constrain RSA key generation more heavily (#5288)

* constrain RSA key generation more heavily * constraint to just 3 & 65537 * explain change
2026-05-14 20:37:55 +00:00 · 2020-06-27 23:18:00 -05:00 · 2020-06-27 23:18:00 -05:00 · 63d337e5cc
commit 63d337e5cc
parent 907ec96ee8
4 changed files with 21 additions and 8 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -16,6 +16,10 @@ Changelog
  been removed (2.9.1+ is still supported).
 * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must
  upgrade to 10.10 or newer.
+* **BACKWARDS INCOMPATIBLE:** RSA
+  :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
+  no longer accepts ``public_exponent`` values except 65537 and 3 (the latter
+  for legacy purposes).
 * Deprecated support for Python 2. At the time there is no time table for
  actually dropping support, however we strongly encourage all users to upgrade
  their Python, as Python 2 no longer receives support from the Python core
--- a/docs/hazmat/primitives/asymmetric/rsa.rst
+++ b/docs/hazmat/primitives/asymmetric/rsa.rst
@ -18,6 +18,10 @@ mathematical properties`_.

    .. versionadded:: 0.5

+    .. versionchanged:: 3.0
+
+        Tightened restrictions on ``public_exponent``.
+
    Generates a new RSA private key using the provided ``backend``.
    ``key_size`` describes how many :term:`bits` long the key should be. Larger
    keys provide more security; currently ``1024`` and below are considered
@ -37,8 +41,8 @@ mathematical properties`_.
        ... )

    :param int public_exponent: The public exponent of the new key.
-        Usually one of the small Fermat primes 3, 5, 17, 257, 65537. If in
-        doubt you should `use 65537`_.
+        Either 65537 or 3 (for legacy purposes). Almost everyone should
+        `use 65537`_.

    :param int key_size: The length of the modulus in :term:`bits`. For keys
        generated in 2015 it is strongly recommended to be
--- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py
@ -120,11 +120,11 @@ def generate_private_key(public_exponent, key_size, backend):


 def _verify_rsa_parameters(public_exponent, key_size):
-    if public_exponent < 3:
-        raise ValueError("public_exponent must be >= 3.")
-
-    if public_exponent & 1 == 0:
-        raise ValueError("public_exponent must be odd.")
+    if public_exponent not in (3, 65537):
+        raise ValueError(
+            "public_exponent must be either 3 (for legacy compatibility) or "
+            "65537. Almost everyone should choose 65537 here!"
+        )

    if key_size < 512:
        raise ValueError("key_size must be at least 512-bits.")
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
@ -147,7 +147,7 @@ class TestRSA(object):
    @pytest.mark.parametrize(
        ("public_exponent", "key_size"),
        itertools.product(
-            (3, 5, 65537),
+            (3, 65537),
            (1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1536, 2048)
        )
    )
@ -170,6 +170,11 @@ class TestRSA(object):
                                     key_size=2048,
                                     backend=backend)

+        with pytest.raises(ValueError):
+            rsa.generate_private_key(public_exponent=65535,
+                                     key_size=2048,
+                                     backend=backend)
+
    def test_cant_generate_insecure_tiny_key(self, backend):
        with pytest.raises(ValueError):
            rsa.generate_private_key(public_exponent=65537,