fix: removed test_support pkcs7_encrypt

added vector for aes_256_cbc encrypted pkcs7
pyca · Oct 27, 2024 · 1591c66 · 1591c66
1 parent dd858f8
commit 1591c66
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 77 deletions.
diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi
@@ -13,13 +13,6 @@ class TestCertificate:
     subject_value_tags: list[int]
 
 def test_parse_certificate(data: bytes) -> TestCertificate: ...
-def pkcs7_encrypt(
-    cert_recipients: list[x509.Certificate],
-    msg: bytes,
-    cipher: bytes,
-    options: list[pkcs7.PKCS7Options],
-    encoding: serialization.Encoding,
-) -> bytes: ...
 def pkcs7_decrypt(
     encoding: serialization.Encoding,
     msg: bytes,

diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs
@@ -103,57 +103,6 @@ fn pkcs7_verify(
     Ok(())
 }
 
-#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
-#[pyo3::pyfunction]
-#[pyo3(signature = (cert_recipients, msg, cipher, options, encoding))]
-fn pkcs7_encrypt<'p>(
-    py: pyo3::Python<'p>,
-    cert_recipients: Vec<pyo3::Bound<'p, PyCertificate>>,
-    msg: CffiBuf<'p>,
-    cipher: CffiBuf<'p>,
-    options: pyo3::Bound<'p, pyo3::types::PyList>,
-    encoding: pyo3::Bound<'p, pyo3::PyAny>,
-) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
-    // Prepare the certificates
-    let mut certs_stack = openssl::stack::Stack::new()?;
-    for cert in &cert_recipients {
-        let der = asn1::write_single(cert.get().raw.borrow_dependent())?;
-        certs_stack.push(openssl::x509::X509::from_der(&der)?)?;
-    }
-
-    // Prepare the cipher
-    // SAFETY: No pre-conditions
-    let cipher = unsafe {
-        let ptr = openssl_sys::EVP_get_cipherbyname(cipher.as_bytes().as_ptr() as *const _);
-        openssl::symm::Cipher::from_ptr(ptr as *mut _)
-    };
-
-    // Prepare the options
-    let mut flags = openssl::pkcs7::Pkcs7Flags::empty();
-    if options.contains(types::PKCS7_TEXT.get(py)?)? {
-        flags |= openssl::pkcs7::Pkcs7Flags::TEXT;
-    }
-    if options.contains(types::PKCS7_BINARY.get(py)?)? {
-        flags |= openssl::pkcs7::Pkcs7Flags::BINARY;
-    }
-
-    // Encrypt the message
-    let p7 = openssl::pkcs7::Pkcs7::encrypt(&certs_stack, msg.as_bytes(), cipher, flags).unwrap();
-
-    // Return the result in the correct format
-    if encoding.is(&types::ENCODING_DER.get(py)?) {
-        Ok(pyo3::types::PyBytes::new_bound(py, &p7.to_der().unwrap()))
-    } else if encoding.is(&types::ENCODING_PEM.get(py)?) {
-        Ok(pyo3::types::PyBytes::new_bound(py, &p7.to_pem().unwrap()))
-    } else {
-        Ok(pyo3::types::PyBytes::new_bound(
-            py,
-            &p7.to_smime(&[], openssl::pkcs7::Pkcs7Flags::empty())
-                .unwrap(),
-        ))
-    }
-}
-
 #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::pyfunction]
 #[pyo3(signature = (encoding, msg, pkey, cert_recipient, options))]
@@ -205,9 +154,6 @@ pub(crate) mod test_support {
     use super::pkcs7_decrypt;
     #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     #[pymodule_export]
-    use super::pkcs7_encrypt;
-    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
-    #[pymodule_export]
     use super::pkcs7_verify;
     #[pymodule_export]
     use super::test_parse_certificate;

diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
@@ -867,6 +867,15 @@ def _load_another_rsa_cert_key():
     return cert, key
 
 
+def _load_aes_256_cbc_pkcs7_der():
+    enveloped = load_vectors_from_file(
+        os.path.join("pkcs7", "aes_256_cbc.der"),
+        loader=lambda pemfile: pemfile.read(),
+        mode="rb",
+    )
+    return enveloped
+
+
 @pytest.mark.supported(
     only_if=lambda backend: backend.pkcs7_supported()
     and backend.rsa_encryption_supported(padding.PKCS1v15()),
@@ -1147,10 +1156,12 @@ def test_pkcs7_decrypt_der(
         self, backend, data, certificate, private_key, options
     ):
         # Encryption
-        encoding = serialization.Encoding.DER
-        enveloped = test_support.pkcs7_encrypt(
-            [certificate], data, b"aes-128-cbc", options, encoding
+        builder = (
+            pkcs7.PKCS7EnvelopeBuilder()
+            .set_data(data)
+            .add_recipient(certificate)
         )
+        enveloped = builder.encrypt(serialization.Encoding.DER, options)
 
         # Test decryption
         decrypted = pkcs7.pkcs7_decrypt_der(
@@ -1165,10 +1176,12 @@ def test_pkcs7_decrypt_pem(
         self, backend, data, certificate, private_key, options
     ):
         # Encryption
-        encoding = serialization.Encoding.PEM
-        enveloped = test_support.pkcs7_encrypt(
-            [certificate], data, b"aes-128-cbc", options, encoding
+        builder = (
+            pkcs7.PKCS7EnvelopeBuilder()
+            .set_data(data)
+            .add_recipient(certificate)
         )
+        enveloped = builder.encrypt(serialization.Encoding.PEM, options)
 
         # Test decryption
         decrypted = pkcs7.pkcs7_decrypt_pem(
@@ -1183,10 +1196,12 @@ def test_pkcs7_decrypt_smime(
         self, backend, data, certificate, private_key, options
     ):
         # Encryption
-        encoding = serialization.Encoding.SMIME
-        enveloped = test_support.pkcs7_encrypt(
-            [certificate], data, b"aes-128-cbc", options, encoding
+        builder = (
+            pkcs7.PKCS7EnvelopeBuilder()
+            .set_data(data)
+            .add_recipient(certificate)
         )
+        enveloped = builder.encrypt(serialization.Encoding.SMIME, options)
 
         # Test decryption
         decrypted = pkcs7.pkcs7_decrypt_smime(
@@ -1198,10 +1213,12 @@ def test_smime_decrypt_no_recipient_match(
         self, backend, data, certificate
     ):
         # Encrypt some data with one RSA chain
-        encoding = serialization.Encoding.DER
-        enveloped = test_support.pkcs7_encrypt(
-            [certificate], data, b"aes-128-cbc", [], encoding
+        builder = (
+            pkcs7.PKCS7EnvelopeBuilder()
+            .set_data(data)
+            .add_recipient(certificate)
         )
+        enveloped = builder.encrypt(serialization.Encoding.DER, [])
 
         # Test decryption with another RSA chain
         another_cert, another_private_key = _load_another_rsa_cert_key()
@@ -1213,10 +1230,7 @@ def test_smime_decrypt_no_recipient_match(
     def test_smime_decrypt_algorithm_not_supported(
         self, backend, data, certificate, private_key
     ):
-        encoding = serialization.Encoding.DER
-        enveloped = test_support.pkcs7_encrypt(
-            [certificate], data, b"aes-256-cbc", [], encoding
-        )
+        enveloped = _load_aes_256_cbc_pkcs7_der()
 
         with pytest.raises(exceptions.UnsupportedAlgorithm):
             pkcs7.pkcs7_decrypt_der(enveloped, certificate, private_key, [])

diff --git a/vectors/cryptography_vectors/pkcs7/aes_256_cbc.der b/vectors/cryptography_vectors/pkcs7/aes_256_cbc.der