OpenSSL/crypto/pkcs12.c - platform/external/python/pyopenssl - Gitiles

 /*
  * pkcs12.c
  *
  * Copyright (C) AB Strakt
  * See LICENSE for details.
  *
  * Certificate transport (PKCS12) handling code,
  * mostly thin wrappers around OpenSSL.
  * See the file RATIONALE for a short explanation of why
  * this module was written.
  *
  * Reviewed 2001-07-23
  */
 #include <Python.h>
 #define crypto_MODULE
 #include "crypto.h"

 /*
  * PKCS12 is a standard exchange format for digital certificates.
  * See e.g. the OpenSSL homepage http://www.openssl.org/ for more information
  */

 static void crypto_PKCS12_dealloc(crypto_PKCS12Obj *self);
 static int crypto_PKCS12_clear(crypto_PKCS12Obj *self);

 static char crypto_PKCS12_get_certificate_doc[] = "\n\
 Return certificate portion of the PKCS12 structure\n\
 \n\
 @return: X509 object containing the certificate\n\
 ";
 static PyObject *
 crypto_PKCS12_get_certificate(crypto_PKCS12Obj *self, PyObject *args)
 {
     if (!PyArg_ParseTuple(args, ":get_certificate"))
         return NULL;

     Py_INCREF(self->cert);
     return self->cert;
 }

 static char crypto_PKCS12_set_certificate_doc[] = "\n\
 Replace the certificate portion of the PKCS12 structure\n\
 \n\
 @param cert: The new certificate.\n\
 @type cert: L{X509} or L{NoneType}\n\
 @return: None\n\
 ";
 static PyObject *
 crypto_PKCS12_set_certificate(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
     PyObject *cert = NULL;
     static char *kwlist[] = {"cert", NULL};

     if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_certificate",
         kwlist, &cert))
         return NULL;

     if (cert != Py_None && ! crypto_X509_Check(cert)) {
         PyErr_SetString(PyExc_TypeError, "cert must be type X509 or None");
         return NULL;
     }

     Py_INCREF(cert);  /* Make consistent before calling Py_DECREF() */
     Py_DECREF(self->cert);
     self->cert = cert;

     Py_INCREF(Py_None);
     return Py_None;
 }

 static char crypto_PKCS12_get_privatekey_doc[] = "\n\
 Return private key portion of the PKCS12 structure\n\
 \n\
 @returns: PKey object containing the private key\n\
 ";
 static crypto_PKeyObj *
 crypto_PKCS12_get_privatekey(crypto_PKCS12Obj *self, PyObject *args)
 {
     if (!PyArg_ParseTuple(args, ":get_privatekey"))
         return NULL;

     Py_INCREF(self->key);
     return (crypto_PKeyObj *) self->key;
 }

 static char crypto_PKCS12_set_privatekey_doc[] = "\n\
 Replace or set the certificate portion of the PKCS12 structure\n\
 \n\
 @param pkey: The new private key.\n\
 @type pkey: L{PKey}\n\
 @return: None\n\
 ";
 static PyObject *
 crypto_PKCS12_set_privatekey(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
     PyObject *pkey = NULL;
     static char *kwlist[] = {"pkey", NULL};

     if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_privatekey",
         kwlist, &pkey))
         return NULL;

     if (pkey != Py_None && ! crypto_PKey_Check(pkey)) {
         PyErr_SetString(PyExc_TypeError, "pkey must be type X509 or None");
         return NULL;
     }

     Py_INCREF(pkey);  /* Make consistent before calling Py_DECREF() */
     Py_DECREF(self->key);
     self->key = pkey;

     Py_INCREF(Py_None);
     return Py_None;
 }

 static char crypto_PKCS12_get_ca_certificates_doc[] = "\n\
 Return CA certificates within of the PKCS12 object\n\
 \n\
 @return: A newly created tuple containing the CA certificates in the chain,\n\
          if any are present, or None if no CA certificates are present.\n\
 ";
 static PyObject *
 crypto_PKCS12_get_ca_certificates(crypto_PKCS12Obj *self, PyObject *args)
 {
     if (!PyArg_ParseTuple(args, ":get_ca_certificates"))
         return NULL;

     Py_INCREF(self->cacerts);
     return self->cacerts;
 }

 static char crypto_PKCS12_set_ca_certificates_doc[] = "\n\
 Replace or set the CA certificates withing the PKCS12 object.\n\
 \n\
 @param cacerts: The new CA certificates.\n\
 @type cacerts: Iterable of L{X509} or L{NoneType}\n\
 @return: None\n\
 ";
 static PyObject *
 crypto_PKCS12_set_ca_certificates(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds)
 {
     PyObject *obj;
     PyObject *cacerts;
     static char *kwlist[] = {"cacerts", NULL};
     int i, len; /* Py_ssize_t for Python 2.5+ */

     if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_ca_certificates",
         kwlist, &cacerts))
         return NULL;
     if (cacerts == Py_None) {
         Py_INCREF(cacerts);
     } else {
         /* It's iterable */
         cacerts = PySequence_Tuple(cacerts);
         if (cacerts == NULL) {
             return NULL;
         }
         len = PyTuple_Size(cacerts);

         /* Check is's a simple list filled only with X509 objects. */
         for (i = 0; i < len; i++) {
             obj = PyTuple_GetItem(cacerts, i);
             if (!crypto_X509_Check(obj)) {
                 Py_DECREF(cacerts);
                 PyErr_SetString(PyExc_TypeError, "iterable must only contain X509Type");
                 return NULL;
             }
         }
     }

     Py_DECREF(self->cacerts);
     self->cacerts = cacerts;

     Py_INCREF(Py_None);
     return Py_None;
 }

 static char crypto_PKCS12_get_friendlyname_doc[] = "\n\
 Return friendly name portion of the PKCS12 structure\n\
 \n\
 @returns: String containing the friendlyname\n\
 ";
 static PyObject *
 crypto_PKCS12_get_friendlyname(crypto_PKCS12Obj *self, PyObject *args) {
     if (!PyArg_ParseTuple(args, ":get_friendlyname"))
         return NULL;

     Py_INCREF(self->friendlyname);
     return (PyObject *) self->friendlyname;
 }

 static char crypto_PKCS12_set_friendlyname_doc[] = "\n\
 Replace or set the certificate portion of the PKCS12 structure\n\
 \n\
 @param name: The new friendly name.\n\
 @type name: L{str}\n\
 @return: None\n\
 ";
 static PyObject *
 crypto_PKCS12_set_friendlyname(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
     PyObject *name = NULL;
     static char *kwlist[] = {"name", NULL};

     if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_friendlyname",
         kwlist, &name))
         return NULL;

     if (name != Py_None && ! PyBytes_CheckExact(name)) {
         PyErr_SetString(PyExc_TypeError, "name must be a byte string or None");
         return NULL;
     }

     Py_INCREF(name);  /* Make consistent before calling Py_DECREF() */
     Py_DECREF(self->friendlyname);
     self->friendlyname = name;

     Py_INCREF(Py_None);
     return Py_None;
 }

 static char crypto_PKCS12_export_doc[] = "\n\
 export([passphrase=None][, friendly_name=None][, iter=2048][, maciter=1]\n\
 Dump a PKCS12 object as a string.  See also \"man PKCS12_create\".\n\
 \n\
 @param passphrase: used to encrypt the PKCS12\n\
 @type passphrase: L{str}\n\
 @param iter: How many times to repeat the encryption\n\
 @type iter: L{int}\n\
 @param maciter: How many times to repeat the MAC\n\
 @type maciter: L{int}\n\
 @return: The string containing the PKCS12\n\
 ";
 static PyObject *
 crypto_PKCS12_export(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
     int i; /* Py_ssize_t for Python 2.5+ */
     PyObject *obj;
     int buf_len;
     PyObject *buffer;
     char *temp, *passphrase = NULL, *friendly_name = NULL;
     BIO *bio;
     PKCS12 *p12;
     EVP_PKEY *pkey = NULL;
     STACK_OF(X509) *cacerts = NULL;
     X509 *x509 = NULL;
     int iter = 0;  /* defaults to PKCS12_DEFAULT_ITER */
     int maciter = 0;
     static char *kwlist[] = {"passphrase", "iter", "maciter", NULL};

     if (!PyArg_ParseTupleAndKeywords(args, keywds, "|zii:export",
         kwlist, &passphrase, &iter, &maciter))
         return NULL;

     if (self->key != Py_None) {
         pkey = ((crypto_PKeyObj*) self->key)->pkey;
     }
     if (self->cert != Py_None) {
         x509 = ((crypto_X509Obj*) self->cert)->x509;
     }
     if (self->cacerts != Py_None) {
         cacerts = sk_X509_new_null();
         for (i = 0; i < PyTuple_Size(self->cacerts); i++) {  /* For each CA cert */
             obj = PySequence_GetItem(self->cacerts, i);
             /* assert(PyObject_IsInstance(obj, (PyObject *) &crypto_X509_Type )); */
             sk_X509_push(cacerts, (( crypto_X509Obj* ) obj)->x509);
             Py_DECREF(obj);
         }
     }
     if (self->friendlyname != Py_None) {
         friendly_name = PyBytes_AsString(self->friendlyname);
     }

     p12 = PKCS12_create(passphrase, friendly_name, pkey, x509, cacerts,
                         NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
                         NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
                         iter, maciter, 0);
     sk_X509_free(cacerts); /* NULL safe.  Free just the container. */
     if (p12 == NULL) {
         exception_from_error_queue(crypto_Error);
         return NULL;
     }
     bio = BIO_new(BIO_s_mem());
     i2d_PKCS12_bio(bio, p12);
     buf_len = BIO_get_mem_data(bio, &temp);
     buffer = PyBytes_FromStringAndSize(temp, buf_len);
     BIO_free(bio);
     return buffer;
 }

 /*
  * ADD_METHOD(name) expands to a correct PyMethodDef declaration
  *   {  'name', (PyCFunction)crypto_PKCS12_name, METH_VARARGS, crypto_PKCS12_name_doc }
  * for convenience
  */
 #define ADD_METHOD(name)        \
     { #name, (PyCFunction)crypto_PKCS12_##name, METH_VARARGS, crypto_PKCS12_##name##_doc }
 #define ADD_KW_METHOD(name)        \
     { #name, (PyCFunction)crypto_PKCS12_##name, METH_VARARGS | METH_KEYWORDS, crypto_PKCS12_##name##_doc }
 static PyMethodDef crypto_PKCS12_methods[] =
 {
     ADD_METHOD(get_certificate),
     ADD_KW_METHOD(set_certificate),
     ADD_METHOD(get_privatekey),
     ADD_KW_METHOD(set_privatekey),
     ADD_METHOD(get_ca_certificates),
     ADD_KW_METHOD(set_ca_certificates),
     ADD_METHOD(get_friendlyname),
     ADD_KW_METHOD(set_friendlyname),
     ADD_KW_METHOD(export),
     { NULL, NULL }
 };
 #undef ADD_METHOD

 /*
  * Constructor for PKCS12 objects, never called by Python code directly.
  * The strategy for this object is to create all the Python objects
  * corresponding to the cert/key/CA certs right away
  *
  * Arguments: p12        - A "real" PKCS12 object or NULL
  *            passphrase - Passphrase to use when decrypting the PKCS12 object
  * Returns:   The newly created PKCS12 object
  */
 crypto_PKCS12Obj *
 crypto_PKCS12_New(PKCS12 *p12, char *passphrase) {
     crypto_PKCS12Obj *self = NULL;
     PyObject *cacertobj = NULL;

     unsigned char *alias_str;
     int alias_len;

     X509 *cert = NULL;
     EVP_PKEY *pkey = NULL;
     STACK_OF(X509) *cacerts = NULL;

     int i, cacert_count = 0;

     /* allocate space for the CA cert stack */
     if((cacerts = sk_X509_new_null()) == NULL) {
         goto error;   /* out of memory? */
     }

     /* parse the PKCS12 lump */
     if (p12) {
         if (!PKCS12_parse(p12, passphrase, &pkey, &cert, &cacerts)) {
 	    /*
              * If PKCS12_parse fails, and it allocated cacerts, it seems to
              * free cacerts, but not re-NULL the pointer.  Zounds!  Make sure
              * it is re-set to NULL here, else we'll have a double-free below.
              */
             cacerts = NULL;
             exception_from_error_queue(crypto_Error);
             goto error;
         } else {
 	  /*
 	   * OpenSSL 1.0.0 sometimes leaves an X509_check_private_key error in
 	   * the queue for no particular reason.  This error isn't interesting
 	   * to anyone outside this function.  It's not even interesting to
 	   * us.  Get rid of it.
 	   */
 	  flush_error_queue();
 	}
     }

     if (!(self = PyObject_GC_New(crypto_PKCS12Obj, &crypto_PKCS12_Type))) {
         goto error;
     }

     /* client certificate and friendlyName */
     if (cert == NULL) {
         Py_INCREF(Py_None);
         self->cert = Py_None;
         Py_INCREF(Py_None);
         self->friendlyname = Py_None;
     } else {
         if ((self->cert = (PyObject *)crypto_X509_New(cert, 1)) == NULL) {
             goto error;
         }

         /*  Now we need to extract the friendlyName of the PKCS12
          *  that was stored by PKCS_parse() in the alias of the
          *  certificate. */
         alias_str = X509_alias_get0(cert, &alias_len);
         if (alias_str) {
             self->friendlyname = Py_BuildValue(BYTESTRING_FMT "#", alias_str, alias_len);
             if (!self->friendlyname) {
                 /*
                  * XXX Untested
                  */
                 goto error;
             }
             /* success */
         } else {
             Py_INCREF(Py_None);
             self->friendlyname = Py_None;
         }
     }

     /* private key */
     if (pkey == NULL) {
         Py_INCREF(Py_None);
         self->key = Py_None;
     } else {
         if ((self->key = (PyObject *)crypto_PKey_New(pkey, 1)) == NULL)
             goto error;
     }

     /* CA certs */
     cacert_count = sk_X509_num(cacerts);
     if (cacert_count <= 0) {
         Py_INCREF(Py_None);
         self->cacerts = Py_None;
     } else {
         if ((self->cacerts = PyTuple_New(cacert_count)) == NULL) {
             goto error;
         }

         for (i = 0; i < cacert_count; i++) {
             cert = sk_X509_value(cacerts, i);
             if ((cacertobj = (PyObject *)crypto_X509_New(cert, 1)) == NULL) {
                 goto error;
             }
             PyTuple_SET_ITEM(self->cacerts, i, cacertobj);
         }
     }

     sk_X509_free(cacerts); /* Don't free the certs, just the container. */
     PyObject_GC_Track(self);

     return self;

 error:
     sk_X509_free(cacerts); /* NULL safe. Free just the container. */
     if (self) {
         crypto_PKCS12_clear(self);
         PyObject_GC_Del(self);
     }
     return NULL;
 }

 static char crypto_PKCS12_doc[] = "\n\
 PKCS12() -> PKCS12 instance\n\
 \n\
 Create a new empty PKCS12 object.\n\
 \n\
 @returns: The PKCS12 object\n\
 ";
 static PyObject *
 crypto_PKCS12_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
     if (!PyArg_ParseTuple(args, ":PKCS12")) {
         return NULL;
     }

     return (PyObject *)crypto_PKCS12_New(NULL, NULL);
 }

 /*
  * Call the visitproc on all contained objects.
  *
  * Arguments: self - The PKCS12 object
  *            visit - Function to call
  *            arg - Extra argument to visit
  * Returns:   0 if all goes well, otherwise the return code from the first
  *            call that gave non-zero result.
  */
 static int
 crypto_PKCS12_traverse(crypto_PKCS12Obj *self, visitproc visit, void *arg)
 {
     int ret = 0;

     if (ret == 0 && self->cert != NULL)
         ret = visit(self->cert, arg);
     if (ret == 0 && self->key != NULL)
         ret = visit(self->key, arg);
     if (ret == 0 && self->cacerts != NULL)
         ret = visit(self->cacerts, arg);
     if (ret == 0 && self->friendlyname != NULL)
         ret = visit(self->friendlyname, arg);
     return ret;
 }

 /*
  * Decref all contained objects and zero the pointers.
  *
  * Arguments: self - The PKCS12 object
  * Returns:   Always 0.
  */
 static int
 crypto_PKCS12_clear(crypto_PKCS12Obj *self)
 {
     Py_XDECREF(self->cert);
     self->cert = NULL;
     Py_XDECREF(self->key);
     self->key = NULL;
     Py_XDECREF(self->cacerts);
     self->cacerts = NULL;
     Py_XDECREF(self->friendlyname);
     self->friendlyname = NULL;
     return 0;
 }

 /*
  * Deallocate the memory used by the PKCS12 object
  *
  * Arguments: self - The PKCS12 object
  * Returns:   None
  */
 static void
 crypto_PKCS12_dealloc(crypto_PKCS12Obj *self)
 {
     PyObject_GC_UnTrack(self);
     crypto_PKCS12_clear(self);
     PyObject_GC_Del(self);
 }

 PyTypeObject crypto_PKCS12_Type = {
     PyOpenSSL_HEAD_INIT(&PyType_Type, 0)
     "PKCS12",
     sizeof(crypto_PKCS12Obj),
     0,
     (destructor)crypto_PKCS12_dealloc,
     NULL, /* print */
     NULL, /* getattr */
     NULL, /* setattr */
     NULL, /* compare */
     NULL, /* repr */
     NULL, /* as_number */
     NULL, /* as_sequence */
     NULL, /* as_mapping */
     NULL, /* hash */
     NULL, /* call */
     NULL, /* str */
     NULL, /* getattro */
     NULL, /* setattro */
     NULL, /* as_buffer */
     Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC,
     crypto_PKCS12_doc,
     (traverseproc)crypto_PKCS12_traverse,
     (inquiry)crypto_PKCS12_clear,
     NULL, /* tp_richcompare */
     0, /* tp_weaklistoffset */
     NULL, /* tp_iter */
     NULL, /* tp_iternext */
     crypto_PKCS12_methods, /* tp_methods */
     NULL, /* tp_members */
     NULL, /* tp_getset */
     NULL, /* tp_base */
     NULL, /* tp_dict */
     NULL, /* tp_descr_get */
     NULL, /* tp_descr_set */
     0, /* tp_dictoffset */
     NULL, /* tp_init */
     NULL, /* tp_alloc */
     crypto_PKCS12_new, /* tp_new */
 };

 /*
  * Initialize the PKCS12 part of the crypto sub module
  *
  * Arguments: module - The crypto module
  * Returns:   None
  */
 int
 init_crypto_pkcs12(PyObject *module) {
     if (PyType_Ready(&crypto_PKCS12_Type) < 0) {
         return 0;
     }

     if (PyModule_AddObject(module, "PKCS12", (PyObject *)&crypto_PKCS12_Type) != 0) {
         return 0;
     }

     if (PyModule_AddObject(module, "PKCS12Type", (PyObject *)&crypto_PKCS12_Type) != 0) {
         return 0;
     }

     return 1;
 }
	/*
	* pkcs12.c
	*
	* Copyright (C) AB Strakt
	* See LICENSE for details.
	*
	* Certificate transport (PKCS12) handling code,
	* mostly thin wrappers around OpenSSL.
	* See the file RATIONALE for a short explanation of why
	* this module was written.
	*
	* Reviewed 2001-07-23
	*/
	#include <Python.h>
	#define crypto_MODULE
	#include "crypto.h"

	/*
	* PKCS12 is a standard exchange format for digital certificates.
	* See e.g. the OpenSSL homepage http://www.openssl.org/ for more information
	*/

	static void crypto_PKCS12_dealloc(crypto_PKCS12Obj *self);
	static int crypto_PKCS12_clear(crypto_PKCS12Obj *self);

	static char crypto_PKCS12_get_certificate_doc[] = "\n\
	Return certificate portion of the PKCS12 structure\n\
	\n\
	@return: X509 object containing the certificate\n\
	";
	static PyObject *
	crypto_PKCS12_get_certificate(crypto_PKCS12Obj self, PyObject args)
	{
	if (!PyArg_ParseTuple(args, ":get_certificate"))
	return NULL;

	Py_INCREF(self->cert);
	return self->cert;
	}

	static char crypto_PKCS12_set_certificate_doc[] = "\n\
	Replace the certificate portion of the PKCS12 structure\n\
	\n\
	@param cert: The new certificate.\n\
	@type cert: L{X509} or L{NoneType}\n\
	@return: None\n\
	";
	static PyObject *
	crypto_PKCS12_set_certificate(crypto_PKCS12Obj self, PyObject args, PyObject *keywds) {
	PyObject *cert = NULL;
	static char *kwlist[] = {"cert", NULL};

	if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_certificate",
	kwlist, &cert))
	return NULL;

	if (cert != Py_None && ! crypto_X509_Check(cert)) {
	PyErr_SetString(PyExc_TypeError, "cert must be type X509 or None");
	return NULL;
	}

	Py_INCREF(cert); /* Make consistent before calling Py_DECREF() */
	Py_DECREF(self->cert);
	self->cert = cert;

	Py_INCREF(Py_None);
	return Py_None;
	}

	static char crypto_PKCS12_get_privatekey_doc[] = "\n\
	Return private key portion of the PKCS12 structure\n\
	\n\
	@returns: PKey object containing the private key\n\
	";
	static crypto_PKeyObj *
	crypto_PKCS12_get_privatekey(crypto_PKCS12Obj self, PyObject args)
	{
	if (!PyArg_ParseTuple(args, ":get_privatekey"))
	return NULL;

	Py_INCREF(self->key);
	return (crypto_PKeyObj *) self->key;
	}

	static char crypto_PKCS12_set_privatekey_doc[] = "\n\
	Replace or set the certificate portion of the PKCS12 structure\n\
	\n\
	@param pkey: The new private key.\n\
	@type pkey: L{PKey}\n\
	@return: None\n\
	";
	static PyObject *
	crypto_PKCS12_set_privatekey(crypto_PKCS12Obj self, PyObject args, PyObject *keywds) {
	PyObject *pkey = NULL;
	static char *kwlist[] = {"pkey", NULL};

	if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_privatekey",
	kwlist, &pkey))
	return NULL;

	if (pkey != Py_None && ! crypto_PKey_Check(pkey)) {
	PyErr_SetString(PyExc_TypeError, "pkey must be type X509 or None");
	return NULL;
	}

	Py_INCREF(pkey); /* Make consistent before calling Py_DECREF() */
	Py_DECREF(self->key);
	self->key = pkey;

	Py_INCREF(Py_None);
	return Py_None;
	}

	static char crypto_PKCS12_get_ca_certificates_doc[] = "\n\
	Return CA certificates within of the PKCS12 object\n\
	\n\
	@return: A newly created tuple containing the CA certificates in the chain,\n\
	if any are present, or None if no CA certificates are present.\n\
	";
	static PyObject *
	crypto_PKCS12_get_ca_certificates(crypto_PKCS12Obj self, PyObject args)
	{
	if (!PyArg_ParseTuple(args, ":get_ca_certificates"))
	return NULL;

	Py_INCREF(self->cacerts);
	return self->cacerts;
	}

	static char crypto_PKCS12_set_ca_certificates_doc[] = "\n\
	Replace or set the CA certificates withing the PKCS12 object.\n\
	\n\
	@param cacerts: The new CA certificates.\n\
	@type cacerts: Iterable of L{X509} or L{NoneType}\n\
	@return: None\n\
	";
	static PyObject *
	crypto_PKCS12_set_ca_certificates(crypto_PKCS12Obj self, PyObject args, PyObject *keywds)
	{
	PyObject *obj;
	PyObject *cacerts;
	static char *kwlist[] = {"cacerts", NULL};
	int i, len; /* Py_ssize_t for Python 2.5+ */

	if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_ca_certificates",
	kwlist, &cacerts))
	return NULL;
	if (cacerts == Py_None) {
	Py_INCREF(cacerts);
	} else {
	/* It's iterable */
	cacerts = PySequence_Tuple(cacerts);
	if (cacerts == NULL) {
	return NULL;
	}
	len = PyTuple_Size(cacerts);

	/* Check is's a simple list filled only with X509 objects. */
	for (i = 0; i < len; i++) {
	obj = PyTuple_GetItem(cacerts, i);
	if (!crypto_X509_Check(obj)) {
	Py_DECREF(cacerts);
	PyErr_SetString(PyExc_TypeError, "iterable must only contain X509Type");
	return NULL;
	}
	}
	}

	Py_DECREF(self->cacerts);
	self->cacerts = cacerts;

	Py_INCREF(Py_None);
	return Py_None;
	}

	static char crypto_PKCS12_get_friendlyname_doc[] = "\n\
	Return friendly name portion of the PKCS12 structure\n\
	\n\
	@returns: String containing the friendlyname\n\
	";
	static PyObject *
	crypto_PKCS12_get_friendlyname(crypto_PKCS12Obj self, PyObject args) {
	if (!PyArg_ParseTuple(args, ":get_friendlyname"))
	return NULL;

	Py_INCREF(self->friendlyname);
	return (PyObject *) self->friendlyname;
	}

	static char crypto_PKCS12_set_friendlyname_doc[] = "\n\
	Replace or set the certificate portion of the PKCS12 structure\n\
	\n\
	@param name: The new friendly name.\n\
	@type name: L{str}\n\
	@return: None\n\
	";
	static PyObject *
	crypto_PKCS12_set_friendlyname(crypto_PKCS12Obj self, PyObject args, PyObject *keywds) {
	PyObject *name = NULL;
	static char *kwlist[] = {"name", NULL};

	if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_friendlyname",
	kwlist, &name))
	return NULL;

	if (name != Py_None && ! PyBytes_CheckExact(name)) {
	PyErr_SetString(PyExc_TypeError, "name must be a byte string or None");
	return NULL;
	}

	Py_INCREF(name); /* Make consistent before calling Py_DECREF() */
	Py_DECREF(self->friendlyname);
	self->friendlyname = name;

	Py_INCREF(Py_None);
	return Py_None;
	}

	static char crypto_PKCS12_export_doc[] = "\n\
	export([passphrase=None][, friendly_name=None][, iter=2048][, maciter=1]\n\
	Dump a PKCS12 object as a string. See also \"man PKCS12_create\".\n\
	\n\
	@param passphrase: used to encrypt the PKCS12\n\
	@type passphrase: L{str}\n\
	@param iter: How many times to repeat the encryption\n\
	@type iter: L{int}\n\
	@param maciter: How many times to repeat the MAC\n\
	@type maciter: L{int}\n\
	@return: The string containing the PKCS12\n\
	";
	static PyObject *
	crypto_PKCS12_export(crypto_PKCS12Obj self, PyObject args, PyObject *keywds) {
	int i; /* Py_ssize_t for Python 2.5+ */
	PyObject *obj;
	int buf_len;
	PyObject *buffer;
	char temp, passphrase = NULL, *friendly_name = NULL;
	BIO *bio;
	PKCS12 *p12;
	EVP_PKEY *pkey = NULL;
	STACK_OF(X509) *cacerts = NULL;
	X509 *x509 = NULL;
	int iter = 0; /* defaults to PKCS12_DEFAULT_ITER */
	int maciter = 0;
	static char *kwlist[] = {"passphrase", "iter", "maciter", NULL};

	if (!PyArg_ParseTupleAndKeywords(args, keywds, "\|zii:export",
	kwlist, &passphrase, &iter, &maciter))
	return NULL;

	if (self->key != Py_None) {
	pkey = ((crypto_PKeyObj*) self->key)->pkey;
	}
	if (self->cert != Py_None) {
	x509 = ((crypto_X509Obj*) self->cert)->x509;
	}
	if (self->cacerts != Py_None) {
	cacerts = sk_X509_new_null();
	for (i = 0; i < PyTuple_Size(self->cacerts); i++) { /* For each CA cert */
	obj = PySequence_GetItem(self->cacerts, i);
	/* assert(PyObject_IsInstance(obj, (PyObject ) &crypto_X509_Type )); /
	sk_X509_push(cacerts, (( crypto_X509Obj* ) obj)->x509);
	Py_DECREF(obj);
	}
	}
	if (self->friendlyname != Py_None) {
	friendly_name = PyBytes_AsString(self->friendlyname);
	}

	p12 = PKCS12_create(passphrase, friendly_name, pkey, x509, cacerts,
	NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
	NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
	iter, maciter, 0);
	sk_X509_free(cacerts); /* NULL safe. Free just the container. */
	if (p12 == NULL) {
	exception_from_error_queue(crypto_Error);
	return NULL;
	}
	bio = BIO_new(BIO_s_mem());
	i2d_PKCS12_bio(bio, p12);
	buf_len = BIO_get_mem_data(bio, &temp);
	buffer = PyBytes_FromStringAndSize(temp, buf_len);
	BIO_free(bio);
	return buffer;
	}

	/*
	* ADD_METHOD(name) expands to a correct PyMethodDef declaration
	* { 'name', (PyCFunction)crypto_PKCS12_name, METH_VARARGS, crypto_PKCS12_name_doc }
	* for convenience
	*/
	#define ADD_METHOD(name) \
	{ #name, (PyCFunction)crypto_PKCS12_##name, METH_VARARGS, crypto_PKCS12_##name##_doc }
	#define ADD_KW_METHOD(name) \
	{ #name, (PyCFunction)crypto_PKCS12_##name, METH_VARARGS \| METH_KEYWORDS, crypto_PKCS12_##name##_doc }
	static PyMethodDef crypto_PKCS12_methods[] =
	{
	ADD_METHOD(get_certificate),
	ADD_KW_METHOD(set_certificate),
	ADD_METHOD(get_privatekey),
	ADD_KW_METHOD(set_privatekey),
	ADD_METHOD(get_ca_certificates),
	ADD_KW_METHOD(set_ca_certificates),
	ADD_METHOD(get_friendlyname),
	ADD_KW_METHOD(set_friendlyname),
	ADD_KW_METHOD(export),
	{ NULL, NULL }
	};
	#undef ADD_METHOD

	/*
	* Constructor for PKCS12 objects, never called by Python code directly.
	* The strategy for this object is to create all the Python objects
	* corresponding to the cert/key/CA certs right away
	*
	* Arguments: p12 - A "real" PKCS12 object or NULL
	* passphrase - Passphrase to use when decrypting the PKCS12 object
	* Returns: The newly created PKCS12 object
	*/
	crypto_PKCS12Obj *
	crypto_PKCS12_New(PKCS12 p12, char passphrase) {
	crypto_PKCS12Obj *self = NULL;
	PyObject *cacertobj = NULL;

	unsigned char *alias_str;
	int alias_len;

	X509 *cert = NULL;
	EVP_PKEY *pkey = NULL;
	STACK_OF(X509) *cacerts = NULL;

	int i, cacert_count = 0;

	/* allocate space for the CA cert stack */
	if((cacerts = sk_X509_new_null()) == NULL) {
	goto error; /* out of memory? */
	}

	/* parse the PKCS12 lump */
	if (p12) {
	if (!PKCS12_parse(p12, passphrase, &pkey, &cert, &cacerts)) {
	/*
	* If PKCS12_parse fails, and it allocated cacerts, it seems to
	* free cacerts, but not re-NULL the pointer. Zounds! Make sure
	* it is re-set to NULL here, else we'll have a double-free below.
	*/
	cacerts = NULL;
	exception_from_error_queue(crypto_Error);
	goto error;
	} else {
	/*
	* OpenSSL 1.0.0 sometimes leaves an X509_check_private_key error in
	* the queue for no particular reason. This error isn't interesting
	* to anyone outside this function. It's not even interesting to
	* us. Get rid of it.
	*/
	flush_error_queue();
	}
	}

	if (!(self = PyObject_GC_New(crypto_PKCS12Obj, &crypto_PKCS12_Type))) {
	goto error;
	}

	/* client certificate and friendlyName */
	if (cert == NULL) {
	Py_INCREF(Py_None);
	self->cert = Py_None;
	Py_INCREF(Py_None);
	self->friendlyname = Py_None;
	} else {
	if ((self->cert = (PyObject *)crypto_X509_New(cert, 1)) == NULL) {
	goto error;
	}

	/* Now we need to extract the friendlyName of the PKCS12
	* that was stored by PKCS_parse() in the alias of the
	* certificate. */
	alias_str = X509_alias_get0(cert, &alias_len);
	if (alias_str) {
	self->friendlyname = Py_BuildValue(BYTESTRING_FMT "#", alias_str, alias_len);
	if (!self->friendlyname) {
	/*
	* XXX Untested
	*/
	goto error;
	}
	/* success */
	} else {
	Py_INCREF(Py_None);
	self->friendlyname = Py_None;
	}
	}

	/* private key */
	if (pkey == NULL) {
	Py_INCREF(Py_None);
	self->key = Py_None;
	} else {
	if ((self->key = (PyObject *)crypto_PKey_New(pkey, 1)) == NULL)
	goto error;
	}

	/* CA certs */
	cacert_count = sk_X509_num(cacerts);
	if (cacert_count <= 0) {
	Py_INCREF(Py_None);
	self->cacerts = Py_None;
	} else {
	if ((self->cacerts = PyTuple_New(cacert_count)) == NULL) {
	goto error;
	}

	for (i = 0; i < cacert_count; i++) {
	cert = sk_X509_value(cacerts, i);
	if ((cacertobj = (PyObject *)crypto_X509_New(cert, 1)) == NULL) {
	goto error;
	}
	PyTuple_SET_ITEM(self->cacerts, i, cacertobj);
	}
	}

	sk_X509_free(cacerts); /* Don't free the certs, just the container. */
	PyObject_GC_Track(self);

	return self;

	error:
	sk_X509_free(cacerts); /* NULL safe. Free just the container. */
	if (self) {
	crypto_PKCS12_clear(self);
	PyObject_GC_Del(self);
	}
	return NULL;
	}

	static char crypto_PKCS12_doc[] = "\n\
	PKCS12() -> PKCS12 instance\n\
	\n\
	Create a new empty PKCS12 object.\n\
	\n\
	@returns: The PKCS12 object\n\
	";
	static PyObject *
	crypto_PKCS12_new(PyTypeObject subtype, PyObject args, PyObject *kwargs) {
	if (!PyArg_ParseTuple(args, ":PKCS12")) {
	return NULL;
	}

	return (PyObject *)crypto_PKCS12_New(NULL, NULL);
	}

	/*
	* Call the visitproc on all contained objects.
	*
	* Arguments: self - The PKCS12 object
	* visit - Function to call
	* arg - Extra argument to visit
	* Returns: 0 if all goes well, otherwise the return code from the first
	* call that gave non-zero result.
	*/
	static int
	crypto_PKCS12_traverse(crypto_PKCS12Obj self, visitproc visit, void arg)
	{
	int ret = 0;

	if (ret == 0 && self->cert != NULL)
	ret = visit(self->cert, arg);
	if (ret == 0 && self->key != NULL)
	ret = visit(self->key, arg);
	if (ret == 0 && self->cacerts != NULL)
	ret = visit(self->cacerts, arg);
	if (ret == 0 && self->friendlyname != NULL)
	ret = visit(self->friendlyname, arg);
	return ret;
	}

	/*
	* Decref all contained objects and zero the pointers.
	*
	* Arguments: self - The PKCS12 object
	* Returns: Always 0.
	*/
	static int
	crypto_PKCS12_clear(crypto_PKCS12Obj *self)
	{
	Py_XDECREF(self->cert);
	self->cert = NULL;
	Py_XDECREF(self->key);
	self->key = NULL;
	Py_XDECREF(self->cacerts);
	self->cacerts = NULL;
	Py_XDECREF(self->friendlyname);
	self->friendlyname = NULL;
	return 0;
	}

	/*
	* Deallocate the memory used by the PKCS12 object
	*
	* Arguments: self - The PKCS12 object
	* Returns: None
	*/
	static void
	crypto_PKCS12_dealloc(crypto_PKCS12Obj *self)
	{
	PyObject_GC_UnTrack(self);
	crypto_PKCS12_clear(self);
	PyObject_GC_Del(self);
	}

	PyTypeObject crypto_PKCS12_Type = {
	PyOpenSSL_HEAD_INIT(&PyType_Type, 0)
	"PKCS12",
	sizeof(crypto_PKCS12Obj),
	0,
	(destructor)crypto_PKCS12_dealloc,
	NULL, /* print */
	NULL, /* getattr */
	NULL, /* setattr */
	NULL, /* compare */
	NULL, /* repr */
	NULL, /* as_number */
	NULL, /* as_sequence */
	NULL, /* as_mapping */
	NULL, /* hash */
	NULL, /* call */
	NULL, /* str */
	NULL, /* getattro */
	NULL, /* setattro */
	NULL, /* as_buffer */
	Py_TPFLAGS_DEFAULT \| Py_TPFLAGS_HAVE_GC,
	crypto_PKCS12_doc,
	(traverseproc)crypto_PKCS12_traverse,
	(inquiry)crypto_PKCS12_clear,
	NULL, /* tp_richcompare */
	0, /* tp_weaklistoffset */
	NULL, /* tp_iter */
	NULL, /* tp_iternext */
	crypto_PKCS12_methods, /* tp_methods */
	NULL, /* tp_members */
	NULL, /* tp_getset */
	NULL, /* tp_base */
	NULL, /* tp_dict */
	NULL, /* tp_descr_get */
	NULL, /* tp_descr_set */
	0, /* tp_dictoffset */
	NULL, /* tp_init */
	NULL, /* tp_alloc */
	crypto_PKCS12_new, /* tp_new */
	};

	/*
	* Initialize the PKCS12 part of the crypto sub module
	*
	* Arguments: module - The crypto module
	* Returns: None
	*/
	int
	init_crypto_pkcs12(PyObject *module) {
	if (PyType_Ready(&crypto_PKCS12_Type) < 0) {
	return 0;
	}

	if (PyModule_AddObject(module, "PKCS12", (PyObject *)&crypto_PKCS12_Type) != 0) {
	return 0;
	}

	if (PyModule_AddObject(module, "PKCS12Type", (PyObject *)&crypto_PKCS12_Type) != 0) {
	return 0;
	}

	return 1;
	}