fix(pki): Add sign algo to pki list result

FirelightFlagboy · FirelightFlagboy · commit 3035ab00b901 · 2025-11-12T09:16:47.000Z
Closes #11536
diff --git a/bindings/electron/src/index.d.ts b/bindings/electron/src/index.d.ts
@@ -292,6 +292,7 @@ export interface PkiEnrollmentListItem {
     submittedOn: number
     derX509Certificate: Uint8Array
     payloadSignature: Uint8Array
+    payloadSignatureAlgorithm: string
     payload: Uint8Array
 }
 
diff --git a/bindings/electron/src/meths.rs b/bindings/electron/src/meths.rs
@@ -2476,6 +2476,15 @@ fn struct_pki_enrollment_list_item_js_to_rs<'a>(
             }
         }
     };
+    let payload_signature_algorithm = {
+        let js_val: Handle<JsString> = obj.get(cx, "payloadSignatureAlgorithm")?;
+        {
+            match js_val.value(cx).parse() {
+                Ok(val) => val,
+                Err(err) => return cx.throw_type_error(err),
+            }
+        }
+    };
     let payload = {
         let js_val: Handle<JsTypedArray<u8>> = obj.get(cx, "payload")?;
         {
@@ -2495,6 +2504,7 @@ fn struct_pki_enrollment_list_item_js_to_rs<'a>(
         submitted_on,
         der_x509_certificate,
         payload_signature,
+        payload_signature_algorithm,
         payload,
     })
 }
@@ -2537,6 +2547,20 @@ fn struct_pki_enrollment_list_item_rs_to_js<'a>(
         js_buff
     };
     js_obj.set(cx, "payloadSignature", js_payload_signature)?;
+    let js_payload_signature_algorithm = JsString::try_new(cx, {
+        let custom_to_rs_string =
+            |v| -> Result<_, std::convert::Infallible> { Ok(std::string::ToString::to_string(&v)) };
+        match custom_to_rs_string(rs_obj.payload_signature_algorithm) {
+            Ok(ok) => ok,
+            Err(err) => return cx.throw_type_error(err.to_string()),
+        }
+    })
+    .or_throw(cx)?;
+    js_obj.set(
+        cx,
+        "payloadSignatureAlgorithm",
+        js_payload_signature_algorithm,
+    )?;
     let js_payload = {
         let rs_buff = { rs_obj.payload.as_ref() };
         let js_buff = JsTypedArray::from_slice(cx, rs_buff.as_ref())?;
diff --git a/bindings/generator/api/pki.py b/bindings/generator/api/pki.py
@@ -92,6 +92,7 @@ class PkiEnrollmentListItem(Structure):
     submitted_on: DateTime
     der_x509_certificate: Bytes
     payload_signature: Bytes
+    payload_signature_algorithm: PkiSignatureAlgorithm
     payload: Bytes
 
 
diff --git a/bindings/web/src/meths.rs b/bindings/web/src/meths.rs
@@ -2620,6 +2620,16 @@ fn struct_pki_enrollment_list_item_js_to_rs(
                 custom_from_rs_bytes(&x).map_err(|e| TypeError::new(e.as_ref()))
             })?
     };
+    let payload_signature_algorithm = {
+        let js_val = Reflect::get(&obj, &"payloadSignatureAlgorithm".into())?;
+        js_val
+            .dyn_into::<JsString>()
+            .ok()
+            .and_then(|s| s.as_string())
+            .ok_or_else(|| TypeError::new("Not a string"))?
+            .parse()
+            .map_err(|_| TypeError::new("Not a valid PkiSignatureAlgorithm"))?
+    };
     let payload = {
         let js_val = Reflect::get(&obj, &"payload".into())?;
         js_val
@@ -2637,6 +2647,7 @@ fn struct_pki_enrollment_list_item_js_to_rs(
         submitted_on,
         der_x509_certificate,
         payload_signature,
+        payload_signature_algorithm,
         payload,
     })
 }
@@ -2676,6 +2687,20 @@ fn struct_pki_enrollment_list_item_rs_to_js(
     )?;
     let js_payload_signature = JsValue::from(Uint8Array::from(rs_obj.payload_signature.as_ref()));
     Reflect::set(&js_obj, &"payloadSignature".into(), &js_payload_signature)?;
+    let js_payload_signature_algorithm = JsValue::from_str({
+        let custom_to_rs_string =
+            |v| -> Result<_, std::convert::Infallible> { Ok(std::string::ToString::to_string(&v)) };
+        match custom_to_rs_string(rs_obj.payload_signature_algorithm) {
+            Ok(ok) => ok,
+            Err(err) => return Err(JsValue::from(TypeError::new(&err.to_string()))),
+        }
+        .as_ref()
+    });
+    Reflect::set(
+        &js_obj,
+        &"payloadSignatureAlgorithm".into(),
+        &js_payload_signature_algorithm,
+    )?;
     let js_payload = JsValue::from(Uint8Array::from(rs_obj.payload.as_ref()));
     Reflect::set(&js_obj, &"payload".into(), &js_payload)?;
     Ok(js_obj)
diff --git a/client/src/plugins/libparsec/definitions.ts b/client/src/plugins/libparsec/definitions.ts
@@ -311,6 +311,7 @@ export interface PkiEnrollmentListItem {
     submittedOn: DateTime
     derX509Certificate: Bytes
     payloadSignature: Bytes
+    payloadSignatureAlgorithm: PkiSignatureAlgorithm
     payload: Bytes
 }
 
diff --git a/libparsec/crates/client/tests/unit/client/pki_enrollment_list.rs b/libparsec/crates/client/tests/unit/client/pki_enrollment_list.rs
@@ -19,6 +19,7 @@ async fn ok(env: &TestbedEnv) {
         enrollment_id: PKIEnrollmentID::from_hex("e1fe88bd0f054261887a6c8039710b40").unwrap(),
         payload: hex!("3c64756d6d793e").as_ref().into(),
         payload_signature: hex!("3c7369676e61747572653e").as_ref().into(),
+        payload_signature_algorithm: PkiSignatureAlgorithm::RsassaPssSha256,
         submitted_on: DateTime::from_timestamp_micros(1668594983390001).unwrap(),
     };
     let pki_enrollment_item_clone = pki_enrollment_item.clone();
diff --git a/libparsec/crates/protocol/schema/authenticated_cmds/pki_enrollment_list.json5 b/libparsec/crates/protocol/schema/authenticated_cmds/pki_enrollment_list.json5
@@ -46,6 +46,10 @@
                         "name": "payload_signature",
                         "type": "Bytes"
                     },
+                    {
+                        "name": "payload_signature_algorithm",
+                        "type": "PkiSignatureAlgorithm"
+                    },
                     {
                         // The payload, it's a `PkiEnrollmentSubmitPayload` formatted in msgpack
                         "name": "payload",
diff --git a/libparsec/crates/protocol/tests/authenticated_cmds/v5/pki_enrollment_list.rs b/libparsec/crates/protocol/tests/authenticated_cmds/v5/pki_enrollment_list.rs
@@ -42,7 +42,7 @@ pub fn req() {
 pub fn rep_ok() {
     let raw_expected = [
         (
-            // Generated from Parsec 3.5.1-a.0+dev
+            // Generated from Parsec 3.5.3-a.0+dev
             // Content:
             //   status: 'ok'
             //   enrollments: [
@@ -51,15 +51,17 @@ pub fn rep_ok() {
             //       enrollment_id: ext(2, 0xe1fe88bd0f054261887a6c8039710b40),
             //       payload: 0x3c64756d6d793e,
             //       payload_signature: 0x3c7369676e61747572653e,
+            //       payload_signature_algorithm: 'RSASSA-PSS-SHA256',
             //       submitted_on: ext(1, 1668594983390001) i.e. 2022-11-16T11:36:23.390001Z,
             //     },
             //   ]
             hex!(
-                "82a6737461747573a26f6bab656e726f6c6c6d656e74739185b46465725f783530395f"
+                "82a6737461747573a26f6bab656e726f6c6c6d656e74739186b46465725f783530395f"
                 "6365727469666963617465c40d3c78353039206365727469663ead656e726f6c6c6d65"
                 "6e745f6964d802e1fe88bd0f054261887a6c8039710b40a77061796c6f6164c4073c64"
                 "756d6d793eb17061796c6f61645f7369676e6174757265c40b3c7369676e6174757265"
-                "3eac7375626d69747465645f6f6ed7010005ed940b424b31"
+                "3ebb7061796c6f61645f7369676e61747572655f616c676f726974686db15253415353"
+                "412d5053532d534841323536ac7375626d69747465645f6f6ed7010005ed940b424b31"
             )
             .as_ref(),
             authenticated_cmds::pki_enrollment_list::Rep::Ok {
@@ -71,6 +73,7 @@ pub fn rep_ok() {
                         .unwrap(),
                         payload: hex!("3c64756d6d793e").as_ref().into(),
                         payload_signature: hex!("3c7369676e61747572653e").as_ref().into(),
+                        payload_signature_algorithm: PkiSignatureAlgorithm::RsassaPssSha256,
                         submitted_on: DateTime::from_timestamp_micros(1668594983390001).unwrap(),
                         der_x509_certificate: hex!("3c78353039206365727469663e").as_ref().into(),
                     },
@@ -90,6 +93,7 @@ pub fn rep_ok() {
     ];
 
     for (raw, expected) in raw_expected {
+        println!("***expected: {:?}", expected.dump().unwrap());
         let data = authenticated_cmds::pki_enrollment_list::Rep::load(raw).unwrap();
 
         p_assert_eq!(data, expected);
diff --git a/server/parsec/_parsec_pyi/protocol/authenticated_cmds/v5/pki_enrollment_list.pyi b/server/parsec/_parsec_pyi/protocol/authenticated_cmds/v5/pki_enrollment_list.pyi
@@ -4,7 +4,7 @@
 
 from __future__ import annotations
 
-from parsec._parsec import DateTime, PKIEnrollmentID
+from parsec._parsec import DateTime, PKIEnrollmentID, PkiSignatureAlgorithm
 
 class PkiEnrollmentListItem:
     def __init__(
@@ -13,6 +13,7 @@ class PkiEnrollmentListItem:
         submitted_on: DateTime,
         der_x509_certificate: bytes,
         payload_signature: bytes,
+        payload_signature_algorithm: PkiSignatureAlgorithm,
         payload: bytes,
     ) -> None: ...
     @property
@@ -24,6 +25,8 @@ class PkiEnrollmentListItem:
     @property
     def payload_signature(self) -> bytes: ...
     @property
+    def payload_signature_algorithm(self) -> PkiSignatureAlgorithm: ...
+    @property
     def submitted_on(self) -> DateTime: ...
 
 class Req:
diff --git a/server/parsec/components/memory/datamodel.py b/server/parsec/components/memory/datamodel.py
@@ -30,6 +30,7 @@
     InvitationType,
     OrganizationID,
     PKIEnrollmentID,
+    PkiSignatureAlgorithm,
     RealmArchivingCertificate,
     RealmKeyRotationCertificate,
     RealmNameCertificate,
@@ -745,6 +746,7 @@ class MemoryPkiEnrollment:
     submitter_der_x509_certificate_sha1: bytes = field(repr=False)
 
     submit_payload_signature: bytes = field(repr=False)
+    submit_payload_signature_algorithm: PkiSignatureAlgorithm
     submit_payload: bytes = field(repr=False)
     submitted_on: DateTime
 
diff --git a/server/parsec/components/memory/pki.py b/server/parsec/components/memory/pki.py
@@ -12,6 +12,7 @@
     PkiEnrollmentAnswerPayload,
     PKIEnrollmentID,
     PkiEnrollmentSubmitPayload,
+    PkiSignatureAlgorithm,
     UserCertificate,
     UserProfile,
     VerifyKey,
@@ -63,6 +64,7 @@ async def submit(
         force: bool,
         submitter_der_x509_certificate: bytes,
         submit_payload_signature: bytes,
+        submit_payload_signature_algorithm: PkiSignatureAlgorithm,
         submit_payload: bytes,
     ) -> None | PkiEnrollmentSubmitBadOutcome | PkiEnrollmentSubmitX509CertificateAlreadySubmitted:
         # 1) Check organization exists and is not expired
@@ -156,6 +158,7 @@ async def submit(
                 submitter_der_x509_certificate=submitter_der_x509_certificate,
                 submitter_der_x509_certificate_sha1=submitter_der_x509_certificate_sha1,
                 submit_payload_signature=submit_payload_signature,
+                submit_payload_signature_algorithm=submit_payload_signature_algorithm,
                 submit_payload=submit_payload,
                 submitted_on=now,
             )
@@ -251,6 +254,7 @@ async def list(
                     enrollment_id=enrollment.enrollment_id,
                     payload=enrollment.submit_payload,
                     payload_signature=enrollment.submit_payload_signature,
+                    payload_signature_algorithm=enrollment.submit_payload_signature_algorithm,
                     submitted_on=enrollment.submitted_on,
                     der_x509_certificate=enrollment.submitter_der_x509_certificate,
                 )
diff --git a/server/parsec/components/pki.py b/server/parsec/components/pki.py
@@ -10,6 +10,7 @@
     DeviceID,
     OrganizationID,
     PKIEnrollmentID,
+    PkiSignatureAlgorithm,
     UserCertificate,
     VerifyKey,
     anonymous_cmds,
@@ -134,6 +135,7 @@ class PkiEnrollmentListItem:
     submitted_on: DateTime
     der_x509_certificate: bytes
     payload_signature: bytes
+    payload_signature_algorithm: PkiSignatureAlgorithm
     payload: bytes
 
 
@@ -207,6 +209,7 @@ async def submit(
         force: bool,
         submitter_der_x509_certificate: bytes,
         submit_payload_signature: bytes,
+        submit_payload_signature_algorithm: PkiSignatureAlgorithm,
         submit_payload: bytes,
     ) -> None | PkiEnrollmentSubmitBadOutcome | PkiEnrollmentSubmitX509CertificateAlreadySubmitted:
         raise NotImplementedError
@@ -313,6 +316,7 @@ async def api_pki_enrollment_submit(
             force=req.force,
             submitter_der_x509_certificate=req.der_x509_certificate,
             submit_payload_signature=req.payload_signature,
+            submit_payload_signature_algorithm=req.payload_signature_algorithm,
             submit_payload=req.payload,
         )
         match outcome:
@@ -356,6 +360,7 @@ async def api_pki_enrollment_list(
                             e.submitted_on,
                             e.der_x509_certificate,
                             e.payload_signature,
+                            e.payload_signature_algorithm,
                             e.payload,
                         )
                         for e in enrollments
diff --git a/server/parsec/components/postgresql/migrations/0016_pki_enrollment_submit_payload_signature_algorithm.sql b/server/parsec/components/postgresql/migrations/0016_pki_enrollment_submit_payload_signature_algorithm.sql
@@ -0,0 +1,14 @@
+-- Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
+
+-------------------------------------------------------
+--  Migration
+--
+-- Add column `submit_payload_signature_algorithm` to the `pki_enrollment` table
+-------------------------------------------------------
+
+CREATE TYPE pki_signature_algorithm AS ENUM ('RSASSA_PSS_SHA256');
+
+-- Note it's okay to declare the new column as `NOT NULL` given this table has
+-- no row since it was never used so far (it has been kept from Parsec v2 in
+-- prevision of a future support of PKI enrollment).
+ALTER TABLE pki_enrollment ADD submit_payload_signature_algorithm PKI_SIGNATURE_ALGORITHM NOT NULL;
diff --git a/server/parsec/components/postgresql/migrations/datamodel.sql b/server/parsec/components/postgresql/migrations/datamodel.sql
@@ -447,6 +447,8 @@ CREATE TYPE pki_enrollment_info_cancelled AS (
     cancelled_on TIMESTAMPTZ
 );
 
+CREATE TYPE pki_signature_algorithm AS ENUM ('RSASSA_PSS_SHA256');
+
 CREATE TABLE pki_enrollment (
     _id SERIAL PRIMARY KEY,
     organization INTEGER REFERENCES organization (_id) NOT NULL,
@@ -467,6 +469,9 @@ CREATE TABLE pki_enrollment (
     info_rejected PKI_ENROLLMENT_INFO_REJECTED,
     info_cancelled PKI_ENROLLMENT_INFO_CANCELLED,
 
+    -- Added in migration 0016
+    submit_payload_signature_algorithm PKI_SIGNATURE_ALGORITHM NOT NULL,
+
     UNIQUE (organization, enrollment_id)
 );
 
diff --git a/server/parsec/components/postgresql/pki.py b/server/parsec/components/postgresql/pki.py
@@ -11,6 +11,7 @@
     OrganizationID,
     UserCertificate,
     VerifyKey,
+    PkiSignatureAlgorithm,
 )
 from parsec.ballpark import RequireGreaterTimestamp, TimestampOutOfBallpark
 from parsec.components.pki import (
@@ -49,6 +50,7 @@ async def submit(
         force: bool,
         submitter_der_x509_certificate: bytes,
         submit_payload_signature: bytes,
+        submit_payload_signature_algorithm: PkiSignatureAlgorithm,
         submit_payload: bytes,
     ) -> None | PkiEnrollmentSubmitBadOutcome | PkiEnrollmentSubmitX509CertificateAlreadySubmitted:
         return await pki_submit(
@@ -59,6 +61,7 @@ async def submit(
             force,
             submitter_der_x509_certificate,
             submit_payload_signature,
+            submit_payload_signature_algorithm,
             submit_payload,
         )
 
diff --git a/server/parsec/components/postgresql/pki_list.py b/server/parsec/components/postgresql/pki_list.py
@@ -6,6 +6,7 @@
     DeviceID,
     OrganizationID,
     PKIEnrollmentID,
+    PkiSignatureAlgorithm,
     UserProfile,
 )
 from parsec.components.pki import (
@@ -26,6 +27,7 @@
     submitted_on,
     submitter_der_x509_certificate,
     submit_payload_signature,
+    submit_payload_signature_algorithm,
     submit_payload
 FROM pki_enrollment
 WHERE
@@ -87,6 +89,14 @@ async def pki_list(
             case _:
                 assert False, row
 
+        match row["submit_payload_signature_algorithm"]:
+            case str() as raw_payload_signature_algorithm:
+                payload_signature_algorithm = PkiSignatureAlgorithm.from_str(
+                    raw_payload_signature_algorithm
+                )
+            case _:
+                assert False, row
+
         match row["submit_payload"]:
             case bytes() as payload:
                 pass
@@ -99,6 +109,7 @@ async def pki_list(
                 submitted_on=submitted_on,
                 der_x509_certificate=der_x509_certificate,
                 payload_signature=payload_signature,
+                payload_signature_algorithm=payload_signature_algorithm,
                 payload=payload,
             )
         )
diff --git a/server/parsec/components/postgresql/pki_submit.py b/server/parsec/components/postgresql/pki_submit.py
diff --git a/server/tests/api_v5/anonymous/test_pki_enrollment_info.py b/server/tests/api_v5/anonymous/test_pki_enrollment_info.py
diff --git a/server/tests/api_v5/authenticated/test_pki_enrollment_accept.py b/server/tests/api_v5/authenticated/test_pki_enrollment_accept.py
diff --git a/server/tests/api_v5/authenticated/test_pki_enrollment_list.py b/server/tests/api_v5/authenticated/test_pki_enrollment_list.py
diff --git a/server/tests/api_v5/authenticated/test_pki_enrollment_reject.py b/server/tests/api_v5/authenticated/test_pki_enrollment_reject.py

Original file line number	Diff line number	Diff line change
`@@ -292,6 +292,7 @@ export interface PkiEnrollmentListItem {`
`292`	`292`	`submittedOn: number`
`293`	`293`	`derX509Certificate: Uint8Array`
`294`	`294`	`payloadSignature: Uint8Array`
	`295`	`+ payloadSignatureAlgorithm: string`
`295`	`296`	`payload: Uint8Array`
`296`	`297`	`}`
`297`	`298`
Original file line number	Diff line number	Diff line change
`@@ -311,6 +311,7 @@ export interface PkiEnrollmentListItem {`
`311`	`311`	`submittedOn: DateTime`
`312`	`312`	`derX509Certificate: Bytes`
`313`	`313`	`payloadSignature: Bytes`
	`314`	`+ payloadSignatureAlgorithm: PkiSignatureAlgorithm`
`314`	`315`	`payload: Bytes`
`315`	`316`	`}`
`316`	`317`