pyca/cryptography is vulnerable to Bleichenbacher attacks on PKCS#1 v1.5 decryption

[tomato42]

As far as I can tell, python-jose supports PKCS#1 v1.5 for key transport:
https://github.com/mpdavis/python-jose/blob/99ec142374a6eb98e32be5b8cdfd72508fd404d4/docs/jwe/index.rst#supported-key-management-algorithms
and:

python-jose/tests/test_jwe.py

Lines 84 to 97 in 99ec142

	expected_header = {u"alg": u"RSA1_5", u"enc": u"A128CBC-HS256"}
	jwe_str = "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0." \
	"UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7" \
	"Zx0-kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgN" \
	"Z__deLKxGHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRir" \
	"b6Y5Cl_p-ko3YvkkysZIFNPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8" \
	"OtvzlV7elprCbuPhcCdZ6XDP0_F8rkXds2vE4X-ncOIM8hAYHHi29NX0m" \
	"cKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv-B3oWh2TbqmScqXMR4gp_A" \
	"." \
	"AxY8DCtDaGlsbGljb3RoZQ." \
	"KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY." \
	"9hH0vgRfYgPnAHOd8stkvw"
	actual_header = jwe.get_unverified_header(jwe_str)
	assert expected_header == actual_header

at the same time, pyca/cryptography doesn't guarantee side-channel safety of their decryption API:
pyca/cryptography#5510
pyca/cryptography#5600
pyca/cryptography@1ac4759

which means that python-jose with PKCS#1 v1.5 is insecure

[blag]

See #194, which is already merged.

I'm considering doing a security release to include #194, but that will need to include #199 to make sure I didn't break anything.

After that I will do a feature release with #189 merged.

[tomato42]

@blag you misunderstand, I'm not talking about CVE-2020-25658 (which only got a workaround, not a proper fix)
This is about the fact that pyca/cryptography needs a new API that implements the whole "generate a random value, test padding, return the random value instead of the decrypted value when padding check failed" to handle PKCS#1 v1.5 securely as it's impossible to do it securely on Python level.