PyPI - webtoken - Versions diffs - 0.6.3__tar.gz → 0.6.4__tar.gz - Mend

webtoken 0.6.3tar.gz → 0.6.4tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

{webtoken-0.6.3 → webtoken-0.6.4}/Cargo.toml RENAMED Viewed

@@ -20,6 +20,7 @@ argon2 = "0.5.3"
 flate2 = "1.1.9"
 subtle = "2.6"
 base64 = "0.22"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "1.0", features = ["preserve_order"] }

{webtoken-0.6.3 → webtoken-0.6.4}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: webtoken
-Version: 0.6.3
+Version: 0.6.4
 Summary: A Rust-backed JWT library
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM

{webtoken-0.6.3 → webtoken-0.6.4}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "maturin"
 [project]
 name = "webtoken"
-version = "0.6.3"
+version = "0.6.4"
 description = "A Rust-backed JWT library"
 readme = "README.md"
 requires-python = ">=3.12"

{webtoken-0.6.3 → webtoken-0.6.4}/src/crypto_parsing.rs RENAMED Viewed

@@ -1,10 +1,10 @@
 use base64::{engine::general_purpose::STANDARD, Engine as _};
+use num_bigint::BigUint;
-use pyo3::prelude::{Bound, PyModule, wrap_pyfunction, PyModuleMethods};
-use pyo3::{pyfunction, PyResult, exceptions::PyValueError};
+use pyo3::prelude::{Bound, PyModule, wrap_pyfunction, PyModuleMethods, Python, PyDictMethods};
+use pyo3::{pyfunction, PyResult, exceptions::PyValueError, types::PyDict};
-use crate::{WebtokenError, };
+use crate::WebtokenError;
 pub const OID_EC_PUBLIC_KEY: &[u8] = &[0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01];
 pub const OID_P192: &[u8] = &[0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x01];
@@ -13,7 +13,13 @@ pub const OID_P384: &[u8] = &[0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22];
 pub const OID_P521: &[u8] = &[0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23];
 pub const OID_SECP256K1: &[u8] = &[0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A];
 pub const OID_RSA_ENCRYPTION: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01];
 pub const OID_COMMON_NAME: &[u8] = &[0x55, 0x04, 0x03]; // 2.5.4.3
+pub const OID_COUNTRY: &[u8] = &[0x55, 0x04, 0x06];
+pub const OID_ORG: &[u8] = &[0x55, 0x04, 0x0a];
+pub const OID_ORG_UNIT: &[u8] = &[0x55, 0x04, 0x0b];
+pub const OID_KEY_USAGE: &[u8] = &[0x55, 0x1d, 0x0f]; // 2.5.29.15
+pub const OID_AUTHORITY_KEY_IDENTIFIER: &[u8] = &[0x55, 0x1d, 0x23]; // 2.5.29.35
 // ============================================================================
@@ -247,13 +253,41 @@ impl<'a> DerReader<'a> {
             Ok(Some(DerReader::new(content)))
         } else { Ok(None) }
     }
-}
+    /// Returns the exact raw bytes of the current Tag-Length-Value object without parsing inside it
+    pub fn read_tlv(&mut self) -> Result<&'a [u8], String> {
+        let original_input = self.input;
+        let _ = self.read_tag()?; // Advance past it
+        let consumed = original_input.len() - self.input.len();
+        Ok(&original_input[..consumed])
+    }
+    /// Reads an IMPLICIT tag (e.g., Context Specific [0] -> 0x80)
+    pub fn read_optional_implicit(&mut self, tag_id: u8) -> Result<Option<&'a [u8]>, String> {
+        if !self.input.is_empty() && self.input[0] == (0x80 | tag_id) {
+            let (_, content) = self.read_tag()?;
+            Ok(Some(content))
+        } else { Ok(None) }
+    }
+}
 // ============================================================================
 //  X.509 Certificate Parsing
 // ============================================================================
+fn decode_directory_string(tag: u8, content: &[u8]) -> Result<String, String> {
+    if tag == 0x1E { // BMPString (UTF-16 BE)
+        if content.len() % 2 != 0 { return Err("Invalid BMPString length".into()); }
+        let utf16_data: Vec<u16> = content.chunks_exact(2).map(|c| u16::from_be_bytes([c[0], c[1]])).collect();
+        String::from_utf16(&utf16_data).map_err(|_| "Invalid UTF-16 in string".into())
+    } else {
+        // UTF8String (0x0C), PrintableString (0x13), TeletexString (0x14)
+        String::from_utf8(content.to_vec()).map_err(|_| "Invalid UTF-8 in string".into())
+    }
+}
 pub fn get_x509_subject_cn(der: &[u8]) -> Result<String, String> {
     let mut cert = DerReader::new(der).read_sequence()?;
@@ -288,33 +322,186 @@ pub fn get_x509_subject_cn(der: &[u8]) -> Result<String, String> {
             if let Ok(oid) = attr_seq.read_oid() {
                 // If the OID matches the Common Name (CN) OID
                 if oid == OID_COMMON_NAME {
-                    // Extract the string tag and the raw bytes
                     let (str_tag, string_content) = attr_seq.read_tag()?;
-                    // 0x1E is BMPString (UTF-16 Big Endian) - Common in Microsoft AD CS / Smart Cards
-                    if str_tag == 0x1E {
-                        if string_content.len() % 2 != 0 {
-                            return Err("Invalid BMPString length".into());
+                    return decode_directory_string(str_tag, string_content);
+                }
+            }
+        }
+    }
+    Err("Common Name (CN) not found in certificate".into())
+}
+fn parse_asn1_time(tag: u8, content: &[u8]) -> Result<u64, String> {
+    let s = std::str::from_utf8(content).map_err(|_| "Invalid time string")?;
+    let (y, mo, d, h, m, sec) = if tag == 0x17 { // UTCTime
+        let y2 = s[0..2].parse::<u64>().unwrap_or(0);
+        let y = if y2 < 50 { 2000 + y2 } else { 1900 + y2 };
+        (y, s[2..4].parse().unwrap_or(1), s[4..6].parse().unwrap_or(1), s[6..8].parse().unwrap_or(0), s[8..10].parse().unwrap_or(0), s[10..12].parse().unwrap_or(0))
+    } else if tag == 0x18 { // GeneralizedTime
+        (s[0..4].parse().unwrap_or(1970), s[4..6].parse().unwrap_or(1), s[6..8].parse().unwrap_or(1), s[8..10].parse().unwrap_or(0), s[10..12].parse().unwrap_or(0), s[12..14].parse().unwrap_or(0))
+    } else {
+        return Err("Unknown time tag".into());
+    };
+    // Quick Unix Timestamp Calculation (Valid from 1970 to 2100)
+    let mut days = 0;
+    for year in 1970..y { days += if (year % 4 == 0 && year % 100 != 0) || (year % 400 == 0) { 366 } else { 365 }; }
+    let days_in_month = [0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];
+    for month in 1..mo {
+        let mut dim = days_in_month[month as usize];
+        if month == 2 && ((y % 4 == 0 && y % 100 != 0) || (y % 400 == 0)) { dim = 29; }
+        days += dim;
+    }
+    days += d - 1;
+    Ok(days * 86400 + h * 3600 + m * 60 + sec)
+}
+fn parse_x509_name(content: &[u8]) -> String {
+    let mut parts = Vec::new();
+    let mut outer = DerReader::new(content);
+    // Unpack the outer SEQUENCE envelope first
+    if let Ok(mut seq) = outer.read_sequence() {
+        while !seq.input.is_empty() {
+            if let Ok((tag, set_data)) = seq.read_tag() {
+                if tag == 0x31 { // Ensure it's a SET
+                    let mut set_r = DerReader::new(set_data);
+                    while !set_r.input.is_empty() {
+                        if let Ok(mut attr) = set_r.read_sequence() {
+                            if let Ok(oid) = attr.read_oid() {
+                                let label = match oid {
+                                    OID_COMMON_NAME => "CN",
+                                    OID_COUNTRY => "C",
+                                    OID_ORG => "O",
+                                    OID_ORG_UNIT => "OU",
+                                    _ => "Unknown"
+                                };
+                                if let Ok((str_tag, val)) = attr.read_tag() {
+                                    if let Ok(s) = decode_directory_string(str_tag, val) {
+                                        parts.push(format!("{}={}", label, s));
+                                    }
+                                }
+                            }
                         }
-                        let utf16_data: Vec<u16> = string_content
-                            .chunks_exact(2)
-                            .map(|c| u16::from_be_bytes([c[0], c[1]]))
-                            .collect();
-                        return String::from_utf16(&utf16_data)
-                            .map_err(|_| "Invalid UTF-16 in Common Name".into());
-                    }
-                    // 0x0C is UTF8String, 0x13 is PrintableString, 0x14 is TeletexString
-                    else {
-                        return String::from_utf8(string_content.to_vec())
-                            .map_err(|_| "Invalid UTF-8 in Common Name".into());
                     }
                 }
             }
         }
     }
+    // Reverse to match standard RFC4514 representation (from most specific to least)
+    parts.reverse();
+    parts.join(",")
+}
+#[pyfunction]
+pub fn get_x509_public_key(der_bytes: &[u8]) -> PyResult<Vec<u8>> {
+    let mut cert = DerReader::new(der_bytes).read_sequence().map_err(PyValueError::new_err)?;
+    let mut tbs = cert.read_sequence().map_err(PyValueError::new_err)?;
+    let _ = tbs.read_optional_explicit(0); // Version
+    let _ = tbs.read_integer_bytes();      // Serial
+    let _ = tbs.read_sequence();           // Sig Alg
+    let _ = tbs.read_sequence();           // Issuer
+    let _ = tbs.read_sequence();           // Validity
+    let _ = tbs.read_sequence();           // Subject
-    Err("Common Name (CN) not found in certificate".into())
+    // The next object is the SubjectPublicKeyInfo. We extract the raw DER bytes natively!
+    let spki_der = tbs.read_tlv().map_err(PyValueError::new_err)?;
+    Ok(spki_der.to_vec())
+}
+#[pyfunction]
+pub fn get_x509_metadata<'py>(py: Python<'py>, der_bytes: &[u8]) -> PyResult<Bound<'py, PyDict>> {
+    let mut cert = DerReader::new(der_bytes).read_sequence().map_err(PyValueError::new_err)?;
+    let mut tbs = cert.read_sequence().map_err(PyValueError::new_err)?;
+    let dict = PyDict::new(py);
+    let _ = tbs.read_optional_explicit(0); // Version
+    // 1. Serial Number (Parsed to BigInt Base-10 string just like cryptography does)
+    if let Ok(serial_bytes) = tbs.read_integer_bytes() {
+        let big_serial = BigUint::from_bytes_be(serial_bytes);
+        dict.set_item("serial", big_serial.to_string())?;
+    }
+    let _ = tbs.read_sequence(); // Sig Alg
+    // 2. Issuer Name
+    if let Ok(issuer_der) = tbs.read_tlv() {
+        dict.set_item("issuer", parse_x509_name(issuer_der))?;
+    }
+    // 3. Validity (Unix Timestamps)
+    if let Ok(mut validity) = tbs.read_sequence() {
+        if let Ok((t1, c1)) = validity.read_tag() {
+            if let Ok(ts) = parse_asn1_time(t1, c1) { dict.set_item("not_before", ts)?; }
+        }
+        if let Ok((t2, c2)) = validity.read_tag() {
+            if let Ok(ts) = parse_asn1_time(t2, c2) { dict.set_item("not_after", ts)?; }
+        }
+    }
+    let _ = tbs.read_sequence(); // Subject
+    let _ = tbs.read_tag();      // SPKI
+    let _ = tbs.read_optional_implicit(1); // Issuer Unique ID
+    let _ = tbs.read_optional_implicit(2); // Subject Unique ID
+    // 4. Extensions (Extract AKI & Key Usages)
+    let mut usages = Vec::new();
+    if let Ok(Some(mut ext_wrapper)) = tbs.read_optional_explicit(3) {
+        if let Ok(mut ext_seq) = ext_wrapper.read_sequence() {
+            while !ext_seq.input.is_empty() {
+                if let Ok(mut ext) = ext_seq.read_sequence() {
+                    let oid = ext.read_oid().unwrap_or(&[]);
+                    let (mut tag, mut content) = ext.read_tag().unwrap();
+                    if tag == 0x01 { // Skip boolean CRITICAL flag
+                        let next = ext.read_tag().unwrap();
+                        tag = next.0; content = next.1;
+                    }
+                    if tag == 0x04 { // OCTET STRING containing the extension data
+                        if oid == OID_KEY_USAGE {
+                            if let Ok(bits) = DerReader::new(content).read_bit_string() {
+                                if !bits.is_empty() {
+                                    let b = bits[0];
+                                    if b & (1 << 7) != 0 { usages.push("digitalSignature"); }
+                                    if b & (1 << 6) != 0 { usages.push("nonRepudiation"); }
+                                    if b & (1 << 5) != 0 { usages.push("keyEncipherment"); }
+                                    if b & (1 << 4) != 0 { usages.push("dataEncipherment"); }
+                                    if b & (1 << 3) != 0 { usages.push("keyAgreement"); }
+                                    if b & (1 << 2) != 0 { usages.push("keyCertSign"); }
+                                    if b & (1 << 1) != 0 { usages.push("cRLSign"); }
+                                    if b & (1 << 0) != 0 { usages.push("encipherOnly"); }
+                                    if bits.len() > 1 && bits[1] & (1 << 7) != 0 { usages.push("decipherOnly"); }
+                                }
+                            }
+                        } else if oid == OID_AUTHORITY_KEY_IDENTIFIER {
+                            let mut inner = DerReader::new(content);
+                            if let Ok(mut aki_seq) = inner.read_sequence() {
+                                // Extract the implicit [0] KeyIdentifier
+                                if let Ok(Some(kid)) = aki_seq.read_optional_implicit(0) {
+                                    let mut hex_str = String::with_capacity(kid.len() * 2);
+                                    for byte in kid { hex_str.push_str(&format!("{:02X}", byte)); }
+                                    dict.set_item("aki", hex_str)?;
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    dict.set_item("key_usages", usages)?;
+    Ok(dict)
 }
@@ -347,10 +534,11 @@ pub fn get_x509_subject_py(der_bytes: &[u8]) -> PyResult<String> {
 pub fn export_functions(m: &Bound<'_, PyModule>) -> PyResult<()> {
-     m.add_function(wrap_pyfunction!(extract_ed25519_private_key_py, m)?)?;
-     m.add_function(wrap_pyfunction!(extract_ed25519_public_key_py, m)?)?;
-     m.add_function(wrap_pyfunction!(get_x509_subject_py, m)?)?;
+    m.add_function(wrap_pyfunction!(extract_ed25519_private_key_py, m)?)?;
+    m.add_function(wrap_pyfunction!(extract_ed25519_public_key_py, m)?)?;
+    m.add_function(wrap_pyfunction!(get_x509_subject_py, m)?)?;
+    m.add_function(wrap_pyfunction!(get_x509_public_key, m)?)?;
+    m.add_function(wrap_pyfunction!(get_x509_metadata, m)?)?;
      Ok(())
-}
+}

{webtoken-0.6.3 → webtoken-0.6.4}/tests/test_crypto_parsing.py RENAMED Viewed

@@ -214,4 +214,82 @@ class TestCryptoParsing:
         der_bytes = base64.b64decode(real_cert_b64)
         subject = webtoken.get_x509_subject(der_bytes)
-        assert subject == 'Testing'
+        assert subject == 'Testing'
+    def test_x509_metadata_extraction(self):
+        '''
+        PROVES: The native Rust metadata extractor perfectly pulls out
+        the serial number, issuer, timestamps, AKI, and Key Usages from a real cert
+        and hands them to Python as a standard dictionary.
+        '''
+        real_cert_b64 = (
+            'MIICnTCCAYUCBgGAUN03JTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0aW5nMB4X'
+            'DTIyMDQyMjEwNDAxNloXDTMyMDQyMjEwNDE1NlowEjEQMA4GA1UEAwwHVGVzdGluZzCCASIw'
+            'DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJnn9zZF3+PvugbVDyo4ZVe6X+lb+xzIPlS'
+            '/iE1/CkGUw+C081jt8fUT8FXqSo4H7yXvyImRWiV+/Pmu86XBvZqWRvHM6dwvJ2UrwCSqYb2'
+            'C3fbPamKxjBVvbdXh8hsJiEDdNlV8B3mdCQ3eV+Iu7DuFz5DcnH80qMWkG7+8ADWAU3L3FnI'
+            '2FcSI+GaWJErEKq6zk5uvRuxcrq7XxMRnO45UkXL/hrm6vytyECxxh05YpdtMKmZorNXSycK'
+            'QI4E8WO7kEsBHaiRwiUd6u+m7A3pSAWaW0dO5KiDl6mLudsNMJAv9Vu/x3FTyzaek/zC9PT/'
+            'IxrDlnzDvef83IZLHkMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAi7ZppYbkpt0ALn5NXIIP'
+            'gA04svRwAmsUJWKLBS5iKVXq6HOJPsz0GAB9oKpjar83rUomwK2UE0XFJLMDvrB0nTZJBjm2'
+            'DCANLL1GtTKUd+mdvhyHCIMrUApkhAYzv2Rk1c4+Jt7f5/h8FnM8jdl9FGc5TBy5ixS0Oxny'
+            'W1JOakClYQz8vNS7LrC4hmLWwy7GAmUdemNLEefQcECaNzaLN5gGk1ht5lJyNCsHu9STZeYM'
+            '2UXdDAtMtu9HAepfzh2CAOscSDtZr89SmFSwxKaOfbJyXH4PivMgWK4zO0P6ofuv8d8gRbUA'
+            'UgnysKHQc0isTVWOxgmzI69EUe/iVXJHig=='
+        )
+        der_bytes = base64.b64decode(real_cert_b64)
+        # Execute
+        meta = webtoken.get_x509_metadata(der_bytes)
+        # Verify structure and PyO3 type bindings
+        assert isinstance(meta, dict)
+        assert isinstance(meta.get('serial'), str)
+        assert isinstance(meta.get('issuer'), str)
+        assert isinstance(meta.get('not_before'), int)
+        assert isinstance(meta.get('not_after'), int)
+        assert isinstance(meta.get('key_usages'), list)
+        # Verify data accuracy (This specific test cert is valid for 10 years)
+        assert meta['issuer'] == 'CN=Testing'
+        assert (meta['not_after'] - meta['not_before']) == 315619300  # 3653 days * 86400 seconds + 100 seconds
+    def test_x509_public_key_spki_extraction(self):
+        '''
+        PROVES: The parser successfully isolates the SubjectPublicKeyInfo (SPKI)
+        block and returns it as raw ASN.1 DER bytes so `webtoken.verify` can
+        natively digest it.
+        '''
+        real_cert_b64 = (
+            'MIICnTCCAYUCBgGAUN03JTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0aW5nMB4X'
+            'DTIyMDQyMjEwNDAxNloXDTMyMDQyMjEwNDE1NlowEjEQMA4GA1UEAwwHVGVzdGluZzCCASIw'
+            'DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJnn9zZF3+PvugbVDyo4ZVe6X+lb+xzIPlS'
+            '/iE1/CkGUw+C081jt8fUT8FXqSo4H7yXvyImRWiV+/Pmu86XBvZqWRvHM6dwvJ2UrwCSqYb2'
+            'C3fbPamKxjBVvbdXh8hsJiEDdNlV8B3mdCQ3eV+Iu7DuFz5DcnH80qMWkG7+8ADWAU3L3FnI'
+            '2FcSI+GaWJErEKq6zk5uvRuxcrq7XxMRnO45UkXL/hrm6vytyECxxh05YpdtMKmZorNXSycK'
+            'QI4E8WO7kEsBHaiRwiUd6u+m7A3pSAWaW0dO5KiDl6mLudsNMJAv9Vu/x3FTyzaek/zC9PT/'
+            'IxrDlnzDvef83IZLHkMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAi7ZppYbkpt0ALn5NXIIP'
+            'gA04svRwAmsUJWKLBS5iKVXq6HOJPsz0GAB9oKpjar83rUomwK2UE0XFJLMDvrB0nTZJBjm2'
+            'DCANLL1GtTKUd+mdvhyHCIMrUApkhAYzv2Rk1c4+Jt7f5/h8FnM8jdl9FGc5TBy5ixS0Oxny'
+            'W1JOakClYQz8vNS7LrC4hmLWwy7GAmUdemNLEefQcECaNzaLN5gGk1ht5lJyNCsHu9STZeYM'
+            '2UXdDAtMtu9HAepfzh2CAOscSDtZr89SmFSwxKaOfbJyXH4PivMgWK4zO0P6ofuv8d8gRbUA'
+            'UgnysKHQc0isTVWOxgmzI69EUe/iVXJHig=='
+        )
+        der_bytes = base64.b64decode(real_cert_b64)
+        # Execute
+        spki_bytes = webtoken.get_x509_public_key(der_bytes)
+        # Verify
+        assert isinstance(spki_bytes, bytes)
+        assert len(spki_bytes) > 0
+        # SPKI is an ASN.1 SEQUENCE, so it MUST mathematically start with 0x30
+        assert spki_bytes[0] == 0x30
+        # The SPKI block for an RSA 2048-bit key is exactly 294 bytes
+        assert len(spki_bytes) == 294