blob: 4f2ee820e0a963af52d3ff73895d1d7c253d43a8 [file] [log] [blame]
# Author: Trevor Perrin
# See the LICENSE file for legal information regarding use of this file.
"""Class for post-handshake certificate checking."""
from .x509 import X509
from .x509certchain import X509CertChain
from .errors import *
class Checker(object):
"""This class is passed to a handshake function to check the other
party's certificate chain.
If a handshake function completes successfully, but the Checker
judges the other party's certificate chain to be missing or
inadequate, a subclass of
L{tlslite.errors.TLSAuthenticationError} will be raised.
Currently, the Checker can check an X.509 chain.
def __init__(self,
"""Create a new Checker instance.
You must pass in one of these argument combinations:
- x509Fingerprint
@type x509Fingerprint: str
@param x509Fingerprint: A hex-encoded X.509 end-entity
fingerprint which the other party's end-entity certificate must
@type checkResumedSession: bool
@param checkResumedSession: If resumed sessions should be
checked. This defaults to False, on the theory that if the
session was checked once, we don't need to bother
re-checking it.
self.x509Fingerprint = x509Fingerprint
self.checkResumedSession = checkResumedSession
def __call__(self, connection):
"""Check a TLSConnection.
When a Checker is passed to a handshake function, this will
be called at the end of the function.
@type connection: L{tlslite.tlsconnection.TLSConnection}
@param connection: The TLSConnection to examine.
@raise tlslite.errors.TLSAuthenticationError: If the other
party's certificate chain is missing or bad.
if not self.checkResumedSession and connection.resumed:
if self.x509Fingerprint:
if connection._client:
chain = connection.session.serverCertChain
chain = connection.session.clientCertChain
if self.x509Fingerprint:
if isinstance(chain, X509CertChain):
if self.x509Fingerprint:
if chain.getFingerprint() != self.x509Fingerprint:
raise TLSFingerprintError(\
"X.509 fingerprint mismatch: %s, %s" % \
(chain.getFingerprint(), self.x509Fingerprint))
elif chain:
raise TLSAuthenticationTypeError()
raise TLSNoAuthenticationError()