def test_server_with_client_proposing_SHA256_on_TLSv1_1(self):
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 0)
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256,
0x88, # TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
client_hello = ClientHello().create(version=(3, 2),
random=bytearray(32),
session_id=bytearray(0),
cipher_suites=ciphers)
for res in gen_record_layer.sendRecord(client_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
srv_private_key = parsePEMKey(srv_raw_key, private=True)
srv_cert_chain = X509CertChain([X509().parse(srv_raw_certificate)])
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeServer(certChain=srv_cert_chain,
privateKey=srv_private_key)
self.assertEqual(err.exception.description,
AlertDescription.handshake_failure)
def test_client_with_server_responing_with_SHA256_on_TLSv1_1(self):
# socket to generate the faux response
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 2)
server_hello = ServerHello().create(
version=(3, 2),
random=bytearray(32),
session_id=bytearray(0),
cipher_suite=CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
certificate_type=None,
tackExt=None,
next_protos_advertised=None,
)
for res in gen_record_layer.sendRecord(server_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeClientCert()
self.assertEqual(err.exception.description, AlertDescription.illegal_parameter)
def test_padding_extension_with_hello_over_256(self):
sock = self.prepare_mock_socket_with_handshake_failure()
conn = TLSConnection(sock)
# create hostname extension
with self.assertRaises(TLSRemoteAlert):
# use serverName with 252 bytes
settings = HandshakeSettings()
settings.maxVersion = (3, 3)
settings.keyShares = []
conn.handshakeClientCert(
settings=settings,
serverName='aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd.' +
'eeeeeeeeeeffffffffffgggggggggghhhhhhhhhh.' +
'iiiiiiiiiijjjjjjjjjjkkkkkkkkkkllllllllll.' +
'mmmmmmmmmmnnnnnnnnnnoooooooooopppppppppp.' +
'qqqqqqqqqqrrrrrrrrrrsssssssssstttttttttt.' +
'uuuuuuuuuuvvvvvvvvvvwwwwwwwwwwxxxxxxxxxx.' + 'y.com')
self.assertEqual(len(sock.sent), 1)
# check for version and content type (handshake)
self.assertEqual(sock.sent[0][0:3], bytearray(b'\x16' + b'\x03\x03'))
# check for handshake message type (client_hello)
self.assertEqual(sock.sent[0][5:6], bytearray(b'\x01'))
self.assertEqual(sock.sent[0][5:9], bytearray(b'\x01\x00\x02\x00'))
# 5 bytes is record layer header, 4 bytes is handshake protocol header
self.assertEqual(len(sock.sent[0]) - 5 - 4, 512)
def test_client_with_server_responing_with_SHA256_on_TLSv1_1(self):
# socket to generate the faux response
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 2)
server_hello = ServerHello().create(
version=(3, 2),
random=bytearray(32),
session_id=bytearray(0),
cipher_suite=CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
certificate_type=None,
tackExt=None,
next_protos_advertised=None)
for res in gen_record_layer.sendRecord(server_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeClientCert()
self.assertEqual(err.exception.description,
AlertDescription.illegal_parameter)
def test_padding_extension_with_hello_over_256(self):
sock = self.prepare_mock_socket_with_handshake_failure()
conn = TLSConnection(sock)
# create hostname extension
with self.assertRaises(TLSRemoteAlert):
# use serverName with 254 bytes
conn.handshakeClientCert(
serverName='aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd' +
'eeeeeeeeeeffffffffffgggggggggghhhhhhhhhh' +
'iiiiiiiiiijjjjjjjjjjkkkkkkkkkkllllllllll' +
'mmmmmmmmmmnnnnnnnnnnoooooooooopppppppppp' +
'qqqqqqqqqqrrrrrrrrrrsssssssssstttttttttt' +
'uuuuuuuuuuvvvvvvvvvvwwwwwwwwwwxxxxxxxxxx' +
'yyyyyyyyyy.com')
self.assertEqual(len(sock.sent), 1)
# check for version and content type (handshake)
self.assertEqual(sock.sent[0][0:3], bytearray(
b'\x16' +
b'\x03\x03'))
# check for handshake message type (client_hello)
self.assertEqual(sock.sent[0][5:6], bytearray(
b'\x01'))
self.assertEqual(sock.sent[0][5:9], bytearray(
b'\x01\x00\x02\x00'))
# 5 bytes is record layer header, 4 bytes is handshake protocol header
self.assertEqual(len(sock.sent[0]) - 5 - 4, 512)
def test_server_with_client_proposing_SHA256_on_TLSv1_1(self):
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 0)
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256,
0x88, # TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
]
client_hello = ClientHello().create(
version=(3, 2), random=bytearray(32), session_id=bytearray(0), cipher_suites=ciphers
)
for res in gen_record_layer.sendRecord(client_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
srv_private_key = parsePEMKey(self.srv_raw_key, private=True)
srv_cert_chain = X509CertChain([X509().parse(self.srv_raw_certificate)])
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeServer(certChain=srv_cert_chain, privateKey=srv_private_key)
self.assertEqual(err.exception.description, AlertDescription.handshake_failure)
def finish_request(self, sock, client_address):
try:
tlsConnection = TLSConnection(sock)
if self.handshake(tlsConnection) == True:
self.RequestHandlerClass(tlsConnection, client_address, self)
tlsConnection.close()
except OSError:
print("Connection closed before data was received")
def test_keyingMaterialExporter_tls1_2_sha384(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 3)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(mat,
bytearray(b'1\xb8X\xef\x9b\xa5\n9p\x13\xfaxXI\\$\xdf\xb5\xc7i'))
def open(self, host='', port=IMAP4_TLS_PORT):
"""Setup connection to remote server on "host:port".
This connection will be used by the routines:
read, readline, send, shutdown.
"""
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((host, port))
self.sock = TLSConnection(self.sock)
ClientHelper._handshake(self, self.sock)
self.file = self.sock.makefile('rb')
def test_keyingMaterialExporter_tls1_2_sha256(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 3)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(mat,
bytearray(b'\xe6EQ\x93\xcb!\xe7\x87\x1e\xdd\x85' +
b'\xb2\x08|\xc9\xbfDh\r\x90'))
def test_keyingMaterialExporter_tls1_1(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 2)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(mat,
bytearray(b'\x1f\xf8\x18\x01:\x9f\x15a\xd5x\xaa;Y>' +
b'\xafG\x92AH\xa4'))
def test_keyingMaterialExporter_tls1_3_sha384(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._recordLayer.version = (3, 4)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
conn.session.exporterMasterSecret = \
bytearray(b'0123456789abcdef0123456789abcdef0123456789abcdef' +
b'0123456789abcdef0123456789abcdef0123456789abcdef')
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(
mat, bytearray(b';\x96;\x08U*\xbd1\x0fL5^0\xe1*I\x9e\xd3\xcb0'))
def __init__(self, factory, wrappedProtocol):
ProtocolWrapper.__init__(self, factory, wrappedProtocol)
AsyncStateMachine.__init__(self)
self.fakeSocket = _FakeSocket(self)
self.tlsConnection = TLSConnection(self.fakeSocket)
self.tlsStarted = False
self.connectionLostCalled = False
def wrap_socket(sock,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23,
ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
ciphers=None,
fingerprint=None):
try:
sock = TLSConnection(sock)
if do_handshake_on_connect:
checker = None if fingerprint is None else tlslite.CheckerXfw(
x509Fingerprint=fingerprint)
helper = ClientHelper(checker=checker)
helper._handshake(sock)
except:
sock = None
raise
return sock
def test_keyingMaterialExporter_tls1_3_sha256(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._recordLayer.version = (3, 4)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
conn.session.exporterMasterSecret = \
bytearray(b'0123456789abcdef0123456789abcdef' +
b'0123456789abcdef0123456789abcdef')
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(
mat,
bytearray(
b'W_h\x10\x83\xc0XD\x0fw\x0e\xfc/\x92\x8f\xb3\xfd\x13\x96\xd9')
)
def connect(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'):
sock.settimeout(10)
sock.connect((self.host, self.port))
#Use a TLSConnection to emulate a socket
self.sock = TLSConnection(sock)
#When httplib closes this, close the socket
self.sock.closeSocket = True
self._handshake(self.sock)
def test_server_with_client_not_using_required_EMS(self):
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 0)
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
client_hello = ClientHello().create(version=(3, 3),
random=bytearray(32),
session_id=bytearray(0),
cipher_suites=ciphers)
for res in gen_record_layer.sendRecord(client_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
hs = HandshakeSettings()
hs.requireExtendedMasterSecret = True
srv_private_key = parsePEMKey(srv_raw_key, private=True)
srv_cert_chain = X509CertChain([X509().parse(srv_raw_certificate)])
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeServer(certChain=srv_cert_chain,
privateKey=srv_private_key,
settings=hs)
self.assertEqual(err.exception.description,
AlertDescription.insufficient_security)
def test_client_with_server_responing_with_wrong_session_id_in_TLS1_3(
self):
# socket to generate the faux response
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 3)
srv_ext = []
srv_ext.append(SrvSupportedVersionsExtension().create((3, 4)))
srv_ext.append(ServerKeyShareExtension().create(KeyShareEntry().create(
GroupName.secp256r1, bytearray(b'\x03' + b'\x01' * 32))))
server_hello = ServerHello().create(
version=(3, 3),
random=bytearray(32),
session_id=bytearray(b"test"),
cipher_suite=CipherSuite.TLS_AES_128_GCM_SHA256,
certificate_type=None,
tackExt=None,
next_protos_advertised=None,
extensions=srv_ext)
for res in gen_record_layer.sendRecord(server_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeClientCert()
self.assertEqual(err.exception.description,
AlertDescription.illegal_parameter)
def open(self, host = '', port = IMAP4_TLS_PORT):
"""Setup connection to remote server on "host:port".
This connection will be used by the routines:
read, readline, send, shutdown.
"""
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((host, port))
self.sock = TLSConnection(self.sock)
ClientHelper._handshake(self, self.sock)
self.file = self.sock.makefile('rb')
def test_connection_no_rsa_pss(self):
settings = HandshakeSettings()
settings.maxVersion = (3, 3)
# exclude pss as the keys in this module are too small for
# the needed salt size for sha512 hash
settings.rsaSchemes = ["pkcs1"]
conn = TLSConnection(self.client_socket)
conn.handshakeClientCert(serverName="localhost", settings=settings)
self.assertIn(conn.session.cipherSuite, CipherSuite.aeadSuites)
conn.write(bytearray(b"client hello"))
ret = conn.read(min=len("Conn OK"))
self.assertEqual(ret, bytearray(b"Conn OK"))
def test_keyingMaterialExporter_tls1_3(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 4)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
with self.assertRaises(AssertionError):
conn.keyingMaterialExporter(bytearray(b'test'), 20)
def test_keyingMaterialExporter_invalid_label(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 1)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
with self.assertRaises(ValueError):
conn.keyingMaterialExporter(bytearray(b'server finished'), 20)
def test_server_with_client_not_using_required_EMS(self):
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 0)
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
client_hello = ClientHello().create(version=(3, 3),
random=bytearray(32),
session_id=bytearray(0),
cipher_suites=ciphers)
for res in gen_record_layer.sendRecord(client_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
hs = HandshakeSettings()
hs.requireExtendedMasterSecret = True
srv_private_key = parsePEMKey(srv_raw_key, private=True)
srv_cert_chain = X509CertChain([X509().parse(srv_raw_certificate)])
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeServer(certChain=srv_cert_chain,
privateKey=srv_private_key,
settings=hs)
self.assertEqual(err.exception.description,
AlertDescription.insufficient_security)
def __init__(self, sock=None):
AsyncStateMachine.__init__(self)
if sock:
self.tlsConnection = TLSConnection(sock)
#Calculate the sibling I'm being mixed in with.
#This is necessary since we override functions
#like readable(), handle_read(), etc., but we
#also want to call the sibling's versions.
for cl in self.__class__.__bases__:
if cl != TLSAsyncDispatcherMixIn and cl != AsyncStateMachine:
self.siblingClass = cl
break
else:
raise AssertionError()
def test_keyingMaterialExporter_invalid_label(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 1)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
with self.assertRaises(ValueError):
conn.keyingMaterialExporter(bytearray(b'server finished'), 20)
def test_keyingMaterialExporter_tls1_3(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 4)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
with self.assertRaises(AssertionError):
conn.keyingMaterialExporter(bytearray(b'test'), 20)
def test_keyingMaterialExporter_tls1_2_sha384(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 3)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(mat,
bytearray(b'1\xb8X\xef\x9b\xa5\n9p\x13\xfaxXI\\$\xdf\xb5\xc7i'))
def test_keyingMaterialExporter_tls1_1(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 2)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(mat,
bytearray(b'\x1f\xf8\x18\x01:\x9f\x15a\xd5x\xaa;Y>' +
b'\xafG\x92AH\xa4'))
def test_keyingMaterialExporter_tls1_2_sha256(self):
sock = MockSocket(bytearray(0))
conn = TLSConnection(sock)
conn._clientRandom = bytearray(b'012345678901234567890123456789ab')
conn._serverRandom = bytearray(b'987654321098765432109876543210ab')
conn._recordLayer.version = (3, 3)
conn.session = Session()
conn.session.cipherSuite = \
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
mat = conn.keyingMaterialExporter(bytearray(b'test'), 20)
self.assertEqual(mat,
bytearray(b'\xe6EQ\x93\xcb!\xe7\x87\x1e\xdd\x85' +
b'\xb2\x08|\xc9\xbfDh\r\x90'))
def setUp(self):
self.client_socket, self.server_socket = socket.socketpair()
self.server_socket.settimeout(1)
self.server = TLSConnection(self.server_socket)
def server_process(server):
settings = HandshakeSettings()
settings.maxVersion = (3, 3)
server.handshakeServer(certChain=self.cert_chain,
privateKey=self.certKey)
ret = server.read(min=len("client hello"))
if ret != bytearray(b"client hello"):
raise AssertionError("incorrect query")
server.write(bytearray(b"Conn OK"))
server.close()
self.thread = threading.Thread(target=server_process,
args=(self.server, ))
self.thread.start()
class POP3_TLS(POP3, ClientHelper):
"""This class extends L{poplib.POP3} with TLS support."""
def __init__(self,
host,
port=POP3_TLS_PORT,
username=None,
password=None,
sharedKey=None,
certChain=None,
privateKey=None,
cryptoID=None,
protocol=None,
x509Fingerprint=None,
x509TrustList=None,
x509CommonName=None,
settings=None):
"""Create a new POP3_TLS.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- username, sharedKey (shared-key)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
shared-keys, or you can do certificate-based server
authentication with one of these argument combinations:
- cryptoID[, protocol] (requires cryptoIDlib)
- x509Fingerprint
- x509TrustList[, x509CommonName] (requires cryptlib_py)
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication. It is
not compatible with shared-keys.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type host: str
@param host: Server to connect to.
@type port: int
@param port: Port to connect to.
@type username: str
@param username: SRP or shared-key username. Requires the
'password' or 'sharedKey' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type sharedKey: str
@param sharedKey: Shared key for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.X509CertChain.X509CertChain} or
L{cryptoIDlib.CertChain.CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP or
shared-key related arguments.
@type privateKey: L{tlslite.utils.RSAKey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP or
shared-key related arguments.
@type cryptoID: str
@param cryptoID: cryptoID for server authentication. Mutually
exclusive with the 'x509...' arguments.
@type protocol: str
@param protocol: cryptoID protocol URI for server
authentication. Requires the 'cryptoID' argument.
@type x509Fingerprint: str
@param x509Fingerprint: Hex-encoded X.509 fingerprint for
server authentication. Mutually exclusive with the 'cryptoID'
and 'x509TrustList' arguments.
@type x509TrustList: list of L{tlslite.X509.X509}
@param x509TrustList: A list of trusted root certificates. The
other party must present a certificate chain which extends to
one of these root certificates. The cryptlib_py module must be
installed to use this parameter. Mutually exclusive with the
'cryptoID' and 'x509Fingerprint' arguments.
@type x509CommonName: str
@param x509CommonName: The end-entity certificate's 'CN' field
must match this value. For a web server, this is typically a
server name such as 'www.amazon.com'. Mutually exclusive with
the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
'x509TrustList' argument.
@type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
self.host = host
self.port = port
msg = "getaddrinfo returns an empty list"
self.sock = None
for res in socket.getaddrinfo(self.host, self.port, 0,
socket.SOCK_STREAM):
af, socktype, proto, canonname, sa = res
try:
self.sock = socket.socket(af, socktype, proto)
self.sock.connect(sa)
except socket.error, msg:
if self.sock:
self.sock.close()
self.sock = None
continue
break
if not self.sock:
raise socket.error, msg
### New code below (all else copied from poplib)
ClientHelper.__init__(self, username, password, sharedKey, certChain,
privateKey, cryptoID, protocol, x509Fingerprint,
x509TrustList, x509CommonName, settings)
self.sock = TLSConnection(self.sock)
self.sock.closeSocket = True
ClientHelper._handshake(self, self.sock)
###
self.file = self.sock.makefile('rb')
self._debugging = 0
self.welcome = self._getresp()
def __init__(self,
host,
port=POP3_SSL_PORT,
timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
username=None,
password=None,
certChain=None,
privateKey=None,
checker=None,
settings=None):
"""Create a new POP3_TLS.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
you can do certificate-based server
authentication with one of these argument combinations:
- x509Fingerprint
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type host: str
@param host: Server to connect to.
@type port: int
@param port: Port to connect to.
@type username: str
@param username: SRP username.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.x509certchain.X509CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP argument.
@type privateKey: L{tlslite.utils.rsakey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP argument.
@type checker: L{tlslite.checker.Checker}
@param checker: Callable object called after handshaking to
evaluate the connection and raise an Exception if necessary.
@type settings: L{tlslite.handshakesettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
self.host = host
self.port = port
sock = socket.create_connection((host, port), timeout)
ClientHelper.__init__(self, username, password, certChain, privateKey,
checker, settings)
connection = TLSConnection(sock)
ClientHelper._handshake(self, connection)
self.sock = connection
self.file = self.sock.makefile('rb')
self._debugging = 0
self.welcome = self._getresp()
def connect(self):
httplib.HTTPConnection.connect(self)
self.sock = TLSConnection(self.sock)
self.sock.ignoreAbruptClose = self.ignoreAbruptClose
ClientHelper._handshake(self, self.sock)
def starttls(self,
username=None,
password=None,
sharedKey=None,
certChain=None,
privateKey=None,
cryptoID=None,
protocol=None,
x509Fingerprint=None,
x509TrustList=None,
x509CommonName=None,
settings=None):
"""Puts the connection to the SMTP server into TLS mode.
If the server supports TLS, this will encrypt the rest of the SMTP
session.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- username, sharedKey (shared-key)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
shared-keys, or you can do certificate-based server
authentication with one of these argument combinations:
- cryptoID[, protocol] (requires cryptoIDlib)
- x509Fingerprint
- x509TrustList[, x509CommonName] (requires cryptlib_py)
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication. It is
not compatible with shared-keys.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type username: str
@param username: SRP or shared-key username. Requires the
'password' or 'sharedKey' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type sharedKey: str
@param sharedKey: Shared key for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.X509CertChain.X509CertChain} or
L{cryptoIDlib.CertChain.CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP or
shared-key related arguments.
@type privateKey: L{tlslite.utils.RSAKey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP or
shared-key related arguments.
@type cryptoID: str
@param cryptoID: cryptoID for server authentication. Mutually
exclusive with the 'x509...' arguments.
@type protocol: str
@param protocol: cryptoID protocol URI for server
authentication. Requires the 'cryptoID' argument.
@type x509Fingerprint: str
@param x509Fingerprint: Hex-encoded X.509 fingerprint for
server authentication. Mutually exclusive with the 'cryptoID'
and 'x509TrustList' arguments.
@type x509TrustList: list of L{tlslite.X509.X509}
@param x509TrustList: A list of trusted root certificates. The
other party must present a certificate chain which extends to
one of these root certificates. The cryptlib_py module must be
installed to use this parameter. Mutually exclusive with the
'cryptoID' and 'x509Fingerprint' arguments.
@type x509CommonName: str
@param x509CommonName: The end-entity certificate's 'CN' field
must match this value. For a web server, this is typically a
server name such as 'www.amazon.com'. Mutually exclusive with
the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
'x509TrustList' argument.
@type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
(resp, reply) = self.docmd("STARTTLS")
if resp == 220:
helper = ClientHelper(username, password, sharedKey, certChain,
privateKey, cryptoID, protocol,
x509Fingerprint, x509TrustList,
x509CommonName, settings)
conn = TLSConnection(self.sock)
conn.closeSocket = True
helper._handshake(conn)
self.sock = conn
self.file = conn.makefile('rb')
return (resp, reply)
def starttls(
self,
username=None,
password=None,
sharedKey=None,
certChain=None,
privateKey=None,
cryptoID=None,
protocol=None,
x509Fingerprint=None,
x509TrustList=None,
x509CommonName=None,
settings=None,
):
"""Puts the connection to the SMTP server into TLS mode.
If the server supports TLS, this will encrypt the rest of the SMTP
session.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- username, sharedKey (shared-key)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
shared-keys, or you can do certificate-based server
authentication with one of these argument combinations:
- cryptoID[, protocol] (requires cryptoIDlib)
- x509Fingerprint
- x509TrustList[, x509CommonName] (requires cryptlib_py)
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication. It is
not compatible with shared-keys.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type username: str
@param username: SRP or shared-key username. Requires the
'password' or 'sharedKey' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type sharedKey: str
@param sharedKey: Shared key for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.X509CertChain.X509CertChain} or
L{cryptoIDlib.CertChain.CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP or
shared-key related arguments.
@type privateKey: L{tlslite.utils.RSAKey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP or
shared-key related arguments.
@type cryptoID: str
@param cryptoID: cryptoID for server authentication. Mutually
exclusive with the 'x509...' arguments.
@type protocol: str
@param protocol: cryptoID protocol URI for server
authentication. Requires the 'cryptoID' argument.
@type x509Fingerprint: str
@param x509Fingerprint: Hex-encoded X.509 fingerprint for
server authentication. Mutually exclusive with the 'cryptoID'
and 'x509TrustList' arguments.
@type x509TrustList: list of L{tlslite.X509.X509}
@param x509TrustList: A list of trusted root certificates. The
other party must present a certificate chain which extends to
one of these root certificates. The cryptlib_py module must be
installed to use this parameter. Mutually exclusive with the
'cryptoID' and 'x509Fingerprint' arguments.
@type x509CommonName: str
@param x509CommonName: The end-entity certificate's 'CN' field
must match this value. For a web server, this is typically a
server name such as 'www.amazon.com'. Mutually exclusive with
the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
'x509TrustList' argument.
@type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
(resp, reply) = self.docmd("STARTTLS")
if resp == 220:
helper = ClientHelper(
username,
password,
sharedKey,
certChain,
privateKey,
cryptoID,
protocol,
x509Fingerprint,
x509TrustList,
x509CommonName,
settings,
)
conn = TLSConnection(self.sock)
conn.closeSocket = True
helper._handshake(conn)
self.sock = conn
self.file = conn.makefile("rb")
return (resp, reply)
def finish_request(self, sock, client_address):
tlsConnection = TLSConnection(sock)
if self.handshake(tlsConnection) == True:
self.RequestHandlerClass(tlsConnection, client_address, self)
tlsConnection.close()
def starttls(self,
username=None, password=None,
certChain=None, privateKey=None,
checker=None,
settings=None):
"""Puts the connection to the SMTP server into TLS mode.
If the server supports TLS, this will encrypt the rest of the SMTP
session.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
you can do certificate-based server
authentication with one of these argument combinations:
- x509Fingerprint
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type username: str
@param username: SRP username. Requires the
'password' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.x509certchain.X509CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP arguments.
@type privateKey: L{tlslite.utils.rsakey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP arguments.
@type checker: L{tlslite.checker.Checker}
@param checker: Callable object called after handshaking to
evaluate the connection and raise an Exception if necessary.
@type settings: L{tlslite.handshakesettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
(resp, reply) = self.docmd("STARTTLS")
if resp == 220:
helper = ClientHelper(
username, password,
certChain, privateKey,
checker,
settings)
conn = TLSConnection(self.sock)
helper._handshake(conn)
self.sock = conn
self.file = conn.makefile('rb')
return (resp, reply)
class IMAP4_TLS(IMAP4, ClientHelper):
"""This class extends L{imaplib.IMAP4} with TLS support."""
def __init__(self,
host='',
port=IMAP4_TLS_PORT,
username=None,
password=None,
sharedKey=None,
certChain=None,
privateKey=None,
cryptoID=None,
protocol=None,
x509Fingerprint=None,
x509TrustList=None,
x509CommonName=None,
settings=None):
"""Create a new IMAP4_TLS.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- username, sharedKey (shared-key)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
shared-keys, or you can do certificate-based server
authentication with one of these argument combinations:
- cryptoID[, protocol] (requires cryptoIDlib)
- x509Fingerprint
- x509TrustList[, x509CommonName] (requires cryptlib_py)
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication. It is
not compatible with shared-keys.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type host: str
@param host: Server to connect to.
@type port: int
@param port: Port to connect to.
@type username: str
@param username: SRP or shared-key username. Requires the
'password' or 'sharedKey' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type sharedKey: str
@param sharedKey: Shared key for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.X509CertChain.X509CertChain} or
L{cryptoIDlib.CertChain.CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP or
shared-key related arguments.
@type privateKey: L{tlslite.utils.RSAKey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP or
shared-key related arguments.
@type cryptoID: str
@param cryptoID: cryptoID for server authentication. Mutually
exclusive with the 'x509...' arguments.
@type protocol: str
@param protocol: cryptoID protocol URI for server
authentication. Requires the 'cryptoID' argument.
@type x509Fingerprint: str
@param x509Fingerprint: Hex-encoded X.509 fingerprint for
server authentication. Mutually exclusive with the 'cryptoID'
and 'x509TrustList' arguments.
@type x509TrustList: list of L{tlslite.X509.X509}
@param x509TrustList: A list of trusted root certificates. The
other party must present a certificate chain which extends to
one of these root certificates. The cryptlib_py module must be
installed to use this parameter. Mutually exclusive with the
'cryptoID' and 'x509Fingerprint' arguments.
@type x509CommonName: str
@param x509CommonName: The end-entity certificate's 'CN' field
must match this value. For a web server, this is typically a
server name such as 'www.amazon.com'. Mutually exclusive with
the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
'x509TrustList' argument.
@type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
ClientHelper.__init__(self, username, password, sharedKey, certChain,
privateKey, cryptoID, protocol, x509Fingerprint,
x509TrustList, x509CommonName, settings)
IMAP4.__init__(self, host, port)
def open(self, host='', port=IMAP4_TLS_PORT):
"""Setup connection to remote server on "host:port".
This connection will be used by the routines:
read, readline, send, shutdown.
"""
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((host, port))
self.sock = TLSConnection(self.sock)
self.sock.closeSocket = True
ClientHelper._handshake(self, self.sock)
self.file = self.sock.makefile('rb')
def starttls(self,
username=None,
password=None,
certChain=None,
privateKey=None,
use_fido2=False,
domain_name=None,
checker=None,
settings=None):
"""Puts the connection to the SMTP server into TLS mode.
If the server supports TLS, this will encrypt the rest of the SMTP
session.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- certChain, privateKey (certificate)
- use_fido2, domain_name (and username) (FIDO2)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP, FIDO2 or
you can do certificate-based server
authentication with one of these argument combinations:
- x509Fingerprint
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
:py:class:`~tlslite.tlsconnection.TLSConnection` for details on which
exceptions might be raised.
:type username: str
:param username: SRP or FIDO2 username. Requires the
'password' argument for SRP.
:type password: str
:param password: SRP password for mutual authentication.
Requires the 'username' argument.
:type certChain: ~tlslite.x509certchain.X509CertChain
:param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP arguments.
:type privateKey: ~tlslite.utils.rsakey.RSAKey
:param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP arguments.
:type use_fido2: bool
:param use_fido2: Indication whether or not to use FIDO2
authentication. Requires the 'domain_name' parameter or 'host'
as domain name.
:type domain_name: str
:param domain_name: The domain name of the server to authenticate
against using FIDO2. May be omitted if host is given as a domain
name.
:type checker: ~tlslite.checker.Checker
:param checker: Callable object called after handshaking to
evaluate the connection and raise an Exception if necessary.
:type settings: ~tlslite.handshakesettings.HandshakeSettings
:param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
(resp, reply) = self.docmd("STARTTLS")
if resp == 220:
helper = ClientHelper(username, password, certChain, privateKey,
use_fido2, domain_name, checker, settings)
conn = TLSConnection(self.sock)
helper._handshake(conn)
self.sock = conn
self.file = conn.makefile('rb')
return (resp, reply)
class IMAP4_TLS(IMAP4, ClientHelper):
"""This class extends L{imaplib.IMAP4} with TLS support."""
def __init__(self,
host='',
port=IMAP4_TLS_PORT,
username=None,
password=None,
certChain=None,
privateKey=None,
checker=None,
settings=None):
"""Create a new IMAP4_TLS.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP
or you can do certificate-based server
authentication with one of these argument combinations:
- x509Fingerprint
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type host: str
@param host: Server to connect to.
@type port: int
@param port: Port to connect to.
@type username: str
@param username: SRP username. Requires the
'password' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.x509certchain.X509CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP arguments.
@type privateKey: L{tlslite.utils.rsakey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP arguments.
@type checker: L{tlslite.checker.Checker}
@param checker: Callable object called after handshaking to
evaluate the connection and raise an Exception if necessary.
@type settings: L{tlslite.handshakesettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
ClientHelper.__init__(self, username, password, certChain, privateKey,
checker, settings)
IMAP4.__init__(self, host, port)
def open(self, host='', port=IMAP4_TLS_PORT):
"""Setup connection to remote server on "host:port".
This connection will be used by the routines:
read, readline, send, shutdown.
"""
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((host, port))
self.sock = TLSConnection(self.sock)
ClientHelper._handshake(self, self.sock)
self.file = self.sock.makefile('rb')
def finish_request(self, sock, client_address):
tlsConnection = TLSConnection(sock)
if self.handshake(tlsConnection) == True:
self.RequestHandlerClass(tlsConnection, client_address, self)
tlsConnection.close()
class IMAP4_TLS(IMAP4, ClientHelper):
"""This class extends L{imaplib.IMAP4} with TLS support."""
def __init__(self, host = '', port = IMAP4_TLS_PORT,
username=None, password=None, sharedKey=None,
certChain=None, privateKey=None,
cryptoID=None, protocol=None,
x509Fingerprint=None,
x509TrustList=None, x509CommonName=None,
settings=None):
"""Create a new IMAP4_TLS.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- username, sharedKey (shared-key)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
shared-keys, or you can do certificate-based server
authentication with one of these argument combinations:
- cryptoID[, protocol] (requires cryptoIDlib)
- x509Fingerprint
- x509TrustList[, x509CommonName] (requires cryptlib_py)
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication. It is
not compatible with shared-keys.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type host: str
@param host: Server to connect to.
@type port: int
@param port: Port to connect to.
@type username: str
@param username: SRP or shared-key username. Requires the
'password' or 'sharedKey' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type sharedKey: str
@param sharedKey: Shared key for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.X509CertChain.X509CertChain} or
L{cryptoIDlib.CertChain.CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP or
shared-key related arguments.
@type privateKey: L{tlslite.utils.RSAKey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP or
shared-key related arguments.
@type cryptoID: str
@param cryptoID: cryptoID for server authentication. Mutually
exclusive with the 'x509...' arguments.
@type protocol: str
@param protocol: cryptoID protocol URI for server
authentication. Requires the 'cryptoID' argument.
@type x509Fingerprint: str
@param x509Fingerprint: Hex-encoded X.509 fingerprint for
server authentication. Mutually exclusive with the 'cryptoID'
and 'x509TrustList' arguments.
@type x509TrustList: list of L{tlslite.X509.X509}
@param x509TrustList: A list of trusted root certificates. The
other party must present a certificate chain which extends to
one of these root certificates. The cryptlib_py module must be
installed to use this parameter. Mutually exclusive with the
'cryptoID' and 'x509Fingerprint' arguments.
@type x509CommonName: str
@param x509CommonName: The end-entity certificate's 'CN' field
must match this value. For a web server, this is typically a
server name such as 'www.amazon.com'. Mutually exclusive with
the 'cryptoID' and 'x509Fingerprint' arguments. Requires the
'x509TrustList' argument.
@type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
ClientHelper.__init__(self,
username, password, sharedKey,
certChain, privateKey,
cryptoID, protocol,
x509Fingerprint,
x509TrustList, x509CommonName,
settings)
IMAP4.__init__(self, host, port)
def open(self, host = '', port = IMAP4_TLS_PORT):
"""Setup connection to remote server on "host:port".
This connection will be used by the routines:
read, readline, send, shutdown.
"""
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((host, port))
self.sock = TLSConnection(self.sock)
self.sock.closeSocket = True
ClientHelper._handshake(self, self.sock)
self.file = self.sock.makefile('rb')
def starttls(self,
username=None,
password=None,
certChain=None,
privateKey=None,
checker=None,
settings=None):
"""Puts the connection to the SMTP server into TLS mode.
If the server supports TLS, this will encrypt the rest of the SMTP
session.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP or
you can do certificate-based server
authentication with one of these argument combinations:
- x509Fingerprint
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type username: str
@param username: SRP username. Requires the
'password' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.x509certchain.X509CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP arguments.
@type privateKey: L{tlslite.utils.rsakey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP arguments.
@type checker: L{tlslite.checker.Checker}
@param checker: Callable object called after handshaking to
evaluate the connection and raise an Exception if necessary.
@type settings: L{tlslite.handshakesettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
(resp, reply) = self.docmd("STARTTLS")
if resp == 220:
helper = ClientHelper(username, password, certChain, privateKey,
checker, settings)
conn = TLSConnection(self.sock)
helper._handshake(conn)
self.sock = conn
self.file = conn.makefile('rb')
return (resp, reply)
class IMAP4_TLS(IMAP4, ClientHelper):
"""This class extends L{imaplib.IMAP4} with TLS support."""
def __init__(self, host = '', port = IMAP4_TLS_PORT,
username=None, password=None,
certChain=None, privateKey=None,
checker=None,
settings=None):
"""Create a new IMAP4_TLS.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- certChain, privateKey (certificate)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP
or you can do certificate-based server
authentication with one of these argument combinations:
- x509Fingerprint
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
L{tlslite.TLSConnection.TLSConnection} for details on which
exceptions might be raised.
@type host: str
@param host: Server to connect to.
@type port: int
@param port: Port to connect to.
@type username: str
@param username: SRP username. Requires the
'password' argument.
@type password: str
@param password: SRP password for mutual authentication.
Requires the 'username' argument.
@type certChain: L{tlslite.x509certchain.X509CertChain}
@param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP arguments.
@type privateKey: L{tlslite.utils.rsakey.RSAKey}
@param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP arguments.
@type checker: L{tlslite.checker.Checker}
@param checker: Callable object called after handshaking to
evaluate the connection and raise an Exception if necessary.
@type settings: L{tlslite.handshakesettings.HandshakeSettings}
@param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
ClientHelper.__init__(self,
username, password,
certChain, privateKey,
checker,
settings)
IMAP4.__init__(self, host, port)
def open(self, host = '', port = IMAP4_TLS_PORT):
"""Setup connection to remote server on "host:port".
This connection will be used by the routines:
read, readline, send, shutdown.
"""
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((host, port))
self.sock = TLSConnection(self.sock)
ClientHelper._handshake(self, self.sock)
self.file = self.sock.makefile('rb')
def __init__(self,
host,
port=POP3_SSL_PORT,
timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
username=None,
password=None,
certChain=None,
privateKey=None,
use_fido2=False,
domain_name=None,
checker=None,
settings=None):
"""Create a new POP3_TLS.
For client authentication, use one of these argument
combinations:
- username, password (SRP)
- certChain, privateKey (certificate)
- use_fido2, domain_name (and username) (FIDO2)
For server authentication, you can either rely on the
implicit mutual authentication performed by SRP, FIDO2, or
you can do certificate-based server
authentication with one of these argument combinations:
- x509Fingerprint
Certificate-based server authentication is compatible with
SRP or certificate-based client authentication.
The caller should be prepared to handle TLS-specific
exceptions. See the client handshake functions in
:py:class:`~tlslite.tlsconnection.TLSConnection`
for details on which
exceptions might be raised.
:type host: str
:param host: Server to connect to.
:type port: int
:param port: Port to connect to.
:type username: str
:param username: SRP or FIDO2 username. Requires the
'password' argument for SRP.
:type password: str
:param password: SRP password for mutual authentication.
Requires the 'username' argument.
:type certChain: ~tlslite.x509certchain.X509CertChain
:param certChain: Certificate chain for client authentication.
Requires the 'privateKey' argument. Excludes the SRP argument.
:type privateKey: ~tlslite.utils.rsakey.RSAKey
:param privateKey: Private key for client authentication.
Requires the 'certChain' argument. Excludes the SRP argument.
:type use_fido2: bool
:param use_fido2: Indication whether or not to use FIDO2
authentication. Requires the 'domain_name' parameter or 'host'
as domain name.
:type domain_name: str
:param domain_name: The domain name of the server to authenticate
against using FIDO2. May be omitted if host is given as a domain
name.
:type checker: ~tlslite.checker.Checker
:param checker: Callable object called after handshaking to
evaluate the connection and raise an Exception if necessary.
:type settings: ~tlslite.handshakesettings.HandshakeSettings
:param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
"""
self.host = host
self.port = port
sock = socket.create_connection((host, port), timeout)
ClientHelper.__init__(self, username, password, certChain, privateKey,
use_fido2, domain_name, checker, settings)
connection = TLSConnection(sock)
ClientHelper._handshake(self, connection)
self.sock = connection
self.file = self.sock.makefile('rb')
self._debugging = 0
self.welcome = self._getresp()
