-
-
Notifications
You must be signed in to change notification settings - Fork 694
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added some fixes related to algorithm and key choice #109
Conversation
75ab144
to
aa88601
Compare
@@ -96,6 +103,11 @@ def prepare_key(self, key): | |||
if isinstance(key, text_type): | |||
key = key.encode('utf-8') | |||
|
|||
if (b'-----BEGIN PUBLIC KEY-----' in key or b'-----BEGIN CERTIFICATE-----' in key): | |||
raise InvalidAlgorithmError( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be InvalidKeyError
or InvalidAlgorithmError
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be InvalidKeyError... changing now
Added some fixes related to algorithm and key choice
FYI, I did some performance tests (500,000 Without new checks: 32.63310008600092 Looks like this change slows down HMAC encode by about 6%. |
invalid_strings = [ | ||
b'-----BEGIN PUBLIC KEY-----', | ||
b'-----BEGIN CERTIFICATE-----', | ||
b'ssh-rsa' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm aware this PR has already been merged, but I wanted to open a brief discussion.
Another possible header is -----BEGIN RSA PUBLIC KEY-----
, and there may be others. Is there a more sound way of dealing with this that's somewhat more future-proof? If the check looked like this, would it be too broad?
invalid_strings = [
b'-----',
b'ssh-rsa'
]
Added validations for the following:
encode()
anddecode()
should not accept a value for key if the algorithm is "none"