Add an option to disable expensive OpenSSL 3.x RSA private key checks

This commit adds a new unsafe_skip_rsa_key_validation argument to
import_private_key(), import_private_key_and_certs(), read_private_key(),
read_private_key_and_certs(), read_private_key_list(), and load_keypairs()
which can be used to disable somewhat expensive RSA private key validation
code in OpenSSL 3.x, reducing the cost back to what it was in earlier
OpenSSL versions.

Skipping these checks is only recommended when keys being loaded are
from a trusted source.

A new set_default_skip_rsa_key_validation() function was also added,
to set a global default for whether or not to disable this extra key
validation.

Author: ronf

asyncssh/__init__.py

@@ -86,6 +86,8 @@
 from .public_key import load_keypairs, load_public_keys, load_certificates
 from .public_key import load_resident_keys
 
+from .rsa import set_default_skip_rsa_key_validation
+
 from .scp import scp
 
 from .session import DataType, SSHClientSession, SSHServerSession
@@ -164,5 +166,5 @@
     'read_certificate_list', 'read_known_hosts', 'read_private_key',
     'read_private_key_list', 'read_public_key', 'read_public_key_list',
     'run_client', 'run_server', 'scp', 'set_debug_level', 'set_log_level',
-    'set_sftp_log_level',
+    'set_sftp_log_level', 'set_default_skip_rsa_key_validation',
 ]

asyncssh/crypto/rsa.py

@@ -98,12 +98,14 @@ class RSAPrivateKey(_RSAKey):
 
     @classmethod
     def construct(cls, n: int, e: int, d: int, p: int, q: int,
-                  dmp1: int, dmq1: int, iqmp: int) -> 'RSAPrivateKey':
+                  dmp1: int, dmq1: int, iqmp: int,
+                  skip_validation: bool) -> 'RSAPrivateKey':
         """Construct an RSA private key"""
 
         pub = rsa.RSAPublicNumbers(e, n)
         priv = rsa.RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, pub)
-        priv_key = priv.private_key()
+        priv_key = priv.private_key(
+            unsafe_skip_rsa_key_validation=skip_validation)
 
         return cls(priv_key, pub, priv)