Handle the case of missing EKU in _is_preissuer

RFC 6962 stipulate that the TBSCertificate can be either signed by: - A special purpose CA Precertificate Signing Certificate with an EKU - The final CA Certificate with no mandatory EKU In _is_preissuer was failing on the later if no EKU was present Resolves: sigstore#658 Signed-off-by: Cyril Cordoui <ccordoui@redhat.com>
ccordoui · Jun 7, 2023 · aacc4d3 · aacc4d3
1 parent 554483d
commit aacc4d3
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/sigstore/_internal/sct.py b/sigstore/_internal/sct.py
@@ -24,7 +24,7 @@
 
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec, rsa
-from cryptography.x509 import Certificate, ExtendedKeyUsage
+from cryptography.x509 import Certificate, ExtendedKeyUsage, ExtensionNotFound
 from cryptography.x509.certificate_transparency import (
     LogEntryType,
     SignedCertificateTimestamp,
@@ -127,7 +127,11 @@ def _pack_digitally_signed(
 
 
 def _is_preissuer(issuer: Certificate) -> bool:
-    ext_key_usage = issuer.extensions.get_extension_for_class(ExtendedKeyUsage)
+    try:
+        ext_key_usage = issuer.extensions.get_extension_for_class(ExtendedKeyUsage)
+    # If we do not have any EKU, we certainly do not have CT Ext
+    except ExtensionNotFound:
+        return False
 
     return ExtendedKeyUsageOID.CERTIFICATE_TRANSPARENCY in ext_key_usage.value