authorAlex Gaynor <alex.gaynor@gmail.com>2015-05-02 22:52:57 -0400
committerAlex Gaynor <alex.gaynor@gmail.com>2015-05-02 22:52:57 -0400
commit04ee495f2b8c9d0d4f9d0a5462901feeeb7eba0c (patch)
treea7704c790cef3d0f0346b198e4cf50ad06782fc5
parentfdec095ab21e523e8de7d46d07c55c94a11960e7 (diff)
parente94f0fdf6ec8f9860d2e8d04aa31a4e0d879d2cc (diff)
Merge pull request #1891 from reaperhulk/x509-ossl-eku
Extended key usage support for the openssl backend
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py20
-rw-r--r--src/cryptography/hazmat/bindings/openssl/x509.py5
-rw-r--r--tests/test_x509_ext.py29
3 files changed, 54 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4ba66bb7..dd2aba65 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -267,6 +267,8 @@ class _Certificate(object):
value = self._build_key_usage(ext)
elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME:
value = self._build_subject_alt_name(ext)
+ elif oid == x509.OID_EXTENDED_KEY_USAGE:
+ value = self._build_extended_key_usage(ext)
elif critical:
raise x509.UnsupportedExtension(
"{0} is not currently supported".format(oid), oid
@@ -366,6 +368,24 @@ class _Certificate(object):
return x509.SubjectAlternativeName(general_names)
+ def _build_extended_key_usage(self, ext):
+ sk = self._backend._ffi.cast(
+ "Cryptography_STACK_OF_ASN1_OBJECT *",
+ self._backend._lib.X509V3_EXT_d2i(ext)
+ )
+ assert sk != self._backend._ffi.NULL
+ sk = self._backend._ffi.gc(sk, self._backend._lib.sk_ASN1_OBJECT_free)
+ num = self._backend._lib.sk_ASN1_OBJECT_num(sk)
+ ekus = []
+
+ for i in range(num):
+ obj = self._backend._lib.sk_ASN1_OBJECT_value(sk, i)
+ assert obj != self._backend._ffi.NULL
+ oid = x509.ObjectIdentifier(_obj2txt(self._backend, obj))
+ ekus.append(oid)
+
+ return x509.ExtendedKeyUsage(ekus)
+
@utils.register_interface(x509.CertificateSigningRequest)
class _CertificateSigningRequest(object):
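Review bot: The two `assert ... != self._backend._ffi.NULL` checks in `_build_extended_key_usage` are the only validation of what `X509V3_EXT_d2i` and `sk_ASN1_OBJECT_value` return, and assertions are stripped when Python runs with `-O`. The extension bytes come from the certificate being parsed, so a failed decode is an input error rather than an internal invariant. With assertions disabled, a NULL stack would be registered with `ffi.gc` and passed on to `sk_ASN1_OBJECT_num`. I would check explicitly before the `ffi.gc` call, e.g. `if sk == self._backend._ffi.NULL: raise ValueError("Unable to parse extended key usage extension")`, and treat `obj` the same way inside the loop. The OpenSSL error queue probably needs clearing on that path as well; confirm how `_build_key_usage` and `_build_subject_alt_name` handle it, since their bodies are outside this hunk.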
diff --git a/src/cryptography/hazmat/bindings/openssl/x509.py b/src/cryptography/hazmat/bindings/openssl/x509.py
index a1fb7ffb..fa6a16b3 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509.py
@@ -303,6 +303,11 @@ EC_KEY *d2i_EC_PUBKEY_bio(BIO *, EC_KEY **);
int i2d_EC_PUBKEY_bio(BIO *, EC_KEY *);
EC_KEY *d2i_ECPrivateKey_bio(BIO *, EC_KEY **);
int i2d_ECPrivateKey_bio(BIO *, EC_KEY *);
+
+// declared in safestack
+int sk_ASN1_OBJECT_num(Cryptography_STACK_OF_ASN1_OBJECT *);
+ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int);
+void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *);
"""
CUSTOMIZATIONS = """
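Review bot: `sk_ASN1_OBJECT_free` is the only destructor declared in this hunk, and in OpenSSL that call releases the stack container without freeing the `ASN1_OBJECT` elements it holds. The backend change in this commit registers it as the `ffi.gc` finalizer for the stack returned by `X509V3_EXT_d2i`. If those elements are owned by the stack, which is the usual contract for a decoded extension, dynamically allocated OIDs would leak on every parse, and that adds up in a long-running process handling untrusted certificates. Consider also binding `sk_ASN1_OBJECT_pop_free` together with `ASN1_OBJECT_free` (if they are not already declared elsewhere in the bindings) and using the deep free as the finalizer. At minimum the `// declared in safestack` comment could say that `sk_ASN1_OBJECT_free` is a shallow free.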
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 05734b42..92e616e1 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -959,3 +959,32 @@ class TestRSASubjectAlternativeNameExtension(object):
cert.extensions
assert 'Invalid rfc822name value' in str(exc.value)
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestExtendedKeyUsageExtension(object):
+ def test_eku(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "extended_key_usage.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_EXTENDED_KEY_USAGE
+ )
+ assert ext is not None
+ assert ext.critical is False
+
+ assert [
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
+ x509.ObjectIdentifier("2.5.29.37.0"),
+ x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
+ ] == list(ext.value)
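Review bot: `test_eku` only covers a well-formed, non-critical extension, so nothing here exercises the failure path of the new parser in the backend. Since the decoder runs on attacker-suppliable certificate bytes, a second test that loads a certificate with a malformed or truncated extended key usage value and asserts a defined exception would pin that behaviour down. A case with `critical` set to true would also confirm that the new `elif` branch is taken ahead of the `UnsupportedExtension` fallback.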