Skip to content

Commit

Permalink
Remove EKU-related setters, getters and documentation from this PR.
Browse files Browse the repository at this point in the history
  • Loading branch information
@deivse
deivse committed Sep 19, 2024
1 parent 8ec4c19 commit 66b8a6d
Show file tree
Hide file tree
Showing 5 changed files with 3 additions and 128 deletions.
44 changes: 0 additions & 44 deletions docs/x509/verification.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -132,8 +132,6 @@ the root of trust:
.. class:: ClientVerifier

.. versionadded:: 43.0.0
.. versionchanged:: 44.0.0
Added :attr:`eku`.

A ClientVerifier verifies client certificates.

Expand Down Expand Up @@ -161,18 +159,6 @@ the root of trust:
:type: :class:`Store`

The verifier's trust store.

.. attribute:: eku

:type: :class:`~cryptography.x509.ObjectIdentifier` or None

The value of the Extended Key Usage extension required by this verifier
If the verifier was built using :meth:`PolicyBuilder.build_client_verifier`,
this will always be :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH`.

:note:
See :meth:`CustomPolicyBuilder.eku` documentation for how verification is affected
when changing the required EKU or using a custom extension policy.

.. method:: verify(leaf, intermediates)

Expand Down Expand Up @@ -229,18 +215,6 @@ the root of trust:

The verifier's trust store.

.. attribute:: eku

:type: :class:`~cryptography.x509.ObjectIdentifier`

The value of the Extended Key Usage extension required by this verifier
If the verifier was built using :meth:`PolicyBuilder.build_server_verifier`,
this will always be :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH`.

:note:
See :meth:`CustomPolicyBuilder.eku` documentation for how verification is affected
when changing the required EKU or using a custom extension policy.

.. method:: verify(leaf, intermediates)

Performs path validation on ``leaf``, returning a valid path
Expand Down Expand Up @@ -365,24 +339,6 @@ the root of trust:

:returns: A new instance of :class:`PolicyBuilder`

.. method:: eku(new_eku)

Sets the Extended Key Usage required by the verifier's policy.

If this method is not called, the EKU defaults to :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH`
if :meth:`build_server_verifier` is called, and :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH` if
:meth:`build_client_verifier` is called.

When using the default extension policies, only certificates
with the Extended Key Usage extension containing the specified value
will be accepted. To accept more than one EKU or any EKU, use an extension policy
with a custom validator. The EKU set via this method is accessible to custom extension validator
callbacks via the `policy` argument.

:param ~cryptography.x509.ObjectIdentifier new_eku:

:returns: A new instance of :class:`PolicyBuilder`

.. method:: build_server_verifier(subject)

Builds a verifier for verifying server certificates.
Expand Down
5 changes: 0 additions & 5 deletions src/cryptography/hazmat/bindings/_rust/x509.pyi
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,6 @@ class CustomPolicyBuilder:
def max_chain_depth(
self, new_max_chain_depth: int
) -> CustomPolicyBuilder: ...
def eku(self, new_eku: x509.ObjectIdentifier) -> CustomPolicyBuilder: ...
def build_client_verifier(self) -> ClientVerifier: ...
def build_server_verifier(
self, subject: x509.verification.Subject
Expand All @@ -92,8 +91,6 @@ class ClientVerifier:
def store(self) -> Store: ...
@property
def max_chain_depth(self) -> int: ...
@property
def eku(self) -> x509.ObjectIdentifier: ...
def verify(
self,
leaf: x509.Certificate,
Expand All @@ -109,8 +106,6 @@ class ServerVerifier:
def store(self) -> Store: ...
@property
def max_chain_depth(self) -> int: ...
@property
def eku(self) -> x509.ObjectIdentifier: ...
def verify(
self,
leaf: x509.Certificate,
Expand Down
11 changes: 0 additions & 11 deletions src/rust/cryptography-x509/src/oid.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,17 +148,6 @@ pub const EKU_ANY_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 3
pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier =
asn1::oid!(1, 3, 6, 1, 4, 1, 11129, 2, 4, 4);

pub const ALL_EKU_OIDS: [asn1::ObjectIdentifier; 8] = [
EKU_SERVER_AUTH_OID,
EKU_CLIENT_AUTH_OID,
EKU_CODE_SIGNING_OID,
EKU_EMAIL_PROTECTION_OID,
EKU_TIME_STAMPING_OID,
EKU_OCSP_SIGNING_OID,
EKU_ANY_KEY_USAGE_OID,
EKU_CERTIFICATE_TRANSPARENCY_OID,
];

pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13);
pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12);

Expand Down
49 changes: 3 additions & 46 deletions src/rust/src/x509/verify.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,7 @@
// for complete details.

use cryptography_x509::{
certificate::Certificate,
extensions::SubjectAlternativeName,
oid::{ALL_EKU_OIDS, SUBJECT_ALTERNATIVE_NAME_OID},
certificate::Certificate, extensions::SubjectAlternativeName, oid::SUBJECT_ALTERNATIVE_NAME_OID,
};
use cryptography_x509_verification::{
ops::{CryptoOps, VerificationCertificate},
Expand All @@ -15,15 +13,12 @@ use cryptography_x509_verification::{
};
use pyo3::types::{PyAnyMethods, PyListMethods};

use crate::backend::keys;
use crate::error::{CryptographyError, CryptographyResult};
use crate::types;
use crate::x509::certificate::Certificate as PyCertificate;
use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime};
use crate::x509::sign;
use crate::{
asn1::oid_to_py_oid,
error::{CryptographyError, CryptographyResult},
};
use crate::{asn1::py_oid_to_oid, backend::keys};

use super::parse_general_names;

Expand Down Expand Up @@ -152,7 +147,6 @@ pub(crate) struct CustomPolicyBuilder {
time: Option<asn1::DateTime>,
store: Option<pyo3::Py<PyStore>>,
max_chain_depth: Option<u8>,
eku: Option<asn1::ObjectIdentifier>,
ca_ext_policy: Option<ExtensionPolicy<PyCryptoOps>>,
ee_ext_policy: Option<ExtensionPolicy<PyCryptoOps>>,
}
Expand All @@ -165,7 +159,6 @@ impl CustomPolicyBuilder {
time: self.time.clone(),
store: self.store.as_ref().map(|s| s.clone_ref(py)),
max_chain_depth: self.max_chain_depth,
eku: self.eku.clone(),
ca_ext_policy: self.ca_ext_policy.clone(),
ee_ext_policy: self.ee_ext_policy.clone(),
}
Expand All @@ -180,7 +173,6 @@ impl CustomPolicyBuilder {
time: None,
store: None,
max_chain_depth: None,
eku: None,
ca_ext_policy: None,
ee_ext_policy: None,
}
Expand Down Expand Up @@ -225,29 +217,6 @@ impl CustomPolicyBuilder {
})
}

fn eku(
&self,
py: pyo3::Python<'_>,
new_eku: pyo3::Bound<'_, pyo3::PyAny>,
) -> CryptographyResult<CustomPolicyBuilder> {
policy_builder_set_once_check!(self, eku, "EKU");

let oid = py_oid_to_oid(new_eku)?;

if !ALL_EKU_OIDS.contains(&oid) {
return Err(CryptographyError::from(
pyo3::exceptions::PyValueError::new_err(
"Unknown EKU OID. Only EKUs from x509.ExtendedKeyUsageOID are supported.",
),
));
}

Ok(CustomPolicyBuilder {
eku: Some(oid),
..self.py_clone(py)
})
}

fn build_client_verifier(&self, py: pyo3::Python<'_>) -> CryptographyResult<PyClientVerifier> {
build_client_verifier_impl(py, &self.store, &self.time, |time| {
// TODO: Replace with a custom policy once it's implemented in cryptography-x509-verification
Expand Down Expand Up @@ -399,12 +368,6 @@ impl PyClientVerifier {
self.as_policy().max_chain_depth
}

#[getter]
fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::Py<pyo3::PyAny>> {
let eku = &self.as_policy().extended_key_usage;
return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py));
}

fn verify(
&self,
py: pyo3::Python<'_>,
Expand Down Expand Up @@ -506,12 +469,6 @@ impl PyServerVerifier {
self.as_policy().max_chain_depth
}

#[getter]
fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::Py<pyo3::PyAny>> {
let eku = &self.as_policy().extended_key_usage;
return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py));
}

fn verify<'p>(
&self,
py: pyo3::Python<'p>,
Expand Down
22 changes: 0 additions & 22 deletions tests/x509/verification/test_verification.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,6 @@

from cryptography import x509
from cryptography.x509.general_name import DNSName, IPAddress
from cryptography.x509.oid import (
AuthorityInformationAccessOID,
ExtendedKeyUsageOID,
)
from cryptography.x509.verification import (
CustomPolicyBuilder,
PolicyBuilder,
Expand Down Expand Up @@ -108,7 +104,6 @@ def test_builder_pattern(self, builder_type: Type[AnyPolicyBuilder]):
assert verifier.validation_time == now
assert verifier.store == store
assert verifier.max_chain_depth == max_chain_depth
assert verifier.eku == ExtendedKeyUsageOID.SERVER_AUTH

def test_build_server_verifier_missing_store(
self, builder_type: Type[AnyPolicyBuilder]
Expand All @@ -119,22 +114,6 @@ def test_build_server_verifier_missing_store(
builder_type().build_server_verifier(DNSName("cryptography.io"))


class TestCustomPolicyBuilder:
def test_eku_already_set(self):
with pytest.raises(ValueError):
CustomPolicyBuilder().eku(ExtendedKeyUsageOID.IPSEC_IKE).eku(
ExtendedKeyUsageOID.IPSEC_IKE
)

def test_eku_bad_type(self):
with pytest.raises(TypeError):
CustomPolicyBuilder().eku("not an OID") # type: ignore[arg-type]

def test_eku_non_eku_oid(self):
with pytest.raises(ValueError):
CustomPolicyBuilder().eku(AuthorityInformationAccessOID.OCSP)


class TestStore:
def test_store_rejects_empty_list(self):
with pytest.raises(ValueError):
Expand Down Expand Up @@ -180,7 +159,6 @@ def test_verify(self, builder_type: Type[AnyPolicyBuilder]):
assert verifier.validation_time == validation_time.replace(tzinfo=None)
assert verifier.max_chain_depth == 16
assert verifier.store is store
assert verifier.eku == ExtendedKeyUsageOID.CLIENT_AUTH

verified_client = verifier.verify(leaf, [])
assert verified_client.chain == [leaf]
Expand Down

0 comments on commit 66b8a6d

Please sign in to comment.