
Unable to use OAEP decryption in Python

Here’s my code:

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from Crypto import Random
from Crypto import Hash
import base64

key = RSA.import_key("""-----BEGIN PRIVATE KEY-----
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAqPfgaTEWEP3S9w0t
gsicURfo+nLW09/0KfOPinhYZ4ouzU+3xC4pSlEp8Ut9FgL0AgqNslNaK34Kq+NZ
jO9DAQIDAQABAkAgkuLEHLaqkWhLgNKagSajeobLS3rPT0Agm0f7k55FXVt743hw
Ngkp98bMNrzy9AQ1mJGbQZGrpr4c8ZAx3aRNAiEAoxK/MgGeeLui385KJ7ZOYktj
hLBNAB69fKwTZFsUNh0CIQEJQRpFCcydunv2bENcN/oBTRw39E8GNv2pIcNxZkcb
NQIgbYSzn3Py6AasNj6nEtCfB+i1p3F35TK/87DlPSrmAgkCIQDJLhFoj1gbwRbH
/bDRPrtlRUDDx44wHoEhSDRdy77eiQIgE6z/k6I+ChN1LLttwX0galITxmAYrOBh
BVl433tgTTQ=
-----END PRIVATE KEY-----""")

ciphertext = "h3j3zLT2jXCaZuwF7cgUE/Zmc/5IsIfKbaTiBhpCJo86AiyuoA3Yvni+Lrm5wu2OGv2h5R7Zu3voFcHugiystw=="

ciphertextBytes = base64.decodebytes(ciphertext.encode('ascii'))

cipher = PKCS1_OAEP.new(key, Hash.MD5, Hash.SHA1)
plaintext = cipher.decrypt(ciphertextBytes)

print(plaintext)

Here’s the error I get:

Traceback (most recent call last):
  File "test.py", line 23, in <module>
    plaintext = cipher.decrypt(ciphertextBytes)
  File "C:\Users\neubert\AppData\Local\Programs\Python\Python38\lib\site-packages\Crypto\Cipher\PKCS1_OAEP.py", line 183, in decrypt
    seedMask = self._mgf(maskedDB, hLen)
TypeError: 'module' object is not callable

What am I doing wrong? I’m running Python 3.8.3.

Answer

The mgfunc parameter (3rd parameter) for the mask generation function is incorrectly specified in the posted code. According to the description of Crypto.Cipher.PKCS1_OAEP.new():

mgfunc (callable) – A mask generation function that accepts two parameters: a string to use as seed, and the length of the mask to generate, in bytes. If not specified, the standard MGF1 consistent with hashAlgo is used (a safe choice).

where hashAlgo (2nd parameter) denotes the OAEP digest.

The use of MGF1 with an explicitly specified digest is described in the documentation in the context of Crypto.Signature.pss, see Crypto.Signature.pss.MGF1() and Crypto.Signature.pss.new(). However, MGF1 is also available in Crypto.Cipher.PKCS1_OAEP (where it is imported from Crypto.Signature.pss in the source code).

Since by default MGF1 is used with the OAEP digest specified in the 2nd parameter (hashAlgo), an explicit specification of the mask generation function or MGF1 is necessary whenever the two digests differ, i.e., as in this example, where the OAEP digest is MD5, and the MGF1 digest is SHA1.

If the following line is used in the code:

cipher = PKCS1_OAEP.new(key, Hash.MD5, mgfunc = lambda x,y: PKCS1_OAEP.MGF1(x, y, Hash.SHA1))

then the decryption works and b'test' is returned as the decrypted value.

Please note that MD5 and SHA1 are deprecated. RFC8017 recommends only SHA-1 and SHA-2 for RSAES-OAEP.

User contributions licensed under: CC BY-SA