x509: add Store API (#9411)

* Add x509.verification.Store

One of many sub-breakouts.

Signed-off-by: William Woodruff <[email protected]>

* lib: actually load the new verify module

Signed-off-by: William Woodruff <[email protected]>

* fix hints, add initial store tests

Signed-off-by: William Woodruff <[email protected]>

* verify: use `any` instead of for-if loop

Signed-off-by: William Woodruff <[email protected]>

* verify: mark Store as frozen

Signed-off-by: William Woodruff <[email protected]>

* verify: don't use an interior PyList

Signed-off-by: William Woodruff <[email protected]>

* verify: don't overthink the types

Signed-off-by: William Woodruff <[email protected]>

* verification: __all__

Signed-off-by: William Woodruff <[email protected]>

* verification: relocate __all__

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -40,3 +40,6 @@ class Certificate: ...
 class RevokedCertificate: ...
 class CertificateRevocationList: ...
 class CertificateSigningRequest: ...
+
+class Store:
+    def __init__(self, certs: list[x509.Certificate]) -> None: ...

src/cryptography/x509/__init__.py

@@ -4,7 +4,7 @@
 
 from __future__ import annotations
 
-from cryptography.x509 import certificate_transparency
+from cryptography.x509 import certificate_transparency, verification
 from cryptography.x509.base import (
     Attribute,
     AttributeNotFound,
@@ -179,6 +179,7 @@
     "load_pem_x509_crl",
     "load_der_x509_crl",
     "random_serial_number",
+    "verification",
     "Attribute",
     "AttributeNotFound",
     "Attributes",

src/cryptography/x509/verification.py

@@ -0,0 +1,9 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from cryptography.hazmat.bindings._rust import x509 as rust_x509
+
+__all__ = ["Store"]
+
+Store = rust_x509.Store

src/rust/src/lib.rs

@@ -153,6 +153,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()>
     crate::x509::crl::add_to_module(x509_mod)?;
     crate::x509::csr::add_to_module(x509_mod)?;
     crate::x509::sct::add_to_module(x509_mod)?;
+    crate::x509::verify::add_to_module(x509_mod)?;
     m.add_submodule(x509_mod)?;
 
     let ocsp_mod = pyo3::prelude::PyModule::new(py, "ocsp")?;

src/rust/src/x509/mod.rs

@@ -12,6 +12,7 @@ pub(crate) mod ocsp_req;
 pub(crate) mod ocsp_resp;
 pub(crate) mod sct;
 pub(crate) mod sign;
+pub(crate) mod verify;
 
 pub(crate) use common::{
     datetime_to_py, find_in_pem, parse_and_cache_extensions, parse_general_name,

src/rust/src/x509/verify.rs

@@ -0,0 +1,26 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+use crate::x509::certificate::Certificate as PyCertificate;
+
+#[pyo3::pyclass(
+    frozen,
+    name = "Store",
+    module = "cryptography.hazmat.bindings._rust.x509"
+)]
+struct PyStore(Vec<pyo3::Py<PyCertificate>>);
+
+#[pyo3::pymethods]
+impl PyStore {
+    #[new]
+    fn new(certs: Vec<pyo3::Py<PyCertificate>>) -> pyo3::PyResult<Self> {
+        Ok(Self(certs))
+    }
+}
+
+pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> {
+    module.add_class::<PyStore>()?;
+
+    Ok(())
+}

tests/x509/test_verification.py

@@ -0,0 +1,24 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+import os
+
+import pytest
+
+from cryptography import x509
+from cryptography.x509.verification import Store
+from tests.x509.test_x509 import _load_cert
+
+
+class TestStore:
+    def test_store_rejects_non_certificates(self):
+        with pytest.raises(TypeError):
+            Store(["not a cert"])  # type: ignore[list-item]
+
+    def test_store_initializes(self):
+        cert = _load_cert(
+            os.path.join("x509", "cryptography.io.pem"),
+            x509.load_pem_x509_certificate,
+        )
+        assert Store([cert]) is not None