The pyca/cryptography RSA PKCS#1 v1.5 is unsafe, making the users of it vulnerable to Bleichenbacher attacks

[tomato42]

The API provided by pyca/cryptography is not secure, as documented in their docs:
pyca/cryptography@8686d52

As far as I can tell, it's one of the APIs that jwcrypto uses to implement the key management:

jwcrypto/jwcrypto/jwe.py

Line 36 in 3b7e832

'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256',

That would mean that jwcrypto is vulnerable to Bleichenbacher attacks.
To fix it, implementing an API with built-in workarounding of padding oracle attacks is necessary in pyca/cryptography, as briefly described in pyca/cryptography#5510.

[simo5]

At the very least I will add documentation about the problem.

Should we also disable RSA1_5 by default ? At least until pyca provides some option ?

[tomato42]

At the very least I will add documentation about the problem.

and what users that need this mechanism for interoperability are expected to do? rewrite their application in some other language?

Should we also disable RSA1_5 by default ?

disabling it is probably the best way to gauge how extensively it is used, but there are two problems that are apparent to me:

1. for that to be effective it needs to actually break applications that depend on this functionality, that's not really user-friendly
2. the prevalence of version pinning in the python ecosystem means that there will be a long delay before many users of jwcrypto that depend on RSA PKCS#1 v1.5 start complaining; maybe you could workaround it by publishing a new version and filing a CVE that all the old versions are vulnerable

At least until pyca provides some option ?

pyca specifically is asking for users of the API to help design a new API that the users can use safely (API that doesn't require side-channel free code on python level), so unless you contribute to the project you use, I don't see it happening soon

[tomato42]

@simo5 will you ask for CVE or should I?

[simo5]

I do not think this is a CVE level event for jwcrypto.
The construction jwcrypto does with RSA1_5 is not in itself a problem either, the problem is fully in the underlying library. Jwcrypto just gives access to algorithms, does not implement them.
Impl is in pyca/cryptography, if a CVE is needed it is only needed there, not here.

[tomato42]

well, it was using an API that was insecure, just because we didn't know about it doesn't change the fact that it was vulnerable

now it's not, because a change in jwcrypto

[simo5]

We did do just a work around because python cryptography is not "yet" fixing it, the problem is still on pyca side IMO.

[tomato42]

If applications generally don't provide list of algorithms that they wish to support on receiving end, then no, the vulnerability is in jwcrypto for allowing its use.

[tomato42]

@simo5 even if you decide not to publish a security advisory for this, the users need to start using this new code, so could you release a new version?