[PR #104] [MERGED] Replace ecdsa with cryptography #107

Closed
opened 2026-02-28 01:19:31 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/tr4nt0r/python-xbox/pull/104
Author: @JamieMagee
Created: 2/26/2026
Status: Merged
Merged: 2/26/2026
Merged by: @tr4nt0r

Base: main ← Head: replace-ecdsa-with-cryptography


📝 Commits (3)

  • 28692cb Replace ecdsa with cryptography
  • f32f478 Fix test fixtures after ecdsa → cryptography switch
  • 405af51 pin cryptography in dev environment

📊 Changes

5 files changed (+56 additions, -32 deletions)

📝 pyproject.toml (+2 -2)
📝 src/pythonxbox/common/request_signer.py (+33 -16)
📝 tests/conftest.py (+11 -6)
📝 tests/data/test_signing_key.pem (+3 -3)
📝 tests/test_request_signer.py (+7 -5)

📄 Description

Replace the vulnerable ecdsa library with the production-grade cryptography library for all ECDSA operations.

The ecdsa package is vulnerable to CVE-2024-23342 (https://github.com/advisories/GHSA-wj6h-64fc-37mp) and the upstream author explicitly states it should not be used in production:

> I don't want people to use this library in production environments. It's a teaching tool, it's a testing tool, it's absolutely not a production grade implementation.
>
> -- https://github.com/tlsfuzzer/python-ecdsa/issues/330

Closes #69


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
