Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 67903a6122b06d676dd15c7f0ad1aed884a1ebfa / . / src / OpenSSL / crypto.py
blob: 84cce76cb72c205097aacbb6b511ce19bb30fbe1 [file] [log] [blame]
Paul Kehrer5d5d28d2015-10-21 18:55:22 -0500[diff] [blame]1import datetime
Paul Kehrer8d887e12015-10-24 09:09:55 -0500[diff] [blame]2
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]3from base64 import b16encode
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]4from functools import partial
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]5from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]6from warnings import warn as _warn
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]7
8from six import (
9 integer_types as _integer_types,
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]10 text_type as _text_type,
11 PY3 as _PY3)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]12
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]13from OpenSSL._util import (
14 ffi as _ffi,
15 lib as _lib,
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]16 exception_from_error_queue as _exception_from_error_queue,
17 byte_string as _byte_string,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]18 native as _native,
19 UNSPECIFIED as _UNSPECIFIED,
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]20 text_to_bytes_and_warn as _text_to_bytes_and_warn,
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]21 make_assert as _make_assert,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]22)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]23
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]24FILETYPE_PEM = _lib.SSL_FILETYPE_PEM
25FILETYPE_ASN1 = _lib.SSL_FILETYPE_ASN1
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]26
27# TODO This was an API mistake. OpenSSL has no such constant.
28FILETYPE_TEXT = 2 ** 16 - 1
29
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]30TYPE_RSA = _lib.EVP_PKEY_RSA
31TYPE_DSA = _lib.EVP_PKEY_DSA
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]32
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]33
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]34class Error(Exception):
Jean-Paul Calderone511cde02013-12-29 10:31:13 -0500[diff] [blame]35 """
36 An error occurred in an `OpenSSL.crypto` API.
37 """
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]38
39
40_raise_current_error = partial(_exception_from_error_queue, Error)
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]41_openssl_assert = _make_assert(Error)
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]42
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]43
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]44def _untested_error(where):
45 """
46 An OpenSSL API failed somehow. Additionally, the failure which was
47 encountered isn't one that's exercised by the test suite so future behavior
48 of pyOpenSSL is now somewhat less predictable.
49 """
50 raise RuntimeError("Unknown %s failure" % (where,))
51
52
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]53def _new_mem_buf(buffer=None):
54 """
55 Allocate a new OpenSSL memory BIO.
56
57 Arrange for the garbage collector to clean it up automatically.
58
59 :param buffer: None or some bytes to use to put into the BIO so that they
60 can be read out.
61 """
62 if buffer is None:
63 bio = _lib.BIO_new(_lib.BIO_s_mem())
64 free = _lib.BIO_free
65 else:
66 data = _ffi.new("char[]", buffer)
67 bio = _lib.BIO_new_mem_buf(data, len(buffer))
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]68
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]69 # Keep the memory alive as long as the bio is alive!
70 def free(bio, ref=data):
71 return _lib.BIO_free(bio)
72
73 if bio == _ffi.NULL:
74 # TODO: This is untested.
75 _raise_current_error()
76
77 bio = _ffi.gc(bio, free)
78 return bio
79
80
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]81def _bio_to_string(bio):
82 """
83 Copy the contents of an OpenSSL BIO object into a Python byte string.
84 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]85 result_buffer = _ffi.new('char**')
86 buffer_length = _lib.BIO_get_mem_data(bio, result_buffer)
87 return _ffi.buffer(result_buffer[0], buffer_length)[:]
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]88
89
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]90def _set_asn1_time(boundary, when):
Jean-Paul Calderonee728e872013-12-29 10:37:15 -0500[diff] [blame]91 """
92 The the time value of an ASN1 time object.
93
94 @param boundary: An ASN1_GENERALIZEDTIME pointer (or an object safely
95 castable to that type) which will have its value set.
96 @param when: A string representation of the desired time value.
97
98 @raise TypeError: If C{when} is not a L{bytes} string.
99 @raise ValueError: If C{when} does not represent a time in the required
100 format.
101 @raise RuntimeError: If the time value cannot be set for some other
102 (unspecified) reason.
103 """
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]104 if not isinstance(when, bytes):
105 raise TypeError("when must be a byte string")
106
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]107 set_result = _lib.ASN1_GENERALIZEDTIME_set_string(
108 _ffi.cast('ASN1_GENERALIZEDTIME*', boundary), when)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]109 if set_result == 0:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]110 dummy = _ffi.gc(_lib.ASN1_STRING_new(), _lib.ASN1_STRING_free)
111 _lib.ASN1_STRING_set(dummy, when, len(when))
112 check_result = _lib.ASN1_GENERALIZEDTIME_check(
113 _ffi.cast('ASN1_GENERALIZEDTIME*', dummy))
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]114 if not check_result:
115 raise ValueError("Invalid string")
116 else:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]117 _untested_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]118
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]119def _get_asn1_time(timestamp):
Jean-Paul Calderonee728e872013-12-29 10:37:15 -0500[diff] [blame]120 """
121 Retrieve the time value of an ASN1 time object.
122
123 @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to
124 that type) from which the time value will be retrieved.
125
126 @return: The time value from C{timestamp} as a L{bytes} string in a certain
127 format. Or C{None} if the object contains no time value.
128 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]129 string_timestamp = _ffi.cast('ASN1_STRING*', timestamp)
130 if _lib.ASN1_STRING_length(string_timestamp) == 0:
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]131 return None
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]132 elif (
133 _lib.ASN1_STRING_type(string_timestamp) == _lib.V_ASN1_GENERALIZEDTIME
134 ):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]135 return _ffi.string(_lib.ASN1_STRING_data(string_timestamp))
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]136 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]137 generalized_timestamp = _ffi.new("ASN1_GENERALIZEDTIME**")
138 _lib.ASN1_TIME_to_generalizedtime(timestamp, generalized_timestamp)
139 if generalized_timestamp[0] == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]140 # This may happen:
141 # - if timestamp was not an ASN1_TIME
142 # - if allocating memory for the ASN1_GENERALIZEDTIME failed
143 # - if a copy of the time data from timestamp cannot be made for
144 # the newly allocated ASN1_GENERALIZEDTIME
145 #
146 # These are difficult to test. cffi enforces the ASN1_TIME type.
147 # Memory allocation failures are a pain to trigger
148 # deterministically.
149 _untested_error("ASN1_TIME_to_generalizedtime")
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]150 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]151 string_timestamp = _ffi.cast(
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]152 "ASN1_STRING*", generalized_timestamp[0])
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]153 string_data = _lib.ASN1_STRING_data(string_timestamp)
154 string_result = _ffi.string(string_data)
155 _lib.ASN1_GENERALIZEDTIME_free(generalized_timestamp[0])
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]156 return string_result
157
158
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]159class PKey(object):
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]160 """
161 A class representing an DSA or RSA public key or key pair.
162 """
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]163 _only_public = False
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]164 _initialized = True
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]165
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]166 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]167 pkey = _lib.EVP_PKEY_new()
168 self._pkey = _ffi.gc(pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]169 self._initialized = False
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]170
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]171 def generate_key(self, type, bits):
172 """
Laurens Van Houtven90c09142015-04-23 10:52:49 -0700[diff] [blame]173 Generate a key pair of the given type, with the given number of bits.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]174
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]175 This generates a key "into" the this object.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]176
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]177 :param type: The key type.
178 :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA`
179 :param bits: The number of bits.
180 :type bits: :py:data:`int` ``>= 0``
181 :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't
182 of the appropriate type.
183 :raises ValueError: If the number of bits isn't an integer of
184 the appropriate size.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]185 :return: :py:const:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]186 """
187 if not isinstance(type, int):
188 raise TypeError("type must be an integer")
189
190 if not isinstance(bits, int):
191 raise TypeError("bits must be an integer")
192
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]193 # TODO Check error return
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]194 exponent = _lib.BN_new()
195 exponent = _ffi.gc(exponent, _lib.BN_free)
196 _lib.BN_set_word(exponent, _lib.RSA_F4)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]197
198 if type == TYPE_RSA:
199 if bits <= 0:
200 raise ValueError("Invalid number of bits")
201
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]202 rsa = _lib.RSA_new()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]203
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]204 result = _lib.RSA_generate_key_ex(rsa, bits, exponent, _ffi.NULL)
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]205 if result == 0:
206 # TODO: The test for this case is commented out. Different
207 # builds of OpenSSL appear to have different failure modes that
208 # make it hard to test. Visual inspection of the OpenSSL
209 # source reveals that a return value of 0 signals an error.
210 # Manual testing on a particular build of OpenSSL suggests that
211 # this is probably the appropriate way to handle those errors.
212 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]213
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]214 result = _lib.EVP_PKEY_assign_RSA(self._pkey, rsa)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]215 if not result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]216 # TODO: It appears as though this can fail if an engine is in
217 # use which does not support RSA.
218 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]219
220 elif type == TYPE_DSA:
Paul Kehrera0860b92016-03-09 21:39:27 -0400[diff] [blame]221 dsa = _lib.DSA_new()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]222 if dsa == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]223 # TODO: This is untested.
224 _raise_current_error()
Paul Kehrerafa5a662016-03-10 10:29:28 -0400[diff] [blame]225
226 dsa = _ffi.gc(dsa, _lib.DSA_free)
Paul Kehrera0860b92016-03-09 21:39:27 -0400[diff] [blame]227 res = _lib.DSA_generate_parameters_ex(
228 dsa, bits, _ffi.NULL, 0, _ffi.NULL, _ffi.NULL, _ffi.NULL
229 )
230 if not res == 1:
231 # TODO: This is untested.
232 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]233 if not _lib.DSA_generate_key(dsa):
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]234 # TODO: This is untested.
235 _raise_current_error()
Paul Kehrerafa5a662016-03-10 10:29:28 -0400[diff] [blame]236 if not _lib.EVP_PKEY_set1_DSA(self._pkey, dsa):
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]237 # TODO: This is untested.
238 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]239 else:
240 raise Error("No such key type")
241
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]242 self._initialized = True
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]243
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]244 def check(self):
245 """
246 Check the consistency of an RSA private key.
247
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]248 This is the Python equivalent of OpenSSL's ``RSA_check_key``.
249
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]250 :return: True if key is consistent.
251 :raise Error: if the key is inconsistent.
252 :raise TypeError: if the key is of a type which cannot be checked.
253 Only RSA keys can currently be checked.
254 """
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]255 if self._only_public:
256 raise TypeError("public key only")
257
Hynek Schlawack2a91ba32016-01-31 14:18:54 +0100[diff] [blame]258 if _lib.EVP_PKEY_type(self.type()) != _lib.EVP_PKEY_RSA:
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]259 raise TypeError("key type unsupported")
260
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]261 rsa = _lib.EVP_PKEY_get1_RSA(self._pkey)
262 rsa = _ffi.gc(rsa, _lib.RSA_free)
263 result = _lib.RSA_check_key(rsa)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]264 if result:
265 return True
266 _raise_current_error()
267
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]268 def type(self):
269 """
270 Returns the type of the key
271
272 :return: The type of the key.
273 """
Alex Gaynorc84567b2016-03-16 07:45:09 -0400[diff] [blame]274 return _lib.Cryptography_EVP_PKEY_id(self._pkey)
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]275
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]276 def bits(self):
277 """
278 Returns the number of bits of the key
279
280 :return: The number of bits of the key.
281 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]282 return _lib.EVP_PKEY_bits(self._pkey)
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]283PKeyType = PKey
284
285
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]286class _EllipticCurve(object):
287 """
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]288 A representation of a supported elliptic curve.
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]289
290 @cvar _curves: :py:obj:`None` until an attempt is made to load the curves.
291 Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve`
292 instances each of which represents one curve supported by the system.
293 @type _curves: :py:type:`NoneType` or :py:type:`set`
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]294 """
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]295 _curves = None
296
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]297 if _PY3:
Jean-Paul Calderonea5381052014-05-01 09:32:46 -0400[diff] [blame]298 # This only necessary on Python 3. Morever, it is broken on Python 2.
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]299 def __ne__(self, other):
Jean-Paul Calderonea5381052014-05-01 09:32:46 -0400[diff] [blame]300 """
301 Implement cooperation with the right-hand side argument of ``!=``.
302
303 Python 3 seems to have dropped this cooperation in this very narrow
304 circumstance.
305 """
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]306 if isinstance(other, _EllipticCurve):
307 return super(_EllipticCurve, self).__ne__(other)
308 return NotImplemented
Jean-Paul Calderone40da72d2014-05-01 09:25:17 -0400[diff] [blame]309
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]310 @classmethod
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]311 def _load_elliptic_curves(cls, lib):
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]312 """
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]313 Get the curves supported by OpenSSL.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]314
315 :param lib: The OpenSSL library binding object.
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]316
317 :return: A :py:type:`set` of ``cls`` instances giving the names of the
318 elliptic curves the underlying library supports.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]319 """
320 if lib.Cryptography_HAS_EC:
321 num_curves = lib.EC_get_builtin_curves(_ffi.NULL, 0)
322 builtin_curves = _ffi.new('EC_builtin_curve[]', num_curves)
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]323 # The return value on this call should be num_curves again. We
324 # could check it to make sure but if it *isn't* then.. what could
325 # we do? Abort the whole process, I suppose...? -exarkun
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]326 lib.EC_get_builtin_curves(builtin_curves, num_curves)
327 return set(
328 cls.from_nid(lib, c.nid)
329 for c in builtin_curves)
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]330 return set()
331
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]332 @classmethod
333 def _get_elliptic_curves(cls, lib):
334 """
335 Get, cache, and return the curves supported by OpenSSL.
336
337 :param lib: The OpenSSL library binding object.
338
339 :return: A :py:type:`set` of ``cls`` instances giving the names of the
340 elliptic curves the underlying library supports.
341 """
342 if cls._curves is None:
343 cls._curves = cls._load_elliptic_curves(lib)
344 return cls._curves
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]345
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]346 @classmethod
347 def from_nid(cls, lib, nid):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]348 """
349 Instantiate a new :py:class:`_EllipticCurve` associated with the given
350 OpenSSL NID.
351
352 :param lib: The OpenSSL library binding object.
353
354 :param nid: The OpenSSL NID the resulting curve object will represent.
355 This must be a curve NID (and not, for example, a hash NID) or
356 subsequent operations will fail in unpredictable ways.
357 :type nid: :py:class:`int`
358
359 :return: The curve object.
360 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]361 return cls(lib, nid, _ffi.string(lib.OBJ_nid2sn(nid)).decode("ascii"))
362
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]363 def __init__(self, lib, nid, name):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]364 """
365 :param _lib: The :py:mod:`cryptography` binding instance used to
366 interface with OpenSSL.
367
368 :param _nid: The OpenSSL NID identifying the curve this object
369 represents.
370 :type _nid: :py:class:`int`
371
372 :param name: The OpenSSL short name identifying the curve this object
373 represents.
374 :type name: :py:class:`unicode`
375 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]376 self._lib = lib
377 self._nid = nid
378 self.name = name
379
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]380 def __repr__(self):
381 return "<Curve %r>" % (self.name,)
382
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]383 def _to_EC_KEY(self):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]384 """
385 Create a new OpenSSL EC_KEY structure initialized to use this curve.
386
387 The structure is automatically garbage collected when the Python object
388 is garbage collected.
389 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]390 key = self._lib.EC_KEY_new_by_curve_name(self._nid)
391 return _ffi.gc(key, _lib.EC_KEY_free)
392
393
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]394def get_elliptic_curves():
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]395 """
396 Return a set of objects representing the elliptic curves supported in the
397 OpenSSL build in use.
398
399 The curve objects have a :py:class:`unicode` ``name`` attribute by which
400 they identify themselves.
401
402 The curve objects are useful as values for the argument accepted by
Jean-Paul Calderone3b04e352014-04-19 09:29:10 -0400[diff] [blame]403 :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be
404 used for ECDHE key exchange.
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]405 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]406 return _EllipticCurve._get_elliptic_curves(_lib)
407
408
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]409def get_elliptic_curve(name):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]410 """
411 Return a single curve object selected by name.
412
413 See :py:func:`get_elliptic_curves` for information about curve objects.
414
Jean-Paul Calderoned5839e22014-04-19 09:26:44 -0400[diff] [blame]415 :param name: The OpenSSL short name identifying the curve object to
416 retrieve.
417 :type name: :py:class:`unicode`
418
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]419 If the named curve is not supported then :py:class:`ValueError` is raised.
420 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]421 for curve in get_elliptic_curves():
422 if curve.name == name:
423 return curve
424 raise ValueError("unknown curve name", name)
425
426
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]427class X509Name(object):
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]428 """
429 An X.509 Distinguished Name.
430
431 :ivar countryName: The country of the entity.
432 :ivar C: Alias for :py:attr:`countryName`.
433
434 :ivar stateOrProvinceName: The state or province of the entity.
435 :ivar ST: Alias for :py:attr:`stateOrProvinceName`.
436
437 :ivar localityName: The locality of the entity.
438 :ivar L: Alias for :py:attr:`localityName`.
439
440 :ivar organizationName: The organization name of the entity.
441 :ivar O: Alias for :py:attr:`organizationName`.
442
443 :ivar organizationalUnitName: The organizational unit of the entity.
444 :ivar OU: Alias for :py:attr:`organizationalUnitName`
445
446 :ivar commonName: The common name of the entity.
447 :ivar CN: Alias for :py:attr:`commonName`.
448
449 :ivar emailAddress: The e-mail address of the entity.
450 """
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]451
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]452 def __init__(self, name):
453 """
454 Create a new X509Name, copying the given X509Name instance.
455
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]456 :param name: The name to copy.
457 :type name: :py:class:`X509Name`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]458 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]459 name = _lib.X509_NAME_dup(name._name)
460 self._name = _ffi.gc(name, _lib.X509_NAME_free)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]461
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]462 def __setattr__(self, name, value):
463 if name.startswith('_'):
464 return super(X509Name, self).__setattr__(name, value)
465
Jean-Paul Calderoneff363be2013-03-03 10:21:23 -0800[diff] [blame]466 # Note: we really do not want str subclasses here, so we do not use
467 # isinstance.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]468 if type(name) is not str:
469 raise TypeError("attribute name must be string, not '%.200s'" % (
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]470 type(value).__name__,))
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]471
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]472 nid = _lib.OBJ_txt2nid(_byte_string(name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]473 if nid == _lib.NID_undef:
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]474 try:
475 _raise_current_error()
476 except Error:
477 pass
478 raise AttributeError("No such attribute")
479
480 # If there's an old entry for this NID, remove it
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]481 for i in range(_lib.X509_NAME_entry_count(self._name)):
482 ent = _lib.X509_NAME_get_entry(self._name, i)
483 ent_obj = _lib.X509_NAME_ENTRY_get_object(ent)
484 ent_nid = _lib.OBJ_obj2nid(ent_obj)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]485 if nid == ent_nid:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]486 ent = _lib.X509_NAME_delete_entry(self._name, i)
487 _lib.X509_NAME_ENTRY_free(ent)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]488 break
489
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]490 if isinstance(value, _text_type):
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]491 value = value.encode('utf-8')
492
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]493 add_result = _lib.X509_NAME_add_entry_by_NID(
494 self._name, nid, _lib.MBSTRING_UTF8, value, -1, -1, 0)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]495 if not add_result:
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]496 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]497
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]498 def __getattr__(self, name):
499 """
500 Find attribute. An X509Name object has the following attributes:
501 countryName (alias C), stateOrProvince (alias ST), locality (alias L),
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]502 organization (alias O), organizationalUnit (alias OU), commonName
503 (alias CN) and more...
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]504 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]505 nid = _lib.OBJ_txt2nid(_byte_string(name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]506 if nid == _lib.NID_undef:
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]507 # This is a bit weird. OBJ_txt2nid indicated failure, but it seems
508 # a lower level function, a2d_ASN1_OBJECT, also feels the need to
509 # push something onto the error queue. If we don't clean that up
510 # now, someone else will bump into it later and be quite confused.
511 # See lp#314814.
512 try:
513 _raise_current_error()
514 except Error:
515 pass
516 return super(X509Name, self).__getattr__(name)
517
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]518 entry_index = _lib.X509_NAME_get_index_by_NID(self._name, nid, -1)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]519 if entry_index == -1:
520 return None
521
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]522 entry = _lib.X509_NAME_get_entry(self._name, entry_index)
523 data = _lib.X509_NAME_ENTRY_get_data(entry)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]524
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]525 result_buffer = _ffi.new("unsigned char**")
526 data_length = _lib.ASN1_STRING_to_UTF8(result_buffer, data)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]527 if data_length < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]528 # TODO: This is untested.
529 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]530
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]531 try:
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]532 result = _ffi.buffer(
533 result_buffer[0], data_length
534 )[:].decode('utf-8')
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]535 finally:
536 # XXX untested
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]537 _lib.OPENSSL_free(result_buffer[0])
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]538 return result
539
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]540 def _cmp(op):
541 def f(self, other):
542 if not isinstance(other, X509Name):
543 return NotImplemented
544 result = _lib.X509_NAME_cmp(self._name, other._name)
545 return op(result, 0)
546 return f
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]547
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]548 __eq__ = _cmp(__eq__)
549 __ne__ = _cmp(__ne__)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]550
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]551 __lt__ = _cmp(__lt__)
552 __le__ = _cmp(__le__)
553
554 __gt__ = _cmp(__gt__)
555 __ge__ = _cmp(__ge__)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]556
557 def __repr__(self):
558 """
559 String representation of an X509Name
560 """
Alex Gaynor962ac212015-09-04 08:06:42 -0400[diff] [blame]561 result_buffer = _ffi.new("char[]", 512)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]562 format_result = _lib.X509_NAME_oneline(
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]563 self._name, result_buffer, len(result_buffer))
564
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]565 if format_result == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]566 # TODO: This is untested.
567 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]568
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]569 return "<X509Name object '%s'>" % (
570 _native(_ffi.string(result_buffer)),)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]571
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]572 def hash(self):
573 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]574 Return an integer representation of the first four bytes of the
575 MD5 digest of the DER representation of the name.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]576
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]577 This is the Python equivalent of OpenSSL's ``X509_NAME_hash``.
578
579 :return: The (integer) hash of this name.
580 :rtype: :py:class:`int`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]581 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]582 return _lib.X509_NAME_hash(self._name)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]583
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]584 def der(self):
585 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]586 Return the DER encoding of this name.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]587
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]588 :return: The DER encoded form of this name.
589 :rtype: :py:class:`bytes`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]590 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]591 result_buffer = _ffi.new('unsigned char**')
592 encode_result = _lib.i2d_X509_NAME(self._name, result_buffer)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]593 if encode_result < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]594 # TODO: This is untested.
595 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]596
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]597 string_result = _ffi.buffer(result_buffer[0], encode_result)[:]
598 _lib.OPENSSL_free(result_buffer[0])
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]599 return string_result
600
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]601 def get_components(self):
602 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]603 Returns the components of this name, as a sequence of 2-tuples.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]604
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]605 :return: The components of this name.
606 :rtype: :py:class:`list` of ``name, value`` tuples.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]607 """
608 result = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]609 for i in range(_lib.X509_NAME_entry_count(self._name)):
610 ent = _lib.X509_NAME_get_entry(self._name, i)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]611
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]612 fname = _lib.X509_NAME_ENTRY_get_object(ent)
613 fval = _lib.X509_NAME_ENTRY_get_data(ent)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]614
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]615 nid = _lib.OBJ_obj2nid(fname)
616 name = _lib.OBJ_nid2sn(nid)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]617
618 result.append((
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]619 _ffi.string(name),
620 _ffi.string(
621 _lib.ASN1_STRING_data(fval),
622 _lib.ASN1_STRING_length(fval))))
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]623
624 return result
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]625
626
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]627X509NameType = X509Name
628
629
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]630class X509Extension(object):
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]631 """
632 An X.509 v3 certificate extension.
633 """
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]634
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]635 def __init__(self, type_name, critical, value, subject=None, issuer=None):
636 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]637 Initializes an X509 extension.
638
Hynek Schlawack8d4f9762016-03-19 08:15:03 +0100[diff] [blame]639 :param type_name: The name of the type of extension_ to create.
Alex Gaynor6f719912015-09-20 09:21:29 -0400[diff] [blame]640 :type type_name: :py:data:`bytes`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]641
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]642 :param bool critical: A flag indicating whether this is a critical
643 extension.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]644
645 :param value: The value of the extension.
Maximilian Hils0de43752015-09-18 15:26:54 +0200[diff] [blame]646 :type value: :py:data:`bytes`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]647
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]648 :param subject: Optional X509 certificate to use as subject.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]649 :type subject: :py:class:`X509`
650
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]651 :param issuer: Optional X509 certificate to use as issuer.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]652 :type issuer: :py:class:`X509`
Hynek Schlawack8d4f9762016-03-19 08:15:03 +0100[diff] [blame]653
654 .. _extension: https://openssl.org/docs/manmaster/apps/
655 x509v3_config.html#STANDARD-EXTENSIONS
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]656 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]657 ctx = _ffi.new("X509V3_CTX*")
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]658
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]659 # A context is necessary for any extension which uses the r2i
660 # conversion method. That is, X509V3_EXT_nconf may segfault if passed
661 # a NULL ctx. Start off by initializing most of the fields to NULL.
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]662 _lib.X509V3_set_ctx(ctx, _ffi.NULL, _ffi.NULL, _ffi.NULL, _ffi.NULL, 0)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]663
664 # We have no configuration database - but perhaps we should (some
665 # extensions may require it).
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]666 _lib.X509V3_set_ctx_nodb(ctx)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]667
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]668 # Initialize the subject and issuer, if appropriate. ctx is a local,
669 # and as far as I can tell none of the X509V3_* APIs invoked here steal
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]670 # any references, so no need to mess with reference counts or
671 # duplicates.
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]672 if issuer is not None:
673 if not isinstance(issuer, X509):
674 raise TypeError("issuer must be an X509 instance")
675 ctx.issuer_cert = issuer._x509
676 if subject is not None:
677 if not isinstance(subject, X509):
678 raise TypeError("subject must be an X509 instance")
679 ctx.subject_cert = subject._x509
680
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]681 if critical:
682 # There are other OpenSSL APIs which would let us pass in critical
683 # separately, but they're harder to use, and since value is already
684 # a pile of crappy junk smuggling a ton of utterly important
685 # structured data, what's the point of trying to avoid nasty stuff
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]686 # with strings? (However, X509V3_EXT_i2d in particular seems like
687 # it would be a better API to invoke. I do not know where to get
688 # the ext_struc it desires for its last parameter, though.)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]689 value = b"critical," + value
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]690
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]691 extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
692 if extension == _ffi.NULL:
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]693 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]694 self._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]695
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]696 @property
697 def _nid(self):
Paul Kehrere8f91cc2016-03-09 21:26:29 -0400[diff] [blame]698 return _lib.OBJ_obj2nid(
699 _lib.X509_EXTENSION_get_object(self._extension)
700 )
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]701
702 _prefixes = {
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]703 _lib.GEN_EMAIL: "email",
704 _lib.GEN_DNS: "DNS",
705 _lib.GEN_URI: "URI",
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]706 }
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]707
708 def _subjectAltNameString(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]709 method = _lib.X509V3_EXT_get(self._extension)
710 if method == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]711 # TODO: This is untested.
712 _raise_current_error()
Paul Kehrere8f91cc2016-03-09 21:26:29 -0400[diff] [blame]713 ext_data = _lib.X509_EXTENSION_get_data(self._extension)
714 payload = ext_data.data
715 length = ext_data.length
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]716
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]717 payloadptr = _ffi.new("unsigned char**")
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]718 payloadptr[0] = payload
719
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]720 if method.it != _ffi.NULL:
721 ptr = _lib.ASN1_ITEM_ptr(method.it)
722 data = _lib.ASN1_item_d2i(_ffi.NULL, payloadptr, length, ptr)
723 names = _ffi.cast("GENERAL_NAMES*", data)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]724 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]725 names = _ffi.cast(
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]726 "GENERAL_NAMES*",
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]727 method.d2i(_ffi.NULL, payloadptr, length))
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]728
Paul Kehrerb7d79502015-05-04 07:43:51 -0500[diff] [blame]729 names = _ffi.gc(names, _lib.GENERAL_NAMES_free)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]730 parts = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]731 for i in range(_lib.sk_GENERAL_NAME_num(names)):
732 name = _lib.sk_GENERAL_NAME_value(names, i)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]733 try:
734 label = self._prefixes[name.type]
735 except KeyError:
736 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]737 _lib.GENERAL_NAME_print(bio, name)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]738 parts.append(_native(_bio_to_string(bio)))
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]739 else:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]740 value = _native(
741 _ffi.buffer(name.d.ia5.data, name.d.ia5.length)[:])
742 parts.append(label + ":" + value)
743 return ", ".join(parts)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]744
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]745 def __str__(self):
746 """
747 :return: a nice text representation of the extension
748 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]749 if _lib.NID_subject_alt_name == self._nid:
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]750 return self._subjectAltNameString()
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]751
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]752 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]753 print_result = _lib.X509V3_EXT_print(bio, self._extension, 0, 0)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]754 if not print_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]755 # TODO: This is untested.
756 _raise_current_error()
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]757
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]758 return _native(_bio_to_string(bio))
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]759
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]760 def get_critical(self):
761 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]762 Returns the critical field of this X.509 extension.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]763
764 :return: The critical field.
765 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]766 return _lib.X509_EXTENSION_get_critical(self._extension)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]767
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]768 def get_short_name(self):
769 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]770 Returns the short type name of this X.509 extension.
771
772 The result is a byte string such as :py:const:`b"basicConstraints"`.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]773
774 :return: The short type name.
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]775 :rtype: :py:data:`bytes`
776
777 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]778 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]779 obj = _lib.X509_EXTENSION_get_object(self._extension)
780 nid = _lib.OBJ_obj2nid(obj)
781 return _ffi.string(_lib.OBJ_nid2sn(nid))
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]782
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]783 def get_data(self):
784 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]785 Returns the data of the X509 extension, encoded as ASN.1.
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]786
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]787 :return: The ASN.1 encoded data of this X509 extension.
788 :rtype: :py:data:`bytes`
789
790 .. versionadded:: 0.12
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]791 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]792 octet_result = _lib.X509_EXTENSION_get_data(self._extension)
793 string_result = _ffi.cast('ASN1_STRING*', octet_result)
794 char_result = _lib.ASN1_STRING_data(string_result)
795 result_length = _lib.ASN1_STRING_length(string_result)
796 return _ffi.buffer(char_result, result_length)[:]
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]797
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]798
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]799X509ExtensionType = X509Extension
800
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]801
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]802class X509Req(object):
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]803 """
804 An X.509 certificate signing requests.
805 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]806
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]807 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]808 req = _lib.X509_REQ_new()
809 self._req = _ffi.gc(req, _lib.X509_REQ_free)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]810
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]811 def set_pubkey(self, pkey):
812 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]813 Set the public key of the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]814
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]815 :param pkey: The public key to use.
816 :type pkey: :py:class:`PKey`
817
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]818 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]819 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]820 set_result = _lib.X509_REQ_set_pubkey(self._req, pkey._pkey)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]821 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]822 # TODO: This is untested.
823 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]824
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]825 def get_pubkey(self):
826 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]827 Get the public key of the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]828
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]829 :return: The public key.
830 :rtype: :py:class:`PKey`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]831 """
832 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]833 pkey._pkey = _lib.X509_REQ_get_pubkey(self._req)
834 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]835 # TODO: This is untested.
836 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]837 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]838 pkey._only_public = True
839 return pkey
840
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]841 def set_version(self, version):
842 """
843 Set the version subfield (RFC 2459, section 4.1.2.1) of the certificate
844 request.
845
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]846 :param int version: The version number.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]847 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]848 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]849 set_result = _lib.X509_REQ_set_version(self._req, version)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]850 if not set_result:
851 _raise_current_error()
852
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]853 def get_version(self):
854 """
855 Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate
856 request.
857
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]858 :return: The value of the version subfield.
859 :rtype: :py:class:`int`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]860 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]861 return _lib.X509_REQ_get_version(self._req)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]862
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]863 def get_subject(self):
864 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]865 Return the subject of this certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]866
Cory Benfield881dc8d2015-12-09 08:25:14 +0000[diff] [blame]867 This creates a new :class:`X509Name` that wraps the underlying subject
868 name field on the certificate signing request. Modifying it will modify
869 the underlying signing request, and will have the effect of modifying
870 any other :class:`X509Name` that refers to this subject.
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]871
872 :return: The subject of this certificate signing request.
Cory Benfield881dc8d2015-12-09 08:25:14 +0000[diff] [blame]873 :rtype: :class:`X509Name`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]874 """
875 name = X509Name.__new__(X509Name)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]876 name._name = _lib.X509_REQ_get_subject_name(self._req)
877 if name._name == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]878 # TODO: This is untested.
879 _raise_current_error()
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]880
881 # The name is owned by the X509Req structure. As long as the X509Name
882 # Python object is alive, keep the X509Req Python object alive.
883 name._owner = self
884
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]885 return name
886
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]887 def add_extensions(self, extensions):
888 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]889 Add extensions to the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]890
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]891 :param extensions: The X.509 extensions to add.
892 :type extensions: iterable of :py:class:`X509Extension`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]893 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]894 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]895 stack = _lib.sk_X509_EXTENSION_new_null()
896 if stack == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]897 # TODO: This is untested.
898 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]899
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]900 stack = _ffi.gc(stack, _lib.sk_X509_EXTENSION_free)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]901
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]902 for ext in extensions:
903 if not isinstance(ext, X509Extension):
Jean-Paul Calderonec2154b72013-02-20 14:29:37 -0800[diff] [blame]904 raise ValueError("One of the elements is not an X509Extension")
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]905
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]906 # TODO push can fail (here and elsewhere)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]907 _lib.sk_X509_EXTENSION_push(stack, ext._extension)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]908
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]909 add_result = _lib.X509_REQ_add_extensions(self._req, stack)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]910 if not add_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]911 # TODO: This is untested.
912 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]913
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800[diff] [blame]914 def get_extensions(self):
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]915 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]916 Get X.509 extensions in the certificate signing request.
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800[diff] [blame]917
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]918 :return: The X.509 extensions in this request.
919 :rtype: :py:class:`list` of :py:class:`X509Extension` objects.
920
921 .. versionadded:: 0.15
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]922 """
923 exts = []
Jean-Paul Calderone9479d732014-03-02 08:04:54 -0500[diff] [blame]924 native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
Jean-Paul Calderoneb7a79b42014-03-02 08:06:47 -0500[diff] [blame]925 for i in range(_lib.sk_X509_EXTENSION_num(native_exts_obj)):
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]926 ext = X509Extension.__new__(X509Extension)
Jean-Paul Calderone9479d732014-03-02 08:04:54 -0500[diff] [blame]927 ext._extension = _lib.sk_X509_EXTENSION_value(native_exts_obj, i)
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]928 exts.append(ext)
929 return exts
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800[diff] [blame]930
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]931 def sign(self, pkey, digest):
932 """
Laurens Van Houtven6f2e4262015-04-23 10:48:32 -0700[diff] [blame]933 Sign the certificate signing request with this key and digest type.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]934
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]935 :param pkey: The key pair to sign with.
936 :type pkey: :py:class:`PKey`
937 :param digest: The name of the message digest to use for the signature,
938 e.g. :py:data:`b"sha1"`.
939 :type digest: :py:class:`bytes`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]940 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]941 """
942 if pkey._only_public:
943 raise ValueError("Key has only public part")
944
945 if not pkey._initialized:
946 raise ValueError("Key is uninitialized")
947
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]948 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]949 if digest_obj == _ffi.NULL:
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]950 raise ValueError("No such digest method")
951
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]952 sign_result = _lib.X509_REQ_sign(self._req, pkey._pkey, digest_obj)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]953 if not sign_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]954 # TODO: This is untested.
955 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]956
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]957 def verify(self, pkey):
958 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]959 Verifies the signature on this certificate signing request.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]960
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]961 :param key: A public key.
962 :type key: :py:class:`PKey`
963 :return: :py:data:`True` if the signature is correct.
964 :rtype: :py:class:`bool`
965 :raises Error: If the signature is invalid or there is a
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]966 problem verifying the signature.
967 """
968 if not isinstance(pkey, PKey):
969 raise TypeError("pkey must be a PKey instance")
970
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]971 result = _lib.X509_REQ_verify(self._req, pkey._pkey)
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]972 if result <= 0:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]973 _raise_current_error()
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]974
975 return result
976
977
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]978X509ReqType = X509Req
979
980
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]981class X509(object):
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]982 """
983 An X.509 certificate.
984 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]985
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]986 def __init__(self):
987 # TODO Allocation failure? And why not __new__ instead of __init__?
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]988 x509 = _lib.X509_new()
989 self._x509 = _ffi.gc(x509, _lib.X509_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]990
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]991 def set_version(self, version):
992 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]993 Set the version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]994
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]995 :param version: The version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]996 :type version: :py:class:`int`
997
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]998 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]999 """
1000 if not isinstance(version, int):
1001 raise TypeError("version must be an integer")
1002
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1003 _lib.X509_set_version(self._x509, version)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1004
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1005 def get_version(self):
1006 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1007 Return the version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1008
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1009 :return: The version number of the certificate.
1010 :rtype: :py:class:`int`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1011 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1012 return _lib.X509_get_version(self._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1013
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1014 def get_pubkey(self):
1015 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1016 Get the public key of the certificate.
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1017
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1018 :return: The public key.
1019 :rtype: :py:class:`PKey`
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1020 """
1021 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1022 pkey._pkey = _lib.X509_get_pubkey(self._x509)
1023 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1024 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1025 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1026 pkey._only_public = True
1027 return pkey
1028
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1029 def set_pubkey(self, pkey):
1030 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1031 Set the public key of the certificate.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1032
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1033 :param pkey: The public key.
1034 :type pkey: :py:class:`PKey`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1035
Laurens Van Houtven33fcf122015-04-23 10:50:08 -0700[diff] [blame]1036 :return: :py:data:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1037 """
1038 if not isinstance(pkey, PKey):
1039 raise TypeError("pkey must be a PKey instance")
1040
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1041 set_result = _lib.X509_set_pubkey(self._x509, pkey._pkey)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1042 if not set_result:
1043 _raise_current_error()
1044
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1045 def sign(self, pkey, digest):
1046 """
Laurens Van Houtven6f2e4262015-04-23 10:48:32 -0700[diff] [blame]1047 Sign the certificate with this key and digest type.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1048
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1049 :param pkey: The key to sign with.
1050 :type pkey: :py:class:`PKey`
1051
1052 :param digest: The name of the message digest to use.
1053 :type digest: :py:class:`bytes`
1054
Laurens Van Houtvena367fe82015-04-23 10:49:12 -0700[diff] [blame]1055 :return: :py:data:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1056 """
1057 if not isinstance(pkey, PKey):
1058 raise TypeError("pkey must be a PKey instance")
1059
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1060 if pkey._only_public:
1061 raise ValueError("Key only has public part")
1062
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]1063 if not pkey._initialized:
1064 raise ValueError("Key is uninitialized")
1065
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1066 evp_md = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1067 if evp_md == _ffi.NULL:
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1068 raise ValueError("No such digest method")
1069
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1070 sign_result = _lib.X509_sign(self._x509, pkey._pkey, evp_md)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1071 if not sign_result:
1072 _raise_current_error()
1073
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1074 def get_signature_algorithm(self):
1075 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1076 Return the signature algorithm used in the certificate.
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1077
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1078 :return: The name of the algorithm.
1079 :rtype: :py:class:`bytes`
1080
1081 :raises ValueError: If the signature algorithm is undefined.
1082
Laurens Van Houtven0dd87402015-04-23 10:47:18 -0700[diff] [blame]1083 .. versionadded:: 0.13
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1084 """
Alex Gaynor39ea5312016-06-02 09:12:10 -0700[diff] [blame]1085 algor = _lib.X509_get0_tbs_sigalg(self._x509)
1086 nid = _lib.OBJ_obj2nid(algor.algorithm)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1087 if nid == _lib.NID_undef:
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1088 raise ValueError("Undefined signature algorithm")
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1089 return _ffi.string(_lib.OBJ_nid2ln(nid))
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1090
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1091 def digest(self, digest_name):
1092 """
1093 Return the digest of the X509 object.
1094
1095 :param digest_name: The name of the digest algorithm to use.
1096 :type digest_name: :py:class:`bytes`
1097
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1098 :return: The digest of the object, formatted as
1099 :py:const:`b":"`-delimited hex pairs.
1100 :rtype: :py:class:`bytes`
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1101 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1102 digest = _lib.EVP_get_digestbyname(_byte_string(digest_name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1103 if digest == _ffi.NULL:
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1104 raise ValueError("No such digest method")
1105
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1106 result_buffer = _ffi.new("char[]", _lib.EVP_MAX_MD_SIZE)
1107 result_length = _ffi.new("unsigned int[]", 1)
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1108 result_length[0] = len(result_buffer)
1109
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1110 digest_result = _lib.X509_digest(
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1111 self._x509, digest, result_buffer, result_length)
1112
1113 if not digest_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1114 # TODO: This is untested.
1115 _raise_current_error()
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1116
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1117 return b":".join([
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]1118 b16encode(ch).upper() for ch
1119 in _ffi.buffer(result_buffer, result_length[0])])
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1120
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1121 def subject_name_hash(self):
1122 """
1123 Return the hash of the X509 subject.
1124
1125 :return: The hash of the subject.
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1126 :rtype: :py:class:`bytes`
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1127 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1128 return _lib.X509_subject_name_hash(self._x509)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1129
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1130 def set_serial_number(self, serial):
1131 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1132 Set the serial number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1133
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1134 :param serial: The new serial number.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1135 :type serial: :py:class:`int`
1136
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1137 :return: :py:data`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1138 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1139 if not isinstance(serial, _integer_types):
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1140 raise TypeError("serial must be an integer")
1141
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1142 hex_serial = hex(serial)[2:]
1143 if not isinstance(hex_serial, bytes):
1144 hex_serial = hex_serial.encode('ascii')
1145
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1146 bignum_serial = _ffi.new("BIGNUM**")
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1147
1148 # BN_hex2bn stores the result in &bignum. Unless it doesn't feel like
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]1149 # it. If bignum is still NULL after this call, then the return value
1150 # is actually the result. I hope. -exarkun
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1151 small_serial = _lib.BN_hex2bn(bignum_serial, hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1152
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1153 if bignum_serial[0] == _ffi.NULL:
1154 set_result = _lib.ASN1_INTEGER_set(
1155 _lib.X509_get_serialNumber(self._x509), small_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1156 if set_result:
1157 # TODO Not tested
1158 _raise_current_error()
1159 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1160 asn1_serial = _lib.BN_to_ASN1_INTEGER(bignum_serial[0], _ffi.NULL)
1161 _lib.BN_free(bignum_serial[0])
1162 if asn1_serial == _ffi.NULL:
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1163 # TODO Not tested
1164 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1165 asn1_serial = _ffi.gc(asn1_serial, _lib.ASN1_INTEGER_free)
1166 set_result = _lib.X509_set_serialNumber(self._x509, asn1_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1167 if not set_result:
1168 # TODO Not tested
1169 _raise_current_error()
1170
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1171 def get_serial_number(self):
1172 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1173 Return the serial number of this certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1174
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1175 :return: The serial number.
1176 :rtype: :py:class:`int`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1177 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1178 asn1_serial = _lib.X509_get_serialNumber(self._x509)
1179 bignum_serial = _lib.ASN1_INTEGER_to_BN(asn1_serial, _ffi.NULL)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1180 try:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1181 hex_serial = _lib.BN_bn2hex(bignum_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1182 try:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1183 hexstring_serial = _ffi.string(hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1184 serial = int(hexstring_serial, 16)
1185 return serial
1186 finally:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1187 _lib.OPENSSL_free(hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1188 finally:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1189 _lib.BN_free(bignum_serial)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1190
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1191 def gmtime_adj_notAfter(self, amount):
1192 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1193 Adjust the time stamp on which the certificate stops being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1194
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1195 :param amount: The number of seconds by which to adjust the timestamp.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1196 :type amount: :py:class:`int`
1197
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1198 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1199 """
1200 if not isinstance(amount, int):
1201 raise TypeError("amount must be an integer")
1202
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1203 notAfter = _lib.X509_get_notAfter(self._x509)
1204 _lib.X509_gmtime_adj(notAfter, amount)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1205
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1206 def gmtime_adj_notBefore(self, amount):
1207 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1208 Adjust the timestamp on which the certificate starts being valid.
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1209
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1210 :param amount: The number of seconds by which to adjust the timestamp.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1211 :return: :py:const:`None`
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1212 """
1213 if not isinstance(amount, int):
1214 raise TypeError("amount must be an integer")
1215
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1216 notBefore = _lib.X509_get_notBefore(self._x509)
1217 _lib.X509_gmtime_adj(notBefore, amount)
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1218
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1219 def has_expired(self):
1220 """
1221 Check whether the certificate has expired.
1222
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1223 :return: :py:const:`True` if the certificate has expired,
1224 :py:const:`False` otherwise.
1225 :rtype: :py:class:`bool`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1226 """
Paul Kehrer8d887e12015-10-24 09:09:55 -0500[diff] [blame]1227 time_string = _native(self.get_notAfter())
Paul Kehrerfde45c92016-01-21 12:57:37 -0600[diff] [blame]1228 not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
Paul Kehrer5d5d28d2015-10-21 18:55:22 -0500[diff] [blame]1229
Paul Kehrerfde45c92016-01-21 12:57:37 -0600[diff] [blame]1230 return not_after < datetime.datetime.utcnow()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1231
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1232 def _get_boundary_time(self, which):
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1233 return _get_asn1_time(which(self._x509))
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1234
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1235 def get_notBefore(self):
1236 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1237 Get the timestamp at which the certificate starts being valid.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1238
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1239 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1240
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1241 YYYYMMDDhhmmssZ
1242 YYYYMMDDhhmmss+hhmm
1243 YYYYMMDDhhmmss-hhmm
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1244
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1245 :return: A timestamp string, or :py:const:`None` if there is none.
1246 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1247 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1248 return self._get_boundary_time(_lib.X509_get_notBefore)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1249
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1250 def _set_boundary_time(self, which, when):
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1251 return _set_asn1_time(which(self._x509), when)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1252
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1253 def set_notBefore(self, when):
1254 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1255 Set the timestamp at which the certificate starts being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1256
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1257 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1258
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1259 YYYYMMDDhhmmssZ
1260 YYYYMMDDhhmmss+hhmm
1261 YYYYMMDDhhmmss-hhmm
1262
1263 :param when: A timestamp string.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1264 :type when: :py:class:`bytes`
1265
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1266 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1267 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1268 return self._set_boundary_time(_lib.X509_get_notBefore, when)
Jean-Paul Calderoned7d81272013-02-19 13:16:03 -0800[diff] [blame]1269
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1270 def get_notAfter(self):
1271 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1272 Get the timestamp at which the certificate stops being valid.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1273
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1274 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1275
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1276 YYYYMMDDhhmmssZ
1277 YYYYMMDDhhmmss+hhmm
1278 YYYYMMDDhhmmss-hhmm
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1279
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1280 :return: A timestamp string, or :py:const:`None` if there is none.
1281 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1282 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1283 return self._get_boundary_time(_lib.X509_get_notAfter)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1284
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1285 def set_notAfter(self, when):
1286 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1287 Set the timestamp at which the certificate stops being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1288
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1289 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1290
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1291 YYYYMMDDhhmmssZ
1292 YYYYMMDDhhmmss+hhmm
1293 YYYYMMDDhhmmss-hhmm
1294
1295 :param when: A timestamp string.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1296 :type when: :py:class:`bytes`
1297
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1298 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1299 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1300 return self._set_boundary_time(_lib.X509_get_notAfter, when)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1301
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1302 def _get_name(self, which):
1303 name = X509Name.__new__(X509Name)
1304 name._name = which(self._x509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1305 if name._name == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1306 # TODO: This is untested.
1307 _raise_current_error()
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1308
1309 # The name is owned by the X509 structure. As long as the X509Name
1310 # Python object is alive, keep the X509 Python object alive.
1311 name._owner = self
1312
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1313 return name
1314
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1315 def _set_name(self, which, name):
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1316 if not isinstance(name, X509Name):
1317 raise TypeError("name must be an X509Name")
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1318 set_result = which(self._x509, name._name)
1319 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1320 # TODO: This is untested.
1321 _raise_current_error()
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1322
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1323 def get_issuer(self):
1324 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1325 Return the issuer of this certificate.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1326
Cory Benfielde6bcce82015-12-09 08:40:03 +0000[diff] [blame]1327 This creates a new :class:`X509Name` that wraps the underlying issuer
1328 name field on the certificate. Modifying it will modify the underlying
1329 certificate, and will have the effect of modifying any other
1330 :class:`X509Name` that refers to this issuer.
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1331
1332 :return: The issuer of this certificate.
Cory Benfielde6bcce82015-12-09 08:40:03 +0000[diff] [blame]1333 :rtype: :class:`X509Name`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1334 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1335 return self._get_name(_lib.X509_get_issuer_name)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1336
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1337 def set_issuer(self, issuer):
1338 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1339 Set the issuer of this certificate.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1340
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1341 :param issuer: The issuer.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1342 :type issuer: :py:class:`X509Name`
1343
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1344 :return: :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1345 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1346 return self._set_name(_lib.X509_set_issuer_name, issuer)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1347
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1348 def get_subject(self):
1349 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1350 Return the subject of this certificate.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1351
Cory Benfielde6bcce82015-12-09 08:40:03 +0000[diff] [blame]1352 This creates a new :class:`X509Name` that wraps the underlying subject
1353 name field on the certificate. Modifying it will modify the underlying
1354 certificate, and will have the effect of modifying any other
1355 :class:`X509Name` that refers to this subject.
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1356
1357 :return: The subject of this certificate.
Cory Benfielde6bcce82015-12-09 08:40:03 +0000[diff] [blame]1358 :rtype: :class:`X509Name`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1359 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1360 return self._get_name(_lib.X509_get_subject_name)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1361
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1362 def set_subject(self, subject):
1363 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1364 Set the subject of this certificate.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1365
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1366 :param subject: The subject.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1367 :type subject: :py:class:`X509Name`
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1368
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1369 :return: :py:const:`None`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1370 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1371 return self._set_name(_lib.X509_set_subject_name, subject)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1372
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1373 def get_extension_count(self):
1374 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1375 Get the number of extensions on this certificate.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1376
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1377 :return: The number of extensions.
1378 :rtype: :py:class:`int`
1379
1380 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1381 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1382 return _lib.X509_get_ext_count(self._x509)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1383
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1384 def add_extensions(self, extensions):
1385 """
1386 Add extensions to the certificate.
1387
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1388 :param extensions: The extensions to add.
1389 :type extensions: An iterable of :py:class:`X509Extension` objects.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1390 :return: :py:const:`None`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1391 """
1392 for ext in extensions:
1393 if not isinstance(ext, X509Extension):
1394 raise ValueError("One of the elements is not an X509Extension")
1395
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1396 add_result = _lib.X509_add_ext(self._x509, ext._extension, -1)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1397 if not add_result:
1398 _raise_current_error()
1399
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1400 def get_extension(self, index):
1401 """
1402 Get a specific extension of the certificate by index.
1403
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1404 Extensions on a certificate are kept in order. The index
1405 parameter selects which extension will be returned.
1406
1407 :param int index: The index of the extension to retrieve.
1408 :return: The extension at the specified index.
1409 :rtype: :py:class:`X509Extension`
1410 :raises IndexError: If the extension index was out of bounds.
1411
1412 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1413 """
1414 ext = X509Extension.__new__(X509Extension)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1415 ext._extension = _lib.X509_get_ext(self._x509, index)
1416 if ext._extension == _ffi.NULL:
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1417 raise IndexError("extension index out of bounds")
1418
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1419 extension = _lib.X509_EXTENSION_dup(ext._extension)
1420 ext._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1421 return ext
1422
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1423
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1424X509Type = X509
1425
1426
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1427class X509Store(object):
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1428 """
1429 An X509 certificate store.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1430 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]1431
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1432 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1433 store = _lib.X509_STORE_new()
1434 self._store = _ffi.gc(store, _lib.X509_STORE_free)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1435
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1436 def add_cert(self, cert):
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1437 """
1438 Adds the certificate :py:data:`cert` to this store.
1439
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]1440 This is the Python equivalent of OpenSSL's ``X509_STORE_add_cert``.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1441
1442 :param X509 cert: The certificate to add to this store.
1443 :raises TypeError: If the certificate is not an :py:class:`X509`.
1444 :raises Error: If OpenSSL was unhappy with your certificate.
Laurens Van Houtven5ee60b32015-04-23 10:51:16 -0700[diff] [blame]1445 :return: :py:data:`None` if the certificate was added successfully.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1446 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1447 if not isinstance(cert, X509):
1448 raise TypeError()
1449
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1450 result = _lib.X509_STORE_add_cert(self._store, cert._x509)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1451 if not result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]1452 _raise_current_error()
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]1453
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1454
1455X509StoreType = X509Store
1456
1457
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1458class X509StoreContextError(Exception):
1459 """
Stephen Holsapple8ad4a192015-06-09 22:51:43 -0700[diff] [blame]1460 An exception raised when an error occurred while verifying a certificate
1461 using `OpenSSL.X509StoreContext.verify_certificate`.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1462
Jean-Paul Calderonefeb17432015-03-15 15:49:45 -0400[diff] [blame]1463 :ivar certificate: The certificate which caused verificate failure.
Stephen Holsapple8ad4a192015-06-09 22:51:43 -0700[diff] [blame]1464 :type certificate: :class:`X509`
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1465 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]1466
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1467 def __init__(self, message, certificate):
1468 super(X509StoreContextError, self).__init__(message)
1469 self.certificate = certificate
1470
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1471
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1472class X509StoreContext(object):
1473 """
1474 An X.509 store context.
1475
Jean-Paul Calderone13a81682015-01-18 15:49:15 -0500[diff] [blame]1476 An :py:class:`X509StoreContext` is used to define some of the criteria for
1477 certificate verification. The information encapsulated in this object
1478 includes, but is not limited to, a set of trusted certificates,
1479 verification parameters, and revoked certificates.
1480
Stephen Holsapple8ad4a192015-06-09 22:51:43 -0700[diff] [blame]1481 .. note::
1482
1483 Currently, one can only set the trusted certificates on an
1484 :py:class:`X509StoreContext`. Future versions of pyOpenSSL will expose
1485 verification parameters and certificate revocation lists.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1486
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1487 :ivar _store_ctx: The underlying X509_STORE_CTX structure used by this
1488 instance. It is dynamically allocated and automatically garbage
1489 collected.
1490
Jean-Paul Calderone64b6b842015-03-15 16:08:02 -0400[diff] [blame]1491 :ivar _store: See the ``store`` ``__init__`` parameter.
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1492
Jean-Paul Calderone64b6b842015-03-15 16:08:02 -0400[diff] [blame]1493 :ivar _cert: See the ``certificate`` ``__init__`` parameter.
Stephen Holsapple8ad4a192015-06-09 22:51:43 -0700[diff] [blame]1494
1495 :param X509Store store: The certificates which will be trusted for the
1496 purposes of any verifications.
1497
1498 :param X509 certificate: The certificate to be verified.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1499 """
1500
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1501 def __init__(self, store, certificate):
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1502 store_ctx = _lib.X509_STORE_CTX_new()
1503 self._store_ctx = _ffi.gc(store_ctx, _lib.X509_STORE_CTX_free)
1504 self._store = store
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1505 self._cert = certificate
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1506 # Make the store context available for use after instantiating this
1507 # class by initializing it now. Per testing, subsequent calls to
1508 # :py:meth:`_init` have no adverse affect.
1509 self._init()
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1510
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1511 def _init(self):
1512 """
1513 Set up the store context for a subsequent verification operation.
1514 """
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]1515 ret = _lib.X509_STORE_CTX_init(
1516 self._store_ctx, self._store._store, self._cert._x509, _ffi.NULL
1517 )
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1518 if ret <= 0:
1519 _raise_current_error()
1520
1521 def _cleanup(self):
1522 """
1523 Internally cleans up the store context.
1524
1525 The store context can then be reused with a new call to
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1526 :py:meth:`_init`.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1527 """
1528 _lib.X509_STORE_CTX_cleanup(self._store_ctx)
1529
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1530 def _exception_from_context(self):
1531 """
1532 Convert an OpenSSL native context error failure into a Python
1533 exception.
1534
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]1535 When a call to native OpenSSL X509_verify_cert fails, additional
1536 information about the failure can be obtained from the store context.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1537 """
1538 errors = [
1539 _lib.X509_STORE_CTX_get_error(self._store_ctx),
1540 _lib.X509_STORE_CTX_get_error_depth(self._store_ctx),
1541 _native(_ffi.string(_lib.X509_verify_cert_error_string(
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]1542 _lib.X509_STORE_CTX_get_error(self._store_ctx)))),
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1543 ]
Stephen Holsapple1f713eb2015-02-09 19:19:44 -0800[diff] [blame]1544 # A context error should always be associated with a certificate, so we
1545 # expect this call to never return :class:`None`.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1546 _x509 = _lib.X509_STORE_CTX_get_current_cert(self._store_ctx)
Stephen Holsapple1f713eb2015-02-09 19:19:44 -0800[diff] [blame]1547 _cert = _lib.X509_dup(_x509)
1548 pycert = X509.__new__(X509)
1549 pycert._x509 = _ffi.gc(_cert, _lib.X509_free)
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1550 return X509StoreContextError(errors, pycert)
1551
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1552 def set_store(self, store):
1553 """
1554 Set the context's trust store.
1555
Stephen Holsapple8ad4a192015-06-09 22:51:43 -0700[diff] [blame]1556 .. versionadded:: 0.15
1557
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1558 :param X509Store store: The certificates which will be trusted for the
1559 purposes of any *future* verifications.
1560 """
1561 self._store = store
1562
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1563 def verify_certificate(self):
1564 """
1565 Verify a certificate in a context.
1566
Stephen Holsapple8ad4a192015-06-09 22:51:43 -0700[diff] [blame]1567 .. versionadded:: 0.15
1568
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1569 :param store_ctx: The :py:class:`X509StoreContext` to verify.
Stephen Holsapple8ad4a192015-06-09 22:51:43 -0700[diff] [blame]1570
Alex Gaynorca87ff62015-09-04 23:31:03 -0400[diff] [blame]1571 :raises X509StoreContextError: If an error occurred when validating a
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]1572 certificate in the context. Sets ``certificate`` attribute to
1573 indicate which certificate caused the error.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1574 """
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1575 # Always re-initialize the store context in case
1576 # :py:meth:`verify_certificate` is called multiple times.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1577 self._init()
1578 ret = _lib.X509_verify_cert(self._store_ctx)
1579 self._cleanup()
1580 if ret <= 0:
1581 raise self._exception_from_context()
1582
1583
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1584def load_certificate(type, buffer):
1585 """
1586 Load a certificate from a buffer
1587
1588 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
1589
1590 :param buffer: The buffer the certificate is stored in
1591 :type buffer: :py:class:`bytes`
1592
1593 :return: The X509 object
1594 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]1595 if isinstance(buffer, _text_type):
1596 buffer = buffer.encode("ascii")
1597
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1598 bio = _new_mem_buf(buffer)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1599
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1600 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1601 x509 = _lib.PEM_read_bio_X509(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1602 elif type == FILETYPE_ASN1:
Alex Gaynor962ac212015-09-04 08:06:42 -0400[diff] [blame]1603 x509 = _lib.d2i_X509_bio(bio, _ffi.NULL)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1604 else:
1605 raise ValueError(
1606 "type argument must be FILETYPE_PEM or FILETYPE_ASN1")
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1607
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1608 if x509 == _ffi.NULL:
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1609 _raise_current_error()
1610
1611 cert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1612 cert._x509 = _ffi.gc(x509, _lib.X509_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1613 return cert
1614
1615
1616def dump_certificate(type, cert):
1617 """
1618 Dump a certificate to a buffer
1619
Jean-Paul Calderonea12e7d22013-04-03 08:17:34 -0400[diff] [blame]1620 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or
1621 FILETYPE_TEXT)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1622 :param cert: The certificate to dump
1623 :return: The buffer with the dumped certificate in
1624 """
Jean-Paul Calderone0c73aff2013-03-02 07:45:12 -0800[diff] [blame]1625 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]1626
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1627 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1628 result_code = _lib.PEM_write_bio_X509(bio, cert._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1629 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1630 result_code = _lib.i2d_X509_bio(bio, cert._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1631 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1632 result_code = _lib.X509_print_ex(bio, cert._x509, 0, 0)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1633 else:
1634 raise ValueError(
1635 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
1636 "FILETYPE_TEXT")
1637
Alex Gaynorc7a9eb52015-09-05 16:57:49 -0400[diff] [blame]1638 assert result_code == 1
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1639 return _bio_to_string(bio)
1640
1641
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]1642def dump_publickey(type, pkey):
1643 """
Cory Benfield11c10192015-10-27 17:23:03 +0900[diff] [blame]1644 Dump a public key to a buffer.
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]1645
Cory Benfield9c590b92015-10-28 14:55:05 +0900[diff] [blame]1646 :param type: The file type (one of :data:`FILETYPE_PEM` or
Cory Benfielde813cec2015-10-28 08:57:08 +0900[diff] [blame]1647 :data:`FILETYPE_ASN1`).
Cory Benfield2b6bb802015-10-28 22:19:31 +0900[diff] [blame]1648 :param PKey pkey: The public key to dump
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]1649 :return: The buffer with the dumped key in it.
Cory Benfield11c10192015-10-27 17:23:03 +0900[diff] [blame]1650 :rtype: bytes
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]1651 """
1652 bio = _new_mem_buf()
1653 if type == FILETYPE_PEM:
1654 write_bio = _lib.PEM_write_bio_PUBKEY
1655 elif type == FILETYPE_ASN1:
1656 write_bio = _lib.i2d_PUBKEY_bio
1657 else:
1658 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
1659
1660 result_code = write_bio(bio, pkey._pkey)
Cory Benfield1e9c7ab2015-10-28 08:58:31 +0900[diff] [blame]1661 if result_code != 1: # pragma: no cover
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]1662 _raise_current_error()
1663
1664 return _bio_to_string(bio)
1665
1666
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1667def dump_privatekey(type, pkey, cipher=None, passphrase=None):
1668 """
1669 Dump a private key to a buffer
1670
Jean-Paul Calderonee66fde22013-04-03 08:35:08 -0400[diff] [blame]1671 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or
1672 FILETYPE_TEXT)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1673 :param pkey: The PKey to dump
1674 :param cipher: (optional) if encrypted PEM format, the cipher to
1675 use
1676 :param passphrase: (optional) if encrypted PEM format, this can be either
1677 the passphrase to use, or a callback for providing the
1678 passphrase.
1679 :return: The buffer with the dumped key in
Maximilian Hils0de43752015-09-18 15:26:54 +0200[diff] [blame]1680 :rtype: :py:data:`bytes`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1681 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]1682 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]1683
1684 if cipher is not None:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1685 if passphrase is None:
1686 raise TypeError(
1687 "if a value is given for cipher "
1688 "one must also be given for passphrase")
1689 cipher_obj = _lib.EVP_get_cipherbyname(_byte_string(cipher))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1690 if cipher_obj == _ffi.NULL:
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]1691 raise ValueError("Invalid cipher name")
1692 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1693 cipher_obj = _ffi.NULL
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1694
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]1695 helper = _PassphraseHelper(type, passphrase)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1696 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1697 result_code = _lib.PEM_write_bio_PrivateKey(
1698 bio, pkey._pkey, cipher_obj, _ffi.NULL, 0,
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]1699 helper.callback, helper.callback_args)
1700 helper.raise_if_problem()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1701 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1702 result_code = _lib.i2d_PrivateKey_bio(bio, pkey._pkey)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1703 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1704 rsa = _lib.EVP_PKEY_get1_RSA(pkey._pkey)
1705 result_code = _lib.RSA_print(bio, rsa, 0)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1706 # TODO RSA_free(rsa)?
1707 else:
1708 raise ValueError(
1709 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
1710 "FILETYPE_TEXT")
1711
1712 if result_code == 0:
1713 _raise_current_error()
1714
1715 return _bio_to_string(bio)
1716
1717
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1718class Revoked(object):
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1719 """
1720 A certificate revocation.
1721 """
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1722 # http://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_
1723 # which differs from crl_reasons of crypto/x509v3/v3_enum.c that matches
1724 # OCSP_crl_reason_str. We use the latter, just like the command line
1725 # program.
1726 _crl_reasons = [
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1727 b"unspecified",
1728 b"keyCompromise",
1729 b"CACompromise",
1730 b"affiliationChanged",
1731 b"superseded",
1732 b"cessationOfOperation",
1733 b"certificateHold",
1734 # b"removeFromCRL",
Alex Gaynorca87ff62015-09-04 23:31:03 -0400[diff] [blame]1735 ]
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1736
1737 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1738 revoked = _lib.X509_REVOKED_new()
1739 self._revoked = _ffi.gc(revoked, _lib.X509_REVOKED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1740
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1741 def set_serial(self, hex_str):
1742 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1743 Set the serial number.
1744
1745 The serial number is formatted as a hexadecimal number encoded in
1746 ASCII.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1747
1748 :param hex_str: The new serial number.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1749 :type hex_str: :py:class:`bytes`
1750
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1751 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1752 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1753 bignum_serial = _ffi.gc(_lib.BN_new(), _lib.BN_free)
1754 bignum_ptr = _ffi.new("BIGNUM**")
Jean-Paul Calderonefd371362013-03-01 20:53:58 -0800[diff] [blame]1755 bignum_ptr[0] = bignum_serial
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1756 bn_result = _lib.BN_hex2bn(bignum_ptr, hex_str)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1757 if not bn_result:
1758 raise ValueError("bad hex string")
1759
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1760 asn1_serial = _ffi.gc(
1761 _lib.BN_to_ASN1_INTEGER(bignum_serial, _ffi.NULL),
1762 _lib.ASN1_INTEGER_free)
1763 _lib.X509_REVOKED_set_serialNumber(self._revoked, asn1_serial)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1764
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1765 def get_serial(self):
1766 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1767 Get the serial number.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1768
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1769 The serial number is formatted as a hexadecimal number encoded in
1770 ASCII.
1771
1772 :return: The serial number.
1773 :rtype: :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1774 """
Jean-Paul Calderonefd371362013-03-01 20:53:58 -0800[diff] [blame]1775 bio = _new_mem_buf()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1776
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]1777 asn1_int = _lib.X509_REVOKED_get0_serialNumber(self._revoked)
1778 _openssl_assert(asn1_int != _ffi.NULL)
1779 result = _lib.i2a_ASN1_INTEGER(bio, asn1_int)
1780 _openssl_assert(result >= 0)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1781 return _bio_to_string(bio)
1782
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1783 def _delete_reason(self):
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]1784 for i in range(_lib.X509_REVOKED_get_ext_count(self._revoked)):
1785 ext = _lib.X509_REVOKED_get_ext(self._revoked, i)
Paul Kehrere8f91cc2016-03-09 21:26:29 -0400[diff] [blame]1786 obj = _lib.X509_EXTENSION_get_object(ext)
1787 if _lib.OBJ_obj2nid(obj) == _lib.NID_crl_reason:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1788 _lib.X509_EXTENSION_free(ext)
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]1789 _lib.X509_REVOKED_delete_ext(self._revoked, i)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1790 break
1791
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1792 def set_reason(self, reason):
1793 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1794 Set the reason of this revocation.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1795
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1796 If :py:data:`reason` is :py:const:`None`, delete the reason instead.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1797
1798 :param reason: The reason string.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1799 :type reason: :py:class:`bytes` or :py:class:`NoneType`
1800
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1801 :return: :py:const:`None`
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1802
1803 .. seealso::
1804
1805 :py:meth:`all_reasons`, which gives you a list of all supported
1806 reasons which you might pass to this method.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1807 """
1808 if reason is None:
1809 self._delete_reason()
1810 elif not isinstance(reason, bytes):
1811 raise TypeError("reason must be None or a byte string")
1812 else:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1813 reason = reason.lower().replace(b' ', b'')
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1814 reason_code = [r.lower() for r in self._crl_reasons].index(reason)
1815
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1816 new_reason_ext = _lib.ASN1_ENUMERATED_new()
1817 if new_reason_ext == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1818 # TODO: This is untested.
1819 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1820 new_reason_ext = _ffi.gc(new_reason_ext, _lib.ASN1_ENUMERATED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1821
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1822 set_result = _lib.ASN1_ENUMERATED_set(new_reason_ext, reason_code)
1823 if set_result == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1824 # TODO: This is untested.
1825 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1826
1827 self._delete_reason()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1828 add_result = _lib.X509_REVOKED_add1_ext_i2d(
1829 self._revoked, _lib.NID_crl_reason, new_reason_ext, 0, 0)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1830
1831 if not add_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1832 # TODO: This is untested.
1833 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1834
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1835 def get_reason(self):
1836 """
Alex Gaynor80262fb2016-04-22 07:53:42 -0400[diff] [blame]1837 Get the reason of this revocation.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1838
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1839 :return: The reason, or :py:const:`None` if there is none.
1840 :rtype: :py:class:`bytes` or :py:class:`NoneType`
1841
1842 .. seealso::
1843
1844 :py:meth:`all_reasons`, which gives you a list of all supported
1845 reasons this method might return.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1846 """
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]1847 for i in range(_lib.X509_REVOKED_get_ext_count(self._revoked)):
1848 ext = _lib.X509_REVOKED_get_ext(self._revoked, i)
Paul Kehrere8f91cc2016-03-09 21:26:29 -0400[diff] [blame]1849 obj = _lib.X509_EXTENSION_get_object(ext)
1850 if _lib.OBJ_obj2nid(obj) == _lib.NID_crl_reason:
Jean-Paul Calderonefd371362013-03-01 20:53:58 -0800[diff] [blame]1851 bio = _new_mem_buf()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1852
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1853 print_result = _lib.X509V3_EXT_print(bio, ext, 0, 0)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1854 if not print_result:
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]1855 print_result = _lib.M_ASN1_OCTET_STRING_print(
Paul Kehrere8f91cc2016-03-09 21:26:29 -0400[diff] [blame]1856 bio, _lib.X509_EXTENSION_get_data(ext)
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]1857 )
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1858 if print_result == 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1859 # TODO: This is untested.
1860 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1861
1862 return _bio_to_string(bio)
1863
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1864 def all_reasons(self):
1865 """
1866 Return a list of all the supported reason strings.
1867
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1868 This list is a copy; modifying it does not change the supported reason
1869 strings.
1870
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1871 :return: A list of reason strings.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1872 :rtype: :py:class:`list` of :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1873 """
1874 return self._crl_reasons[:]
1875
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1876 def set_rev_date(self, when):
1877 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1878 Set the revocation timestamp.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1879
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1880 :param when: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
1881 :type when: :py:class:`bytes`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1882 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1883 """
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]1884 dt = _lib.X509_REVOKED_get0_revocationDate(self._revoked)
1885 return _set_asn1_time(dt, when)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1886
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1887 def get_rev_date(self):
1888 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1889 Get the revocation timestamp.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1890
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1891 :return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
1892 :rtype: :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1893 """
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]1894 dt = _lib.X509_REVOKED_get0_revocationDate(self._revoked)
1895 return _get_asn1_time(dt)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1896
1897
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1898class CRL(object):
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1899 """
1900 A certificate revocation list.
1901 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]1902
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1903 def __init__(self):
1904 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1905 Create a new empty certificate revocation list.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1906 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1907 crl = _lib.X509_CRL_new()
1908 self._crl = _ffi.gc(crl, _lib.X509_CRL_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1909
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1910 def get_revoked(self):
1911 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1912 Return the revocations in this certificate revocation list.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1913
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1914 These revocations will be provided by value, not by reference.
1915 That means it's okay to mutate them: it won't affect this CRL.
1916
1917 :return: The revocations in this CRL.
1918 :rtype: :py:class:`tuple` of :py:class:`Revocation`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1919 """
1920 results = []
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]1921 revoked_stack = _lib.X509_CRL_get_REVOKED(self._crl)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1922 for i in range(_lib.sk_X509_REVOKED_num(revoked_stack)):
1923 revoked = _lib.sk_X509_REVOKED_value(revoked_stack, i)
Paul Kehrer2fe23b02016-03-09 22:02:15 -0400[diff] [blame]1924 revoked_copy = _lib.Cryptography_X509_REVOKED_dup(revoked)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1925 pyrev = Revoked.__new__(Revoked)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1926 pyrev._revoked = _ffi.gc(revoked_copy, _lib.X509_REVOKED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1927 results.append(pyrev)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]1928 if results:
1929 return tuple(results)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1930
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1931 def add_revoked(self, revoked):
1932 """
1933 Add a revoked (by value not reference) to the CRL structure
1934
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1935 This revocation will be added by value, not by reference. That
1936 means it's okay to mutate it after adding: it won't affect
1937 this CRL.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1938
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1939 :param revoked: The new revocation.
1940 :type revoked: :class:`Revoked`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1941
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1942 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1943 """
Paul Kehrer8dddb1a2016-03-09 21:48:04 -0400[diff] [blame]1944 copy = _lib.Cryptography_X509_REVOKED_dup(revoked._revoked)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1945 if copy == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1946 # TODO: This is untested.
1947 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1948
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1949 add_result = _lib.X509_CRL_add0_revoked(self._crl, copy)
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1950 if add_result == 0:
1951 # TODO: This is untested.
1952 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1953
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]1954 def export(self, cert, key, type=FILETYPE_PEM, days=100,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]1955 digest=_UNSPECIFIED):
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1956 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1957 Export a CRL as a string.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1958
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1959 :param cert: The certificate used to sign the CRL.
1960 :type cert: :py:class:`X509`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1961
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1962 :param key: The key used to sign the CRL.
1963 :type key: :py:class:`PKey`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1964
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]1965 :param type: The export format, either :py:data:`FILETYPE_PEM`,
1966 :py:data:`FILETYPE_ASN1`, or :py:data:`FILETYPE_TEXT`.
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]1967
Jean-Paul Calderonedf514012015-04-13 21:45:18 -0400[diff] [blame]1968 :param int days: The number of days until the next update of this CRL.
Bulat Gaifullin5f9eea42014-09-23 19:35:15 +0400[diff] [blame]1969
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]1970 :param bytes digest: The name of the message digest to use (eg
1971 ``b"sha1"``).
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1972
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]1973 :return: :py:data:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1974 """
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]1975 if not isinstance(cert, X509):
1976 raise TypeError("cert must be an X509 instance")
1977 if not isinstance(key, PKey):
1978 raise TypeError("key must be a PKey instance")
1979 if not isinstance(type, int):
1980 raise TypeError("type must be an integer")
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1981
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]1982 if digest is _UNSPECIFIED:
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]1983 _warn(
1984 "The default message digest (md5) is deprecated. "
1985 "Pass the name of a message digest explicitly.",
1986 category=DeprecationWarning,
1987 stacklevel=2,
1988 )
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]1989 digest = b"md5"
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]1990
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]1991 digest_obj = _lib.EVP_get_digestbyname(digest)
Bulat Gaifullin2923dc02014-09-21 22:36:48 +0400[diff] [blame]1992 if digest_obj == _ffi.NULL:
1993 raise ValueError("No such digest method")
1994
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1995 bio = _lib.BIO_new(_lib.BIO_s_mem())
1996 if bio == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1997 # TODO: This is untested.
1998 _raise_current_error()
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]1999
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]2000 # A scratch time object to give different values to different CRL
2001 # fields
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2002 sometime = _lib.ASN1_TIME_new()
2003 if sometime == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2004 # TODO: This is untested.
2005 _raise_current_error()
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2006
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2007 _lib.X509_gmtime_adj(sometime, 0)
2008 _lib.X509_CRL_set_lastUpdate(self._crl, sometime)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2009
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2010 _lib.X509_gmtime_adj(sometime, days * 24 * 60 * 60)
2011 _lib.X509_CRL_set_nextUpdate(self._crl, sometime)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2012
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2013 _lib.X509_CRL_set_issuer_name(
2014 self._crl, _lib.X509_get_subject_name(cert._x509)
2015 )
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2016
Bulat Gaifullin2923dc02014-09-21 22:36:48 +0400[diff] [blame]2017 sign_result = _lib.X509_CRL_sign(self._crl, key._pkey, digest_obj)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2018 if not sign_result:
2019 _raise_current_error()
2020
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]2021 return dump_crl(type, self)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2022
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2023
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2024CRLType = CRL
2025
2026
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2027class PKCS7(object):
2028 def type_is_signed(self):
2029 """
2030 Check if this NID_pkcs7_signed object
2031
2032 :return: True if the PKCS7 is of type signed
2033 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2034 if _lib.PKCS7_type_is_signed(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2035 return True
2036 return False
2037
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2038 def type_is_enveloped(self):
2039 """
2040 Check if this NID_pkcs7_enveloped object
2041
2042 :returns: True if the PKCS7 is of type enveloped
2043 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2044 if _lib.PKCS7_type_is_enveloped(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2045 return True
2046 return False
2047
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2048 def type_is_signedAndEnveloped(self):
2049 """
2050 Check if this NID_pkcs7_signedAndEnveloped object
2051
2052 :returns: True if the PKCS7 is of type signedAndEnveloped
2053 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2054 if _lib.PKCS7_type_is_signedAndEnveloped(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2055 return True
2056 return False
2057
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2058 def type_is_data(self):
2059 """
2060 Check if this NID_pkcs7_data object
2061
2062 :return: True if the PKCS7 is of type data
2063 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2064 if _lib.PKCS7_type_is_data(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2065 return True
2066 return False
2067
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2068 def get_type_name(self):
2069 """
2070 Returns the type name of the PKCS7 structure
2071
2072 :return: A string with the typename
2073 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2074 nid = _lib.OBJ_obj2nid(self._pkcs7.type)
2075 string_type = _lib.OBJ_nid2sn(nid)
2076 return _ffi.string(string_type)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2077
2078PKCS7Type = PKCS7
2079
2080
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2081class PKCS12(object):
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2082 """
2083 A PKCS #12 archive.
2084 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]2085
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2086 def __init__(self):
2087 self._pkey = None
2088 self._cert = None
2089 self._cacerts = None
2090 self._friendlyname = None
2091
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2092 def get_certificate(self):
2093 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2094 Get the certificate in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2095
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2096 :return: The certificate, or :py:const:`None` if there is none.
2097 :rtype: :py:class:`X509` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2098 """
2099 return self._cert
2100
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2101 def set_certificate(self, cert):
2102 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2103 Set the certificate in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2104
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2105 :param cert: The new certificate, or :py:const:`None` to unset it.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2106 :type cert: :py:class:`X509` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2107
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2108 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2109 """
2110 if not isinstance(cert, X509):
2111 raise TypeError("cert must be an X509 instance")
2112 self._cert = cert
2113
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2114 def get_privatekey(self):
2115 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2116 Get the private key in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2117
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2118 :return: The private key, or :py:const:`None` if there is none.
2119 :rtype: :py:class:`PKey`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2120 """
2121 return self._pkey
2122
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2123 def set_privatekey(self, pkey):
2124 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2125 Set the certificate portion of the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2126
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2127 :param pkey: The new private key, or :py:const:`None` to unset it.
2128 :type pkey: :py:class:`PKey` or :py:const:`None`
2129
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2130 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2131 """
2132 if not isinstance(pkey, PKey):
2133 raise TypeError("pkey must be a PKey instance")
2134 self._pkey = pkey
2135
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2136 def get_ca_certificates(self):
2137 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2138 Get the CA certificates in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2139
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2140 :return: A tuple with the CA certificates in the chain, or
2141 :py:const:`None` if there are none.
2142 :rtype: :py:class:`tuple` of :py:class:`X509` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2143 """
2144 if self._cacerts is not None:
2145 return tuple(self._cacerts)
2146
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2147 def set_ca_certificates(self, cacerts):
2148 """
Alex Gaynor3b0ee972014-11-15 09:17:33 -0800[diff] [blame]2149 Replace or set the CA certificates within the PKCS12 object.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2150
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2151 :param cacerts: The new CA certificates, or :py:const:`None` to unset
2152 them.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2153 :type cacerts: An iterable of :py:class:`X509` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2154
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2155 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2156 """
2157 if cacerts is None:
2158 self._cacerts = None
2159 else:
2160 cacerts = list(cacerts)
2161 for cert in cacerts:
2162 if not isinstance(cert, X509):
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2163 raise TypeError(
2164 "iterable must only contain X509 instances"
2165 )
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2166 self._cacerts = cacerts
2167
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2168 def set_friendlyname(self, name):
2169 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2170 Set the friendly name in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2171
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2172 :param name: The new friendly name, or :py:const:`None` to unset.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2173 :type name: :py:class:`bytes` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2174
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2175 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2176 """
2177 if name is None:
2178 self._friendlyname = None
2179 elif not isinstance(name, bytes):
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2180 raise TypeError(
2181 "name must be a byte string or None (not %r)" % (name,)
2182 )
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2183 self._friendlyname = name
2184
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2185 def get_friendlyname(self):
2186 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2187 Get the friendly name in the PKCS# 12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2188
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2189 :returns: The friendly name, or :py:const:`None` if there is none.
2190 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2191 """
2192 return self._friendlyname
2193
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2194 def export(self, passphrase=None, iter=2048, maciter=1):
2195 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2196 Dump a PKCS12 object as a string.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2197
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2198 For more information, see the :c:func:`PKCS12_create` man page.
2199
2200 :param passphrase: The passphrase used to encrypt the structure. Unlike
2201 some other passphrase arguments, this *must* be a string, not a
2202 callback.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2203 :type passphrase: :py:data:`bytes`
2204
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2205 :param iter: Number of times to repeat the encryption step.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2206 :type iter: :py:data:`int`
2207
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2208 :param maciter: Number of times to repeat the MAC step.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2209 :type maciter: :py:data:`int`
2210
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2211 :return: The string representation of the PKCS #12 structure.
2212 :rtype:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2213 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2214 passphrase = _text_to_bytes_and_warn("passphrase", passphrase)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2215
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2216 if self._cacerts is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2217 cacerts = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2218 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2219 cacerts = _lib.sk_X509_new_null()
2220 cacerts = _ffi.gc(cacerts, _lib.sk_X509_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2221 for cert in self._cacerts:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2222 _lib.sk_X509_push(cacerts, cert._x509)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2223
2224 if passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2225 passphrase = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2226
2227 friendlyname = self._friendlyname
2228 if friendlyname is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2229 friendlyname = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2230
2231 if self._pkey is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2232 pkey = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2233 else:
2234 pkey = self._pkey._pkey
2235
2236 if self._cert is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2237 cert = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2238 else:
2239 cert = self._cert._x509
2240
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2241 pkcs12 = _lib.PKCS12_create(
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2242 passphrase, friendlyname, pkey, cert, cacerts,
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2243 _lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
2244 _lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2245 iter, maciter, 0)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2246 if pkcs12 == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2247 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2248 pkcs12 = _ffi.gc(pkcs12, _lib.PKCS12_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2249
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2250 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2251 _lib.i2d_PKCS12_bio(bio, pkcs12)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2252 return _bio_to_string(bio)
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2253
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2254
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2255PKCS12Type = PKCS12
2256
2257
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2258class NetscapeSPKI(object):
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2259 """
2260 A Netscape SPKI object.
2261 """
Alex Gaynora738ed52015-09-05 11:17:10 -0400[diff] [blame]2262
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2263 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2264 spki = _lib.NETSCAPE_SPKI_new()
2265 self._spki = _ffi.gc(spki, _lib.NETSCAPE_SPKI_free)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2266
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2267 def sign(self, pkey, digest):
2268 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2269 Sign the certificate request with this key and digest type.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2270
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2271 :param pkey: The private key to sign with.
2272 :type pkey: :py:class:`PKey`
2273
2274 :param digest: The message digest to use.
2275 :type digest: :py:class:`bytes`
2276
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2277 :return: :py:const:`None`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2278 """
2279 if pkey._only_public:
2280 raise ValueError("Key has only public part")
2281
2282 if not pkey._initialized:
2283 raise ValueError("Key is uninitialized")
2284
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2285 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2286 if digest_obj == _ffi.NULL:
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2287 raise ValueError("No such digest method")
2288
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2289 sign_result = _lib.NETSCAPE_SPKI_sign(
2290 self._spki, pkey._pkey, digest_obj
2291 )
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2292 if not sign_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2293 # TODO: This is untested.
2294 _raise_current_error()
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2295
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2296 def verify(self, key):
2297 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2298 Verifies a signature on a certificate request.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2299
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2300 :param key: The public key that signature is supposedly from.
2301 :type pkey: :py:class:`PKey`
2302
2303 :return: :py:const:`True` if the signature is correct.
2304 :rtype: :py:class:`bool`
2305
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]2306 :raises Error: If the signature is invalid, or there was a problem
2307 verifying the signature.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2308 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2309 answer = _lib.NETSCAPE_SPKI_verify(self._spki, key._pkey)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2310 if answer <= 0:
2311 _raise_current_error()
2312 return True
2313
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2314 def b64_encode(self):
2315 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2316 Generate a base64 encoded representation of this SPKI object.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2317
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2318 :return: The base64 encoded string.
2319 :rtype: :py:class:`bytes`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2320 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2321 encoded = _lib.NETSCAPE_SPKI_b64_encode(self._spki)
2322 result = _ffi.string(encoded)
Paul Kehrer0dcacf72016-03-17 19:25:39 -0400[diff] [blame]2323 _lib.OPENSSL_free(encoded)
Jean-Paul Calderone2c2e21d2013-03-02 16:50:35 -0800[diff] [blame]2324 return result
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2325
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2326 def get_pubkey(self):
2327 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2328 Get the public key of this certificate.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2329
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2330 :return: The public key.
2331 :rtype: :py:class:`PKey`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2332 """
2333 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2334 pkey._pkey = _lib.NETSCAPE_SPKI_get_pubkey(self._spki)
2335 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2336 # TODO: This is untested.
2337 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2338 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2339 pkey._only_public = True
2340 return pkey
2341
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2342 def set_pubkey(self, pkey):
2343 """
2344 Set the public key of the certificate
2345
2346 :param pkey: The public key
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2347 :return: :py:const:`None`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2348 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2349 set_result = _lib.NETSCAPE_SPKI_set_pubkey(self._spki, pkey._pkey)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2350 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2351 # TODO: This is untested.
2352 _raise_current_error()
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2353
2354
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2355NetscapeSPKIType = NetscapeSPKI
2356
2357
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2358class _PassphraseHelper(object):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2359 def __init__(self, type, passphrase, more_args=False, truncate=False):
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]2360 if type != FILETYPE_PEM and passphrase is not None:
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2361 raise ValueError(
2362 "only FILETYPE_PEM key format supports encryption"
2363 )
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2364 self._passphrase = passphrase
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2365 self._more_args = more_args
2366 self._truncate = truncate
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2367 self._problems = []
2368
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2369 @property
2370 def callback(self):
2371 if self._passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2372 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2373 elif isinstance(self._passphrase, bytes):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2374 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2375 elif callable(self._passphrase):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2376 return _ffi.callback("pem_password_cb", self._read_passphrase)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2377 else:
2378 raise TypeError("Last argument must be string or callable")
2379
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2380 @property
2381 def callback_args(self):
2382 if self._passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2383 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2384 elif isinstance(self._passphrase, bytes):
2385 return self._passphrase
2386 elif callable(self._passphrase):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2387 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2388 else:
2389 raise TypeError("Last argument must be string or callable")
2390
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2391 def raise_if_problem(self, exceptionType=Error):
2392 try:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]2393 _exception_from_error_queue(exceptionType)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2394 except exceptionType as e:
Jean-Paul Calderone9b4115f2014-01-10 14:06:04 -0500[diff] [blame]2395 from_queue = e
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2396 if self._problems:
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2397 raise self._problems[0]
Jean-Paul Calderone9b4115f2014-01-10 14:06:04 -0500[diff] [blame]2398 return from_queue
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2399
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2400 def _read_passphrase(self, buf, size, rwflag, userdata):
2401 try:
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2402 if self._more_args:
2403 result = self._passphrase(size, rwflag, userdata)
2404 else:
2405 result = self._passphrase(rwflag)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2406 if not isinstance(result, bytes):
2407 raise ValueError("String expected")
2408 if len(result) > size:
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2409 if self._truncate:
2410 result = result[:size]
2411 else:
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2412 raise ValueError(
2413 "passphrase returned by callback is too long"
2414 )
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2415 for i in range(len(result)):
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2416 buf[i] = result[i:i + 1]
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2417 return len(result)
2418 except Exception as e:
2419 self._problems.append(e)
2420 return 0
2421
2422
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]2423def load_publickey(type, buffer):
2424 """
Cory Benfield11c10192015-10-27 17:23:03 +0900[diff] [blame]2425 Load a public key from a buffer.
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]2426
Cory Benfield9c590b92015-10-28 14:55:05 +0900[diff] [blame]2427 :param type: The file type (one of :data:`FILETYPE_PEM`,
Cory Benfielde813cec2015-10-28 08:57:08 +0900[diff] [blame]2428 :data:`FILETYPE_ASN1`).
Cory Benfieldc9c30a22015-10-28 17:39:20 +0900[diff] [blame]2429 :param buffer: The buffer the key is stored in.
2430 :type buffer: A Python string object, either unicode or bytestring.
2431 :return: The PKey object.
2432 :rtype: :class:`PKey`
Cory Benfield6492f7c2015-10-27 16:57:58 +0900[diff] [blame]2433 """
2434 if isinstance(buffer, _text_type):
2435 buffer = buffer.encode("ascii")
2436
2437 bio = _new_mem_buf(buffer)
2438
2439 if type == FILETYPE_PEM:
2440 evp_pkey = _lib.PEM_read_bio_PUBKEY(
2441 bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
2442 elif type == FILETYPE_ASN1:
2443 evp_pkey = _lib.d2i_PUBKEY_bio(bio, _ffi.NULL)
2444 else:
2445 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2446
2447 if evp_pkey == _ffi.NULL:
2448 _raise_current_error()
2449
2450 pkey = PKey.__new__(PKey)
2451 pkey._pkey = _ffi.gc(evp_pkey, _lib.EVP_PKEY_free)
2452 return pkey
2453
2454
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2455def load_privatekey(type, buffer, passphrase=None):
2456 """
2457 Load a private key from a buffer
2458
2459 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2460 :param buffer: The buffer the key is stored in
2461 :param passphrase: (optional) if encrypted PEM format, this can be
2462 either the passphrase to use, or a callback for
2463 providing the passphrase.
2464
2465 :return: The PKey object
2466 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2467 if isinstance(buffer, _text_type):
2468 buffer = buffer.encode("ascii")
2469
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2470 bio = _new_mem_buf(buffer)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2471
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]2472 helper = _PassphraseHelper(type, passphrase)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2473 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2474 evp_pkey = _lib.PEM_read_bio_PrivateKey(
2475 bio, _ffi.NULL, helper.callback, helper.callback_args)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2476 helper.raise_if_problem()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2477 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2478 evp_pkey = _lib.d2i_PrivateKey_bio(bio, _ffi.NULL)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2479 else:
2480 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2481
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2482 if evp_pkey == _ffi.NULL:
Jean-Paul Calderone31393aa2013-02-20 13:22:21 -0800[diff] [blame]2483 _raise_current_error()
2484
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2485 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2486 pkey._pkey = _ffi.gc(evp_pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2487 return pkey
2488
2489
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2490def dump_certificate_request(type, req):
2491 """
2492 Dump a certificate request to a buffer
2493
2494 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2495 :param req: The certificate request to dump
2496 :return: The buffer with the dumped certificate request in
2497 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2498 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2499
2500 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2501 result_code = _lib.PEM_write_bio_X509_REQ(bio, req._req)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2502 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2503 result_code = _lib.i2d_X509_REQ_bio(bio, req._req)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2504 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2505 result_code = _lib.X509_REQ_print_ex(bio, req._req, 0, 0)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2506 else:
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2507 raise ValueError(
2508 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
2509 "FILETYPE_TEXT"
2510 )
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2511
2512 if result_code == 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2513 # TODO: This is untested.
2514 _raise_current_error()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2515
2516 return _bio_to_string(bio)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2517
2518
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2519def load_certificate_request(type, buffer):
2520 """
2521 Load a certificate request from a buffer
2522
2523 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2524 :param buffer: The buffer the certificate request is stored in
2525 :return: The X509Req object
2526 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2527 if isinstance(buffer, _text_type):
2528 buffer = buffer.encode("ascii")
2529
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2530 bio = _new_mem_buf(buffer)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2531
2532 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2533 req = _lib.PEM_read_bio_X509_REQ(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2534 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2535 req = _lib.d2i_X509_REQ_bio(bio, _ffi.NULL)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2536 else:
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]2537 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2538
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2539 if req == _ffi.NULL:
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]2540 # TODO: This is untested.
2541 _raise_current_error()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2542
2543 x509req = X509Req.__new__(X509Req)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2544 x509req._req = _ffi.gc(req, _lib.X509_REQ_free)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2545 return x509req
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2546
2547
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2548def sign(pkey, data, digest):
2549 """
2550 Sign data with a digest
2551
2552 :param pkey: Pkey to sign with
2553 :param data: data to be signed
2554 :param digest: message digest to use
2555 :return: signature
2556 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2557 data = _text_to_bytes_and_warn("data", data)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2558
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2559 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2560 if digest_obj == _ffi.NULL:
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2561 raise ValueError("No such digest method")
2562
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]2563 md_ctx = _lib.Cryptography_EVP_MD_CTX_new()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2564 md_ctx = _ffi.gc(md_ctx, _lib.EVP_MD_CTX_cleanup)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2565
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2566 _lib.EVP_SignInit(md_ctx, digest_obj)
2567 _lib.EVP_SignUpdate(md_ctx, data, len(data))
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2568
Colleen Murphye09399b2016-03-01 17:40:49 -0800[diff] [blame]2569 pkey_length = (PKey.bits(pkey) + 7) // 8
2570 signature_buffer = _ffi.new("unsigned char[]", pkey_length)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2571 signature_length = _ffi.new("unsigned int*")
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2572 final_result = _lib.EVP_SignFinal(
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2573 md_ctx, signature_buffer, signature_length, pkey._pkey)
2574
2575 if final_result != 1:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2576 # TODO: This is untested.
2577 _raise_current_error()
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2578
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2579 return _ffi.buffer(signature_buffer, signature_length[0])[:]
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2580
2581
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2582def verify(cert, signature, data, digest):
2583 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]2584 Verify a signature.
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2585
2586 :param cert: signing certificate (X509 object)
2587 :param signature: signature returned by sign function
2588 :param data: data to be verified
2589 :param digest: message digest to use
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2590 :return: :py:const:`None` if the signature is correct, raise exception
2591 otherwise
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2592 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2593 data = _text_to_bytes_and_warn("data", data)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2594
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2595 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2596 if digest_obj == _ffi.NULL:
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2597 raise ValueError("No such digest method")
2598
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2599 pkey = _lib.X509_get_pubkey(cert._x509)
2600 if pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2601 # TODO: This is untested.
2602 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2603 pkey = _ffi.gc(pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2604
Alex Gaynor67903a62016-06-02 10:37:13 -0700[diff] [blame^]2605 md_ctx = _lib.Cryptography_EVP_MD_CTX_new()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2606 md_ctx = _ffi.gc(md_ctx, _lib.EVP_MD_CTX_cleanup)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2607
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2608 _lib.EVP_VerifyInit(md_ctx, digest_obj)
2609 _lib.EVP_VerifyUpdate(md_ctx, data, len(data))
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2610 verify_result = _lib.EVP_VerifyFinal(
2611 md_ctx, signature, len(signature), pkey
2612 )
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2613
2614 if verify_result != 1:
2615 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2616
2617
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]2618def dump_crl(type, crl):
2619 """
2620 Dump a certificate revocation list to a buffer.
2621
2622 :param type: The file type (one of ``FILETYPE_PEM``, ``FILETYPE_ASN1``, or
2623 ``FILETYPE_TEXT``).
Hynek Schlawack0a3cd6d2015-10-21 16:39:22 +0200[diff] [blame]2624 :param CRL crl: The CRL to dump.
2625
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]2626 :return: The buffer with the CRL.
Hynek Schlawack0a3cd6d2015-10-21 16:39:22 +0200[diff] [blame]2627 :rtype: :data:`bytes`
Dominic Chenf05b2122015-10-13 16:32:35 +0000[diff] [blame]2628 """
2629 bio = _new_mem_buf()
2630
2631 if type == FILETYPE_PEM:
2632 ret = _lib.PEM_write_bio_X509_CRL(bio, crl._crl)
2633 elif type == FILETYPE_ASN1:
2634 ret = _lib.i2d_X509_CRL_bio(bio, crl._crl)
2635 elif type == FILETYPE_TEXT:
2636 ret = _lib.X509_CRL_print(bio, crl._crl)
2637 else:
2638 raise ValueError(
2639 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
2640 "FILETYPE_TEXT")
2641
2642 assert ret == 1
2643 return _bio_to_string(bio)
2644
2645
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2646def load_crl(type, buffer):
2647 """
2648 Load a certificate revocation list from a buffer
2649
2650 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2651 :param buffer: The buffer the CRL is stored in
2652
2653 :return: The PKey object
2654 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2655 if isinstance(buffer, _text_type):
2656 buffer = buffer.encode("ascii")
2657
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2658 bio = _new_mem_buf(buffer)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2659
2660 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2661 crl = _lib.PEM_read_bio_X509_CRL(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2662 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2663 crl = _lib.d2i_X509_CRL_bio(bio, _ffi.NULL)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2664 else:
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2665 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2666
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2667 if crl == _ffi.NULL:
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2668 _raise_current_error()
2669
2670 result = CRL.__new__(CRL)
2671 result._crl = crl
2672 return result
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2673
2674
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2675def load_pkcs7_data(type, buffer):
2676 """
2677 Load pkcs7 data from a buffer
2678
2679 :param type: The file type (one of FILETYPE_PEM or FILETYPE_ASN1)
2680 :param buffer: The buffer with the pkcs7 data.
2681 :return: The PKCS7 object
2682 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2683 if isinstance(buffer, _text_type):
2684 buffer = buffer.encode("ascii")
2685
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2686 bio = _new_mem_buf(buffer)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2687
2688 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2689 pkcs7 = _lib.PEM_read_bio_PKCS7(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2690 elif type == FILETYPE_ASN1:
Alex Gaynor77acc362014-08-13 14:46:15 -0700[diff] [blame]2691 pkcs7 = _lib.d2i_PKCS7_bio(bio, _ffi.NULL)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2692 else:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2693 # TODO: This is untested.
2694 _raise_current_error()
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2695 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2696
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2697 if pkcs7 == _ffi.NULL:
Jean-Paul Calderoneb0f64712013-03-03 10:15:39 -0800[diff] [blame]2698 _raise_current_error()
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2699
2700 pypkcs7 = PKCS7.__new__(PKCS7)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2701 pypkcs7._pkcs7 = _ffi.gc(pkcs7, _lib.PKCS7_free)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2702 return pypkcs7
2703
2704
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2705def load_pkcs12(buffer, passphrase=None):
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2706 """
2707 Load a PKCS12 object from a buffer
2708
2709 :param buffer: The buffer the certificate is stored in
2710 :param passphrase: (Optional) The password to decrypt the PKCS12 lump
2711 :returns: The PKCS12 object
2712 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2713 passphrase = _text_to_bytes_and_warn("passphrase", passphrase)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2714
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2715 if isinstance(buffer, _text_type):
2716 buffer = buffer.encode("ascii")
2717
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2718 bio = _new_mem_buf(buffer)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2719
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2720 # Use null passphrase if passphrase is None or empty string. With PKCS#12
2721 # password based encryption no password and a zero length password are two
2722 # different things, but OpenSSL implementation will try both to figure out
2723 # which one works.
2724 if not passphrase:
2725 passphrase = _ffi.NULL
2726
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2727 p12 = _lib.d2i_PKCS12_bio(bio, _ffi.NULL)
2728 if p12 == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2729 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2730 p12 = _ffi.gc(p12, _lib.PKCS12_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2731
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2732 pkey = _ffi.new("EVP_PKEY**")
2733 cert = _ffi.new("X509**")
2734 cacerts = _ffi.new("Cryptography_STACK_OF_X509**")
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2735
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2736 parse_result = _lib.PKCS12_parse(p12, passphrase, pkey, cert, cacerts)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2737 if not parse_result:
2738 _raise_current_error()
2739
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2740 cacerts = _ffi.gc(cacerts[0], _lib.sk_X509_free)
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2741
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2742 # openssl 1.0.0 sometimes leaves an X509_check_private_key error in the
2743 # queue for no particular reason. This error isn't interesting to anyone
2744 # outside this function. It's not even interesting to us. Get rid of it.
2745 try:
2746 _raise_current_error()
2747 except Error:
2748 pass
2749
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2750 if pkey[0] == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2751 pykey = None
2752 else:
2753 pykey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2754 pykey._pkey = _ffi.gc(pkey[0], _lib.EVP_PKEY_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2755
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2756 if cert[0] == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2757 pycert = None
2758 friendlyname = None
2759 else:
2760 pycert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2761 pycert._x509 = _ffi.gc(cert[0], _lib.X509_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2762
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2763 friendlyname_length = _ffi.new("int*")
Alex Gaynor5945ea82015-09-05 14:59:06 -0400[diff] [blame]2764 friendlyname_buffer = _lib.X509_alias_get0(
2765 cert[0], friendlyname_length
2766 )
2767 friendlyname = _ffi.buffer(
2768 friendlyname_buffer, friendlyname_length[0]
2769 )[:]
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2770 if friendlyname_buffer == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2771 friendlyname = None
2772
2773 pycacerts = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2774 for i in range(_lib.sk_X509_num(cacerts)):
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2775 pycacert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2776 pycacert._x509 = _lib.sk_X509_value(cacerts, i)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2777 pycacerts.append(pycacert)
2778 if not pycacerts:
2779 pycacerts = None
2780
2781 pkcs12 = PKCS12.__new__(PKCS12)
2782 pkcs12._pkey = pykey
2783 pkcs12._cert = pycert
2784 pkcs12._cacerts = pycacerts
2785 pkcs12._friendlyname = friendlyname
2786 return pkcs12
Jean-Paul Calderone6bb40892014-01-01 12:21:34 -0500[diff] [blame]2787
2788
Jean-Paul Calderoneb64e2a22014-01-11 08:06:35 -0500[diff] [blame]2789# There are no direct unit tests for this initialization. It is tested
2790# indirectly since it is necessary for functions like dump_privatekey when
2791# using encryption.
2792#
2793# Thus OpenSSL.test.test_crypto.FunctionTests.test_dump_privatekey_passphrase
2794# and some other similar tests may fail without this (though they may not if
2795# the Python runtime has already done some initialization of the underlying
2796# OpenSSL library (and is linked against the same one that cryptography is
2797# using)).
Jean-Paul Calderonee324fd62014-01-11 08:00:33 -0500[diff] [blame]2798_lib.OpenSSL_add_all_algorithms()
Jean-Paul Calderone11ed8e82014-01-18 10:21:50 -0500[diff] [blame]2799
Jean-Paul Calderonefab157b2014-01-18 11:21:38 -0500[diff] [blame]2800# This is similar but exercised mainly by exception_from_error_queue. It calls
2801# both ERR_load_crypto_strings() and ERR_load_SSL_strings().
2802_lib.SSL_load_error_strings()
D.S. Ljungmark349e1362014-05-31 18:40:38 +0200[diff] [blame]2803
2804
D.S. Ljungmark349e1362014-05-31 18:40:38 +0200[diff] [blame]2805# Set the default string mask to match OpenSSL upstream (since 2005) and
2806# RFC5280 recommendations.
2807_lib.ASN1_STRING_set_default_mask_asc(b'utf8only')