Add CustomPolicyBuilder foundation.

pyca · Sep 11, 2024 · 0b9082b · 0b9082b
1 parent d445299
commit 0b9082b
Show file tree

Hide file tree

Showing 9 changed files with 392 additions and 126 deletions.
diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi
@@ -67,9 +67,23 @@ class PolicyBuilder:
         self, subject: x509.verification.Subject
     ) -> ServerVerifier: ...
 
+class CustomPolicyBuilder:
+    def time(self, new_time: datetime.datetime) -> CustomPolicyBuilder: ...
+    def store(self, new_store: Store) -> CustomPolicyBuilder: ...
+    def max_chain_depth(
+        self, new_max_chain_depth: int
+    ) -> CustomPolicyBuilder: ...
+    def eku(self, new_eku: x509.ObjectIdentifier) -> CustomPolicyBuilder: ...
+    def build_client_verifier(self) -> ClientVerifier: ...
+    def build_server_verifier(
+        self, subject: x509.verification.Subject
+    ) -> ServerVerifier: ...
+
 class VerifiedClient:
     @property
-    def subjects(self) -> list[x509.GeneralName]: ...
+    def subject(self) -> x509.Name: ...
+    @property
+    def sans(self) -> list[x509.GeneralName] | None: ...
     @property
     def chain(self) -> list[x509.Certificate]: ...
 

diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py
@@ -12,6 +12,7 @@
 __all__ = [
     "ClientVerifier",
     "PolicyBuilder",
+    "CustomPolicyBuilder",
     "ServerVerifier",
     "Store",
     "Subject",
@@ -25,4 +26,5 @@
 ClientVerifier = rust_x509.ClientVerifier
 ServerVerifier = rust_x509.ServerVerifier
 PolicyBuilder = rust_x509.PolicyBuilder
+CustomPolicyBuilder = rust_x509.CustomPolicyBuilder
 VerificationError = rust_x509.VerificationError
diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs
@@ -14,7 +14,8 @@ use cryptography_x509::{
 
 use crate::{ops::CryptoOps, policy::Policy, ValidationError};
 
-pub(crate) struct ExtensionPolicy<B: CryptoOps> {
+#[derive(Clone)]
+pub struct ExtensionPolicy<B: CryptoOps> {
     pub(crate) authority_information_access: ExtensionValidator<B>,
     pub(crate) authority_key_identifier: ExtensionValidator<B>,
     pub(crate) subject_key_identifier: ExtensionValidator<B>,
@@ -123,6 +124,7 @@ impl<B: CryptoOps> ExtensionPolicy<B> {
 }
 
 /// Represents different criticality states for an extension.
+#[derive(Clone)]
 pub(crate) enum Criticality {
     /// The extension MUST be marked as critical.
     Critical,
@@ -151,6 +153,7 @@ type MaybeExtensionValidatorCallback<B> =
     fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), ValidationError>;
 
 /// Represents different validation states for an extension.
+#[derive(Clone)]
 pub(crate) enum ExtensionValidator<B: CryptoOps> {
     /// The extension MUST NOT be present.
     NotPresent,

diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs
@@ -25,10 +25,12 @@ use cryptography_x509::oid::{
 use once_cell::sync::Lazy;
 
 use crate::ops::CryptoOps;
-use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, ExtensionValidator};
+use crate::policy::extension::{ca, common, ee, Criticality, ExtensionValidator};
 use crate::types::{DNSName, DNSPattern, IPAddress};
 use crate::{ValidationError, VerificationCertificate};
 
+pub use crate::policy::extension::ExtensionPolicy;
+
 // RSA key constraints, as defined in CA/B 6.1.5.
 static WEBPKI_MINIMUM_RSA_MODULUS: usize = 2048;
 

diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs
@@ -148,6 +148,17 @@ pub const EKU_ANY_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 3
 pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier =
     asn1::oid!(1, 3, 6, 1, 4, 1, 11129, 2, 4, 4);
 
+pub const ALL_EKU_OIDS: [asn1::ObjectIdentifier; 8] = [
+    EKU_SERVER_AUTH_OID,
+    EKU_CLIENT_AUTH_OID,
+    EKU_CODE_SIGNING_OID,
+    EKU_EMAIL_PROTECTION_OID,
+    EKU_TIME_STAMPING_OID,
+    EKU_OCSP_SIGNING_OID,
+    EKU_ANY_KEY_USAGE_OID,
+    EKU_CERTIFICATE_TRANSPARENCY_OID,
+];
+
 pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13);
 pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12);
 

diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs
@@ -132,8 +132,8 @@ mod _rust {
         use crate::x509::sct::Sct;
         #[pymodule_export]
         use crate::x509::verify::{
-            PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore, PyVerifiedClient,
-            VerificationError,
+            CustomPolicyBuilder, PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore,
+            PyVerifiedClient, VerificationError,
         };
     }