Compiled CPython bytecode (.pyc) of acme/challenges.py from the certbot "acme" package, installed at /usr/lib/python3/dist-packages/acme/challenges.py. Only string constants survive extraction: the module docstring, the imported modules, class and attribute names, docstrings and a few literals. The recoverable content, in the order the classes are defined:

Module docstring: "ACME Identifier Validation Challenges."

Imports: abc, codecs, functools, hashlib, logging, socket, typing (Any, Dict, Mapping, Optional, Tuple, Type, cast), cryptography.hazmat.primitives.hashes, josepy (as jose), OpenSSL.crypto, OpenSSL.SSL, requests, acme.crypto_util, acme.errors, acme.fields, acme.mixins (ResourceMixin, TypeMixin). A module logger is created with logging.getLogger(__name__).

Challenge (jose.TypedJSONObjectWithFields): "ACME challenge." Keeps a TYPES registry; from_json falls back to UnrecognizedChallenge when josepy raises UnrecognizedTypeError (logged at debug level), so a challenge type the client does not know is preserved rather than rejected.

ChallengeResponse (ResourceMixin, TypeMixin, jose.TypedJSONObjectWithFields): "ACME challenge response." Own TYPES registry; resource_type = 'challenge'; resource = fields.Resource(resource_type).

UnrecognizedChallenge (Challenge): "Unrecognized challenge. ACME specification defines a generic framework for challenges and defines some standard challenges that are implemented in this module. However, other implementations (including peers) might define additional challenge types, which should be ignored if unrecognized. :ivar jobj: Original JSON decoded object." Stores the decoded JSON as jobj; to_partial_json returns it unchanged; from_json wraps it.

_TokenChallenge (Challenge): "Challenge with token. :ivar bytes token:". TOKEN_SIZE = 128 // 8 (16 bytes); the token field is encoded with jose.encode_b64jose and decoded with jose.decode_b64jose(size=TOKEN_SIZE, minimum=True), so shorter tokens fail decoding. good_token (property): "Is `token` good? .. todo:: acme-spec wants 'It MUST NOT contain any non-ASCII characters', but it should also warrant that it doesn't contain '..' or '/'..." The check returns True iff "../" not in token and "/" not in token.

KeyAuthorizationChallengeResponse (ChallengeResponse): "Response to Challenges based on Key Authorization. :param unicode key_authorization:". Field key_authorization (JSON name "keyAuthorization"); thumbprint_hash_function = hashes.SHA256. verify(chall, account_public_key) -> bool: "Verify the key authorization. :return: True iff verification of the key authorization was successful." Splits on "."; logs "Key authorization (%r) is not well formed" unless there are exactly two parts, "Mismatching token in key authorization: %r instead of %r" if the first part differs from chall.token, and "Mismatching thumbprint in key authorization: %r instead of %r" if the second part differs from jose.b64encode(account_public_key.thumbprint(hash_function=thumbprint_hash_function)); returns True only when all three checks pass. to_partial_json drops the resource field.

KeyAuthorizationChallenge (_TokenChallenge, metaclass=abc.ABCMeta): "Challenge based on Key Authorization. :param response_cls: Subclass of KeyAuthorizationChallengeResponse that will be used to generate response. :param str typ: type of the challenge". key_authorization(account_key): "Generate Key Authorization." Returns encode_b64jose(token) + "." + b64encode(thumbprint(account_key)). response(account_key): "Generate response to the challenge." Returns response_cls(key_authorization=...). validation(account_key, **kwargs) is abstract: "Subclasses must implement this method, but they are likely to return completely different data structures, depending on what's necessary to complete the challenge. Interpretation of that return value must be known to the caller." response_and_validation: "Convenience function that return results of response and validation."

DNS01Response (KeyAuthorizationChallengeResponse): "ACME dns-01 challenge response."; typ = 'dns-01'. simple_verify(chall, domain, account_public_key): "This method no longer checks DNS records and is a simple wrapper around KeyAuthorizationChallengeResponse.verify." Logs "Verification of key authorization in response failed" on failure.

DNS01 (KeyAuthorizationChallenge): "ACME dns-01 challenge."; response_cls = DNS01Response; typ = 'dns-01'; LABEL = '_acme-challenge'. validation(account_key): base64url of SHA-256 over the UTF-8 key authorization. validation_domain_name(name): "Domain name for TXT validation record." Returns "{LABEL}.{name}".

HTTP01Response (KeyAuthorizationChallengeResponse): "ACME http-01 challenge response."; typ = 'http-01'; PORT = 80; WHITESPACE_CUTSET = "\n\r\t ". simple_verify(chall, domain, account_public_key, port=None): ":returns: True iff validation with the files currently served by the HTTP server is successful." Returns False if verify fails; if a port other than PORT is given it logs "Using non-standard port for http-01 verification: %s" and appends ":{port}" to the domain; logs "Verifying %s at %s..."; fetches chall.uri(domain) with requests.get(verify=False); on requests.exceptions.RequestException logs "Unable to reach %s: %s" and returns False; forces the response encoding to ascii, logs "Received %s: %s. Headers: %s", strips WHITESPACE_CUTSET from the end of the body and compares it with key_authorization, logging "Key authorization from response (%r) doesn't match HTTP response (%r)" on mismatch.

HTTP01 (KeyAuthorizationChallenge): "ACME http-01 challenge."; response_cls = HTTP01Response; typ = 'http-01'; URI_ROOT_PATH = '.well-known/acme-challenge'. path: "Path (starting with '/') for provisioned resource." Returns "/" + URI_ROOT_PATH + "/" + encode_b64jose(token). uri(domain): "Create an URI to the provisioned resource." Returns "http://" + domain + path. validation(account_key) returns the key authorization itself.

TLSALPN01Response (KeyAuthorizationChallengeResponse): "ACME tls-alpn-01 challenge response."; typ = 'tls-alpn-01'; PORT = 443; ID_PE_ACME_IDENTIFIER_V1 = '1.3.6.1.5.5.7.1.30.1'; ACME_TLS_1_PROTOCOL = 'acme-tls/1'. h (property): "Hash value stored in challenge certificate", hashlib.sha256 over the UTF-8 key authorization. gen_cert(domain, key=None, bits=2048): "Generate tls-alpn-01 certificate. If key is not provided (None), then fresh key will be generated. :rtype: tuple of OpenSSL.crypto.X509 and OpenSSL.crypto.PKey." Generates an RSA PKey when none is given, encodes the hash as a DER octet-string value ("DER:" prefix plus hex) in a critical X509Extension with the ID_PE_ACME_IDENTIFIER_V1 OID and calls crypto_util.gen_ss_cert(key, [domain], force_san=True, extensions=[acme_extension]). probe_cert(domain, host=None, port=None): "Probe tls-alpn-01 challenge certificate." Resolves the domain with socket.gethostbyname when host is None (logging "%s resolved to %s"), defaults port to PORT, and calls crypto_util.probe_sni(host=host, port=port, name=domain.encode(), alpn_protocols=[ACME_TLS_1_PROTOCOL]). verify_cert(domain, cert): "Verify tls-alpn-01 challenge certificate. :returns: Whether the certificate was successfully verified." Logs "Certificate %s. SANs: %s"; requires exactly one SAN equal to the domain (compared lower-cased); then iterates the extensions and, for the one whose short name is b'UNDEF', returns whether its data equals h; returns False otherwise. simple_verify(chall, domain, account_public_key, cert=None, host=None, port=None): "Verify validation using account_public_key, optionally probe tls-alpn-01 certificate and check using verify_cert. :returns: True if and only if client's control of the domain has been verified." Returns False if verify fails; probes when cert is None, returning False (with exc_info logging) on errors.Error; then returns verify_cert(domain, cert).

TLSALPN01 (KeyAuthorizationChallenge): "ACME tls-alpn-01 challenge."; response_cls = TLSALPN01Response; typ = 'tls-alpn-01'. validation(account_key, **kwargs): "Generate validation. :param unicode domain: Domain verified by the challenge. :param OpenSSL.crypto.PKey cert_key: Optional private key used in certificate generation. :rtype: tuple of OpenSSL.crypto.X509 and OpenSSL.crypto.PKey." Delegates to response(account_key).gen_cert(key=kwargs.get('cert_key'), domain=kwargs.get('domain')). is_supported() (staticmethod): "Check if TLS-ALPN-01 challenge is supported on this machine. This implies that a recent version of OpenSSL is installed (>= 1.0.2), or a recent cryptography version shipped with the OpenSSL library is installed." Implemented as hasattr(SSL.Connection, 'set_alpn_protos') and hasattr(SSL.Context, 'set_alpn_select_callback').

DNS (_TokenChallenge): 'ACME "dns" challenge.'; typ = 'dns'; LABEL = '_acme-challenge'. gen_validation(account_key, alg=jose.RS256, **kwargs): "Generate validation. :returns: This challenge wrapped in .JWS". Signs json_dumps(sort_keys=True) of the challenge with jose.JWS.sign. check_validation(validation, account_public_key): "Check validation." Returns False unless validation.verify(key=account_public_key) succeeds and the JWS payload deserializes to this challenge; logs "Checking validation for DNS failed: %s" on jose.DeserializationError. gen_response(account_key, **kwargs): "Generate response. :rtype: DNSResponse" wrapping gen_validation. validation_domain_name(name) returns "{LABEL}.{name}".

DNSResponse (ChallengeResponse): 'ACME "dns" challenge response. :param JWS validation:'; typ = 'dns'; field validation decoded with jose.JWS.from_json. check_validation(chall, account_public_key) delegates to chall.check_validation(self.validation, account_public_key).
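The key-authorization and validation-value logic that the docstrings above describe can be reproduced with the standard library alone, which makes it easy to check what a client should publish (or what a verifier should expect) without josepy or OpenSSL. The following is an added example, not code from the acme package: it reimplements the RFC 7638 JWK thumbprint, the token sanity checks, the key authorization construction and its verification, and the http-01 and dns-01 values derived from it. The function names are this example's own; the RSA public key is the one from RFC 7638's example, transcribed here, and the token is a constructed sample in the shape ACME servers issue.

```python
"""Key authorization, http-01 and dns-01 validation values, stdlib only."""
import base64
import hashlib
import json
import re

TOKEN_SIZE = 128 // 8                      # minimum decoded token length (acme.challenges.TOKEN_SIZE)
HTTP01_URI_ROOT_PATH = ".well-known/acme-challenge"
DNS01_LABEL = "_acme-challenge"
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict base64url decode; raises ValueError on a bad alphabet or length."""
    if not _B64URL.match(text):
        raise ValueError("not base64url")
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)


def good_token(token: str) -> bool:
    """Mirror of _TokenChallenge.good_token: the token is later used as a path
    component by http-01 responders, so nothing that can escape a directory."""
    return "../" not in token and "/" not in token


def token_is_acceptable(token: str) -> bool:
    """Decode as the library does (size=TOKEN_SIZE, minimum=True), then good_token."""
    try:
        raw = b64url_decode(token)
    except ValueError:
        return False
    return len(raw) >= TOKEN_SIZE and good_token(token)


def jwk_thumbprint(jwk: dict, hash_function=hashlib.sha256) -> str:
    """RFC 7638 thumbprint: hash of the canonical JSON (sorted keys, no whitespace)
    of the required public members only; kid, alg and use do not contribute."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "oct": ("k", "kty")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hash_function(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """KeyAuthorizationChallenge.key_authorization: token '.' thumbprint."""
    return token + "." + jwk_thumbprint(account_jwk)


def verify_key_authorization(key_auth: str, token: str, account_jwk: dict) -> bool:
    """KeyAuthorizationChallengeResponse.verify: exactly two parts, the token
    matches the challenge, the thumbprint matches the account key."""
    parts = key_auth.split(".")
    if len(parts) != 2 or parts[0] != token:
        return False
    return parts[1] == jwk_thumbprint(account_jwk)


def http01_path(token: str) -> str:
    return "/" + HTTP01_URI_ROOT_PATH + "/" + token


def http01_uri(domain: str, token: str) -> str:
    return "http://" + domain + http01_path(token)


def http01_body_matches(body: str, key_auth: str) -> bool:
    """http-01 serves the key authorization verbatim; the verifier tolerates
    trailing whitespace by stripping "\\n\\r\\t " before comparing."""
    return body.rstrip("\n\r\t ") == key_auth


def dns01_record_name(domain: str) -> str:
    return DNS01_LABEL + "." + domain


def dns01_validation(key_auth: str) -> str:
    """dns-01 TXT value: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())


# Constructed sample inputs: the RSA public key from RFC 7638 section 3.1
# (transcribed here; compare the computed thumbprint with the RFC's value)
# and a token in the shape ACME servers issue.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc"
         "_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0"
         "_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhA"
         "I4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("key authorization:", ka)
    print("http-01: GET", http01_uri("example.com", TOKEN), "must return", ka)
    print("dns-01 :", dns01_record_name("example.com"), "TXT", dns01_validation(ka))
    print("token accepted:", token_is_acceptable(TOKEN),
          "| traversal rejected:", not token_is_acceptable("../../etc/passwd"))
```

The token check is the one worth keeping in mind when writing an http-01 responder: the token is chosen by the server, and a responder that writes it straight into a filesystem path trusts the server not to send "../". Decoding it as base64url with a minimum size, as the library's field decoder does, rejects that class of input before good_token is even consulted.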