o n~bp@sgdZddlZddlZddlmZddlmZmZmZddl m Z ddl m Z ddl mZmZmZddlmZmZmZGd d d eZd"d d Zd#ddZddZddZddZddZddZddZddZd$dd Z e Z!d!Z"dS)%)generate construct import_keyRsaKeyoidN)Random)tobytesbordtostr) DerSequence)Integer)test_probable_primegenerate_probable_prime COMPOSITE)_expand_subject_public_key_info_create_subject_public_key_info _extract_subject_public_key_infoc@seZdZdZddZeddZeddZedd Zed d Z ed d Z eddZ ddZ ddZ ddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Z , +d=d-d.ZeZeZd/d0Zd1d2Zd3d4Zd5d6Zd7d8Z d9d:Z!d;d<Z"d+S)>raPClass defining an actual RSA key. Do not instantiate directly. Use :func:`generate`, :func:`construct` or :func:`import_key` instead. :ivar n: RSA modulus :vartype n: integer :ivar e: RSA public exponent :vartype e: integer :ivar d: RSA private exponent :vartype d: integer :ivar p: First factor of the RSA modulus :vartype p: integer :ivar q: Second factor of the RSA modulus :vartype q: integer :ivar u: Chinese remainder component (:math:`p^{-1} \text{mod } q`) :vartype u: integer :undocumented: exportKey, publickey cKst|}td}|tdB}|||fvrtd|D] \}}t|d||q||krC|j|jd|_|j|jd|_ dSdS)a.Build an RSA key. :Keywords: n : integer The modulus. e : integer The public exponent. d : integer The private exponent. Only required for private keys. p : integer The first factor of the modulus. Only required for private keys. q : integer The second factor of the modulus. Only required for private keys. u : integer The CRT coefficient (inverse of p modulo q). Only required for private keys. ne)pqduzSome RSA components are missing_N) setkeys ValueErroritemssetattr_d_p_dp_q_dq)selfkwargsZ input_setZ public_setZ private_set componentvaluer*C/usr/local/lib/python3.10/dist-packages/Cryptodome/PublicKey/RSA.py__init__Ms   zRsaKey.__init__cC t|jSN)int_nr&r*r*r+rk zRsaKey.ncCr-r.)r/_er1r*r*r+ror2zRsaKey.ecC|stdt|jS)Nz-No private exponent available for public keys) has_privateAttributeErrorr/r!r1r*r*r+rs zRsaKey.dcCr4)Nz.No CRT component 'p' available for public keys)r5r6r/r"r1r*r*r+ryr7zRsaKey.pcCr4)Nz.No CRT component 'q' available for public keys)r5r6r/r$r1r*r*r+rr7zRsaKey.qcCr4)Nz.No CRT component 'u' available for public keys)r5r6r/_ur1r*r*r+rr7zRsaKey.ucCs |jS)zSize of the RSA modulus in bitsr0 size_in_bitsr1r*r*r+r:r2zRsaKey.size_in_bitscCs|jdddS)z9The minimal amount of bytes that can hold the RSA modulusrr9r1r*r*r+ size_in_bytesszRsaKey.size_in_bytescCs>d|kr|jkstdtdttt||j|jS)NrzPlaintext too large)r0rr/powr r3)r& plaintextr*r*r+_encrypts zRsaKey._encryptc Csd|kr|jkstdtd|stdtjd|jd}t|t||j|j|j}t||j|j }t||j |j }|||j |j }||j |}| |j||j}|t||j|jkrltd|S)NrzCiphertext too largezThis is not a private keyr)Z min_inclusiveZ max_exclusivez Fault detected in RSA decryption)r0rr5 TypeErrorr Z random_ranger=r3r#r"r%r$r8inverse) r& ciphertextrcpm1m2hmpresultr*r*r+_decrypts zRsaKey._decryptcCs t|dS)z"Whether this is an RSA private keyr!)hasattrr1r*r*r+r5s zRsaKey.has_privatecCdSNTr*r1r*r*r+ can_encryptzRsaKey.can_encryptcCrLrMr*r1r*r*r+can_signrOzRsaKey.can_signcCst|j|jdS)z^A matching RSA public key. Returns: a new :class:`RsaKey` object r)rr0r3r1r*r*r+ public_keyszRsaKey.public_keycCsH||kr dS|j|jks|j|jkrdS|sdS|j|jkS)NFT)r5rrrr&otherr*r*r+__eq__s z RsaKey.__eq__cCs ||k Sr.r*rRr*r*r+__ne__s z RsaKey.__ne__cCsddlm}|)Nr) PicklingError)picklerV)r&rVr*r*r+ __getstate__s zRsaKey.__getstate__cCsP|rdt|jt|jt|jt|jf}nd}dt|jt|j|fS)Nz, d=%d, p=%d, q=%d, u=%dzRsaKey(n=%d, e=%d%s))r5r/r!r"r$r8r0r3)r&extrar*r*r+__repr__s zRsaKey.__repr__cCs"|rd}nd}d|t|fS)NZPrivateZPublicz%s RSA key at 0x%X)r5id)r&key_typer*r*r+__str__szRsaKey.__str__PEMNrc Cs|durt|}|durtj}|dkrRdd|j|jfD\}}t|dd@r,d|}t|dd@r8d|}d||g}d d d|D} d t| dd S| rt d|j |j |j |j|j|j |jd |j |jd t|j|jg } |d krd} |dkr|rtdn6ddlm} |dkr|durd} | | td} nd} |sd}| | t||} d}n d} ttt |j |j g} |dkr| S|dkrddlm} | | | ||}t|Std|)a5 Export this RSA key. Args: format (string): The format to use for wrapping the key: - *'PEM'*. (*Default*) Text encoding, done according to `RFC1421`_/`RFC1423`_. - *'DER'*. Binary encoding. - *'OpenSSH'*. Textual encoding, done according to OpenSSH specification. Only suitable for public keys (not private keys). passphrase (string): (*For private keys only*) The pass phrase used for protecting the output. pkcs (integer): (*For private keys only*) The ASN.1 structure to use for serializing the key. Note that even in case of PEM encoding, there is an inner ASN.1 DER structure. With ``pkcs=1`` (*default*), the private key is encoded in a simple `PKCS#1`_ structure (``RSAPrivateKey``). With ``pkcs=8``, the private key is encoded in a `PKCS#8`_ structure (``PrivateKeyInfo``). .. note:: This parameter is ignored for a public key. For DER and PEM, an ASN.1 DER ``SubjectPublicKeyInfo`` structure is always used. protection (string): (*For private keys only*) The encryption scheme to use for protecting the private key. If ``None`` (default), the behavior depends on :attr:`format`: - For *'DER'*, the *PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC* scheme is used. The following operations are performed: 1. A 16 byte Triple DES key is derived from the passphrase using :func:`Cryptodome.Protocol.KDF.PBKDF2` with 8 bytes salt, and 1 000 iterations of :mod:`Cryptodome.Hash.HMAC`. 2. The private key is encrypted using CBC. 3. The encrypted key is encoded according to PKCS#8. - For *'PEM'*, the obsolete PEM encryption scheme is used. It is based on MD5 for key derivation, and Triple DES for encryption. Specifying a value for :attr:`protection` is only meaningful for PKCS#8 (that is, ``pkcs=8``) and only if a pass phrase is present too. The supported schemes for PKCS#8 are listed in the :mod:`Cryptodome.IO.PKCS8` module (see :attr:`wrap_algo` parameter). randfunc (callable): A function that provides random bytes. Only used for PEM encoding. The default is :func:`Cryptodome.Random.get_random_bytes`. Returns: byte string: the encoded key Raises: ValueError:when the format is unknown or when you try to encrypt a private key with *DER* format and PKCS#1. .. warning:: If you don't provide a pass phrase, the private key will be exported in the clear! .. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt .. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt .. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt .. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt NZOpenSSHcSsg|]}|qSr*)to_bytes.0xr*r*r+ 7sz%RsaKey.export_key..rsssh-rsacSs g|] }tdt||qS)>I)structpacklen)rbkpr*r*r+rd=s ssh-rsa rzRSA PRIVATE KEYZDERz&PKCS#1 private key cannot be encryptedPKCS8r_z PRIVATE KEYzENCRYPTED PRIVATE KEYz"PBKDF2WithHMAC-SHA1AndDES-EDE3-CBCz PUBLIC KEYr_z3Unknown key format '%s'. Cannot export the RSA key.)rrget_random_bytesr3r0r joinbinascii b2a_base64r5r rrrrrr rAencoder Cryptodome.IOrpwraprrr_)r&format passphraseZpkcsZ protectionrandfuncZe_bytesZn_byteskeyparts keystringZ binary_keyr]rpr_Zpem_strr*r*r+ export_keysnM       zRsaKey.export_keycCtdNz0Use module Cryptodome.Signature.pkcs1_15 insteadNotImplementedError)r&MKr*r*r+signtz RsaKey.signcCrrr)r&r signaturer*r*r+verifywrz RsaKey.verifycCrNz/Use module Cryptodome.Cipher.PKCS1_OAEP insteadr)r&r>rr*r*r+encryptzrzRsaKey.encryptcCrrr)r&rBr*r*r+decrypt}rzRsaKey.decryptcCtr.rr&rBr*r*r+blindrOz RsaKey.blindcCrr.rrr*r*r+unblindrOzRsaKey.unblindcCrr.rr1r*r*r+sizerOz RsaKey.size)r_NrNN)#__name__ __module__ __qualname____doc__r,propertyrrrrrrr:r<r?rJr5rNrPrQrTrUrXr[r^r~Z exportKeyZ publickeyrrrrrrrr*r*r*r+r3sR         rc sv|dkrtdddksdkrtd|durtj}td}}t||kr|d|d>kr|d}||}tdd|d>||kr[tdd|d>fd d }t|||d td|dd >fd d}t|||d } | }d| d} | }||kr|d|d>ks5| kr| } | } t ||| | dS)a4Create a new RSA key pair. The algorithm closely follows NIST `FIPS 186-4`_ in its sections B.3.1 and B.3.3. The modulus is the product of two non-strong probable primes. Each prime passes a suitable number of Miller-Rabin tests with random bases and a single Lucas test. Args: bits (integer): Key length, or size (in bits) of the RSA modulus. It must be at least 1024, but **2048 is recommended.** The FIPS standard only defines 1024, 2048 and 3072. randfunc (callable): Function that returns random bytes. The default is :func:`Cryptodome.Random.get_random_bytes`. e (integer): Public RSA exponent. It must be an odd positive integer. It is typically a small number with very few ones in its binary representation. The FIPS standard requires the public exponent to be at least 65537 (the default). Returns: an RSA key object (:class:`RsaKey`, with private key). .. _FIPS 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf iz"RSA modulus length must be >= 1024rzBRSA public exponent must be a positive, odd integer larger than 2.Nrcs|ko |ddkSNr)gcd candidate)rmin_pr*r+filter_pszgenerate..filter_p)Z exact_bitsr{Z prime_filterdcs*|ko|ddkot|kSr)rabsr)r min_distancemin_qrr*r+filter_qs zgenerate..filter_qrrrrrr) rrrrr r:sqrtrlcmrAr) bitsr{rrrZsize_qZsize_prrrrrr*)rrrrrr+rsB  !  rTcCsGdddt}|}td|D] \}}t||t|q|j}|j}t|ds/t||d}n|j} t|dr>|j } |j } nt| |d} | } | dd krV| d} | dd ksLd }td}|s|d krt| }|| krt |||}|dkr||dkrt |d|dkrt| |d} d }n|d9}|| ksj|d7}|s|d ksb|st d || d ksJ|| } t|dr|j}n| | }t||| | | |d}|rq|dks||krt dt| |dkrt d|d@st d|rq| dks| |krt dt| | dkr t d| | |krt dt| tkr#t dt| tkr.t d| d| d}|| d | d}|| t|dkrPt dt|drq|dks`|| krdt d| || dkrqt d|S)a!Construct an RSA key from a tuple of valid RSA components. The modulus **n** must be the product of two primes. The public exponent **e** must be odd and larger than 1. In case of a private key, the following equations must apply: .. math:: \begin{align} p*q &= n \\ e*d &\equiv 1 ( \text{mod lcm} [(p-1)(q-1)]) \\ p*u &\equiv 1 ( \text{mod } q) \end{align} Args: rsa_components (tuple): A tuple of integers, with at least 2 and no more than 6 items. The items come in the following order: 1. RSA modulus *n*. 2. Public exponent *e*. 3. Private exponent *d*. Only required if the key is private. 4. First factor of *n* (*p*). Optional, but the other factor *q* must also be present. 5. Second factor of *n* (*q*). Optional. 6. CRT coefficient *q*, that is :math:`p^{-1} \text{mod }q`. Optional. consistency_check (boolean): If ``True``, the library will verify that the provided components fulfil the main RSA properties. Raises: ValueError: when the key being imported fails the most basic RSA validity checks. Returns: An RSA key object (:class:`RsaKey`). c@s eZdZdS)zconstruct..InputCompsN)rrrr*r*r*r+ InputCompssrrrrrrrrFrTz2Unable to compute factors p and q from exponent d.rzInvalid RSA public exponentz-RSA public exponent is not coprime to moduluszRSA modulus is not oddzInvalid RSA private exponentz.RSA private exponent is not coprime to modulusz RSA factors do not match moduluszRSA factor p is compositezRSA factor q is compositezInvalid RSA conditionzInvalid RSA component uzInvalid RSA component u with p)objectzipr r rrrKrrrrr=rrrrAr5r rr/)Zrsa_componentsZconsistency_checkrZ input_compscompr)rrkeyrrrZktottZspottedakcandrphirr*r*r+rs(       $     rcGsNtj|ddd}|ddkrtdt|ddt|d|d gS) N TZ nr_elementsZonly_ints_expectedrz(No PKCS#1 encoding of an RSA private keyr)r decoderrr rAencodedr'derr*r*r+_import_pkcs1_privatejs (rcGstj|ddd}t|S)NrTr)r rrrr*r*r+_import_pkcs1_public~srcGs.t|\}}}|tks|durtdt|S)NzNo RSA subjectPublicKeyInfo)rrrr)rr'ZalgoidZ encoded_keyparamsr*r*r+_import_subjectPublicKeyInfosrcGst|}t|Sr.)rr)rr'Zsp_infor*r*r+_import_x509_certsrcCs:ddlm}|||}|dtkrtdt|d|S)NrrozNo PKCS#8 encoded RSA keyr)rwrpunwraprr_import_keyDER)rrzrprr*r*r+ _import_pkcs8s   rc CsBtttttf}|D]}z|||WStyYq wtd)z@Import an RSA key (public or private half), encoded in DER form.RSA key format is not supported)rrrrrr) extern_keyrzZ decodingsZdecodingr*r*r+rs rcCsddlm}m}m}m}|||\}}|dkrtd||\}}||\} }||\} }||\} }||\} }||\} }||\}}||dd|| | | | | fD}t|S)Nr)import_openssh_private_generic read_bytes read_string check_paddingzssh-rsazThis SSH key is not RSAcSsg|]}t|qSr*)r from_bytesrar*r*r+rdsz/_import_openssh_private_rsa..)Z_opensshrrrrrr)datapasswordrrrrZssh_nameZ decryptedrrrZiqmprrrpaddedbuildr*r*r+_import_openssh_private_rsas       rcCsVddlm}t|}|durt|}|dr+t|}|||\}}}t||}|S|drD|t||\}}}|r?d}t||S|drt | dd} g} t | d krt d | dd d} | | d d | | d | d} t | d ks[t| d} t| d } t| | gSt |dkrt|dd krt||Std )aImport an RSA key (public or private). Args: extern_key (string or byte string): The RSA key to import. The following formats are supported for an RSA **public key**: - X.509 certificate (binary or PEM format) - X.509 ``subjectPublicKeyInfo`` DER SEQUENCE (binary or PEM encoding) - `PKCS#1`_ ``RSAPublicKey`` DER SEQUENCE (binary or PEM encoding) - An OpenSSH line (e.g. the content of ``~/.ssh/id_ecdsa``, ASCII) The following formats are supported for an RSA **private key**: - PKCS#1 ``RSAPrivateKey`` DER SEQUENCE (binary or PEM encoding) - `PKCS#8`_ ``PrivateKeyInfo`` or ``EncryptedPrivateKeyInfo`` DER SEQUENCE (binary or PEM encoding) - OpenSSH (text format, introduced in `OpenSSH 6.5`_) For details about the PEM encoding, see `RFC1421`_/`RFC1423`_. passphrase (string or byte string): For private keys only, the pass phrase that encrypts the key. Returns: An RSA key object (:class:`RsaKey`). Raises: ValueError/IndexError/TypeError: When the given key cannot be parsed (possibly because the pass phrase is wrong). .. _RFC1421: http://www.ietf.org/rfc/rfc1421.txt .. _RFC1423: http://www.ietf.org/rfc/rfc1423.txt .. _`PKCS#1`: http://www.ietf.org/rfc/rfc3447.txt .. _`PKCS#8`: http://www.ietf.org/rfc/rfc5208.txt .. _`OpenSSH 6.5`: https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf rrqNs-----BEGIN OPENSSH PRIVATE KEYs-----rm rrrhr0r)rwr_r startswithr rrrrt a2b_base64splitrkriunpackappendr rrr r)rrzr_Z text_encodedZopenssh_encodedmarkerZenc_flagrIrr}r|lengthrrr*r*r+rs8 )         rz1.2.840.113549.1.1.1)Nr)Tr.)#__all__rtriZ CryptodomerZCryptodome.Util.py3compatrr r ZCryptodome.Util.asn1r ZCryptodome.Math.Numbersr ZCryptodome.Math.Primalityr rrZCryptodome.PublicKeyrrrrrrrrrrrrrrrZ importKeyrr*r*r*r+s2    Y Q   P