signing: Fix handling of certificate that has no KeyUsage (#457)

If a certificate without KeyUsage is encountered then the following error
is displayed:

Verification failed with error: \
   No <class 'cryptography.x509.extensions.KeyUsage'> extension was found

The error may be mistaken for a broken python cryptography library even
though it is related to the certificate missing 'KeyUsage'. Fix this error
by intercepting the x509.ExtensionNotFound exception and trying with the
ExtendedKeyUsage next.

Signed-off-by: Stefan Berger <[email protected]>

Author: stefanberger

src/model_signing/_signing/sign_certificate.py

@@ -222,18 +222,22 @@ def _to_openssl_certificate(certificate_bytes, log_fingerprints):
 
         extensions = signing_certificate.extensions
         can_use_for_signing = False
-        usage = extensions.get_extension_for_class(x509.KeyUsage)
-        if usage.value.digital_signature:
-            can_use_for_signing = True
-        else:
+        try:
+            usage = extensions.get_extension_for_class(x509.KeyUsage)
+            if usage.value.digital_signature:
+                can_use_for_signing = True
+        except x509.ExtensionNotFound:
+            logger.warn("Certificate does not specify 'KeyUsage'.")
+
+        if not can_use_for_signing:
             try:
                 usage = extensions.get_extension_for_class(
                     x509.ExtendedKeyUsage
                 )
                 if oid.ExtendedKeyUsageOID.CODE_SIGNING in usage.value:
                     can_use_for_signing = True
             except x509.ExtensionNotFound:
-                pass
+                logger.warn("Certificate does not specify 'ExtendedKeyUsage'.")
 
         if not can_use_for_signing:
             raise ValueError("Signing certificate cannot be used for signing")