4 * Copyright (C) AB Strakt
5 * See LICENSE for details.
7 * Certificate transport (PKCS12) handling code,
8 * mostly thin wrappers around OpenSSL.
9 * See the file RATIONALE for a short explanation of why
10 * this module was written.
19 * PKCS12 is a standard exchange format for digital certificates.
20 * See e.g. the OpenSSL homepage http://www.openssl.org/ for more information
23 static void crypto_PKCS12_dealloc(crypto_PKCS12Obj *self);
24 static int crypto_PKCS12_clear(crypto_PKCS12Obj *self);
26 static char crypto_PKCS12_get_certificate_doc[] = "\n\
27 Return certificate portion of the PKCS12 structure\n\
29 @return: X509 object containing the certificate\n\
32 crypto_PKCS12_get_certificate(crypto_PKCS12Obj *self, PyObject *args)
34 if (!PyArg_ParseTuple(args, ":get_certificate"))
37 Py_INCREF(self->cert);
41 static char crypto_PKCS12_set_certificate_doc[] = "\n\
42 Replace the certificate portion of the PKCS12 structure\n\
44 @param cert: The new certificate.\n\
45 @type cert: L{X509} or L{NoneType}\n\
49 crypto_PKCS12_set_certificate(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
50 PyObject *cert = NULL;
51 static char *kwlist[] = {"cert", NULL};
53 if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_certificate",
57 if (cert != Py_None && ! crypto_X509_Check(cert)) {
58 PyErr_SetString(PyExc_TypeError, "cert must be type X509 or None");
62 Py_INCREF(cert); /* Make consistent before calling Py_DECREF() */
63 Py_DECREF(self->cert);
70 static char crypto_PKCS12_get_privatekey_doc[] = "\n\
71 Return private key portion of the PKCS12 structure\n\
73 @returns: PKey object containing the private key\n\
75 static crypto_PKeyObj *
76 crypto_PKCS12_get_privatekey(crypto_PKCS12Obj *self, PyObject *args)
78 if (!PyArg_ParseTuple(args, ":get_privatekey"))
82 return (crypto_PKeyObj *) self->key;
85 static char crypto_PKCS12_set_privatekey_doc[] = "\n\
86 Replace or set the certificate portion of the PKCS12 structure\n\
88 @param pkey: The new private key.\n\
89 @type pkey: L{PKey}\n\
93 crypto_PKCS12_set_privatekey(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
94 PyObject *pkey = NULL;
95 static char *kwlist[] = {"pkey", NULL};
97 if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_privatekey",
101 if (pkey != Py_None && ! crypto_PKey_Check(pkey)) {
102 PyErr_SetString(PyExc_TypeError, "pkey must be type X509 or None");
106 Py_INCREF(pkey); /* Make consistent before calling Py_DECREF() */
107 Py_DECREF(self->key);
114 static char crypto_PKCS12_get_ca_certificates_doc[] = "\n\
115 Return CA certificates within of the PKCS12 object\n\
117 @return: A newly created tuple containing the CA certificates in the chain,\n\
118 if any are present, or None if no CA certificates are present.\n\
121 crypto_PKCS12_get_ca_certificates(crypto_PKCS12Obj *self, PyObject *args)
123 if (!PyArg_ParseTuple(args, ":get_ca_certificates"))
126 Py_INCREF(self->cacerts);
127 return self->cacerts;
130 static char crypto_PKCS12_set_ca_certificates_doc[] = "\n\
131 Replace or set the CA certificates withing the PKCS12 object.\n\
133 @param cacerts: The new CA certificates.\n\
134 @type cacerts: Iterable of L{X509} or L{NoneType}\n\
138 crypto_PKCS12_set_ca_certificates(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds)
142 static char *kwlist[] = {"cacerts", NULL};
143 int i, len; /* Py_ssize_t for Python 2.5+ */
145 if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_ca_certificates",
148 if (cacerts == Py_None) {
152 cacerts = PySequence_Tuple(cacerts);
153 if (cacerts == NULL) {
156 len = PyTuple_Size(cacerts);
158 /* Check is's a simple list filled only with X509 objects. */
159 for (i = 0; i < len; i++) {
160 obj = PyTuple_GetItem(cacerts, i);
161 if (!crypto_X509_Check(obj)) {
163 PyErr_SetString(PyExc_TypeError, "iterable must only contain X509Type");
169 Py_DECREF(self->cacerts);
170 self->cacerts = cacerts;
176 static char crypto_PKCS12_get_friendlyname_doc[] = "\n\
177 Return friendly name portion of the PKCS12 structure\n\
179 @returns: String containing the friendlyname\n\
182 crypto_PKCS12_get_friendlyname(crypto_PKCS12Obj *self, PyObject *args) {
183 if (!PyArg_ParseTuple(args, ":get_friendlyname"))
186 Py_INCREF(self->friendlyname);
187 return (PyObject *) self->friendlyname;
190 static char crypto_PKCS12_set_friendlyname_doc[] = "\n\
191 Replace or set the certificate portion of the PKCS12 structure\n\
193 @param name: The new friendly name.\n\
194 @type name: L{str}\n\
198 crypto_PKCS12_set_friendlyname(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
199 PyObject *name = NULL;
200 static char *kwlist[] = {"name", NULL};
202 if (!PyArg_ParseTupleAndKeywords(args, keywds, "O:set_friendlyname",
206 if (name != Py_None && ! PyBytes_CheckExact(name)) {
207 PyErr_SetString(PyExc_TypeError, "name must be a byte string or None");
211 Py_INCREF(name); /* Make consistent before calling Py_DECREF() */
212 Py_DECREF(self->friendlyname);
213 self->friendlyname = name;
219 static char crypto_PKCS12_export_doc[] = "\n\
220 export([passphrase=None][, friendly_name=None][, iter=2048][, maciter=1]\n\
221 Dump a PKCS12 object as a string. See also \"man PKCS12_create\".\n\
223 @param passphrase: used to encrypt the PKCS12\n\
224 @type passphrase: L{str}\n\
225 @param iter: How many times to repeat the encryption\n\
226 @type iter: L{int}\n\
227 @param maciter: How many times to repeat the MAC\n\
228 @type maciter: L{int}\n\
229 @return: The string containing the PKCS12\n\
232 crypto_PKCS12_export(crypto_PKCS12Obj *self, PyObject *args, PyObject *keywds) {
233 int i; /* Py_ssize_t for Python 2.5+ */
237 char *temp, *passphrase = NULL, *friendly_name = NULL;
240 EVP_PKEY *pkey = NULL;
241 STACK_OF(X509) *cacerts = NULL;
243 int iter = 0; /* defaults to PKCS12_DEFAULT_ITER */
245 static char *kwlist[] = {"passphrase", "iter", "maciter", NULL};
247 if (!PyArg_ParseTupleAndKeywords(args, keywds, "|zii:export",
248 kwlist, &passphrase, &iter, &maciter))
251 if (self->key != Py_None) {
252 pkey = ((crypto_PKeyObj*) self->key)->pkey;
254 if (self->cert != Py_None) {
255 x509 = ((crypto_X509Obj*) self->cert)->x509;
257 if (self->cacerts != Py_None) {
258 cacerts = sk_X509_new_null();
259 for (i = 0; i < PyTuple_Size(self->cacerts); i++) { /* For each CA cert */
260 obj = PySequence_GetItem(self->cacerts, i);
261 /* assert(PyObject_IsInstance(obj, (PyObject *) &crypto_X509_Type )); */
262 sk_X509_push(cacerts, (( crypto_X509Obj* ) obj)->x509);
266 if (self->friendlyname != Py_None) {
267 friendly_name = PyBytes_AsString(self->friendlyname);
270 p12 = PKCS12_create(passphrase, friendly_name, pkey, x509, cacerts,
271 NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
272 NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
274 sk_X509_free(cacerts); /* NULL safe. Free just the container. */
276 exception_from_error_queue(crypto_Error);
279 bio = BIO_new(BIO_s_mem());
280 i2d_PKCS12_bio(bio, p12);
281 buf_len = BIO_get_mem_data(bio, &temp);
282 buffer = PyBytes_FromStringAndSize(temp, buf_len);
288 * ADD_METHOD(name) expands to a correct PyMethodDef declaration
289 * { 'name', (PyCFunction)crypto_PKCS12_name, METH_VARARGS, crypto_PKCS12_name_doc }
292 #define ADD_METHOD(name) \
293 { #name, (PyCFunction)crypto_PKCS12_##name, METH_VARARGS, crypto_PKCS12_##name##_doc }
294 #define ADD_KW_METHOD(name) \
295 { #name, (PyCFunction)crypto_PKCS12_##name, METH_VARARGS | METH_KEYWORDS, crypto_PKCS12_##name##_doc }
296 static PyMethodDef crypto_PKCS12_methods[] =
298 ADD_METHOD(get_certificate),
299 ADD_KW_METHOD(set_certificate),
300 ADD_METHOD(get_privatekey),
301 ADD_KW_METHOD(set_privatekey),
302 ADD_METHOD(get_ca_certificates),
303 ADD_KW_METHOD(set_ca_certificates),
304 ADD_METHOD(get_friendlyname),
305 ADD_KW_METHOD(set_friendlyname),
306 ADD_KW_METHOD(export),
312 * Constructor for PKCS12 objects, never called by Python code directly.
313 * The strategy for this object is to create all the Python objects
314 * corresponding to the cert/key/CA certs right away
316 * Arguments: p12 - A "real" PKCS12 object or NULL
317 * passphrase - Passphrase to use when decrypting the PKCS12 object
318 * Returns: The newly created PKCS12 object
321 crypto_PKCS12_New(PKCS12 *p12, char *passphrase) {
322 crypto_PKCS12Obj *self = NULL;
323 PyObject *cacertobj = NULL;
325 unsigned char *alias_str;
329 EVP_PKEY *pkey = NULL;
330 STACK_OF(X509) *cacerts = NULL;
332 int i, cacert_count = 0;
334 /* allocate space for the CA cert stack */
335 if((cacerts = sk_X509_new_null()) == NULL) {
336 goto error; /* out of memory? */
339 /* parse the PKCS12 lump */
340 if (p12 && !PKCS12_parse(p12, passphrase, &pkey, &cert, &cacerts)) {
342 * If PKCS12_parse fails, and it allocated cacerts, it seems to free
343 * cacerts, but not re-NULL the pointer. Zounds! Make sure it is
344 * re-set to NULL here, else we'll have a double-free below.
347 exception_from_error_queue(crypto_Error);
351 if (!(self = PyObject_GC_New(crypto_PKCS12Obj, &crypto_PKCS12_Type))) {
355 /* client certificate and friendlyName */
358 self->cert = Py_None;
360 self->friendlyname = Py_None;
362 if ((self->cert = (PyObject *)crypto_X509_New(cert, 1)) == NULL) {
366 /* Now we need to extract the friendlyName of the PKCS12
367 * that was stored by PKCS_parse() in the alias of the
369 alias_str = X509_alias_get0(cert, &alias_len);
371 self->friendlyname = Py_BuildValue(BYTESTRING_FMT "#", alias_str, alias_len);
372 if (!self->friendlyname) {
381 self->friendlyname = Py_None;
390 if ((self->key = (PyObject *)crypto_PKey_New(pkey, 1)) == NULL)
395 cacert_count = sk_X509_num(cacerts);
396 if (cacert_count <= 0) {
398 self->cacerts = Py_None;
400 if ((self->cacerts = PyTuple_New(cacert_count)) == NULL) {
404 for (i = 0; i < cacert_count; i++) {
405 cert = sk_X509_value(cacerts, i);
406 if ((cacertobj = (PyObject *)crypto_X509_New(cert, 1)) == NULL) {
409 PyTuple_SET_ITEM(self->cacerts, i, cacertobj);
413 sk_X509_free(cacerts); /* Don't free the certs, just the container. */
414 PyObject_GC_Track(self);
419 sk_X509_free(cacerts); /* NULL safe. Free just the container. */
421 crypto_PKCS12_clear(self);
422 PyObject_GC_Del(self);
427 static char crypto_PKCS12_doc[] = "\n\
428 PKCS12() -> PKCS12 instance\n\
430 Create a new empty PKCS12 object.\n\
432 @returns: The PKCS12 object\n\
435 crypto_PKCS12_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs) {
436 if (!PyArg_ParseTuple(args, ":PKCS12")) {
440 return (PyObject *)crypto_PKCS12_New(NULL, NULL);
444 * Call the visitproc on all contained objects.
446 * Arguments: self - The PKCS12 object
447 * visit - Function to call
448 * arg - Extra argument to visit
449 * Returns: 0 if all goes well, otherwise the return code from the first
450 * call that gave non-zero result.
453 crypto_PKCS12_traverse(crypto_PKCS12Obj *self, visitproc visit, void *arg)
457 if (ret == 0 && self->cert != NULL)
458 ret = visit(self->cert, arg);
459 if (ret == 0 && self->key != NULL)
460 ret = visit(self->key, arg);
461 if (ret == 0 && self->cacerts != NULL)
462 ret = visit(self->cacerts, arg);
463 if (ret == 0 && self->friendlyname != NULL)
464 ret = visit(self->friendlyname, arg);
469 * Decref all contained objects and zero the pointers.
471 * Arguments: self - The PKCS12 object
475 crypto_PKCS12_clear(crypto_PKCS12Obj *self)
477 Py_XDECREF(self->cert);
479 Py_XDECREF(self->key);
481 Py_XDECREF(self->cacerts);
482 self->cacerts = NULL;
483 Py_XDECREF(self->friendlyname);
484 self->friendlyname = NULL;
489 * Deallocate the memory used by the PKCS12 object
491 * Arguments: self - The PKCS12 object
495 crypto_PKCS12_dealloc(crypto_PKCS12Obj *self)
497 PyObject_GC_UnTrack(self);
498 crypto_PKCS12_clear(self);
499 PyObject_GC_Del(self);
502 PyTypeObject crypto_PKCS12_Type = {
503 PyOpenSSL_HEAD_INIT(&PyType_Type, 0)
505 sizeof(crypto_PKCS12Obj),
507 (destructor)crypto_PKCS12_dealloc,
513 NULL, /* as_number */
514 NULL, /* as_sequence */
515 NULL, /* as_mapping */
521 NULL, /* as_buffer */
522 Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC,
524 (traverseproc)crypto_PKCS12_traverse,
525 (inquiry)crypto_PKCS12_clear,
526 NULL, /* tp_richcompare */
527 0, /* tp_weaklistoffset */
529 NULL, /* tp_iternext */
530 crypto_PKCS12_methods, /* tp_methods */
531 NULL, /* tp_members */
532 NULL, /* tp_getset */
535 NULL, /* tp_descr_get */
536 NULL, /* tp_descr_set */
537 0, /* tp_dictoffset */
540 crypto_PKCS12_new, /* tp_new */
544 * Initialize the PKCS12 part of the crypto sub module
546 * Arguments: module - The crypto module
550 init_crypto_pkcs12(PyObject *module) {
551 if (PyType_Ready(&crypto_PKCS12_Type) < 0) {
555 if (PyModule_AddObject(module, "PKCS12", (PyObject *)&crypto_PKCS12_Type) != 0) {
559 if (PyModule_AddObject(module, "PKCS12Type", (PyObject *)&crypto_PKCS12_Type) != 0) {