Switch to using "cryptography" Python lib #953
9be990b to 074116e
""" | ||
if (key_info.type != client_pb2.KeyInfo.ECDSA): | ||
raise error.UnsupportedAlgorithmError( | ||
"Expected ECDSA key, but got key type %d" % key_info.type) | ||
|
||
# Will raise a PemError on invalid encoding | ||
self.__der, _ = pem.from_pem(key_info.pem_key, self.__READ_MARKERS) |
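Review bot: the comment "# Will raise a PemError on invalid encoding" documents the pem.from_pem call on the last line of this snippet, so if that call is dropped and the key is loaded from PEM directly, the comment should be rewritten to name the exception the new loader raises on invalid encoding. Any caller or test that relies on PemError coming out of this constructor needs the same update. The key-type check above it reports the type with %d, which gives a bare enum number in the error message; including the type's name would make the UnsupportedAlgorithmError easier to act on.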
Is self.__der no longer required?
No, because the cryptography library can load a public key directly from PEM, so there's no need to manually convert to DER first. It can also convert straight back to PEM, so self.__der isn't required in repr() either.
Per @ekasper's comments on cryptography.io, undoing the LGTM until we further discuss how to proceed with it.
@ekasper has rescinded her reservations about cryptography.io now. However, we probably want to sit on this PR a bit longer until other Googlers have been using cryptography.io successfully for a little while (and possibly worked out any kinks).
Replaces "ecdsa" and "pycrypto" libraries; the former is considered to be poorly implemented, whilst the latter is poorly maintained. See: https://cryptography.io Fixes some broken test
I think we've waited more than long enough to de-risk this now.
Re-adding original LGTM, approval.
We don't state a dependency on M2Crypto in requirements.txt, and it creates a transitive dependency on a compatible version of OpenSSL being installed too, so it'd make this script more portable if we used cryptography.io instead (we started migrating to that with PR google#953).
We don't state a dependency on M2Crypto in requirements.txt, and it creates a transitive dependency on a compatible version of OpenSSL being installed too, so it'd make this script more portable if we used cryptography.io instead (we started migrating to that with PR #953).
Replaces "ecdsa" and "pycrypto" libraries; the former is considered to be poorly implemented, whilst the latter is poorly maintained.
This library correctly raises exceptions for all forms of invalid ASN.1 in STHs, unlike the "ecdsa" library, so some tests have been modified to account for this and a TODO removed.
See: https://cryptography.io
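
An added illustration, not code from this PR, of the two points made in the thread: loading the ECDSA key directly from PEM without keeping a DER copy, and rejecting malformed ASN.1 signatures. The class name `EcdsaVerifier`, the helper `constructed_sample` and the sample bytes are assumptions, and built-in exceptions stand in for the project's own error types.

```python
from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


class EcdsaVerifier:
    """Hypothetical verifier that keeps the loaded key object, not a DER copy."""

    def __init__(self, pem_key: bytes):
        try:
            # Parses the PEM armour and the SubjectPublicKeyInfo in one call.
            key = serialization.load_pem_public_key(pem_key)
        except (ValueError, UnsupportedAlgorithm) as exc:
            raise ValueError("invalid public key encoding") from exc
        if not isinstance(key, ec.EllipticCurvePublicKey):
            raise TypeError("expected ECDSA key, got %s" % type(key).__name__)
        self._key = key

    def pem(self) -> bytes:
        # Serialise straight back to PEM for display or logging.
        return self._key.public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo)

    def verify(self, signature: bytes, data: bytes) -> bool:
        try:
            # Malformed DER is rejected the same way as a wrong signature.
            self._key.verify(signature, data, ec.ECDSA(hashes.SHA256()))
            return True
        except InvalidSignature:
            return False


def constructed_sample():
    """Constructed input: a fresh P-256 key, its PEM, and one signature."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    data = b"constructed signed-tree-head bytes"
    return pem, data, private_key.sign(data, ec.ECDSA(hashes.SHA256()))


if __name__ == "__main__":
    pem, data, sig = constructed_sample()
    v = EcdsaVerifier(pem)
    print(v.verify(sig, data), v.verify(sig[:-1], data), v.verify(b"\x30\x00", data))
```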