convert ASN1 check values to hex for better readability and add check for known legacy prefix in legacy parsing

Author: mattsb42-aws

jose/backends/rsa_backend.py

@@ -1,3 +1,5 @@
+import binascii
+
 import six
 from pyasn1.codec.der import decoder, encoder
 from pyasn1.error import PyAsn1Error
@@ -13,7 +15,16 @@
 from jose.utils import base64_to_long, long_to_base64
 
 
-LEGACY_INVALID_PKCS8_RSA_HEADER = b'0\x82\x04\xbd\x02\x01\x000\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00'
+LEGACY_INVALID_PKCS8_RSA_HEADER = binascii.unhexlify(
+    "30"  # sequence
+    "8204BD"  # DER-encoded sequence contents length of 1213 bytes -- INCORRECT STATIC LENGTH
+    "020100"  # integer: 0 -- Version
+    "30"  # sequence
+    "0D"  # DER-encoded sequence contents length of 13 bytes -- PrivateKeyAlgorithmIdentifier
+    "06092A864886F70D010101"  # OID -- rsaEncryption
+    "0500"  # NULL -- parameters
+)
+ASN1_SEQUENCE_ID = binascii.unhexlify("30")
 RSA_ENCRYPTION_ASN1_OID = "1.2.840.113549.1.1.1"
 
 # Functions gcd and rsa_recover_prime_factors were copied from cryptography 1.9
@@ -86,15 +97,21 @@ def pem_to_spki(pem, fmt='PKCS8'):
     return key.to_pem(fmt)
 
 
-def _legacy_private_key_pkcs8_to_pkcs1(der_key):
+def _legacy_private_key_pkcs8_to_pkcs1(pkcs8_key):
     """Legacy RSA private key PKCS8-to-PKCS1 conversion.
 
     .. warning::
 
         This is incorrect parsing and only works because the legacy PKCS1-to-PKCS8
         encoding was also incorrect.
     """
-    return der_key[len(LEGACY_INVALID_PKCS8_RSA_HEADER):]
+    # Only allow this processing if the prefix matches
+    # AND the following byte indicates an ASN1 sequence,
+    # as we would expect with the legacy encoding.
+    if not pkcs8_key.startswith(LEGACY_INVALID_PKCS8_RSA_HEADER + ASN1_SEQUENCE_ID):
+        raise ValueError("Invalid private key encoding")
+
+    return pkcs8_key[len(LEGACY_INVALID_PKCS8_RSA_HEADER):]
 
 
 class PKCS8RsaPrivateKeyAlgorithm(univ.Sequence):

tests/algorithms/test_RSA.py

@@ -268,13 +268,55 @@
 pskDwcHyZmbKZuk+NU/FJ8IAcmvk9y7m25nSSc8="""
 
 
+def _legacy_invalid_private_key_pkcs8_der():
+    legacy_key = LEGACY_INVALID_PRIVATE_KEY_PKCS8_PEM.strip()
+    legacy_key = legacy_key[legacy_key.index(b"\n"):legacy_key.rindex(b"\n")]
+    return base64.b64decode(legacy_key)
+
+
+def _actually_invalid_private_key_pkcs8_der():
+    legacy_key = _legacy_invalid_private_key_pkcs8_der()
+    invalid_key = legacy_key[:len(rsa_backend.LEGACY_INVALID_PKCS8_RSA_HEADER)]
+    invalid_key += b"\x00"
+    invalid_key += legacy_key[len(rsa_backend.LEGACY_INVALID_PKCS8_RSA_HEADER):]
+    return invalid_key
+
+
+def _actually_invalid_private_key_pkcs8_pem():
+    invalid_key = b"-----BEGIN PRIVATE KEY-----\n"
+    invalid_key += base64.b64encode(_actually_invalid_private_key_pkcs8_der())
+    invalid_key += b"\n-----END PRIVATE KEY-----\n"
+    return invalid_key
+
+
 @pytest.mark.skipif(PurePythonRSAKey is None, reason="python-rsa backend not available")
 class TestPurePythonRsa(object):
+
     def test_python_rsa_legacy_pem_read(self):
         key = PurePythonRSAKey(LEGACY_INVALID_PRIVATE_KEY_PKCS8_PEM, ALGORITHMS.RS256)
         new_pem = key.to_pem(pem_format="PKCS8")
         assert new_pem != LEGACY_INVALID_PRIVATE_KEY_PKCS8_PEM
 
+    def test_python_rsa_legacy_pem_invalid(self):
+        with pytest.raises(JWKError) as excinfo:
+            PurePythonRSAKey(_actually_invalid_private_key_pkcs8_pem(), ALGORITHMS.RS256)
+
+        excinfo.match("Invalid private key encoding")
+
+    def test_python_rsa_legacy_private_key_pkcs8_to_pkcs1(self):
+        legacy_key = _legacy_invalid_private_key_pkcs8_der()
+        legacy_pkcs1 = legacy_key[len(rsa_backend.LEGACY_INVALID_PKCS8_RSA_HEADER):]
+
+        assert rsa_backend._legacy_private_key_pkcs8_to_pkcs1(legacy_key) == legacy_pkcs1
+
+    def test_python_rsa_legacy_private_key_pkcs8_to_pkcs1_invalid(self):
+        invalid_key = _actually_invalid_private_key_pkcs8_der()
+
+        with pytest.raises(ValueError) as excinfo:
+            rsa_backend._legacy_private_key_pkcs8_to_pkcs1(invalid_key)
+
+        excinfo.match("Invalid private key encoding")
+
     def test_python_rsa_private_key_pkcs1_to_pkcs8(self):
         pkcs1 = base64.b64decode(PKCS1_PRIVATE_KEY)
         pkcs8 = base64.b64decode(PKCS8_PRIVATE_KEY)