blob: 13b328f36097a76a80003a244f12f189943a3c7c [file] [log] [blame]
Paul Kehrer5d5d28d2015-10-21 18:55:22 -05001import datetime
Paul Kehrer8d887e12015-10-24 09:09:55 -05002
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05003from base64 import b16encode
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -05004from functools import partial
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05005from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
Jean-Paul Calderone60432792015-04-13 12:26:07 -04006from warnings import warn as _warn
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05007
8from six import (
9 integer_types as _integer_types,
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -040010 text_type as _text_type,
11 PY3 as _PY3)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -080012
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -050013from OpenSSL._util import (
14 ffi as _ffi,
15 lib as _lib,
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -050016 exception_from_error_queue as _exception_from_error_queue,
17 byte_string as _byte_string,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -040018 native as _native,
19 UNSPECIFIED as _UNSPECIFIED,
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -040020 text_to_bytes_and_warn as _text_to_bytes_and_warn,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -040021)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -080022
Jean-Paul Calderone6037d072013-12-28 18:04:00 -050023FILETYPE_PEM = _lib.SSL_FILETYPE_PEM
24FILETYPE_ASN1 = _lib.SSL_FILETYPE_ASN1
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -080025
26# TODO This was an API mistake. OpenSSL has no such constant.
27FILETYPE_TEXT = 2 ** 16 - 1
28
Jean-Paul Calderone6037d072013-12-28 18:04:00 -050029TYPE_RSA = _lib.EVP_PKEY_RSA
30TYPE_DSA = _lib.EVP_PKEY_DSA
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -080031
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -080032
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -050033class Error(Exception):
Jean-Paul Calderone511cde02013-12-29 10:31:13 -050034 """
35 An error occurred in an `OpenSSL.crypto` API.
36 """
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -050037
38
39_raise_current_error = partial(_exception_from_error_queue, Error)
40
Stephen Holsapple0d9815f2014-08-27 19:36:53 -070041
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -050042def _untested_error(where):
43 """
44 An OpenSSL API failed somehow. Additionally, the failure which was
45 encountered isn't one that's exercised by the test suite so future behavior
46 of pyOpenSSL is now somewhat less predictable.
47 """
48 raise RuntimeError("Unknown %s failure" % (where,))
49
50
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -050051def _new_mem_buf(buffer=None):
52 """
53 Allocate a new OpenSSL memory BIO.
54
55 Arrange for the garbage collector to clean it up automatically.
56
57 :param buffer: None or some bytes to use to put into the BIO so that they
58 can be read out.
59 """
60 if buffer is None:
61 bio = _lib.BIO_new(_lib.BIO_s_mem())
62 free = _lib.BIO_free
63 else:
64 data = _ffi.new("char[]", buffer)
65 bio = _lib.BIO_new_mem_buf(data, len(buffer))
Alex Gaynor5945ea82015-09-05 14:59:06 -040066
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -050067 # Keep the memory alive as long as the bio is alive!
68 def free(bio, ref=data):
69 return _lib.BIO_free(bio)
70
71 if bio == _ffi.NULL:
72 # TODO: This is untested.
73 _raise_current_error()
74
75 bio = _ffi.gc(bio, free)
76 return bio
77
78
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -080079def _bio_to_string(bio):
80 """
81 Copy the contents of an OpenSSL BIO object into a Python byte string.
82 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -050083 result_buffer = _ffi.new('char**')
84 buffer_length = _lib.BIO_get_mem_data(bio, result_buffer)
85 return _ffi.buffer(result_buffer[0], buffer_length)[:]
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -080086
87
Jean-Paul Calderone57122982013-02-21 08:47:05 -080088def _set_asn1_time(boundary, when):
Jean-Paul Calderonee728e872013-12-29 10:37:15 -050089 """
90 The the time value of an ASN1 time object.
91
92 @param boundary: An ASN1_GENERALIZEDTIME pointer (or an object safely
93 castable to that type) which will have its value set.
94 @param when: A string representation of the desired time value.
95
96 @raise TypeError: If C{when} is not a L{bytes} string.
97 @raise ValueError: If C{when} does not represent a time in the required
98 format.
99 @raise RuntimeError: If the time value cannot be set for some other
100 (unspecified) reason.
101 """
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800102 if not isinstance(when, bytes):
103 raise TypeError("when must be a byte string")
104
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500105 set_result = _lib.ASN1_GENERALIZEDTIME_set_string(
106 _ffi.cast('ASN1_GENERALIZEDTIME*', boundary), when)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800107 if set_result == 0:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500108 dummy = _ffi.gc(_lib.ASN1_STRING_new(), _lib.ASN1_STRING_free)
109 _lib.ASN1_STRING_set(dummy, when, len(when))
110 check_result = _lib.ASN1_GENERALIZEDTIME_check(
111 _ffi.cast('ASN1_GENERALIZEDTIME*', dummy))
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800112 if not check_result:
113 raise ValueError("Invalid string")
114 else:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500115 _untested_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800116
117
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800118def _get_asn1_time(timestamp):
Jean-Paul Calderonee728e872013-12-29 10:37:15 -0500119 """
120 Retrieve the time value of an ASN1 time object.
121
122 @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to
123 that type) from which the time value will be retrieved.
124
125 @return: The time value from C{timestamp} as a L{bytes} string in a certain
126 format. Or C{None} if the object contains no time value.
127 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500128 string_timestamp = _ffi.cast('ASN1_STRING*', timestamp)
129 if _lib.ASN1_STRING_length(string_timestamp) == 0:
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800130 return None
Alex Gaynor5945ea82015-09-05 14:59:06 -0400131 elif (
132 _lib.ASN1_STRING_type(string_timestamp) == _lib.V_ASN1_GENERALIZEDTIME
133 ):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500134 return _ffi.string(_lib.ASN1_STRING_data(string_timestamp))
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800135 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500136 generalized_timestamp = _ffi.new("ASN1_GENERALIZEDTIME**")
137 _lib.ASN1_TIME_to_generalizedtime(timestamp, generalized_timestamp)
138 if generalized_timestamp[0] == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500139 # This may happen:
140 # - if timestamp was not an ASN1_TIME
141 # - if allocating memory for the ASN1_GENERALIZEDTIME failed
142 # - if a copy of the time data from timestamp cannot be made for
143 # the newly allocated ASN1_GENERALIZEDTIME
144 #
145 # These are difficult to test. cffi enforces the ASN1_TIME type.
146 # Memory allocation failures are a pain to trigger
147 # deterministically.
148 _untested_error("ASN1_TIME_to_generalizedtime")
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800149 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500150 string_timestamp = _ffi.cast(
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800151 "ASN1_STRING*", generalized_timestamp[0])
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500152 string_data = _lib.ASN1_STRING_data(string_timestamp)
153 string_result = _ffi.string(string_data)
154 _lib.ASN1_GENERALIZEDTIME_free(generalized_timestamp[0])
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800155 return string_result
156
157
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800158class PKey(object):
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200159 """
160 A class representing an DSA or RSA public key or key pair.
161 """
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800162 _only_public = False
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800163 _initialized = True
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800164
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800165 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500166 pkey = _lib.EVP_PKEY_new()
167 self._pkey = _ffi.gc(pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800168 self._initialized = False
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800169
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800170 def generate_key(self, type, bits):
171 """
Laurens Van Houtven90c09142015-04-23 10:52:49 -0700172 Generate a key pair of the given type, with the given number of bits.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800173
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200174 This generates a key "into" the this object.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800175
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200176 :param type: The key type.
177 :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA`
178 :param bits: The number of bits.
179 :type bits: :py:data:`int` ``>= 0``
180 :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't
181 of the appropriate type.
182 :raises ValueError: If the number of bits isn't an integer of
183 the appropriate size.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200184 :return: :py:const:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800185 """
186 if not isinstance(type, int):
187 raise TypeError("type must be an integer")
188
189 if not isinstance(bits, int):
190 raise TypeError("bits must be an integer")
191
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800192 # TODO Check error return
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500193 exponent = _lib.BN_new()
194 exponent = _ffi.gc(exponent, _lib.BN_free)
195 _lib.BN_set_word(exponent, _lib.RSA_F4)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800196
197 if type == TYPE_RSA:
198 if bits <= 0:
199 raise ValueError("Invalid number of bits")
200
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500201 rsa = _lib.RSA_new()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800202
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500203 result = _lib.RSA_generate_key_ex(rsa, bits, exponent, _ffi.NULL)
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500204 if result == 0:
205 # TODO: The test for this case is commented out. Different
206 # builds of OpenSSL appear to have different failure modes that
207 # make it hard to test. Visual inspection of the OpenSSL
208 # source reveals that a return value of 0 signals an error.
209 # Manual testing on a particular build of OpenSSL suggests that
210 # this is probably the appropriate way to handle those errors.
211 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800212
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500213 result = _lib.EVP_PKEY_assign_RSA(self._pkey, rsa)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800214 if not result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500215 # TODO: It appears as though this can fail if an engine is in
216 # use which does not support RSA.
217 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800218
219 elif type == TYPE_DSA:
Paul Kehrera0860b92016-03-09 21:39:27 -0400220 dsa = _lib.DSA_new()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500221 if dsa == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500222 # TODO: This is untested.
223 _raise_current_error()
Paul Kehrerafa5a662016-03-10 10:29:28 -0400224
225 dsa = _ffi.gc(dsa, _lib.DSA_free)
Paul Kehrera0860b92016-03-09 21:39:27 -0400226 res = _lib.DSA_generate_parameters_ex(
227 dsa, bits, _ffi.NULL, 0, _ffi.NULL, _ffi.NULL, _ffi.NULL
228 )
229 if not res == 1:
230 # TODO: This is untested.
231 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500232 if not _lib.DSA_generate_key(dsa):
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500233 # TODO: This is untested.
234 _raise_current_error()
Paul Kehrerafa5a662016-03-10 10:29:28 -0400235 if not _lib.EVP_PKEY_set1_DSA(self._pkey, dsa):
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500236 # TODO: This is untested.
237 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800238 else:
239 raise Error("No such key type")
240
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800241 self._initialized = True
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800242
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800243 def check(self):
244 """
245 Check the consistency of an RSA private key.
246
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200247 This is the Python equivalent of OpenSSL's ``RSA_check_key``.
248
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800249 :return: True if key is consistent.
250 :raise Error: if the key is inconsistent.
251 :raise TypeError: if the key is of a type which cannot be checked.
252 Only RSA keys can currently be checked.
253 """
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800254 if self._only_public:
255 raise TypeError("public key only")
256
Hynek Schlawack2a91ba32016-01-31 14:18:54 +0100257 if _lib.EVP_PKEY_type(self.type()) != _lib.EVP_PKEY_RSA:
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800258 raise TypeError("key type unsupported")
259
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500260 rsa = _lib.EVP_PKEY_get1_RSA(self._pkey)
261 rsa = _ffi.gc(rsa, _lib.RSA_free)
262 result = _lib.RSA_check_key(rsa)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800263 if result:
264 return True
265 _raise_current_error()
266
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800267 def type(self):
268 """
269 Returns the type of the key
270
271 :return: The type of the key.
272 """
Alex Gaynorc84567b2016-03-16 07:45:09 -0400273 return _lib.Cryptography_EVP_PKEY_id(self._pkey)
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800274
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800275 def bits(self):
276 """
277 Returns the number of bits of the key
278
279 :return: The number of bits of the key.
280 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500281 return _lib.EVP_PKEY_bits(self._pkey)
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800282PKeyType = PKey
283
284
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400285class _EllipticCurve(object):
286 """
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400287 A representation of a supported elliptic curve.
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400288
289 @cvar _curves: :py:obj:`None` until an attempt is made to load the curves.
290 Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve`
291 instances each of which represents one curve supported by the system.
292 @type _curves: :py:type:`NoneType` or :py:type:`set`
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400293 """
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400294 _curves = None
295
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400296 if _PY3:
Jean-Paul Calderonea5381052014-05-01 09:32:46 -0400297 # This only necessary on Python 3. Morever, it is broken on Python 2.
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400298 def __ne__(self, other):
Jean-Paul Calderonea5381052014-05-01 09:32:46 -0400299 """
300 Implement cooperation with the right-hand side argument of ``!=``.
301
302 Python 3 seems to have dropped this cooperation in this very narrow
303 circumstance.
304 """
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400305 if isinstance(other, _EllipticCurve):
306 return super(_EllipticCurve, self).__ne__(other)
307 return NotImplemented
Jean-Paul Calderone40da72d2014-05-01 09:25:17 -0400308
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400309 @classmethod
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400310 def _load_elliptic_curves(cls, lib):
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400311 """
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400312 Get the curves supported by OpenSSL.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400313
314 :param lib: The OpenSSL library binding object.
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400315
316 :return: A :py:type:`set` of ``cls`` instances giving the names of the
317 elliptic curves the underlying library supports.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400318 """
319 if lib.Cryptography_HAS_EC:
320 num_curves = lib.EC_get_builtin_curves(_ffi.NULL, 0)
321 builtin_curves = _ffi.new('EC_builtin_curve[]', num_curves)
Alex Gaynor5945ea82015-09-05 14:59:06 -0400322 # The return value on this call should be num_curves again. We
323 # could check it to make sure but if it *isn't* then.. what could
324 # we do? Abort the whole process, I suppose...? -exarkun
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400325 lib.EC_get_builtin_curves(builtin_curves, num_curves)
326 return set(
327 cls.from_nid(lib, c.nid)
328 for c in builtin_curves)
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400329 return set()
330
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400331 @classmethod
332 def _get_elliptic_curves(cls, lib):
333 """
334 Get, cache, and return the curves supported by OpenSSL.
335
336 :param lib: The OpenSSL library binding object.
337
338 :return: A :py:type:`set` of ``cls`` instances giving the names of the
339 elliptic curves the underlying library supports.
340 """
341 if cls._curves is None:
342 cls._curves = cls._load_elliptic_curves(lib)
343 return cls._curves
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400344
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400345 @classmethod
346 def from_nid(cls, lib, nid):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400347 """
348 Instantiate a new :py:class:`_EllipticCurve` associated with the given
349 OpenSSL NID.
350
351 :param lib: The OpenSSL library binding object.
352
353 :param nid: The OpenSSL NID the resulting curve object will represent.
354 This must be a curve NID (and not, for example, a hash NID) or
355 subsequent operations will fail in unpredictable ways.
356 :type nid: :py:class:`int`
357
358 :return: The curve object.
359 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400360 return cls(lib, nid, _ffi.string(lib.OBJ_nid2sn(nid)).decode("ascii"))
361
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400362 def __init__(self, lib, nid, name):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400363 """
364 :param _lib: The :py:mod:`cryptography` binding instance used to
365 interface with OpenSSL.
366
367 :param _nid: The OpenSSL NID identifying the curve this object
368 represents.
369 :type _nid: :py:class:`int`
370
371 :param name: The OpenSSL short name identifying the curve this object
372 represents.
373 :type name: :py:class:`unicode`
374 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400375 self._lib = lib
376 self._nid = nid
377 self.name = name
378
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400379 def __repr__(self):
380 return "<Curve %r>" % (self.name,)
381
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400382 def _to_EC_KEY(self):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400383 """
384 Create a new OpenSSL EC_KEY structure initialized to use this curve.
385
386 The structure is automatically garbage collected when the Python object
387 is garbage collected.
388 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400389 key = self._lib.EC_KEY_new_by_curve_name(self._nid)
390 return _ffi.gc(key, _lib.EC_KEY_free)
391
392
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400393def get_elliptic_curves():
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400394 """
395 Return a set of objects representing the elliptic curves supported in the
396 OpenSSL build in use.
397
398 The curve objects have a :py:class:`unicode` ``name`` attribute by which
399 they identify themselves.
400
401 The curve objects are useful as values for the argument accepted by
Jean-Paul Calderone3b04e352014-04-19 09:29:10 -0400402 :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be
403 used for ECDHE key exchange.
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400404 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400405 return _EllipticCurve._get_elliptic_curves(_lib)
406
407
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400408def get_elliptic_curve(name):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400409 """
410 Return a single curve object selected by name.
411
412 See :py:func:`get_elliptic_curves` for information about curve objects.
413
Jean-Paul Calderoned5839e22014-04-19 09:26:44 -0400414 :param name: The OpenSSL short name identifying the curve object to
415 retrieve.
416 :type name: :py:class:`unicode`
417
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400418 If the named curve is not supported then :py:class:`ValueError` is raised.
419 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400420 for curve in get_elliptic_curves():
421 if curve.name == name:
422 return curve
423 raise ValueError("unknown curve name", name)
424
425
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800426class X509Name(object):
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200427 """
428 An X.509 Distinguished Name.
429
430 :ivar countryName: The country of the entity.
431 :ivar C: Alias for :py:attr:`countryName`.
432
433 :ivar stateOrProvinceName: The state or province of the entity.
434 :ivar ST: Alias for :py:attr:`stateOrProvinceName`.
435
436 :ivar localityName: The locality of the entity.
437 :ivar L: Alias for :py:attr:`localityName`.
438
439 :ivar organizationName: The organization name of the entity.
440 :ivar O: Alias for :py:attr:`organizationName`.
441
442 :ivar organizationalUnitName: The organizational unit of the entity.
443 :ivar OU: Alias for :py:attr:`organizationalUnitName`
444
445 :ivar commonName: The common name of the entity.
446 :ivar CN: Alias for :py:attr:`commonName`.
447
448 :ivar emailAddress: The e-mail address of the entity.
449 """
Alex Gaynor5945ea82015-09-05 14:59:06 -0400450
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800451 def __init__(self, name):
452 """
453 Create a new X509Name, copying the given X509Name instance.
454
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200455 :param name: The name to copy.
456 :type name: :py:class:`X509Name`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800457 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500458 name = _lib.X509_NAME_dup(name._name)
459 self._name = _ffi.gc(name, _lib.X509_NAME_free)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800460
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800461 def __setattr__(self, name, value):
462 if name.startswith('_'):
463 return super(X509Name, self).__setattr__(name, value)
464
Jean-Paul Calderoneff363be2013-03-03 10:21:23 -0800465 # Note: we really do not want str subclasses here, so we do not use
466 # isinstance.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800467 if type(name) is not str:
468 raise TypeError("attribute name must be string, not '%.200s'" % (
Alex Gaynora738ed52015-09-05 11:17:10 -0400469 type(value).__name__,))
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800470
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500471 nid = _lib.OBJ_txt2nid(_byte_string(name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500472 if nid == _lib.NID_undef:
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800473 try:
474 _raise_current_error()
475 except Error:
476 pass
477 raise AttributeError("No such attribute")
478
479 # If there's an old entry for this NID, remove it
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500480 for i in range(_lib.X509_NAME_entry_count(self._name)):
481 ent = _lib.X509_NAME_get_entry(self._name, i)
482 ent_obj = _lib.X509_NAME_ENTRY_get_object(ent)
483 ent_nid = _lib.OBJ_obj2nid(ent_obj)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800484 if nid == ent_nid:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500485 ent = _lib.X509_NAME_delete_entry(self._name, i)
486 _lib.X509_NAME_ENTRY_free(ent)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800487 break
488
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500489 if isinstance(value, _text_type):
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800490 value = value.encode('utf-8')
491
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500492 add_result = _lib.X509_NAME_add_entry_by_NID(
493 self._name, nid, _lib.MBSTRING_UTF8, value, -1, -1, 0)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800494 if not add_result:
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500495 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800496
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800497 def __getattr__(self, name):
498 """
499 Find attribute. An X509Name object has the following attributes:
500 countryName (alias C), stateOrProvince (alias ST), locality (alias L),
Alex Gaynor5945ea82015-09-05 14:59:06 -0400501 organization (alias O), organizationalUnit (alias OU), commonName
502 (alias CN) and more...
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800503 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500504 nid = _lib.OBJ_txt2nid(_byte_string(name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500505 if nid == _lib.NID_undef:
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800506 # This is a bit weird. OBJ_txt2nid indicated failure, but it seems
507 # a lower level function, a2d_ASN1_OBJECT, also feels the need to
508 # push something onto the error queue. If we don't clean that up
509 # now, someone else will bump into it later and be quite confused.
510 # See lp#314814.
511 try:
512 _raise_current_error()
513 except Error:
514 pass
515 return super(X509Name, self).__getattr__(name)
516
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500517 entry_index = _lib.X509_NAME_get_index_by_NID(self._name, nid, -1)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800518 if entry_index == -1:
519 return None
520
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500521 entry = _lib.X509_NAME_get_entry(self._name, entry_index)
522 data = _lib.X509_NAME_ENTRY_get_data(entry)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800523
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500524 result_buffer = _ffi.new("unsigned char**")
525 data_length = _lib.ASN1_STRING_to_UTF8(result_buffer, data)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800526 if data_length < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500527 # TODO: This is untested.
528 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800529
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700530 try:
Alex Gaynor5945ea82015-09-05 14:59:06 -0400531 result = _ffi.buffer(
532 result_buffer[0], data_length
533 )[:].decode('utf-8')
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700534 finally:
535 # XXX untested
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500536 _lib.OPENSSL_free(result_buffer[0])
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800537 return result
538
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500539 def _cmp(op):
540 def f(self, other):
541 if not isinstance(other, X509Name):
542 return NotImplemented
543 result = _lib.X509_NAME_cmp(self._name, other._name)
544 return op(result, 0)
545 return f
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800546
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500547 __eq__ = _cmp(__eq__)
548 __ne__ = _cmp(__ne__)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800549
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500550 __lt__ = _cmp(__lt__)
551 __le__ = _cmp(__le__)
552
553 __gt__ = _cmp(__gt__)
554 __ge__ = _cmp(__ge__)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800555
556 def __repr__(self):
557 """
558 String representation of an X509Name
559 """
Alex Gaynor962ac212015-09-04 08:06:42 -0400560 result_buffer = _ffi.new("char[]", 512)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500561 format_result = _lib.X509_NAME_oneline(
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800562 self._name, result_buffer, len(result_buffer))
563
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500564 if format_result == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500565 # TODO: This is untested.
566 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800567
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500568 return "<X509Name object '%s'>" % (
569 _native(_ffi.string(result_buffer)),)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800570
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800571 def hash(self):
572 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200573 Return an integer representation of the first four bytes of the
574 MD5 digest of the DER representation of the name.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800575
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200576 This is the Python equivalent of OpenSSL's ``X509_NAME_hash``.
577
578 :return: The (integer) hash of this name.
579 :rtype: :py:class:`int`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800580 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500581 return _lib.X509_NAME_hash(self._name)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800582
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800583 def der(self):
584 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200585 Return the DER encoding of this name.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800586
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200587 :return: The DER encoded form of this name.
588 :rtype: :py:class:`bytes`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800589 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500590 result_buffer = _ffi.new('unsigned char**')
591 encode_result = _lib.i2d_X509_NAME(self._name, result_buffer)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800592 if encode_result < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500593 # TODO: This is untested.
594 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800595
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500596 string_result = _ffi.buffer(result_buffer[0], encode_result)[:]
597 _lib.OPENSSL_free(result_buffer[0])
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800598 return string_result
599
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800600 def get_components(self):
601 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200602 Returns the components of this name, as a sequence of 2-tuples.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800603
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200604 :return: The components of this name.
605 :rtype: :py:class:`list` of ``name, value`` tuples.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800606 """
607 result = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500608 for i in range(_lib.X509_NAME_entry_count(self._name)):
609 ent = _lib.X509_NAME_get_entry(self._name, i)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800610
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500611 fname = _lib.X509_NAME_ENTRY_get_object(ent)
612 fval = _lib.X509_NAME_ENTRY_get_data(ent)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800613
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500614 nid = _lib.OBJ_obj2nid(fname)
615 name = _lib.OBJ_nid2sn(nid)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800616
617 result.append((
Alex Gaynora738ed52015-09-05 11:17:10 -0400618 _ffi.string(name),
619 _ffi.string(
620 _lib.ASN1_STRING_data(fval),
621 _lib.ASN1_STRING_length(fval))))
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800622
623 return result
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200624
625
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800626X509NameType = X509Name
627
628
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800629class X509Extension(object):
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200630 """
631 An X.509 v3 certificate extension.
632 """
Alex Gaynor5945ea82015-09-05 14:59:06 -0400633
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800634 def __init__(self, type_name, critical, value, subject=None, issuer=None):
635 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200636 Initializes an X509 extension.
637
Alex Gaynor6f719912015-09-20 09:21:29 -0400638 :param type_name: The name of the type of extension to create. See
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200639 http://openssl.org/docs/apps/x509v3_config.html#STANDARD_EXTENSIONS
Alex Gaynor6f719912015-09-20 09:21:29 -0400640 :type type_name: :py:data:`bytes`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800641
Alex Gaynor5945ea82015-09-05 14:59:06 -0400642 :param bool critical: A flag indicating whether this is a critical
643 extension.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800644
645 :param value: The value of the extension.
Maximilian Hils0de43752015-09-18 15:26:54 +0200646 :type value: :py:data:`bytes`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800647
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200648 :param subject: Optional X509 certificate to use as subject.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800649 :type subject: :py:class:`X509`
650
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200651 :param issuer: Optional X509 certificate to use as issuer.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800652 :type issuer: :py:class:`X509`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800653 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500654 ctx = _ffi.new("X509V3_CTX*")
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800655
Alex Gaynor5945ea82015-09-05 14:59:06 -0400656 # A context is necessary for any extension which uses the r2i
657 # conversion method. That is, X509V3_EXT_nconf may segfault if passed
658 # a NULL ctx. Start off by initializing most of the fields to NULL.
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500659 _lib.X509V3_set_ctx(ctx, _ffi.NULL, _ffi.NULL, _ffi.NULL, _ffi.NULL, 0)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800660
661 # We have no configuration database - but perhaps we should (some
662 # extensions may require it).
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500663 _lib.X509V3_set_ctx_nodb(ctx)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800664
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800665 # Initialize the subject and issuer, if appropriate. ctx is a local,
666 # and as far as I can tell none of the X509V3_* APIs invoked here steal
Alex Gaynora738ed52015-09-05 11:17:10 -0400667 # any references, so no need to mess with reference counts or
668 # duplicates.
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800669 if issuer is not None:
670 if not isinstance(issuer, X509):
671 raise TypeError("issuer must be an X509 instance")
672 ctx.issuer_cert = issuer._x509
673 if subject is not None:
674 if not isinstance(subject, X509):
675 raise TypeError("subject must be an X509 instance")
676 ctx.subject_cert = subject._x509
677
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800678 if critical:
679 # There are other OpenSSL APIs which would let us pass in critical
680 # separately, but they're harder to use, and since value is already
681 # a pile of crappy junk smuggling a ton of utterly important
682 # structured data, what's the point of trying to avoid nasty stuff
Alex Gaynor5945ea82015-09-05 14:59:06 -0400683 # with strings? (However, X509V3_EXT_i2d in particular seems like
684 # it would be a better API to invoke. I do not know where to get
685 # the ext_struc it desires for its last parameter, though.)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500686 value = b"critical," + value
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800687
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500688 extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
689 if extension == _ffi.NULL:
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800690 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500691 self._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800692
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400693 @property
694 def _nid(self):
Paul Kehrere8f91cc2016-03-09 21:26:29 -0400695 return _lib.OBJ_obj2nid(
696 _lib.X509_EXTENSION_get_object(self._extension)
697 )
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400698
699 _prefixes = {
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500700 _lib.GEN_EMAIL: "email",
701 _lib.GEN_DNS: "DNS",
702 _lib.GEN_URI: "URI",
Alex Gaynora738ed52015-09-05 11:17:10 -0400703 }
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400704
705 def _subjectAltNameString(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500706 method = _lib.X509V3_EXT_get(self._extension)
707 if method == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500708 # TODO: This is untested.
709 _raise_current_error()
Paul Kehrere8f91cc2016-03-09 21:26:29 -0400710 ext_data = _lib.X509_EXTENSION_get_data(self._extension)
711 payload = ext_data.data
712 length = ext_data.length
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400713
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500714 payloadptr = _ffi.new("unsigned char**")
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400715 payloadptr[0] = payload
716
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500717 if method.it != _ffi.NULL:
718 ptr = _lib.ASN1_ITEM_ptr(method.it)
719 data = _lib.ASN1_item_d2i(_ffi.NULL, payloadptr, length, ptr)
720 names = _ffi.cast("GENERAL_NAMES*", data)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400721 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500722 names = _ffi.cast(
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400723 "GENERAL_NAMES*",
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500724 method.d2i(_ffi.NULL, payloadptr, length))
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400725
Paul Kehrerb7d79502015-05-04 07:43:51 -0500726 names = _ffi.gc(names, _lib.GENERAL_NAMES_free)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400727 parts = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500728 for i in range(_lib.sk_GENERAL_NAME_num(names)):
729 name = _lib.sk_GENERAL_NAME_value(names, i)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400730 try:
731 label = self._prefixes[name.type]
732 except KeyError:
733 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500734 _lib.GENERAL_NAME_print(bio, name)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500735 parts.append(_native(_bio_to_string(bio)))
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400736 else:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500737 value = _native(
738 _ffi.buffer(name.d.ia5.data, name.d.ia5.length)[:])
739 parts.append(label + ":" + value)
740 return ", ".join(parts)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400741
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800742 def __str__(self):
743 """
744 :return: a nice text representation of the extension
745 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500746 if _lib.NID_subject_alt_name == self._nid:
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400747 return self._subjectAltNameString()
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800748
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400749 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500750 print_result = _lib.X509V3_EXT_print(bio, self._extension, 0, 0)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800751 if not print_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500752 # TODO: This is untested.
753 _raise_current_error()
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800754
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500755 return _native(_bio_to_string(bio))
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800756
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800757 def get_critical(self):
758 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200759 Returns the critical field of this X.509 extension.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800760
761 :return: The critical field.
762 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500763 return _lib.X509_EXTENSION_get_critical(self._extension)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800764
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800765 def get_short_name(self):
766 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200767 Returns the short type name of this X.509 extension.
768
769 The result is a byte string such as :py:const:`b"basicConstraints"`.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800770
771 :return: The short type name.
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200772 :rtype: :py:data:`bytes`
773
774 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800775 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500776 obj = _lib.X509_EXTENSION_get_object(self._extension)
777 nid = _lib.OBJ_obj2nid(obj)
778 return _ffi.string(_lib.OBJ_nid2sn(nid))
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800779
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800780 def get_data(self):
781 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200782 Returns the data of the X509 extension, encoded as ASN.1.
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800783
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200784 :return: The ASN.1 encoded data of this X509 extension.
785 :rtype: :py:data:`bytes`
786
787 .. versionadded:: 0.12
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800788 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500789 octet_result = _lib.X509_EXTENSION_get_data(self._extension)
790 string_result = _ffi.cast('ASN1_STRING*', octet_result)
791 char_result = _lib.ASN1_STRING_data(string_result)
792 result_length = _lib.ASN1_STRING_length(string_result)
793 return _ffi.buffer(char_result, result_length)[:]
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800794
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200795
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800796X509ExtensionType = X509Extension
797
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800798
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800799class X509Req(object):
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200800 """
801 An X.509 certificate signing requests.
802 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400803
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800804 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500805 req = _lib.X509_REQ_new()
806 self._req = _ffi.gc(req, _lib.X509_REQ_free)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800807
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800808 def set_pubkey(self, pkey):
809 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200810 Set the public key of the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800811
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200812 :param pkey: The public key to use.
813 :type pkey: :py:class:`PKey`
814
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200815 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800816 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500817 set_result = _lib.X509_REQ_set_pubkey(self._req, pkey._pkey)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800818 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500819 # TODO: This is untested.
820 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800821
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800822 def get_pubkey(self):
823 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200824 Get the public key of the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800825
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200826 :return: The public key.
827 :rtype: :py:class:`PKey`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800828 """
829 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500830 pkey._pkey = _lib.X509_REQ_get_pubkey(self._req)
831 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500832 # TODO: This is untested.
833 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500834 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800835 pkey._only_public = True
836 return pkey
837
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800838 def set_version(self, version):
839 """
840 Set the version subfield (RFC 2459, section 4.1.2.1) of the certificate
841 request.
842
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200843 :param int version: The version number.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200844 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800845 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500846 set_result = _lib.X509_REQ_set_version(self._req, version)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800847 if not set_result:
848 _raise_current_error()
849
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800850 def get_version(self):
851 """
852 Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate
853 request.
854
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200855 :return: The value of the version subfield.
856 :rtype: :py:class:`int`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800857 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500858 return _lib.X509_REQ_get_version(self._req)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800859
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800860 def get_subject(self):
861 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200862 Return the subject of this certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800863
Cory Benfield881dc8d2015-12-09 08:25:14 +0000864 This creates a new :class:`X509Name` that wraps the underlying subject
865 name field on the certificate signing request. Modifying it will modify
866 the underlying signing request, and will have the effect of modifying
867 any other :class:`X509Name` that refers to this subject.
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200868
869 :return: The subject of this certificate signing request.
Cory Benfield881dc8d2015-12-09 08:25:14 +0000870 :rtype: :class:`X509Name`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800871 """
872 name = X509Name.__new__(X509Name)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500873 name._name = _lib.X509_REQ_get_subject_name(self._req)
874 if name._name == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500875 # TODO: This is untested.
876 _raise_current_error()
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800877
878 # The name is owned by the X509Req structure. As long as the X509Name
879 # Python object is alive, keep the X509Req Python object alive.
880 name._owner = self
881
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800882 return name
883
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800884 def add_extensions(self, extensions):
885 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200886 Add extensions to the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800887
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200888 :param extensions: The X.509 extensions to add.
889 :type extensions: iterable of :py:class:`X509Extension`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200890 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800891 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500892 stack = _lib.sk_X509_EXTENSION_new_null()
893 if stack == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500894 # TODO: This is untested.
895 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800896
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500897 stack = _ffi.gc(stack, _lib.sk_X509_EXTENSION_free)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800898
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800899 for ext in extensions:
900 if not isinstance(ext, X509Extension):
Jean-Paul Calderonec2154b72013-02-20 14:29:37 -0800901 raise ValueError("One of the elements is not an X509Extension")
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800902
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800903 # TODO push can fail (here and elsewhere)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500904 _lib.sk_X509_EXTENSION_push(stack, ext._extension)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800905
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500906 add_result = _lib.X509_REQ_add_extensions(self._req, stack)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800907 if not add_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500908 # TODO: This is untested.
909 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800910
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800911 def get_extensions(self):
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800912 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200913 Get X.509 extensions in the certificate signing request.
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800914
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200915 :return: The X.509 extensions in this request.
916 :rtype: :py:class:`list` of :py:class:`X509Extension` objects.
917
918 .. versionadded:: 0.15
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800919 """
920 exts = []
Jean-Paul Calderone9479d732014-03-02 08:04:54 -0500921 native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
Jean-Paul Calderoneb7a79b42014-03-02 08:06:47 -0500922 for i in range(_lib.sk_X509_EXTENSION_num(native_exts_obj)):
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800923 ext = X509Extension.__new__(X509Extension)
Jean-Paul Calderone9479d732014-03-02 08:04:54 -0500924 ext._extension = _lib.sk_X509_EXTENSION_value(native_exts_obj, i)
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800925 exts.append(ext)
926 return exts
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800927
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800928 def sign(self, pkey, digest):
929 """
Laurens Van Houtven6f2e4262015-04-23 10:48:32 -0700930 Sign the certificate signing request with this key and digest type.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800931
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200932 :param pkey: The key pair to sign with.
933 :type pkey: :py:class:`PKey`
934 :param digest: The name of the message digest to use for the signature,
935 e.g. :py:data:`b"sha1"`.
936 :type digest: :py:class:`bytes`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200937 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800938 """
939 if pkey._only_public:
940 raise ValueError("Key has only public part")
941
942 if not pkey._initialized:
943 raise ValueError("Key is uninitialized")
944
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500945 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500946 if digest_obj == _ffi.NULL:
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800947 raise ValueError("No such digest method")
948
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500949 sign_result = _lib.X509_REQ_sign(self._req, pkey._pkey, digest_obj)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800950 if not sign_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500951 # TODO: This is untested.
952 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800953
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800954 def verify(self, pkey):
955 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200956 Verifies the signature on this certificate signing request.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800957
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200958 :param key: A public key.
959 :type key: :py:class:`PKey`
960 :return: :py:data:`True` if the signature is correct.
961 :rtype: :py:class:`bool`
962 :raises Error: If the signature is invalid or there is a
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800963 problem verifying the signature.
964 """
965 if not isinstance(pkey, PKey):
966 raise TypeError("pkey must be a PKey instance")
967
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500968 result = _lib.X509_REQ_verify(self._req, pkey._pkey)
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800969 if result <= 0:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500970 _raise_current_error()
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800971
972 return result
973
974
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800975X509ReqType = X509Req
976
977
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800978class X509(object):
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200979 """
980 An X.509 certificate.
981 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400982
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800983 def __init__(self):
984 # TODO Allocation failure? And why not __new__ instead of __init__?
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500985 x509 = _lib.X509_new()
986 self._x509 = _ffi.gc(x509, _lib.X509_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800987
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800988 def set_version(self, version):
989 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200990 Set the version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800991
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200992 :param version: The version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800993 :type version: :py:class:`int`
994
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200995 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800996 """
997 if not isinstance(version, int):
998 raise TypeError("version must be an integer")
999
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001000 _lib.X509_set_version(self._x509, version)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001001
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001002 def get_version(self):
1003 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001004 Return the version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001005
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001006 :return: The version number of the certificate.
1007 :rtype: :py:class:`int`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001008 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001009 return _lib.X509_get_version(self._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001010
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -08001011 def get_pubkey(self):
1012 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001013 Get the public key of the certificate.
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -08001014
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001015 :return: The public key.
1016 :rtype: :py:class:`PKey`
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -08001017 """
1018 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001019 pkey._pkey = _lib.X509_get_pubkey(self._x509)
1020 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -08001021 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001022 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -08001023 pkey._only_public = True
1024 return pkey
1025
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001026 def set_pubkey(self, pkey):
1027 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001028 Set the public key of the certificate.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001029
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001030 :param pkey: The public key.
1031 :type pkey: :py:class:`PKey`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001032
Laurens Van Houtven33fcf122015-04-23 10:50:08 -07001033 :return: :py:data:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001034 """
1035 if not isinstance(pkey, PKey):
1036 raise TypeError("pkey must be a PKey instance")
1037
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001038 set_result = _lib.X509_set_pubkey(self._x509, pkey._pkey)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001039 if not set_result:
1040 _raise_current_error()
1041
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001042 def sign(self, pkey, digest):
1043 """
Laurens Van Houtven6f2e4262015-04-23 10:48:32 -07001044 Sign the certificate with this key and digest type.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001045
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001046 :param pkey: The key to sign with.
1047 :type pkey: :py:class:`PKey`
1048
1049 :param digest: The name of the message digest to use.
1050 :type digest: :py:class:`bytes`
1051
Laurens Van Houtvena367fe82015-04-23 10:49:12 -07001052 :return: :py:data:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001053 """
1054 if not isinstance(pkey, PKey):
1055 raise TypeError("pkey must be a PKey instance")
1056
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -08001057 if pkey._only_public:
1058 raise ValueError("Key only has public part")
1059
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -08001060 if not pkey._initialized:
1061 raise ValueError("Key is uninitialized")
1062
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001063 evp_md = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001064 if evp_md == _ffi.NULL:
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001065 raise ValueError("No such digest method")
1066
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001067 sign_result = _lib.X509_sign(self._x509, pkey._pkey, evp_md)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -08001068 if not sign_result:
1069 _raise_current_error()
1070
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -08001071 def get_signature_algorithm(self):
1072 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001073 Return the signature algorithm used in the certificate.
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -08001074
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001075 :return: The name of the algorithm.
1076 :rtype: :py:class:`bytes`
1077
1078 :raises ValueError: If the signature algorithm is undefined.
1079
Laurens Van Houtven0dd87402015-04-23 10:47:18 -07001080 .. versionadded:: 0.13
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -08001081 """
1082 alg = self._x509.cert_info.signature.algorithm
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001083 nid = _lib.OBJ_obj2nid(alg)
1084 if nid == _lib.NID_undef:
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -08001085 raise ValueError("Undefined signature algorithm")
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001086 return _ffi.string(_lib.OBJ_nid2ln(nid))
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -08001087
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -08001088 def digest(self, digest_name):
1089 """
1090 Return the digest of the X509 object.
1091
1092 :param digest_name: The name of the digest algorithm to use.
1093 :type digest_name: :py:class:`bytes`
1094
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001095 :return: The digest of the object, formatted as
1096 :py:const:`b":"`-delimited hex pairs.
1097 :rtype: :py:class:`bytes`
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -08001098 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001099 digest = _lib.EVP_get_digestbyname(_byte_string(digest_name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001100 if digest == _ffi.NULL:
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -08001101 raise ValueError("No such digest method")
1102
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001103 result_buffer = _ffi.new("char[]", _lib.EVP_MAX_MD_SIZE)
1104 result_length = _ffi.new("unsigned int[]", 1)
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -08001105 result_length[0] = len(result_buffer)
1106
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001107 digest_result = _lib.X509_digest(
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -08001108 self._x509, digest, result_buffer, result_length)
1109
1110 if not digest_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001111 # TODO: This is untested.
1112 _raise_current_error()
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -08001113
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001114 return b":".join([
Alex Gaynora738ed52015-09-05 11:17:10 -04001115 b16encode(ch).upper() for ch
1116 in _ffi.buffer(result_buffer, result_length[0])])
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -08001117
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001118 def subject_name_hash(self):
1119 """
1120 Return the hash of the X509 subject.
1121
1122 :return: The hash of the subject.
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001123 :rtype: :py:class:`bytes`
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001124 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001125 return _lib.X509_subject_name_hash(self._x509)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001126
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001127 def set_serial_number(self, serial):
1128 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001129 Set the serial number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001130
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001131 :param serial: The new serial number.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001132 :type serial: :py:class:`int`
1133
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001134 :return: :py:data`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001135 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001136 if not isinstance(serial, _integer_types):
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001137 raise TypeError("serial must be an integer")
1138
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001139 hex_serial = hex(serial)[2:]
1140 if not isinstance(hex_serial, bytes):
1141 hex_serial = hex_serial.encode('ascii')
1142
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001143 bignum_serial = _ffi.new("BIGNUM**")
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001144
1145 # BN_hex2bn stores the result in &bignum. Unless it doesn't feel like
Alex Gaynor5945ea82015-09-05 14:59:06 -04001146 # it. If bignum is still NULL after this call, then the return value
1147 # is actually the result. I hope. -exarkun
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001148 small_serial = _lib.BN_hex2bn(bignum_serial, hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001149
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001150 if bignum_serial[0] == _ffi.NULL:
1151 set_result = _lib.ASN1_INTEGER_set(
1152 _lib.X509_get_serialNumber(self._x509), small_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001153 if set_result:
1154 # TODO Not tested
1155 _raise_current_error()
1156 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001157 asn1_serial = _lib.BN_to_ASN1_INTEGER(bignum_serial[0], _ffi.NULL)
1158 _lib.BN_free(bignum_serial[0])
1159 if asn1_serial == _ffi.NULL:
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001160 # TODO Not tested
1161 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001162 asn1_serial = _ffi.gc(asn1_serial, _lib.ASN1_INTEGER_free)
1163 set_result = _lib.X509_set_serialNumber(self._x509, asn1_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001164 if not set_result:
1165 # TODO Not tested
1166 _raise_current_error()
1167
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001168 def get_serial_number(self):
1169 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001170 Return the serial number of this certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001171
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001172 :return: The serial number.
1173 :rtype: :py:class:`int`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001174 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001175 asn1_serial = _lib.X509_get_serialNumber(self._x509)
1176 bignum_serial = _lib.ASN1_INTEGER_to_BN(asn1_serial, _ffi.NULL)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001177 try:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001178 hex_serial = _lib.BN_bn2hex(bignum_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001179 try:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001180 hexstring_serial = _ffi.string(hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001181 serial = int(hexstring_serial, 16)
1182 return serial
1183 finally:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001184 _lib.OPENSSL_free(hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -08001185 finally:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001186 _lib.BN_free(bignum_serial)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001187
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001188 def gmtime_adj_notAfter(self, amount):
1189 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001190 Adjust the time stamp on which the certificate stops being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001191
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001192 :param amount: The number of seconds by which to adjust the timestamp.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001193 :type amount: :py:class:`int`
1194
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001195 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001196 """
1197 if not isinstance(amount, int):
1198 raise TypeError("amount must be an integer")
1199
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001200 notAfter = _lib.X509_get_notAfter(self._x509)
1201 _lib.X509_gmtime_adj(notAfter, amount)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001202
Jean-Paul Calderone662afe52013-02-20 08:41:11 -08001203 def gmtime_adj_notBefore(self, amount):
1204 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001205 Adjust the timestamp on which the certificate starts being valid.
Jean-Paul Calderone662afe52013-02-20 08:41:11 -08001206
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001207 :param amount: The number of seconds by which to adjust the timestamp.
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001208 :return: :py:const:`None`
Jean-Paul Calderone662afe52013-02-20 08:41:11 -08001209 """
1210 if not isinstance(amount, int):
1211 raise TypeError("amount must be an integer")
1212
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001213 notBefore = _lib.X509_get_notBefore(self._x509)
1214 _lib.X509_gmtime_adj(notBefore, amount)
Jean-Paul Calderone662afe52013-02-20 08:41:11 -08001215
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001216 def has_expired(self):
1217 """
1218 Check whether the certificate has expired.
1219
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001220 :return: :py:const:`True` if the certificate has expired,
1221 :py:const:`False` otherwise.
1222 :rtype: :py:class:`bool`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001223 """
Paul Kehrer8d887e12015-10-24 09:09:55 -05001224 time_string = _native(self.get_notAfter())
Paul Kehrerfde45c92016-01-21 12:57:37 -06001225 not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
Paul Kehrer5d5d28d2015-10-21 18:55:22 -05001226
Paul Kehrerfde45c92016-01-21 12:57:37 -06001227 return not_after < datetime.datetime.utcnow()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001228
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001229 def _get_boundary_time(self, which):
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001230 return _get_asn1_time(which(self._x509))
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001231
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001232 def get_notBefore(self):
1233 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001234 Get the timestamp at which the certificate starts being valid.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001235
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001236 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001237
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001238 YYYYMMDDhhmmssZ
1239 YYYYMMDDhhmmss+hhmm
1240 YYYYMMDDhhmmss-hhmm
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001241
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001242 :return: A timestamp string, or :py:const:`None` if there is none.
1243 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001244 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001245 return self._get_boundary_time(_lib.X509_get_notBefore)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001246
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001247 def _set_boundary_time(self, which, when):
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001248 return _set_asn1_time(which(self._x509), when)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001249
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001250 def set_notBefore(self, when):
1251 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001252 Set the timestamp at which the certificate starts being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001253
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001254 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001255
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001256 YYYYMMDDhhmmssZ
1257 YYYYMMDDhhmmss+hhmm
1258 YYYYMMDDhhmmss-hhmm
1259
1260 :param when: A timestamp string.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001261 :type when: :py:class:`bytes`
1262
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001263 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001264 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001265 return self._set_boundary_time(_lib.X509_get_notBefore, when)
Jean-Paul Calderoned7d81272013-02-19 13:16:03 -08001266
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001267 def get_notAfter(self):
1268 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001269 Get the timestamp at which the certificate stops being valid.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001270
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001271 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001272
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001273 YYYYMMDDhhmmssZ
1274 YYYYMMDDhhmmss+hhmm
1275 YYYYMMDDhhmmss-hhmm
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001276
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001277 :return: A timestamp string, or :py:const:`None` if there is none.
1278 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001279 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001280 return self._get_boundary_time(_lib.X509_get_notAfter)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001281
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001282 def set_notAfter(self, when):
1283 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001284 Set the timestamp at which the certificate stops being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001285
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001286 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001287
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001288 YYYYMMDDhhmmssZ
1289 YYYYMMDDhhmmss+hhmm
1290 YYYYMMDDhhmmss-hhmm
1291
1292 :param when: A timestamp string.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001293 :type when: :py:class:`bytes`
1294
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001295 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001296 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001297 return self._set_boundary_time(_lib.X509_get_notAfter, when)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001298
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001299 def _get_name(self, which):
1300 name = X509Name.__new__(X509Name)
1301 name._name = which(self._x509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001302 if name._name == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001303 # TODO: This is untested.
1304 _raise_current_error()
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08001305
1306 # The name is owned by the X509 structure. As long as the X509Name
1307 # Python object is alive, keep the X509 Python object alive.
1308 name._owner = self
1309
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001310 return name
1311
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001312 def _set_name(self, which, name):
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001313 if not isinstance(name, X509Name):
1314 raise TypeError("name must be an X509Name")
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001315 set_result = which(self._x509, name._name)
1316 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001317 # TODO: This is untested.
1318 _raise_current_error()
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001319
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001320 def get_issuer(self):
1321 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001322 Return the issuer of this certificate.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001323
Cory Benfielde6bcce82015-12-09 08:40:03 +00001324 This creates a new :class:`X509Name` that wraps the underlying issuer
1325 name field on the certificate. Modifying it will modify the underlying
1326 certificate, and will have the effect of modifying any other
1327 :class:`X509Name` that refers to this issuer.
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001328
1329 :return: The issuer of this certificate.
Cory Benfielde6bcce82015-12-09 08:40:03 +00001330 :rtype: :class:`X509Name`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001331 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001332 return self._get_name(_lib.X509_get_issuer_name)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001333
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001334 def set_issuer(self, issuer):
1335 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001336 Set the issuer of this certificate.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001337
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001338 :param issuer: The issuer.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001339 :type issuer: :py:class:`X509Name`
1340
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001341 :return: :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -08001342 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001343 return self._set_name(_lib.X509_set_issuer_name, issuer)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001344
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001345 def get_subject(self):
1346 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001347 Return the subject of this certificate.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001348
Cory Benfielde6bcce82015-12-09 08:40:03 +00001349 This creates a new :class:`X509Name` that wraps the underlying subject
1350 name field on the certificate. Modifying it will modify the underlying
1351 certificate, and will have the effect of modifying any other
1352 :class:`X509Name` that refers to this subject.
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001353
1354 :return: The subject of this certificate.
Cory Benfielde6bcce82015-12-09 08:40:03 +00001355 :rtype: :class:`X509Name`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001356 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001357 return self._get_name(_lib.X509_get_subject_name)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001358
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001359 def set_subject(self, subject):
1360 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001361 Set the subject of this certificate.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001362
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001363 :param subject: The subject.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001364 :type subject: :py:class:`X509Name`
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001365
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001366 :return: :py:const:`None`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -08001367 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001368 return self._set_name(_lib.X509_set_subject_name, subject)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001369
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001370 def get_extension_count(self):
1371 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001372 Get the number of extensions on this certificate.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001373
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001374 :return: The number of extensions.
1375 :rtype: :py:class:`int`
1376
1377 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001378 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001379 return _lib.X509_get_ext_count(self._x509)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001380
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001381 def add_extensions(self, extensions):
1382 """
1383 Add extensions to the certificate.
1384
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001385 :param extensions: The extensions to add.
1386 :type extensions: An iterable of :py:class:`X509Extension` objects.
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001387 :return: :py:const:`None`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001388 """
1389 for ext in extensions:
1390 if not isinstance(ext, X509Extension):
1391 raise ValueError("One of the elements is not an X509Extension")
1392
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001393 add_result = _lib.X509_add_ext(self._x509, ext._extension, -1)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001394 if not add_result:
1395 _raise_current_error()
1396
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001397 def get_extension(self, index):
1398 """
1399 Get a specific extension of the certificate by index.
1400
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02001401 Extensions on a certificate are kept in order. The index
1402 parameter selects which extension will be returned.
1403
1404 :param int index: The index of the extension to retrieve.
1405 :return: The extension at the specified index.
1406 :rtype: :py:class:`X509Extension`
1407 :raises IndexError: If the extension index was out of bounds.
1408
1409 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001410 """
1411 ext = X509Extension.__new__(X509Extension)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001412 ext._extension = _lib.X509_get_ext(self._x509, index)
1413 if ext._extension == _ffi.NULL:
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001414 raise IndexError("extension index out of bounds")
1415
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001416 extension = _lib.X509_EXTENSION_dup(ext._extension)
1417 ext._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -08001418 return ext
1419
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +02001420
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001421X509Type = X509
1422
1423
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001424class X509Store(object):
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +02001425 """
1426 An X509 certificate store.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +02001427 """
Alex Gaynora738ed52015-09-05 11:17:10 -04001428
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001429 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001430 store = _lib.X509_STORE_new()
1431 self._store = _ffi.gc(store, _lib.X509_STORE_free)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001432
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001433 def add_cert(self, cert):
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +02001434 """
1435 Adds the certificate :py:data:`cert` to this store.
1436
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +02001437 This is the Python equivalent of OpenSSL's ``X509_STORE_add_cert``.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +02001438
1439 :param X509 cert: The certificate to add to this store.
1440 :raises TypeError: If the certificate is not an :py:class:`X509`.
1441 :raises Error: If OpenSSL was unhappy with your certificate.
Laurens Van Houtven5ee60b32015-04-23 10:51:16 -07001442 :return: :py:data:`None` if the certificate was added successfully.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +02001443 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001444 if not isinstance(cert, X509):
1445 raise TypeError()
1446
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001447 result = _lib.X509_STORE_add_cert(self._store, cert._x509)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001448 if not result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -05001449 _raise_current_error()
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -08001450
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001451
1452X509StoreType = X509Store
1453
1454
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001455class X509StoreContextError(Exception):
1456 """
Stephen Holsapple8ad4a192015-06-09 22:51:43 -07001457 An exception raised when an error occurred while verifying a certificate
1458 using `OpenSSL.X509StoreContext.verify_certificate`.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001459
Jean-Paul Calderonefeb17432015-03-15 15:49:45 -04001460 :ivar certificate: The certificate which caused verificate failure.
Stephen Holsapple8ad4a192015-06-09 22:51:43 -07001461 :type certificate: :class:`X509`
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001462 """
Alex Gaynora738ed52015-09-05 11:17:10 -04001463
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001464 def __init__(self, message, certificate):
1465 super(X509StoreContextError, self).__init__(message)
1466 self.certificate = certificate
1467
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001468
Stephen Holsapple0d9815f2014-08-27 19:36:53 -07001469class X509StoreContext(object):
1470 """
1471 An X.509 store context.
1472
Jean-Paul Calderone13a81682015-01-18 15:49:15 -05001473 An :py:class:`X509StoreContext` is used to define some of the criteria for
1474 certificate verification. The information encapsulated in this object
1475 includes, but is not limited to, a set of trusted certificates,
1476 verification parameters, and revoked certificates.
1477
Stephen Holsapple8ad4a192015-06-09 22:51:43 -07001478 .. note::
1479
1480 Currently, one can only set the trusted certificates on an
1481 :py:class:`X509StoreContext`. Future versions of pyOpenSSL will expose
1482 verification parameters and certificate revocation lists.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -07001483
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -05001484 :ivar _store_ctx: The underlying X509_STORE_CTX structure used by this
1485 instance. It is dynamically allocated and automatically garbage
1486 collected.
1487
Jean-Paul Calderone64b6b842015-03-15 16:08:02 -04001488 :ivar _store: See the ``store`` ``__init__`` parameter.
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -05001489
Jean-Paul Calderone64b6b842015-03-15 16:08:02 -04001490 :ivar _cert: See the ``certificate`` ``__init__`` parameter.
Stephen Holsapple8ad4a192015-06-09 22:51:43 -07001491
1492 :param X509Store store: The certificates which will be trusted for the
1493 purposes of any verifications.
1494
1495 :param X509 certificate: The certificate to be verified.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -07001496 """
1497
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -05001498 def __init__(self, store, certificate):
Stephen Holsapple0d9815f2014-08-27 19:36:53 -07001499 store_ctx = _lib.X509_STORE_CTX_new()
1500 self._store_ctx = _ffi.gc(store_ctx, _lib.X509_STORE_CTX_free)
1501 self._store = store
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -05001502 self._cert = certificate
Stephen Holsapple46a09252015-02-12 14:45:43 -08001503 # Make the store context available for use after instantiating this
1504 # class by initializing it now. Per testing, subsequent calls to
1505 # :py:meth:`_init` have no adverse affect.
1506 self._init()
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -05001507
Stephen Holsapple0d9815f2014-08-27 19:36:53 -07001508 def _init(self):
1509 """
1510 Set up the store context for a subsequent verification operation.
1511 """
Alex Gaynor5945ea82015-09-05 14:59:06 -04001512 ret = _lib.X509_STORE_CTX_init(
1513 self._store_ctx, self._store._store, self._cert._x509, _ffi.NULL
1514 )
Stephen Holsapple0d9815f2014-08-27 19:36:53 -07001515 if ret <= 0:
1516 _raise_current_error()
1517
1518 def _cleanup(self):
1519 """
1520 Internally cleans up the store context.
1521
1522 The store context can then be reused with a new call to
Stephen Holsapple46a09252015-02-12 14:45:43 -08001523 :py:meth:`_init`.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -07001524 """
1525 _lib.X509_STORE_CTX_cleanup(self._store_ctx)
1526
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001527 def _exception_from_context(self):
1528 """
1529 Convert an OpenSSL native context error failure into a Python
1530 exception.
1531
Alex Gaynor5945ea82015-09-05 14:59:06 -04001532 When a call to native OpenSSL X509_verify_cert fails, additional
1533 information about the failure can be obtained from the store context.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001534 """
1535 errors = [
1536 _lib.X509_STORE_CTX_get_error(self._store_ctx),
1537 _lib.X509_STORE_CTX_get_error_depth(self._store_ctx),
1538 _native(_ffi.string(_lib.X509_verify_cert_error_string(
Alex Gaynor5945ea82015-09-05 14:59:06 -04001539 _lib.X509_STORE_CTX_get_error(self._store_ctx)))),
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001540 ]
Stephen Holsapple1f713eb2015-02-09 19:19:44 -08001541 # A context error should always be associated with a certificate, so we
1542 # expect this call to never return :class:`None`.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001543 _x509 = _lib.X509_STORE_CTX_get_current_cert(self._store_ctx)
Stephen Holsapple1f713eb2015-02-09 19:19:44 -08001544 _cert = _lib.X509_dup(_x509)
1545 pycert = X509.__new__(X509)
1546 pycert._x509 = _ffi.gc(_cert, _lib.X509_free)
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001547 return X509StoreContextError(errors, pycert)
1548
Stephen Holsapple46a09252015-02-12 14:45:43 -08001549 def set_store(self, store):
1550 """
1551 Set the context's trust store.
1552
Stephen Holsapple8ad4a192015-06-09 22:51:43 -07001553 .. versionadded:: 0.15
1554
Stephen Holsapple46a09252015-02-12 14:45:43 -08001555 :param X509Store store: The certificates which will be trusted for the
1556 purposes of any *future* verifications.
1557 """
1558 self._store = store
1559
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001560 def verify_certificate(self):
1561 """
1562 Verify a certificate in a context.
1563
Stephen Holsapple8ad4a192015-06-09 22:51:43 -07001564 .. versionadded:: 0.15
1565
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001566 :param store_ctx: The :py:class:`X509StoreContext` to verify.
Stephen Holsapple8ad4a192015-06-09 22:51:43 -07001567
Alex Gaynorca87ff62015-09-04 23:31:03 -04001568 :raises X509StoreContextError: If an error occurred when validating a
Alex Gaynor5945ea82015-09-05 14:59:06 -04001569 certificate in the context. Sets ``certificate`` attribute to
1570 indicate which certificate caused the error.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001571 """
Stephen Holsapple46a09252015-02-12 14:45:43 -08001572 # Always re-initialize the store context in case
1573 # :py:meth:`verify_certificate` is called multiple times.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -08001574 self._init()
1575 ret = _lib.X509_verify_cert(self._store_ctx)
1576 self._cleanup()
1577 if ret <= 0:
1578 raise self._exception_from_context()
1579
1580
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001581def load_certificate(type, buffer):
1582 """
1583 Load a certificate from a buffer
1584
1585 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
1586
1587 :param buffer: The buffer the certificate is stored in
1588 :type buffer: :py:class:`bytes`
1589
1590 :return: The X509 object
1591 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -05001592 if isinstance(buffer, _text_type):
1593 buffer = buffer.encode("ascii")
1594
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08001595 bio = _new_mem_buf(buffer)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001596
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08001597 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001598 x509 = _lib.PEM_read_bio_X509(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08001599 elif type == FILETYPE_ASN1:
Alex Gaynor962ac212015-09-04 08:06:42 -04001600 x509 = _lib.d2i_X509_bio(bio, _ffi.NULL)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08001601 else:
1602 raise ValueError(
1603 "type argument must be FILETYPE_PEM or FILETYPE_ASN1")
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001604
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001605 if x509 == _ffi.NULL:
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001606 _raise_current_error()
1607
1608 cert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001609 cert._x509 = _ffi.gc(x509, _lib.X509_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001610 return cert
1611
1612
1613def dump_certificate(type, cert):
1614 """
1615 Dump a certificate to a buffer
1616
Jean-Paul Calderonea12e7d22013-04-03 08:17:34 -04001617 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or
1618 FILETYPE_TEXT)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001619 :param cert: The certificate to dump
1620 :return: The buffer with the dumped certificate in
1621 """
Jean-Paul Calderone0c73aff2013-03-02 07:45:12 -08001622 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08001623
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001624 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001625 result_code = _lib.PEM_write_bio_X509(bio, cert._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001626 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001627 result_code = _lib.i2d_X509_bio(bio, cert._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001628 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001629 result_code = _lib.X509_print_ex(bio, cert._x509, 0, 0)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001630 else:
1631 raise ValueError(
1632 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
1633 "FILETYPE_TEXT")
1634
Alex Gaynorc7a9eb52015-09-05 16:57:49 -04001635 assert result_code == 1
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001636 return _bio_to_string(bio)
1637
1638
Cory Benfield6492f7c2015-10-27 16:57:58 +09001639def dump_publickey(type, pkey):
1640 """
Cory Benfield11c10192015-10-27 17:23:03 +09001641 Dump a public key to a buffer.
Cory Benfield6492f7c2015-10-27 16:57:58 +09001642
Cory Benfield9c590b92015-10-28 14:55:05 +09001643 :param type: The file type (one of :data:`FILETYPE_PEM` or
Cory Benfielde813cec2015-10-28 08:57:08 +09001644 :data:`FILETYPE_ASN1`).
Cory Benfield2b6bb802015-10-28 22:19:31 +09001645 :param PKey pkey: The public key to dump
Cory Benfield6492f7c2015-10-27 16:57:58 +09001646 :return: The buffer with the dumped key in it.
Cory Benfield11c10192015-10-27 17:23:03 +09001647 :rtype: bytes
Cory Benfield6492f7c2015-10-27 16:57:58 +09001648 """
1649 bio = _new_mem_buf()
1650 if type == FILETYPE_PEM:
1651 write_bio = _lib.PEM_write_bio_PUBKEY
1652 elif type == FILETYPE_ASN1:
1653 write_bio = _lib.i2d_PUBKEY_bio
1654 else:
1655 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
1656
1657 result_code = write_bio(bio, pkey._pkey)
Cory Benfield1e9c7ab2015-10-28 08:58:31 +09001658 if result_code != 1: # pragma: no cover
Cory Benfield6492f7c2015-10-27 16:57:58 +09001659 _raise_current_error()
1660
1661 return _bio_to_string(bio)
1662
1663
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001664def dump_privatekey(type, pkey, cipher=None, passphrase=None):
1665 """
1666 Dump a private key to a buffer
1667
Jean-Paul Calderonee66fde22013-04-03 08:35:08 -04001668 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or
1669 FILETYPE_TEXT)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001670 :param pkey: The PKey to dump
1671 :param cipher: (optional) if encrypted PEM format, the cipher to
1672 use
1673 :param passphrase: (optional) if encrypted PEM format, this can be either
1674 the passphrase to use, or a callback for providing the
1675 passphrase.
1676 :return: The buffer with the dumped key in
Maximilian Hils0de43752015-09-18 15:26:54 +02001677 :rtype: :py:data:`bytes`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001678 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -08001679 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08001680
1681 if cipher is not None:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001682 if passphrase is None:
1683 raise TypeError(
1684 "if a value is given for cipher "
1685 "one must also be given for passphrase")
1686 cipher_obj = _lib.EVP_get_cipherbyname(_byte_string(cipher))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001687 if cipher_obj == _ffi.NULL:
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08001688 raise ValueError("Invalid cipher name")
1689 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001690 cipher_obj = _ffi.NULL
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001691
Jean-Paul Calderone23478b32013-02-20 13:31:38 -08001692 helper = _PassphraseHelper(type, passphrase)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001693 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001694 result_code = _lib.PEM_write_bio_PrivateKey(
1695 bio, pkey._pkey, cipher_obj, _ffi.NULL, 0,
Jean-Paul Calderone23478b32013-02-20 13:31:38 -08001696 helper.callback, helper.callback_args)
1697 helper.raise_if_problem()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001698 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001699 result_code = _lib.i2d_PrivateKey_bio(bio, pkey._pkey)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001700 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001701 rsa = _lib.EVP_PKEY_get1_RSA(pkey._pkey)
1702 result_code = _lib.RSA_print(bio, rsa, 0)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08001703 # TODO RSA_free(rsa)?
1704 else:
1705 raise ValueError(
1706 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
1707 "FILETYPE_TEXT")
1708
1709 if result_code == 0:
1710 _raise_current_error()
1711
1712 return _bio_to_string(bio)
1713
1714
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001715class Revoked(object):
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001716 """
1717 A certificate revocation.
1718 """
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001719 # http://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_
1720 # which differs from crl_reasons of crypto/x509v3/v3_enum.c that matches
1721 # OCSP_crl_reason_str. We use the latter, just like the command line
1722 # program.
1723 _crl_reasons = [
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001724 b"unspecified",
1725 b"keyCompromise",
1726 b"CACompromise",
1727 b"affiliationChanged",
1728 b"superseded",
1729 b"cessationOfOperation",
1730 b"certificateHold",
1731 # b"removeFromCRL",
Alex Gaynorca87ff62015-09-04 23:31:03 -04001732 ]
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001733
1734 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001735 revoked = _lib.X509_REVOKED_new()
1736 self._revoked = _ffi.gc(revoked, _lib.X509_REVOKED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001737
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001738 def set_serial(self, hex_str):
1739 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001740 Set the serial number.
1741
1742 The serial number is formatted as a hexadecimal number encoded in
1743 ASCII.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001744
1745 :param hex_str: The new serial number.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001746 :type hex_str: :py:class:`bytes`
1747
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001748 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001749 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001750 bignum_serial = _ffi.gc(_lib.BN_new(), _lib.BN_free)
1751 bignum_ptr = _ffi.new("BIGNUM**")
Jean-Paul Calderonefd371362013-03-01 20:53:58 -08001752 bignum_ptr[0] = bignum_serial
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001753 bn_result = _lib.BN_hex2bn(bignum_ptr, hex_str)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001754 if not bn_result:
1755 raise ValueError("bad hex string")
1756
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001757 asn1_serial = _ffi.gc(
1758 _lib.BN_to_ASN1_INTEGER(bignum_serial, _ffi.NULL),
1759 _lib.ASN1_INTEGER_free)
1760 _lib.X509_REVOKED_set_serialNumber(self._revoked, asn1_serial)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001761
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001762 def get_serial(self):
1763 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001764 Get the serial number.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001765
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001766 The serial number is formatted as a hexadecimal number encoded in
1767 ASCII.
1768
1769 :return: The serial number.
1770 :rtype: :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001771 """
Jean-Paul Calderonefd371362013-03-01 20:53:58 -08001772 bio = _new_mem_buf()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001773
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001774 result = _lib.i2a_ASN1_INTEGER(bio, self._revoked.serialNumber)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001775 if result < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001776 # TODO: This is untested.
1777 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001778
1779 return _bio_to_string(bio)
1780
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001781 def _delete_reason(self):
1782 stack = self._revoked.extensions
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001783 for i in range(_lib.sk_X509_EXTENSION_num(stack)):
1784 ext = _lib.sk_X509_EXTENSION_value(stack, i)
Paul Kehrere8f91cc2016-03-09 21:26:29 -04001785 obj = _lib.X509_EXTENSION_get_object(ext)
1786 if _lib.OBJ_obj2nid(obj) == _lib.NID_crl_reason:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001787 _lib.X509_EXTENSION_free(ext)
1788 _lib.sk_X509_EXTENSION_delete(stack, i)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001789 break
1790
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001791 def set_reason(self, reason):
1792 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001793 Set the reason of this revocation.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001794
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001795 If :py:data:`reason` is :py:const:`None`, delete the reason instead.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001796
1797 :param reason: The reason string.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001798 :type reason: :py:class:`bytes` or :py:class:`NoneType`
1799
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001800 :return: :py:const:`None`
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001801
1802 .. seealso::
1803
1804 :py:meth:`all_reasons`, which gives you a list of all supported
1805 reasons which you might pass to this method.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001806 """
1807 if reason is None:
1808 self._delete_reason()
1809 elif not isinstance(reason, bytes):
1810 raise TypeError("reason must be None or a byte string")
1811 else:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001812 reason = reason.lower().replace(b' ', b'')
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001813 reason_code = [r.lower() for r in self._crl_reasons].index(reason)
1814
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001815 new_reason_ext = _lib.ASN1_ENUMERATED_new()
1816 if new_reason_ext == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001817 # TODO: This is untested.
1818 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001819 new_reason_ext = _ffi.gc(new_reason_ext, _lib.ASN1_ENUMERATED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001820
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001821 set_result = _lib.ASN1_ENUMERATED_set(new_reason_ext, reason_code)
1822 if set_result == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001823 # TODO: This is untested.
1824 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001825
1826 self._delete_reason()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001827 add_result = _lib.X509_REVOKED_add1_ext_i2d(
1828 self._revoked, _lib.NID_crl_reason, new_reason_ext, 0, 0)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001829
1830 if not add_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001831 # TODO: This is untested.
1832 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001833
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001834 def get_reason(self):
1835 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001836 Set the reason of this revocation.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001837
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001838 :return: The reason, or :py:const:`None` if there is none.
1839 :rtype: :py:class:`bytes` or :py:class:`NoneType`
1840
1841 .. seealso::
1842
1843 :py:meth:`all_reasons`, which gives you a list of all supported
1844 reasons this method might return.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001845 """
1846 extensions = self._revoked.extensions
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001847 for i in range(_lib.sk_X509_EXTENSION_num(extensions)):
1848 ext = _lib.sk_X509_EXTENSION_value(extensions, i)
Paul Kehrere8f91cc2016-03-09 21:26:29 -04001849 obj = _lib.X509_EXTENSION_get_object(ext)
1850 if _lib.OBJ_obj2nid(obj) == _lib.NID_crl_reason:
Jean-Paul Calderonefd371362013-03-01 20:53:58 -08001851 bio = _new_mem_buf()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001852
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001853 print_result = _lib.X509V3_EXT_print(bio, ext, 0, 0)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001854 if not print_result:
Alex Gaynor5945ea82015-09-05 14:59:06 -04001855 print_result = _lib.M_ASN1_OCTET_STRING_print(
Paul Kehrere8f91cc2016-03-09 21:26:29 -04001856 bio, _lib.X509_EXTENSION_get_data(ext)
Alex Gaynor5945ea82015-09-05 14:59:06 -04001857 )
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001858 if print_result == 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001859 # TODO: This is untested.
1860 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001861
1862 return _bio_to_string(bio)
1863
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001864 def all_reasons(self):
1865 """
1866 Return a list of all the supported reason strings.
1867
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001868 This list is a copy; modifying it does not change the supported reason
1869 strings.
1870
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001871 :return: A list of reason strings.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001872 :rtype: :py:class:`list` of :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001873 """
1874 return self._crl_reasons[:]
1875
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001876 def set_rev_date(self, when):
1877 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001878 Set the revocation timestamp.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001879
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001880 :param when: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
1881 :type when: :py:class:`bytes`
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001882 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001883 """
1884 return _set_asn1_time(self._revoked.revocationDate, when)
1885
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001886 def get_rev_date(self):
1887 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001888 Get the revocation timestamp.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001889
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +02001890 :return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
1891 :rtype: :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001892 """
1893 return _get_asn1_time(self._revoked.revocationDate)
1894
1895
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001896class CRL(object):
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001897 """
1898 A certificate revocation list.
1899 """
Alex Gaynora738ed52015-09-05 11:17:10 -04001900
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001901 def __init__(self):
1902 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001903 Create a new empty certificate revocation list.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001904 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001905 crl = _lib.X509_CRL_new()
1906 self._crl = _ffi.gc(crl, _lib.X509_CRL_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001907
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001908 def get_revoked(self):
1909 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001910 Return the revocations in this certificate revocation list.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001911
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001912 These revocations will be provided by value, not by reference.
1913 That means it's okay to mutate them: it won't affect this CRL.
1914
1915 :return: The revocations in this CRL.
1916 :rtype: :py:class:`tuple` of :py:class:`Revocation`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001917 """
1918 results = []
1919 revoked_stack = self._crl.crl.revoked
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001920 for i in range(_lib.sk_X509_REVOKED_num(revoked_stack)):
1921 revoked = _lib.sk_X509_REVOKED_value(revoked_stack, i)
Paul Kehrer2fe23b02016-03-09 22:02:15 -04001922 revoked_copy = _lib.Cryptography_X509_REVOKED_dup(revoked)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001923 pyrev = Revoked.__new__(Revoked)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001924 pyrev._revoked = _ffi.gc(revoked_copy, _lib.X509_REVOKED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001925 results.append(pyrev)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08001926 if results:
1927 return tuple(results)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001928
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001929 def add_revoked(self, revoked):
1930 """
1931 Add a revoked (by value not reference) to the CRL structure
1932
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001933 This revocation will be added by value, not by reference. That
1934 means it's okay to mutate it after adding: it won't affect
1935 this CRL.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001936
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001937 :param revoked: The new revocation.
1938 :type revoked: :class:`Revoked`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001939
Laurens Van Houtvena7904582014-06-19 12:33:04 +02001940 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001941 """
Paul Kehrer8dddb1a2016-03-09 21:48:04 -04001942 copy = _lib.Cryptography_X509_REVOKED_dup(revoked._revoked)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001943 if copy == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001944 # TODO: This is untested.
1945 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001946
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001947 add_result = _lib.X509_CRL_add0_revoked(self._crl, copy)
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001948 if add_result == 0:
1949 # TODO: This is untested.
1950 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001951
Jean-Paul Calderone60432792015-04-13 12:26:07 -04001952 def export(self, cert, key, type=FILETYPE_PEM, days=100,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -04001953 digest=_UNSPECIFIED):
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001954 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001955 Export a CRL as a string.
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001956
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001957 :param cert: The certificate used to sign the CRL.
1958 :type cert: :py:class:`X509`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001959
Laurens Van Houtvencb32e852014-06-19 17:36:28 +02001960 :param key: The key used to sign the CRL.
1961 :type key: :py:class:`PKey`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001962
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -04001963 :param type: The export format, either :py:data:`FILETYPE_PEM`,
1964 :py:data:`FILETYPE_ASN1`, or :py:data:`FILETYPE_TEXT`.
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -04001965
Jean-Paul Calderonedf514012015-04-13 21:45:18 -04001966 :param int days: The number of days until the next update of this CRL.
Bulat Gaifullin5f9eea42014-09-23 19:35:15 +04001967
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -04001968 :param bytes digest: The name of the message digest to use (eg
1969 ``b"sha1"``).
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001970
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -04001971 :return: :py:data:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001972 """
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08001973 if not isinstance(cert, X509):
1974 raise TypeError("cert must be an X509 instance")
1975 if not isinstance(key, PKey):
1976 raise TypeError("key must be a PKey instance")
1977 if not isinstance(type, int):
1978 raise TypeError("type must be an integer")
Jean-Paul Calderone57122982013-02-21 08:47:05 -08001979
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -04001980 if digest is _UNSPECIFIED:
Jean-Paul Calderone60432792015-04-13 12:26:07 -04001981 _warn(
1982 "The default message digest (md5) is deprecated. "
1983 "Pass the name of a message digest explicitly.",
1984 category=DeprecationWarning,
1985 stacklevel=2,
1986 )
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -04001987 digest = b"md5"
Jean-Paul Calderone60432792015-04-13 12:26:07 -04001988
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -04001989 digest_obj = _lib.EVP_get_digestbyname(digest)
Bulat Gaifullin2923dc02014-09-21 22:36:48 +04001990 if digest_obj == _ffi.NULL:
1991 raise ValueError("No such digest method")
1992
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05001993 bio = _lib.BIO_new(_lib.BIO_s_mem())
1994 if bio == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05001995 # TODO: This is untested.
1996 _raise_current_error()
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08001997
Alex Gaynora738ed52015-09-05 11:17:10 -04001998 # A scratch time object to give different values to different CRL
1999 # fields
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002000 sometime = _lib.ASN1_TIME_new()
2001 if sometime == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002002 # TODO: This is untested.
2003 _raise_current_error()
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08002004
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002005 _lib.X509_gmtime_adj(sometime, 0)
2006 _lib.X509_CRL_set_lastUpdate(self._crl, sometime)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08002007
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002008 _lib.X509_gmtime_adj(sometime, days * 24 * 60 * 60)
2009 _lib.X509_CRL_set_nextUpdate(self._crl, sometime)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08002010
Alex Gaynor5945ea82015-09-05 14:59:06 -04002011 _lib.X509_CRL_set_issuer_name(
2012 self._crl, _lib.X509_get_subject_name(cert._x509)
2013 )
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08002014
Bulat Gaifullin2923dc02014-09-21 22:36:48 +04002015 sign_result = _lib.X509_CRL_sign(self._crl, key._pkey, digest_obj)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08002016 if not sign_result:
2017 _raise_current_error()
2018
Dominic Chenf05b2122015-10-13 16:32:35 +00002019 return dump_crl(type, self)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08002020
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -08002021
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002022CRLType = CRL
2023
2024
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002025class PKCS7(object):
2026 def type_is_signed(self):
2027 """
2028 Check if this NID_pkcs7_signed object
2029
2030 :return: True if the PKCS7 is of type signed
2031 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002032 if _lib.PKCS7_type_is_signed(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002033 return True
2034 return False
2035
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002036 def type_is_enveloped(self):
2037 """
2038 Check if this NID_pkcs7_enveloped object
2039
2040 :returns: True if the PKCS7 is of type enveloped
2041 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002042 if _lib.PKCS7_type_is_enveloped(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002043 return True
2044 return False
2045
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002046 def type_is_signedAndEnveloped(self):
2047 """
2048 Check if this NID_pkcs7_signedAndEnveloped object
2049
2050 :returns: True if the PKCS7 is of type signedAndEnveloped
2051 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002052 if _lib.PKCS7_type_is_signedAndEnveloped(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002053 return True
2054 return False
2055
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002056 def type_is_data(self):
2057 """
2058 Check if this NID_pkcs7_data object
2059
2060 :return: True if the PKCS7 is of type data
2061 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002062 if _lib.PKCS7_type_is_data(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002063 return True
2064 return False
2065
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002066 def get_type_name(self):
2067 """
2068 Returns the type name of the PKCS7 structure
2069
2070 :return: A string with the typename
2071 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002072 nid = _lib.OBJ_obj2nid(self._pkcs7.type)
2073 string_type = _lib.OBJ_nid2sn(nid)
2074 return _ffi.string(string_type)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002075
2076PKCS7Type = PKCS7
2077
2078
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002079class PKCS12(object):
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002080 """
2081 A PKCS #12 archive.
2082 """
Alex Gaynora738ed52015-09-05 11:17:10 -04002083
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002084 def __init__(self):
2085 self._pkey = None
2086 self._cert = None
2087 self._cacerts = None
2088 self._friendlyname = None
2089
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002090 def get_certificate(self):
2091 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002092 Get the certificate in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002093
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002094 :return: The certificate, or :py:const:`None` if there is none.
2095 :rtype: :py:class:`X509` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002096 """
2097 return self._cert
2098
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002099 def set_certificate(self, cert):
2100 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002101 Set the certificate in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002102
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002103 :param cert: The new certificate, or :py:const:`None` to unset it.
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002104 :type cert: :py:class:`X509` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002105
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002106 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002107 """
2108 if not isinstance(cert, X509):
2109 raise TypeError("cert must be an X509 instance")
2110 self._cert = cert
2111
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002112 def get_privatekey(self):
2113 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002114 Get the private key in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002115
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002116 :return: The private key, or :py:const:`None` if there is none.
2117 :rtype: :py:class:`PKey`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002118 """
2119 return self._pkey
2120
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002121 def set_privatekey(self, pkey):
2122 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002123 Set the certificate portion of the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002124
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002125 :param pkey: The new private key, or :py:const:`None` to unset it.
2126 :type pkey: :py:class:`PKey` or :py:const:`None`
2127
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002128 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002129 """
2130 if not isinstance(pkey, PKey):
2131 raise TypeError("pkey must be a PKey instance")
2132 self._pkey = pkey
2133
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002134 def get_ca_certificates(self):
2135 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002136 Get the CA certificates in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002137
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002138 :return: A tuple with the CA certificates in the chain, or
2139 :py:const:`None` if there are none.
2140 :rtype: :py:class:`tuple` of :py:class:`X509` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002141 """
2142 if self._cacerts is not None:
2143 return tuple(self._cacerts)
2144
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002145 def set_ca_certificates(self, cacerts):
2146 """
Alex Gaynor3b0ee972014-11-15 09:17:33 -08002147 Replace or set the CA certificates within the PKCS12 object.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002148
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002149 :param cacerts: The new CA certificates, or :py:const:`None` to unset
2150 them.
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002151 :type cacerts: An iterable of :py:class:`X509` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002152
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002153 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002154 """
2155 if cacerts is None:
2156 self._cacerts = None
2157 else:
2158 cacerts = list(cacerts)
2159 for cert in cacerts:
2160 if not isinstance(cert, X509):
Alex Gaynor5945ea82015-09-05 14:59:06 -04002161 raise TypeError(
2162 "iterable must only contain X509 instances"
2163 )
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002164 self._cacerts = cacerts
2165
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002166 def set_friendlyname(self, name):
2167 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002168 Set the friendly name in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002169
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002170 :param name: The new friendly name, or :py:const:`None` to unset.
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002171 :type name: :py:class:`bytes` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002172
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002173 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002174 """
2175 if name is None:
2176 self._friendlyname = None
2177 elif not isinstance(name, bytes):
Alex Gaynor5945ea82015-09-05 14:59:06 -04002178 raise TypeError(
2179 "name must be a byte string or None (not %r)" % (name,)
2180 )
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002181 self._friendlyname = name
2182
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002183 def get_friendlyname(self):
2184 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002185 Get the friendly name in the PKCS# 12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002186
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002187 :returns: The friendly name, or :py:const:`None` if there is none.
2188 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002189 """
2190 return self._friendlyname
2191
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002192 def export(self, passphrase=None, iter=2048, maciter=1):
2193 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002194 Dump a PKCS12 object as a string.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002195
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002196 For more information, see the :c:func:`PKCS12_create` man page.
2197
2198 :param passphrase: The passphrase used to encrypt the structure. Unlike
2199 some other passphrase arguments, this *must* be a string, not a
2200 callback.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002201 :type passphrase: :py:data:`bytes`
2202
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002203 :param iter: Number of times to repeat the encryption step.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002204 :type iter: :py:data:`int`
2205
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002206 :param maciter: Number of times to repeat the MAC step.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002207 :type maciter: :py:data:`int`
2208
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002209 :return: The string representation of the PKCS #12 structure.
2210 :rtype:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002211 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -04002212 passphrase = _text_to_bytes_and_warn("passphrase", passphrase)
Abraham Martine82326c2015-02-04 10:18:10 +00002213
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002214 if self._cacerts is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002215 cacerts = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002216 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002217 cacerts = _lib.sk_X509_new_null()
2218 cacerts = _ffi.gc(cacerts, _lib.sk_X509_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002219 for cert in self._cacerts:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002220 _lib.sk_X509_push(cacerts, cert._x509)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002221
2222 if passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002223 passphrase = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002224
2225 friendlyname = self._friendlyname
2226 if friendlyname is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002227 friendlyname = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002228
2229 if self._pkey is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002230 pkey = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002231 else:
2232 pkey = self._pkey._pkey
2233
2234 if self._cert is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002235 cert = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002236 else:
2237 cert = self._cert._x509
2238
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002239 pkcs12 = _lib.PKCS12_create(
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002240 passphrase, friendlyname, pkey, cert, cacerts,
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002241 _lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
2242 _lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002243 iter, maciter, 0)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002244 if pkcs12 == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002245 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002246 pkcs12 = _ffi.gc(pkcs12, _lib.PKCS12_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002247
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -08002248 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002249 _lib.i2d_PKCS12_bio(bio, pkcs12)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002250 return _bio_to_string(bio)
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -08002251
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +02002252
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002253PKCS12Type = PKCS12
2254
2255
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002256class NetscapeSPKI(object):
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002257 """
2258 A Netscape SPKI object.
2259 """
Alex Gaynora738ed52015-09-05 11:17:10 -04002260
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002261 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002262 spki = _lib.NETSCAPE_SPKI_new()
2263 self._spki = _ffi.gc(spki, _lib.NETSCAPE_SPKI_free)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002264
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002265 def sign(self, pkey, digest):
2266 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002267 Sign the certificate request with this key and digest type.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002268
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002269 :param pkey: The private key to sign with.
2270 :type pkey: :py:class:`PKey`
2271
2272 :param digest: The message digest to use.
2273 :type digest: :py:class:`bytes`
2274
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002275 :return: :py:const:`None`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002276 """
2277 if pkey._only_public:
2278 raise ValueError("Key has only public part")
2279
2280 if not pkey._initialized:
2281 raise ValueError("Key is uninitialized")
2282
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002283 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002284 if digest_obj == _ffi.NULL:
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002285 raise ValueError("No such digest method")
2286
Alex Gaynor5945ea82015-09-05 14:59:06 -04002287 sign_result = _lib.NETSCAPE_SPKI_sign(
2288 self._spki, pkey._pkey, digest_obj
2289 )
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002290 if not sign_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002291 # TODO: This is untested.
2292 _raise_current_error()
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002293
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002294 def verify(self, key):
2295 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002296 Verifies a signature on a certificate request.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002297
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002298 :param key: The public key that signature is supposedly from.
2299 :type pkey: :py:class:`PKey`
2300
2301 :return: :py:const:`True` if the signature is correct.
2302 :rtype: :py:class:`bool`
2303
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02002304 :raises Error: If the signature is invalid, or there was a problem
2305 verifying the signature.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002306 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002307 answer = _lib.NETSCAPE_SPKI_verify(self._spki, key._pkey)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002308 if answer <= 0:
2309 _raise_current_error()
2310 return True
2311
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002312 def b64_encode(self):
2313 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002314 Generate a base64 encoded representation of this SPKI object.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002315
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002316 :return: The base64 encoded string.
2317 :rtype: :py:class:`bytes`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002318 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002319 encoded = _lib.NETSCAPE_SPKI_b64_encode(self._spki)
2320 result = _ffi.string(encoded)
Paul Kehrer0dcacf72016-03-17 19:25:39 -04002321 _lib.OPENSSL_free(encoded)
Jean-Paul Calderone2c2e21d2013-03-02 16:50:35 -08002322 return result
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002323
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002324 def get_pubkey(self):
2325 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002326 Get the public key of this certificate.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002327
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002328 :return: The public key.
2329 :rtype: :py:class:`PKey`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002330 """
2331 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002332 pkey._pkey = _lib.NETSCAPE_SPKI_get_pubkey(self._spki)
2333 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002334 # TODO: This is untested.
2335 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002336 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002337 pkey._only_public = True
2338 return pkey
2339
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002340 def set_pubkey(self, pkey):
2341 """
2342 Set the public key of the certificate
2343
2344 :param pkey: The public key
Laurens Van Houtvena7904582014-06-19 12:33:04 +02002345 :return: :py:const:`None`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002346 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002347 set_result = _lib.NETSCAPE_SPKI_set_pubkey(self._spki, pkey._pkey)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002348 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002349 # TODO: This is untested.
2350 _raise_current_error()
Laurens Van Houtven59152b52014-06-19 16:42:30 +02002351
2352
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -08002353NetscapeSPKIType = NetscapeSPKI
2354
2355
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002356class _PassphraseHelper(object):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -08002357 def __init__(self, type, passphrase, more_args=False, truncate=False):
Jean-Paul Calderone23478b32013-02-20 13:31:38 -08002358 if type != FILETYPE_PEM and passphrase is not None:
Alex Gaynor5945ea82015-09-05 14:59:06 -04002359 raise ValueError(
2360 "only FILETYPE_PEM key format supports encryption"
2361 )
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002362 self._passphrase = passphrase
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -08002363 self._more_args = more_args
2364 self._truncate = truncate
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002365 self._problems = []
2366
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002367 @property
2368 def callback(self):
2369 if self._passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002370 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002371 elif isinstance(self._passphrase, bytes):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002372 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002373 elif callable(self._passphrase):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002374 return _ffi.callback("pem_password_cb", self._read_passphrase)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002375 else:
2376 raise TypeError("Last argument must be string or callable")
2377
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002378 @property
2379 def callback_args(self):
2380 if self._passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002381 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002382 elif isinstance(self._passphrase, bytes):
2383 return self._passphrase
2384 elif callable(self._passphrase):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002385 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002386 else:
2387 raise TypeError("Last argument must be string or callable")
2388
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -08002389 def raise_if_problem(self, exceptionType=Error):
2390 try:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -05002391 _exception_from_error_queue(exceptionType)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -08002392 except exceptionType as e:
Jean-Paul Calderone9b4115f2014-01-10 14:06:04 -05002393 from_queue = e
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002394 if self._problems:
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002395 raise self._problems[0]
Jean-Paul Calderone9b4115f2014-01-10 14:06:04 -05002396 return from_queue
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002397
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002398 def _read_passphrase(self, buf, size, rwflag, userdata):
2399 try:
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -08002400 if self._more_args:
2401 result = self._passphrase(size, rwflag, userdata)
2402 else:
2403 result = self._passphrase(rwflag)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002404 if not isinstance(result, bytes):
2405 raise ValueError("String expected")
2406 if len(result) > size:
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -08002407 if self._truncate:
2408 result = result[:size]
2409 else:
Alex Gaynor5945ea82015-09-05 14:59:06 -04002410 raise ValueError(
2411 "passphrase returned by callback is too long"
2412 )
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002413 for i in range(len(result)):
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002414 buf[i] = result[i:i + 1]
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002415 return len(result)
2416 except Exception as e:
2417 self._problems.append(e)
2418 return 0
2419
2420
Cory Benfield6492f7c2015-10-27 16:57:58 +09002421def load_publickey(type, buffer):
2422 """
Cory Benfield11c10192015-10-27 17:23:03 +09002423 Load a public key from a buffer.
Cory Benfield6492f7c2015-10-27 16:57:58 +09002424
Cory Benfield9c590b92015-10-28 14:55:05 +09002425 :param type: The file type (one of :data:`FILETYPE_PEM`,
Cory Benfielde813cec2015-10-28 08:57:08 +09002426 :data:`FILETYPE_ASN1`).
Cory Benfieldc9c30a22015-10-28 17:39:20 +09002427 :param buffer: The buffer the key is stored in.
2428 :type buffer: A Python string object, either unicode or bytestring.
2429 :return: The PKey object.
2430 :rtype: :class:`PKey`
Cory Benfield6492f7c2015-10-27 16:57:58 +09002431 """
2432 if isinstance(buffer, _text_type):
2433 buffer = buffer.encode("ascii")
2434
2435 bio = _new_mem_buf(buffer)
2436
2437 if type == FILETYPE_PEM:
2438 evp_pkey = _lib.PEM_read_bio_PUBKEY(
2439 bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
2440 elif type == FILETYPE_ASN1:
2441 evp_pkey = _lib.d2i_PUBKEY_bio(bio, _ffi.NULL)
2442 else:
2443 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2444
2445 if evp_pkey == _ffi.NULL:
2446 _raise_current_error()
2447
2448 pkey = PKey.__new__(PKey)
2449 pkey._pkey = _ffi.gc(evp_pkey, _lib.EVP_PKEY_free)
2450 return pkey
2451
2452
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002453def load_privatekey(type, buffer, passphrase=None):
2454 """
2455 Load a private key from a buffer
2456
2457 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2458 :param buffer: The buffer the key is stored in
2459 :param passphrase: (optional) if encrypted PEM format, this can be
2460 either the passphrase to use, or a callback for
2461 providing the passphrase.
2462
2463 :return: The PKey object
2464 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -05002465 if isinstance(buffer, _text_type):
2466 buffer = buffer.encode("ascii")
2467
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08002468 bio = _new_mem_buf(buffer)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002469
Jean-Paul Calderone23478b32013-02-20 13:31:38 -08002470 helper = _PassphraseHelper(type, passphrase)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002471 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002472 evp_pkey = _lib.PEM_read_bio_PrivateKey(
2473 bio, _ffi.NULL, helper.callback, helper.callback_args)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -08002474 helper.raise_if_problem()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002475 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002476 evp_pkey = _lib.d2i_PrivateKey_bio(bio, _ffi.NULL)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002477 else:
2478 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2479
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002480 if evp_pkey == _ffi.NULL:
Jean-Paul Calderone31393aa2013-02-20 13:22:21 -08002481 _raise_current_error()
2482
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002483 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002484 pkey._pkey = _ffi.gc(evp_pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002485 return pkey
2486
2487
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002488def dump_certificate_request(type, req):
2489 """
2490 Dump a certificate request to a buffer
2491
2492 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2493 :param req: The certificate request to dump
2494 :return: The buffer with the dumped certificate request in
2495 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -08002496 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002497
2498 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002499 result_code = _lib.PEM_write_bio_X509_REQ(bio, req._req)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002500 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002501 result_code = _lib.i2d_X509_REQ_bio(bio, req._req)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002502 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002503 result_code = _lib.X509_REQ_print_ex(bio, req._req, 0, 0)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002504 else:
Alex Gaynor5945ea82015-09-05 14:59:06 -04002505 raise ValueError(
2506 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
2507 "FILETYPE_TEXT"
2508 )
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002509
2510 if result_code == 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002511 # TODO: This is untested.
2512 _raise_current_error()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002513
2514 return _bio_to_string(bio)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002515
2516
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -08002517def load_certificate_request(type, buffer):
2518 """
2519 Load a certificate request from a buffer
2520
2521 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2522 :param buffer: The buffer the certificate request is stored in
2523 :return: The X509Req object
2524 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -05002525 if isinstance(buffer, _text_type):
2526 buffer = buffer.encode("ascii")
2527
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08002528 bio = _new_mem_buf(buffer)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002529
2530 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002531 req = _lib.PEM_read_bio_X509_REQ(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002532 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002533 req = _lib.d2i_X509_REQ_bio(bio, _ffi.NULL)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002534 else:
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -05002535 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002536
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002537 if req == _ffi.NULL:
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -05002538 # TODO: This is untested.
2539 _raise_current_error()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002540
2541 x509req = X509Req.__new__(X509Req)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002542 x509req._req = _ffi.gc(req, _lib.X509_REQ_free)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -08002543 return x509req
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002544
2545
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002546def sign(pkey, data, digest):
2547 """
2548 Sign data with a digest
2549
2550 :param pkey: Pkey to sign with
2551 :param data: data to be signed
2552 :param digest: message digest to use
2553 :return: signature
2554 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -04002555 data = _text_to_bytes_and_warn("data", data)
Abraham Martine82326c2015-02-04 10:18:10 +00002556
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002557 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002558 if digest_obj == _ffi.NULL:
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002559 raise ValueError("No such digest method")
2560
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002561 md_ctx = _ffi.new("EVP_MD_CTX*")
2562 md_ctx = _ffi.gc(md_ctx, _lib.EVP_MD_CTX_cleanup)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002563
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002564 _lib.EVP_SignInit(md_ctx, digest_obj)
2565 _lib.EVP_SignUpdate(md_ctx, data, len(data))
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002566
Colleen Murphye09399b2016-03-01 17:40:49 -08002567 pkey_length = (PKey.bits(pkey) + 7) // 8
2568 signature_buffer = _ffi.new("unsigned char[]", pkey_length)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002569 signature_length = _ffi.new("unsigned int*")
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002570 final_result = _lib.EVP_SignFinal(
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002571 md_ctx, signature_buffer, signature_length, pkey._pkey)
2572
2573 if final_result != 1:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002574 # TODO: This is untested.
2575 _raise_current_error()
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002576
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002577 return _ffi.buffer(signature_buffer, signature_length[0])[:]
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002578
2579
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002580def verify(cert, signature, data, digest):
2581 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +02002582 Verify a signature.
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002583
2584 :param cert: signing certificate (X509 object)
2585 :param signature: signature returned by sign function
2586 :param data: data to be verified
2587 :param digest: message digest to use
Alex Gaynor5945ea82015-09-05 14:59:06 -04002588 :return: :py:const:`None` if the signature is correct, raise exception
2589 otherwise
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002590 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -04002591 data = _text_to_bytes_and_warn("data", data)
Abraham Martine82326c2015-02-04 10:18:10 +00002592
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002593 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002594 if digest_obj == _ffi.NULL:
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002595 raise ValueError("No such digest method")
2596
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002597 pkey = _lib.X509_get_pubkey(cert._x509)
2598 if pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002599 # TODO: This is untested.
2600 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002601 pkey = _ffi.gc(pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002602
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002603 md_ctx = _ffi.new("EVP_MD_CTX*")
2604 md_ctx = _ffi.gc(md_ctx, _lib.EVP_MD_CTX_cleanup)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002605
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002606 _lib.EVP_VerifyInit(md_ctx, digest_obj)
2607 _lib.EVP_VerifyUpdate(md_ctx, data, len(data))
Alex Gaynor5945ea82015-09-05 14:59:06 -04002608 verify_result = _lib.EVP_VerifyFinal(
2609 md_ctx, signature, len(signature), pkey
2610 )
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -08002611
2612 if verify_result != 1:
2613 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002614
2615
Dominic Chenf05b2122015-10-13 16:32:35 +00002616def dump_crl(type, crl):
2617 """
2618 Dump a certificate revocation list to a buffer.
2619
2620 :param type: The file type (one of ``FILETYPE_PEM``, ``FILETYPE_ASN1``, or
2621 ``FILETYPE_TEXT``).
Hynek Schlawack0a3cd6d2015-10-21 16:39:22 +02002622 :param CRL crl: The CRL to dump.
2623
Dominic Chenf05b2122015-10-13 16:32:35 +00002624 :return: The buffer with the CRL.
Hynek Schlawack0a3cd6d2015-10-21 16:39:22 +02002625 :rtype: :data:`bytes`
Dominic Chenf05b2122015-10-13 16:32:35 +00002626 """
2627 bio = _new_mem_buf()
2628
2629 if type == FILETYPE_PEM:
2630 ret = _lib.PEM_write_bio_X509_CRL(bio, crl._crl)
2631 elif type == FILETYPE_ASN1:
2632 ret = _lib.i2d_X509_CRL_bio(bio, crl._crl)
2633 elif type == FILETYPE_TEXT:
2634 ret = _lib.X509_CRL_print(bio, crl._crl)
2635 else:
2636 raise ValueError(
2637 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
2638 "FILETYPE_TEXT")
2639
2640 assert ret == 1
2641 return _bio_to_string(bio)
2642
2643
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002644def load_crl(type, buffer):
2645 """
2646 Load a certificate revocation list from a buffer
2647
2648 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2649 :param buffer: The buffer the CRL is stored in
2650
2651 :return: The PKey object
2652 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -05002653 if isinstance(buffer, _text_type):
2654 buffer = buffer.encode("ascii")
2655
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08002656 bio = _new_mem_buf(buffer)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002657
2658 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002659 crl = _lib.PEM_read_bio_X509_CRL(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002660 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002661 crl = _lib.d2i_X509_CRL_bio(bio, _ffi.NULL)
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002662 else:
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002663 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2664
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002665 if crl == _ffi.NULL:
Jean-Paul Calderone57122982013-02-21 08:47:05 -08002666 _raise_current_error()
2667
2668 result = CRL.__new__(CRL)
2669 result._crl = crl
2670 return result
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002671
2672
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002673def load_pkcs7_data(type, buffer):
2674 """
2675 Load pkcs7 data from a buffer
2676
2677 :param type: The file type (one of FILETYPE_PEM or FILETYPE_ASN1)
2678 :param buffer: The buffer with the pkcs7 data.
2679 :return: The PKCS7 object
2680 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -05002681 if isinstance(buffer, _text_type):
2682 buffer = buffer.encode("ascii")
2683
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08002684 bio = _new_mem_buf(buffer)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002685
2686 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002687 pkcs7 = _lib.PEM_read_bio_PKCS7(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002688 elif type == FILETYPE_ASN1:
Alex Gaynor77acc362014-08-13 14:46:15 -07002689 pkcs7 = _lib.d2i_PKCS7_bio(bio, _ffi.NULL)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002690 else:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -05002691 # TODO: This is untested.
2692 _raise_current_error()
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002693 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2694
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002695 if pkcs7 == _ffi.NULL:
Jean-Paul Calderoneb0f64712013-03-03 10:15:39 -08002696 _raise_current_error()
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002697
2698 pypkcs7 = PKCS7.__new__(PKCS7)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002699 pypkcs7._pkcs7 = _ffi.gc(pkcs7, _lib.PKCS7_free)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -08002700 return pypkcs7
2701
2702
Stephen Holsapple38482622014-04-05 20:29:34 -07002703def load_pkcs12(buffer, passphrase=None):
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002704 """
2705 Load a PKCS12 object from a buffer
2706
2707 :param buffer: The buffer the certificate is stored in
2708 :param passphrase: (Optional) The password to decrypt the PKCS12 lump
2709 :returns: The PKCS12 object
2710 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -04002711 passphrase = _text_to_bytes_and_warn("passphrase", passphrase)
Abraham Martine82326c2015-02-04 10:18:10 +00002712
Jean-Paul Calderone6922a862014-01-18 10:38:28 -05002713 if isinstance(buffer, _text_type):
2714 buffer = buffer.encode("ascii")
2715
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -08002716 bio = _new_mem_buf(buffer)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002717
Stephen Holsapple38482622014-04-05 20:29:34 -07002718 # Use null passphrase if passphrase is None or empty string. With PKCS#12
2719 # password based encryption no password and a zero length password are two
2720 # different things, but OpenSSL implementation will try both to figure out
2721 # which one works.
2722 if not passphrase:
2723 passphrase = _ffi.NULL
2724
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002725 p12 = _lib.d2i_PKCS12_bio(bio, _ffi.NULL)
2726 if p12 == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002727 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002728 p12 = _ffi.gc(p12, _lib.PKCS12_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002729
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002730 pkey = _ffi.new("EVP_PKEY**")
2731 cert = _ffi.new("X509**")
2732 cacerts = _ffi.new("Cryptography_STACK_OF_X509**")
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002733
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002734 parse_result = _lib.PKCS12_parse(p12, passphrase, pkey, cert, cacerts)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002735 if not parse_result:
2736 _raise_current_error()
2737
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002738 cacerts = _ffi.gc(cacerts[0], _lib.sk_X509_free)
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -08002739
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002740 # openssl 1.0.0 sometimes leaves an X509_check_private_key error in the
2741 # queue for no particular reason. This error isn't interesting to anyone
2742 # outside this function. It's not even interesting to us. Get rid of it.
2743 try:
2744 _raise_current_error()
2745 except Error:
2746 pass
2747
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002748 if pkey[0] == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002749 pykey = None
2750 else:
2751 pykey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002752 pykey._pkey = _ffi.gc(pkey[0], _lib.EVP_PKEY_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002753
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002754 if cert[0] == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002755 pycert = None
2756 friendlyname = None
2757 else:
2758 pycert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002759 pycert._x509 = _ffi.gc(cert[0], _lib.X509_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002760
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002761 friendlyname_length = _ffi.new("int*")
Alex Gaynor5945ea82015-09-05 14:59:06 -04002762 friendlyname_buffer = _lib.X509_alias_get0(
2763 cert[0], friendlyname_length
2764 )
2765 friendlyname = _ffi.buffer(
2766 friendlyname_buffer, friendlyname_length[0]
2767 )[:]
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002768 if friendlyname_buffer == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002769 friendlyname = None
2770
2771 pycacerts = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002772 for i in range(_lib.sk_X509_num(cacerts)):
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002773 pycacert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -05002774 pycacert._x509 = _lib.sk_X509_value(cacerts, i)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -08002775 pycacerts.append(pycacert)
2776 if not pycacerts:
2777 pycacerts = None
2778
2779 pkcs12 = PKCS12.__new__(PKCS12)
2780 pkcs12._pkey = pykey
2781 pkcs12._cert = pycert
2782 pkcs12._cacerts = pycacerts
2783 pkcs12._friendlyname = friendlyname
2784 return pkcs12
Jean-Paul Calderone6bb40892014-01-01 12:21:34 -05002785
2786
Jean-Paul Calderoneb64e2a22014-01-11 08:06:35 -05002787# There are no direct unit tests for this initialization. It is tested
2788# indirectly since it is necessary for functions like dump_privatekey when
2789# using encryption.
2790#
2791# Thus OpenSSL.test.test_crypto.FunctionTests.test_dump_privatekey_passphrase
2792# and some other similar tests may fail without this (though they may not if
2793# the Python runtime has already done some initialization of the underlying
2794# OpenSSL library (and is linked against the same one that cryptography is
2795# using)).
Jean-Paul Calderonee324fd62014-01-11 08:00:33 -05002796_lib.OpenSSL_add_all_algorithms()
Jean-Paul Calderone11ed8e82014-01-18 10:21:50 -05002797
Jean-Paul Calderonefab157b2014-01-18 11:21:38 -05002798# This is similar but exercised mainly by exception_from_error_queue. It calls
2799# both ERR_load_crypto_strings() and ERR_load_SSL_strings().
2800_lib.SSL_load_error_strings()
D.S. Ljungmark349e1362014-05-31 18:40:38 +02002801
2802
D.S. Ljungmark349e1362014-05-31 18:40:38 +02002803# Set the default string mask to match OpenSSL upstream (since 2005) and
2804# RFC5280 recommendations.
2805_lib.ASN1_STRING_set_default_mask_asc(b'utf8only')