authorAlex Gaynor <alex.gaynor@gmail.com>2023-03-26 20:51:04 -0400
committerGitHub <noreply@github.com>2023-03-27 00:51:04 +0000
commit89228a9deb9a0901c87329414b4d8a062bd38bae (patch)
tree5b6f2ba21a5b39c1a0b335dcf72277d422b42bb2 /src
parent55c13c31148d54516dcc18ecc936f9657af05071 (diff)
downloadcryptography-89228a9deb9a0901c87329414b4d8a062bd38bae.tar.gz
Added support for OCSP AcceptableResponses extension (#8617)
fixes #8589
Diffstat (limited to 'src')
-rw-r--r--src/cryptography/hazmat/_oid.py1
-rw-r--r--src/cryptography/x509/__init__.py2
-rw-r--r--src/cryptography/x509/extensions.py29
-rw-r--r--src/rust/src/x509/extensions.rs2
-rw-r--r--src/rust/src/x509/ocsp_req.rs19
-rw-r--r--src/rust/src/x509/oid.rs2
6 files changed, 51 insertions, 4 deletions
diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py
index 927ffc4c5..bc9c046c6 100644
--- a/src/cryptography/hazmat/_oid.py
+++ b/src/cryptography/hazmat/_oid.py
@@ -42,6 +42,7 @@ class ExtensionOID:
class OCSPExtensionOID:
NONCE = ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")
+ ACCEPTABLE_RESPONSES = ObjectIdentifier("1.3.6.1.5.5.7.48.1.4")
class CRLEntryExtensionOID:
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index ad924ad42..df7fd3fbb 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py
@@ -54,6 +54,7 @@ from cryptography.x509.extensions import (
KeyUsage,
NameConstraints,
NoticeReference,
+ OCSPAcceptableResponses,
OCSPNoCheck,
OCSPNonce,
PolicyConstraints,
@@ -196,6 +197,7 @@ __all__ = [
"IssuingDistributionPoint",
"TLSFeature",
"TLSFeatureType",
+ "OCSPAcceptableResponses",
"OCSPNoCheck",
"BasicConstraints",
"CRLNumber",
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 551887b4a..6fe3888bf 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -1932,6 +1932,35 @@ class OCSPNonce(ExtensionType):
return rust_x509.encode_extension_value(self)
+class OCSPAcceptableResponses(ExtensionType):
+ oid = OCSPExtensionOID.ACCEPTABLE_RESPONSES
+
+ def __init__(self, responses: typing.Iterable[ObjectIdentifier]) -> None:
+ responses = list(responses)
+ if any(not isinstance(r, ObjectIdentifier) for r in responses):
+ raise TypeError("All responses must be ObjectIdentifiers")
+
+ self._responses = responses
+
+ def __eq__(self, other: object) -> bool:
+ if not isinstance(other, OCSPAcceptableResponses):
+ return NotImplemented
+
+ return self._responses == other._responses
+
+ def __hash__(self) -> int:
+ return hash(tuple(self._responses))
+
+ def __repr__(self) -> str:
+ return f"<OCSPAcceptableResponses(responses={self._responses})>"
+
+ def __iter__(self) -> typing.Iterator[ObjectIdentifier]:
+ return iter(self._responses)
+
+ def public_bytes(self) -> bytes:
+ return rust_x509.encode_extension_value(self)
+
+
class IssuingDistributionPoint(ExtensionType):
oid = ExtensionOID.ISSUING_DISTRIBUTION_POINT
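Review bot: OCSPAcceptableResponses is a new public, exported extension type but carries no docstring, so a reader has to recover its meaning from the OID and the Rust decoder. I would add, directly under the class line, `"""The OCSP AcceptableResponses extension (RFC 6960 section 4.4.3): the response types the requester can process, given as an iterable of ObjectIdentifier."""`. It is also worth stating in that docstring that equality and hashing are order-sensitive (`__eq__` compares the lists as given), which matches the SEQUENCE OF encoding but may surprise callers who treat the value as a set.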
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
index d5473a576..79170a616 100644
--- a/src/rust/src/x509/extensions.rs
+++ b/src/rust/src/x509/extensions.rs
@@ -202,7 +202,7 @@ pub(crate) fn encode_extension(
let ads = x509::common::encode_access_descriptions(ext.py(), ext)?;
Ok(Some(asn1::write_single(&ads)?))
}
- &oid::EXTENDED_KEY_USAGE_OID => {
+ &oid::EXTENDED_KEY_USAGE_OID | &oid::ACCEPTABLE_RESPONSES_OID => {
let mut oids = vec![];
for el in ext.iter()? {
let oid = py_oid_to_oid(el?)?;
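Review bot: The widened arm `&oid::EXTENDED_KEY_USAGE_OID | &oid::ACCEPTABLE_RESPONSES_OID` silently ties the new OCSP extension to the ExtendedKeyUsage encoder, and nothing in the hunk says why that is correct. A one-line comment above the arm would keep the next maintainer from splitting them apart or assuming a bug: `// AcceptableResponses (RFC 6960 §4.4.3) is also a SEQUENCE OF OBJECT IDENTIFIER, so it reuses the EKU encoding path.`. The body of encode_extension continues outside the hunk, so the rest of the arm is not visible here.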
diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs
index b239869d9..47810a023 100644
--- a/src/rust/src/x509/ocsp_req.rs
+++ b/src/rust/src/x509/ocsp_req.rs
@@ -2,7 +2,7 @@
// 2.0, and the BSD License. See the LICENSE file in the root of this repository
// for complete details.
-use crate::asn1::{big_byte_slice_to_py_int, py_uint_to_big_endian_bytes};
+use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes};
use crate::error::{CryptographyError, CryptographyResult};
use crate::x509;
use crate::x509::{extensions, ocsp, oid};
@@ -118,8 +118,8 @@ impl OCSPRequest {
&mut self.cached_extensions,
&self.raw.borrow_value().tbs_request.request_extensions,
|oid, value| {
- match oid {
- &oid::NONCE_OID => {
+ match *oid {
+ oid::NONCE_OID => {
// This is a disaster. RFC 2560 says that the contents of the nonce is
// just the raw extension value. This is nonsense, since they're always
// supposed to be ASN.1 TLVs. RFC 6960 correctly specifies that the
@@ -129,6 +129,19 @@ impl OCSPRequest {
let nonce = asn1::parse_single::<&[u8]>(value).unwrap_or(value);
Ok(Some(x509_module.call_method1("OCSPNonce", (nonce,))?))
}
+ oid::ACCEPTABLE_RESPONSES_OID => {
+ let oids = asn1::parse_single::<
+ asn1::SequenceOf<'_, asn1::ObjectIdentifier>,
+ >(value)?;
+ let py_oids = pyo3::types::PyList::empty(py);
+ for oid in oids {
+ py_oids.append(oid_to_py_oid(py, &oid)?)?;
+ }
+
+ Ok(Some(
+ x509_module.call_method1("OCSPAcceptableResponses", (py_oids,))?,
+ ))
+ }
_ => Ok(None),
}
},
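Review bot: In the new `oid::ACCEPTABLE_RESPONSES_OID` arm, `for oid in oids` shadows the closure parameter `oid` that is the value just matched on (the `|oid, value|` closure begins in the previous hunk), which makes the arm harder to read than it needs to be. Renaming the loop variable avoids the shadowing: `for response_oid in oids {` and `py_oids.append(oid_to_py_oid(py, &response_oid)?)?;`. The `?` on `asn1::parse_single` is the right choice here, since a malformed extension value is rejected rather than partially decoded.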
diff --git a/src/rust/src/x509/oid.rs b/src/rust/src/x509/oid.rs
index 55477c608..2c9b36d0a 100644
--- a/src/rust/src/x509/oid.rs
+++ b/src/rust/src/x509/oid.rs
@@ -41,6 +41,8 @@ pub(crate) const POLICY_CONSTRAINTS_OID: asn1::ObjectIdentifier = asn1::oid!(2,
pub(crate) const EXTENDED_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 37);
pub(crate) const FRESHEST_CRL_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 46);
pub(crate) const INHIBIT_ANY_POLICY_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 54);
+pub(crate) const ACCEPTABLE_RESPONSES_OID: asn1::ObjectIdentifier =
+ asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 4);
// Signing methods
pub(crate) const ECDSA_WITH_SHA224_OID: asn1::ObjectIdentifier =