Switch to using "cryptography" Python lib #953
Conversation
RJPercival
force-pushed
the
crypt_lib
branch
2 times, most recently
from
9be990b
to
074116e
Compare
| """ | ||
| if (key_info.type != client_pb2.KeyInfo.ECDSA): | ||
| raise error.UnsupportedAlgorithmError( | ||
| "Expected ECDSA key, but got key type %d" % key_info.type) | ||
|
|
||
| # Will raise a PemError on invalid encoding | ||
| self.__der, _ = pem.from_pem(key_info.pem_key, self.__READ_MARKERS) |
There was a problem hiding this comment.
Is self.__der no longer required?
There was a problem hiding this comment.
No, because the cryptography library can load a public key directly from PEM, so there's no need to manually convert to DER first. It can also convert straight back to PEM, so self.__der isn't required in repr() either.
|
Per @ekasper 's comments on cryptography.io , undoing the LGTM until we further discuss how to proceed with it. |
|
@ekasper has rescinded her reservations about cryptography.io now. However, we probably want to sit on this PR a bit longer until other Googlers have been using cryptography.io successfully for a little while (and possibly worked out any kinks). |
Replaces "ecdsa" and "pycrypto" libraries; the former is considered to be poorly implemented, whilst the latter is poorly maintained. See: https://cryptography.io Fixes some broken test
|
I think we've waited more than long enough to de-risk this now. |
|
Re-adding original LGTM, approval. |
We don't state a dependency on M2Crypto in requirements.txt, and it creates a transitive dependency on a compatible version of OpenSSL being installed too, so it'd make this script more portable if we used cryptography.io instead (we started migrating to that with PR google#953).
We don't state a dependency on M2Crypto in requirements.txt, and it creates a transitive dependency on a compatible version of OpenSSL being installed too, so it'd make this script more portable if we used cryptography.io instead (we started migrating to that with PR google#953).
We don't state a dependency on M2Crypto in requirements.txt, and it creates a transitive dependency on a compatible version of OpenSSL being installed too, so it'd make this script more portable if we used cryptography.io instead (we started migrating to that with PR #953).
Replaces "ecdsa" and "pycrypto" libraries; the former is considered to be poorly implemented, whilst the latter is poorly maintained.
This library correctly raises exceptions for all forms of invalid ASN.1 in STHs, unlike the "ecdsa" library, so some tests have been modified to account for this and a TODO removed.
See: https://cryptography.io