Remove all remaining uses of as_borrowed() (#10801)

src/rust/src/backend/dsa.rs

@@ -72,8 +72,7 @@ impl DsaPrivateKey {
         data: CffiBuf<'_>,
         algorithm: pyo3::Bound<'_, pyo3::PyAny>,
     ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
-        let (data, _) =
-            utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?;
+        let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm)?;
 
         let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?;
         signer.sign_init()?;
@@ -159,8 +158,7 @@ impl DsaPublicKey {
         data: CffiBuf<'_>,
         algorithm: pyo3::Bound<'_, pyo3::PyAny>,
     ) -> CryptographyResult<()> {
-        let (data, _) =
-            utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?;
+        let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm)?;
 
         let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?;
         verifier.verify_init()?;

src/rust/src/backend/ec.rs

@@ -403,9 +403,7 @@ impl ECPublicKey {
         let (data, _) = utils::calculate_digest_and_algorithm(
             py,
             data.as_bytes(),
-            &signature_algorithm
-                .as_borrowed()
-                .getattr(pyo3::intern!(py, "algorithm"))?,
+            &signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?,
         )?;
 
         let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?;

src/rust/src/backend/hmac.rs

@@ -24,7 +24,7 @@ impl Hmac {
         key: &[u8],
         algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
     ) -> CryptographyResult<Hmac> {
-        let md = message_digest_from_algorithm(py, &algorithm.as_borrowed())?;
+        let md = message_digest_from_algorithm(py, algorithm)?;
         let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| {
             exceptions::UnsupportedAlgorithm::new_err((
                 "Digest is not supported for HMAC",

src/rust/src/backend/rsa.rs

@@ -10,7 +10,6 @@ use crate::buf::CffiBuf;
 use crate::error::{CryptographyError, CryptographyResult};
 use crate::{exceptions, types};
 use pyo3::prelude::{PyAnyMethods, PyModuleMethods};
-use pyo3::PyNativeType;
 
 #[pyo3::prelude::pyclass(
     frozen,
@@ -295,14 +294,7 @@ impl RsaPrivateKey {
         ctx.sign_init().map_err(|_| {
             pyo3::exceptions::PyValueError::new_err("Unable to sign/verify with this key")
         })?;
-        setup_signature_ctx(
-            py,
-            &mut ctx,
-            padding,
-            &algorithm.as_borrowed(),
-            self.pkey.size(),
-            true,
-        )?;
+        setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), true)?;
 
         let length = ctx.sign(data, None)?;
         Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| {
@@ -440,14 +432,7 @@ impl RsaPublicKey {
 
         let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?;
         ctx.verify_init()?;
-        setup_signature_ctx(
-            py,
-            &mut ctx,
-            padding,
-            &algorithm.as_borrowed(),
-            self.pkey.size(),
-            false,
-        )?;
+        setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), false)?;
 
         let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false);
         if !valid {
@@ -487,7 +472,7 @@ impl RsaPublicKey {
         padding: &pyo3::Bound<'_, pyo3::PyAny>,
         algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
     ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
-        if algorithm.is_instance(&types::PREHASHED.get(py)?.as_borrowed())? {
+        if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? {
             return Err(CryptographyError::from(
                 pyo3::exceptions::PyTypeError::new_err(
                     "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.",

src/rust/src/backend/utils.rs

@@ -365,7 +365,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>(
     } else {
         // Potential optimization: rather than allocate a PyBytes in
         // `h.finalize()`, have a way to get the `DigestBytes` directly.
-        let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?;
+        let mut h = Hash::new(py, algorithm, None)?;
         h.update_bytes(data)?;
         data = h.finalize(py)?.into_gil_ref().as_bytes();
     }

src/rust/src/pkcs7.rs

@@ -280,7 +280,7 @@ fn compute_pkcs7_signature_algorithm<'p>(
     hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>,
     rsa_padding: pyo3::Bound<'p, pyo3::PyAny>,
 ) -> pyo3::PyResult<common::AlgorithmIdentifier<'static>> {
-    let key_type = x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())?;
+    let key_type = x509::sign::identify_key_type(py, private_key.clone())?;
     let has_pss_padding = rsa_padding.is_instance(&types::PSS.get_bound(py)?)?;
     // For RSA signatures (with no PSS padding), the OID is always the same no matter the
     // digest algorithm. See RFC 3370 (section 3.2).
@@ -290,12 +290,7 @@ fn compute_pkcs7_signature_algorithm<'p>(
             params: common::AlgorithmParameters::Rsa(Some(())),
         })
     } else {
-        x509::sign::compute_signature_algorithm(
-            py,
-            private_key.as_borrowed().to_owned(),
-            hash_algorithm.as_borrowed().to_owned(),
-            rsa_padding.as_borrowed().to_owned(),
-        )
+        x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)
     }
 }
 

src/rust/src/x509/common.rs

@@ -76,10 +76,7 @@ pub(crate) fn encode_name_entry<'p>(
             .getattr(pyo3::intern!(py, "value"))?
             .extract()?
     };
-    let py_oid = py_name_entry
-        .getattr(pyo3::intern!(py, "oid"))?
-        .as_borrowed()
-        .to_owned();
+    let py_oid = py_name_entry.getattr(pyo3::intern!(py, "oid"))?;
     let oid = py_oid_to_oid(py_oid)?;
 
     Ok(AttributeTypeValue {
@@ -129,10 +126,7 @@ pub(crate) fn encode_general_name<'a>(
         let name = encode_name(py, &gn_value)?;
         Ok(GeneralName::DirectoryName(name))
     } else if gn_type.is(types::OTHER_NAME.get(py)?) {
-        let py_oid = gn
-            .getattr(pyo3::intern!(py, "type_id"))?
-            .as_borrowed()
-            .to_owned();
+        let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?;
         Ok(GeneralName::OtherName(OtherName {
             type_id: py_oid_to_oid(py_oid)?,
             value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| {
@@ -151,7 +145,7 @@ pub(crate) fn encode_general_name<'a>(
                 .extract::<&[u8]>()?,
         ))
     } else if gn_type.is(types::REGISTERED_ID.get(py)?) {
-        let oid = py_oid_to_oid(gn_value.as_borrowed().to_owned())?;
+        let oid = py_oid_to_oid(gn_value)?;
         Ok(GeneralName::RegisteredID(oid))
     } else {
         Err(CryptographyError::from(
@@ -167,10 +161,7 @@ pub(crate) fn encode_access_descriptions<'a>(
     let mut ads = vec![];
     for py_ad in py_ads.iter()? {
         let py_ad = py_ad?;
-        let py_oid = py_ad
-            .getattr(pyo3::intern!(py, "access_method"))?
-            .as_borrowed()
-            .to_owned();
+        let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?;
         let access_method = py_oid_to_oid(py_oid)?;
         let access_location =
             encode_general_name(py, &py_ad.getattr(pyo3::intern!(py, "access_location"))?)?;
@@ -429,10 +420,7 @@ pub(crate) fn encode_extensions<
     let mut exts = vec![];
     for py_ext in py_exts.iter()? {
         let py_ext = py_ext?;
-        let py_oid = py_ext
-            .getattr(pyo3::intern!(py, "oid"))?
-            .as_borrowed()
-            .to_owned();
+        let py_oid = py_ext.getattr(pyo3::intern!(py, "oid"))?;
         let oid = py_oid_to_oid(py_oid)?;
 
         let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?;

src/rust/src/x509/crl.rs

@@ -179,7 +179,7 @@ impl CertificateRevocationList {
     ) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
         let data = self.public_bytes_der()?;
 
-        let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?;
+        let mut h = Hash::new(py, &algorithm, None)?;
         h.update_bytes(&data)?;
         Ok(h.finalize(py)?)
     }
@@ -295,16 +295,14 @@ impl CertificateRevocationList {
                 "Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc.",
                 1,
             )?;
-        Ok(x509::datetime_to_py(
+        x509::datetime_to_py(
             py,
             self.owned
                 .borrow_dependent()
                 .tbs_cert_list
                 .this_update
                 .as_datetime(),
-        )?
-        .as_borrowed()
-        .to_owned())
+        )
     }
 
     #[getter]
@@ -573,12 +571,10 @@ impl RevokedCertificate {
                 "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.",
                 1,
             )?;
-        Ok(x509::datetime_to_py(
+        x509::datetime_to_py(
             py,
             self.owned.borrow_dependent().revocation_date.as_datetime(),
-        )?
-        .as_borrowed()
-        .to_owned())
+        )
     }
 
     #[getter]
@@ -682,10 +678,7 @@ fn create_x509_crl(
         revoked_certs.push(crl::RevokedCertificate {
             user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?)
                 .unwrap(),
-            revocation_date: x509::certificate::time_from_py(
-                py,
-                &py_revocation_date.as_borrowed(),
-            )?,
+            revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?,
             raw_crl_entry_extensions: x509::common::encode_extensions(
                 py,
                 &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?,
@@ -700,12 +693,9 @@ fn create_x509_crl(
     let tbs_cert_list = crl::TBSCertList {
         version: Some(1),
         signature: sigalg.clone(),
-        issuer: x509::common::encode_name(py, &py_issuer_name.as_borrowed())?,
-        this_update: x509::certificate::time_from_py(py, &py_this_update.as_borrowed())?,
-        next_update: Some(x509::certificate::time_from_py(
-            py,
-            &py_next_update.as_borrowed(),
-        )?),
+        issuer: x509::common::encode_name(py, &py_issuer_name)?,
+        this_update: x509::certificate::time_from_py(py, &py_this_update)?,
+        next_update: Some(x509::certificate::time_from_py(py, &py_next_update)?),
         revoked_certificates: if revoked_certs.is_empty() {
             None
         } else {
@@ -723,9 +713,9 @@ fn create_x509_crl(
     let tbs_bytes = asn1::write_single(&tbs_cert_list)?;
     let signature = x509::sign::sign_data(
         py,
-        private_key.as_borrowed().to_owned(),
-        hash_algorithm.as_borrowed().to_owned(),
-        rsa_padding.as_borrowed().to_owned(),
+        private_key.clone(),
+        hash_algorithm.clone(),
+        rsa_padding.clone(),
         &tbs_bytes,
     )?;
     let data = asn1::write_single(&crl::CertificateRevocationList {

src/rust/src/x509/csr.rs

@@ -360,7 +360,7 @@ fn create_x509_csr(
 
     let csr_info = CertificationRequestInfo {
         version: 0,
-        subject: x509::common::encode_name(py, &py_subject_name.as_borrowed())?,
+        subject: x509::common::encode_name(py, &py_subject_name)?,
         spki: asn1::parse_single(&spki_bytes)?,
         attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)),
     };