x509 Verification: Python support for custom ext. policies.

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -201,6 +201,9 @@ class PolicyBuilder:
     def time(self, new_time: datetime.datetime) -> PolicyBuilder: ...
     def store(self, new_store: Store) -> PolicyBuilder: ...
     def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: ...
+    def extension_policies(
+        self, new_ca_policy: ExtensionPolicy, new_ee_policy: ExtensionPolicy
+    ) -> PolicyBuilder: ...
     def build_client_verifier(self) -> ClientVerifier: ...
     def build_server_verifier(
         self, subject: x509.verification.Subject
@@ -218,6 +221,50 @@ class Policy:
     @property
     def minimum_rsa_modulus(self) -> int: ...
 
+class Criticality:
+    CRITICAL: Criticality
+    AGNOSTIC: Criticality
+    NON_CRITICAL: Criticality
+
+type MaybeExtensionValidatorCallback[T: x509.ExtensionType] = typing.Callable[
+    [
+        Policy,
+        x509.Certificate,
+        T | None,
+    ],
+    None,
+]
+
+type PresentExtensionValidatorCallback[T: x509.ExtensionType] = (
+    typing.Callable[
+        [Policy, x509.Certificate, T],
+        None,
+    ]
+)
+
+class ExtensionPolicy:
+    @staticmethod
+    def permit_all() -> ExtensionPolicy: ...
+    @staticmethod
+    def webpki_defaults_ca() -> ExtensionPolicy: ...
+    @staticmethod
+    def webpki_defaults_ee() -> ExtensionPolicy: ...
+    def require_not_present(
+        self, extension_type: type[x509.ExtensionType]
+    ) -> ExtensionPolicy: ...
+    def may_be_present[T: x509.ExtensionType](
+        self,
+        extension_type: type[T],
+        criticality: Criticality,
+        validator: MaybeExtensionValidatorCallback[T] | None,
+    ) -> ExtensionPolicy: ...
+    def require_present[T: x509.ExtensionType](
+        self,
+        extension_type: type[T],
+        criticality: Criticality,
+        validator: PresentExtensionValidatorCallback[T] | None,
+    ) -> ExtensionPolicy: ...
+
 class VerifiedClient:
     @property
     def subjects(self) -> list[x509.GeneralName] | None: ...

src/cryptography/x509/verification.py

@@ -11,6 +11,9 @@
 
 __all__ = [
     "ClientVerifier",
+    "Criticality",
+    "ExtensionPolicy",
+    "Policy",
     "PolicyBuilder",
     "ServerVerifier",
     "Store",
@@ -26,4 +29,6 @@
 ServerVerifier = rust_x509.ServerVerifier
 PolicyBuilder = rust_x509.PolicyBuilder
 Policy = rust_x509.Policy
+ExtensionPolicy = rust_x509.ExtensionPolicy
+Criticality = rust_x509.Criticality
 VerificationError = rust_x509.VerificationError

src/rust/cryptography-x509-verification/src/lib.rs

@@ -49,7 +49,7 @@ pub struct ValidationError<'chain, B: CryptoOps> {
 }
 
 impl<'chain, B: CryptoOps> ValidationError<'chain, B> {
-    pub(crate) fn new(kind: ValidationErrorKind<'chain, B>) -> Self {
+    pub fn new(kind: ValidationErrorKind<'chain, B>) -> Self {
         ValidationError { kind, cert: None }
     }
 

src/rust/cryptography-x509-verification/src/policy/extension.rs

@@ -16,6 +16,7 @@ use crate::{
     ops::CryptoOps, policy::Policy, ValidationError, ValidationErrorKind, ValidationResult,
 };
 
+#[derive(Clone)]
 pub struct ExtensionPolicy<'cb, B: CryptoOps> {
     pub authority_information_access: ExtensionValidator<'cb, B>,
     pub authority_key_identifier: ExtensionValidator<'cb, B>,
@@ -28,6 +29,27 @@ pub struct ExtensionPolicy<'cb, B: CryptoOps> {
 }
 
 impl<'cb, B: CryptoOps + 'cb> ExtensionPolicy<'cb, B> {
+    pub fn new_permit_all() -> Self {
+        const fn make_permissive_validator<'cb, B: CryptoOps + 'cb>() -> ExtensionValidator<'cb, B>
+        {
+            ExtensionValidator::MaybePresent {
+                criticality: Criticality::Agnostic,
+                validator: None,
+            }
+        }
+
+        ExtensionPolicy {
+            authority_information_access: make_permissive_validator(),
+            authority_key_identifier: make_permissive_validator(),
+            subject_key_identifier: make_permissive_validator(),
+            key_usage: make_permissive_validator(),
+            subject_alternative_name: make_permissive_validator(),
+            basic_constraints: make_permissive_validator(),
+            name_constraints: make_permissive_validator(),
+            extended_key_usage: make_permissive_validator(),
+        }
+    }
+
     pub fn new_default_webpki_ca() -> Self {
         ExtensionPolicy {
             // 5280 4.2.2.1: Authority Information Access
@@ -214,6 +236,7 @@ impl<'cb, B: CryptoOps + 'cb> ExtensionPolicy<'cb, B> {
 }
 
 /// Represents different criticality states for an extension.
+#[derive(Clone)]
 pub enum Criticality {
     /// The extension MUST be marked as critical.
     Critical,
@@ -258,6 +281,7 @@ pub type MaybeExtensionValidatorCallback<'cb, B> = Arc<
 >;
 
 /// Represents different validation states for an extension.
+#[derive(Clone)]
 pub enum ExtensionValidator<'cb, B: CryptoOps> {
     /// The extension MUST NOT be present.
     NotPresent,

src/rust/src/lib.rs

@@ -135,8 +135,8 @@ mod _rust {
         use crate::x509::sct::Sct;
         #[pymodule_export]
         use crate::x509::verify::{
-            PolicyBuilder, PyClientVerifier, PyPolicy, PyServerVerifier, PyStore, PyVerifiedClient,
-            VerificationError,
+            PolicyBuilder, PyClientVerifier, PyCriticality, PyExtensionPolicy, PyPolicy,
+            PyServerVerifier, PyStore, PyVerifiedClient, VerificationError,
         };
     }
 

src/rust/src/types.rs

@@ -181,6 +181,9 @@ pub static REASON_FLAGS: LazyPyImport = LazyPyImport::new("cryptography.x509", &
 pub static ATTRIBUTE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Attribute"]);
 pub static ATTRIBUTES: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Attributes"]);
 
+pub static EXTENSION_TYPE: LazyPyImport =
+    LazyPyImport::new("cryptography.x509", &["ExtensionType"]);
+
 pub static CRL_NUMBER: LazyPyImport = LazyPyImport::new("cryptography.x509", &["CRLNumber"]);
 pub static DELTA_CRL_INDICATOR: LazyPyImport =
     LazyPyImport::new("cryptography.x509", &["DeltaCRLIndicator"]);