src, tests: add max_chain_depth to validation API

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -41,6 +41,7 @@ def create_server_verifier(
     name: x509.verification.Subject,
     store: Store,
     time: datetime.datetime | None,
+    max_chain_depth: int | None,
 ) -> x509.verification.ServerVerifier: ...
 
 class Sct: ...
@@ -56,6 +57,8 @@ class ServerVerifier:
     def validation_time(self) -> datetime.datetime: ...
     @property
     def store(self) -> Store: ...
+    @property
+    def max_chain_depth(self) -> int: ...
     def verify(
         self,
         leaf: x509.Certificate,

src/cryptography/x509/verification.py

@@ -25,9 +25,11 @@ def __init__(
         *,
         time: datetime.datetime | None = None,
         store: Store | None = None,
+        max_chain_depth: int | None = None,
     ):
         self._time = time
         self._store = store
+        self._max_chain_depth = max_chain_depth
 
     def time(self, new_time: datetime.datetime) -> PolicyBuilder:
         """
@@ -48,6 +50,20 @@ def store(self, new_store: Store) -> PolicyBuilder:
 
         return PolicyBuilder(time=self._time, store=new_store)
 
+    def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder:
+        """
+        Sets the maximum chain depth.
+        """
+
+        if self._max_chain_depth is not None:
+            raise ValueError("The maximum chain depth may only be set once.")
+
+        return PolicyBuilder(
+            time=self._time,
+            store=self._store,
+            max_chain_depth=new_max_chain_depth,
+        )
+
     def build_server_verifier(self, subject: Subject) -> ServerVerifier:
         """
         Builds a verifier for verifying server certificates.
@@ -60,4 +76,5 @@ def build_server_verifier(self, subject: Subject) -> ServerVerifier:
             subject,
             self._store,
             self._time,
+            self._max_chain_depth,
         )

src/rust/cryptography-x509-validation/src/policy/extension.rs

@@ -236,7 +236,7 @@ mod tests {
         let cert_pem = v1_cert_pem();
         let cert = cert(&cert_pem);
         let ops = NullOps {};
-        let policy = Policy::new(ops, None, epoch());
+        let policy = Policy::new(ops, None, epoch(), None);
 
         // Test a policy that stipulates that a given extension MUST be present.
         let extension_policy = ExtensionPolicy::present(
@@ -280,7 +280,7 @@ mod tests {
         let cert_pem = v1_cert_pem();
         let cert = cert(&cert_pem);
         let ops = NullOps {};
-        let policy = Policy::new(ops, None, epoch());
+        let policy = Policy::new(ops, None, epoch(), None);
 
         // Test a policy that stipulates that a given extension CAN be present.
         let extension_policy = ExtensionPolicy::maybe_present(
@@ -316,7 +316,7 @@ mod tests {
         let cert_pem = v1_cert_pem();
         let cert = cert(&cert_pem);
         let ops = NullOps {};
-        let policy = Policy::new(ops, None, epoch());
+        let policy = Policy::new(ops, None, epoch(), None);
 
         // Test a policy that stipulates that a given extension MUST NOT be present.
         let extension_policy = ExtensionPolicy::not_present(BASIC_CONSTRAINTS_OID);
@@ -348,7 +348,7 @@ mod tests {
         let cert_pem = v1_cert_pem();
         let cert = cert(&cert_pem);
         let ops = NullOps {};
-        let policy = Policy::new(ops, None, epoch());
+        let policy = Policy::new(ops, None, epoch(), None);
 
         // Test a present policy that stipulates that a given extension MUST be critical.
         let extension_policy = ExtensionPolicy::present(
@@ -376,7 +376,7 @@ mod tests {
         let cert_pem = v1_cert_pem();
         let cert = cert(&cert_pem);
         let ops = NullOps {};
-        let policy = Policy::new(ops, None, epoch());
+        let policy = Policy::new(ops, None, epoch(), None);
 
         // Test a maybe present policy that stipulates that a given extension MUST be critical.
         let extension_policy = ExtensionPolicy::maybe_present(

src/rust/cryptography-x509-validation/src/policy/mod.rs

@@ -230,10 +230,15 @@ pub struct Policy<'a, B: CryptoOps> {
 impl<'a, B: CryptoOps> Policy<'a, B> {
     /// Create a new policy with defaults for the certificate profile defined in
     /// the CA/B Forum's Basic Requirements.
-    pub fn new(ops: B, subject: Option<Subject<'a>>, time: asn1::DateTime) -> Self {
+    pub fn new(
+        ops: B,
+        subject: Option<Subject<'a>>,
+        time: asn1::DateTime,
+        max_chain_depth: Option<u8>,
+    ) -> Self {
         Self {
             _ops: ops,
-            max_chain_depth: 8,
+            max_chain_depth: max_chain_depth.unwrap_or(8),
             subject,
             validation_time: time,
             extended_key_usage: EKU_SERVER_AUTH_OID.clone(),
@@ -383,7 +388,7 @@ mod tests {
     #[test]
     fn test_policy_critical_extensions() {
         let time = asn1::DateTime::new(2023, 9, 12, 1, 1, 1).unwrap();
-        let policy = Policy::new(NullOps {}, None, time);
+        let policy = Policy::new(NullOps {}, None, time, None);
 
         assert_eq!(
             policy.critical_ca_extensions,

src/rust/src/x509/verify.rs

@@ -8,6 +8,7 @@ use cryptography_x509_validation::{
     policy::{Policy, Subject},
     types::{DNSName, IPAddress},
 };
+use pyo3::IntoPy;
 
 use crate::error::{CryptographyError, CryptographyResult};
 use crate::types;
@@ -93,6 +94,11 @@ impl PyServerVerifier {
         datetime_to_py(py, &self.as_policy().validation_time)
     }
 
+    #[getter]
+    fn max_chain_depth(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::PyObject> {
+        Ok(self.as_policy().max_chain_depth.into_py(py))
+    }
+
     fn verify<'p>(
         &self,
         _py: pyo3::Python<'p>,
@@ -155,11 +161,16 @@ fn create_server_verifier(
     subject: pyo3::Py<pyo3::PyAny>,
     store: pyo3::Py<PyStore>,
     time: Option<&pyo3::PyAny>,
+    max_chain_depth: Option<&pyo3::types::PyInt>,
 ) -> pyo3::PyResult<PyServerVerifier> {
     let time = match time {
         Some(time) => py_to_datetime(py, time)?,
         None => datetime_now(py)?,
     };
+    let max_chain_depth: Option<u8> = match max_chain_depth {
+        Some(max_chain_depth) => max_chain_depth.extract()?,
+        None => None,
+    };
 
     let subject_owner = build_subject_owner(py, &subject)?;
     let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| {
@@ -168,6 +179,7 @@ fn create_server_verifier(
             PyCryptoOps {},
             subject,
             time,
+            max_chain_depth,
         )))
     })?;
 

tests/x509/test_verification.py

@@ -35,6 +35,10 @@ def test_store_already_set(self):
         with pytest.raises(ValueError):
             PolicyBuilder().store(dummy_store()).store(dummy_store())
 
+    def test_max_chain_depth_already_set(self):
+        with pytest.raises(ValueError):
+            PolicyBuilder().max_chain_depth(8).max_chain_depth(9)
+
     def test_ipaddress_subject(self):
         policy = (
             PolicyBuilder()
@@ -71,15 +75,18 @@ def test_subject_bad_types(self):
     def test_builder_pattern(self):
         now = datetime.datetime.now().replace(microsecond=0)
         store = dummy_store()
+        max_chain_depth = 16
 
         builder = PolicyBuilder()
         builder = builder.time(now)
         builder = builder.store(store)
+        builder = builder.max_chain_depth(max_chain_depth)
 
         verifier = builder.build_server_verifier(DNSName("cryptography.io"))
         assert verifier.subject == DNSName("cryptography.io")
         assert verifier.validation_time == now
         assert verifier.store == store
+        assert verifier.max_chain_depth == max_chain_depth
 
     def test_build_server_verifier_missing_store(self):
         with pytest.raises(