From 03eb6b4a11bfbf8b8e6047bafee303fde7608038 Mon Sep 17 00:00:00 2001
From: Alexis
Date: Wed, 23 Oct 2024 15:52:19 +0200
Subject: [PATCH 1/2] Simplify the imports by exposing the public API in __init__
---
 src/rfc3161_client/__init__.py | 37 +++++++++++++++++++++++++++++++++-
 src/rfc3161_client/base.py | 25 +++++++----------------
 src/rfc3161_client/verify.py | 16 ++++++++++++++-
 3 files changed, 58 insertions(+), 20 deletions(-)
diff --git a/src/rfc3161_client/__init__.py b/src/rfc3161_client/__init__.py
index 4b63aeb..4f36df6 100644
--- a/src/rfc3161_client/__init__.py
+++ b/src/rfc3161_client/__init__.py
@@ -1,3 +1,38 @@
-"""RFC3161 Client."""
+"""rfc3161-client"""
+
+from .base import decode_timestamp_response
+from .errors import VerificationError
+from .tsp import (
+ Accuracy,
+ MessageImprint,
+ PKIStatus,
+ SignedData,
+ SignerInfo,
+ TimeStampRequest,
+ TimeStampResponse,
+ TimeStampTokenInfo,
+)
+from .verify import VerifyOpts, create_verify_opts, verify_signed_data, verify_timestamp_response
+
+__all__ = [
+ # From base.py
+ "decode_timestamp_response",
+ # From verify.py
+ "verify_signed_data",
+ "verify_timestamp_response",
+ "create_verify_opts",
+ "VerifyOpts",
+ # From errors.py
+ "VerificationError",
+ # From tsp.py
+ "TimeStampRequest",
+ "TimeStampResponse",
+ "TimeStampTokenInfo",
+ "MessageImprint",
+ "PKIStatus",
+ "Accuracy",
+ "SignedData",
+ "SignerInfo",
+]
 __version__ = "0.0.1"
diff --git a/src/rfc3161_client/base.py b/src/rfc3161_client/base.py
index adedd0c..9809276 100644
--- a/src/rfc3161_client/base.py
+++ b/src/rfc3161_client/base.py
@@ -3,9 +3,12 @@
 from __future__ import annotations
 import enum
+from typing import TYPE_CHECKING
-from rfc3161_client import _rust, tsp
-from rfc3161_client._rust import verify as _rust_verify
+from rfc3161_client import _rust
+
+if TYPE_CHECKING:
+ from rfc3161_client.tsp import TimeStampRequest, TimeStampResponse
 class HashAlgorithm(enum.Enum):
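Review bot: The new `__all__` in `src/rfc3161_client/__init__.py` leaves out `TimestampRequestBuilder` and `HashAlgorithm`, both of which live in `base.py` (they appear in the base.py hunks of this patch). Building a request therefore still needs a `rfc3161_client.base` import, while decoding and verifying are available from the package root. If the two names are meant to be public, extend the import to `from .base import HashAlgorithm, TimestampRequestBuilder, decode_timestamp_response` and add both to `__all__`. If they are deliberately kept out, a one-line comment above `__all__` saying so would stop the next reader from treating it as an oversight.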
@@ -67,7 +70,7 @@ def nonce(self, *, nonce: bool = True) -> TimestampRequestBuilder:
 return TimestampRequestBuilder(self._data, self._algorithm, nonce, self._cert_req)
- def build(self) -> tsp.TimeStampRequest:
+ def build(self) -> TimeStampRequest:
 """Build a TimestampRequest."""
 if self._data is None:
 msg = "Data must be for a Timestamp Request."
@@ -83,20 +86,6 @@ def build(self) -> tsp.TimeStampRequest:
 )
-def decode_timestamp_response(data: bytes) -> tsp.TimeStampResponse:
+def decode_timestamp_response(data: bytes) -> TimeStampResponse:
 """Decode a Timestamp response."""
 return _rust.parse_timestamp_response(data)
-
-
-def verify_signed_data(sig: bytes, certificates: set[bytes]) -> None:
- """Verify signed data.
-
- This function verify that the bytes used a signature are signed by a certificate
- trusted in the `certificates` list.
- The function does not return anything, but raises an exception if the verification fails.
-
- :param sig: Bytes of a PKCS7 object. This must be in DER format and will be unserialized.
- :param certificates: A list of trusted certificates to verify the response against.
- :raise: ValueError if the signature verification fails.
- """
- return _rust_verify.pkcs7_verify(sig, list(certificates))
diff --git a/src/rfc3161_client/verify.py b/src/rfc3161_client/verify.py
index 922b3c0..2f108da 100644
--- a/src/rfc3161_client/verify.py
+++ b/src/rfc3161_client/verify.py
@@ -7,7 +7,7 @@
 import cryptography.x509
 from cryptography.hazmat.primitives._serialization import Encoding
-from rfc3161_client.base import verify_signed_data
+from rfc3161_client._rust import verify as _rust_verify
 from rfc3161_client.errors import VerificationError
 from rfc3161_client.tsp import PKIStatus, TimeStampRequest, TimeStampResponse
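Review bot: In the `@@ -83,20 +86,6 @@` hunk of `base.py`, `decode_timestamp_response` keeps its one-line docstring although this series makes it a top-level export, and its `data` argument is normally bytes received from a TSA. The docstring should say that the function only parses, for example `"""Decode a Timestamp response. This does not verify it; call verify_timestamp_response before trusting its contents."""`. A `:raise:` line for malformed input would help too, once the exception raised by `_rust.parse_timestamp_response` is confirmed, since it is not visible in this hunk. The same hunk removes `verify_signed_data` from `base` without leaving an alias, so an existing `from rfc3161_client.base import verify_signed_data` would stop working; that deserves a changelog entry.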
@@ -45,6 +45,20 @@ def create_verify_opts(
 )
+def verify_signed_data(sig: bytes, certificates: set[bytes]) -> None:
+ """Verify signed data.
+
+ This function verify that the bytes used a signature are signed by a certificate
+ trusted in the `certificates` list.
+ The function does not return anything, but raises an exception if the verification fails.
+
+ :param sig: Bytes of a PKCS7 object. This must be in DER format and will be unserialized.
+ :param certificates: A list of trusted certificates to verify the response against.
+ :raise: ValueError if the signature verification fails.
+ """
+ return _rust_verify.pkcs7_verify(sig, list(certificates))
+
+
 def _verify_leaf_certs(tsp_response: TimeStampResponse, opts: VerifyOpts) -> bool:
 if opts.tsa_certificate is None and len(tsp_response.signed_data.certificates) == 0:
 msg = "Certificates neither found in the answer or in the opts."
From f4436be1f96f80feb7ecfc3376c748c3c6b6f802 Mon Sep 17 00:00:00 2001
From: dm
Date: Wed, 23 Oct 2024 16:40:06 +0200
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Facundo Tuesca
---
 src/rfc3161_client/__init__.py | 4 ----
 src/rfc3161_client/verify.py | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/rfc3161_client/__init__.py b/src/rfc3161_client/__init__.py
index 4f36df6..d3da112 100644
--- a/src/rfc3161_client/__init__.py
+++ b/src/rfc3161_client/__init__.py
@@ -15,16 +15,12 @@
 from .verify import VerifyOpts, create_verify_opts, verify_signed_data, verify_timestamp_response
 __all__ = [
- # From base.py
 "decode_timestamp_response",
- # From verify.py
 "verify_signed_data",
 "verify_timestamp_response",
 "create_verify_opts",
 "VerifyOpts",
- # From errors.py
 "VerificationError",
- # From tsp.py
 "TimeStampRequest",
 "TimeStampResponse",
 "TimeStampTokenInfo",
diff --git a/src/rfc3161_client/verify.py b/src/rfc3161_client/verify.py
index 2f108da..666e426 100644
--- a/src/rfc3161_client/verify.py
+++ b/src/rfc3161_client/verify.py
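Review bot: The docstring of `verify_signed_data`, added to `verify.py` in the `@@ -45,6 +45,20 @@` hunk, promises `ValueError` on failure, yet this module imports `VerificationError` and the package now exports both names side by side. A caller who catches only `VerificationError` would presumably let a failed PKCS7 check propagate as an unexpected error. Either translate the error, for example `except ValueError as e: raise VerificationError("PKCS7 verification failed") from e`, or keep `ValueError` and state in the `:raise:` line that `VerificationError` is not used here. The docstring also calls `certificates` a list although the annotation is `set[bytes]`, and it does not say which encoding each certificate must use or what happens with an empty set; because `pkcs7_verify` is not visible here, a guard such as `if not certificates: raise ValueError("no trusted certificates supplied")` would make that case unambiguous. The function is annotated `-> None`, so the `return` in front of the `pkcs7_verify` call can be dropped.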
@@ -48,7 +48,7 @@ def create_verify_opts(
 def verify_signed_data(sig: bytes, certificates: set[bytes]) -> None:
 """Verify signed data.
- This function verify that the bytes used a signature are signed by a certificate
+ This function verifies that the bytes used in a signature are signed by a certificate
 trusted in the `certificates` list.
 The function does not return anything, but raises an exception if the verification fails.