fixes #12949 -- added support for decrypting des-cbc-md5 keys #12978

Merged
merged 1 commit into from
May 25, 2025

alex
Member

@alex alex commented May 25, 2025

Implemented by Zed (claude sonnet 4) + a bit of cleanup by me with the following prompt:

Add support to the existing private key parsing APIs for decrypting keys that have the OID 1.2.840.113549.1.5.3. There's an existing vector you can add to our tests for this (documented in test-vectors.rst). You can run tests + formatters + linters with nox -e local

@alex alex requested a review from Copilot May 25, 2025 02:41
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR fixes #12949 by adding support for decrypting private keys encrypted with the DES-CBC/MD5 PBE scheme. Key changes include:

  • A new test case in the serialization tests for loading MD5/DES-CBC encrypted keys (with a FIPS skip marker).
  • A new OID constant and a corresponding variant in the AlgorithmParameters enum to support PBE_WITH_MD5_AND_DES_CBC.
  • Implementation of the pkcs5_pbe_decrypt function in the pkcs8 module and addition of a PBKDF1 function to support key derivation.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| tests/hazmat/primitives/test_serialization.py | Added new test for PKCS#8 decryption using MD5 and DES-CBC with proper FIPS-compliance skipping. |
| src/rust/cryptography-x509/src/oid.rs | Defined a new constant for the PBE_WITH_MD5_AND_DES_CBC OID. |
| src/rust/cryptography-x509/src/common.rs | Extended the AlgorithmParameters enum and introduced a new PbeParams struct to support DES-CBC mode. |
| src/rust/cryptography-key-parsing/src/pkcs8.rs | Added the pkcs5_pbe_decrypt function and updated parse_encrypted_private_key to utilize it. |
| src/rust/cryptography-crypto/src/pbkdf1.rs | Implemented PBKDF1 as defined in RFC 2898 for PKCS#5 v1.5 PBE algorithms. |

@alex alex force-pushed the des-cbc-md5-horrors branch 2 times, most recently from 32eb0df to bf4e4a1 Compare May 25, 2025 02:55
@alex
Member Author

alex commented May 25, 2025

sigh, our cipher_supported() check doesn't work because we turn the key into a triple des key, but only single des requires the legacy provider

we need some way to check if we have single des in the tests
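
The derivation that the review summary and the triple-DES comment above refer to, as an added example (not code from this PR or from pyca/cryptography): PBKDF1 with MD5 per RFC 8018, the key/IV split for pbeWithMD5AndDES-CBC, and one way to express a single-DES key as a triple-DES key. All function names and the sample password and salt are assumptions made for the illustration.

```python
import hashlib

MD5_LEN = 16  # PBKDF1 output is capped at one digest of the underlying hash


def pbkdf1_md5(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """PBKDF1 (RFC 8018, section 5.1): T_1 = H(P || S), T_i = H(T_{i-1})."""
    if iterations < 1:
        raise ValueError("iteration count must be a positive integer")
    if dk_len > MD5_LEN:
        raise ValueError("derived key too long")  # no block chaining as in PBKDF2
    t = hashlib.md5(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.md5(t).digest()
    return t[:dk_len]


def pbes1_md5_des_material(password: bytes, salt: bytes, iterations: int):
    """Key and IV for pbeWithMD5AndDES-CBC (RFC 8018, section 6.1).

    The RFC specifies an eight-octet salt; the length is not enforced here.
    """
    dk = pbkdf1_md5(password, salt, iterations, 16)
    return dk[:8], dk[8:]  # K = DK<0..7>, IV = DK<8..15>


def des_key_as_3des(key: bytes) -> bytes:
    """Repeat K three times (assumed layout): with K1 = K2 = K3 the
    encrypt-decrypt-encrypt sequence collapses to single DES under K."""
    if len(key) != 8:
        raise ValueError("single-DES keys are 8 bytes")
    return key * 3


if __name__ == "__main__":
    # Constructed sample values, not taken from the project's test vectors.
    key, iv = pbes1_md5_des_material(b"example-password", b"\x01" * 8, 2048)
    print("DES key :", key.hex())
    print("IV      :", iv.hex())
    print("3DES key:", des_key_as_3des(key).hex())
```

The whole scheme's strength is bounded by the 56-bit DES key and an unkeyed MD5 chain, which is why support here is for decrypting existing keys.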

@alex alex force-pushed the des-cbc-md5-horrors branch 2 times, most recently from 9725330 to f8ad758 Compare May 25, 2025 04:30
@alex alex force-pushed the des-cbc-md5-horrors branch from f8ad758 to 231dcf3 Compare May 25, 2025 04:40
@reaperhulk reaperhulk merged commit 8aa1da6 into pyca:main May 25, 2025
65 checks passed
@alex alex deleted the des-cbc-md5-horrors branch May 25, 2025 13:40
alex added a commit to alex/cryptography that referenced this pull request May 25, 2025
reaperhulk added a commit that referenced this pull request May 25, 2025
* Rename PBES1 types to better match their origins in the spec (#12976)

PBEParams is defined in RFC 8018 as going with PBES1, but then it's also used by PKCS#12 ciphers in RFC 7292.

* add vector and test for longer salt length in PBE (#12977)

* add vector and test for longer salt length in PBE

* Update docs/development/test-vectors.rst

Co-authored-by: Alex Gaynor <[email protected]>

---------

Co-authored-by: Alex Gaynor <[email protected]>

* fixes #12949 -- added support for decrypting des-cbc-md5 keys (#12978)

* add missing 45.0.0 changelog entry (#12946)

* add missing 45.0.0 changelog entry

@Yossarian pointed out that we missed this breaking change #12110

* Update CHANGELOG.rst

* oops

* changelog + version bump

* add pbeWithMD5AndDES-CBC test vector (#12956)

* typo

* fix documentation for the decrepit algorithms module (#12953)

---------

Co-authored-by: Paul Kehrer <[email protected]>