o 6ab @sdZddlmZddlZddlmZddlmZddlmZddlmZddlm Z dd lm Z dd lm Z dd lm Z dd lm Z ddlZdd lmZddlmZddlmZddlmZddlmZddlmZdZdZidddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd?d@ ZedAdBeDZeedCdBeDdDedEe fdFdGZ!GdHdIdIej"ej#Z#GdJdKdKej$eZ%GdLdMdMe%Z&e&dNZ'e&dOZ(e&dPZ)e&dQZ*e&dRZ+e&dSZ,e&dTZ-e&dUZ.GdVdWdWe%Z/e/d)Z0e/dXZ1GdYdZdZej"Z2Gd[d\d\ej$Z3Gd]d^d^ej"Z4Gd_d`d`e4Z5Gdadbdbej"Z6GdcddddZ7Gdedfdfe6Z8e3j9Gdgdhdhee8Z:Gdidjdjee8Z;Gdkdldle5ZGdqdrdre6Z?e3j9Gdsdtdtee?Z@Gdudvdvee?ZAGdwdxdxe5ZBe3j9Gdydzdzeej"ZCGd{d|d|e5ZDe3j9Gd}d~d~eej"ZEGddde6ZFGddde5ZGe3j9GdddeFZHdS)zACME protocol messages.)HashableN)Any)Dict)Iterator)List)Mapping)MutableMapping)Tuple)Type)Optional challenges)errors)fields)jws)util) ResourceMixinzurn:acme:error:zurn:ietf:params:acme:error:accountDoesNotExistz4The request specified an account that does not existalreadyRevokedzOThe request specified a certificate to be revoked that has already been revokedbadCSRz2The CSR is unacceptable (e.g., due to a short key)badNoncez1The client sent an unacceptable anti-replay nonce badPublicKeyz>The JWS was signed by a public key the server does not supportbadRevocationReasonz;The revocation reason provided is not allowed by the serverbadSignatureAlgorithmz@The JWS was signed with an algorithm the server does not supportcaaz\Certification Authority Authorization (CAA) records forbid the CA from issuing a certificatecompoundzBSpecific error conditions are indicated in the "subproblems" array connectionz?The server could not connect to the client to verify the domaindnszAThere was a problem with a DNS query during identifier validationdnssecz4The server could not validate a DNSSEC signed domainincorrectResponsez;Response received didn't match the challenge's requirements invalidEmailz1The provided email for a registration was invalidinvalidContactz$The provided contact URI was invalid malformedz!The request message was malformedrejectedIdentifierz9The server will not issue certificates for the identifierzLThe request attempted to finalize an order that is not ready to be finalizedz,There were too many requests of a given typez(The server experienced an internal errorz=The server experienced a TLS error during domain verificationz)The client lacks sufficient authorizationz@A contact URL for an account used an unsupported protocol schemez*The server could not resolve a domain namez'An identifier is of an unsupported typez,The server requires external account binding) orderNotReady rateLimitedserverInternaltls unauthorizedunsupportedContact unknownHostunsupportedIdentifierexternalAccountRequiredcc |] \}}t||fVqdSN) ERROR_PREFIX.0namedescr4//usr/lib/python3/dist-packages/acme/messages.py ; r6ccr-r.)OLD_ERROR_PREFIXr0r4r4r5r6>r7errreturncCs,t|tr|jdurt|jvpt|jvSdS)z#Check if argument is an ACME error.NF) isinstanceErrortypr/r8)r9r4r4r5 is_acme_errorBsr>c@seZdZdZejddddZejdddZejdddZe d e d e d dfd d Z e d ee fddZe d ee fddZd e fddZdS)r<zACME error. https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00 :ivar unicode typ: :ivar unicode title: :ivar unicode detail: typeTz about:blank omitemptydefaulttitlerAdetailcodekwargsr:cKs.|tvr td|t|}|dd|i|S)zCreate an Error instance with an ACME Error code. :unicode code: An ACME error code, like 'dnssec'. :kwargs: kwargs to pass to Error. z4The supplied code: %s is not a known ACME error coder=Nr4) ERROR_CODES ValueErrorr/)clsrFrGr=r4r4r5 with_codeWs zError.with_codecCs t|jS)zHardcoded error description based on its type. :returns: Description if standard ACME error or ``None``. :rtype: unicode )ERROR_TYPE_DESCRIPTIONSgetr=selfr4r4r5 descriptiongs zError.descriptioncCs(t|jjdddd}|tvr|SdS)zACME error code. Basically self.typ without the ERROR_PREFIX. :returns: error code if standard ACME code or ``None``. :rtype: unicode :)maxsplitN)strr=rsplitrH)rOrFr4r4r5rFqs z Error.codecCs(ddd|j|j|j|jfDS)Ns :: css$|] }|dur|ddVqdS)Nasciibackslashreplace)encode)r1partr4r4r5r6s z Error.__str__..)joinr=rPrErCdecoderNr4r4r5__str__s z Error.__str__N)__name__ __module__ __qualname____doc__joseFieldr=rCrE classmethodrUrrKpropertyr rPrFr]r4r4r4r5r<Is  r<cseZdZUdZdZeZeedfe d<deddffdd Z defd d Z e d eddfd d Z defddZdedefddZdefddZZS) _ConstantzACME constant.r2POSSIBLE_NAMESr2r:Ncst||j|<||_dSr.)super__init__rhr2rOr2 __class__r4r5rjs   z_Constant.__init__cC|jSr.rgrNr4r4r5to_partial_jsonz_Constant.to_partial_jsonjobjcCs&||jvrtd|j|j|S)Nz{0} not recognized)rhrbDeserializationErrorformatr^rJrqr4r4r5 from_jsons   z_Constant.from_jsoncCsd|jj|jS)Nz{0}({1}))rsrmr^r2rNr4r4r5__repr__z_Constant.__repr__othercCst|t|o |j|jkSr.)r;r?r2)rOrxr4r4r5__eq__sz_Constant.__eq__cCst|j|jfSr.)hashrmr2rNr4r4r5__hash__sz_Constant.__hash__)r^r_r`ra __slots__NotImplementedrhrrU__annotations__rjrordrurvrboolryintr{ __classcell__r4r4rlr5rfs rfc@&eZdZUdZiZeedfed<dS)StatuszACME "status" field.rhNr^r_r`rarhrrUr~r4r4r4r5r runknownpending processingvalidinvalidrevokedready deactivatedc@r)IdentifierTypezACME identifier type.rhNrr4r4r4r5rrripc@s*eZdZdZejdejdZedZ dS) IdentifierzNACME identifier. :ivar IdentifierType typ: :ivar unicode value: r?decodervalueN) r^r_r`rarbrcrrur=rr4r4r4r5rsrc@seZdZUdZiZeeedfed<Gddde j Z e dedefddZ e d eddedfd d Zd eeefdd fddZdedefddZdedefddZdeeeffddZe d eeefddfddZd S) Directoryz Directory._REGISTERED_TYPEScseZdZdZejdddZejdddZejdddZejdddZ ejdddZ d e d d ffd d Z e d efddZd eeffdd Zded efddZZS)zDirectory.MetazDirectory Meta.zterms-of-serviceTrDtermsOfServicewebsite caaIdentitiesr,rGr:Nc ,fdd|D}tjdi|dS)Nci|] \}}||qSr4_internal_namer1kvrNr4r5 z+Directory.Meta.__init__..r4itemsrirjrOrGrlrNr5rjzDirectory.Meta.__init__cC |jp|jS)zURL for the CA TOS)_terms_of_service_terms_of_service_v2rNr4r4r5terms_of_service zDirectory.Meta.terms_of_servicec#0tD]}|dkr|ddn|VqdS)NrrRri__iter__rkrlr4r5rzDirectory.Meta.__iter__r2cC|dkrd|S|S)Nr_r4rkr4r4r5rzDirectory.Meta._internal_name)r^r_r`rarbrcrrrcaa_identitiesexternal_account_requiredrrjrerUrrrrrr4r4rlr5Metasrkeyr:cCs t|d|S)N resource_type)getattr)rJrr4r4r5 _canon_keys zDirectory._canon_keyresource_body_clscCs"|j}||jvs J||j|<|S)zRegister resource.)rr)rJrrr4r4r5registers zDirectory.registerrqNcCst||j}||_dSr.)rmap_keysr_jobj)rOrq canon_jobjr4r4r5rjs zDirectory.__init__r2c Cs8z ||ddWSty}ztt|d}~ww)Nr-)replaceKeyErrorAttributeErrorrU)rOr2errorr4r4r5 __getattr__s  zDirectory.__getattr__cCs8z |j||WStytd||dw)NzDirectory field "z " not found)rrrrkr4r4r5 __getitem__s  zDirectory.__getitem__cCrnr.)rrNr4r4r5rorpzDirectory.to_partial_jsoncCs |j|di|d<||S)Nmeta)rrupoprtr4r4r5ruszDirectory.from_json)r^r_r`rarrrUr r~rbJSONObjectWithFieldsrrdrrrrrjrrrorrur4r4r4r5rs  rc@eZdZdZedZdS)ResourcezOACME Resource. :ivar acme.messages.ResourceBody body: Resource body. bodyN)r^r_r`rarbrcrr4r4r4r5rrc@r)ResourceWithURIzQACME Resource with URI. :ivar unicode ~.uri: Location of the resource. uriN)r^r_r`rarbrcrr4r4r4r5rrrc@seZdZdZdS) ResourceBodyzACME Resource Body.N)r^r_r`rar4r4r4r5r src @s<eZdZdZedejdededede ee ff ddZ d S) ExternalAccountBindingzACME External Account Bindingaccount_public_keykidhmac_key directoryr:c CsRt|}tj|}|d}tj |tj j |dtj j d||}|S)zLCreate External Account Binding Resource from contact details, kid and hmac. newAccount)rN)jsondumpsrorYrbb64 b64decoderJWSsignjwkJWKOctjwaHS256) rJrrrrkey_jsondecoded_hmac_keyurleabr4r4r5 from_data's z ExternalAccountBinding.from_dataN) r^r_r`rardrbJWKrUrrrrr4r4r4r5r$s rc steZdZdZejddejjdZejddddZ ejddd Z ejd dd Z ejd dd Z ejd dd Z ejd dd ZdZdZe  d)deedeedeededdf ddZdeddffdd ZdedeedffddZdeeefdeeeffdd Zdeeefffd!d" Zdeeefffd#d$ Zedeedffd%d&Zedeedffd'd(Z Z!S)* RegistrationzRegistration Resource Body. :ivar josepy.jwk.JWK key: Public key. :ivar tuple contact: Contact information following ACME spec, `tuple` of `unicode`. :ivar unicode agreement: rTrArcontactr4r@ agreementrDstatustermsOfServiceAgreedonlyReturnExistingexternalAccountBindingztel:zmailto:Nphoneemailexternal_account_bindingrGr:c sd|v}t|dd}|dur|j||dur+|fdd|dD|s/|r5t||d<|r;||d<di|S)a Create registration resource from contact details. The `contact` keyword being passed to a Registration object is meaningful, so this function represents empty iterables in its kwargs by passing on an empty `tuple`. rr4Ncsg|]}j|qSr4) email_prefix)r1mailrJr4r5 dsz*Registration.from_data..,r)listrappend phone_prefixextendsplittuple)rJrrrrGcontact_provideddetailsr4rr5rPs  zRegistration.from_datac s8d|vr|ddurt|ddtjdi|dS)z;Note if the user provides a value for the `contact` member.rN _add_contactTr4)object __setattr__rirjrrlr4r5rjpszRegistration.__init__prefix.cstfdd|jDS)Nc3s*|]}|r|tdVqdSr.) startswithlen)r1rErr4r5r6xs z/Registration._filter_contact..)rr)rOrr4rr5_filter_contactws zRegistration._filter_contactrqcCst|ddr |d|d<|S)a The `contact` member of Registration objects should not be required when de-serializing (as it would be if the Fields' `omitempty` flag were `False`), but it should be included in serializations if it was provided. :param jobj: Dictionary containing this Registrations' data :type jobj: dict :returns: Dictionary containing Registrations data to transmit to the server :rtype: dict rFr)rrYrOrqr4r4r5_add_contact_if_appropriate|s z(Registration._add_contact_if_appropriatect}||S)z2Modify josepy.JSONDeserializable.to_partial_json())rirorrrlr4r5ro  zRegistration.to_partial_jsoncr)z;Modify josepy.JSONObjectWithFields.fields_to_partial_json())rifields_to_partial_jsonrrrlr4r5r rz#Registration.fields_to_partial_jsoncC ||jS)z*All phones found in the ``contact`` field.)rrrNr4r4r5phonesrzRegistration.phonescCr )z*All emails found in the ``contact`` field.)rrrNr4r4r5emailsrzRegistration.emails)NNN)"r^r_r`rarbrcrrurrrrterms_of_service_agreedonly_return_existingrrrrdr rUrrrrjr rrrror rer r rr4r4rlr5r7s<  " rc@eZdZdZdZeeZdS)NewRegistrationzNew registration.znew-regNr^r_r`rarrrresourcer4r4r4r5rrc@r)UpdateRegistrationzUpdate registration.regNrr4r4r4r5rrc@s<eZdZdZejdejdZejdddZ ejdddZ dS) RegistrationResourcezRegistration Resource. :ivar acme.messages.Registration body: :ivar unicode new_authzr_uri: Deprecated. Do not use. :ivar unicode terms_of_service: URL for the CA TOS. rrnew_authzr_uriTrDrN) r^r_r`rarbrcrrurrrr4r4r4r5rs rcs*eZdZdZdZejddddZejddddZejde j de d Z e jd dd Zejd ej ddd Zd eddffdd Zdedeffdd Zdeeefffdd Zedeeefdeeefffdd ZedefddZdedefddZdeeffdd Zdedefdd Z Z!S)! ChallengeBodya>Challenge Resource Body. .. todo:: Confusingly, this has a similar name to `.challenges.Challenge`, as well as `.achallenges.AnnotatedChallenge`. Please use names such as ``challb`` to distinguish instances of this class from ``achall``. :ivar acme.challenges.Challenge: Wrapped challenge. Conveniently, all challenge fields are proxied, i.e. you can call ``challb.x`` to get ``challb.chall.x`` contents. :ivar acme.messages.Status status: :ivar datetime.datetime validated: :ivar messages.Error error: )challrTNr@rr)rrArB validatedrDrrGr:c r)Ncrr4rrrNr4r5rrz*ChallengeBody.__init__..r4rrrlrNr5rjrzChallengeBody.__init__r2cst||Sr.)rirYrrkrlr4r5rYrwzChallengeBody.encodecst}||j|Sr.)riroupdaterrrlr4r5ros zChallengeBody.to_partial_jsonrqcs t|}tj||d<|S)Nr)rifields_from_jsonr Challengeru)rJrq jobj_fieldsrlr4r5rs zChallengeBody.fields_from_jsoncCr)zThe URL of this challenge.)_url_urirNr4r4r5rrzChallengeBody.uricCs t|j|Sr.)rrrkr4r4r5rs zChallengeBody.__getattr__c#r)Nr!rRrrkrlr4r5rrzChallengeBody.__iter__cCr)Nrrr4rkr4r4r5rrzChallengeBody._internal_name)"r^r_r`rar|rbrcr!r rruSTATUS_PENDINGrr RFC3339Fieldrr<rrrjrUrYrrordrrrerrrrrrr4r4rlr5rs,  (rc@s<eZdZdZejdejdZedZ e de fddZ dS) ChallengeResourcezChallenge Resource. :ivar acme.messages.ChallengeBody body: :ivar unicode authzr_uri: URI found in the 'up' ``Link`` header. rr authzr_urir:cCs|jjS)zThe URL of the challenge body.)rrrNr4r4r5rszChallengeResource.uriN) r^r_r`rarbrcrrurr%rerUrr4r4r4r5r$s  r$c@seZdZdZejdejddZejdddZ ejdddZ ejdde jd Z e jd ddZejd ddZe jd eeeefd eedffddZ ed eeeeefdfdffddZdS) Authorizationa^Authorization Resource Body. :ivar acme.messages.Identifier identifier: :ivar list challenges: `list` of `.ChallengeBody` :ivar tuple combinations: Challenge combinations (`tuple` of `tuple` of `int`, as opposed to `list` of `list` from the spec). :ivar acme.messages.Status status: :ivar datetime.datetime expires: identifierTrrAr rD combinationsrrexpireswildcardrr:.cCtdd|DS)Ncs|]}t|VqdSr.)rru)r1rr4r4r5r6)z+Authorization.challenges..rrr4r4r5r 'zAuthorization.challengescstfddjDS)z0Combinations with challenges instead of indices.c3s&|]}tfdd|DVqdS)c3s|]}j|VqdSr.r )r1idxrNr4r5r6.r.z@Authorization.resolved_combinations...Nr/)r1comborNr4r5r6.sz6Authorization.resolved_combinations..)rr)rNr4rNr5resolved_combinations+s z#Authorization.resolved_combinationsN)r^r_r`rarbrcrrur'r r)rrrr#r*r+rrrrUrr rrerr4r4r4r4r5r&s (,r&c@r)NewAuthorizationzNew authorization.z new-authzNrr4r4r4r5r52rr5c@r)UpdateAuthorizationzUpdate authorization.authzNrr4r4r4r5r69rr6c@s.eZdZdZejdejdZejdddZ dS)AuthorizationResourcezAuthorization Resource. :ivar acme.messages.Authorization body: :ivar unicode new_cert_uri: Deprecated. Do not use. rr new_cert_uriTrDN) r^r_r`rarbrcr&rurr9r4r4r4r5r8?sr8c@s2eZdZdZdZeeZej dej ej dZ dS)CertificateRequestzACME new-cert request. :ivar josepy.util.ComparableX509 csr: `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509` znew-certcsrrencoderN) r^r_r`rarrrrrbrc decode_csr encode_csrr;r4r4r4r5r:Js  r:c@s$eZdZdZedZedZdS)CertificateResourceaCertificate Resource. :ivar josepy.util.ComparableX509 body: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` :ivar unicode cert_chain_uri: URI found in the 'up' ``Link`` header :ivar tuple authzrs: `tuple` of `AuthorizationResource`. cert_chain_uriauthzrsN)r^r_r`rarbrcrArBr4r4r4r5r@Ws r@c@s<eZdZdZdZeeZej dej ej dZ e dZ dS) Revocationz|Revocation message. :ivar .ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` z revoke-cert certificater<reasonN)r^r_r`rarrrrrbrc decode_cert encode_certrDrEr4r4r4r5rCds  rCc@seZdZdZejdddZejdejddZ ejdddZ ejdddZ ejd ddZ e jd ddZejd dejd Zejd eeeefdeedffddZdS)Ordera_Order Resource Body. :ivar identifiers: List of identifiers for the certificate. :vartype identifiers: `list` of `.Identifier` :ivar acme.messages.Status status: :ivar authorizations: URLs of authorizations. :vartype authorizations: `list` of `str` :ivar str certificate: URL to download certificate as a fullchain PEM. :ivar str finalize: URL to POST to to request issuance once all authorizations have "valid" status. :ivar datetime.datetime expires: When the order expires. :ivar ~.Error error: Any error that occurred during finalization, if applicable. identifiersTrDrr(authorizationsrDfinalizer*rrrr:.cCr,)Ncsr-r.)rru)r1r'r4r4r5r6r.z$Order.identifiers..r/r0r4r4r5rIr1zOrder.identifiersN)r^r_r`rarbrcrIrrurrJrDrKrr#r*r<rrrrrUrr rr4r4r4r5rHss ,rHc@sTeZdZdZejdejdZejdddZ edZ ejdddZ ejd ddZ d S) OrderResourceaOrder Resource. :ivar acme.messages.Order body: :ivar str csr_pem: The CSR this Order will be finalized with. :ivar authorizations: Fully-fetched AuthorizationResource objects. :vartype authorizations: `list` of `acme.messages.AuthorizationResource` :ivar str fullchain_pem: The fetched contents of the certificate URL produced once the order was finalized, if it's present. :ivar alternative_fullchains_pem: The fetched contents of alternative certificate chain URLs produced once the order was finalized, if present and requested during finalization. :vartype alternative_fullchains_pem: `list` of `str` rrcsr_pemTrDrJ fullchain_pemalternative_fullchains_pemN) r^r_r`rarbrcrHrurrMrJrNrOr4r4r4r5rLs  rLc@seZdZdZdZdS)NewOrderz New order.z new-orderN)r^r_r`rarr4r4r4r5rPsrP)Iracollections.abcrrtypingrrrrrrr r r josepyrbacmer rrrr acme.mixinsrr8r/rHdictrrLr BaseExceptionrr>rr<JSONDeSerializablerfrSTATUS_UNKNOWNr"STATUS_PROCESSING STATUS_VALIDSTATUS_INVALIDSTATUS_REVOKED STATUS_READYSTATUS_DEACTIVATEDrIDENTIFIER_FQDN IDENTIFIER_IPrrrrrrrrrrrrr$r&r5r6r8r:r@rCrHrLrPr4r4r4r5s                   !  > F  k B$