extensions: EKU must contain at least one member (#11383)

* extensions: EKU must contain at least one member Signed-off-by: William Woodruff <[email protected]> * record changes Signed-off-by: William Woodruff <[email protected]> * empty EKU test vector Signed-off-by: William Woodruff <[email protected]> * typo Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: William Woodruff <[email protected]>
pyca · Aug 2, 2024 · 0db3ed8 · 0db3ed8
1 parent 2315512
commit 0db3ed8
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 1 deletion.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -8,6 +8,8 @@ Changelog
 
 .. note:: This version is not yet released and is under active development.
 
+* Enforce the :rfc:`5280` requirement that extended key usage extensions must
+  not be empty.
 
 .. _v43-0-0:
 

diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -534,6 +534,8 @@ Custom X.509 Vectors
   algorithm parameters. This encoding is invalid, but was generated by Java 20.
 * ``ekucrit-testuser-cert.pem`` - A leaf certificate containing a critical EKU.
   This is an invalid certificate per CA/B 7.1.2.7.6.
+* ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension.
+  This is an invalid certificate per :rfc:`5280` 4.2.1.12.
 
 Custom X.509 Request Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs
@@ -231,7 +231,7 @@ pub struct BasicConstraints {
 
 pub type SubjectAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>;
 pub type IssuerAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>;
-pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier>;
+pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier, 1>;
 
 pub struct KeyUsage<'a>(asn1::BitString<'a>);
 

diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
@@ -31,6 +31,7 @@
 from cryptography.hazmat.primitives.asymmetric.utils import (
     decode_dss_signature,
 )
+from cryptography.x509.extensions import ExtendedKeyUsage
 from cryptography.x509.name import _ASN1Type
 from cryptography.x509.oid import (
     AuthorityInformationAccessOID,
@@ -5733,6 +5734,15 @@ def test_bad_time_in_validity(self, backend):
                 x509.load_pem_x509_certificate,
             )
 
+    def test_invalid_empty_eku(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "empty-eku.pem"),
+            x509.load_pem_x509_certificate,
+        )
+
+        with pytest.raises(ValueError, match="InvalidSize"):
+            cert.extensions.get_extension_for_class(ExtendedKeyUsage)
+
 
 class TestNameAttribute:
     EXPECTED_TYPES: typing.ClassVar[

diff --git a/vectors/cryptography_vectors/x509/custom/empty-eku.pem b/vectors/cryptography_vectors/x509/custom/empty-eku.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpjCCAUygAwIBAgIUXbgOb3WRImMh6PjbldAK3smepIkwCgYIKoZIzj0EAwIw
+GjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5
+NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABM3LPV6xuBpFrGXEPvnjF2VnXwhfqYbfIrWUSVQFf6Eb
+TiPFZH96VPllxT176ftzTAHWMSG0oCdEduz2MFR0nqWjcjBwMB0GA1UdDgQWBBS+
+VOamU8j9i+62OkrB1PsJXEHTpTAfBgNVHSMEGDAWgBTrOA5ME/MKp4PpBUmEBQ6U
+vTpcWjALBgNVHQ8EBAMCB4AwCQYDVR0lBAIwADAWBgNVHREEDzANggtleGFtcGxl
+LmNvbTAKBggqhkjOPQQDAgNIADBFAiEAq8/MoJb/PyG710O0o/dAXYvsCbQgNNvg
+CAcF/8JQGxUCIEJgYI2pX8slVoRke9RDDMKzNQ49qkKOd++v2tTb+rbh
+-----END CERTIFICATE-----