Remove one call to into_gil_ref (#10816)

pyca · Apr 15, 2024 · e7a0023 · e7a0023
1 parent b302955
commit e7a0023
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 25 deletions.
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
@@ -11,7 +11,7 @@ use cryptography_x509::{common, oid, pkcs7};
 use once_cell::sync::Lazy;
 #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 use openssl::pkcs7::Pkcs7;
-use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods};
+use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods};
 #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 use pyo3::IntoPy;
 
@@ -160,15 +160,12 @@ fn sign_and_serialize<'p>(
                     },
                 ];
 
-                let digest = ka_vec.add(asn1::write_single(&x509::ocsp::hash_data(
-                    py,
-                    py_hash_alg,
-                    &data_with_header,
-                )?)?);
+                let digest = x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?;
+                let digest_wrapped = ka_vec.add(asn1::write_single(&digest.as_bytes())?);
                 authenticated_attrs.push(Attribute {
                     type_id: PKCS7_MESSAGE_DIGEST_OID,
                     values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([
-                        asn1::parse_single(digest).unwrap(),
+                        asn1::parse_single(digest_wrapped).unwrap(),
                     ])),
                 });
 

diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs
@@ -74,13 +74,15 @@ pub(crate) static HASH_NAME_TO_ALGORITHM_IDENTIFIERS: Lazy<
 
 pub(crate) fn certid_new<'p>(
     py: pyo3::Python<'p>,
+    ka: &'p cryptography_keepalive::KeepAlive<pyo3::pybacked::PyBackedBytes>,
     cert: &'p Certificate,
     issuer: &'p Certificate,
     hash_algorithm: &pyo3::Bound<'p, pyo3::PyAny>,
 ) -> CryptographyResult<CertID<'p>> {
     let issuer_der = asn1::write_single(&cert.raw.borrow_dependent().tbs_cert.issuer)?;
-    let issuer_name_hash = hash_data(py, hash_algorithm, &issuer_der)?;
-    let issuer_key_hash = hash_data(
+    let issuer_name_hash =
+        pyo3::pybacked::PyBackedBytes::from(hash_data(py, hash_algorithm, &issuer_der)?);
+    let issuer_key_hash = pyo3::pybacked::PyBackedBytes::from(hash_data(
         py,
         hash_algorithm,
         issuer
@@ -90,15 +92,15 @@ pub(crate) fn certid_new<'p>(
             .spki
             .subject_public_key
             .as_bytes(),
-    )?;
+    )?);
 
     Ok(CertID {
         hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm
             .getattr(pyo3::intern!(py, "name"))?
             .extract::<&str>()?]
         .clone(),
-        issuer_name_hash,
-        issuer_key_hash,
+        issuer_name_hash: ka.add(issuer_name_hash),
+        issuer_key_hash: ka.add(issuer_key_hash),
         serial_number: cert.raw.borrow_dependent().tbs_cert.serial,
     })
 }
@@ -125,8 +127,8 @@ pub(crate) fn hash_data<'p>(
     py: pyo3::Python<'p>,
     py_hash_alg: &pyo3::Bound<'p, pyo3::PyAny>,
     data: &[u8],
-) -> pyo3::PyResult<&'p [u8]> {
+) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
     let mut h = Hash::new(py, py_hash_alg, None)?;
     h.update_bytes(data)?;
-    Ok(h.finalize(py)?.into_gil_ref().as_bytes())
+    Ok(h.finalize(py)?)
 }
diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs
@@ -173,6 +173,9 @@ fn create_ocsp_request(
     let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?;
     let serial_number_bytes;
 
+    let ka_vec = cryptography_keepalive::KeepAlive::new();
+    let ka_bytes = cryptography_keepalive::KeepAlive::new();
+
     // Declare outside the if-block so the lifetimes are right.
     let (py_cert, py_issuer, py_hash, issuer_name_hash, issuer_key_hash): (
         pyo3::PyRef<'_, x509::certificate::Certificate>,
@@ -183,7 +186,7 @@ fn create_ocsp_request(
     );
     let req_cert = if !builder_request.is_none() {
         (py_cert, py_issuer, py_hash) = builder_request.extract()?;
-        ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash)?
+        ocsp::certid_new(py, &ka_bytes, &py_cert, &py_issuer, &py_hash)?
     } else {
         let py_serial: pyo3::Bound<'_, pyo3::types::PyLong>;
         (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder
@@ -200,9 +203,6 @@ fn create_ocsp_request(
         )?
     };
 
-    let ka_vec = cryptography_keepalive::KeepAlive::new();
-    let ka_bytes = cryptography_keepalive::KeepAlive::new();
-
     let extensions = x509::common::encode_extensions(
         py,
         &ka_vec,

diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs
@@ -10,7 +10,7 @@ use cryptography_x509::{
     ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse},
     oid,
 };
-use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods};
+use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods};
 
 use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid};
 use crate::error::{CryptographyError, CryptographyResult};
@@ -669,18 +669,22 @@ fn create_ocsp_response(
     let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?;
     let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?;
 
+    let ka_vec = cryptography_keepalive::KeepAlive::new();
+    let ka_bytes = cryptography_keepalive::KeepAlive::new();
+
     let responses = vec![SingleResponse {
-        cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?,
+        cert_id: ocsp::certid_new(py, &ka_bytes, &py_cert, &py_issuer, &py_cert_hash_algorithm)?,
         cert_status,
         next_update,
         this_update,
         raw_single_extensions: None,
     }];
 
     borrowed_cert = responder_cert.borrow();
+    let by_key_hash;
     let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) {
         let sha1 = types::SHA1.get(py)?.call0()?;
-        ocsp_resp::ResponderId::ByKey(ocsp::hash_data(
+        by_key_hash = ocsp::hash_data(
             py,
             &sha1,
             borrowed_cert
@@ -690,7 +694,8 @@ fn create_ocsp_response(
                 .spki
                 .subject_public_key
                 .as_bytes(),
-        )?)
+        )?;
+        ocsp_resp::ResponderId::ByKey(by_key_hash.as_bytes())
     } else {
         ocsp_resp::ResponderId::ByName(
             borrowed_cert
@@ -702,9 +707,6 @@ fn create_ocsp_response(
         )
     };
 
-    let ka_vec = cryptography_keepalive::KeepAlive::new();
-    let ka_bytes = cryptography_keepalive::KeepAlive::new();
-
     let tbs_response_data = ocsp_resp::ResponseData {
         version: 0,
         produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?,