-
-
Notifications
You must be signed in to change notification settings - Fork 30.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gh-128192: support sha-256 digest authentication #128193
base: main
Are you sure you want to change the base?
Conversation
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
Misc/NEWS.d/next/Core_and_Builtins/2024-12-23-11-14-07.gh-issue-128192.02mEhD.rst
Outdated
Show resolved
Hide resolved
cc @picnixz (cryptography expert) |
…e-128192.02mEhD.rst Co-authored-by: Peter Bierma <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks fine, but you should add a test.
from RFC-7616
This specification defines the following algorithms:
o SHA2-256 (mandatory to implement)
o SHA2-512/256 (as a backup algorithm)
o MD5 (for backward compatibility).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i dont know, I assume i would just be re-writing a test that probably exists in hashlib?
i've only found a single test written for this function that checks for an invalid algorithm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hashlib
does not need to be tested. What needs to be tested is that MD5
, SHA
and SHA-256
are recognized algorithms if you specify them as is in the request headers. This is an opportunity to add tests for this as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A preliminary round of comments. You can also update "RFC 2617" to "RFC 2617/7616" in the AbstractDigestAuthHandler comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hashlib
does not need to be tested. What needs to be tested is that MD5
, SHA
and SHA-256
are recognized algorithms if you specify them as is in the request headers. This is an opportunity to add tests for this as well.
@@ -1182,6 +1182,8 @@ def get_algorithm_impls(self, algorithm): | |||
elif algorithm == 'SHA': | |||
H = lambda x: hashlib.sha1(x.encode("ascii")).hexdigest() | |||
# XXX MD5-sess | |||
elif algorithm == 'SHA-256': |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you move the XXX MD5-sess
before the else and not before the elif
? thanks. In addition, mention that the algorithm names are taken from https://datatracker.ietf.org/doc/html/rfc7616#section-6.1.
@@ -0,0 +1 @@ | |||
Support digest authentication algorithm SHA-256 in :mod:`urllib.request`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Support digest authentication algorithm SHA-256 in :mod:`urllib.request`. | |
Upgrade HTTP digest authentication algorithm for :mod:`urllib.request` by | |
supporting SHA-2/256 digest authentication as specified in :rfc:`7616`. |
This also requires a What's New entry. However, we do not have any documentation concerning HTTP digest access authentication (we only have https://docs.python.org/3/library/urllib.request.html#abstractdigestauthhandler-objects but never do we mention which digests we are supporting). Nonetheless, maybe we can update the wording of that documented entry.
as mentioned in the issue, other authentication exist, but i don't see them supported out of the box in hashlib.
this all depends if python wishes to support rfc7616