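--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,163 +1,122 @@
+# Authors:
+# Trevor Perrin
+# Dimitris Moraitis - Anon ciphersuites
+#
+# See the LICENSE file for legal information regarding use of this file.
+
 """
 A helper class for using TLS Lite with stdlib clients
 (httplib, xmlrpclib, imaplib, poplib).
 """
 
 from tlslite.checker import Checker
 
-class ClientHelper:
+class ClientHelper(object):
 """This is a helper class used to integrate TLS Lite with various
 TLS clients (e.g. poplib, smtplib, httplib, etc.)"""
 
 def __init__(self,
-username=None, password=None, sharedKey=None,
+username=None, password=None,
 certChain=None, privateKey=None,
-cryptoID=None, protocol=None,
-x509Fingerprint=None,
-x509TrustList=None, x509CommonName=None,
-settings = None):
+checker=None,
+settings = None,
+anon = False):
 """
 For client authentication, use one of these argument
 combinations:
 - username, password (SRP)
-- username, sharedKey (shared-key)
 - certChain, privateKey (certificate)
 
 For server authentication, you can either rely on the
-implicit mutual authentication performed by SRP or
-shared-keys, or you can do certificate-based server
+implicit mutual authentication performed by SRP,
+or you can do certificate-based server
 authentication with one of these argument combinations:
-- cryptoID[, protocol] (requires cryptoIDlib)
 - x509Fingerprint
-- x509TrustList[, x509CommonName] (requires cryptlib_py)
 
 Certificate-based server authentication is compatible with
-SRP or certificate-based client authentication. It is
-not compatible with shared-keys.
+SRP or certificate-based client authentication.
 
 The constructor does not perform the TLS handshake itself, but
 simply stores these arguments for later. The handshake is
 performed only when this class needs to connect with the
 server. Then you should be prepared to handle TLS-specific
 exceptions. See the client handshake functions in
 L{tlslite.TLSConnection.TLSConnection} for details on which
 exceptions might be raised.
 
 @type username: str
-@param username: SRP or shared-key username. Requires the
-'password' or 'sharedKey' argument.
+@param username: SRP username. Requires the
+'password' argument.
 
 @type password: str
 @param password: SRP password for mutual authentication.
 Requires the 'username' argument.
 
-@type sharedKey: str
-@param sharedKey: Shared key for mutual authentication.
-Requires the 'username' argument.
+@type certChain: L{tlslite.x509certchain.X509CertChain}
+@param certChain: Certificate chain for client authentication.
+Requires the 'privateKey' argument. Excludes the SRP arguments.
 
-@type certChain: L{tlslite.X509CertChain.X509CertChain} or
-L{cryptoIDlib.CertChain.CertChain}
-@param certChain: Certificate chain for client authentication.
-Requires the 'privateKey' argument. Excludes the SRP or
-shared-key related arguments.
+@type privateKey: L{tlslite.utils.rsakey.RSAKey}
+@param privateKey: Private key for client authentication.
+Requires the 'certChain' argument. Excludes the SRP arguments.
 
-@type privateKey: L{tlslite.utils.RSAKey.RSAKey}
-@param privateKey: Private key for client authentication.
-Requires the 'certChain' argument. Excludes the SRP or
-shared-key related arguments.
+@type checker: L{tlslite.checker.Checker}
+@param checker: Callable object called after handshaking to
+evaluate the connection and raise an Exception if necessary.
 
-@type cryptoID: str
-@param cryptoID: cryptoID for server authentication. Mutually
-exclusive with the 'x509...' arguments.
-
-@type protocol: str
-@param protocol: cryptoID protocol URI for server
-authentication. Requires the 'cryptoID' argument.
-
-@type x509Fingerprint: str
-@param x509Fingerprint: Hex-encoded X.509 fingerprint for
-server authentication. Mutually exclusive with the 'cryptoID'
-and 'x509TrustList' arguments.
-
-@type x509TrustList: list of L{tlslite.X509.X509}
-@param x509TrustList: A list of trusted root certificates. The
-other party must present a certificate chain which extends to
-one of these root certificates. The cryptlib_py module must be
-installed to use this parameter. Mutually exclusive with the
-'cryptoID' and 'x509Fingerprint' arguments.
-
-@type x509CommonName: str
-@param x509CommonName: The end-entity certificate's 'CN' field
-must match this value. For a web server, this is typically a
-server name such as 'www.amazon.com'. Mutually exclusive with
-the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
-'x509TrustList' argument.
-
-@type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
+@type settings: L{tlslite.handshakesettings.HandshakeSettings}
 @param settings: Various settings which can be used to control
 the ciphersuites, certificate types, and SSL/TLS versions
 offered by the client.
 """
 
 self.username = None
 self.password = None
-self.sharedKey = None
 self.certChain = None
 self.privateKey = None
 self.checker = None
+self.anon = anon
 
 #SRP Authentication
 if username and password and not \
-(sharedKey or certChain or privateKey):
+(certChain or privateKey):
 self.username = username
 self.password = password
 
-#Shared Key Authentication
-elif username and sharedKey and not \
-(password or certChain or privateKey):
-self.username = username
-self.sharedKey = sharedKey
-
 #Certificate Chain Authentication
 elif certChain and privateKey and not \
-(username or password or sharedKey):
+(username or password):
 self.certChain = certChain
 self.privateKey = privateKey
 
 #No Authentication
 elif not password and not username and not \
-sharedKey and not certChain and not privateKey:
+certChain and not privateKey:
 pass
 
 else:
 raise ValueError("Bad parameters")
 
-#Authenticate the server based on its cryptoID or fingerprint
-if sharedKey and (cryptoID or protocol or x509Fingerprint):
-raise ValueError("Can't use shared keys with other forms of"\
-"authentication")
-
-self.checker = Checker(cryptoID, protocol, x509Fingerprint,
-x509TrustList, x509CommonName)
+self.checker = checker
 self.settings = settings
 
 self.tlsSession = None
 
 def _handshake(self, tlsConnection):
 if self.username and self.password:
 tlsConnection.handshakeClientSRP(username=self.username,
 password=self.password,
 checker=self.checker,
 settings=self.settings,
 session=self.tlsSession)
-elif self.username and self.sharedKey:
-tlsConnection.handshakeClientSharedKey(username=self.username,
-sharedKey=self.sharedKey,
-settings=self.settings)
+elif self.anon:
+tlsConnection.handshakeClientAnonymous(session=self.tlsSession,
+settings=self.settings,
+checker=self.checker)
 else:
 tlsConnection.handshakeClientCert(certChain=self.certChain,
 privateKey=self.privateKey,
 checker=self.checker,
 settings=self.settings,
 session=self.tlsSession)
 self.tlsSession = tlsConnection.session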
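Review bot: With `anon=True` and no SRP credentials, a `certChain`/`privateKey` pair passes the parameter validation chain unchanged, but `_handshake` (new lines 112–121) tests `self.anon` before the `handshakeClientCert` branch, so the caller's client certificate is silently never used and the connection is made through `handshakeClientAnonymous`; a guard beside the existing checks, `if anon and (certChain or privateKey): raise ValueError("Bad parameters")`, would reject the conflict at construction time as the other combinations already are. The new `anon` parameter also has no `@type`/`@param` entry in the docstring, while the surviving `- x509Fingerprint` bullet (new line 34) still names a constructor argument that no longer exists — server-certificate evaluation now comes only through `checker`, and a short entry such as `@type anon: bool` / `@param anon: Negotiate an anonymous ciphersuite; the server is not authenticated unless 'checker' verifies it.` plus dropping the stale bullet would keep the docstring honest. `from tlslite.checker import Checker` appears unused after this change, since the constructor no longer builds a `Checker` itself.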