/gdata/tlslite/Checker.py
http://radioappz.googlecode.com/ · Python · 146 lines · 112 code · 10 blank · 24 comment · 3 complexity · b387eac9221fd2c33dbf0629016f20d6 MD5 · raw file
- """Class for post-handshake certificate checking."""
- from utils.cryptomath import hashAndBase64
- from X509 import X509
- from X509CertChain import X509CertChain
- from errors import *
- class Checker:
- """This class is passed to a handshake function to check the other
- party's certificate chain.
- If a handshake function completes successfully, but the Checker
- judges the other party's certificate chain to be missing or
- inadequate, a subclass of
- L{tlslite.errors.TLSAuthenticationError} will be raised.
- Currently, the Checker can check either an X.509 or a cryptoID
- chain (for the latter, cryptoIDlib must be installed).
- """
- def __init__(self, cryptoID=None, protocol=None,
- x509Fingerprint=None,
- x509TrustList=None, x509CommonName=None,
- checkResumedSession=False):
- """Create a new Checker instance.
- You must pass in one of these argument combinations:
- - cryptoID[, protocol] (requires cryptoIDlib)
- - x509Fingerprint
- - x509TrustList[, x509CommonName] (requires cryptlib_py)
- @type cryptoID: str
- @param cryptoID: A cryptoID which the other party's certificate
- chain must match. The cryptoIDlib module must be installed.
- Mutually exclusive with all of the 'x509...' arguments.
- @type protocol: str
- @param protocol: A cryptoID protocol URI which the other
- party's certificate chain must match. Requires the 'cryptoID'
- argument.
- @type x509Fingerprint: str
- @param x509Fingerprint: A hex-encoded X.509 end-entity
- fingerprint which the other party's end-entity certificate must
- match. Mutually exclusive with the 'cryptoID' and
- 'x509TrustList' arguments.
- @type x509TrustList: list of L{tlslite.X509.X509}
- @param x509TrustList: A list of trusted root certificates. The
- other party must present a certificate chain which extends to
- one of these root certificates. The cryptlib_py module must be
- installed. Mutually exclusive with the 'cryptoID' and
- 'x509Fingerprint' arguments.
- @type x509CommonName: str
- @param x509CommonName: The end-entity certificate's 'CN' field
- must match this value. For a web server, this is typically a
- server name such as 'www.amazon.com'. Mutually exclusive with
- the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
- 'x509TrustList' argument.
- @type checkResumedSession: bool
- @param checkResumedSession: If resumed sessions should be
- checked. This defaults to False, on the theory that if the
- session was checked once, we don't need to bother
- re-checking it.
- """
- if cryptoID and (x509Fingerprint or x509TrustList):
- raise ValueError()
- if x509Fingerprint and x509TrustList:
- raise ValueError()
- if x509CommonName and not x509TrustList:
- raise ValueError()
- if protocol and not cryptoID:
- raise ValueError()
- if cryptoID:
- import cryptoIDlib #So we raise an error here
- if x509TrustList:
- import cryptlib_py #So we raise an error here
- self.cryptoID = cryptoID
- self.protocol = protocol
- self.x509Fingerprint = x509Fingerprint
- self.x509TrustList = x509TrustList
- self.x509CommonName = x509CommonName
- self.checkResumedSession = checkResumedSession
- def __call__(self, connection):
- """Check a TLSConnection.
- When a Checker is passed to a handshake function, this will
- be called at the end of the function.
- @type connection: L{tlslite.TLSConnection.TLSConnection}
- @param connection: The TLSConnection to examine.
- @raise tlslite.errors.TLSAuthenticationError: If the other
- party's certificate chain is missing or bad.
- """
- if not self.checkResumedSession and connection.resumed:
- return
- if self.cryptoID or self.x509Fingerprint or self.x509TrustList:
- if connection._client:
- chain = connection.session.serverCertChain
- else:
- chain = connection.session.clientCertChain
- if self.x509Fingerprint or self.x509TrustList:
- if isinstance(chain, X509CertChain):
- if self.x509Fingerprint:
- if chain.getFingerprint() != self.x509Fingerprint:
- raise TLSFingerprintError(\
- "X.509 fingerprint mismatch: %s, %s" % \
- (chain.getFingerprint(), self.x509Fingerprint))
- else: #self.x509TrustList
- if not chain.validate(self.x509TrustList):
- raise TLSValidationError("X.509 validation failure")
- if self.x509CommonName and \
- (chain.getCommonName() != self.x509CommonName):
- raise TLSAuthorizationError(\
- "X.509 Common Name mismatch: %s, %s" % \
- (chain.getCommonName(), self.x509CommonName))
- elif chain:
- raise TLSAuthenticationTypeError()
- else:
- raise TLSNoAuthenticationError()
- elif self.cryptoID:
- import cryptoIDlib.CertChain
- if isinstance(chain, cryptoIDlib.CertChain.CertChain):
- if chain.cryptoID != self.cryptoID:
- raise TLSFingerprintError(\
- "cryptoID mismatch: %s, %s" % \
- (chain.cryptoID, self.cryptoID))
- if self.protocol:
- if not chain.checkProtocol(self.protocol):
- raise TLSAuthorizationError(\
- "cryptoID protocol mismatch")
- if not chain.validate():
- raise TLSValidationError("cryptoID validation failure")
- elif chain:
- raise TLSAuthenticationTypeError()
- else:
- raise TLSNoAuthenticationError()