From 0db3ed870722b22754eaccf0d94e78a673e74ae1 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Fri, 2 Aug 2024 11:06:46 -0400
Subject: [PATCH] extensions: EKU must contain at least one member (#11383)

* extensions: EKU must contain at least one member

Signed-off-by: William Woodruff <william@trailofbits.com>

* record changes

Signed-off-by: William Woodruff <william@trailofbits.com>

* empty EKU test vector

Signed-off-by: William Woodruff <william@trailofbits.com>

* typo

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 CHANGELOG.rst                                         |  2 ++
 docs/development/test-vectors.rst                     |  2 ++
 src/rust/cryptography-x509/src/extensions.rs          |  2 +-
 tests/x509/test_x509.py                               | 10 ++++++++++
 .../cryptography_vectors/x509/custom/empty-eku.pem    | 11 +++++++++++
 5 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 vectors/cryptography_vectors/x509/custom/empty-eku.pem

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index ea0a119733af..9c7119c23a35 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,8 @@ Changelog
 
 .. note:: This version is not yet released and is under active development.
 
+* Enforce the :rfc:`5280` requirement that extended key usage extensions must
+  not be empty.
 
 .. _v43-0-0:
 
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index c906f611ceff..c8d0765fc854 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -534,6 +534,8 @@ Custom X.509 Vectors
   algorithm parameters. This encoding is invalid, but was generated by Java 20.
 * ``ekucrit-testuser-cert.pem`` - A leaf certificate containing a critical EKU.
   This is an invalid certificate per CA/B 7.1.2.7.6.
+* ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension.
+  This is an invalid certificate per :rfc:`5280` 4.2.1.12.
 
 Custom X.509 Request Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs
index 51df9fb0646b..1fddb3ecf83a 100644
--- a/src/rust/cryptography-x509/src/extensions.rs
+++ b/src/rust/cryptography-x509/src/extensions.rs
@@ -231,7 +231,7 @@ pub struct BasicConstraints {
 
 pub type SubjectAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>;
 pub type IssuerAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>;
-pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier>;
+pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier, 1>;
 
 pub struct KeyUsage<'a>(asn1::BitString<'a>);
 
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 91251d58c0a3..b96c4dbfdc7a 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -31,6 +31,7 @@
 from cryptography.hazmat.primitives.asymmetric.utils import (
     decode_dss_signature,
 )
+from cryptography.x509.extensions import ExtendedKeyUsage
 from cryptography.x509.name import _ASN1Type
 from cryptography.x509.oid import (
     AuthorityInformationAccessOID,
@@ -5733,6 +5734,15 @@ def test_bad_time_in_validity(self, backend):
                 x509.load_pem_x509_certificate,
             )
 
+    def test_invalid_empty_eku(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "empty-eku.pem"),
+            x509.load_pem_x509_certificate,
+        )
+
+        with pytest.raises(ValueError, match="InvalidSize"):
+            cert.extensions.get_extension_for_class(ExtendedKeyUsage)
+
 
 class TestNameAttribute:
     EXPECTED_TYPES: typing.ClassVar[
diff --git a/vectors/cryptography_vectors/x509/custom/empty-eku.pem b/vectors/cryptography_vectors/x509/custom/empty-eku.pem
new file mode 100644
index 000000000000..d8f8880f4cad
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/empty-eku.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpjCCAUygAwIBAgIUXbgOb3WRImMh6PjbldAK3smepIkwCgYIKoZIzj0EAwIw
+GjEYMBYGA1UEAwwPeDUwOS1saW1iby1yb290MCAXDTcwMDEwMTAwMDAwMVoYDzI5
+NjkwNTAzMDAwMDAxWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABM3LPV6xuBpFrGXEPvnjF2VnXwhfqYbfIrWUSVQFf6Eb
+TiPFZH96VPllxT176ftzTAHWMSG0oCdEduz2MFR0nqWjcjBwMB0GA1UdDgQWBBS+
+VOamU8j9i+62OkrB1PsJXEHTpTAfBgNVHSMEGDAWgBTrOA5ME/MKp4PpBUmEBQ6U
+vTpcWjALBgNVHQ8EBAMCB4AwCQYDVR0lBAIwADAWBgNVHREEDzANggtleGFtcGxl
+LmNvbTAKBggqhkjOPQQDAgNIADBFAiEAq8/MoJb/PyG710O0o/dAXYvsCbQgNNvg
+CAcF/8JQGxUCIEJgYI2pX8slVoRke9RDDMKzNQ49qkKOd++v2tTb+rbh
+-----END CERTIFICATE-----