Delegating to pyca/cryptography operations we can't secure

[tomato42]

As discussed in #165, the RSA decryption is not secure against side-channel attacks. Even if we implement the OAEP support (#68) the serialisation of integer to bytes may provide enough of a sidechannel to mount an attack.

So I was thinking if the code shouldn't try to use pyca/cryptography instead for performing the decryption operations, and rise a UserWarning in case pyca/cryptography is unavailable.

[sybrenstuvel]

I think the majority of users of this library actually do the opposite: try to use a binary encryption package, and defer to python-rsa when that's not available.

[tomato42]

that would be rather surprising given the popularity of python-rsa, I think that most people using it don't consider the security of it—they google "Python RSA" and that's the first result.

Also, that binary situation is changing: while pyca/cryptography couldn't be used in PyPy few years back, that is no longer the case; so even if you had to use pure python library before you may not to any more.

just to be entirely clear: I'm not suggesting that python-rsa should stop working without pyca/cryptography, rather it should use it if it is available

[sybrenstuvel]

You make a good point, as usual 👍

[jcristau]

FWIW at least python-jose (https://github.com/mpdavis/python-jose/blob/master/jose/backends/__init__.py) and google-auth (https://github.com/googleapis/google-auth-library-python/blob/main/google/auth/crypt/rsa.py), the two users I looked at, already prefer cryptography and fall back to this library if that's unavailable, as @sybrenstuvel said.