x509 Verification: base Python support for extension policies (#12432)

* Base Rust impl of python-defined ExtensionPolicies.

* Improve naming to make clone apparent.

* Add new API to python interface definition.

* ExtensionPolicy static constructor methods test.

* Fix invalid unwrap in ClientVerifier::verify

* Add ClientVerifier test for when policy allows no SAN.

* PyCryptoOps Clone test for coverage.

Author: deivse

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -201,6 +201,9 @@ class PolicyBuilder:
     def time(self, new_time: datetime.datetime) -> PolicyBuilder: ...
     def store(self, new_store: Store) -> PolicyBuilder: ...
     def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: ...
+    def extension_policies(
+        self, new_ca_policy: ExtensionPolicy, new_ee_policy: ExtensionPolicy
+    ) -> PolicyBuilder: ...
     def build_client_verifier(self) -> ClientVerifier: ...
     def build_server_verifier(
         self, subject: x509.verification.Subject
@@ -218,6 +221,14 @@ class Policy:
     @property
     def minimum_rsa_modulus(self) -> int: ...
 
+class ExtensionPolicy:
+    @staticmethod
+    def permit_all() -> ExtensionPolicy: ...
+    @staticmethod
+    def webpki_defaults_ca() -> ExtensionPolicy: ...
+    @staticmethod
+    def webpki_defaults_ee() -> ExtensionPolicy: ...
+
 class VerifiedClient:
     @property
     def subjects(self) -> list[x509.GeneralName] | None: ...

src/cryptography/x509/verification.py

@@ -11,6 +11,8 @@
 
 __all__ = [
     "ClientVerifier",
+    "ExtensionPolicy",
+    "Policy",
     "PolicyBuilder",
     "ServerVerifier",
     "Store",
@@ -26,4 +28,5 @@
 ServerVerifier = rust_x509.ServerVerifier
 PolicyBuilder = rust_x509.PolicyBuilder
 Policy = rust_x509.Policy
+ExtensionPolicy = rust_x509.ExtensionPolicy
 VerificationError = rust_x509.VerificationError

src/rust/cryptography-x509-verification/src/lib.rs

@@ -49,7 +49,7 @@ pub struct ValidationError<'chain, B: CryptoOps> {
 }
 
 impl<'chain, B: CryptoOps> ValidationError<'chain, B> {
-    pub(crate) fn new(kind: ValidationErrorKind<'chain, B>) -> Self {
+    pub fn new(kind: ValidationErrorKind<'chain, B>) -> Self {
         ValidationError { kind, cert: None }
     }
 

src/rust/cryptography-x509-verification/src/policy/extension.rs

@@ -16,6 +16,7 @@ use crate::{
     ops::CryptoOps, policy::Policy, ValidationError, ValidationErrorKind, ValidationResult,
 };
 
+#[derive(Clone)]
 pub struct ExtensionPolicy<'cb, B: CryptoOps> {
     pub authority_information_access: ExtensionValidator<'cb, B>,
     pub authority_key_identifier: ExtensionValidator<'cb, B>,
@@ -28,6 +29,27 @@ pub struct ExtensionPolicy<'cb, B: CryptoOps> {
 }
 
 impl<'cb, B: CryptoOps + 'cb> ExtensionPolicy<'cb, B> {
+    pub fn new_permit_all() -> Self {
+        const fn make_permissive_validator<'cb, B: CryptoOps + 'cb>() -> ExtensionValidator<'cb, B>
+        {
+            ExtensionValidator::MaybePresent {
+                criticality: Criticality::Agnostic,
+                validator: None,
+            }
+        }
+
+        ExtensionPolicy {
+            authority_information_access: make_permissive_validator(),
+            authority_key_identifier: make_permissive_validator(),
+            subject_key_identifier: make_permissive_validator(),
+            key_usage: make_permissive_validator(),
+            subject_alternative_name: make_permissive_validator(),
+            basic_constraints: make_permissive_validator(),
+            name_constraints: make_permissive_validator(),
+            extended_key_usage: make_permissive_validator(),
+        }
+    }
+
     pub fn new_default_webpki_ca() -> Self {
         ExtensionPolicy {
             // 5280 4.2.2.1: Authority Information Access
@@ -214,6 +236,7 @@ impl<'cb, B: CryptoOps + 'cb> ExtensionPolicy<'cb, B> {
 }
 
 /// Represents different criticality states for an extension.
+#[derive(Clone)]
 pub enum Criticality {
     /// The extension MUST be marked as critical.
     Critical,
@@ -258,6 +281,7 @@ pub type MaybeExtensionValidatorCallback<'cb, B> = Arc<
 >;
 
 /// Represents different validation states for an extension.
+#[derive(Clone)]
 pub enum ExtensionValidator<'cb, B: CryptoOps> {
     /// The extension MUST NOT be present.
     NotPresent,

src/rust/src/lib.rs

@@ -135,8 +135,8 @@ mod _rust {
         use crate::x509::sct::Sct;
         #[pymodule_export]
         use crate::x509::verify::{
-            PolicyBuilder, PyClientVerifier, PyPolicy, PyServerVerifier, PyStore, PyVerifiedClient,
-            VerificationError,
+            PolicyBuilder, PyClientVerifier, PyExtensionPolicy, PyPolicy, PyServerVerifier,
+            PyStore, PyVerifiedClient, VerificationError,
         };
     }
 

src/rust/src/x509/verify/extension_policy.rs

@@ -0,0 +1,39 @@
+use super::PyCryptoOps;
+use cryptography_x509_verification::policy::ExtensionPolicy;
+
+#[pyo3::pyclass(
+    frozen,
+    module = "cryptography.x509.verification",
+    name = "ExtensionPolicy"
+)]
+pub(crate) struct PyExtensionPolicy {
+    rust_policy: ExtensionPolicy<'static, PyCryptoOps>,
+}
+
+impl PyExtensionPolicy {
+    pub(super) fn clone_rust_policy(&self) -> ExtensionPolicy<'static, PyCryptoOps> {
+        self.rust_policy.clone()
+    }
+
+    fn new(rust_policy: ExtensionPolicy<'static, PyCryptoOps>) -> Self {
+        PyExtensionPolicy { rust_policy }
+    }
+}
+
+#[pyo3::pymethods]
+impl PyExtensionPolicy {
+    #[staticmethod]
+    pub(crate) fn permit_all() -> Self {
+        PyExtensionPolicy::new(ExtensionPolicy::new_permit_all())
+    }
+
+    #[staticmethod]
+    pub(crate) fn webpki_defaults_ca() -> Self {
+        PyExtensionPolicy::new(ExtensionPolicy::new_default_webpki_ca())
+    }
+
+    #[staticmethod]
+    pub(crate) fn webpki_defaults_ee() -> Self {
+        PyExtensionPolicy::new(ExtensionPolicy::new_default_webpki_ee())
+    }
+}

src/rust/src/x509/verify/mod.rs

@@ -11,6 +11,7 @@ use cryptography_x509_verification::trust_store::Store;
 use cryptography_x509_verification::types::{DNSName, IPAddress};
 use pyo3::types::{PyAnyMethods, PyListMethods};
 
+mod extension_policy;
 mod policy;
 use super::parse_general_names;
 use crate::backend::keys;
@@ -20,8 +21,10 @@ use crate::utils::cstr_from_literal;
 use crate::x509::certificate::Certificate as PyCertificate;
 use crate::x509::common::{datetime_now, py_to_datetime};
 use crate::x509::sign;
+pub(crate) use extension_policy::PyExtensionPolicy;
 pub(crate) use policy::PyPolicy;
 
+#[derive(Clone)]
 pub(crate) struct PyCryptoOps {}
 
 impl CryptoOps for PyCryptoOps {
@@ -82,6 +85,8 @@ pub(crate) struct PolicyBuilder {
     time: Option<asn1::DateTime>,
     store: Option<pyo3::Py<PyStore>>,
     max_chain_depth: Option<u8>,
+    ca_ext_policy: Option<pyo3::Py<PyExtensionPolicy>>,
+    ee_ext_policy: Option<pyo3::Py<PyExtensionPolicy>>,
 }
 
 impl PolicyBuilder {
@@ -90,6 +95,8 @@ impl PolicyBuilder {
             time: self.time.clone(),
             store: self.store.as_ref().map(|s| s.clone_ref(py)),
             max_chain_depth: self.max_chain_depth,
+            ca_ext_policy: self.ca_ext_policy.as_ref().map(|p| p.clone_ref(py)),
+            ee_ext_policy: self.ee_ext_policy.as_ref().map(|p| p.clone_ref(py)),
         }
     }
 }
@@ -102,6 +109,8 @@ impl PolicyBuilder {
             time: None,
             store: None,
             max_chain_depth: None,
+            ca_ext_policy: None,
+            ee_ext_policy: None,
         }
     }
 
@@ -144,6 +153,22 @@ impl PolicyBuilder {
         })
     }
 
+    fn extension_policies(
+        &self,
+        py: pyo3::Python<'_>,
+        new_ca_policy: pyo3::Py<PyExtensionPolicy>,
+        new_ee_policy: pyo3::Py<PyExtensionPolicy>,
+    ) -> CryptographyResult<PolicyBuilder> {
+        // Enough to check one of the two, since they can only be set together.
+        policy_builder_set_once_check!(self, ca_ext_policy, "extension policies");
+
+        Ok(PolicyBuilder {
+            ca_ext_policy: Some(new_ca_policy),
+            ee_ext_policy: Some(new_ee_policy),
+            ..self.py_clone(py)
+        })
+    }
+
     fn build_client_verifier(&self, py: pyo3::Python<'_>) -> CryptographyResult<PyClientVerifier> {
         let store = match self.store.as_ref() {
             Some(s) => s.clone_ref(py),
@@ -162,8 +187,17 @@ impl PolicyBuilder {
         };
 
         let policy_definition = OwnedPolicyDefinition::new(None, |_subject| {
-            // TODO: Pass extension policies here once implemented in cryptography-x509-verification.
-            PolicyDefinition::client(PyCryptoOps {}, time, self.max_chain_depth, None, None)
+            PolicyDefinition::client(
+                PyCryptoOps {},
+                time,
+                self.max_chain_depth,
+                self.ca_ext_policy
+                    .as_ref()
+                    .map(|p| p.get().clone_rust_policy()),
+                self.ee_ext_policy
+                    .as_ref()
+                    .map(|p| p.get().clone_rust_policy()),
+            )
         });
 
         let py_policy = PyPolicy {
@@ -208,14 +242,17 @@ impl PolicyBuilder {
                         .expect("subject_owner for ServerVerifier can not be None"),
                 )?;
 
-                // TODO: Pass extension policies here once implemented in cryptography-x509-verification.
                 Ok::<PyCryptoPolicyDefinition<'_>, pyo3::PyErr>(PolicyDefinition::server(
                     PyCryptoOps {},
                     subject,
                     time,
                     self.max_chain_depth,
-                    None,
-                    None,
+                    self.ca_ext_policy
+                        .as_ref()
+                        .map(|p| p.get().clone_rust_policy()),
+                    self.ee_ext_policy
+                        .as_ref()
+                        .map(|p| p.get().clone_rust_policy()),
                 ))
             })?;
 
@@ -345,22 +382,24 @@ impl PyClientVerifier {
             py_chain.append(c.extra())?;
         }
 
-        // NOTE: These `unwrap()`s cannot fail, since the underlying policy
-        // enforces the presence of a SAN and the well-formedness of the
-        // extension set.
-        let leaf_san = &chain[0]
+        // NOTE: The `unwrap()` cannot fail, since the underlying policy
+        // enforces the well-formedness of the extension set.
+        let subjects = match &chain[0]
             .certificate()
             .extensions()
             .ok()
             .unwrap()
             .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID)
-            .unwrap();
-
-        let leaf_gns = leaf_san.value::<SubjectAlternativeName<'_>>()?;
-        let py_gns = parse_general_names(py, &leaf_gns)?;
+        {
+            Some(leaf_san) => {
+                let leaf_gns = leaf_san.value::<SubjectAlternativeName<'_>>()?;
+                Some(parse_general_names(py, &leaf_gns)?.unbind())
+            }
+            None => None,
+        };
 
         Ok(PyVerifiedClient {
-            subjects: Some(py_gns.into()),
+            subjects,
             chain: py_chain.unbind(),
         })
     }
@@ -534,3 +573,15 @@ impl PyStore {
         })
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::PyCryptoOps;
+
+    #[test]
+    fn test_crypto_ops_clone() {
+        // Just for coverage.
+        // The trait is needed to be able to clone ExtensionPolicy<'_, PyCryptoOps>.
+        let _ = PyCryptoOps {}.clone();
+    }
+}

tests/x509/verification/test_verification.py

@@ -13,6 +13,7 @@
 from cryptography.hazmat._oid import ExtendedKeyUsageOID
 from cryptography.x509.general_name import DNSName, IPAddress
 from cryptography.x509.verification import (
+    ExtensionPolicy,
     PolicyBuilder,
     Store,
     VerificationError,
@@ -209,6 +210,33 @@ def test_verify_fails_renders_oid(self):
         ):
             verifier.verify(leaf, [])
 
+    def test_custom_ext_policy_no_san(self):
+        leaf = _load_cert(
+            os.path.join("x509", "custom", "no_sans.pem"),
+            x509.load_pem_x509_certificate,
+        )
+
+        store = Store([leaf])
+        validation_time = datetime.datetime.fromisoformat(
+            "2025-04-14T00:00:00+00:00"
+        )
+
+        builder = PolicyBuilder().store(store)
+        builder = builder.time(validation_time)
+
+        with pytest.raises(
+            VerificationError,
+            match="missing required extension",
+        ):
+            builder.build_client_verifier().verify(leaf, [])
+
+        builder = builder.extension_policies(
+            ExtensionPolicy.webpki_defaults_ca(), ExtensionPolicy.permit_all()
+        )
+
+        verified_client = builder.build_client_verifier().verify(leaf, [])
+        assert verified_client.subjects is None
+
 
 class TestServerVerifier:
     @pytest.mark.parametrize(
@@ -261,3 +289,31 @@ def test_error_message(self):
             match=r"<Certificate\(subject=.*?CN=www.cryptography.io.*?\)>",
         ):
             verifier.verify(leaf, [])
+
+
+class TestCustomExtensionPolicies:
+    leaf = _load_cert(
+        os.path.join("x509", "cryptography.io.pem"),
+        x509.load_pem_x509_certificate,
+    )
+    ca = _load_cert(
+        os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
+        x509.load_pem_x509_certificate,
+    )
+    store = Store([ca])
+    validation_time = datetime.datetime.fromisoformat(
+        "2018-11-16T00:00:00+00:00"
+    )
+
+    def test_static_methods(self):
+        builder = PolicyBuilder().store(self.store)
+        builder = builder.time(self.validation_time).max_chain_depth(16)
+        builder = builder.extension_policies(
+            ExtensionPolicy.webpki_defaults_ca(),
+            ExtensionPolicy.webpki_defaults_ee(),
+        )
+
+        builder.build_client_verifier().verify(self.leaf, [])
+        builder.build_server_verifier(DNSName("cryptography.io")).verify(
+            self.leaf, []
+        )