M/eWdZddlZddlZddlZddlZddlZddlZddlmZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZdd lmZdd lmZdd lmZddlZdd lmZddlmZddlZddlmZddlmZej8eZeddZGddej@Z!Gddej@Z"Gdde!Z#Gdde!Z$Gdde"Z%Gdde$ejLZ'e"jPGd d!e%Z)e!jPGd"d#e'Z*e"jPGd$d%e%Z+e!jPGd&d'e'Z,e"jPGd(d)e%Z-e!jPGd*d+e'Z.e!jPGd,d-e$Z/e"jPGd.d/e"Z0y)0z&ACME Identifier Validation Challenges.N)Any)cast)Dict)Mapping)Optional)Tuple)Type)TypeVar)Union)hashes)crypto)SSL) crypto_util)errorsGenericChallenge Challenge)boundc teZdZUdZiZeeedfed<e dee de ee fde e dfffd ZxZS)rzACME challenge.TYPESclsjobjreturnUnrecognizedChallengec ttt| |S#tj $r4}t j|tj|cYd}~Sd}~wwxYwN) rrsuper from_jsonjoseUnrecognizedTypeErrorloggerdebugr)rrerror __class__s 1/usr/lib/python3/dist-packages/acme/challenges.pyrzChallenge.from_json%sS 9(%'*;D*AB B)) 9 LL (2248 8 9s A')A"A'"A')__name__ __module__ __qualname____doc__rrstrr __annotations__ classmethodrrrr r __classcell__r#s@r$rr sc*,E4T+&& ',9t,-9S)9.34DF]4].^99cReZdZUdZiZeeedfed<deee fffd Z xZ S)ChallengeResponsezACME challenge response.rrc\t|}|j|jd|Sr)rto_partial_jsonpoptype_field_nameselfrr#s r$r2z!ChallengeResponse.to_partial_json4s+w&( %%t, r.) r%r&r'r(rrr)r r*rr2r,r-s@r$r0r0/s9"24E4T-.. /4c3hr.r0ceZdZUdZeeefed<deeefddffd Z deeeffdZ e deeefddfdZ xZ S)ralUnrecognized challenge. ACME specification defines a generic framework for challenges and defines some standard challenges that are implemented in this module. However, other implementations (including peers) might define additional challenge types, which should be ignored if unrecognized. :ivar jobj: Original JSON decoded object. rrNcPt|tj|d|y)Nr)r__init__object __setattr__r5s r$r9zUnrecognizedChallenge.__init__Js  4.r.c|jSr)rr6s r$r2z%UnrecognizedChallenge.to_partial_jsonNs yyr.c||Sr)rrs r$rzUnrecognizedChallenge.from_jsonQs 4yr.)r%r&r'r(rr)rr*rr9r2r+rr,r-s@r$rr<st  sCx./WS#X./4/c3hWS#X.3Jr.rc eZdZUdZdZ ej dejejejedZ e e d<edefdZy ) _TokenChallengez3Challenge with token. :ivar bytes token: g0@tokenT)sizeminimum)encoderdecoderrc>d|jvxrd|jvS)zIs `token` good? .. todo:: acme-spec wants "It MUST NOT contain any non-ASCII characters", but it should also warrant that it doesn't contain ".." or "/"... s../)rBr=s r$ good_tokenz_TokenChallenge.good_tokenes!DJJ&A4tzz+AAr.N)r%r&r'r( TOKEN_SIZErfieldencode_b64jose functoolspartialdecode_b64joserBbytesr*propertyboolrIr?r.r$rArAVss J54::,,6Gi6G6G   j$7@AE5A  BD B Br.rAceZdZUdZej dZeed<e jZ dddejde fdZdeeefffd ZxZS) !KeyAuthorizationChallengeResponsez[Response to Challenges based on Key Authorization. :param str key_authorization: keyAuthorizationkey_authorizationchallKeyAuthorizationChallengeaccount_public_keyrc|jjd}t|dk7r!tj d|jy|d|j dk7r*tj d|d|j dyt j|j|jj}|d |k7rtj d |d|yy ) a%Verify the key authorization. :param KeyAuthorization chall: Challenge that corresponds to this response. :param JWK account_public_key: :return: ``True`` iff verification of the key authorization was successful. :rtype: bool .z)Key authorization (%r) is not well formedFrrBz8Mismatching token in key authorization: %r instead of %r hash_functionz=Mismatching thumbprint in key authorization: %r instead of %rT) rVsplitlenr r!encoder b64encode thumbprintthumbprint_hash_functiondecode)r6rWrYpartsrds r$verifyz(KeyAuthorizationChallengeResponse.verify}s&&,,S1 u:? LLD// 1 8u||G, , LL,-21Xu||G7L N^^$6$A$A77%B%9::@&(  8z ! LL,-21Xz Cr.cHt|}|jdd|S)NrU)rr2r3r5s r$r2z1KeyAuthorizationChallengeResponse.to_partial_jsons$w&( #T* r.)r%r&r'r(rrKrVr)r*r SHA256reJWKrRrhrrr2r,r-s@r$rTrTtse (TZZ(:;s;%}}7TXXZ^@c3hr.rTc eZdZUdZeZeed<eZe e ed<e jZ de jdefdZde jde fdZej"de jdedefd Zde jd ededee effd Zy ) rXzChallenge based on Key Authorization. :param response_cls: Subclass of `KeyAuthorizationChallengeResponse` that will be used to generate ``response``. :param str typ: type of the challenge typ response_cls account_keyrc|jddztj|j|jj zS)zZGenerate Key Authorization. :param JWK account_key: :rtype str: rBr[r])rbrrcrdrerfr6ros r$rVz+KeyAuthorizationChallenge.key_authorizationsO{{7#c)DNN  " "";; # =->>DfhG Gr.cD|j|j|S)zGenerate response to the challenge. :param JWK account_key: :returns: Response (initialized `response_cls`) to the challenge. :rtype: KeyAuthorizationChallengeResponse rV)rnrVrqs r$responsez"KeyAuthorizationChallenge.responses,  "44[A!C Cr.kwargsc t)aGenerate validation for the challenge. Subclasses must implement this method, but they are likely to return completely different data structures, depending on what's necessary to complete the challenge. Interpretation of that return value must be known to the caller. :param JWK account_key: :returns: Challenge-specific validation. )NotImplementedErrorr6rorus r$ validationz$KeyAuthorizationChallenge.validations "##r.argscP|j||j|g|i|fS)zGenerate response and validation. Convenience function that return results of `response` and `validation`. :param JWK account_key: :rtype: tuple )rtry)r6rorzrus r$response_and_validationz1KeyAuthorizationChallenge.response_and_validations2 k* =d=f=? ?r.N)r%r&r'r(NotImplementedrmr)r*rnr rTrerrkrVrtabcabstractmethodrryrr|r?r.r$rXrXs C)> @+//66t7M7MN  ! !%7 7 LL./3/E/E+ --""33  LL13 > sD99E7E22E7)N)r%r&r'r(rmrrr)rrkrintrRrr?r.r$rrs`* C D"OBD686S6dhh6$SM6;>6HL6r.rceZdZdZeZej ZdZ ede fdZ de de fdZ de jdede fd Zy ) rzACME http-01 challenge.z.well-known/acme-challengercJd|jzdz|jdzS)zQPath (starting with '/') for provisioned resource. :rtype: str /rB) URI_ROOT_PATHrbr=s r$pathz HTTP01.pathqs(T'''#- G0DDDr.rc&d|z|jzS)zCreate an URI to the provisioned resource. Forms an URI to the HTTPS server provisioned resource (containing :attr:`~SimpleHTTP.token`). :param str domain: Domain name being verified. :rtype: str zhttp://)r)r6rs r$rz HTTP01.urizs6!DII--r.rorc $|j|S)rrsrs r$ryzHTTP01.validations%%k22r.N)r%r&r'r(rrnrmrrQr)rrrrkrryr?r.r$rrhsj!!L   C0M< EcEE .# .# .3dhh333r.rcheZdZdZdZdZ dZdZede fdZ dd e d e e jd edee j"e jffd Z dd e d e e de ede j"fdZd e de j"defdZ dddd e dej.de e j"d e e de edefdZy)TLSALPN01Responsez$ACME tls-alpn-01 challenge response.z tls-alpn-01is1.3.6.1.5.5.7.1.30.1s acme-tls/1rcztj|jjdj S)z*Hash value stored in challenge certificater)rrrVrbrr=s r$hzTLSALPN01Response.hs-~~d44;;GDELLNNr.Nrkeybitsc2|4tj}|jtj|dt j |j dz}tj|jd|}tj||gd|g|fS)aGenerate tls-alpn-01 certificate. :param str domain: Domain verified by the challenge. :param OpenSSL.crypto.PKey key: Optional private key used in certificate generation. If not provided (``None``), then fresh key will be generated. :param int bits: Number of bits for newly generated key. :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey` sDER:hexT)criticalvalue) force_san extensions) r PKey generate_keyTYPE_RSAcodecsrbr X509ExtensionID_PE_ACME_IDENTIFIER_V1r gen_ss_cert)r6rrr der_valueacme_extensions r$gen_certzTLSALPN01Response.gen_certs ;++-C   V__d 3fmmDFFE:: --d.K.K7;9N&&sVH3A2BDEHI Ir.hostrc|,tj|}tjd||| |j}t j |j||j|jgS)zProbe tls-alpn-01 challenge certificate. :param str domain: domain being validated, required. :param str host: IP address used to probe the certificate. :param int port: Port used to probe the certificate. z%s resolved to %s)rrralpn_protocols) socket gethostbynamer r!rr probe_snirbACME_TLS_1_PROTOCOL)r6rrrs r$ probe_certzTLSALPN01Response.probe_certsk <''/D LL,fd ; <99D$$$++-d595M5M4NP Pr.certctj|}tjd|j d|t |dk7s$|dj |j k7ryt|jD]G}|j|}|jdk(s(|j}||jk(cSy)aVerify tls-alpn-01 challenge certificate. :param str domain: Domain name being validated. :param OpensSSL.crypto.X509 cert: Challenge certificate. :returns: Whether the certificate was successfully verified. :rtype: bool zCertificate %s. SANs: %srr_rFsUNDEF) r _pyopenssl_cert_or_req_all_namesr r!rralowerrangeget_extension_count get_extensionget_short_nameget_datar)r6rrnamesiextdatas r$ verify_certzTLSALPN01Response.verify_certs<ISIFKK45I0=A)-PPHSMP!#P28++P$#V[[T>QU,0!.;!.!.QUQYQY!.$V[[1!.@H !.$SM!.59!.r.rceZdZdZeZej Zdejde de e je jffdZedefdZy)rzACME tls-alpn-01 challenge.rorurc tt|j|j|j dtt |j dS)aGenerate validation. :param JWK account_key: :param str domain: Domain verified by the challenge. :param OpenSSL.crypto.PKey cert_key: Optional private key used in certificate generation. If not provided (``None``), then fresh key will be generated. :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey` cert_keyr)rr)rrrtrrr)rxs r$ryzTLSALPN01.validationsM%t}}['ABKK :&VZZ12L4 4r.cnttjdxrttjdS)ai Check if TLS-ALPN-01 challenge is supported on this machine. This implies that a recent version of OpenSSL is installed (>= 1.0.2), or a recent cryptography version shipped with the OpenSSL library is installed. :returns: ``True`` if TLS-ALPN-01 is supported on this machine, ``False`` otherwise. :rtype: bool set_alpn_protosset_alpn_select_callback)hasattrr ConnectionContextr?r.r$ is_supportedzTLSALPN01.is_supported(s.(9:ECKK)CD Fr.N)r%r&r'r(rrnrmrrkrrr rrry staticmethodrRrr?r.r$rrsf%$L   C4dhh4#4% U[U`U`H`Ba4" F$ F Fr.rc eZdZdZdZdZ ejfdejdejde dejfdZ d ejd ejde fd Zdejde dd fd ZdedefdZy)DNSzACME "dns" challenge.dnsrroalgrurc tjjd|jdj d||d|S)zGenerate validation. :param .JWK account_key: Private account key. :param .JWA alg: :returns: This challenge wrapped in `.JWS` :rtype: .JWS T) sort_keysr)payloadrrr?)rJWSsign json_dumpsrb)r6rorrus r$gen_validationzDNS.gen_validation?sDxx}}0OOdO3::7C0(.0 0r.ryrYc|j|sy ||j|jjdk(S#tj $r }t jd|Yd}~yd}~wwxYw)zwCheck validation. :param JWS validation: :param JWK account_public_key: :rtype: bool )rFrz&Checking validation for DNS failed: %sN)rh json_loadsrrfrDeserializationErrorr r!)r6ryrYr"s r$check_validationzDNS.check_validationNsr  %7 8 4??""))'244 4((  LLA5 I s,AA5A00A5 DNSResponsec <t|j|fi|S)zGenerate response. :param .JWK account_key: Private account key. :param .JWA alg: :rtype: DNSResponse )ry)rrrxs r$ gen_responsezDNS.gen_response_s"&9d&9&9+&P&PQQr.rc:dj|j|S)zgDomain name for TXT validation record. :param str name: Domain name being validated. z{0}.{1})rrrs r$rzDNS.validation_domain_namejs  D11r.N)r%r&r'r(rmrrRS256rk JWASignaturerrrrRrrr)rr?r.r$rr7s C ECMQZZ 0$(( 09J9J 0!$ 0)- 0488VZ" R RC RM R23232r.rceZdZUdZdZej dejjZ eje d<dddejde fd Z y ) rz@ACME "dns" challenge response. :param JWS validation: rry)rFrWrrYrc:|j|j|S)z~Check validation. :param challenges.DNS chall: :param JWK account_public_key: :rtype: bool )rry)r6rWrYs r$rzDNSResponse.check_validation~s%%doo7IJJr.N)r%r&r'r(rmrrKrrryr*rkrRrr?r.r$rrssU C%4::lDHHrs,  1   8 $-[A 9.. 9 66 I4BiB<,(9,d>?3;;>?B54 & %&&8E6EEP $3 &$3$3N}.9}.}.@ "F)"F"FJ 82/8282vK#KKr.