Expose allow_truncate option in SigningKey.sign() and VerifyingKey.verify() #205
Conversation
|
what's the use case (or usage scenario) for not allowing verification of large hashes with small curves? (I'm not totally opposed to restoring the pre-0.15 behaviour, but I don't think I understand it well enough to decide one way or the other) |
blag
force-pushed
the
expose-allow-truncate
branch
from
362f33c to
4ffeed6
Compare
|
the pypy failure is caused by #206 so I've rescheduled it, but the |
|
that being said, my questions from #205 (comment) still stand |
|
Thank you. And yep, will do. I'm juggling a lot of things today, but I'll circle back around to this, fix the formatting issues identified by black, and discuss my usecase. |
|
ping? I'm planning to release a new version soon, and I think you'd like to have this work released sooner rather than later... |
|
Apologies for not circling back around to this until now. It's sometimes difficult or impossible to predict when I'll get interrupted with higher priority tasks. When I wrote this PR, I had just read the Security section of the README with the assumption that large hashes with small curves was weird and insecure, but now I'm questioning that assumption. My philosophy on cryptography software is that it should be as easy to use as possible, and part of that does mean intentionally making it difficult for people to use in an insecure manner. But with common, modern hashes that were designed to be possibly truncated (eg: SHA-2), truncating them only makes it slightly easier to find collisions. So the remaining rationale for this PR is to preserve backwards compatibility for existing users of If that's not enough to convince you, that's okay. I've also been working on a PR to python-jose that fixes the tests around this issue, so it won't be a problem for me for much longer either way. Thanks for your work on this project so far! |
|
sorry for the late reply, I was on holidays any cryptosystem is as strong as the weakest link, if you use P-256 curve with SHA-512 hash, the signature will be as strong as P-256 curve, not as the SHA-512 hash so, as long as the application is ok with the given curve and with the given hash used, it can mix and match it regarding the Security section in README: I consider "having API that's hard to misuse" to fall under "teaching tool", that being said, deciding what combinations of parameters are acceptable is a policy question, not API question, and I think the API provided does allow to build a policy on top of it |
|
looks good, thanks! |
|
Thanks for merging and releasing 0.16! 😃 |
PR #168 added the
allow_truncateoption toSigningKey.sign_digest()andVerifyingKey.verify_digest(), and then forcibly defaulted their value toTrueinSigningKey.sign()andVerifyingKey.verify():Unfortunately, this didn't actually satisfy the request in #129 (emphasis mine):
Note that while #168 added the
allow_truncateoption forVerifyingKey.verify_digest()andSigningKey.sign_digest(), the option is still not exposed in the signatures forVerifyingKey.verify()SigningKey.sign().Furthermore, due to the default behavior changing,
ecdsaversion 0.15 breaks tests for downstream projects: mpdavis/python-jose#176, which tested for the old behavior (eg:allow_truncate=False).This PR routes the
allow_truncateoption up toVerifyingKey.verify_digest()andSigningKey.sign_digest(), and more importantly for you, keeps the default value toTrue. This is to avoid possibly re-disruptingecdsausers but also allowspython-joseand other users to opt-in to the previous behavior.I also added tests for the new options.