Misc oscp pyo3 migrations

src/rust/src/pkcs7.rs

@@ -134,71 +134,73 @@ fn sign_and_serialize<'p>(
         .map(|p| p.raw.borrow_dependent())
         .collect::<Vec<_>>();
     for (cert, py_private_key, py_hash_alg, rsa_padding) in &py_signers {
-        let (authenticated_attrs, signature) = if options
-            .contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)?
-        {
-            (
-                None,
-                x509::sign::sign_data(
+        let (authenticated_attrs, signature) =
+            if options.contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? {
+                (
+                    None,
+                    x509::sign::sign_data(
+                        py,
+                        py_private_key.as_borrowed().to_owned(),
+                        py_hash_alg.as_borrowed().to_owned(),
+                        rsa_padding.as_borrowed().to_owned(),
+                        &data_with_header,
+                    )?,
+                )
+            } else {
+                let mut authenticated_attrs = vec![
+                    Attribute {
+                        type_id: PKCS7_CONTENT_TYPE_OID,
+                        values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(
+                            [asn1::parse_single(&content_type_bytes).unwrap()],
+                        )),
+                    },
+                    Attribute {
+                        type_id: PKCS7_SIGNING_TIME_OID,
+                        values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(
+                            [asn1::parse_single(&signing_time_bytes).unwrap()],
+                        )),
+                    },
+                ];
+
+                let digest = asn1::write_single(&x509::ocsp::hash_data(
                     py,
-                    py_private_key.as_borrowed().to_owned(),
-                    py_hash_alg.as_borrowed().to_owned(),
-                    rsa_padding.as_borrowed().to_owned(),
+                    &py_hash_alg.as_borrowed(),
                     &data_with_header,
-                )?,
-            )
-        } else {
-            let mut authenticated_attrs = vec![
-                Attribute {
-                    type_id: PKCS7_CONTENT_TYPE_OID,
-                    values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([
-                        asn1::parse_single(&content_type_bytes).unwrap(),
-                    ])),
-                },
-                Attribute {
-                    type_id: PKCS7_SIGNING_TIME_OID,
-                    values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([
-                        asn1::parse_single(&signing_time_bytes).unwrap(),
-                    ])),
-                },
-            ];
-
-            let digest =
-                asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?)?;
-            // Gross hack: copy to PyBytes to extend the lifetime to 'p
-            let digest_bytes = pyo3::types::PyBytes::new(py, &digest);
-            authenticated_attrs.push(Attribute {
-                type_id: PKCS7_MESSAGE_DIGEST_OID,
-                values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([
-                    asn1::parse_single(digest_bytes.as_bytes()).unwrap(),
-                ])),
-            });
-
-            if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? {
+                )?)?;
+                // Gross hack: copy to PyBytes to extend the lifetime to 'p
+                let digest_bytes = pyo3::types::PyBytes::new(py, &digest);
                 authenticated_attrs.push(Attribute {
-                    type_id: PKCS7_SMIME_CAP_OID,
+                    type_id: PKCS7_MESSAGE_DIGEST_OID,
                     values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([
-                        asn1::parse_single(&smime_cap_bytes).unwrap(),
+                        asn1::parse_single(digest_bytes.as_bytes()).unwrap(),
                     ])),
                 });
-            }
-
-            let signed_data =
-                asn1::write_single(&asn1::SetOfWriter::new(authenticated_attrs.as_slice()))?;
 
-            (
-                Some(common::Asn1ReadableOrWritable::new_write(
-                    asn1::SetOfWriter::new(authenticated_attrs),
-                )),
-                x509::sign::sign_data(
-                    py,
-                    py_private_key.as_borrowed().to_owned(),
-                    py_hash_alg.as_borrowed().to_owned(),
-                    rsa_padding.as_borrowed().to_owned(),
-                    &signed_data,
-                )?,
-            )
-        };
+                if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? {
+                    authenticated_attrs.push(Attribute {
+                        type_id: PKCS7_SMIME_CAP_OID,
+                        values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(
+                            [asn1::parse_single(&smime_cap_bytes).unwrap()],
+                        )),
+                    });
+                }
+
+                let signed_data =
+                    asn1::write_single(&asn1::SetOfWriter::new(authenticated_attrs.as_slice()))?;
+
+                (
+                    Some(common::Asn1ReadableOrWritable::new_write(
+                        asn1::SetOfWriter::new(authenticated_attrs),
+                    )),
+                    x509::sign::sign_data(
+                        py,
+                        py_private_key.as_borrowed().to_owned(),
+                        py_hash_alg.as_borrowed().to_owned(),
+                        rsa_padding.as_borrowed().to_owned(),
+                        &signed_data,
+                    )?,
+                )
+            };
 
         let digest_alg = x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[py_hash_alg
             .getattr(pyo3::intern!(py, "name"))?

src/rust/src/x509/ocsp.rs

@@ -7,7 +7,7 @@ use std::collections::HashMap;
 use cryptography_x509::common;
 use cryptography_x509::ocsp_req::CertID;
 use once_cell::sync::Lazy;
-use pyo3::PyNativeType;
+use pyo3::prelude::PyAnyMethods;
 
 use crate::backend::hashes::Hash;
 use crate::error::CryptographyResult;
@@ -76,7 +76,7 @@ pub(crate) fn certid_new<'p>(
     py: pyo3::Python<'p>,
     cert: &'p Certificate,
     issuer: &'p Certificate,
-    hash_algorithm: &'p pyo3::PyAny,
+    hash_algorithm: &pyo3::Bound<'p, pyo3::PyAny>,
 ) -> CryptographyResult<CertID<'p>> {
     let issuer_der = asn1::write_single(&cert.raw.borrow_dependent().tbs_cert.issuer)?;
     let issuer_name_hash = hash_data(py, hash_algorithm, &issuer_der)?;
@@ -123,10 +123,10 @@ pub(crate) fn certid_new_from_hash<'p>(
 
 pub(crate) fn hash_data<'p>(
     py: pyo3::Python<'p>,
-    py_hash_alg: &'p pyo3::PyAny,
+    py_hash_alg: &pyo3::Bound<'p, pyo3::PyAny>,
     data: &[u8],
 ) -> pyo3::PyResult<&'p [u8]> {
-    let mut h = Hash::new(py, &py_hash_alg.as_borrowed(), None)?;
+    let mut h = Hash::new(py, py_hash_alg, None)?;
     h.update_bytes(data)?;
     Ok(h.finalize(py)?.into_gil_ref().as_bytes())
 }

src/rust/src/x509/ocsp_req.rs

@@ -8,6 +8,7 @@ use cryptography_x509::{
     oid,
 };
 use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods};
+use pyo3::PyNativeType;
 
 use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes};
 use crate::error::{CryptographyError, CryptographyResult};
@@ -187,7 +188,7 @@ fn create_ocsp_request(
         py_cert = tuple.0;
         py_issuer = tuple.1;
         py_hash = tuple.2;
-        ocsp::certid_new(py, &py_cert, &py_issuer, py_hash)?
+        ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash.as_borrowed())?
     } else {
         let (issuer_name_hash, issuer_key_hash, py_serial, py_hash): (
             &[u8],

src/rust/src/x509/ocsp_resp.rs

@@ -11,7 +11,6 @@ use cryptography_x509::{
     oid,
 };
 use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods};
-use pyo3::PyNativeType;
 
 use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid};
 use crate::error::{CryptographyError, CryptographyResult};
@@ -578,10 +577,10 @@ fn singleresp_py_revocation_time<'p>(
 #[pyo3::prelude::pyfunction]
 fn create_ocsp_response(
     py: pyo3::Python<'_>,
-    status: &pyo3::PyAny,
-    builder: &pyo3::PyAny,
-    private_key: &pyo3::PyAny,
-    hash_algorithm: &pyo3::PyAny,
+    status: &pyo3::Bound<'_, pyo3::PyAny>,
+    builder: &pyo3::Bound<'_, pyo3::PyAny>,
+    private_key: &pyo3::Bound<'_, pyo3::PyAny>,
+    hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
 ) -> CryptographyResult<OCSPResponse> {
     let response_status = status
         .getattr(pyo3::intern!(py, "value"))?
@@ -656,7 +655,7 @@ fn create_ocsp_response(
         )?)?;
 
         let responses = vec![SingleResponse {
-            cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, py_cert_hash_algorithm)?,
+            cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?,
             cert_status,
             next_update,
             this_update,
@@ -665,10 +664,10 @@ fn create_ocsp_response(
 
         borrowed_cert = responder_cert.borrow();
         let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) {
-            let sha1 = types::SHA1.get(py)?.call0()?;
+            let sha1 = types::SHA1.get_bound(py)?.call0()?;
             ocsp_resp::ResponderId::ByKey(ocsp::hash_data(
                 py,
-                sha1,
+                &sha1,
                 borrowed_cert
                     .raw
                     .borrow_dependent()
@@ -697,7 +696,10 @@ fn create_ocsp_response(
             )),
             raw_response_extensions: x509::common::encode_extensions(
                 py,
-                builder.getattr(pyo3::intern!(py, "_extensions"))?,
+                builder
+                    .getattr(pyo3::intern!(py, "_extensions"))?
+                    .clone()
+                    .into_gil_ref(),
                 extensions::encode_extension,
             )?,
         };