ServerVerifier incorrect ext. policy early fail. (#12455)

* Fail early when building ServerVerifier with ext. policy that doesn't require SAN.

* Remove `validate`, move check to `new`.

* Refactor test_subject_alt_name_absent_in_server_profile.

Author: deivse

src/rust/cryptography-x509-verification/src/policy/extension.rs

@@ -702,10 +702,11 @@ mod tests {
     use cryptography_x509::extensions::{BasicConstraints, Extension};
     use cryptography_x509::oid::BASIC_CONSTRAINTS_OID;
 
-    use super::{Criticality, ExtensionValidator};
+    use super::{Criticality, ExtensionPolicy, ExtensionValidator};
     use crate::certificate::tests::PublicKeyErrorOps;
     use crate::ops::tests::{cert, v1_cert_pem};
     use crate::ops::{CryptoOps, VerificationCertificate};
+    use crate::policy::extension::CertificateType;
     use crate::policy::{Policy, PolicyDefinition, Subject, ValidationResult};
     use crate::types::DNSName;
 
@@ -764,7 +765,8 @@ mod tests {
             None,
             None,
             None,
-        );
+        )
+        .expect("failed to create policy definition");
         let policy = Policy::new(&policy_def, ());
 
         // Test a policy that stipulates that a given extension MUST be present.
@@ -812,7 +814,8 @@ mod tests {
             None,
             None,
             None,
-        );
+        )
+        .expect("failed to create policy definition");
         let policy = Policy::new(&policy_def, ());
 
         // Test a validator that stipulates that a given extension CAN be present.
@@ -852,7 +855,8 @@ mod tests {
             None,
             None,
             None,
-        );
+        )
+        .expect("failed to create policy definition");
         let policy = Policy::new(&policy_def, ());
 
         // Test a validator that stipulates that a given extension MUST NOT be present.
@@ -888,7 +892,8 @@ mod tests {
             None,
             None,
             None,
-        );
+        )
+        .expect("failed to create policy definition");
         let policy = Policy::new(&policy_def, ());
 
         // Test a present policy that stipulates that a given extension MUST be critical.
@@ -926,7 +931,8 @@ mod tests {
             None,
             None,
             None,
-        );
+        )
+        .expect("failed to create policy definition");
         let policy = Policy::new(&policy_def, ());
 
         // Test a maybe present validator that stipulates that a given extension MUST be critical.
@@ -950,4 +956,39 @@ mod tests {
             )
             .is_err());
     }
+
+    #[test]
+    fn test_subject_alt_name_absent_in_server_profile() {
+        // This certificate doesn't have a SAN extension.
+        let cert_pem = v1_cert_pem();
+        let cert = cert(&cert_pem);
+        let ops = PublicKeyErrorOps {};
+
+        let policy_def = PolicyDefinition::server(
+            ops,
+            Subject::DNS(DNSName::new("example.com").unwrap()),
+            epoch(),
+            None,
+            None,
+            None,
+        )
+        .expect("failed to create policy definition");
+        let policy = Policy::new(&policy_def, ());
+
+        let extensions = &cert
+            .extensions()
+            .map_err(|_| "duplicate extensions")
+            .expect("failed to get extensions");
+
+        let result = ExtensionPolicy::new_permit_all().permits(
+            &policy,
+            CertificateType::EE,
+            &VerificationCertificate::new(&cert, ()),
+            &extensions,
+        );
+        assert_eq!(
+            result.unwrap_err().to_string(),
+            "leaf server certificate has no subjectAltName"
+        );
+    }
 }

src/rust/cryptography-x509-verification/src/policy/mod.rs

@@ -247,8 +247,8 @@ impl<'a, B: CryptoOps + 'a> PolicyDefinition<'a, B> {
         extended_key_usage: ObjectIdentifier,
         ca_extension_policy: Option<ExtensionPolicy<'a, B>>,
         ee_extension_policy: Option<ExtensionPolicy<'a, B>>,
-    ) -> Self {
-        Self {
+    ) -> Result<Self, &'static str> {
+        let retval = Self {
             ops,
             max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH),
             subject,
@@ -261,7 +261,24 @@ impl<'a, B: CryptoOps + 'a> PolicyDefinition<'a, B> {
                 .unwrap_or_else(ExtensionPolicy::new_default_webpki_ca),
             ee_extension_policy: ee_extension_policy
                 .unwrap_or_else(ExtensionPolicy::new_default_webpki_ee),
+        };
+
+        // NOTE: If subject is set (server profile), we do not accept
+        // EE extension policies that allow the SAN extension to be absent.
+        // Even without this check, `self.ee_extension_policy.permits(self, CertificateType::EE, ...)`
+        // would fail, but we want to fail early and provide a more specific error message.
+        if retval.subject.is_some()
+            && !matches!(
+                retval.ee_extension_policy.subject_alternative_name,
+                ExtensionValidator::Present { .. }
+            )
+        {
+            return Err(
+                "An EE extension policy used for server verification must require the subjectAltName extension to be present.",
+            );
         }
+
+        Ok(retval)
     }
 
     /// Create a new policy with suitable defaults for client certification
@@ -276,7 +293,7 @@ impl<'a, B: CryptoOps + 'a> PolicyDefinition<'a, B> {
         max_chain_depth: Option<u8>,
         ca_extension_policy: Option<ExtensionPolicy<'a, B>>,
         ee_extension_policy: Option<ExtensionPolicy<'a, B>>,
-    ) -> Self {
+    ) -> Result<Self, &'static str> {
         Self::new(
             ops,
             None,
@@ -297,7 +314,7 @@ impl<'a, B: CryptoOps + 'a> PolicyDefinition<'a, B> {
         max_chain_depth: Option<u8>,
         ca_extension_policy: Option<ExtensionPolicy<'a, B>>,
         ee_extension_policy: Option<ExtensionPolicy<'a, B>>,
-    ) -> Self {
+    ) -> Result<Self, &'static str> {
         Self::new(
             ops,
             Some(subject),

src/rust/src/x509/verify/mod.rs

@@ -186,7 +186,7 @@ impl PolicyBuilder {
             None => datetime_now(py)?,
         };
 
-        let policy_definition = OwnedPolicyDefinition::new(None, |_subject| {
+        let policy_definition = OwnedPolicyDefinition::try_new(None, |_subject| {
             PolicyDefinition::client(
                 PyCryptoOps {},
                 time,
@@ -198,7 +198,8 @@ impl PolicyBuilder {
                     .as_ref()
                     .map(|p| p.get().clone_inner_policy()),
             )
-        });
+            .map_err(pyo3::exceptions::PyValueError::new_err)
+        })?;
 
         let py_policy = PyPolicy {
             policy_definition,
@@ -242,7 +243,7 @@ impl PolicyBuilder {
                         .expect("subject_owner for ServerVerifier can not be None"),
                 )?;
 
-                Ok::<PyCryptoPolicyDefinition<'_>, pyo3::PyErr>(PolicyDefinition::server(
+                PolicyDefinition::server(
                     PyCryptoOps {},
                     subject,
                     time,
@@ -253,7 +254,8 @@ impl PolicyBuilder {
                     self.ee_ext_policy
                         .as_ref()
                         .map(|p| p.get().clone_inner_policy()),
-                ))
+                )
+                .map_err(pyo3::exceptions::PyValueError::new_err)
             })?;
 
         let py_policy = PyPolicy {

tests/x509/verification/test_verification.py

@@ -454,11 +454,19 @@ def test_custom_cb_pass(self, extension_type: Type[x509.ExtensionType]):
         ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
         ee_ext_policy = ExtensionPolicy.webpki_defaults_ee()
 
-        ee_ext_policy = ee_ext_policy.may_be_present(
-            extension_type,
-            Criticality.AGNOSTIC,
-            self._make_validator_cb(extension_type),
-        )
+        if extension_type is x509.SubjectAlternativeName:
+            # subjectAltName must be required for server verification
+            ee_ext_policy = ee_ext_policy.require_present(
+                extension_type,
+                Criticality.AGNOSTIC,
+                self._make_validator_cb(extension_type),
+            )
+        else:
+            ee_ext_policy = ee_ext_policy.may_be_present(
+                extension_type,
+                Criticality.AGNOSTIC,
+                self._make_validator_cb(extension_type),
+            )
 
         builder = PolicyBuilder().store(self.store)
         builder = builder.time(self.validation_time).max_chain_depth(16)
@@ -561,23 +569,27 @@ def test_no_subject_alt_name(self):
         verified_client = builder.build_client_verifier().verify(leaf, [])
         assert verified_client.subjects is None
 
-        # For ServerVerifier, SAN must be present,
-        # even if the ExtensionPolicy permits it's absence.
+        # Trying to build a ServerVerifier with an EE ExtensionPolicy
+        # that doesn't require SAN extension must fail.
         with pytest.raises(
-            VerificationError,
-            match="leaf server certificate has no subjectAltName",
+            ValueError,
+            match=(
+                "An EE extension policy used for server verification"
+                " must require the subjectAltName extension to be present."
+            ),
         ):
-            # SAN must be present for ServerVerifier,
-            #
-            builder.build_server_verifier(DNSName("example.com")).verify(
-                leaf, []
-            )
+            builder.build_server_verifier(DNSName("example.com"))
 
     def test_wrong_subject_alt_name(self):
+        ee_extension_policy = (
+            ExtensionPolicy.webpki_defaults_ee().require_present(
+                x509.SubjectAlternativeName, Criticality.AGNOSTIC, None
+            )
+        )
         builder = PolicyBuilder().store(self.store)
         builder = builder.time(self.validation_time)
         builder = builder.extension_policies(
-            ExtensionPolicy.webpki_defaults_ca(), ExtensionPolicy.permit_all()
+            ExtensionPolicy.webpki_defaults_ca(), ee_extension_policy
         )
 
         builder.build_client_verifier().verify(self.leaf, [])