def success_hook(self, certificate_name, order_name, csr, certificate, certificate_raw, poll_identifier): """ run after each successfully certificate enrollment/renewal """ self.logger.debug('Hook.success_hook()') san_list = cert_san_get(self.logger, certificate_raw) self._file_append('{0}/success_hook.txt'.format(self.save_path), json.dumps(san_list) + '\n')
def _authorization_check(self, order_name, certificate): """ check if an acount holds authorization for all identifiers = SANs in the certificate """ self.logger.debug('Certificate._authorization_check()') # empty list of statuses identifier_status = [] # get identifiers for order try: identifier_dic = self.dbstore.order_lookup('name', order_name, ['identifiers']) except BaseException as err_: self.logger.critical( 'acme2certifier database error in Certificate._authorization_check(): {0}' .format(err_)) identifier_dic = {} if identifier_dic and 'identifiers' in identifier_dic: # load identifiers try: identifiers = json.loads(identifier_dic['identifiers'].lower()) except BaseException: identifiers = [] # check if we have a tnauthlist identifier tnauthlist_identifer_in = self._tnauth_identifier_check( identifiers) if self.tnauthlist_support and tnauthlist_identifer_in: try: # get list of certextensions in base64 format and identifier status tnauthlist = cert_extensions_get(self.logger, certificate) identifier_status = self._identifer_tnauth_list( identifier_dic, tnauthlist) except BaseException as err_: # enough to set identifier_list as empty list identifier_status = [] self.logger.warning( 'Certificate._authorization_check() error while loading parsing certifcate. Error: {0}' .format(err_)) else: try: # get sans san_list = cert_san_get(self.logger, certificate) identifier_status = self._identifer_status_list( identifiers, san_list) except BaseException as err_: # enough to set identifier_list as empty list identifier_status = [] self.logger.warning( 'Certificate._authorization_check() error while loading parsing certifcate. Error: {0}' .format(err_)) result = False if identifier_status and False not in identifier_status: result = True self.logger.debug( 'Certificate._authorization_check() ended with {0}'.format(result)) return result
def _validate_alpn_challenge(self, challenge_name, fqdn, token, jwk_thumbprint): """ validate dns challenge """ self.logger.debug( 'Challenge._validate_alpn_challenge({0}:{1}:{2})'.format( challenge_name, fqdn, token)) # resolve name (response, invalid) = fqdn_resolve(fqdn, self.dns_server_list) self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format( response, invalid)) # we are expecting a certifiate extension which is the sha256 hexdigest of token in a byte structure # which is base64 encoded '0420' has been taken from acme_srv.sh sources sha256_digest = sha256_hash_hex( self.logger, '{0}.{1}'.format(token, jwk_thumbprint)) extension_value = b64_encode( self.logger, bytearray.fromhex('0420{0}'.format(sha256_digest))) self.logger.debug('computed value: {0}'.format(extension_value)) if not invalid: # check if we need to set a proxy if self.proxy_server_list: proxy_server = proxy_check(self.logger, fqdn, self.proxy_server_list) else: proxy_server = None cert = servercert_get(self.logger, fqdn, 443, proxy_server) if cert: san_list = cert_san_get(self.logger, cert, recode=False) fqdn_in_san = fqdn_in_san_check(self.logger, san_list, fqdn) if fqdn_in_san: extension_list = cert_extensions_get(self.logger, cert, recode=False) if extension_value in extension_list: self.logger.debug('alpn validation successful') result = True else: self.logger.debug('alpn validation not successful') result = False else: self.logger.debug('fqdn check against san failed') result = False else: self.logger.debug('no cert returned...') result = False else: result = False self.logger.debug( 'Challenge._validate_alpn_challenge() ended with: {0}/{1}'.format( result, invalid)) return (result, invalid)