Comments (13)

dholth commented on May 24, 2024

Thanks for writing this down.

JSON Web Keys would fit into TUF very well. It is a specification for expressing public keys in JSON without using (for example) PEM encodings. The whole of JSON Web Signature would fit less well because it is anti-normalization but overall what are collectively called the JOSE specifications are delightful.

Wheel uses the extraordinarily convenient Ed25519 elliptic curve signing algorithm to produce its signatures. Key generation, signing, and verification are all fast enough even in the 270-line pure python fallback implementation. Keys are only 256 bits or 32 bytes so you can just include them directly rather than bothering with key fingerprints.

I should also mention that JOSE and JSON Web Signatures / Keys are independent of the signing algorithm used. Wheel extends it to (only) use Ed25519 because it's incredibly convenient, but it works with RSA too.

from python-tuf.

trishankkarthik commented on May 24, 2024

Sounds pretty sweet. We will definitely look at this! :]

from python-tuf.

dholth commented on May 24, 2024

I wrote this concise ASN.1 DER parser & RSA signature verification library over the weekend. It can also convert public keys to JSON Web Key. https://bitbucket.org/dholth/rsalette/src/tip/rsalette.py https://bitbucket.org/dholth/rsalette/src/tip/asn1lette.py

from python-tuf.

trishankkarthik commented on May 24, 2024

This sounds like it would help make our transition easier; we will definitely take a look at it as soon as we get some time. Thanks!

from python-tuf.

trishankkarthik commented on May 24, 2024

Beginning work on the jws branch.

from python-tuf.

dholth commented on May 24, 2024

I would recommend you continue to use openssl when it is available but you could consider using the pure Python RSA checker when it is not; it is obviously very convenient to be able to do everything in pure Python. We could convert the json web key back to PEM for openssl.

In json web signatures / json web algorithms what you call "evp" is probably something like "RS256" which means PKCS#1 v1.5 RSA signatures using SHA-256 as the hash function. I think you might actually be using SHA-1 which isn't formally part of the JSON web algorithms specifications; it's trivial to change the hash function used for signing.

from python-tuf.

trishankkarthik commented on May 24, 2024

I like the idea of doing as much as possible in pure Python; it would certainly make testing simpler.

from python-tuf.

trishankkarthik commented on May 24, 2024

@dholth , we think you might like to look at Seattle's Python implementation of the RSA algorithm.

Wiki
Source code

from python-tuf.

dholth commented on May 24, 2024

Mine was written mostly to prove to myself that RSA verification would
not be burdensome to include in pure Python. I feel that it's less
important to support signing and key generation in pure Python since
you can probably install a C version.

I see that still has Sybren Steuvel's credits on it, like mine :-) I
don't see any PKCS#1 v1.5 signature support in there? (Signing
performed by encrypting a hash value with specific padding to the RSA
block size.)

On Sun, Mar 31, 2013, at 09:05 PM, TKK wrote:

> [1]@dholth , we think you might like to look at [2]Seattle's Python
> implementation of the RSA algorithm.
>
> [3]Wiki
>
> [4]Source code
>
> Reply to this email directly or [5]view it on GitHub.

References

  1. https://github.com/dholth
  2. https://seattle.cs.washington.edu/
  3. https://seattle.cs.washington.edu/wiki/SeattleLib/rsa.repy
  4. https://seattle.cs.washington.edu/browser/seattle/trunk/seattlelib/rsa.repy
  5. https://github.com/akonst/tuf/issues/43#issuecomment-15700972

from python-tuf.

trishankkarthik commented on May 24, 2024

> I feel that it's less important to support signing and key generation in pure Python since you can probably install a C version.

Got it :)

> I don't see any PKCS#1 v1.5 signature support in there? (Signing performed by encrypting a hash value with specific padding to the RSA block size.)

@JustinCappos , I think you are better-qualified to answer this question.

from python-tuf.

JustinCappos commented on May 24, 2024

No, we don't have this support I don't think. I believe we borrowed from
another RSA impl, ported to pure Python, and it didn't have this support
so we didn't add it.

Thanks,
Justin

On Sun, Mar 31, 2013 at 10:17 PM, TKK wrote:

> > I feel that it's less important to support signing and key generation in
> > pure Python since you can probably install a C version.
>
> Got it :)
>
> > I don't see any PKCS#1 v1.5 signature support in there? (Signing performed
> > by encrypting a hash value with specific padding to the RSA block size.)
>
> @JustinCappos (https://github.com/JustinCappos), I think you are
> better-qualified to answer this question.
>
> Reply to this email directly or view it on GitHub
> (https://github.com/akonst/tuf/issues/43#issuecomment-15701969).

from python-tuf.

dholth commented on May 24, 2024

Getting more and more OT, but if you want it PKCS#1 v1.5 signing is easy, approximately 0x00 + 0xff * n + (ASN.1 hash function id) + message hash (0xff repeated n times to pad to the RSA block size).

from python-tuf.
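
An added example, not code from rsalette, Seattle or python-tuf: the pure-Python RS256 check this thread discusses, taking the public key as a JSON Web Key and using the exact RFC 8017 block layout (00 01, FF padding, 00, DigestInfo, hash). The verifier rebuilds the expected block and compares it whole rather than parsing the recovered padding. All function names, `DEMO_JWK` and the toy key built from two Mersenne primes are assumptions made for the demo.

```python
import base64, hashlib, hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """k-byte block: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:  # RFC 8017 requires at least 8 bytes of FF padding
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def b64url_to_int(s: str) -> int:
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def int_to_b64url(i: int) -> str:
    raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_rs256(jwk: dict, message: bytes, signature: bytes) -> bool:
    """Rebuild the expected block and compare it whole; never parse the
    padding out of the recovered block, which is where lax verifiers fail."""
    if jwk.get("kty") != "RSA":
        return False
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    try:
        expected = emsa_pkcs1_v15(message, k)
    except ValueError:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected)

# Constructed toy key (two Mersenne primes) so the demo runs offline.
# Not a usable key: real keys come from a vetted generator.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # needs Python 3.8+
DEMO_JWK = {"kty": "RSA", "n": int_to_b64url(N), "e": int_to_b64url(E)}

def sign_rs256_demo(message: bytes) -> bytes:
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(m, D, N).to_bytes(k, "big")

if __name__ == "__main__":
    sig = sign_rs256_demo(b"constructed demo metadata")
    print(verify_rs256(DEMO_JWK, b"constructed demo metadata", sig))
    print(verify_rs256(DEMO_JWK, b"constructed demo metadatA", sig))
```
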

trishankatdatadog commented on May 24, 2024

Not happening anytime soon, unfortunately.

from python-tuf.
