3.0.0: Package rsa and pyasn1 required despite not using default rsa backend #92

sfro opened this issue May 16, 2018 · 6 comments

@sfro

sfro commented May 16, 2018

When trying to build with an alternative backend I am still required to pull in "rsa" and "pyasn1". Is it expected behaviour that they are always required even though I don't want to use the default backend?

I would have thought that if I have defined "python-jose[pycrypto]==3.0.0" (for example) in my requirements.txt file that I would not need to pull in packages required for the default backend, only "pycrypto". I'm wondering because I want to be sure I'm not accidentally using the wrong backend.

@zejn
Collaborator

zejn commented May 29, 2018

Hi,

Yes, this is expected. Currently pip does not support a way to say a package provides something. Or at least I didn't find how one can have something like a default extra. If you know how to do this, I'd support this.

To be sure I am not using wrong backend, I usually do a test signing and check the timing. Pure Python will be slower so you'll be able to see when pycrypto is not used.

Be advised that pycrypto has known security issues and is provided only for legacy AppEngine support. If you can, you should migrate away from pycrypto.

@sfro
Author

sfro commented Jun 19, 2018

Yeah, we're looking into moving away from pycrypto, but have some license policies that affect which third party packages we may use. Pycryptodome has the OCB license which causes issues, which is why I asked this.

Thank you for your response! I'm no expert in pip so I had no idea if what I was asking was plausible.

@sfro
Author

sfro commented Jun 19, 2018

Wait, I was confused (I asked this a while ago). As long as pycryptodome isn't pulled in we should be fine. I'll look into using the package cryptography as a backend. Thanks!

@sfro
Author

sfro commented Aug 9, 2018

@zejn I am trying to use timing to determine what backend is being used, but failing. Do you have an example of how to achieve this?

@zejn
Collaborator

zejn commented Aug 9, 2018

I'm currently using something like this. It does depend a bit on the signature type you're using as EC is a bit faster than RSA.

import time
from jose import jwk

# EC_KEY: the EC private key to sign with (PEM string or JWK dict); not included in the post
key_class = jwk.get_key('ES256')
ec_key = key_class(EC_KEY, 'ES256')

t1 = time.time()
signature = ec_key.sign(b'test')
t2 = time.time()
if t2-t1 > 0.010: # 10ms
    print("Slow signing!")

This won't ensure you're not using pycryptodome if it's installed though, this only ensures you're using a fast library.
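
Added example, not code from this thread and not python-jose's own code. It covers both zejn's timing heuristic above and sfro's original concern (making sure neither pycrypto nor pycryptodome is silently in use) by asking python-jose directly which key class it would use and reading the backend off that class's module, with the timing check kept only as a secondary hint. It assumes the python-jose 3.0.x layout: jose.jwk.get_key(alg) returns the key class the library will actually use, and each backend lives in its own module under jose.backends (pycrypto_backend, cryptography_backend, rsa_backend, ecdsa_backend). It also assumes that pycrypto reports Crypto.__version__ as 2.x and pycryptodome as 3.x, since both install the same Crypto namespace. All function names and the allow list are the example's own.

```python
# Added example; not python-jose's code and not code from this thread.
# Assumptions (python-jose 3.0.x layout, read from its source tree rather
# than a documented API): jose.jwk.get_key(alg) returns the key class the
# library will actually use, and each backend lives in its own module
# under jose.backends. Function names below are the example's own.
import statistics
import time

# Which backend module defines the key class python-jose selected.
_BACKEND_BY_MODULE = {
    "jose.backends.pycrypto_backend": "pycrypto",        # pycrypto OR pycryptodome
    "jose.backends.cryptography_backend": "cryptography",
    "jose.backends.rsa_backend": "rsa",                  # pure-Python default RSA
    "jose.backends.ecdsa_backend": "ecdsa",              # pure-Python default EC
}


def backend_name(key_class):
    """Name the backend a key class comes from, or 'unknown'."""
    return _BACKEND_BY_MODULE.get(getattr(key_class, "__module__", ""), "unknown")


def crypto_flavour(version):
    """Tell pycrypto (2.x) from pycryptodome (3.x) by Crypto.__version__.
    Both packages install the same 'Crypto' namespace, so the backend module
    alone cannot tell them apart (assumption: pycrypto never reached 3.x)."""
    major = version.split(".")[0]
    if major == "2":
        return "pycrypto"
    if major == "3":
        return "pycryptodome"
    return "unknown"


def check_backend(alg, key_class, allowed=("cryptography",)):
    """Raise unless the backend behind key_class is on the allow list.
    Fails closed: an unrecognised module counts as not allowed."""
    name = backend_name(key_class)
    if name not in allowed:
        raise RuntimeError(
            "%s would be handled by backend %r (%s); allowed: %s"
            % (alg, name, getattr(key_class, "__module__", "?"), ", ".join(allowed))
        )
    return name


def median_sign_seconds(sign, message=b"test", rounds=20):
    """Median wall-clock time of sign(message) over several rounds.
    One untimed warm-up call absorbs lazy imports and key parsing; taking
    the median rather than a single sample keeps scheduler noise out."""
    sign(message)
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        sign(message)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def looks_pure_python(median_seconds, threshold=0.010):
    """zejn's heuristic: a signature taking over 10 ms suggests a pure-Python
    backend. A slow or loaded host can trip this, so treat it as a hint only."""
    return median_seconds > threshold


if __name__ == "__main__":
    try:
        from jose import jwk
    except ImportError:
        print("python-jose is not installed; nothing to inspect")
    else:
        for alg in ("RS256", "ES256"):
            cls = jwk.get_key(alg)
            print(alg, "->", cls.__module__, "=", backend_name(cls))
            if backend_name(cls) == "pycrypto":
                import Crypto
                print("   Crypto namespace is", crypto_flavour(Crypto.__version__))
            try:
                check_backend(alg, cls)
            except RuntimeError as exc:
                print("   FAIL:", exc)
```

Run it in the same virtualenv the application is built in: the module path printed for each algorithm is the real answer to "which backend am I on", and check_backend can sit in a startup self-test so a build that accidentally pulls in a Crypto-namespace package fails immediately instead of passing a timing test by luck. Wrap ec_key.sign in a lambda and hand it to median_sign_seconds if you still want the timing figure.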

@sfro
Author

sfro commented Aug 9, 2018

Pycryptodome isn't installed (not in requirements.txt and doesn't show up in the build script) and we are now using cryptography instead of pycrypto as a backend as recommended :) I just want to ensure that that is the case! I'll try out your script, thanks!
