fixes #12949 -- added support for decrypting des-cbc-md5 keys

Author: alex

src/cryptography/hazmat/decrepit/ciphers/algorithms.py

@@ -40,6 +40,11 @@ def key_size(self) -> int:
         return len(self.key) * 8
 
 
+# Not actually supported, marker for tests
+class _DES:
+    key_size = 64
+
+
 class Blowfish(BlockCipherAlgorithm):
     name = "Blowfish"
     block_size = 64

src/rust/cryptography-crypto/src/pbkdf1.rs

@@ -30,9 +30,37 @@ pub fn openssl_kdf(
     Ok(key)
 }
 
+/// PBKDF1 as defined in RFC 2898 for PKCS#5 v1.5 PBE algorithms
+pub fn pbkdf1(
+    hash_alg: openssl::hash::MessageDigest,
+    password: &[u8],
+    salt: [u8; 8],
+    iterations: u64,
+    length: usize,
+) -> Result<Vec<u8>, openssl::error::ErrorStack> {
+    if length > hash_alg.size() || iterations == 0 {
+        return Err(openssl::error::ErrorStack::get());
+    }
+
+    let mut h = openssl::hash::Hasher::new(hash_alg)?;
+    h.update(password)?;
+    h.update(&salt)?;
+    let mut t = h.finish()?;
+
+    // Apply hash function for specified iterations
+    for _ in 1..iterations {
+        let mut h = openssl::hash::Hasher::new(hash_alg)?;
+        h.update(&t)?;
+        t = h.finish()?;
+    }
+
+    // Return the first `length` bytes
+    Ok(t[..length].to_vec())
+}
+
 #[cfg(test)]
 mod tests {
-    use super::openssl_kdf;
+    use super::{openssl_kdf, pbkdf1};
 
     #[test]
     fn test_openssl_kdf() {
@@ -98,4 +126,10 @@ mod tests {
             assert_eq!(key, expected);
         }
     }
+
+    #[test]
+    fn test_pbkdf1() {
+        assert!(pbkdf1(openssl::hash::MessageDigest::md5(), b"abc", [0; 8], 1, 20).is_err());
+        assert!(pbkdf1(openssl::hash::MessageDigest::md5(), b"abc", [0; 8], 0, 8).is_err());
+    }
 }

src/rust/cryptography-key-parsing/src/pkcs8.rs

@@ -2,7 +2,9 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
-use cryptography_x509::common::{AlgorithmIdentifier, AlgorithmParameters, Pkcs12PbeParams};
+use cryptography_x509::common::{
+    AlgorithmIdentifier, AlgorithmParameters, PbeParams, Pkcs12PbeParams,
+};
 use cryptography_x509::csr::Attributes;
 use cryptography_x509::pkcs8::EncryptedPrivateKeyInfo;
 
@@ -153,6 +155,31 @@ fn pkcs12_pbe_decrypt(
         .map_err(|_| KeyParsingError::IncorrectPassword)
 }
 
+fn pkcs5_pbe_decrypt(
+    data: &[u8],
+    password: &[u8],
+    cipher: openssl::symm::Cipher,
+    hash: openssl::hash::MessageDigest,
+    params: &PbeParams,
+) -> KeyParsingResult<Vec<u8>> {
+    // PKCS#5 v1.5 uses PBKDF1 with iteration count
+    // For PKCS#5 PBE, we need key + IV length
+    let key_iv_len = cipher.key_len() + cipher.iv_len().unwrap();
+    let key_iv = cryptography_crypto::pbkdf1::pbkdf1(
+        hash,
+        password,
+        params.salt,
+        params.iterations,
+        key_iv_len,
+    )?;
+
+    let key = &key_iv[..cipher.key_len()];
+    let iv = &key_iv[cipher.key_len()..];
+
+    openssl::symm::decrypt(cipher, key, Some(iv), data)
+        .map_err(|_| KeyParsingError::IncorrectPassword)
+}
+
 pub fn parse_encrypted_private_key(
     data: &[u8],
     password: Option<&[u8]>,
@@ -164,6 +191,13 @@ pub fn parse_encrypted_private_key(
     };
 
     let plaintext = match epki.encryption_algorithm.params {
+        AlgorithmParameters::PbeWithMd5AndDesCbc(params) => pkcs5_pbe_decrypt(
+            epki.encrypted_data,
+            password,
+            openssl::symm::Cipher::des_cbc(),
+            openssl::hash::MessageDigest::md5(),
+            &params,
+        )?,
         AlgorithmParameters::PbeWithShaAnd3KeyTripleDesCbc(params) => pkcs12_pbe_decrypt(
             epki.encrypted_data,
             password,

src/rust/cryptography-x509/src/common.rs

@@ -165,6 +165,8 @@ pub enum AlgorithmParameters<'a> {
     #[defined_by(oid::RC2_CBC)]
     Rc2Cbc(Rc2CbcParams),
 
+    #[defined_by(oid::PBE_WITH_MD5_AND_DES_CBC)]
+    PbeWithMd5AndDesCbc(PbeParams),
     #[defined_by(oid::PBE_WITH_SHA_AND_3KEY_TRIPLEDES_CBC)]
     PbeWithShaAnd3KeyTripleDesCbc(Pkcs12PbeParams<'a>),
     #[defined_by(oid::PBE_WITH_SHA_AND_40_BIT_RC2_CBC)]
@@ -529,6 +531,13 @@ pub struct ScryptParams<'a> {
     pub key_length: Option<u32>,
 }
 
+// RFC 8018 Appendix A.3
+#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)]
+pub struct PbeParams {
+    pub salt: [u8; 8],
+    pub iterations: u64,
+}
+
 // From RFC 7202 Appendix C
 #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)]
 pub struct Pkcs12PbeParams<'a> {

src/rust/cryptography-x509/src/oid.rs

@@ -152,6 +152,7 @@ pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier =
 
 pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13);
 pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12);
+pub const PBE_WITH_MD5_AND_DES_CBC: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 3);
 pub const SCRYPT_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 4, 1, 11591, 4, 11);
 
 pub const PBE_WITH_SHA_AND_3KEY_TRIPLEDES_CBC: asn1::ObjectIdentifier =

src/rust/src/backend/cipher_registry.rs

@@ -123,6 +123,7 @@ fn get_cipher_registry(
         let aes128 = types::AES128.get(py)?;
         let aes256 = types::AES256.get(py)?;
         let triple_des = types::TRIPLE_DES.get(py)?;
+        let des = types::DES.get(py)?;
         #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))]
         let camellia = types::CAMELLIA.get(py)?;
         #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))]
@@ -306,6 +307,8 @@ fn get_cipher_registry(
             #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_RC4"))]
             m.add(&arc4, none_type.as_any(), None, Cipher::rc4())?;
 
+            m.add(&des, &cbc, Some(64), Cipher::des_cbc())?;
+
             if let Some(rc2_cbc) = Cipher::from_nid(openssl::nid::Nid::RC2_CBC) {
                 m.add(&rc2, &cbc, Some(128), rc2_cbc)?;
             }

src/rust/src/types.rs

@@ -513,6 +513,8 @@ pub static TRIPLE_DES: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.decrepit.ciphers.algorithms",
     &["TripleDES"],
 );
+pub static DES: LazyPyImport =
+    LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["_DES"]);
 pub static AES: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.ciphers.algorithms",
     &["AES"],

tests/hazmat/primitives/test_serialization.py

@@ -11,7 +11,7 @@
 import pytest
 
 from cryptography.hazmat.bindings._rust import openssl as rust_openssl
-from cryptography.hazmat.decrepit.ciphers.algorithms import RC2
+from cryptography.hazmat.decrepit.ciphers.algorithms import _DES, RC2
 from cryptography.hazmat.primitives.asymmetric import (
     dsa,
     ec,
@@ -22,7 +22,7 @@
     x25519,
 )
 from cryptography.hazmat.primitives.ciphers import modes
-from cryptography.hazmat.primitives.hashes import SHA1
+from cryptography.hazmat.primitives.hashes import MD5, SHA1
 from cryptography.hazmat.primitives.serialization import (
     BestAvailableEncryption,
     Encoding,
@@ -559,6 +559,20 @@ def test_load_pkcs8_scrypt(self):
         )
         assert isinstance(key, ed25519.Ed25519PrivateKey)
 
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.hash_supported(MD5())
+        and backend.cipher_supported(_DES(), modes.CBC(b"\x00" * 8)),
+        skip_message="Does not support DES MD5",
+    )
+    def test_load_pkcs8_pbe_with_md5_and_des_cbc(self):
+        key = load_vectors_from_file(
+            os.path.join("asymmetric", "PKCS8", "rsa-pbewithmd5anddescbc.pem"),
+            lambda f: load_pem_private_key(f.read(), password=b"hunter2"),
+            mode="rb",
+        )
+        assert isinstance(key, rsa.RSAPrivateKey)
+        assert key.key_size == 2048
+
 
 class TestPEMSerialization:
     @pytest.mark.parametrize(