1# Author: Trevor Perrin 2# See the LICENSE file for legal information regarding use of this file. 3 4"""Class for post-handshake certificate checking.""" 5 6from .x509 import X509 7from .x509certchain import X509CertChain 8from .errors import * 9 10 11class Checker(object): 12 """This class is passed to a handshake function to check the other 13 party's certificate chain. 14 15 If a handshake function completes successfully, but the Checker 16 judges the other party's certificate chain to be missing or 17 inadequate, a subclass of 18 L{tlslite.errors.TLSAuthenticationError} will be raised. 19 20 Currently, the Checker can check an X.509 chain. 21 """ 22 23 def __init__(self, 24 x509Fingerprint=None, 25 checkResumedSession=False): 26 """Create a new Checker instance. 27 28 You must pass in one of these argument combinations: 29 - x509Fingerprint 30 31 @type x509Fingerprint: str 32 @param x509Fingerprint: A hex-encoded X.509 end-entity 33 fingerprint which the other party's end-entity certificate must 34 match. 35 36 @type checkResumedSession: bool 37 @param checkResumedSession: If resumed sessions should be 38 checked. This defaults to False, on the theory that if the 39 session was checked once, we don't need to bother 40 re-checking it. 41 """ 42 43 self.x509Fingerprint = x509Fingerprint 44 self.checkResumedSession = checkResumedSession 45 46 def __call__(self, connection): 47 """Check a TLSConnection. 48 49 When a Checker is passed to a handshake function, this will 50 be called at the end of the function. 51 52 @type connection: L{tlslite.tlsconnection.TLSConnection} 53 @param connection: The TLSConnection to examine. 54 55 @raise tlslite.errors.TLSAuthenticationError: If the other 56 party's certificate chain is missing or bad. 57 """ 58 if not self.checkResumedSession and connection.resumed: 59 return 60 61 if self.x509Fingerprint: 62 if connection._client: 63 chain = connection.session.serverCertChain 64 else: 65 chain = connection.session.clientCertChain 66 67 if self.x509Fingerprint: 68 if isinstance(chain, X509CertChain): 69 if self.x509Fingerprint: 70 if chain.getFingerprint() != self.x509Fingerprint: 71 raise TLSFingerprintError(\ 72 "X.509 fingerprint mismatch: %s, %s" % \ 73 (chain.getFingerprint(), self.x509Fingerprint)) 74 elif chain: 75 raise TLSAuthenticationTypeError() 76 else: 77 raise TLSNoAuthenticationError()