This patch forces the user to explicitly assert
that no validation of the X.509 certificate will be
done when importing an RSA key.
In other words, public keys can only be imported in the following way:
>>> cert_data = open("cert.pem", "rb").read()
>>> key = RSA.importKey(cert_data, verify_x509_cert=False)
Not passing the parameter "verify_x509_cert" will raise an exception.
This patch does a few things to simplify the public key classes
(RSA, DSA and ElGamal):
* It removes the Crypto.PublicKey.pubkey module. The 3 classes
do not have an ancestor anymore.
* Methods sign(), verify(), encrypt(), and decrypt() are removed.
* Methods blind() and unblind() are removed.
* Methods can_sign() and can_encrypt() are removed.
* The 3 classes cannot be pickled anymore.
When the various components are assembled into an RSA,
DSA or ElGamal key via the construct() method, we must verify
as much as possible if the result is indeed a valid key.
The patch contains the following changes:
- Private RSA keys can be imported/exported in encrypted form,
protected according to PKCS#8 and:
* PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC.
* PBKDF2WithHMAC-SHA1AndAES128-CBC
* PBKDF2WithHMAC-SHA1AndAES192-CBC
* PBKDF2WithHMAC-SHA1AndAES256-CBC
In addition to that, it is possible to import keys i the
following weak formats:
* pbeWithMD5AndDES-CBC
* pbeWithSHA1AndRC2-CBC
* pbeWithMD5AndRC2-CBC
* pbeWithSHA1AndDES-CBC
- The following new module (and 1 new package) are added:
* Crypto.Util.Padding for simple padding/unpadding logic
* Crypto.IO._PBES for PBE-related PKCS#5 logic
* Crypto.IO.PEM for PEM wrapping/unwrapping
* Crypto.IO.PKCS8 for PKCS#8 wrapping/unwrapping
- All Object ID (OIDs) are now in dotted form to increase
readability.
- Add AES support to PEM format (decode only).
The PEM module can decrypt messages protected with AES-CBC.
- Update RSA import test cases.
- Updated to PKCS8 test cases
The bug is at: https://bugs.launchpad.net/pycrypto/+bug/702835
When importing an DER RSA private key, u (that is, p^{-1} mod q) must be
computed manually. RSA.importKey() also raises a more descriptive exception in
case of an unknown key format.
Conflicts:
lib/Crypto/PublicKey/RSA.py
Small fix to importKey documentation (ASN.1 structure names were
incorrect for public keys).
Factors of an RSA private key are computed from private exponent d
(both slowmath and fastmath).
o _fastmath now builds and runs on PY3K
o Changes to setup.py to allow /usr/include for gmp.h
o Changes to setup.py to allow linking fastmath w/ static mpir
on Windows without warning messages
o Changes to test_DSA/test_RSA to throw an exception if _fastmath
is present but cannot be imported (due to an issue building
_fastmath or the shared gmp/mpir libraries not being reachable)
o number.py has the code to flag a failing _fastmath, but that
code is commented out for a better runtime experience
o Clean up the if for py21compat import - should have been == not is
o Clean up some '== None' occurences, now 'is None' instead
Before this change, doing RSA.generate(128*5) would raise an exception saying:
"bits must be multiple of 128 and > 512"
This was because getStrongPrime was raising the exception when trying to
generate 320-bit primes (which is correct behaviour). Now, we raise a more
friendly error message:
"RSA modulus length must be a multiple of 256 and > 1024"
Typical usage for importing an RSA key:
f = file("ssl.pem")
key = RSA.importKey(f.read())
f.close()
key.verify(hash, signature)
Typical usage for exporting an RSA public key:
key = RSA.generate(512, randfunc)
f = file("ssl.der","w")
f.write(key.publickey.exportKey('DER'))
f.close()
I confirm I am eligible for submitting code to pycrypto according
to http://www.dlitz.net/software/pycrypto/submission-requirements/
fetched on 27 December 2009.
Committer: Legrandin <gooksankoo@hoiptorrow.mailexpire.com>
In an attempt to simplify the copyright status of PyCrypto, I'm placing my
code into the public domain, and encouraging other contributors to do the
same.
I have used a public domain dedication that was recommended in a book on FOSS legal
issues[1], followed by the warranty disclaimer boilerplate from the MIT license.
[1] _Intellectual Property and Open Source: A Practical Guide to Protecting
Code_, a book written by Van Lindberg and published by O'Reilly Media.
(ISBN 978-0-596-51796-0)
This will avoid the previous situation where scripts like the old "test.py"
get included accidentally in a release. It also frees us to put additional
build scripts in the top-level directory of the source tree.
