diff options
| author | Jeff Forcier <jeff@bitprophet.org> | 2020-08-27 16:14:02 -0400 |
|---|---|---|
| committer | Jeff Forcier <jeff@bitprophet.org> | 2020-08-27 16:14:02 -0400 |
| commit | 4334157bf68a44522de3450fbe44784b007f952b (patch) | |
| tree | 015f2349c90b69338a24e33ea9a95f4c175bcf89 | |
| parent | ae3d0febef17a8ece5268bbf6c210a30573ce800 (diff) | |
| parent | 11ebdf5f6c091e07434017de2880fd82c4f40497 (diff) | |
Merge branch '2.7' into master
| -rw-r--r-- | paramiko/rsakey.py | 2 | ||||
| -rw-r--r-- | sites/www/changelog.rst | 5 | ||||
| -rw-r--r-- | tests/test_pkey.py | 20 |
3 files changed, 26 insertions, 1 deletions
diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py index 9707b268..172f42d4 100644 --- a/paramiko/rsakey.py +++ b/paramiko/rsakey.py @@ -189,7 +189,7 @@ class RSAKey(PKey): except ValueError as e: raise SSHException(str(e)) elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH: - n, e, d, iqmp, q, p = self._uint32_cstruct_unpack(data, "iiiiii") + n, e, d, iqmp, p, q = self._uint32_cstruct_unpack(data, "iiiiii") public_numbers = rsa.RSAPublicNumbers(e=e, n=n) key = rsa.RSAPrivateNumbers( p=p, diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index f7eefa08..cfc0d9c2 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,11 @@ Changelog ========= +- :bug:`1723` Fix incorrectly swapped order of ``p`` and ``q`` numbers when + loading OpenSSH-format RSA private keys. At minimum this should address a + slowdown when using such keys, and it also means Paramiko works with + Cryptography 3.1 and above (which complains strenuously when this problem + appears). Thanks to Alex Gaynor for the patch. - :release:`2.7.1 <2019-12-09>` - :bug:`1567` The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has diff --git a/tests/test_pkey.py b/tests/test_pkey.py index 8d88545a..18c27bbe 100644 --- a/tests/test_pkey.py +++ b/tests/test_pkey.py @@ -29,6 +29,9 @@ from hashlib import md5 from paramiko import RSAKey, DSSKey, ECDSAKey, Ed25519Key, Message, util from paramiko.py3compat import StringIO, byte_chr, b, bytes, PY2 +from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateNumbers +from mock import patch + from .util import _support @@ -39,6 +42,8 @@ PUB_ECDSA_256 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA PUB_ECDSA_384 = "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBbGibQLW9AAZiGN2hEQxWYYoFaWKwN3PKSaDJSMqmIn1Z9sgRUuw8Y/w502OGvXL/wFk0i2z50l3pWZjD7gfMH7gX5TUiCzwrQkS+Hn1U2S9aF5WJp0NcIzYxXw2r4M2A==" # noqa PUB_ECDSA_521 = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACaOaFLZGuxa5AW16qj6VLypFbLrEWrt9AZUloCMefxO8bNLjK/O5g0rAVasar1TnyHE9qj4NwzANZASWjQNbc4MAG8vzqezFwLIn/kNyNTsXNfqEko9OgHZknlj2Z79dwTJcRAL4QLcT5aND0EHZLB2fAUDXiWIb2j4rg1mwPlBMiBXA==" # noqa PUB_RSA_2K_OPENSSH = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF+Dpr54DX0WdeTDpNAMdkCWEkl3OXtNgf58qlN1gX572OLBqLf0zT4bHstUEpU3piazph/rSWcUMuBoD46tZ6jiH7H9b9Pem2eYQWaELDDkM+v9BMbEy5rMbFRLol5OtEvPFqneyEAanPOgvd8t3yyhSev9QVusakzJ8j8LGgrA8huYZ+Srnw0shEWLG70KUKCh3rG0QIvA8nfhtUOisr2Gp+F0YxMGb5gwBlQYAYE5l6u1SjZ7hNjyNosjK+wRBFgFFBYVpkZKJgWoK9w4ijFyzMZTucnZMqKOKAjIJvHfKBf2/cEfYxSq1EndqTqjYsd9T7/s2vcn1OH5a0wkER" # noqa +RSA_2K_OPENSSH_P = 161773687847617758886803946572654778625119997081005961935077336594287351354258259920334554906235187683459069634729972458348855793639393524799865799559575414247668746919721196359908321800753913350455861871582087986355637886875933045224711827701526739934602161222599672381604211130651397331775901258858869418853 # noqa +RSA_2K_OPENSSH_Q = 154483416325630619558401349033571772244816915504195060221073502923720741119664820208064202825686848103224453777955988437823797692957091438442833606009978046057345917301441832647551208158342812551003395417862260727795454409459089912659057393394458150862012620127030757893820711157099494238156383382454310199869 # noqa PUB_DSS_1K_OPENSSH = "ssh-dss AAAAB3NzaC1kc3MAAACBAL8XEx7F9xuwBNles+vWpNF+YcofrBhjX1r5QhpBe0eoYWLHRcroN6lxwCdGYRfgOoRjTncBiixQX/uUxAY96zDh3ir492s2BcJt4ihvNn/AY0I0OTuX/2IwGk9CGzafjaeZNVYxMa8lcVt0hSOTjkPQ7gVuk6bJzMInvie+VWKLAAAAFQDUgYdY+rhR0SkKbC09BS/SIHcB+wAAAIB44+4zpCNcd0CGvZlowH99zyPX8uxQtmTLQFuR2O8O0FgVVuCdDgD0D9W8CLOp32oatpM0jyyN89EdvSWzjHzZJ+L6H1FtZps7uhpDFWHdva1R25vyGecLMUuXjo5t/D7oCDih+HwHoSAxoi0QvsPd8/qqHQVznNJKtR6thUpXEwAAAIAG4DCBjbgTTgpBw0egRkJwBSz0oTt+1IcapNU2jA6N8urMSk9YXHEQHKN68BAF3YJ59q2Ujv3LOXmBqGd1T+kzwUszfMlgzq8MMu19Yfzse6AIK1Agn1Vj6F7YXLsXDN+T4KszX5+FJa7t/Zsp3nALWy6l0f4WKivEF5Y2QpEFcQ==" # noqa PUB_EC_384_OPENSSH = "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIch5LXTq/L/TWsTGG6dIktxD8DIMh7EfvoRmWsks6CuNDTvFvbQNtY4QO1mn5OXegHbS0M5DPIS++wpKGFP3suDEH08O35vZQasLNrL0tO2jyyEnzB2ZEx3PPYci811yg==" # noqa @@ -454,6 +459,21 @@ class KeyTest(unittest.TestCase): my_rsa = hexlify(key.get_fingerprint()) self.assertEqual(exp_rsa, my_rsa) + def test_loading_openssh_RSA_keys_uses_correct_p_q(self): + # Re #1723 - not the most elegant test but given how deep it is... + with patch( + "paramiko.rsakey.rsa.RSAPrivateNumbers", wraps=RSAPrivateNumbers + ) as spy: + # Load key + RSAKey.from_private_key_file( + _support("test_rsa_openssh.key"), b"television" + ) + # Ensure spy saw the correct P and Q values as derived from + # hardcoded test private key value + kwargs = spy.call_args[1] + assert kwargs["p"] == RSA_2K_OPENSSH_P + assert kwargs["q"] == RSA_2K_OPENSSH_Q + def test_load_openssh_format_DSS_key(self): key = DSSKey.from_private_key_file( _support("test_dss_openssh.key"), b"television" |