authorAlex Gaynor <alex.gaynor@gmail.com>2023-05-05 13:37:10 -0400
committerGitHub <noreply@github.com>2023-05-05 12:37:10 -0500
commit8ae2b3fc2d4abd840c0fd7722e5bd01436db8027 (patch)
tree811170fb42c9151391d097ae126a79873bdb0e63 /src/rust
parentb0dc9b0a09744a52137157b5e7920d88c36bbb5d (diff)
Switch AlgorithmIdentifier to use rust-asn1's native defined by support (#8870)
Diffstat (limited to 'src/rust')
-rw-r--r--src/rust/cryptography-x509/src/common.rs24
-rw-r--r--src/rust/src/pkcs7.rs16
-rw-r--r--src/rust/src/x509/certificate.rs6
-rw-r--r--src/rust/src/x509/crl.rs6
-rw-r--r--src/rust/src/x509/csr.rs6
-rw-r--r--src/rust/src/x509/ocsp.rs26
-rw-r--r--src/rust/src/x509/ocsp_req.rs4
-rw-r--r--src/rust/src/x509/ocsp_resp.rs10
-rw-r--r--src/rust/src/x509/sign.rs124
9 files changed, 144 insertions, 78 deletions
diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs
index 122b37b6a..7835c3a5a 100644
--- a/src/rust/cryptography-x509/src/common.rs
+++ b/src/rust/cryptography-x509/src/common.rs
@@ -2,12 +2,32 @@
// 2.0, and the BSD License. See the LICENSE file in the root of this repository
// for complete details.
+use crate::oid;
+use asn1::Asn1DefinedByWritable;
use std::marker::PhantomData;
#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash, Clone)]
pub struct AlgorithmIdentifier<'a> {
- pub oid: asn1::ObjectIdentifier,
- pub params: Option<asn1::Tlv<'a>>,
+ pub oid: asn1::DefinedByMarker<asn1::ObjectIdentifier>,
+ #[defined_by(oid)]
+ pub params: AlgorithmParameters<'a>,
+}
+
+impl AlgorithmIdentifier<'_> {
+ pub fn oid(&self) -> &asn1::ObjectIdentifier {
+ self.params.item()
+ }
+}
+
+#[derive(asn1::Asn1DefinedByRead, asn1::Asn1DefinedByWrite, PartialEq, Hash, Clone)]
+pub enum AlgorithmParameters<'a> {
+ #[defined_by(oid::ED25519_OID)]
+ Ed25519,
+ #[defined_by(oid::ED448_OID)]
+ Ed448,
+
+ #[default]
+ Other(asn1::ObjectIdentifier, Option<asn1::Tlv<'a>>),
}
#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Clone)]
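Review bot: The `oid` field of `AlgorithmIdentifier` stays `pub` but is now only a `DefinedByMarker`, and neither it nor the new `oid()` accessor has a doc comment saying where the OID actually lives. I would add `/// Marker only; the algorithm OID is carried by params and read through oid().` on the field and `/// Returns the algorithm OID selected by the params variant.` on the method. `AlgorithmParameters` should also document that `Ed25519` and `Ed448` are unit variants: presumably rust-asn1 then rejects an encoding that carries parameters after those OIDs at parse time, whereas the old `Option<asn1::Tlv>` field accepted any parameters, so a malformed certificate, CRL or CSR would now fail when parsed rather than when verified. If that stricter behaviour is intended, a test that parses an Ed25519 identifier followed by a NULL would pin it.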
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
index 236976bf4..589be5673 100644
--- a/src/rust/src/pkcs7.rs
+++ b/src/rust/src/pkcs7.rs
@@ -8,7 +8,6 @@ use crate::error::CryptographyResult;
use crate::x509;
use cryptography_x509::csr::Attribute;
use cryptography_x509::{common, oid, pkcs7};
-
use once_cell::sync::Lazy;
use std::borrow::Cow;
use std::collections::HashMap;
@@ -181,11 +180,14 @@ fn sign_and_serialize<'p>(
};
let digest_alg = common::AlgorithmIdentifier {
- oid: x509::ocsp::HASH_NAME_TO_OIDS[py_hash_alg
- .getattr(pyo3::intern!(py, "name"))?
- .extract::<&str>()?]
- .clone(),
- params: Some(*x509::sign::NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ x509::ocsp::HASH_NAME_TO_OIDS[py_hash_alg
+ .getattr(pyo3::intern!(py, "name"))?
+ .extract::<&str>()?]
+ .clone(),
+ Some(*x509::sign::NULL_TLV),
+ ),
};
// Technically O(n^2), but no one will have that many signers.
if !digest_algs.contains(&digest_alg) {
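Review bot: The rewritten `digest_alg` initializer still indexes `HASH_NAME_TO_OIDS[...]` with the `name` attribute read from a Python object, and indexing a `HashMap` (which this appears to be) panics when the key is missing. Unless the name is validated before this point, which is not visible in the hunk, an unsupported hash surfaces as a panic instead of an error the caller can handle; looking the name up with `.get(...)` and returning an unsupported-algorithm error would avoid that. The same expression is repeated in both `ocsp.rs` hunks (`certid_new` and `certid_new_from_hash`), so one shared helper that builds the `AlgorithmIdentifier` for a hash object would fix all three places and remove the duplication. `sign_and_serialize` begins and ends outside this hunk.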
@@ -252,7 +254,7 @@ fn sign_and_serialize<'p>(
if encoding.is(encoding_class.getattr(pyo3::intern!(py, "SMIME"))?) {
let mic_algs = digest_algs
.iter()
- .map(|d| OIDS_TO_MIC_NAME[&d.oid])
+ .map(|d| OIDS_TO_MIC_NAME[&d.oid()])
.collect::<Vec<_>>()
.join(",");
let smime_encode = py
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
index b8d281014..949c4e10f 100644
--- a/src/rust/src/x509/certificate.rs
+++ b/src/rust/src/x509/certificate.rs
@@ -247,7 +247,7 @@ impl Certificate {
Err(_) => Err(CryptographyError::from(
exceptions::UnsupportedAlgorithm::new_err(format!(
"Signature algorithm OID: {} not recognized",
- self.raw.borrow_value().signature_alg.oid
+ self.raw.borrow_value().signature_alg.oid(),
)),
)),
}
@@ -255,7 +255,7 @@ impl Certificate {
#[getter]
fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> {
- oid_to_py_oid(py, &self.raw.borrow_value().signature_alg.oid)
+ oid_to_py_oid(py, self.raw.borrow_value().signature_alg.oid())
}
#[getter]
@@ -311,7 +311,7 @@ impl Certificate {
sign::verify_signature_with_oid(
py,
issuer.public_key(py)?,
- &self.raw.borrow_value().signature_alg.oid,
+ self.raw.borrow_value().signature_alg.oid(),
self.raw.borrow_value().signature.as_bytes(),
&asn1::write_single(&self.raw.borrow_value().tbs_cert)?,
)
diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
index db4fd0394..b6529ebf3 100644
--- a/src/rust/src/x509/crl.rs
+++ b/src/rust/src/x509/crl.rs
@@ -184,7 +184,7 @@ impl CertificateRevocationList {
#[getter]
fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> {
- oid_to_py_oid(py, &self.owned.borrow_value().signature_algorithm.oid)
+ oid_to_py_oid(py, self.owned.borrow_value().signature_algorithm.oid())
}
#[getter]
@@ -201,7 +201,7 @@ impl CertificateRevocationList {
Ok(v) => Ok(v),
Err(_) => Err(exceptions::UnsupportedAlgorithm::new_err(format!(
"Signature algorithm OID: {} not recognized",
- self.owned.borrow_value().signature_algorithm.oid
+ self.owned.borrow_value().signature_algorithm.oid(),
))),
}
}
@@ -394,7 +394,7 @@ impl CertificateRevocationList {
Ok(sign::verify_signature_with_oid(
py,
public_key,
- &slf.owned.borrow_value().signature_algorithm.oid,
+ slf.owned.borrow_value().signature_algorithm.oid(),
slf.owned.borrow_value().signature_value.as_bytes(),
&asn1::write_single(&slf.owned.borrow_value().tbs_cert_list)?,
)
diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs
index 2d7346819..c4a69ebb5 100644
--- a/src/rust/src/x509/csr.rs
+++ b/src/rust/src/x509/csr.rs
@@ -105,7 +105,7 @@ impl CertificateSigningRequest {
Err(_) => Err(CryptographyError::from(
exceptions::UnsupportedAlgorithm::new_err(format!(
"Signature algorithm OID: {} not recognized",
- self.raw.borrow_value().signature_alg.oid
+ self.raw.borrow_value().signature_alg.oid()
)),
)),
}
@@ -113,7 +113,7 @@ impl CertificateSigningRequest {
#[getter]
fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> {
- oid_to_py_oid(py, &self.raw.borrow_value().signature_alg.oid)
+ oid_to_py_oid(py, self.raw.borrow_value().signature_alg.oid())
}
fn public_bytes<'p>(
@@ -235,7 +235,7 @@ impl CertificateSigningRequest {
Ok(sign::verify_signature_with_oid(
py,
slf.public_key(py)?,
- &slf.raw.borrow_value().signature_alg.oid,
+ slf.raw.borrow_value().signature_alg.oid(),
slf.raw.borrow_value().signature.as_bytes(),
&asn1::write_single(&slf.raw.borrow_value().csr_info)?,
)
diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs
index b362ef326..0ea5555c1 100644
--- a/src/rust/src/x509/ocsp.rs
+++ b/src/rust/src/x509/ocsp.rs
@@ -52,11 +52,14 @@ pub(crate) fn certid_new<'p>(
Ok(CertID {
hash_algorithm: common::AlgorithmIdentifier {
- oid: HASH_NAME_TO_OIDS[hash_algorithm
- .getattr(pyo3::intern!(py, "name"))?
- .extract::<&str>()?]
- .clone(),
- params: Some(*x509::sign::NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ HASH_NAME_TO_OIDS[hash_algorithm
+ .getattr(pyo3::intern!(py, "name"))?
+ .extract::<&str>()?]
+ .clone(),
+ Some(*x509::sign::NULL_TLV),
+ ),
},
issuer_name_hash,
issuer_key_hash,
@@ -73,11 +76,14 @@ pub(crate) fn certid_new_from_hash<'p>(
) -> CryptographyResult<CertID<'p>> {
Ok(CertID {
hash_algorithm: common::AlgorithmIdentifier {
- oid: HASH_NAME_TO_OIDS[hash_algorithm
- .getattr(pyo3::intern!(py, "name"))?
- .extract::<&str>()?]
- .clone(),
- params: Some(*x509::sign::NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ HASH_NAME_TO_OIDS[hash_algorithm
+ .getattr(pyo3::intern!(py, "name"))?
+ .extract::<&str>()?]
+ .clone(),
+ Some(*x509::sign::NULL_TLV),
+ ),
},
issuer_name_hash,
issuer_key_hash,
diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs
index 701868e89..b8faedb09 100644
--- a/src/rust/src/x509/ocsp_req.rs
+++ b/src/rust/src/x509/ocsp_req.rs
@@ -86,12 +86,12 @@ impl OCSPRequest {
let cert_id = self.cert_id();
let hashes = py.import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))?;
- match ocsp::OIDS_TO_HASH.get(&cert_id.hash_algorithm.oid) {
+ match ocsp::OIDS_TO_HASH.get(&cert_id.hash_algorithm.oid()) {
Some(alg_name) => Ok(hashes.getattr(*alg_name)?.call0()?),
None => Err(CryptographyError::from(
exceptions::UnsupportedAlgorithm::new_err(format!(
"Signature algorithm OID: {} not recognized",
- cert_id.hash_algorithm.oid
+ cert_id.hash_algorithm.oid()
)),
)),
}
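Review bot: The error text on the `None` arm says "Signature algorithm OID" while the value printed is `cert_id.hash_algorithm.oid()`, which is the CertID hash algorithm. Since the argument line is being touched anyway, the message could read `"Hash algorithm OID: {} not recognized"` so that a failure on an OCSP request is not mistaken for a signature problem; check first for tests or callers that match on the current text. The same wording appears in `singleresp_py_hash_algorithm` in the last `ocsp_resp.rs` hunk. The enclosing method starts and ends outside this hunk.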
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs
index 103b610ec..15cf99d9f 100644
--- a/src/rust/src/x509/ocsp_resp.rs
+++ b/src/rust/src/x509/ocsp_resp.rs
@@ -168,7 +168,7 @@ impl OCSPResponse {
#[getter]
fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> {
let resp = self.requires_successful_response()?;
- oid_to_py_oid(py, &resp.signature_algorithm.oid)
+ oid_to_py_oid(py, resp.signature_algorithm.oid())
}
#[getter]
@@ -185,7 +185,9 @@ impl OCSPResponse {
Err(_) => {
let exc_messsage = format!(
"Signature algorithm OID: {} not recognized",
- self.requires_successful_response()?.signature_algorithm.oid
+ self.requires_successful_response()?
+ .signature_algorithm
+ .oid()
);
Err(CryptographyError::from(
exceptions::UnsupportedAlgorithm::new_err(exc_messsage),
@@ -477,12 +479,12 @@ fn singleresp_py_hash_algorithm<'p>(
py: pyo3::Python<'p>,
) -> Result<&'p pyo3::PyAny, CryptographyError> {
let hashes = py.import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))?;
- match ocsp::OIDS_TO_HASH.get(&resp.cert_id.hash_algorithm.oid) {
+ match ocsp::OIDS_TO_HASH.get(&resp.cert_id.hash_algorithm.oid()) {
Some(alg_name) => Ok(hashes.getattr(*alg_name)?.call0()?),
None => Err(CryptographyError::from(
exceptions::UnsupportedAlgorithm::new_err(format!(
"Signature algorithm OID: {} not recognized",
- resp.cert_id.hash_algorithm.oid
+ resp.cert_id.hash_algorithm.oid()
)),
)),
}
diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs
index 187dc54db..c4c01c973 100644
--- a/src/rust/src/x509/sign.rs
+++ b/src/rust/src/x509/sign.rs
@@ -138,98 +138,134 @@ pub(crate) fn compute_signature_algorithm<'p>(
match (key_type, hash_type) {
(KeyType::Ed25519, HashType::None) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ED25519_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Ed25519,
}),
(KeyType::Ed448, HashType::None) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ED448_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Ed448,
}),
(KeyType::Ed25519 | KeyType::Ed448, _) => Err(pyo3::exceptions::PyValueError::new_err(
"Algorithm must be None when signing via ed25519 or ed448",
)),
(KeyType::Ec, HashType::Sha224) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA224_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::ECDSA_WITH_SHA224_OID).clone(), None),
}),
(KeyType::Ec, HashType::Sha256) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA256_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::ECDSA_WITH_SHA256_OID).clone(), None),
}),
(KeyType::Ec, HashType::Sha384) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA384_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::ECDSA_WITH_SHA384_OID).clone(), None),
}),
(KeyType::Ec, HashType::Sha512) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA512_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::ECDSA_WITH_SHA512_OID).clone(), None),
}),
(KeyType::Ec, HashType::Sha3_224) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA3_224_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::ECDSA_WITH_SHA3_224_OID).clone(),
+ None,
+ ),
}),
(KeyType::Ec, HashType::Sha3_256) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA3_256_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::ECDSA_WITH_SHA3_256_OID).clone(),
+ None,
+ ),
}),
(KeyType::Ec, HashType::Sha3_384) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA3_384_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::ECDSA_WITH_SHA3_384_OID).clone(),
+ None,
+ ),
}),
(KeyType::Ec, HashType::Sha3_512) => Ok(common::AlgorithmIdentifier {
- oid: (oid::ECDSA_WITH_SHA3_512_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::ECDSA_WITH_SHA3_512_OID).clone(),
+ None,
+ ),
}),
(KeyType::Rsa, HashType::Sha224) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA224_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA224_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Rsa, HashType::Sha256) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA256_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA256_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Rsa, HashType::Sha384) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA384_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA384_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Rsa, HashType::Sha512) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA512_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA512_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Rsa, HashType::Sha3_224) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA3_224_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA3_224_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Rsa, HashType::Sha3_256) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA3_256_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA3_256_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Rsa, HashType::Sha3_384) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA3_384_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA3_384_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Rsa, HashType::Sha3_512) => Ok(common::AlgorithmIdentifier {
- oid: (oid::RSA_WITH_SHA3_512_OID).clone(),
- params: Some(*NULL_TLV),
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other(
+ (oid::RSA_WITH_SHA3_512_OID).clone(),
+ Some(*NULL_TLV),
+ ),
}),
(KeyType::Dsa, HashType::Sha224) => Ok(common::AlgorithmIdentifier {
- oid: (oid::DSA_WITH_SHA224_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::DSA_WITH_SHA224_OID).clone(), None),
}),
(KeyType::Dsa, HashType::Sha256) => Ok(common::AlgorithmIdentifier {
- oid: (oid::DSA_WITH_SHA256_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::DSA_WITH_SHA256_OID).clone(), None),
}),
(KeyType::Dsa, HashType::Sha384) => Ok(common::AlgorithmIdentifier {
- oid: (oid::DSA_WITH_SHA384_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::DSA_WITH_SHA384_OID).clone(), None),
}),
(KeyType::Dsa, HashType::Sha512) => Ok(common::AlgorithmIdentifier {
- oid: (oid::DSA_WITH_SHA512_OID).clone(),
- params: None,
+ oid: asn1::DefinedByMarker::marker(),
+ params: common::AlgorithmParameters::Other((oid::DSA_WITH_SHA512_OID).clone(), None),
}),
(
KeyType::Dsa,