❇️ Add x509 helper for niquests sole usage (#27)

This make for cryptography removal and propose a viable way to issue OCSP requests and parse responses

CHANGELOG.rst

@@ -7,6 +7,9 @@
 **Added**
 - Exposed ``CipherSuite`` and ``SessionTicket`` classes in the top-level import.
 
+**Misc**
+- Exposed a x509 helper to make for ``cryptography`` dependency removal, solely for Niquests usage.
+
 1.0.0 (2024-04-18)
 =====================
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "qh3"
-version = "1.0.0"
+version = "1.0.1"
 edition = "2021"
 rust-version = "1.75"
 license = "BSD-3"
@@ -27,6 +27,10 @@ pkcs8 = {version = "0.10.2", features = ["encryption", "pem", "alloc"]}
 pkcs1 = {version = "0.7.5", features = ["alloc", "pem"]}
 rustls-pemfile = {version = "2.1.2"}
 aws-lc-rs = {version = "1.7.0", features=["bindgen"]}
+x509-ocsp = {version = "0.2.1", features = ["builder"]}
+x509-cert = "0.2.5"
+der = {version = "0.7.9", features = ["alloc"]}
+sha1 = {version = "0.10.6", features = ["oid"]}
 
 [package.metadata.maturin]
 python-source = "qh3"

docs/index.rst

@@ -1,25 +1,26 @@
-aioquic
-=======
+qh3
+====
 
-|pypi-v| |pypi-pyversions| |pypi-l| |tests| |codecov|
+|pypi-v| |pypi-pyversions| |pypi-l|
 
-.. |pypi-v| image:: https://img.shields.io/pypi/v/aioquic.svg
+.. |pypi-v| image:: https://img.shields.io/pypi/v/qh3.svg
     :target: https://pypi.python.org/pypi/aioquic
 
-.. |pypi-pyversions| image:: https://img.shields.io/pypi/pyversions/aioquic.svg
+.. |pypi-pyversions| image:: https://img.shields.io/pypi/pyversions/qh3.svg
     :target: https://pypi.python.org/pypi/aioquic
 
 .. |pypi-l| image:: https://img.shields.io/pypi/l/aioquic.svg
     :target: https://pypi.python.org/pypi/aioquic
 
-.. |tests| image:: https://github.com/aiortc/aioquic/workflows/tests/badge.svg
-    :target: https://github.com/aiortc/aioquic/actions
+``qh3`` is a library for the QUIC network protocol in Python. It is a maintained fork of the ``aioquic`` library.
+``aioquic`` is still maintained, but we decided to diverge as qh3 took a path that is in opposition to their wishes.
 
-.. |codecov| image:: https://img.shields.io/codecov/c/github/aiortc/aioquic.svg
-    :target: https://codecov.io/gh/aiortc/aioquic
+It is lighter, and a bit faster, and more adapted to a broader audience as this package has no external dependency
+and does not rely on mainstream OpenSSL.
 
-``aioquic`` is a library for the QUIC network protocol in Python. It features several
-APIs:
+While it is a compatible fork, it is not a drop-in replacement since the first major. See the CHANGELOG for details.
+
+It features several APIs:
 
 - a QUIC API following the "bring your own I/O" pattern, suitable for
   embedding in any framework,

qh3/_hazmat.pyi

@@ -167,3 +167,43 @@ class SignatureError(Exception): ...
 class QUICHeaderProtection:
     def __init__(self, key: bytes, algorithm: int) -> None: ...
     def mask(self, sample: bytes) -> bytes: ...
+
+class ReasonFlags(Enum):
+    unspecified = 0
+    key_compromise = 1
+    ca_compromise = 2
+    affiliation_changed = 3
+    superseded = 4
+    cessation_of_operation = 5
+    certificate_hold = 6
+    privilege_withdrawn = 9
+    aa_compromise = 10
+    remove_from_crl = 8
+
+class OCSPResponseStatus(Enum):
+    SUCCESSFUL = 0
+    MALFORMED_REQUEST = 1
+    INTERNAL_ERROR = 2
+    TRY_LATER = 3
+    SIG_REQUIRED = 5
+    UNAUTHORIZED = 6
+
+class OCSPCertStatus(Enum):
+    GOOD = 0
+    REVOKED = 1
+    UNKNOWN = 2
+
+class OCSPResponse:
+    def __init__(self, raw_response: bytes) -> None: ...
+    @property
+    def next_update(self) -> int: ...
+    @property
+    def response_status(self) -> OCSPResponseStatus: ...
+    @property
+    def certificate_status(self) -> OCSPCertStatus: ...
+    @property
+    def revocation_reason(self) -> ReasonFlags | None: ...
+
+class OCSPRequest:
+    def __init__(self, peer_certificate: bytes, issuer_certificate: bytes) -> None: ...
+    def public_bytes(self) -> bytes: ...

src/lib.rs

@@ -9,6 +9,7 @@ mod agreement;
 mod private_key;
 mod pkcs8;
 mod hpk;
+mod ocsp;
 
 pub use self::headers::{QpackDecoder, QpackEncoder, StreamBlocked, EncoderStreamError, DecoderStreamError, DecompressionFailed};
 pub use self::aead::{AeadChaCha20Poly1305, AeadAes128Gcm, AeadAes256Gcm};
@@ -18,6 +19,7 @@ pub use self::private_key::{RsaPrivateKey, DsaPrivateKey, Ed25519PrivateKey, EcP
 pub use self::agreement::{X25519KeyExchange, ECDHP256KeyExchange, ECDHP384KeyExchange, ECDHP521KeyExchange};
 pub use self::pkcs8::{PrivateKeyInfo, KeyType};
 pub use self::hpk::{QUICHeaderProtection};
+pub use self::ocsp::{OCSPResponse, OCSPCertStatus, OCSPResponseStatus, ReasonFlags, OCSPRequest};
 
 pyo3::create_exception!(_hazmat, CryptoError, PyException);
 
@@ -61,5 +63,11 @@ fn _hazmat(py: Python, m: &PyModule) -> PyResult<()> {
     m.add_class::<ECDHP521KeyExchange>()?;
     // General Crypto Error
     m.add("CryptoError", py.get_type::<CryptoError>())?;
+    // Niquests OCSP helper
+    m.add_class::<OCSPResponse>()?;
+    m.add_class::<OCSPCertStatus>()?;
+    m.add_class::<OCSPResponseStatus>()?;
+    m.add_class::<ReasonFlags>()?;
+    m.add_class::<OCSPRequest>()?;
     Ok(())
 }