Initial implementation of ASN.1 API (#13325)

* Add initial ASN.1 Rust module

Signed-off-by: Facundo Tuesca <[email protected]>

* Add hazmat.asn1 Python module

Signed-off-by: Facundo Tuesca <[email protected]>

* Add initial ASN.1 tests

Signed-off-by: Facundo Tuesca <[email protected]>

* Add typing-extensions dependency

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove unused protocol

Signed-off-by: Facundo Tuesca <[email protected]>

* Add tests for missing coverage

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove upper version bound for typing-extensions

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove import aliases

Signed-off-by: Facundo Tuesca <[email protected]>

* Compare types with `is`

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove unnecessary getattr

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove unused RootType

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove more import aliases

Signed-off-by: Facundo Tuesca <[email protected]>

* Add test for missing coverage

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove unneeded build dependency

Signed-off-by: Facundo Tuesca <[email protected]>

* Regenerate ci constraints requirements

Signed-off-by: Facundo Tuesca <[email protected]>

* Deduplicate conversion of builtin Python types

Signed-off-by: Facundo Tuesca <[email protected]>

* Tidy up Rust imports

Signed-off-by: Facundo Tuesca <[email protected]>

* Separate tests into files per test type

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove unneeded __asn1_fields__ attribute

Signed-off-by: Facundo Tuesca <[email protected]>

* Re-add typing-extensions to build-requirements.in

Signed-off-by: Facundo Tuesca <[email protected]>

* Split tests by ASN.1 type

Signed-off-by: Facundo Tuesca <[email protected]>

* Add TODO

Signed-off-by: Facundo Tuesca <[email protected]>

* Rename Rust module to `declarative_asn1`

Signed-off-by: Facundo Tuesca <[email protected]>

* Use typing-extensions only for Python < 3.11

Signed-off-by: Facundo Tuesca <[email protected]>

* Use `typing_extensions.get_type_hints` only when <3.9

Signed-off-by: Facundo Tuesca <[email protected]>

* Add comment explaining mypy workaround

Signed-off-by: Facundo Tuesca <[email protected]>

* Use `dataclasses.dataclass` to generate init method

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove extra dataclass behavior

Signed-off-by: Facundo Tuesca <[email protected]>

* Remove unused pyo3 annotations

Signed-off-by: Facundo Tuesca <[email protected]>

* Use `kw_only` with dataclasses

Signed-off-by: Facundo Tuesca <[email protected]>

* Add test for kw-only initialization

Signed-off-by: Facundo Tuesca <[email protected]>

---------

Signed-off-by: Facundo Tuesca <[email protected]>

Author: facutuesca

.github/requirements/build-requirements.in

@@ -7,6 +7,9 @@ maturin>=1,<2
 # Must be kept sync with build-system.requires at vectors/pyproject.toml
 uv_build>=0.7.19,<0.9.0
 
+# Must be kept in sync with project.dependencies at pyproject.toml
+typing-extensions>=4.13.2; python_version < '3.11'
+
 # WARN: changing the requirements here DOES NOT update the dependencies used
 # for building at the github workflow -- it uses build-requirements.txt
 # To update build-requirements.txt, update this file and then run

.github/requirements/build-requirements.txt

@@ -144,6 +144,10 @@ tomli==2.2.1 ; python_full_version < '3.11' \
     --hash=sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a \
     --hash=sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7
     # via maturin
+typing-extensions==4.15.0 ; python_full_version < '3.11' \
+    --hash=sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466 \
+    --hash=sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548
+    # via -r build-requirements.in
 uv-build==0.8.17 \
     --hash=sha256:061f0406751244f6554fec98e78128af508984b89aef312997e3c1bedd3dd9b0 \
     --hash=sha256:2a904939adf3e7eb115a074064dd77a3d2822a0b10621019712109e4a06e4250 \

ci-constraints-requirements.txt

@@ -257,11 +257,13 @@ tomli==2.2.1 ; python_full_version <= '3.11'
     #   sphinx
 typing-extensions==4.13.2 ; python_full_version < '3.9'
     # via
+    #   cryptography (pyproject.toml)
     #   exceptiongroup
     #   mypy
     #   virtualenv
 typing-extensions==4.15.0 ; python_full_version >= '3.9'
     # via
+    #   cryptography (pyproject.toml)
     #   exceptiongroup
     #   mypy
     #   virtualenv

pyproject.toml

@@ -53,6 +53,8 @@ dependencies = [
     # Must be kept in sync with `build-system.requires`
     "cffi>=1.14; platform_python_implementation != 'PyPy' and python_version < '3.14'",
     "cffi>=2.0.0; platform_python_implementation != 'PyPy' and python_version >= '3.14'",
+    # Must be kept in sync with ./.github/requirements/build-requirements.{in,txt}
+    "typing-extensions>=4.13.2; python_version < '3.11'",
 ]
 
 [project.urls]

src/cryptography/hazmat/asn1/__init__.py

@@ -0,0 +1,10 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from cryptography.hazmat.asn1.asn1 import encode_der, sequence
+
+__all__ = [
+    "encode_der",
+    "sequence",
+]

src/cryptography/hazmat/asn1/asn1.py

@@ -0,0 +1,116 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+import dataclasses
+import sys
+import typing
+
+if sys.version_info < (3, 11):
+    import typing_extensions
+
+    # We use the `include_extras` parameter of `get_type_hints`, which was
+    # added in Python 3.9. This can be replaced by the `typing` version
+    # once the min version is >= 3.9
+    if sys.version_info < (3, 9):
+        get_type_hints = typing_extensions.get_type_hints
+    else:
+        get_type_hints = typing.get_type_hints
+else:
+    get_type_hints = typing.get_type_hints
+
+from cryptography.hazmat.bindings._rust import declarative_asn1
+
+T = typing.TypeVar("T", covariant=True)
+U = typing.TypeVar("U")
+
+
+encode_der = declarative_asn1.encode_der
+
+
+def _normalize_field_type(
+    field_type: typing.Any, field_name: str
+) -> declarative_asn1.AnnotatedType:
+    annotation = declarative_asn1.Annotation()
+
+    if hasattr(field_type, "__asn1_root__"):
+        annotated_root = field_type.__asn1_root__
+        if not isinstance(annotated_root, declarative_asn1.AnnotatedType):
+            raise TypeError(f"unsupported root type: {annotated_root}")
+        return annotated_root
+    else:
+        rust_field_type = declarative_asn1.non_root_python_to_rust(field_type)
+
+    return declarative_asn1.AnnotatedType(rust_field_type, annotation)
+
+
+def _annotate_fields(
+    raw_fields: dict[str, type],
+) -> dict[str, declarative_asn1.AnnotatedType]:
+    fields = {}
+    for field_name, field_type in raw_fields.items():
+        # Recursively normalize the field type into something that the
+        # Rust code can understand.
+        annotated_field_type = _normalize_field_type(field_type, field_name)
+        fields[field_name] = annotated_field_type
+
+    return fields
+
+
+def _register_asn1_sequence(cls: type[U]) -> None:
+    raw_fields = get_type_hints(cls, include_extras=True)
+    root = declarative_asn1.AnnotatedType(
+        declarative_asn1.Type.Sequence(cls, _annotate_fields(raw_fields)),
+        declarative_asn1.Annotation(),
+    )
+
+    setattr(cls, "__asn1_root__", root)
+
+
+# Due to https://github.com/python/mypy/issues/19731, we can't define an alias
+# for `dataclass_transform` that conditionally points to `typing` or
+# `typing_extensions` depending on the Python version (like we do for
+# `get_type_hints`).
+# We work around it by making the whole decorated class conditional on the
+# Python version.
+if sys.version_info < (3, 11):
+
+    @typing_extensions.dataclass_transform(kw_only_default=True)
+    def sequence(cls: type[U]) -> type[U]:
+        # We use `dataclasses.dataclass` to add an __init__ method
+        # to the class with keyword-only parameters.
+        if sys.version_info >= (3, 10):
+            dataclass_cls = dataclasses.dataclass(
+                repr=False,
+                eq=False,
+                # `match_args` was added in Python 3.10 and defaults
+                # to True
+                match_args=False,
+                # `kw_only` was added in Python 3.10 and defaults to
+                # False
+                kw_only=True,
+            )(cls)
+        else:
+            dataclass_cls = dataclasses.dataclass(
+                repr=False,
+                eq=False,
+            )(cls)
+        _register_asn1_sequence(dataclass_cls)
+        return dataclass_cls
+
+else:
+
+    @typing.dataclass_transform(kw_only_default=True)
+    def sequence(cls: type[U]) -> type[U]:
+        # Only add an __init__ method, with keyword-only
+        # parameters.
+        dataclass_cls = dataclasses.dataclass(
+            repr=False,
+            eq=False,
+            match_args=False,
+            kw_only=True,
+        )(cls)
+        _register_asn1_sequence(dataclass_cls)
+        return dataclass_cls

src/cryptography/hazmat/bindings/_rust/declarative_asn1.pyi

@@ -0,0 +1,32 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+import typing
+
+def encode_der(value: typing.Any) -> bytes: ...
+def non_root_python_to_rust(cls: type) -> Type: ...
+
+# Type is a Rust enum with tuple variants. For now, we express the type
+# annotations like this:
+class Type:
+    Sequence: typing.ClassVar[type]
+    PyInt: typing.ClassVar[type]
+
+class Annotation:
+    def __new__(
+        cls,
+    ) -> Annotation: ...
+
+class AnnotatedType:
+    inner: Type
+    annotation: Annotation
+
+    def __new__(cls, inner: Type, annotation: Annotation) -> AnnotatedType: ...
+
+class AnnotatedTypeObject:
+    annotated_type: AnnotatedType
+    value: typing.Any
+
+    def __new__(
+        cls, annotated_type: AnnotatedType, value: typing.Any
+    ) -> AnnotatedTypeObject: ...

src/rust/src/declarative_asn1/asn1.rs

@@ -0,0 +1,43 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+use asn1::Asn1Writable;
+use pyo3::types::PyAnyMethods;
+
+use crate::declarative_asn1::types as asn1_types;
+
+#[pyo3::pyfunction]
+pub(crate) fn encode_der<'p>(
+    py: pyo3::Python<'p>,
+    value: &pyo3::Bound<'p, pyo3::types::PyAny>,
+) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
+    let class = value.get_type();
+
+    // TODO error messages are lost since asn1::WriteError does not allow
+    // specifying error messages
+    let encoded_bytes = if let Ok(root) = class.getattr("__asn1_root__") {
+        let root = root.downcast::<asn1_types::AnnotatedType>().map_err(|_| {
+            pyo3::exceptions::PyValueError::new_err(
+                "target type has invalid annotations".to_string(),
+            )
+        })?;
+        let object = asn1_types::AnnotatedTypeObject {
+            annotated_type: root.get(),
+            value: value.clone(),
+        };
+        asn1::write(|writer| object.write(writer))
+            .map_err(|e| pyo3::exceptions::PyValueError::new_err(e.to_string()))?
+    } else {
+        // Handle simple types directly
+        let annotated_type = asn1_types::non_root_type_to_annotated(py, &class, None)?;
+        let object = asn1_types::AnnotatedTypeObject {
+            annotated_type: &annotated_type,
+            value: value.clone(),
+        };
+        asn1::write(|writer| object.write(writer))
+            .map_err(|e| pyo3::exceptions::PyValueError::new_err(e.to_string()))?
+    };
+
+    Ok(pyo3::types::PyBytes::new(py, &encoded_bytes))
+}

src/rust/src/declarative_asn1/encode.rs

@@ -0,0 +1,59 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+use asn1::{SimpleAsn1Writable, Writer};
+use pyo3::types::PyAnyMethods;
+
+use crate::declarative_asn1::types::{AnnotatedType, AnnotatedTypeObject, Type};
+
+fn write_value<T: SimpleAsn1Writable>(
+    writer: &mut Writer<'_>,
+    value: &T,
+) -> Result<(), asn1::WriteError> {
+    writer.write_element(value)
+}
+
+impl asn1::Asn1Writable for AnnotatedTypeObject<'_> {
+    fn encoded_length(&self) -> Option<usize> {
+        None
+    }
+
+    fn write(&self, writer: &mut Writer<'_>) -> Result<(), asn1::WriteError> {
+        let value: pyo3::Bound<'_, pyo3::PyAny> = self.value.clone();
+        let py = value.py();
+        let annotated_type = self.annotated_type;
+
+        let inner = annotated_type.inner.get();
+        match &inner {
+            Type::Sequence(_cls, fields) => write_value(
+                writer,
+                &asn1::SequenceWriter::new(&|w| {
+                    for (name, ann_type) in fields.bind(py).into_iter() {
+                        let name = name
+                            .downcast::<pyo3::types::PyString>()
+                            .map_err(|_| asn1::WriteError::AllocationError)?;
+                        let ann_type = ann_type
+                            .downcast::<AnnotatedType>()
+                            .map_err(|_| asn1::WriteError::AllocationError)?;
+                        let object = AnnotatedTypeObject {
+                            annotated_type: ann_type.get(),
+                            value: self
+                                .value
+                                .getattr(name)
+                                .map_err(|_| asn1::WriteError::AllocationError)?,
+                        };
+                        w.write_element(&object)?;
+                    }
+                    Ok(())
+                }),
+            ),
+            Type::PyInt() => {
+                let val: i64 = value
+                    .extract()
+                    .map_err(|_| asn1::WriteError::AllocationError)?;
+                write_value(writer, &val)
+            }
+        }
+    }
+}

src/rust/src/declarative_asn1/mod.rs

@@ -0,0 +1,7 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+pub(crate) mod asn1;
+pub(crate) mod encode;
+pub(crate) mod types;