Initial implementation of ASN.1 API

[facutuesca]

Part of #12283

Overview

This PR adds the initial structure for the ASN.1 module, plus support for defining SEQUENCE types and using INTEGER fields. Only the encoding logic is included, to keep the PR size small and to keep the focus on the structure of the code.

Here's an example of what using the API looks like:

import cryptography.hazmat.asn1 as asn1

@asn1.sequence
class Example:
    foo: int
    bar: int

value = Example(foo=9, bar=6)

encoded = asn1.encode_der(value)
assert encoded == b"\x30\x06\x02\x01\x09\x02\x01\x06"

Structure

The code is divided into a hazmat.asn1 Python module, and a Rust _rust.asn1_exp Rust module. This last one has a different name in order to avoid mixing it with the existing asn1 Rust module (which can be done later, but for now doing it like this simplifies the PR).

Details

Taking as an example the code snippet above, this is what happens:

1. While interpreting the class definition, the @asn1.sequence decorator is executed, which goes through the Example class and recursively reads its type annotations. This information is converted to a Rust object (AnnotatedType) and stored in the Example.__asn1_root__ and Example.__asn1_fields__ attributes. All of this happens in hazmat/asn1/asn1.py
2. An Example object is instantiated with some values, and asn1.encode_der is called on it. asn1.encode_der is a Rust function defined in asn1_exp/asn1.rs.
3. This function combines the type information (AnnotatedType object) and the value of the object into an AnnotatedTypeObject value, and encodes it using rust-asn1's asn1::write API.
4. This is possible because AnnotatedTypeObject implements the asn1::Asn1Writable trait. This is done in asn1_exp/encoding.rs
5. And that's it, the resulting bytes are now available in Python

Some things (like the empty Annotation struct) are there as placeholders for missing features I removed to keep this PR small. I removed their contents but left the empty struct so that the rest of the data and logic that depend on it will keep the same structure once we re-add the missing features.

[facutuesca]

I added typing-extensions as an unconditional dependency, but it can probably be removed for newer Python versions if we use typing when we detect a new-enough Python version

[alex]

looks like there's some missed coverage here -- do you want to take a look at the missing test cases before I review?

[alex]

I don't love this module name, I'm not sure what exp even stands for :-)

[facutuesca]

ah lol, experimental, it was just meant to have a different name from the existing asn1 module

[alex]

We probably need to find a real name 😂

[facutuesca]

I'm open to suggestions. asn1_api maybe?

[reaperhulk]

I suggest declarative_asn1 for now since it provides the declarative ASN.1 API (or decl_asn1 if we need it to be short)

[alex]

lets use the full word, bytes are free

[facutuesca]

fixed

[alex]

Similarly, house style is to reference these as typing. for clarity (Any is particularly unclear without the typing.)

[facutuesca]

fixed

[alex]

Prefer is when comparing against types

[facutuesca]

fixed

[alex]

similarly: cls.__asn1_fields__ = _annotate_fields(raw_fields)

[facutuesca]

mypy complains:

src/cryptography/hazmat/asn1/asn1.py:55: error: "type[U]" has no attribute "__asn1_fields__"  [attr-defined]

[alex]

Hmm, this error doesn't make much sense to me.

[alex]

Why do we need both __asn1_fields__ and __asn1_root__? It seems like only one should be required.

[facutuesca]

yup, see below, I removed __asn1_fields__

[facutuesca]

looks like there's some missed coverage here -- do you want to take a look at the missing test cases before I review?

Missing tests added!

[alex]

Will review again tomorrow. I should have said at the top: this looks like a solid start!

[alex]

Hmm, this error doesn't make much sense to me.

[alex]

Why do we need both __asn1_fields__ and __asn1_root__? It seems like only one should be required.

[alex]

We don't use import *

[facutuesca]

fixed

[alex]

This doesn't seem to do very much?

[facutuesca]

yeah, it's because it's useful to avoid duplication only when all the other types are implemented. See here (it saves us writing that match statement once for each type)

[alex]

It seems like instead of a separate __asn1_fields__ we could just store the field types in Type::Sequence()?

[facutuesca]

yup, good idea. Now Type::Sequence contains the root type and the fields.

[alex]

Let's put tests of specific types in their own test file.

[facutuesca]

fixed

[alex]

This file should be built in a way that uses the highest version for each python version:

uv pip compile -U --universal --python-version 3.8 --all-extras --unsafe-package=cffi --unsafe-package=pycparser --unsafe-package=setuptools --unsafe-package=cryptography-vectors --unsafe-package=bcrypt pyproject.toml -o ci-constraints-requirements.txt -q is the right way to build it.

[facutuesca]

fixed

[alex]

Why is this needed at build time?

[facutuesca]

it's not, ha. Fixed

[alex]

Looks like there's some merge conflicts

[facutuesca]

Looks like there's some merge conflicts

fixed!

[alex]

Two small comments, but otherwise this LGTM. I'd like @reaperhulk to have a look before we merge though.

[alex]

We should probably codegen this for performance, but doesn't have to happen in this PR. Can you add a TODO though?

[facutuesca]

added a TODO comment

[alex]

One class per type we're testing teh encoding of (sequence vs. int so far)

[facutuesca]

fixed

[reaperhulk]

This is required because we need two functions that were added in Python 3.11 right? is it a requirement for >= 3.11?

[alex]

If it's not, let's use the python_version branch

[reaperhulk]

Looks like typing has this in 3.11+ (and Facundo did note that in a comment 5 days ago, but there's a lot of traffic on this PR 😄). Let's call it from typing where possible and set the python_version on the rest, so we know when we can remove this...in 4 years.

[facutuesca]

fixed! there was an extra typing function which we need to use typing-extensions for: typing.get_type_hints which we call with its include_extras parameter. That parameter was added in Python 3.9, so I also added it to the conditional.

Now it will use the typing-extensions variant for any Python < 3.11. I can make it even more precise (only use it for Python < 3.9), but for now I only left a comment saying to remove it when the min version is 3.9.

if sys.version_info < (3, 11):
    import typing_extensions

    # We use the `include_extras` parameter of `get_type_hints`, which was
    #  added in Python 3.9, so this can be replaced by the `typing` version
    # once the min version is >= 3.9
    get_type_hints = typing_extensions.get_type_hints
else:
    get_type_hints = typing.get_type_hints

[alex]

Is there a reason not to make this branch on 3.9? Seems cleaner.

[facutuesca]

nope, fixed

[alex]

A small handful of comments, but otherwise LGTM!

[alex]

We don't want all the defaults that dataclass has, I think to start with the only thing we want to define is init, everything else should be false.

[facutuesca]

Fixed. I had to add another Python version check, since one of the dataclass arguments (match_args) that defaults to True was added in Python 3.10.

[alex]

is there a reason to expose these?

[facutuesca]

Removed it for now, it will be needed in the future

[alex]

I don't think this is required?

[facutuesca]

Removed

[alex]

will wait for @reaperhulk to confirm he's goood, but I think this is ready

[reaperhulk]

This needs a rebase now, sorry!