def test_create(self):
    """Check that CertificateRequest.create() yields the fixture message.

    create() is called with a hard-coded ``sig_nonce`` instead of a random
    one, and its result is compared for equality with ``self.msg``.
    """
    from acme.messages import CertificateRequest

    # Fixed nonce bytes; presumably what makes the result reproducible
    # enough to compare -- confirm against Signature's signing code.
    fixed_nonce = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
    created = CertificateRequest.create(
        csr=CSR, key=KEY, sig_nonce=fixed_nonce)
    self.assertEqual(self.msg, created)
def setUp(self):
    """Build a signed CertificateRequest fixture and both of its JSON forms.

    ``self.jmsg_to`` keeps the Signature object itself, while
    ``self.jmsg_from`` carries the output of its ``to_json()``.
    """
    # Precomputed signature bytes and nonce used as static test vectors.
    sig_bytes = (
        '\x15\xed\x84\xaa:\xf2DO\x0e9 \xbcg\xf8\xc0\xcf\x87\x9a'
        '\x95\xeb\xffT[\x84[\xec\x85\x7f\x8eK\xe9\xc2\x12\xc8Q'
        '\xafo\xc6h\x07\xba\xa6\xdf\xd1\xa7"$\xba=Z\x13n\x14\x0b'
        'k\xfe\xee\xb4\xe4\xc8\x05\x9a\x08\xa7')
    nonce_bytes = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
    public_jwk = jose.JWKRSA(key=KEY.publickey())
    signature = other.Signature(
        alg=jose.RS256, jwk=public_jwk, sig=sig_bytes, nonce=nonce_bytes)

    from acme.messages import CertificateRequest
    self.msg = CertificateRequest(csr=CSR, signature=signature)

    encoded_csr = jose.b64encode(CSR.as_der())
    self.jmsg_to = {
        'type': 'certificateRequest',
        'csr': encoded_csr,
        'signature': signature,
    }

    # Shallow copy, then swap the Signature object for its JSON form.
    self.jmsg_from = self.jmsg_to.copy()
    self.jmsg_from['signature'] = signature.to_json()
class CertificateRequestTest(unittest.TestCase):
    """Tests for acme.messages.CertificateRequest."""

    def setUp(self):
        """Create a CertificateRequest that carries only the CSR."""
        from acme.messages import CertificateRequest
        request = CertificateRequest(csr=CSR)
        self.req = request

    def test_json_de_serializable(self):
        """The request is JSONDeSerializable and survives a JSON round trip."""
        is_deserializable = isinstance(self.req, jose.JSONDeSerializable)
        self.assertTrue(is_deserializable)

        from acme.messages import CertificateRequest
        serialized = self.req.to_json()
        restored = CertificateRequest.from_json(serialized)
        self.assertEqual(self.req, restored)
class CertificateRequestTest(unittest.TestCase):
    """Tests for a signed acme.messages.CertificateRequest.

    The fixture pairs the module-level CSR with a hard-coded RS256 signature
    and nonce; the tests cover creation, verification and both JSON
    directions.
    """

    def setUp(self):
        """Build the signed message plus its expected JSON representations."""
        # Precomputed signature bytes and nonce used as static test vectors.
        sig_bytes = (
            '\x15\xed\x84\xaa:\xf2DO\x0e9 \xbcg\xf8\xc0\xcf\x87\x9a'
            '\x95\xeb\xffT[\x84[\xec\x85\x7f\x8eK\xe9\xc2\x12\xc8Q'
            '\xafo\xc6h\x07\xba\xa6\xdf\xd1\xa7"$\xba=Z\x13n\x14\x0b'
            'k\xfe\xee\xb4\xe4\xc8\x05\x9a\x08\xa7')
        nonce_bytes = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'
        signature = other.Signature(
            alg=jose.RS256,
            jwk=jose.JWKRSA(key=KEY.publickey()),
            sig=sig_bytes,
            nonce=nonce_bytes)

        from acme.messages import CertificateRequest
        self.msg = CertificateRequest(csr=CSR, signature=signature)

        # jmsg_to holds the Signature object; jmsg_from holds its JSON form.
        self.jmsg_to = {
            'type': 'certificateRequest',
            'csr': jose.b64encode(CSR.as_der()),
            'signature': signature,
        }
        self.jmsg_from = self.jmsg_to.copy()
        self.jmsg_from['signature'] = signature.to_json()

    def test_create(self):
        """create() with the same nonce as the fixture equals the fixture."""
        from acme.messages import CertificateRequest
        created = CertificateRequest.create(
            csr=CSR,
            key=KEY,
            sig_nonce='\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9')
        self.assertEqual(self.msg, created)

    def test_verify(self):
        """verify() returns a truthy result for the fixture message."""
        verified = self.msg.verify()
        self.assertTrue(verified)

    def test_to_partial_json(self):
        """to_partial_json() matches the dict that keeps the Signature object."""
        partial = self.msg.to_partial_json()
        self.assertEqual(partial, self.jmsg_to)

    def test_from_json(self):
        """from_json() rebuilds the fixture from the fully serialized dict."""
        from acme.messages import CertificateRequest
        rebuilt = CertificateRequest.from_json(self.jmsg_from)
        self.assertEqual(self.msg, rebuilt)
class CertificateRequestTest(unittest.TestCase):
    """Tests for acme.messages.CertificateRequest."""

    def setUp(self):
        """Store a CertificateRequest built from the module-level CSR."""
        from acme.messages import CertificateRequest as request_cls
        self.req = request_cls(csr=CSR)

    def test_json_de_serializable(self):
        """Check the JSONDeSerializable interface and the JSON round trip."""
        self.assertTrue(isinstance(self.req, jose.JSONDeSerializable))

        from acme.messages import CertificateRequest
        # Serialize, parse back, and require equality with the original.
        round_tripped = CertificateRequest.from_json(self.req.to_json())
        self.assertEqual(self.req, round_tripped)
class CertificateRequestTest(unittest.TestCase):
    """Tests for a signed acme.messages.CertificateRequest.

    setUp and test_create use the same hard-coded nonce, so the message that
    create() returns is compared against the precomputed fixture signature.
    """

    # Nonce shared by the fixture signature and by test_create.
    _NONCE = '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9'

    # Precomputed signature bytes stored in the fixture Signature.
    _SIG = ('\x15\xed\x84\xaa:\xf2DO\x0e9 \xbcg\xf8\xc0\xcf\x87\x9a'
            '\x95\xeb\xffT[\x84[\xec\x85\x7f\x8eK\xe9\xc2\x12\xc8Q'
            '\xafo\xc6h\x07\xba\xa6\xdf\xd1\xa7"$\xba=Z\x13n\x14\x0b'
            'k\xfe\xee\xb4\xe4\xc8\x05\x9a\x08\xa7')

    def setUp(self):
        """Create the signed message and the two JSON dicts used below."""
        jwk = jose.JWKRSA(key=KEY.publickey())
        signature = other.Signature(
            alg=jose.RS256, jwk=jwk, sig=self._SIG, nonce=self._NONCE)

        from acme.messages import CertificateRequest
        self.msg = CertificateRequest(csr=CSR, signature=signature)

        csr_field = jose.b64encode(CSR.as_der())
        # Partial form: the signature stays a Signature object.
        self.jmsg_to = {
            'type': 'certificateRequest',
            'csr': csr_field,
            'signature': signature,
        }
        # Full form: same dict with the signature replaced by its JSON.
        self.jmsg_from = self.jmsg_to.copy()
        self.jmsg_from['signature'] = self.jmsg_from['signature'].to_json()

    def test_create(self):
        """create() with the fixture nonce must equal the fixture message."""
        from acme.messages import CertificateRequest
        fresh = CertificateRequest.create(
            csr=CSR, key=KEY, sig_nonce=self._NONCE)
        self.assertEqual(self.msg, fresh)

    def test_verify(self):
        """The fixture message's verify() result must be truthy."""
        self.assertTrue(self.msg.verify())

    def test_to_partial_json(self):
        """to_partial_json() must equal the dict with the Signature object."""
        produced = self.msg.to_partial_json()
        self.assertEqual(produced, self.jmsg_to)

    def test_from_json(self):
        """from_json() on the serialized dict must equal the fixture."""
        from acme.messages import CertificateRequest
        parsed = CertificateRequest.from_json(self.jmsg_from)
        self.assertEqual(self.msg, parsed)
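def validate_csr(self, message: messages.CertificateRequest, authorizations: Iterable[AcmeAuthorization]) -> str:
    """Parse and validate the CSR, returns the PEM as str.

    The CSR is rejected with ``AcmeBadCSR`` when any of these holds:

    * its self-signature is reported as invalid,
    * it is signed using MD5 or SHA1,
    * it has a string CommonName that is not among the names of the order's
      authorizations (or that cannot be represented as a DNS name at all),
    * it has no SubjectAlternativeName extension, or
    * its set of subject alternative names differs from the set of names in
      the authorizations.

    The last check requires an exact match, so a CSR can neither add names
    that were never authorized nor drop names that belong to the order.

    Raises:
        AcmeBadCSR: if one of the checks above fails.
    """
    # Note: Jose wraps the CSR in a josepy.util.ComparableX509, that has *no* public member methods.
    # The only public attribute or function is the wrapped object. We encode it back to get the regular
    # PEM.
    # Note that the CSR received here is not an actual PEM, see AcmeCertificate.parse_csr()
    csr = parse_acme_csr(message.encode("csr"))

    if csr.is_signature_valid is False:
        raise AcmeBadCSR(message="CSR signature is not valid.")

    # Do not accept MD5 or SHA1 signatures
    if isinstance(csr.signature_hash_algorithm, (hashes.MD5, hashes.SHA1)):
        raise AcmeBadCSR(message="%s: Insecure hash algorithm." % csr.signature_hash_algorithm.name)

    # Get list of general names from the authorizations
    names_from_order = set(
        SubjectAlternativeName({
            "value": [auth.subject_alternative_name for auth in authorizations]
        }).extension_type)

    # Test if any subject Common Name is in the names for this order
    # NOTE: certbot does *not* set name in the subject
    csr_subject = Subject(csr.subject)
    common_name = csr_subject.get("CN")
    if isinstance(common_name, str):
        # The subject is attacker-controlled input. x509.DNSName() raises ValueError for values that are
        # not plain ASCII (A-label) strings; such a name cannot be part of the order, so report it as a
        # bad CSR instead of letting the ValueError escape as an unhandled error.
        try:
            common_name_as_dns = x509.DNSName(common_name)
        except ValueError as ex:
            raise AcmeBadCSR(message="CommonName was not in order.") from ex

        if common_name_as_dns not in names_from_order:
            raise AcmeBadCSR(message="CommonName was not in order.")

    try:
        # The elements of a SubjectAlternativeName extension are general names.
        names_from_csr: Set[x509.GeneralName] = set(
            csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value)
    except x509.ExtensionNotFound as ex:
        raise AcmeBadCSR(message="No subject alternative names found in CSR.") from ex

    # Exact set equality: no unauthorized extra names, no missing names.
    if names_from_order != names_from_csr:
        raise AcmeBadCSR(message="Names in CSR do not match.")

    return csr.public_bytes(Encoding.PEM).decode("utf-8")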
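def test_order_finalize_early():
    """
    Test that finalizing an order before it is fully authorized results in the
    order having an error set and the status being invalid.

    This guards the rule that a certificate request is refused while the
    order's authorizations are still pending: the finalize call must fail
    with an ``unauthorized`` problem and the order itself must end up
    ``invalid`` with that same error type recorded.
    """
    # Create a client
    client = make_client(None)

    # Create a random domain and a csr
    domains = [random_domain()]
    csr_pem = make_csr(domains)

    # Create an order for the domain
    order = client.new_order(csr_pem)

    # Finalize the order without doing anything with the authorizations.
    # We expect this to generate an unauthorized error.
    chisel2.expect_problem(
        "urn:ietf:params:acme:error:unauthorized",
        lambda: client.net.post(
            order.body.finalize, CertificateRequest(csr=order.csr)))

    # Poll for a fixed amount of time checking for the order to become invalid
    # from the early finalization attempt initiated above failing.
    # A monotonic clock keeps the deadline independent of wall-clock changes.
    deadline = time.monotonic() + 5
    while time.monotonic() < deadline:
        time.sleep(1)
        # Bound every poll: without a timeout a stalled server would block
        # this request indefinitely and the deadline would never be checked.
        updated_order = requests.get(order.uri, timeout=5).json()
        if updated_order['status'] == "invalid":
            break

    # If the loop ended and the status isn't invalid then we reached the
    # deadline waiting for the order to become invalid, fail the test
    if updated_order['status'] != "invalid":
        raise Exception("timed out waiting for order %s to become invalid" % order.uri)

    # The order should have an error with the expected type
    error_type = updated_order['error']['type']
    if error_type != 'urn:ietf:params:acme:error:unauthorized':
        raise Exception("order %s has incorrect error field type: \"%s\"" % (order.uri, error_type))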
def test_json_de_serializable(self):
    """The request is JSONDeSerializable and survives a JSON round trip."""
    implements_interface = isinstance(self.req, jose.JSONDeSerializable)
    self.assertTrue(implements_interface)

    from acme.messages import CertificateRequest
    as_json = self.req.to_json()
    rebuilt = CertificateRequest.from_json(as_json)
    self.assertEqual(self.req, rebuilt)
def setUp(self):
    """Create the CertificateRequest under test from the module-level CSR."""
    from acme.messages import CertificateRequest
    request = CertificateRequest(csr=CSR)
    self.req = request
def test_from_json(self):
    """from_json() on ``self.jmsg_from`` must equal the fixture ``self.msg``."""
    from acme.messages import CertificateRequest
    parsed = CertificateRequest.from_json(self.jmsg_from)
    self.assertEqual(self.msg, parsed)
def setUp(self):
    """Create a CertificateRequest with the CSR and one authorization entry.

    ``'foo'`` is an arbitrary string used as the single element of the
    ``authorizations`` tuple.
    """
    from acme.messages import CertificateRequest
    authorizations = ('foo',)
    self.req = CertificateRequest(csr=CSR, authorizations=authorizations)
def setUp(self):
    """Build the request fixture: module-level CSR plus a one-item tuple."""
    from acme.messages import CertificateRequest as request_cls
    # Single arbitrary string as the authorizations value.
    fixture_kwargs = {'csr': CSR, 'authorizations': ('foo', )}
    self.req = request_cls(**fixture_kwargs)
def test_create(self):
    """create() called with a hard-coded nonce must equal ``self.msg``."""
    from acme.messages import CertificateRequest

    create_kwargs = {
        'csr': CSR,
        'key': KEY,
        # Fixed nonce bytes rather than a random value.
        'sig_nonce': '\xec\xd6\xf2oYH\xeb\x13\xd5#q\xe0\xdd\xa2\x92\xa9',
    }
    expected = self.msg
    self.assertEqual(expected, CertificateRequest.create(**create_kwargs))