I reviewed python-ecdsa version 0.11-1 as checked into utopic. This
should not be considered a full security audit; no effort has been made
to verify that this library is free from timing leaks, information leaks,
or cryptographically relevant implementation flaws. Anyone interested
in relying upon this library would be wise to consult with a professional
cryptographer to determine suitability for purpose.

Because the codebase is short and sweet, I'll skip the more exhaustive
checklist. This library doesn't daemonize, doesn't do networking, doesn't
provide exotic interfaces. It just does DER and ECC.

The code looks clean and careful, parameters are checked for validity,
there are copious references to authoritative sources to find algorithms,
enough test vectors to have confidence in simple uses of the library, and
the scope of the project is small enough that it is unlikely to need
drastic work.

With a quick re-iteration that there are many different kinds of
implementation flaws that are fatal to cryptographic libraries that are
well beyond the scope of a quick review, the code looks straightforward.

Security team ACK for promoting python-ecdsa to main.


** Changed in: python-ecdsa (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1336783

Title:
  [MIR] python-ecdsa

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-ecdsa/+bug/1336783/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
