340
static PyTypeObject *
341
type_modified_error(const char *name) {
342
PyErr_Format(PyExc_RuntimeError,
343
"OpenSSL.crypto's '%s' attribute has been modified",
348
static PyTypeObject *
349
import_crypto_type(const char *name, size_t objsize) {
350
PyObject *module, *type, *name_attr;
354
module = PyImport_ImportModule("OpenSSL.crypto");
355
if (module == NULL) {
358
type = PyObject_GetAttrString(module, (PYOBJECT_GETATTRSTRING_TYPE)name);
363
if (!(PyType_Check(type))) {
365
return type_modified_error(name);
367
name_attr = PyObject_GetAttrString(type, "__name__");
368
if (name_attr == NULL) {
372
right_name = (PyString_CheckExact(name_attr) &&
373
strcmp(name, PyString_AsString(name_attr)) == 0);
374
Py_DECREF(name_attr);
375
res = (PyTypeObject *)type;
376
if (!right_name || res->tp_basicsize != objsize) {
378
return type_modified_error(name);
338
383
static crypto_X509Obj *
339
parse_certificate_argument(const char* format1, const char* format2, PyObject* args)
384
parse_certificate_argument(const char* format, PyObject* args) {
341
385
static PyTypeObject *crypto_X509_type = NULL;
342
386
crypto_X509Obj *cert;
344
/* We need to check that cert really is an X509 object before
345
we deal with it. The problem is we can't just quickly verify
346
the type (since that comes from another module). This should
347
do the trick (reasonably well at least): Once we have one
348
verified object, we use it's type object for future
351
if (!crypto_X509_type)
353
if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format1, &cert))
356
if (strcmp(cert->ob_type->tp_name, "X509") != 0 ||
357
cert->ob_type->tp_basicsize != sizeof(crypto_X509Obj))
359
PyErr_SetString(PyExc_TypeError, "Expected an X509 object");
363
crypto_X509_type = cert->ob_type;
366
if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format2, crypto_X509_type,
388
if (!crypto_X509_type) {
389
crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj));
390
if (!crypto_X509_type) {
394
if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format,
395
crypto_X509_type, &cert)) {
535
564
static PyObject *
536
ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args)
565
ssl_Context_use_privatekey(ssl_ContextObj *self, PyObject *args) {
538
566
static PyTypeObject *crypto_PKey_type = NULL;
539
567
crypto_PKeyObj *pkey;
541
/* We need to check that cert really is a PKey object before
542
we deal with it. The problem is we can't just quickly verify
543
the type (since that comes from another module). This should
544
do the trick (reasonably well at least): Once we have one
545
verified object, we use it's type object for future
548
if (!crypto_PKey_type)
550
if (!PyArg_ParseTuple(args, "O:use_privatekey", &pkey))
553
if (strcmp(pkey->ob_type->tp_name, "OpenSSL.crypto.PKey") != 0 ||
554
pkey->ob_type->tp_basicsize != sizeof(crypto_PKeyObj))
556
PyErr_SetString(PyExc_TypeError, "Expected a PKey object");
560
crypto_PKey_type = pkey->ob_type;
569
if (!crypto_PKey_type) {
570
crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj));
571
if (!crypto_PKey_type) {
563
if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey))
575
if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey)) {
566
if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey))
579
if (!SSL_CTX_use_PrivateKey(self->ctx, pkey->pkey)) {
568
580
exception_from_error_queue(ssl_Error);
573
583
Py_INCREF(Py_None);
802
static char ssl_Context_set_client_ca_list_doc[] = "\n\
803
Set the list of preferred client certificate signers for this server context.\n\
805
This list of certificate authorities will be sent to the client when the\n\
806
server requests a client certificate.\n\
808
@param certificate_authorities: a sequence of X509Names.\n\
813
ssl_Context_set_client_ca_list(ssl_ContextObj *self, PyObject *args)
815
static PyTypeObject *X509NameType;
816
PyObject *sequence, *tuple, *item;
817
crypto_X509NameObj *name;
819
STACK_OF(X509_NAME) *CANames;
823
if (X509NameType == NULL) {
824
X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj));
825
if (X509NameType == NULL) {
829
if (!PyArg_ParseTuple(args, "O:set_client_ca_list", &sequence)) {
832
tuple = PySequence_Tuple(sequence);
836
length = PyTuple_Size(tuple);
837
if (length >= INT_MAX) {
838
PyErr_SetString(PyExc_ValueError, "client CA list is too long");
842
CANames = sk_X509_NAME_new_null();
843
if (CANames == NULL) {
845
exception_from_error_queue(ssl_Error);
848
for (i = 0; i < length; i++) {
849
item = PyTuple_GetItem(tuple, i);
850
if (item->ob_type != X509NameType) {
851
PyErr_Format(PyExc_TypeError,
852
"client CAs must be X509Name objects, not %s objects",
853
item->ob_type->tp_name);
854
sk_X509_NAME_free(CANames);
858
name = (crypto_X509NameObj *)item;
859
sslname = X509_NAME_dup(name->x509_name);
860
if (sslname == NULL) {
861
sk_X509_NAME_free(CANames);
863
exception_from_error_queue(ssl_Error);
866
if (!sk_X509_NAME_push(CANames, sslname)) {
867
X509_NAME_free(sslname);
868
sk_X509_NAME_free(CANames);
870
exception_from_error_queue(ssl_Error);
875
SSL_CTX_set_client_CA_list(self->ctx, CANames);
880
static char ssl_Context_add_client_ca_doc[] = "\n\
881
Add the CA certificate to the list of preferred signers for this context.\n\
883
The list of certificate authorities will be sent to the client when the\n\
884
server requests a client certificate.\n\
886
@param certificate_authority: certificate authority's X509 certificate.\n\
891
ssl_Context_add_client_ca(ssl_ContextObj *self, PyObject *args)
893
crypto_X509Obj *cert;
895
cert = parse_certificate_argument("O!:add_client_ca", args);
899
if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) {
900
exception_from_error_queue(ssl_Error);
792
907
static char ssl_Context_set_timeout_doc[] = "\n\
793
908
Set session timeout\n\
960
1075
ADD_METHOD(get_verify_depth),
961
1076
ADD_METHOD(load_tmp_dh),
962
1077
ADD_METHOD(set_cipher_list),
1078
ADD_METHOD(set_client_ca_list),
1079
ADD_METHOD(add_client_ca),
963
1080
ADD_METHOD(set_timeout),
964
1081
ADD_METHOD(get_timeout),
965
1082
ADD_METHOD(set_info_callback),