
Source Code for Module tlslite.checker

 1  # Author: Trevor Perrin 
 2  # See the LICENSE file for legal information regarding use of this file. 
 3   
 4  """Class for post-handshake certificate checking.""" 
 5   
 6  from .x509 import X509 
 7  from .x509certchain import X509CertChain 
 8  from .errors import * 
 9   
10   
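class Checker:
    """This class is passed to a handshake function to check the other
    party's certificate chain.

    If a handshake function completes successfully, but the Checker
    judges the other party's certificate chain to be missing or
    inadequate, a subclass of
    L{tlslite.errors.TLSAuthenticationError} will be raised.

    Currently, the Checker can check an X.509 chain.  Note that a
    Checker constructed without any fingerprint performs no check at
    all: the peer's chain is then never examined.
    """

    def __init__(self,
                 x509Fingerprint=None,
                 checkResumedSession=False):
        """Create a new Checker instance.

        You must pass in one of these argument combinations:
          - x509Fingerprint

        @type x509Fingerprint: str
        @param x509Fingerprint: A hex-encoded X.509 end-entity
        fingerprint which the other party's end-entity certificate must
        match.  It is compared with C{chain.getFingerprint()} by exact
        (case-sensitive) string equality, so it must be given in the
        same form that method produces.

        @type checkResumedSession: bool
        @param checkResumedSession: If resumed sessions should be
        checked. This defaults to False, on the theory that if the
        session was checked once, we don't need to bother
        re-checking it.
        """

        self.x509Fingerprint = x509Fingerprint
        self.checkResumedSession = checkResumedSession

    def __call__(self, connection):
        """Check a TLSConnection.

        When a Checker is passed to a handshake function, this will
        be called at the end of the function.

        @type connection: L{tlslite.tlsconnection.TLSConnection}
        @param connection: The TLSConnection to examine.

        @raise tlslite.errors.TLSAuthenticationError: If the other
        party's certificate chain is missing or bad.  Concretely:
        L{tlslite.errors.TLSNoAuthenticationError} when no chain was
        sent, L{tlslite.errors.TLSAuthenticationTypeError} when a chain
        was sent that is not an X.509 chain, and
        L{tlslite.errors.TLSFingerprintError} when the X.509 fingerprint
        does not match.
        """
        # A resumed session is assumed to have been checked when it was
        # first established; only re-check it when explicitly requested.
        if not self.checkResumedSession and connection.resumed:
            return

        # No fingerprint configured means there is nothing to verify;
        # the peer's chain is not looked at.  (The original code guarded
        # this condition three times over; once is enough.)
        if not self.x509Fingerprint:
            return

        # Each side verifies the *other* party's chain.
        if connection._client:
            chain = connection.session.serverCertChain
        else:
            chain = connection.session.clientCertChain

        if isinstance(chain, X509CertChain):
            # Compute the fingerprint once; it is used for both the
            # comparison and the error message.
            fingerprint = chain.getFingerprint()
            if fingerprint != self.x509Fingerprint:
                raise TLSFingerprintError(
                    "X.509 fingerprint mismatch: %s, %s" %
                    (fingerprint, self.x509Fingerprint))
        elif chain:
            # Something was sent, but it is not an X.509 chain.
            raise TLSAuthenticationTypeError()
        else:
            raise TLSNoAuthenticationError()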