def success_hook(self, certificate_name, order_name, csr, certificate,
certificate_raw, poll_identifier):
""" run after each successfully certificate enrollment/renewal """
self.logger.debug('Hook.success_hook()')
san_list = cert_san_get(self.logger, certificate_raw)
self._file_append('{0}/success_hook.txt'.format(self.save_path),
json.dumps(san_list) + '\n')
def _authorization_check(self, order_name, certificate):
""" check if an acount holds authorization for all identifiers = SANs in the certificate """
self.logger.debug('Certificate._authorization_check()')
# empty list of statuses
identifier_status = []
# get identifiers for order
try:
identifier_dic = self.dbstore.order_lookup('name', order_name,
['identifiers'])
except BaseException as err_:
self.logger.critical(
'acme2certifier database error in Certificate._authorization_check(): {0}'
.format(err_))
identifier_dic = {}
if identifier_dic and 'identifiers' in identifier_dic:
# load identifiers
try:
identifiers = json.loads(identifier_dic['identifiers'].lower())
except BaseException:
identifiers = []
# check if we have a tnauthlist identifier
tnauthlist_identifer_in = self._tnauth_identifier_check(
identifiers)
if self.tnauthlist_support and tnauthlist_identifer_in:
try:
# get list of certextensions in base64 format and identifier status
tnauthlist = cert_extensions_get(self.logger, certificate)
identifier_status = self._identifer_tnauth_list(
identifier_dic, tnauthlist)
except BaseException as err_:
# enough to set identifier_list as empty list
identifier_status = []
self.logger.warning(
'Certificate._authorization_check() error while loading parsing certifcate. Error: {0}'
.format(err_))
else:
try:
# get sans
san_list = cert_san_get(self.logger, certificate)
identifier_status = self._identifer_status_list(
identifiers, san_list)
except BaseException as err_:
# enough to set identifier_list as empty list
identifier_status = []
self.logger.warning(
'Certificate._authorization_check() error while loading parsing certifcate. Error: {0}'
.format(err_))
result = False
if identifier_status and False not in identifier_status:
result = True
self.logger.debug(
'Certificate._authorization_check() ended with {0}'.format(result))
return result
def _validate_alpn_challenge(self, challenge_name, fqdn, token,
jwk_thumbprint):
""" validate dns challenge """
self.logger.debug(
'Challenge._validate_alpn_challenge({0}:{1}:{2})'.format(
challenge_name, fqdn, token))
# resolve name
(response, invalid) = fqdn_resolve(fqdn, self.dns_server_list)
self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format(
response, invalid))
# we are expecting a certifiate extension which is the sha256 hexdigest of token in a byte structure
# which is base64 encoded '0420' has been taken from acme_srv.sh sources
sha256_digest = sha256_hash_hex(
self.logger, '{0}.{1}'.format(token, jwk_thumbprint))
extension_value = b64_encode(
self.logger, bytearray.fromhex('0420{0}'.format(sha256_digest)))
self.logger.debug('computed value: {0}'.format(extension_value))
if not invalid:
# check if we need to set a proxy
if self.proxy_server_list:
proxy_server = proxy_check(self.logger, fqdn,
self.proxy_server_list)
else:
proxy_server = None
cert = servercert_get(self.logger, fqdn, 443, proxy_server)
if cert:
san_list = cert_san_get(self.logger, cert, recode=False)
fqdn_in_san = fqdn_in_san_check(self.logger, san_list, fqdn)
if fqdn_in_san:
extension_list = cert_extensions_get(self.logger,
cert,
recode=False)
if extension_value in extension_list:
self.logger.debug('alpn validation successful')
result = True
else:
self.logger.debug('alpn validation not successful')
result = False
else:
self.logger.debug('fqdn check against san failed')
result = False
else:
self.logger.debug('no cert returned...')
result = False
else:
result = False
self.logger.debug(
'Challenge._validate_alpn_challenge() ended with: {0}/{1}'.format(
result, invalid))
return (result, invalid)