hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
4f54bb66b807ee4b22f6be28cfbb71d21b901b10
codeql/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py
Rasmus Wriedt Larsen f8254381f3 Python: Add MISSING: CryptographicOperationAlgorithm annotations 
For RSA it's unclear what the algorithm name should even be. Signatures based on
RSA private keys with PSS scheme is ok, but with pkcs#1 v1.5 they are
weak/vulnerable. So clearly just putting RSA as the algorithm name is not enough
information...

and that problem is also why I wanted to do this commit separetely (to call
extra atten to this).
2021-04-22 14:51:18 +02:00

72 lines
2.7 KiB
Python
Raw Blame History

# RSA is a public-key algorithm for encrypting and signing messages.
from Cryptodome.PublicKey import RSA
from Cryptodome.Cipher import PKCS1_OAEP
from Cryptodome.Signature import pss
from Cryptodome.Hash import SHA256
private_key = RSA.generate(2048) # $ PublicKeyGeneration keySize=2048
# These 2 methods do the same
public_key = private_key.publickey()
public_key = private_key.public_key()
# ------------------------------------------------------------------------------
# encrypt/decrypt
# ------------------------------------------------------------------------------
print("encrypt/decrypt")
secret_message = b"secret message"
# Following example at https://pycryptodome.readthedocs.io/en/latest/src/examples.html#encrypt-data-with-rsa
encrypt_cipher = PKCS1_OAEP.new(public_key)
encrypted = encrypt_cipher.encrypt(secret_message) # $ CryptographicOperation CryptographicOperationInput=secret_message # MISSING: CryptographicOperationAlgorithm=RSA-OAEP?
print("encrypted={}".format(encrypted))
print()
decrypt_cipher = PKCS1_OAEP.new(private_key)
decrypted = decrypt_cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationInput=encrypted # MISSING: CryptographicOperationAlgorithm=RSA-OAEP?
print("decrypted={}".format(decrypted))
assert decrypted == secret_message
print("\n---\n")
# ------------------------------------------------------------------------------
# sign/verify
# ------------------------------------------------------------------------------
print("sign/verify")
message = b"message"
signer = pss.new(private_key)
hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
print("signature={}".format(signature))
print()
verifier = pss.new(public_key)
hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
print("Signature verified (as expected)")
try:
verifier = pss.new(public_key)
hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
raise Exception("Signature verified (unexpected)")
except ValueError:
print("Signature mismatch (as expected)")
Reference in New Issue View Git Blame Copy Permalink