pyca/cryptography is vulnerable to Bleichenbacher attacks on PKCS#1 v1.5 decryption

[tomato42]

As far as I can tell, python-jose supports PKCS#1 v1.5 for key transport: https://github.com/mpdavis/python-jose/blob/99ec142374a6eb98e32be5b8cdfd72508fd404d4/docs/jwe/index.rst#supported-key-management-algorithms and: https://github.com/mpdavis/python-jose/blob/99ec142374a6eb98e32be5b8cdfd72508fd404d4/tests/test_jwe.py#L84-L97

at the same time, pyca/cryptography doesn't guarantee side-channel safety of their decryption API: https://github.com/pyca/cryptography/issues/5510 https://github.com/pyca/cryptography/pull/5600 https://github.com/pyca/cryptography/pull/5600/commits/1ac4759359dd83a5a70962f5a1a53e5b21fa23c2

which means that python-jose with PKCS#1 v1.5 is insecure

[blag]

See #194, which is already merged.

I'm considering doing a security release to include #194, but that will need to include #199 to make sure I didn't break anything.

After that I will do a feature release with #189 merged.

[tomato42]

@blag you misunderstand, I'm not talking about CVE-2020-25658 (which only got a workaround, not a proper fix) This is about the fact that pyca/cryptography needs a new API that implements the whole "generate a random value, test padding, return the random value instead of the decrypted value when padding check failed" to handle PKCS#1 v1.5 securely as it's impossible to do it securely on Python level.