diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ea0a119733af..9c7119c23a35 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,8 @@ Changelog .. note:: This version is not yet released and is under active development. +* Enforce the :rfc:`5280` requirement that extended key usage extensions must + not be empty. .. _v43-0-0: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index c906f611ceff..c8d0765fc854 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -534,6 +534,8 @@ Custom X.509 Vectors algorithm parameters. This encoding is invalid, but was generated by Java 20. * ``ekucrit-testuser-cert.pem`` - A leaf certificate containing a critical EKU. This is an invalid certificate per CA/B 7.1.2.7.6. +* ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension. + This is an invalid certificate per :rfc:`5280` 4.2.1.12. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 51df9fb0646b..1fddb3ecf83a 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -231,7 +231,7 @@ pub struct BasicConstraints { pub type SubjectAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>; pub type IssuerAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>; -pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier>; +pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier, 1>; pub struct KeyUsage<'a>(asn1::BitString<'a>); diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 91251d58c0a3..b96c4dbfdc7a 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -31,6 +31,7 @@ from cryptography.hazmat.primitives.asymmetric.utils import ( decode_dss_signature, ) +from cryptography.x509.extensions import ExtendedKeyUsage from cryptography.x509.name import _ASN1Type from cryptography.x509.oid import ( AuthorityInformationAccessOID, @@ -5733,6 +5734,15 @@ def test_bad_time_in_validity(self, backend): x509.load_pem_x509_certificate, ) + def test_invalid_empty_eku(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "empty-eku.pem"), + x509.load_pem_x509_certificate, + ) + + with pytest.raises(ValueError, match="InvalidSize"): + cert.extensions.get_extension_for_class(ExtendedKeyUsage) + class TestNameAttribute: EXPECTED_TYPES: typing.ClassVar[ diff --git a/vectors/cryptography_vectors/x509/custom/empty-eku.pem b/vectors/cryptography_vectors/x509/custom/empty-eku.pem new file mode 100644 index 000000000000..d8f8880f4cad --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/empty-eku.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBpjCCAUygAwIBAgIUXbgOb3WRImMh6PjbldAK3smepIkwCgYIKoZIzj0EAwIw +GjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5 +NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABM3LPV6xuBpFrGXEPvnjF2VnXwhfqYbfIrWUSVQFf6Eb +TiPFZH96VPllxT176ftzTAHWMSG0oCdEduz2MFR0nqWjcjBwMB0GA1UdDgQWBBS+ +VOamU8j9i+62OkrB1PsJXEHTpTAfBgNVHSMEGDAWgBTrOA5ME/MKp4PpBUmEBQ6U +vTpcWjALBgNVHQ8EBAMCB4AwCQYDVR0lBAIwADAWBgNVHREEDzANggtleGFtcGxl +LmNvbTAKBggqhkjOPQQDAgNIADBFAiEAq8/MoJb/PyG710O0o/dAXYvsCbQgNNvg +CAcF/8JQGxUCIEJgYI2pX8slVoRke9RDDMKzNQ49qkKOd++v2tTb+rbh +-----END CERTIFICATE-----