From 3bfa0ec8b4d13e8e5cb84e2e493d0b13f6544058 Mon Sep 17 00:00:00 2001
From: Quentin Retourne <32574188+nitneuqr@users.noreply.github.com>
Date: Tue, 19 Nov 2024 15:04:53 +0100
Subject: [PATCH] fix: handling other key encryption algorithms

added vectors & tests accordingly
---
 src/rust/src/pkcs7.rs                 | 30 +++++++++++++++++++--------
 tests/hazmat/primitives/test_pkcs7.py | 19 ++++++++++++++++-
 2 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
index d515762a22d6..8c1a8da9fb0b 100644
--- a/src/rust/src/pkcs7.rs
+++ b/src/rust/src/pkcs7.rs
@@ -216,14 +216,26 @@ fn deserialize_and_decrypt<'p>(
                 }
             };
 
-            // Decrypt the key using the private key
-            let padding = types::PKCS1V15.get(py)?.call0()?;
-            let key = private_key
-                .call_method1(
-                    pyo3::intern!(py, "decrypt"),
-                    (recipient_info.encrypted_key, &padding),
-                )?
-                .extract::<pyo3::pybacked::PyBackedBytes>()?;
+            // Raise error when the key encryption algorithm is not RSA
+            let key = match recipient_info.key_encryption_algorithm.oid() {
+                &oid::RSA_OID => {
+                    let padding = types::PKCS1V15.get(py)?.call0()?;
+                    private_key
+                        .call_method1(
+                            pyo3::intern!(py, "decrypt"),
+                            (recipient_info.encrypted_key, &padding),
+                        )?
+                        .extract::<pyo3::pybacked::PyBackedBytes>()?
+                }
+                _ => {
+                    return Err(CryptographyError::from(
+                        exceptions::UnsupportedAlgorithm::new_err((
+                            "Only RSA with PKCS #1 v1.5 padding is currently supported for key decryption.",
+                            exceptions::Reasons::UNSUPPORTED_SERIALIZATION,
+                        )),
+                    ));
+                }
+            };
 
             // Get algorithm
             // TODO: implement all the possible algorithms
@@ -240,7 +252,7 @@ fn deserialize_and_decrypt<'p>(
                 _ => {
                     return Err(CryptographyError::from(
                         exceptions::UnsupportedAlgorithm::new_err((
-                            "Only AES-128-CBC is currently supported for decryption.",
+                            "Only AES-128-CBC is currently supported for content decryption.",
                             exceptions::Reasons::UNSUPPORTED_SERIALIZATION,
                         )),
                     ));
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index 5261760d87f3..2348de42ba2f 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -860,6 +860,15 @@ def _load_rsa_cert_key():
     return cert, key
 
 
+def _load_rsa_oaep_pkcs7_pem():
+    enveloped = load_vectors_from_file(
+        os.path.join("pkcs7", "enveloped-rsa-oaep.pem"),
+        loader=lambda pemfile: pemfile.read(),
+        mode="rb",
+    )
+    return enveloped
+
+
 def _load_aes_256_cbc_pkcs7_pem():
     enveloped = load_vectors_from_file(
         os.path.join("pkcs7", "enveloped-aes-256-cbc.pem"),
@@ -1197,7 +1206,15 @@ def test_smime_decrypt_no_recipient_match(
                 enveloped, another_cert, another_private_key, []
             )
 
-    def test_smime_decrypt_unsupported_algorithm(
+    def test_smime_decrypt_unsupported_key_encryption_algorithm(
+        self, backend, data, certificate, private_key
+    ):
+        enveloped = _load_rsa_oaep_pkcs7_pem()
+
+        with pytest.raises(exceptions.UnsupportedAlgorithm):
+            pkcs7.pkcs7_decrypt_pem(enveloped, certificate, private_key, [])
+
+    def test_smime_decrypt_unsupported_content_encryption_algorithm(
         self, backend, data, certificate, private_key
     ):
         enveloped = _load_aes_256_cbc_pkcs7_pem()