From 6ded9d7257d4c6f9b1774e9140181ec246f484f2 Mon Sep 17 00:00:00 2001
From: Facundo Tuesca
Date: Mon, 22 Jan 2024 21:12:34 +0100
Subject: [PATCH] Misc PKCS7 fixes
---
 src/rust/src/pkcs7.rs | 37 +++++++++++++--------------
 tests/hazmat/primitives/test_pkcs7.py | 4 +--
 2 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
index e743e3080fb0..f307cf483ad7 100644
--- a/src/rust/src/pkcs7.rs
+++ b/src/rust/src/pkcs7.rs
@@ -300,7 +300,7 @@ fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [
 fn load_pkcs7_certificates(
 py: pyo3::Python<'_>,
 pkcs7: Pkcs7,
-) -> CryptographyResult> {
+) -> CryptographyResult<&pyo3::types::PyList> {
 let nid = pkcs7.type_().map(|t| t.nid());
 if nid != Some(openssl::nid::Nid::PKCS7_SIGNED) {
 let nid_string = nid.map_or("empty".to_string(), |n| n.as_raw().to_string());
@@ -319,24 +319,23 @@ fn load_pkcs7_certificates(
 "The provided PKCS7 has no certificate data, but a cert loading method was called.",
 ),
 )),
- Some(c) => c
- .iter()
- .map(|c| {
- load_der_x509_certificate(
- py,
- pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).into_py(py),
- None,
- )
- })
- .collect(),
+ Some(certificates) => {
+ let result = pyo3::types::PyList::empty(py);
+ for c in certificates {
+ let cert_der = pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).into_py(py);
+ let cert = load_der_x509_certificate(py, cert_der, None)?;
+ result.append(cert.into_py(py))?;
+ }
+ Ok(result)
+ }
 }
 }
 
 #[pyo3::prelude::pyfunction]
-fn load_pem_pkcs7_certificates(
- py: pyo3::Python<'_>,
+fn load_pem_pkcs7_certificates<'p>(
+ py: pyo3::Python<'p>,
 data: &[u8],
-) -> CryptographyResult> {
+) -> CryptographyResult<&'p pyo3::types::PyList> {
 cfg_if::cfg_if! {
 if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] {
 let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_pem(data).map_err(|_| {
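Review bot: The rewritten `Some(certificates)` arm returns every certificate embedded in the structure to Python, and no comment here tells callers that this list is unauthenticated. Nothing visible in the `@@ -300` or `@@ -319` hunks verifies the SignedData signature or builds a chain, though part of `load_pkcs7_certificates` lies between the two hunks, so this is inferred from what is shown. I would document it on the helper and on `load_pem_pkcs7_certificates` (which has no doc comment after the blank line above its attribute): `/// Returns the certificates embedded in a PKCS#7 SignedData structure, in stored order. No signature or chain validation is performed; treat the result as untrusted input.` The same applies to `load_der_pkcs7_certificates` in the `@@ -357` hunk.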
@@ -349,7 +348,7 @@ fn load_pem_pkcs7_certificates(
 return Err(CryptographyError::from(
 exceptions::UnsupportedAlgorithm::new_err((
 "PKCS#7 is not supported by this backend.",
- exceptions::Reasons::BACKEND_MISSING_INTERFACE,
+ exceptions::Reasons::UNSUPPORTED_SERIALIZATION,
 )),
 ));
 }
@@ -357,10 +356,10 @@ fn load_pem_pkcs7_certificates(
 }
 
 #[pyo3::prelude::pyfunction]
-fn load_der_pkcs7_certificates(
- py: pyo3::Python<'_>,
+fn load_der_pkcs7_certificates<'p>(
+ py: pyo3::Python<'p>,
 data: &[u8],
-) -> CryptographyResult> {
+) -> CryptographyResult<&'p pyo3::types::PyList> {
 cfg_if::cfg_if! {
 if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] {
 let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_der(data).map_err(|_| {
@@ -373,7 +372,7 @@ fn load_der_pkcs7_certificates(
 return Err(CryptographyError::from(
 exceptions::UnsupportedAlgorithm::new_err((
 "PKCS#7 is not supported by this backend.",
- exceptions::Reasons::BACKEND_MISSING_INTERFACE,
+ exceptions::Reasons::UNSUPPORTED_SERIALIZATION,
 )),
 ));
 }
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index 35583abac2ae..03b04cd389e5 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -930,8 +930,8 @@ def test_invalid_types(self):
 )
 class TestPKCS7Unsupported:
 def test_pkcs7_functions_unsupported(self):
- with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE):
+ with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION):
 pkcs7.load_der_pkcs7_certificates(b"nonsense")
 
- with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE):
+ with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION):
 pkcs7.load_pem_pkcs7_certificates(b"nonsense")
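Review bot: The fallback that builds the `UnsupportedAlgorithm` error is duplicated verbatim in this hunk and in the `@@ -373` hunk, which is why the commit has to change the reason code in two places. A single helper, compiled only for the backend that lacks PKCS#7, would keep the message and reason together so the PEM and DER loaders cannot drift apart. Both enclosing `cfg_if!` blocks begin outside their hunks, so the cfg condition on the helper below is inferred from the `not(CRYPTOGRAPHY_IS_BORINGSSL)` branch shown in the `@@ -357` hunk and should be confirmed.

```rust
#[cfg(CRYPTOGRAPHY_IS_BORINGSSL)]
fn pkcs7_unsupported() -> CryptographyError {
    CryptographyError::from(exceptions::UnsupportedAlgorithm::new_err((
        "PKCS#7 is not supported by this backend.",
        exceptions::Reasons::UNSUPPORTED_SERIALIZATION,
    )))
}

// … unchanged: OpenSSL branch of cfg_if! in load_pem_pkcs7_certificates and load_der_pkcs7_certificates …
            return Err(pkcs7_unsupported());
```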