- class pyhanko.sign.validation.settings.KeyUsageConstraints(key_usage: Optional[Set[str]] = None, key_usage_forbidden: Optional[Set[str]] = None, extd_key_usage: Optional[Set[str]] = None, explicit_extd_key_usage_required: bool = True, match_all_key_usages: bool = False)
Convenience class to pass around key usage requirements and validate them. Intended to be flexible enough to handle both PKIX and ISO 32000 certificate seed value constraint semantics.
Changed in version 0.6.0: Bring extended key usage semantics in line with RFC 5280 (PKIX).
- key_usage: Set[str] = None
All or some (depending on
match_all_key_usage) of these key usage extensions must be present in the signer’s certificate. If not set or empty, all key usages are considered acceptable.
- key_usage_forbidden: Set[str] = None
These key usages must not be present in the signer’s certificate.
This behaviour is undefined in RFC 5280 (PKIX), but included for compatibility with certificate seed value settings in ISO 32000.
- extd_key_usage: Set[str] = None
List of acceptable key purposes that can appear in an extended key usage extension in the signer’s certificate, if such an extension is at all present. If not set, all extended key usages are considered acceptable.
If no extended key usage extension is present, or if the
anyExtendedKeyUsagekey purpose ID is present, the resulting behaviour depends on
Setting this option to the empty set (as opposed to
None) effectively bans all (presumably unrecognised) extended key usages.
Note the difference in behaviour with
key_usagefor empty sets of valid usages.
Contrary to what some CAs seem to believe, the criticality of the extended key usage extension is irrelevant here. Even a non-critical EKU extension must be enforced according to RFC 5280 § 18.104.22.168.
In practice, many certificate authorities issue non-repudiation certs that can also be used for TLS authentication by only including the TLS client authentication key purpose ID in the EKU extension. Interpreted strictly, RFC 5280 bans such certificates from being used to sign documents, and pyHanko will enforce these semantics if
- explicit_extd_key_usage_required: bool = True
New in version 0.6.0.
Require an extended key usage extension with the right key usages to be present if
If this flag is
True, at least one key purpose in
extd_key_usagemust appear in the certificate’s extended key usage, and
anyExtendedKeyUsagewill be ignored.
- match_all_key_usages: bool = False
New in version 0.6.0.
True, all key usages indicated in
key_usagemust be present in the certificate. If
False, one match suffices.
key_usageis empty or
None, this option has no effect.
- validate(cert: asn1crypto.x509.Certificate)
- classmethod process_entries(config_dict)
Hook method that can modify the configuration dictionary to overwrite or tweak some of their values (e.g. to convert string parameters into more complex Python objects)
Subclasses that override this method should call
super().process_entries(), and leave keys that they do not recognise untouched.
config_dict – A dictionary containing configuration values.
ConfigurationError – when there is a problem processing a relevant entry.