def connectionMade(self):
    """Gate a new management connection on the configured TLS passport.

    The certificate check runs only when ``management_use_tls`` is on and a
    ``management_passport`` is configured; with either missing the connection
    is left open without any peer certificate check, so the deployment's
    configuration is what decides whether unauthenticated management peers
    are acceptable.  A peer whose certificate the passport rejects is
    disconnected with CertificateSecurityError as the reason.
    """
    config = DispatcherConfig
    if not (config.management_use_tls and config.management_passport is not None):
        return
    certificate = self.transport.getPeerCertificate()
    if config.management_passport.accept(certificate):
        return
    reason = CertificateSecurityError('peer certificate not accepted')
    self.transport.loseConnection(reason)
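def connectionMade(self):
    """Handle a freshly established connection to the dispatcher.

    Logs the peer address, verifies the dispatcher's certificate against
    ``RelayConfig.passport`` when one is configured, and starts the keepalive
    timer.  A certificate the passport rejects tears the connection down with
    CertificateSecurityError and returns before the timer is created, so no
    keepalive is ever scheduled on a connection that is already closing.
    Without a configured passport no certificate check is performed.
    """
    peer = self.transport.getPeer()
    log.debug("Connected to dispatcher at %s:%d" % (peer.host, peer.port))
    if RelayConfig.passport is not None:
        peer_cert = self.transport.getPeerCertificate()
        if not RelayConfig.passport.accept(peer_cert):
            self.transport.loseConnection(CertificateSecurityError('peer certificate not accepted'))
            # No keepalive watcher for a rejected peer.
            # NOTE(review): assumes connectionLost tolerates a None watcher — confirm.
            self._connection_watcher = None
            return
    self._connection_watcher = RecurrentCall(RelayConfig.keepalive_interval, self._send_keepalive)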
def connectionMade(self):
    """Authenticate a newly connected relay before admitting it.

    When ``DispatcherConfig.passport`` is set the relay's certificate must be
    accepted by it; a rejected peer is disconnected with
    CertificateSecurityError and never registered.  Without a passport no
    certificate check is performed.  An accepted relay is flagged
    ``authenticated`` and handed to the factory through ``new_relay()``.
    """
    passport = DispatcherConfig.passport
    if passport is not None:
        certificate = self.transport.getPeerCertificate()
        accepted = passport.accept(certificate)
        if not accepted:
            error = CertificateSecurityError('peer certificate not accepted')
            self.transport.loseConnection(error)
            return
    self.authenticated = True
    self.factory.new_relay(self)
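def verify_peer(self):
    """Verify the peer's certificate against this session's trust settings.

    Calls gnutls_certificate_verify_peers2() and maps the returned status
    bitmask onto the certificate error hierarchy, reporting the most specific
    known reason first.  Any other non-zero status — a failure bit this method
    does not know by name — is raised as CertificateError instead of being
    ignored, so an unrecognised verification failure cannot pass silently.
    Returns None when the status is clean.

    Raises:
        CertificateAuthorityError: signer not found, or signer is not a CA.
        CertificateError: certificate invalid, or any unmapped failure bit.
        CertificateSecurityError: certificate uses an insecure algorithm.
        CertificateRevokedError: certificate was revoked.
    """
    raw_status = c_uint()
    gnutls_certificate_verify_peers2(self._c_object, byref(raw_status))
    status = raw_status.value
    # Several bits may be set at once; check the most specific reason first.
    if status & GNUTLS_CERT_SIGNER_NOT_FOUND:
        raise CertificateAuthorityError("peer certificate signer not found", self.peer_certificate, self.context)
    if status & GNUTLS_CERT_SIGNER_NOT_CA:
        raise CertificateAuthorityError("peer certificate signer is not a CA", self.peer_certificate, self.context)
    if status & GNUTLS_CERT_INVALID:
        raise CertificateError("peer certificate invalid", self.peer_certificate, self.context)
    if status & GNUTLS_CERT_INSECURE_ALGORITHM:
        raise CertificateSecurityError("peer certificate uses an insecure algorithm ", self.peer_certificate, self.context)
    if status & GNUTLS_CERT_REVOKED:
        raise CertificateRevokedError("peer certificate was revoked", self.peer_certificate, self.context)
    if status:
        # Fail closed on status bits not enumerated above.
        raise CertificateError("peer certificate verification failed (status 0x%x)" % status, self.peer_certificate, self.context)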
def check_status(cls, retcode, function, args):
    """Translate a GnuTLS return code into a Python exception.

    Used as a ctypes errcheck handler: a non-negative ``retcode`` is returned
    unchanged, every negative code raises.  ``-1`` uses the wrapped
    function's ``errmsg`` attribute when present.  For a fatal alert the
    alert code is read from the session passed as ``args[0]`` and looked up
    in ``cls.alert_map``; a mapped entry is re-instantiated (never raised
    directly, so the shared template is not mutated) and anything unmapped
    falls back to GNUTLSError.

    Raises:
        GNUTLSError, OperationWouldBlock, OperationInterrupted, MemoryError,
        CertificateSecurityError, RequestedDataNotAvailable, or the exception
        type mapped from the received alert.
    """
    if retcode >= 0:
        return retcode
    if retcode == -1:
        message = getattr(function, "errmsg", None) or ErrorMessage(retcode)
        raise GNUTLSError(message)
    if retcode == GNUTLS_E_AGAIN:
        raise OperationWouldBlock(gnutls_strerror(retcode))
    if retcode == GNUTLS_E_INTERRUPTED:
        raise OperationInterrupted(gnutls_strerror(retcode))
    if retcode in (GNUTLS_E_MEMORY_ERROR, GNUTLS_E_SHORT_MEMORY_BUFFER):
        raise MemoryError(ErrorMessage(retcode))
    if retcode == GNUTLS_E_NO_CERTIFICATE_FOUND:
        raise CertificateSecurityError(gnutls_strerror(retcode))
    if retcode == GNUTLS_E_FATAL_ALERT_RECEIVED:
        template = cls.alert_map.get(gnutls_alert_get(args[0]))
        if template:
            raise template.__class__(*template.args)
        raise GNUTLSError(ErrorMessage(retcode))
    if retcode == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
        raise RequestedDataNotAvailable(gnutls_strerror(retcode))
    raise GNUTLSError(ErrorMessage(retcode))
class ErrorHandler(object):
    """Map GnuTLS return codes and received alerts onto Python exceptions."""

    # Template exceptions for fatal alerts sent by the peer.  These instances
    # are never raised as-is: check_status() builds a fresh instance of the
    # same class from each template's args.
    alert_map = {
        GNUTLS_A_BAD_CERTIFICATE: CertificateError("peer rejected our certificate as invalid"),
        GNUTLS_A_UNKNOWN_CA: CertificateAuthorityError("peer does not trust our certificate authority"),
        GNUTLS_A_INSUFFICIENT_SECURITY: CertificateSecurityError("peer rejected us on insufficient security"),
        GNUTLS_A_CERTIFICATE_EXPIRED: CertificateExpiredError("peer rejected our certificate as expired"),
        GNUTLS_A_CERTIFICATE_REVOKED: CertificateRevokedError("peer rejected our certificate as revoked"),
    }

    @classmethod
    def check_status(cls, retcode, function, args):
        """Translate a GnuTLS return code into a Python exception.

        Used as a ctypes errcheck handler: a non-negative ``retcode`` is
        returned unchanged, every negative code raises.  ``-1`` uses the
        wrapped function's ``errmsg`` attribute when present.  For a fatal
        alert the alert code is read from the session passed as ``args[0]``
        and looked up in ``alert_map``; anything unmapped falls back to
        GNUTLSError.

        Raises:
            GNUTLSError, OperationWouldBlock, OperationInterrupted,
            MemoryError, CertificateSecurityError,
            RequestedDataNotAvailable, or the exception type mapped from
            the received alert.
        """
        if retcode >= 0:
            return retcode
        if retcode == -1:
            message = getattr(function, "errmsg", None) or ErrorMessage(retcode)
            raise GNUTLSError(message)
        if retcode == GNUTLS_E_AGAIN:
            raise OperationWouldBlock(gnutls_strerror(retcode))
        if retcode == GNUTLS_E_INTERRUPTED:
            raise OperationInterrupted(gnutls_strerror(retcode))
        if retcode in (GNUTLS_E_MEMORY_ERROR, GNUTLS_E_SHORT_MEMORY_BUFFER):
            raise MemoryError(ErrorMessage(retcode))
        if retcode == GNUTLS_E_NO_CERTIFICATE_FOUND:
            raise CertificateSecurityError(gnutls_strerror(retcode))
        if retcode == GNUTLS_E_FATAL_ALERT_RECEIVED:
            template = cls.alert_map.get(gnutls_alert_get(args[0]))
            if template:
                raise template.__class__(*template.args)
            raise GNUTLSError(ErrorMessage(retcode))
        if retcode == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
            raise RequestedDataNotAvailable(gnutls_strerror(retcode))
        raise GNUTLSError(ErrorMessage(retcode))