first draft of smime extension policy

nitneuqr · nitneuqr · commit aa7b39faf1f2 · 2025-02-15T13:18:01.000+01:00
diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py
@@ -21,7 +21,14 @@
     algorithms,
 )
 from cryptography.utils import _check_byteslike
-from cryptography.x509.verification import PolicyBuilder, Store
+from cryptography.x509 import Certificate
+from cryptography.x509.verification import (
+    Criticality,
+    ExtensionPolicy,
+    Policy,
+    PolicyBuilder,
+    Store,
+)
 
 load_pem_pkcs7_certificates = rust_pkcs7.load_pem_pkcs7_certificates
 
@@ -391,8 +398,54 @@ def _smime_signed_decode(data: bytes) -> tuple[bytes | None, bytes]:
         raise ValueError("Not an S/MIME signed message")
 
 
+def get_smime_x509_extension_policies() -> tuple[
+    ExtensionPolicy, ExtensionPolicy
+]:
+    """
+    Gets the default X.509 extension policy for S/MIME. Some specifications
+    that differ from the standard ones:
+    - Certificates used as end entities (i.e., the cert used to sign
+      a PKCS#7/SMIME message) should not have ca=true in their basic
+      constraints extension.
+    - EKU_CLIENT_AUTH_OID is not required
+    - EKU_EMAIL_PROTECTION_OID is required
+    """
+
+    # CA policy
+    def _validate_ca(
+        policy: Policy, cert: Certificate, bc: x509.BasicConstraints
+    ):
+        assert not bc.ca
+
+    ca_policy = ExtensionPolicy.permit_all().require_present(
+        x509.BasicConstraints,
+        Criticality.AGNOSTIC,
+        _validate_ca,
+    )
+
+    # EE policy
+    def _validate_eku(
+        policy: Policy, cert: Certificate, eku: x509.ExtendedKeyUsage
+    ):
+        # Checking for EKU_EMAIL_PROTECTION_OID
+        assert x509.ExtendedKeyUsageOID.EMAIL_PROTECTION in eku  # type: ignore[attr-defined]
+
+    ee_policy = ExtensionPolicy.permit_all().require_present(
+        x509.ExtendedKeyUsage,
+        Criticality.AGNOSTIC,
+        _validate_eku,
+    )
+
+    return ca_policy, ee_policy
+
+
 def _verify_pkcs7_certificates(certificates: list[x509.Certificate]) -> None:
-    builder = PolicyBuilder().store(Store(certificates))
+    builder = (
+        PolicyBuilder()
+        .store(Store(certificates))
+        .extension_policies(*get_smime_x509_extension_policies())
+    )
+
     verifier = builder.build_client_verifier()
     verifier.verify(certificates[0], certificates[1:])
 
