Apply the get_peer_cert_chain parts of okuda's patch
diff --git a/OpenSSL/ssl/connection.c b/OpenSSL/ssl/connection.c
index 5b304b1..09e2607 100755
--- a/OpenSSL/ssl/connection.c
+++ b/OpenSSL/ssl/connection.c
@@ -1098,6 +1098,43 @@
}
}
+static char ssl_Connection_get_peer_cert_chain_doc[] = "\n\
+Retrieve the other side's certificate (if any)\n\
+\n\
+Arguments: self - The Connection object\n\
+ args - The Python argument tuple, should be empty\n\
+Returns: The peer's certificates chain tuple\n\
+";
+static PyObject *
+ssl_Connection_get_peer_cert_chain(ssl_ConnectionObj *self, PyObject *args)
+{
+ STACK_OF(X509) *sk;
+ PyObject *tpl, *item;
+ Py_ssize_t i;
+
+ if (!PyArg_ParseTuple(args, ":get_peer_cert_chain"))
+ return NULL;
+
+ sk = SSL_get_peer_cert_chain(self->ssl);
+ if (sk != NULL)
+ {
+ tpl = PyTuple_New(sk_X509_num(sk));
+ for (i=0; i<sk_X509_num(sk); i++)
+ {
+ item = (PyObject *)crypto_X509_New(sk_X509_value(sk,i), 1);
+ Py_INCREF(item);
+ PyTuple_SET_ITEM(tpl, i, item);
+ }
+ return tpl;
+ }
+ else
+ {
+ Py_INCREF(Py_None);
+ return Py_None;
+ }
+
+}
+
static char ssl_Connection_want_read_doc[] = "\n\
Checks if more data has to be read from the transport layer to complete an\n\
operation.\n\
@@ -1175,6 +1212,7 @@
ADD_METHOD(master_key),
ADD_METHOD(sock_shutdown),
ADD_METHOD(get_peer_certificate),
+ ADD_METHOD(get_peer_cert_chain),
ADD_METHOD(want_read),
ADD_METHOD(want_write),
ADD_METHOD(set_accept_state),
diff --git a/OpenSSL/test/test_ssl.py b/OpenSSL/test/test_ssl.py
index ff2e725..5752d13 100644
--- a/OpenSSL/test/test_ssl.py
+++ b/OpenSSL/test/test_ssl.py
@@ -307,6 +307,37 @@
context = Context(TLSv1_METHOD)
self.assertRaises(TypeError, context.get_timeout, None)
+ def test_get_peer_cert_chain(self):
+ """
+ L{Connection.get_peer_cert_chain} returns the tuple of certificates
+ which the connected server returned for the certification verification.
+ """
+ # Testing this requires a server with a certificate signed by one of
+ # the CAs in the platform CA location. Getting one of those costs
+ # money. Fortunately (or unfortunately, depending on your
+ # perspective), it's easy to think of a public server on the
+ # internet which has such a certificate. Connecting to the network
+ # in a unit test is bad, but it's the only way I can think of to
+ # really test this. -exarkun
+
+ # Arg, verisign.com doesn't speak TLSv1
+ context = Context(SSLv3_METHOD)
+
+ client = socket()
+ client.connect(('verisign.com', 443))
+ clientSSL = Connection(context, client)
+ clientSSL.set_connect_state()
+ clientSSL.do_handshake()
+ cert = clientSSL.get_peer_certificate()
+ certs = clientSSL.get_peer_cert_chain()
+ self.assertEqual(dump_certificate(FILETYPE_PEM, cert),
+ dump_certificate(FILETYPE_PEM, certs[0]))
+ self.assertEqual(certs[0].get_subject().CN, 'www.verisign.com')
+ self.assertEqual(certs[1].get_subject().CN,
+ 'VeriSign Class 3 Extended Validation SSL SGC CA')
+ self.assertEqual(certs[2].get_subject().CN,
+ 'VeriSign Class 3 Public Primary Certification Authority - G5')
+
def test_timeout(self):
"""
diff --git a/OpenSSL/tsafe.py b/OpenSSL/tsafe.py
index fe4b75f..9d7ad2f 100644
--- a/OpenSSL/tsafe.py
+++ b/OpenSSL/tsafe.py
@@ -16,7 +16,7 @@
'setblocking', 'fileno', 'shutdown', 'close', 'get_cipher_list',
'getpeername', 'getsockname', 'getsockopt', 'setsockopt',
'makefile', 'get_app_data', 'set_app_data', 'state_string',
- 'sock_shutdown', 'get_peer_certificate', 'want_read',
+ 'sock_shutdown', 'get_peer_certificate', 'get_peer_cert_chain', 'want_read',
'want_write', 'set_connect_state', 'set_accept_state',
'connect_ex', 'sendall'):
exec("""def %s(self, *args):