crytography library

[davemo88]

I ended up here because of PyJWT but I also needed jwk stuff. I noticed PyJWT uses cryptography for some algorithm support. I guess Google App Engine requires PyCrypto as you mention but perhaps python-jose should also support cryptography. For example pycrypto hasn't had a commit in 2 years whereas cryptography repository is active.

Just a thought! I might be interested in pitching in as well.

[mpdavis]

I would be interested in supporting cryptography if it is installed. We have an open PR (#39) to do something similar for elliptic curve signatures.

It will take some work to support cryptography, as well as dynamically determining which library to use. Additionally, the unit tests will need to be run against each crypto library.

I would like to avoid having to manually register the crypto library manually and instead opting for dynamically determining which libraries are installed.

[davemo88]

I guess you could hide the crypto library away in the core code with an abstraction that has the required API, e.g. close to the PyCrypto one to make it easier. Then users could either set a config to use the library of their choice or it defaults to something like:

try:
   import cryptography
except ImportError:
   import PyCrypto

and then the abstraction does magic to map the right crypto library functions onto its API.

[mpdavis]

That is the general idea. We will also need to work through how dependencies are managed in setup.py, as well as what happens with no suitable library is installed.

[lmazuel]

Hi, +1 for this one. PyCrypto does not install easily on Py3.6 on Windows. Moreover, PyCrypto is not supposed to be compatible with > 3.3, this becomes to be difficult with more and more Py3 :(

[nathanclayton]

pycryptodome is a supported, drop-in replacement for PyCrypto, it might make sense to use that.

[michou]

any reason why pycryptodome is used only when running on PyPy? I am trying to run a project that's using python-jose on Windows and, boy, is it a pain.. 😿

[mpdavis]

It is still a requirement to support pycrypto for supporting Google AppEngine.

That said, it would certainly be possible to support pycryptodome outside of PyPy. That work simply hasn't been prioritized up to this point. I don't personally use Windows in any manner so I don't feel that pain, but I wouldn't be opposed to it.

[nueverest]

Same here developing on windows. The guys at pycryptodome are active. https://github.com/Legrandin/pycryptodome

[zejn]

Pycryptodome works with any python as far as I know, it is simply not enabled or preferred.

Installing pycryptodome instead of pycrypto should just work, since they're API compatible. Installing python-jose will probably still fail if you don't change manually change the setup.py, since pycrypto is listed as a dependency.

[nueverest]

Right. I forked python-jose and swapped pycrypto out for pycryptodome this weekend. It works fine.

[g4jc]

@mpdavis - Definitely should make this happen to help people avoid CVE-2013-7459
https://blog.sqreen.io/stop-using-pycrypto-use-pycryptodome

[melutovich]

What is the status of this issue?

[mpdavis]

@melutovich The cryptography library is supported and the recommended default. In order to use it, you would install with that option.

pip install python-jose[cryptography]