python-3.xcryptographyrsaprivate-key

Implementing "openssl_private_encrypt" in latest Python 3 versions


I'm trying to maintain FastSpring e-commerce platform Secure Payload api implementation in Python.

Their documentation has examples for encrypting (or technically signing?) the payload with private key in Java and PHP: https://developer.fastspring.com/docs/pass-a-secure-request#locally-encrypt-the-session-object

And I have been previously using a Python "cryptography" library based implementation based on this repository: https://github.com/klokantech/flask-fastspring/blob/0462833f67727cba9755a26c88941f11f0159a48/flask_fastspring.py#L247

However, that relies on undocumented openssl "_lib.RSA_private_encrypt()" function that is no longer exposed in cryptography versions higher than 2.9.2, which is already several years old. And with latest python versions it no longer includes binary packages and PIP must compile it from source.

PyCryptodome seems to include similar RSA private key signing with PKCS #1 v1.5 padding, but it requires payload to be a Hash object, so naturally the produced output doesn't match what FastSpring expects regardless of what Hash function I use: https://pycryptodome.readthedocs.io/en/latest/src/signature/pkcs1_v1_5.html?highlight=pkcs1_15#pkcs-1-v1-5-rsa

I have been trying to figure out any alternative ways to implement this kind of "private key encryption" without success. So my question is: Is there ANY way to do this with up-to-date python libraries or am I stuck to use an outdated cryptography library until it no longer is supported at all?


Solution

  • The two linked codes implement low level signing using RSASSA-PKCS1-v1_5, but a modified encoding is used for the message rather than EMSA-PKCS1-v1_5, and therefore the processing differs from the standard.

    The two major Python crypto libraries PyCryptodome and Cryptography only support high level signing, which encapsulates the entire process, follows the standard and thus does not allow any modification of the encoding of the message.

    The most efficient way to solve the problem would be to use a Python library that also supports a low level signing, so that the encoding of the message from the linked Java or Python code can be used. However, I am not aware of such a library.

    If you don't know such a library either, there is the following alternative: Since RSASSA-PKCS1-v1_5 is pretty simple and Python supports large integers and their operations natively, a custom implementation in combination with the helper functions of e.g. PyCryptodome is easily possible. At least you wouldn't have to rely on the legacy library anymore:

    from Crypto.Util import number
    
    def customizedSign(key, msg):
        
        modBits = number.size(key.n)
        k = number.ceil_div(modBits, 8) 
      
        ps = b'\xFF' * (k - len(msg) - 3)
        em = b'\x00\x01' + ps + b'\x00' + msg 
      
        em_int = number.bytes_to_long(em)
        m_int = key._decrypt(em_int) 
        signature = number.long_to_bytes(m_int, k)
        
        return signature
    

    Explanation:
    The implementation follows the PyCryptodome implementation of the sign() method. The only functional difference is that instead of EMSA-PKCS1-v1_5 the encoding of the linked codes is used. EMSA-PKCS1-v1_5 is defined as:

    EM = 0x00 || 0x01 || PS || 0x00 || T
    

    where T is the concatenation of the DER encoded DigestInfo value and the hashed message, see here.
    The encoding of the linked codes simply uses the message MSG instead of T:

    EM = 0x00 || 0x01 || PS || 0x00 || MSG 
    

    In both cases, PS is a padding with 0xFF values up to the key size (i.e. size of the modulus).

    Usage and test:

    Since the signature is deterministic, the same key and the same message always provide the same signature. This way it is easy to show that the above function is equivalent to the linked Java or Python code:

    from Crypto.PublicKey import RSA
    import base64
    
    # For simplicity, a 512 bits key is used. Note that a 512 bits key may only be used for testing, in practice the key size has to be >= 2048 bits for security reasons.
    pkcs8 = """-----BEGIN PRIVATE KEY-----
    MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA2gdsVIRmg5IH0rG3
    u3w+gHCZq5o4OMQIeomC1NTeHgxbkrfznv7TgWVzrHpr3HHK8IpLlG04/aBo6U5W
    2umHQQIDAQABAkEAu7wulGvZFat1Xv+19BMcgl3yhCdsB70Mi+7CH98XTwjACk4T
    +IYv4N53j16gce7U5fJxmGkdq83+xAyeyw8U0QIhAPIMhbtXlRS7XpkB66l5DvN1
    XrKRWeB3RtvcUSf30RyFAiEA5ph7eWXbXWpIhdWMoe50yffF7pW+C5z07tzAIH6D
    Ko0CIQCyveSTr917bdIxk2V/xNHxnx7LJuMEC5DcExorNanKMQIgUxHRQU1hNgjI
    sXXZoKgfaHaa1jUZbmOPlNDvYYVRyS0CIB9ZZee2zubyRla4qN8PQxCJb7DiICmH
    7nWP7CIvcQwB
    -----END PRIVATE KEY-----""" 
    
    key = RSA.import_key(pkcs8)
    msg = 'The quick brown fox jumps over the lazy dog'.encode('utf8')
    signature = customizedSign(key, msg)
    
    print(base64.b64encode(signature).decode('utf8')) # OwpVG/nPmkIbVxONRwXHvOqLdYNnP67YtiWA+GcKBZ3rIzAJ+8izvmlqUQnzVp03Wrrzq2ogUmCMaLSPlInDNw==
    

    The linked Java code provides the same signature for the same key and message.