rustls
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/generate.py‎
Lines changed: 2 additions & 288 deletions b/‎tests/generate.py‎
Lines changed: 2 additions & 288 deletions
@@ -92,6 +92,7 @@ once_cell = "1.17.2"
 rcgen = { version = "0.14.2", default-features = false, features = ["aws_lc_rs"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
+x509-parser = "0.18"
 
 [profile.bench]
 opt-level = 3
 
@@ -16,8 +16,8 @@
 
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric import rsa, ec, ed25519, padding
-from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
+from cryptography.hazmat.primitives.asymmetric import rsa, ec, ed25519
+from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.hazmat.backends import default_backend
 from cryptography.x509.oid import NameOID
 import datetime
@@ -189,284 +189,6 @@ def ca_cert(
     )
 
 
-def signatures(force: bool) -> None:
-    rsa_pub_exponent: int = 0x10001
-    backend: Any = default_backend()
-    all_key_types: dict[str, ANY_PRIV_KEY] = {
-        "ed25519": ed25519.Ed25519PrivateKey.generate(),
-        "ecdsa_p256": ec.generate_private_key(ec.SECP256R1(), backend),
-        "ecdsa_p384": ec.generate_private_key(ec.SECP384R1(), backend),
-        "ecdsa_p521": ec.generate_private_key(ec.SECP521R1(), backend),
-        "rsa_1024_not_supported": rsa.generate_private_key(
-            rsa_pub_exponent, 1024, backend
-        ),
-        "rsa_2048": rsa.generate_private_key(rsa_pub_exponent, 2048, backend),
-        "rsa_3072": rsa.generate_private_key(rsa_pub_exponent, 3072, backend),
-        "rsa_4096": rsa.generate_private_key(rsa_pub_exponent, 4096, backend),
-    }
-
-    feature_gates = {
-        "ECDSA_P521_SHA256": 'all(not(feature = "ring"), feature = "aws-lc-rs")',
-        "ECDSA_P521_SHA384": 'all(not(feature = "ring"), feature = "aws-lc-rs")',
-        "ECDSA_P521_SHA512": 'all(not(feature = "ring"), feature = "aws-lc-rs")',
-    }
-
-    rsa_types: list[str] = [
-        "RSA_PKCS1_2048_8192_SHA256",
-        "RSA_PKCS1_2048_8192_SHA384",
-        "RSA_PKCS1_2048_8192_SHA512",
-        "RSA_PSS_2048_8192_SHA256_LEGACY_KEY",
-        "RSA_PSS_2048_8192_SHA384_LEGACY_KEY",
-        "RSA_PSS_2048_8192_SHA512_LEGACY_KEY",
-    ]
-
-    webpki_algs: dict[str, Iterable[str]] = {
-        "ed25519": ["ED25519"],
-        "ecdsa_p256": ["ECDSA_P256_SHA384", "ECDSA_P256_SHA256"],
-        "ecdsa_p384": ["ECDSA_P384_SHA384", "ECDSA_P384_SHA256"],
-        "ecdsa_p521": ["ECDSA_P521_SHA512", "ECDSA_P521_SHA256", "ECDSA_P521_SHA384"],
-        "rsa_2048": rsa_types,
-        "rsa_3072": rsa_types + ["RSA_PKCS1_3072_8192_SHA384"],
-        "rsa_4096": rsa_types + ["RSA_PKCS1_3072_8192_SHA384"],
-    }
-
-    pss_sha256: padding.PSS = padding.PSS(
-        mgf=padding.MGF1(hashes.SHA256()), salt_length=32
-    )
-    pss_sha384: padding.PSS = padding.PSS(
-        mgf=padding.MGF1(hashes.SHA384()), salt_length=48
-    )
-    pss_sha512: padding.PSS = padding.PSS(
-        mgf=padding.MGF1(hashes.SHA512()), salt_length=64
-    )
-
-    how_to_sign: dict[str, SIGNER] = {
-        "ED25519": lambda key, message: key.sign(message),
-        "ECDSA_P256_SHA256": lambda key, message: key.sign(
-            message, ec.ECDSA(hashes.SHA256())
-        ),
-        "ECDSA_P256_SHA384": lambda key, message: key.sign(
-            message, ec.ECDSA(hashes.SHA384())
-        ),
-        "ECDSA_P384_SHA256": lambda key, message: key.sign(
-            message, ec.ECDSA(hashes.SHA256())
-        ),
-        "ECDSA_P384_SHA384": lambda key, message: key.sign(
-            message, ec.ECDSA(hashes.SHA384())
-        ),
-        "ECDSA_P521_SHA256": lambda key, message: key.sign(
-            message, ec.ECDSA(hashes.SHA256())
-        ),
-        "ECDSA_P521_SHA384": lambda key, message: key.sign(
-            message, ec.ECDSA(hashes.SHA384())
-        ),
-        "ECDSA_P521_SHA512": lambda key, message: key.sign(
-            message, ec.ECDSA(hashes.SHA512())
-        ),
-        "RSA_PKCS1_2048_8192_SHA256": lambda key, message: key.sign(
-            message, padding.PKCS1v15(), hashes.SHA256()
-        ),
-        "RSA_PKCS1_2048_8192_SHA384": lambda key, message: key.sign(
-            message, padding.PKCS1v15(), hashes.SHA384()
-        ),
-        "RSA_PKCS1_2048_8192_SHA512": lambda key, message: key.sign(
-            message, padding.PKCS1v15(), hashes.SHA512()
-        ),
-        "RSA_PKCS1_3072_8192_SHA384": lambda key, message: key.sign(
-            message, padding.PKCS1v15(), hashes.SHA384()
-        ),
-        "RSA_PSS_2048_8192_SHA256_LEGACY_KEY": lambda key, message: key.sign(
-            message, pss_sha256, hashes.SHA256()
-        ),
-        "RSA_PSS_2048_8192_SHA384_LEGACY_KEY": lambda key, message: key.sign(
-            message, pss_sha384, hashes.SHA384()
-        ),
-        "RSA_PSS_2048_8192_SHA512_LEGACY_KEY": lambda key, message: key.sign(
-            message, pss_sha512, hashes.SHA512()
-        ),
-    }
-
-    output_dir: str = "signatures"
-    if not os.path.isdir(output_dir):
-        os.mkdir(output_dir)
-
-    message = b"hello world!"
-    message_path: str = os.path.join(output_dir, "message.bin")
-    write_der(message_path, message, force)
-
-    def _cert_path(cert_type: str) -> str:
-        return os.path.join(output_dir, f"{cert_type}.ee.der")
-
-    def _rpk_path(rpk_type: str) -> str:
-        return os.path.join(output_dir, f"{rpk_type}.spki.der")
-
-    for name, private_key in all_key_types.items():
-        ee_subject = x509.Name(
-            [x509.NameAttribute(NameOID.ORGANIZATION_NAME, name + " test")]
-        )
-        issuer_subject = x509.Name(
-            [x509.NameAttribute(NameOID.ORGANIZATION_NAME, name + " issuer")]
-        )
-        certificate: x509.Certificate = end_entity_cert(
-            subject_name=ee_subject,
-            subject_key=private_key,
-            issuer_name=issuer_subject,
-        )
-
-        rpk_pub_key = private_key.public_key().public_bytes(
-            Encoding.DER, PublicFormat.SubjectPublicKeyInfo
-        )
-        write_der(_rpk_path(name), rpk_pub_key, force)
-        write_der(_cert_path(name), certificate.public_bytes(Encoding.DER), force)
-
-    def _test(
-        test_name: str, cert_type: str, algorithm: str, signature: bytes, expected: str
-    ) -> None:
-        nonlocal message_path  # noqa: F824
-        cert_path: str = _cert_path(cert_type)
-        rpk_path: str = _rpk_path(cert_type)
-        lower_test_name: str = test_name.lower()
-
-        sig_path: str = os.path.join(output_dir, f"{lower_test_name}.sig.bin")
-        write_der(sig_path, signature, force)
-        feature_gate: str = feature_gates.get(algorithm, "")
-        if feature_gate:
-            feature_gate = f"#[cfg({feature_gate})]\n"
-
-        print(
-            """
-#[test]
-%(feature_gate)sfn %(lower_test_name)s() {
-    let ee = include_bytes!("%(cert_path)s");
-    let message = include_bytes!("%(message_path)s");
-    let signature = include_bytes!("%(sig_path)s");
-    assert_eq!(
-        check_sig(ee, %(algorithm)s, message, signature),
-        %(expected)s
-    );
-}""" % locals(),
-            file=output,
-        )
-
-        print(
-            """
-#[test]
-%(feature_gate)sfn %(lower_test_name)s_rpk() {
-    let rpk = include_bytes!("%(rpk_path)s");
-    let message = include_bytes!("%(message_path)s");
-    let signature = include_bytes!("%(sig_path)s");
-    assert_eq!(
-        check_sig_rpk(rpk, %(algorithm)s, message, signature),
-        %(expected)s
-    );
-}""" % locals(),
-            file=output,
-        )
-
-    def good_signature(
-        test_name: str, cert_type: str, algorithm: str, signer: SIGNER
-    ) -> None:
-        signature: bytes = signer(all_key_types[cert_type], message)
-        _test(test_name, cert_type, algorithm, signature, expected="Ok(())")
-
-    def good_signature_but_rejected(
-        test_name: str, cert_type: str, algorithm: str, signer: SIGNER
-    ) -> None:
-        signature: bytes = signer(all_key_types[cert_type], message)
-        _test(
-            test_name,
-            cert_type,
-            algorithm,
-            signature,
-            expected="Err(webpki::Error::InvalidSignatureForPublicKey)",
-        )
-
-    def bad_signature(
-        test_name: str, cert_type: str, algorithm: str, signer: SIGNER
-    ) -> None:
-        signature: bytes = signer(all_key_types[cert_type], message + b"?")
-        _test(
-            test_name,
-            cert_type,
-            algorithm,
-            signature,
-            expected="Err(webpki::Error::InvalidSignatureForPublicKey)",
-        )
-
-    def bad_algorithms_for_key(
-        test_name: str, cert_type: str, unusable_algs: set[str]
-    ) -> None:
-        cert_path: str = _cert_path(cert_type)
-        test_name_lower: str = test_name.lower()
-        unusable_algs_str: str = ", ".join(alg for alg in sorted(unusable_algs))
-        print(
-            """
-#[test]
-fn %(test_name_lower)s() {
-    let ee = include_bytes!("%(cert_path)s");
-    for algorithm in &[ %(unusable_algs_str)s ] {
-        assert!(matches!(
-            check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
-        ));
-    }
-}""" % locals(),
-            file=output,
-        )
-
-    with trim_top("signatures.rs") as output:
-        # compute all webpki algorithms covered by these tests
-        all_webpki_algs: set[str] = set(
-            [item for algs in webpki_algs.values() for item in algs]
-        )
-
-        for type, algs in webpki_algs.items():
-            for alg in algs:
-                signer: SIGNER = how_to_sign[alg]
-                good_signature(
-                    type + "_key_and_" + alg + "_good_signature",
-                    cert_type=type,
-                    algorithm=alg,
-                    signer=signer,
-                )
-                bad_signature(
-                    type + "_key_and_" + alg + "_detects_bad_signature",
-                    cert_type=type,
-                    algorithm=alg,
-                    signer=signer,
-                )
-
-            unusable_algs = set(all_webpki_algs)
-            for alg in algs:
-                unusable_algs.remove(alg)
-
-            # special case: tested separately below
-            if type == "rsa_2048":
-                unusable_algs.remove("RSA_PKCS1_3072_8192_SHA384")
-
-            unusable_algs = {
-                (
-                    "#[cfg(%s)] %s" % (feature_gates[alg], alg)
-                    if alg in feature_gates
-                    else alg
-                )
-                for alg in unusable_algs
-            }
-
-            bad_algorithms_for_key(
-                type + "_key_rejected_by_other_algorithms",
-                cert_type=type,
-                unusable_algs=unusable_algs,
-            )
-
-        good_signature_but_rejected(
-            "rsa_2048_key_rejected_by_RSA_PKCS1_3072_8192_SHA384",
-            cert_type="rsa_2048",
-            algorithm="RSA_PKCS1_3072_8192_SHA384",
-            signer=signer,
-        )
-
-
 def client_auth_revocation(force: bool) -> None:
     output_dir: str = "client_auth_revocation"
     if not os.path.isdir(output_dir):
@@ -1840,12 +1562,6 @@ def _expired_crl_enforce_expiration() -> None:
 
 if __name__ == "__main__":
     parser = argparse.ArgumentParser()
-    parser.add_argument(
-        "--signatures",
-        action=argparse.BooleanOptionalAction,
-        default=True,
-        help="Generate signature testcases",
-    )
     parser.add_argument(
         "--client-auth-revocation",
         action=argparse.BooleanOptionalAction,
@@ -1872,8 +1588,6 @@ def _expired_crl_enforce_expiration() -> None:
     )
     args = parser.parse_args()
 
-    if args.signatures:
-        signatures(args.force)
     if args.client_auth_revocation:
         client_auth_revocation(args.force)