derivepassphrase bug allow-all-unicode-passphrases¶
Bug details: Allow all Unicode text strings as master passphrases
| Class | bug | This is clearly an actual problem we want fixed. |
|---|---|---|
| Present-in | 0.1.0 0.1.1 0.1.2 0.1.3 | |
| Fixed-in | aacd09bdcbdb01df7cb819396727d2427636b144 (0.2.0) | |
In v0.1.x, derivepassphrase will accept a textual master passphrase if and only if it has a unique Unicode normalization form, i.e. if the NFC- and NFD-normalized forms of the master passphrase agree. This check was intended to safeguard against a passphrase from the configuration file being interpreted incorrectly by the Vault constructor (and subsequently generating the wrong passphrase) because it derived the wrong normalized form as the binary input string to the vault algorithm.
This understanding of the “derived the wrong normalized form” part turns out to be wrong: the encoding of textual string to binary string is unique, and the ambiguity in the textual master passphrase arises only when reading the master passphrase as text. No matter what text is stored as the master passphrase, its binary encoding is unique, and is valid input to the vault algorithm. However, there is value in warning the user that the stored textual passphrase may not be what they think it is, because they are being misled by their editor, or copy-pasting the configuration from somewhere else.
Next steps:
- Remove the machinery that asserts a unique normalization form. In particular, remove the
Vault.AmbiguousByteRepresentationErrorexception type. - Remove the check for unique normalization form from the
Vaultconstructor. Instead, add a warning during the--importand--configmodes of operation when the config file has unnormalized or incorrectly normalized stored master passphrases. - Add a new configuration item, presumably
.global.unicode_normalization_formand defaulting toNFC, from which to obtain the correct normalization form.
- Remove the check for unique normalization form from the
Vaultconstructor. Instead, add a warning during the--importand--configmodes of operation when the config file has unnormalized or incorrectly normalized stored master passphrases.
Actually, the warning is equally sensible when interactively entering a master passphrase, not just when updating the configuration.