Here’s my code:
from Crypto.PublicKey import RSAfrom Crypto.Cipher import PKCS1_OAEPfrom Crypto import Randomfrom Crypto import Hashimport base64key = RSA.import_key("""-----BEGIN PRIVATE KEY-----MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAqPfgaTEWEP3S9w0tgsicURfo+nLW09/0KfOPinhYZ4ouzU+3xC4pSlEp8Ut9FgL0AgqNslNaK34Kq+NZjO9DAQIDAQABAkAgkuLEHLaqkWhLgNKagSajeobLS3rPT0Agm0f7k55FXVt743hwNgkp98bMNrzy9AQ1mJGbQZGrpr4c8ZAx3aRNAiEAoxK/MgGeeLui385KJ7ZOYktjhLBNAB69fKwTZFsUNh0CIQEJQRpFCcydunv2bENcN/oBTRw39E8GNv2pIcNxZkcbNQIgbYSzn3Py6AasNj6nEtCfB+i1p3F35TK/87DlPSrmAgkCIQDJLhFoj1gbwRbH/bDRPrtlRUDDx44wHoEhSDRdy77eiQIgE6z/k6I+ChN1LLttwX0galITxmAYrOBhBVl433tgTTQ=-----END PRIVATE KEY-----""")ciphertext = "h3j3zLT2jXCaZuwF7cgUE/Zmc/5IsIfKbaTiBhpCJo86AiyuoA3Yvni+Lrm5wu2OGv2h5R7Zu3voFcHugiystw=="ciphertextBytes = base64.decodebytes(ciphertext.encode('ascii'))cipher = PKCS1_OAEP.new(key, Hash.MD5, Hash.SHA1)plaintext = cipher.decrypt(ciphertextBytes)print(plaintext)Here’s the error I get:
Traceback (most recent call last): File "test.py", line 23, in <module> plaintext = cipher.decrypt(ciphertextBytes) File "C:UsersneubertAppDataLocalProgramsPythonPython38libsite-packagesCryptoCipherPKCS1_OAEP.py", line 183, in decrypt seedMask = self._mgf(maskedDB, hLen)TypeError: 'module' object is not callableWhat am I doing wrong? I’m running Python 3.8.3.
Advertisement
Answer
The mgfunc parameter (3rd parameter) for the mask generation function is incorrectly specified in the posted code. According to the description of Crypto.Cipher.PKCS1_OAEP.new():
mgfunc (callable) – A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. If not specified, the standard MGF1 consistent with hashAlgo is used (a safe choice).
where hashAlgo (2nd parameter) denotes the OAEP digest.
The use of MGF1 with an explicitly specified digest is described in the documentation in the context of Crypto.Signature.pss, see Crypto.Signature.pss.MGF1() and Crypto.Signature.pss.new(). However, MGF1 is also available in Crypto.Cipher.PKCS1_OAEP (where it is imported from Crypto.Signature.pss in the source code).
Since by default MGF1 is used with the OAEP digest specified in the 2nd parameter (hashAlgo), an explicit specification of the mask generation function or MGF1 is necessary whenever the two digests differ, i.e., as in this example, where the OAEP digest is MD5, and the MGF1 digest is SHA1.
If the following line is used in the code:
cipher = PKCS1_OAEP.new(key, Hash.MD5, mgfunc = lambda x,y: PKCS1_OAEP.MGF1(x, y, Hash.SHA1))then the decryption works and b’test’ is returned as the decrypted value.
Please note that MD5 and SHA1 are deprecated. RFC8017 recommends only SHA-1 and SHA-2 for RSAES-OAEP.