Closed cburroughs closed 7 years ago
master
Benchmark (hash) (providerCode) Mode Cnt Score Error Units
BenchmarkDSASigner.signHeaderThroughput SHA256 stdlib thrpt 50 2058.896 ± 4.611 ops/s
BenchmarkECDSASigner.signHeaderThroughput SHA256 stdlib thrpt 50 2939.279 ± 6.145 ops/s
BenchmarkRSASigner.signHeaderThroughput SHA256 stdlib thrpt 50 169.108 ± 2.775 ops/s
BenchmarkRSASigner.signHeaderThroughput SHA256 native.jnagmp thrpt 50 726.071 ± 2.569 ops/s
finger
Benchmark (hash) (providerCode) Mode Cnt Score Error Units
BenchmarkDSASigner.signHeaderThroughput SHA256 stdlib thrpt 50 2040.975 ± 4.386 ops/s
BenchmarkECDSASigner.signHeaderThroughput SHA256 stdlib thrpt 50 2879.544 ± 6.881 ops/s
BenchmarkRSASigner.signHeaderThroughput SHA256 stdlib thrpt 50 165.684 ± 0.297 ops/s
BenchmarkRSASigner.signHeaderThroughput SHA256 native.jnagmp thrpt 50 723.925 ± 2.734 ops/s
So we get a just barely measurable performance hit from the repeated fingerprint calculations. We could mitigate that with a cache, but we already have a cache for the entire signature.
I'll be the first to admit that "grab the last $MAGIC_NUMBER bytes" is not the most elegant approach. I've compared the fingerprint calculated here to ssh-keygen (using KeyFingerprinterIntegrationCycle) with 100,000 iterations for each key type/size. So while not pretty, it works in all of the ways I have thought to test it.
Pre-6.7 OpenSSH used hex encoded md5 as a key fingerprint. This was changed to be the base64 encoded sha256 with a prefix (SHA256). Triton and Manta only have server side support for the un-prefixed md5 fingerprint.
Following the approach of the node tooling in PUBAPI-1146, break apart the key fingerprint specified by the user from what is sent to the server. Instead validate the user fingerprint, and calculate our own fingerprint to send to the server. In the long run this simplifies the API (fewer things to pass around) and helps give better errors to the user sooner (instead of waiting for an error from the server).
The details of how OpenSSH serializes fingerprints are based on the implementation in node-sshpk.
ref #10
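The validate-locally, send-MD5 flow described above, as an added Python sketch that is not code from this pull request or from the project. The function names and the sample key are constructed for illustration; the sketch assumes the user may supply either the colon-separated hex MD5 form (with or without an `MD5:` prefix) or the `SHA256:` base64 form.

```python
import base64
import hashlib
import struct

def key_blob(pubkey_line):
    """Decode the key blob from a '<type> <base64> [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type string.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode("ascii"):
        raise ValueError("key type does not match the encoded blob")
    return blob

def md5_fingerprint(blob):
    """Legacy form: colon-separated hex MD5 of the blob, no prefix."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    """Newer form: 'SHA256:' + base64 of the digest with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def server_fingerprint(pubkey_line, user_fingerprint):
    """Check the user's fingerprint against the key, then return the MD5 form."""
    blob = key_blob(pubkey_line)
    fp = user_fingerprint.strip()
    if fp.startswith("SHA256:"):
        expected = sha256_fingerprint(blob)  # base64 is case-sensitive
    else:
        fp = fp[4:] if fp.upper().startswith("MD5:") else fp
        fp, expected = fp.lower(), md5_fingerprint(blob)
    if fp != expected:
        raise ValueError("fingerprint does not match the supplied key")
    return md5_fingerprint(blob)  # un-prefixed MD5 is what goes to the server

def constructed_ed25519_line():
    """Constructed sample: ed25519-shaped blob with 32 fixed bytes, not a real key."""
    parts = [b"ssh-ed25519", bytes(range(32))]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"
```

A mismatch raises before any request is made, which is the earlier error the description refers to.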