* Bump RSA-512 test keys to RSA-2048
RSA-512 was broken in 1999. cryptography.io should not be requesting
its backend library support it in 2024.
* Update test-vectors.rst
The replacement keys were generated fresh, and this document seems to
just cite the external ones.
* Document custom test vectors
* extensions: EKU must contain at least one member
Signed-off-by: William Woodruff <william@trailofbits.com>
* record changes
Signed-off-by: William Woodruff <william@trailofbits.com>
* empty EKU test vector
Signed-off-by: William Woodruff <william@trailofbits.com>
* typo
Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
* Add support for encrypting S/MIME messages
* Move PKCS7 decrypt test function to Rust
* Use symmetric encryption function from PKCS12
* Remove debug file write from tests
* Remove unneeded backend parameter
* docs and changelog
Given the RSA public exponent (`e`), and the RSA primes (`p`, `q`), it is possible
to calculate the corresponding private exponent `d = e⁻¹ mod λ(n)` where
`λ(n) = lcm(p-1, q-1)`.
With this function added, it becomes possible to use the library to reconstruct an RSA
private key given *only* `p`, `q`, and `e`:
from cryptography.hazmat.primitives.asymmetric import rsa
n = p * q
d = rsa.rsa_recover_private_exponent(e, p, q) # newly-added piece
iqmp = rsa.rsa_crt_iqmp(p, q) # preexisting
dmp1 = rsa.rsa_crt_dmp1(d, p) # preexisting
dmq1 = rsa.rsa_crt_dmq1(d, q) # preexisting
assert rsa.rsa_recover_prime_factors(n, e, d) in ((p, q), (q, p)) # verify consistency
privk = rsa.RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, rsa.RSAPublicNumbers(e, n)).private_key()
Older RSA implementations, including the original RSA paper, often used the
Euler totient function `ɸ(n) = (p-1) * (q-1)` instead of `λ(n)`. The
private exponents generated by that method work equally well, but may be
larger than strictly necessary (`λ(n)` always divides `ɸ(n)`). This commit
additionally implements `_rsa_recover_euler_private_exponent`, so that tests
of the internal structure of RSA private keys can allow for either the Euler
or the Carmichael versions of the private exponents.
It makes sense to expose only the more modern version (using the Carmichael
totient function) for public usage, given that it is slightly more
computationally efficient to use the keys in this form, and that some
standards like FIPS 186-4 require this form. (See
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=63)
* Update reference.rst
This code snippet works when importing the extension oid
* Apply suggestions from code review
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Fix more misspellings
* Apply codespell suggestion: implementor → implementer
This is not exactly a misspelling, but:
* From Garner's Modern English Usage (4 ed.)
Although the variant spelling ✳implementor predominated for much of
the late 20th century, today implementer is considered standard.
* The Google Ngram Viewer shows a ratio of almost 10:1 in 2019.
* verification: WIP client verification skeleton
Signed-off-by: William Woodruff <william@yossarian.net>
* verify: fill in build_client_verifier
Signed-off-by: William Woodruff <william@yossarian.net>
* implement ClientVerifier.verify
Signed-off-by: William Woodruff <william@yossarian.net>
* verification: make Python 3.8 happy
Signed-off-by: William Woodruff <william@yossarian.net>
* switch to a full VerifiedClient type
Signed-off-by: William Woodruff <william@yossarian.net>
* remove the SubjectOwner::None hack
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: fix ClientVerifier
Signed-off-by: William Woodruff <william@yossarian.net>
* verification: replace match with if
Signed-off-by: William Woodruff <william@yossarian.net>
* return GNs directly, not whole extension
Signed-off-by: William Woodruff <william@yossarian.net>
* docs/verification: document UnsupportedGeneralNameType raise
Signed-off-by: William Woodruff <william@yossarian.net>
* lib: RFC822 checks on NCs
* test_limbo: enable client tests
* tests: flake
* test_verification: more Python API coverage
* verification: filter GNs by NC support
* verification: forbid unsupported NC GNs
This is what we should have been doing originally, per
RFC 5280 4.2.1.10:
> If a name constraints extension that is marked as critical
> imposes constraints on a particular name form, and an instance of
> that name form appears in the subject field or subjectAltName
> extension of a subsequent certificate, then the application MUST
> either process the constraint or reject the certificate.
* docs/verification: remove old sentence
Signed-off-by: William Woodruff <william@yossarian.net>
* verification: ensure the right EKU for client/server paths
Signed-off-by: William Woodruff <william@yossarian.net>
* test_limbo: fixup EKU assertion
* verification: feedback
---------
Signed-off-by: William Woodruff <william@yossarian.net>
* allow SPKI RSA keys to be parsed even if they have an incorrect delimiter
This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed
even if they are using the RSA PUBLIC KEY delimiter.
* formatting
* use original error if nothing parses, don't let it parse non-RSA
* Update ocsp.rst
Added warning about SHA1 being used for sign()
* Update ocsp.rst
Fixed spelling issues, at least according to en-GB dictionary.
* Update ocsp.rst
Spell checker didn't catch "algorithim" somehow.
* Update ocsp.rst
Attempting to rephrase the warning.
* Update ocsp.rst
Removing rouge space.
