1 from ctypes import c_void_p,create_string_buffer,c_long,c_int
2 from ctypescrypto.bio import Membio
3 from ctypescrypto.pkey import PKey
4 from ctypescrypto.oid import Oid
5 from ctypescrypto.exception import LibCryptoError
6 from ctypescrypto import libcrypto
8 class X509Error(LibCryptoError):
10 Exception, generated when some openssl function fail
18 Class which represents X.509 distinguished name - typically
19 a certificate subject name or an issuer name.
21 # XN_FLAG_SEP_COMMA_PLUS & ASN1_STRFLG_UTF8_CONVERT
24 def __init__(self,ptr=None,copy=False):
26 Creates a X509Name object
27 @param ptr - pointer to X509_NAME C structure (as returned by some OpenSSL functions
28 @param copy - indicates that this structure have to be freed upon object destruction
35 self.ptr=libcrypto.X509_NAME_new()
43 libcrypto.X509_NAME_free(self.ptr)
46 Produces an ascii representation of the name, escaping all symbols > 0x80
47 Probably it is not what you want, unless your native language is English
50 libcrypto.X509_NAME_print_ex(b.bio,self.ptr,0,self.PRINT_FLAG | self.ESC_MSB)
52 def __unicode__(self):
54 Produces unicode representation of the name.
57 libcrypto.X509_NAME_print_ex(b.bio,self.ptr,0,self.PRINT_FLAG)
61 return number of components in the name
63 return libcrypto.X509_NAME_entry_count(self.ptr)
64 def __cmp__(self,other):
68 return libcrypto.X509_NAME_cmp(self.ptr,other.ptr)
69 def __eq__(self,other):
70 return libcrypto.X509_NAME_cmp(self.ptr,other.ptr)==0
72 def __getitem__(self,key):
73 if isinstance(key,Oid):
74 # Return first matching field
75 idx=libcrypto.X509_NAME_get_index_by_NID(self.ptr,key.nid,-1)
77 raise KeyError("Key not found "+repr(Oid))
78 entry=libcrypto.X509_NAME_get_entry(self.ptr,idx)
79 s=libcrypto.X509_NAME_ENTRY_get_data(entry)
81 libcrypto.ASN1_STRING_print_ex(b.bio,s,self.PRINT_FLAG)
83 elif isinstance(key,int):
84 # Return OID, string tuple
85 entry=libcrypto.X509_NAME_get_entry(self.ptr,key)
87 raise IndexError("name entry index out of range")
88 obj=libcrypto.X509_NAME_ENTRY_get_object(entry)
89 nid=libcrypto.OBJ_obj2nid(obj)
91 buf=create_string_buffer(80)
92 len=libcrypto.OBJ_obj2txt(buf,80,obj,1)
96 s=libcrypto.X509_NAME_ENTRY_get_data(entry)
98 libcrypto.ASN1_STRING_print_ex(b.bio,s,self.PRINT_FLAG)
99 return (oid,unicode(b))
101 def __setitem__(self,key,val):
102 if not self.writable:
103 raise ValueError("Attempt to modify constant X509 object")
105 def __init__(self,ptr):
108 libcrypto.X509_NAME_free(self.ptr)
110 raise NotImplementedError
112 return libcrypto.X509_NAME_entry_count(self.ptr)
114 def __getattr__(self,key):
115 raise NotImplementedError
116 def __setattr__(self,key,val):
117 raise NotImplementedError
124 Represents X.509 certificate.
126 def __init__(self,data=None,ptr=None,format="PEM"):
128 Initializes certificate
129 @param data - serialized certificate in PEM or DER format.
130 @param ptr - pointer to X509, returned by some openssl function.
131 mutually exclusive with data
132 @param format - specifies data format. "PEM" or "DER", default PEM
136 raise TypeError("Cannot use data and ptr simultaneously")
139 raise TypeError("data argument is required")
143 self.cert=libcrypto.PEM_read_bio_X509(b.bio,None,None,None)
145 self.cert=libcrypto.d2i_X509_bio(b.bio,None)
146 if self.cert is None:
147 raise X509Error("error reading certificate")
150 Frees certificate object
152 libcrypto.X509_free(self.cert)
154 """ Returns der string of the certificate """
156 if libcrypto.i2d_X509_bio(b.bio,self.cert)==0:
157 raise X509Error("error serializing certificate")
160 """ Returns valid call to the constructor """
161 return "X509(data="+repr(str(self))+",format='DER')"
164 """EVP PKEy object of certificate public key"""
165 return PKey(ptr=libcrypto.X509_get_pubkey(self.cert,False))
166 def verify(self,store=None,key=None):
168 Verify self. Supports verification on both X509 store object
169 or just public issuer key
170 @param store X509Store object.
171 @param key - PKey object
172 parameters are mutually exclusive. If neither is specified, attempts to verify
173 itself as self-signed certificate
175 if store is not None and key is not None:
176 raise X509Error("key and store cannot be specified simultaneously")
177 if store is not None:
178 ctx=libcrypto.X509_STORE_CTX_new()
180 raise X509Error("Error allocating X509_STORE_CTX")
181 if libcrypt.X509_STORE_CTX_init(ctx,store.ptr,self.cert,None) < 0:
182 raise X509Error("Error allocating X509_STORE_CTX")
183 res= libcrypto.X509_verify_cert(ctx)>0
184 libcrypto.X509_STORE_CTX_free(ctx)
188 if self.issuer != self.subject:
189 # Not a self-signed certificate
192 res = libcrypto.X509_verify(self.cert,key.ptr)
194 raise X509Error("X509_verify failed")
199 """ X509Name for certificate subject name """
200 return X509Name(libcrypto.X509_get_subject_name(self.cert))
203 """ X509Name for certificate issuer name """
204 return X509Name(libcrypto.X509_get_issuer_name(self.cert))
207 """ Serial number of certificate as integer """
208 asnint=libcrypto.X509_get_serialNumber(self.cert)
210 libcrypto.i2a_ASN1_INTEGER(b.bio,asnint)
211 return int(str(b),16)
214 """ Certificate validity period start date """
215 # Need deep poke into certificate structure (x)->cert_info->validity->notBefore
216 raise NotImplementedError
219 """ Certificate validity period end date """
220 # Need deep poke into certificate structure (x)->cert_info->validity->notAfter
221 raise NotImplementedError
222 def extensions(self):
223 raise NotImplementedError
226 Represents trusted certificate store. Can be used to lookup CA certificates to verify
228 @param file - file with several certificates and crls to load into store
229 @param dir - hashed directory with certificates and crls
230 @param default - if true, default verify location (directory) is installed
233 def __init__(self,file=None,dir=None,default=False):
235 Creates X509 store and installs lookup method. Optionally initializes
236 by certificates from given file or directory.
239 # Todo - set verification flags
241 self.store=libcrypto.X509_STORE_new()
242 lookup=libcrypto.X509_STORE_add_lookup(self.store,libcrypto.X509_LOOKUP_file())
244 raise X509Error("error installing file lookup method")
245 if (file is not None):
246 if not libcrypto.X509_LOOKUP_loadfile(lookup,file,1):
247 raise X509Error("error loading trusted certs from file "+file)
249 lookup=libcrypto.X509_STORE_add_lookup(self.store,libcrypto.X509_LOOKUP_hash_dir())
251 raise X509Error("error installing hashed lookup method")
253 if not libcrypto.X509_LOOKUP_add_dir(lookup,dir,1):
254 raise X509Error("error adding hashed trusted certs dir "+dir)
256 if not libcrypto.X509_LOOKUP.add_dir(lookup,None,3):
257 raise X509Error("error adding default trusted certs dir ")
258 def add_cert(self,cert):
260 Explicitely adds certificate to set of trusted in the store
261 @param cert - X509 object to add
263 if not isinstance(cert,X509):
264 raise TypeError("cert should be X509")
265 libcrypto.X509_STORE_add_cert(self.store,cert.cert)
266 def add_callback(self,callback):
268 Installs callbac function, which would receive detailed information
269 about verified ceritificates
271 raise NotImplementedError
272 def setflags(self,flags):
274 Set certificate verification flags.
275 @param flags - integer bit mask. See OpenSSL X509_V_FLAG_* constants
277 libcrypto.X509_STORE_set_flags(self.store,flags)
278 def setpurpose(self,purpose):
280 Sets certificate purpose which verified certificate should match
281 @param purpose - number from 1 to 9 or standard strind defined in Openssl
282 possible strings - sslcient,sslserver, nssslserver, smimesign,smimeencrypt, crlsign, any,ocsphelper
284 if isinstance(purpose,str):
285 purp_no=X509_PURPOSE_get_by_sname(purpose)
287 raise X509Error("Invalid certificate purpose '"+purpose+"'")
288 elif isinstance(purpose,int):
290 if libcrypto.X509_STORE_set_purpose(self.store,purp_no)<=0:
291 raise X509Error("cannot set purpose")
292 libcrypto.i2a_ASN1_INTEGER.argtypes=(c_void_p,c_void_p)
293 libcrypto.ASN1_STRING_print_ex.argtypes=(c_void_p,c_void_p,c_long)
294 libcrypto.X509_get_serialNumber.argtypes=(c_void_p,)
295 libcrypto.X509_get_serialNumber.restype=c_void_p
296 libcrypto.X509_NAME_ENTRY_get_object.restype=c_void_p
297 libcrypto.X509_NAME_ENTRY_get_object.argtypes=(c_void_p,)
298 libcrypto.OBJ_obj2nid.argtypes=(c_void_p,)
299 libcrypto.X509_NAME_get_entry.restype=c_void_p
300 libcrypto.X509_NAME_get_entry.argtypes=(c_void_p,c_int)