Implement support for OPT_X_TLS_PEERCERT

tiran · graingert · mistotebe · commit 610b2ee59129 · 2022-04-20T14:50:58.000+01:00
Co-authored-by: Thomas Grainger &lt;tagrain@gmail.com&gt;
Signed-off-by: Christian Heimes &lt;cheimes@redhat.com&gt;
diff --git a/Doc/reference/ldap.rst b/Doc/reference/ldap.rst
@@ -406,7 +406,12 @@ TLS options
 
 .. py:data:: OPT_X_TLS_PEERCERT
 
-   Get peer's certificate as binary ASN.1 data structure (not supported)
+   Get peer's certificate as binary ASN.1 data structure (DER)
+
+   .. versionadded:: 3.4.1
+
+   .. note::
+      The option leaks memory with OpenLDAP < 2.5.8.
 
 .. py:data:: OPT_X_TLS_PROTOCOL_MIN
 
diff --git a/Lib/ldap/constants.py b/Lib/ldap/constants.py
@@ -301,6 +301,9 @@ class Str(Constant):
     # Added in OpenLDAP 2.4.52
     TLSInt('OPT_X_TLS_REQUIRE_SAN', optional=True),
 
+    # Added in OpenLDAP 2.5
+    TLSInt('OPT_X_TLS_PEERCERT', optional=True),
+
     Int('OPT_X_SASL_MECH'),
     Int('OPT_X_SASL_REALM'),
     Int('OPT_X_SASL_AUTHCID'),
diff --git a/Modules/berval.c b/Modules/berval.c
@@ -17,7 +17,7 @@ LDAPberval_to_object(const struct berval *bv)
 {
     PyObject *ret = NULL;
 
-    if (!bv) {
+    if (!bv || !bv->bv_val) {
         ret = Py_None;
         Py_INCREF(ret);
     }
diff --git a/Modules/constants_generated.h b/Modules/constants_generated.h
@@ -263,6 +263,11 @@ add_int(OPT_X_TLS_PACKAGE);
 add_int(OPT_X_TLS_REQUIRE_SAN);
 #endif
 
+
+#if defined(LDAP_OPT_X_TLS_PEERCERT)
+add_int(OPT_X_TLS_PEERCERT);
+#endif
+
 #endif
 
 add_int(OPT_X_SASL_MECH);
diff --git a/Modules/options.c b/Modules/options.c
@@ -5,6 +5,7 @@
 #include "LDAPObject.h"
 #include "ldapcontrol.h"
 #include "options.h"
+#include "berval.h"
 
 void
 set_timeval_from_double(struct timeval *tv, double d)
@@ -58,6 +59,9 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
     case LDAP_OPT_API_FEATURE_INFO:
 #ifdef HAVE_SASL
     case LDAP_OPT_X_SASL_SSF:
+#endif
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+    case LDAP_OPT_X_TLS_PEERCERT:
 #endif
         /* Read-only options */
         PyErr_SetString(PyExc_ValueError, "read-only option");
@@ -254,6 +258,7 @@ LDAP_get_option(LDAPObject *self, int option)
     LDAPAPIInfo apiinfo;
     LDAPControl **lcs;
     char *strval;
+    struct berval berbytes;
 #if HAVE_SASL
     /* unsigned long */
     ber_len_t blen;
@@ -406,6 +411,19 @@ LDAP_get_option(LDAPObject *self, int option)
         ldap_memfree(strval);
         return v;
 
+#ifdef HAVE_TLS
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+    case LDAP_OPT_X_TLS_PEERCERT:
+#endif
+#endif
+        /* Options dealing with raw data */
+        res = LDAP_int_get_option(self, option, &berbytes);
+        if (res != LDAP_OPT_SUCCESS)
+            return option_error(res, "ldap_get_option");
+        v = LDAPberval_to_object(&berbytes);
+        ldap_memfree(berbytes.bv_val);
+        return v;
+
     case LDAP_OPT_TIMEOUT:
     case LDAP_OPT_NETWORK_TIMEOUT:
         /* Double-valued timeval options */
diff --git a/Tests/t_ldapobject.py b/Tests/t_ldapobject.py
@@ -20,6 +20,11 @@
 from slapdtest import requires_ldapi, requires_sasl, requires_tls
 from slapdtest import requires_init_fd
 
+try:
+    from ssl import PEM_cert_to_DER_cert
+except ImportError:
+    PEM_cert_to_DER_cert = None
+
 
 LDIF_TEMPLATE = """dn: %(suffix)s
 objectClass: dcObject
@@ -421,6 +426,36 @@ def test_multiple_starttls(self):
             l.simple_bind_s(self.server.root_dn, self.server.root_pw)
             self.assertEqual(l.whoami_s(), 'dn:' + self.server.root_dn)
 
+    @requires_tls()
+    @unittest.skipUnless(
+        hasattr(ldap, "OPT_X_TLS_PEERCERT"),
+        reason="Requires OPT_X_TLS_PEERCERT"
+    )
+    def test_get_tls_peercert(self):
+        l = self.ldap_object_class(self.server.ldap_uri)
+        peercert = l.get_option(ldap.OPT_X_TLS_PEERCERT)
+        self.assertEqual(peercert, None)
+        with self.assertRaises(ValueError):
+            l.set_option(ldap.OPT_X_TLS_PEERCERT, b"")
+
+        l.set_option(ldap.OPT_X_TLS_CACERTFILE, self.server.cafile)
+        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+        l.start_tls_s()
+
+        peercert = l.get_option(ldap.OPT_X_TLS_PEERCERT)
+        self.assertTrue(peercert)
+        self.assertIsInstance(peercert, bytes)
+
+        if PEM_cert_to_DER_cert is not None:
+            with open(self.server.servercert) as f:
+                server_pem = f.read()
+            # remove text
+            begin = server_pem.find("-----BEGIN CERTIFICATE-----")
+            server_pem = server_pem[begin:-1]
+
+            server_der = PEM_cert_to_DER_cert(server_pem)
+            self.assertEqual(server_der, peercert)
+
     def test_dse(self):
         dse = self._ldap_conn.read_rootdse_s()
         self.assertIsInstance(dse, dict)

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ LDAPberval_to_object(const struct berval *bv)`
`17`	`17`	`{`
`18`	`18`	`PyObject *ret = NULL;`
`19`	`19`
`20`		`- if (!bv) {`
	`20`	`+ if (!bv \|\| !bv->bv_val) {`
`21`	`21`	`ret = Py_None;`
`22`	`22`	`Py_INCREF(ret);`
`23`	`23`	`}`