diff options
author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2023-05-14 08:07:26 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-14 00:07:26 +0000 |
commit | 6cac7bcaf743d56215dd68a88f121c0811cfeb2b (patch) | |
tree | 325ef158e235f6b4d0405a6446abb584ccfa6228 | |
parent | 05900ddc6e3860af3517b0e351bc841f46732f1a (diff) | |
download | cryptography-6cac7bcaf743d56215dd68a88f121c0811cfeb2b.tar.gz |
refactor signature algorithm parameters into a separate function (#8921)
* refactor signature algorithm parameters into a separate function
this will be used in the verify_directly_issued_by PR
* fix coverage with more refactoring
-rw-r--r-- | src/rust/src/x509/certificate.rs | 188 |
1 files changed, 104 insertions, 84 deletions
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 92ef6c967..4c0725023 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -269,29 +269,7 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - let sig_oids_to_hash = py - .import(pyo3::intern!(py, "cryptography.hazmat._oid"))? - .getattr(pyo3::intern!(py, "_SIG_OIDS_TO_HASH"))?; - match &self.raw.borrow_value().signature_alg.params { - common::AlgorithmParameters::RsaPss(opt_pss) => { - let pss = opt_pss.as_ref().ok_or_else(|| { - pyo3::exceptions::PyValueError::new_err("Invalid RSA PSS parameters") - })?; - hash_oid_py_hash(py, pss.hash_algorithm.oid().clone()) - } - _ => { - let hash_alg = sig_oids_to_hash.get_item(self.signature_algorithm_oid(py)?); - match hash_alg { - Ok(data) => Ok(data), - Err(_) => Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(format!( - "Signature algorithm OID: {} not recognized", - self.raw.borrow_value().signature_alg.oid() - )), - )), - } - } - } + identify_signature_hash_algorithm(py, &self.raw.borrow_value().signature_alg) } #[getter] @@ -304,67 +282,7 @@ impl Certificate { &'p self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::PyAny> { - match &self.raw.borrow_value().signature_alg.params { - common::AlgorithmParameters::RsaPss(opt_pss) => { - let pss = opt_pss.as_ref().ok_or_else(|| { - pyo3::exceptions::PyValueError::new_err("Invalid RSA PSS parameters") - })?; - if pss.mask_gen_algorithm.oid != oid::MGF1_OID { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err(format!( - "Unsupported mask generation OID: {}", - pss.mask_gen_algorithm.oid - )), - )); - } - let py_mask_gen_hash_alg = - hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; - let padding = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))?; - let py_mgf = padding - .getattr(pyo3::intern!(py, "MGF1"))? - .call1((py_mask_gen_hash_alg,))?; - Ok(padding - .getattr(pyo3::intern!(py, "PSS"))? - .call1((py_mgf, pss.salt_length))?) - } - common::AlgorithmParameters::RsaWithSha1(_) - | common::AlgorithmParameters::RsaWithSha1Alt(_) - | common::AlgorithmParameters::RsaWithSha224(_) - | common::AlgorithmParameters::RsaWithSha256(_) - | common::AlgorithmParameters::RsaWithSha384(_) - | common::AlgorithmParameters::RsaWithSha512(_) - | common::AlgorithmParameters::RsaWithSha3_224(_) - | common::AlgorithmParameters::RsaWithSha3_256(_) - | common::AlgorithmParameters::RsaWithSha3_384(_) - | common::AlgorithmParameters::RsaWithSha3_512(_) => { - let pkcs = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))? - .getattr(pyo3::intern!(py, "PKCS1v15"))? - .call0()?; - Ok(pkcs) - } - common::AlgorithmParameters::EcDsaWithSha224 - | common::AlgorithmParameters::EcDsaWithSha256 - | common::AlgorithmParameters::EcDsaWithSha384 - | common::AlgorithmParameters::EcDsaWithSha512 - | common::AlgorithmParameters::EcDsaWithSha3_224 - | common::AlgorithmParameters::EcDsaWithSha3_256 - | common::AlgorithmParameters::EcDsaWithSha3_384 - | common::AlgorithmParameters::EcDsaWithSha3_512 => Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "ECDSA"))? - .call1((self.signature_hash_algorithm(py)?,))?), - _ => Ok(py.None().into_ref(py)), - } + identify_signature_algorithm_parameters(py, &self.raw.borrow_value().signature_alg) } #[getter] @@ -1076,6 +994,108 @@ pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { } } +pub(crate) fn identify_signature_hash_algorithm<'p>( + py: pyo3::Python<'p>, + signature_algorithm: &common::AlgorithmIdentifier<'_>, +) -> CryptographyResult<&'p pyo3::PyAny> { + let sig_oids_to_hash = py + .import(pyo3::intern!(py, "cryptography.hazmat._oid"))? + .getattr(pyo3::intern!(py, "_SIG_OIDS_TO_HASH"))?; + match &signature_algorithm.params { + common::AlgorithmParameters::RsaPss(opt_pss) => { + let pss = opt_pss.as_ref().ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Invalid RSA PSS parameters") + })?; + hash_oid_py_hash(py, pss.hash_algorithm.oid().clone()) + } + _ => { + let py_sig_alg_oid = oid_to_py_oid(py, signature_algorithm.oid())?; + let hash_alg = sig_oids_to_hash.get_item(py_sig_alg_oid); + match hash_alg { + Ok(data) => Ok(data), + Err(_) => Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(format!( + "Signature algorithm OID: {} not recognized", + signature_algorithm.oid() + )), + )), + } + } + } +} + +pub(crate) fn identify_signature_algorithm_parameters<'p>( + py: pyo3::Python<'p>, + signature_algorithm: &common::AlgorithmIdentifier<'_>, +) -> CryptographyResult<&'p pyo3::PyAny> { + match &signature_algorithm.params { + common::AlgorithmParameters::RsaPss(opt_pss) => { + let pss = opt_pss.as_ref().ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Invalid RSA PSS parameters") + })?; + if pss.mask_gen_algorithm.oid != oid::MGF1_OID { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Unsupported mask generation OID: {}", + pss.mask_gen_algorithm.oid + )), + )); + } + let py_mask_gen_hash_alg = + hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; + let padding = py.import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.padding" + ))?; + let py_mgf = padding + .getattr(pyo3::intern!(py, "MGF1"))? + .call1((py_mask_gen_hash_alg,))?; + Ok(padding + .getattr(pyo3::intern!(py, "PSS"))? + .call1((py_mgf, pss.salt_length))?) + } + common::AlgorithmParameters::RsaWithSha1(_) + | common::AlgorithmParameters::RsaWithSha1Alt(_) + | common::AlgorithmParameters::RsaWithSha224(_) + | common::AlgorithmParameters::RsaWithSha256(_) + | common::AlgorithmParameters::RsaWithSha384(_) + | common::AlgorithmParameters::RsaWithSha512(_) + | common::AlgorithmParameters::RsaWithSha3_224(_) + | common::AlgorithmParameters::RsaWithSha3_256(_) + | common::AlgorithmParameters::RsaWithSha3_384(_) + | common::AlgorithmParameters::RsaWithSha3_512(_) => { + let pkcs = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.padding" + ))? + .getattr(pyo3::intern!(py, "PKCS1v15"))? + .call0()?; + Ok(pkcs) + } + common::AlgorithmParameters::EcDsaWithSha224 + | common::AlgorithmParameters::EcDsaWithSha256 + | common::AlgorithmParameters::EcDsaWithSha384 + | common::AlgorithmParameters::EcDsaWithSha512 + | common::AlgorithmParameters::EcDsaWithSha3_224 + | common::AlgorithmParameters::EcDsaWithSha3_256 + | common::AlgorithmParameters::EcDsaWithSha3_384 + | common::AlgorithmParameters::EcDsaWithSha3_512 => { + let signature_hash_algorithm = + identify_signature_hash_algorithm(py, signature_algorithm)?; + + Ok(py + .import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.ec" + ))? + .getattr(pyo3::intern!(py, "ECDSA"))? + .call1((signature_hash_algorithm,))?) + } + _ => Ok(py.None().into_ref(py)), + } +} + pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_function(pyo3::wrap_pyfunction!(load_der_x509_certificate, module)?)?; module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_certificate, module)?)?; |