From 63d337e5cc01c026e16b51a1c0b7aba40d9108ef Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 27 Jun 2020 23:18:00 -0500 Subject: [PATCH] constrain RSA key generation more heavily (#5288) * constrain RSA key generation more heavily * constraint to just 3 & 65537 * explain change --- CHANGELOG.rst | 4 ++++ docs/hazmat/primitives/asymmetric/rsa.rst | 8 ++++++-- src/cryptography/hazmat/primitives/asymmetric/rsa.py | 10 +++++----- tests/hazmat/primitives/test_rsa.py | 7 ++++++- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 41c578305..45600a2ec 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,6 +16,10 @@ Changelog been removed (2.9.1+ is still supported). * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or newer. +* **BACKWARDS INCOMPATIBLE:** RSA + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` + no longer accepts ``public_exponent`` values except 65537 and 3 (the latter + for legacy purposes). * Deprecated support for Python 2. At the time there is no time table for actually dropping support, however we strongly encourage all users to upgrade their Python, as Python 2 no longer receives support from the Python core diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index 031acb9b9..ea4cce905 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -18,6 +18,10 @@ mathematical properties`_. .. versionadded:: 0.5 + .. versionchanged:: 3.0 + + Tightened restrictions on ``public_exponent``. + Generates a new RSA private key using the provided ``backend``. ``key_size`` describes how many :term:`bits` long the key should be. Larger keys provide more security; currently ``1024`` and below are considered @@ -37,8 +41,8 @@ mathematical properties`_. ... ) :param int public_exponent: The public exponent of the new key. - Usually one of the small Fermat primes 3, 5, 17, 257, 65537. If in - doubt you should `use 65537`_. + Either 65537 or 3 (for legacy purposes). Almost everyone should + `use 65537`_. :param int key_size: The length of the modulus in :term:`bits`. For keys generated in 2015 it is strongly recommended to be diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index f20cdf9c9..640577ad3 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -120,11 +120,11 @@ def generate_private_key(public_exponent, key_size, backend): def _verify_rsa_parameters(public_exponent, key_size): - if public_exponent < 3: - raise ValueError("public_exponent must be >= 3.") - - if public_exponent & 1 == 0: - raise ValueError("public_exponent must be odd.") + if public_exponent not in (3, 65537): + raise ValueError( + "public_exponent must be either 3 (for legacy compatibility) or " + "65537. Almost everyone should choose 65537 here!" + ) if key_size < 512: raise ValueError("key_size must be at least 512-bits.") diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index e6482651d..0e7bb6446 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -147,7 +147,7 @@ class TestRSA(object): @pytest.mark.parametrize( ("public_exponent", "key_size"), itertools.product( - (3, 5, 65537), + (3, 65537), (1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1536, 2048) ) ) @@ -170,6 +170,11 @@ class TestRSA(object): key_size=2048, backend=backend) + with pytest.raises(ValueError): + rsa.generate_private_key(public_exponent=65535, + key_size=2048, + backend=backend) + def test_cant_generate_insecure_tiny_key(self, backend): with pytest.raises(ValueError): rsa.generate_private_key(public_exponent=65537,