commit 460a19d45425218c34dcb7d6fde478f80a987fea
author Jeremy Lainé <jeremy.laine@m4x.org> Wed May 16 17:44:19 2018
committer Paul Kehrer <paul.l.kehrer@gmail.com> Wed May 16 17:44:19 2018
tree 27a774b3666b094b1677aee76539342a6ca1f5e2
parent e7f334583541e1de98614e76a65b7d04e7be4979

Add Connection.get_certificate method (#733)

This makes it possible to retrieve the local certificate (if any)
for a Connection.

An example where this is useful is when negotiating a DTLS-SRTP
connection, the fingerprint of the local certificate needs to be
communicated to the remote party out-of-band via SDP.

CHANGELOG.rst

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 0d8765f..1a659a0 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -24,6 +24,8 @@
 Changes:
 ^^^^^^^^
 
+- Added ``Connection.get_certificate`` to retrieve the local certificate.
+  `#733 <https://github.com/pyca/pyopenssl/pull/733>`_
 - ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default.
   `#753 <https://github.com/pyca/pyopenssl/pull/753>`_
 - Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material.

src/OpenSSL/SSL.py

diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 4c708ba..e3eddae 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -2176,6 +2176,18 @@
         """
         return self._socket.shutdown(*args, **kwargs)
 
+    def get_certificate(self):
+        """
+        Retrieve the local certificate (if any)
+
+        :return: The local certificate
+        """
+        cert = _lib.SSL_get_certificate(self._ssl)
+        if cert != _ffi.NULL:
+            _lib.X509_up_ref(cert)
+            return X509._from_raw_x509_ptr(cert)
+        return None
+
     def get_peer_certificate(self):
         """
         Retrieve the other side's certificate (if any)

tests/test_ssl.py

diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index b09fce7..0831904 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -2418,6 +2418,31 @@
         with pytest.raises(NotImplementedError):
             conn.makefile()
 
+    def test_get_certificate(self):
+        """
+        `Connection.get_certificate` returns the local certificate.
+        """
+        chain = _create_certificate_chain()
+        [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
+
+        context = Context(TLSv1_METHOD)
+        context.use_certificate(scert)
+        client = Connection(context, None)
+        cert = client.get_certificate()
+        assert cert is not None
+        assert "Server Certificate" == cert.get_subject().CN
+
+    def test_get_certificate_none(self):
+        """
+        `Connection.get_certificate` returns the local certificate.
+
+        If there is no certificate, it returns None.
+        """
+        context = Context(TLSv1_METHOD)
+        client = Connection(context, None)
+        cert = client.get_certificate()
+        assert cert is None
+
     def test_get_peer_cert_chain(self):
         """
         `Connection.get_peer_cert_chain` returns a list of certificates