Ejemplo n.º 1
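    def verify(self, chall, account_public_key):
        """Verify the key authorization.

        The key authorization is split on ``.`` and must have exactly two
        parts: the first has to equal ``chall.encode("token")`` and the
        second the ``jose.b64encode``-encoded thumbprint of
        ``account_public_key``.

        :param KeyAuthorization chall: Challenge that corresponds to
            this response.
        :param JWK account_public_key: Key whose thumbprint is expected
            in the second part of the key authorization.

        :return: ``True`` iff verification of the key authorization was
            successful.
        :rtype: bool

        """
        parts = self.key_authorization.split('.')  # pylint: disable=no-member
        if len(parts) != 2:
            logger.debug("Key authorization (%r) is not well formed",
                         self.key_authorization)
            return False
        token, key_thumbprint = parts

        expected_token = chall.encode("token")
        if token != expected_token:
            logger.debug("Mismatching token in key authorization: "
                         "%r instead of %r", token, expected_token)
            return False

        thumbprint = jose.b64encode(account_public_key.thumbprint(
            hash_function=self.thumbprint_hash_function)).decode()
        if key_thumbprint != thumbprint:
            # Log the thumbprint part that was actually received; the
            # token part is not what failed this check.
            logger.debug("Mismatching thumbprint in key authorization: "
                         "%r instead of %r", key_thumbprint, thumbprint)
            return False

        return True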
Ejemplo n.º 2
    def validation(self, account_key, **unused_kwargs):
        """Generate validation.

        The value is the SHA-256 digest of the UTF-8 encoded key
        authorization, passed through ``jose.b64encode`` and decoded to text.

        :param JWK account_key: Key handed to ``key_authorization``.
        :rtype: unicode

        """
        key_authz = self.key_authorization(account_key)
        digest = hashlib.sha256(key_authz.encode("utf-8")).digest()
        return jose.b64encode(digest).decode()
Ejemplo n.º 3
    def key_authorization(self, account_key: jose.JWK) -> str:
        """Generate Key Authorization.

        The result is the encoded token, a ``.`` and the
        ``jose.b64encode``-encoded thumbprint of ``account_key``.

        :param JWK account_key: Key whose thumbprint goes into the result.
        :rtype: unicode

        """
        token = self.encode("token")
        raw_thumbprint = account_key.thumbprint(
            hash_function=self.thumbprint_hash_function)
        encoded_thumbprint = jose.b64encode(raw_thumbprint).decode()
        return token + "." + encoded_thumbprint
Ejemplo n.º 4
    def key_authorization(self, account_key):
        """Generate Key Authorization.

        Joins ``self.encode("token")`` and the ``jose.b64encode``-encoded
        thumbprint of ``account_key`` with a single ``.``.

        :param JWK account_key: Key whose thumbprint is appended.
        :rtype: unicode

        """
        token_part = self.encode("token")
        thumbprint_part = jose.b64encode(
            account_key.thumbprint(hash_function=self.thumbprint_hash_function)
        ).decode()
        return token_part + "." + thumbprint_part
Ejemplo n.º 5
    def validation(self, account_key, **unused_kwargs):
        """Generate validation.

        Hashes the UTF-8 bytes of the key authorization with SHA-256 and
        returns the ``jose.b64encode``-encoded digest as text.

        :param JWK account_key: Key handed to ``key_authorization``.
        :rtype: unicode

        """
        authz_bytes = self.key_authorization(account_key).encode("utf-8")
        sha256_digest = hashlib.sha256(authz_bytes).digest()
        encoded = jose.b64encode(sha256_digest)
        return encoded.decode()
Ejemplo n.º 6
    def test_debug_challenges(self):
        """Check the notification shown with ``debug_challenges`` and no ``-v``.

        With ``verbose_count=0`` the single notification must point at ``-v``
        and must contain neither the challenge URL nor the encoded account
        key thumbprint.
        """
        config = mock.Mock(debug_challenges=True, verbose_count=0)
        authzr = gen_dom_authzr(domain="0", challs=acme_util.CHALLENGES)
        authzrs = [authzr]
        mock_order = mock.MagicMock(authorizations=authzrs)

        account_key_thumbprint = b"foobarbaz"
        self.mock_account.key.thumbprint.return_value = account_key_thumbprint

        self.mock_net.poll.side_effect = _gen_mock_on_poll()

        self.handler.handle_authorizations(mock_order, config)

        self.assertEqual(self.mock_net.answer_challenge.call_count, 1)
        notification = self.mock_display.notification
        self.assertEqual(notification.call_count, 1)

        # First positional argument of the notification call.
        shown_text = notification.call_args[0][0]
        self.assertIn('Pass "-v" for more info', shown_text)

        encoded_token = b64encode(
            authzrs[0].body.challenges[0].chall.token).decode()
        challenge_url = (
            f"http://{authzrs[0].body.identifier.value}/.well-known/acme-challenge/"
            + encoded_token)
        self.assertNotIn(challenge_url, shown_text)

        encoded_thumbprint = b64encode(account_key_thumbprint).decode()
        self.assertNotIn(encoded_thumbprint, shown_text)
Ejemplo n.º 7
    def _perform_emailreply00(self, achall):
        """Run the interactive ``email-reply-00`` flow for one challenge.

        Asks the user to paste the subject of the challenge e-mail, joins
        the token part decoded from that subject with ``achall.chall.token``,
        rebuilds the challenge body from the joined token and prints the
        text block the user has to put into the reply.

        :param achall: challenge object; ``domain``, ``account_key``,
            ``chall`` and ``challb`` are read from it.
        :returns: the response produced for the rebuilt challenge body.

        """
        # This first result is overwritten further down; the call is kept so
        # the sequence of calls stays as it was.
        response, _ = achall.challb.response_and_validation(achall.account_key)

        intro = (
            'A challenge request for S/MIME certificate has been sent. '
            'In few minutes, ACME server will send a challenge e-mail to '
            'requested recipient {}. Please, copy the ENTIRE subject and '
            'paste it below. The subject starts with the label ACME: '
        ).format(achall.domain)
        display_util.notification(intro, pause=False)

        # NOTE(review): the pasted subject is untrusted input. The first value
        # returned by input_text is not inspected and the 'ACME: ' prefix is
        # not checked here, so a malformed subject surfaces as whatever the
        # split / base64 decode below raises. Consider validating it first.
        _status, subject = display_util.input_text(
            'Subject: ', force_interactive=True)
        subject_token_b64 = subject.split(' ')[-1]
        subject_token = jose.b64.b64decode(subject_token_b64)
        # Subject part first, then the part delivered with the challenge.
        full_token = subject_token + achall.chall.token

        # We reconstruct the ChallengeBody
        body_json = {
            'type': 'email-reply-00',
            'token': jose.b64.b64encode(bytes(full_token)).decode('ascii'),
            'url': achall.challb.uri,
            'status': achall.challb.status.to_json(),
            'from': achall.challb.chall.from_addr,
        }
        challt = messages.ChallengeBody.from_json(body_json)
        response, validation = challt.response_and_validation(achall.account_key)

        # The text handed to the user is the encoded SHA-256 digest of the
        # validation string.
        hasher = hashes.Hash(hashes.SHA256())
        hasher.update(validation.encode())
        reply_digest = jose.b64encode(hasher.finalize()).decode()

        instructions = (
            'A challenge response has been generated. Please, copy the '
            'following text, reply the e-mail you have received from ACME '
            'server and paste this text in the TOP of the message\'s body: '
        )
        display_util.notification(instructions, pause=False)
        reply_block = ('\n-----BEGIN ACME RESPONSE-----\n'
                       '{}\n'
                       '-----END ACME RESPONSE-----\n').format(reply_digest)
        print(reply_block)
        return response
Ejemplo n.º 8
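def ProcessEmailChallenge(msg, achall):
    """Check a challenge e-mail and build the ``email-reply-00`` reply.

    :param msg: parsed challenge message; its ``From``, ``To``, ``Subject``
        and ``DKIM-Signature`` headers and its content subtype are read.
    :param achall: challenge object; ``domain``, ``account_key``, ``chall``
        and ``challb`` are read from it.
    :returns: tuple of the challenge response and the text block that
        carries the encoded SHA-256 digest of the validation string.
    :raises FromAddressMismatch: if the address in ``From`` differs from
        the challenge's ``from_addr``.
    :raises ReceiptAddressMismatch: if ``To`` differs from ``achall.domain``.
    :raises BadSubject: if ``Subject`` is missing or does not start with
        ``ACME: ``.
    """
    # Parse the sender once; the same address is handed to the signature
    # checks below.
    from_addr = email.utils.parseaddr(msg['From'])[1]
    if from_addr != achall.challb.chall.from_addr:
        raise FromAddressMismatch
    # NOTE(review): the raw To header is compared, not a parsed address, so
    # a display-name form would not match. Confirm this is intended.
    if msg['To'] != achall.domain:
        raise ReceiptAddressMismatch
    subject = msg['Subject']

    # NOTE(review): a message with neither a DKIM-Signature header nor a
    # 'signed' content subtype reaches the token handling with no origin
    # check, and the From header alone is chosen by the sender. Confirm
    # whether unauthenticated challenge mail should be rejected here.
    if msg.get('DKIM-Signature', None):
        dkim.ProcessDKIM(msg, from_addr)
    elif msg.get_content_subtype() == 'signed':
        pkcs7.ProcessPKCS7(msg, from_addr)

    # A message without a Subject header yields None; report it as a bad
    # subject instead of failing with AttributeError on startswith.
    if not subject or not subject.startswith('ACME: '):
        raise BadSubject
    token64 = subject.split(' ')[-1]
    token1 = jose.b64.b64decode(token64)
    # Subject part first, then the part delivered with the challenge.
    full_token = token1 + achall.chall.token

    # We reconstruct the ChallengeBody
    challt = messages.ChallengeBody.from_json({
        'type': 'email-reply-00',
        'token': jose.b64.b64encode(bytes(full_token)).decode('ascii'),
        'url': achall.challb.uri,
        'status': achall.challb.status.to_json(),
        'from': achall.challb.chall.from_addr,
    })
    response, validation = challt.response_and_validation(achall.account_key)

    digest = hashes.Hash(hashes.SHA256())
    digest.update(validation.encode())
    reply_digest = jose.b64encode(digest.finalize()).decode()
    reply_text = (
        '-----BEGIN ACME RESPONSE-----\n{}\n-----END ACME RESPONSE-----\n'
    ).format(reply_digest)
    return response, reply_text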
Ejemplo n.º 9
 def setUp(self):
     """Set the key pair, encoded nonce, URL and key id fixture values."""
     private_key = KEY
     self.privkey = private_key
     # Public half of the same key.
     self.pubkey = private_key.public_key()
     self.nonce = jose.b64encode(b'Nonce')
     self.url, self.kid = 'hi', 'baaaaa'
Ejemplo n.º 10
 def test_post_wrong_post_response_nonce(self):
     """Expect ``BadNonce`` when an encoded nonce is followed by raw ``b'f'``."""
     encoded_nonce = jose.b64encode(b'good')
     self.available_nonces = [encoded_nonce, b'f']
     with self.assertRaises(errors.BadNonce):
         self.net.post('uri', self.obj, content_type=self.content_type)
Ejemplo n.º 11
 def test_post_wrong_initial_nonce(self):  # HEAD
     """Expect ``BadNonce`` when raw ``b'f'`` comes before the encoded nonce."""
     encoded_nonce = jose.b64encode(b'good')
     self.available_nonces = [b'f', encoded_nonce]
     with self.assertRaises(errors.BadNonce):
         self.net.post('uri', self.obj, content_type=self.content_type)
Ejemplo n.º 12
 def setUp(self):
     """Store the key pair, an encoded nonce, a URL and a key id on the test."""
     self.privkey = KEY
     self.pubkey = self.privkey.public_key()
     # Plain literals, grouped; the nonce goes through jose.b64encode.
     self.url, self.kid = 'hi', 'baaaaa'
     self.nonce = jose.b64encode(b'Nonce')