Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 90c0914f2ae03afc16d3789223fe96f9ca79f17e / . / OpenSSL / crypto.py
blob: cab145d918ad1d16b8b2988b2ae7a211efbea215 [file] [log] [blame]
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1from time import time
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2from base64 import b16encode
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]3from functools import partial
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]4from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]5from warnings import warn as _warn
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]6
7from six import (
8 integer_types as _integer_types,
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]9 text_type as _text_type,
10 PY3 as _PY3)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]11
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]12from OpenSSL._util import (
13 ffi as _ffi,
14 lib as _lib,
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]15 exception_from_error_queue as _exception_from_error_queue,
16 byte_string as _byte_string,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]17 native as _native,
18 UNSPECIFIED as _UNSPECIFIED,
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]19 text_to_bytes_and_warn as _text_to_bytes_and_warn,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]20)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]21
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]22FILETYPE_PEM = _lib.SSL_FILETYPE_PEM
23FILETYPE_ASN1 = _lib.SSL_FILETYPE_ASN1
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]24
25# TODO This was an API mistake. OpenSSL has no such constant.
26FILETYPE_TEXT = 2 ** 16 - 1
27
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]28TYPE_RSA = _lib.EVP_PKEY_RSA
29TYPE_DSA = _lib.EVP_PKEY_DSA
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]30
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]31
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]32
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]33class Error(Exception):
Jean-Paul Calderone511cde02013-12-29 10:31:13 -0500[diff] [blame]34 """
35 An error occurred in an `OpenSSL.crypto` API.
36 """
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]37
38
39_raise_current_error = partial(_exception_from_error_queue, Error)
40
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]41
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]42
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]43def _untested_error(where):
44 """
45 An OpenSSL API failed somehow. Additionally, the failure which was
46 encountered isn't one that's exercised by the test suite so future behavior
47 of pyOpenSSL is now somewhat less predictable.
48 """
49 raise RuntimeError("Unknown %s failure" % (where,))
50
51
52
53def _new_mem_buf(buffer=None):
54 """
55 Allocate a new OpenSSL memory BIO.
56
57 Arrange for the garbage collector to clean it up automatically.
58
59 :param buffer: None or some bytes to use to put into the BIO so that they
60 can be read out.
61 """
62 if buffer is None:
63 bio = _lib.BIO_new(_lib.BIO_s_mem())
64 free = _lib.BIO_free
65 else:
66 data = _ffi.new("char[]", buffer)
67 bio = _lib.BIO_new_mem_buf(data, len(buffer))
68 # Keep the memory alive as long as the bio is alive!
69 def free(bio, ref=data):
70 return _lib.BIO_free(bio)
71
72 if bio == _ffi.NULL:
73 # TODO: This is untested.
74 _raise_current_error()
75
76 bio = _ffi.gc(bio, free)
77 return bio
78
79
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]80
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]81def _bio_to_string(bio):
82 """
83 Copy the contents of an OpenSSL BIO object into a Python byte string.
84 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]85 result_buffer = _ffi.new('char**')
86 buffer_length = _lib.BIO_get_mem_data(bio, result_buffer)
87 return _ffi.buffer(result_buffer[0], buffer_length)[:]
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]88
89
90
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]91def _set_asn1_time(boundary, when):
Jean-Paul Calderonee728e872013-12-29 10:37:15 -0500[diff] [blame]92 """
93 The the time value of an ASN1 time object.
94
95 @param boundary: An ASN1_GENERALIZEDTIME pointer (or an object safely
96 castable to that type) which will have its value set.
97 @param when: A string representation of the desired time value.
98
99 @raise TypeError: If C{when} is not a L{bytes} string.
100 @raise ValueError: If C{when} does not represent a time in the required
101 format.
102 @raise RuntimeError: If the time value cannot be set for some other
103 (unspecified) reason.
104 """
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]105 if not isinstance(when, bytes):
106 raise TypeError("when must be a byte string")
107
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]108 set_result = _lib.ASN1_GENERALIZEDTIME_set_string(
109 _ffi.cast('ASN1_GENERALIZEDTIME*', boundary), when)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]110 if set_result == 0:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]111 dummy = _ffi.gc(_lib.ASN1_STRING_new(), _lib.ASN1_STRING_free)
112 _lib.ASN1_STRING_set(dummy, when, len(when))
113 check_result = _lib.ASN1_GENERALIZEDTIME_check(
114 _ffi.cast('ASN1_GENERALIZEDTIME*', dummy))
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]115 if not check_result:
116 raise ValueError("Invalid string")
117 else:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]118 _untested_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]119
120
121
122def _get_asn1_time(timestamp):
Jean-Paul Calderonee728e872013-12-29 10:37:15 -0500[diff] [blame]123 """
124 Retrieve the time value of an ASN1 time object.
125
126 @param timestamp: An ASN1_GENERALIZEDTIME* (or an object safely castable to
127 that type) from which the time value will be retrieved.
128
129 @return: The time value from C{timestamp} as a L{bytes} string in a certain
130 format. Or C{None} if the object contains no time value.
131 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]132 string_timestamp = _ffi.cast('ASN1_STRING*', timestamp)
133 if _lib.ASN1_STRING_length(string_timestamp) == 0:
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]134 return None
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]135 elif _lib.ASN1_STRING_type(string_timestamp) == _lib.V_ASN1_GENERALIZEDTIME:
136 return _ffi.string(_lib.ASN1_STRING_data(string_timestamp))
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]137 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]138 generalized_timestamp = _ffi.new("ASN1_GENERALIZEDTIME**")
139 _lib.ASN1_TIME_to_generalizedtime(timestamp, generalized_timestamp)
140 if generalized_timestamp[0] == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]141 # This may happen:
142 # - if timestamp was not an ASN1_TIME
143 # - if allocating memory for the ASN1_GENERALIZEDTIME failed
144 # - if a copy of the time data from timestamp cannot be made for
145 # the newly allocated ASN1_GENERALIZEDTIME
146 #
147 # These are difficult to test. cffi enforces the ASN1_TIME type.
148 # Memory allocation failures are a pain to trigger
149 # deterministically.
150 _untested_error("ASN1_TIME_to_generalizedtime")
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]151 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]152 string_timestamp = _ffi.cast(
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]153 "ASN1_STRING*", generalized_timestamp[0])
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]154 string_data = _lib.ASN1_STRING_data(string_timestamp)
155 string_result = _ffi.string(string_data)
156 _lib.ASN1_GENERALIZEDTIME_free(generalized_timestamp[0])
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]157 return string_result
158
159
160
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]161class PKey(object):
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]162 """
163 A class representing an DSA or RSA public key or key pair.
164 """
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]165 _only_public = False
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]166 _initialized = True
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]167
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]168 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]169 pkey = _lib.EVP_PKEY_new()
170 self._pkey = _ffi.gc(pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]171 self._initialized = False
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]172
173
174 def generate_key(self, type, bits):
175 """
Laurens Van Houtven90c09142015-04-23 10:52:49 -0700[diff] [blame^]176 Generate a key pair of the given type, with the given number of bits.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]177
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]178 This generates a key "into" the this object.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]179
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]180 :param type: The key type.
181 :type type: :py:data:`TYPE_RSA` or :py:data:`TYPE_DSA`
182 :param bits: The number of bits.
183 :type bits: :py:data:`int` ``>= 0``
184 :raises TypeError: If :py:data:`type` or :py:data:`bits` isn't
185 of the appropriate type.
186 :raises ValueError: If the number of bits isn't an integer of
187 the appropriate size.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]188 :return: :py:const:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]189 """
190 if not isinstance(type, int):
191 raise TypeError("type must be an integer")
192
193 if not isinstance(bits, int):
194 raise TypeError("bits must be an integer")
195
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]196 # TODO Check error return
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]197 exponent = _lib.BN_new()
198 exponent = _ffi.gc(exponent, _lib.BN_free)
199 _lib.BN_set_word(exponent, _lib.RSA_F4)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]200
201 if type == TYPE_RSA:
202 if bits <= 0:
203 raise ValueError("Invalid number of bits")
204
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]205 rsa = _lib.RSA_new()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]206
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]207 result = _lib.RSA_generate_key_ex(rsa, bits, exponent, _ffi.NULL)
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]208 if result == 0:
209 # TODO: The test for this case is commented out. Different
210 # builds of OpenSSL appear to have different failure modes that
211 # make it hard to test. Visual inspection of the OpenSSL
212 # source reveals that a return value of 0 signals an error.
213 # Manual testing on a particular build of OpenSSL suggests that
214 # this is probably the appropriate way to handle those errors.
215 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]216
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]217 result = _lib.EVP_PKEY_assign_RSA(self._pkey, rsa)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]218 if not result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]219 # TODO: It appears as though this can fail if an engine is in
220 # use which does not support RSA.
221 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]222
223 elif type == TYPE_DSA:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]224 dsa = _lib.DSA_generate_parameters(
225 bits, _ffi.NULL, 0, _ffi.NULL, _ffi.NULL, _ffi.NULL, _ffi.NULL)
226 if dsa == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]227 # TODO: This is untested.
228 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]229 if not _lib.DSA_generate_key(dsa):
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]230 # TODO: This is untested.
231 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]232 if not _lib.EVP_PKEY_assign_DSA(self._pkey, dsa):
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]233 # TODO: This is untested.
234 _raise_current_error()
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]235 else:
236 raise Error("No such key type")
237
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]238 self._initialized = True
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]239
240
241 def check(self):
242 """
243 Check the consistency of an RSA private key.
244
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]245 This is the Python equivalent of OpenSSL's ``RSA_check_key``.
246
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]247 :return: True if key is consistent.
248 :raise Error: if the key is inconsistent.
249 :raise TypeError: if the key is of a type which cannot be checked.
250 Only RSA keys can currently be checked.
251 """
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]252 if self._only_public:
253 raise TypeError("public key only")
254
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]255 if _lib.EVP_PKEY_type(self._pkey.type) != _lib.EVP_PKEY_RSA:
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]256 raise TypeError("key type unsupported")
257
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]258 rsa = _lib.EVP_PKEY_get1_RSA(self._pkey)
259 rsa = _ffi.gc(rsa, _lib.RSA_free)
260 result = _lib.RSA_check_key(rsa)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]261 if result:
262 return True
263 _raise_current_error()
264
265
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]266 def type(self):
267 """
268 Returns the type of the key
269
270 :return: The type of the key.
271 """
272 return self._pkey.type
273
274
275 def bits(self):
276 """
277 Returns the number of bits of the key
278
279 :return: The number of bits of the key.
280 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]281 return _lib.EVP_PKEY_bits(self._pkey)
Jean-Paul Calderonec86fcaf2013-02-20 12:38:33 -0800[diff] [blame]282PKeyType = PKey
283
284
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]285
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]286class _EllipticCurve(object):
287 """
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]288 A representation of a supported elliptic curve.
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]289
290 @cvar _curves: :py:obj:`None` until an attempt is made to load the curves.
291 Thereafter, a :py:type:`set` containing :py:type:`_EllipticCurve`
292 instances each of which represents one curve supported by the system.
293 @type _curves: :py:type:`NoneType` or :py:type:`set`
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]294 """
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]295 _curves = None
296
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]297 if _PY3:
Jean-Paul Calderonea5381052014-05-01 09:32:46 -0400[diff] [blame]298 # This only necessary on Python 3. Morever, it is broken on Python 2.
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]299 def __ne__(self, other):
Jean-Paul Calderonea5381052014-05-01 09:32:46 -0400[diff] [blame]300 """
301 Implement cooperation with the right-hand side argument of ``!=``.
302
303 Python 3 seems to have dropped this cooperation in this very narrow
304 circumstance.
305 """
Jean-Paul Calderonef22abcd2014-05-01 09:31:19 -0400[diff] [blame]306 if isinstance(other, _EllipticCurve):
307 return super(_EllipticCurve, self).__ne__(other)
308 return NotImplemented
Jean-Paul Calderone40da72d2014-05-01 09:25:17 -0400[diff] [blame]309
310
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]311 @classmethod
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]312 def _load_elliptic_curves(cls, lib):
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]313 """
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]314 Get the curves supported by OpenSSL.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]315
316 :param lib: The OpenSSL library binding object.
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]317
318 :return: A :py:type:`set` of ``cls`` instances giving the names of the
319 elliptic curves the underlying library supports.
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]320 """
321 if lib.Cryptography_HAS_EC:
322 num_curves = lib.EC_get_builtin_curves(_ffi.NULL, 0)
323 builtin_curves = _ffi.new('EC_builtin_curve[]', num_curves)
324 # The return value on this call should be num_curves again. We could
325 # check it to make sure but if it *isn't* then.. what could we do?
326 # Abort the whole process, I suppose...? -exarkun
327 lib.EC_get_builtin_curves(builtin_curves, num_curves)
328 return set(
329 cls.from_nid(lib, c.nid)
330 for c in builtin_curves)
Jean-Paul Calderone73945e32014-04-30 18:18:01 -0400[diff] [blame]331 return set()
332
333
334 @classmethod
335 def _get_elliptic_curves(cls, lib):
336 """
337 Get, cache, and return the curves supported by OpenSSL.
338
339 :param lib: The OpenSSL library binding object.
340
341 :return: A :py:type:`set` of ``cls`` instances giving the names of the
342 elliptic curves the underlying library supports.
343 """
344 if cls._curves is None:
345 cls._curves = cls._load_elliptic_curves(lib)
346 return cls._curves
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]347
348
349 @classmethod
350 def from_nid(cls, lib, nid):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]351 """
352 Instantiate a new :py:class:`_EllipticCurve` associated with the given
353 OpenSSL NID.
354
355 :param lib: The OpenSSL library binding object.
356
357 :param nid: The OpenSSL NID the resulting curve object will represent.
358 This must be a curve NID (and not, for example, a hash NID) or
359 subsequent operations will fail in unpredictable ways.
360 :type nid: :py:class:`int`
361
362 :return: The curve object.
363 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]364 return cls(lib, nid, _ffi.string(lib.OBJ_nid2sn(nid)).decode("ascii"))
365
366
367 def __init__(self, lib, nid, name):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]368 """
369 :param _lib: The :py:mod:`cryptography` binding instance used to
370 interface with OpenSSL.
371
372 :param _nid: The OpenSSL NID identifying the curve this object
373 represents.
374 :type _nid: :py:class:`int`
375
376 :param name: The OpenSSL short name identifying the curve this object
377 represents.
378 :type name: :py:class:`unicode`
379 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]380 self._lib = lib
381 self._nid = nid
382 self.name = name
383
384
385 def __repr__(self):
386 return "<Curve %r>" % (self.name,)
387
388
389 def _to_EC_KEY(self):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]390 """
391 Create a new OpenSSL EC_KEY structure initialized to use this curve.
392
393 The structure is automatically garbage collected when the Python object
394 is garbage collected.
395 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]396 key = self._lib.EC_KEY_new_by_curve_name(self._nid)
397 return _ffi.gc(key, _lib.EC_KEY_free)
398
399
400
401def get_elliptic_curves():
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]402 """
403 Return a set of objects representing the elliptic curves supported in the
404 OpenSSL build in use.
405
406 The curve objects have a :py:class:`unicode` ``name`` attribute by which
407 they identify themselves.
408
409 The curve objects are useful as values for the argument accepted by
Jean-Paul Calderone3b04e352014-04-19 09:29:10 -0400[diff] [blame]410 :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be
411 used for ECDHE key exchange.
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]412 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]413 return _EllipticCurve._get_elliptic_curves(_lib)
414
415
416
417def get_elliptic_curve(name):
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]418 """
419 Return a single curve object selected by name.
420
421 See :py:func:`get_elliptic_curves` for information about curve objects.
422
Jean-Paul Calderoned5839e22014-04-19 09:26:44 -0400[diff] [blame]423 :param name: The OpenSSL short name identifying the curve object to
424 retrieve.
425 :type name: :py:class:`unicode`
426
Jean-Paul Calderoneaaf516d2014-04-19 09:10:45 -0400[diff] [blame]427 If the named curve is not supported then :py:class:`ValueError` is raised.
428 """
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -0400[diff] [blame]429 for curve in get_elliptic_curves():
430 if curve.name == name:
431 return curve
432 raise ValueError("unknown curve name", name)
433
434
435
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]436class X509Name(object):
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]437 """
438 An X.509 Distinguished Name.
439
440 :ivar countryName: The country of the entity.
441 :ivar C: Alias for :py:attr:`countryName`.
442
443 :ivar stateOrProvinceName: The state or province of the entity.
444 :ivar ST: Alias for :py:attr:`stateOrProvinceName`.
445
446 :ivar localityName: The locality of the entity.
447 :ivar L: Alias for :py:attr:`localityName`.
448
449 :ivar organizationName: The organization name of the entity.
450 :ivar O: Alias for :py:attr:`organizationName`.
451
452 :ivar organizationalUnitName: The organizational unit of the entity.
453 :ivar OU: Alias for :py:attr:`organizationalUnitName`
454
455 :ivar commonName: The common name of the entity.
456 :ivar CN: Alias for :py:attr:`commonName`.
457
458 :ivar emailAddress: The e-mail address of the entity.
459 """
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]460 def __init__(self, name):
461 """
462 Create a new X509Name, copying the given X509Name instance.
463
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]464 :param name: The name to copy.
465 :type name: :py:class:`X509Name`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]466 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]467 name = _lib.X509_NAME_dup(name._name)
468 self._name = _ffi.gc(name, _lib.X509_NAME_free)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]469
470
471 def __setattr__(self, name, value):
472 if name.startswith('_'):
473 return super(X509Name, self).__setattr__(name, value)
474
Jean-Paul Calderoneff363be2013-03-03 10:21:23 -0800[diff] [blame]475 # Note: we really do not want str subclasses here, so we do not use
476 # isinstance.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]477 if type(name) is not str:
478 raise TypeError("attribute name must be string, not '%.200s'" % (
479 type(value).__name__,))
480
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]481 nid = _lib.OBJ_txt2nid(_byte_string(name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]482 if nid == _lib.NID_undef:
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]483 try:
484 _raise_current_error()
485 except Error:
486 pass
487 raise AttributeError("No such attribute")
488
489 # If there's an old entry for this NID, remove it
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]490 for i in range(_lib.X509_NAME_entry_count(self._name)):
491 ent = _lib.X509_NAME_get_entry(self._name, i)
492 ent_obj = _lib.X509_NAME_ENTRY_get_object(ent)
493 ent_nid = _lib.OBJ_obj2nid(ent_obj)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]494 if nid == ent_nid:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]495 ent = _lib.X509_NAME_delete_entry(self._name, i)
496 _lib.X509_NAME_ENTRY_free(ent)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]497 break
498
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]499 if isinstance(value, _text_type):
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]500 value = value.encode('utf-8')
501
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]502 add_result = _lib.X509_NAME_add_entry_by_NID(
503 self._name, nid, _lib.MBSTRING_UTF8, value, -1, -1, 0)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]504 if not add_result:
Jean-Paul Calderone5300d6a2013-12-29 16:36:50 -0500[diff] [blame]505 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]506
507
508 def __getattr__(self, name):
509 """
510 Find attribute. An X509Name object has the following attributes:
511 countryName (alias C), stateOrProvince (alias ST), locality (alias L),
512 organization (alias O), organizationalUnit (alias OU), commonName (alias
513 CN) and more...
514 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]515 nid = _lib.OBJ_txt2nid(_byte_string(name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]516 if nid == _lib.NID_undef:
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]517 # This is a bit weird. OBJ_txt2nid indicated failure, but it seems
518 # a lower level function, a2d_ASN1_OBJECT, also feels the need to
519 # push something onto the error queue. If we don't clean that up
520 # now, someone else will bump into it later and be quite confused.
521 # See lp#314814.
522 try:
523 _raise_current_error()
524 except Error:
525 pass
526 return super(X509Name, self).__getattr__(name)
527
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]528 entry_index = _lib.X509_NAME_get_index_by_NID(self._name, nid, -1)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]529 if entry_index == -1:
530 return None
531
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]532 entry = _lib.X509_NAME_get_entry(self._name, entry_index)
533 data = _lib.X509_NAME_ENTRY_get_data(entry)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]534
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]535 result_buffer = _ffi.new("unsigned char**")
536 data_length = _lib.ASN1_STRING_to_UTF8(result_buffer, data)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]537 if data_length < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]538 # TODO: This is untested.
539 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]540
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]541 try:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]542 result = _ffi.buffer(result_buffer[0], data_length)[:].decode('utf-8')
Jean-Paul Calderoned899af02013-03-19 22:10:37 -0700[diff] [blame]543 finally:
544 # XXX untested
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]545 _lib.OPENSSL_free(result_buffer[0])
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]546 return result
547
548
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]549 def _cmp(op):
550 def f(self, other):
551 if not isinstance(other, X509Name):
552 return NotImplemented
553 result = _lib.X509_NAME_cmp(self._name, other._name)
554 return op(result, 0)
555 return f
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]556
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]557 __eq__ = _cmp(__eq__)
558 __ne__ = _cmp(__ne__)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]559
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]560 __lt__ = _cmp(__lt__)
561 __le__ = _cmp(__le__)
562
563 __gt__ = _cmp(__gt__)
564 __ge__ = _cmp(__ge__)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]565
566 def __repr__(self):
567 """
568 String representation of an X509Name
569 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]570 result_buffer = _ffi.new("char[]", 512);
571 format_result = _lib.X509_NAME_oneline(
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]572 self._name, result_buffer, len(result_buffer))
573
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]574 if format_result == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]575 # TODO: This is untested.
576 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]577
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]578 return "<X509Name object '%s'>" % (
579 _native(_ffi.string(result_buffer)),)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]580
581
582 def hash(self):
583 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]584 Return an integer representation of the first four bytes of the
585 MD5 digest of the DER representation of the name.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]586
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]587 This is the Python equivalent of OpenSSL's ``X509_NAME_hash``.
588
589 :return: The (integer) hash of this name.
590 :rtype: :py:class:`int`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]591 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]592 return _lib.X509_NAME_hash(self._name)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]593
594
595 def der(self):
596 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]597 Return the DER encoding of this name.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]598
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]599 :return: The DER encoded form of this name.
600 :rtype: :py:class:`bytes`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]601 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]602 result_buffer = _ffi.new('unsigned char**')
603 encode_result = _lib.i2d_X509_NAME(self._name, result_buffer)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]604 if encode_result < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]605 # TODO: This is untested.
606 _raise_current_error()
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]607
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]608 string_result = _ffi.buffer(result_buffer[0], encode_result)[:]
609 _lib.OPENSSL_free(result_buffer[0])
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]610 return string_result
611
612
613 def get_components(self):
614 """
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]615 Returns the components of this name, as a sequence of 2-tuples.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]616
Laurens Van Houtven196195b2014-06-17 17:06:34 +0200[diff] [blame]617 :return: The components of this name.
618 :rtype: :py:class:`list` of ``name, value`` tuples.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]619 """
620 result = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]621 for i in range(_lib.X509_NAME_entry_count(self._name)):
622 ent = _lib.X509_NAME_get_entry(self._name, i)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]623
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]624 fname = _lib.X509_NAME_ENTRY_get_object(ent)
625 fval = _lib.X509_NAME_ENTRY_get_data(ent)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]626
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]627 nid = _lib.OBJ_obj2nid(fname)
628 name = _lib.OBJ_nid2sn(nid)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]629
630 result.append((
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]631 _ffi.string(name),
632 _ffi.string(
633 _lib.ASN1_STRING_data(fval),
634 _lib.ASN1_STRING_length(fval))))
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]635
636 return result
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]637
638
639
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]640X509NameType = X509Name
641
642
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]643
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]644class X509Extension(object):
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]645 """
646 An X.509 v3 certificate extension.
647 """
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]648 def __init__(self, type_name, critical, value, subject=None, issuer=None):
649 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]650 Initializes an X509 extension.
651
652 :param typename: The name of the type of extension to create. See
653 http://openssl.org/docs/apps/x509v3_config.html#STANDARD_EXTENSIONS
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]654 :type typename: :py:data:`str`
655
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]656 :param bool critical: A flag indicating whether this is a critical extension.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]657
658 :param value: The value of the extension.
659 :type value: :py:data:`str`
660
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]661 :param subject: Optional X509 certificate to use as subject.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]662 :type subject: :py:class:`X509`
663
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]664 :param issuer: Optional X509 certificate to use as issuer.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]665 :type issuer: :py:class:`X509`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]666 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]667 ctx = _ffi.new("X509V3_CTX*")
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]668
669 # A context is necessary for any extension which uses the r2i conversion
670 # method. That is, X509V3_EXT_nconf may segfault if passed a NULL ctx.
671 # Start off by initializing most of the fields to NULL.
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]672 _lib.X509V3_set_ctx(ctx, _ffi.NULL, _ffi.NULL, _ffi.NULL, _ffi.NULL, 0)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]673
674 # We have no configuration database - but perhaps we should (some
675 # extensions may require it).
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]676 _lib.X509V3_set_ctx_nodb(ctx)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]677
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]678 # Initialize the subject and issuer, if appropriate. ctx is a local,
679 # and as far as I can tell none of the X509V3_* APIs invoked here steal
680 # any references, so no need to mess with reference counts or duplicates.
681 if issuer is not None:
682 if not isinstance(issuer, X509):
683 raise TypeError("issuer must be an X509 instance")
684 ctx.issuer_cert = issuer._x509
685 if subject is not None:
686 if not isinstance(subject, X509):
687 raise TypeError("subject must be an X509 instance")
688 ctx.subject_cert = subject._x509
689
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]690 if critical:
691 # There are other OpenSSL APIs which would let us pass in critical
692 # separately, but they're harder to use, and since value is already
693 # a pile of crappy junk smuggling a ton of utterly important
694 # structured data, what's the point of trying to avoid nasty stuff
695 # with strings? (However, X509V3_EXT_i2d in particular seems like it
696 # would be a better API to invoke. I do not know where to get the
697 # ext_struc it desires for its last parameter, though.)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]698 value = b"critical," + value
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]699
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]700 extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
701 if extension == _ffi.NULL:
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]702 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]703 self._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]704
705
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]706 @property
707 def _nid(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]708 return _lib.OBJ_obj2nid(self._extension.object)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]709
710 _prefixes = {
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]711 _lib.GEN_EMAIL: "email",
712 _lib.GEN_DNS: "DNS",
713 _lib.GEN_URI: "URI",
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]714 }
715
716 def _subjectAltNameString(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]717 method = _lib.X509V3_EXT_get(self._extension)
718 if method == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]719 # TODO: This is untested.
720 _raise_current_error()
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]721 payload = self._extension.value.data
722 length = self._extension.value.length
723
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]724 payloadptr = _ffi.new("unsigned char**")
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]725 payloadptr[0] = payload
726
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]727 if method.it != _ffi.NULL:
728 ptr = _lib.ASN1_ITEM_ptr(method.it)
729 data = _lib.ASN1_item_d2i(_ffi.NULL, payloadptr, length, ptr)
730 names = _ffi.cast("GENERAL_NAMES*", data)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]731 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]732 names = _ffi.cast(
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]733 "GENERAL_NAMES*",
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]734 method.d2i(_ffi.NULL, payloadptr, length))
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]735
736 parts = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]737 for i in range(_lib.sk_GENERAL_NAME_num(names)):
738 name = _lib.sk_GENERAL_NAME_value(names, i)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]739 try:
740 label = self._prefixes[name.type]
741 except KeyError:
742 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]743 _lib.GENERAL_NAME_print(bio, name)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]744 parts.append(_native(_bio_to_string(bio)))
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]745 else:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]746 value = _native(
747 _ffi.buffer(name.d.ia5.data, name.d.ia5.length)[:])
748 parts.append(label + ":" + value)
749 return ", ".join(parts)
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]750
751
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]752 def __str__(self):
753 """
754 :return: a nice text representation of the extension
755 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]756 if _lib.NID_subject_alt_name == self._nid:
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]757 return self._subjectAltNameString()
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]758
Jean-Paul Calderoneed0c57b2013-10-06 08:31:40 -0400[diff] [blame]759 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]760 print_result = _lib.X509V3_EXT_print(bio, self._extension, 0, 0)
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]761 if not print_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]762 # TODO: This is untested.
763 _raise_current_error()
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]764
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]765 return _native(_bio_to_string(bio))
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]766
767
768 def get_critical(self):
769 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]770 Returns the critical field of this X.509 extension.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]771
772 :return: The critical field.
773 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]774 return _lib.X509_EXTENSION_get_critical(self._extension)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]775
776
777 def get_short_name(self):
778 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]779 Returns the short type name of this X.509 extension.
780
781 The result is a byte string such as :py:const:`b"basicConstraints"`.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]782
783 :return: The short type name.
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]784 :rtype: :py:data:`bytes`
785
786 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]787 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]788 obj = _lib.X509_EXTENSION_get_object(self._extension)
789 nid = _lib.OBJ_obj2nid(obj)
790 return _ffi.string(_lib.OBJ_nid2sn(nid))
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]791
792
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]793 def get_data(self):
794 """
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]795 Returns the data of the X509 extension, encoded as ASN.1.
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]796
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]797 :return: The ASN.1 encoded data of this X509 extension.
798 :rtype: :py:data:`bytes`
799
800 .. versionadded:: 0.12
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]801 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]802 octet_result = _lib.X509_EXTENSION_get_data(self._extension)
803 string_result = _ffi.cast('ASN1_STRING*', octet_result)
804 char_result = _lib.ASN1_STRING_data(string_result)
805 result_length = _lib.ASN1_STRING_length(string_result)
806 return _ffi.buffer(char_result, result_length)[:]
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]807
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]808
809
Jean-Paul Calderoned418a9c2013-02-20 16:24:55 -0800[diff] [blame]810X509ExtensionType = X509Extension
811
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]812
Laurens Van Houtven2650de52014-06-18 13:47:47 +0200[diff] [blame]813
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]814class X509Req(object):
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]815 """
816 An X.509 certificate signing requests.
817 """
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]818 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]819 req = _lib.X509_REQ_new()
820 self._req = _ffi.gc(req, _lib.X509_REQ_free)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]821
822
823 def set_pubkey(self, pkey):
824 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]825 Set the public key of the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]826
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]827 :param pkey: The public key to use.
828 :type pkey: :py:class:`PKey`
829
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]830 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]831 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]832 set_result = _lib.X509_REQ_set_pubkey(self._req, pkey._pkey)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]833 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]834 # TODO: This is untested.
835 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]836
837
838 def get_pubkey(self):
839 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]840 Get the public key of the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]841
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]842 :return: The public key.
843 :rtype: :py:class:`PKey`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]844 """
845 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]846 pkey._pkey = _lib.X509_REQ_get_pubkey(self._req)
847 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]848 # TODO: This is untested.
849 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]850 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]851 pkey._only_public = True
852 return pkey
853
854
855 def set_version(self, version):
856 """
857 Set the version subfield (RFC 2459, section 4.1.2.1) of the certificate
858 request.
859
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]860 :param int version: The version number.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]861 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]862 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]863 set_result = _lib.X509_REQ_set_version(self._req, version)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]864 if not set_result:
865 _raise_current_error()
866
867
868 def get_version(self):
869 """
870 Get the version subfield (RFC 2459, section 4.1.2.1) of the certificate
871 request.
872
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]873 :return: The value of the version subfield.
874 :rtype: :py:class:`int`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]875 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]876 return _lib.X509_REQ_get_version(self._req)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]877
878
879 def get_subject(self):
880 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]881 Return the subject of this certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]882
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]883 This creates a new :py:class:`X509Name`: modifying it does not affect
884 this request.
885
886 :return: The subject of this certificate signing request.
887 :rtype: :py:class:`X509Name`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]888 """
889 name = X509Name.__new__(X509Name)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]890 name._name = _lib.X509_REQ_get_subject_name(self._req)
891 if name._name == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]892 # TODO: This is untested.
893 _raise_current_error()
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]894
895 # The name is owned by the X509Req structure. As long as the X509Name
896 # Python object is alive, keep the X509Req Python object alive.
897 name._owner = self
898
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]899 return name
900
901
902 def add_extensions(self, extensions):
903 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]904 Add extensions to the certificate signing request.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]905
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]906 :param extensions: The X.509 extensions to add.
907 :type extensions: iterable of :py:class:`X509Extension`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]908 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]909 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]910 stack = _lib.sk_X509_EXTENSION_new_null()
911 if stack == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]912 # TODO: This is untested.
913 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]914
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]915 stack = _ffi.gc(stack, _lib.sk_X509_EXTENSION_free)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]916
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]917 for ext in extensions:
918 if not isinstance(ext, X509Extension):
Jean-Paul Calderonec2154b72013-02-20 14:29:37 -0800[diff] [blame]919 raise ValueError("One of the elements is not an X509Extension")
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]920
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]921 # TODO push can fail (here and elsewhere)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]922 _lib.sk_X509_EXTENSION_push(stack, ext._extension)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]923
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]924 add_result = _lib.X509_REQ_add_extensions(self._req, stack)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]925 if not add_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]926 # TODO: This is untested.
927 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]928
929
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800[diff] [blame]930 def get_extensions(self):
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]931 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]932 Get X.509 extensions in the certificate signing request.
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800[diff] [blame]933
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]934 :return: The X.509 extensions in this request.
935 :rtype: :py:class:`list` of :py:class:`X509Extension` objects.
936
937 .. versionadded:: 0.15
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]938 """
939 exts = []
Jean-Paul Calderone9479d732014-03-02 08:04:54 -0500[diff] [blame]940 native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
Jean-Paul Calderoneb7a79b42014-03-02 08:06:47 -0500[diff] [blame]941 for i in range(_lib.sk_X509_EXTENSION_num(native_exts_obj)):
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]942 ext = X509Extension.__new__(X509Extension)
Jean-Paul Calderone9479d732014-03-02 08:04:54 -0500[diff] [blame]943 ext._extension = _lib.sk_X509_EXTENSION_value(native_exts_obj, i)
Stephen Holsapple7fbdf642014-03-01 20:05:47 -0800[diff] [blame]944 exts.append(ext)
945 return exts
Stephen Holsappleadfd39d2014-01-28 17:58:31 -0800[diff] [blame]946
947
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]948 def sign(self, pkey, digest):
949 """
Laurens Van Houtven6f2e4262015-04-23 10:48:32 -0700[diff] [blame]950 Sign the certificate signing request with this key and digest type.
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]951
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]952 :param pkey: The key pair to sign with.
953 :type pkey: :py:class:`PKey`
954 :param digest: The name of the message digest to use for the signature,
955 e.g. :py:data:`b"sha1"`.
956 :type digest: :py:class:`bytes`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]957 :return: :py:const:`None`
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]958 """
959 if pkey._only_public:
960 raise ValueError("Key has only public part")
961
962 if not pkey._initialized:
963 raise ValueError("Key is uninitialized")
964
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]965 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]966 if digest_obj == _ffi.NULL:
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]967 raise ValueError("No such digest method")
968
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]969 sign_result = _lib.X509_REQ_sign(self._req, pkey._pkey, digest_obj)
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]970 if not sign_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]971 # TODO: This is untested.
972 _raise_current_error()
Jean-Paul Calderone4328d472013-02-20 14:28:46 -0800[diff] [blame]973
974
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]975 def verify(self, pkey):
976 """
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]977 Verifies the signature on this certificate signing request.
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]978
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]979 :param key: A public key.
980 :type key: :py:class:`PKey`
981 :return: :py:data:`True` if the signature is correct.
982 :rtype: :py:class:`bool`
983 :raises Error: If the signature is invalid or there is a
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]984 problem verifying the signature.
985 """
986 if not isinstance(pkey, PKey):
987 raise TypeError("pkey must be a PKey instance")
988
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]989 result = _lib.X509_REQ_verify(self._req, pkey._pkey)
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]990 if result <= 0:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]991 _raise_current_error()
Jean-Paul Calderone5565f0f2013-03-06 11:10:20 -0800[diff] [blame]992
993 return result
994
995
Laurens Van Houtven3e83d242014-06-18 14:29:47 +0200[diff] [blame]996
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]997X509ReqType = X509Req
998
999
1000
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1001class X509(object):
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1002 """
1003 An X.509 certificate.
1004 """
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1005 def __init__(self):
1006 # TODO Allocation failure? And why not __new__ instead of __init__?
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1007 x509 = _lib.X509_new()
1008 self._x509 = _ffi.gc(x509, _lib.X509_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1009
1010
1011 def set_version(self, version):
1012 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1013 Set the version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1014
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1015 :param version: The version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1016 :type version: :py:class:`int`
1017
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1018 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1019 """
1020 if not isinstance(version, int):
1021 raise TypeError("version must be an integer")
1022
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1023 _lib.X509_set_version(self._x509, version)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1024
1025
1026 def get_version(self):
1027 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1028 Return the version number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1029
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1030 :return: The version number of the certificate.
1031 :rtype: :py:class:`int`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1032 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1033 return _lib.X509_get_version(self._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1034
1035
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1036 def get_pubkey(self):
1037 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1038 Get the public key of the certificate.
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1039
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1040 :return: The public key.
1041 :rtype: :py:class:`PKey`
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1042 """
1043 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1044 pkey._pkey = _lib.X509_get_pubkey(self._x509)
1045 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1046 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1047 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1048 pkey._only_public = True
1049 return pkey
1050
1051
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1052 def set_pubkey(self, pkey):
1053 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1054 Set the public key of the certificate.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1055
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1056 :param pkey: The public key.
1057 :type pkey: :py:class:`PKey`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1058
Laurens Van Houtven33fcf122015-04-23 10:50:08 -0700[diff] [blame]1059 :return: :py:data:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1060 """
1061 if not isinstance(pkey, PKey):
1062 raise TypeError("pkey must be a PKey instance")
1063
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1064 set_result = _lib.X509_set_pubkey(self._x509, pkey._pkey)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1065 if not set_result:
1066 _raise_current_error()
1067
1068
1069 def sign(self, pkey, digest):
1070 """
Laurens Van Houtven6f2e4262015-04-23 10:48:32 -0700[diff] [blame]1071 Sign the certificate with this key and digest type.
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1072
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1073 :param pkey: The key to sign with.
1074 :type pkey: :py:class:`PKey`
1075
1076 :param digest: The name of the message digest to use.
1077 :type digest: :py:class:`bytes`
1078
Laurens Van Houtvena367fe82015-04-23 10:49:12 -0700[diff] [blame]1079 :return: :py:data:`None`
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1080 """
1081 if not isinstance(pkey, PKey):
1082 raise TypeError("pkey must be a PKey instance")
1083
Jean-Paul Calderoneedafced2013-02-19 11:48:38 -0800[diff] [blame]1084 if pkey._only_public:
1085 raise ValueError("Key only has public part")
1086
Jean-Paul Calderone09e3bdc2013-02-19 12:15:28 -0800[diff] [blame]1087 if not pkey._initialized:
1088 raise ValueError("Key is uninitialized")
1089
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1090 evp_md = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1091 if evp_md == _ffi.NULL:
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1092 raise ValueError("No such digest method")
1093
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1094 sign_result = _lib.X509_sign(self._x509, pkey._pkey, evp_md)
Jean-Paul Calderone3e29ccf2013-02-19 11:32:46 -0800[diff] [blame]1095 if not sign_result:
1096 _raise_current_error()
1097
1098
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1099 def get_signature_algorithm(self):
1100 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1101 Return the signature algorithm used in the certificate.
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1102
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1103 :return: The name of the algorithm.
1104 :rtype: :py:class:`bytes`
1105
1106 :raises ValueError: If the signature algorithm is undefined.
1107
Laurens Van Houtven0dd87402015-04-23 10:47:18 -0700[diff] [blame]1108 .. versionadded:: 0.13
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1109 """
1110 alg = self._x509.cert_info.signature.algorithm
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1111 nid = _lib.OBJ_obj2nid(alg)
1112 if nid == _lib.NID_undef:
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1113 raise ValueError("Undefined signature algorithm")
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1114 return _ffi.string(_lib.OBJ_nid2ln(nid))
Jean-Paul Calderonee4aa3fa2013-02-19 12:12:53 -0800[diff] [blame]1115
1116
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1117 def digest(self, digest_name):
1118 """
1119 Return the digest of the X509 object.
1120
1121 :param digest_name: The name of the digest algorithm to use.
1122 :type digest_name: :py:class:`bytes`
1123
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1124 :return: The digest of the object, formatted as
1125 :py:const:`b":"`-delimited hex pairs.
1126 :rtype: :py:class:`bytes`
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1127 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1128 digest = _lib.EVP_get_digestbyname(_byte_string(digest_name))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1129 if digest == _ffi.NULL:
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1130 raise ValueError("No such digest method")
1131
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1132 result_buffer = _ffi.new("char[]", _lib.EVP_MAX_MD_SIZE)
1133 result_length = _ffi.new("unsigned int[]", 1)
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1134 result_length[0] = len(result_buffer)
1135
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1136 digest_result = _lib.X509_digest(
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1137 self._x509, digest, result_buffer, result_length)
1138
1139 if not digest_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1140 # TODO: This is untested.
1141 _raise_current_error()
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1142
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1143 return b":".join([
1144 b16encode(ch).upper() for ch
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1145 in _ffi.buffer(result_buffer, result_length[0])])
Jean-Paul Calderoneb4078722013-02-19 12:01:55 -0800[diff] [blame]1146
1147
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1148 def subject_name_hash(self):
1149 """
1150 Return the hash of the X509 subject.
1151
1152 :return: The hash of the subject.
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1153 :rtype: :py:class:`bytes`
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1154 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1155 return _lib.X509_subject_name_hash(self._x509)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1156
1157
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1158 def set_serial_number(self, serial):
1159 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1160 Set the serial number of the certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1161
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1162 :param serial: The new serial number.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1163 :type serial: :py:class:`int`
1164
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1165 :return: :py:data`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1166 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1167 if not isinstance(serial, _integer_types):
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1168 raise TypeError("serial must be an integer")
1169
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1170 hex_serial = hex(serial)[2:]
1171 if not isinstance(hex_serial, bytes):
1172 hex_serial = hex_serial.encode('ascii')
1173
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1174 bignum_serial = _ffi.new("BIGNUM**")
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1175
1176 # BN_hex2bn stores the result in &bignum. Unless it doesn't feel like
1177 # it. If bignum is still NULL after this call, then the return value is
1178 # actually the result. I hope. -exarkun
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1179 small_serial = _lib.BN_hex2bn(bignum_serial, hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1180
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1181 if bignum_serial[0] == _ffi.NULL:
1182 set_result = _lib.ASN1_INTEGER_set(
1183 _lib.X509_get_serialNumber(self._x509), small_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1184 if set_result:
1185 # TODO Not tested
1186 _raise_current_error()
1187 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1188 asn1_serial = _lib.BN_to_ASN1_INTEGER(bignum_serial[0], _ffi.NULL)
1189 _lib.BN_free(bignum_serial[0])
1190 if asn1_serial == _ffi.NULL:
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1191 # TODO Not tested
1192 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1193 asn1_serial = _ffi.gc(asn1_serial, _lib.ASN1_INTEGER_free)
1194 set_result = _lib.X509_set_serialNumber(self._x509, asn1_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1195 if not set_result:
1196 # TODO Not tested
1197 _raise_current_error()
1198
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1199
1200 def get_serial_number(self):
1201 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1202 Return the serial number of this certificate.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1203
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1204 :return: The serial number.
1205 :rtype: :py:class:`int`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1206 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1207 asn1_serial = _lib.X509_get_serialNumber(self._x509)
1208 bignum_serial = _lib.ASN1_INTEGER_to_BN(asn1_serial, _ffi.NULL)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1209 try:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1210 hex_serial = _lib.BN_bn2hex(bignum_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1211 try:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1212 hexstring_serial = _ffi.string(hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1213 serial = int(hexstring_serial, 16)
1214 return serial
1215 finally:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1216 _lib.OPENSSL_free(hex_serial)
Jean-Paul Calderone78133852013-02-19 10:41:46 -0800[diff] [blame]1217 finally:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1218 _lib.BN_free(bignum_serial)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1219
1220
1221 def gmtime_adj_notAfter(self, amount):
1222 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1223 Adjust the time stamp on which the certificate stops being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1224
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1225 :param amount: The number of seconds by which to adjust the timestamp.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1226 :type amount: :py:class:`int`
1227
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1228 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1229 """
1230 if not isinstance(amount, int):
1231 raise TypeError("amount must be an integer")
1232
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1233 notAfter = _lib.X509_get_notAfter(self._x509)
1234 _lib.X509_gmtime_adj(notAfter, amount)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1235
1236
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1237 def gmtime_adj_notBefore(self, amount):
1238 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1239 Adjust the timestamp on which the certificate starts being valid.
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1240
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1241 :param amount: The number of seconds by which to adjust the timestamp.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1242 :return: :py:const:`None`
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1243 """
1244 if not isinstance(amount, int):
1245 raise TypeError("amount must be an integer")
1246
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1247 notBefore = _lib.X509_get_notBefore(self._x509)
1248 _lib.X509_gmtime_adj(notBefore, amount)
Jean-Paul Calderone662afe52013-02-20 08:41:11 -0800[diff] [blame]1249
1250
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1251 def has_expired(self):
1252 """
1253 Check whether the certificate has expired.
1254
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1255 :return: :py:const:`True` if the certificate has expired,
1256 :py:const:`False` otherwise.
1257 :rtype: :py:class:`bool`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1258 """
1259 now = int(time())
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1260 notAfter = _lib.X509_get_notAfter(self._x509)
1261 return _lib.ASN1_UTCTIME_cmp_time_t(
1262 _ffi.cast('ASN1_UTCTIME*', notAfter), now) < 0
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1263
1264
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1265 def _get_boundary_time(self, which):
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1266 return _get_asn1_time(which(self._x509))
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1267
1268
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1269 def get_notBefore(self):
1270 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1271 Get the timestamp at which the certificate starts being valid.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1272
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1273 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1274
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1275 YYYYMMDDhhmmssZ
1276 YYYYMMDDhhmmss+hhmm
1277 YYYYMMDDhhmmss-hhmm
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1278
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1279 :return: A timestamp string, or :py:const:`None` if there is none.
1280 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1281 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1282 return self._get_boundary_time(_lib.X509_get_notBefore)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1283
1284
1285 def _set_boundary_time(self, which, when):
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1286 return _set_asn1_time(which(self._x509), when)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1287
1288
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1289 def set_notBefore(self, when):
1290 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1291 Set the timestamp at which the certificate starts being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1292
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1293 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1294
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1295 YYYYMMDDhhmmssZ
1296 YYYYMMDDhhmmss+hhmm
1297 YYYYMMDDhhmmss-hhmm
1298
1299 :param when: A timestamp string.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1300 :type when: :py:class:`bytes`
1301
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1302 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1303 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1304 return self._set_boundary_time(_lib.X509_get_notBefore, when)
Jean-Paul Calderoned7d81272013-02-19 13:16:03 -0800[diff] [blame]1305
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1306
1307 def get_notAfter(self):
1308 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1309 Get the timestamp at which the certificate stops being valid.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1310
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1311 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1312
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1313 YYYYMMDDhhmmssZ
1314 YYYYMMDDhhmmss+hhmm
1315 YYYYMMDDhhmmss-hhmm
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1316
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1317 :return: A timestamp string, or :py:const:`None` if there is none.
1318 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1319 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1320 return self._get_boundary_time(_lib.X509_get_notAfter)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1321
1322
1323 def set_notAfter(self, when):
1324 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1325 Set the timestamp at which the certificate stops being valid.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1326
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1327 The timestamp is formatted as an ASN.1 GENERALIZEDTIME::
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1328
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1329 YYYYMMDDhhmmssZ
1330 YYYYMMDDhhmmss+hhmm
1331 YYYYMMDDhhmmss-hhmm
1332
1333 :param when: A timestamp string.
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1334 :type when: :py:class:`bytes`
1335
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1336 :return: :py:const:`None`
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1337 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1338 return self._set_boundary_time(_lib.X509_get_notAfter, when)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1339
1340
1341 def _get_name(self, which):
1342 name = X509Name.__new__(X509Name)
1343 name._name = which(self._x509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1344 if name._name == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1345 # TODO: This is untested.
1346 _raise_current_error()
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1347
1348 # The name is owned by the X509 structure. As long as the X509Name
1349 # Python object is alive, keep the X509 Python object alive.
1350 name._owner = self
1351
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1352 return name
1353
1354
1355 def _set_name(self, which, name):
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1356 if not isinstance(name, X509Name):
1357 raise TypeError("name must be an X509Name")
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1358 set_result = which(self._x509, name._name)
1359 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1360 # TODO: This is untested.
1361 _raise_current_error()
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1362
1363
1364 def get_issuer(self):
1365 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1366 Return the issuer of this certificate.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1367
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1368 This creates a new :py:class:`X509Name`: modifying it does not affect
1369 this certificate.
1370
1371 :return: The issuer of this certificate.
1372 :rtype: :py:class:`X509Name`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1373 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1374 return self._get_name(_lib.X509_get_issuer_name)
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1375
1376
1377 def set_issuer(self, issuer):
1378 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1379 Set the issuer of this certificate.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1380
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1381 :param issuer: The issuer.
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1382 :type issuer: :py:class:`X509Name`
1383
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1384 :return: :py:const:`None`
Jean-Paul Calderonec2bd4e92013-02-20 08:12:36 -0800[diff] [blame]1385 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1386 return self._set_name(_lib.X509_set_issuer_name, issuer)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1387
1388
1389 def get_subject(self):
1390 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1391 Return the subject of this certificate.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1392
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1393 This creates a new :py:class:`X509Name`: modifying it does not affect
1394 this certificate.
1395
1396 :return: The subject of this certificate.
1397 :rtype: :py:class:`X509Name`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1398 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1399 return self._get_name(_lib.X509_get_subject_name)
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1400
1401
1402 def set_subject(self, subject):
1403 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1404 Set the subject of this certificate.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1405
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1406 :param subject: The subject.
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1407 :type subject: :py:class:`X509Name`
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1408
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1409 :return: :py:const:`None`
Jean-Paul Calderonea9de1952013-02-19 16:58:42 -0800[diff] [blame]1410 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1411 return self._set_name(_lib.X509_set_subject_name, subject)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1412
1413
1414 def get_extension_count(self):
1415 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1416 Get the number of extensions on this certificate.
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1417
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1418 :return: The number of extensions.
1419 :rtype: :py:class:`int`
1420
1421 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1422 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1423 return _lib.X509_get_ext_count(self._x509)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1424
1425
1426 def add_extensions(self, extensions):
1427 """
1428 Add extensions to the certificate.
1429
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1430 :param extensions: The extensions to add.
1431 :type extensions: An iterable of :py:class:`X509Extension` objects.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1432 :return: :py:const:`None`
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1433 """
1434 for ext in extensions:
1435 if not isinstance(ext, X509Extension):
1436 raise ValueError("One of the elements is not an X509Extension")
1437
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1438 add_result = _lib.X509_add_ext(self._x509, ext._extension, -1)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1439 if not add_result:
1440 _raise_current_error()
1441
1442
1443 def get_extension(self, index):
1444 """
1445 Get a specific extension of the certificate by index.
1446
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]1447 Extensions on a certificate are kept in order. The index
1448 parameter selects which extension will be returned.
1449
1450 :param int index: The index of the extension to retrieve.
1451 :return: The extension at the specified index.
1452 :rtype: :py:class:`X509Extension`
1453 :raises IndexError: If the extension index was out of bounds.
1454
1455 .. versionadded:: 0.12
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1456 """
1457 ext = X509Extension.__new__(X509Extension)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1458 ext._extension = _lib.X509_get_ext(self._x509, index)
1459 if ext._extension == _ffi.NULL:
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1460 raise IndexError("extension index out of bounds")
1461
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1462 extension = _lib.X509_EXTENSION_dup(ext._extension)
1463 ext._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
Jean-Paul Calderone83d22eb2013-02-20 12:19:43 -0800[diff] [blame]1464 return ext
1465
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1466
1467
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1468X509Type = X509
1469
1470
1471
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1472class X509Store(object):
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1473 """
1474 An X509 certificate store.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1475 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1476 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1477 store = _lib.X509_STORE_new()
1478 self._store = _ffi.gc(store, _lib.X509_STORE_free)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1479
1480
1481 def add_cert(self, cert):
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1482 """
1483 Adds the certificate :py:data:`cert` to this store.
1484
Laurens Van Houtven6e7dd432014-06-17 16:10:57 +0200[diff] [blame]1485 This is the Python equivalent of OpenSSL's ``X509_STORE_add_cert``.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1486
1487 :param X509 cert: The certificate to add to this store.
1488 :raises TypeError: If the certificate is not an :py:class:`X509`.
1489 :raises Error: If OpenSSL was unhappy with your certificate.
Laurens Van Houtven5ee60b32015-04-23 10:51:16 -0700[diff] [blame]1490 :return: :py:data:`None` if the certificate was added successfully.
Laurens Van Houtvenef5c83d2014-06-17 15:32:27 +0200[diff] [blame]1491 """
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1492 if not isinstance(cert, X509):
1493 raise TypeError()
1494
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1495 result = _lib.X509_STORE_add_cert(self._store, cert._x509)
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1496 if not result:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]1497 _raise_current_error()
Jean-Paul Calderonee6f32b82013-03-06 10:27:57 -0800[diff] [blame]1498
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1499
1500X509StoreType = X509Store
1501
1502
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1503class X509StoreContextError(Exception):
1504 """
1505 An error occurred while verifying a certificate using
Jean-Paul Calderonefeb17432015-03-15 15:49:45 -0400[diff] [blame]1506 `OpenSSL.X509StoreContext.verify_certificate`.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1507
Jean-Paul Calderonefeb17432015-03-15 15:49:45 -0400[diff] [blame]1508 :ivar certificate: The certificate which caused verificate failure.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1509 :type cert: :class:`X509`
1510
1511 """
1512 def __init__(self, message, certificate):
1513 super(X509StoreContextError, self).__init__(message)
1514 self.certificate = certificate
1515
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -0800[diff] [blame]1516
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1517class X509StoreContext(object):
1518 """
1519 An X.509 store context.
1520
Jean-Paul Calderone13a81682015-01-18 15:49:15 -0500[diff] [blame]1521 An :py:class:`X509StoreContext` is used to define some of the criteria for
1522 certificate verification. The information encapsulated in this object
1523 includes, but is not limited to, a set of trusted certificates,
1524 verification parameters, and revoked certificates.
1525
1526 Of these, only the set of trusted certificates is currently exposed.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1527
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1528 :ivar _store_ctx: The underlying X509_STORE_CTX structure used by this
1529 instance. It is dynamically allocated and automatically garbage
1530 collected.
1531
Jean-Paul Calderone64b6b842015-03-15 16:08:02 -0400[diff] [blame]1532 :ivar _store: See the ``store`` ``__init__`` parameter.
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1533
Jean-Paul Calderone64b6b842015-03-15 16:08:02 -0400[diff] [blame]1534 :ivar _cert: See the ``certificate`` ``__init__`` parameter.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1535 """
1536
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1537 def __init__(self, store, certificate):
1538 """
1539 :param X509Store store: The certificates which will be trusted for the
1540 purposes of any verifications.
1541
1542 :param X509 certificate: The certificate to be verified.
1543 """
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1544 store_ctx = _lib.X509_STORE_CTX_new()
1545 self._store_ctx = _ffi.gc(store_ctx, _lib.X509_STORE_CTX_free)
1546 self._store = store
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1547 self._cert = certificate
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1548 # Make the store context available for use after instantiating this
1549 # class by initializing it now. Per testing, subsequent calls to
1550 # :py:meth:`_init` have no adverse affect.
1551 self._init()
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1552
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1553
1554 def _init(self):
1555 """
1556 Set up the store context for a subsequent verification operation.
1557 """
1558 ret = _lib.X509_STORE_CTX_init(self._store_ctx, self._store._store, self._cert._x509, _ffi.NULL)
1559 if ret <= 0:
1560 _raise_current_error()
1561
Jean-Paul Calderoneb7b7fb92015-01-18 15:37:10 -0500[diff] [blame]1562
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1563 def _cleanup(self):
1564 """
1565 Internally cleans up the store context.
1566
1567 The store context can then be reused with a new call to
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1568 :py:meth:`_init`.
Stephen Holsapple0d9815f2014-08-27 19:36:53 -0700[diff] [blame]1569 """
1570 _lib.X509_STORE_CTX_cleanup(self._store_ctx)
1571
1572
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1573 def _exception_from_context(self):
1574 """
1575 Convert an OpenSSL native context error failure into a Python
1576 exception.
1577
1578 When a call to native OpenSSL X509_verify_cert fails, additonal information
1579 about the failure can be obtained from the store context.
1580 """
1581 errors = [
1582 _lib.X509_STORE_CTX_get_error(self._store_ctx),
1583 _lib.X509_STORE_CTX_get_error_depth(self._store_ctx),
1584 _native(_ffi.string(_lib.X509_verify_cert_error_string(
1585 _lib.X509_STORE_CTX_get_error(self._store_ctx)))),
1586 ]
Stephen Holsapple1f713eb2015-02-09 19:19:44 -0800[diff] [blame]1587 # A context error should always be associated with a certificate, so we
1588 # expect this call to never return :class:`None`.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1589 _x509 = _lib.X509_STORE_CTX_get_current_cert(self._store_ctx)
Stephen Holsapple1f713eb2015-02-09 19:19:44 -0800[diff] [blame]1590 _cert = _lib.X509_dup(_x509)
1591 pycert = X509.__new__(X509)
1592 pycert._x509 = _ffi.gc(_cert, _lib.X509_free)
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1593 return X509StoreContextError(errors, pycert)
1594
1595
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1596 def set_store(self, store):
1597 """
1598 Set the context's trust store.
1599
1600 :param X509Store store: The certificates which will be trusted for the
1601 purposes of any *future* verifications.
1602 """
1603 self._store = store
1604
1605
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1606 def verify_certificate(self):
1607 """
1608 Verify a certificate in a context.
1609
1610 :param store_ctx: The :py:class:`X509StoreContext` to verify.
1611 :raises: Error
1612 """
Stephen Holsapple46a09252015-02-12 14:45:43 -0800[diff] [blame]1613 # Always re-initialize the store context in case
1614 # :py:meth:`verify_certificate` is called multiple times.
Stephen Holsapple08ffaa62015-01-30 17:18:40 -0800[diff] [blame]1615 self._init()
1616 ret = _lib.X509_verify_cert(self._store_ctx)
1617 self._cleanup()
1618 if ret <= 0:
1619 raise self._exception_from_context()
1620
1621
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1622
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1623def load_certificate(type, buffer):
1624 """
1625 Load a certificate from a buffer
1626
1627 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]1628
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1629 :param buffer: The buffer the certificate is stored in
1630 :type buffer: :py:class:`bytes`
1631
1632 :return: The X509 object
1633 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]1634 if isinstance(buffer, _text_type):
1635 buffer = buffer.encode("ascii")
1636
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1637 bio = _new_mem_buf(buffer)
1638
1639 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1640 x509 = _lib.PEM_read_bio_X509(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1641 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1642 x509 = _lib.d2i_X509_bio(bio, _ffi.NULL);
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1643 else:
1644 raise ValueError(
1645 "type argument must be FILETYPE_PEM or FILETYPE_ASN1")
1646
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1647 if x509 == _ffi.NULL:
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1648 _raise_current_error()
1649
1650 cert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1651 cert._x509 = _ffi.gc(x509, _lib.X509_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1652 return cert
1653
1654
1655def dump_certificate(type, cert):
1656 """
1657 Dump a certificate to a buffer
1658
Jean-Paul Calderonea12e7d22013-04-03 08:17:34 -0400[diff] [blame]1659 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or
1660 FILETYPE_TEXT)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1661 :param cert: The certificate to dump
1662 :return: The buffer with the dumped certificate in
1663 """
Jean-Paul Calderone0c73aff2013-03-02 07:45:12 -0800[diff] [blame]1664 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]1665
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1666 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1667 result_code = _lib.PEM_write_bio_X509(bio, cert._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1668 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1669 result_code = _lib.i2d_X509_bio(bio, cert._x509)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1670 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1671 result_code = _lib.X509_print_ex(bio, cert._x509, 0, 0)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1672 else:
1673 raise ValueError(
1674 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
1675 "FILETYPE_TEXT")
1676
1677 return _bio_to_string(bio)
1678
1679
1680
1681def dump_privatekey(type, pkey, cipher=None, passphrase=None):
1682 """
1683 Dump a private key to a buffer
1684
Jean-Paul Calderonee66fde22013-04-03 08:35:08 -0400[diff] [blame]1685 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or
1686 FILETYPE_TEXT)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1687 :param pkey: The PKey to dump
1688 :param cipher: (optional) if encrypted PEM format, the cipher to
1689 use
1690 :param passphrase: (optional) if encrypted PEM format, this can be either
1691 the passphrase to use, or a callback for providing the
1692 passphrase.
1693 :return: The buffer with the dumped key in
1694 :rtype: :py:data:`str`
1695 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]1696 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]1697
1698 if cipher is not None:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1699 if passphrase is None:
1700 raise TypeError(
1701 "if a value is given for cipher "
1702 "one must also be given for passphrase")
1703 cipher_obj = _lib.EVP_get_cipherbyname(_byte_string(cipher))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1704 if cipher_obj == _ffi.NULL:
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]1705 raise ValueError("Invalid cipher name")
1706 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1707 cipher_obj = _ffi.NULL
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1708
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]1709 helper = _PassphraseHelper(type, passphrase)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1710 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1711 result_code = _lib.PEM_write_bio_PrivateKey(
1712 bio, pkey._pkey, cipher_obj, _ffi.NULL, 0,
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]1713 helper.callback, helper.callback_args)
1714 helper.raise_if_problem()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1715 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1716 result_code = _lib.i2d_PrivateKey_bio(bio, pkey._pkey)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1717 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1718 rsa = _lib.EVP_PKEY_get1_RSA(pkey._pkey)
1719 result_code = _lib.RSA_print(bio, rsa, 0)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]1720 # TODO RSA_free(rsa)?
1721 else:
1722 raise ValueError(
1723 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or "
1724 "FILETYPE_TEXT")
1725
1726 if result_code == 0:
1727 _raise_current_error()
1728
1729 return _bio_to_string(bio)
1730
1731
1732
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1733def _X509_REVOKED_dup(original):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1734 copy = _lib.X509_REVOKED_new()
1735 if copy == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1736 # TODO: This is untested.
1737 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1738
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1739 if original.serialNumber != _ffi.NULL:
Jonathan Giannuzzib5b93222014-03-20 15:54:29 +0100[diff] [blame]1740 _lib.ASN1_INTEGER_free(copy.serialNumber)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1741 copy.serialNumber = _lib.ASN1_INTEGER_dup(original.serialNumber)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1742
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1743 if original.revocationDate != _ffi.NULL:
Jonathan Giannuzzib5b93222014-03-20 15:54:29 +0100[diff] [blame]1744 _lib.ASN1_TIME_free(copy.revocationDate)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1745 copy.revocationDate = _lib.M_ASN1_TIME_dup(original.revocationDate)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1746
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1747 if original.extensions != _ffi.NULL:
1748 extension_stack = _lib.sk_X509_EXTENSION_new_null()
1749 for i in range(_lib.sk_X509_EXTENSION_num(original.extensions)):
1750 original_ext = _lib.sk_X509_EXTENSION_value(original.extensions, i)
1751 copy_ext = _lib.X509_EXTENSION_dup(original_ext)
1752 _lib.sk_X509_EXTENSION_push(extension_stack, copy_ext)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1753 copy.extensions = extension_stack
1754
1755 copy.sequence = original.sequence
1756 return copy
1757
1758
1759
1760class Revoked(object):
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1761 """
1762 A certificate revocation.
1763 """
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1764 # http://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_
1765 # which differs from crl_reasons of crypto/x509v3/v3_enum.c that matches
1766 # OCSP_crl_reason_str. We use the latter, just like the command line
1767 # program.
1768 _crl_reasons = [
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1769 b"unspecified",
1770 b"keyCompromise",
1771 b"CACompromise",
1772 b"affiliationChanged",
1773 b"superseded",
1774 b"cessationOfOperation",
1775 b"certificateHold",
1776 # b"removeFromCRL",
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1777 ]
1778
1779 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1780 revoked = _lib.X509_REVOKED_new()
1781 self._revoked = _ffi.gc(revoked, _lib.X509_REVOKED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1782
1783
1784 def set_serial(self, hex_str):
1785 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1786 Set the serial number.
1787
1788 The serial number is formatted as a hexadecimal number encoded in
1789 ASCII.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1790
1791 :param hex_str: The new serial number.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1792 :type hex_str: :py:class:`bytes`
1793
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1794 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1795 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1796 bignum_serial = _ffi.gc(_lib.BN_new(), _lib.BN_free)
1797 bignum_ptr = _ffi.new("BIGNUM**")
Jean-Paul Calderonefd371362013-03-01 20:53:58 -0800[diff] [blame]1798 bignum_ptr[0] = bignum_serial
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1799 bn_result = _lib.BN_hex2bn(bignum_ptr, hex_str)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1800 if not bn_result:
1801 raise ValueError("bad hex string")
1802
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1803 asn1_serial = _ffi.gc(
1804 _lib.BN_to_ASN1_INTEGER(bignum_serial, _ffi.NULL),
1805 _lib.ASN1_INTEGER_free)
1806 _lib.X509_REVOKED_set_serialNumber(self._revoked, asn1_serial)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1807
1808
1809 def get_serial(self):
1810 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1811 Get the serial number.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1812
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1813 The serial number is formatted as a hexadecimal number encoded in
1814 ASCII.
1815
1816 :return: The serial number.
1817 :rtype: :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1818 """
Jean-Paul Calderonefd371362013-03-01 20:53:58 -0800[diff] [blame]1819 bio = _new_mem_buf()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1820
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1821 result = _lib.i2a_ASN1_INTEGER(bio, self._revoked.serialNumber)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1822 if result < 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1823 # TODO: This is untested.
1824 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1825
1826 return _bio_to_string(bio)
1827
1828
1829 def _delete_reason(self):
1830 stack = self._revoked.extensions
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1831 for i in range(_lib.sk_X509_EXTENSION_num(stack)):
1832 ext = _lib.sk_X509_EXTENSION_value(stack, i)
1833 if _lib.OBJ_obj2nid(ext.object) == _lib.NID_crl_reason:
1834 _lib.X509_EXTENSION_free(ext)
1835 _lib.sk_X509_EXTENSION_delete(stack, i)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1836 break
1837
1838
1839 def set_reason(self, reason):
1840 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1841 Set the reason of this revocation.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1842
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1843 If :py:data:`reason` is :py:const:`None`, delete the reason instead.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1844
1845 :param reason: The reason string.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1846 :type reason: :py:class:`bytes` or :py:class:`NoneType`
1847
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1848 :return: :py:const:`None`
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1849
1850 .. seealso::
1851
1852 :py:meth:`all_reasons`, which gives you a list of all supported
1853 reasons which you might pass to this method.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1854 """
1855 if reason is None:
1856 self._delete_reason()
1857 elif not isinstance(reason, bytes):
1858 raise TypeError("reason must be None or a byte string")
1859 else:
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]1860 reason = reason.lower().replace(b' ', b'')
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1861 reason_code = [r.lower() for r in self._crl_reasons].index(reason)
1862
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1863 new_reason_ext = _lib.ASN1_ENUMERATED_new()
1864 if new_reason_ext == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1865 # TODO: This is untested.
1866 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1867 new_reason_ext = _ffi.gc(new_reason_ext, _lib.ASN1_ENUMERATED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1868
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1869 set_result = _lib.ASN1_ENUMERATED_set(new_reason_ext, reason_code)
1870 if set_result == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1871 # TODO: This is untested.
1872 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1873
1874 self._delete_reason()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1875 add_result = _lib.X509_REVOKED_add1_ext_i2d(
1876 self._revoked, _lib.NID_crl_reason, new_reason_ext, 0, 0)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1877
1878 if not add_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1879 # TODO: This is untested.
1880 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1881
1882
1883 def get_reason(self):
1884 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1885 Set the reason of this revocation.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1886
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1887 :return: The reason, or :py:const:`None` if there is none.
1888 :rtype: :py:class:`bytes` or :py:class:`NoneType`
1889
1890 .. seealso::
1891
1892 :py:meth:`all_reasons`, which gives you a list of all supported
1893 reasons this method might return.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1894 """
1895 extensions = self._revoked.extensions
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1896 for i in range(_lib.sk_X509_EXTENSION_num(extensions)):
1897 ext = _lib.sk_X509_EXTENSION_value(extensions, i)
1898 if _lib.OBJ_obj2nid(ext.object) == _lib.NID_crl_reason:
Jean-Paul Calderonefd371362013-03-01 20:53:58 -0800[diff] [blame]1899 bio = _new_mem_buf()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1900
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1901 print_result = _lib.X509V3_EXT_print(bio, ext, 0, 0)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1902 if not print_result:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1903 print_result = _lib.M_ASN1_OCTET_STRING_print(bio, ext.value)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1904 if print_result == 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1905 # TODO: This is untested.
1906 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1907
1908 return _bio_to_string(bio)
1909
1910
1911 def all_reasons(self):
1912 """
1913 Return a list of all the supported reason strings.
1914
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1915 This list is a copy; modifying it does not change the supported reason
1916 strings.
1917
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1918 :return: A list of reason strings.
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1919 :rtype: :py:class:`list` of :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1920 """
1921 return self._crl_reasons[:]
1922
1923
1924 def set_rev_date(self, when):
1925 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1926 Set the revocation timestamp.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1927
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1928 :param when: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
1929 :type when: :py:class:`bytes`
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1930 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1931 """
1932 return _set_asn1_time(self._revoked.revocationDate, when)
1933
1934
1935 def get_rev_date(self):
1936 """
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1937 Get the revocation timestamp.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1938
Laurens Van Houtvend92f55c2014-06-19 17:08:41 +0200[diff] [blame]1939 :return: The timestamp of the revocation, as ASN.1 GENERALIZEDTIME.
1940 :rtype: :py:class:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1941 """
1942 return _get_asn1_time(self._revoked.revocationDate)
1943
1944
1945
1946class CRL(object):
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1947 """
1948 A certificate revocation list.
1949 """
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1950 def __init__(self):
1951 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1952 Create a new empty certificate revocation list.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1953 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1954 crl = _lib.X509_CRL_new()
1955 self._crl = _ffi.gc(crl, _lib.X509_CRL_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1956
1957
1958 def get_revoked(self):
1959 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1960 Return the revocations in this certificate revocation list.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1961
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1962 These revocations will be provided by value, not by reference.
1963 That means it's okay to mutate them: it won't affect this CRL.
1964
1965 :return: The revocations in this CRL.
1966 :rtype: :py:class:`tuple` of :py:class:`Revocation`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1967 """
1968 results = []
1969 revoked_stack = self._crl.crl.revoked
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1970 for i in range(_lib.sk_X509_REVOKED_num(revoked_stack)):
1971 revoked = _lib.sk_X509_REVOKED_value(revoked_stack, i)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1972 revoked_copy = _X509_REVOKED_dup(revoked)
1973 pyrev = Revoked.__new__(Revoked)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1974 pyrev._revoked = _ffi.gc(revoked_copy, _lib.X509_REVOKED_free)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1975 results.append(pyrev)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]1976 if results:
1977 return tuple(results)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1978
1979
1980 def add_revoked(self, revoked):
1981 """
1982 Add a revoked (by value not reference) to the CRL structure
1983
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]1984 This revocation will be added by value, not by reference. That
1985 means it's okay to mutate it after adding: it won't affect
1986 this CRL.
1987
1988 :param revoked: The new revocation.
1989 :type revoked: :class:`Revoked`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1990
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]1991 :return: :py:const:`None`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1992 """
1993 copy = _X509_REVOKED_dup(revoked._revoked)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1994 if copy == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1995 # TODO: This is untested.
1996 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]1997
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]1998 add_result = _lib.X509_CRL_add0_revoked(self._crl, copy)
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]1999 if add_result == 0:
2000 # TODO: This is untested.
2001 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2002
2003
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]2004 def export(self, cert, key, type=FILETYPE_PEM, days=100,
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]2005 digest=_UNSPECIFIED):
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2006 """
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]2007 Export a CRL as a string.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2008
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]2009 :param cert: The certificate used to sign the CRL.
2010 :type cert: :py:class:`X509`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2011
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]2012 :param key: The key used to sign the CRL.
2013 :type key: :py:class:`PKey`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2014
Laurens Van Houtvencb32e852014-06-19 17:36:28 +0200[diff] [blame]2015 :param type: The export format, either :py:data:`FILETYPE_PEM`,
2016 :py:data:`FILETYPE_ASN1`, or :py:data:`FILETYPE_TEXT`.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2017
Jean-Paul Calderonedf514012015-04-13 21:45:18 -0400[diff] [blame]2018 :param int days: The number of days until the next update of this CRL.
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2019
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]2020 :param bytes digest: The name of the message digest to use (eg
2021 ``b"sha1"``).
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2022
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]2023 :return: :py:data:`bytes`
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2024 """
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2025 if not isinstance(cert, X509):
2026 raise TypeError("cert must be an X509 instance")
2027 if not isinstance(key, PKey):
2028 raise TypeError("key must be a PKey instance")
2029 if not isinstance(type, int):
2030 raise TypeError("type must be an integer")
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2031
Jean-Paul Calderone00f84eb2015-04-13 12:47:21 -0400[diff] [blame]2032 if digest is _UNSPECIFIED:
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]2033 _warn(
2034 "The default message digest (md5) is deprecated. "
2035 "Pass the name of a message digest explicitly.",
2036 category=DeprecationWarning,
2037 stacklevel=2,
2038 )
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]2039 digest = b"md5"
Jean-Paul Calderone60432792015-04-13 12:26:07 -0400[diff] [blame]2040
Jean-Paul Calderonecce22d02015-04-13 13:56:09 -0400[diff] [blame]2041 digest_obj = _lib.EVP_get_digestbyname(digest)
Bulat Gaifullin2923dc02014-09-21 22:36:48 +0400[diff] [blame]2042 if digest_obj == _ffi.NULL:
2043 raise ValueError("No such digest method")
2044
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2045 bio = _lib.BIO_new(_lib.BIO_s_mem())
2046 if bio == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2047 # TODO: This is untested.
2048 _raise_current_error()
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2049
2050 # A scratch time object to give different values to different CRL fields
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2051 sometime = _lib.ASN1_TIME_new()
2052 if sometime == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2053 # TODO: This is untested.
2054 _raise_current_error()
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2055
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2056 _lib.X509_gmtime_adj(sometime, 0)
2057 _lib.X509_CRL_set_lastUpdate(self._crl, sometime)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2058
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2059 _lib.X509_gmtime_adj(sometime, days * 24 * 60 * 60)
2060 _lib.X509_CRL_set_nextUpdate(self._crl, sometime)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2061
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2062 _lib.X509_CRL_set_issuer_name(self._crl, _lib.X509_get_subject_name(cert._x509))
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2063
Bulat Gaifullin2923dc02014-09-21 22:36:48 +0400[diff] [blame]2064 sign_result = _lib.X509_CRL_sign(self._crl, key._pkey, digest_obj)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2065 if not sign_result:
2066 _raise_current_error()
2067
2068 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2069 ret = _lib.PEM_write_bio_X509_CRL(bio, self._crl)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2070 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2071 ret = _lib.i2d_X509_CRL_bio(bio, self._crl)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2072 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2073 ret = _lib.X509_CRL_print(bio, self._crl)
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2074 else:
2075 raise ValueError(
2076 "type argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT")
2077
2078 if not ret:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2079 # TODO: This is untested.
2080 _raise_current_error()
Jean-Paul Calderone85b74eb2013-02-21 09:15:01 -0800[diff] [blame]2081
2082 return _bio_to_string(bio)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2083CRLType = CRL
2084
2085
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2086
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2087class PKCS7(object):
2088 def type_is_signed(self):
2089 """
2090 Check if this NID_pkcs7_signed object
2091
2092 :return: True if the PKCS7 is of type signed
2093 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2094 if _lib.PKCS7_type_is_signed(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2095 return True
2096 return False
2097
2098
2099 def type_is_enveloped(self):
2100 """
2101 Check if this NID_pkcs7_enveloped object
2102
2103 :returns: True if the PKCS7 is of type enveloped
2104 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2105 if _lib.PKCS7_type_is_enveloped(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2106 return True
2107 return False
2108
2109
2110 def type_is_signedAndEnveloped(self):
2111 """
2112 Check if this NID_pkcs7_signedAndEnveloped object
2113
2114 :returns: True if the PKCS7 is of type signedAndEnveloped
2115 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2116 if _lib.PKCS7_type_is_signedAndEnveloped(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2117 return True
2118 return False
2119
2120
2121 def type_is_data(self):
2122 """
2123 Check if this NID_pkcs7_data object
2124
2125 :return: True if the PKCS7 is of type data
2126 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2127 if _lib.PKCS7_type_is_data(self._pkcs7):
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2128 return True
2129 return False
2130
2131
2132 def get_type_name(self):
2133 """
2134 Returns the type name of the PKCS7 structure
2135
2136 :return: A string with the typename
2137 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2138 nid = _lib.OBJ_obj2nid(self._pkcs7.type)
2139 string_type = _lib.OBJ_nid2sn(nid)
2140 return _ffi.string(string_type)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2141
2142PKCS7Type = PKCS7
2143
2144
2145
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2146class PKCS12(object):
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2147 """
2148 A PKCS #12 archive.
2149 """
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2150 def __init__(self):
2151 self._pkey = None
2152 self._cert = None
2153 self._cacerts = None
2154 self._friendlyname = None
2155
2156
2157 def get_certificate(self):
2158 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2159 Get the certificate in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2160
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2161 :return: The certificate, or :py:const:`None` if there is none.
2162 :rtype: :py:class:`X509` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2163 """
2164 return self._cert
2165
2166
2167 def set_certificate(self, cert):
2168 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2169 Set the certificate in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2170
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2171 :param cert: The new certificate, or :py:const:`None` to unset it.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2172 :type cert: :py:class:`X509` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2173
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2174 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2175 """
2176 if not isinstance(cert, X509):
2177 raise TypeError("cert must be an X509 instance")
2178 self._cert = cert
2179
2180
2181 def get_privatekey(self):
2182 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2183 Get the private key in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2184
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2185 :return: The private key, or :py:const:`None` if there is none.
2186 :rtype: :py:class:`PKey`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2187 """
2188 return self._pkey
2189
2190
2191 def set_privatekey(self, pkey):
2192 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2193 Set the certificate portion of the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2194
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2195 :param pkey: The new private key, or :py:const:`None` to unset it.
2196 :type pkey: :py:class:`PKey` or :py:const:`None`
2197
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2198 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2199 """
2200 if not isinstance(pkey, PKey):
2201 raise TypeError("pkey must be a PKey instance")
2202 self._pkey = pkey
2203
2204
2205 def get_ca_certificates(self):
2206 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2207 Get the CA certificates in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2208
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2209 :return: A tuple with the CA certificates in the chain, or
2210 :py:const:`None` if there are none.
2211 :rtype: :py:class:`tuple` of :py:class:`X509` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2212 """
2213 if self._cacerts is not None:
2214 return tuple(self._cacerts)
2215
2216
2217 def set_ca_certificates(self, cacerts):
2218 """
Alex Gaynor3b0ee972014-11-15 09:17:33 -0800[diff] [blame]2219 Replace or set the CA certificates within the PKCS12 object.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2220
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2221 :param cacerts: The new CA certificates, or :py:const:`None` to unset
2222 them.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2223 :type cacerts: An iterable of :py:class:`X509` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2224
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2225 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2226 """
2227 if cacerts is None:
2228 self._cacerts = None
2229 else:
2230 cacerts = list(cacerts)
2231 for cert in cacerts:
2232 if not isinstance(cert, X509):
2233 raise TypeError("iterable must only contain X509 instances")
2234 self._cacerts = cacerts
2235
2236
2237 def set_friendlyname(self, name):
2238 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2239 Set the friendly name in the PKCS #12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2240
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2241 :param name: The new friendly name, or :py:const:`None` to unset.
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2242 :type name: :py:class:`bytes` or :py:const:`None`
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2243
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2244 :return: :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2245 """
2246 if name is None:
2247 self._friendlyname = None
2248 elif not isinstance(name, bytes):
2249 raise TypeError("name must be a byte string or None (not %r)" % (name,))
2250 self._friendlyname = name
2251
2252
2253 def get_friendlyname(self):
2254 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2255 Get the friendly name in the PKCS# 12 structure.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2256
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2257 :returns: The friendly name, or :py:const:`None` if there is none.
2258 :rtype: :py:class:`bytes` or :py:const:`None`
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2259 """
2260 return self._friendlyname
2261
2262
2263 def export(self, passphrase=None, iter=2048, maciter=1):
2264 """
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2265 Dump a PKCS12 object as a string.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2266
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2267 For more information, see the :c:func:`PKCS12_create` man page.
2268
2269 :param passphrase: The passphrase used to encrypt the structure. Unlike
2270 some other passphrase arguments, this *must* be a string, not a
2271 callback.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2272 :type passphrase: :py:data:`bytes`
2273
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2274 :param iter: Number of times to repeat the encryption step.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2275 :type iter: :py:data:`int`
2276
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2277 :param maciter: Number of times to repeat the MAC step.
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2278 :type maciter: :py:data:`int`
2279
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2280 :return: The string representation of the PKCS #12 structure.
2281 :rtype:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2282 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2283 passphrase = _text_to_bytes_and_warn("passphrase", passphrase)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2284
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2285 if self._cacerts is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2286 cacerts = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2287 else:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2288 cacerts = _lib.sk_X509_new_null()
2289 cacerts = _ffi.gc(cacerts, _lib.sk_X509_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2290 for cert in self._cacerts:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2291 _lib.sk_X509_push(cacerts, cert._x509)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2292
2293 if passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2294 passphrase = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2295
2296 friendlyname = self._friendlyname
2297 if friendlyname is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2298 friendlyname = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2299
2300 if self._pkey is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2301 pkey = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2302 else:
2303 pkey = self._pkey._pkey
2304
2305 if self._cert is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2306 cert = _ffi.NULL
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2307 else:
2308 cert = self._cert._x509
2309
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2310 pkcs12 = _lib.PKCS12_create(
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2311 passphrase, friendlyname, pkey, cert, cacerts,
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2312 _lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
2313 _lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2314 iter, maciter, 0)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2315 if pkcs12 == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2316 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2317 pkcs12 = _ffi.gc(pkcs12, _lib.PKCS12_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2318
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2319 bio = _new_mem_buf()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2320 _lib.i2d_PKCS12_bio(bio, pkcs12)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2321 return _bio_to_string(bio)
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2322
Laurens Van Houtvenbb503a32014-06-19 12:28:08 +0200[diff] [blame]2323
2324
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2325PKCS12Type = PKCS12
2326
2327
2328
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2329class NetscapeSPKI(object):
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2330 """
2331 A Netscape SPKI object.
2332 """
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2333 def __init__(self):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2334 spki = _lib.NETSCAPE_SPKI_new()
2335 self._spki = _ffi.gc(spki, _lib.NETSCAPE_SPKI_free)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2336
2337
2338 def sign(self, pkey, digest):
2339 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2340 Sign the certificate request with this key and digest type.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2341
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2342 :param pkey: The private key to sign with.
2343 :type pkey: :py:class:`PKey`
2344
2345 :param digest: The message digest to use.
2346 :type digest: :py:class:`bytes`
2347
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2348 :return: :py:const:`None`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2349 """
2350 if pkey._only_public:
2351 raise ValueError("Key has only public part")
2352
2353 if not pkey._initialized:
2354 raise ValueError("Key is uninitialized")
2355
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2356 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2357 if digest_obj == _ffi.NULL:
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2358 raise ValueError("No such digest method")
2359
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2360 sign_result = _lib.NETSCAPE_SPKI_sign(self._spki, pkey._pkey, digest_obj)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2361 if not sign_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2362 # TODO: This is untested.
2363 _raise_current_error()
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2364
2365
2366 def verify(self, key):
2367 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2368 Verifies a signature on a certificate request.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2369
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2370 :param key: The public key that signature is supposedly from.
2371 :type pkey: :py:class:`PKey`
2372
2373 :return: :py:const:`True` if the signature is correct.
2374 :rtype: :py:class:`bool`
2375
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]2376 :raises Error: If the signature is invalid, or there was a problem
2377 verifying the signature.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2378 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2379 answer = _lib.NETSCAPE_SPKI_verify(self._spki, key._pkey)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2380 if answer <= 0:
2381 _raise_current_error()
2382 return True
2383
2384
2385 def b64_encode(self):
2386 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2387 Generate a base64 encoded representation of this SPKI object.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2388
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2389 :return: The base64 encoded string.
2390 :rtype: :py:class:`bytes`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2391 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2392 encoded = _lib.NETSCAPE_SPKI_b64_encode(self._spki)
2393 result = _ffi.string(encoded)
2394 _lib.CRYPTO_free(encoded)
Jean-Paul Calderone2c2e21d2013-03-02 16:50:35 -0800[diff] [blame]2395 return result
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2396
2397
2398 def get_pubkey(self):
2399 """
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2400 Get the public key of this certificate.
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2401
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2402 :return: The public key.
2403 :rtype: :py:class:`PKey`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2404 """
2405 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2406 pkey._pkey = _lib.NETSCAPE_SPKI_get_pubkey(self._spki)
2407 if pkey._pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2408 # TODO: This is untested.
2409 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2410 pkey._pkey = _ffi.gc(pkey._pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2411 pkey._only_public = True
2412 return pkey
2413
2414
2415 def set_pubkey(self, pkey):
2416 """
2417 Set the public key of the certificate
2418
2419 :param pkey: The public key
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2420 :return: :py:const:`None`
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2421 """
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2422 set_result = _lib.NETSCAPE_SPKI_set_pubkey(self._spki, pkey._pkey)
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2423 if not set_result:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2424 # TODO: This is untested.
2425 _raise_current_error()
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2426
2427
2428
Jean-Paul Calderone3b89f472013-02-21 09:32:25 -0800[diff] [blame]2429NetscapeSPKIType = NetscapeSPKI
2430
2431
Laurens Van Houtven59152b52014-06-19 16:42:30 +0200[diff] [blame]2432
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2433class _PassphraseHelper(object):
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2434 def __init__(self, type, passphrase, more_args=False, truncate=False):
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]2435 if type != FILETYPE_PEM and passphrase is not None:
2436 raise ValueError("only FILETYPE_PEM key format supports encryption")
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2437 self._passphrase = passphrase
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2438 self._more_args = more_args
2439 self._truncate = truncate
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2440 self._problems = []
2441
2442
2443 @property
2444 def callback(self):
2445 if self._passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2446 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2447 elif isinstance(self._passphrase, bytes):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2448 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2449 elif callable(self._passphrase):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2450 return _ffi.callback("pem_password_cb", self._read_passphrase)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2451 else:
2452 raise TypeError("Last argument must be string or callable")
2453
2454
2455 @property
2456 def callback_args(self):
2457 if self._passphrase is None:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2458 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2459 elif isinstance(self._passphrase, bytes):
2460 return self._passphrase
2461 elif callable(self._passphrase):
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2462 return _ffi.NULL
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2463 else:
2464 raise TypeError("Last argument must be string or callable")
2465
2466
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2467 def raise_if_problem(self, exceptionType=Error):
2468 try:
Jean-Paul Calderonec86bb7d2013-12-29 10:25:59 -0500[diff] [blame]2469 _exception_from_error_queue(exceptionType)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2470 except exceptionType as e:
Jean-Paul Calderone9b4115f2014-01-10 14:06:04 -0500[diff] [blame]2471 from_queue = e
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2472 if self._problems:
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2473 raise self._problems[0]
Jean-Paul Calderone9b4115f2014-01-10 14:06:04 -0500[diff] [blame]2474 return from_queue
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2475
2476
2477 def _read_passphrase(self, buf, size, rwflag, userdata):
2478 try:
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2479 if self._more_args:
2480 result = self._passphrase(size, rwflag, userdata)
2481 else:
2482 result = self._passphrase(rwflag)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2483 if not isinstance(result, bytes):
2484 raise ValueError("String expected")
2485 if len(result) > size:
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800[diff] [blame]2486 if self._truncate:
2487 result = result[:size]
2488 else:
2489 raise ValueError("passphrase returned by callback is too long")
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2490 for i in range(len(result)):
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2491 buf[i] = result[i:i + 1]
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2492 return len(result)
2493 except Exception as e:
2494 self._problems.append(e)
2495 return 0
2496
2497
2498
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2499def load_privatekey(type, buffer, passphrase=None):
2500 """
2501 Load a private key from a buffer
2502
2503 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2504 :param buffer: The buffer the key is stored in
2505 :param passphrase: (optional) if encrypted PEM format, this can be
2506 either the passphrase to use, or a callback for
2507 providing the passphrase.
2508
2509 :return: The PKey object
2510 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2511 if isinstance(buffer, _text_type):
2512 buffer = buffer.encode("ascii")
2513
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2514 bio = _new_mem_buf(buffer)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2515
Jean-Paul Calderone23478b32013-02-20 13:31:38 -0800[diff] [blame]2516 helper = _PassphraseHelper(type, passphrase)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2517 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2518 evp_pkey = _lib.PEM_read_bio_PrivateKey(
2519 bio, _ffi.NULL, helper.callback, helper.callback_args)
Jean-Paul Calderonee41f05c2013-02-20 13:28:16 -0800[diff] [blame]2520 helper.raise_if_problem()
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2521 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2522 evp_pkey = _lib.d2i_PrivateKey_bio(bio, _ffi.NULL)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2523 else:
2524 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2525
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2526 if evp_pkey == _ffi.NULL:
Jean-Paul Calderone31393aa2013-02-20 13:22:21 -0800[diff] [blame]2527 _raise_current_error()
2528
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2529 pkey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2530 pkey._pkey = _ffi.gc(evp_pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2531 return pkey
2532
2533
2534
2535def dump_certificate_request(type, req):
2536 """
2537 Dump a certificate request to a buffer
2538
2539 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2540 :param req: The certificate request to dump
2541 :return: The buffer with the dumped certificate request in
2542 """
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2543 bio = _new_mem_buf()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2544
2545 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2546 result_code = _lib.PEM_write_bio_X509_REQ(bio, req._req)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2547 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2548 result_code = _lib.i2d_X509_REQ_bio(bio, req._req)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2549 elif type == FILETYPE_TEXT:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2550 result_code = _lib.X509_REQ_print_ex(bio, req._req, 0, 0)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2551 else:
Jean-Paul Calderonec9a395f2013-02-20 16:59:21 -0800[diff] [blame]2552 raise ValueError("type argument must be FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT")
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2553
2554 if result_code == 0:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2555 # TODO: This is untested.
2556 _raise_current_error()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2557
2558 return _bio_to_string(bio)
Jean-Paul Calderoneabfbab62013-02-09 21:25:02 -0800[diff] [blame]2559
2560
2561
2562def load_certificate_request(type, buffer):
2563 """
2564 Load a certificate request from a buffer
2565
2566 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2567 :param buffer: The buffer the certificate request is stored in
2568 :return: The X509Req object
2569 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2570 if isinstance(buffer, _text_type):
2571 buffer = buffer.encode("ascii")
2572
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2573 bio = _new_mem_buf(buffer)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2574
2575 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2576 req = _lib.PEM_read_bio_X509_REQ(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2577 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2578 req = _lib.d2i_X509_REQ_bio(bio, _ffi.NULL)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2579 else:
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]2580 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2581
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2582 if req == _ffi.NULL:
Jean-Paul Calderone4a68b402013-12-29 16:54:58 -0500[diff] [blame]2583 # TODO: This is untested.
2584 _raise_current_error()
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2585
2586 x509req = X509Req.__new__(X509Req)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2587 x509req._req = _ffi.gc(req, _lib.X509_REQ_free)
Jean-Paul Calderone066f0572013-02-20 13:43:44 -0800[diff] [blame]2588 return x509req
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2589
2590
2591
2592def sign(pkey, data, digest):
2593 """
2594 Sign data with a digest
2595
2596 :param pkey: Pkey to sign with
2597 :param data: data to be signed
2598 :param digest: message digest to use
2599 :return: signature
2600 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2601 data = _text_to_bytes_and_warn("data", data)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2602
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2603 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2604 if digest_obj == _ffi.NULL:
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2605 raise ValueError("No such digest method")
2606
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2607 md_ctx = _ffi.new("EVP_MD_CTX*")
2608 md_ctx = _ffi.gc(md_ctx, _lib.EVP_MD_CTX_cleanup)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2609
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2610 _lib.EVP_SignInit(md_ctx, digest_obj)
2611 _lib.EVP_SignUpdate(md_ctx, data, len(data))
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2612
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2613 signature_buffer = _ffi.new("unsigned char[]", 512)
2614 signature_length = _ffi.new("unsigned int*")
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2615 signature_length[0] = len(signature_buffer)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2616 final_result = _lib.EVP_SignFinal(
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2617 md_ctx, signature_buffer, signature_length, pkey._pkey)
2618
2619 if final_result != 1:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2620 # TODO: This is untested.
2621 _raise_current_error()
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2622
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2623 return _ffi.buffer(signature_buffer, signature_length[0])[:]
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2624
2625
2626
2627def verify(cert, signature, data, digest):
2628 """
Laurens Van Houtvenc3baa7b2014-06-18 22:06:56 +0200[diff] [blame]2629 Verify a signature.
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2630
2631 :param cert: signing certificate (X509 object)
2632 :param signature: signature returned by sign function
2633 :param data: data to be verified
2634 :param digest: message digest to use
Laurens Van Houtvena7904582014-06-19 12:33:04 +0200[diff] [blame]2635 :return: :py:const:`None` if the signature is correct, raise exception otherwise
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2636 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2637 data = _text_to_bytes_and_warn("data", data)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2638
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500[diff] [blame]2639 digest_obj = _lib.EVP_get_digestbyname(_byte_string(digest))
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2640 if digest_obj == _ffi.NULL:
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2641 raise ValueError("No such digest method")
2642
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2643 pkey = _lib.X509_get_pubkey(cert._x509)
2644 if pkey == _ffi.NULL:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2645 # TODO: This is untested.
2646 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2647 pkey = _ffi.gc(pkey, _lib.EVP_PKEY_free)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2648
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2649 md_ctx = _ffi.new("EVP_MD_CTX*")
2650 md_ctx = _ffi.gc(md_ctx, _lib.EVP_MD_CTX_cleanup)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2651
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2652 _lib.EVP_VerifyInit(md_ctx, digest_obj)
2653 _lib.EVP_VerifyUpdate(md_ctx, data, len(data))
2654 verify_result = _lib.EVP_VerifyFinal(md_ctx, signature, len(signature), pkey)
Jean-Paul Calderone8cf4f802013-02-20 16:45:02 -0800[diff] [blame]2655
2656 if verify_result != 1:
2657 _raise_current_error()
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2658
2659
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2660def load_crl(type, buffer):
2661 """
2662 Load a certificate revocation list from a buffer
2663
2664 :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1)
2665 :param buffer: The buffer the CRL is stored in
2666
2667 :return: The PKey object
2668 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2669 if isinstance(buffer, _text_type):
2670 buffer = buffer.encode("ascii")
2671
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2672 bio = _new_mem_buf(buffer)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2673
2674 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2675 crl = _lib.PEM_read_bio_X509_CRL(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2676 elif type == FILETYPE_ASN1:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2677 crl = _lib.d2i_X509_CRL_bio(bio, _ffi.NULL)
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2678 else:
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2679 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2680
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2681 if crl == _ffi.NULL:
Jean-Paul Calderone57122982013-02-21 08:47:05 -0800[diff] [blame]2682 _raise_current_error()
2683
2684 result = CRL.__new__(CRL)
2685 result._crl = crl
2686 return result
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2687
2688
2689
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2690def load_pkcs7_data(type, buffer):
2691 """
2692 Load pkcs7 data from a buffer
2693
2694 :param type: The file type (one of FILETYPE_PEM or FILETYPE_ASN1)
2695 :param buffer: The buffer with the pkcs7 data.
2696 :return: The PKCS7 object
2697 """
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2698 if isinstance(buffer, _text_type):
2699 buffer = buffer.encode("ascii")
2700
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2701 bio = _new_mem_buf(buffer)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2702
2703 if type == FILETYPE_PEM:
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2704 pkcs7 = _lib.PEM_read_bio_PKCS7(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2705 elif type == FILETYPE_ASN1:
Alex Gaynor77acc362014-08-13 14:46:15 -0700[diff] [blame]2706 pkcs7 = _lib.d2i_PKCS7_bio(bio, _ffi.NULL)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2707 else:
Jean-Paul Calderonedba578b2013-12-29 17:00:04 -0500[diff] [blame]2708 # TODO: This is untested.
2709 _raise_current_error()
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2710 raise ValueError("type argument must be FILETYPE_PEM or FILETYPE_ASN1")
2711
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2712 if pkcs7 == _ffi.NULL:
Jean-Paul Calderoneb0f64712013-03-03 10:15:39 -0800[diff] [blame]2713 _raise_current_error()
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2714
2715 pypkcs7 = PKCS7.__new__(PKCS7)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2716 pypkcs7._pkcs7 = _ffi.gc(pkcs7, _lib.PKCS7_free)
Jean-Paul Calderone4e8be1c2013-02-21 18:31:12 -0800[diff] [blame]2717 return pypkcs7
2718
2719
2720
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2721def load_pkcs12(buffer, passphrase=None):
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2722 """
2723 Load a PKCS12 object from a buffer
2724
2725 :param buffer: The buffer the certificate is stored in
2726 :param passphrase: (Optional) The password to decrypt the PKCS12 lump
2727 :returns: The PKCS12 object
2728 """
Jean-Paul Calderone39a8d592015-04-13 20:49:50 -0400[diff] [blame]2729 passphrase = _text_to_bytes_and_warn("passphrase", passphrase)
Abraham Martine82326c2015-02-04 10:18:10 +0000[diff] [blame]2730
Jean-Paul Calderone6922a862014-01-18 10:38:28 -0500[diff] [blame]2731 if isinstance(buffer, _text_type):
2732 buffer = buffer.encode("ascii")
2733
Jean-Paul Calderonef6745b32013-03-01 15:08:46 -0800[diff] [blame]2734 bio = _new_mem_buf(buffer)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2735
Stephen Holsapple38482622014-04-05 20:29:34 -0700[diff] [blame]2736 # Use null passphrase if passphrase is None or empty string. With PKCS#12
2737 # password based encryption no password and a zero length password are two
2738 # different things, but OpenSSL implementation will try both to figure out
2739 # which one works.
2740 if not passphrase:
2741 passphrase = _ffi.NULL
2742
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2743 p12 = _lib.d2i_PKCS12_bio(bio, _ffi.NULL)
2744 if p12 == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2745 _raise_current_error()
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2746 p12 = _ffi.gc(p12, _lib.PKCS12_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2747
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2748 pkey = _ffi.new("EVP_PKEY**")
2749 cert = _ffi.new("X509**")
2750 cacerts = _ffi.new("Cryptography_STACK_OF_X509**")
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2751
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2752 parse_result = _lib.PKCS12_parse(p12, passphrase, pkey, cert, cacerts)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2753 if not parse_result:
2754 _raise_current_error()
2755
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2756 cacerts = _ffi.gc(cacerts[0], _lib.sk_X509_free)
Jean-Paul Calderoneef9a3dc2013-03-02 16:33:32 -0800[diff] [blame]2757
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2758 # openssl 1.0.0 sometimes leaves an X509_check_private_key error in the
2759 # queue for no particular reason. This error isn't interesting to anyone
2760 # outside this function. It's not even interesting to us. Get rid of it.
2761 try:
2762 _raise_current_error()
2763 except Error:
2764 pass
2765
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2766 if pkey[0] == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2767 pykey = None
2768 else:
2769 pykey = PKey.__new__(PKey)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2770 pykey._pkey = _ffi.gc(pkey[0], _lib.EVP_PKEY_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2771
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2772 if cert[0] == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2773 pycert = None
2774 friendlyname = None
2775 else:
2776 pycert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2777 pycert._x509 = _ffi.gc(cert[0], _lib.X509_free)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2778
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2779 friendlyname_length = _ffi.new("int*")
2780 friendlyname_buffer = _lib.X509_alias_get0(cert[0], friendlyname_length)
2781 friendlyname = _ffi.buffer(friendlyname_buffer, friendlyname_length[0])[:]
2782 if friendlyname_buffer == _ffi.NULL:
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2783 friendlyname = None
2784
2785 pycacerts = []
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2786 for i in range(_lib.sk_X509_num(cacerts)):
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2787 pycacert = X509.__new__(X509)
Jean-Paul Calderone6037d072013-12-28 18:04:00 -0500[diff] [blame]2788 pycacert._x509 = _lib.sk_X509_value(cacerts, i)
Jean-Paul Calderonee5912ce2013-02-21 10:49:35 -0800[diff] [blame]2789 pycacerts.append(pycacert)
2790 if not pycacerts:
2791 pycacerts = None
2792
2793 pkcs12 = PKCS12.__new__(PKCS12)
2794 pkcs12._pkey = pykey
2795 pkcs12._cert = pycert
2796 pkcs12._cacerts = pycacerts
2797 pkcs12._friendlyname = friendlyname
2798 return pkcs12
Jean-Paul Calderone6bb40892014-01-01 12:21:34 -0500[diff] [blame]2799
2800
2801def _initialize_openssl_threads(get_ident, Lock):
2802 import _ssl
2803 return
2804
2805 locks = list(Lock() for n in range(_lib.CRYPTO_num_locks()))
2806
2807 def locking_function(mode, index, filename, line):
2808 if mode & _lib.CRYPTO_LOCK:
2809 locks[index].acquire()
2810 else:
2811 locks[index].release()
2812
2813 _lib.CRYPTO_set_id_callback(
2814 _ffi.callback("unsigned long (*)(void)", get_ident))
2815
2816 _lib.CRYPTO_set_locking_callback(
2817 _ffi.callback(
2818 "void (*)(int, int, const char*, int)", locking_function))
2819
2820
2821try:
2822 from thread import get_ident
2823 from threading import Lock
2824except ImportError:
2825 pass
2826else:
2827 _initialize_openssl_threads(get_ident, Lock)
2828 del get_ident, Lock
Jean-Paul Calderonee324fd62014-01-11 08:00:33 -0500[diff] [blame]2829
Jean-Paul Calderoneb64e2a22014-01-11 08:06:35 -0500[diff] [blame]2830# There are no direct unit tests for this initialization. It is tested
2831# indirectly since it is necessary for functions like dump_privatekey when
2832# using encryption.
2833#
2834# Thus OpenSSL.test.test_crypto.FunctionTests.test_dump_privatekey_passphrase
2835# and some other similar tests may fail without this (though they may not if
2836# the Python runtime has already done some initialization of the underlying
2837# OpenSSL library (and is linked against the same one that cryptography is
2838# using)).
Jean-Paul Calderonee324fd62014-01-11 08:00:33 -0500[diff] [blame]2839_lib.OpenSSL_add_all_algorithms()
Jean-Paul Calderone11ed8e82014-01-18 10:21:50 -0500[diff] [blame]2840
Jean-Paul Calderonefab157b2014-01-18 11:21:38 -0500[diff] [blame]2841# This is similar but exercised mainly by exception_from_error_queue. It calls
2842# both ERR_load_crypto_strings() and ERR_load_SSL_strings().
2843_lib.SSL_load_error_strings()
D.S. Ljungmark349e1362014-05-31 18:40:38 +0200[diff] [blame]2844
2845
2846
2847# Set the default string mask to match OpenSSL upstream (since 2005) and
2848# RFC5280 recommendations.
2849_lib.ASN1_STRING_set_default_mask_asc(b'utf8only')