[WIP]: Move to pure python code for parsing PEMs. #1390
Conversation
|
Test FAILed. |
|
Test FAILed. |
|
Test FAILed. |
|
Test FAILed. |
…tat some other tests are failing, heh
|
Test FAILed. |
|
Test FAILed. |
| ) | ||
|
|
||
|
|
||
| def bytes_to_int(b): |
There was a problem hiding this comment.
Is this some fancy ASN.1 bytes to int thing? It doesn't look particularly special and we already have a utility method that does bytes to int.
There was a problem hiding this comment.
Where do we have that method? We have some code in "bn_to_int", but it only
does py3k, py2k goes via hex.
On Sat, Oct 11, 2014 at 2:12 AM, Alex Stapleton notifications@github.com
wrote:
In cryptography/hazmat/primitives/serialization.py:
namedValues=namedval.NamedValues(("ecPrivkeyVer1", 1),)),),namedtype.NamedType("privateKey", univ.OctetString()),namedtype.OptionalNamedType("parameters", _ECParameters().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0),)),namedtype.OptionalNamedType("publicKey", univ.BitString().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1),)),- )
+def bytes_to_int(b):
Is this some fancy ASN.1 bytes to int thing? It doesn't look particularly
special and we already have a utility method that does bytes to int.—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/1390/files#r18740432.
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
There was a problem hiding this comment.
Unless I'm misunderstanding the purpose of this method, can't we just use six.bytes2int()?
There was a problem hiding this comment.
I don't think six.bytes2int exists, there's six.byte2int (singular!),
but that's basically just chr.
On Sat, Oct 11, 2014 at 8:20 AM, Terry Chia notifications@github.com
wrote:
In cryptography/hazmat/primitives/serialization.py:
namedValues=namedval.NamedValues(("ecPrivkeyVer1", 1),)),),namedtype.NamedType("privateKey", univ.OctetString()),namedtype.OptionalNamedType("parameters", _ECParameters().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0),)),namedtype.OptionalNamedType("publicKey", univ.BitString().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1),)),- )
+def bytes_to_int(b):
Unless I'm misunderstanding the purpose of this method, can't we just use
six.bytes2int()?—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/1390/files#r18742113.
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
There was a problem hiding this comment.
Oh right, I remembered it wrong. :)
|
Let's talk about PKCS#12. It's a thing. That's unfortunate, but we kind of have to live with it. Specifically, it's the KDF used with PKCS#8 for some keys. I started to implement it. I'm pretty sure I'm Implementing Crypto (tm). Since we all said we weren't going to do that, I'm kind of inclined to stop. How to do it then?
What do folks think? |
|
Test FAILed. |
|
Test FAILed. |
|
There is a PKCS#12-specific KDF involved, but why would you need to implement that in Python? OpenSSL understands these encodings already, so shouldn't you be able to let it do the decryption? Is the issue that you're trying to support non-ASCII pass-phrases and OpenSSL isn't giving you a way to pass in the already-encoded UTF-16 bytes to use as the pass-phrase, and so you can't pass the encrypted version of the key to OpenSSL? FWIW, the pure-Python KDF for PKCS#12 I implemented was only about 30 lines of code, but you're right that it's technically "crypto" code. Without this support, the following PKCS#8 ciphers would not be supported for PBE version 1: |
|
Test FAILed. |
|
Test FAILed. |
|
Test PASSed. |
|
Test PASSed. |
|
Test PASSed. |
Conflicts: setup.py src/cryptography/hazmat/primitives/serialization.py
|
Test PASSed. |
|
Test FAILed. |
|
retest this please |
|
Test FAILed. |
|
retest this please |
|
Test FAILed. |
|
retest this please |
|
Test FAILed. |
|
retest this please |
|
Test FAILed. |
Conflicts: src/cryptography/hazmat/primitives/serialization.py
|
Test PASSed. |
|
I think we should close this and if we choose to revisit it in the future a new PR can be opened. Let me know if you disagree @alex :) |
|
That's fine. On Wed, Sep 30, 2015 at 12:23 AM, Paul Kehrer notifications@github.com
"I disapprove of what you say, but I will defend to the death your right to |
OMFG. Not final.
Implements:
Not done:
Some notes:
makes me pretty uncomfortable given the sensitivity of this stuff.
the OpenSSL backend
We'll have to keep the old key loading logic around and port one key type at
a time.
notes in various places, and I assume if I ignore any one of those the
security of the system is screwed.
FEEDBACK PLEASE!!! :-)