Fixed two lifetime errors in common.rs with gil-refs disabled (#1…

…0811)

src/rust/src/x509/certificate.rs

@@ -918,6 +918,9 @@ fn create_x509_certificate(
     let py_not_before = builder.getattr(pyo3::intern!(py, "_not_valid_before"))?;
     let py_not_after = builder.getattr(pyo3::intern!(py, "_not_valid_after"))?;
 
+    let ka_vec = cryptography_keepalive::KeepAlive::new();
+    let ka_bytes = cryptography_keepalive::KeepAlive::new();
+
     let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?;
     let tbs_cert = cryptography_x509::certificate::TbsCertificate {
         version: builder
@@ -937,6 +940,8 @@ fn create_x509_certificate(
         subject_unique_id: None,
         raw_extensions: x509::common::encode_extensions(
             py,
+            &ka_vec,
+            &ka_bytes,
             &builder.getattr(pyo3::intern!(py, "_extensions"))?,
             extensions::encode_extension,
         )?,

src/rust/src/x509/common.rs

@@ -410,6 +410,8 @@ pub(crate) fn encode_extensions<
     ) -> CryptographyResult<Option<Vec<u8>>>,
 >(
     py: pyo3::Python<'p>,
+    ka_vec: &'p cryptography_keepalive::KeepAlive<Vec<u8>>,
+    ka_bytes: &'p cryptography_keepalive::KeepAlive<pyo3::pybacked::PyBackedBytes>,
     py_exts: &pyo3::Bound<'p, pyo3::PyAny>,
     encode_ext: F,
 ) -> pyo3::PyResult<Option<RawExtensions<'p>>> {
@@ -424,20 +426,16 @@ pub(crate) fn encode_extensions<
             exts.push(Extension {
                 extn_id: oid,
                 critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?,
-                extn_value: ext_val
-                    .getattr(pyo3::intern!(py, "value"))?
-                    .extract::<&[u8]>()?,
+                extn_value: ka_bytes.add(ext_val.getattr(pyo3::intern!(py, "value"))?.extract()?),
             });
             continue;
         }
         match encode_ext(py, &oid, &ext_val)? {
             Some(data) => {
-                // TODO: extra copy
-                let py_data = pyo3::types::PyBytes::new_bound(py, &data);
                 exts.push(Extension {
                     extn_id: oid,
                     critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?,
-                    extn_value: py_data.extract()?,
+                    extn_value: ka_vec.add(data),
                 });
             }
             None => {

src/rust/src/x509/crl.rs

@@ -655,7 +655,8 @@ fn create_x509_crl(
         rsa_padding.to_owned(),
     )?;
     let mut revoked_certs = vec![];
-    let ka = cryptography_keepalive::KeepAlive::new();
+    let ka_vec = cryptography_keepalive::KeepAlive::new();
+    let ka_bytes = cryptography_keepalive::KeepAlive::new();
     for py_revoked_cert in builder
         .getattr(pyo3::intern!(py, "_revoked_certificates"))?
         .iter()?
@@ -666,12 +667,14 @@ fn create_x509_crl(
             .extract()?;
         let py_revocation_date =
             py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date_utc"))?;
-        let serial_bytes = ka.add(py_uint_to_big_endian_bytes(py, serial_number)?);
+        let serial_bytes = ka_bytes.add(py_uint_to_big_endian_bytes(py, serial_number)?);
         revoked_certs.push(crl::RevokedCertificate {
             user_certificate: asn1::BigUint::new(serial_bytes).unwrap(),
             revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?,
             raw_crl_entry_extensions: x509::common::encode_extensions(
                 py,
+                &ka_vec,
+                &ka_bytes,
                 &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?,
                 extensions::encode_extension,
             )?,
@@ -696,6 +699,8 @@ fn create_x509_crl(
         },
         raw_crl_extensions: x509::common::encode_extensions(
             py,
+            &ka_vec,
+            &ka_bytes,
             &builder.getattr(pyo3::intern!(py, "_extensions"))?,
             extensions::encode_extension,
         )?,

src/rust/src/x509/csr.rs

@@ -305,10 +305,15 @@ fn create_x509_csr(
         .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))?
         .extract::<pyo3::pybacked::PyBackedBytes>()?;
 
+    let ka_vec = cryptography_keepalive::KeepAlive::new();
+    let ka_bytes = cryptography_keepalive::KeepAlive::new();
+
     let mut attrs = vec![];
     let ext_bytes;
     if let Some(exts) = x509::common::encode_extensions(
         py,
+        &ka_vec,
+        &ka_bytes,
         &builder.getattr(pyo3::intern!(py, "_extensions"))?,
         x509::extensions::encode_extension,
     )? {

src/rust/src/x509/ocsp_req.rs

@@ -200,8 +200,13 @@ fn create_ocsp_request(
         )?
     };
 
+    let ka_vec = cryptography_keepalive::KeepAlive::new();
+    let ka_bytes = cryptography_keepalive::KeepAlive::new();
+
     let extensions = x509::common::encode_extensions(
         py,
+        &ka_vec,
+        &ka_bytes,
         &builder.getattr(pyo3::intern!(py, "_extensions"))?,
         extensions::encode_extension,
     )?;

src/rust/src/x509/ocsp_resp.rs

@@ -702,6 +702,9 @@ fn create_ocsp_response(
         )
     };
 
+    let ka_vec = cryptography_keepalive::KeepAlive::new();
+    let ka_bytes = cryptography_keepalive::KeepAlive::new();
+
     let tbs_response_data = ocsp_resp::ResponseData {
         version: 0,
         produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?,
@@ -711,6 +714,8 @@ fn create_ocsp_response(
         )),
         raw_response_extensions: x509::common::encode_extensions(
             py,
+            &ka_vec,
+            &ka_bytes,
             &builder.getattr(pyo3::intern!(py, "_extensions"))?,
             extensions::encode_extension,
         )?,