Opened 6 years ago

Closed 5 years ago

#7693 defect closed fixed (fixed)

Conch tests use 512-bit DSA keys

Reported by: Alex Gaynor Owned by: Glyph
Priority: normal Milestone:
Component: conch Keywords:
Cc: z3p, Adi Roiban Branch: branches/more-bits-7693
branch-diff, diff-cov, branch-cov, buildbot
Author: glyph


twisted.conch.test.keydata.publicDSA_openssh is a 512-bit DSA key. This should be bumped up to be at-least 1024-bits.

512-bit keys are very very small, and factorable by an attacker. This would normally not matter, since it's just a test fixture, but pyca/cryptography will refuse to load a key this small as a result. And there is a desire to port conch to pyca/cryptography.

Change History (9)

comment:1 Changed 6 years ago by DefaultCC Plugin

Cc: z3p added

comment:2 Changed 5 years ago by Adi Roiban

Why not update pyca to allow lower values when run in a 'insecure' mode ?

1024bit DSA is slow and it will slow the tests.

comment:3 Changed 5 years ago by Adi Roiban

Cc: Adi Roiban added

comment:4 Changed 5 years ago by Glyph

I'd rather deal with the (small) performance hit to our tests than take the risk that people might actually use 512-bit keys for real.

comment:5 Changed 5 years ago by Glyph

Author: glyph
Branch: branches/more-bits-7693

(In [46020]) Branching to more-bits-7693.

comment:6 Changed 5 years ago by Glyph

Keywords: review added

Builders are spinning.

comment:7 Changed 5 years ago by Alex Gaynor

Component: conchcore
Keywords: review removed
Owner: set to Glyph
Type: enhancementdefect

once tests pass, lgtm

comment:8 Changed 5 years ago by Glyph

Component: coreconch

Thanks a bunch!

comment:9 Changed 5 years ago by Glyph

Resolution: fixed
Status: newclosed

(In [46024]) Merge more-bits-7693: Use larger DSA keys in tests

Author: glyph

Reviewer: Alex

Fixes: #7693

Use 1024-bit DSA keys in unit tests. This is a prerequisite for switching Conch to use Cryptography, since Cryptography cannot load 512-bit DSA keys.

Note: See TracTickets for help on using tickets.