From 72d28500b3c5e6f4051826432b2a801ce4e556f4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@cheimes.de>
Date: Sat, 23 Nov 2013 13:56:58 +0100
Subject: Issue #19292: Add SSLContext.load_default_certs() to load default
 root CA certificates from default stores or system stores. By default the
 method loads CA certs for authentication of server certs.

---
 Doc/library/ssl.rst  | 31 ++++++++++++++++++++++++++++++-
 Lib/ssl.py           | 28 ++++++++++++++++++++++++++++
 Lib/test/test_ssl.py | 32 ++++++++++++++++++++++++++++++++
 Misc/NEWS            |  4 ++++
 4 files changed, 94 insertions(+), 1 deletion(-)

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 7a7ddac..8d14ae9 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -681,6 +681,20 @@ Constants
 
    .. versionadded:: 3.4
 
+.. data:: Purpose.SERVER_AUTH
+
+   Option for :meth:`SSLContext.load_default_certs` to load CA certificates
+   for TLS web server authentication (client side socket).
+
+   .. versionadded:: 3.4
+
+.. data:: Purpose.clientAuth
+
+   Option for :meth:`SSLContext.load_default_certs` to load CA certificates
+   for TLS web client authentication (server side socket).
+
+   .. versionadded:: 3.4
+
 
 SSL Sockets
 -----------
@@ -903,6 +917,22 @@ to speed up repeated connections from the same clients.
    .. versionchanged:: 3.3
       New optional argument *password*.
 
+.. method:: SSLContext.load_default_certs(purpose=Purpose.SERVER_AUTH)
+
+   Load a set of default "certification authority" (CA) certificates from
+   default locations. On Windows it loads CA certs from the ``CA`` and
+   ``ROOT`` system stores. On other systems it calls
+   :meth:`SSLContext.set_default_verify_paths`. In the future the method may
+   load CA certificates from other locations, too.
+
+   The *purpose* flag specifies what kind of CA certificates are loaded. The
+   default settings :data:`Purpose.SERVER_AUTH` loads certificates, that are
+   flagged and trusted for TLS web server authentication (client side
+   sockets). :data:`Purpose.clientAuth` loads CA certificates for client
+   certificate verification on the server side.
+
+   .. versionadded:: 3.4
+
 .. method:: SSLContext.load_verify_locations(cafile=None, capath=None, cadata=None)
 
    Load a set of "certification authority" (CA) certificates used to validate
@@ -931,7 +961,6 @@ to speed up repeated connections from the same clients.
    .. versionchanged:: 3.4
       New optional argument *cadata*
 
-
 .. method:: SSLContext.get_ca_certs(binary_form=False)
 
    Get a list of loaded "certification authority" (CA) certificates. If the
diff --git a/Lib/ssl.py b/Lib/ssl.py
index d4c7bad..e668dc1 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -92,6 +92,7 @@ import re
 import sys
 import os
 from collections import namedtuple
+from enum import Enum as _Enum
 
 import _ssl             # if we can't import it, let the error propagate
 
@@ -298,11 +299,19 @@ class _ASN1Object(namedtuple("_ASN1Object", "nid shortname longname oid")):
         return super().__new__(cls, *_txt2obj(name, name=True))
 
 
+class Purpose(_ASN1Object, _Enum):
+    """SSLContext purpose flags with X509v3 Extended Key Usage objects
+    """
+    SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
+    CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
+
+
 class SSLContext(_SSLContext):
     """An SSLContext holds various SSL-related configuration options and
     data, such as certificates and possibly a private key."""
 
     __slots__ = ('protocol', '__weakref__')
+    _windows_cert_stores = ("CA", "ROOT")
 
     def __new__(cls, protocol, *args, **kwargs):
         self = _SSLContext.__new__(cls, protocol)
@@ -334,6 +343,25 @@ class SSLContext(_SSLContext):
 
         self._set_npn_protocols(protos)
 
+    def _load_windows_store_certs(self, storename, purpose):
+        certs = bytearray()
+        for cert, encoding, trust in enum_certificates(storename):
+            # CA certs are never PKCS#7 encoded
+            if encoding == "x509_asn":
+                if trust is True or purpose.oid in trust:
+                    certs.extend(cert)
+        self.load_verify_locations(cadata=certs)
+        return certs
+
+    def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
+        if not isinstance(purpose, _ASN1Object):
+            raise TypeError(purpose)
+        if sys.platform == "win32":
+            for storename in self._windows_cert_stores:
+                self._load_windows_store_certs(storename, purpose)
+        else:
+            self.set_default_verify_paths()
+
 
 class SSLSocket(socket):
     """This class implements a subtype of socket.socket that wraps
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d6a7443..722d331 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -611,6 +611,23 @@ class BasicSocketTests(unittest.TestCase):
         with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
             ssl._ASN1Object.fromname('serverauth')
 
+    def test_purpose_enum(self):
+        val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
+        self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
+        self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
+        self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
+        self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
+        self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
+                              '1.3.6.1.5.5.7.3.1')
+
+        val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
+        self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
+        self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
+        self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
+        self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
+        self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
+                              '1.3.6.1.5.5.7.3.2')
+
 
 class ContextTests(unittest.TestCase):
 
@@ -967,6 +984,21 @@ class ContextTests(unittest.TestCase):
         der = ssl.PEM_cert_to_DER_cert(pem)
         self.assertEqual(ctx.get_ca_certs(True), [der])
 
+    def test_load_default_certs(self):
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+        ctx.load_default_certs()
+
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
+        ctx.load_default_certs()
+
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+        ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
+
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+        self.assertRaises(TypeError, ctx.load_default_certs, None)
+        self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
+
 
 class SSLErrorTests(unittest.TestCase):
 
diff --git a/Misc/NEWS b/Misc/NEWS
index ed04e36..ac04743 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -68,6 +68,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #19292: Add SSLContext.load_default_certs() to load default root CA
+  certificates from default stores or system stores. By default the method
+  loads CA certs for authentication of server certs.
+
 - Issue #19673: Add pathlib to the stdlib as a provisional module (PEP 428).
 
 - Issue #17916: Added dis.Bytecode.from_traceback() and
-- 
cgit v0.12