| Index: third_party/tlslite/tlslite/checker.py
|
| diff --git a/third_party/tlslite/tlslite/checker.py b/third_party/tlslite/tlslite/checker.py
|
| index fc09af9f6fc58c9e09d09c6e66edf0ba364f388e..4f2ee820e0a963af52d3ff73895d1d7c253d43a8 100644
|
| --- a/third_party/tlslite/tlslite/checker.py
|
| +++ b/third_party/tlslite/tlslite/checker.py
|
| @@ -1,12 +1,14 @@
|
| +# Author: Trevor Perrin
|
| +# See the LICENSE file for legal information regarding use of this file.
|
| +
|
| """Class for post-handshake certificate checking."""
|
|
|
| -from utils.cryptomath import hashAndBase64
|
| -from x509 import X509
|
| -from x509certchain import X509CertChain
|
| -from errors import *
|
| +from .x509 import X509
|
| +from .x509certchain import X509CertChain
|
| +from .errors import *
|
|
|
|
|
| -class Checker:
|
| +class Checker(object):
|
| """This class is passed to a handshake function to check the other
|
| party's certificate chain.
|
|
|
| @@ -15,50 +17,21 @@ class Checker:
|
| inadequate, a subclass of
|
| L{tlslite.errors.TLSAuthenticationError} will be raised.
|
|
|
| - Currently, the Checker can check either an X.509 or a cryptoID
|
| - chain (for the latter, cryptoIDlib must be installed).
|
| + Currently, the Checker can check an X.509 chain.
|
| """
|
|
|
| - def __init__(self, cryptoID=None, protocol=None,
|
| + def __init__(self,
|
| x509Fingerprint=None,
|
| - x509TrustList=None, x509CommonName=None,
|
| checkResumedSession=False):
|
| """Create a new Checker instance.
|
|
|
| You must pass in one of these argument combinations:
|
| - - cryptoID[, protocol] (requires cryptoIDlib)
|
| - x509Fingerprint
|
| - - x509TrustList[, x509CommonName] (requires cryptlib_py)
|
| -
|
| - @type cryptoID: str
|
| - @param cryptoID: A cryptoID which the other party's certificate
|
| - chain must match. The cryptoIDlib module must be installed.
|
| - Mutually exclusive with all of the 'x509...' arguments.
|
| -
|
| - @type protocol: str
|
| - @param protocol: A cryptoID protocol URI which the other
|
| - party's certificate chain must match. Requires the 'cryptoID'
|
| - argument.
|
|
|
| @type x509Fingerprint: str
|
| @param x509Fingerprint: A hex-encoded X.509 end-entity
|
| fingerprint which the other party's end-entity certificate must
|
| - match. Mutually exclusive with the 'cryptoID' and
|
| - 'x509TrustList' arguments.
|
| -
|
| - @type x509TrustList: list of L{tlslite.X509.X509}
|
| - @param x509TrustList: A list of trusted root certificates. The
|
| - other party must present a certificate chain which extends to
|
| - one of these root certificates. The cryptlib_py module must be
|
| - installed. Mutually exclusive with the 'cryptoID' and
|
| - 'x509Fingerprint' arguments.
|
| -
|
| - @type x509CommonName: str
|
| - @param x509CommonName: The end-entity certificate's 'CN' field
|
| - must match this value. For a web server, this is typically a
|
| - server name such as 'www.amazon.com'. Mutually exclusive with
|
| - the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
|
| - 'x509TrustList' argument.
|
| + match.
|
|
|
| @type checkResumedSession: bool
|
| @param checkResumedSession: If resumed sessions should be
|
| @@ -67,23 +40,7 @@ class Checker:
|
| re-checking it.
|
| """
|
|
|
| - if cryptoID and (x509Fingerprint or x509TrustList):
|
| - raise ValueError()
|
| - if x509Fingerprint and x509TrustList:
|
| - raise ValueError()
|
| - if x509CommonName and not x509TrustList:
|
| - raise ValueError()
|
| - if protocol and not cryptoID:
|
| - raise ValueError()
|
| - if cryptoID:
|
| - import cryptoIDlib #So we raise an error here
|
| - if x509TrustList:
|
| - import cryptlib_py #So we raise an error here
|
| - self.cryptoID = cryptoID
|
| - self.protocol = protocol
|
| self.x509Fingerprint = x509Fingerprint
|
| - self.x509TrustList = x509TrustList
|
| - self.x509CommonName = x509CommonName
|
| self.checkResumedSession = checkResumedSession
|
|
|
| def __call__(self, connection):
|
| @@ -92,7 +49,7 @@ class Checker:
|
| When a Checker is passed to a handshake function, this will
|
| be called at the end of the function.
|
|
|
| - @type connection: L{tlslite.TLSConnection.TLSConnection}
|
| + @type connection: L{tlslite.tlsconnection.TLSConnection}
|
| @param connection: The TLSConnection to examine.
|
|
|
| @raise tlslite.errors.TLSAuthenticationError: If the other
|
| @@ -101,46 +58,20 @@ class Checker:
|
| if not self.checkResumedSession and connection.resumed:
|
| return
|
|
|
| - if self.cryptoID or self.x509Fingerprint or self.x509TrustList:
|
| + if self.x509Fingerprint:
|
| if connection._client:
|
| chain = connection.session.serverCertChain
|
| else:
|
| chain = connection.session.clientCertChain
|
|
|
| - if self.x509Fingerprint or self.x509TrustList:
|
| + if self.x509Fingerprint:
|
| if isinstance(chain, X509CertChain):
|
| if self.x509Fingerprint:
|
| if chain.getFingerprint() != self.x509Fingerprint:
|
| raise TLSFingerprintError(\
|
| "X.509 fingerprint mismatch: %s, %s" % \
|
| (chain.getFingerprint(), self.x509Fingerprint))
|
| - else: #self.x509TrustList
|
| - if not chain.validate(self.x509TrustList):
|
| - raise TLSValidationError("X.509 validation failure")
|
| - if self.x509CommonName and \
|
| - (chain.getCommonName() != self.x509CommonName):
|
| - raise TLSAuthorizationError(\
|
| - "X.509 Common Name mismatch: %s, %s" % \
|
| - (chain.getCommonName(), self.x509CommonName))
|
| elif chain:
|
| raise TLSAuthenticationTypeError()
|
| else:
|
| - raise TLSNoAuthenticationError()
|
| - elif self.cryptoID:
|
| - import cryptoIDlib.CertChain
|
| - if isinstance(chain, cryptoIDlib.CertChain.CertChain):
|
| - if chain.cryptoID != self.cryptoID:
|
| - raise TLSFingerprintError(\
|
| - "cryptoID mismatch: %s, %s" % \
|
| - (chain.cryptoID, self.cryptoID))
|
| - if self.protocol:
|
| - if not chain.checkProtocol(self.protocol):
|
| - raise TLSAuthorizationError(\
|
| - "cryptoID protocol mismatch")
|
| - if not chain.validate():
|
| - raise TLSValidationError("cryptoID validation failure")
|
| - elif chain:
|
| - raise TLSAuthenticationTypeError()
|
| - else:
|
| - raise TLSNoAuthenticationError()
|
| -
|
| + raise TLSNoAuthenticationError()
|
|
|
Chromium Code Reviews
Issue 210323002:
Update tlslite to 0.4.6. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src