Replace crypto lib ecdsa with coincurve #312

pnowosie · 2025-01-14T09:16:33Z

This PR replaces ecdsa with coincurve for crypto signing

ecdsa, being a pure Python implementation, is vulnerable to side-channel attacks
Ensured signature format aligns with expected canonical 64-bytes
All tests passing, maintaining functionality

…ating

ttl33 · 2025-01-14T16:59:14Z

v4-client-py-v2/pyproject.toml

@@ -28,6 +28,7 @@ pytest-asyncio = "^0.23.6"
 python-dotenv = "^1.0.1"
 twine = "^4.0.2"
 black = "^24.4.0"
+ecdsa = "^0.19.0"


is there a way to remove this dependency entirely?

Definitelly 👍 It's removed in c9d92f1

For clarity ecdsa is no longer direct dependency but still will be pulled as bip-utils depends of it.
Based on Snyk Advisor, bip-utils does not have these vulnerabilities and is considered secure.

pnowosie requested review from a team as code owners January 14, 2025 09:16

pnowosie force-pushed the pnowosie/replace-ecdsa branch 2 times, most recently from 5b55752 to cfe0efb Compare January 14, 2025 11:18

fix: replace crypto lib ecdsa with coincurve and align signature form…

5b89330

…ating

pnowosie force-pushed the pnowosie/replace-ecdsa branch from cfe0efb to 5b89330 Compare January 14, 2025 11:21

ttl33 reviewed Jan 14, 2025

View reviewed changes

remove ecdsa dependency

c9d92f1

pnowosie requested a review from ttl33 January 15, 2025 10:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replace crypto lib ecdsa with coincurve #312

Replace crypto lib ecdsa with coincurve #312

pnowosie commented Jan 14, 2025

ttl33 Jan 14, 2025

pnowosie Jan 15, 2025

Replace crypto lib ecdsa with coincurve #312

Are you sure you want to change the base?

Replace crypto lib ecdsa with coincurve #312

Conversation

pnowosie commented Jan 14, 2025

ttl33 Jan 14, 2025

Choose a reason for hiding this comment

pnowosie Jan 15, 2025

Choose a reason for hiding this comment