From 2726ee7e62bd4eda751ddacec44c31efcc5ce530 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Fri, 2 Aug 2024 10:42:07 -0400
Subject: [PATCH] empty EKU test vector

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 docs/development/test-vectors.rst                     |  2 ++
 tests/x509/test_x509.py                               | 10 ++++++++++
 .../cryptography_vectors/x509/custom/empty-eku.pem    | 11 +++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 vectors/cryptography_vectors/x509/custom/empty-eku.pem

diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index c906f611ceff..3332a512f97f 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -534,6 +534,8 @@ Custom X.509 Vectors
   algorithm parameters. This encoding is invalid, but was generated by Java 20.
 * ``ekucrit-testuser-cert.pem`` - A leaf certificate containing a critical EKU.
   This is an invalid certificate per CA/B 7.1.2.7.6.
+* ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension.
+  This is an invalid certifcate per :rfc:`5280` 4.2.1.12.
 
 Custom X.509 Request Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 91251d58c0a3..b96c4dbfdc7a 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -31,6 +31,7 @@
 from cryptography.hazmat.primitives.asymmetric.utils import (
     decode_dss_signature,
 )
+from cryptography.x509.extensions import ExtendedKeyUsage
 from cryptography.x509.name import _ASN1Type
 from cryptography.x509.oid import (
     AuthorityInformationAccessOID,
@@ -5733,6 +5734,15 @@ def test_bad_time_in_validity(self, backend):
                 x509.load_pem_x509_certificate,
             )
 
+    def test_invalid_empty_eku(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "empty-eku.pem"),
+            x509.load_pem_x509_certificate,
+        )
+
+        with pytest.raises(ValueError, match="InvalidSize"):
+            cert.extensions.get_extension_for_class(ExtendedKeyUsage)
+
 
 class TestNameAttribute:
     EXPECTED_TYPES: typing.ClassVar[
diff --git a/vectors/cryptography_vectors/x509/custom/empty-eku.pem b/vectors/cryptography_vectors/x509/custom/empty-eku.pem
new file mode 100644
index 000000000000..d8f8880f4cad
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/empty-eku.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpjCCAUygAwIBAgIUXbgOb3WRImMh6PjbldAK3smepIkwCgYIKoZIzj0EAwIw
+GjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5
+NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABM3LPV6xuBpFrGXEPvnjF2VnXwhfqYbfIrWUSVQFf6Eb
+TiPFZH96VPllxT176ftzTAHWMSG0oCdEduz2MFR0nqWjcjBwMB0GA1UdDgQWBBS+
+VOamU8j9i+62OkrB1PsJXEHTpTAfBgNVHSMEGDAWgBTrOA5ME/MKp4PpBUmEBQ6U
+vTpcWjALBgNVHQ8EBAMCB4AwCQYDVR0lBAIwADAWBgNVHREEDzANggtleGFtcGxl
+LmNvbTAKBggqhkjOPQQDAgNIADBFAiEAq8/MoJb/PyG710O0o/dAXYvsCbQgNNvg
+CAcF/8JQGxUCIEJgYI2pX8slVoRke9RDDMKzNQ49qkKOd++v2tTb+rbh
+-----END CERTIFICATE-----