diff options
Diffstat (limited to 'pipermail/pycrypto/attachments/20130715/85868584/attachment.html')
-rw-r--r-- | pipermail/pycrypto/attachments/20130715/85868584/attachment.html | 168 |
1 files changed, 168 insertions, 0 deletions
diff --git a/pipermail/pycrypto/attachments/20130715/85868584/attachment.html b/pipermail/pycrypto/attachments/20130715/85868584/attachment.html new file mode 100644 index 0000000..1296052 --- /dev/null +++ b/pipermail/pycrypto/attachments/20130715/85868584/attachment.html @@ -0,0 +1,168 @@ +<tt> +<div><br></div>Understood, but the format of the export changes when we add 'protection' parameter.<div>Can we keep same format and have different headers, ex:</div><div><br></div><div>> Proc-Type: 4,ENCRYPTED<br><br> +> DEK-Info: AES-256-CBC,16D792053CB9E5981B06E020900F86EA<br><br>Because I notice we wrap the unencrypted PEM into a PBES2 which is encrypted there. </div><div><br></div><div>Also maybe more importantly would be the extra parameters for salt size and iteration count?</div><br> +<div><br></div><div>An afterthought, maybe it's time exportKey(), importKey() stay the same as 2.6 and have new functions that allow these extra combinations? </div><div><br></div><div>Thanks,</div><div>Kurt</div><div><br> +<br><br><br><div class="gmail_quote">On Mon, Jul 15, 2013 at 2:26 AM, Legrandin <span dir="ltr"><<a href="mailto:helderijs@gmail.com" target="_blank">helderijs@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br> +Hi Kurt,<br><br> +<br><br> +In the PyCrypto 2.6 release, rsa.exportKey(passphrase='boo') generates<br><br> +a TDES-encrypted private key, with encryption being done at the PEM<br><br> +level.<br><br> +<br><br> +I don't think that behavior should change (e.g. we should not silently<br><br> +switch to AES or even to the more robust PKCS#8-level encryption).<br><br> +<br><br> +2013/7/15 Kurt Vogel <<a href="mailto:kvogel@mdcom.com">kvogel@mdcom.com</a>>:<br><br> +> And finally a comment/question/complaint :(<br><br> +><br><br> +> If I use protection like this for ex:<br><br> +><br><br> +> export = rsa.exportKey(passphrase='boo', pkcs=8,<br><br> +> protection='PBKDF2WithHMAC-SHA1AndAES256-CBC')<br><br> +><br><br> +> The exported key looks like this:<br><br> +><br><br> +> -----BEGIN ENCRYPTED PRIVATE KEY-----<br><br> +> MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIHI1C+JhO35cCAgPo<br><br> +> MB0GCWCGSAFlAwQBKgQQ2FsezYUEaQLPHxk0z6+R4gSCBNDV++BsvKxxpo6uhUYw<br><br> +> ...<br><br> +><br><br> +> With export = rsa.exportKey(passphrase='boo'):<br><br> +><br><br> +> -----BEGIN RSA PRIVATE KEY-----<br><br> +> Proc-Type: 4,ENCRYPTED<br><br> +> DEK-Info: DES-EDE3-CBC,CE7B6EC598ED0D10<br><br> +><br><br> +> lPMvbYUypG+O4P/LilzGVQqP+6PMbnnLMP6eosyubcBqLtQxvMlvRRqgRu5CDApA<br><br> +> ...<br><br> +><br><br> +> The logic in exportKey() looks a bit convoluted, is this for some backward<br><br> +> compatibility issue? I would expect to see something like this, what<br><br> +> ssh-key does:<br><br> +><br><br> +> -----BEGIN RSA PRIVATE KEY-----<br><br> +> Proc-Type: 4,ENCRYPTED<br><br> +> DEK-Info: AES-256-CBC,16D792053CB9E5981B06E020900F86EA<br><br> +><br><br> +> oL8O6n5v1S3cgGJIwrzrAq5TQIb7OeolGJpHXiyTUj1iStulgS5vAjkht0cgq53p<br><br> +> ...<br><br> +> ..<br><br> +><br><br> +> Thanks,<br><br> +> Kurt<br><br> +><br><br> +><br><br> +> On Sun, Jul 14, 2013 at 11:40 PM, Kurt Vogel <<a href="mailto:kvogel@mdcom.com">kvogel@mdcom.com</a>> wrote:<br><br> +>><br><br> +>> While I'm on the subject and appears Dwayne is merging in pull requests :)<br><br> +>><br><br> +>> For RSA exportKey() think we could have **kwargs for extra prot_params<br><br> +>> passed to<br><br> +>><br><br> +>> PKCS8.wrap() like iteration_count and salt size?<br><br> +>><br><br> +>><br><br> +>><br><br> +>> On Sun, Jul 14, 2013 at 9:34 PM, Kurt Vogel <<a href="mailto:kvogel@mdcom.com">kvogel@mdcom.com</a>> wrote:<br><br> +>>><br><br> +>>> Hi,<br><br> +>>><br><br> +>>> Do you guys know roughly when this will go in?<br><br> +>>><br><br> +>>> Also with import/export RSA keys can we support bcrypt?<br><br> +>>><br><br> +>>> Does JCA and BouncyCastle use bcrypt, eg:<br><br> +>>><br><br> +>>> 'BcryptWithHMAC-SHA1AndAES256-CBC'<br><br> +>>><br><br> +>>> Thanks,<br><br> +>>> Kurt<br><br> +>>><br><br> +>>><br><br> +>>> On Fri, Jul 5, 2013 at 2:52 AM, Legrandin <<a href="mailto:helderijs@gmail.com">helderijs@gmail.com</a>> wrote:<br><br> +>>> ><br><br> +>>> > Hi Kurt , thanks a lot for providing feedback. It is much appreciated.<br><br> +>>> ><br><br> +>>> > * I guess you refer to camel-casing used for several variables, which<br><br> +>>> > was due to my preference to stick to ASN.1 naming.<br><br> +>>> > I can work on that and make sure flake8 does not complain that much.<br><br> +>>> ><br><br> +>>> > * Right. Code evolved at different points in time, and indeed it is<br><br> +>>> > now hard to follow the path of the 'parameter' value. I will try to<br><br> +>>> > fix that.<br><br> +>>> ><br><br> +>>> > * I used strings like 'PBKDF2WithHMAC-SHA1AndAES128-CBC' because that<br><br> +>>> > is the style used in JCA and BouncyCastle and a lot of people are<br><br> +>>> > familiar with it.<br><br> +>>> > I am not very clear what the benefit enums might bring? One option I<br><br> +>>> > considered was the ability to provide 3 independent parameters<br><br> +>>> > instead of one (since protection mainly depends on type of KDF, PRF,<br><br> +>>> > and symmetric cipher) but at the end I guess most<br><br> +>>> > uses case are about the desire to protect the private key using a<br><br> +>>> > password in a strong way, and the ability to tweak the various<br><br> +>>> > parameters<br><br> +>>> > is not that relevant. Plus, exportKey() parameter list becomes to<br><br> +>>> > long.<br><br> +>>> ><br><br> +>>> > * I am really ashamed to admit that I actually have 9 pull requests<br><br> +>>> > open, not 2 so I am totally giving headaches to the maintainer. :-)<br><br> +>>> > It is of course only up to him to decide which features should go<br><br> +>>> > in; given that he has not much time these days, it is likely that only<br><br> +>>> > few features and bugfixes may go into any next release.<br><br> +>>> > The release merge window seems to roughly be once per year and I<br><br> +>>> > find it is natural to have so many outstanding pull requests by now.<br><br> +>>> > To my defense, I can only say that the all pull requests cover one<br><br> +>>> > feature only and that I try to keep them as independent as possible.<br><br> +>>> > Most of them apply cleanly to master (e.g. HKDF, CCM, PKCS#8, bug<br><br> +>>> > fixes, etc).<br><br> +>>> > In some cases though, they do depend on an existing pull request (as<br><br> +>>> > in the case of DSA import/export depending on PKCS8 be applied first),<br><br> +>>> > because keeping them separated is honestly too much work for me<br><br> +>>> > *and* they are indeed extensions of other extensions.<br><br> +>>> ><br><br> +>>> > > Hi, I was looking at the pycrypto pull request<br><br> +>>> > > <a href="https://github.com/dlitz/pycrypto/pull/32" target="_blank">https://github.com/dlitz/pycrypto/pull/32</a>. Just a few comments...<br><br> +>>> > ><br><br> +>>> > > * For readability can you pep8 format the code?<br><br> +>>> > > * RSA, for import/export the protection parameter maybe rename to<br><br> +>>> > > algo or<br><br> +>>> > > wrap algo? It evolves from: 'protection' to 'wrap_algo' to 'mode' as<br><br> +>>> > > it<br><br> +>>> > > goes down the call stack.<br><br> +>>> > > * Also maybe make this parameter an enum/value? Since the long<br><br> +>>> > > string can<br><br> +>>> > > be error prone, low level code would need to change anyway if it were<br><br> +>>> > > either<br><br> +>>> > > string or int if we support more modes.<br><br> +>>> > > * And last but not least... I'm new to this email list and not sure<br><br> +>>> > > how<br><br> +>>> > > often pull requests are accepted but maybe you could reduce the<br><br> +>>> > > amount of<br><br> +>>> > > features going in? I know you have another one, 51, after this...<br><br> +>>> > > Maintainer may reluctant to do massive changes all at once?<br><br> +>>> > ><br><br> +>>> > > Anyway just ideas...<br><br> +>>> > > Thanks for your time,<br><br> +>>> > > Sincerely,<br><br> +>>> > > Kurt<br><br> +>>> > ><br><br> +>>> > _______________________________________________<br><br> +>>> > pycrypto mailing list<br><br> +>>> > <a href="mailto:pycrypto@lists.dlitz.net">pycrypto@lists.dlitz.net</a><br><br> +>>> > <a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto" target="_blank">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</a><br><br> +>>><br><br> +>><br><br> +><br><br> +><br><br> +> _______________________________________________<br><br> +> pycrypto mailing list<br><br> +> <a href="mailto:pycrypto@lists.dlitz.net">pycrypto@lists.dlitz.net</a><br><br> +> <a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto" target="_blank">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</a><br><br> +><br><br> +_______________________________________________<br><br> +pycrypto mailing list<br><br> +<a href="mailto:pycrypto@lists.dlitz.net">pycrypto@lists.dlitz.net</a><br><br> +<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto" target="_blank">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</a><br><br> +</blockquote></div><br></div><br> + +</tt> |