src, tests: remove verification code
Signed-off-by: William Woodruff <[email protected]>
woodruffw committed Aug 11, 2023
1 parent f9c0c91 commit 4a8f50e
Showing 3 changed files with 9 additions and 156 deletions.
3 changes: 0 additions & 3 deletions src/cryptography/x509/verification.py
@@ -80,10 +80,7 @@ def __init__(self, certs: typing.List[Certificate]):
self._certs = certs


verify = rust_x509.verify

__all__ = [
"verify",
"Policy",
"PolicyBuilder",
"Profile",
49 changes: 0 additions & 49 deletions src/rust/src/x509/verify.rs
@@ -6,7 +6,6 @@ use cryptography_x509::certificate::Certificate;
use cryptography_x509_validation::{
ops::CryptoOps,
policy::{Policy, Subject},
trust_store::Store,
types::{DNSName, IPAddress},
};

@@ -203,56 +202,8 @@ fn create_policy<'p>(
Ok(PyPolicy(policy))
}

#[pyo3::prelude::pyfunction]
fn verify<'p>(
py: pyo3::Python<'p>,
leaf: &PyCertificate,
policy: &PyPolicy,
intermediates: &'p pyo3::types::PyList,
store: &'p pyo3::PyAny,
) -> CryptographyResult<Vec<PyCertificate>> {
let intermediates = intermediates
.iter()
.map(|o| o.extract::<pyo3::PyRef<'p, PyCertificate>>())
.collect::<Result<Vec<_>, _>>()?;
let store_certs = store
.getattr(pyo3::intern!(py, "_certs"))?
.downcast::<pyo3::types::PyList>()?
.iter()
.map(|o| o.extract::<pyo3::PyRef<'p, PyCertificate>>())
.collect::<Result<Vec<_>, _>>()?;
let store = Store::new(store_certs.iter().map(|t| t.raw.borrow_dependent().clone()));

let policy = policy.as_policy();
let chain = cryptography_x509_validation::verify(
leaf.raw.borrow_dependent(),
intermediates
.iter()
.map(|i| i.raw.borrow_dependent().clone()),
policy,
&store,
)
.map_err(|e| pyo3::exceptions::PyValueError::new_err(format!("validation failed: {e:?}")))?;

// TODO: Optimize this? Turning a Certificate back into a PyCertificate
// involves a full round-trip back through DER, which isn't ideal.
chain
.iter()
.map(|c| {
let raw = pyo3::types::PyBytes::new(py, &asn1::write_single(c)?);
Ok(PyCertificate {
raw: OwnedCertificate::try_new(raw.into(), |raw| {
asn1::parse_single(raw.as_bytes(py))
})?,
cached_extensions: pyo3::once_cell::GILOnceCell::new(),
})
})
.collect()
}

pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> {
module.add_class::<PyPolicy>()?;
module.add_function(pyo3::wrap_pyfunction!(verify, module)?)?;
module.add_function(pyo3::wrap_pyfunction!(create_policy, module)?)?;

Ok(())
113 changes: 9 additions & 104 deletions tests/x509/test_verification.py
@@ -1,104 +1,9 @@
from cryptography.x509.verification import (
PolicyBuilder,
Profile,
Store,
verify,
)
from cryptography.x509 import load_pem_x509_certificate


def test_verify_basic():
ee = load_pem_x509_certificate(
b"""
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"""
)

intermediate = load_pem_x509_certificate(
b"""
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"""
)

root = load_pem_x509_certificate(
b"""
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"""
)

policy = PolicyBuilder(profile=Profile.RFC5280).build()
store = Store([root])
chain = verify(ee, policy, [intermediate], store)

assert chain == [ee, intermediate, root]
# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.

# from cryptography.x509.verification import (
# PolicyBuilder,
# Profile,
# Store,
# )
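Review bot: The new tests/x509/test_verification.py is only the licence header followed by a commented-out import block, so the module now collects no tests and carries dead code. `Policy`, `PolicyBuilder` and `Profile` are still listed in `__all__` in src/cryptography/x509/verification.py and `create_policy` is still registered in verify.rs, so policy construction stays reachable from Python with nothing in this file exercising it. I would either delete the commented block or replace it with a small test reusing the call from the removed test, `policy = PolicyBuilder(profile=Profile.RFC5280).build()`, assuming that call still works without `verify`. If the block is meant as a placeholder, a one-line comment saying so, e.g. `# TODO: restore chain-building tests when verify() is re-added`, would be clearer than commented-out imports.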
