/gdata/tlslite/integration/ClientHelper.py


  1. """
  2. A helper class for using TLS Lite with stdlib clients
  3. (httplib, xmlrpclib, imaplib, poplib).
  4. """
  5. from gdata.tlslite.Checker import Checker
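class ClientHelper:
    """Helper used to integrate TLS Lite with various stdlib TLS clients
    (e.g. poplib, smtplib, httplib, etc.).

    The constructor only validates and stores the authentication
    arguments; the handshake itself happens in L{_handshake}, which the
    client wrappers call once a socket is connected.
    """

    def __init__(self,
                 username=None, password=None, sharedKey=None,
                 certChain=None, privateKey=None,
                 cryptoID=None, protocol=None,
                 x509Fingerprint=None,
                 x509TrustList=None, x509CommonName=None,
                 settings=None):
        """
        For client authentication, use one of these argument
        combinations:
          - username, password (SRP)
          - username, sharedKey (shared-key)
          - certChain, privateKey (certificate)

        For server authentication, you can either rely on the
        implicit mutual authentication performed by SRP or
        shared-keys, or you can do certificate-based server
        authentication with one of these argument combinations:
          - cryptoID[, protocol] (requires cryptoIDlib)
          - x509Fingerprint
          - x509TrustList[, x509CommonName] (requires cryptlib_py)

        Certificate-based server authentication is compatible with
        SRP or certificate-based client authentication. It is
        not compatible with shared-keys: the shared-key handshake in
        L{_handshake} never consults the checker, so combining
        'sharedKey' with any of 'cryptoID', 'protocol',
        'x509Fingerprint', 'x509TrustList' or 'x509CommonName' raises
        ValueError instead of silently skipping server verification.

        B{Security note:} with certificate-based client authentication,
        or with no client authentication at all, and none of the
        server-authentication arguments, nothing in this class pins the
        server's identity. The resulting connection is presumably
        encrypted but not authenticated (confirm against
        L{tlslite.Checker.Checker}, which receives all-None arguments
        in that case), so it does not protect against an active
        man-in-the-middle.

        The constructor does not perform the TLS handshake itself, but
        simply stores these arguments for later. The handshake is
        performed only when this class needs to connect with the
        server. Then you should be prepared to handle TLS-specific
        exceptions. See the client handshake functions in
        L{tlslite.TLSConnection.TLSConnection} for details on which
        exceptions might be raised.

        @type username: str
        @param username: SRP or shared-key username. Requires the
        'password' or 'sharedKey' argument.

        @type password: str
        @param password: SRP password for mutual authentication.
        Requires the 'username' argument.

        @type sharedKey: str
        @param sharedKey: Shared key for mutual authentication.
        Requires the 'username' argument.

        @type certChain: L{tlslite.X509CertChain.X509CertChain} or
        L{cryptoIDlib.CertChain.CertChain}
        @param certChain: Certificate chain for client authentication.
        Requires the 'privateKey' argument. Excludes the SRP or
        shared-key related arguments.

        @type privateKey: L{tlslite.utils.RSAKey.RSAKey}
        @param privateKey: Private key for client authentication.
        Requires the 'certChain' argument. Excludes the SRP or
        shared-key related arguments.

        @type cryptoID: str
        @param cryptoID: cryptoID for server authentication. Mutually
        exclusive with the 'x509...' arguments.

        @type protocol: str
        @param protocol: cryptoID protocol URI for server
        authentication. Requires the 'cryptoID' argument.

        @type x509Fingerprint: str
        @param x509Fingerprint: Hex-encoded X.509 fingerprint for
        server authentication. Mutually exclusive with the 'cryptoID'
        and 'x509TrustList' arguments.

        @type x509TrustList: list of L{tlslite.X509.X509}
        @param x509TrustList: A list of trusted root certificates. The
        other party must present a certificate chain which extends to
        one of these root certificates. The cryptlib_py module must be
        installed to use this parameter. Mutually exclusive with the
        'cryptoID' and 'x509Fingerprint' arguments.

        @type x509CommonName: str
        @param x509CommonName: The end-entity certificate's 'CN' field
        must match this value. For a web server, this is typically a
        server name such as 'www.amazon.com'. Mutually exclusive with
        the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
        'x509TrustList' argument.

        @type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
        @param settings: Various settings which can be used to control
        the ciphersuites, certificate types, and SSL/TLS versions
        offered by the client.

        @raise ValueError: if the client-authentication arguments do not
        form exactly one of the combinations listed above, or if
        'sharedKey' is combined with any certificate-based
        server-authentication argument.
        """
        self.username = None
        self.password = None
        self.sharedKey = None
        self.certChain = None
        self.privateKey = None
        self.checker = None

        # Exactly one client-authentication combination may be given;
        # every branch requires the other combinations' arguments to be
        # absent so a caller cannot accidentally mix mechanisms.

        #SRP Authentication
        if (username and password
                and not (sharedKey or certChain or privateKey)):
            self.username = username
            self.password = password

        #Shared Key Authentication
        elif (username and sharedKey
                and not (password or certChain or privateKey)):
            self.username = username
            self.sharedKey = sharedKey

        #Certificate Chain Authentication
        elif (certChain and privateKey
                and not (username or password or sharedKey)):
            self.certChain = certChain
            self.privateKey = privateKey

        #No Authentication
        elif not (username or password or sharedKey
                  or certChain or privateKey):
            pass

        else:
            raise ValueError("Bad parameters")

        #Authenticate the server based on its cryptoID or fingerprint.
        # The shared-key handshake (see _handshake) takes no checker, so
        # any server-authentication argument passed alongside a shared
        # key would be silently ignored; fail loudly instead. This covers
        # the x509TrustList/x509CommonName pair as well, which the
        # docstring has always declared incompatible with shared keys.
        if sharedKey and (cryptoID or protocol or x509Fingerprint
                          or x509TrustList or x509CommonName):
            raise ValueError("Can't use shared keys with other forms of "
                             "authentication")

        # Mutual exclusivity among cryptoID / x509Fingerprint /
        # x509TrustList is left to Checker; with all arguments None the
        # checker is still constructed (see the security note above).
        self.checker = Checker(cryptoID, protocol, x509Fingerprint,
                               x509TrustList, x509CommonName)
        self.settings = settings

        # Session from the most recent handshake; offered for resumption
        # on later connections (see _handshake).
        self.tlsSession = None

    def _handshake(self, tlsConnection):
        """Run the client-side handshake on an already-connected connection.

        Dispatches on the client-authentication arguments stored by
        C{__init__}: SRP, shared-key, or certificate. The certificate
        branch is also taken when no client authentication was
        requested, in which case C{certChain} and C{privateKey} are both
        C{None}. The SRP and certificate branches hand C{self.checker}
        to the handshake; the shared-key branch does not, and relies on
        the shared key alone for server authentication.

        After the handshake, C{tlsConnection.session} is stored in
        C{self.tlsSession} and passed to the next SRP or certificate
        handshake for resumption. Whether the checker is re-run on a
        resumed session is decided by the Checker/TLSConnection code,
        not here -- NOTE(review): confirm before relying on per-connection
        re-verification.

        @type tlsConnection: L{tlslite.TLSConnection.TLSConnection}
        @param tlsConnection: connection whose socket is already
        connected. TLS-specific exceptions raised by the handshake
        propagate to the caller.
        """
        if self.username and self.password:
            tlsConnection.handshakeClientSRP(username=self.username,
                                             password=self.password,
                                             checker=self.checker,
                                             settings=self.settings,
                                             session=self.tlsSession)
        elif self.username and self.sharedKey:
            # No checker and no session here: the shared-key handshake
            # API takes neither.
            tlsConnection.handshakeClientSharedKey(username=self.username,
                                                   sharedKey=self.sharedKey,
                                                   settings=self.settings)
        else:
            tlsConnection.handshakeClientCert(certChain=self.certChain,
                                              privateKey=self.privateKey,
                                              checker=self.checker,
                                              settings=self.settings,
                                              session=self.tlsSession)
        self.tlsSession = tlsConnection.session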