Add Sphincs+ To Signer Interface #427
Conversation
There was a problem hiding this comment.
I don't know anything about sphincs so just commenting on cosmetics: there's a couple of code comments that do not seem to match code. I think it would be best to not duplicate information like bytearray length in the comments if the code is clear as it seems to be here
securesystemslib/formats.py
Outdated
| # An SPHINCS raw public key, which must be 32 bytes. | ||
| SPHINCSPRIVATE_SCHEMA = SCHEMA.LengthBytes(64) |
securesystemslib/formats.py
Outdated
| # An SPHINCS raw signature, which must be 64 bytes. | ||
| SPHINCSSIGNATURE_SCHEMA = SCHEMA.LengthBytes(7_856) |
There was a problem hiding this comment.
comment byte length mismatch?
Makes sense. I removed them. |
There was a problem hiding this comment.
Thanks for the patch, @rugo! I think what's there is great. There are a few peculiarities that were likely inspired from the existing interfaces (e.g. passing args that are not used, keytype/scheme redundancy), but I think it's okay for the sake of consistency.
Would you mind adding tests to check_public_interfaces.TestPublicInterfaces.test_keys, to assert that we fail gracefully if PySPX is not installed?
It would also be good to have interface.generate_and_write_sphincs*, and interface.import_sphincs* functions as we have for other key types. But that can be added in a separate PR.
securesystemslib/formats.py
Outdated
| @@ -193,7 +193,7 @@ | |||
| # Supported securesystemslib key types. | |||
| KEYTYPE_SCHEMA = SCHEMA.OneOf( | |||
| [SCHEMA.String('rsa'), SCHEMA.String('ed25519'), SCHEMA.String('ecdsa'), | |||
| SCHEMA.RegularExpression(r'ecdsa-sha2-nistp(256|384)')]) | |||
| SCHEMA.RegularExpression(r'ecdsa-sha2-nistp(256|384)'), SCHEMA.String('sphincs-shake-128s')]) | |||
securesystemslib/sphincs_keys.py
Outdated
| # be tested by running 'ed25519_keys.py' as a standalone module. | ||
| # python -B ed25519_keys.py | ||
| import doctest | ||
| doctest.testmod() |
There was a problem hiding this comment.
No need to add doctest boilerplate, there are no doctests in this module, and we wouldn't even run them in CI.
|
@lukpueh Thanks for the feedback. I added the required tests, changed the Regadring |
|
@lukpueh Could you check the failing test and give me some more insights? I don't really understand what is happening as the error says: Which doesn't seem related to what I did. Did the |
|
This is an unrelated test failure (#428). We are working on a fix. |
|
@rugo: I just merged #439, which auto-formats the entire code base. The easiest thing might be to re-apply your changes manually on top of the updated master branch, run auto-formatters commands (w/o |
rugo
force-pushed
the
add-sphincs-signer
branch
from
8562419
to
58a3f97
Compare
|
Alright. I think I have addressed your points. Additional feedback welcome. |
|
Since the pylint test case complained about some minor things I fixed them now. |
…e but sphincs+ function is called.
…f PySPX is not present.
…t doesn't find a false positive for E1101.
rugo
force-pushed
the
add-sphincs-signer
branch
from
3c8fe84
to
b802315
Compare
|
I rebased again to avoid the |
Fixes:
Updates: #169
Description of the changes being introduced by the pull request:
The PRs #160 and #169 tried to include the PQC scheme SPHINCS+, which is about to be NIST standardized.
However, work has stalled as people were busy with other stuff.
After talking to @lukpueh we decided to directly include SPHINCS+ into the "new" Signer API.
I welcome feedback and additional TODOs.