gh-109109: Expose retrieving certificate chains in SSL module (#109113)

Adds APIs to get the TLS certificate chains, verified or full unverified, from SSLSocket and SSLObject. Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
2025-07-07 19:35:27 +00:00 · 2023-09-20 03:20:54 +02:00 · 2023-09-20 03:20:54 +02:00 · 5a740cd06e
commit 5a740cd06e
parent ddf2e953c2
3 changed files with 63 additions and 4 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -876,6 +876,31 @@ class SSLObject:
        """
        return self._sslobj.getpeercert(binary_form)

+    def get_verified_chain(self):
+        """Returns verified certificate chain provided by the other
+        end of the SSL channel as a list of DER-encoded bytes.
+
+        If certificate verification was disabled method acts the same as
+        ``SSLSocket.get_unverified_chain``.
+        """
+        chain = self._sslobj.get_verified_chain()
+
+        if chain is None:
+            return []
+
+        return [cert.public_bytes(_ssl.ENCODING_DER) for cert in chain]
+
+    def get_unverified_chain(self):
+        """Returns raw certificate chain provided by the other
+        end of the SSL channel as a list of DER-encoded bytes.
+        """
+        chain = self._sslobj.get_unverified_chain()
+
+        if chain is None:
+            return []
+
+        return [cert.public_bytes(_ssl.ENCODING_DER) for cert in chain]
+
    def selected_npn_protocol(self):
        """Return the currently selected NPN protocol as a string, or ``None``
        if a next protocol was not negotiated or if NPN is not supported by one
@ -1129,6 +1154,14 @@ class SSLSocket(socket):
        self._check_connected()
        return self._sslobj.getpeercert(binary_form)

+    @_sslcopydoc
+    def get_verified_chain(self):
+        return self._sslobj.get_verified_chain()
+
+    @_sslcopydoc
+    def get_unverified_chain(self):
+        return self._sslobj.get_unverified_chain()
+
    @_sslcopydoc
    def selected_npn_protocol(self):
        self._checkClosed()