multiprime support

added fast CRT-based decryption to core
added multiprime key support
correction (see issue sybrenstuvel#205, PR sybrenstuvel#206)
added multiprime tests

Author: myheroyuki

rsa/__init__.py

@@ -35,8 +35,8 @@
 )
 
 __author__ = "Sybren Stuvel, Barry Mead and Yesudeep Mangalapilly"
-__date__ = "2023-04-23"
-__version__ = "4.10-dev0"
+__date__ = "2025-04-16"
+__version__ = "4.9.1"
 
 # Do doctest if we're run directly
 if __name__ == "__main__":

rsa/core.py

@@ -23,7 +23,7 @@ def assert_int(var: int, name: str) -> None:
     if isinstance(var, int):
         return
 
-    raise TypeError("{} should be an integer, not {}".format(name, var.__class__))
+    raise TypeError("%s should be an integer, not %s" % (name, var.__class__))
 
 
 def encrypt_int(message: int, ekey: int, n: int) -> int:
@@ -36,7 +36,7 @@ def encrypt_int(message: int, ekey: int, n: int) -> int:
     if message < 0:
         raise ValueError("Only non-negative numbers are supported")
 
-    if message >= n:
+    if message > n:
         raise OverflowError("The message %i is too long for n=%i" % (message, n))
 
     return pow(message, ekey, n)

rsa/key.py

@@ -31,7 +31,6 @@
 
 """
 
-import abc
 import threading
 import typing
 import warnings
@@ -49,7 +48,7 @@
 T = typing.TypeVar("T", bound="AbstractKey")
 
 
-class AbstractKey(metaclass=abc.ABCMeta):
+class AbstractKey:
     """Abstract superclass for private and public keys."""
 
     __slots__ = ("n", "e", "blindfac", "blindfac_inverse", "mutex")
@@ -66,7 +65,6 @@ def __init__(self, n: int, e: int) -> None:
         self.mutex = threading.Lock()
 
     @classmethod
-    @abc.abstractmethod
     def _load_pkcs1_pem(cls: typing.Type[T], keyfile: bytes) -> T:
         """Loads a key in PKCS#1 PEM format, implement in a subclass.
 
@@ -79,7 +77,6 @@ def _load_pkcs1_pem(cls: typing.Type[T], keyfile: bytes) -> T:
         """
 
     @classmethod
-    @abc.abstractmethod
     def _load_pkcs1_der(cls: typing.Type[T], keyfile: bytes) -> T:
         """Loads a key in PKCS#1 PEM format, implement in a subclass.
 
@@ -91,15 +88,13 @@ def _load_pkcs1_der(cls: typing.Type[T], keyfile: bytes) -> T:
         :rtype: AbstractKey
         """
 
-    @abc.abstractmethod
     def _save_pkcs1_pem(self) -> bytes:
         """Saves the key in PKCS#1 PEM format, implement in a subclass.
 
         :returns: the PEM-encoded key.
         :rtype: bytes
         """
 
-    @abc.abstractmethod
     def _save_pkcs1_der(self) -> bytes:
         """Saves the key in PKCS#1 DER format, implement in a subclass.
 
@@ -491,6 +486,19 @@ def blinded_decrypt(self, encrypted: int) -> int:
 
         return self.unblind(decrypted, blindfac_inverse)
 
+    def blinded_encrypt(self, message: int) -> int:
+        """Encrypts the message using blinding to prevent side-channel attacks.
+
+        :param message: the message to encrypt
+        :type message: int
+
+        :returns: the encrypted message
+        :rtype: int
+        """
+
+        blinded, blindfac_inverse = self.blind(message)
+        encrypted = rsa.core.encrypt_int(blinded, self.d, self.n)
+        return self.unblind(encrypted, blindfac_inverse)
 
     @classmethod
     def _load_pkcs1_der(cls, keyfile: bytes) -> "PrivateKey":

rsa/pkcs1.py

@@ -47,9 +47,6 @@
     "SHA-256": b"\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20",
     "SHA-384": b"\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02\x05\x00\x04\x30",
     "SHA-512": b"\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03\x05\x00\x04\x40",
-    "SHA3-256": b"\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x08\x05\x00\x04\x20",
-    "SHA3-384": b"\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x09\x05\x00\x04\x30",
-    "SHA3-512": b"\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x0a\x05\x00\x04\x40",
 }
 
 HASH_METHODS: typing.Dict[str, typing.Callable[[], HashType]] = {
@@ -59,13 +56,29 @@
     "SHA-256": hashlib.sha256,
     "SHA-384": hashlib.sha384,
     "SHA-512": hashlib.sha512,
-    "SHA3-256": hashlib.sha3_256,
-    "SHA3-384": hashlib.sha3_384,
-    "SHA3-512": hashlib.sha3_512,
 }
 """Hash methods supported by this library."""
 
 
+if sys.version_info >= (3, 6):
+    # Python 3.6 introduced SHA3 support.
+    HASH_ASN1.update(
+        {
+            "SHA3-256": b"\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x08\x05\x00\x04\x20",
+            "SHA3-384": b"\x30\x41\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x09\x05\x00\x04\x30",
+            "SHA3-512": b"\x30\x51\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x0a\x05\x00\x04\x40",
+        }
+    )
+
+    HASH_METHODS.update(
+        {
+            "SHA3-256": hashlib.sha3_256,
+            "SHA3-384": hashlib.sha3_384,
+            "SHA3-512": hashlib.sha3_512,
+        }
+    )
+
+
 class CryptoError(Exception):
     """Base class for all exceptions in this module."""
 
@@ -274,8 +287,8 @@ def decrypt(crypto: bytes, priv_key: key.PrivateKey) -> bytes:
 def sign_hash(hash_value: bytes, priv_key: key.PrivateKey, hash_method: str) -> bytes:
     """Signs a precomputed hash with the private key.
 
-    Signs the hash with the given key. This is known as a "detached signature",
-    because the message itself isn't altered.
+    Hashes the message, then signs the hash with the given key. This is known
+    as a "detached signature", because the message itself isn't altered.
 
     :param hash_value: A precomputed hash to sign (ignores message).
     :param priv_key: the :py:class:`rsa.PrivateKey` to sign with
@@ -298,7 +311,7 @@ def sign_hash(hash_value: bytes, priv_key: key.PrivateKey, hash_method: str) ->
     padded = _pad_for_signing(cleartext, keylength)
 
     payload = transform.bytes2int(padded)
-    encrypted = priv_key.blinded_decrypt(payload)
+    encrypted = priv_key.blinded_encrypt(payload)
     block = transform.int2bytes(encrypted, keylength)
 
     return block
@@ -342,11 +355,8 @@ def verify(message: bytes, signature: bytes, pub_key: key.PublicKey) -> str:
     """
 
     keylength = common.byte_size(pub_key.n)
-    if len(signature) != keylength:
-        raise VerificationError("Verification failed")
-    
     encrypted = transform.bytes2int(signature)
-    decrypted = core.encrypt_int(encrypted, pub_key.e, pub_key.n)
+    decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
     clearsig = transform.int2bytes(decrypted, keylength)
 
     # Get the hash method
@@ -357,6 +367,9 @@ def verify(message: bytes, signature: bytes, pub_key: key.PublicKey) -> str:
     cleartext = HASH_ASN1[method_name] + message_hash
     expected = _pad_for_signing(cleartext, keylength)
 
+    if len(signature) != keylength:
+        raise VerificationError("Verification failed")
+
     # Compare with the signed one
     if expected != clearsig:
         raise VerificationError("Verification failed")

tests/test_key.py

@@ -75,6 +75,19 @@ def getprime(_):
         self.assertEqual(39317, p)
         self.assertEqual(33107, q)
 
+    def test_multiprime(self):
+        primes = [64123, 50957, 39317, 33107]
+        exponent = 2**2**4 + 1
+
+        def getprime(_):
+            return primes.pop(0)
+        (p, q, e, d, rs) = rsa.key.gen_keys(
+            128, accurate=False, getprime_func=getprime, exponent=exponent, nprimes=4
+        )
+        self.assertEqual(64123, p)
+        self.assertEqual(50957, q)
+        self.assertEqual(rs, [39317, 33107])
+
 
 class HashTest(unittest.TestCase):
     """Test hashing of keys"""

tests/test_load_save_keys.py

@@ -209,6 +209,155 @@ def test_load_from_disk(self):
         self.assertEqual(14617195220284816877, privkey.q)
 
 
+MP_B64PRIV_DER = b"MEoCAQACCDsGeWW1Om5xAgMBAAECBQDHn4npAgMA+nsCAwDHDQICcw0CAwCWDQICTjYCAwCZlQICaukCAioVAgMAgVMCAksjAgIq3g=="
+MP_PRIVATE_DER = base64.standard_b64decode(MP_B64PRIV_DER)
+
+MP_B64PUB_DER = b"MA8CCDsGeWW1Om5xAgMBAAE="
+MP_PUBLIC_DER = base64.standard_b64decode(MP_B64PUB_DER)
+
+MP_PRIVATE_PEM = (
+    b"""\
+-----BEGIN CONFUSING STUFF-----
+Cruft before the key
+
+-----BEGIN RSA PRIVATE KEY-----
+Comment: something blah
+
+"""
+    + MP_B64PRIV_DER
+    + b"""
+-----END RSA PRIVATE KEY-----
+
+Stuff after the key
+-----END CONFUSING STUFF-----
+"""
+)
+
+MP_CLEAN_PRIVATE_PEM = (
+    b"""\
+-----BEGIN RSA PRIVATE KEY-----
+"""
+    + MP_B64PRIV_DER
+    + b"""
+-----END RSA PRIVATE KEY-----
+"""
+)
+
+MP_PUBLIC_PEM = (
+    b"""\
+-----BEGIN CONFUSING STUFF-----
+Cruft before the key
+
+-----BEGIN RSA PUBLIC KEY-----
+Comment: something blah
+
+"""
+    + MP_B64PUB_DER
+    + b"""
+-----END RSA PUBLIC KEY-----
+
+Stuff after the key
+-----END CONFUSING STUFF-----
+"""
+)
+
+MP_CLEAN_PUBLIC_PEM = (
+    b"""\
+-----BEGIN RSA PUBLIC KEY-----
+"""
+    + MP_B64PUB_DER
+    + b"""
+-----END RSA PUBLIC KEY-----
+"""
+)
+
+
+class MultiprimeDerTest(unittest.TestCase):
+    """Test saving and loading multiprime DER keys."""
+
+    def test_load_multiprime_private_key(self):
+        """Test loading private DER keys."""
+
+        key = rsa.key.PrivateKey.load_pkcs1(MP_PRIVATE_DER, "DER")
+        expected = rsa.key.PrivateKey(4253220375837175409, 65537, 3349121513, 64123, 50957, [39317, 33107])
+
+        self.assertEqual(expected, key)
+        self.assertEqual(key.exp1, 29453)
+        self.assertEqual(key.exp2, 38413)
+        self.assertEqual(key.coef, 20022)
+        self.assertEqual(key.ds, [27369, 19235])
+        self.assertEqual(key.ts, [10773, 10974])
+
+    def test_save_multiprime_private_key(self):
+        """Test saving private DER keys."""
+
+        key = rsa.key.PrivateKey(4253220375837175409, 65537, 3349121513, 64123, 50957, [39317, 33107])
+        der = key.save_pkcs1("DER")
+
+        self.assertIsInstance(der, bytes)
+        self.assertEqual(MP_PRIVATE_DER, der)
+
+    def test_load_multiprime_public_key(self):
+        """Test loading public DER keys."""
+
+        key = rsa.key.PublicKey.load_pkcs1(MP_PUBLIC_DER, "DER")
+        expected = rsa.key.PublicKey(4253220375837175409, 65537)
+
+        self.assertEqual(expected, key)
+
+    def test_save_multiprime_public_key(self):
+        """Test saving public DER keys."""
+
+        key = rsa.key.PublicKey(4253220375837175409, 65537)
+        der = key.save_pkcs1("DER")
+
+        self.assertIsInstance(der, bytes)
+        self.assertEqual(MP_PUBLIC_DER, der)
+
+
+class MultiprimePemTest(unittest.TestCase):
+    """Test saving and loading multiprime PEM keys."""
+
+    def test_load_multiprime_private_key(self):
+        """Test loading private PEM files."""
+
+        key = rsa.key.PrivateKey.load_pkcs1(MP_PRIVATE_PEM, "PEM")
+        expected = rsa.key.PrivateKey(4253220375837175409, 65537, 3349121513, 64123, 50957, [39317, 33107])
+
+        self.assertEqual(expected, key)
+        self.assertEqual(key.exp1, 29453)
+        self.assertEqual(key.exp2, 38413)
+        self.assertEqual(key.coef, 20022)
+        self.assertEqual(key.ds, [27369, 19235])
+        self.assertEqual(key.ts, [10773, 10974])
+
+    def test_save_multiprime_private_key(self):
+        """Test saving private PEM files."""
+
+        key = rsa.key.PrivateKey(4253220375837175409, 65537, 3349121513, 64123, 50957, [39317, 33107])
+        pem = key.save_pkcs1("PEM")
+
+        self.assertIsInstance(pem, bytes)
+        self.assertEqual(MP_CLEAN_PRIVATE_PEM.replace(b"\n", b""), pem.replace(b"\n", b""))
+
+    def test_load_multiprime_public_key(self):
+        """Test loading public PEM files."""
+
+        key = rsa.key.PublicKey.load_pkcs1(MP_PUBLIC_PEM, "PEM")
+        expected = rsa.key.PublicKey(4253220375837175409, 65537)
+
+        self.assertEqual(expected, key)
+
+    def test_save_multiprime_public_key(self):
+        """Test saving public PEM files."""
+
+        key = rsa.key.PublicKey(4253220375837175409, 65537)
+        pem = key.save_pkcs1("PEM")
+
+        self.assertIsInstance(pem, bytes)
+        self.assertEqual(MP_CLEAN_PUBLIC_PEM, pem)
+
+
 class PickleTest(unittest.TestCase):
     """Test saving and loading keys by pickling."""
 
@@ -222,6 +371,16 @@ def test_private_key(self):
         for attr in rsa.key.AbstractKey.__slots__:
             self.assertTrue(hasattr(unpickled, attr))
 
+    def test_multiprime_private_key(self):
+        pk = rsa.key.PrivateKey(4253220375837175409, 65537, 3349121513, 64123, 50957, [39317, 33107])
+
+        pickled = pickle.dumps(pk)
+        unpickled = pickle.loads(pickled)
+        self.assertEqual(pk, unpickled)
+
+        for attr in rsa.key.AbstractKey.__slots__:
+            self.assertTrue(hasattr(unpickled, attr))
+
     def test_public_key(self):
         pk = rsa.key.PublicKey(3727264081, 65537)