When attempting to port some code from PyOpenSSL X509 store verification to using the ClientVerifier (see #10393), I ran across an issue with using code signing certificates and getting a "required EKU not found" exception. This appears to be a duplicate of #11352 but I have a self-contained reproducer.
Running the reproducer raises the following exception:
```
> python x509_err.py
eku err reproducer
<Certificate(subject=<Name(CN=My cool CA)>, ...)>
<Certificate(subject=<Name(CN=secondary CA)>, ...)>
<Certificate(subject=<Name(CN=code signer)>, ...)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.3, name=codeSigning)>])>)>
Verifying certificate signature.
RUH ROH: validation failed: required EKU not found (encountered processing <Certificate(subject=<Name(CN=code signer)>, ...)>)
Traceback (most recent call last):
  File "/home/user/project/x509_err.py", line 150, in <module>
    main()
  File "/home/user/project/x509_err.py", line 144, in main
    client = verifyCodeSign(codecert, cacerts=[rootcert, immcert])
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/project/x509_err.py", line 131, in verifyCodeSign
    raise e
  File "/home/user/project/x509_err.py", line 128, in verifyCodeSign
    verifiedclient = verifier.verify(leaf=cert, intermediates=[])
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography.hazmat.bindings._rust.x509.VerificationError: validation failed: required EKU not found (encountered processing <Certificate(subject=<Name(CN=code signer)>, ...)>)
```
Here is the reproducer:
Python and Cryptography packages for reference: