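async def authenticate_message(request, message_tree, message_payload,
                               fingerprint_lookup):
    """
    Authenticate an incoming OpenADR message against the VEN's registered
    certificate fingerprint.

    The checks run only when the connection is TLS (``request.secure``) and
    the payload carries a ``ven_id``; in every other case the function
    returns without checking anything, so the caller decides whether such
    unauthenticated messages are acceptable.

    Checks, in order (each failure raises
    ``errors.NotRegisteredOrAuthorizedError``):

    1. A client-side certificate must be present on the connection.
    2. ``fingerprint_lookup(ven_id)`` (plain or coroutine) must return a
       non-empty fingerprint; a ``ValueError`` from it means the venID is
       unknown to this VTN.
    3. The connection certificate's fingerprint must equal the registered one.
    4. The certificate embedded in the signed XML must have that same
       fingerprint.
    5. The XMLDSig signature over ``message_tree`` must verify.

    :param request: incoming HTTP request; ``request.secure`` is read and the
        request is handed to ``utils.get_cert_fingerprint_from_request``.
    :param message_tree: parsed XML tree of the message.
    :param message_payload: mapping of the parsed message; only ``ven_id``
        is read.
    :param fingerprint_lookup: callable mapping a venID to its registered
        fingerprint; may return a coroutine, which is awaited here.
    :raises errors.NotRegisteredOrAuthorizedError: on any failed check.
    """
    if not (request.secure and 'ven_id' in message_payload):
        # Nothing to verify here: plain HTTP, or no venID in the message.
        return

    print("Getting cert fingerprint from request")
    connection_fingerprint = utils.get_cert_fingerprint_from_request(
        request)
    print("Checking cert fingerprint")
    if connection_fingerprint is None:
        msg = (
            "Your request must use a client side SSL certificate, of which the "
            "fingerprint must match the fingerprint that you have given to this VTN"
        )
        raise errors.NotRegisteredOrAuthorizedError(msg)

    ven_id = message_payload.get('ven_id')
    try:
        expected_fingerprint = fingerprint_lookup(ven_id)
        # The lookup may be async; awaiting inside the try keeps a ValueError
        # raised by the coroutine on the same "unknown venID" path.
        if iscoroutine(expected_fingerprint):
            expected_fingerprint = await expected_fingerprint
    except ValueError:
        msg = (
            f"Your venID {ven_id} is not known to this VTN. Make sure you use the venID "
            "that you receive from this VTN during the registration step")
        raise errors.NotRegisteredOrAuthorizedError(msg)

    # An empty registered fingerprint is as unusable as a missing one; the
    # message now also tells the client which fingerprint it presented, which
    # is what the VTN operator needs to register it.
    if not expected_fingerprint:
        msg = (
            "This VTN server does not know what your certificate fingerprint is. Please "
            "deliver your fingerprint to the VTN (outside of OpenADR). You used the "
            f"following fingerprint to make this request: {connection_fingerprint}")
        raise errors.NotRegisteredOrAuthorizedError(msg)

    print("Checking connection fingerprint")
    # NOTE(review): the two mismatch messages below echo the registered
    # fingerprint back to a client that only proved it knows a venID; keep the
    # expected value in server-side logs if that disclosure is unwanted.
    if connection_fingerprint != expected_fingerprint:
        msg = (
            f"The fingerprint of your HTTPS certificate {connection_fingerprint} "
            f"does not match the expected fingerprint {expected_fingerprint}"
        )
        raise errors.NotRegisteredOrAuthorizedError(msg)

    print("Checking message fingerprint")
    # The signing certificate is carried inside the message; pin it to the
    # registered fingerprint before the signature itself is checked.
    message_cert = utils.extract_pem_cert(message_tree)
    message_fingerprint = utils.certificate_fingerprint(message_cert)
    if message_fingerprint != expected_fingerprint:
        msg = (
            f"The fingerprint of the certificate used to sign the message "
            f"{message_fingerprint} did not match the fingerprint that this "
            f"VTN has for you {expected_fingerprint}. Make sure you use the correct "
            "certificate to sign your messages.")
        raise errors.NotRegisteredOrAuthorizedError(msg)

    print("Validating XML signature")
    try:
        validate_xml_signature(message_tree)
    except ValueError:
        msg = (
            "The message signature did not match the message contents. Please make sure "
            "you are using the correct XMLDSig algorithm and C14n canonicalization."
        )
        raise errors.NotRegisteredOrAuthorizedError(msg)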
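def validate_xml_signature(xml_tree, cert_fingerprint=None):
    """
    Validate the XMLDSIG signature and the ReplayProtect element.

    The signing certificate is taken from the message itself
    (``utils.extract_pem_cert``), so without ``cert_fingerprint`` this only
    proves the message is consistent with whatever certificate it carries;
    passing the registered fingerprint is what ties the signature to a known
    VEN.

    :param xml_tree: parsed XML tree carrying the signature and the signer's
        PEM certificate.
    :param cert_fingerprint: when given (non-empty), the fingerprint the
        embedded certificate must have; checked before the signature.
    :raises errors.FingerprintMismatch: if ``cert_fingerprint`` is given and
        the embedded certificate's fingerprint differs.
    :raises: whatever ``VERIFIER.verify`` raises for a bad signature and
        whatever ``_verify_replay_protect`` raises for a bad ReplayProtect
        element (both defined outside this function).
    """
    cert = utils.extract_pem_cert(xml_tree)
    if cert_fingerprint:
        fingerprint = utils.certificate_fingerprint(cert)
        if fingerprint != cert_fingerprint:
            # Separator was missing a space, producing "…;Received: …".
            raise errors.FingerprintMismatch(
                "The certificate fingerprint was incorrect. "
                f"Expected: {cert_fingerprint}; "
                f"Received: {fingerprint}")
    # expect_references=2: presumably the message body and the ReplayProtect
    # element must both be covered by the signature — confirm against the signer.
    VERIFIER.verify(xml_tree, x509_cert=utils.ensure_bytes(cert), expect_references=2)
    _verify_replay_protect(xml_tree)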
def validate_xml_signature(xml_tree):
    """
    Check the XMLDSIG signature of ``xml_tree`` and its ReplayProtect element.

    The certificate used for verification is the one embedded in the message
    (``utils.extract_pem_cert``), so this confirms internal consistency only;
    pinning that certificate to a known VEN must happen in the caller.

    :param xml_tree: parsed XML tree carrying the signature and the signer's
        PEM certificate.
    :raises: whatever ``VERIFIER.verify`` raises for a bad signature and
        whatever ``_verify_replay_protect`` raises for a bad ReplayProtect
        element (both defined outside this function).
    """
    pem_cert = utils.extract_pem_cert(xml_tree)
    cert_bytes = utils.ensure_bytes(pem_cert)
    # expect_references=2: presumably body plus ReplayProtect — confirm.
    VERIFIER.verify(xml_tree, x509_cert=cert_bytes, expect_references=2)
    _verify_replay_protect(xml_tree)