pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io

PKCS7SignatureBuilder: ValueError: expected tuple of length 4, but got tuple of length 3 #10312

Closed allanlei closed 9 months ago

allanlei commented 9 months ago

Using cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.sign results in a ValueError.

Reproducing code

import cryptography.x509
import cryptography.hazmat.primitives.hashes
import cryptography.hazmat.primitives.serialization
import cryptography.hazmat.primitives.serialization.pkcs7

certificate = cryptography.x509.load_pem_x509_certificate(...)
key = cryptography.hazmat.primitives.serialization.load_pem_private_key(...)

# Passing signers= to __init__ as a 3-tuple (certificate, key, hash) is what triggers the error below
cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder(
    data=b'hello',
    signers=[(
        certificate,
        key,
        cryptography.hazmat.primitives.hashes.SHA512(),
    )],
).sign(
    cryptography.hazmat.primitives.serialization.Encoding.DER, [],
)

File /usr/local/lib/python3.11/site-packages/cryptography/hazmat/primitives/serialization/pkcs7.py:177, in PKCS7SignatureBuilder.sign(self, encoding, options, backend)
    168 if (
    169     PKCS7Options.NoAttributes in options
    170     and PKCS7Options.NoCapabilities in options
    171 ):
    172     raise ValueError(
    173         "NoAttributes is a superset of NoCapabilities. Do not pass "
    174         "both values."
    175     )
--> 177 return rust_pkcs7.sign_and_serialize(self, encoding, options)

ValueError: expected tuple of length 4, but got tuple of length 3

Results by version

allanlei commented 9 months ago

https://github.com/pyca/cryptography/compare/41.0.7...42.0.0#diff-8ca3ed0edb153cd77f373e5e5856e6f1fc559cddcc5ebf91cc690a7aed7f0a3aR116 https://github.com/pyca/cryptography/compare/41.0.7...42.0.0#diff-0075be2b09cefb4b36a4646255d3e1bea05c99b6e3ffd141a08aa528de9741c3R56

Seems like there was a change to the signers value to add a 4th arg for padding

tuple[
    x509.Certificate,
    PKCS7PrivateKeyTypes,
    PKCS7HashTypes,
    padding.PSS | padding.PKCS1v15 | None,
]

Since my usage was via __init__, it didn't add in the padding by default, unlike via add_signer(). add_signer() was mentioned in the changelog, but the signers arg was not.

alex commented 9 months ago

The args to init are not considered a public API, you should use the documented methods.

On Wed, Jan 31, 2024, 11:57 AM Allan Lei @.***> wrote:

Closed #10312 https://github.com/pyca/cryptography/issues/10312 as completed.
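Signing the same data through the documented builder methods, as an added example that is not part of the issue or the project's own code; the self-signed certificate and the `looks_like_signed_data` check are constructed here for illustration, and the signer tuple (padding element included) is left entirely to the library.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

# DER encoding of the PKCS#7 signedData content type OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def make_self_signed_cert(common_name="pkcs7-example"):
    """Generate a throwaway RSA key and self-signed certificate (constructed test material)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return cert, key


def sign_pkcs7(data, cert, key, rsa_padding=None):
    """Sign `data` using only the documented builder methods.

    set_data()/add_signer() fill in every internal signer field, including the
    padding element added in 42.0.0, so the tuple is never built by hand. A
    non-default RSA padding goes through the rsa_padding keyword of
    add_signer(), which is only passed when the caller supplies one.
    """
    builder = pkcs7.PKCS7SignatureBuilder().set_data(data)
    if rsa_padding is None:
        builder = builder.add_signer(cert, key, hashes.SHA256())
    else:
        builder = builder.add_signer(cert, key, hashes.SHA256(), rsa_padding=rsa_padding)
    return builder.sign(serialization.Encoding.DER, [])


def looks_like_signed_data(der):
    """Cheap structural check: outer SEQUENCE that carries the signedData OID."""
    return der[:1] == b"\x30" and SIGNED_DATA_OID_DER in der
```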