I am trying to verify a certificate that has an ED25519 key and the certificate authority also has an ED25519 key.
But even when the certificate is valid I get the error:
```
cryptography.hazmat.bindings._rust.x509.VerificationError: validation failed: candidates exhausted: Forbidden public key algorithm: AlgorithmIdentifier { oid: DefinedByMarker(PhantomData<asn1::object_identifier::ObjectIdentifier>), params: Ed25519 }
```
This seems to occur because when the Policy is created, the WebPKI defaults are selected and the WebPKI does not allow ED25519 keys.
```rust
permitted_public_key_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SPKI_ALGORITHMS),
permitted_signature_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS),
```
I have found no way to set these parameters on the Python side. Is this an oversight or is it meant that way?