In several Python libraries, I have seen validation functions that raise exceptions upon failure, instead of returning a boolean result. Examples include:
- various `verify` functions in the Cryptography library
- the `validate_authentication` method of pyftpdlib's Authorizer
These functions only serve to test whether or not the input is valid (e.g. a digital signature or a user's password), and they don't produce any data other than the result of the test (unlike, for instance, decrypting a JWT token). From my point of view, it would be more logical to output the test result as a return value.
Is there a security issue with returning a boolean? Is it safer to use exceptions instead? Or is the rationale behind that choice not security-related?
Additionally, how does this rationale apply to cryptographic libraries in other programming languages?
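To make the two styles concrete, here is an added example (not code from the question, nor from the Cryptography library or pyftpdlib) that implements the same HMAC check once as a boolean-returning function and once as an exception-raising one, and then shows what happens when a caller forgets to act on the result. The key, message and the helper names (`verify_bool`, `verify_raise`, `forgetful_caller`, `run_request`) are constructed for this illustration and are not from any real library.

```python
import hashlib
import hmac

# Constructed demo key for this example only; a real key would come from a KMS or config.
SECRET_KEY = b"constructed-demo-key-do-not-use"


def sign(message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).digest()


# Style 1: report the outcome as a return value.
def verify_bool(message: bytes, tag: bytes) -> bool:
    # compare_digest avoids the timing side channel of a plain == on bytes.
    return hmac.compare_digest(sign(message), tag)


# Style 2: report failure by raising; success is silent.
class InvalidSignature(Exception):
    pass


def verify_raise(message: bytes, tag: bytes) -> None:
    if not hmac.compare_digest(sign(message), tag):
        raise InvalidSignature("HMAC tag does not match message")


def forgetful_caller(message: bytes, tag: bytes, style: str) -> str:
    """A caller that invokes the validator but never inspects the result.

    This is the bug the exception style is meant to make harmless: with the
    boolean style the discarded False lets processing continue (fail open);
    with the raising style the failure propagates and nothing after it runs.
    """
    if style == "bool":
        verify_bool(message, tag)   # return value silently discarded
    elif style == "raise":
        verify_raise(message, tag)  # no try/except: a failure unwinds the stack
    else:
        raise ValueError(f"unknown style {style!r}")
    return "processed"


def careful_caller(message: bytes, tag: bytes) -> str:
    """The boolean style used correctly: the result is checked before proceeding."""
    if not verify_bool(message, tag):
        return "rejected"
    return "processed"


def run_request(message: bytes, tag: bytes, style: str) -> str:
    """Drive forgetful_caller and report the final outcome as a string.

    'processed' means the request went through, 'aborted' means an uncaught
    InvalidSignature stopped it before any further handling.
    """
    try:
        return forgetful_caller(message, tag, style)
    except InvalidSignature:
        return "aborted"


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"           # constructed sample message
    good_tag = sign(msg)
    bad_tag = bytes(32)                            # constructed forged tag (all zeros)
    for style in ("bool", "raise"):
        print(style, "valid:", run_request(msg, good_tag, style),
              "forged:", run_request(msg, bad_tag, style))
    print("careful caller, forged:", careful_caller(msg, bad_tag))
```

With a valid tag both styles process the request. With the forged tag the boolean version still reports `processed` because nothing looked at the `False`, while the raising version reports `aborted`; the `careful_caller` shows that the boolean style is only as safe as every call site that remembers to test the result.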