Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKCS7SignatureBuilder now supports new option NoCerts when signing #5500

Merged
merged 1 commit into from Oct 25, 2020
Merged

PKCS7SignatureBuilder now supports new option NoCerts when signing #5500

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
7 changes: 7 additions & 0 deletions docs/hazmat/primitives/asymmetric/serialization.rst
View file
Open in desktop
Expand Up @@ -699,6 +699,13 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
pass ``NoAttributes`` you can't pass ``NoCapabilities`` since
``NoAttributes`` removes ``MIMECapabilities`` and more.

.. attribute:: NoCerts

Don't include the signer's certificate in the PKCS7 structure. This can
reduce the size of the signature but requires that the recipient can
obtain the signer's certificate by other means (for example from a
previously signed message).

Serialization Formats
~~~~~~~~~~~~~~~~~~~~~

Expand Down
4 changes: 4 additions & 0 deletions src/cryptography/hazmat/backends/openssl/backend.py
View file
Open in desktop
Expand Up @@ -2719,6 +2719,10 @@ def pkcs7_sign(self, builder, encoding, options):
signer_flags |= self._lib.PKCS7_NOSMIMECAP
elif pkcs7.PKCS7Options.NoAttributes in options:
signer_flags |= self._lib.PKCS7_NOATTR

if pkcs7.PKCS7Options.NoCerts in options:
signer_flags |= self._lib.PKCS7_NOCERTS

for certificate, private_key, hash_algorithm in builder._signers:
md = self._evp_md_non_null_from_algorithm(hash_algorithm)
p7signerinfo = self._lib.PKCS7_sign_add_signer(
Expand Down
1 change: 1 addition & 0 deletions src/cryptography/hazmat/primitives/serialization/pkcs7.py
View file
Open in desktop
Expand Up @@ -120,3 +120,4 @@ class PKCS7Options(Enum):
DetachedSignature = "Don't embed data in the PKCS7 structure"
NoCapabilities = "Don't embed SMIME capabilities"
NoAttributes = "Don't embed authenticatedAttributes"
NoCerts = "Don't embed signer certificate"
17 changes: 17 additions & 0 deletions tests/hazmat/primitives/test_pkcs7.py
View file
Open in desktop
Expand Up @@ -535,6 +535,23 @@ def test_sign_no_attributes(self, backend):
backend,
)

def test_sign_no_certs(self, backend):
data = b"hello world"
cert, key = _load_cert_key()
builder = (
pkcs7.PKCS7SignatureBuilder()
.set_data(data)
.add_signer(cert, key, hashes.SHA256())
)

options = []
sig = builder.sign(serialization.Encoding.DER, options)
assert sig.count(cert.public_bytes(serialization.Encoding.DER)) == 1

options = [pkcs7.PKCS7Options.NoCerts]
sig_no = builder.sign(serialization.Encoding.DER, options)
assert sig_no.count(cert.public_bytes(serialization.Encoding.DER)) == 0

def test_multiple_signers(self, backend):
data = b"hello world"
cert, key = _load_cert_key()
Expand Down