Migrate PKCS7 backend to Rust by facutuesca · Pull Request #10228 · pyca/cryptography

facutuesca · 2024-01-22T14:21:02Z

Part of #8770. Now that rust-openssl has the necessary bindings, this PR replaces the Python implementation with calls to the Rust OpenSSL bindings.

alex · 2024-01-22T14:26:28Z

+    let nid = pkcs7.type_().map_or(openssl::nid::Nid::UNDEF, |x| x.nid());
+    assert_ne!(nid, openssl::nid::Nid::UNDEF);
+    if nid != openssl::nid::Nid::PKCS7_SIGNED {


What's the reason for this assertion? Can we not just do nid = pkcs7.type_().map(|t| t.nid()); if nid != Some(PKCS7_SIGNED) {}?

I replicated the behavior from the Python implementation: src. Should I change it?

Yes, I think my formulation here is better --

it's important to note that the openssl_assert() would produce a python execption while this code would produce a rust panic, so they're not quite teh same

alex · 2024-01-22T14:26:48Z

+        )),
+        Some(c) => c
+            .iter()
+            .map(|c| load_pem_x509_certificate(py, c.to_pem()?.as_slice(), None))


Round-trip via DER, it'll be faster.

facutuesca · 2024-01-22T15:15:31Z

Leaving as a draft for now since rust-openssl doesn't have PKCS#7 bindings enabled for BoringSSL

alex · 2024-01-22T15:17:28Z

I believe that's because BoringSSL is missing PKCS#7 functionality -- we should just disable this there.

facutuesca · 2024-01-22T15:19:47Z

I believe that's because BoringSSL is missing PKCS#7 functionality -- we should just disable this there.

~~Wouldn't that mean we would be effectively removing PCKS#7 support from cryptography with BoringSSL?~~ nvm it was never supported

    def pkcs7_supported(self) -> bool:
        return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL

alex · 2024-01-22T19:15:45Z

+                exceptions::UnsupportedAlgorithm::new_err((
+                    "PKCS#7 is not supported by this backend.",
+                    exceptions::Reasons::BACKEND_MISSING_INTERFACE,
+                )),


Use UNSUPPORTED_SERIALIZATION here I think

alex · 2024-01-22T19:17:05Z

+fn load_pkcs7_certificates(
+    py: pyo3::Python<'_>,
+    pkcs7: Pkcs7,
+) -> CryptographyResult<Vec<x509::certificate::Certificate>> {


Small nit: Instead of returning a Vec, I'd suggest the &pyo3::types::PyList. This avoids a copy+malloc round trip.

See verify.rs l239 for an example of this

alex · 2024-01-22T21:06:43Z

+                result.append(
+                    load_der_x509_certificate(
+                        py,
+                        pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).into_py(py),
+                        None,
+                    )?
+                    .into_py(py),
+                )?;


You're getting coverage issues here. Best resolution is to rewrite as:

let cert_der = pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).into_py(py); let cert = load_der_x509_certificate(py, cert_der, None)?; result.append(cert.into_py(py))?;

facutuesca force-pushed the pkcs7-rust branch from 3dba583 to af8aa03 Compare January 22, 2024 14:25

facutuesca marked this pull request as draft January 22, 2024 14:26

alex reviewed Jan 22, 2024

View reviewed changes

alex mentioned this pull request Jan 22, 2024

Migrate backend to rust #8770

Closed

22 tasks

Migrate PKCS7 backend to Rust

d0d4407

facutuesca force-pushed the pkcs7-rust branch from af8aa03 to d0d4407 Compare January 22, 2024 15:14

facutuesca force-pushed the pkcs7-rust branch 3 times, most recently from 05c5b5b to 9bee3fc Compare January 22, 2024 18:26

Disable PKCS7 functions under BoringSSL

6efad7f

facutuesca force-pushed the pkcs7-rust branch from 9bee3fc to 6efad7f Compare January 22, 2024 18:43

facutuesca requested a review from alex January 22, 2024 19:12

facutuesca marked this pull request as ready for review January 22, 2024 19:12

alex reviewed Jan 22, 2024

View reviewed changes

facutuesca force-pushed the pkcs7-rust branch 2 times, most recently from b94a208 to 71ec332 Compare January 22, 2024 20:57

alex previously approved these changes Jan 22, 2024

View reviewed changes

alex enabled auto-merge (squash) January 22, 2024 21:02

alex reviewed Jan 22, 2024

View reviewed changes

auto-merge was automatically disabled January 22, 2024 21:11
Head branch was pushed to by a user without write access

facutuesca dismissed alex’s stale review via 6ded9d7 January 22, 2024 21:11

facutuesca force-pushed the pkcs7-rust branch from 71ec332 to 6ded9d7 Compare January 22, 2024 21:11

Misc PKCS7 fixes

e278436

facutuesca force-pushed the pkcs7-rust branch from 6ded9d7 to e278436 Compare January 22, 2024 21:13

alex approved these changes Jan 22, 2024

View reviewed changes

alex enabled auto-merge (squash) January 22, 2024 21:15

alex merged commit 41daf2d into pyca:main Jan 22, 2024

facutuesca deleted the pkcs7-rust branch January 22, 2024 21:45

Conversation

facutuesca commented Jan 22, 2024

Uh oh!

Choose a reason for hiding this comment

Uh oh!

facutuesca Jan 22, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

facutuesca commented Jan 22, 2024

Uh oh!

alex commented Jan 22, 2024

Uh oh!

facutuesca commented Jan 22, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

facutuesca Jan 22, 2024 •

edited

Loading

facutuesca commented Jan 22, 2024 •

edited

Loading