1# Author: Trevor Perrin
2# See the LICENSE file for legal information regarding use of this file.
3
4"""Class for post-handshake certificate checking."""
5
6from .x509 import X509
7from .x509certchain import X509CertChain
8from .errors import *
9
10
11class Checker(object):
12    """This class is passed to a handshake function to check the other
13    party's certificate chain.
14
15    If a handshake function completes successfully, but the Checker
16    judges the other party's certificate chain to be missing or
17    inadequate, a subclass of
18    L{tlslite.errors.TLSAuthenticationError} will be raised.
19
20    Currently, the Checker can check an X.509 chain.
21    """
22
23    def __init__(self,
24                 x509Fingerprint=None,
25                 checkResumedSession=False):
26        """Create a new Checker instance.
27
28        You must pass in one of these argument combinations:
29         - x509Fingerprint
30
31        @type x509Fingerprint: str
32        @param x509Fingerprint: A hex-encoded X.509 end-entity
33        fingerprint which the other party's end-entity certificate must
34        match.
35
36        @type checkResumedSession: bool
37        @param checkResumedSession: If resumed sessions should be
38        checked.  This defaults to False, on the theory that if the
39        session was checked once, we don't need to bother
40        re-checking it.
41        """
42
43        self.x509Fingerprint = x509Fingerprint
44        self.checkResumedSession = checkResumedSession
45
46    def __call__(self, connection):
47        """Check a TLSConnection.
48
49        When a Checker is passed to a handshake function, this will
50        be called at the end of the function.
51
52        @type connection: L{tlslite.tlsconnection.TLSConnection}
53        @param connection: The TLSConnection to examine.
54
55        @raise tlslite.errors.TLSAuthenticationError: If the other
56        party's certificate chain is missing or bad.
57        """
58        if not self.checkResumedSession and connection.resumed:
59            return
60
61        if self.x509Fingerprint:
62            if connection._client:
63                chain = connection.session.serverCertChain
64            else:
65                chain = connection.session.clientCertChain
66
67            if self.x509Fingerprint:
68                if isinstance(chain, X509CertChain):
69                    if self.x509Fingerprint:
70                        if chain.getFingerprint() != self.x509Fingerprint:
71                            raise TLSFingerprintError(\
72                                "X.509 fingerprint mismatch: %s, %s" % \
73                                (chain.getFingerprint(), self.x509Fingerprint))
74                elif chain:
75                    raise TLSAuthenticationTypeError()
76                else:
77                    raise TLSNoAuthenticationError()