diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 777644ece87c..1cbad5526aa2 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -132,8 +132,6 @@ the root of trust: .. class:: ClientVerifier .. versionadded:: 43.0.0 - .. versionchanged:: 44.0.0 - Added :attr:`eku`. A ClientVerifier verifies client certificates. @@ -161,18 +159,6 @@ the root of trust: :type: :class:`Store` The verifier's trust store. - - .. attribute:: eku - - :type: :class:`~cryptography.x509.ObjectIdentifier` or None - - The value of the Extended Key Usage extension required by this verifier - If the verifier was built using :meth:`PolicyBuilder.build_client_verifier`, - this will always be :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH`. - - :note: - See :meth:`CustomPolicyBuilder.eku` documentation for how verification is affected - when changing the required EKU or using a custom extension policy. .. method:: verify(leaf, intermediates) @@ -229,18 +215,6 @@ the root of trust: The verifier's trust store. - .. attribute:: eku - - :type: :class:`~cryptography.x509.ObjectIdentifier` - - The value of the Extended Key Usage extension required by this verifier - If the verifier was built using :meth:`PolicyBuilder.build_server_verifier`, - this will always be :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH`. - - :note: - See :meth:`CustomPolicyBuilder.eku` documentation for how verification is affected - when changing the required EKU or using a custom extension policy. - .. method:: verify(leaf, intermediates) Performs path validation on ``leaf``, returning a valid path @@ -365,24 +339,6 @@ the root of trust: :returns: A new instance of :class:`PolicyBuilder` - .. method:: eku(new_eku) - - Sets the Extended Key Usage required by the verifier's policy. - - If this method is not called, the EKU defaults to :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH` - if :meth:`build_server_verifier` is called, and :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH` if - :meth:`build_client_verifier` is called. - - When using the default extension policies, only certificates - with the Extended Key Usage extension containing the specified value - will be accepted. To accept more than one EKU or any EKU, use an extension policy - with a custom validator. The EKU set via this method is accessible to custom extension validator - callbacks via the `policy` argument. - - :param ~cryptography.x509.ObjectIdentifier new_eku: - - :returns: A new instance of :class:`PolicyBuilder` - .. method:: build_server_verifier(subject) Builds a verifier for verifying server certificates. diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 02145af308c7..684c60db23b6 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -73,7 +73,6 @@ class CustomPolicyBuilder: def max_chain_depth( self, new_max_chain_depth: int ) -> CustomPolicyBuilder: ... - def eku(self, new_eku: x509.ObjectIdentifier) -> CustomPolicyBuilder: ... def build_client_verifier(self) -> ClientVerifier: ... def build_server_verifier( self, subject: x509.verification.Subject @@ -92,8 +91,6 @@ class ClientVerifier: def store(self) -> Store: ... @property def max_chain_depth(self) -> int: ... - @property - def eku(self) -> x509.ObjectIdentifier: ... def verify( self, leaf: x509.Certificate, @@ -109,8 +106,6 @@ class ServerVerifier: def store(self) -> Store: ... @property def max_chain_depth(self) -> int: ... - @property - def eku(self) -> x509.ObjectIdentifier: ... def verify( self, leaf: x509.Certificate, diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index c29cd42de2ee..fbc440eea122 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs @@ -148,17 +148,6 @@ pub const EKU_ANY_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 3 pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 4, 1, 11129, 2, 4, 4); -pub const ALL_EKU_OIDS: [asn1::ObjectIdentifier; 8] = [ - EKU_SERVER_AUTH_OID, - EKU_CLIENT_AUTH_OID, - EKU_CODE_SIGNING_OID, - EKU_EMAIL_PROTECTION_OID, - EKU_TIME_STAMPING_OID, - EKU_OCSP_SIGNING_OID, - EKU_ANY_KEY_USAGE_OID, - EKU_CERTIFICATE_TRANSPARENCY_OID, -]; - pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13); pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12); diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 7406e07d422b..055e816d05e6 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -3,9 +3,7 @@ // for complete details. use cryptography_x509::{ - certificate::Certificate, - extensions::SubjectAlternativeName, - oid::{ALL_EKU_OIDS, SUBJECT_ALTERNATIVE_NAME_OID}, + certificate::Certificate, extensions::SubjectAlternativeName, oid::SUBJECT_ALTERNATIVE_NAME_OID, }; use cryptography_x509_verification::{ ops::{CryptoOps, VerificationCertificate}, @@ -15,15 +13,12 @@ use cryptography_x509_verification::{ }; use pyo3::types::{PyAnyMethods, PyListMethods}; +use crate::backend::keys; +use crate::error::{CryptographyError, CryptographyResult}; use crate::types; use crate::x509::certificate::Certificate as PyCertificate; use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime}; use crate::x509::sign; -use crate::{ - asn1::oid_to_py_oid, - error::{CryptographyError, CryptographyResult}, -}; -use crate::{asn1::py_oid_to_oid, backend::keys}; use super::parse_general_names; @@ -152,7 +147,6 @@ pub(crate) struct CustomPolicyBuilder { time: Option, store: Option>, max_chain_depth: Option, - eku: Option, ca_ext_policy: Option>, ee_ext_policy: Option>, } @@ -165,7 +159,6 @@ impl CustomPolicyBuilder { time: self.time.clone(), store: self.store.as_ref().map(|s| s.clone_ref(py)), max_chain_depth: self.max_chain_depth, - eku: self.eku.clone(), ca_ext_policy: self.ca_ext_policy.clone(), ee_ext_policy: self.ee_ext_policy.clone(), } @@ -180,7 +173,6 @@ impl CustomPolicyBuilder { time: None, store: None, max_chain_depth: None, - eku: None, ca_ext_policy: None, ee_ext_policy: None, } @@ -225,29 +217,6 @@ impl CustomPolicyBuilder { }) } - fn eku( - &self, - py: pyo3::Python<'_>, - new_eku: pyo3::Bound<'_, pyo3::PyAny>, - ) -> CryptographyResult { - policy_builder_set_once_check!(self, eku, "EKU"); - - let oid = py_oid_to_oid(new_eku)?; - - if !ALL_EKU_OIDS.contains(&oid) { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "Unknown EKU OID. Only EKUs from x509.ExtendedKeyUsageOID are supported.", - ), - )); - } - - Ok(CustomPolicyBuilder { - eku: Some(oid), - ..self.py_clone(py) - }) - } - fn build_client_verifier(&self, py: pyo3::Python<'_>) -> CryptographyResult { build_client_verifier_impl(py, &self.store, &self.time, |time| { // TODO: Replace with a custom policy once it's implemented in cryptography-x509-verification @@ -399,12 +368,6 @@ impl PyClientVerifier { self.as_policy().max_chain_depth } - #[getter] - fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult> { - let eku = &self.as_policy().extended_key_usage; - return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py)); - } - fn verify( &self, py: pyo3::Python<'_>, @@ -506,12 +469,6 @@ impl PyServerVerifier { self.as_policy().max_chain_depth } - #[getter] - fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult> { - let eku = &self.as_policy().extended_key_usage; - return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py)); - } - fn verify<'p>( &self, py: pyo3::Python<'p>, diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index 09dc14f2a1b7..f8dc6049c166 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -12,10 +12,6 @@ from cryptography import x509 from cryptography.x509.general_name import DNSName, IPAddress -from cryptography.x509.oid import ( - AuthorityInformationAccessOID, - ExtendedKeyUsageOID, -) from cryptography.x509.verification import ( CustomPolicyBuilder, PolicyBuilder, @@ -108,7 +104,6 @@ def test_builder_pattern(self, builder_type: Type[AnyPolicyBuilder]): assert verifier.validation_time == now assert verifier.store == store assert verifier.max_chain_depth == max_chain_depth - assert verifier.eku == ExtendedKeyUsageOID.SERVER_AUTH def test_build_server_verifier_missing_store( self, builder_type: Type[AnyPolicyBuilder] @@ -119,22 +114,6 @@ def test_build_server_verifier_missing_store( builder_type().build_server_verifier(DNSName("cryptography.io")) -class TestCustomPolicyBuilder: - def test_eku_already_set(self): - with pytest.raises(ValueError): - CustomPolicyBuilder().eku(ExtendedKeyUsageOID.IPSEC_IKE).eku( - ExtendedKeyUsageOID.IPSEC_IKE - ) - - def test_eku_bad_type(self): - with pytest.raises(TypeError): - CustomPolicyBuilder().eku("not an OID") # type: ignore[arg-type] - - def test_eku_non_eku_oid(self): - with pytest.raises(ValueError): - CustomPolicyBuilder().eku(AuthorityInformationAccessOID.OCSP) - - class TestStore: def test_store_rejects_empty_list(self): with pytest.raises(ValueError): @@ -180,7 +159,6 @@ def test_verify(self, builder_type: Type[AnyPolicyBuilder]): assert verifier.validation_time == validation_time.replace(tzinfo=None) assert verifier.max_chain_depth == 16 assert verifier.store is store - assert verifier.eku == ExtendedKeyUsageOID.CLIENT_AUTH verified_client = verifier.verify(leaf, []) assert verified_client.chain == [leaf]