Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable explicit ECC curve parameters export #368

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

sylvainpelissier
Copy link
Contributor

Explicit ECC curve parameters as defined in RFC5480 like -param_enc explicit parameter in openssl.

@Legrandin
Copy link
Owner

Thanks a lot for this contribution, which also include tests!

However, I wonder if this change has any practical use case: explicitly specifying curve parameters was a thing in the past, when people used generic Short Weierstrass implementations for curve arithmetic. Today curves are all named, and the implementation very specialized, because of special moduli for instance. On top of that, RFC5480 itself states that explicit curve parameters (specifiedCurve) should not be used (MUST NOT), and that was 11 years ago already...

@sylvainpelissier
Copy link
Contributor Author

Personnally I used this thing in my work on CVE-2020-0601 the ChainOfFools vulnerability. I agree this is a thing of the past but it is still used by OpenSSL on Windows 10. For a research point of view it would be convenient to have such feature.

@Legrandin
Copy link
Owner

OK, I was guessing right this was not a timely coincidence.
The library is also intended to support offensive research to a certain extent, so I am not excluding this code could be included, but it does, it should not be mixed with "safe" parts of the library.
I was thinking already of adding a separate module (e.g. Crypto.Experimental) that does not guarantee backward compatibility nor to always exist, and which could be a place for this features. For instance, in there, a class derived from EccKey could implement this deprecated method for exporting ECC key in all their components.

@sylvainpelissier
Copy link
Contributor Author

Yes I think it is the correct way to handle it. It would avoid misuse of the library.

@sylvainpelissier
Copy link
Contributor Author

Is it what you were thinking about ?

@sylvainpelissier
Copy link
Contributor Author

Any news on this one ?

@sylvainpelissier
Copy link
Contributor Author

Any plan to integrate it ?

@James-E-A James-E-A mentioned this pull request May 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants