Remove EKU-related setters, getters and documentation from this PR.

Author: deivse

docs/x509/verification.rst

@@ -132,8 +132,6 @@ the root of trust:
 .. class:: ClientVerifier
 
     .. versionadded:: 43.0.0
-    .. versionchanged:: 44.0.0
-        Added :attr:`eku`.
 
     A ClientVerifier verifies client certificates.
 
@@ -161,18 +159,6 @@ the root of trust:
         :type: :class:`Store`
 
         The verifier's trust store.
-    
-    .. attribute:: eku
-
-        :type: :class:`~cryptography.x509.ObjectIdentifier` or None
-
-        The value of the Extended Key Usage extension required by this verifier
-        If the verifier was built using :meth:`PolicyBuilder.build_client_verifier`,
-        this will always be :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH`. 
-        
-        :note: 
-            See :meth:`CustomPolicyBuilder.eku` documentation for how verification is affected 
-            when changing the required EKU or using a custom extension policy.
 
     .. method:: verify(leaf, intermediates)
 
@@ -229,18 +215,6 @@ the root of trust:
 
         The verifier's trust store.
 
-    .. attribute:: eku
-
-        :type: :class:`~cryptography.x509.ObjectIdentifier`
-
-        The value of the Extended Key Usage extension required by this verifier
-        If the verifier was built using :meth:`PolicyBuilder.build_server_verifier`,
-        this will always be :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH`.
-        
-        :note:
-            See :meth:`CustomPolicyBuilder.eku` documentation for how verification is affected 
-            when changing the required EKU or using a custom extension policy.
-
     .. method:: verify(leaf, intermediates)
 
         Performs path validation on ``leaf``, returning a valid path
@@ -365,24 +339,6 @@ the root of trust:
 
         :returns: A new instance of :class:`PolicyBuilder`
 
-    .. method:: eku(new_eku)
-
-        Sets the Extended Key Usage required by the verifier's policy.
-
-        If this method is not called, the EKU defaults to :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH` 
-        if :meth:`build_server_verifier` is called, and :attr:`~cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH` if
-        :meth:`build_client_verifier` is called. 
-
-        When using the default extension policies, only certificates
-        with the Extended Key Usage extension containing the specified value
-        will be accepted. To accept more than one EKU or any EKU, use an extension policy
-        with a custom validator. The EKU set via this method is accessible to custom extension validator
-        callbacks via the `policy` argument.
-
-        :param ~cryptography.x509.ObjectIdentifier new_eku:
-
-        :returns: A new instance of :class:`PolicyBuilder`
-
     .. method:: build_server_verifier(subject)
 
         Builds a verifier for verifying server certificates.

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -73,7 +73,6 @@ class CustomPolicyBuilder:
     def max_chain_depth(
         self, new_max_chain_depth: int
     ) -> CustomPolicyBuilder: ...
-    def eku(self, new_eku: x509.ObjectIdentifier) -> CustomPolicyBuilder: ...
     def build_client_verifier(self) -> ClientVerifier: ...
     def build_server_verifier(
         self, subject: x509.verification.Subject
@@ -92,8 +91,6 @@ class ClientVerifier:
     def store(self) -> Store: ...
     @property
     def max_chain_depth(self) -> int: ...
-    @property
-    def eku(self) -> x509.ObjectIdentifier: ...
     def verify(
         self,
         leaf: x509.Certificate,
@@ -109,8 +106,6 @@ class ServerVerifier:
     def store(self) -> Store: ...
     @property
     def max_chain_depth(self) -> int: ...
-    @property
-    def eku(self) -> x509.ObjectIdentifier: ...
     def verify(
         self,
         leaf: x509.Certificate,

src/rust/cryptography-x509/src/oid.rs

@@ -148,17 +148,6 @@ pub const EKU_ANY_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 3
 pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier =
     asn1::oid!(1, 3, 6, 1, 4, 1, 11129, 2, 4, 4);
 
-pub const ALL_EKU_OIDS: [asn1::ObjectIdentifier; 8] = [
-    EKU_SERVER_AUTH_OID,
-    EKU_CLIENT_AUTH_OID,
-    EKU_CODE_SIGNING_OID,
-    EKU_EMAIL_PROTECTION_OID,
-    EKU_TIME_STAMPING_OID,
-    EKU_OCSP_SIGNING_OID,
-    EKU_ANY_KEY_USAGE_OID,
-    EKU_CERTIFICATE_TRANSPARENCY_OID,
-];
-
 pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13);
 pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12);
 

src/rust/src/x509/verify.rs

@@ -3,9 +3,7 @@
 // for complete details.
 
 use cryptography_x509::{
-    certificate::Certificate,
-    extensions::SubjectAlternativeName,
-    oid::{ALL_EKU_OIDS, SUBJECT_ALTERNATIVE_NAME_OID},
+    certificate::Certificate, extensions::SubjectAlternativeName, oid::SUBJECT_ALTERNATIVE_NAME_OID,
 };
 use cryptography_x509_verification::{
     ops::{CryptoOps, VerificationCertificate},
@@ -15,15 +13,12 @@ use cryptography_x509_verification::{
 };
 use pyo3::types::{PyAnyMethods, PyListMethods};
 
+use crate::backend::keys;
+use crate::error::{CryptographyError, CryptographyResult};
 use crate::types;
 use crate::x509::certificate::Certificate as PyCertificate;
 use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime};
 use crate::x509::sign;
-use crate::{
-    asn1::oid_to_py_oid,
-    error::{CryptographyError, CryptographyResult},
-};
-use crate::{asn1::py_oid_to_oid, backend::keys};
 
 use super::parse_general_names;
 
@@ -152,7 +147,6 @@ pub(crate) struct CustomPolicyBuilder {
     time: Option<asn1::DateTime>,
     store: Option<pyo3::Py<PyStore>>,
     max_chain_depth: Option<u8>,
-    eku: Option<asn1::ObjectIdentifier>,
     ca_ext_policy: Option<ExtensionPolicy<PyCryptoOps>>,
     ee_ext_policy: Option<ExtensionPolicy<PyCryptoOps>>,
 }
@@ -165,7 +159,6 @@ impl CustomPolicyBuilder {
             time: self.time.clone(),
             store: self.store.as_ref().map(|s| s.clone_ref(py)),
             max_chain_depth: self.max_chain_depth,
-            eku: self.eku.clone(),
             ca_ext_policy: self.ca_ext_policy.clone(),
             ee_ext_policy: self.ee_ext_policy.clone(),
         }
@@ -180,7 +173,6 @@ impl CustomPolicyBuilder {
             time: None,
             store: None,
             max_chain_depth: None,
-            eku: None,
             ca_ext_policy: None,
             ee_ext_policy: None,
         }
@@ -225,29 +217,6 @@ impl CustomPolicyBuilder {
         })
     }
 
-    fn eku(
-        &self,
-        py: pyo3::Python<'_>,
-        new_eku: pyo3::Bound<'_, pyo3::PyAny>,
-    ) -> CryptographyResult<CustomPolicyBuilder> {
-        policy_builder_set_once_check!(self, eku, "EKU");
-
-        let oid = py_oid_to_oid(new_eku)?;
-
-        if !ALL_EKU_OIDS.contains(&oid) {
-            return Err(CryptographyError::from(
-                pyo3::exceptions::PyValueError::new_err(
-                    "Unknown EKU OID. Only EKUs from x509.ExtendedKeyUsageOID are supported.",
-                ),
-            ));
-        }
-
-        Ok(CustomPolicyBuilder {
-            eku: Some(oid),
-            ..self.py_clone(py)
-        })
-    }
-
     fn build_client_verifier(&self, py: pyo3::Python<'_>) -> CryptographyResult<PyClientVerifier> {
         build_client_verifier_impl(py, &self.store, &self.time, |time| {
             // TODO: Replace with a custom policy once it's implemented in cryptography-x509-verification
@@ -399,12 +368,6 @@ impl PyClientVerifier {
         self.as_policy().max_chain_depth
     }
 
-    #[getter]
-    fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::Py<pyo3::PyAny>> {
-        let eku = &self.as_policy().extended_key_usage;
-        return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py));
-    }
-
     fn verify(
         &self,
         py: pyo3::Python<'_>,
@@ -506,12 +469,6 @@ impl PyServerVerifier {
         self.as_policy().max_chain_depth
     }
 
-    #[getter]
-    fn eku(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::Py<pyo3::PyAny>> {
-        let eku = &self.as_policy().extended_key_usage;
-        return Ok(oid_to_py_oid(py, eku)?.as_unbound().clone_ref(py));
-    }
-
     fn verify<'p>(
         &self,
         py: pyo3::Python<'p>,

tests/x509/verification/test_verification.py

@@ -12,10 +12,6 @@
 
 from cryptography import x509
 from cryptography.x509.general_name import DNSName, IPAddress
-from cryptography.x509.oid import (
-    AuthorityInformationAccessOID,
-    ExtendedKeyUsageOID,
-)
 from cryptography.x509.verification import (
     CustomPolicyBuilder,
     PolicyBuilder,
@@ -108,7 +104,6 @@ def test_builder_pattern(self, builder_type: Type[AnyPolicyBuilder]):
         assert verifier.validation_time == now
         assert verifier.store == store
         assert verifier.max_chain_depth == max_chain_depth
-        assert verifier.eku == ExtendedKeyUsageOID.SERVER_AUTH
 
     def test_build_server_verifier_missing_store(
         self, builder_type: Type[AnyPolicyBuilder]
@@ -119,22 +114,6 @@ def test_build_server_verifier_missing_store(
             builder_type().build_server_verifier(DNSName("cryptography.io"))
 
 
-class TestCustomPolicyBuilder:
-    def test_eku_already_set(self):
-        with pytest.raises(ValueError):
-            CustomPolicyBuilder().eku(ExtendedKeyUsageOID.IPSEC_IKE).eku(
-                ExtendedKeyUsageOID.IPSEC_IKE
-            )
-
-    def test_eku_bad_type(self):
-        with pytest.raises(TypeError):
-            CustomPolicyBuilder().eku("not an OID")  # type: ignore[arg-type]
-
-    def test_eku_non_eku_oid(self):
-        with pytest.raises(ValueError):
-            CustomPolicyBuilder().eku(AuthorityInformationAccessOID.OCSP)
-
-
 class TestStore:
     def test_store_rejects_empty_list(self):
         with pytest.raises(ValueError):
@@ -180,7 +159,6 @@ def test_verify(self, builder_type: Type[AnyPolicyBuilder]):
         assert verifier.validation_time == validation_time.replace(tzinfo=None)
         assert verifier.max_chain_depth == 16
         assert verifier.store is store
-        assert verifier.eku == ExtendedKeyUsageOID.CLIENT_AUTH
 
         verified_client = verifier.verify(leaf, [])
         assert verified_client.chain == [leaf]