147 lines
6.2 KiB
Python
147 lines
6.2 KiB
Python
|
"""Class for post-handshake certificate checking."""
|
||
|
|
||
|
from utils.cryptomath import hashAndBase64
|
||
|
from X509 import X509
|
||
|
from X509CertChain import X509CertChain
|
||
|
from errors import *
|
||
|
|
||
|
|
||
|
class Checker:
|
||
|
"""This class is passed to a handshake function to check the other
|
||
|
party's certificate chain.
|
||
|
|
||
|
If a handshake function completes successfully, but the Checker
|
||
|
judges the other party's certificate chain to be missing or
|
||
|
inadequate, a subclass of
|
||
|
L{tlslite.errors.TLSAuthenticationError} will be raised.
|
||
|
|
||
|
Currently, the Checker can check either an X.509 or a cryptoID
|
||
|
chain (for the latter, cryptoIDlib must be installed).
|
||
|
"""
|
||
|
|
||
|
def __init__(self, cryptoID=None, protocol=None,
|
||
|
x509Fingerprint=None,
|
||
|
x509TrustList=None, x509CommonName=None,
|
||
|
checkResumedSession=False):
|
||
|
"""Create a new Checker instance.
|
||
|
|
||
|
You must pass in one of these argument combinations:
|
||
|
- cryptoID[, protocol] (requires cryptoIDlib)
|
||
|
- x509Fingerprint
|
||
|
- x509TrustList[, x509CommonName] (requires cryptlib_py)
|
||
|
|
||
|
@type cryptoID: str
|
||
|
@param cryptoID: A cryptoID which the other party's certificate
|
||
|
chain must match. The cryptoIDlib module must be installed.
|
||
|
Mutually exclusive with all of the 'x509...' arguments.
|
||
|
|
||
|
@type protocol: str
|
||
|
@param protocol: A cryptoID protocol URI which the other
|
||
|
party's certificate chain must match. Requires the 'cryptoID'
|
||
|
argument.
|
||
|
|
||
|
@type x509Fingerprint: str
|
||
|
@param x509Fingerprint: A hex-encoded X.509 end-entity
|
||
|
fingerprint which the other party's end-entity certificate must
|
||
|
match. Mutually exclusive with the 'cryptoID' and
|
||
|
'x509TrustList' arguments.
|
||
|
|
||
|
@type x509TrustList: list of L{tlslite.X509.X509}
|
||
|
@param x509TrustList: A list of trusted root certificates. The
|
||
|
other party must present a certificate chain which extends to
|
||
|
one of these root certificates. The cryptlib_py module must be
|
||
|
installed. Mutually exclusive with the 'cryptoID' and
|
||
|
'x509Fingerprint' arguments.
|
||
|
|
||
|
@type x509CommonName: str
|
||
|
@param x509CommonName: The end-entity certificate's 'CN' field
|
||
|
must match this value. For a web server, this is typically a
|
||
|
server name such as 'www.amazon.com'. Mutually exclusive with
|
||
|
the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
|
||
|
'x509TrustList' argument.
|
||
|
|
||
|
@type checkResumedSession: bool
|
||
|
@param checkResumedSession: If resumed sessions should be
|
||
|
checked. This defaults to False, on the theory that if the
|
||
|
session was checked once, we don't need to bother
|
||
|
re-checking it.
|
||
|
"""
|
||
|
|
||
|
if cryptoID and (x509Fingerprint or x509TrustList):
|
||
|
raise ValueError()
|
||
|
if x509Fingerprint and x509TrustList:
|
||
|
raise ValueError()
|
||
|
if x509CommonName and not x509TrustList:
|
||
|
raise ValueError()
|
||
|
if protocol and not cryptoID:
|
||
|
raise ValueError()
|
||
|
if cryptoID:
|
||
|
import cryptoIDlib #So we raise an error here
|
||
|
if x509TrustList:
|
||
|
import cryptlib_py #So we raise an error here
|
||
|
self.cryptoID = cryptoID
|
||
|
self.protocol = protocol
|
||
|
self.x509Fingerprint = x509Fingerprint
|
||
|
self.x509TrustList = x509TrustList
|
||
|
self.x509CommonName = x509CommonName
|
||
|
self.checkResumedSession = checkResumedSession
|
||
|
|
||
|
def __call__(self, connection):
|
||
|
"""Check a TLSConnection.
|
||
|
|
||
|
When a Checker is passed to a handshake function, this will
|
||
|
be called at the end of the function.
|
||
|
|
||
|
@type connection: L{tlslite.TLSConnection.TLSConnection}
|
||
|
@param connection: The TLSConnection to examine.
|
||
|
|
||
|
@raise tlslite.errors.TLSAuthenticationError: If the other
|
||
|
party's certificate chain is missing or bad.
|
||
|
"""
|
||
|
if not self.checkResumedSession and connection.resumed:
|
||
|
return
|
||
|
|
||
|
if self.cryptoID or self.x509Fingerprint or self.x509TrustList:
|
||
|
if connection._client:
|
||
|
chain = connection.session.serverCertChain
|
||
|
else:
|
||
|
chain = connection.session.clientCertChain
|
||
|
|
||
|
if self.x509Fingerprint or self.x509TrustList:
|
||
|
if isinstance(chain, X509CertChain):
|
||
|
if self.x509Fingerprint:
|
||
|
if chain.getFingerprint() != self.x509Fingerprint:
|
||
|
raise TLSFingerprintError(\
|
||
|
"X.509 fingerprint mismatch: %s, %s" % \
|
||
|
(chain.getFingerprint(), self.x509Fingerprint))
|
||
|
else: #self.x509TrustList
|
||
|
if not chain.validate(self.x509TrustList):
|
||
|
raise TLSValidationError("X.509 validation failure")
|
||
|
if self.x509CommonName and \
|
||
|
(chain.getCommonName() != self.x509CommonName):
|
||
|
raise TLSAuthorizationError(\
|
||
|
"X.509 Common Name mismatch: %s, %s" % \
|
||
|
(chain.getCommonName(), self.x509CommonName))
|
||
|
elif chain:
|
||
|
raise TLSAuthenticationTypeError()
|
||
|
else:
|
||
|
raise TLSNoAuthenticationError()
|
||
|
elif self.cryptoID:
|
||
|
import cryptoIDlib.CertChain
|
||
|
if isinstance(chain, cryptoIDlib.CertChain.CertChain):
|
||
|
if chain.cryptoID != self.cryptoID:
|
||
|
raise TLSFingerprintError(\
|
||
|
"cryptoID mismatch: %s, %s" % \
|
||
|
(chain.cryptoID, self.cryptoID))
|
||
|
if self.protocol:
|
||
|
if not chain.checkProtocol(self.protocol):
|
||
|
raise TLSAuthorizationError(\
|
||
|
"cryptoID protocol mismatch")
|
||
|
if not chain.validate():
|
||
|
raise TLSValidationError("cryptoID validation failure")
|
||
|
elif chain:
|
||
|
raise TLSAuthenticationTypeError()
|
||
|
else:
|
||
|
raise TLSNoAuthenticationError()
|
||
|
|