Index: third_party/tlslite/tlslite/checker.py |
diff --git a/third_party/tlslite/tlslite/checker.py b/third_party/tlslite/tlslite/checker.py |
index fc09af9f6fc58c9e09d09c6e66edf0ba364f388e..4f2ee820e0a963af52d3ff73895d1d7c253d43a8 100644 |
--- a/third_party/tlslite/tlslite/checker.py |
+++ b/third_party/tlslite/tlslite/checker.py |
@@ -1,12 +1,14 @@ |
+# Author: Trevor Perrin |
+# See the LICENSE file for legal information regarding use of this file. |
+ |
"""Class for post-handshake certificate checking.""" |
-from utils.cryptomath import hashAndBase64 |
-from x509 import X509 |
-from x509certchain import X509CertChain |
-from errors import * |
+from .x509 import X509 |
+from .x509certchain import X509CertChain |
+from .errors import * |
-class Checker: |
+class Checker(object): |
"""This class is passed to a handshake function to check the other |
party's certificate chain. |
@@ -15,50 +17,21 @@ class Checker: |
inadequate, a subclass of |
L{tlslite.errors.TLSAuthenticationError} will be raised. |
- Currently, the Checker can check either an X.509 or a cryptoID |
- chain (for the latter, cryptoIDlib must be installed). |
+ Currently, the Checker can check an X.509 chain. |
""" |
- def __init__(self, cryptoID=None, protocol=None, |
+ def __init__(self, |
x509Fingerprint=None, |
- x509TrustList=None, x509CommonName=None, |
checkResumedSession=False): |
"""Create a new Checker instance. |
You must pass in one of these argument combinations: |
- - cryptoID[, protocol] (requires cryptoIDlib) |
- x509Fingerprint |
- - x509TrustList[, x509CommonName] (requires cryptlib_py) |
- |
- @type cryptoID: str |
- @param cryptoID: A cryptoID which the other party's certificate |
- chain must match. The cryptoIDlib module must be installed. |
- Mutually exclusive with all of the 'x509...' arguments. |
- |
- @type protocol: str |
- @param protocol: A cryptoID protocol URI which the other |
- party's certificate chain must match. Requires the 'cryptoID' |
- argument. |
@type x509Fingerprint: str |
@param x509Fingerprint: A hex-encoded X.509 end-entity |
fingerprint which the other party's end-entity certificate must |
- match. Mutually exclusive with the 'cryptoID' and |
- 'x509TrustList' arguments. |
- |
- @type x509TrustList: list of L{tlslite.X509.X509} |
- @param x509TrustList: A list of trusted root certificates. The |
- other party must present a certificate chain which extends to |
- one of these root certificates. The cryptlib_py module must be |
- installed. Mutually exclusive with the 'cryptoID' and |
- 'x509Fingerprint' arguments. |
- |
- @type x509CommonName: str |
- @param x509CommonName: The end-entity certificate's 'CN' field |
- must match this value. For a web server, this is typically a |
- server name such as 'www.amazon.com'. Mutually exclusive with |
- the 'cryptoID' and 'x509Fingerprint' arguments. Requires the |
- 'x509TrustList' argument. |
+ match. |
@type checkResumedSession: bool |
@param checkResumedSession: If resumed sessions should be |
@@ -67,23 +40,7 @@ class Checker: |
re-checking it. |
""" |
- if cryptoID and (x509Fingerprint or x509TrustList): |
- raise ValueError() |
- if x509Fingerprint and x509TrustList: |
- raise ValueError() |
- if x509CommonName and not x509TrustList: |
- raise ValueError() |
- if protocol and not cryptoID: |
- raise ValueError() |
- if cryptoID: |
- import cryptoIDlib #So we raise an error here |
- if x509TrustList: |
- import cryptlib_py #So we raise an error here |
- self.cryptoID = cryptoID |
- self.protocol = protocol |
self.x509Fingerprint = x509Fingerprint |
- self.x509TrustList = x509TrustList |
- self.x509CommonName = x509CommonName |
self.checkResumedSession = checkResumedSession |
def __call__(self, connection): |
@@ -92,7 +49,7 @@ class Checker: |
When a Checker is passed to a handshake function, this will |
be called at the end of the function. |
- @type connection: L{tlslite.TLSConnection.TLSConnection} |
+ @type connection: L{tlslite.tlsconnection.TLSConnection} |
@param connection: The TLSConnection to examine. |
@raise tlslite.errors.TLSAuthenticationError: If the other |
@@ -101,46 +58,20 @@ class Checker: |
if not self.checkResumedSession and connection.resumed: |
return |
- if self.cryptoID or self.x509Fingerprint or self.x509TrustList: |
+ if self.x509Fingerprint: |
if connection._client: |
chain = connection.session.serverCertChain |
else: |
chain = connection.session.clientCertChain |
- if self.x509Fingerprint or self.x509TrustList: |
+ if self.x509Fingerprint: |
if isinstance(chain, X509CertChain): |
if self.x509Fingerprint: |
if chain.getFingerprint() != self.x509Fingerprint: |
raise TLSFingerprintError(\ |
"X.509 fingerprint mismatch: %s, %s" % \ |
(chain.getFingerprint(), self.x509Fingerprint)) |
- else: #self.x509TrustList |
- if not chain.validate(self.x509TrustList): |
- raise TLSValidationError("X.509 validation failure") |
- if self.x509CommonName and \ |
- (chain.getCommonName() != self.x509CommonName): |
- raise TLSAuthorizationError(\ |
- "X.509 Common Name mismatch: %s, %s" % \ |
- (chain.getCommonName(), self.x509CommonName)) |
elif chain: |
raise TLSAuthenticationTypeError() |
else: |
- raise TLSNoAuthenticationError() |
- elif self.cryptoID: |
- import cryptoIDlib.CertChain |
- if isinstance(chain, cryptoIDlib.CertChain.CertChain): |
- if chain.cryptoID != self.cryptoID: |
- raise TLSFingerprintError(\ |
- "cryptoID mismatch: %s, %s" % \ |
- (chain.cryptoID, self.cryptoID)) |
- if self.protocol: |
- if not chain.checkProtocol(self.protocol): |
- raise TLSAuthorizationError(\ |
- "cryptoID protocol mismatch") |
- if not chain.validate(): |
- raise TLSValidationError("cryptoID validation failure") |
- elif chain: |
- raise TLSAuthenticationTypeError() |
- else: |
- raise TLSNoAuthenticationError() |
- |
+ raise TLSNoAuthenticationError() |