Additional custom extension policy tests.

deivse · deivse · commit 8aa5eb77a479 · 2025-02-10T16:22:41.000+01:00
diff --git a/src/rust/src/x509/verify/mod.rs b/src/rust/src/x509/verify/mod.rs
@@ -573,3 +573,15 @@ impl PyStore {
         })
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::PyCryptoOps;
+
+    #[test]
+    fn test_crypto_ops_clone() {
+        // Just for coverage.
+        // The trait is needed to be able to clone ExtensionPolicy<'_, PyCryptoOps>.
+        let _ = PyCryptoOps {}.clone();
+    }
+}
diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py
@@ -12,10 +12,7 @@
 
 from cryptography import utils, x509
 from cryptography.hazmat._oid import ExtendedKeyUsageOID
-from cryptography.x509.extensions import (
-    ExtendedKeyUsage,
-    ExtensionType,
-)
+from cryptography.x509 import ExtensionType
 from cryptography.x509.general_name import DNSName, IPAddress
 from cryptography.x509.verification import (
     Criticality,
@@ -303,7 +300,7 @@ def test_error_message(self):
             verifier.verify(leaf, [])
 
 
-TESTED_EXTENSION_TYPES = (
+SUPPORTED_EXTENSION_TYPES = (
     x509.AuthorityInformationAccess,
     x509.AuthorityKeyIdentifier,
     x509.SubjectKeyIdentifier,
@@ -390,38 +387,99 @@ def validator_cb(policy, cert, ext: Optional[ExtensionType]):
 
         return validator_cb
 
-    # def test_all_extension_types(self):
-    #     ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
-    #     ee_ext_policy = ExtensionPolicy.webpki_defaults_ee()
+    def test_require_not_present(self):
+        default_ee = ExtensionPolicy.webpki_defaults_ee()
+        no_basic_constraints_ee = default_ee.require_not_present(
+            x509.BasicConstraints
+        )
 
-    #     ca_validator_called = False
+        default_builder = (
+            PolicyBuilder().store(self.store).time(self.validation_time)
+        )
+        builder_no_basic_constraints = default_builder.extension_policies(
+            ExtensionPolicy.webpki_defaults_ca(), no_basic_constraints_ee
+        )
 
-    #     extension_types = [
-    #         AuthorityInformationAccess,
-    #         AuthorityKeyIdentifier,
-    #         SubjectKeyIdentifier,
-    #         KeyUsage,
-    #         SubjectAlternativeName,
-    #         BasicConstraints,
-    #     ]
+        default_builder.build_client_verifier().verify(self.leaf, [])
 
-    #     for
+        with pytest.raises(
+            VerificationError,
+            match="Certificate contains prohibited extension",
+        ):
+            builder_no_basic_constraints.build_client_verifier().verify(
+                self.leaf, []
+            )
 
-    #     ca_ext_policy = ca_ext_policy.may_be_present(
-    #         x509.BasicConstraints,
-    #         Criticality.AGNOSTIC,
-    #         ca_basic_constraints_validator,
-    #     )
+    def test_require_present(self):
+        default_builder = (
+            PolicyBuilder().store(self.store).time(self.validation_time)
+        )
+        builder_require_subject_keyid = default_builder.extension_policies(
+            ExtensionPolicy.webpki_defaults_ca(),
+            ExtensionPolicy.webpki_defaults_ee().require_present(
+                x509.SubjectKeyIdentifier,
+                Criticality.AGNOSTIC,
+                self._make_validator_cb(x509.SubjectKeyIdentifier),
+            ),
+        )
+        builder_require_san = default_builder.extension_policies(
+            ExtensionPolicy.webpki_defaults_ca(),
+            ExtensionPolicy.webpki_defaults_ee().require_present(
+                x509.SubjectAlternativeName,
+                Criticality.AGNOSTIC,
+                self._make_validator_cb(x509.SubjectAlternativeName),
+            ),
+        )
 
-    #     builder = PolicyBuilder().store(self.store)
-    #     builder = builder.time(self.validation_time)
-    #     builder = builder.extension_policies(ca_ext_policy, ee_ext_policy)
+        default_builder.build_client_verifier().verify(self.leaf, [])
+        builder_require_san.build_client_verifier().verify(self.leaf, [])
 
-    #     builder.build_client_verifier().verify(self.leaf, [])
+        with pytest.raises(
+            VerificationError,
+            match="missing required extension",
+        ):
+            builder_require_subject_keyid.build_client_verifier().verify(
+                self.leaf, []
+            )
+
+    def test_criticality_constraints(self):
+        builder = PolicyBuilder().store(self.store).time(self.validation_time)
+        noncrit_key_usage_builder = builder.extension_policies(
+            ExtensionPolicy.webpki_defaults_ca(),
+            ExtensionPolicy.webpki_defaults_ee().require_present(
+                x509.KeyUsage, Criticality.NON_CRITICAL, None
+            ),
+        )
+        critical_eku_builder = builder.extension_policies(
+            ExtensionPolicy.webpki_defaults_ca(),
+            ExtensionPolicy.webpki_defaults_ee().require_present(
+                x509.ExtendedKeyUsage, Criticality.CRITICAL, None
+            ),
+        )
+
+        def make_pattern(extension_type: Type[ExtensionType]):
+            return (
+                f"invalid extension: {extension_type.oid.dotted_string}:"
+                " Certificate extension has incorrect criticality"
+            )
+
+        builder.build_client_verifier().verify(self.leaf, [])
+        with pytest.raises(
+            VerificationError,
+            match=make_pattern(x509.KeyUsage),
+        ):
+            noncrit_key_usage_builder.build_client_verifier().verify(
+                self.leaf, []
+            )
+        with pytest.raises(
+            VerificationError,
+            match=make_pattern(x509.ExtendedKeyUsage),
+        ):
+            critical_eku_builder.build_client_verifier().verify(self.leaf, [])
 
     @pytest.mark.parametrize(
         "extension_type",
-        TESTED_EXTENSION_TYPES,
+        SUPPORTED_EXTENSION_TYPES,
     )
     def test_custom_cb_pass(self, extension_type: Type[x509.ExtensionType]):
         ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
@@ -446,7 +504,7 @@ def test_custom_cb_pass(self, extension_type: Type[x509.ExtensionType]):
 
     @pytest.mark.parametrize(
         "extension_type",
-        TESTED_EXTENSION_TYPES,
+        SUPPORTED_EXTENSION_TYPES,
     )
     def test_custom_cb_exception_fails_verification(self, extension_type):
         ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
@@ -482,7 +540,7 @@ def validator(*_):
             return False
 
         ee_ext_policy = ee_ext_policy.may_be_present(
-            ExtendedKeyUsage,
+            x509.ExtendedKeyUsage,
             Criticality.AGNOSTIC,
             validator,
         )
