Add Support for X509 extension - PrivateKeyUsagePeriod (pyca#12738)

* feat: add private key usage period extension

* fix: resolve linter issues

* test: increase coverage

* test: increase coverage

* test: increase coverage

* test: add more vectors

* feat: add implicit tagging

* fix: replaced GeneralizedTime with X509GeneralizedTime

* chore: remove test vectors

* chore: update vector path

* test: remove test for der file

* Update tests/x509/test_x509_ext.py

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* Update src/rust/src/x509/extensions.rs

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* Update src/rust/src/x509/extensions.rs

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* fix: assert on exact values

* refactor: switch to ec key for better performance

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

Author: HamdaanAliQuatil

src/cryptography/hazmat/_oid.py

@@ -14,6 +14,7 @@ class ExtensionOID:
     SUBJECT_DIRECTORY_ATTRIBUTES = ObjectIdentifier("2.5.29.9")
     SUBJECT_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.14")
     KEY_USAGE = ObjectIdentifier("2.5.29.15")
+    PRIVATE_KEY_USAGE_PERIOD = ObjectIdentifier("2.5.29.16")
     SUBJECT_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.17")
     ISSUER_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.18")
     BASIC_CONSTRAINTS = ObjectIdentifier("2.5.29.19")
@@ -305,6 +306,7 @@ class AttributeOID:
     ExtensionOID.SUBJECT_DIRECTORY_ATTRIBUTES: "subjectDirectoryAttributes",
     ExtensionOID.SUBJECT_KEY_IDENTIFIER: "subjectKeyIdentifier",
     ExtensionOID.KEY_USAGE: "keyUsage",
+    ExtensionOID.PRIVATE_KEY_USAGE_PERIOD: "privateKeyUsagePeriod",
     ExtensionOID.SUBJECT_ALTERNATIVE_NAME: "subjectAltName",
     ExtensionOID.ISSUER_ALTERNATIVE_NAME: "issuerAltName",
     ExtensionOID.BASIC_CONSTRAINTS: "basicConstraints",

src/cryptography/x509/__init__.py

@@ -66,6 +66,7 @@
     PolicyInformation,
     PrecertificateSignedCertificateTimestamps,
     PrecertPoison,
+    PrivateKeyUsagePeriod,
     ProfessionInfo,
     ReasonFlags,
     SignedCertificateTimestamps,
@@ -115,6 +116,7 @@
 OID_INHIBIT_ANY_POLICY = ExtensionOID.INHIBIT_ANY_POLICY
 OID_ISSUER_ALTERNATIVE_NAME = ExtensionOID.ISSUER_ALTERNATIVE_NAME
 OID_KEY_USAGE = ExtensionOID.KEY_USAGE
+OID_PRIVATE_KEY_USAGE_PERIOD = ExtensionOID.PRIVATE_KEY_USAGE_PERIOD
 OID_NAME_CONSTRAINTS = ExtensionOID.NAME_CONSTRAINTS
 OID_OCSP_NO_CHECK = ExtensionOID.OCSP_NO_CHECK
 OID_POLICY_CONSTRAINTS = ExtensionOID.POLICY_CONSTRAINTS
@@ -233,6 +235,7 @@
     "PolicyInformation",
     "PrecertPoison",
     "PrecertificateSignedCertificateTimestamps",
+    "PrivateKeyUsagePeriod",
     "ProfessionInfo",
     "PublicKeyAlgorithmOID",
     "RFC822Name",

src/cryptography/x509/extensions.py

@@ -1266,6 +1266,71 @@ def public_bytes(self) -> bytes:
         return rust_x509.encode_extension_value(self)
 
 
+class PrivateKeyUsagePeriod(ExtensionType):
+    oid = ExtensionOID.PRIVATE_KEY_USAGE_PERIOD
+
+    def __init__(
+        self,
+        not_before: datetime.datetime | None,
+        not_after: datetime.datetime | None,
+    ) -> None:
+        if (
+            not isinstance(not_before, datetime.datetime)
+            and not_before is not None
+        ):
+            raise TypeError("not_before must be a datetime.datetime or None")
+
+        if (
+            not isinstance(not_after, datetime.datetime)
+            and not_after is not None
+        ):
+            raise TypeError("not_after must be a datetime.datetime or None")
+
+        if not_before is None and not_after is None:
+            raise ValueError(
+                "At least one of not_before and not_after must not be None"
+            )
+
+        if (
+            not_before is not None
+            and not_after is not None
+            and not_before > not_after
+        ):
+            raise ValueError("not_before must be before not_after")
+
+        self._not_before = not_before
+        self._not_after = not_after
+
+    @property
+    def not_before(self) -> datetime.datetime | None:
+        return self._not_before
+
+    @property
+    def not_after(self) -> datetime.datetime | None:
+        return self._not_after
+
+    def __repr__(self) -> str:
+        return (
+            f"<PrivateKeyUsagePeriod(not_before={self.not_before}, "
+            f"not_after={self.not_after})>"
+        )
+
+    def __eq__(self, other: object) -> bool:
+        if not isinstance(other, PrivateKeyUsagePeriod):
+            return NotImplemented
+
+        return (
+            self.not_before == other.not_before
+            and self.not_after == other.not_after
+        )
+
+    def __hash__(self) -> int:
+        return hash((self.not_before, self.not_after))
+
+    def public_bytes(self) -> bytes:
+        return rust_x509.encode_extension_value(self)
+
+
 class NameConstraints(ExtensionType):
     oid = ExtensionOID.NAME_CONSTRAINTS
 

src/rust/cryptography-x509/src/extensions.rs

@@ -301,6 +301,14 @@ pub struct Admissions<'a, Op: Asn1Operation> {
     pub contents_of_admissions: Op::SequenceOfVec<'a, Admission<'a, Op>>,
 }
 
+#[derive(asn1::Asn1Read, asn1::Asn1Write)]
+pub struct PrivateKeyUsagePeriod {
+    #[implicit(0)]
+    pub not_before: Option<asn1::X509GeneralizedTime>,
+    #[implicit(1)]
+    pub not_after: Option<asn1::X509GeneralizedTime>,
+}
+
 #[cfg(test)]
 mod tests {
     use super::{BasicConstraints, Extension, Extensions, KeyUsage};

src/rust/cryptography-x509/src/oid.rs

@@ -45,6 +45,7 @@ pub const INHIBIT_ANY_POLICY_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29,
 pub const ACCEPTABLE_RESPONSES_OID: asn1::ObjectIdentifier =
     asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 4);
 pub const ADMISSIONS_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 8, 3, 3);
+pub const PRIVATE_KEY_USAGE_PERIOD_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 16);
 
 // Public key identifiers
 pub const EC_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 2, 1);

src/rust/src/types.rs

@@ -250,6 +250,8 @@ pub static SUBJECT_KEY_IDENTIFIER: LazyPyImport =
 pub static TLS_FEATURE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["TLSFeature"]);
 pub static SUBJECT_ALTERNATIVE_NAME: LazyPyImport =
     LazyPyImport::new("cryptography.x509", &["SubjectAlternativeName"]);
+pub static PRIVATE_KEY_USAGE_PERIOD: LazyPyImport =
+    LazyPyImport::new("cryptography.x509", &["PrivateKeyUsagePeriod"]);
 pub static POLICY_INFORMATION: LazyPyImport =
     LazyPyImport::new("cryptography.x509", &["PolicyInformation"]);
 pub static USER_NOTICE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["UserNotice"]);

src/rust/src/x509/certificate.rs

@@ -11,9 +11,9 @@ use cryptography_x509::extensions::{
     Admission, Admissions, AuthorityKeyIdentifier, BasicConstraints, DisplayText,
     DistributionPoint, DistributionPointName, DuplicateExtensionsError, ExtendedKeyUsage,
     Extension, IssuerAlternativeName, KeyUsage, MSCertificateTemplate, NameConstraints,
-    NamingAuthority, PolicyConstraints, PolicyInformation, PolicyQualifierInfo, ProfessionInfo,
-    Qualifier, RawExtensions, SequenceOfAccessDescriptions, SequenceOfSubtrees,
-    SubjectAlternativeName, UserNotice,
+    NamingAuthority, PolicyConstraints, PolicyInformation, PolicyQualifierInfo,
+    PrivateKeyUsagePeriod, ProfessionInfo, Qualifier, RawExtensions, SequenceOfAccessDescriptions,
+    SequenceOfSubtrees, SubjectAlternativeName, UserNotice,
 };
 use cryptography_x509::{common, oid};
 use cryptography_x509_verification::ops::CryptoOps;
@@ -946,6 +946,31 @@ pub fn parse_cert_ext<'p>(
                     .call1((admission_authority, py_admissions))?,
             ))
         }
+        oid::PRIVATE_KEY_USAGE_PERIOD_OID => {
+            let pkup = ext.value::<PrivateKeyUsagePeriod>()?;
+
+            let not_before = match &pkup.not_before {
+                Some(t) => {
+                    let dt = t.as_datetime();
+                    Some(x509::datetime_to_py(py, dt)?)
+                }
+                None => None,
+            };
+
+            let not_after = match &pkup.not_after {
+                Some(t) => {
+                    let dt = t.as_datetime();
+                    Some(x509::datetime_to_py(py, dt)?)
+                }
+                None => None,
+            };
+
+            Ok(Some(
+                types::PRIVATE_KEY_USAGE_PERIOD
+                    .get(py)?
+                    .call1((not_before, not_after))?,
+            ))
+        }
         _ => Ok(None),
     }
 }

src/rust/src/x509/extensions.rs

@@ -728,6 +728,39 @@ pub(crate) fn encode_extension(
             };
             Ok(Some(asn1::write_single(&admission)?))
         }
+        &oid::PRIVATE_KEY_USAGE_PERIOD_OID => {
+            let der = encode_private_key_usage_period(py, ext)?;
+            Ok(Some(der))
+        }
         _ => Ok(None),
     }
 }
+
+pub(crate) fn encode_private_key_usage_period(
+    py: pyo3::Python<'_>,
+    ext: &pyo3::Bound<'_, pyo3::PyAny>,
+) -> CryptographyResult<Vec<u8>> {
+    let not_before = ext.getattr(pyo3::intern!(py, "not_before"))?;
+    let not_after = ext.getattr(pyo3::intern!(py, "not_after"))?;
+
+    let not_before_value = if !not_before.is_none() {
+        let dt = x509::py_to_datetime(py, not_before)?;
+        Some(asn1::X509GeneralizedTime::new(dt)?)
+    } else {
+        None
+    };
+
+    let not_after_value = if !not_after.is_none() {
+        let dt = x509::py_to_datetime(py, not_after)?;
+        Some(asn1::X509GeneralizedTime::new(dt)?)
+    } else {
+        None
+    };
+
+    let pkup = extensions::PrivateKeyUsagePeriod {
+        not_before: not_before_value,
+        not_after: not_after_value,
+    };
+
+    Ok(asn1::write_single(&pkup)?)
+}

tests/x509/test_x509.py

@@ -4383,6 +4383,10 @@ def test_build_cert_with_rsa_key_too_small(
                 encipher_only=False,
                 decipher_only=False,
             ),
+            x509.PrivateKeyUsagePeriod(
+                not_before=datetime.datetime(2002, 1, 1, 12, 1),
+                not_after=datetime.datetime(2030, 12, 31, 8, 30),
+            ),
             x509.OCSPNoCheck(),
             x509.SubjectKeyIdentifier,
         ],