wycheproof used for....


ybel...@gmail.com

Dec 17, 2017, 6:30:54 AM
to wycheproof-users
Hi,
Background:
We've started to implement our new CI.
Our code is based on .NET, and one of our goals is to implement static code analysis in our new CI pipeline. The purpose is to verify our code for security issues.
Can someone tell me if this project, Wycheproof, can handle it? We are thinking of using "Bouncy Castle".

Please advise.

Thanks



Daniel Bleichenbacher

Dec 18, 2017, 8:36:19 AM
to ybel...@gmail.com, wycheproof-users
Wycheproof does not do any static code analysis.
All the tests in the library are black box tests for cryptographic primitives.
E.g. Wycheproof calls the provider to test to generate a number of public key signatures,
then analyzes these signatures for weaknesses that could leak the public key.
At the moment Java providers have the best support.
But we are working to extend the tests to other languages.
This will be mostly done by exchanging inputs and outputs via JSON.


Yossi Bello

Dec 19, 2017, 2:42:57 PM
to Daniel Bleichenbacher, wycheproof-users
Ok, thanks for the clarification.
Can you please guide me on which tool acts as static code analysis for security issues? Also, can you suggest a tool for .NET?

Thanks

Daniel Bleichenbacher

Dec 20, 2017, 10:22:17 AM
to Yossi Bello, wycheproof-users
On Tue, Dec 19, 2017 at 8:42 PM, Yossi Bello <ybel...@gmail.com> wrote:
Ok, thanks for the clarification.
Can you please guide me on which tool acts as static code analysis for security issues? Also, can you suggest a tool for .NET?

Thanks 

Unfortunately, I'm not familiar with the .NET world. 

Yossi Bello

Dec 21, 2017, 9:21:05 AM
to Daniel Bleichenbacher, wycheproof-users
Thanks, Daniel.
Can you please guide me on the best way to run those tests in our project?
I'm using Visual Studio 2017 with a checked-out branch. Does this tool have an installation so I can apply it over our code and see what happens?

Please advise.

Daniel Bleichenbacher

Dec 21, 2017, 10:15:04 AM
to Yossi Bello, wycheproof-users
One thing Wycheproof might eventually be able to do is to check the C# version of BouncyCastle.
At the moment we test the Java versions of BouncyCastle (mainly because Android is using
a BouncyCastle version as a provider).

The plan is to allow most of the tests to be done via JSON through test vectors.
But even for these tests it is necessary to have some code in the target language.
So far we have only a limited number of test vectors, but are working on more,
and there is no code for C# available that would read the test vectors and run them
against any C# crypto library.

Yossi Bello

Dec 21, 2017, 1:49:22 PM
to Daniel Bleichenbacher, wycheproof-users
Thanks!
So if I understand correctly, at this point I can't test it through our code? Can you please let me know the ETA of a version that we, as C#/.NET users, can use with this project as well?

Thanks for your reply

⛷ Thai Duong

Dec 21, 2017, 2:15:34 PM
to Yossi Bello, Daniel Bleichenbacher, wycheproof-users
You can, but you need to do some work.

Take a look at how we're using the test vectors to test Java and Javascript.
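
The kind of "work" discussed above, sketched as an added example that is not part of the thread and is not Wycheproof's own code: a small C# runner that reads vectors in the Wycheproof JSON layout (`testGroups`, `tests`, `tcId`, `result`) and reports where a MAC implementation disagrees with the expected result. The sample vectors are constructed here from RFC 4231 test case 1, the names `VectorRunner`, `Verify` and `Run` are hypothetical, and .NET 5 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;
static class VectorRunner // hypothetical name; not Wycheproof code
{
    // Constructed sample in the Wycheproof JSON layout; key/msg/tag come from RFC 4231 case 1.
    const string Sample = @"{ ""algorithm"": ""HMACSHA256"", ""testGroups"": [
      { ""tagSize"": 256, ""tests"": [
        { ""tcId"": 1, ""result"": ""valid"", ""key"": ""0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"", ""msg"": ""4869205468657265"",
          ""tag"": ""b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"" },
        { ""tcId"": 2, ""result"": ""invalid"", ""key"": ""0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"", ""msg"": ""4869205468657265"",
          ""tag"": ""b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff6"" },
        { ""tcId"": 3, ""result"": ""invalid"", ""key"": ""0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"", ""msg"": ""4869205468657265"",
          ""tag"": ""b0344c61d8db38535ca8afceaf0bf12b"" } ] },
      { ""tagSize"": 128, ""tests"": [
        { ""tcId"": 4, ""result"": ""valid"", ""key"": ""0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"", ""msg"": ""4869205468657265"",
          ""tag"": ""b0344c61d8db38535ca8afceaf0bf12b"" } ] } ] }";

    // The call under test. Replace the body with the library being evaluated.
    static bool Verify(byte[] key, byte[] msg, byte[] tag, int tagBytes)
    {
        using var mac = new HMACSHA256(key);
        byte[] full = mac.ComputeHash(msg);
        return tag.Length == tagBytes && CryptographicOperations.FixedTimeEquals(full.AsSpan(0, tagBytes), tag);
    }

    // Returns the tcIds where the implementation disagrees with the vector's expected result.
    public static List<int> Run(string json)
    {
        var failures = new List<int>();
        using JsonDocument doc = JsonDocument.Parse(json);
        foreach (JsonElement group in doc.RootElement.GetProperty("testGroups").EnumerateArray())
        {
            int tagBytes = group.GetProperty("tagSize").GetInt32() / 8; // tagSize is in bits
            foreach (JsonElement t in group.GetProperty("tests").EnumerateArray())
            {
                byte[] Hex(string name) => Convert.FromHexString(t.GetProperty(name).GetString()!);
                string expected = t.GetProperty("result").GetString()!;
                bool ok = Verify(Hex("key"), Hex("msg"), Hex("tag"), tagBytes);
                // "acceptable" vectors may go either way; "valid" and "invalid" are strict.
                if ((expected == "valid" && !ok) || (expected == "invalid" && ok))
                    failures.Add(t.GetProperty("tcId").GetInt32());
            }
        }
        return failures;
    }
    static void Main() => Console.WriteLine("disagreements: [" + string.Join(", ", Run(Sample)) + "]");
}
```

In a CI pipeline the same `Run` call would be fed the JSON files from the Wycheproof repository, and a non-empty list would fail the build.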

