# HG changeset patch # User Paul Kehrer <paul.l.kehrer@gmail.com> # Date 1593317880 18000 # Sat Jun 27 23:18:00 2020 -0500 # Node ID 3434b61fcb5b3a27faea8827d555ae43099866e0 # Parent 595bfb54d4c71f2a9545009091df97b9e1bc5f91 constrain RSA key generation more heavily (#5288) * constrain RSA key generation more heavily * constraint to just 3 & 65537 * explain change diff --git a/CHANGELOG.rst b/CHANGELOG.rst --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,6 +16,10 @@ been removed (2.9.1+ is still supported). * **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or newer. +* **BACKWARDS INCOMPATIBLE:** RSA + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` + no longer accepts ``public_exponent`` values except 65537 and 3 (the latter + for legacy purposes). * Deprecated support for Python 2. At the time there is no time table for actually dropping support, however we strongly encourage all users to upgrade their Python, as Python 2 no longer receives support from the Python core diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -18,6 +18,10 @@ .. versionadded:: 0.5 + .. versionchanged:: 3.0 + + Tightened restrictions on ``public_exponent``. + Generates a new RSA private key using the provided ``backend``. ``key_size`` describes how many :term:`bits` long the key should be. Larger keys provide more security; currently ``1024`` and below are considered @@ -37,8 +41,8 @@ ... ) :param int public_exponent: The public exponent of the new key. - Usually one of the small Fermat primes 3, 5, 17, 257, 65537. If in - doubt you should `use 65537`_. + Either 65537 or 3 (for legacy purposes). Almost everyone should + `use 65537`_. :param int key_size: The length of the modulus in :term:`bits`. For keys generated in 2015 it is strongly recommended to be 
diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py
--- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py
@@ -120,11 +120,11 @@
 def _verify_rsa_parameters(public_exponent, key_size):
- if public_exponent < 3:
- raise ValueError("public_exponent must be >= 3.")
-
- if public_exponent & 1 == 0:
- raise ValueError("public_exponent must be odd.")
+ if public_exponent not in (3, 65537):
+ raise ValueError(
+ "public_exponent must be either 3 (for legacy compatibility) or "
+ "65537. Almost everyone should choose 65537 here!"
+ )
 if key_size < 512:
 raise ValueError("key_size must be at least 512-bits.")
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
@@ -147,7 +147,7 @@
 @pytest.mark.parametrize(
 ("public_exponent", "key_size"),
 itertools.product(
- (3, 5, 65537),
+ (3, 65537),
 (1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1536, 2048)
 )
 )
@@ -170,6 +170,11 @@
 key_size=2048,
 backend=backend)
+ with pytest.raises(ValueError):
+ rsa.generate_private_key(public_exponent=65535,
+ key_size=2048,
+ backend=backend)
+
 def test_cant_generate_insecure_tiny_key(self, backend):
 with pytest.raises(ValueError):
 rsa.generate_private_key(public_exponent=65537,
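Review bot: The new membership test in `_verify_rsa_parameters` compares by equality, so a non-integer such as `65537.0` or `3.0` now passes validation, whereas the removed `public_exponent & 1` line would have raised `TypeError` on a float. What the backend does with such a value is not visible in this hunk, so it is safer to reject it here with an explicit type check ahead of the membership test, e.g. `if not isinstance(public_exponent, six.integer_types): raise TypeError("public_exponent must be an integer.")` (assuming `six` is importable in this module, since the changelog shows Python 2 is still supported). A short comment above the check explaining why 3 remains allowed and why every other exponent is refused would also help the next maintainer. The function body continues past the end of the hunk.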
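Review bot: The added negative case in the `@@ -170,6 +170,11 @@` hunk only asserts that 65535 is rejected, while the values this commit actually stops accepting are the previously documented Fermat primes 5, 17 and 257 (5 is dropped from the positive parametrization in the hunk above). Asserting those explicitly would pin the backwards-incompatible behaviour, for example by looping `for e in (5, 17, 257, 65535):` around the `with pytest.raises(ValueError):` block. The enclosing test method starts before this hunk, so its name and earlier assertions are not visible here.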