2 A helper class for using TLS Lite with stdlib clients
3 (httplib, xmlrpclib, imaplib, poplib).
6 from tlslite.Checker import Checker
9 """This is a helper class used to integrate TLS Lite with various
10 TLS clients (e.g. poplib, smtplib, httplib, etc.)"""
13 username=None, password=None, sharedKey=None,
14 certChain=None, privateKey=None,
15 cryptoID=None, protocol=None,
17 x509TrustList=None, x509CommonName=None,
20 For client authentication, use one of these argument
22 - username, password (SRP)
23 - username, sharedKey (shared-key)
24 - certChain, privateKey (certificate)
26 For server authentication, you can either rely on the
27 implicit mutual authentication performed by SRP or
28 shared-keys, or you can do certificate-based server
29 authentication with one of these argument combinations:
30 - cryptoID[, protocol] (requires cryptoIDlib)
32 - x509TrustList[, x509CommonName] (requires cryptlib_py)
34 Certificate-based server authentication is compatible with
35 SRP or certificate-based client authentication. It is
36 not compatible with shared-keys.
38 The constructor does not perform the TLS handshake itself, but
39 simply stores these arguments for later. The handshake is
40 performed only when this class needs to connect with the
41 server. Then you should be prepared to handle TLS-specific
42 exceptions. See the client handshake functions in
43 L{tlslite.TLSConnection.TLSConnection} for details on which
44 exceptions might be raised.
47 @param username: SRP or shared-key username. Requires the
48 'password' or 'sharedKey' argument.
51 @param password: SRP password for mutual authentication.
52 Requires the 'username' argument.
55 @param sharedKey: Shared key for mutual authentication.
56 Requires the 'username' argument.
58 @type certChain: L{tlslite.X509CertChain.X509CertChain} or
59 L{cryptoIDlib.CertChain.CertChain}
60 @param certChain: Certificate chain for client authentication.
61 Requires the 'privateKey' argument. Excludes the SRP or
62 shared-key related arguments.
64 @type privateKey: L{tlslite.utils.RSAKey.RSAKey}
65 @param privateKey: Private key for client authentication.
66 Requires the 'certChain' argument. Excludes the SRP or
67 shared-key related arguments.
70 @param cryptoID: cryptoID for server authentication. Mutually
71 exclusive with the 'x509...' arguments.
74 @param protocol: cryptoID protocol URI for server
75 authentication. Requires the 'cryptoID' argument.
77 @type x509Fingerprint: str
78 @param x509Fingerprint: Hex-encoded X.509 fingerprint for
79 server authentication. Mutually exclusive with the 'cryptoID'
80 and 'x509TrustList' arguments.
82 @type x509TrustList: list of L{tlslite.X509.X509}
83 @param x509TrustList: A list of trusted root certificates. The
84 other party must present a certificate chain which extends to
85 one of these root certificates. The cryptlib_py module must be
86 installed to use this parameter. Mutually exclusive with the
87 'cryptoID' and 'x509Fingerprint' arguments.
89 @type x509CommonName: str
90 @param x509CommonName: The end-entity certificate's 'CN' field
91 must match this value. For a web server, this is typically a
92 server name such as 'www.amazon.com'. Mutually exclusive with
93 the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
94 'x509TrustList' argument.
96 @type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
97 @param settings: Various settings which can be used to control
98 the ciphersuites, certificate types, and SSL/TLS versions
99 offered by the client.
104 self.sharedKey = None
105 self.certChain = None
106 self.privateKey = None
110 if username and password and not \
111 (sharedKey or certChain or privateKey):
112 self.username = username
113 self.password = password
115 #Shared Key Authentication
116 elif username and sharedKey and not \
117 (password or certChain or privateKey):
118 self.username = username
119 self.sharedKey = sharedKey
121 #Certificate Chain Authentication
122 elif certChain and privateKey and not \
123 (username or password or sharedKey):
124 self.certChain = certChain
125 self.privateKey = privateKey
128 elif not password and not username and not \
129 sharedKey and not certChain and not privateKey:
133 raise ValueError("Bad parameters")
135 #Authenticate the server based on its cryptoID or fingerprint
136 if sharedKey and (cryptoID or protocol or x509Fingerprint):
137 raise ValueError("Can't use shared keys with other forms of"\
140 self.checker = Checker(cryptoID, protocol, x509Fingerprint,
141 x509TrustList, x509CommonName)
142 self.settings = settings
144 self.tlsSession = None
def _handshake(self, tlsConnection):
    """Run the client side of the TLS handshake on *tlsConnection*.

    The client-authentication mode chosen in the constructor decides
    which handshake entry point is used:

      - username + password  -> handshakeClientSRP
      - username + sharedKey -> handshakeClientSharedKey
      - anything else        -> handshakeClientCert (certChain and
        privateKey may both be None, i.e. no client authentication)

    The SRP and certificate paths hand the stored checker (server
    authentication), settings and any previously saved session to the
    connection; the shared-key path is the only one that passes
    settings alone, with no checker and no session.  Whatever session
    the connection ends up with is saved on the helper afterwards so a
    later handshake can offer it for resumption.

    @param tlsConnection: the L{tlslite.TLSConnection.TLSConnection}
    to handshake on.  TLS-specific exceptions raised by the handshake
    functions propagate to the caller.
    """
    if self.username and self.password:
        # SRP: mutual authentication via the password, plus an
        # optional certificate-based check of the server.
        handshake = tlsConnection.handshakeClientSRP
        kwargs = {"username": self.username,
                  "password": self.password,
                  "checker": self.checker,
                  "settings": self.settings,
                  "session": self.tlsSession}
    elif self.username and self.sharedKey:
        # Shared key: no checker and no session are supplied here.
        handshake = tlsConnection.handshakeClientSharedKey
        kwargs = {"username": self.username,
                  "sharedKey": self.sharedKey,
                  "settings": self.settings}
    else:
        # Certificate-based or anonymous client; the checker still
        # authenticates the server when one was configured.
        handshake = tlsConnection.handshakeClientCert
        kwargs = {"certChain": self.certChain,
                  "privateKey": self.privateKey,
                  "checker": self.checker,
                  "settings": self.settings,
                  "session": self.tlsSession}
    handshake(**kwargs)
    # Remember the negotiated session for possible resumption.
    self.tlsSession = tlsConnection.session