Tracking changes required for full crypto backend independence

[mattsb42-aws]

As discussed in #108 and #109, the various cryptographic backends are not all independently operable. This tracking issue will enumerate the changes that need to be made and track the PRs that fix them.

Tags will use the names for dependency grouping as defined in the extras installs, with "base" used to define the python-rsa/python-ecdsa backend.

Known Issues

Test failures

cryptography

• TestECAlgorithm::test_verify Remove pyca/cryptography backend's dependency on python-ecdsa #117

base

• test_firebase.py::TestFirebase::test_individual_cert disable Firebase tests on python-rsa backend #118
• test_firebase.py::TestFirebase::test_certs_dict disable Firebase tests on python-rsa backend #118
• test_firebase.py::TestFirebase::test_certs_string disable Firebase tests on python-rsa backend #118

pycrypto

passing

pycryptodome

passing

compatibility (all backends installed concurrently)

• algorithms/test_EC.py::TestECAlgorithm::test_verify Remove pyca/cryptography backend's dependency on python-ecdsa #117
• algorithms/test_RSA.py::test_cryptography_RSA_key_instance [RSA] make backend-explicit tests use backend-explicit keys #116

Cross-dependencies

cryptography

CryptographyECKey depends on ecdsa.utils encoding functions.

• ecdsa.SigningKey and ecdsa.VerifyingKey Remove pyca/cryptography backend's dependency on python-ecdsa #117
• sigdecode_string Remove pyca/cryptography backend's dependency on python-ecdsa #117
• sigencode_string Remove pyca/cryptography backend's dependency on python-ecdsa #117
• sigdecode_der Remove pyca/cryptography backend's dependency on python-ecdsa #117
• sigencode_der Remove pyca/cryptography backend's dependency on python-ecdsa #117

pycrypto/dome

• pycrypto_backend.RSAKey depends on rsa_backend.pem_to_spki. Remove pycrypto/dome dependency on python-rsa #121

[mattsb42-aws]

After looking into the issues with the firebase tests failing in "base" mode, my conclusion is that the root cause here is that python-rsa cannot load certificates. I am not familiar with Firebase, so I will assume that the tests are written in a reasonable manner and so conclude that Firebase interactions require working with certificates.

It is my conclusion, then, that if you want to use this library with Firebase or any other application that passes certificates, you will need one of the more fully featured crypto backends.

[mpdavis]

@mattsb42-aws I want to thank you for all of this effort, especially over Christmas. I'm looking at this now to hopefully get all of these merged.

[mattsb42-aws]

Happy to help!

While I had my head in this space I went ahead and tackled the pycrypto/dome dependency on python-rsa too by centralizing the ASN1 handling into a separate module. This change fully removes any dependency on python-rsa or python-ecdsa outside of those specific backend modules (albeit by making pyasn1 a dependency of the pycrypto/dome backends).

I'm going to hold off on cutting that PR until #120 is merged, just because it builds very heavily on top of the changes in that.

I still haven't found a solution to the problem of how to have "default" extras; not sure what a good approach to that will be.

[mattsb42-aws]

^ rather; it removes the dependency on python-rsa. I forgot until I went to run the full isolation tests that the pycrypto/dome backend doesn't supply an ECDSA implementation.

[mattsb42-aws]

#121 and #122 should wrap this up and clear the way for merging the backend isolation dev branch in.

[mattsb42-aws]

We're on the final stretch! #128 is prepping backend-explicit-tests for merge into master by doing the reverse (the changes to master since backend-explicit-tests forked off are much less than the changes that backend-explicit-tests introduces).

[mattsb42-aws]

This is resolved with #129