Reject d, e values <= 1 (#12272)

* Reject d, e values <= 1

This avoids a potential infinite loop (e.g. with d=e=1 or d=e=-1).

* Add tests for possible loop/DoS in rsa_recover_prime_factors()

Author: hannob

src/cryptography/hazmat/primitives/asymmetric/rsa.py

@@ -235,6 +235,8 @@ def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]:
     no more than two factors. This function is adapted from code in PyCrypto.
     """
     # reject invalid values early
+    if d <= 1 or e <= 1:
+        raise ValueError("d, e can't be <= 1")
     if 17 != pow(17, e * d, n):
         raise ValueError("n, d, e don't match")
     # See 8.2.2(i) in Handbook of Applied Cryptography.

tests/hazmat/primitives/test_rsa.py

@@ -2400,6 +2400,10 @@ def test_invalid_recover_prime_factors(self):
             rsa.rsa_recover_prime_factors(34, 3, 7)
         with pytest.raises(ValueError):
             rsa.rsa_recover_prime_factors(629, 17, 20)
+        with pytest.raises(ValueError):
+            rsa.rsa_recover_prime_factors(21, 1, 1)
+        with pytest.raises(ValueError):
+            rsa.rsa_recover_prime_factors(21, -1, -1)
 
 
 class TestRSAPrivateKeySerialization: