Simplify PIV zlib support for Net iD

dainnilsson · dainnilsson · commit d4982afa43a3 · 2026-01-28T15:51:22.000+01:00
diff --git a/tests/test_piv.py b/tests/test_piv.py
@@ -18,7 +18,6 @@
     Chuid,
     FascN,
     _do_check_key_support,
-    _cxf_dictionary,
     decompress_certificate,
 )
 
@@ -182,35 +181,35 @@ def test_gzip_decompression(self):
         result = decompress_certificate(compressed_data)
         assert result == original_data
 
-    def test_cxf_deflate_decompression(self):
-        """Test decompression of CXF deflate format (used by Pointsharp Net iD)."""
-        original_data = b"Test certificate content for CXF format"
+    def test_zlib_deflate_decompression(self):
+        """Test decompression of zlib deflate format (used by Pointsharp Net iD)."""
+        original_data = b"Test certificate content for zlib format"
 
-        # CXF format: 0x01 0x00 + 2-byte little-endian length + zlib compressed data
-        compressor = zlib.compressobj(wbits=zlib.MAX_WBITS, zdict=_cxf_dictionary)
+        # zlib format: 0x01 0x00 + 2-byte little-endian length + zlib compressed data
+        compressor = zlib.compressobj(wbits=zlib.MAX_WBITS)
         compressed = compressor.compress(original_data) + compressor.flush()
 
-        # Build CXF format: magic bytes + length + compressed data
+        # Build zlib format: magic bytes + length + compressed data
         length_bytes = len(original_data).to_bytes(2, "little")
-        cxf_data = b"\x01\x00" + length_bytes + compressed
+        zlib_data = b"\x01\x00" + length_bytes + compressed
 
-        result = decompress_certificate(cxf_data)
+        result = decompress_certificate(zlib_data)
         assert result == original_data
 
-    def test_cxf_deflate_wrong_length_raises(self):
-        """Test that CXF deflate with wrong expected length raises ValueError."""
+    def test_zlib_deflate_wrong_length_raises(self):
+        """Test that zlib deflate with wrong expected length raises ValueError."""
         original_data = b"Test certificate content"
 
-        compressor = zlib.compressobj(wbits=zlib.MAX_WBITS, zdict=_cxf_dictionary)
+        compressor = zlib.compressobj(wbits=zlib.MAX_WBITS)
         compressed = compressor.compress(original_data) + compressor.flush()
 
         # Use wrong length (actual length + 10)
         wrong_length = len(original_data) + 10
         length_bytes = wrong_length.to_bytes(2, "little")
-        cxf_data = b"\x01\x00" + length_bytes + compressed
+        zlib_data = b"\x01\x00" + length_bytes + compressed
 
         with pytest.raises(BadResponseError):
-            decompress_certificate(cxf_data)
+            decompress_certificate(zlib_data)
 
     def test_invalid_data_raises_bad_response_error(self):
         """Test that invalid/uncompressed data raises BadResponseError."""
@@ -227,12 +226,12 @@ def test_corrupted_gzip_raises_bad_response_error(self):
         with pytest.raises(BadResponseError):
             decompress_certificate(corrupted_gzip)
 
-    def test_cxf_format_fallback_to_gzip(self):
-        """Test that invalid CXF data falls back to gzip decompression."""
+    def test_zlib_format_fallback_to_gzip(self):
+        """Test that invalid zlib data falls back to gzip decompression."""
         original_data = b"Fallback test data"
 
-        # Create data that starts with CXF magic but is actually gzip compressed
-        # The CXF decompression will fail and it should fall back to gzip
+        # Create data that starts with zlib magic but is actually gzip compressed
+        # The zlib decompression will fail and it should fall back to gzip
         gzip_data = gzip.compress(original_data)
 
         result = decompress_certificate(gzip_data)
diff --git a/yubikit/piv.py b/yubikit/piv.py
@@ -33,7 +33,6 @@
 import re
 import warnings
 import zlib
-from base64 import b64decode
 from dataclasses import astuple, dataclass
 from datetime import date
 from enum import Enum, IntEnum, unique
@@ -657,53 +656,39 @@ def _parse_device_public_key(key_type, encoded):
         return ec.EllipticCurvePublicKey.from_encoded_point(curve(), data[0x86])
 
 
-# This data embeds pre-computed structures used by the zlib deflate algorithm
-# It's purpose is to avoid to store the full dictionary in the compressed
-# stream, thus reducing the size of the certificate
-# Source: https://datatracker.ietf.org/doc/html/draft-pritikin-comp-x509-00#appendix-A
-_cxf_dictionary = b64decode("""
-MIIBOTCCASOgAwIBAgIBATANBgkqhkiG9w0BAQUFADAZMRcwFQYDVQQDEw5odHRw
-Oi8vd3d3LmNvbTAeFw0xMDA1MTExOTEzMDNaFw0xMTA1MTExOTEzMDNaMF8xEDAO
-BgkqhkiG9w0BCQEWAUAxCjAIBgNVBAMTASAxCzAJBgNVBAYTAlVTMQswCQYDVQQI
-EwJXSTELMAkGA1UEChMCb24xDDAKBgNVBAsTA291bjEKMAgGA1UEBRMBIDAfMA0G
-CSqGSIb3DQEBAQUAAw4AMAsCBG6G5ZUCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNV
-HQ4EFgQUHSkK6busCxxK6PKpBlL9q8K1mcQwHwYDVR0jBBgwFoAUn7r/DVMuEpK9
-Rxq3nyiLml10+nQwDQYJKoZIhvcNAQEFBQADAQA=
-""")
-
-
 def decompress_certificate(cert_data: bytes) -> bytes:
     """
     Decompress a compressed certificate using various methods.
     """
     logger.debug("Certificate is compressed, decompressing...")
 
-    # CXF Deflate Method (as used by Pointsharp Net iD)
-    if cert_data[:2] == b"\01\00":
-        expected_length = int.from_bytes(cert_data[2:4], "little")
-        decompressor = zlib.decompressobj(wbits=zlib.MAX_WBITS, zdict=_cxf_dictionary)
-        try:
-            cert_data = decompressor.decompress(cert_data[4:])
-            if len(cert_data) != expected_length:
-                logger.error(
-                    "Unexpected decompressed length, expected %d, got %d",
-                    expected_length,
-                    len(cert_data),
-                )
-                raise ValueError("Decompressed length does not match expected length")
-
-            logger.debug("Decompressed certificate with CXF deflate format")
-            return cert_data
-        except (zlib.error, ValueError):
-            logger.warning("Failed to decompress with CXF format")
-
-    # Gzip Method (default)
-    try:
-        cert_data = gzip.decompress(cert_data)
-        logger.debug("Decompressed certificate with basic gzip format")
-        return cert_data
-    except (zlib.error, gzip.BadGzipFile):
-        logger.warning("Failed to decompressed with basic gzip format")
+    match tuple(cert_data[:2]):
+        case (0x1F, 0x8B):  # Gzip (most commonly used)
+            logger.debug("Decompressing certificate using gzip")
+            try:
+                return gzip.decompress(cert_data)
+            except (zlib.error, gzip.BadGzipFile):
+                logger.warning("Failed to decompressed with gzip")
+        case (0x01, 0x00):  # Net iD zlib format
+            logger.debug("Decompressing certificate using zlib")
+            expected_length = int.from_bytes(cert_data[2:4], "little")
+            try:
+                decompressed = zlib.decompress(cert_data[4:])
+                if len(decompressed) != expected_length:
+                    logger.error(
+                        "Unexpected decompressed length, expected %d, got %d",
+                        expected_length,
+                        len(decompressed),
+                    )
+                    raise BadResponseError(
+                        "Decompressed length does not match expected length"
+                    )
+
+                return decompressed
+            except (zlib.error, ValueError):
+                logger.warning("Failed to decompress with zlib")
+        case _:
+            logger.warning("Unknown compression type")
 
     raise BadResponseError("Failed to decompress certificate")
 
