Add function to SSL module to get all available TLS signature algorithms

Author: ronf

Doc/library/ssl.rst

@@ -215,6 +215,25 @@ purposes.
       :data:`VERIFY_X509_STRICT` in its default verify flags.
 
 
+Signature algorithms
+^^^^^^^^^^^^^^^^^^^^
+
+.. function: get_sigalgs()
+
+   Return a list of available TLS signature algorithm names used
+   by servers to complete the TLS handshake or clients requesting
+   certificate-based authentication. For example::
+
+       >>> ssl.get_sigalgs()  # doctest: +SKIP
+       ['ecdsa_secp256r1_sha256', 'ecdsa_secp384r1_sha384', ...]
+
+   These names can be used when building string values to pass to the
+   :meth:`SSLContext.set_client_sigalgs` and
+   :meth:`SSLContext.set_server_sigalgs` methods.
+
+   .. versionadded:: next
+
+
 Exceptions
 ^^^^^^^^^^
 

Doc/whatsnew/3.15.rst

@@ -435,6 +435,8 @@ ssl
 
 * Added new methods for managing signature algorithms:
 
+  * :func:`ssl.get_sigalgs` returns a list of all available TLS signature
+    algorithms. This call requires OpenSSL 3.4 or later.
   * :meth:`ssl.SSLContext.set_client_sigalgs` sets the signature algorithms
     allowed for certificate-based client authentication.
   * :meth:`ssl.SSLContext.set_server_sigalgs` sets the signature algorithms

Lib/ssl.py

@@ -112,6 +112,7 @@
 except ImportError:
     # RAND_egd is not supported on some platforms
     pass
+from _ssl import get_sigalgs
 
 
 from _ssl import (

Lib/test/test_ssl.py

@@ -51,6 +51,7 @@
 CAN_GET_SELECTED_OPENSSL_GROUP = ssl.OPENSSL_VERSION_INFO >= (3, 2)
 CAN_IGNORE_UNKNOWN_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 3)
 CAN_GET_AVAILABLE_OPENSSL_GROUPS = ssl.OPENSSL_VERSION_INFO >= (3, 5)
+CAN_GET_AVAILABLE_OPENSSL_SIGALGS = ssl.OPENSSL_VERSION_INFO >= (3, 4)
 CAN_SET_CLIENT_SIGALGS = "AWS-LC" not in ssl.OPENSSL_VERSION
 CAN_IGNORE_UNKNOWN_OPENSSL_SIGALGS = ssl.OPENSSL_VERSION_INFO >= (3, 3)
 CAN_GET_SELECTED_OPENSSL_SIGALG = ssl.OPENSSL_VERSION_INFO >= (3, 5)
@@ -998,6 +999,11 @@ def test_get_groups(self):
         self.assertNotIn('P-256', ctx.get_groups())
         self.assertIn('P-256', ctx.get_groups(include_aliases=True))
 
+    @unittest.skipUnless(CAN_GET_AVAILABLE_OPENSSL_SIGALGS,
+                         "SSL library doesn't support getting sigalgs")
+    def test_get_sigalgs(self):
+        self.assertIn('rsa_pss_rsae_sha256', ssl.get_sigalgs())
+
     @unittest.skipUnless(CAN_SET_CLIENT_SIGALGS,
                          "SSL library doesn't support setting client sigalgs")
     def test_set_client_sigalgs(self):

Modules/_ssl.c

@@ -6338,6 +6338,66 @@ _ssl_get_default_verify_paths_impl(PyObject *module)
     return NULL;
 }
 
+/*[clinic input]
+@critical_section
+_ssl.get_sigalgs
+[clinic start generated code]*/
+
+static PyObject *
+_ssl_get_sigalgs_impl(PyObject *module)
+/*[clinic end generated code: output=ab0791b63856854b input=bf74cdad3a19d29e]*/
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30400000L
+    const char *sigalgs_list, *sigalg, *end;
+    PyObject *item, *result = NULL;
+    size_t len;
+
+    if ((sigalgs_list = SSL_get1_builtin_sigalgs(NULL)) == NULL) {
+        PyErr_NoMemory();
+        goto error;
+    }
+
+    result = PyList_New(0);
+    if (result == NULL) {
+        PyErr_NoMemory();
+        goto error;
+    }
+
+    sigalg = sigalgs_list;
+    while (sigalg) {
+        end = strchr(sigalg, ':');
+        len = end? end - sigalg : strlen(sigalg);
+
+        // Alg names are plain ASCII, so there's no chance of a decoding
+        // error here. However, an allocation failure could occur when
+        // constructing the Unicode version of the names.
+        item = PyUnicode_DecodeASCII(sigalg, len, "strict");
+        if (item == NULL) {
+            goto error;
+        }
+
+        if (PyList_Append(result, item) == -1) {
+            Py_DECREF(item);
+            goto error;
+        }
+
+        Py_DECREF(item);
+        sigalg = end? end + 1 : end;
+    }
+
+    OPENSSL_free((void *)sigalgs_list);
+    return result;
+error:
+    OPENSSL_free((void *)sigalgs_list);
+    Py_XDECREF(result);
+    return NULL;
+#else
+    PyErr_SetString(PyExc_NotImplementedError,
+                    "Getting signature algorithms requires OpenSSL 3.4 or later.");
+    return NULL;
+#endif
+}
+
 static PyObject*
 asn1obj2py(_sslmodulestate *state, ASN1_OBJECT *obj)
 {
@@ -6741,6 +6801,7 @@ static PyMethodDef PySSL_methods[] = {
     _SSL_RAND_BYTES_METHODDEF
     _SSL_RAND_STATUS_METHODDEF
     _SSL_GET_DEFAULT_VERIFY_PATHS_METHODDEF
+    _SSL_GET_SIGALGS_METHODDEF
     _SSL_ENUM_CERTIFICATES_METHODDEF
     _SSL_ENUM_CRLS_METHODDEF
     _SSL_TXT2OBJ_METHODDEF