Merge pull request #36 from trailofbits/dm/simplify-imports
Simplify the public API usage
DarkaMaul authored Oct 23, 2024
2 parents 493c647 + f4436be commit de7f0c5
Showing 3 changed files with 54 additions and 20 deletions.
33 changes: 32 additions & 1 deletion src/rfc3161_client/__init__.py
@@ -1,3 +1,34 @@
"""RFC3161 Client."""
"""rfc3161-client"""

from .base import decode_timestamp_response
from .errors import VerificationError
from .tsp import (
Accuracy,
MessageImprint,
PKIStatus,
SignedData,
SignerInfo,
TimeStampRequest,
TimeStampResponse,
TimeStampTokenInfo,
)
from .verify import VerifyOpts, create_verify_opts, verify_signed_data, verify_timestamp_response

__all__ = [
"decode_timestamp_response",
"verify_signed_data",
"verify_timestamp_response",
"create_verify_opts",
"VerifyOpts",
"VerificationError",
"TimeStampRequest",
"TimeStampResponse",
"TimeStampTokenInfo",
"MessageImprint",
"PKIStatus",
"Accuracy",
"SignedData",
"SignerInfo",
]

__version__ = "0.0.1"
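Review bot: The new `__all__` leaves out `HashAlgorithm` and `TimestampRequestBuilder`, both of which `src/rfc3161_client/base.py` defines (its `class HashAlgorithm` and the `TimestampRequestBuilder` returned from `nonce`), so a caller who wants to build a request still has to import from `rfc3161_client.base` even though the commit's stated goal is a simpler top-level API. If the builder is meant to be public, extend the import to `from .base import HashAlgorithm, TimestampRequestBuilder, decode_timestamp_response` and add both names to `__all__`; if it is deliberately not exported, a sentence in the module docstring saying that `base` is not part of the supported surface would remove the ambiguity. The replacement docstring `"""rfc3161-client"""` only repeats the package name; a one-line description of what the package provides (RFC 3161 timestamp request building, response decoding and verification, as the exports show) would serve readers of `help(rfc3161_client)` better.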
25 changes: 7 additions & 18 deletions src/rfc3161_client/base.py
Expand Up @@ -3,9 +3,12 @@
from __future__ import annotations

import enum
from typing import TYPE_CHECKING

from rfc3161_client import _rust, tsp
from rfc3161_client._rust import verify as _rust_verify
from rfc3161_client import _rust

if TYPE_CHECKING:
from rfc3161_client.tsp import TimeStampRequest, TimeStampResponse


class HashAlgorithm(enum.Enum):
Expand Down Expand Up @@ -67,7 +70,7 @@ def nonce(self, *, nonce: bool = True) -> TimestampRequestBuilder:

return TimestampRequestBuilder(self._data, self._algorithm, nonce, self._cert_req)

def build(self) -> tsp.TimeStampRequest:
def build(self) -> TimeStampRequest:
"""Build a TimestampRequest."""
if self._data is None:
msg = "Data must be for a Timestamp Request."
Expand All @@ -83,20 +86,6 @@ def build(self) -> tsp.TimeStampRequest:
)


def decode_timestamp_response(data: bytes) -> tsp.TimeStampResponse:
def decode_timestamp_response(data: bytes) -> TimeStampResponse:
"""Decode a Timestamp response."""
return _rust.parse_timestamp_response(data)


def verify_signed_data(sig: bytes, certificates: set[bytes]) -> None:
"""Verify signed data.
This function verify that the bytes used a signature are signed by a certificate
trusted in the `certificates` list.
The function does not return anything, but raises an exception if the verification fails.
:param sig: Bytes of a PKCS7 object. This must be in DER format and will be unserialized.
:param certificates: A list of trusted certificates to verify the response against.
:raise: ValueError if the signature verification fails.
"""
return _rust_verify.pkcs7_verify(sig, list(certificates))
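Review bot: `decode_timestamp_response` is now the package's only top-level entry point for parsing a TSA response, and its one-line docstring says neither what `data` must be nor what happens on malformed input; a response received from a TSA is externally supplied input, so that contract is what callers need to handle it defensively. Suggest extending the docstring to state that `data` is the DER-encoded TimeStampResp bytes and to name the exception `_rust.parse_timestamp_response` raises on malformed input — the binding is not visible in this diff, so confirm the type against the Rust side before documenting it. The retyping of `build` to `TimeStampRequest` under `TYPE_CHECKING` is sound here because the file has `from __future__ import annotations`, so the guarded import is never evaluated at runtime; this hunk's `TimestampRequestBuilder` class starts above the hunk.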
16 changes: 15 additions & 1 deletion src/rfc3161_client/verify.py
Expand Up @@ -7,7 +7,7 @@
import cryptography.x509
from cryptography.hazmat.primitives._serialization import Encoding

from rfc3161_client.base import verify_signed_data
from rfc3161_client._rust import verify as _rust_verify
from rfc3161_client.errors import VerificationError
from rfc3161_client.tsp import PKIStatus, TimeStampRequest, TimeStampResponse

Expand Down Expand Up @@ -45,6 +45,20 @@ def create_verify_opts(
)


def verify_signed_data(sig: bytes, certificates: set[bytes]) -> None:
"""Verify signed data.
This function verifies that the bytes used in a signature are signed by a certificate
trusted in the `certificates` list.
The function does not return anything, but raises an exception if the verification fails.
:param sig: Bytes of a PKCS7 object. This must be in DER format and will be unserialized.
:param certificates: A list of trusted certificates to verify the response against.
:raise: ValueError if the signature verification fails.
"""
return _rust_verify.pkcs7_verify(sig, list(certificates))


def _verify_leaf_certs(tsp_response: TimeStampResponse, opts: VerifyOpts) -> bool:
if opts.tsa_certificate is None and len(tsp_response.signed_data.certificates) == 0:
msg = "Certificates neither found in the answer or in the opts."