Update extremely outdated structures to tolerate relevant versions of CMS and S/MIME

src/rust/cryptography-x509/src/ocsp_resp.rs

@@ -6,11 +6,13 @@ use crate::{certificate, common, crl, extensions, name, ocsp_req};
 
 #[derive(asn1::Asn1Read, asn1::Asn1Write)]
 pub struct OCSPResponse<'a> {
-    pub response_status: asn1::Enumerated,
+    pub response_status: OCSPResponseStatus,
     #[explicit(0)]
     pub response_bytes: Option<ResponseBytes<'a>>,
 }
 
+pub type OCSPResponseStatus = asn1::Enumerated;
+
 #[derive(asn1::Asn1Read, asn1::Asn1Write)]
 pub struct ResponseBytes<'a> {
     pub response_type: asn1::ObjectIdentifier,

src/rust/cryptography-x509/src/pkcs7.rs

@@ -11,9 +11,9 @@ pub const PKCS7_ENCRYPTED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 84
 
 #[derive(asn1::Asn1Write, asn1::Asn1Read)]
 pub struct ContentInfo<'a> {
-    pub _content_type: asn1::DefinedByMarker<asn1::ObjectIdentifier>,
+    pub content_type: asn1::DefinedByMarker<asn1::ObjectIdentifier>,
 
-    #[defined_by(_content_type)]
+    #[defined_by(content_type)]
     pub content: Content<'a>,
 }
 
@@ -39,32 +39,64 @@ pub struct SignedData<'a> {
     >,
     pub content_info: ContentInfo<'a>,
     #[implicit(0)]
-    pub certificates: Option<
-        common::Asn1ReadableOrWritable<
-            asn1::SetOf<'a, certificate::Certificate<'a>>,
-            asn1::SetOfWriter<'a, certificate::Certificate<'a>>,
-        >,
-    >,
+    pub certificates: Option<CertificateSet<'a>>,
 
-    // We don't ever supply any of these, so for now, don't fill out the fields.
     #[implicit(1)]
-    pub crls: Option<
-        common::Asn1ReadableOrWritable<
-            asn1::SetOf<'a, asn1::Sequence<'a>>,
-            asn1::SetOfWriter<'a, asn1::Sequence<'a>>,
-        >,
-    >,
+    pub crls: Option<RevocationInfoChoices<'a>>,
 
     pub signer_infos: common::Asn1ReadableOrWritable<
         asn1::SetOf<'a, SignerInfo<'a>>,
         asn1::SetOfWriter<'a, SignerInfo<'a>>,
     >,
 }
 
+pub type CertificateSet<'a> = common::Asn1ReadableOrWritable<
+    asn1::SetOf<'a, CertificateChoices<'a>>,
+    asn1::SetOfWriter<'a, CertificateChoices<'a>, Vec<CertificateChoices<'a>>>,
+>;
+
+pub type RevocationInfoChoices<'a> = common::Asn1ReadableOrWritable<
+    asn1::SetOf<'a, RevocationInfoChoice<'a>>,
+    asn1::SetOfWriter<'a, RevocationInfoChoice<'a>, Vec<RevocationInfoChoice<'a>>>,
+>;
+
+#[allow(clippy::large_enum_variant)]
+#[derive(asn1::Asn1Write, asn1::Asn1Read)]
+pub enum CertificateChoices<'a> {
+    Certificate(certificate::Certificate<'a>),
+    #[implicit(0)]
+    ExtendedCertificate(asn1::Sequence<'a>),
+    #[implicit(1)]
+    V1AttrCert(asn1::Sequence<'a>),
+    #[implicit(2)]
+    V2AttrCert(asn1::Sequence<'a>),
+    #[implicit(3)]
+    OtherCertificate(OtherCertificateFormat<'a>),
+}
+
+#[derive(asn1::Asn1Write, asn1::Asn1Read)]
+pub struct OtherCertificateFormat<'a> {
+    pub other_cert_format: asn1::ObjectIdentifier,
+    pub other_cert: asn1::Tlv<'a>,
+}
+
+#[derive(asn1::Asn1Write, asn1::Asn1Read)]
+pub enum RevocationInfoChoice<'a> {
+    Crl(asn1::Sequence<'a>),
+    #[implicit(1)]
+    Other(OtherRevocationInfoFormat<'a>),
+}
+
+#[derive(asn1::Asn1Write, asn1::Asn1Read)]
+pub struct OtherRevocationInfoFormat<'a> {
+    pub other_rev_info_format: asn1::ObjectIdentifier,
+    pub other_rev_info: asn1::Tlv<'a>,
+}
+
 #[derive(asn1::Asn1Write, asn1::Asn1Read)]
 pub struct SignerInfo<'a> {
     pub version: u8,
-    pub issuer_and_serial_number: IssuerAndSerialNumber<'a>,
+    pub issuer_and_serial_number: SignerIdentifier<'a>,
     pub digest_algorithm: common::AlgorithmIdentifier<'a>,
     #[implicit(0)]
     pub authenticated_attributes: Option<csr::Attributes<'a>>,
@@ -76,6 +108,13 @@ pub struct SignerInfo<'a> {
     pub unauthenticated_attributes: Option<csr::Attributes<'a>>,
 }
 
+#[derive(asn1::Asn1Write, asn1::Asn1Read)]
+pub enum SignerIdentifier<'a> {
+    IssuerAndSerialNumber(IssuerAndSerialNumber<'a>),
+    #[implicit(0)]
+    SubjectKeyIdentifier(&'a [u8]),
+}
+
 #[derive(asn1::Asn1Write, asn1::Asn1Read)]
 pub struct EnvelopedData<'a> {
     pub version: u8,

src/rust/src/pkcs12.rs

@@ -318,7 +318,7 @@ fn serialize_safebags<'p>(
             )?;
 
             auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo {
-                _content_type: asn1::DefinedByMarker::marker(),
+                content_type: asn1::DefinedByMarker::marker(),
                 content: cryptography_x509::pkcs7::Content::EncryptedData(asn1::Explicit::new(
                     cryptography_x509::pkcs7::EncryptedData {
                         version: 0,
@@ -339,7 +339,7 @@ fn serialize_safebags<'p>(
             shrouded_safebag_contents =
                 asn1::write_single(&asn1::SequenceOfWriter::new(shrouded_safebags))?;
             auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo {
-                _content_type: asn1::DefinedByMarker::marker(),
+                content_type: asn1::DefinedByMarker::marker(),
                 content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new(
                     &shrouded_safebag_contents,
                 ))),
@@ -348,7 +348,7 @@ fn serialize_safebags<'p>(
     } else {
         plain_safebag_contents = asn1::write_single(&asn1::SequenceOfWriter::new(safebags))?;
         auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo {
-            _content_type: asn1::DefinedByMarker::marker(),
+            content_type: asn1::DefinedByMarker::marker(),
             content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new(
                 &plain_safebag_contents,
             ))),
@@ -384,7 +384,7 @@ fn serialize_safebags<'p>(
     let p12 = cryptography_x509::pkcs12::Pfx {
         version: 3,
         auth_safe: cryptography_x509::pkcs7::ContentInfo {
-            _content_type: asn1::DefinedByMarker::marker(),
+            content_type: asn1::DefinedByMarker::marker(),
             content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new(
                 &auth_safe_content,
             ))),

src/rust/src/pkcs7.rs

@@ -61,25 +61,25 @@ fn serialize_certificates<'p>(
 
     let raw_certs = py_certs
         .iter()
-        .map(|c| c.raw.borrow_dependent().clone())
+        .map(|c| pkcs7::CertificateChoices::Certificate(c.raw.borrow_dependent().clone()))
         .collect::<Vec<_>>();
 
     let signed_data = pkcs7::SignedData {
         version: 1,
         digest_algorithms: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(&[])),
         content_info: pkcs7::ContentInfo {
-            _content_type: asn1::DefinedByMarker::marker(),
+            content_type: asn1::DefinedByMarker::marker(),
             content: pkcs7::Content::Data(None),
         },
         certificates: Some(common::Asn1ReadableOrWritable::new_write(
-            asn1::SetOfWriter::new(&raw_certs),
+            asn1::SetOfWriter::new(raw_certs),
         )),
         crls: None,
         signer_infos: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(&[])),
     };
 
     let content_info = pkcs7::ContentInfo {
-        _content_type: asn1::DefinedByMarker::marker(),
+        content_type: asn1::DefinedByMarker::marker(),
         content: pkcs7::Content::SignedData(asn1::Explicit::new(Box::new(signed_data))),
     };
     let content_info_bytes = asn1::write_single(&content_info)?;
@@ -173,7 +173,7 @@ fn encrypt_and_serialize<'p>(
     };
 
     let content_info = pkcs7::ContentInfo {
-        _content_type: asn1::DefinedByMarker::marker(),
+        content_type: asn1::DefinedByMarker::marker(),
         content: pkcs7::Content::EnvelopedData(asn1::Explicit::new(Box::new(enveloped_data))),
     };
     let ci_bytes = asn1::write_single(&content_info)?;
@@ -503,7 +503,7 @@ fn sign_and_serialize<'p>(
     let mut digest_algs = vec![];
     let mut certs = py_certs
         .iter()
-        .map(|p| p.raw.borrow_dependent().clone())
+        .map(|p| pkcs7::CertificateChoices::Certificate(p.raw.borrow_dependent().clone()))
         .collect::<Vec<_>>();
 
     let ka_vec = cryptography_keepalive::KeepAlive::new();
@@ -582,14 +582,18 @@ fn sign_and_serialize<'p>(
         if !digest_algs.contains(&digest_alg) {
             digest_algs.push(digest_alg.clone());
         }
-        certs.push(cert.raw.borrow_dependent().clone());
+        certs.push(pkcs7::CertificateChoices::Certificate(
+            cert.raw.borrow_dependent().clone(),
+        ));
 
         signer_infos.push(pkcs7::SignerInfo {
             version: 1,
-            issuer_and_serial_number: pkcs7::IssuerAndSerialNumber {
-                issuer: cert.raw.borrow_dependent().tbs_cert.issuer.clone(),
-                serial_number: cert.raw.borrow_dependent().tbs_cert.serial,
-            },
+            issuer_and_serial_number: pkcs7::SignerIdentifier::IssuerAndSerialNumber(
+                pkcs7::IssuerAndSerialNumber {
+                    issuer: cert.raw.borrow_dependent().tbs_cert.issuer.clone(),
+                    serial_number: cert.raw.borrow_dependent().tbs_cert.serial,
+                },
+            ),
             digest_algorithm: digest_alg,
             authenticated_attributes: authenticated_attrs,
             digest_encryption_algorithm: compute_pkcs7_signature_algorithm(
@@ -617,14 +621,14 @@ fn sign_and_serialize<'p>(
             &digest_algs,
         )),
         content_info: pkcs7::ContentInfo {
-            _content_type: asn1::DefinedByMarker::marker(),
+            content_type: asn1::DefinedByMarker::marker(),
             content: pkcs7::Content::Data(content.map(asn1::Explicit::new)),
         },
         certificates: if options.contains(types::PKCS7_NO_CERTS.get(py)?)? {
             None
         } else {
             Some(common::Asn1ReadableOrWritable::new_write(
-                asn1::SetOfWriter::new(&certs),
+                asn1::SetOfWriter::new(certs),
             ))
         },
         crls: None,
@@ -634,7 +638,7 @@ fn sign_and_serialize<'p>(
     };
 
     let content_info = pkcs7::ContentInfo {
-        _content_type: asn1::DefinedByMarker::marker(),
+        content_type: asn1::DefinedByMarker::marker(),
         content: pkcs7::Content::SignedData(asn1::Explicit::new(Box::new(signed_data))),
     };
     let ci_bytes = asn1::write_single(&content_info)?;
@@ -800,7 +804,9 @@ fn load_pkcs7_certificates_rust(
             ));
         };
         for c in certs.unwrap_read().clone() {
-            cb(c)?;
+            if let pkcs7::CertificateChoices::Certificate(cert) = c {
+                cb(cert)?;
+            }
         }
 
         Ok(())