Add support for encrypting S/MIME messages (#10889)

* Add support for encrypting S/MIME messages

* Move PKCS7 decrypt test function to Rust

* Use symmetric encryption function from PKCS12

* Remove debug file write from tests

* Remove unneeded backend parameter

* docs and changelog

Author: facutuesca

CHANGELOG.rst

@@ -66,6 +66,8 @@ Changelog
 * :class:`~cryptography.x509.NameAttribute` now raises an exception when
   attempting to create a common name whose length is shorter or longer than
   :rfc:`5280` permits.
+* Added basic support for PKCS7 encryption (including SMIME) via
+  :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7EnvelopeBuilder`.
 
 .. _v42-0-8:
 

docs/hazmat/primitives/asymmetric/serialization.rst

@@ -1095,6 +1095,37 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
     -----END CERTIFICATE-----
     """.strip()
 
+    ca_cert_rsa = b"""
+    -----BEGIN CERTIFICATE-----
+    MIIExzCCAq+gAwIBAgIJAOcS06ClbtbJMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
+    BAMMD2NyeXB0b2dyYXBoeSBDQTAeFw0yMDA5MTQyMTQwNDJaFw00ODAxMzEyMTQw
+    NDJaMBoxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTCCAiIwDQYJKoZIhvcNAQEB
+    BQADggIPADCCAgoCggIBANBIheRc1HT4MzV5GvUbDk9CFU6DTomRApNqRmizriRq
+    m6OY4Ht3d71BXog6/IBkqAnZ4/XJQ40G4sVDb52k11oPvfJ/F5pc+6UqPBL+QGzY
+    GkJoubAqXFpI6ow0qayFNQLv0T9o4yh0QQOoGvgCmv91qmitLrZNXu4U9S76G+Di
+    GST+QyMkMxj+VsGRsRRBufV1urcnvFWjU6Q2+cr2cp0mMAG96NTyIskYiJ8vL03W
+    z4DX4klO4X47fPmDnU/OMn4SbvMZ896j1L0J04S+uVThTkxQWcFcqXhX5qM8kzcj
+    JUmybFlbf150j3WiucW48K/j7fJ0x9q3iUo4Gva0coScglJWcgo/BBCwFDw8NVba
+    7npxSRMiaS3qTv0dEFcRnvByc+7hyGxxlWdTE9tHisUI1eZVk9P9ziqNOZKscY8Z
+    X1+/C4M9X69Y7A8I74F5dO27IRycEgOrSo2z1NhfSwbqJr9a2TBtRsFinn8rjKBI
+    zNn0E5p9jO1WjxtkcjHfXXpLN8FFMvoYI9l/K+ZWDm9sboaF8jrgozSc004AFemA
+    H79mmCGVRKXn1vDAo4DLC6p3NiBFYQcYbW9V+beGD6srsF6xJtuY/UwtPROLWSzu
+    CCrZ/4BlmpNsR0ehIFFvzEKjX6rR2yp3YKlguDbMBMKMpfSGxAFwcZ7OiaxR20UH
+    AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADSveDS4
+    y2V/N6Li2n9ChGNdCMr/45M0cl+GpL55aA36AWYMRLv0wip7MWV3yOj4mkjGBlTE
+    awKHH1FtetsE6B4a7M2hHhOXyXE60uUdptEx6ckGrJ1iyqu5cQUX1P+VnXbmOxfF
+    bl+Ugzjbgirx239rA4ezkDRuOvKcCbDOFV/gw3ZHfJ/IQeRXIQRl/y51wcnFUvFM
+    JEESYiijeDbEcY8r1/phmVQL0CO7WLMmTxlFj4X/TR3MTZWJQIap9GiLs5+n3QiO
+    jsZ3GuFOomB8oTebYkXniwbNu5hgLP/seRQzGA7B9VDZryAhCtvGgjtQh0eW2Qxt
+    sgmDJGOPKnKT3O5U0v3+IPLEYpe8JSzgAhhh6H1rAJRUNwP2gRcO4eOUJSkdl218
+    fRNT0ILzosuWxwprER9ciMQF8q0JJKMhcfHRMH0S5mWVJAIkj68KY05oCy2zNyYa
+    oruopKSWXe0Bzr40znm40P7xIkui2BGQMlDPpbCaEfLsLqyctfbdmMlxac/QgIfY
+    TltrbqmI3MNy5uqGViGFpWPCB+kD8EsJF9nlKJXlu/i55qgUr/2/2CdeWlZDBP8A
+    1fdzmpYpWnwhE0KobzLS2z3AwDxiY/RSWUfypLZA0K/lpaEtYB6UHMDZ0/8WqgZV
+    gNucCuty0cA4Kf7eX1TlAKVwH8hTkVmJc2rX
+    -----END CERTIFICATE-----
+    """.strip()
+
 
 .. class:: PKCS7SignatureBuilder
 
@@ -1174,11 +1205,72 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``,
         :returns bytes: The signed PKCS7 message.
 
 
+.. class:: PKCS7EnvelopeBuilder
+
+    The PKCS7 envelope builder can create encrypted S/MIME messages,
+    which are commonly used in email. S/MIME has multiple versions,
+    but this implements a subset of :rfc:`5751`, also known as S/MIME
+    Version 3.2.
+
+    .. versionadded:: 43.0.0
+
+    .. doctest::
+
+        >>> from cryptography import x509
+        >>> from cryptography.hazmat.primitives import serialization
+        >>> from cryptography.hazmat.primitives.serialization import pkcs7
+        >>> cert = x509.load_pem_x509_certificate(ca_cert_rsa)
+        >>> options = [pkcs7.PKCS7Options.Text]
+        >>> pkcs7.PKCS7EnvelopeBuilder().set_data(
+        ...     b"data to encrypt"
+        ... ).add_recipient(
+        ...     cert
+        ... ).encrypt(
+        ...     serialization.Encoding.SMIME, options
+        ... )
+        b'...'
+
+    .. method:: set_data(data)
+
+        :param data: The data to be encrypted.
+        :type data: :term:`bytes-like`
+
+    .. method:: add_recipient(certificate)
+
+        Add a recipient for the message. Recipients will be able to use their private keys
+        to decrypt the message. This method may be called multiple times to add as many recipients
+        as desired.
+
+        :param certificate: A :class:`~cryptography.x509.Certificate` for an intended
+            recipient of the encrypted message. Only certificates with public RSA keys
+            are currently supported.
+
+    .. method:: encrypt(encoding, options)
+
+        The message is encrypted using AES-128-CBC. The encryption key used is included in
+        the envelope, encrypted using the recipient's public RSA key. If multiple recipients
+        are specified, the key is encrypted once with each recipient's public key, and all
+        encrypted keys are included in the envelope (one per recipient).
+
+        :param encoding: :attr:`~cryptography.hazmat.primitives.serialization.Encoding.PEM`,
+            :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`,
+            or :attr:`~cryptography.hazmat.primitives.serialization.Encoding.SMIME`.
+
+        :param options: A list of
+            :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For
+            this operation only
+            :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Text` and
+            :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Binary`
+            are supported.
+
+        :returns bytes: The enveloped PKCS7 message.
+
+
 .. class:: PKCS7Options
 
     .. versionadded:: 3.2
 
-    An enumeration of options for PKCS7 signature creation.
+    An enumeration of options for PKCS7 signature and envelope creation.
 
     .. attribute:: Text
 

src/cryptography/hazmat/bindings/_rust/pkcs7.pyi

@@ -12,6 +12,11 @@ def serialize_certificates(
     certs: list[x509.Certificate],
     encoding: serialization.Encoding,
 ) -> bytes: ...
+def encrypt_and_serialize(
+    builder: pkcs7.PKCS7EnvelopeBuilder,
+    encoding: serialization.Encoding,
+    options: typing.Iterable[pkcs7.PKCS7Options],
+) -> bytes: ...
 def sign_and_serialize(
     builder: pkcs7.PKCS7SignatureBuilder,
     encoding: serialization.Encoding,

src/cryptography/hazmat/bindings/_rust/test_support.pyi

@@ -13,6 +13,13 @@ class TestCertificate:
     subject_value_tags: list[int]
 
 def test_parse_certificate(data: bytes) -> TestCertificate: ...
+def pkcs7_decrypt(
+    encoding: serialization.Encoding,
+    msg: bytes,
+    pkey: serialization.pkcs7.PKCS7PrivateKeyTypes,
+    cert_recipient: x509.Certificate,
+    options: list[pkcs7.PKCS7Options],
+) -> bytes: ...
 def pkcs7_verify(
     encoding: serialization.Encoding,
     sig: bytes,

src/cryptography/hazmat/primitives/serialization/pkcs7.py

@@ -12,6 +12,7 @@
 import typing
 
 from cryptography import utils, x509
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
 from cryptography.hazmat.bindings._rust import pkcs7 as rust_pkcs7
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
@@ -177,7 +178,92 @@ def sign(
         return rust_pkcs7.sign_and_serialize(self, encoding, options)
 
 
-def _smime_encode(
+class PKCS7EnvelopeBuilder:
+    def __init__(
+        self,
+        *,
+        _data: bytes | None = None,
+        _recipients: list[x509.Certificate] | None = None,
+    ):
+        from cryptography.hazmat.backends.openssl.backend import (
+            backend as ossl,
+        )
+
+        if not ossl.rsa_encryption_supported(padding=padding.PKCS1v15()):
+            raise UnsupportedAlgorithm(
+                "RSA with PKCS1 v1.5 padding is not supported by this version"
+                " of OpenSSL.",
+                _Reasons.UNSUPPORTED_PADDING,
+            )
+        self._data = _data
+        self._recipients = _recipients if _recipients is not None else []
+
+    def set_data(self, data: bytes) -> PKCS7EnvelopeBuilder:
+        _check_byteslike("data", data)
+        if self._data is not None:
+            raise ValueError("data may only be set once")
+
+        return PKCS7EnvelopeBuilder(_data=data, _recipients=self._recipients)
+
+    def add_recipient(
+        self,
+        certificate: x509.Certificate,
+    ) -> PKCS7EnvelopeBuilder:
+        if not isinstance(certificate, x509.Certificate):
+            raise TypeError("certificate must be a x509.Certificate")
+
+        if not isinstance(certificate.public_key(), rsa.RSAPublicKey):
+            raise TypeError("Only RSA keys are supported at this time.")
+
+        return PKCS7EnvelopeBuilder(
+            _data=self._data,
+            _recipients=[
+                *self._recipients,
+                certificate,
+            ],
+        )
+
+    def encrypt(
+        self,
+        encoding: serialization.Encoding,
+        options: typing.Iterable[PKCS7Options],
+    ) -> bytes:
+        if len(self._recipients) == 0:
+            raise ValueError("Must have at least one recipient")
+        if self._data is None:
+            raise ValueError("You must add data to encrypt")
+        options = list(options)
+        if not all(isinstance(x, PKCS7Options) for x in options):
+            raise ValueError("options must be from the PKCS7Options enum")
+        if encoding not in (
+            serialization.Encoding.PEM,
+            serialization.Encoding.DER,
+            serialization.Encoding.SMIME,
+        ):
+            raise ValueError(
+                "Must be PEM, DER, or SMIME from the Encoding enum"
+            )
+
+        # Only allow options that make sense for encryption
+        if any(
+            opt not in [PKCS7Options.Text, PKCS7Options.Binary]
+            for opt in options
+        ):
+            raise ValueError(
+                "Only the following options are supported for encryption: "
+                "Text, Binary"
+            )
+        elif PKCS7Options.Text in options and PKCS7Options.Binary in options:
+            # OpenSSL accepts both options at the same time, but ignores Text.
+            # We fail defensively to avoid unexpected outputs.
+            raise ValueError(
+                "Cannot use Binary and Text options at the same time"
+            )
+
+        return rust_pkcs7.encrypt_and_serialize(self, encoding, options)
+
+
+def _smime_signed_encode(
     data: bytes, signature: bytes, micalg: str, text_mode: bool
 ) -> bytes:
     # This function works pretty hard to replicate what OpenSSL does
@@ -225,6 +311,23 @@ def _smime_encode(
     return fp.getvalue()
 
 
+def _smime_enveloped_encode(data: bytes) -> bytes:
+    m = email.message.Message()
+    m.add_header("MIME-Version", "1.0")
+    m.add_header("Content-Disposition", "attachment", filename="smime.p7m")
+    m.add_header(
+        "Content-Type",
+        "application/pkcs7-mime",
+        smime_type="enveloped-data",
+        name="smime.p7m",
+    )
+    m.add_header("Content-Transfer-Encoding", "base64")
+
+    m.set_payload(email.base64mime.body_encode(data, maxlinelen=65))
+
+    return m.as_bytes(policy=m.policy.clone(linesep="\n", max_line_length=0))
+
+
 class OpenSSLMimePart(email.message.MIMEPart):
     # A MIMEPart subclass that replicates OpenSSL's behavior of not including
     # a newline if there are no headers.

src/rust/cryptography-x509/src/common.rs

@@ -136,6 +136,16 @@ pub enum AlgorithmParameters<'a> {
     #[defined_by(oid::HMAC_WITH_SHA256_OID)]
     HmacWithSha256(asn1::Null),
 
+    // Used only in PKCS#7 AlgorithmIdentifiers
+    // https://datatracker.ietf.org/doc/html/rfc3565#section-4.1
+    //
+    // From RFC 3565 section 4.1:
+    // The AlgorithmIdentifier parameters field MUST be present, and the
+    // parameters field MUST contain a AES-IV:
+    //
+    // AES-IV ::= OCTET STRING (SIZE(16))
+    #[defined_by(oid::AES_128_CBC_OID)]
+    Aes128Cbc([u8; 16]),
     #[defined_by(oid::AES_256_CBC_OID)]
     Aes256Cbc([u8; 16]),
 

src/rust/cryptography-x509/src/pkcs7.rs

@@ -6,6 +6,7 @@ use crate::{certificate, common, csr, name};
 
 pub const PKCS7_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 1);
 pub const PKCS7_SIGNED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 2);
+pub const PKCS7_ENVELOPED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 3);
 pub const PKCS7_ENCRYPTED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 6);
 
 #[derive(asn1::Asn1Write)]
@@ -18,6 +19,8 @@ pub struct ContentInfo<'a> {
 
 #[derive(asn1::Asn1DefinedByWrite)]
 pub enum Content<'a> {
+    #[defined_by(PKCS7_ENVELOPED_DATA_OID)]
+    EnvelopedData(asn1::Explicit<Box<EnvelopedData<'a>>, 0>),
     #[defined_by(PKCS7_SIGNED_DATA_OID)]
     SignedData(asn1::Explicit<Box<SignedData<'a>>, 0>),
     #[defined_by(PKCS7_DATA_OID)]
@@ -56,6 +59,21 @@ pub struct SignerInfo<'a> {
     pub unauthenticated_attributes: Option<csr::Attributes<'a>>,
 }
 
+#[derive(asn1::Asn1Write)]
+pub struct EnvelopedData<'a> {
+    pub version: u8,
+    pub recipient_infos: asn1::SetOfWriter<'a, RecipientInfo<'a>>,
+    pub encrypted_content_info: EncryptedContentInfo<'a>,
+}
+
+#[derive(asn1::Asn1Write)]
+pub struct RecipientInfo<'a> {
+    pub version: u8,
+    pub issuer_and_serial_number: IssuerAndSerialNumber<'a>,
+    pub key_encryption_algorithm: common::AlgorithmIdentifier<'a>,
+    pub encrypted_key: &'a [u8],
+}
+
 #[derive(asn1::Asn1Write)]
 pub struct IssuerAndSerialNumber<'a> {
     pub issuer: name::Name<'a>,

src/rust/src/pkcs12.rs

@@ -79,7 +79,7 @@ impl PKCS12Certificate {
     }
 }
 
-fn symmetric_encrypt(
+pub(crate) fn symmetric_encrypt(
     py: pyo3::Python<'_>,
     algorithm: pyo3::Bound<'_, pyo3::PyAny>,
     mode: pyo3::Bound<'_, pyo3::PyAny>,