U gy@sdddddgZddlZddlZddlmZddlmZmZmZdd l m Z m Z dd l m Z dd lmZdd lmZmZmZdd lmZmZmZGdddeZd#ddZd$ddZddZddZddZddZddZ ddZ!dd Z"d%d!dZ#e#Z$d"Z%dS)&generate construct import_keyRsaKeyoidN)Random)tobytesbordtostr) DerSequenceDerNull) bytes_to_long)Integer)test_probable_primegenerate_probable_prime COMPOSITE)_expand_subject_public_key_info_create_subject_public_key_info _extract_subject_public_key_infoc@sReZdZdZddZeddZeddZedd Zed d Z ed d Z eddZ eddZ eddZ eddZeddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3ZdKd7d8Zd9d:Zd;d<Z d=d>Z!d?d@Z"dAdBZ#dCdDZ$dEdFZ%dGdHZ&dIdJZ'd5S)LraClass defining an RSA key, private or public. Do not instantiate directly. Use :func:`generate`, :func:`construct` or :func:`import_key` instead. :ivar n: RSA modulus :vartype n: integer :ivar e: RSA public exponent :vartype e: integer :ivar d: RSA private exponent :vartype d: integer :ivar p: First factor of the RSA modulus :vartype p: integer :ivar q: Second factor of the RSA modulus :vartype q: integer :ivar invp: Chinese remainder component (:math:`p^{-1} \text{mod } q`) :vartype invp: integer :ivar invq: Chinese remainder component (:math:`q^{-1} \text{mod } p`) :vartype invq: integer :ivar u: Same as ``invp`` :vartype u: integer cKst|}td}|tdB}|||fkr4td|D]\}}t|d||q<||kr|j|jd|_|j|jd|_ d|_ dS)a.Build an RSA key. :Keywords: n : integer The modulus. e : integer The public exponent. d : integer The private exponent. Only required for private keys. p : integer The first factor of the modulus. Only required for private keys. q : integer The second factor of the modulus. Only required for private keys. u : integer The CRT coefficient (inverse of p modulo q). Only required for private keys. ne)pqduzSome RSA components are missing_N) setkeys ValueErroritemssetattr_d_p_dp_q_dq_invq)selfkwargsZ input_setZ public_setZ private_set componentvaluer-szRsaKey.size_in_bitscCs|jdddS)z9The minimal amount of bytes that can hold the RSA modulusrr=r3r-r-r. size_in_bytesszRsaKey.size_in_bytescCs8d|kr|jks ntdttt||j|jS)NrzPlaintext too large)r2r r1powrr4)r) plaintextr-r-r._encryptszRsaKey._encryptc Csd|kr|jks ntd|s0tdtjd|jd}t|t||j|j|j}t||j|j }t||j |j }|||j |j }||j |}t ||j||j}|S)NrzCiphertext too largezThis is not a private keyr)Z min_inclusiveZ max_exclusive)r2r r5 TypeErrorrZ random_rangerAr4r%r$r'r&r<Z_mult_modulo_bytesr9) r) ciphertextrcpm1m2hmpresultr-r-r._decrypt_to_bytess  zRsaKey._decrypt_to_bytescCst||S)zLegacy private method)r rMr)rEr-r-r._decryptszRsaKey._decryptcCs t|dS)z"Whether this is an RSA private keyr#)hasattrr3r-r-r.r5szRsaKey.has_privatecCsdSNTr-r3r-r-r. can_encryptszRsaKey.can_encryptcCsdSrQr-r3r-r-r.can_signszRsaKey.can_signcCst|j|jdS)z^A matching RSA public key. Returns: a new :class:`RsaKey` object r)rr2r4r3r-r-r. public_keyszRsaKey.public_keycCsH||krdS|j|jks,|j|jkr0dS|s`. The recommended value is ``'PBKDF2WithHMAC-SHA512AndAES256-CBC'``. If ``None`` (default), the behavior depends on :attr:`format`: - if ``format='PEM'``, the obsolete PEM encryption scheme is used. It is based on MD5 for key derivation, and 3DES for encryption. - if ``format='DER'``, the ``'PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC'`` scheme is used. prot_params (dict): (*For private keys only*) The parameters to use to derive the encryption key from the passphrase. ``'protection'`` must be also specified. For all possible values, refer to :ref:`the encryption parameters of PKCS#8`. The recommendation is to use ``{'iteration_count':21000}`` for PBKDF2, and ``{'iteration_count':131072}`` for scrypt. randfunc (callable): A function that provides random bytes. Only used for PEM encoding. The default is :func:`Cryptodome.Random.get_random_bytes`. Returns: bytes: the encoded key Raises: ValueError:when the format is unknown or when you try to encrypt a private key with *DER* format and PKCS#1. .. warning:: If you don't provide a pass phrase, the private key will be exported in the clear! .. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt .. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt .. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt .. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt NZOpenSSHcSsg|] }|qSr-)to_bytes.0xr-r-r. dsz%RsaKey.export_key..rsssh-rsacSs g|]}tdt||qS)>I)structpacklen)reZkpr-r-r.rgjsssh-rsa rzRSA PRIVATE KEYZDERz&PKCS#1 private key cannot be encryptedPKCS8rbz PRIVATE KEY) key_paramszENCRYPTED PRIVATE KEYz"'protection' parameter must be setz"PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC) prot_paramsrsz PUBLIC KEYrbz3Unknown key format '%s'. Cannot export the RSA key.)rrget_random_bytesr4r2r joinbinascii b2a_base64r5r rrrrrrr9encoder Cryptodome.IOrrwraprr rrb)r)format passphraseZpkcsZ protectionrandfuncrtZe_bytesZn_byteskeyparts keystringZ binary_keyr`rrrbZpem_strr-r-r. export_keysxV         zRsaKey.export_keycOs |j||S:meta private:)r)r)argsr*r-r-r. exportKeyszRsaKey.exportKeycCs|Sr)rTr3r-r-r. publickeyszRsaKey.publickeycCs tddSrz0Use module Cryptodome.Signature.pkcs1_15 insteadNNotImplementedError)r)MKr-r-r.signsz RsaKey.signcCs tddSrr)r)r signaturer-r-r.verifysz RsaKey.verifycCs tddSrz/Use module Cryptodome.Cipher.PKCS1_OAEP insteadNr)r)rBrr-r-r.encryptszRsaKey.encryptcCs tddSrrrNr-r-r.decryptszRsaKey.decryptcCstdSrNrr)rBr-r-r.blindsz RsaKey.blindcCstdSrrrr-r-r.unblindszRsaKey.unblindcCstdSrrr3r-r-r.sizesz RsaKey.size)rbNrNNN)(__name__ __module__ __qualname____doc__r/propertyrrrrrr7r8r:r;rr>r@rCrMrOr5rRrSrTrWrXr[r^rarrrrrrrrrrr-r-r-r.r4sf            c sb|dkrtdddks$dkr,td|dkr:tj}td}}t||kr0|d|d>kr0|d}||}tdd|d>||krtdd|d>fd d }t|||d td|dd >fd d}t|||d } | }d| d} | }qN| krD| } | } t ||| | dS)aFCreate a new RSA key pair. The algorithm closely follows NIST `FIPS 186-4`_ in its sections B.3.1 and B.3.3. The modulus is the product of two non-strong probable primes. Each prime passes a suitable number of Miller-Rabin tests with random bases and a single Lucas test. Args: bits (integer): Key length, or size (in bits) of the RSA modulus. It must be at least 1024, but **2048 is recommended.** The FIPS standard only defines 1024, 2048 and 3072. Keyword Args: randfunc (callable): Function that returns random bytes. The default is :func:`Cryptodome.Random.get_random_bytes`. e (integer): Public RSA exponent. It must be an odd positive integer. It is typically a small number with very few ones in its binary representation. The FIPS standard requires the public exponent to be at least 65537 (the default). Returns: an RSA key object (:class:`RsaKey`, with private key). .. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf iz"RSA modulus length must be >= 1024rzBRSA public exponent must be a positive, odd integer larger than 2.Nrcs|ko|ddkSNr)gcd candidate)rmin_pr-r.filter_pszgenerate..filter_p)Z exact_bitsrZ prime_filterdcs*|ko(|ddko(t|kSr)rabsr)r min_distancemin_qrr-r.filter_qs zgenerate..filter_qrrrrrr) r rrvrr>sqrtrlcmr9r) bitsrrrrZsize_qZsize_prrrrrr-)rrrrrr.rs@      TcCsGdddt}|}td|D]\}}t||t|q |j}|j}t|ds`t||d}n0|j} t|dr~|j } |j } n| |d} | } | dd kr| d} qd }td}|s6|d kr6t| }|| kr,t |||}|dkr"||dkr"t |d|dkr"t| |d} d }q,|d9}q|d7}q|sDt d || d ksVt|| } t|drr|j}n | | }t||| | | |d}|r|dks||krt dt| |dkrt d|d@st d|r| dks| |krt dt| | dkr"t d| | |kr8t dt| tkrNt dt| tkrdt d| d| d}|| d | d}|| t|dkrt dt|dr|dks|| krt d| || dkrt d|S)a3Construct an RSA key from a tuple of valid RSA components. The modulus **n** must be the product of two primes. The public exponent **e** must be odd and larger than 1. In case of a private key, the following equations must apply: .. math:: \begin{align} p*q &= n \\ e*d &\equiv 1 ( \text{mod lcm} [(p-1)(q-1)]) \\ p*u &\equiv 1 ( \text{mod } q) \end{align} Args: rsa_components (tuple): A tuple of integers, with at least 2 and no more than 6 items. The items come in the following order: 1. RSA modulus *n*. 2. Public exponent *e*. 3. Private exponent *d*. Only required if the key is private. 4. First factor of *n* (*p*). Optional, but the other factor *q* must also be present. 5. Second factor of *n* (*q*). Optional. 6. CRT coefficient *q*, that is :math:`p^{-1} \text{mod }q`. Optional. Keyword Args: consistency_check (boolean): If ``True``, the library will verify that the provided components fulfil the main RSA properties. Raises: ValueError: when the key being imported fails the most basic RSA validity checks. Returns: An RSA key object (:class:`RsaKey`). c@s eZdZdS)zconstruct..InputCompsN)rrrr-r-r-r. InputCompsDsrrrrrrrrFrTz2Unable to compute factors p and q from exponent d.rzInvalid RSA public exponentz-RSA public exponent is not coprime to moduluszRSA modulus is not oddzInvalid RSA private exponentz.RSA private exponent is not coprime to modulusz RSA factors do not match moduluszRSA factor p is compositezRSA factor q is compositezInvalid RSA conditionzInvalid RSA component uzInvalid RSA component u with p)objectzipr"rrrrPrrrrrArr AssertionErrorrr9r5rrr1)Zrsa_componentsZconsistency_checkrZ input_compscompr,rrkeyrrrZktottZspottedakZcandrphirr-r-r.rs)       *       cGsNtj|ddd}|ddkr&tdt|ddt|d|d gS) N TZ nr_elementsZonly_ints_expectedrz(No PKCS#1 encoding of an RSA private keyr)r decoder rrr9encodedr*derr-r-r._import_pkcs1_privates rcGstj|ddd}t|S)NrTr)r rrrr-r-r._import_pkcs1_publicsrcGs6tdf}t|\}}}||ks&|dk r.tdt|S)N1.2.840.113549.1.1.10zNo RSA subjectPublicKeyInfo)rrr r)rr*oidsZalgoidZ encoded_keyparamsr-r-r._import_subjectPublicKeyInfos rcGst|}t|Sr0)rr)rr*Zsp_infor-r-r._import_x509_certsrcCsBddlm}tdf}|||}|d|kr4tdt|d|S)NrrqrzNo PKCS#8 encoded RSA keyr)r{rrrunwrapr _import_keyDER)rr~rrrrr-r-r. _import_pkcs8s    rc CsJtttttf}|D]*}z|||WStk r:YqXqtddS)z@Import an RSA key (public or private half), encoded in DER form.RSA key format is not supportedN)rrrrrr ) extern_keyr~Z decodingsZdecodingr-r-r.rsrcCsddlm}m}m}m}|||\}}|dkr6td||\}}||\} }||\} }||\} }||\} }||\} }||\}}||dd|| | | | | fD}t|S)Nr)import_openssh_private_generic read_bytes read_string check_paddingzssh-rsazThis SSH key is not RSAcSsg|]}t|qSr-)r from_bytesrdr-r-r.rg sz/_import_openssh_private_rsa..)Z_opensshrrrrr r)datapasswordrrrrZssh_nameZ decryptedrrrZiqmprrrZpaddedbuildr-r-r._import_openssh_private_rsas       rcCsVddlm}t|}|dk r$t|}|drVt|}|||\}}}t||}|S|dr|t||\}}}|r~d}t||S|dr t | dd} g} t | d krt d | dd d} | | d d | | d | d} qt| d} t| d } t| | gSt |dkrJt|dd krJt||Std dS)aImport an RSA key (public or private). Args: extern_key (string or byte string): The RSA key to import. The following formats are supported for an RSA **public key**: - X.509 certificate (binary or PEM format) - X.509 ``subjectPublicKeyInfo`` DER SEQUENCE (binary or PEM encoding) - `PKCS#1`_ ``RSAPublicKey`` DER SEQUENCE (binary or PEM encoding) - An OpenSSH line (e.g. the content of ``~/.ssh/id_ecdsa``, ASCII) The following formats are supported for an RSA **private key**: - PKCS#1 ``RSAPrivateKey`` DER SEQUENCE (binary or PEM encoding) - `PKCS#8`_ ``PrivateKeyInfo`` or ``EncryptedPrivateKeyInfo`` DER SEQUENCE (binary or PEM encoding) - OpenSSH (text format, introduced in `OpenSSH 6.5`_) For details about the PEM encoding, see `RFC1421`_/`RFC1423`_. passphrase (string or byte string): For private keys only, the pass phrase that encrypts the key. Returns: An RSA key object (:class:`RsaKey`). Raises: ValueError/IndexError/TypeError: When the given key cannot be parsed (possibly because the pass phrase is wrong). .. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt .. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt .. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt .. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt .. _`OpenSSH 6.5`: https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf rruNs-----BEGIN OPENSSH PRIVATE KEYs-----ro rrrkr0r)r{rbr startswithr rrrrx a2b_base64splitrnrlunpackappendrrrr r )rr~rbZ text_encodedZopenssh_encodedmarkerZenc_flagrLrrrlengthrrr-r-r.r s6)          z1.2.840.113549.1.1.1)Nr)T)N)&__all__rxrlZ CryptodomerZCryptodome.Util.py3compatrr r ZCryptodome.Util.asn1r r ZCryptodome.Util.numberr ZCryptodome.Math.NumbersrZCryptodome.Math.PrimalityrrrZCryptodome.PublicKeyrrrrrrrrrrrrrrrZ importKeyrr-r-r-r. s:    R     P