|
|
def _encrypt(self, c, K):
|
2008-09-18 21:42:28 -04:00
|
|
|
return (self.key._encrypt(c),)
|
|
|
|
|
|
|
|
|
|
def _decrypt(self, c):
|
RSA: Make .verify() accept extra garbage after the signature.
The developers of Twisted Conch (an SSH protocol implementation) apparently
think they need to add extra junk to the end of the signature tuple when
calling RSAobj.verify. In other words, they do something like this:
RSAobj.verify("foo", (sig, ''))
instead of something like this:
RSAobj.verify("foo", (sig,))
This isn't necessary, but it worked in PyCrypto 2.0.1.
The people behind Twisted Conch probably got confused by a similar requirement
in RSAobj.sign(). I could call it "user error" and rebuke them for misusing
the API, but that would be dumb. The unified Crypto.PublicKey API is
confusing, encouraging exactly this kind of mistake.
The Crypto.PublicKey API needs to be replaced with something less error-prone,
but in the meantime, I am applying this change to make the .verify() method
behave how Twisted Conch expects.
2008-11-02 10:33:52 -05:00
|
|
|
#(ciphertext,) = c
|
|
|
|
|
(ciphertext,) = c[:1] # HACK - We should use the previous line
|
|
|
|
|
# instead, but this is more compatible and we're
|
|
|
|
|
# going to replace the Crypto.PublicKey API soon
|
|
|
|
|
# anyway.
|
2008-09-18 21:42:28 -04:00
|
|
|
return self.key._decrypt(ciphertext)
|
|
|
|
|
|
|
|
|
|
def _blind(self, m, r):
|
|
|
|
|
return self.key._blind(m, r)
|
|
|
|
|
|
|
|
|
|
def _unblind(self, m, r):
|
|
|
|
|
return self.key._unblind(m, r)
|
|
|
|
|
|
2008-10-18 20:20:49 -04:00
|
|
|
def _sign(self, m, K=None):
|
|
|
|
|
return (self.key._sign(m),)
|
2008-09-18 21:42:28 -04:00
|
|
|
|
|
|
|
|
def _verify(self, m, sig):
|
RSA: Make .verify() accept extra garbage after the signature.
The developers of Twisted Conch (an SSH protocol implementation) apparently
think they need to add extra junk to the end of the signature tuple when
calling RSAobj.verify. In other words, they do something like this:
RSAobj.verify("foo", (sig, ''))
instead of something like this:
RSAobj.verify("foo", (sig,))
This isn't necessary, but it worked in PyCrypto 2.0.1.
The people behind Twisted Conch probably got confused by a similar requirement
in RSAobj.sign(). I could call it "user error" and rebuke them for misusing
the API, but that would be dumb. The unified Crypto.PublicKey API is
confusing, encouraging exactly this kind of mistake.
The Crypto.PublicKey API needs to be replaced with something less error-prone,
but in the meantime, I am applying this change to make the .verify() method
behave how Twisted Conch expects.
2008-11-02 10:33:52 -05:00
|
|
|
#(s,) = sig
|
|
|
|
|
(s,) = sig[:1] # HACK - We should use the previous line instead, but
|
|
|
|
|
# this is more compatible and we're going to replace
|
|
|
|
|
# the Crypto.PublicKey API soon anyway.
|
2008-10-18 20:20:49 -04:00
|
|
|
return self.key._verify(m, s)
|
2008-09-18 21:42:28 -04:00
|
|
|
|
|
|
|
|
def has_private(self):
|
|
|
|
|
return self.key.has_private()
|
|
|
|
|
|
|
|
|
|
def size(self):
|
|
|
|
|
return self.key.size()
|
|
|
|
|
|
|
|
|
|
def can_blind(self):
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def can_encrypt(self):
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def can_sign(self):
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def publickey(self):
|
|
|
|
|
return self.implementation.construct((self.key.n, self.key.e))
|
|
|
|
|
|
|
|
|
|
def __getstate__(self):
|
|
|
|
|
d = {}
|
|
|
|
|
for k in self.keydata:
|
|
|
|
|
try:
|
|
|
|
|
d[k] = getattr(self.key, k)
|
|
|
|
|
except AttributeError:
|
|
|
|
|
pass
|
|
|
|
|
return d
|
|
|
|
|
|
|
|
|
|
def __setstate__(self, d):
|
|
|
|
|
if not hasattr(self, 'implementation'):
|
|
|
|
|
self.implementation = RSAImplementation()
|
|
|
|
|
t = []
|
|
|
|
|
for k in self.keydata:
|
|
|
|
|
if not d.has_key(k):
|
|
|
|
|
break
|
|
|
|
|
t.append(d[k])
|
|
|
|
|
self.key = self.implementation._math.rsa_construct(*tuple(t))
|
|
|
|
|
|
|
|
|
|
def __repr__(self):
|
|
|
|
|
attrs = []
|
|
|
|
|
for k in self.keydata:
|
|
|
|
|
if k == 'n':
|
|
|
|
|
attrs.append("n(%d)" % (self.size()+1,))
|
|
|
|
|
elif hasattr(self.key, k):
|
|
|
|
|
attrs.append(k)
|
|
|
|
|
if self.has_private():
|
|
|
|
|
attrs.append("private")
|
|
|
|
|
return "<%s @0x%x %s>" % (self.__class__.__name__, id(self), ",".join(attrs))
|
|
|
|
|
|
2009-12-27 17:26:59 +01:00
|
|
|
def exportKey(self, format='PEM'):
|
2011-01-16 22:05:54 +01:00
|
|
|
"""Export the RSA key. A string is returned
|
|
|
|
|
with the encoded public or the private half
|
|
|
|
|
under the selected format.
|
|
|
|
|
|
|
|
|
|
format: 'DER' (PKCS#1) or 'PEM' (RFC1421)
|
|
|
|
|
"""
|
|
|
|
|
der = DerSequence()
|
|
|
|
|
if self.has_private():
|
|
|
|
|
keyType = "RSA PRIVATE"
|
|
|
|
|
der[:] = [ 0, self.n, self.e, self.d, self.p, self.q,
|
|
|
|
|
self.d % (self.p-1), self.d % (self.q-1),
|
|
|
|
|
inverse(self.q, self.p) ]
|
|
|
|
|
else:
|
|
|
|
|
keyType = "PUBLIC"
|
|
|
|
|
der.append('\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00')
|
|
|
|
|
bitmap = DerObject('BIT STRING')
|
|
|
|
|
derPK = DerSequence()
|
|
|
|
|
derPK[:] = [ self.n, self.e ]
|
|
|
|
|
bitmap.payload = '\x00' + derPK.encode()
|
|
|
|
|
der.append(bitmap.encode())
|
|
|
|
|
if format=='DER':
|
|
|
|
|
return der.encode()
|
|
|
|
|
if format=='PEM':
|
|
|
|
|
pem = "-----BEGIN %s KEY-----\n" % keyType
|
|
|
|
|
binaryKey = der.encode()
|
|
|
|
|
# Each BASE64 line can take up to 64 characters (=48 bytes of data)
|
|
|
|
|
chunks = [ binascii.b2a_base64(binaryKey[i:i+48]) for i in range(0, len(binaryKey), 48) ]
|
|
|
|
|
pem += ''.join(chunks)
|
|
|
|
|
pem += "-----END %s KEY-----" % keyType
|
|
|
|
|
return pem
|
|
|
|
|
return ValueError("Unknown key format '%s'. Cannot export the RSA key." % format)
|
2009-12-27 17:26:59 +01:00
|
|
|
|
2008-09-18 21:42:28 -04:00
|
|
|
class RSAImplementation(object):
|
|
|
|
|
def __init__(self, **kwargs):
|
|
|
|
|
# 'use_fast_math' parameter:
|
|
|
|
|
# None (default) - Use fast math if available; Use slow math if not.
|
|
|
|
|
# True - Use fast math, and raise RuntimeError if it's not available.
|
|
|
|
|
# False - Use slow math.
|
|
|
|
|
use_fast_math = kwargs.get('use_fast_math', None)
|
|
|
|
|
if use_fast_math is None: # Automatic
|
|
|
|
|
if _fastmath is not None:
|
|
|
|
|
self._math = _fastmath
|
|
|
|
|
else:
|
|
|
|
|
self._math = _slowmath
|
|
|
|
|
|
|
|
|
|
elif use_fast_math: # Explicitly select fast math
|
|
|
|
|
if _fastmath is not None:
|
|
|
|
|
self._math = _fastmath
|
|
|
|
|
else:
|
|
|
|
|
raise RuntimeError("fast math module not available")
|
|
|
|
|
|
|
|
|
|
else: # Explicitly select slow math
|
|
|
|
|
self._math = _slowmath
|
|
|
|
|
|
|
|
|
|
self.error = self._math.error
|
|
|
|
|
|
|
|
|
|
# 'default_randfunc' parameter:
|
|
|
|
|
# None (default) - use Random.new().read
|
|
|
|
|
# not None - use the specified function
|
|
|
|
|
self._default_randfunc = kwargs.get('default_randfunc', None)
|
|
|
|
|
self._current_randfunc = None
|
|
|
|
|
|
|
|
|
|
def _get_randfunc(self, randfunc):
|
|
|
|
|
if randfunc is not None:
|
|
|
|
|
return randfunc
|
|
|
|
|
elif self._current_randfunc is None:
|
|
|
|
|
self._current_randfunc = Random.new().read
|
|
|
|
|
return self._current_randfunc
|
|
|
|
|
|
2011-01-17 21:17:19 +01:00
|
|
|
def generate(self, bits, randfunc=None, progress_func=None, e=65537):
|
2010-08-27 00:13:44 -04:00
|
|
|
if bits < 1024 or (bits & 0xff) != 0:
|
|
|
|
|
# pubkey.getStrongPrime doesn't like anything that's not a multiple of 128 and > 512
|
2011-01-16 21:44:10 +01:00
|
|
|
raise ValueError("RSA modulus length must be a multiple of 256 and >= 1024")
|
2011-01-17 21:17:19 +01:00
|
|
|
if e%2==0:
|
|
|
|
|
raise ValueError("RSA public exponent must be odd.")
|
2008-09-18 21:42:28 -04:00
|
|
|
rf = self._get_randfunc(randfunc)
|
2011-01-17 21:17:19 +01:00
|
|
|
obj = _RSA.generate_py(bits, rf, progress_func, e) # TODO: Don't use legacy _RSA module
|
2008-09-18 21:42:28 -04:00
|
|
|
key = self._math.rsa_construct(obj.n, obj.e, obj.d, obj.p, obj.q, obj.u)
|
|
|
|
|
return _RSAobj(self, key)
|
|
|
|
|
|
|
|
|
|
def construct(self, tup):
|
|
|
|
|
key = self._math.rsa_construct(*tup)
|
|
|
|
|
return _RSAobj(self, key)
|
|
|
|
|
|
2009-12-27 17:26:59 +01:00
|
|
|
def _importKeyDER(self, externKey):
|
2011-01-16 22:05:54 +01:00
|
|
|
der = DerSequence()
|
|
|
|
|
der.decode(externKey, True)
|
|
|
|
|
if len(der)==9 and der.hasOnlyInts() and der[0]==0:
|
|
|
|
|
# ASN.1 RSAPrivateKey element
|
|
|
|
|
del der[6:] # Remove d mod (p-1), d mod (q-1), and q^{-1} mod p
|
2011-01-16 21:44:10 +01:00
|
|
|
der.append(inverse(der[4],der[5])) # Add p^{-1} mod q
|
2011-01-16 22:05:54 +01:00
|
|
|
del der[0] # Remove version
|
|
|
|
|
return self.construct(der[:])
|
|
|
|
|
if len(der)==2:
|
2011-01-17 21:17:19 +01:00
|
|
|
# The DER object is a SubjectPublicKeyInfo SEQUENCE with two elements:
|
|
|
|
|
# an algorithm SEQUENCE (or algorithmIdentifier) and a subjectPublicKey BIT STRING.
|
2011-01-16 21:44:10 +01:00
|
|
|
#
|
2011-01-17 21:17:19 +01:00
|
|
|
# The first element is always the same. It contains the oid of
|
|
|
|
|
# the RSA algorithm and its parameters (none).
|
2011-01-16 21:44:10 +01:00
|
|
|
# 0x30 0x0D SEQUENCE, 12 bytes of payload
|
|
|
|
|
# 0x06 0x09 OBJECT IDENTIFIER, 9 bytes of payload
|
|
|
|
|
# 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x01 0x01
|
|
|
|
|
# rsaEncryption (1 2 840 113549 1 1 1) (PKCS #1)
|
|
|
|
|
# 0x05 0x00 NULL
|
|
|
|
|
#
|
2011-01-17 21:17:19 +01:00
|
|
|
# subjectPublicKey encapsulates the actual ASN.1 RSAPublicKey element.
|
2011-01-16 22:05:54 +01:00
|
|
|
if der[0]=='\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00':
|
|
|
|
|
bitmap = DerObject()
|
|
|
|
|
bitmap.decode(der[1], True)
|
|
|
|
|
if bitmap.typeTag=='\x03' and bitmap.payload[0]=='\x00':
|
|
|
|
|
der.decode(bitmap.payload[1:], True)
|
|
|
|
|
if len(der)==2 and der.hasOnlyInts():
|
|
|
|
|
return self.construct(der[:])
|
|
|
|
|
raise ValueError("RSA key format is not supported")
|
2009-12-27 17:26:59 +01:00
|
|
|
|
|
|
|
|
def importKey(self, externKey):
|
2011-01-16 22:05:54 +01:00
|
|
|
"""Import an RSA key (public or private half).
|
2009-12-27 17:26:59 +01:00
|
|
|
|
2011-01-16 22:05:54 +01:00
|
|
|
externKey: the RSA key to import, encoded as a string.
|
|
|
|
|
The key can be in DER (PKCS#1) or in unencrypted
|
|
|
|
|
PEM format (RFC1421).
|
2011-01-16 21:44:10 +01:00
|
|
|
|
|
|
|
|
Raises a ValueError/IndexError if the given key cannot be parsed.
|
2011-01-16 22:05:54 +01:00
|
|
|
"""
|
|
|
|
|
if externKey.startswith('-----'):
|
|
|
|
|
# This is probably a PEM encoded key
|
|
|
|
|
lines = externKey.replace(" ",'').split()
|
|
|
|
|
der = binascii.a2b_base64(''.join(lines[1:-1]))
|
|
|
|
|
return self._importKeyDER(der)
|
|
|
|
|
if externKey[0]=='\x30':
|
|
|
|
|
# This is probably a DER encoded key
|
|
|
|
|
return self._importKeyDER(externKey)
|
|
|
|
|
raise ValueError("RSA key format is not supported")
|
2009-12-27 17:26:59 +01:00
|
|
|
|
2008-09-18 21:42:28 -04:00
|
|
|
_impl = RSAImplementation()
|
|
|
|
|
generate = _impl.generate
|
|
|
|
|
construct = _impl.construct
|
2009-12-27 17:26:59 +01:00
|
|
|
importKey = _impl.importKey
|
2008-09-18 21:42:28 -04:00
|
|
|
error = _impl.error
|
|
|
|
|
|
|
|
|
|
# vim:set ts=4 sw=4 sts=4 expandtab:
|
|
|
|
|
|
