From 05c5b5b74f64763d60ba263df90645f512af0a1b Mon Sep 17 00:00:00 2001
From: Facundo Tuesca
Date: Mon, 22 Jan 2024 18:32:16 +0100
Subject: [PATCH] Disable PKCS7 functions under BoringSSL
---
 src/rust/src/pkcs7.rs | 44 +++++++++++++++++++--------
 tests/hazmat/primitives/test_pkcs7.py | 13 ++++++++
 2 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
index 30bb94d5f40f..8bf44385f0a2 100644
--- a/src/rust/src/pkcs7.rs
+++ b/src/rust/src/pkcs7.rs
@@ -9,12 +9,15 @@ use std::ops::Deref;
 use cryptography_x509::csr::Attribute;
 use cryptography_x509::{common, oid, pkcs7};
 use once_cell::sync::Lazy;
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 use openssl::pkcs7::Pkcs7;
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 use pyo3::IntoPy;
 use crate::asn1::encode_der_data;
 use crate::buf::CffiBuf;
 use crate::error::{CryptographyError, CryptographyResult};
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 use crate::x509::certificate::load_der_x509_certificate;
 use crate::{exceptions, types, x509};
@@ -293,6 +296,7 @@ fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [
 }
 }
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 fn load_pkcs7_certificates(
 py: pyo3::Python<'_>,
 pkcs7: Pkcs7,
@@ -333,12 +337,20 @@ fn load_pem_pkcs7_certificates(
 py: pyo3::Python<'_>,
 data: &[u8],
 ) -> CryptographyResult> {
- let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_pem(data).map_err(|_| {
- CryptographyError::from(pyo3::exceptions::PyValueError::new_err(
- "Unable to parse PKCS7 data",
- ))
- })?;
- load_pkcs7_certificates(py, pkcs7_decoded)
+ cfg_if::cfg_if! {
+ if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] {
+ let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_pem(data).map_err(|_| {
+ CryptographyError::from(pyo3::exceptions::PyValueError::new_err(
+ "Unable to parse PKCS7 data",
+ ))
+ })?;
+ load_pkcs7_certificates(py, pkcs7_decoded)
+ } else {
+ return Err(CryptographyError::from(
+ exceptions::UnsupportedAlgorithm::new_err("PKCS#7 is not supported by this backend."),
+ ));
+ }
+ }
 }
 #[pyo3::prelude::pyfunction]
@@ -346,12 +358,20 @@ fn load_der_pkcs7_certificates(
 py: pyo3::Python<'_>,
 data: &[u8],
 ) -> CryptographyResult> {
- let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_der(data).map_err(|_| {
- CryptographyError::from(pyo3::exceptions::PyValueError::new_err(
- "Unable to parse PKCS7 data",
- ))
- })?;
- load_pkcs7_certificates(py, pkcs7_decoded)
+ cfg_if::cfg_if! {
+ if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] {
+ let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_der(data).map_err(|_| {
+ CryptographyError::from(pyo3::exceptions::PyValueError::new_err(
+ "Unable to parse PKCS7 data",
+ ))
+ })?;
+ load_pkcs7_certificates(py, pkcs7_decoded)
+ } else {
+ return Err(CryptographyError::from(
+ exceptions::UnsupportedAlgorithm::new_err("PKCS#7 is not supported by this backend."),
+ ));
+ }
+ }
 }
 pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> {
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index dffc4ab2c1d0..e2aa5f094e3a 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
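Review bot: In the `else` arm of `load_pem_pkcs7_certificates`, neither `py` nor `data` is read, so a BoringSSL build will most likely emit unused-variable warnings (a build failure wherever warnings are denied); `let _ = py;` and `let _ = data;` at the top of that arm would mark them as deliberately ignored without renaming the pyfunction's parameters. The same arm builds `UnsupportedAlgorithm` from a message only, so if the exception type carries a reason code, callers get nothing stable to branch on; consider passing the project's reason value for unsupported serialization together with the message. The `return ...;` is also unnecessary there, since the first arm already ends in a tail expression and a plain `Err(...)` would read the same way. `load_der_pkcs7_certificates` in the following hunk has the identical arm and needs the same changes. Rejecting before any bytes are parsed is the right fail-closed behaviour, and a short comment saying so would help the next reader.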
@@ -922,3 +922,16 @@ def test_invalid_types(self):
 certs,
 "not an encoding", # type: ignore[arg-type]
 )
+
+
+@pytest.mark.supported(
+ only_if=lambda backend: not backend.pkcs7_supported(),
+ skip_message="Requires OpenSSL without PKCS7 support (BoringSSL)",
+)
+class TestPKCS7Unsupported:
+ def test_pkcs7_functions_unsupported(self):
+ with raises_unsupported_algorithm("PKCS#7 is not supported by this backend."):
+ pkcs7.load_der_pkcs7_certificates(b"nonsense")
+
+ with raises_unsupported_algorithm("PKCS#7 is not supported by this backend."):
+ pkcs7.load_pem_pkcs7_certificates(b"nonsense")
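Review bot: Both `raises_unsupported_algorithm(...)` calls in `test_pkcs7_functions_unsupported` are given the error message text, while the Rust side of this patch constructs the exception from a message alone. That helper is defined outside this diff; if it compares its argument with the exception's reason code rather than with its message, these assertions cannot pass as written. Aligning the two sides would make the test pin what it appears to pin: either a reason constant set in Rust and expected here, or `pytest.raises(UnsupportedAlgorithm, match=...)` if the message is the contract. A one-line comment that `b"nonsense"` is deliberate would also help, e.g. `# input is never parsed: the call must be rejected before decoding`.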