In the process of investigating the pycrypto/dome dependency on the python-rsa backend, I discovered that the PKCS8 encoding being performed for RSA private keys by the python-rsa backend is incompatible with the other backends.
Digging deeper, I found that the magic prefix[1] being added to the PKCS1 encoded private key[2] is both invalid per the PKCS8 spec[3] and incorrectly sets a static message size.
This results in the serialized keys being unreadable by any other system, and also in the python-rsa backend being unable to deserialize any keys written by a correct system.
Current magic prefix:
Full key from tests, header tweaked to have a valid length
30 # sequence
8204BD # DER-encoded sequence contents length of 1213 bytes -- INCORRECT STATIC LENGTH
020100 # integer: 0 -- Version
300D # sequence containing 13 bytes -- PrivateKeyAlgorithmIdentifier
06092A864886F70D010101 # OID -- rsaEncryption
0500 # NULL -- parameters
<PKCS1 key added>
Prefix should be:
30 # sequence
820945 # DER-encoded sequence contents length of 2373 bytes -- LENGTH MUST BE SET PER KEY
02 01 00 # integer: 0 -- Version
30 # sequence
0D # DER-encoded sequence contents length of 13 bytes -- PrivateKeyAlgorithmIdentifier
06092A864886F70D010101 # OID -- rsaEncryption
0500 # NULL -- parameters
04 # Octet String
82092F # DER-encoded octet string length of 2351 bytes -- LENGTH MUST BE SET PER KEY
<PKCS1 key added>
[1] https://github.com/mpdavis/python-jose/blob/master/jose/backends/rsa_backend.py#L15
[2] https://github.com/mpdavis/python-jose/blob/master/jose/backends/rsa_backend.py#L186
[3] https://tools.ietf.org/html/rfc5208#page-5
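The corrected layout above, as an added example that is not part of the original issue and is not python-jose code: the wrapper is built with both DER lengths computed from the key being serialized, and unwrapped by parsing the structure rather than stripping a fixed prefix. The function names and the `SAMPLE_PKCS1` stand-in are assumptions made for illustration.

```python
# Added example, not python-jose code; function names are hypothetical.
# Constants are the DER bytes listed in the issue (RFC 5208 PrivateKeyInfo).
VERSION_0 = bytes.fromhex("020100")  # INTEGER 0
RSA_ALG_ID = bytes.fromhex("300D06092A864886F70D0101010500")  # rsaEncryption, NULL

# Constructed stand-in for a 2351-byte PKCS#1 key (the size used in the issue).
SAMPLE_PKCS1 = b"\x30" + bytes(2350)


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_tlv(buf, pos, tag):
    """Return (content, next_pos) for the TLV at pos; reject bad tag or length."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + length], pos + length


def pkcs1_to_pkcs8(pkcs1_der):
    """Wrap a PKCS#1 RSAPrivateKey; both lengths are computed from this key."""
    octet = b"\x04" + der_length(len(pkcs1_der)) + pkcs1_der
    body = VERSION_0 + RSA_ALG_ID + octet
    return b"\x30" + der_length(len(body)) + body


def pkcs8_to_pkcs1(pkcs8_der):
    """Parse the wrapper instead of slicing off a fixed-size prefix."""
    body, end = read_tlv(pkcs8_der, 0, 0x30)
    if end != len(pkcs8_der):
        raise ValueError("outer SEQUENCE length does not match the data")
    version, pos = read_tlv(body, 0, 0x02)
    alg, pos = read_tlv(body, pos, 0x30)
    if version != b"\x00" or alg != RSA_ALG_ID[2:]:
        raise ValueError("not a version 0 rsaEncryption PrivateKeyInfo")
    key, _ = read_tlv(body, pos, 0x04)
    return key
```

A parser written this way rejects a blob that carries the static 1213-byte header in front of a key of any other size, which is the interoperability failure the issue describes.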