add generate_rsa_parameters_supported to RSABackend
diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py
index 11b1378..97a7a4f 100644
--- a/cryptography/hazmat/backends/interfaces.py
+++ b/cryptography/hazmat/backends/interfaces.py
@@ -135,6 +135,13 @@
Returns True if the backend supports the given padding options.
"""
+ @abc.abstractmethod
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ """
+ Returns True if the backend supports the given parameters for key
+ generation.
+ """
+
@six.add_metaclass(abc.ABCMeta)
class DSABackend(object):
diff --git a/cryptography/hazmat/backends/multibackend.py b/cryptography/hazmat/backends/multibackend.py
index 21630ba..b4cb688 100644
--- a/cryptography/hazmat/backends/multibackend.py
+++ b/cryptography/hazmat/backends/multibackend.py
@@ -132,6 +132,14 @@
raise UnsupportedAlgorithm("RSA is not supported by the backend.",
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ for b in self._filtered_backends(RSABackend):
+ return b.generate_rsa_parameters_supported(
+ public_exponent, key_size
+ )
+ raise UnsupportedAlgorithm("RSA is not supported by the backend.",
+ _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+
def create_rsa_signature_ctx(self, private_key, padding, algorithm):
for b in self._filtered_backends(RSABackend):
return b.create_rsa_signature_ctx(private_key, padding, algorithm)
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index e5d6eaa..8d76160 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -378,6 +378,10 @@
return self._rsa_cdata_to_private_key(ctx)
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ return (public_exponent >= 3 and public_exponent & 1 != 0 and
+ key_size >= 512)
+
def _new_evp_pkey(self):
evp_pkey = self._lib.EVP_PKEY_new()
assert evp_pkey != self._ffi.NULL
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index e98b9a5..238c2e7 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -274,6 +274,15 @@
:returns: ``True`` if the specified ``padding`` is supported by this
backend, otherwise ``False``.
+ .. method:: generate_rsa_parameters_supported(public_exponent, key_size)
+
+ Check if the specified parameters are supported for key generation by
+ the backend.
+
+ :param int public_exponent: The public exponent desired.
+
+ :param int key_size: The length in bits of the modulus desired.
+
.. method:: decrypt_rsa(private_key, ciphertext, padding)
:param private_key: An instance of an
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 63d7dd2..3fa364e 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -104,6 +104,9 @@
def rsa_padding_supported(self, padding):
pass
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ pass
+
def decrypt_rsa(self, private_key, ciphertext, padding):
pass
@@ -227,6 +230,8 @@
backend.rsa_padding_supported(padding.PKCS1v15())
+ backend.generate_rsa_parameters_supported(65537, 1024)
+
backend.encrypt_rsa("public_key", "encryptme", padding.PKCS1v15())
backend.decrypt_rsa("private_key", "encrypted", padding.PKCS1v15())
@@ -262,6 +267,11 @@
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
+ backend.generate_rsa_parameters_supported(65537, 1024)
+
+ with raises_unsupported_algorithm(
+ _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+ ):
backend.encrypt_rsa("public_key", "encryptme", padding.PKCS1v15())
with raises_unsupported_algorithm(
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index f989623..0ccf728 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -271,6 +271,12 @@
class TestOpenSSLRSA(object):
+ def test_generate_rsa_parameters_supported(self):
+ assert backend.generate_rsa_parameters_supported(1, 1024) is False
+ assert backend.generate_rsa_parameters_supported(4, 1024) is False
+ assert backend.generate_rsa_parameters_supported(3, 1024) is True
+ assert backend.generate_rsa_parameters_supported(3, 511) is False
+
@pytest.mark.skipif(
backend._lib.OPENSSL_VERSION_NUMBER >= 0x1000100f,
reason="Requires an older OpenSSL. Must be < 1.0.1"
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
index 4d5292e..47e572c 100644
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
@@ -93,7 +93,7 @@
assert skey.key_size == key_size
assert skey.public_exponent == public_exponent
- def test_generate_bad_rsa_key(self, backend):
+ def test_generate_bad_public_exponent(self, backend):
with pytest.raises(ValueError):
rsa.RSAPrivateKey.generate(public_exponent=1,
key_size=2048,