Add EKU getters to ClientVerifier and ServerVerifier.

pyca · Sep 11, 2024 · adc39ba · adc39ba
1 parent 0b9082b
commit adc39ba
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi
@@ -94,6 +94,8 @@ class ClientVerifier:
     def store(self) -> Store: ...
     @property
     def max_chain_depth(self) -> int: ...
+    @property
+    def eku(self) -> x509.ObjectIdentifier: ...
     def verify(
         self,
         leaf: x509.Certificate,
@@ -109,6 +111,8 @@ class ServerVerifier:
     def store(self) -> Store: ...
     @property
     def max_chain_depth(self) -> int: ...
+    @property
+    def eku(self) -> x509.ObjectIdentifier: ...
     def verify(
         self,
         leaf: x509.Certificate,

diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs
@@ -18,11 +18,14 @@ use pyo3::{
     ToPyObject,
 };
 
-use crate::error::{CryptographyError, CryptographyResult};
 use crate::types;
 use crate::x509::certificate::Certificate as PyCertificate;
 use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime};
 use crate::x509::sign;
+use crate::{
+    asn1::oid_to_py_oid,
+    error::{CryptographyError, CryptographyResult},
+};
 use crate::{asn1::py_oid_to_oid, backend::keys};
 
 use super::parse_general_names;
@@ -401,6 +404,12 @@ impl PyClientVerifier {
         self.as_policy().max_chain_depth
     }
 
+    #[getter]
+    fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::Py<pyo3::PyAny>> {
+        let eku = &self.as_policy().extended_key_usage;
+        return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py));
+    }
+
     fn verify(
         &self,
         py: pyo3::Python<'_>,
@@ -504,6 +513,12 @@ impl PyServerVerifier {
         self.as_policy().max_chain_depth
     }
 
+    #[getter]
+    fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::Py<pyo3::PyAny>> {
+        let eku = &self.as_policy().extended_key_usage;
+        return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py));
+    }
+
     fn verify<'p>(
         &self,
         py: pyo3::Python<'p>,

diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py
@@ -108,6 +108,7 @@ def test_builder_pattern(self, builder_type: Type[AnyPolicyBuilder]):
         assert verifier.validation_time == now
         assert verifier.store == store
         assert verifier.max_chain_depth == max_chain_depth
+        assert verifier.eku == ExtendedKeyUsageOID.SERVER_AUTH
 
     def test_build_server_verifier_missing_store(
         self, builder_type: Type[AnyPolicyBuilder]
@@ -179,6 +180,7 @@ def test_verify(self, builder_type: Type[AnyPolicyBuilder]):
         assert verifier.validation_time == validation_time.replace(tzinfo=None)
         assert verifier.max_chain_depth == 16
         assert verifier.store is store
+        assert verifier.eku == ExtendedKeyUsageOID.CLIENT_AUTH
 
         verified_client = verifier.verify(leaf, [])
         assert verified_client.chain == [leaf]