Rewriting PublicKeyInfo.unwrap().dump() with PublicKeyInfo['public_key'].parsed.dump()

[smtakeda]

Due to the change in 1.0.0, I'm rewriting PublicKeyInfo.unwrap().dump() with PublicKeyInfo['public_key'].parsed.dump(). Is this right approach or any other better way?

[wbond]

Are you dealing with different types of keys, e.g. RSA and EC?

---

The reason this was removed from asn1crypto is that some private keys don't contain the public key in their structure, and thus the public key needs to be computed using math. Some security-minded users were concerned the process of computing the public key from the private key could allow for a side-channel attack to determine (part of, or the whole) private key.

Thus, without using a cryptography library such as oscrypto, or another Python crypto library that provides access to (constant-time) functions to compute the public key from the private key, there isn't a way to handle all keys strictly within asn1crypto.

[smtakeda]

So far looks like we've seen RSA only, because PublicKeyInfo.unwrap().dump() has worked well without problem where the older PublicKeyInfo.unwrap() supports only RSA.

https://github.com/wbond/asn1crypto/blob/0.24.0/asn1crypto/keys.py#L1040

My usage is this. It verifies the signature of content.
https://github.com/snowflakedb/snowflake-connector-python/blob/master/ocsp_asn1crypto.py#L316

The certificate is for TLS. Is there any sample that can cover both case?

[smtakeda]

Figured out:

pubkey = cert.public_key.unwrap().dump()

can be replaced with:

pubkey = oscrypto.asymmetric.load_public_key(cert.public_key).unwrap().dump()