Resolve coverage issues.

src/rust/cryptography-x509-verification/src/policy/extension.rs

@@ -14,7 +14,6 @@ use cryptography_x509::{
 
 use crate::{ops::CryptoOps, policy::Policy, ValidationError};
 
-#[derive(Clone)]
 pub struct ExtensionPolicy<B: CryptoOps> {
     pub(crate) authority_information_access: ExtensionValidator<B>,
     pub(crate) authority_key_identifier: ExtensionValidator<B>,
@@ -124,7 +123,6 @@ impl<B: CryptoOps> ExtensionPolicy<B> {
 }
 
 /// Represents different criticality states for an extension.
-#[derive(Clone)]
 pub(crate) enum Criticality {
     /// The extension MUST be marked as critical.
     Critical,
@@ -153,7 +151,6 @@ type MaybeExtensionValidatorCallback<B> =
     fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), ValidationError>;
 
 /// Represents different validation states for an extension.
-#[derive(Clone)]
 pub(crate) enum ExtensionValidator<B: CryptoOps> {
     /// The extension MUST NOT be present.
     NotPresent,

src/rust/cryptography-x509-verification/src/policy/mod.rs

@@ -25,12 +25,10 @@ use cryptography_x509::oid::{
 use once_cell::sync::Lazy;
 
 use crate::ops::CryptoOps;
-use crate::policy::extension::{ca, common, ee, Criticality, ExtensionValidator};
+use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, ExtensionValidator};
 use crate::types::{DNSName, DNSPattern, IPAddress};
 use crate::{ValidationError, VerificationCertificate};
 
-pub use crate::policy::extension::ExtensionPolicy;
-
 // RSA key constraints, as defined in CA/B 6.1.5.
 static WEBPKI_MINIMUM_RSA_MODULUS: usize = 2048;
 

src/rust/src/x509/verify.rs

@@ -7,7 +7,7 @@ use cryptography_x509::{
 };
 use cryptography_x509_verification::{
     ops::{CryptoOps, VerificationCertificate},
-    policy::{ExtensionPolicy, Policy, Subject},
+    policy::{Policy, Subject},
     trust_store::Store,
     types::{DNSName, IPAddress},
 };
@@ -74,8 +74,6 @@ pub(crate) struct PolicyBuilder {
     time: Option<asn1::DateTime>,
     store: Option<pyo3::Py<PyStore>>,
     max_chain_depth: Option<u8>,
-    ca_ext_policy: Option<ExtensionPolicy<PyCryptoOps>>,
-    ee_ext_policy: Option<ExtensionPolicy<PyCryptoOps>>,
 }
 
 impl PolicyBuilder {
@@ -84,8 +82,6 @@ impl PolicyBuilder {
             time: self.time.clone(),
             store: self.store.as_ref().map(|s| s.clone_ref(py)),
             max_chain_depth: self.max_chain_depth,
-            ca_ext_policy: self.ca_ext_policy.clone(),
-            ee_ext_policy: self.ee_ext_policy.clone(),
         }
     }
 }
@@ -98,8 +94,6 @@ impl PolicyBuilder {
             time: None,
             store: None,
             max_chain_depth: None,
-            ca_ext_policy: None,
-            ee_ext_policy: None,
         }
     }
 
@@ -311,24 +305,22 @@ impl PyClientVerifier {
             py_chain.append(c.extra())?;
         }
 
-        // NOTE: The `unwrap()` cannot fail, since the underlying policy
-        // enforces the well-formedness of the extension set.
-        let subjects = match &chain[0]
+        // NOTE: These `unwrap()`s cannot fail, since the underlying policy
+        // enforces the presence of a SAN and the well-formedness of the
+        // extension set.
+        let leaf_san = &chain[0]
             .certificate()
             .extensions()
             .ok()
             .unwrap()
             .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID)
-        {
-            Some(leaf_san) => {
-                let leaf_gns = leaf_san.value::<SubjectAlternativeName<'_>>()?;
-                Some(parse_general_names(py, &leaf_gns)?)
-            }
-            None => None,
-        };
+            .unwrap();
+
+        let leaf_gns = leaf_san.value::<SubjectAlternativeName<'_>>()?;
+        let py_gns = parse_general_names(py, &leaf_gns)?;
 
         Ok(PyVerifiedClient {
-            subjects,
+            subjects: Some(py_gns),
             chain: py_chain.unbind(),
         })
     }