5 files changed, 573 insertions, 0 deletions

diff --git a/src/cryptography/hazmat/primitives/asymmetric/__init__.py b/src/cryptography/hazmat/primitives/asymmetric/__init__.py
new file mode 100644
index 00000000..2f420574
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/__init__.py
@@ -0,0 +1,14 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
diff --git a/src/cryptography/hazmat/primitives/asymmetric/dsa.py b/src/cryptography/hazmat/primitives/asymmetric/dsa.py
new file mode 100644
index 00000000..83e01377
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/dsa.py
@@ -0,0 +1,108 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+import six
+
+from cryptography import utils
+
+
+def generate_parameters(key_size, backend):
+    return backend.generate_dsa_parameters(key_size)
+
+
+def generate_private_key(key_size, backend):
+    return backend.generate_dsa_private_key_and_parameters(key_size)
+
+
+def _check_dsa_parameters(parameters):
+    if utils.bit_length(parameters.p) not in [1024, 2048, 3072]:
+        raise ValueError("p must be exactly 1024, 2048, or 3072 bits long")
+    if utils.bit_length(parameters.q) not in [160, 256]:
+        raise ValueError("q must be exactly 160 or 256 bits long")
+
+    if not (1 < parameters.g < parameters.p):
+        raise ValueError("g, p don't satisfy 1 < g < p.")
+
+
+def _check_dsa_private_numbers(numbers):
+    parameters = numbers.public_numbers.parameter_numbers
+    _check_dsa_parameters(parameters)
+    if numbers.x <= 0 or numbers.x >= parameters.q:
+        raise ValueError("x must be > 0 and < q.")
+
+    if numbers.public_numbers.y != pow(parameters.g, numbers.x, parameters.p):
+        raise ValueError("y must be equal to (g ** x % p).")
+
+
+class DSAParameterNumbers(object):
+    def __init__(self, p, q, g):
+        if (
+            not isinstance(p, six.integer_types) or
+            not isinstance(q, six.integer_types) or
+            not isinstance(g, six.integer_types)
+        ):
+            raise TypeError(
+                "DSAParameterNumbers p, q, and g arguments must be integers."
+            )
+
+        self._p = p
+        self._q = q
+        self._g = g
+
+    p = utils.read_only_property("_p")
+    q = utils.read_only_property("_q")
+    g = utils.read_only_property("_g")
+
+    def parameters(self, backend):
+        return backend.load_dsa_parameter_numbers(self)
+
+
+class DSAPublicNumbers(object):
+    def __init__(self, y, parameter_numbers):
+        if not isinstance(y, six.integer_types):
+            raise TypeError("DSAPublicNumbers y argument must be an integer.")
+
+        if not isinstance(parameter_numbers, DSAParameterNumbers):
+            raise TypeError(
+                "parameter_numbers must be a DSAParameterNumbers instance."
+            )
+
+        self._y = y
+        self._parameter_numbers = parameter_numbers
+
+    y = utils.read_only_property("_y")
+    parameter_numbers = utils.read_only_property("_parameter_numbers")
+
+    def public_key(self, backend):
+        return backend.load_dsa_public_numbers(self)
+
+
+class DSAPrivateNumbers(object):
+    def __init__(self, x, public_numbers):
+        if not isinstance(x, six.integer_types):
+            raise TypeError("DSAPrivateNumbers x argument must be an integer.")
+
+        if not isinstance(public_numbers, DSAPublicNumbers):
+            raise TypeError(
+                "public_numbers must be a DSAPublicNumbers instance."
+            )
+        self._public_numbers = public_numbers
+        self._x = x
+
+    x = utils.read_only_property("_x")
+    public_numbers = utils.read_only_property("_public_numbers")
+
+    def private_key(self, backend):
+        return backend.load_dsa_private_numbers(self)
diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py
new file mode 100644
index 00000000..ced732fb
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py
@@ -0,0 +1,195 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import interfaces
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT571R1(object):
+    name = "sect571r1"
+    key_size = 571
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT409R1(object):
+    name = "sect409r1"
+    key_size = 409
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT283R1(object):
+    name = "sect283r1"
+    key_size = 283
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT233R1(object):
+    name = "sect233r1"
+    key_size = 233
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT163R2(object):
+    name = "sect163r2"
+    key_size = 163
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT571K1(object):
+    name = "sect571k1"
+    key_size = 571
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT409K1(object):
+    name = "sect409k1"
+    key_size = 409
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT283K1(object):
+    name = "sect283k1"
+    key_size = 283
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT233K1(object):
+    name = "sect233k1"
+    key_size = 233
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECT163K1(object):
+    name = "sect163k1"
+    key_size = 163
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECP521R1(object):
+    name = "secp521r1"
+    key_size = 521
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECP384R1(object):
+    name = "secp384r1"
+    key_size = 384
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECP256R1(object):
+    name = "secp256r1"
+    key_size = 256
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECP224R1(object):
+    name = "secp224r1"
+    key_size = 224
+
+
+@utils.register_interface(interfaces.EllipticCurve)
+class SECP192R1(object):
+    name = "secp192r1"
+    key_size = 192
+
+
+_CURVE_TYPES = {
+    "prime192v1": SECP192R1,
+    "prime256v1": SECP256R1,
+
+    "secp192r1": SECP192R1,
+    "secp224r1": SECP224R1,
+    "secp256r1": SECP256R1,
+    "secp384r1": SECP384R1,
+    "secp521r1": SECP521R1,
+
+    "sect163k1": SECT163K1,
+    "sect233k1": SECT233K1,
+    "sect283k1": SECT283K1,
+    "sect409k1": SECT409K1,
+    "sect571k1": SECT571K1,
+
+    "sect163r2": SECT163R2,
+    "sect233r1": SECT233R1,
+    "sect283r1": SECT283R1,
+    "sect409r1": SECT409R1,
+    "sect571r1": SECT571R1,
+}
+
+
+@utils.register_interface(interfaces.EllipticCurveSignatureAlgorithm)
+class ECDSA(object):
+    def __init__(self, algorithm):
+        self._algorithm = algorithm
+
+    algorithm = utils.read_only_property("_algorithm")
+
+
+def generate_private_key(curve, backend):
+    return backend.generate_elliptic_curve_private_key(curve)
+
+
+class EllipticCurvePublicNumbers(object):
+    def __init__(self, x, y, curve):
+        if (
+            not isinstance(x, six.integer_types) or
+            not isinstance(y, six.integer_types)
+        ):
+            raise TypeError("x and y must be integers.")
+
+        if not isinstance(curve, interfaces.EllipticCurve):
+            raise TypeError("curve must provide the EllipticCurve interface.")
+
+        self._y = y
+        self._x = x
+        self._curve = curve
+
+    def public_key(self, backend):
+        try:
+            return backend.load_elliptic_curve_public_numbers(self)
+        except AttributeError:
+            return backend.elliptic_curve_public_key_from_numbers(self)
+
+    curve = utils.read_only_property("_curve")
+    x = utils.read_only_property("_x")
+    y = utils.read_only_property("_y")
+
+
+class EllipticCurvePrivateNumbers(object):
+    def __init__(self, private_value, public_numbers):
+        if not isinstance(private_value, six.integer_types):
+            raise TypeError("private_value must be an integer.")
+
+        if not isinstance(public_numbers, EllipticCurvePublicNumbers):
+            raise TypeError(
+                "public_numbers must be an EllipticCurvePublicNumbers "
+                "instance."
+            )
+
+        self._private_value = private_value
+        self._public_numbers = public_numbers
+
+    def private_key(self, backend):
+        try:
+            return backend.load_elliptic_curve_private_numbers(self)
+        except AttributeError:
+            return backend.elliptic_curve_private_key_from_numbers(self)
+
+    private_value = utils.read_only_property("_private_value")
+    public_numbers = utils.read_only_property("_public_numbers")
diff --git a/src/cryptography/hazmat/primitives/asymmetric/padding.py b/src/cryptography/hazmat/primitives/asymmetric/padding.py
new file mode 100644
index 00000000..3967e065
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/padding.py
@@ -0,0 +1,65 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import interfaces
+
+
+@utils.register_interface(interfaces.AsymmetricPadding)
+class PKCS1v15(object):
+    name = "EMSA-PKCS1-v1_5"
+
+
+@utils.register_interface(interfaces.AsymmetricPadding)
+class PSS(object):
+    MAX_LENGTH = object()
+    name = "EMSA-PSS"
+
+    def __init__(self, mgf, salt_length):
+        self._mgf = mgf
+
+        if (not isinstance(salt_length, six.integer_types) and
+                salt_length is not self.MAX_LENGTH):
+            raise TypeError("salt_length must be an integer.")
+
+        if salt_length is not self.MAX_LENGTH and salt_length < 0:
+            raise ValueError("salt_length must be zero or greater.")
+
+        self._salt_length = salt_length
+
+
+@utils.register_interface(interfaces.AsymmetricPadding)
+class OAEP(object):
+    name = "EME-OAEP"
+
+    def __init__(self, mgf, algorithm, label):
+        if not isinstance(algorithm, interfaces.HashAlgorithm):
+            raise TypeError("Expected instance of interfaces.HashAlgorithm.")
+
+        self._mgf = mgf
+        self._algorithm = algorithm
+        self._label = label
+
+
+class MGF1(object):
+    MAX_LENGTH = object()
+
+    def __init__(self, algorithm):
+        if not isinstance(algorithm, interfaces.HashAlgorithm):
+            raise TypeError("Expected instance of interfaces.HashAlgorithm.")
+
+        self._algorithm = algorithm
diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py
new file mode 100644
index 00000000..db38ed55
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py
@@ -0,0 +1,191 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+import six
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+from cryptography.hazmat.backends.interfaces import RSABackend
+
+
+def generate_private_key(public_exponent, key_size, backend):
+    if not isinstance(backend, RSABackend):
+        raise UnsupportedAlgorithm(
+            "Backend object does not implement RSABackend.",
+            _Reasons.BACKEND_MISSING_INTERFACE
+        )
+
+    _verify_rsa_parameters(public_exponent, key_size)
+    return backend.generate_rsa_private_key(public_exponent, key_size)
+
+
+def _verify_rsa_parameters(public_exponent, key_size):
+    if public_exponent < 3:
+        raise ValueError("public_exponent must be >= 3.")
+
+    if public_exponent & 1 == 0:
+        raise ValueError("public_exponent must be odd.")
+
+    if key_size < 512:
+        raise ValueError("key_size must be at least 512-bits.")
+
+
+def _check_private_key_components(p, q, private_exponent, dmp1, dmq1, iqmp,
+                                  public_exponent, modulus):
+    if modulus < 3:
+        raise ValueError("modulus must be >= 3.")
+
+    if p >= modulus:
+        raise ValueError("p must be < modulus.")
+
+    if q >= modulus:
+        raise ValueError("q must be < modulus.")
+
+    if dmp1 >= modulus:
+        raise ValueError("dmp1 must be < modulus.")
+
+    if dmq1 >= modulus:
+        raise ValueError("dmq1 must be < modulus.")
+
+    if iqmp >= modulus:
+        raise ValueError("iqmp must be < modulus.")
+
+    if private_exponent >= modulus:
+        raise ValueError("private_exponent must be < modulus.")
+
+    if public_exponent < 3 or public_exponent >= modulus:
+        raise ValueError("public_exponent must be >= 3 and < modulus.")
+
+    if public_exponent & 1 == 0:
+        raise ValueError("public_exponent must be odd.")
+
+    if dmp1 & 1 == 0:
+        raise ValueError("dmp1 must be odd.")
+
+    if dmq1 & 1 == 0:
+        raise ValueError("dmq1 must be odd.")
+
+    if p * q != modulus:
+        raise ValueError("p*q must equal modulus.")
+
+
+def _check_public_key_components(e, n):
+    if n < 3:
+        raise ValueError("n must be >= 3.")
+
+    if e < 3 or e >= n:
+        raise ValueError("e must be >= 3 and < n.")
+
+    if e & 1 == 0:
+        raise ValueError("e must be odd.")
+
+
+def _modinv(e, m):
+    """
+    Modular Multiplicative Inverse. Returns x such that: (x*e) mod m == 1
+    """
+    x1, y1, x2, y2 = 1, 0, 0, 1
+    a, b = e, m
+    while b > 0:
+        q, r = divmod(a, b)
+        xn, yn = x1 - q * x2, y1 - q * y2
+        a, b, x1, y1, x2, y2 = b, r, x2, y2, xn, yn
+    return x1 % m
+
+
+def rsa_crt_iqmp(p, q):
+    """
+    Compute the CRT (q ** -1) % p value from RSA primes p and q.
+    """
+    return _modinv(q, p)
+
+
+def rsa_crt_dmp1(private_exponent, p):
+    """
+    Compute the CRT private_exponent % (p - 1) value from the RSA
+    private_exponent and p.
+    """
+    return private_exponent % (p - 1)
+
+
+def rsa_crt_dmq1(private_exponent, q):
+    """
+    Compute the CRT private_exponent % (q - 1) value from the RSA
+    private_exponent and q.
+    """
+    return private_exponent % (q - 1)
+
+
+class RSAPrivateNumbers(object):
+    def __init__(self, p, q, d, dmp1, dmq1, iqmp,
+                 public_numbers):
+        if (
+            not isinstance(p, six.integer_types) or
+            not isinstance(q, six.integer_types) or
+            not isinstance(d, six.integer_types) or
+            not isinstance(dmp1, six.integer_types) or
+            not isinstance(dmq1, six.integer_types) or
+            not isinstance(iqmp, six.integer_types)
+        ):
+            raise TypeError(
+                "RSAPrivateNumbers p, q, d, dmp1, dmq1, iqmp arguments must"
+                " all be an integers."
+            )
+
+        if not isinstance(public_numbers, RSAPublicNumbers):
+            raise TypeError(
+                "RSAPrivateNumbers public_numbers must be an RSAPublicNumbers"
+                " instance."
+            )
+
+        self._p = p
+        self._q = q
+        self._d = d
+        self._dmp1 = dmp1
+        self._dmq1 = dmq1
+        self._iqmp = iqmp
+        self._public_numbers = public_numbers
+
+    p = utils.read_only_property("_p")
+    q = utils.read_only_property("_q")
+    d = utils.read_only_property("_d")
+    dmp1 = utils.read_only_property("_dmp1")
+    dmq1 = utils.read_only_property("_dmq1")
+    iqmp = utils.read_only_property("_iqmp")
+    public_numbers = utils.read_only_property("_public_numbers")
+
+    def private_key(self, backend):
+        return backend.load_rsa_private_numbers(self)
+
+
+class RSAPublicNumbers(object):
+    def __init__(self, e, n):
+        if (
+            not isinstance(e, six.integer_types) or
+            not isinstance(n, six.integer_types)
+        ):
+            raise TypeError("RSAPublicNumbers arguments must be integers.")
+
+        self._e = e
+        self._n = n
+
+    e = utils.read_only_property("_e")
+    n = utils.read_only_property("_n")
+
+    def public_key(self, backend):
+        return backend.load_rsa_public_numbers(self)
+
+    def __repr__(self):
+        return "<RSAPublicNumbers(e={0}, n={1})>".format(self._e, self._n)