diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index c8a2ac8b4d2f..0607eebaa656 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -918,6 +918,9 @@ fn create_x509_certificate( let py_not_before = builder.getattr(pyo3::intern!(py, "_not_valid_before"))?; let py_not_after = builder.getattr(pyo3::intern!(py, "_not_valid_after"))?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; let tbs_cert = cryptography_x509::certificate::TbsCertificate { version: builder @@ -937,6 +940,8 @@ fn create_x509_certificate( subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 6b115e81a1e6..17ff9693a305 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -410,6 +410,8 @@ pub(crate) fn encode_extensions< ) -> CryptographyResult>>, >( py: pyo3::Python<'p>, + ka_vec: &'p cryptography_keepalive::KeepAlive>, + ka_bytes: &'p cryptography_keepalive::KeepAlive, py_exts: &pyo3::Bound<'p, pyo3::PyAny>, encode_ext: F, ) -> pyo3::PyResult>> { 
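Review bot: The two `KeepAlive` locals added ahead of `serial_bytes` carry no comment saying what they own, and their position matters. The `raw_extensions` field of `tbs_cert` is filled by `encode_extensions`, whose values come from `ka_vec.add(...)` and `ka_bytes.add(...)` in common.rs, so `tbs_cert` appears to borrow from both and they must be declared before it. I would add `// Own the extension buffers that tbs_cert borrows; keep these declared before it.` above the two lines. The matching declarations in crl.rs, csr.rs, ocsp_req.rs and ocsp_resp.rs would benefit from the same comment. create_x509_certificate starts and ends outside this hunk.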
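Review bot: `encode_extensions` gains two parameters with no doc comment, and nothing in the signature tells a caller which keepalive receives what. From the body in the next hunk, `ka_vec` takes the buffers returned by `encode_ext` and `ka_bytes` takes the bytes extracted from the Python extension's `value` attribute; both are borrowed for the same `'p` lifetime as the `py` token. A short `///` block on the function should state this, and that the returned extensions presumably borrow from both keepalives and so must not outlive them. That is the contract the six call sites in this commit now rely on. The function body continues outside this hunk.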
@@ -424,20 +426,16 @@ pub(crate) fn encode_extensions< exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: ext_val - .getattr(pyo3::intern!(py, "value"))? - .extract::<&[u8]>()?, + extn_value: ka_bytes.add(ext_val.getattr(pyo3::intern!(py, "value"))?.extract()?), }); continue; } match encode_ext(py, &oid, &ext_val)? { Some(data) => { - // TODO: extra copy - let py_data = pyo3::types::PyBytes::new_bound(py, &data); exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: py_data.extract()?, + extn_value: ka_vec.add(data), }); } None => { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4484efee87bf..b3e37e967de7 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -655,7 +655,8 @@ fn create_x509_crl( rsa_padding.to_owned(), )?; let mut revoked_certs = vec![]; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? .iter()? @@ -666,12 +667,14 @@ fn create_x509_crl( .extract()?; let py_revocation_date = py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date_utc"))?; - let serial_bytes = ka.add(py_uint_to_big_endian_bytes(py, serial_number)?); + let serial_bytes = ka_bytes.add(py_uint_to_big_endian_bytes(py, serial_number)?); revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(serial_bytes).unwrap(), revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?, raw_crl_entry_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, extensions::encode_extension, )?, 
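Review bot: The branch that ends in `continue` now calls `.extract()?` with no target type, where the removed code named `&[u8]`; the type is inferred from the element type of `ka_bytes`, which is not visible in this hunk. If that type's conversion accepts more Python types than `&[u8]` did (a bytes-like wrapper may also accept `bytearray`), the set of inputs accepted for an extension `value` changes silently. I would bind the value first with its type written out, `let value: ELEMENT_TYPE = ext_val.getattr(pyo3::intern!(py, "value"))?.extract()?;`, where ELEMENT_TYPE is a placeholder for the keepalive's element type, and then pass `ka_bytes.add(value)`. A test that a non-bytes `value` is still rejected would pin the behaviour. The loop this branch sits in starts outside the hunk.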
@@ -696,6 +699,8 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 1aab9d3a6b96..240f7f5d6dac 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -305,10 +305,15 @@ fn create_x509_csr( .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? .extract::()?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let mut attrs = vec![]; let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, x509::extensions::encode_extension, )? { diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 6635259a2571..218939dfca75 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -200,8 +200,13 @@ fn create_ocsp_request( )? }; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let extensions = x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 4ec133a8e038..e4038af1aec0 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -702,6 +702,9 @@ fn create_ocsp_response( ) }; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let tbs_response_data = ocsp_resp::ResponseData { version: 0, produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, 
@@ -711,6 +714,8 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?,