U [ ^R@s,dZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z zddl m Z Wn e k rddlm Z YnXd Zd Zd d d ddddddddddddddddddd d!d"d#d$d%Zed&d'eDZeed(d'eDd)d*ZejGd+d,d,ejejZGd-d.d.eje ZGd/d0d0eZed1Zed2Zed3Zed4Z ed5Z!ed6Z"ed7Z#ed8Z$Gd9d:d:eZ%e%d;Z&Gdd?d?ejZ(Gd@dAdAejZ)GdBdCdCe)Z*GdDdEdEejZ+GdFdGdGe,Z-GdHdIdIe+Z.e(j/GdJdKdKe.Z0GdLdMdMe.Z1GdNdOdOe*Z2GdPdQdQe+Z3GdRdSdSe)Z4GdTdUdUe+Z5e(j/GdVdWdWe5Z6GdXdYdYe5Z7GdZd[d[e*Z8e(j/Gd\d]d]ejZ9Gd^d_d_e*Z:e(j/Gd`dadaejZ;Gdbdcdce+ZdS)hzACME protocol messages.N challenges)errors)fields)jws)util)Hashablezurn:acme:error:zurn:ietf:params:acme:error:z4The request specified an account that does not existzOThe request specified a certificate to be revoked that has already been revokedz2The CSR is unacceptable (e.g., due to a short key)z1The client sent an unacceptable anti-replay noncez>The JWS was signed by a public key the server does not supportz;The revocation reason provided is not allowed by the serverz@The JWS was signed with an algorithm the server does not supportz\Certification Authority Authorization (CAA) records forbid the CA from issuing a certificatezBSpecific error conditions are indicated in the "subproblems" arrayz?The server could not connect to the client to verify the domainzAThere was a problem with a DNS query during identifier validationz4The server could not validate a DNSSEC signed domainz;Response recieved didn't match the challenge's requirementsz1The provided email for a registration was invalidz$The provided contact URI was invalidz!The request message was malformedz9The server will not issue certificates for the identifierzLThe request attempted to finalize an order that is not ready to be finalizedz,There were too many requests of a given typez(The server experienced an internal errorz=The server experienced a TLS error during domain verificationz)The client lacks sufficient authorizationz@A contact URL for an account used an unsupported protocol schemez*The server could not resolve a domain namez'An identifier is of an unsupported typez,The server requires external account binding)ZaccountDoesNotExistZalreadyRevokedZbadCSRZbadNonceZ badPublicKeyZbadRevocationReasonZbadSignatureAlgorithmZcaaZcompoundZ connectiondnsZdnssecZincorrectResponseZ invalidEmailZinvalidContactZ malformedZrejectedIdentifierZ orderNotReadyZ rateLimitedZserverInternalZtlsZ unauthorizedZunsupportedContactZ unknownHostZunsupportedIdentifierexternalAccountRequiredccs|]\}}t||fVqdSN) ERROR_PREFIX.0nameZdescr//usr/lib/python3/dist-packages/acme/messages.py 8srccs|]\}}t||fVqdSr )OLD_ERROR_PREFIXr rrrr;scCs,t|tr(|jdk r(t|jkp&t|jkSdS)z#Check if argument is an ACME error.NF) isinstanceErrortypr r)errrrr is_acme_error?src@sheZdZdZejddddZejdddZejdddZe d d Z e d d Z e d dZ ddZdS)rzACME error. https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00 :ivar unicode typ: :ivar unicode title: :ivar unicode detail: typeTz about:blank omitemptydefaulttitlerdetailcKs.|tkrtd|t|}|fd|i|S)zCreate an Error instance with an ACME Error code. :unicode code: An ACME error code, like 'dnssec'. :kwargs: kwargs to pass to Error. z4The supplied code: %s is not a known ACME error coder) ERROR_CODES ValueErrorr )clscodekwargsrrrr with_codeUs zError.with_codecCs t|jS)zHardcoded error description based on its type. :returns: Description if standard ACME error or ``None``. :rtype: unicode )ERROR_TYPE_DESCRIPTIONSgetrselfrrr descriptioncszError.descriptioncCs$t|jdd}|tkr |SdS)zACME error code. Basically self.typ without the ERROR_PREFIX. :returns: error code if standard ACME code or ``None``. :rtype: unicode :N)strrsplitr )r)r#rrrr#ms z Error.codecCs(ddd|j|j|j|jfDS)Ns :: css"|]}|dk r|ddVqdS)Nasciibackslashreplace)encode)rpartrrrr}sz Error.__str__..)joinrr*rrdecoder(rrr__str__|s z Error.__str__N)__name__ __module__ __qualname____doc__joseFieldrrr classmethodr%propertyr*r#r5rrrrrFs    rcs\eZdZdZdZeZfddZddZe ddZ d d Z d d Z d dZ ddZZS) _ConstantzACME constant.rcs"tt|||j|<||_dSr )superr>__init__POSSIBLE_NAMESrr)r __class__rrrAs z_Constant.__init__cCs|jSr r?r(rrrto_partial_jsonsz_Constant.to_partial_jsoncCs&||jkrtd|j|j|S)Nz{0} not recognized)rBr:ZDeserializationErrorformatr6r"jobjrrr from_jsons   z_Constant.from_jsoncCsd|jj|jS)Nz{0}({1}))rGrEr6rr(rrr__repr__sz_Constant.__repr__cCst|t|o|j|jkSr )rrrr)otherrrr__eq__sz_Constant.__eq__cCst|j|jfSr )hashrErr(rrr__hash__sz_Constant.__hash__cCs ||k Sr rrLrrr__ne__sz_Constant.__ne__)r6r7r8r9 __slots__NotImplementedrBrArFr<rJrKrNrPrQ __classcell__rrrDrr>s  r>c@seZdZdZiZdS)StatuszACME "status" field.Nr6r7r8r9rBrrrrrUsrUunknownpendingZ processingZvalidZinvalidZrevokedZreadyZ deactivatedc@seZdZdZiZdS)IdentifierTypezACME identifier type.NrVrrrrrYsrYr c@s*eZdZdZejdejdZedZ dS) IdentifierzNACME identifier. :ivar IdentifierType typ: :ivar unicode value: rdecodervalueN) r6r7r8r9r:r;rYrJrr]rrrrrZsrZc@sjeZdZdZiZGdddejZeddZ eddZ dd Z d d Z d d Z ddZeddZdS) Directoryz Directory.cseZdZdZejdddZejdddZejdddZejdddZ ejdddZ fd d Z e d d Z fd dZddZZS)zDirectory.MetazDirectory Meta.zterms-of-serviceTrZtermsOfServicewebsiteZ caaIdentitiesr c s2tfdd|D}ttjjf|dS)Nc3s |]\}}||fVqdSr _internal_namerkvr(rrrsz*Directory.Meta.__init__..)dictitemsr@r^MetarAr)r$rDr(rrAszDirectory.Meta.__init__cCs |jp |jS)zURL for the CA TOS)_terms_of_service_terms_of_service_v2r(rrrterms_of_serviceszDirectory.Meta.terms_of_servicec#s4ttj|D]}|dkr(|ddn|VqdS)Nri)r@r^rg__iter__rCrDrrrmszDirectory.Meta.__iter__cCs|dkrd|S|S)Nrk_rrCrrrraszDirectory.Meta._internal_name)r6r7r8r9r:r;rirjr_Zcaa_identitiesZexternal_account_requiredrAr=rkrmrarTrrrDrrgs   rgcCs t|d|S)N resource_type)getattr)r"keyrrr _canon_keyszDirectory._canon_keycCs"|j}||jkst||j|<|S)zRegister resource.)ro_REGISTERED_TYPESAssertionError)r"Zresource_body_clsrorrrregisters zDirectory.registercCst||j}||_dSr )rZmap_keysrr_jobj)r)rIZ canon_jobjrrrrAszDirectory.__init__c CsNz||ddWStk rH}ztt|d|W5d}~XYnXdS)Nrn-z: )replaceKeyErrorAttributeErrorr-)r)rerrorrrr __getattr__szDirectory.__getattr__cCs4z|j||WStk r.tdYnXdS)NzDirectory field not found)rvrrryrCrrr __getitem__szDirectory.__getitem__cCs|jSr )rvr(rrrrFszDirectory.to_partial_jsoncCs |j|di|d<||S)Nmeta)rgrJpoprHrrrrJszDirectory.from_jsonN)r6r7r8r9rsr:JSONObjectWithFieldsrgr<rrrurAr|r}rFrJrrrrr^s  r^c@seZdZdZedZdS)ResourcezOACME Resource. :ivar acme.messages.ResourceBody body: Resource body. bodyN)r6r7r8r9r:r;rrrrrr src@seZdZdZedZdS)ResourceWithURIzOACME Resource with URI. :ivar unicode uri: Location of the resource. uriN)r6r7r8r9r:r;rrrrrrsrc@seZdZdZdS) ResourceBodyzACME Resource Body.N)r6r7r8r9rrrrrsrc@seZdZdZeddZdS)ExternalAccountBindingzACME External Account Bindingc CsRt|}tj|}|d}tj |tj j |dtj j d||}|S)zLCreate External Account Binding Resource from contact details, kid and hmac.Z newAccount)rqN)jsondumpsrFr1r:Zb64Z b64decoderZJWSZsignZjwkZJWKOctZjwaZHS256) r"Zaccount_public_keyZkidZhmac_keyZ directoryZkey_jsonZdecoded_hmac_keyurlZeabrrr from_data"s z ExternalAccountBinding.from_dataN)r6r7r8r9r<rrrrrrsrc@seZdZdZejddejjdZejddddZ ejddd Z ejd dd Z ejd dd Z ejd dd Z ejd dd ZdZdZedddZddZeddZeddZdS) RegistrationzRegistration Resource Body. :ivar josepy.jwk.JWK key: Public key. :ivar tuple contact: Contact information following ACME spec, `tuple` of `unicode`. :ivar unicode agreement: rqTrr\contactrr agreementrstatusZtermsOfServiceAgreedZonlyReturnExistingZexternalAccountBindingztel:zmailto:Nc spt|dd}|dk r(|j||dk rN|fdd|dDt||d<|rf||d<f|S)z2Create registration resource from contact details.rrNcsg|]}j|qSr) email_prefix)rZmailr"rr Nsz*Registration.from_data..,external_account_binding)listrappend phone_prefixextendr.tuple)r"ZphoneZemailrr$ZdetailsrrrrGs zRegistration.from_datacstfdd|jDS)Nc3s(|] }|r|tdVqdSr ) startswithlen)rrprefixrrrWs z/Registration._filter_contact..)rr)r)rrrr_filter_contactVs zRegistration._filter_contactcCs ||jS)z*All phones found in the ``contact`` field.)rrr(rrrphones[szRegistration.phonescCs ||jS)z*All emails found in the ``contact`` field.)rrr(rrremails`szRegistration.emails)NNN)r6r7r8r9r:r;ZJWKrJrqrrrZterms_of_service_agreedZonly_return_existingrrrr<rrr=rrrrrrr1s"   rc@seZdZdZdZeeZdS)NewRegistrationzNew registration.znew-regNr6r7r8r9rorrresourcerrrrrfsrc@seZdZdZdZeeZdS)UpdateRegistrationzUpdate registration.ZregNrrrrrrmsrc@s<eZdZdZejdejdZejdddZ ejdddZ dS) RegistrationResourcezRegistration Resource. :ivar acme.messages.Registration body: :ivar unicode new_authzr_uri: Deprecated. Do not use. :ivar unicode terms_of_service: URL for the CA TOS. rr[new_authzr_uriTrrkN) r6r7r8r9r:r;rrJrrrkrrrrrssrcseZdZdZdZejddddZejddddZejde j de d Z e jd dd Zejd ej ddd Zfd dZfddZfddZefddZeddZddZfddZddZZS) ChallengeBodya>Challenge Resource Body. .. todo:: Confusingly, this has a similar name to `.challenges.Challenge`, as well as `.achallenges.AnnotatedChallenge`. Please use names such as ``challb`` to distinguish instances of this class from ``achall``. :ivar acme.challenges.Challenge: Wrapped challenge. Conveniently, all challenge fields are proxied, i.e. you can call ``challb.x`` to get ``challb.chall.x`` contents. :ivar acme.messages.Status status: :ivar datetime.datetime validated: :ivar messages.Error error: )challrTNrrr)r\rr validatedrr{c s0tfdd|D}ttjf|dS)Nc3s |]\}}||fVqdSr r`rbr(rrrsz)ChallengeBody.__init__..)rerfr@rrArhrDr(rrAszChallengeBody.__init__cstt|||Sr )r@rr1rarCrDrrr1szChallengeBody.encodecs"tt|}||j|Sr )r@rrFupdater)r)rIrDrrrFszChallengeBody.to_partial_jsoncs$tt||}tj||d<|S)Nr)r@rfields_from_jsonrZ ChallengerJ)r"rIZ jobj_fieldsrDrrrszChallengeBody.fields_from_jsoncCs |jp |jS)zThe URL of this challenge.)_url_urir(rrrrszChallengeBody.uricCs t|j|Sr )rprrCrrrr|szChallengeBody.__getattr__c#s2tt|D]}|dkr&|ddn|VqdS)Nrrl)r@rrmrCrDrrrmszChallengeBody.__iter__cCs|dkrd|S|S)NrrnrrCrrrraszChallengeBody._internal_name)r6r7r8r9rRr:r;rrrUrJSTATUS_PENDINGrr RFC3339Fieldrrr{rAr1rFr<rr=rr|rmrarTrrrDrrs.       rc@s6eZdZdZejdejdZedZ e ddZ dS)ChallengeResourcezChallenge Resource. :ivar acme.messages.ChallengeBody body: :ivar unicode authzr_uri: URI found in the 'up' ``Link`` header. rr[ authzr_uricCs|jjS)zThe URL of the challenge body.)rrr(rrrrszChallengeResource.uriN) r6r7r8r9r:r;rrJrrr=rrrrrrs  rc@seZdZdZejdejddZejdddZ ejdddZ ejdde jd Z e jd ddZejd ddZe jd d Z eddZdS) Authorizationa^Authorization Resource Body. :ivar acme.messages.Identifier identifier: :ivar list challenges: `list` of `.ChallengeBody` :ivar tuple combinations: Challenge combinations (`tuple` of `tuple` of `int`, as opposed to `list` of `list` from the spec). :ivar acme.messages.Status status: :ivar datetime.datetime expires: identifierTr\rrr combinationsrrexpireswildcardcCstdd|DS)Ncss|]}t|VqdSr )rrJ)rrrrrrsz+Authorization.challenges..rr]rrrrszAuthorization.challengescstfddjDS)z0Combinations with challenges instead of indices.c3s$|]}tfdd|DVqdS)c3s|]}j|VqdSr r)ridxr(rrrsz@Authorization.resolved_combinations...Nr)rZcombor(rrrsz6Authorization.resolved_combinations..)rrr(rr(rresolved_combinationss z#Authorization.resolved_combinationsN)r6r7r8r9r:r;rZrJrrrrUrrrrrr\r=rrrrrrs  rc@seZdZdZdZeeZdS)NewAuthorizationzNew authorization.z new-authzNrrrrrrsrc@seZdZdZdZeeZdS)UpdateAuthorizationzUpdate authorization.ZauthzNrrrrrrsrc@s.eZdZdZejdejdZejdddZ dS)AuthorizationResourcezAuthorization Resource. :ivar acme.messages.Authorization body: :ivar unicode new_cert_uri: Deprecated. Do not use. rr[ new_cert_uriTrN) r6r7r8r9r:r;rrJrrrrrrrsrc@s2eZdZdZdZeeZej dej ej dZ dS)CertificateRequestzACME new-cert request. :ivar josepy.util.ComparableX509 csr: `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509` znew-certcsrr\encoderN) r6r7r8r9rorrrr:r;Z decode_csrZ encode_csrrrrrrr s rc@s$eZdZdZedZedZdS)CertificateResourceaCertificate Resource. :ivar josepy.util.ComparableX509 body: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` :ivar unicode cert_chain_uri: URI found in the 'up' ``Link`` header :ivar tuple authzrs: `tuple` of `AuthorizationResource`. cert_chain_uriauthzrsN)r6r7r8r9r:r;rrrrrrrs rc@s<eZdZdZdZeeZej dej ej dZ e dZ dS) Revocationz|Revocation message. :ivar .ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` z revoke-cert certificaterreasonN)r6r7r8r9rorrrr:r;Z decode_certZ encode_certrrrrrrr's rc@seZdZdZejdddZejdejddZ ejdddZ ejdddZ ejd ddZ e jd ddZejd dejd Zejd dZdS)OrderaOrder Resource Body. :ivar list of .Identifier: List of identifiers for the certificate. :ivar acme.messages.Status status: :ivar list of str authorizations: URLs of authorizations. :ivar str certificate: URL to download certificate as a fullchain PEM. :ivar str finalize: URL to POST to to request issuance once all authorizations have "valid" status. :ivar datetime.datetime expires: When the order expires. :ivar .Error error: Any error that occurred during finalization, if applicable. identifiersTrrrauthorizationsrfinalizerr{rcCstdd|DS)Ncss|]}t|VqdSr )rZrJ)rrrrrrMsz$Order.identifiers..rrrrrrKszOrder.identifiersN)r6r7r8r9r:r;rrUrJrrrrrrrrr{r\rrrrr6s  rc@sFeZdZdZejdejdZejdddZ edZ ejdddZ d S) OrderResourceaOrder Resource. :ivar acme.messages.Order body: :ivar str csr_pem: The CSR this Order will be finalized with. :ivar list of acme.messages.AuthorizationResource authorizations: Fully-fetched AuthorizationResource objects. :ivar str fullchain_pem: The fetched contents of the certificate URL produced once the order was finalized, if it's present. rr[csr_pemTrr fullchain_pemN) r6r7r8r9r:r;rrJrrrrrrrrrOs   rc@seZdZdZdZdS)NewOrderz New order.z new-orderN)r6r7r8r9rorrrrr^sr)?r9rZjosepyr:ZsixZacmerrrrrZcollections.abcr ImportError collectionsrr r rerfr&rrZpython_2_unicode_compatiblerrZJSONDeSerializabler>rUZSTATUS_UNKNOWNrZSTATUS_PROCESSINGZ STATUS_VALIDZSTATUS_INVALIDZSTATUS_REVOKEDZ STATUS_READYZSTATUS_DEACTIVATEDrYZIDENTIFIER_FQDNrZr^rrrobjectrrrurrrrrrrrrrrrrrrrrrrs     !  <! G  5 B"