diff -r 441737b6711b Lib/ssl.py --- a/Lib/ssl.py Sat Oct 19 22:36:17 2013 +0200 +++ b/Lib/ssl.py Sun Oct 20 03:05:27 2013 +0200 @@ -92,6 +92,7 @@ import sys import os import collections +from enum import Enum import _ssl # if we can't import it, let the error propagate @@ -141,7 +142,8 @@ _PROTOCOL_NAMES[PROTOCOL_TLSv1_2] = "TLSv1.2" if sys.platform == "win32": - from _ssl import enum_cert_store, X509_ASN_ENCODING, PKCS_7_ASN_ENCODING + from _ssl import enum_certificates, enum_crls + from _ssl import X509_ASN_ENCODING, PKCS_7_ASN_ENCODING from socket import getnameinfo as _getnameinfo from socket import socket, AF_INET, SOCK_STREAM, create_connection @@ -161,6 +163,8 @@ # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL') _DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2' +TrustOIDs = Enum('TrustOids', {v: k for k, v in _ssl.oids_to_names.items()}) + class CertificateError(ValueError): pass diff -r 441737b6711b Lib/test/test_ssl.py --- a/Lib/test/test_ssl.py Sat Oct 19 22:36:17 2013 +0200 +++ b/Lib/test/test_ssl.py Sun Oct 20 03:05:27 2013 +0200 @@ -489,29 +489,48 @@ self.assertEqual(paths.cafile, CERTFILE) self.assertEqual(paths.capath, CAPATH) - @unittest.skipUnless(sys.platform == "win32", "Windows specific") - def test_enum_cert_store(self): + def test_enum_certificates(self): self.assertEqual(ssl.X509_ASN_ENCODING, 1) self.assertEqual(ssl.PKCS_7_ASN_ENCODING, 0x00010000) - self.assertEqual(ssl.enum_cert_store("CA"), - ssl.enum_cert_store("CA", "certificate")) - ssl.enum_cert_store("CA", "crl") - self.assertEqual(ssl.enum_cert_store("ROOT"), - ssl.enum_cert_store("ROOT", "certificate")) - ssl.enum_cert_store("ROOT", "crl") + self.assertTrue(ssl.enum_certificates("CA")) + self.assertTrue(ssl.enum_certificates("ROOT")) + + self.assertRaises(TypeError, ssl.enum_certificates) + self.assertRaises(WindowsError, ssl.enum_certificates, "") + + names = set(member.name for member in ssl.TrustOIDs) - self.assertRaises(TypeError, ssl.enum_cert_store) - self.assertRaises(WindowsError, ssl.enum_cert_store, "") - self.assertRaises(ValueError, ssl.enum_cert_store, "CA", "wrong") + ca = ssl.enum_certificates("CA") + self.assertIsInstance(ca, list) + for element in ca: + self.assertIsInstance(element, tuple) + self.assertEqual(len(element), 3) + cert, enc, trust = element + self.assertIsInstance(cert, bytes) + self.assertIn(enc, {ssl.X509_ASN_ENCODING, + ssl.PKCS_7_ASN_ENCODING}) + self.assertIsInstance(trust, (set, bool)) + if isinstance(trust, set): + self.assertTrue(trust.issubset(names), trust) - ca = ssl.enum_cert_store("CA") - self.assertIsInstance(ca, list) - self.assertIsInstance(ca[0], tuple) - self.assertEqual(len(ca[0]), 2) - self.assertIsInstance(ca[0][0], bytes) - self.assertIsInstance(ca[0][1], int) + @unittest.skipUnless(sys.platform == "win32", "Windows specific") + def test_enum_crls(self): + self.assertTrue(ssl.enum_crls("CA")) + + self.assertRaises(TypeError, ssl.enum_crls) + self.assertRaises(WindowsError, ssl.enum_crls, "") + + crls = ssl.enum_crls("CA") + self.assertIsInstance(crls, list) + for element in crls: + self.assertIsInstance(element, tuple) + self.assertEqual(len(element), 2) + self.assertIsInstance(element[0], bytes) + self.assertIn(element[1], {ssl.X509_ASN_ENCODING, + ssl.PKCS_7_ASN_ENCODING}) + class ContextTests(unittest.TestCase): diff -r 441737b6711b Modules/_ssl.c --- a/Modules/_ssl.c Sat Oct 19 22:36:17 2013 +0200 +++ b/Modules/_ssl.c Sun Oct 20 03:05:27 2013 +0200 @@ -79,6 +79,9 @@ static PyObject *err_names_to_codes; static PyObject *lib_codes_to_names; +/* Mapping */ +static PyObject *oidmapping; + struct py_ssl_error_code { const char *mnemonic; int library, reason; @@ -88,6 +91,35 @@ int code; }; +/* OID to name */ +static PyObject *oids_to_names; + +struct py_oid_mapping { + const char *oid; + const char *name; +}; + +struct py_oid_mapping oid_mapping[] = { + {"1.3.6.1.5.5.7.3.1", "SERVER_AUTH"}, + {"1.3.6.1.5.5.7.3.2", "CLIENT_AUTH"}, + {"1.3.6.1.5.5.7.3.3", "CODE_SIGNING"}, + {"1.3.6.1.5.5.7.3.4", "EMAIL_PROTECTION"}, + {"1.3.6.1.5.5.7.3.5", "IPSEC_END_SYSTEM"}, + {"1.3.6.1.5.5.7.3.6", "IPSEC_TUNNEL"}, + {"1.3.6.1.5.5.7.3.7", "IPSEC_USER"}, + {"1.3.6.1.5.5.7.3.8", "TIME_STAMPING"}, + {"1.3.6.1.5.5.7.3.9", "OCSP_SIGN"}, + {"1.3.6.1.5.5.7.3.10", "DVCS"}, + /* other */ + {"1.3.6.1.5.5.8.2.2", "IKE_INTERMEDIATE"}, + {"1.3.6.1.4.1.311.10.3.4", "EFS_CRYPTO"}, + {"1.3.6.1.4.1.311.10.3.5", "WHQL_CRYPTO"}, + /* server gated crypto */ + {"2.16.840.1.113733.1.8.1", "VeriSign_SGC"}, + {"2.16.840.1.113730.4.1", "Netscape_SGC"}, + {NULL}, +}; + /* Include generated data (error codes) */ #include "_ssl_data.h" @@ -3052,127 +3084,231 @@ } #ifdef _MSC_VER -PyDoc_STRVAR(PySSL_enum_cert_store_doc, -"enum_cert_store(store_name, cert_type='certificate') -> []\n\ + +static PyObject* +parseKeyUsage(PCCERT_CONTEXT pCertCtx, DWORD flags) +{ + CERT_ENHKEY_USAGE *usage; + DWORD size, error; + int i; + PyObject *retval; + + if (!CertGetEnhancedKeyUsage(pCertCtx, flags, NULL, &size)) { + error = GetLastError(); + if (error == CRYPT_E_NOT_FOUND) { + Py_RETURN_TRUE; + } + return PyErr_SetFromWindowsErr(error); + } + + usage = (CERT_ENHKEY_USAGE*)PyMem_Malloc(size); + if (usage == NULL) { + return PyErr_NoMemory(); + } + + /* Now get the actual enhanced usage property */ + if (!CertGetEnhancedKeyUsage(pCertCtx, flags, usage, &size)) { + PyMem_Free(usage); + error = GetLastError(); + if (error == CRYPT_E_NOT_FOUND) { + Py_RETURN_TRUE; + } + return PyErr_SetFromWindowsErr(error); + } + retval = PySet_New(NULL); + if (retval == NULL) { + goto error; + } + for (i = 0; i < usage->cUsageIdentifier; ++i) { + if (usage->rgpszUsageIdentifier[i]) { + PyObject *oid, *name; + int err; + oid = PyUnicode_FromString(usage->rgpszUsageIdentifier[i]); + if (oid == NULL) { + Py_CLEAR(retval); + goto error; + } + name = PyDict_GetItem(oids_to_names, oid); + if (name != NULL) { + err = PySet_Add(retval, name); + } else { + PyErr_Clear(); + err = PySet_Add(retval, oid); + } + Py_DECREF(oid); + if (err == -1) { + Py_CLEAR(retval); + goto error; + } + } + } + error: + PyMem_Free(usage); + return retval; +} + +PyDoc_STRVAR(PySSL_enum_certificates_doc, +"enum_certificates(store_name) -> []\n\ \n\ Retrieve certificates from Windows' cert store. store_name may be one of\n\ 'CA', 'ROOT' or 'MY'. The system may provide more cert storages, too.\n\ -cert_type must be either 'certificate' or 'crl'.\n\ -The function returns a list of (bytes, encoding_type) tuples. The\n\ +The function returns a list of (bytes, encoding_type, trust) tuples. The\n\ encoding_type flag can be interpreted with X509_ASN_ENCODING or\n\ -PKCS_7_ASN_ENCODING."); +PKCS_7_ASN_ENCODING. The trust setting is either a set of OIDs or the\n\ +boolean True."); static PyObject * -PySSL_enum_cert_store(PyObject *self, PyObject *args, PyObject *kwds) +PySSL_enum_certificates(PyObject *self, PyObject *args, PyObject *kwds) { - char *kwlist[] = {"store_name", "cert_type", NULL}; + char *kwlist[] = {"store_name", NULL}; char *store_name; - char *cert_type = "certificate"; HCERTSTORE hStore = NULL; + PCCERT_CONTEXT pCertCtx = NULL; + PyObject *keyusage = NULL, *cert = NULL, *enc = NULL, *tup = NULL; PyObject *result = NULL; - PyObject *tup = NULL, *cert = NULL, *enc = NULL; - int ok = 1; - - if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|s:enum_cert_store", - kwlist, &store_name, &cert_type)) { - return NULL; + + if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|s:enum_certificates", + kwlist, &store_name)) { + return NULL; } - - if ((strcmp(cert_type, "certificate") != 0) && - (strcmp(cert_type, "crl") != 0)) { - return PyErr_Format(PyExc_ValueError, - "cert_type must be 'certificate' or 'crl', " - "not %.100s", cert_type); - } - if ((result = PyList_New(0)) == NULL) { return NULL; } - if ((hStore = CertOpenSystemStore((HCRYPTPROV)NULL, store_name)) == NULL) { Py_DECREF(result); return PyErr_SetFromWindowsErr(GetLastError()); } - if (strcmp(cert_type, "certificate") == 0) { - PCCERT_CONTEXT pCertCtx = NULL; - while (pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx)) { - cert = PyBytes_FromStringAndSize((const char*)pCertCtx->pbCertEncoded, - pCertCtx->cbCertEncoded); - if (!cert) { - ok = 0; - break; - } - if ((enc = PyLong_FromLong(pCertCtx->dwCertEncodingType)) == NULL) { - ok = 0; - break; - } - if ((tup = PyTuple_New(2)) == NULL) { - ok = 0; - break; - } - PyTuple_SET_ITEM(tup, 0, cert); cert = NULL; - PyTuple_SET_ITEM(tup, 1, enc); enc = NULL; - - if (PyList_Append(result, tup) < 0) { - ok = 0; - break; - } - Py_CLEAR(tup); + while (pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx)) { + cert = PyBytes_FromStringAndSize((const char*)pCertCtx->pbCertEncoded, + pCertCtx->cbCertEncoded); + if (!cert) { + Py_CLEAR(result); + break; } - if (pCertCtx) { - /* loop ended with an error, need to clean up context manually */ - CertFreeCertificateContext(pCertCtx); + if ((enc = PyLong_FromLong(pCertCtx->dwCertEncodingType)) == NULL) { + Py_CLEAR(result); + break; } - } else { - PCCRL_CONTEXT pCrlCtx = NULL; - while (pCrlCtx = CertEnumCRLsInStore(hStore, pCrlCtx)) { - cert = PyBytes_FromStringAndSize((const char*)pCrlCtx->pbCrlEncoded, - pCrlCtx->cbCrlEncoded); - if (!cert) { - ok = 0; - break; - } - if ((enc = PyLong_FromLong(pCrlCtx->dwCertEncodingType)) == NULL) { - ok = 0; - break; - } - if ((tup = PyTuple_New(2)) == NULL) { - ok = 0; - break; - } - PyTuple_SET_ITEM(tup, 0, cert); cert = NULL; - PyTuple_SET_ITEM(tup, 1, enc); enc = NULL; - - if (PyList_Append(result, tup) < 0) { - ok = 0; - break; - } - Py_CLEAR(tup); + keyusage = parseKeyUsage(pCertCtx, CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG); + if (keyusage == Py_True) { + Py_DECREF(keyusage); + keyusage = parseKeyUsage(pCertCtx, CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG); } - if (pCrlCtx) { - /* loop ended with an error, need to clean up context manually */ - CertFreeCRLContext(pCrlCtx); + if (keyusage == NULL) { + Py_CLEAR(result); + break; } + if ((tup = PyTuple_New(3)) == NULL) { + Py_CLEAR(result); + break; + } + PyTuple_SET_ITEM(tup, 0, cert); + cert = NULL; + PyTuple_SET_ITEM(tup, 1, enc); + enc = NULL; + PyTuple_SET_ITEM(tup, 2, keyusage); + keyusage = NULL; + if (PyList_Append(result, tup) < 0) { + Py_CLEAR(result); + break; + } + Py_CLEAR(tup); + } + if (pCertCtx) { + /* loop ended with an error, need to clean up context manually */ + CertFreeCertificateContext(pCertCtx); } /* In error cases cert, enc and tup may not be NULL */ Py_XDECREF(cert); Py_XDECREF(enc); + Py_XDECREF(keyusage); Py_XDECREF(tup); if (!CertCloseStore(hStore, 0)) { /* This error case might shadow another exception.*/ + Py_XDECREF(result); + return PyErr_SetFromWindowsErr(GetLastError()); + } + return result; +} + +PyDoc_STRVAR(PySSL_enum_crls_doc, +"enum_crls(store_name) -> []\n\ +\n\ +Retrieve CRLs from Windows' cert store. store_name may be one of\n\ +'CA', 'ROOT' or 'MY'. The system may provide more cert storages, too.\n\ +The function returns a list of (bytes, encoding_type) tuples. The\n\ +encoding_type flag can be interpreted with X509_ASN_ENCODING or\n\ +PKCS_7_ASN_ENCODING."); + +static PyObject * +PySSL_enum_crls(PyObject *self, PyObject *args, PyObject *kwds) +{ + char *kwlist[] = {"store_name", NULL}; + char *store_name; + HCERTSTORE hStore = NULL; + PCCRL_CONTEXT pCrlCtx = NULL; + PyObject *crl = NULL, *enc = NULL, *tup = NULL; + PyObject *result = NULL; + + if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|s:enum_crls", + kwlist, &store_name)) { + return NULL; + } + if ((result = PyList_New(0)) == NULL) { + return NULL; + } + if ((hStore = CertOpenSystemStore((HCRYPTPROV)NULL, store_name)) == NULL) { Py_DECREF(result); return PyErr_SetFromWindowsErr(GetLastError()); } - if (ok) { - return result; - } else { - Py_DECREF(result); - return NULL; + + while (pCrlCtx = CertEnumCRLsInStore(hStore, pCrlCtx)) { + crl = PyBytes_FromStringAndSize((const char*)pCrlCtx->pbCrlEncoded, + pCrlCtx->cbCrlEncoded); + if (!crl) { + Py_CLEAR(result); + break; + } + if ((enc = PyLong_FromLong(pCrlCtx->dwCertEncodingType)) == NULL) { + Py_CLEAR(result); + break; + } + if ((tup = PyTuple_New(2)) == NULL) { + Py_CLEAR(result); + break; + } + PyTuple_SET_ITEM(tup, 0, crl); + crl = NULL; + PyTuple_SET_ITEM(tup, 1, enc); + enc = NULL; + + if (PyList_Append(result, tup) < 0) { + Py_CLEAR(result); + break; + } + Py_CLEAR(tup); } + if (pCrlCtx) { + /* loop ended with an error, need to clean up context manually */ + CertFreeCRLContext(pCrlCtx); + } + + /* In error cases cert, enc and tup may not be NULL */ + Py_XDECREF(crl); + Py_XDECREF(enc); + Py_XDECREF(tup); + + if (!CertCloseStore(hStore, 0)) { + /* This error case might shadow another exception.*/ + Py_XDECREF(result); + return PyErr_SetFromWindowsErr(GetLastError()); + } + return result; } + #endif /* List of functions exported by this module. */ @@ -3195,8 +3331,10 @@ {"get_default_verify_paths", (PyCFunction)PySSL_get_default_verify_paths, METH_NOARGS, PySSL_get_default_verify_paths_doc}, #ifdef _MSC_VER - {"enum_cert_store", (PyCFunction)PySSL_enum_cert_store, - METH_VARARGS | METH_KEYWORDS, PySSL_enum_cert_store_doc}, + {"enum_certificates", (PyCFunction)PySSL_enum_certificates, + METH_VARARGS | METH_KEYWORDS, PySSL_enum_certificates_doc}, + {"enum_crls", (PyCFunction)PySSL_enum_crls, + METH_VARARGS | METH_KEYWORDS, PySSL_enum_crls_doc}, #endif {NULL, NULL} /* Sentinel */ }; @@ -3331,6 +3469,7 @@ PySocketModule_APIObject *socket_api; struct py_ssl_error_code *errcode; struct py_ssl_library_code *libcode; + struct py_oid_mapping *oid_map; if (PyType_Ready(&PySSLContext_Type) < 0) return NULL; @@ -3598,6 +3737,25 @@ if (PyModule_AddObject(m, "lib_codes_to_names", lib_codes_to_names)) return NULL; + oids_to_names = PyDict_New(); + if (oids_to_names == NULL) + return NULL; + oid_map = oid_mapping; + while (oid_map->name != NULL) { + PyObject *oid, *name; + oid = PyUnicode_FromString(oid_map->oid); + name = PyUnicode_FromString(oid_map->name); + if (oid == NULL || name == NULL) + return NULL; + if (PyDict_SetItem(oids_to_names, oid, name)) + return NULL; + Py_DECREF(oid); + Py_DECREF(name); + oid_map++; + } + if (PyModule_AddObject(m, "oids_to_names", oids_to_names)) + return NULL; + /* OpenSSL version */ /* SSLeay() gives us the version of the library linked against, which could be different from the headers version.