OLD | NEW |
| 1 # Author: Trevor Perrin |
| 2 # See the LICENSE file for legal information regarding use of this file. |
| 3 |
1 """TLS Lite + smtplib.""" | 4 """TLS Lite + smtplib.""" |
2 | 5 |
3 from smtplib import SMTP | 6 from smtplib import SMTP |
4 from tlslite.tlsconnection import TLSConnection | 7 from tlslite.tlsconnection import TLSConnection |
5 from tlslite.integration.clienthelper import ClientHelper | 8 from tlslite.integration.clienthelper import ClientHelper |
6 | 9 |
7 class SMTP_TLS(SMTP): | 10 class SMTP_TLS(SMTP): |
8 """This class extends L{smtplib.SMTP} with TLS support.""" | 11 """This class extends L{smtplib.SMTP} with TLS support.""" |
9 | 12 |
10 def starttls(self, | 13 def starttls(self, |
11 username=None, password=None, sharedKey=None, | 14 username=None, password=None, |
12 certChain=None, privateKey=None, | 15 certChain=None, privateKey=None, |
13 cryptoID=None, protocol=None, | 16 checker=None, |
14 x509Fingerprint=None, | |
15 x509TrustList=None, x509CommonName=None, | |
16 settings=None): | 17 settings=None): |
17 """Puts the connection to the SMTP server into TLS mode. | 18 """Puts the connection to the SMTP server into TLS mode. |
18 | 19 |
19 If the server supports TLS, this will encrypt the rest of the SMTP | 20 If the server supports TLS, this will encrypt the rest of the SMTP |
20 session. | 21 session. |
21 | 22 |
22 For client authentication, use one of these argument | 23 For client authentication, use one of these argument |
23 combinations: | 24 combinations: |
24 - username, password (SRP) | 25 - username, password (SRP) |
25 - username, sharedKey (shared-key) | |
26 - certChain, privateKey (certificate) | 26 - certChain, privateKey (certificate) |
27 | 27 |
28 For server authentication, you can either rely on the | 28 For server authentication, you can either rely on the |
29 implicit mutual authentication performed by SRP or | 29 implicit mutual authentication performed by SRP or |
30 shared-keys, or you can do certificate-based server | 30 you can do certificate-based server |
31 authentication with one of these argument combinations: | 31 authentication with one of these argument combinations: |
32 - cryptoID[, protocol] (requires cryptoIDlib) | |
33 - x509Fingerprint | 32 - x509Fingerprint |
34 - x509TrustList[, x509CommonName] (requires cryptlib_py) | |
35 | 33 |
36 Certificate-based server authentication is compatible with | 34 Certificate-based server authentication is compatible with |
37 SRP or certificate-based client authentication. It is | 35 SRP or certificate-based client authentication. |
38 not compatible with shared-keys. | |
39 | 36 |
40 The caller should be prepared to handle TLS-specific | 37 The caller should be prepared to handle TLS-specific |
41 exceptions. See the client handshake functions in | 38 exceptions. See the client handshake functions in |
42 L{tlslite.TLSConnection.TLSConnection} for details on which | 39 L{tlslite.TLSConnection.TLSConnection} for details on which |
43 exceptions might be raised. | 40 exceptions might be raised. |
44 | 41 |
45 @type username: str | 42 @type username: str |
46 @param username: SRP or shared-key username. Requires the | 43 @param username: SRP username. Requires the |
47 'password' or 'sharedKey' argument. | 44 'password' argument. |
48 | 45 |
49 @type password: str | 46 @type password: str |
50 @param password: SRP password for mutual authentication. | 47 @param password: SRP password for mutual authentication. |
51 Requires the 'username' argument. | 48 Requires the 'username' argument. |
52 | 49 |
53 @type sharedKey: str | 50 @type certChain: L{tlslite.x509certchain.X509CertChain} |
54 @param sharedKey: Shared key for mutual authentication. | 51 @param certChain: Certificate chain for client authentication. |
55 Requires the 'username' argument. | 52 Requires the 'privateKey' argument. Excludes the SRP arguments. |
56 | 53 |
57 @type certChain: L{tlslite.X509CertChain.X509CertChain} or | 54 @type privateKey: L{tlslite.utils.rsakey.RSAKey} |
58 L{cryptoIDlib.CertChain.CertChain} | 55 @param privateKey: Private key for client authentication. |
59 @param certChain: Certificate chain for client authentication. | 56 Requires the 'certChain' argument. Excludes the SRP arguments. |
60 Requires the 'privateKey' argument. Excludes the SRP or | |
61 shared-key related arguments. | |
62 | 57 |
63 @type privateKey: L{tlslite.utils.RSAKey.RSAKey} | 58 @type checker: L{tlslite.checker.Checker} |
64 @param privateKey: Private key for client authentication. | 59 @param checker: Callable object called after handshaking to |
65 Requires the 'certChain' argument. Excludes the SRP or | 60 evaluate the connection and raise an Exception if necessary. |
66 shared-key related arguments. | |
67 | 61 |
68 @type cryptoID: str | 62 @type settings: L{tlslite.handshakesettings.HandshakeSettings} |
69 @param cryptoID: cryptoID for server authentication. Mutually | |
70 exclusive with the 'x509...' arguments. | |
71 | |
72 @type protocol: str | |
73 @param protocol: cryptoID protocol URI for server | |
74 authentication. Requires the 'cryptoID' argument. | |
75 | |
76 @type x509Fingerprint: str | |
77 @param x509Fingerprint: Hex-encoded X.509 fingerprint for | |
78 server authentication. Mutually exclusive with the 'cryptoID' | |
79 and 'x509TrustList' arguments. | |
80 | |
81 @type x509TrustList: list of L{tlslite.X509.X509} | |
82 @param x509TrustList: A list of trusted root certificates. The | |
83 other party must present a certificate chain which extends to | |
84 one of these root certificates. The cryptlib_py module must be | |
85 installed to use this parameter. Mutually exclusive with the | |
86 'cryptoID' and 'x509Fingerprint' arguments. | |
87 | |
88 @type x509CommonName: str | |
89 @param x509CommonName: The end-entity certificate's 'CN' field | |
90 must match this value. For a web server, this is typically a | |
91 server name such as 'www.amazon.com'. Mutually exclusive with | |
92 the 'cryptoID' and 'x509Fingerprint' arguments. Requires the | |
93 'x509TrustList' argument. | |
94 | |
95 @type settings: L{tlslite.HandshakeSettings.HandshakeSettings} | |
96 @param settings: Various settings which can be used to control | 63 @param settings: Various settings which can be used to control |
97 the ciphersuites, certificate types, and SSL/TLS versions | 64 the ciphersuites, certificate types, and SSL/TLS versions |
98 offered by the client. | 65 offered by the client. |
99 """ | 66 """ |
100 (resp, reply) = self.docmd("STARTTLS") | 67 (resp, reply) = self.docmd("STARTTLS") |
101 if resp == 220: | 68 if resp == 220: |
102 helper = ClientHelper( | 69 helper = ClientHelper( |
103 username, password, sharedKey, | 70 username, password, |
104 certChain, privateKey, | 71 certChain, privateKey, |
105 cryptoID, protocol, | 72 checker, |
106 x509Fingerprint, | |
107 x509TrustList, x509CommonName, | |
108 settings) | 73 settings) |
109 conn = TLSConnection(self.sock) | 74 conn = TLSConnection(self.sock) |
110 conn.closeSocket = True | |
111 helper._handshake(conn) | 75 helper._handshake(conn) |
112 self.sock = conn | 76 self.sock = conn |
113 self.file = conn.makefile('rb') | 77 self.file = conn.makefile('rb') |
114 return (resp, reply) | 78 return (resp, reply) |
OLD | NEW |