Example #1
 def test_create(self):
     """create() with the fixture key and a pinned nonce must equal self.msg."""
     from acme.messages import CertificateRequest
     expected = self.msg
     # The nonce is pinned so the freshly built request can be compared for
     # equality against the stored message.
     pinned_nonce = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
     built = CertificateRequest.create(
         csr=CSR, key=KEY, sig_nonce=pinned_nonce)
     self.assertEqual(expected, built)
Example #2
    def setUp(self):
        """Prepare a signed CertificateRequest plus its two JSON fixtures."""
        # Hard-coded RS256 signature bytes and nonce: fixture values only.
        fixed_sig = (
            '\x15\xed\x84\xaa:\xf2DO\x0e9 \xbcg\xf8\xc0\xcf\x87\x9a'
            '\x95\xeb\xffT[\x84[\xec\x85\x7f\x8eK\xe9\xc2\x12\xc8Q'
            '\xafo\xc6h\x07\xba\xa6\xdf\xd1\xa7"$\xba=Z\x13n\x14\x0b'
            'k\xfe\xee\xb4\xe4\xc8\x05\x9a\x08\xa7')
        fixed_nonce = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
        signature = other.Signature(
            alg=jose.RS256,
            jwk=jose.JWKRSA(key=KEY.publickey()),
            sig=fixed_sig,
            nonce=fixed_nonce)

        from acme.messages import CertificateRequest
        self.msg = CertificateRequest(csr=CSR, signature=signature)

        # jmsg_to carries the Signature object itself; jmsg_from carries the
        # same signature in its to_json() form.
        csr_b64 = jose.b64encode(CSR.as_der())
        self.jmsg_to = {
            'type': 'certificateRequest',
            'csr': csr_b64,
            'signature': signature,
        }
        self.jmsg_from = dict(self.jmsg_to)
        self.jmsg_from['signature'] = signature.to_json()
Example #3
class CertificateRequestTest(unittest.TestCase):
    """Tests for acme.messages.CertificateRequest."""
    def setUp(self):
        """Create the request under test from the CSR fixture."""
        from acme.messages import CertificateRequest
        request = CertificateRequest(csr=CSR)
        self.req = request

    def test_json_de_serializable(self):
        """The request is JSONDeSerializable and survives a JSON round trip."""
        has_interface = isinstance(self.req, jose.JSONDeSerializable)
        self.assertTrue(has_interface)
        from acme.messages import CertificateRequest
        original = self.req
        # Serialize, parse back, and require equality with the original.
        restored = CertificateRequest.from_json(self.req.to_json())
        self.assertEqual(original, restored)
Example #4
class CertificateRequestTest(unittest.TestCase):
    """Tests for a signed acme.messages.CertificateRequest.

    NOTE(review): this class only asserts the accepting path of verify();
    a fixture with an altered sig or nonce would pin the rejecting path.
    """

    def setUp(self):
        """Build the signed message and the JSON fixtures the tests compare."""
        # Hard-coded RS256 signature bytes and nonce: fixture values only.
        sig_bytes = (
            '\x15\xed\x84\xaa:\xf2DO\x0e9 \xbcg\xf8\xc0\xcf\x87\x9a'
            '\x95\xeb\xffT[\x84[\xec\x85\x7f\x8eK\xe9\xc2\x12\xc8Q'
            '\xafo\xc6h\x07\xba\xa6\xdf\xd1\xa7"$\xba=Z\x13n\x14\x0b'
            'k\xfe\xee\xb4\xe4\xc8\x05\x9a\x08\xa7')
        nonce_bytes = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
        signature = other.Signature(
            alg=jose.RS256,
            jwk=jose.JWKRSA(key=KEY.publickey()),
            sig=sig_bytes,
            nonce=nonce_bytes)

        from acme.messages import CertificateRequest
        self.msg = CertificateRequest(csr=CSR, signature=signature)

        # jmsg_to keeps the Signature object; jmsg_from swaps in its
        # to_json() form.
        encoded_csr = jose.b64encode(CSR.as_der())
        self.jmsg_to = {
            'type': 'certificateRequest',
            'csr': encoded_csr,
            'signature': signature,
        }
        self.jmsg_from = dict(self.jmsg_to)
        self.jmsg_from['signature'] = signature.to_json()

    def test_create(self):
        """create() with the fixture key and pinned nonce equals self.msg."""
        from acme.messages import CertificateRequest
        expected = self.msg
        pinned_nonce = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
        built = CertificateRequest.create(
            csr=CSR, key=KEY, sig_nonce=pinned_nonce)
        self.assertEqual(expected, built)

    def test_verify(self):
        """verify() returns a truthy result for the fixture message."""
        outcome = self.msg.verify()
        self.assertTrue(outcome)

    def test_to_partial_json(self):
        """to_partial_json() yields the jmsg_to fixture."""
        produced = self.msg.to_partial_json()
        self.assertEqual(produced, self.jmsg_to)

    def test_from_json(self):
        """from_json() on the jmsg_from fixture rebuilds self.msg."""
        from acme.messages import CertificateRequest
        expected = self.msg
        parsed = CertificateRequest.from_json(self.jmsg_from)
        self.assertEqual(expected, parsed)
class CertificateRequestTest(unittest.TestCase):
    """Tests for acme.messages.CertificateRequest."""

    def setUp(self):
        """Instantiate the request under test with only the CSR fixture."""
        from acme.messages import CertificateRequest
        req = CertificateRequest(csr=CSR)
        self.req = req

    def test_json_de_serializable(self):
        """Check the JSONDeSerializable interface and a to_json/from_json round trip."""
        implements = isinstance(self.req, jose.JSONDeSerializable)
        self.assertTrue(implements)
        from acme.messages import CertificateRequest
        before = self.req
        after = CertificateRequest.from_json(self.req.to_json())
        self.assertEqual(before, after)
class CertificateRequestTest(unittest.TestCase):
    """Tests for a signed acme.messages.CertificateRequest.

    NOTE(review): only the accepting path of verify() is asserted in this
    class; a case with a modified sig or nonce would cover rejection.
    """

    def setUp(self):
        """Create the signed message fixture and both JSON dictionaries."""
        # Fixture-only RS256 signature bytes and nonce.
        raw_sig = (
            '\x15\xed\x84\xaa:\xf2DO\x0e9 \xbcg\xf8\xc0\xcf\x87\x9a'
            '\x95\xeb\xffT[\x84[\xec\x85\x7f\x8eK\xe9\xc2\x12\xc8Q'
            '\xafo\xc6h\x07\xba\xa6\xdf\xd1\xa7"$\xba=Z\x13n\x14\x0b'
            'k\xfe\xee\xb4\xe4\xc8\x05\x9a\x08\xa7')
        raw_nonce = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
        signature = other.Signature(
            alg=jose.RS256,
            jwk=jose.JWKRSA(key=KEY.publickey()),
            sig=raw_sig,
            nonce=raw_nonce)

        from acme.messages import CertificateRequest
        self.msg = CertificateRequest(csr=CSR, signature=signature)

        # Serialization target holds the Signature object; the
        # deserialization input holds its to_json() form instead.
        der_b64 = jose.b64encode(CSR.as_der())
        self.jmsg_to = {
            'type': 'certificateRequest',
            'csr': der_b64,
            'signature': signature,
        }
        self.jmsg_from = dict(self.jmsg_to)
        self.jmsg_from['signature'] = signature.to_json()

    def test_create(self):
        """create() with the fixture key and pinned nonce equals self.msg."""
        from acme.messages import CertificateRequest
        expected = self.msg
        nonce = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
        created = CertificateRequest.create(csr=CSR, key=KEY, sig_nonce=nonce)
        self.assertEqual(expected, created)

    def test_verify(self):
        """verify() returns a truthy result for the fixture message."""
        result = self.msg.verify()
        self.assertTrue(result)

    def test_to_partial_json(self):
        """to_partial_json() yields the jmsg_to fixture."""
        partial = self.msg.to_partial_json()
        self.assertEqual(partial, self.jmsg_to)

    def test_from_json(self):
        """from_json() on the jmsg_from fixture rebuilds self.msg."""
        from acme.messages import CertificateRequest
        expected = self.msg
        decoded = CertificateRequest.from_json(self.jmsg_from)
        self.assertEqual(expected, decoded)
Example #7
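    def validate_csr(self, message: messages.CertificateRequest,
                     authorizations: Iterable[AcmeAuthorization]) -> str:
        """Parse and validate the CSR, returns the PEM as str.

        The CSR is rejected with ``AcmeBadCSR`` when any of these hold:

        * its signature does not validate,
        * it is signed using MD5 or SHA1,
        * its subject has a string CommonName that is not one of the names
          from ``authorizations``,
        * it has no SubjectAlternativeName extension, or
        * its set of subject alternative names differs from the set of
          names from ``authorizations``.

        Args:
            message: The ACME request carrying the CSR in its ``csr`` field.
            authorizations: Authorizations of the order; each contributes its
                ``subject_alternative_name``.

        Returns:
            The CSR encoded as PEM, decoded to ``str``.

        Raises:
            AcmeBadCSR: If any check above fails.
        """

        # Note: Jose wraps the CSR in a josepy.util.ComparableX509, that has *no* public member methods.
        # The only public attribute or function is the wrapped object. We encode it back to get the regular
        # PEM.
        # Note that the CSR received here is not an actual PEM, see AcmeCertificate.parse_csr()
        # NOTE(review): the call below is parse_acme_csr(); the reference above may be stale -- confirm.
        csr = parse_acme_csr(message.encode("csr"))

        # Fail closed: reject on any falsy result, not only on the literal
        # ``False``, so an unexpected value cannot slip past this check.
        if not csr.is_signature_valid:
            raise AcmeBadCSR(message="CSR signature is not valid.")

        # Do not accept MD5 or SHA1 signatures
        if isinstance(csr.signature_hash_algorithm, (hashes.MD5, hashes.SHA1)):
            raise AcmeBadCSR(message="%s: Insecure hash algorithm." %
                             csr.signature_hash_algorithm.name)

        # Get list of general names from the authorizations
        names_from_order = set(
            SubjectAlternativeName({
                "value":
                [auth.subject_alternative_name for auth in authorizations]
            }).extension_type)

        # Test if any subject Common Name is in the names for this order
        # NOTE: certbot does *not* set name in the subject
        csr_subject = Subject(csr.subject)
        common_name = csr_subject.get("CN")
        if isinstance(common_name, str):
            # The CommonName comes from the client. x509.DNSName() raises
            # ValueError for non-ASCII input; such a name cannot be part of
            # the order, so report it as a bad CSR instead of letting the
            # ValueError propagate.
            try:
                common_name_as_dns = x509.DNSName(common_name)
            except ValueError as ex:
                raise AcmeBadCSR(message="CommonName was not in order.") from ex
            if common_name_as_dns not in names_from_order:
                raise AcmeBadCSR(message="CommonName was not in order.")

        try:
            names_from_csr: Set[x509.GeneralName] = set(
                csr.extensions.get_extension_for_class(
                    x509.SubjectAlternativeName).value)
        except x509.ExtensionNotFound as ex:
            raise AcmeBadCSR(
                message="No subject alternative names found in CSR.") from ex

        # Exact set equality: the CSR may neither add names that were not
        # authorized nor omit names that belong to the order.
        if names_from_order != names_from_csr:
            raise AcmeBadCSR(message="Names in CSR do not match.")

        return csr.public_bytes(Encoding.PEM).decode("utf-8")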
    def setUp(self):
        """Build the signed CertificateRequest and its JSON fixtures."""
        # Fixture-only RS256 signature bytes and nonce.
        sig_value = (
            '\x15\xed\x84\xaa:\xf2DO\x0e9 \xbcg\xf8\xc0\xcf\x87\x9a'
            '\x95\xeb\xffT[\x84[\xec\x85\x7f\x8eK\xe9\xc2\x12\xc8Q'
            '\xafo\xc6h\x07\xba\xa6\xdf\xd1\xa7"$\xba=Z\x13n\x14\x0b'
            'k\xfe\xee\xb4\xe4\xc8\x05\x9a\x08\xa7')
        nonce_value = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
        signature = other.Signature(
            alg=jose.RS256,
            jwk=jose.JWKRSA(key=KEY.publickey()),
            sig=sig_value,
            nonce=nonce_value)

        from acme.messages import CertificateRequest
        self.msg = CertificateRequest(csr=CSR, signature=signature)

        # jmsg_to keeps the Signature object; jmsg_from replaces it with the
        # result of to_json().
        b64_csr = jose.b64encode(CSR.as_der())
        self.jmsg_to = {
            'type': 'certificateRequest',
            'csr': b64_csr,
            'signature': signature,
        }
        self.jmsg_from = dict(self.jmsg_to)
        self.jmsg_from['signature'] = signature.to_json()
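def test_order_finalize_early():
    """
    Test that finalizing an order before it is fully authorized results in the
    order having an error set and the status being invalid.

    Raises:
        Exception: if the order does not become invalid within the polling
            window, or if its error type is not the unauthorized problem.
    """
    # Create a client
    client = make_client(None)

    # Create a random domain and a csr
    domains = [random_domain()]
    csr_pem = make_csr(domains)

    # Create an order for the domain
    order = client.new_order(csr_pem)

    # Finalize the order without doing anything with the authorizations.
    # We expect this to generate an unauthorized error.
    chisel2.expect_problem(
        "urn:ietf:params:acme:error:unauthorized", lambda: client.net.post(
            order.body.finalize, CertificateRequest(csr=order.csr)))

    # Poll for a fixed amount of time checking for the order to become invalid
    # from the early finalization attempt initiated above failing
    updated_order = None
    deadline = datetime.datetime.now() + datetime.timedelta(seconds=5)
    while datetime.datetime.now() < deadline:
        time.sleep(1)
        # Bound each request: without a timeout a stalled server would keep
        # the test blocked regardless of the deadline above.
        updated_order = requests.get(order.uri, timeout=5).json()
        if updated_order.get('status') == "invalid":
            break

    # If the loop ended and the status isn't invalid then we reached the
    # deadline waiting for the order to become invalid, fail the test
    if updated_order is None or updated_order.get('status') != "invalid":
        raise Exception("timed out waiting for order %s to become invalid" %
                        order.uri)

    # The order should have an error with the expected type. A missing error
    # field is reported through the same message rather than a KeyError.
    error_type = (updated_order.get('error') or {}).get('type')
    if error_type != 'urn:ietf:params:acme:error:unauthorized':
        raise Exception("order %s has incorrect error field type: \"%s\"" %
                        (order.uri, error_type))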
Example #10
 def test_json_de_serializable(self):
     """The request is JSONDeSerializable and survives a JSON round trip."""
     is_de_serializable = isinstance(self.req, jose.JSONDeSerializable)
     self.assertTrue(is_de_serializable)
     from acme.messages import CertificateRequest
     source = self.req
     # Serialize, parse back, and require equality with the original.
     round_tripped = CertificateRequest.from_json(self.req.to_json())
     self.assertEqual(source, round_tripped)
Example #11
 def setUp(self):
     """Create the request under test from the CSR fixture."""
     from acme.messages import CertificateRequest
     request = CertificateRequest(csr=CSR)
     self.req = request
Example #12
 def test_from_json(self):
     """from_json() on the jmsg_from fixture rebuilds self.msg."""
     from acme.messages import CertificateRequest
     expected = self.msg
     parsed = CertificateRequest.from_json(self.jmsg_from)
     self.assertEqual(expected, parsed)
Example #13
 def setUp(self):
     """Create the request under test with a CSR and one placeholder authorization."""
     from acme.messages import CertificateRequest
     # 'foo' is a stand-in value for the authorizations tuple.
     authz = ('foo',)
     self.req = CertificateRequest(csr=CSR, authorizations=authz)
Example #14
 def setUp(self):
     """Build the request fixture from the CSR and a one-element authorizations tuple."""
     from acme.messages import CertificateRequest
     placeholder_authorizations = ('foo', )
     request = CertificateRequest(
         csr=CSR, authorizations=placeholder_authorizations)
     self.req = request
 def test_from_json(self):
     """Deserializing the jmsg_from fixture must give back self.msg."""
     from acme.messages import CertificateRequest
     want = self.msg
     got = CertificateRequest.from_json(self.jmsg_from)
     self.assertEqual(want, got)
 def test_create(self):
     """create() with the fixture key and a pinned nonce must equal self.msg."""
     from acme.messages import CertificateRequest
     want = self.msg
     # Pinned nonce so the built request can be compared for equality.
     nonce = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
     got = CertificateRequest.create(csr=CSR, key=KEY, sig_nonce=nonce)
     self.assertEqual(want, got)