fix: adapted docmentation

fix: passed into Cow again

coverage: added one test case

Author: nitneuqr

docs/hazmat/primitives/asymmetric/serialization.rst

@@ -1189,6 +1189,63 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
     -----END PRIVATE KEY-----
     """.strip()
 
+    verify_cert = b"""
+    -----BEGIN CERTIFICATE-----
+    MIID9zCCAt+gAwIBAgIQIxMA+XhyS9Ou0qAc0zPyVTANBgkqhkiG9w0BAQsFADAN
+    MQswCQYDVQQDDAJDQTAeFw0yNTAxMDUxMDQ4MjhaFw0yNjAxMDUxMDQ4MjhaMCUx
+    IzAhBgkqhkiG9w0BCQEWFGRlbW8xQHRyaXNvZnQuY29tLnBsMIIBIjANBgkqhkiG
+    9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0WRzh5y+QmEUjCm+iHXZLrstOSSEhiEcUre
+    3L8zkuGYVLCKBEvmaHQI7uCu/xdqEht6/wEBCiK+KLdGDVrD4v3A7TnmHzzhvqCs
+    BTL/EmnD3ZMAJVYv4uEBaFpFPSYnPswd353E6KRkFYR4RmFjG9xLTayHXOKqCF6d
+    Hd3uVR7NSs98uhcSYRV7g4NdjmaDj8kz5HeRMfr/uqbcriJ9tu/ljFBWYSwPeiNY
+    nYhaOBLpUhZckyjFDfC+UpwOBPlkK7J047urvzG21xCtVU9DMHtXMkXYe/C+WSm1
+    MRYtgcsOTxpGf+ujceltI2/+IUhWxr5ys7m+xM1jYaM4O1Pw0QIDAQABo4IBOTCC
+    ATUwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQduUy7zqv6z3uk4fJeifohSntD
+    2TAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2EudHJpc29mdC5jb20ucGwvY3Js
+    MGYGCCsGAQUFBwEBBFowWDArBggrBgEFBQcwAoYfaHR0cDovL2NhLnRyaXNvZnQu
+    Y29tLnBsL2NhY2VydDApBggrBgEFBQcwAYYdaHR0cDovL2NhLnRyaXNvZnQuY29t
+    LnBsL29jc3AwHwYDVR0RBBgwFoEUZGVtbzFAdHJpc29mdC5jb20ucGwwHQYDVR0l
+    BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBT0/QFDFX/CCMsX356G
+    ImiWwPYxjDAOBgNVHQ8BAf8EBAMCA+gwDQYJKoZIhvcNAQELBQADggEBAL3Iisca
+    IqoFBLMox3cIhCANWO/U1eOvjDjfM/tOHn+6jci/pL/ZHgdRtqCCiaCKtJED/f/9
+    NFUKqcSZ9+vzW0RWLJxHgIvCSjLpoM06XClSlxjVnv62Hb1NC4FfDfnzyG+DZHus
+    nz/MQuXNwHntA6+JyB/HWHUie2ierQYH2mEN1XIJm5luSGwtuGaWfNz/w324ukcV
+    pMd3CbEOZqqfSYGWUHOVG90/OMSfKA/I0hia8Yij0X4Ny+b+bLnHaoozZwJ/UqBl
+    9ptbfiOOuFXJP7gt547Rp6+2C0XGJM+le0EYlUzbWE6UWgxaIRp5uc8HnUd5e4lX
+    br+Ixxcl3WHckkk=
+    -----END CERTIFICATE-----
+    """.strip()
+
+    verify_key = b"""
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEowIBAAKCAQEAt0WRzh5y+QmEUjCm+iHXZLrstOSSEhiEcUre3L8zkuGYVLCK
+    BEvmaHQI7uCu/xdqEht6/wEBCiK+KLdGDVrD4v3A7TnmHzzhvqCsBTL/EmnD3ZMA
+    JVYv4uEBaFpFPSYnPswd353E6KRkFYR4RmFjG9xLTayHXOKqCF6dHd3uVR7NSs98
+    uhcSYRV7g4NdjmaDj8kz5HeRMfr/uqbcriJ9tu/ljFBWYSwPeiNYnYhaOBLpUhZc
+    kyjFDfC+UpwOBPlkK7J047urvzG21xCtVU9DMHtXMkXYe/C+WSm1MRYtgcsOTxpG
+    f+ujceltI2/+IUhWxr5ys7m+xM1jYaM4O1Pw0QIDAQABAoIBAEiVCdiq4HfWmAwA
+    7rBTZL2k9gfyGhOGmDVSJI8iPiemprCrtg1bjeXCRqNsYoHuYPjI315MpH/CILN5
+    WgoB72BfhN+utX+bmf/oHBh3COPe9U40YLNovdBJskgEsDU2fgZ1ykL8dbZ5HJYU
+    /5lICntHNJ+Pe5CCyDpGVk00zqXwwBDV7hBhbPZxXqdRwdA49yyLIdw/IlMQph9A
+    zuJ0cyicQ0eFSFb1nCv/11hx3RyhfZvn/V3/F3BIP1gBipc3npldvCXhM4CjNYSe
+    tilKiqlYt2exD95RR7NdtL16UcRRCOblgGh23qjJOIb8N4dsr8xbeeCN3A69lILo
+    fgVs2J0CgYEA5noMFh9GFkZFhMIBFPhTlEn+VgWfwK9gWfcyy5GlVsMfp4UA+Alc
+    JSqz+0y1es2yoF0N4ckFsuZuh0GFZxFg46cE6WL1mO6NyzbND8VItQ3Mb2nsJiDC
+    xtJCiLqekfXudbmkNkmXleOIW16ZHorkgJADs0LDehGEGJh6lTxOc7MCgYEAy5FG
+    FGRHGncMyhkoyw6iZC+vmcpvoiu4HfKmTIPQDm6MGS6CxGU6BcX7IgPjdQkogY7s
+    UUP7lYnlvR2G8u4rOqrEMhjAsbudYSry24iAvcalT5lRYud2dh/8cpamfC9TrrUt
+    Zd/p8/lvkLTiF7j88QB6onFtm3seagma4hUJl2sCgYAzo8zpeABgJUaWRFGxvSIc
+    66dM5t2wcpsIDVcYPX3qPrXs9uQMrywyN6sz9zACX+xR+geOO1hHiVHihE+7lC09
+    VMLI+B9HMMwcaB7yFaYAyyKvI/CBan25xoqZ0BaPZacUQZAFid+o+d4ner6cFUq1
+    c48gryjVRO9wA1oT7fs1+QKBgBBzPOaI8/X/iNkMD2/ZTuYptFcJNNw2DDrfUPD9
+    9eI0rL2cNJUKWRX+Wbz183uRseRGWHJ4u+vpqNcPe8hF1th21EP4HBpAvwcLIXT8
+    IuszEkjMavdDHR+OlifsZKfEa07C9Vg2MAG3NnzLITopiMcw8rgN0n2uBVcsT4fV
+    i2DhAoGBAIJtHUe9e8oPrasRlZ3bTFmDT+jNg+7RB8ebG8ZDqAUI3/gnklUd0+rF
+    nPGI8GEpjwgBxB/zg4/rYz/TEP0E2pd0beWH2vKD31kQVngbz/zhzLHCNLyKDlB4
+    vFHpXRHb7ddgTLjHbg6GvY/pRRCqSxWnLgNRW4m+pyLzAx/Hpk1D
+    -----END RSA PRIVATE KEY-----
+    """.strip()
+
 .. class:: PKCS7SignatureBuilder
 
     The PKCS7 signature builder can create both basic PKCS7 signed messages as
@@ -1267,7 +1324,7 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
         :returns bytes: The signed PKCS7 message.
 
 
-.. function:: pkcs7_verify_der(data, content, certificate, options)
+.. function:: pkcs7_verify_der(data, content=None, certificate=None, options=None)
 
     .. versionadded:: 45.0.0
 
@@ -1276,16 +1333,16 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
         >>> from cryptography import x509
         >>> from cryptography.hazmat.primitives import hashes, serialization
         >>> from cryptography.hazmat.primitives.serialization import pkcs7
-        >>> cert = x509.load_pem_x509_certificate(ca_cert)
-        >>> key = serialization.load_pem_private_key(ca_key, None)
+        >>> cert = x509.load_pem_x509_certificate(verify_cert)
+        >>> key = serialization.load_pem_private_key(verify_key, None)
         >>> signed = pkcs7.PKCS7SignatureBuilder().set_data(
         ...     b"data to sign"
         ... ).add_signer(
         ...     cert, key, hashes.SHA256()
         ... ).sign(
         ...     serialization.Encoding.DER, []
         ... )
-        >>> pkcs7.pkcs7_verify_der(signed, None, cert, [])
+        >>> pkcs7.pkcs7_verify_der(signed)
 
     Deserialize and verify a DER-encoded PKCS7 signed message. PKCS7 (or S/MIME) has multiple
     versions, but this supports a subset of :rfc:`5751`, also known as S/MIME Version 3.2. If the
@@ -1295,15 +1352,21 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
     :type data: bytes
 
     :param content: if specified, the content to verify against the signed message. If the content
-        is not specified, the function will look for the content in the signed message.
-    :type data: bytes or None
+        is not specified, the function will look for the content in the signed message. Defaults to
+        None.
+    :type content: bytes or None
 
-    :param certificate: A :class:`~cryptography.x509.Certificate` to verify against the signed
-        message.
+    :param certificate: if specified, a :class:`~cryptography.x509.Certificate` to verify against
+        the signed message. If None, the function will look for the signer certificate in the signed
+        message. Defaults to None.
+    :type certificate: :class:`~cryptography.x509.Certificate` or None
 
     :param options: A list of
-        :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For 
-        this operation, no options are supported as of now.
+        :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For this
+        operation, the `NoSigs` and `NoVerify` options are supported. If `NoSigs` is specified, the
+        function will not verify the signature in the PKCS#7 message. If `NoVerify` is specified,
+        the function will not verify the certificates in the PKCS#7 message. Defaults to None. 
+    :type options: list[`~cryptography.x509.Certificate`] or None
 
     :raises ValueError: If the recipient certificate does not match any of the signers in the
         PKCS7 data.
@@ -1313,7 +1376,7 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
     :raises ValueError: If the PKCS7 data is not of the signed data type.
 
 
-.. function:: pkcs7_verify_pem(data, content, certificate, options)
+.. function:: pkcs7_verify_pem(data, content=None, certificate=None, options=None)
 
     .. versionadded:: 45.0.0
 
@@ -1322,16 +1385,16 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
         >>> from cryptography import x509
         >>> from cryptography.hazmat.primitives import hashes, serialization
         >>> from cryptography.hazmat.primitives.serialization import pkcs7
-        >>> cert = x509.load_pem_x509_certificate(ca_cert)
-        >>> key = serialization.load_pem_private_key(ca_key, None)
+        >>> cert = x509.load_pem_x509_certificate(verify_cert)
+        >>> key = serialization.load_pem_private_key(verify_key, None)
         >>> signed = pkcs7.PKCS7SignatureBuilder().set_data(
         ...     b"data to sign"
         ... ).add_signer(
         ...     cert, key, hashes.SHA256()
         ... ).sign(
         ...     serialization.Encoding.PEM, []
         ... )
-        >>> pkcs7.pkcs7_verify_pem(signed, None, cert, [])
+        >>> pkcs7.pkcs7_verify_pem(signed)
 
     Deserialize and verify a PEM-encoded PKCS7 signed message. PKCS7 (or S/MIME) has multiple
     versions, but this supports a subset of :rfc:`5751`, also known as S/MIME Version 3.2. If the
@@ -1341,15 +1404,21 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
     :type data: bytes
 
     :param content: if specified, the content to verify against the signed message. If the content
-        is not specified, the function will look for the content in the signed message.
-    :type data: bytes or None
+        is not specified, the function will look for the content in the signed message. Defaults to
+        None.
+    :type content: bytes or None
 
-    :param certificate: A :class:`~cryptography.x509.Certificate` to verify against the signed
-        message.
+    :param certificate: if specified, a :class:`~cryptography.x509.Certificate` to verify against
+        the signed message. If None, the function will look for the signer certificate in the signed
+        message. Defaults to None.
+    :type certificate: :class:`~cryptography.x509.Certificate` or None
 
     :param options: A list of
-        :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For 
-        this operation, no options are supported as of now.
+        :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For this
+        operation, the `NoSigs` and `NoVerify` options are supported. If `NoSigs` is specified, the
+        function will not verify the signature in the PKCS#7 message. If `NoVerify` is specified,
+        the function will not verify the certificates in the PKCS#7 message. Defaults to None. 
+    :type options: list[`~cryptography.x509.Certificate`] or None
 
     :raises ValueError: If the PEM data does not have the PKCS7 tag.
 
@@ -1361,7 +1430,7 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
     :raises ValueError: If the PKCS7 data is not of the signed data type.
 
 
-.. function:: pkcs7_verify_smime(data, content, certificate, options)
+.. function:: pkcs7_verify_smime(data, content=None, certificate=None, options=None)
 
     .. versionadded:: 45.0.0
 
@@ -1370,16 +1439,16 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
         >>> from cryptography import x509
         >>> from cryptography.hazmat.primitives import hashes, serialization
         >>> from cryptography.hazmat.primitives.serialization import pkcs7
-        >>> cert = x509.load_pem_x509_certificate(ca_cert)
-        >>> key = serialization.load_pem_private_key(ca_key, None)
+        >>> cert = x509.load_pem_x509_certificate(verify_cert)
+        >>> key = serialization.load_pem_private_key(verify_key, None)
         >>> signed = pkcs7.PKCS7SignatureBuilder().set_data(
         ...     b"data to sign"
         ... ).add_signer(
         ...     cert, key, hashes.SHA256()
         ... ).sign(
         ...     serialization.Encoding.SMIME, []
         ... )
-        >>> pkcs7.pkcs7_verify_smime(signed, None, cert, [])
+        >>> pkcs7.pkcs7_verify_smime(signed)
 
     Verify a PKCS7 signed message stored in a MIME message, by reading it, extracting the content
     (if any) and signature, deserializing the signature and verifying it against the content. PKCS7
@@ -1392,15 +1461,21 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
 
     :param content: if specified, the content to verify against the signed message. If the content
         is not specified, the function will look for the content in the MIME message and in the
-        signature.
-    :type data: bytes or None
+        signature. Defaults to None.
+    :type content: bytes or None
 
-    :param certificate: A :class:`~cryptography.x509.Certificate` to verify against the signed
-        message.
+    :param certificate: if specified, a :class:`~cryptography.x509.Certificate` to verify against
+        the signed message. If None, the function will look for the signer certificate in the signed
+        message. Defaults to None.
+    :type certificate: :class:`~cryptography.x509.Certificate` or None
 
     :param options: A list of
-        :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For 
-        this operation, no options are supported as of now.
+        :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For this
+        operation, the `NoSigs` and `NoVerify` options are supported. If `NoSigs` is specified, the
+        function will not verify the signature in the PKCS#7 message. If `NoVerify` is specified,
+        the function will not verify the certificates in the PKCS#7 message. Defaults to None. 
+    :type options: list[`~cryptography.x509.Certificate`] or None
+
 
     :raises ValueError: If the MIME message is not a S/MIME signed message: content type is
         different than ``multipart/signed`` or ``application/pkcs7-mime``.

src/rust/src/pkcs7.rs

@@ -744,10 +744,10 @@ fn verify_der<'p>(
 ) -> CryptographyResult<()> {
     // Check the verify options
     let options = match options {
-        Some(options) => options,
-        None => &pyo3::types::PyList::empty(py),
+        Some(options) => Cow::Borrowed(options),
+        None => Cow::Owned(pyo3::types::PyList::empty(py)),
     };
-    check_verify_options(py, options)?;
+    check_verify_options(py, &options)?;
 
     // Verify the data
     let content_info = asn1::parse_single::<pkcs7::ContentInfo<'_>>(signature)?;

tests/hazmat/primitives/test_pkcs7.py

@@ -902,6 +902,7 @@ def test_not_a_cert(self, backend):
         "invalid_options",
         [
             [b"invalid"],
+            [pkcs7.PKCS7Options.Binary],
         ],
     )
     def test_pkcs7_verify_invalid_options(self, backend, invalid_options):