pyOpenSSL

Merge lp:~zseil/pyopenssl/client_CA into lp:~exarkun/pyopenssl/trunk

client_CA
Merge into trunk

Proposed by Ziga Seilnacht on 2009-09-01

Status:

Superseded

Proposed branch:

lp:~zseil/pyopenssl/client_CA

Merge into:

lp:~exarkun/pyopenssl/trunk

Diff against target:

None lines

To merge this branch:

bzr merge lp:~zseil/pyopenssl/client_CA

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Ziga Seilnacht (community)		Needs Resubmitting on 2009-09-01
Jean-Paul Calderone	2009-09-01	Needs Fixing on 2009-09-01
Review via email: mp+10972@code.launchpad.net

This proposal has been superseded by a proposal from 2009-09-02.

Revision history for this message

Ziga Seilnacht (zseil) wrote on 2009-09-01:

Hello Jean-Paul,

This branch adds finer control over the list of preferred certificate authorities sent by the server when requesting a client certificate.

This functionality was requested in bug #364185 and in Twisted's bug #2061. The branch adds two new methods to SSL.Context, set_client_CA_list and add_client_CA and one new method to SSL.Connection, get_client_CA_list. The new methods are documented and tested.

More information can be found in commit messages and documentation. There are some unrelated changes in this branch, let me know if I should create a separate branch for those.

Regards,
Ziga

Revision history for this message

Jean-Paul Calderone (exarkun) wrote on 2009-09-01:

Hi Žiga,

First, thanks for working on this. :)

It would be great to see the CA management API additions separated out from the other bug fixes. I think the new methods look like they should go in (I need to spend a little more time looking at the code and reading about the relevant OpenSSL APIs to be sure). Some of the other changes are a bit trickier though. It'd be great to get the CA stuff in without having to think about all the consequences of changing the type names of all the types in pyOpenSSL, for example. :) Similarly, I think some of the unrelated fixes (eg, for NULL return checks) should probably have test coverage added, but figuring out exactly how to test those may take some consideration.

Thanks again. Looking forward to the next version of the branch.

review: Needs Fixing

lp:~zseil/pyopenssl/client_CA updated on 2009-09-01

131. By Ziga Seilnacht on 2009-09-01: Revert all changes unrelated to the new *client_CA* functionality.

Revision history for this message

Ziga Seilnacht (zseil) wrote on 2009-09-01:

> Hi Žiga,
>
> First, thanks for working on this. :)
>
> It would be great to see the CA management API additions separated out from
> the other bug fixes. I think the new methods look like they should go in (I
> need to spend a little more time looking at the code and reading about the
> relevant OpenSSL APIs to be sure). Some of the other changes are a bit
> trickier though. It'd be great to get the CA stuff in without having to think
> about all the consequences of changing the type names of all the types in
> pyOpenSSL, for example. :) Similarly, I think some of the unrelated fixes
> (eg, for NULL return checks) should probably have test coverage added, but
> figuring out exactly how to test those may take some consideration.
>
> Thanks again. Looking forward to the next version of the branch.

Hello Jean-Paul,

Thank you for reviewing :)

I reverted the unrelated changes now, I'll submit them as separate issues in the next few days.

review: Needs Resubmitting

lp:~zseil/pyopenssl/client_CA updated on 2009-11-11

132. By Ziga Seilnacht on 2009-10-23

Clarify documentation for SSL.Context.set_client_CA_list and remove silly comments.

133. By Ziga Seilnacht on 2009-10-23

Lowercase *client_CA* methods for consistency with the rest of PyOpenSSL.

134. By Jean-Paul Calderone on 2009-10-24

Break up big set_client_ca_list test into a bunch of smaller ones

135. By Jean-Paul Calderone on 2009-10-24

Break up big add_client_ca test into a bunch of smaller ones

136. By Jean-Paul Calderone on 2009-10-24

doc formatting and wording tweak

137. By Jean-Paul Calderone on 2009-10-24

remove pre-2.5 warning with PyObject_GetAttrString; reformat some braces

138. By Jean-Paul Calderone on 2009-10-24

a few more brace re-arrangements

139. By Jean-Paul Calderone on 2009-11-07

Minimal tests for Context.add_extra_chain_cert

140. By Ziga Seilnacht on 2009-11-11

Hack setup.py until MinGW builds without errors.

In addition, describe in detail what is needed for building on Windows.

Unmerged revisions

140. By Ziga Seilnacht on 2009-11-11

Hack setup.py until MinGW builds without errors.

In addition, describe in detail what is needed for building on Windows.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Alex Stapleton

Eric P. Mangold

Ziga Seilnacht

to status/vote changes:

Ramon

pyOpenSSL

Merge lp:~zseil/pyopenssl/client_CA into lp:~exarkun/pyopenssl/trunk

Commit message

Description of the change

Unmerged revisions

Preview Diff

Subscribers

 === modified file 'doc/pyOpenSSL.tex'
 --- doc/pyOpenSSL.tex	2009-07-25 16:32:46 +0000
 +++ doc/pyOpenSSL.tex	2009-09-01 11:31:36 +0000
@@ -189,8 +189,8 @@
  \end{datadesc}
  \begin{classdesc}{X509Extension}{typename, critical, value\optional{, subject}\optional{, issuer}}
--A class representing an X.509 v3 certificate extensions.
--See \url{http://openssl.org/docs/apps/x509v3_config.html\#STANDARD_EXTENSIONS}
++A class representing an X.509 v3 certificate extensions.
++See \url{http://openssl.org/docs/apps/x509v3_config.html\#STANDARD_EXTENSIONS}
  for \var{typename} strings and their options.
  Optional parameters \var{subject} and \var{issuer} must be X509 objects.
  \end{classdesc}
@@ -673,7 +673,7 @@
  \end{funcdesc}
  \begin{excdesc}{Error}
--If the current RAND method supports any errors, this is raised when needed.
++If the current RAND method supports any errors, this is raised when needed.
  The default method does not raise this when the entropy pool is depleted.
  Whenever this exception is raised directly, it has a list of error messages
@@ -853,6 +853,24 @@
  when requesting a client certificate.
  \end{methoddesc}
++\begin{methoddesc}[Context]{set_client_CA_list}{certificate_authorities}
++Replace the current list of \class{OpenSSL.crypto.X509Name} objects that
++would be sent to the client when requesting a client certificate with a
++new one.
++
++\versionadded{0.10}
++\end{methoddesc}
++
++\begin{methoddesc}[Context]{add_client_CA}{certificate_authority}
++Extract a \class{OpenSSL.crypto.X509Name} from the \var{certificate_authority}
++\class{OpenSSL.crypto.X509} certificate and add it to the list of preferred
++certificate signers sent to the client when requesting a client certificate.
++% Certificate certificate certificate. Certificate certificate. Certificate
++% certificate certificate certificate certificate certificate. Certificate.
++
++\versionadded{0.10}
++\end{methoddesc}
++
  \begin{methoddesc}[Context]{load_verify_locations}{pemfile, capath}
  Specify where CA certificates for verification purposes are located. These
  are trusted certificates. Note that the certificates have to be in PEM
@@ -1026,6 +1044,20 @@
  but not it returns the entire list in one go.
  \end{methoddesc}
++\begin{methoddesc}[Connection]{get_client_CA_list}{}
++Retrieve the list of preferred client certificate issuers sent by the server
++as \class{OpenSSL.crypto.X509Name} objects.
++
++If this is a client \class{Connection}, the list will be empty until the
++connection with the server is established.
++
++If this is a server \class{Connection}, return the list of certificate
++authorities that will be sent or has been sent to the client, as controlled
++by this \class{Connection}'s \class{Context}.
++
++\versionadded{0.10}
++\end{methoddesc}
++
  \begin{methoddesc}[Connection]{get_context}{}
  Retrieve the Context object associated with this Connection.
  \end{methoddesc}
 === modified file 'doc/tools/texinputs/howto.cls'
 --- doc/tools/texinputs/howto.cls	2008-02-19 01:50:23 +0000
 +++ doc/tools/texinputs/howto.cls	2009-09-01 11:27:38 +0000
@@ -6,6 +6,7 @@
  \ProvidesClass{howto}
               [1998/02/25 Document class (Python HOWTO)]
++\RequirePackage{ifpdf}
  \RequirePackage{pypaper}
  % Change the options here to get a different set of basic options,  This
@@ -23,7 +24,7 @@
  % distribution.
+ %
  % The "fancyhdr" package makes nicer page footers reasonable to
--% implement, and is used to put the chapter and section information in
++% implement, and is used to put the chapter and section information in
  % the footers.
+ %
  \RequirePackage{fancyhdr}\typeout{Using fancier footers than usual.}
@@ -49,7 +50,8 @@
+ %
  \renewcommand{\maketitle}{
    \py@doHorizontalRule
--  \@ifundefined{pdfinfo}{}{{
++  \ifpdf
++    \begingroup
      % This \def is required to deal with multi-line authors; it
      % changes \\ to ', ' (comma-space), making it pass muster for
      % generating document info in the PDF file.
@@ -58,7 +60,8 @@
        /Author (\@author)
        /Title (\@title)
+     }
--  }}
++    \endgroup
++  \fi
    \begin{flushright}
      {\rm\Huge\py@HeaderFamily \@title} \par
      {\em\large\py@HeaderFamily \py@release} \par
@@ -84,7 +87,7 @@
    \py@doHorizontalRule
    \vspace{12pt}
    \py@doing@page@targetstrue
--}
++}
  % Fix the theindex environment to add an entry to the Table of
  % Contents; this is much nicer than just having to jump to the end of
 === modified file 'doc/tools/texinputs/manual.cls'
 --- doc/tools/texinputs/manual.cls	2008-02-19 01:50:23 +0000
 +++ doc/tools/texinputs/manual.cls	2009-09-01 11:27:38 +0000
@@ -6,6 +6,7 @@
  \ProvidesClass{manual}
               [1998/03/03 Document class (Python manual)]
++\RequirePackage{ifpdf}
  \RequirePackage{pypaper}
  % Change the options here to get a different set of basic options, but only
@@ -23,7 +24,7 @@
  % distribution.
+ %
  % The "fancyhdr" package makes nicer page footers reasonable to
--% implement, and is used to put the chapter and section information in
++% implement, and is used to put the chapter and section information in
  % the footers.
+ %
  \RequirePackage{fancyhdr}\typeout{Using fancier footers than usual.}
@@ -63,7 +64,8 @@
      \let\footnotesize\small
      \let\footnoterule\relax
      \py@doHorizontalRule%
--    \@ifundefined{pdfinfo}{}{{
++    \ifpdf
++      \begingroup
        % This \def is required to deal with multi-line authors; it
        % changes \\ to ', ' (comma-space), making it pass muster for
        % generating document info in the PDF file.
@@ -72,7 +74,8 @@
          /Author (\@author)
          /Title (\@title)
+       }
--    }}
++      \endgroup
++    \fi
      \begin{flushright}%
        {\rm\Huge\py@HeaderFamily \@title \par}%
        {\em\LARGE\py@HeaderFamily \py@release \par}
 === modified file 'src/crypto/netscape_spki.c'
 --- src/crypto/netscape_spki.c	2009-07-08 16:48:33 +0000
 +++ src/crypto/netscape_spki.c	2009-08-31 18:52:30 +0000
@@ -243,7 +243,7 @@
  PyTypeObject crypto_NetscapeSPKI_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "NetscapeSPKI",
++    "OpenSSL.crypto.NetscapeSPKI",
      sizeof(crypto_NetscapeSPKIObj),
 ,
      (destructor)crypto_NetscapeSPKI_dealloc,
 === modified file 'src/crypto/pkcs12.c'
 --- src/crypto/pkcs12.c	2009-07-26 01:23:01 +0000
 +++ src/crypto/pkcs12.c	2009-08-31 19:36:23 +0000
@@ -71,14 +71,14 @@
  \n\
  @returns: PKey object containing the private key\n\
  ";
--static crypto_PKeyObj *
++static PyObject *
  crypto_PKCS12_get_privatekey(crypto_PKCS12Obj *self, PyObject *args)
+ {
      if (!PyArg_ParseTuple(args, ":get_privatekey"))
          return NULL;
      Py_INCREF(self->key);
--    return (crypto_PKeyObj *) self->key;
++    return self->key;
+ }
  static char crypto_PKCS12_set_privatekey_doc[] = "\n\
@@ -514,7 +514,7 @@
  PyTypeObject crypto_PKCS12_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "PKCS12",
++    "OpenSSL.crypto.PKCS12",
      sizeof(crypto_PKCS12Obj),
 ,
      (destructor)crypto_PKCS12_dealloc,
 === modified file 'src/crypto/pkcs7.c'
 --- src/crypto/pkcs7.c	2009-06-27 18:32:07 +0000
 +++ src/crypto/pkcs7.c	2009-08-31 18:52:30 +0000
@@ -177,7 +177,7 @@
  PyTypeObject crypto_PKCS7_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "PKCS7",
++    "OpenSSL.crypto.PKCS7",
      sizeof(crypto_PKCS7Obj),
 ,
      (destructor)crypto_PKCS7_dealloc,
 === modified file 'src/crypto/x509.c'
 --- src/crypto/x509.c	2009-07-08 16:48:33 +0000
 +++ src/crypto/x509.c	2009-08-31 18:52:30 +0000
@@ -800,7 +800,7 @@
  PyTypeObject crypto_X509_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "X509",
++    "OpenSSL.crypto.X509",
      sizeof(crypto_X509Obj),
 ,
      (destructor)crypto_X509_dealloc,
 === modified file 'src/crypto/x509ext.c'
 --- src/crypto/x509ext.c	2009-07-17 20:06:12 +0000
 +++ src/crypto/x509ext.c	2009-08-31 18:52:30 +0000
@@ -256,7 +256,7 @@
  PyTypeObject crypto_X509Extension_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "X509Extension",
++    "OpenSSL.crypto.X509Extension",
      sizeof(crypto_X509ExtensionObj),
 ,
      (destructor)crypto_X509Extension_dealloc,
 === modified file 'src/crypto/x509name.c'
 --- src/crypto/x509name.c	2009-07-16 20:25:19 +0000
 +++ src/crypto/x509name.c	2009-08-31 19:33:58 +0000
@@ -55,12 +55,22 @@
  crypto_X509Name_new(PyTypeObject *subtype, PyObject *args, PyObject *kwargs)
+ {
      crypto_X509NameObj *name;
++    X509_NAME *sslname;
++    PyObject *newname;
      if (!PyArg_ParseTuple(args, "O!:X509Name", &crypto_X509Name_Type, &name)) {
          return NULL;
+     }
--
--    return (PyObject *)crypto_X509Name_New(X509_NAME_dup(name->x509_name), 1);
++    sslname = X509_NAME_dup(name->x509_name);
++    if (sslname == NULL) {
++        exception_from_error_queue(crypto_Error);
++        return NULL;
++    }
++    newname = (PyObject *)crypto_X509Name_New(sslname, 1);
++    if (newname == NULL) {
++        X509_NAME_free(sslname);
++    }
++    return newname;
+ }
@@ -423,7 +433,7 @@
  PyTypeObject crypto_X509Name_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "X509Name",
++    "OpenSSL.crypto.X509Name",
      sizeof(crypto_X509NameObj),
 ,
      (destructor)crypto_X509Name_dealloc,
 === modified file 'src/crypto/x509req.c'
 --- src/crypto/x509req.c	2009-07-08 16:48:33 +0000
 +++ src/crypto/x509req.c	2009-08-31 18:52:30 +0000
@@ -372,7 +372,7 @@
  PyTypeObject crypto_X509Req_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "X509Req",
++    "OpenSSL.crypto.X509Req",
      sizeof(crypto_X509ReqObj),
 ,
      (destructor)crypto_X509Req_dealloc,
 === modified file 'src/crypto/x509store.c'
 --- src/crypto/x509store.c	2009-07-08 16:48:33 +0000
 +++ src/crypto/x509store.c	2009-08-31 18:52:30 +0000
@@ -109,7 +109,7 @@
  PyTypeObject crypto_X509Store_Type = {
      PyObject_HEAD_INIT(NULL)
 ,
--    "X509Store",
++    "OpenSSL.crypto.X509Store",
      sizeof(crypto_X509StoreObj),
 ,
      (destructor)crypto_X509Store_dealloc,
 === modified file 'src/ssl/connection.c'
 --- src/ssl/connection.c	2009-07-08 16:48:33 +0000
 +++ src/ssl/connection.c	2009-08-31 23:32:29 +0000
@@ -819,16 +819,79 @@
          return NULL;
      lst = PyList_New(0);
++    if (lst == NULL) {
++        return NULL;
++    }
      while ((ret = SSL_get_cipher_list(self->ssl, idx)) != NULL)
+     {
          item = PyString_FromString(ret);
--        PyList_Append(lst, item);
++        if (item == NULL) {
++            Py_DECREF(lst);
++            return NULL;
++        }
++        if (PyList_Append(lst, item)) {
++            Py_DECREF(lst);
++            Py_DECREF(item);
++            return NULL;
++        }
          Py_DECREF(item);
          idx++;
+     }
      return lst;
+ }
++static char ssl_Connection_get_client_CA_list_doc[] = "\n\
++Get CAs whose certificates are suggested for client authentication.\n\
++\n\
++@return: A list of X509Names representing the acceptable CAs as set by\n\
++         ssl.Context.{set, add}_client_CA* if this is a server connection\n\
++         or as sent by the server if this is a client connection.\n\
++";
++
++static PyObject *
++ssl_Connection_get_client_CA_list(ssl_ConnectionObj *self, PyObject *args)
++{
++    STACK_OF(X509_NAME) *CANames;
++    PyObject *CAList;
++    int i, n;
++
++    if (!PyArg_ParseTuple(args, ":get_client_CA_list")) {
++        return NULL;
++    }
++    CANames = SSL_get_client_CA_list(self->ssl);
++    if (CANames == NULL) {
++        return PyList_New(0);
++    }
++    n = sk_X509_NAME_num(CANames);
++    CAList = PyList_New(n);
++    if (CAList == NULL) {
++        return NULL;
++    }
++    for (i = 0; i < n; i++) {
++        X509_NAME *CAName;
++        PyObject *CA;
++
++        CAName = X509_NAME_dup(sk_X509_NAME_value(CANames, i));
++        if (CAName == NULL) {
++            Py_DECREF(CAList);
++            exception_from_error_queue(ssl_Error);
++            return NULL;
++        }
++        CA = (PyObject *)crypto_X509Name_New(CAName, 1);
++        if (CA == NULL) {
++            X509_NAME_free(CAName);
++            Py_DECREF(CAList);
++            return NULL;
++        }
++        if (PyList_SetItem(CAList, i, CA)) {
++            Py_DECREF(CA);
++            Py_DECREF(CAList);
++            return NULL;
++        }
++    }
++    return CAList;
++}
++
  static char ssl_Connection_makefile_doc[] = "\n\
  The makefile() method is not implemented, since there is no dup semantics\n\
  for SSL connections\n\
@@ -1087,6 +1150,7 @@
      ADD_METHOD(bio_shutdown),
      ADD_METHOD(shutdown),
      ADD_METHOD(get_cipher_list),
++    ADD_METHOD(get_client_CA_list),
      ADD_METHOD(makefile),
      ADD_METHOD(get_app_data),
      ADD_METHOD(set_app_data),
 === modified file 'src/ssl/context.c'
 --- src/ssl/context.c	2009-07-08 16:48:33 +0000
 +++ src/ssl/context.c	2009-08-31 23:32:29 +0000
@@ -335,36 +335,63 @@
      return Py_None;
+ }
++static PyTypeObject *
++type_modified_error(const char *name)
++{
++    PyErr_Format(PyExc_RuntimeError,
++                 "OpenSSL.crypto's '%s' attribute has been modified",
++                 name);
++    return NULL;
++}
++
++static PyTypeObject *
++import_crypto_type(const char *name, size_t objsize)
++{
++    PyObject *module, *type;
++    PyTypeObject *res;
++    char modname[] = "OpenSSL.crypto";
++    char buffer[256] = "OpenSSL.crypto.";
++
++    if (strlen(buffer) + strlen(name) >= sizeof(buffer)) {
++        PyErr_BadInternalCall();
++        return NULL;
++    }
++    strcat(buffer, name);
++    module = PyImport_ImportModule(modname);
++    if (module == NULL) {
++        return NULL;
++    }
++    type = PyObject_GetAttrString(module, name);
++    Py_DECREF(module);
++    if (type == NULL) {
++        return NULL;
++    }
++    if (!(PyType_Check(type))) {
++        Py_DECREF(type);
++        return type_modified_error(name);
++    }
++    res = (PyTypeObject *)type;
++    if (strcmp(buffer, res->tp_name) != 0 || res->tp_basicsize != objsize) {
++        Py_DECREF(type);
++        return type_modified_error(name);
++    }
++    return res;
++}
++
  static crypto_X509Obj *
--parse_certificate_argument(const char* format1, const char* format2, PyObject* args)
++parse_certificate_argument(const char* format, PyObject* args)
+ {
      static PyTypeObject *crypto_X509_type = NULL;
      crypto_X509Obj *cert;
--    /* We need to check that cert really is an X509 object before
--       we deal with it. The problem is we can't just quickly verify
--       the type (since that comes from another module). This should
--       do the trick (reasonably well at least): Once we have one
--       verified object, we use it's type object for future
--       comparisons. */
--
      if (!crypto_X509_type)
+     {
--	if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format1, &cert))
--	    return NULL;
--
--	if (strcmp(cert->ob_type->tp_name, "X509") != 0 ||
--	    cert->ob_type->tp_basicsize != sizeof(crypto_X509Obj))
--	{
--	    PyErr_SetString(PyExc_TypeError, "Expected an X509 object");
--	    return NULL;
--	}
--
--	crypto_X509_type = cert->ob_type;
++        crypto_X509_type = import_crypto_type("X509", sizeof(crypto_X509Obj));
++        if (!crypto_X509_type)
++            return NULL;
+     }
--    else
--	if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format2, crypto_X509_type,
--			      &cert))
++    if (!PyArg_ParseTuple(args, (PYARG_PARSETUPLE_FORMAT *)format,
++                          crypto_X509_type, &cert))
  	    return NULL;
      return cert;
+ }
@@ -381,7 +408,7 @@
+ {
      X509* cert_original;
      crypto_X509Obj *cert = parse_certificate_argument(
--        "O:add_extra_chain_cert", "O!:add_extra_chain_cert", args);
++        "O!:add_extra_chain_cert", args);
      if (cert == NULL)
+     {
          return NULL;
@@ -471,7 +498,7 @@
  ssl_Context_use_certificate(ssl_ContextObj *self, PyObject *args)
+ {
      crypto_X509Obj *cert = parse_certificate_argument(
--        "O:use_certificate", "O!:use_certificate", args);
++        "O!:use_certificate", args);
      if (cert == NULL) {
          return NULL;
+     }
@@ -538,28 +565,12 @@
      static PyTypeObject *crypto_PKey_type = NULL;
      crypto_PKeyObj *pkey;
--    /* We need to check that cert really is a PKey object before
--       we deal with it. The problem is we can't just quickly verify
--       the type (since that comes from another module). This should
--       do the trick (reasonably well at least): Once we have one
--       verified object, we use it's type object for future
--       comparisons. */
--
      if (!crypto_PKey_type)
+     {
--	if (!PyArg_ParseTuple(args, "O:use_privatekey", &pkey))
--	    return NULL;
--
--	if (strcmp(pkey->ob_type->tp_name, "OpenSSL.crypto.PKey") != 0 ||
--	    pkey->ob_type->tp_basicsize != sizeof(crypto_PKeyObj))
--	{
--	    PyErr_SetString(PyExc_TypeError, "Expected a PKey object");
--	    return NULL;
--	}
--
--	crypto_PKey_type = pkey->ob_type;
++        crypto_PKey_type = import_crypto_type("PKey", sizeof(crypto_PKeyObj));
++        if (!crypto_PKey_type)
++            return NULL;
+     }
--    else
      if (!PyArg_ParseTuple(args, "O!:use_privatekey", crypto_PKey_type, &pkey))
          return NULL;
@@ -789,6 +800,111 @@
+     }
+ }
++static char ssl_Context_set_client_CA_list_doc[] = "\n\
++Set the list of preferred client certificate signers for this server context.\n\
++\n\
++This list of certificate authorities will be sent to the client when the\n\
++server requests a client certificate.\n\
++\n\
++@param certificate_authorities: a sequence of X509Names.\n\
++@return: None\n\
++";
++
++static PyObject *
++ssl_Context_set_client_CA_list(ssl_ContextObj *self, PyObject *args)
++{
++    static PyTypeObject *X509NameType;
++    PyObject *sequence, *tuple, *item;
++    crypto_X509NameObj *name;
++    X509_NAME *sslname;
++    STACK_OF(X509_NAME) *CANames;
++    Py_ssize_t length;
++    int i;
++
++    if (X509NameType == NULL) {
++        X509NameType = import_crypto_type("X509Name", sizeof(crypto_X509NameObj));
++        if (X509NameType == NULL) {
++            return NULL;
++        }
++    }
++    if (!PyArg_ParseTuple(args, "O:set_client_CA_list", &sequence)) {
++        return NULL;
++    }
++    tuple = PySequence_Tuple(sequence);
++    if (tuple == NULL) {
++        return NULL;
++    }
++    length = PyTuple_Size(tuple);
++    if (length >= INT_MAX) {
++        PyErr_SetString(PyExc_ValueError, "client CA list is too long");
++        Py_DECREF(tuple);
++        return NULL;
++    }
++    CANames = sk_X509_NAME_new_null();
++    if (CANames == NULL) {
++        Py_DECREF(tuple);
++        exception_from_error_queue(ssl_Error);
++        return NULL;
++    }
++    for (i = 0; i < length; i++) {
++        item = PyTuple_GetItem(tuple, i);
++        if (item->ob_type != X509NameType) {
++            PyErr_Format(PyExc_TypeError,
++                         "client CAs must be X509Name objects, not %s objects",
++                         item->ob_type->tp_name);
++            sk_X509_NAME_free(CANames);
++            Py_DECREF(tuple);
++            return NULL;
++        }
++        name = (crypto_X509NameObj *)item;
++        sslname = X509_NAME_dup(name->x509_name);
++        if (sslname == NULL) {
++            sk_X509_NAME_free(CANames);
++            Py_DECREF(tuple);
++            exception_from_error_queue(ssl_Error);
++            return NULL;
++        }
++        if (!sk_X509_NAME_push(CANames, sslname)) {
++            X509_NAME_free(sslname);
++            sk_X509_NAME_free(CANames);
++            Py_DECREF(tuple);
++            exception_from_error_queue(ssl_Error);
++            return NULL;
++        }
++    }
++    Py_DECREF(tuple);
++    SSL_CTX_set_client_CA_list(self->ctx, CANames);
++    Py_INCREF(Py_None);
++    return Py_None;
++}
++
++static char ssl_Context_add_client_CA_doc[] = "\n\
++Add the CA certificate to the list of preferred signers for this context.\n\
++\n\
++The list of certificate authorities will be sent to the client when the\n\
++server requests a client certificate.\n\
++\n\
++@param certificate_authority: certificate authority's X509 certificate.\n\
++@return: None\n\
++";
++
++static PyObject *
++ssl_Context_add_client_CA(ssl_ContextObj *self, PyObject *args)
++{
++    crypto_X509Obj *cert;
++
++    cert = parse_certificate_argument("O!:add_client_CA", args);
++    if (cert == NULL) {
++        return NULL;
++    }
++    if (!SSL_CTX_add_client_CA(self->ctx, cert->x509)) {
++        exception_from_error_queue(ssl_Error);
++        return NULL;
++    }
++    Py_INCREF(Py_None);
++    return Py_None;
++}
++
  static char ssl_Context_set_timeout_doc[] = "\n\
  Set session timeout\n\
  \n\
@@ -960,6 +1076,8 @@
      ADD_METHOD(get_verify_depth),
      ADD_METHOD(load_tmp_dh),
      ADD_METHOD(set_cipher_list),
++    ADD_METHOD(set_client_CA_list),
++    ADD_METHOD(add_client_CA),
      ADD_METHOD(set_timeout),
      ADD_METHOD(get_timeout),
      ADD_METHOD(set_info_callback),
 === modified file 'src/util.c'
 --- src/util.c	2009-07-16 22:47:27 +0000
 +++ src/util.c	2009-08-31 19:33:58 +0000
@@ -22,26 +22,40 @@
  PyObject *
  error_queue_to_list(void) {
      PyObject *errlist, *tuple;
++    int failed;
      long err;
      errlist = PyList_New(0);
--
++    if (errlist == NULL) {
++        return NULL;
++    }
      while ((err = ERR_get_error()) != 0) {
--	tuple = Py_BuildValue("(sss)", ERR_lib_error_string(err),
--		                       ERR_func_error_string(err),
--				       ERR_reason_error_string(err));
--        PyList_Append(errlist, tuple);
++        tuple = Py_BuildValue("(sss)", ERR_lib_error_string(err),
++                                       ERR_func_error_string(err),
++                                       ERR_reason_error_string(err));
++        if (tuple == NULL) {
++            Py_DECREF(errlist);
++            return NULL;
++        }
++        failed = PyList_Append(errlist, tuple);
          Py_DECREF(tuple);
++        if (failed) {
++            Py_DECREF(errlist);
++            return NULL;
++        }
+     }
      return errlist;
+ }
--void exception_from_error_queue(PyObject *the_Error) {
++void exception_from_error_queue(PyObject *the_Error) {
      PyObject *errlist = error_queue_to_list();
--    PyErr_SetObject(the_Error, errlist);
--    Py_DECREF(errlist);
--}
++
++    if (errlist != NULL) {
++        PyErr_SetObject(the_Error, errlist);
++        Py_DECREF(errlist);
++    }
++}
  /*
   * Flush OpenSSL's error queue and ignore the result
@@ -57,5 +71,5 @@
       * very nasty things if we just invoked it with error_queue_to_list().
       */
      PyObject *list = error_queue_to_list();
--    Py_DECREF(list);
++    Py_XDECREF(list);
+ }
 === modified file 'src/util.h'
 --- src/util.h	2009-07-08 16:48:33 +0000
 +++ src/util.h	2009-08-31 23:32:29 +0000
@@ -119,6 +119,10 @@
+ }
  #endif
--
++#if !defined(PY_SSIZE_T_MIN)
++typedef int Py_ssize_t;
++#define PY_SSIZE_T_MAX INT_MAX
++#define PY_SSIZE_T_MIN INT_MIN
++#endif
  #endif
 === modified file 'test/test_crypto.py'
 --- test/test_crypto.py	2009-08-27 16:47:55 +0000
 +++ test/test_crypto.py	2009-08-31 18:49:30 +0000
@@ -10,6 +10,7 @@
  from os import popen2
  from datetime import datetime, timedelta
++from OpenSSL import crypto
  from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey, PKeyType
  from OpenSSL.crypto import X509, X509Type, X509Name, X509NameType
  from OpenSSL.crypto import X509Req, X509ReqType
@@ -1533,5 +1534,20 @@
++class ModuleTests(TestCase):
++    """
++    Tests for all objects in L{OpenSSL.crypto} module.
++    """
++
++    def test_type_module_name(self):
++        """
++        Test that all types have a sane C{__module__} attribute.
++        """
++        for name, obj in vars(crypto).items():
++            if isinstance(obj, type):
++                self.assertEqual(obj.__module__, "OpenSSL.crypto", name)
++
++
++
  if __name__ == '__main__':
      main()
 === modified file 'test/test_ssl.py'
 --- test/test_ssl.py	2009-07-25 16:32:46 +0000
 +++ test/test_ssl.py	2009-09-01 11:32:34 +0000
@@ -10,6 +10,7 @@
  from os.path import join
  from unittest import main
++from OpenSSL import SSL
  from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM, PKey, dump_privatekey, load_certificate, load_privatekey
  from OpenSSL.SSL import WantReadError, Context, ContextType, Connection, ConnectionType, Error
  from OpenSSL.SSL import SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD
@@ -255,7 +256,7 @@
              context = Context(SSLv3_METHOD)
              context.set_default_verify_paths()
              context.set_verify(
--                VERIFY_PEER,
++                VERIFY_PEER,
                  lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
              client = socket()
@@ -511,8 +512,8 @@
              established = True  # assume the best
              for ssl in client_conn, server_conn:
                  try:
--                    # Generally a recv() or send() could also work instead
--                    # of do_handshake(), and we would stop on the first
++                    # Generally a recv() or send() could also work instead
++                    # of do_handshake(), and we would stop on the first
                      # non-exception.
                      ssl.do_handshake()
                  except WantReadError:
@@ -583,6 +584,139 @@
          self.assertEquals(e.__class__, Error)
++    def _check_client_CA_list(self, func):
++        server = self._server(None)
++        client = self._client(None)
++        self.assertEqual(client.get_client_CA_list(), [])
++        self.assertEqual(server.get_client_CA_list(), [])
++        ctx = server.get_context()
++        expected = func(ctx)
++        self.assertEqual(client.get_client_CA_list(), [])
++        self.assertEqual(server.get_client_CA_list(), expected)
++        self._loopback(client, server)
++        self.assertEqual(client.get_client_CA_list(), expected)
++        self.assertEqual(server.get_client_CA_list(), expected)
++
++
++    def test_set_client_CA_list_basic(self):
++        """
++        Test paramater validation and return value for
++        L{Context.set_client_CA_list}.
++        """
++        ctx = Context(TLSv1_METHOD)
++        self.assertRaises(TypeError, ctx.set_client_CA_list, "spam")
++        self.assertRaises(TypeError, ctx.set_client_CA_list, ["spam"])
++        self.assertIdentical(ctx.set_client_CA_list([]), None)
++
++
++    def test_set_client_CA_list_functional(self):
++        """
++        The list of CAs set by L{Context.set_client_CA_list} and read by
++        L{Connection.get_client_CA_list} should match on server and
++        client side.
++        """
++        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
++        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
++        clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
++
++        cadesc = cacert.get_subject()
++        sedesc = secert.get_subject()
++        cldesc = clcert.get_subject()
++
++        def single_CA(ctx):
++            ctx.set_client_CA_list([cadesc])
++            return [cadesc]
++        self._check_client_CA_list(single_CA)
++
++        def no_CA(ctx):
++            ctx.set_client_CA_list([])
++            return []
++        self._check_client_CA_list(no_CA)
++
++        def multiple_CA(ctx):
++            L = [cadesc, sedesc, cldesc]
++            ctx.set_client_CA_list(L)
++            return L
++        self._check_client_CA_list(multiple_CA)
++
++        def changed_CA(ctx):
++            ctx.set_client_CA_list([sedesc, cldesc])
++            ctx.set_client_CA_list([cadesc])
++            return [cadesc]
++        self._check_client_CA_list(changed_CA)
++
++        def mutated_CA(ctx):
++            L = [cadesc]
++            ctx.set_client_CA_list([cadesc])
++            L.append(sedesc)
++            return [cadesc]
++        self._check_client_CA_list(mutated_CA)
++
++
++    def test_add_client_CA_basic(self):
++        """
++        Test paramater validation and return value for
++        L{Context.add_client_CA}.
++        """
++        ctx = Context(TLSv1_METHOD)
++        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
++        self.assertRaises(TypeError, ctx.add_client_CA, "spam")
++        self.assertIdentical(ctx.add_client_CA(cacert), None)
++
++
++    def test_add_client_CA_functional(self):
++        """
++        The list of CAs set by L{Context.add_client_CA} and read by
++        L{Connection.get_client_CA_list} should match on server and
++        client side.
++        """
++        cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
++        secert = load_certificate(FILETYPE_PEM, server_cert_pem)
++        clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
++
++        cadesc = cacert.get_subject()
++        sedesc = secert.get_subject()
++        cldesc = clcert.get_subject()
++
++        def single_CA(ctx):
++            ctx.add_client_CA(cacert)
++            return [cadesc]
++        self._check_client_CA_list(single_CA)
++
++        def multiple_CA(ctx):
++            ctx.add_client_CA(cacert)
++            ctx.add_client_CA(secert)
++            return [cadesc, sedesc]
++        self._check_client_CA_list(multiple_CA)
++
++        def mixed_set_add_CA(ctx):
++            ctx.set_client_CA_list([cadesc, sedesc])
++            ctx.add_client_CA(clcert)
++            return [cadesc, sedesc, cldesc]
++        self._check_client_CA_list(mixed_set_add_CA)
++
++        def set_replaces_add_CA(ctx):
++            ctx.add_client_CA(clcert)
++            ctx.set_client_CA_list([cadesc])
++            ctx.add_client_CA(secert)
++            return [cadesc, sedesc]
++        self._check_client_CA_list(set_replaces_add_CA)
++
++
++class ModuleTests(TestCase):
++    """
++    Tests for all objects in L{OpenSSL.crypto} module.
++    """
++
++    def test_type_module_name(self):
++        """
++        Test that all types have a sane C{__module__} attribute.
++        """
++        for name, obj in vars(SSL).items():
++            if isinstance(obj, type):
++                self.assertEqual(obj.__module__, "OpenSSL.SSL", name)
++
++
  if __name__ == '__main__':
      main()