move asn1 private key processing into separate module

Author: mattsb42-aws

jose/backends/_asn1.py

@@ -0,0 +1,51 @@
+"""ASN1 encoding helpers for converting between PKCS1 and PKCS8.
+
+Required by rsa_backend and pycrypto_backend but not cryptography_backend.
+"""
+from pyasn1.codec.der import decoder, encoder
+from pyasn1.error import PyAsn1Error
+from pyasn1.type import namedtype, univ
+
+RSA_ENCRYPTION_ASN1_OID = "1.2.840.113549.1.1.1"
+
+
+class PKCS8RsaPrivateKeyAlgorithm(univ.Sequence):
+    """ASN1 structure for recording RSA PrivateKeyAlgorithm identifiers."""
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType("rsaEncryption", univ.ObjectIdentifier()),
+        namedtype.NamedType("parameters", univ.Null())
+    )
+
+
+class PKCS8PrivateKey(univ.Sequence):
+    """ASN1 structure for recording PKCS8 private keys."""
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType("version", univ.Integer()),
+        namedtype.NamedType("privateKeyAlgorithm", PKCS8RsaPrivateKeyAlgorithm()),
+        namedtype.NamedType("privateKey", univ.OctetString())
+    )
+
+
+def rsa_private_key_pkcs8_to_pkcs1(pkcs8_key):
+    """Convert a PKCS8-encoded RSA private key to PKCS1."""
+    decoded_values = decoder.decode(pkcs8_key, asn1Spec=PKCS8PrivateKey())
+
+    try:
+        decoded_key = decoded_values[0]
+    except IndexError:
+        raise ValueError("Invalid private key encoding")
+
+    return decoded_key["privateKey"]
+
+
+def rsa_private_key_pkcs1_to_pkcs8(pkcs1_key):
+    """Convert a PKCS1-encoded RSA private key to PKCS8."""
+    algorithm = PKCS8RsaPrivateKeyAlgorithm()
+    algorithm["rsaEncryption"] = RSA_ENCRYPTION_ASN1_OID
+
+    pkcs8_key = PKCS8PrivateKey()
+    pkcs8_key["version"] = 0
+    pkcs8_key["privateKeyAlgorithm"] = algorithm
+    pkcs8_key["privateKey"] = pkcs1_key
+
+    return encoder.encode(pkcs8_key)

jose/backends/pycrypto_backend.py

@@ -152,7 +152,8 @@ def to_pem(self, pem_format='PKCS8'):
             raise ValueError("Invalid pem format specified: %r" % (pem_format,))
 
         if self.is_public():
-            pem = self.prepared_key.exportKey('PEM', pkcs=1)
+            # PyCrypto/dome always export public keys as PKCS8
+            pem = self.prepared_key.exportKey('PEM')
             if pkcs == 8:
                 pem = pem_to_spki(pem, fmt='PKCS8')
             else:

jose/backends/rsa_backend.py

@@ -1,15 +1,16 @@
 import binascii
 
 import six
-from pyasn1.codec.der import decoder, encoder
+from pyasn1.codec.der import encoder
 from pyasn1.error import PyAsn1Error
-from pyasn1.type import namedtype, univ
+from pyasn1.type import univ
 
 import rsa as pyrsa
 import rsa.pem as pyrsa_pem
 from rsa.asn1 import OpenSSLPubKey, AsnPubKey, PubKeyHeader
 
 from jose.backends.base import Key
+from jose.backends._asn1 import rsa_private_key_pkcs1_to_pkcs8, rsa_private_key_pkcs8_to_pkcs1
 from jose.constants import ALGORITHMS
 from jose.exceptions import JWKError
 from jose.utils import base64_to_long, long_to_base64
@@ -114,48 +115,6 @@ def _legacy_private_key_pkcs8_to_pkcs1(pkcs8_key):
     return pkcs8_key[len(LEGACY_INVALID_PKCS8_RSA_HEADER):]
 
 
-class PKCS8RsaPrivateKeyAlgorithm(univ.Sequence):
-    """ASN1 structure for recording RSA PrivateKeyAlgorithm identifiers."""
-    componentType = namedtype.NamedTypes(
-        namedtype.NamedType("rsaEncryption", univ.ObjectIdentifier()),
-        namedtype.NamedType("parameters", univ.Null())
-    )
-
-
-class PKCS8PrivateKey(univ.Sequence):
-    """ASN1 structure for recording PKCS8 private keys."""
-    componentType = namedtype.NamedTypes(
-        namedtype.NamedType("version", univ.Integer()),
-        namedtype.NamedType("privateKeyAlgorithm", PKCS8RsaPrivateKeyAlgorithm()),
-        namedtype.NamedType("privateKey", univ.OctetString())
-    )
-
-
-def _private_key_pkcs8_to_pkcs1(pkcs8_key):
-    """Convert a PKCS8-encoded RSA private key to PKCS1."""
-    decoded_values = decoder.decode(pkcs8_key, asn1Spec=PKCS8PrivateKey())
-
-    try:
-        decoded_key = decoded_values[0]
-    except IndexError:
-        raise ValueError("Invalid private key encoding")
-
-    return decoded_key["privateKey"]
-
-
-def _private_key_pkcs1_to_pkcs8(pkcs1_key):
-    """Convert a PKCS1-encoded RSA private key to PKCS8."""
-    algorithm = PKCS8RsaPrivateKeyAlgorithm()
-    algorithm["rsaEncryption"] = RSA_ENCRYPTION_ASN1_OID
-
-    pkcs8_key = PKCS8PrivateKey()
-    pkcs8_key["version"] = 0
-    pkcs8_key["privateKeyAlgorithm"] = algorithm
-    pkcs8_key["privateKey"] = pkcs1_key
-
-    return encoder.encode(pkcs8_key)
-
-
 class RSAKey(Key):
     SHA256 = 'SHA-256'
     SHA384 = 'SHA-384'
@@ -196,7 +155,7 @@ def __init__(self, key, algorithm):
                         try:
                             der = pyrsa_pem.load_pem(key, b'PRIVATE KEY')
                             try:
-                                pkcs1_key = _private_key_pkcs8_to_pkcs1(der)
+                                pkcs1_key = rsa_private_key_pkcs8_to_pkcs1(der)
                             except PyAsn1Error:
                                 # If the key was encoded using the old, invalid,
                                 # encoding then pyasn1 will throw an error attempting
@@ -259,7 +218,7 @@ def to_pem(self, pem_format='PKCS8'):
         if isinstance(self._prepared_key, pyrsa.PrivateKey):
             der = self._prepared_key.save_pkcs1(format='DER')
             if pem_format == 'PKCS8':
-                pkcs8_der = _private_key_pkcs1_to_pkcs8(der)
+                pkcs8_der = rsa_private_key_pkcs1_to_pkcs8(der)
                 pem = pyrsa_pem.save_pem(pkcs8_der, pem_marker='PRIVATE KEY')
             elif pem_format == 'PKCS1':
                 pem = pyrsa_pem.save_pem(der, pem_marker='RSA PRIVATE KEY')

setup.py

@@ -21,12 +21,13 @@ def get_packages(package):
     ]
 
 
+pyasn1 = ['pyasn1']
 extras_require = {
     'cryptography': ['cryptography'],
-    'pycrypto': ['pycrypto >=2.6.0, <2.7.0'],
-    'pycryptodome': ['pycryptodome >=3.3.1, <4.0.0'],
+    'pycrypto': ['pycrypto >=2.6.0, <2.7.0'] + pyasn1,
+    'pycryptodome': ['pycryptodome >=3.3.1, <4.0.0'] + pyasn1,
 }
-legacy_backend_requires = ['ecdsa <1.0', 'rsa', 'pyasn1']
+legacy_backend_requires = ['ecdsa <1.0', 'rsa'] + pyasn1
 install_requires = ['six <2.0', 'future <1.0']
 
 # TODO: work this into the extras selection instead.

tests/algorithms/test_RSA.py

@@ -318,18 +318,6 @@ def test_python_rsa_legacy_private_key_pkcs8_to_pkcs1_invalid(self):
 
         excinfo.match("Invalid private key encoding")
 
-    def test_python_rsa_private_key_pkcs1_to_pkcs8(self):
-        pkcs1 = base64.b64decode(PKCS1_PRIVATE_KEY)
-        pkcs8 = base64.b64decode(PKCS8_PRIVATE_KEY)
-
-        assert rsa_backend._private_key_pkcs1_to_pkcs8(pkcs1) == pkcs8
-
-    def test_python_rsa_private_key_pkcs8_to_pkcs1(self):
-        pkcs1 = base64.b64decode(PKCS1_PRIVATE_KEY)
-        pkcs8 = base64.b64decode(PKCS8_PRIVATE_KEY)
-
-        assert rsa_backend._private_key_pkcs8_to_pkcs1(pkcs8) == pkcs1
-
 
 @pytest.mark.pycrypto
 @pytest.mark.pycryptodome

tests/test_asn1.py

@@ -0,0 +1,31 @@
+"""Tests for ``jose.backends._asn1``."""
+import base64
+
+import pytest
+
+try:
+    from jose.backends import _asn1
+except ImportError:
+    _asn1 = None
+
+from .algorithms.test_RSA import PKCS1_PRIVATE_KEY, PKCS8_PRIVATE_KEY
+
+pytestmark = [
+    pytest.mark.pycrypto,
+    pytest.mark.pycryptodome,
+    pytest.mark.skipif(_asn1 is None, reason="ASN1 backend not available")
+]
+
+
+def test_rsa_private_key_pkcs1_to_pkcs8():
+    pkcs1 = base64.b64decode(PKCS1_PRIVATE_KEY)
+    pkcs8 = base64.b64decode(PKCS8_PRIVATE_KEY)
+
+    assert _asn1.rsa_private_key_pkcs1_to_pkcs8(pkcs1) == pkcs8
+
+
+def test_rsa_private_key_pkcs8_to_pkcs1():
+    pkcs1 = base64.b64decode(PKCS1_PRIVATE_KEY)
+    pkcs8 = base64.b64decode(PKCS8_PRIVATE_KEY)
+
+    assert _asn1.rsa_private_key_pkcs8_to_pkcs1(pkcs8) == pkcs1