[issue47124] explore hashlib use of the Apple CryptoKit macOS

[Dong-hee Na]

Change by Dong-hee Na :


--
nosy: +corona10

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue47124] explore hashlib use of the Apple CryptoKit macOS

[Ronald Oussoren]

Ronald Oussoren  added the comment:

SecDigestTransformCreate() is probably a relevant API to look into, this seems 
to be supported from 10.7 until now.

A major disadvantage for us of this API is that it is a CoreFoundation API and 
because of that is problematic in pre-forking scenario's (that is, call in a 
child proces that's the result of fork-without-exec) because most if not all 
CoreFoundation types are not safe to use in these scenario's.

Apple also has an older crypto API, but that has been deprecated for a long 
time and should not be used.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue47124] explore hashlib use of the Apple CryptoKit macOS

[Gregory P. Smith]

Gregory P. Smith  added the comment:

I only pointed to that API after a brief search without looking at details 
(Swift? oops!). If there is one available from C that'd also make sense to 
consider.

The only things I expect, relevant to hashlib, that would be accelerated by OS 
native APIs most platforms are SHA2, maybe SHA1, and sometimes HMAC using those.

I'm in no position to judge if there is value in using them, I'm just assuming 
there might be.  The irony is that builds without OpenSSL are rare, so unless 
the OS native APIs provide tangible benefits it may not matter.

(ex: the Linux APIs may allow for an efficient zero-copy variant of the new 
`hashlib.file_digest()` function)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue47124] explore hashlib use of the Apple CryptoKit macOS

[Ronald Oussoren]

Ronald Oussoren  added the comment:

A "problem" with CryptoKit is that it is a swift-only framework, which makes 
using those APIs harder from C code (not impossible).

The older Security framework also contains crypto APIs, but seems to have less 
support for modern algorithms (e.g. no support for Curve25519). 

TBH I'm not sure if it is worthwhile to look into this in CPython, or that we 
should rely on OpenSSL for any integration (similar to Christian Heimes opinion 
on using the system keystore in the ssl module).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue47124] explore hashlib use of the Apple CryptoKit macOS

[Gregory P. Smith]

New submission from Gregory P. Smith :

https://developer.apple.com/documentation/cryptokit/ in macOS 10.15+

This is a common place for platform specific hardware acceleration to be 
exposed to the user (especially on SoCs which often have non-standard hardware 
- Like Apples... which is presumably why they create this).

What they offer is limited, but when present and running on a recent enough 
macOS, using their and SHA2 and HMAC(SHA2) implementations as well as 
Insecure.SHA1 is probably better than OpenSSL's.  **Verify this.** It'd also 
allow those to be fast in a non-openssl build (as if anyone does those).

I know little about mac building and packaging and how to have something target 
an older OS and use a 10.15+ API. So if this winds up only being used from 
aarch64 macOS builds (10.15+ by definition IIRC?) that could also work.

I leave this issue for a macOS Apple API friendly person to take on.

This issue is cousin to the Linux one: https://bugs.python.org/issue47102

--
components: Extension Modules, macOS
messages: 416032
nosy: gregory.p.smith, ned.deily, ronaldoussoren
priority: normal
severity: normal
status: open
title: explore hashlib use of the Apple CryptoKit macOS
type: enhancement

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com