Update tlslite to 0.4.6.

third_party/tlslite/tlslite/checker.py

+# Author: Trevor Perrin
+# See the LICENSE file for legal information regarding use of this file.
+
 """Class for post-handshake certificate checking."""
 
-from utils.cryptomath import hashAndBase64
-from x509 import X509
-from x509certchain import X509CertChain
-from errors import *
+from .x509 import X509
+from .x509certchain import X509CertChain
+from .errors import *
 
 
-class Checker:
+class Checker(object):
     """This class is passed to a handshake function to check the other
     party's certificate chain.
 
     If a handshake function completes successfully, but the Checker
     judges the other party's certificate chain to be missing or
     inadequate, a subclass of
     L{tlslite.errors.TLSAuthenticationError} will be raised.
 
-    Currently, the Checker can check either an X.509 or a cryptoID
-    chain (for the latter, cryptoIDlib must be installed).
+    Currently, the Checker can check an X.509 chain.
     """
 
-    def __init__(self, cryptoID=None, protocol=None,
+    def __init__(self, 
                  x509Fingerprint=None,
-                 x509TrustList=None, x509CommonName=None,
                  checkResumedSession=False):
         """Create a new Checker instance.
 
         You must pass in one of these argument combinations:
-         - cryptoID[, protocol] (requires cryptoIDlib)
          - x509Fingerprint
-         - x509TrustList[, x509CommonName] (requires cryptlib_py)
-
-        @type cryptoID: str
-        @param cryptoID: A cryptoID which the other party's certificate
-        chain must match.  The cryptoIDlib module must be installed.
-        Mutually exclusive with all of the 'x509...' arguments.
-
-        @type protocol: str
-        @param protocol: A cryptoID protocol URI which the other
-        party's certificate chain must match.  Requires the 'cryptoID'
-        argument.
 
         @type x509Fingerprint: str
         @param x509Fingerprint: A hex-encoded X.509 end-entity
         fingerprint which the other party's end-entity certificate must
-        match.  Mutually exclusive with the 'cryptoID' and
-        'x509TrustList' arguments.
-
-        @type x509TrustList: list of L{tlslite.X509.X509}
-        @param x509TrustList: A list of trusted root certificates.  The
-        other party must present a certificate chain which extends to
-        one of these root certificates.  The cryptlib_py module must be
-        installed.  Mutually exclusive with the 'cryptoID' and
-        'x509Fingerprint' arguments.
-
-        @type x509CommonName: str
-        @param x509CommonName: The end-entity certificate's 'CN' field
-        must match this value.  For a web server, this is typically a
-        server name such as 'www.amazon.com'.  Mutually exclusive with
-        the 'cryptoID' and 'x509Fingerprint' arguments.  Requires the
-        'x509TrustList' argument.
+        match.
 
         @type checkResumedSession: bool
         @param checkResumedSession: If resumed sessions should be
         checked.  This defaults to False, on the theory that if the
         session was checked once, we don't need to bother
         re-checking it.
         """
 
-        if cryptoID and (x509Fingerprint or x509TrustList):
-            raise ValueError()
-        if x509Fingerprint and x509TrustList:
-            raise ValueError()
-        if x509CommonName and not x509TrustList:
-            raise ValueError()
-        if protocol and not cryptoID:
-            raise ValueError()
-        if cryptoID:
-            import cryptoIDlib #So we raise an error here
-        if x509TrustList:
-            import cryptlib_py #So we raise an error here
-        self.cryptoID = cryptoID
-        self.protocol = protocol
         self.x509Fingerprint = x509Fingerprint
-        self.x509TrustList = x509TrustList
-        self.x509CommonName = x509CommonName
         self.checkResumedSession = checkResumedSession
 
     def __call__(self, connection):
         """Check a TLSConnection.
 
         When a Checker is passed to a handshake function, this will
         be called at the end of the function.
 
-        @type connection: L{tlslite.TLSConnection.TLSConnection}
+        @type connection: L{tlslite.tlsconnection.TLSConnection}
         @param connection: The TLSConnection to examine.
 
         @raise tlslite.errors.TLSAuthenticationError: If the other
         party's certificate chain is missing or bad.
         """
         if not self.checkResumedSession and connection.resumed:
             return
 
-        if self.cryptoID or self.x509Fingerprint or self.x509TrustList:
+        if self.x509Fingerprint:
             if connection._client:
                 chain = connection.session.serverCertChain
             else:
                 chain = connection.session.clientCertChain
 
-            if self.x509Fingerprint or self.x509TrustList:
+            if self.x509Fingerprint:
                 if isinstance(chain, X509CertChain):
                     if self.x509Fingerprint:
                         if chain.getFingerprint() != self.x509Fingerprint:
                             raise TLSFingerprintError(\
                                 "X.509 fingerprint mismatch: %s, %s" % \
                                 (chain.getFingerprint(), self.x509Fingerprint))
-                    else: #self.x509TrustList
-                        if not chain.validate(self.x509TrustList):
-                            raise TLSValidationError("X.509 validation failure")
-                        if self.x509CommonName and \
-                               (chain.getCommonName() != self.x509CommonName):
-                           raise TLSAuthorizationError(\
-                               "X.509 Common Name mismatch: %s, %s" % \
-                               (chain.getCommonName(), self.x509CommonName))
                 elif chain:
                     raise TLSAuthenticationTypeError()
                 else:
-                    raise TLSNoAuthenticationError()
-            elif self.cryptoID:
-                import cryptoIDlib.CertChain
-                if isinstance(chain, cryptoIDlib.CertChain.CertChain):
-                    if chain.cryptoID != self.cryptoID:
-                        raise TLSFingerprintError(\
-                            "cryptoID mismatch: %s, %s" % \
-                            (chain.cryptoID, self.cryptoID))
-                    if self.protocol:
-                        if not chain.checkProtocol(self.protocol):
-                            raise TLSAuthorizationError(\
-                            "cryptoID protocol mismatch")
-                    if not chain.validate():
-                        raise TLSValidationError("cryptoID validation failure")
-                elif chain:
-                    raise TLSAuthenticationTypeError()
-                else:
-                    raise TLSNoAuthenticationError()
-
+                    raise TLSNoAuthenticationError()