
Replace ecdsa with cryptography#104

Merged
tr4nt0r merged 3 commits into tr4nt0r:main from JamieMagee:replace-ecdsa-with-cryptography
Feb 26, 2026

Conversation

@JamieMagee (Contributor) commented Feb 26, 2026

Replace the vulnerable ecdsa library with the production-grade cryptography library for all ECDSA operations.

The ecdsa package is vulnerable to CVE-2024-23342 and the upstream author explicitly states it should not be used in production:

I don't want people to use this library in production environments. It's a teaching tool, it's a testing tool, it's absolutely not a production grade implementation.

-- tlsfuzzer/python-ecdsa#330

Closes #69

Replace the vulnerable `ecdsa` library (CVE-2024-23342) with the
production-grade `cryptography` library for all ECDSA operations.

Closes tr4nt0r#69
github-actions bot added the 🧪 testing label (Pull request that adds tests) Feb 26, 2026
The cryptography library produces different RFC 6979 nonces than ecdsa
did, so the hardcoded expected signatures needed updating. Also
re-wrapped the test PEM file to 64-char lines (what cryptography
exports) so the round-trip import/export test passes again.
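As an added example (not pythonxbox's code and not the diff of this PR), the following shows the ECDSA operations the description and commit messages refer to, written against the public API of the `cryptography` library that the PR switches to: signing and verifying with SHA-256 on P-256, splitting the DER signature into (r, s), and the PKCS#8 PEM export/reload round-trip whose 64-character body lines the second commit mentions. The key, the message, and the helper names are illustrative assumptions. Note that `cryptography` draws a fresh random nonce for every ECDSA signature by default, so two signatures over the same message differ; asking for RFC 6979 nonces via `deterministic_signing=True` is optional here and depends on what the linked OpenSSL backend supports.

```python
# Added example (not pythonxbox's code): ECDSA sign/verify and PEM round-trip
# with `cryptography`, the library the PR switches to. Key, message and helper
# names below are illustrative assumptions, not identifiers from the project.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature

# Constructed sample input for the demonstration (not a real request).
MESSAGE = b"GET /users/xuid(123)/profile"


def generate_key() -> ec.EllipticCurvePrivateKey:
    """Fresh P-256 private key (the curve the ecdsa package calls NIST256p)."""
    return ec.generate_private_key(ec.SECP256R1())


def sign(private_key: ec.EllipticCurvePrivateKey, message: bytes,
         deterministic: bool = False) -> bytes:
    """SHA-256 ECDSA over `message`; returns a DER-encoded (r, s) signature.

    cryptography picks a fresh random nonce per signature by default, so two
    signatures over the same message differ. deterministic=True requests
    RFC 6979 nonces instead; whether that is available depends on the backend.
    """
    if deterministic:
        algo = ec.ECDSA(hashes.SHA256(), deterministic_signing=True)
    else:
        algo = ec.ECDSA(hashes.SHA256())
    return private_key.sign(message, algo)


def verify(public_key: ec.EllipticCurvePublicKey, signature: bytes,
           message: bytes) -> bool:
    """True if `signature` is valid for `message`; a bad signature never raises."""
    try:
        public_key.verify(signature, message, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


def signature_components(signature: bytes) -> tuple:
    """Split a DER signature into (r, s), e.g. for protocols that want raw r||s."""
    return decode_dss_signature(signature)


def export_private_pem(private_key: ec.EllipticCurvePrivateKey) -> bytes:
    """Unencrypted PKCS#8 PEM; cryptography wraps the base64 body at 64 chars."""
    return private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )


def load_private_pem(pem: bytes) -> ec.EllipticCurvePrivateKey:
    """Reload an unencrypted PEM private key."""
    return serialization.load_pem_private_key(pem, password=None)


def pem_body_line_lengths(pem: bytes) -> set:
    """Lengths of the base64 body lines, excluding the final (possibly short) one."""
    body = [ln for ln in pem.decode("ascii").splitlines()
            if not ln.startswith("-----")]
    return {len(ln) for ln in body[:-1]}


def roundtrip_ok(private_key: ec.EllipticCurvePrivateKey) -> bool:
    """Export -> reload -> the reloaded key verifies what the original signed."""
    reloaded = load_private_pem(export_private_pem(private_key))
    same_pub = (reloaded.public_key().public_numbers()
                == private_key.public_key().public_numbers())
    return same_pub and verify(reloaded.public_key(),
                               sign(private_key, MESSAGE), MESSAGE)


if __name__ == "__main__":
    key = generate_key()
    sig = sign(key, MESSAGE)
    print("valid:", verify(key.public_key(), sig, MESSAGE))
    print("tampered:", verify(key.public_key(), sig, MESSAGE + b"x"))
    print("pem body line lengths:", pem_body_line_lengths(export_private_pem(key)))
    print("round-trip:", roundtrip_ok(key))
```

Because the nonce is random by default, a test that hard-codes an expected signature will not be stable across runs; compare signatures by verifying them, or compare (r, s) only when signing deterministically.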
codecov bot commented Feb 26, 2026

Codecov Report

❌ Patch coverage is 90.47619% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.31%. Comparing base (195fdcd) to head (405af51).
⚠️ Report is 1 commits behind head on main.

Files with missing lines                    Patch %   Lines
src/pythonxbox/common/request_signer.py     90.47%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #104      +/-   ##
==========================================
- Coverage   88.34%   88.31%   -0.03%     
==========================================
  Files          54       54              
  Lines        2857     2868      +11     
==========================================
+ Hits         2524     2533       +9     
- Misses        333      335       +2     


@tr4nt0r (Owner) left a comment

Thanks for your contribution. I'm not familiar with this cryptography thing, so your help is very welcome. Just a small change, otherwise it looks good 👍🏼

@tr4nt0r tr4nt0r added the ♻️ dependencies Pull requests that update a dependency file label Feb 26, 2026
@tr4nt0r tr4nt0r merged commit 6f52131 into tr4nt0r:main Feb 26, 2026
6 checks passed
@JamieMagee JamieMagee deleted the replace-ecdsa-with-cryptography branch February 26, 2026 13:27