Used python rsa library brings PKCS#1 decryption vulnerability, is google-auth affected?

[attila123]

Environment details

• OS: not relevant for the issue
• Python version: not relevant for the issue
• pip version: not relevant for the issue
• google-auth version: 1.23.0, currently latest

Steps to reproduce

Security vulnerability scanners pick up an unfixed PKCS#1 decryption code issue with the rsa library 4.6 (see among the dependencies in setup.py in this project): sybrenstuvel/python-rsa#165 => although it is closed, from the comments it seems that it is not fixed, and anyway new version for this library is not released for some time...

One of the proposed solutions would be: sybrenstuvel/python-rsa#165 (comment) :
"3. modify code you depend on so that it uses libraries that do provide side-channel free behaviour for RSA decryption"

Questions:

1. Could you please confirm that this google-auth library does not use the vulnerable PKCS#1 decrypt() method, so that this rsa library issue can be considered a false-positive for google-auth? I tried to check quickly, for me this seems to be the case.
2. Would it be needed / feasible for google-auth to use another crypto library which does not have this issue? Is there a crypto library which would have clear advantages over the python rsa library?

[busunkim96]

Hi @attila123, thanks for the report.

1. Could you please confirm that this google-auth library does not use the vulnerable PKCS#1 decrypt() method, so that this rsa library issue can be considered a false-positive for google-auth? I tried to check quickly, for me this seems to be the case.

python-rsa is used only in https://github.com/googleapis/google-auth-library-python/blob/37141e4dffc2ba3f3f57c5914544fb8b9cf7d017/google/auth/crypt/_python_rsa.py. As you've stated, the decode() method is not called.

Full list of calls to python-rsa:

google-auth-library-python/google/auth/crypt/_python_rsa.py

Line 77 in 37141e4

return rsa.pkcs1.verify(message, signature, self._pubkey)

google-auth-library-python/google/auth/crypt/_python_rsa.py

Line 101 in 37141e4

der = rsa.pem.load_pem(public_key, "CERTIFICATE")

google-auth-library-python/google/auth/crypt/_python_rsa.py

Line 108 in 37141e4

pubkey = rsa.PublicKey.load_pkcs1(key_bytes, "DER")

google-auth-library-python/google/auth/crypt/_python_rsa.py

Line 110 in 37141e4

pubkey = rsa.PublicKey.load_pkcs1(public_key, "PEM")

google-auth-library-python/google/auth/crypt/_python_rsa.py

Line 136 in 37141e4

return rsa.pkcs1.sign(message, self._key, "SHA-256")

google-auth-library-python/google/auth/crypt/_python_rsa.py

Line 160 in 37141e4

private_key = rsa.key.PrivateKey.load_pkcs1(key_bytes, format="DER")

google-auth-library-python/google/auth/crypt/_python_rsa.py

Lines 167 to 169 in 37141e4

	private_key = rsa.key.PrivateKey.load_pkcs1(
	private_key_info.asOctets(), format="DER"
	)

2. Would it be needed / feasible for google-auth to use another crypto library which does not have this issue? Is there a crypto library which would have clear advantages over the python rsa library?

If cryptography is installed, it will be preferred overpython-rsa.

google-auth-library-python/google/auth/crypt/rsa.py

Lines 18 to 30 in 6407258

	try:
	# Prefer cryptograph-based RSA implementation.
	from google.auth.crypt import _cryptography_rsa
	RSASigner = _cryptography_rsa.RSASigner
	RSAVerifier = _cryptography_rsa.RSAVerifier
	except ImportError: # pragma: NO COVER
	# Fallback to pure-python RSA implementation if cryptography is
	# unavailable.
	from google.auth.crypt import _python_rsa
	RSASigner = _python_rsa.RSASigner
	RSAVerifier = _python_rsa.RSAVerifier

[attila123]

Thanks @busunkim96 for your kind support.