From 2e345f26d4826d14366ff02bfd0760e3417d1963 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 23:41:55 +0200 Subject: [PATCH] Migrate more `x509/extensions.rs` APIs to new pyo3 APIs (and other migrations) (#10749) * Migrate `encode_der_data` to new pyo3 APIs * Convert more `x509/extensions.rs` APIs to the new pyo3 APIs * Remove redundant function calls --- src/rust/src/asn1.rs | 2 +- src/rust/src/backend/dh.rs | 2 +- src/rust/src/pkcs7.rs | 14 ++----------- src/rust/src/x509/certificate.rs | 14 ++----------- src/rust/src/x509/common.rs | 12 +++++------ src/rust/src/x509/crl.rs | 12 +++-------- src/rust/src/x509/csr.rs | 11 ++-------- src/rust/src/x509/extensions.rs | 35 ++++++++++++++++++-------------- src/rust/src/x509/ocsp_req.rs | 5 +---- src/rust/src/x509/ocsp_resp.rs | 5 +---- 10 files changed, 39 insertions(+), 73 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 62cbd069b..35de60493 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -97,7 +97,7 @@ pub(crate) fn encode_der_data<'p>( py: pyo3::Python<'p>, pem_tag: String, data: Vec, - encoding: &'p pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if encoding.is(&types::ENCODING_DER.get_bound(py)?) { Ok(pyo3::types::PyBytes::new_bound(py, &data)) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index e52b87602..9d597b9ec 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -369,7 +369,7 @@ impl DHParameters { } else { "X9.42 DH PARAMETERS" }; - encode_der_data(py, tag.to_string(), data, encoding.into_gil_ref()) + encode_der_data(py, tag.to_string(), data, &encoding) } } diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 085d5e891..977d0c912 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -77,12 +77,7 @@ fn serialize_certificates<'p>( }; let content_info_bytes = asn1::write_single(&content_info)?; - encode_der_data( - py, - "PKCS7".to_string(), - content_info_bytes, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) } #[pyo3::prelude::pyfunction] @@ -273,12 +268,7 @@ fn sign_and_serialize<'p>( .extract()?) } else { // Handles the DER, PEM, and error cases - encode_der_data( - py, - "PKCS7".to_string(), - ci_bytes, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d6751b7d0..02c3f8576 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -103,14 +103,7 @@ impl Certificate { ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(encode_der_data( - py, - "CERTIFICATE".to_string(), - result, - encoding.clone().into_gil_ref(), - )? - .as_borrowed() - .to_owned()) + encode_der_data(py, "CERTIFICATE".to_string(), result, encoding) } #[getter] @@ -963,10 +956,7 @@ fn create_x509_certificate( subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 4d4951821..ee4b0a3e4 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -9,7 +9,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::types::IntoPyDict; -use pyo3::{IntoPy, PyNativeType, ToPyObject}; +use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -418,11 +418,11 @@ pub(crate) fn encode_extensions< F: Fn( pyo3::Python<'_>, &asn1::ObjectIdentifier, - &pyo3::PyAny, + &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult>>, >( py: pyo3::Python<'p>, - py_exts: &'p pyo3::PyAny, + py_exts: &pyo3::Bound<'p, pyo3::PyAny>, encode_ext: F, ) -> pyo3::PyResult>> { let mut exts = vec![]; @@ -435,7 +435,7 @@ pub(crate) fn encode_extensions< let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; - if ext_val.is_instance(types::UNRECOGNIZED_EXTENSION.get(py)?)? { + if ext_val.is_instance(&types::UNRECOGNIZED_EXTENSION.get_bound(py)?)? { exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, @@ -445,7 +445,7 @@ pub(crate) fn encode_extensions< }); continue; } - match encode_ext(py, &oid, ext_val)? { + match encode_ext(py, &oid, &ext_val)? { Some(data) => { // TODO: extra copy let py_data = pyo3::types::PyBytes::new_bound(py, &data); @@ -477,7 +477,7 @@ fn encode_extension_value<'p>( ) -> pyo3::PyResult> { let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; - if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext.into_gil_ref())? { + if let Some(data) = x509::extensions::encode_extension(py, &oid, &py_ext)? { // TODO: extra copy let py_data = pyo3::types::PyBytes::new_bound(py, &data); return Ok(py_data); diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4a68cb028..c57917709 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -239,7 +239,7 @@ impl CertificateRevocationList { ) -> CryptographyResult> { let result = asn1::write_single(&self.owned.borrow_dependent())?; - encode_der_data(py, "X509 CRL".to_string(), result, encoding.into_gil_ref()) + encode_der_data(py, "X509 CRL".to_string(), result, &encoding) } #[getter] @@ -672,10 +672,7 @@ fn create_x509_crl( )?, raw_crl_entry_extensions: x509::common::encode_extensions( py, - py_revoked_cert - .getattr(pyo3::intern!(py, "extensions"))? - .clone() - .into_gil_ref(), + &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, extensions::encode_extension, )?, }); @@ -702,10 +699,7 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index f79c84fd8..6049a5be2 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -123,12 +123,7 @@ impl CertificateSigningRequest { ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - encode_der_data( - py, - "CERTIFICATE REQUEST".to_string(), - result, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) } fn get_attribute_for_oid<'p>( @@ -317,9 +312,7 @@ fn create_x509_csr( let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, x509::extensions::encode_extension, )? { ext_bytes = asn1::write_single(&exts)?; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index bbba8170d..3e0b7ec83 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -13,7 +13,7 @@ use pyo3::PyNativeType; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, - subtrees: &'a pyo3::PyAny, + subtrees: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { if subtrees.is_none() { Ok(None) @@ -35,7 +35,7 @@ fn encode_general_subtrees<'a>( pub(crate) fn encode_authority_key_identifier<'a>( py: pyo3::Python<'a>, - py_aki: &'a pyo3::PyAny, + py_aki: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyAuthorityKeyIdentifier<'a> { @@ -68,7 +68,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( pub(crate) fn encode_distribution_points<'p>( py: pyo3::Python<'p>, - py_dps: &'p pyo3::PyAny, + py_dps: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyDistributionPoint<'a> { @@ -123,7 +123,7 @@ pub(crate) fn encode_distribution_points<'p>( Ok(asn1::write_single(&asn1::SequenceOfWriter::new(dps))?) } -fn encode_basic_constraints(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_basic_constraints(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyBasicConstraints { ca: bool, @@ -137,7 +137,10 @@ fn encode_basic_constraints(ext: &pyo3::PyAny) -> CryptographyResult> { Ok(asn1::write_single(&bc)?) } -fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_key_usage( + py: pyo3::Python<'_>, + ext: &pyo3::Bound<'_, pyo3::PyAny>, +) -> CryptographyResult> { let mut bs = [0, 0]; certificate::set_bit( &mut bs, @@ -212,7 +215,7 @@ fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResu fn encode_certificate_policies( py: pyo3::Python<'_>, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let mut policy_informations = vec![]; for py_policy_info in ext.iter()? { @@ -303,7 +306,7 @@ fn encode_certificate_policies( fn encode_issuing_distribution_point( py: pyo3::Python<'_>, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? @@ -328,8 +331,7 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - let bound_name_entry = &py_name_entry?.as_borrowed(); - name_entries.push(x509::common::encode_name_entry(ext.py(), bound_name_entry)?); + name_entries.push(x509::common::encode_name_entry(ext.py(), &py_name_entry?)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -355,7 +357,7 @@ fn encode_issuing_distribution_point( Ok(asn1::write_single(&idp)?) } -fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_oid_sequence(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut oids = vec![]; for el in ext.iter()? { let oid = py_oid_to_oid(el?.as_borrowed().to_owned())?; @@ -364,7 +366,10 @@ fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { Ok(asn1::write_single(&asn1::SequenceOfWriter::new(oids))?) } -fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_tls_features( + py: pyo3::Python<'_>, + ext: &pyo3::Bound<'_, pyo3::PyAny>, +) -> CryptographyResult> { // Ideally we'd skip building up a vec and just write directly into the // writer. This isn't possible at the moment because the callback to write // an asn1::Sequence can't return an error, and we need to handle errors @@ -377,7 +382,7 @@ fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyR Ok(asn1::write_single(&asn1::SequenceOfWriter::new(els))?) } -fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_scts(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut length = 0; for sct in ext.iter()? { let sct = sct?.as_borrowed().downcast::()?.clone(); @@ -397,7 +402,7 @@ fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { pub(crate) fn encode_extension( py: pyo3::Python<'_>, oid: &asn1::ObjectIdentifier, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult>> { match oid { &oid::BASIC_CONSTRAINTS_OID => { @@ -441,8 +446,8 @@ pub(crate) fn encode_extension( let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; let nc = extensions::NameConstraints { - permitted_subtrees: encode_general_subtrees(ext.py(), permitted)?, - excluded_subtrees: encode_general_subtrees(ext.py(), excluded)?, + permitted_subtrees: encode_general_subtrees(ext.py(), &permitted)?, + excluded_subtrees: encode_general_subtrees(ext.py(), &excluded)?, }; Ok(Some(asn1::write_single(&nc)?)) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 32cb7e6a2..d74f33947 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -210,10 +210,7 @@ fn create_ocsp_request( let extensions = x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?; let reqs = [ocsp_req::Request { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 394c3bdea..3b9e11531 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -696,10 +696,7 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, };