Allow 'raw' PKCS1 signatures #103
Please also update the documentation so that our users actually know about this feature and how to use it.
Good call. I've added a line to highlight this in the
This provides more convenient compatibility with other libraries that use such raw signatures in intermediate results. In particular, it matches the behavior of `openssl rsautl -sign`.
Not sure if you get notifications of new commits, so for completeness; I've added a test and a changelog entry :)
@sybrenstuvel: could you merge this PR?
Probably it should be rebased first because there are conflicts
@vstoykov Since the conflict is in a recently released
There is one thing that bugs me, and that's the change in behaviour of The documented behaviour of raising an exception in case of an error has been removed in this PR, without changing the documentation and adding huge big red letters that the API has changed. In any case I would reject such an API change, as such errors should never be silenced.
Rejecting this PR as it silently ignores signature errors (making the code insecure-by-default), changes the semantics of functions without updating the docstring of those functions.
I agree, and would suggest to close this PR on that account; I had overlooked that marking signatures without an ASN1 tag as 'RAW' rather than raising an error was changing API behavior, and I see no obvious way to prevent doing so.
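The concern raised in the review above, as an added example that is not code from this PR or from the library: a check on a decoded PKCS#1 v1.5 signature block that still raises when the ASN.1 DigestInfo prefix is missing, and accepts a raw payload only when the caller opts in. The names `check_payload`, `allow_raw`, `pad` and `VerificationError` are hypothetical, the block is assumed to be the output of the RSA public-key operation, and the sample blocks are constructed.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


class VerificationError(Exception):
    """Raised when a decoded signature block is not acceptable."""


def pad(payload: bytes, k: int = 64) -> bytes:
    """Constructed sample input: a k-byte block 00 01 FF..FF 00 payload."""
    return b"\x00\x01" + b"\xff" * (k - len(payload) - 3) + b"\x00" + payload


def strip_type1_padding(em: bytes) -> bytes:
    """Return the payload T from an EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 T."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        raise VerificationError("bad block header")
    sep = em.find(b"\x00", 2)  # first zero byte ends the FF padding string
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise VerificationError("bad padding string")
    return em[sep + 1:]


def check_payload(em: bytes, message: bytes, allow_raw: bool = False) -> str:
    """Check a decoded block against message; return 'SHA-256' or 'RAW'."""
    payload = strip_type1_padding(em)
    if payload.startswith(SHA256_PREFIX):
        digest = payload[len(SHA256_PREFIX):]
        if not hmac.compare_digest(digest, hashlib.sha256(message).digest()):
            raise VerificationError("digest mismatch")
        return "SHA-256"
    if not allow_raw:
        # Default path: a missing ASN.1 tag stays an error, never a silent 'RAW'.
        raise VerificationError("no DigestInfo prefix")
    if not hmac.compare_digest(payload, message):
        raise VerificationError("raw payload mismatch")
    return "RAW"
```

With this shape the existing behaviour of raising on an untagged signature is unchanged for callers who do not pass `allow_raw=True`.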