m32 / endesive

en-crypt, de-crypt, si-gn, ve-rify - smime, pdf, xades and plain files in pure python
MIT License

Cryptographic API Misuse Vulnerability #170

Closed lialon closed 2 months ago

lialon commented 2 months ago

Description:

In the "endesive/endesive/email/decrypt.py", "endesive/examples/pdf-verify-rsa_sha1.py", "endesive/endesive/email/encrypt.py" and "endesive/endesive/signer.py", I have identified a security vulnerability about an insecure cryptographic algorithm. PKCS1v1.5 is vulnerable to the chosen-ciphertext attack.

Location:

https://github.com/m32/endesive/blob/master/endesive/email/decrypt.py#L51

udata = key.decrypt(pkey, padding.PKCS1v15())

https://github.com/m32/endesive/blob/master/endesive/email/decrypt.py#L71

algorithms.TripleDES(udata),

https://github.com/m32/endesive/blob/master/endesive/email/encrypt.py#L68

encrypted_key = public_key.encrypt(session_key, padding.PKCS1v15())

https://github.com/m32/endesive/blob/master/endesive/signer.py#L347

signed_value_signature = asymmetric.rsa_pkcs1v15_sign(
    key, tosign, hashalgo.lower()
)

https://github.com/m32/endesive/blob/master/endesive/signer.py#L368

tosign, padding.PKCS1v15(), getattr(hashes, hashalgo.upper())()

https://github.com/m32/endesive/blob/master/endesive/verifier.py#L104

padding.PKCS1v15(),

https://github.com/m32/endesive/blob/master/examples/cert-info-p12.py#L31

padding.PKCS1v15(),

https://github.com/m32/endesive/blob/master/examples/pdf-verify-rsa_sha1.py#L69

pubkey.verify(signature, data, padding.PKCS1v15(), hashes.SHA1())

Reference

Recommendations:

Try using other padding (OAEP) instead of PKCS1v1.5.

m32 commented 2 months ago

When creating a signature, you can always choose a different algorithm than rsaes_pkcs1v15, e.g. rsaes_oaep (endesive/email/encrypt.py line 41). When reading/verifying a signature, you can't freely choose an algorithm; you have to use the right one.

This is not a bug in the library, but an intended action. You can choose what you want, not what the author thought was right.
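Added example (not endesive's own code and not part of this thread) of the choice m32 describes, written against the `cryptography` library the quoted lines already use: the sender picks the key-transport padding and the recipient applies the padding the message names. The `rsaes_*` labels and the `PADDINGS` table are assumptions for illustration, standing in for the algorithm identifier an S/MIME recipient info would carry.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# Key-transport paddings keyed by the algorithm name the message carries.
# Constructed mapping for this example; the names echo endesive's rsaes_*
# identifiers but the table is not the library's own.
PADDINGS = {
    "rsaes_oaep": padding.OAEP(
        mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None
    ),
    "rsaes_pkcs1v15": padding.PKCS1v15(),
}


def wrap_session_key(public_key, session_key, algo="rsaes_oaep"):
    """Sender side: the caller chooses the padding, defaulting to OAEP.

    Returns (algorithm name, encrypted key); the recipient needs the name
    to select the matching padding when decrypting.
    """
    return algo, public_key.encrypt(session_key, PADDINGS[algo])


def unwrap_session_key(private_key, algo, encrypted_key):
    """Recipient side: use the padding named in the message, not a fixed one."""
    try:
        return private_key.decrypt(encrypted_key, PADDINGS[algo])
    except ValueError:
        # Wrong padding for this ciphertext (or a damaged blob) fails closed.
        return None


def roundtrip(algo):
    """True when a session key survives wrap/unwrap under the given padding."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    session_key = os.urandom(32)  # constructed: an AES-256 content key
    named, wrapped = wrap_session_key(key.public_key(), session_key, algo)
    return unwrap_session_key(key, named, wrapped) == session_key


def mismatch_is_rejected():
    """A v1.5-wrapped key read as OAEP yields no key rather than a wrong key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    _, wrapped = wrap_session_key(key.public_key(), os.urandom(32), "rsaes_pkcs1v15")
    return unwrap_session_key(key, "rsaes_oaep", wrapped) is None


if __name__ == "__main__":
    print(roundtrip("rsaes_oaep"), roundtrip("rsaes_pkcs1v15"), mismatch_is_rejected())
```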