Implement support for OPT_X_TLS_PEERCERT

tiran · graingert · tiran · commit 9863bb7407a7 · 2021-09-16T13:57:21.000+02:00
Co-authored-by: Thomas Grainger &lt;tagrain@gmail.com&gt;
Signed-off-by: Christian Heimes &lt;cheimes@redhat.com&gt;
diff --git a/Doc/reference/ldap.rst b/Doc/reference/ldap.rst
@@ -406,7 +406,12 @@ TLS options
 
 .. py:data:: OPT_X_TLS_PEERCERT
 
-   Get peer's certificate as binary ASN.1 data structure (not supported)
+   Get peer's certificate as binary ASN.1 data structure (DER)
+
+   .. versionadded:: 3.4.0
+
+   .. note::
+      The option leaks memory with OpenLDAP < 2.5.8.
 
 .. py:data:: OPT_X_TLS_PROTOCOL_MIN
 
diff --git a/Modules/options.c b/Modules/options.c
@@ -5,6 +5,7 @@
 #include "LDAPObject.h"
 #include "ldapcontrol.h"
 #include "options.h"
+#include "berval.h"
 
 void
 set_timeval_from_double(struct timeval *tv, double d)
@@ -58,6 +59,9 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
     case LDAP_OPT_API_FEATURE_INFO:
 #ifdef HAVE_SASL
     case LDAP_OPT_X_SASL_SSF:
+#endif
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+    case LDAP_OPT_X_TLS_PEERCERT:
 #endif
         /* Read-only options */
         PyErr_SetString(PyExc_ValueError, "read-only option");
@@ -256,6 +260,9 @@ LDAP_get_option(LDAPObject *self, int option)
 #if HAVE_SASL
     /* unsigned long */
     ber_len_t blen;
+#endif
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+    struct berval bv = {0};
 #endif
     PyObject *extensions, *v;
     Py_ssize_t i, num_extensions;
@@ -424,7 +431,22 @@ LDAP_get_option(LDAPObject *self, int option)
         v = LDAPControls_to_List(lcs);
         ldap_controls_free(lcs);
         return v;
-
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+    case LDAP_OPT_X_TLS_PEERCERT:
+        res = LDAP_int_get_option(self, option, &bv);
+        if (res != LDAP_OPT_SUCCESS) {
+            return option_error(res, "ldap_get_option");
+        }
+        if (bv.bv_len == 0) {
+            Py_RETURN_NONE;
+        } else {
+            v = LDAPberval_to_object(&bv);
+            /* bv_val memory is allocated with ber_memalloc_x()
+             * context allocation/dealloc is a private API. */
+            ber_memfree(bv.bv_val);
+            return v;
+        }
+#endif
     default:
         PyErr_Format(PyExc_ValueError, "unknown option %d", option);
         return NULL;
diff --git a/Tests/t_ldapobject.py b/Tests/t_ldapobject.py
@@ -20,6 +20,11 @@
 from slapdtest import requires_ldapi, requires_sasl, requires_tls
 from slapdtest import requires_init_fd
 
+try:
+    from ssl import PEM_cert_to_DER_cert
+except ImportError:
+    PEM_cert_to_DER_cert = None
+
 
 LDIF_TEMPLATE = """dn: %(suffix)s
 objectClass: dcObject
@@ -418,6 +423,36 @@ def test_multiple_starttls(self):
             l.simple_bind_s(self.server.root_dn, self.server.root_pw)
             self.assertEqual(l.whoami_s(), 'dn:' + self.server.root_dn)
 
+    @requires_tls()
+    @unittest.skipUnless(
+        hasattr(ldap, "OPT_X_TLS_PEERCERT"),
+        reason="Requires OPT_X_TLS_PEERCERT"
+    )
+    def test_get_tls_peercert(self):
+        l = self.ldap_object_class(self.server.ldap_uri)
+        peercert = l.get_option(ldap.OPT_X_TLS_PEERCERT)
+        self.assertEqual(peercert, None)
+        with self.assertRaises(ValueError):
+            l.set_option(ldap.OPT_X_TLS_PEERCERT, b"")
+
+        l.set_option(ldap.OPT_X_TLS_CACERTFILE, self.server.cafile)
+        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+        l.start_tls_s()
+
+        peercert = l.get_option(ldap.OPT_X_TLS_PEERCERT)
+        self.assertTrue(peercert)
+        self.assertIsInstance(peercert, bytes)
+
+        if PEM_cert_to_DER_cert is not None:
+            with open(self.server.servercert) as f:
+                server_pem = f.read()
+            # remove text
+            begin = server_pem.find("-----BEGIN CERTIFICATE-----")
+            server_pem = server_pem[begin:-1]
+
+            server_der = PEM_cert_to_DER_cert(server_pem)
+            self.assertEqual(server_der, peercert)
+
     def test_dse(self):
         dse = self._ldap_conn.read_rootdse_s()
         self.assertIsInstance(dse, dict)
