New DSA signing API for #1648

[joernheissler]

No description provided.

[mention-bot]

By analyzing the blame information on this pull request, we identified @reaperhulk, @public and @alex to be potential reviewers

[reaperhulk]

Under what scenario do you want the ability to set k manually? I realize there's a warning below, but this API is incredibly dangerous.

[alex]

I would say setting k is out of scope for this API concern (and separately,
we should never support it)

On Wed, Jan 6, 2016 at 12:49 PM, Paul Kehrer notifications@github.com
wrote:

In docs/hazmat/primitives/asymmetric/dsa.rst
#2642 (comment):

+Signing a precomputed digest:
+
+.. warning::
+

• Only use this for digests, do NOT sign raw data. The data will get truncated
• to the size of DSA's "q" parameter, which is just a few bytes.

+.. doctest::
+

• digester = hashes.Hash(hashes.SHA256(), backend=default_backend())

• digester.update(data)

• digest = digester.finalize()

• signature = private_key.sign(digest, already_hashed=True)

+Specifying the per-message key k:

Under what scenario do you want the ability to set k manually? I realize
there's a warning below, but this API is incredibly dangerous.

—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/2642/files#r48986337.

"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

[joernheissler]

For debugging and educational purposes. And perhaps to allow users to implement stuff like rfc6979. Openssl implemented something similar which uses the private key + message digest do seed a PRNG. But it's non-deterministic. I'm not saying that this approach is bad, but it's not rfc6979.

What's wrong with supporting a dangerous API? For one, it's all in "hazmat". And with the big fat warning even a stupid user shouldn't accidentally use this function.
Perhaps change "warning" to "dangerous"?

[alex]

There's no reason for it. pyca/cryptography, we shouldn't be giving people
more tools to shoot themselves in the foot than is absolutely necessary.

On Wed, Jan 6, 2016 at 1:33 PM, joernheissler notifications@github.com
wrote:

In docs/hazmat/primitives/asymmetric/dsa.rst
#2642 (comment):

+Signing a precomputed digest:
+
+.. warning::
+

• Only use this for digests, do NOT sign raw data. The data will get truncated
• to the size of DSA's "q" parameter, which is just a few bytes.

+.. doctest::
+

• digester = hashes.Hash(hashes.SHA256(), backend=default_backend())

• digester.update(data)

• digest = digester.finalize()

• signature = private_key.sign(digest, already_hashed=True)

+Specifying the per-message key k:

For debugging and educational purposes. And perhaps to allow users to
implement stuff like rfc6979. Openssl implemented something similar which
uses the private key + message digest do seed a PRNG. But it's
non-deterministic. I'm not saying that this approach is bad, but it's not
rfc6979.

What's wrong with supporting a dangerous API? For one, it's all in
"hazmat". And with the big fat warning even a stupid user shouldn't
accidentally use this function.
Perhaps change "warning" to "dangerous"?

—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/2642/files#r48991323.

"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

[reaperhulk]

This has been partially addressed by #2945 (in terms of API design, although that only implements RSA and does not allow prehashing at this time). I'm going to go ahead and close this PR and if we want to pursue this further we can discuss it on a new and more narrowly focused PR.