1.. hazmat:: 2 3RSA 4=== 5 6.. module:: cryptography.hazmat.primitives.asymmetric.rsa 7 8`RSA`_ is a `public-key`_ algorithm for encrypting and signing messages. 9 10Generation 11~~~~~~~~~~ 12 13Unlike symmetric cryptography, where the key is typically just a random series 14of bytes, RSA keys have a complex internal structure with `specific 15mathematical properties`_. 16 17.. function:: generate_private_key(public_exponent, key_size, backend=None) 18 19 .. versionadded:: 0.5 20 21 .. versionchanged:: 3.0 22 23 Tightened restrictions on ``public_exponent``. 24 25 Generates a new RSA private key using the provided ``backend``. 26 ``key_size`` describes how many :term:`bits` long the key should be. Larger 27 keys provide more security; currently ``1024`` and below are considered 28 breakable while ``2048`` or ``4096`` are reasonable default key sizes for 29 new keys. The ``public_exponent`` indicates what one mathematical property 30 of the key generation will be. Unless you have a specific reason to do 31 otherwise, you should always `use 65537`_. 32 33 .. doctest:: 34 35 >>> from cryptography.hazmat.primitives.asymmetric import rsa 36 >>> private_key = rsa.generate_private_key( 37 ... public_exponent=65537, 38 ... key_size=2048, 39 ... ) 40 41 :param int public_exponent: The public exponent of the new key. 42 Either 65537 or 3 (for legacy purposes). Almost everyone should 43 `use 65537`_. 44 45 :param int key_size: The length of the modulus in :term:`bits`. For keys 46 generated in 2015 it is strongly recommended to be 47 `at least 2048`_ (See page 41). It must not be less than 512. 48 Some backends may have additional limitations. 49 50 :param backend: An optional backend which implements 51 :class:`~cryptography.hazmat.backends.interfaces.RSABackend`. 52 53 :return: An instance of 54 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`. 55 56 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if 57 the provided ``backend`` does not implement 58 :class:`~cryptography.hazmat.backends.interfaces.RSABackend` 59 60Key loading 61~~~~~~~~~~~ 62 63If you already have an on-disk key in the PEM format (which are recognizable by 64the distinctive ``-----BEGIN {format}-----`` and ``-----END {format}-----`` 65markers), you can load it: 66 67.. code-block:: pycon 68 69 >>> from cryptography.hazmat.primitives import serialization 70 71 >>> with open("path/to/key.pem", "rb") as key_file: 72 ... private_key = serialization.load_pem_private_key( 73 ... key_file.read(), 74 ... password=None, 75 ... ) 76 77Serialized keys may optionally be encrypted on disk using a password. In this 78example we loaded an unencrypted key, and therefore we did not provide a 79password. If the key is encrypted we can pass a ``bytes`` object as the 80``password`` argument. 81 82There is also support for :func:`loading public keys in the SSH format 83<cryptography.hazmat.primitives.serialization.load_ssh_public_key>`. 84 85Key serialization 86~~~~~~~~~~~~~~~~~ 87 88If you have a private key that you've loaded or generated which implements the 89:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization` 90interface you can use 91:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization.private_bytes` 92to serialize the key. 93 94.. doctest:: 95 96 >>> from cryptography.hazmat.primitives import serialization 97 >>> pem = private_key.private_bytes( 98 ... encoding=serialization.Encoding.PEM, 99 ... format=serialization.PrivateFormat.PKCS8, 100 ... encryption_algorithm=serialization.BestAvailableEncryption(b'mypassword') 101 ... ) 102 >>> pem.splitlines()[0] 103 b'-----BEGIN ENCRYPTED PRIVATE KEY-----' 104 105It is also possible to serialize without encryption using 106:class:`~cryptography.hazmat.primitives.serialization.NoEncryption`. 107 108.. doctest:: 109 110 >>> pem = private_key.private_bytes( 111 ... encoding=serialization.Encoding.PEM, 112 ... format=serialization.PrivateFormat.TraditionalOpenSSL, 113 ... encryption_algorithm=serialization.NoEncryption() 114 ... ) 115 >>> pem.splitlines()[0] 116 b'-----BEGIN RSA PRIVATE KEY-----' 117 118For public keys you can use 119:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.public_bytes` 120to serialize the key. 121 122.. doctest:: 123 124 >>> from cryptography.hazmat.primitives import serialization 125 >>> public_key = private_key.public_key() 126 >>> pem = public_key.public_bytes( 127 ... encoding=serialization.Encoding.PEM, 128 ... format=serialization.PublicFormat.SubjectPublicKeyInfo 129 ... ) 130 >>> pem.splitlines()[0] 131 b'-----BEGIN PUBLIC KEY-----' 132 133Signing 134~~~~~~~ 135 136A private key can be used to sign a message. This allows anyone with the public 137key to verify that the message was created by someone who possesses the 138corresponding private key. RSA signatures require a specific hash function, and 139padding to be used. Here is an example of signing ``message`` using RSA, with a 140secure hash function and padding: 141 142.. doctest:: 143 144 >>> from cryptography.hazmat.primitives import hashes 145 >>> from cryptography.hazmat.primitives.asymmetric import padding 146 >>> message = b"A message I want to sign" 147 >>> signature = private_key.sign( 148 ... message, 149 ... padding.PSS( 150 ... mgf=padding.MGF1(hashes.SHA256()), 151 ... salt_length=padding.PSS.MAX_LENGTH 152 ... ), 153 ... hashes.SHA256() 154 ... ) 155 156Valid paddings for signatures are 157:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` and 158:class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`. ``PSS`` 159is the recommended choice for any new protocols or applications, ``PKCS1v15`` 160should only be used to support legacy protocols. 161 162If your data is too large to be passed in a single call, you can hash it 163separately and pass that value using 164:class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`. 165 166.. doctest:: 167 168 >>> from cryptography.hazmat.primitives.asymmetric import utils 169 >>> chosen_hash = hashes.SHA256() 170 >>> hasher = hashes.Hash(chosen_hash) 171 >>> hasher.update(b"data & ") 172 >>> hasher.update(b"more data") 173 >>> digest = hasher.finalize() 174 >>> sig = private_key.sign( 175 ... digest, 176 ... padding.PSS( 177 ... mgf=padding.MGF1(hashes.SHA256()), 178 ... salt_length=padding.PSS.MAX_LENGTH 179 ... ), 180 ... utils.Prehashed(chosen_hash) 181 ... ) 182 183Verification 184~~~~~~~~~~~~ 185 186The previous section describes what to do if you have a private key and want to 187sign something. If you have a public key, a message, a signature, and the 188signing algorithm that was used you can check that the private key associated 189with a given public key was used to sign that specific message. You can obtain 190a public key to use in verification using 191:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`, 192:func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`, 193:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers.public_key` 194, or 195:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.public_key`. 196 197.. doctest:: 198 199 >>> public_key = private_key.public_key() 200 >>> public_key.verify( 201 ... signature, 202 ... message, 203 ... padding.PSS( 204 ... mgf=padding.MGF1(hashes.SHA256()), 205 ... salt_length=padding.PSS.MAX_LENGTH 206 ... ), 207 ... hashes.SHA256() 208 ... ) 209 210If the signature does not match, ``verify()`` will raise an 211:class:`~cryptography.exceptions.InvalidSignature` exception. 212 213If your data is too large to be passed in a single call, you can hash it 214separately and pass that value using 215:class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`. 216 217.. doctest:: 218 219 >>> chosen_hash = hashes.SHA256() 220 >>> hasher = hashes.Hash(chosen_hash) 221 >>> hasher.update(b"data & ") 222 >>> hasher.update(b"more data") 223 >>> digest = hasher.finalize() 224 >>> public_key.verify( 225 ... sig, 226 ... digest, 227 ... padding.PSS( 228 ... mgf=padding.MGF1(hashes.SHA256()), 229 ... salt_length=padding.PSS.MAX_LENGTH 230 ... ), 231 ... utils.Prehashed(chosen_hash) 232 ... ) 233 234Encryption 235~~~~~~~~~~ 236 237RSA encryption is interesting because encryption is performed using the 238**public** key, meaning anyone can encrypt data. The data is then decrypted 239using the **private** key. 240 241Like signatures, RSA supports encryption with several different padding 242options. Here's an example using a secure padding and hash function: 243 244.. doctest:: 245 246 >>> message = b"encrypted data" 247 >>> ciphertext = public_key.encrypt( 248 ... message, 249 ... padding.OAEP( 250 ... mgf=padding.MGF1(algorithm=hashes.SHA256()), 251 ... algorithm=hashes.SHA256(), 252 ... label=None 253 ... ) 254 ... ) 255 256Valid paddings for encryption are 257:class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` and 258:class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`. ``OAEP`` 259is the recommended choice for any new protocols or applications, ``PKCS1v15`` 260should only be used to support legacy protocols. 261 262 263Decryption 264~~~~~~~~~~ 265 266Once you have an encrypted message, it can be decrypted using the private key: 267 268.. doctest:: 269 270 >>> plaintext = private_key.decrypt( 271 ... ciphertext, 272 ... padding.OAEP( 273 ... mgf=padding.MGF1(algorithm=hashes.SHA256()), 274 ... algorithm=hashes.SHA256(), 275 ... label=None 276 ... ) 277 ... ) 278 >>> plaintext == message 279 True 280 281Padding 282~~~~~~~ 283 284.. module:: cryptography.hazmat.primitives.asymmetric.padding 285 286.. class:: AsymmetricPadding 287 288 .. versionadded:: 0.2 289 290 .. attribute:: name 291 292.. class:: PSS(mgf, salt_length) 293 294 .. versionadded:: 0.3 295 296 .. versionchanged:: 0.4 297 Added ``salt_length`` parameter. 298 299 PSS (Probabilistic Signature Scheme) is a signature scheme defined in 300 :rfc:`3447`. It is more complex than PKCS1 but possesses a `security proof`_. 301 This is the `recommended padding algorithm`_ for RSA signatures. It cannot 302 be used with RSA encryption. 303 304 :param mgf: A mask generation function object. At this time the only 305 supported MGF is :class:`MGF1`. 306 307 :param int salt_length: The length of the salt. It is recommended that this 308 be set to ``PSS.MAX_LENGTH``. 309 310 .. attribute:: MAX_LENGTH 311 312 Pass this attribute to ``salt_length`` to get the maximum salt length 313 available. 314 315.. class:: OAEP(mgf, algorithm, label) 316 317 .. versionadded:: 0.4 318 319 OAEP (Optimal Asymmetric Encryption Padding) is a padding scheme defined in 320 :rfc:`3447`. It provides probabilistic encryption and is `proven secure`_ 321 against several attack types. This is the `recommended padding algorithm`_ 322 for RSA encryption. It cannot be used with RSA signing. 323 324 :param mgf: A mask generation function object. At this time the only 325 supported MGF is :class:`MGF1`. 326 327 :param algorithm: An instance of 328 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`. 329 330 :param bytes label: A label to apply. This is a rarely used field and 331 should typically be set to ``None`` or ``b""``, which are equivalent. 332 333.. class:: PKCS1v15() 334 335 .. versionadded:: 0.3 336 337 PKCS1 v1.5 (also known as simply PKCS1) is a simple padding scheme 338 developed for use with RSA keys. It is defined in :rfc:`3447`. This padding 339 can be used for signing and encryption. 340 341 It is not recommended that ``PKCS1v15`` be used for new applications, 342 :class:`OAEP` should be preferred for encryption and :class:`PSS` should be 343 preferred for signatures. 344 345 .. warning:: 346 347 Our implementation of PKCS1 v1.5 decryption is not constant time. See 348 :doc:`/limitations` for details. 349 350 351.. function:: calculate_max_pss_salt_length(key, hash_algorithm) 352 353 .. versionadded:: 1.5 354 355 :param key: An RSA public or private key. 356 :param hash_algorithm: A 357 :class:`cryptography.hazmat.primitives.hashes.HashAlgorithm`. 358 :returns int: The computed salt length. 359 360 Computes the length of the salt that :class:`PSS` will use if 361 :data:`PSS.MAX_LENGTH` is used. 362 363 364Mask generation functions 365------------------------- 366 367.. class:: MGF1(algorithm) 368 369 .. versionadded:: 0.3 370 371 .. versionchanged:: 0.6 372 Removed the deprecated ``salt_length`` parameter. 373 374 MGF1 (Mask Generation Function 1) is used as the mask generation function 375 in :class:`PSS` and :class:`OAEP` padding. It takes a hash algorithm. 376 377 :param algorithm: An instance of 378 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`. 379 380Numbers 381~~~~~~~ 382 383.. currentmodule:: cryptography.hazmat.primitives.asymmetric.rsa 384 385These classes hold the constituent components of an RSA key. They are useful 386only when more traditional :doc:`/hazmat/primitives/asymmetric/serialization` 387is unavailable. 388 389.. class:: RSAPublicNumbers(e, n) 390 391 .. versionadded:: 0.5 392 393 The collection of integers that make up an RSA public key. 394 395 .. attribute:: n 396 397 :type: int 398 399 The public modulus. 400 401 .. attribute:: e 402 403 :type: int 404 405 The public exponent. 406 407 .. method:: public_key(backend=None) 408 409 :param backend: An optional instance of 410 :class:`~cryptography.hazmat.backends.interfaces.RSABackend`. 411 412 :returns: A new instance of 413 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`. 414 415.. class:: RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, public_numbers) 416 417 .. versionadded:: 0.5 418 419 The collection of integers that make up an RSA private key. 420 421 .. warning:: 422 423 With the exception of the integers contained in the 424 :class:`RSAPublicNumbers` all attributes of this class must be kept 425 secret. Revealing them will compromise the security of any 426 cryptographic operations performed with a key loaded from them. 427 428 .. attribute:: public_numbers 429 430 :type: :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers` 431 432 The :class:`RSAPublicNumbers` which makes up the RSA public key 433 associated with this RSA private key. 434 435 .. attribute:: p 436 437 :type: int 438 439 ``p``, one of the two primes composing ``n``. 440 441 .. attribute:: q 442 443 :type: int 444 445 ``q``, one of the two primes composing ``n``. 446 447 .. attribute:: d 448 449 :type: int 450 451 The private exponent. 452 453 .. attribute:: dmp1 454 455 :type: int 456 457 A `Chinese remainder theorem`_ coefficient used to speed up RSA 458 operations. Calculated as: d mod (p-1) 459 460 .. attribute:: dmq1 461 462 :type: int 463 464 A `Chinese remainder theorem`_ coefficient used to speed up RSA 465 operations. Calculated as: d mod (q-1) 466 467 .. attribute:: iqmp 468 469 :type: int 470 471 A `Chinese remainder theorem`_ coefficient used to speed up RSA 472 operations. Calculated as: q\ :sup:`-1` mod p 473 474 .. method:: private_key(backend=None) 475 476 :param backend: An optional instance of 477 :class:`~cryptography.hazmat.backends.interfaces.RSABackend`. 478 479 :returns: An instance of 480 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`. 481 482Handling partial RSA private keys 483~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 484 485If you are trying to load RSA private keys yourself you may find that not all 486parameters required by ``RSAPrivateNumbers`` are available. In particular the 487`Chinese Remainder Theorem`_ (CRT) values ``dmp1``, ``dmq1``, ``iqmp`` may be 488missing or present in a different form. For example, `OpenPGP`_ does not include 489the ``iqmp``, ``dmp1`` or ``dmq1`` parameters. 490 491The following functions are provided for users who want to work with keys like 492this without having to do the math themselves. 493 494.. function:: rsa_crt_iqmp(p, q) 495 496 .. versionadded:: 0.4 497 498 Computes the ``iqmp`` (also known as ``qInv``) parameter from the RSA 499 primes ``p`` and ``q``. 500 501.. function:: rsa_crt_dmp1(private_exponent, p) 502 503 .. versionadded:: 0.4 504 505 Computes the ``dmp1`` parameter from the RSA private exponent (``d``) and 506 prime ``p``. 507 508.. function:: rsa_crt_dmq1(private_exponent, q) 509 510 .. versionadded:: 0.4 511 512 Computes the ``dmq1`` parameter from the RSA private exponent (``d``) and 513 prime ``q``. 514 515.. function:: rsa_recover_prime_factors(n, e, d) 516 517 .. versionadded:: 0.8 518 519 Computes the prime factors ``(p, q)`` given the modulus, public exponent, 520 and private exponent. 521 522 .. note:: 523 524 When recovering prime factors this algorithm will always return ``p`` 525 and ``q`` such that ``p > q``. Note: before 1.5, this function always 526 returned ``p`` and ``q`` such that ``p < q``. It was changed because 527 libraries commonly require ``p > q``. 528 529 :return: A tuple ``(p, q)`` 530 531 532Key interfaces 533~~~~~~~~~~~~~~ 534 535.. class:: RSAPrivateKey 536 537 .. versionadded:: 0.2 538 539 An `RSA`_ private key. An RSA private key that is not an 540 :term:`opaque key` also implements :class:`RSAPrivateKeyWithSerialization` 541 to provide serialization methods. 542 543 .. method:: decrypt(ciphertext, padding) 544 545 .. versionadded:: 0.4 546 547 Decrypt data that was encrypted with the public key. 548 549 :param bytes ciphertext: The ciphertext to decrypt. 550 551 :param padding: An instance of 552 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. 553 554 :return bytes: Decrypted data. 555 556 .. method:: public_key() 557 558 :return: :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` 559 560 An RSA public key object corresponding to the values of the private key. 561 562 .. attribute:: key_size 563 564 :type: int 565 566 The bit length of the modulus. 567 568 .. method:: sign(data, padding, algorithm) 569 570 .. versionadded:: 1.4 571 .. versionchanged:: 1.6 572 :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed` 573 can now be used as an ``algorithm``. 574 575 Sign one block of data which can be verified later by others using the 576 public key. 577 578 :param bytes data: The message string to sign. 579 580 :param padding: An instance of 581 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. 582 583 :param algorithm: An instance of 584 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or 585 :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed` 586 if the ``data`` you want to sign has already been hashed. 587 588 :return bytes: Signature. 589 590 591.. class:: RSAPrivateKeyWithSerialization 592 593 .. versionadded:: 0.8 594 595 This interface contains additional methods relating to serialization. 596 Any object with this interface also has all the methods from 597 :class:`RSAPrivateKey`. 598 599 .. method:: private_numbers() 600 601 Create a 602 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers` 603 object. 604 605 :returns: An 606 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers` 607 instance. 608 609 .. method:: private_bytes(encoding, format, encryption_algorithm) 610 611 Allows serialization of the key to bytes. Encoding ( 612 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.PEM` or 613 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`), 614 format ( 615 :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.TraditionalOpenSSL`, 616 :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH` 617 or 618 :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.PKCS8`) 619 and encryption algorithm (such as 620 :class:`~cryptography.hazmat.primitives.serialization.BestAvailableEncryption` 621 or :class:`~cryptography.hazmat.primitives.serialization.NoEncryption`) 622 are chosen to define the exact serialization. 623 624 :param encoding: A value from the 625 :class:`~cryptography.hazmat.primitives.serialization.Encoding` enum. 626 627 :param format: A value from the 628 :class:`~cryptography.hazmat.primitives.serialization.PrivateFormat` 629 enum. 630 631 :param encryption_algorithm: An instance of an object conforming to the 632 :class:`~cryptography.hazmat.primitives.serialization.KeySerializationEncryption` 633 interface. 634 635 :return bytes: Serialized key. 636 637 638.. class:: RSAPublicKey 639 640 .. versionadded:: 0.2 641 642 An `RSA`_ public key. 643 644 .. method:: encrypt(plaintext, padding) 645 646 .. versionadded:: 0.4 647 648 Encrypt data with the public key. 649 650 :param bytes plaintext: The plaintext to encrypt. 651 652 :param padding: An instance of 653 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. 654 655 :return bytes: Encrypted data. 656 657 .. attribute:: key_size 658 659 :type: int 660 661 The bit length of the modulus. 662 663 .. method:: public_numbers() 664 665 Create a 666 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers` 667 object. 668 669 :returns: An 670 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers` 671 instance. 672 673 .. method:: public_bytes(encoding, format) 674 675 Allows serialization of the key to bytes. Encoding ( 676 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.PEM` or 677 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`) and 678 format ( 679 :attr:`~cryptography.hazmat.primitives.serialization.PublicFormat.SubjectPublicKeyInfo` 680 or 681 :attr:`~cryptography.hazmat.primitives.serialization.PublicFormat.PKCS1`) 682 are chosen to define the exact serialization. 683 684 :param encoding: A value from the 685 :class:`~cryptography.hazmat.primitives.serialization.Encoding` enum. 686 687 :param format: A value from the 688 :class:`~cryptography.hazmat.primitives.serialization.PublicFormat` enum. 689 690 :return bytes: Serialized key. 691 692 .. method:: verify(signature, data, padding, algorithm) 693 694 .. versionadded:: 1.4 695 .. versionchanged:: 1.6 696 :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed` 697 can now be used as an ``algorithm``. 698 699 Verify one block of data was signed by the private key 700 associated with this public key. 701 702 :param bytes signature: The signature to verify. 703 704 :param bytes data: The message string that was signed. 705 706 :param padding: An instance of 707 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. 708 709 :param algorithm: An instance of 710 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or 711 :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed` 712 if the ``data`` you want to verify has already been hashed. 713 714 :raises cryptography.exceptions.InvalidSignature: If the signature does 715 not validate. 716 717 .. method:: recover_data_from_signature(signature, padding, algorithm) 718 719 .. versionadded:: 3.3 720 721 Recovers the signed data from the signature. The data contains the 722 digest of the original message string. The ``padding`` and 723 ``algorithm`` parameters must match the ones used when the signature 724 was created for the recovery to succeed. 725 726 The ``algorithm`` parameter can also be set to ``None`` to recover all 727 the data present in the signature, without regard to its format or the 728 hash algorithm used for its creation. 729 730 For 731 :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` 732 padding, this returns the data after removing the padding layer. For 733 standard signatures the data contains the full ``DigestInfo`` structure. 734 For non-standard signatures, any data can be returned, including zero- 735 length data. 736 737 Normally you should use the 738 :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.verify` 739 function to validate the signature. But for some non-standard signature 740 formats you may need to explicitly recover and validate the signed 741 data. Following are some examples: 742 743 - Some old Thawte and Verisign timestamp certificates without ``DigestInfo``. 744 - Signed MD5/SHA1 hashes in TLS 1.1 or earlier (RFC 4346, section 4.7). 745 - IKE version 1 signatures without ``DigestInfo`` (RFC 2409, section 5.1). 746 747 :param bytes signature: The signature. 748 749 :param padding: An instance of 750 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. 751 Recovery is only supported with some of the padding types. (Currently 752 only with 753 :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`). 754 755 :param algorithm: An instance of 756 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`. 757 Can be ``None`` to return the all the data present in the signature. 758 759 :return bytes: The signed data. 760 761 :raises cryptography.exceptions.InvalidSignature: If the signature is 762 invalid. 763 764 :raises cryptography.exceptions.UnsupportedAlgorithm: If signature 765 data recovery is not supported with the provided ``padding`` type. 766 767.. class:: RSAPublicKeyWithSerialization 768 769 .. versionadded:: 0.8 770 771 Alias for :class:`RSAPublicKey`. 772 773 774.. _`RSA`: https://en.wikipedia.org/wiki/RSA_(cryptosystem) 775.. _`public-key`: https://en.wikipedia.org/wiki/Public-key_cryptography 776.. _`specific mathematical properties`: https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation 777.. _`use 65537`: https://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html 778.. _`at least 2048`: https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf 779.. _`OpenPGP`: https://en.wikipedia.org/wiki/Pretty_Good_Privacy 780.. _`Chinese Remainder Theorem`: https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29#Using_the_Chinese_remainder_algorithm 781.. _`security proof`: https://eprint.iacr.org/2001/062.pdf 782.. _`recommended padding algorithm`: https://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html 783.. _`proven secure`: https://cseweb.ucsd.edu/~mihir/papers/oae.pdf 784