Disallow verifying signatures with private RSA keys. by zejn · Pull Request #142 · mpdavis/python-jose · GitHub
Disallow verifying signatures with private RSA keys. #142

Closed
zejn wants to merge 1 commit into mpdavis:master from zejn:rsa-privkey-no-verify

zejn commented Apr 28, 2019

Collaborator

Some backends are smart and know how to verify with private keys too.
Disallow that on those backends.

Backwards incompatible change.

Reported in #53.

zejn added this to the 4.0 milestone Apr 28, 2019
codecov Bot commented Apr 28, 2019
blag commented Dec 16, 2019

Contributor

If multiple backends allow people to verify with private keys, doesn't that seem to imply that somebody somewhere has a valid use case for doing so?

As mpdavis said:

> This happens because the private key contains both the public and private key info. The verify method extracts the public key info and happily uses it.

I think it might be appropriate to simply throw a suppressible warning but continue the verification as normal.

zejn commented Dec 17, 2019

Collaborator Author

I agree that there may be a use case for this: it can certainly be a bit easier to just put in the private key and do verification with it. But I think there may be cases where that is not correct, e.g. somebody just using the (same) private key on both ends of a communication channel and thinking they're secure.

That's why I personally would rather see this chosen explicitly.

I didn't want to just merge it since I think it merits a discussion.

blag commented Dec 17, 2019

Contributor

> But I think there may be cases where that is not correct, e.g. somebody just using the (same) private key on both ends of a communication channel and thinking they're secure.

Well, the recipient is (AIUI) just calculating the public key from the private key, so while it isn't the way RSA intended RSA to be used, it's also not guaranteed to be insecure (aside from securely distributing the private key itself, but this library doesn't deal with that). It's definitely super weird, IMO, but it's not necessarily "wrong", and I don't think it's something we should concern ourselves with preventing outright.

I would be more comfortable with just emitting a warning. @zejn @dumptyd Is that acceptable to you for now? If somebody can demonstrate that this is guaranteed to be insecure, we can always implement this PR at a later date.

zejn commented Dec 18, 2019

Collaborator Author

Warning seems sensible and OK.
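
The two policies weighed in this thread (refuse a private key outright, or warn and continue), as an added example that is not part of this pull request or of python-jose's code. `PrivateKeyVerifyWarning`, `is_private_rsa_key`, `check_verification_key` and the sample keys are hypothetical names and constructed values; the check uses only the standard library and inspects the key material's form (PEM label or the JWK `d` member), not any python-jose backend.

```python
import warnings

class PrivateKeyVerifyWarning(UserWarning):
    """Hypothetical warning category; not part of python-jose."""

# PEM labels that mark private key material (PKCS#1 and PKCS#8).
_PRIVATE_PEM_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY")

def is_private_rsa_key(key):
    """Return True if key (PEM str/bytes or JWK dict) carries private RSA material."""
    if isinstance(key, dict):
        # RFC 7518 section 6.3.2: "d" is the private exponent of an RSA JWK.
        return key.get("kty") == "RSA" and "d" in key
    if isinstance(key, bytes):
        key = key.decode("ascii", errors="replace")
    if isinstance(key, str):
        return any(f"-----BEGIN {label}-----" in key for label in _PRIVATE_PEM_LABELS)
    return False

def check_verification_key(key, strict=False):
    """Gate to call before signature verification.

    strict=True  -> refuse private keys (what this PR proposed).
    strict=False -> warn but continue (the compromise reached in the thread).
    Returns the key unchanged so the caller can hand it to the verifier.
    """
    if is_private_rsa_key(key):
        msg = "verifying a signature with a private RSA key; pass the public key instead"
        if strict:
            raise ValueError(msg)
        warnings.warn(msg, PrivateKeyVerifyWarning, stacklevel=2)
    return key

# Constructed sample inputs (placeholders, not real keys).
PRIVATE_JWK = {"kty": "RSA", "n": "AQAB", "e": "AQAB", "d": "AQAB"}
PUBLIC_JWK = {"kty": "RSA", "n": "AQAB", "e": "AQAB"}
PRIVATE_PEM = "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n"
PUBLIC_PEM = "-----BEGIN PUBLIC KEY-----\n(constructed)\n-----END PUBLIC KEY-----\n"

def demo():
    """Count the warnings raised across the four constructed sample keys."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        for key in (PRIVATE_JWK, PUBLIC_JWK, PRIVATE_PEM, PUBLIC_PEM):
            check_verification_key(key)
    return len(caught)

if __name__ == "__main__":
    print(demo())
```

A deployment that has deliberately chosen to verify with the private key can silence the warning with `warnings.simplefilter("ignore", PrivateKeyVerifyWarning)`.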

dumptyd commented Dec 18, 2019