Extended key usage support for the openssl backend
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4ba66bb..dd2aba6 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -267,6 +267,8 @@
value = self._build_key_usage(ext)
elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME:
value = self._build_subject_alt_name(ext)
+ elif oid == x509.OID_EXTENDED_KEY_USAGE:
+ value = self._build_extended_key_usage(ext)
elif critical:
raise x509.UnsupportedExtension(
"{0} is not currently supported".format(oid), oid
@@ -366,6 +368,24 @@
return x509.SubjectAlternativeName(general_names)
+ def _build_extended_key_usage(self, ext):
+ sk = self._backend._ffi.cast(
+ "Cryptography_STACK_OF_ASN1_OBJECT *",
+ self._backend._lib.X509V3_EXT_d2i(ext)
+ )
+ assert sk != self._backend._ffi.NULL
+ sk = self._backend._ffi.gc(sk, self._backend._lib.sk_ASN1_OBJECT_free)
+ num = self._backend._lib.sk_ASN1_OBJECT_num(sk)
+ ekus = []
+
+ for i in range(num):
+ obj = self._backend._lib.sk_ASN1_OBJECT_value(sk, i)
+ assert obj != self._backend._ffi.NULL
+ oid = x509.ObjectIdentifier(_obj2txt(self._backend, obj))
+ ekus.append(oid)
+
+ return x509.ExtendedKeyUsage(ekus)
+
@utils.register_interface(x509.CertificateSigningRequest)
class _CertificateSigningRequest(object):
diff --git a/src/cryptography/hazmat/bindings/openssl/x509.py b/src/cryptography/hazmat/bindings/openssl/x509.py
index a1fb7ff..0c6c325 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509.py
@@ -17,6 +17,7 @@
typedef STACK_OF(X509) Cryptography_STACK_OF_X509;
typedef STACK_OF(X509_CRL) Cryptography_STACK_OF_X509_CRL;
typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED;
+typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT;
"""
TYPES = """
@@ -303,6 +304,11 @@
int i2d_EC_PUBKEY_bio(BIO *, EC_KEY *);
EC_KEY *d2i_ECPrivateKey_bio(BIO *, EC_KEY **);
int i2d_ECPrivateKey_bio(BIO *, EC_KEY *);
+
+// declared in safestack
+int sk_ASN1_OBJECT_num(Cryptography_STACK_OF_ASN1_OBJECT *);
+ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int);
+void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *);
"""
CUSTOMIZATIONS = """
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 05734b4..92e616e 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -959,3 +959,32 @@
cert.extensions
assert 'Invalid rfc822name value' in str(exc.value)
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestExtendedKeyUsageExtension(object):
+ def test_eku(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "extended_key_usage.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_EXTENDED_KEY_USAGE
+ )
+ assert ext is not None
+ assert ext.critical is False
+
+ assert [
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
+ x509.ObjectIdentifier("2.5.29.37.0"),
+ x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
+ ] == list(ext.value)