Provide a safe way to check if a key is valid.

lgarron commented 5 years ago

See https://github.com/cedarcode/webauthn-ruby/issues/222 and https://github.com/cedarcode/cose-ruby/issues/39

To check if a COSE key is valid, it seems we have to do:

begin
  COSE::Key.deserialize(public_key_bytes)
rescue ArgumentError, EOFError, TypeError, COSE::UnknownKeyType, CBOR::UnpackError
  # ...
end

This is not quite enough, because a NoMemoryError is also possible (#39). It would be nice to have a safe way to check whether an untrusted byte string is a valid key, e.g.:

a method with a documented set of possible errors
a boolean method, e.g. COSE::Key.valid?(public_key_bytes)

grzuy commented 5 years ago

For future reference, related comment => https://github.com/cedarcode/cose-ruby/issues/39#issuecomment-504232656.

grzuy commented 4 years ago

It feels like most of these would be responsibility of the CBOR decoder... I mean, most of the possible random exceptions you would get are coming from CBOR.decode.

Seems like the responsibility could lie on cbor to respond to the question if the cbor bytes are actually something that would decode without throwing...?

grzuy commented 4 years ago

Staring discussion in https://github.com/cabo/cbor-ruby/issues/14.

grzuy commented 4 years ago

FWIW https://github.com/cedarcode/cose-ruby/pull/50 released in v0.10.0.

cedarcode / cose-ruby

Provide a safe way to check if a key is valid. #40