Allow Connection.get_peer_certificate to return a cryptography certif…

…icate
pyca · Aug 9, 2024 · e1d932a · e1d932a
1 parent 38d8b04
commit e1d932a
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 3 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -21,7 +21,7 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
-* ``OpenSSL.SSL.Connection.get_certificate`` now takes an ``as_cryptography`` keyword-argument. When ``True`` is passed then a ``cryptography.x509.Certificate`` is returned, instead of an ``OpenSSL.crypto.X509``. In the future, passing ``False`` (the default) will be deprecated.
+* ``OpenSSL.SSL.Connection.get_certificate`` and ``OpenSSL.SSL.Connection.get_peer_certificate`` now take an ``as_cryptography`` keyword-argument. When ``True`` is passed then a ``cryptography.x509.Certificate`` is returned, instead of an ``OpenSSL.crypto.X509``. In the future, passing ``False`` (the default) will be deprecated.
 
 
 24.2.1 (2024-07-20)

diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
@@ -2735,15 +2735,42 @@ def get_certificate(
             return pycert
         return None
 
-    def get_peer_certificate(self) -> X509 | None:
+    @typing.overload
+    def get_peer_certificate(
+        self, *, as_cryptography: typing.Literal[True]
+    ) -> x509.Certificate | None:
+        pass
+
+    @typing.overload
+    def get_peer_certificate(
+        self, *, as_cryptography: typing.Literal[False] = False
+    ) -> X509 | None:
+        pass
+
+    @typing.overload
+    def get_peer_certificate(
+        self, *, as_cryptography: bool = False
+    ) -> X509 | x509.Certificate | None:
+        pass
+
+    def get_peer_certificate(
+        self, *, as_cryptography: bool = False
+    ) -> X509 | x509.Certificate | None:
         """
         Retrieve the other side's certificate (if any)
 
+        :param bool as_cryptography: Controls whether a
+            ``cryptography.x509.Certificate`` or an ``OpenSSL.crypto.X509``
+            object should be returned.
+
         :return: The peer's certificate
         """
         cert = _lib.SSL_get_peer_certificate(self._ssl)
         if cert != _ffi.NULL:
-            return X509._from_raw_x509_ptr(cert)
+            pycert = X509._from_raw_x509_ptr(cert)
+            if as_cryptography:
+                return pycert.to_cryptography()
+            return pycert
         return None
 
     @staticmethod

diff --git a/tests/test_ssl.py b/tests/test_ssl.py
@@ -1073,6 +1073,14 @@ def _load_verify_locations_test(self, *args):
         cert = clientSSL.get_peer_certificate()
         assert cert.get_subject().CN == "Testing Root CA"
 
+        cryptography_cert = clientSSL.get_peer_certificate(
+            as_cryptography=True
+        )
+        assert (
+            cryptography_cert.subject.rfc4514_string()
+            == "CN=Testing Root CA,O=Testing,L=Chicago,ST=IL,C=US"
+        )
+
     def _load_verify_cafile(self, cafile):
         """
         Verify that if path to a file containing a certificate is passed to