a }|gf@sTdZddlmZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z dd lm Z dd lm Z dd lm Z dd lmZdd lmZddlZddlmZddlmZddlmZddlmZddlmZdZddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.Zid/d0eDZeed1d2d3ZGd4d5d5ejeZ Gd6d7d7e Z!e!d8Z"e!d9Z#Gd:d;d;ej$Z%Gdd?d?e Z'e'd@Z(e'dAZ)e'dBZ*e'dCZ+e'dDZ,e'dEZ-e'dFZ.e'dGZ/GdHdIdIejZ0GdJdKdKej$Z1GdLdMdMe1Z2GdNdOdOej$Z3GdPdQdQZ4edRdSdTZ5GdUdSdSe3Z6GdVdWdWe6Z7GdXdYdYe6Z8GdZd[d[e2Z9Gd\d]d]e3Z:Gd^d_d_e1Z;Gd`dadae3ZGdfdgdge2Z?Gdhdidiej$Z@Gdjdkdke2ZAGdldmdmej$ZBGdndodoe3ZCGdpdqdqe2ZDGdrdsdseCZEdS)tzACME protocol messages.)HashableN)Any)Dict)Iterator)List)Mapping)MutableMapping)Optional)Tuple)Type)TypeVar) challenges)errors)fields)jws)utilzurn:ietf:params:acme:error:z4The request specified an account that does not existzOThe request specified a certificate to be revoked that has already been revokedz2The CSR is unacceptable (e.g., due to a short key)z1The client sent an unacceptable anti-replay noncez>The JWS was signed by a public key the server does not supportz;The revocation reason provided is not allowed by the serverz@The JWS was signed with an algorithm the server does not supportz\Certification Authority Authorization (CAA) records forbid the CA from issuing a certificatezBSpecific error conditions are indicated in the "subproblems" arrayz?The server could not connect to the client to verify the domainzAThere was a problem with a DNS query during identifier validationz4The server could not validate a DNSSEC signed domainz;Response received didn't match the challenge's requirementsz1The provided email for a registration was invalidz$The provided contact URI was invalidz!The request message was malformedz9The server will not issue certificates for the identifierzLThe request attempted to finalize an order that is not ready to be finalizedz,There were too many requests of a given typez(The server experienced an internal errorz=The server experienced a TLS error during domain verificationz)The client lacks sufficient authorizationz@A contact URL for an account used an unsupported protocol schemez*The server could not resolve a domain namez'An identifier is of an unsupported typez,The server requires external account binding)ZaccountDoesNotExistZalreadyRevokedZbadCSRZbadNonceZ badPublicKeyZbadRevocationReasonZbadSignatureAlgorithmZcaaZcompoundZ connectiondnsZdnssecZincorrectResponseZ invalidEmailZinvalidContactZ malformedZrejectedIdentifierZ orderNotReadyZ rateLimitedZserverInternalZtlsZ unauthorizedZunsupportedContactZ unknownHostZunsupportedIdentifierexternalAccountRequiredcCsi|]\}}t||qS) ERROR_PREFIX).0nameZdescrr1/usr/lib/python3.9/site-packages/acme/messages.py ;sr)errreturncCs"t|tr|jdurt|jvSdS)z#Check if argument is an ACME error.NF) isinstanceErrortypr)rrrr is_acme_error@s rcseZdZUdZdZeZeedfe d<eddfdd Z edd d Z e edd d d Z edddZeedddZedddZZS) _ConstantzACME constant.rPOSSIBLE_NAMESNrrcst||j|<||_dSN)super__init__r"rselfr __class__rrr&Ls  z_Constant.__init__rcCs|jSr$r!r(rrrto_partial_jsonQsz_Constant.to_partial_jsonjobjrcCs&||jvrt|jd|j|S)Nz not recognized)r"joseZDeserializationError__name__clsr/rrr from_jsonTs z_Constant.from_jsoncCs|jjd|jdS)N())r*r1rr,rrr__repr__Zsz_Constant.__repr__)otherrcCst|t|o|j|jkSr$)rtyper)r(r8rrr__eq__]sz_Constant.__eq__cCst|j|jfSr$)hashr*rr,rrr__hash__`sz_Constant.__hash__)r1 __module__ __qualname____doc__ __slots__NotImplementedr"rstr__annotations__r&r- classmethodr4r7rboolr:intr< __classcell__rrr)rr Gs r c@s&eZdZUdZiZeeefed<dS)IdentifierTypezACME identifier type.r"N r1r=r>r?r"rrBr rCrrrrrHds rHripc@s<eZdZUdZejdejdZee d<edZ e e d<dS) IdentifierzJACME identifier. :ivar IdentifierType typ: :ivar str value: r9decoderrvalueN) r1r=r>r?r0fieldrHr4rrCrNrBrrrrrKms rKc@seZdZUdZejddddZeed<ejdddZ eed<ejd ddZ eed <ejd e j dd Z ed ed <ejd ddZeeded <ejeeeefeddddZeeeddddZeeedddZeeedddZeeddddZedddZdS) raACME error. https://datatracker.ietf.org/doc/html/rfc7807 Note: Although Error inherits from JSONObjectWithFields, which is immutable, we add mutability for Error to comply with the Python exception API. :ivar str typ: :ivar str title: :ivar str detail: :ivar Identifier identifier: :ivar tuple subproblems: An array of ACME Errors which may be present when the CA returns multiple errors related to the same request, `tuple` of `Error`. r9Tz about:blank omitemptydefaultrtitlerQdetail identifierrMrQrK subproblems)r.rNrcCstdd|DS)Ncss|]}t|VqdSr$)rr4)r subproblemrrr z$Error.subproblems..tuplerNrrrrXszError.subproblems)codekwargsrcKs.|tvrtd|t|}|fd|i|S)zCreate an Error instance with an ACME Error code. :str code: An ACME error code, like 'dnssec'. :kwargs: kwargs to pass to Error. z4The supplied code: %s is not a known ACME error coder) ERROR_CODES ValueErrorr)r3r`rarrrr with_codes zError.with_coder+cCs t|jS)zHardcoded error description based on its type. :returns: Description if standard ACME error or ``None``. :rtype: str )ERROR_TYPE_DESCRIPTIONSgetrr,rrr descriptionszError.descriptioncCs(t|jjdddd}|tvr$|SdS)zACME error code. Basically self.typ without the ERROR_PREFIX. :returns: error code if standard ACME code or ``None``. :rtype: str :)maxsplitN)rBrrsplitrb)r(r`rrrr`s z Error.codeN)rrNrcCst|||Sr$)object __setattr__)r(rrNrrrrnszError.__setattr__cCstddd|j|j|j|jfD}|jrBd|jjd|}|jrpt |jdkrp|jD]}|d|7}q\|S)Ns :: css"|]}|dur|ddVqdS)Nasciibackslashreplaceencode)rpartrrrr[sz Error.__str__..z Problem for z: r ) joinrrgrUrSdecoderVrNrXlen)r(resultrZrrr__str__s   z Error.__str__)r1r=r>r?r0rOrrBrCrSrUrKr4rVr rXr rMrrrrDrdpropertyrgr`rnryrrrrrxs$ " rc@s&eZdZUdZiZeeefed<dS)StatuszACME "status" field.r"NrIrrrrr{s r{unknownpendingZ processingZvalidZinvalidZrevokedZreadyZ deactivatedc@seZdZdZGdddejZeee fddddZ ee dd d Z ee dd d Z e ee fd ddZeeee fddddZdS) DirectoryzmDirectory. Directory resources must be accessed by the exact field name in RFC8555 (section 9.7.5). cseZdZUdZejdddZeed<ejdddZ eed<ejdddZ e eed<ejd ddZ e ed <ed d fd d ZeedddZeedfdd ZeedddZZS)zDirectory.MetazDirectory Meta.ZtermsOfServiceTrT_terms_of_servicewebsiteZ caaIdentitiescaa_identitiesrexternal_account_requiredNrarc s,fdd|D}tjfi|dS)Ncsi|]\}}||qSr_internal_namerkvr,rrrr\z+Directory.Meta.__init__..itemsr%r&r(rar)r,rr&szDirectory.Meta.__init__r+cCs|jS)zURL for the CA TOS)rr,rrrterms_of_serviceszDirectory.Meta.terms_of_servicec#s.tD]}|dkr"|ddn|Vq dS)Nrrir%__iter__r'r)rrrszDirectory.Meta.__iter__r#cCs|dkrd|S|S)Nr_rr'rrrrszDirectory.Meta._internal_name)r1r=r>r?r0rOrrBrCrrrrrErr&rzrrrrrGrrr)rMetas rNr.cCs ||_dSr$)_jobjr(r/rrrr&szDirectory.__init__r#c Cs@z ||WSty:}ztt|WYd}~n d}~00dSr$)KeyErrorAttributeErrorrB)r(rerrorrrr __getattr__s zDirectory.__getattr__cCs4z |j|WSty.td|dYn0dS)NzDirectory field "z " not found)rrr'rrr __getitem__s  zDirectory.__getitem__r+cCst|jddS)NcSs|Sr$r)rrrr r\z+Directory.to_partial_json..)rZmap_keysrr,rrrr- szDirectory.to_partial_jsoncCs |j|di|d<||S)Nmeta)rr4popr2rrrr4szDirectory.from_json)r1r=r>r?r0JSONObjectWithFieldsrrrBrr&rrrr-rDrr4rrrrr~sr~c@s$eZdZUdZedZded<dS)ResourcezOACME Resource. :ivar acme.messages.ResourceBody body: Resource body. body ResourceBodyN)r1r=r>r?r0rOrrCrrrrrs rc@s$eZdZUdZedZeed<dS)ResourceWithURIzKACME Resource with URI. :ivar str uri: Location of the resource. uriN) r1r=r>r?r0rOrrBrCrrrrrs rc@seZdZdZdS)rzACME Resource Body.Nr1r=r>r?rrrrr'src@s4eZdZdZeejeeee ee fdddZ dS)ExternalAccountBindingzACME External Account Binding)account_public_keykidhmac_key directoryrc CsRt|}tj|}|d}tj |tj j |dtj j d||}|S)zLCreate External Account Binding Resource from contact details, kid and hmac.Z newAccount)keyN)jsondumpsr-rrr0Zb64Z b64decoderZJWSsignZjwkZJWKOctZjwaZHS256) r3rrrrZkey_jsonZdecoded_hmac_keyurlZeabrrr from_data.s z ExternalAccountBinding.from_dataN) r1r=r>r?rDr0JWKrBr~rrrrrrrr+s  rGenericRegistration Registration)boundc seZdZUdZejddejjdZeje d<ejddddZ e e dfe d<ejd dd Z e e d <ejd dd Zee d <ejd dd Zee d <ejddd Zee d<ejddd Zee efe d<dZdZed*eeee ee eee efeedddZeddfdd Ze e e dfdddZee efee efddd Zee efd!fd"d# Z ee efd!fd$d% Z!e"e e dfd!d&d'Z#e"e e dfd!d(d)Z$Z%S)+rzRegistration Resource Body. :ivar jose.JWK key: Public key. :ivar tuple contact: Contact information following ACME spec, `tuple` of `str`. :ivar str agreement: rTrQrMcontactrrP. agreementrTstatusZtermsOfServiceAgreedterms_of_service_agreedZonlyReturnExistingonly_return_existingZexternalAccountBindingexternal_account_bindingztel:zmailto:N)r3phoneemailrrarc sd|v}t|dd}|dur0|j||durV|fdd|dD|s^|rjt||d<|rv||d<fi|S)a Create registration resource from contact details. The `contact` keyword being passed to a Registration object is meaningful, so this function represents empty iterables in its kwargs by passing on an empty `tuple`. rrNcsg|]}j|qSr) email_prefix)rZmailr3rr pr\z*Registration.from_data..,r)listrappend phone_prefixextendsplitr^)r3rrrraZcontact_provideddetailsrrrr[s zRegistration.from_datarc s8d|vr"|ddur"t|ddtjfi|dS)z;Note if the user provides a value for the `contact` member.rN _add_contactT)rmrnr%r&rr)rrr&|szRegistration.__init__)prefixrcstfdd|jDS)Nc3s(|] }|r|tdVqdSr$) startswithrw)rrUrrrr[s z/Registration._filter_contact..)r^r)r(rrrr_filter_contacts zRegistration._filter_contactr.cCst|ddr|d|d<|S)a The `contact` member of Registration objects should not be required when de-serializing (as it would be if the Fields' `omitempty` flag were `False`), but it should be included in serializations if it was provided. :param jobj: Dictionary containing this Registrations' data :type jobj: dict :returns: Dictionary containing Registrations data to transmit to the server :rtype: dict rFr)getattrrrrrrr_add_contact_if_appropriates z(Registration._add_contact_if_appropriater+cst}||S)z2Modify josepy.JSONDeserializable.to_partial_json())r%r-rrr)rrr-s zRegistration.to_partial_jsoncst}||S)z;Modify josepy.JSONObjectWithFields.fields_to_partial_json())r%fields_to_partial_jsonrrr)rrrs z#Registration.fields_to_partial_jsoncCs ||jS)z*All phones found in the ``contact`` field.)rrr,rrrphonesszRegistration.phonescCs ||jS)z*All emails found in the ``contact`` field.)rrr,rrremailsszRegistration.emails)NNN)&r1r=r>r?r0rOrr4rrCrr rBrrr{rrErrrrrrrDr rr rr&rrr-rrzrrrGrrr)rrAs<     c@seZdZdZdS)NewRegistrationzNew registration.Nrrrrrrsrc@seZdZdZdS)UpdateRegistrationzUpdate registration.Nrrrrrrsrc@sVeZdZUdZejdejdZee d<ejdddZ e e d<ejdddZ e e d<dS) RegistrationResourcezRegistration Resource. :ivar acme.messages.Registration body: :ivar str new_authzr_uri: Deprecated. Do not use. :ivar str terms_of_service: URL for the CA TOS. rrLnew_authzr_uriTrTrN) r1r=r>r?r0rOrr4rrCrrBrrrrrrs rcs4eZdZUdZdZejddddZee d<ejde j de d Z e e d<ejd dd Zeje d <ejd ej ddd Zee d <edd fdd Zeedfdd Zeeefdfdd Zeeeefeeefdfdd ZeedddZeedddZeedfdd Z eeddd Z!Z"S)! ChallengeBodya>Challenge Resource Body. .. todo:: Confusingly, this has a similar name to `.challenges.Challenge`, as well as `.achallenges.AnnotatedChallenge`. Please use names such as ``challb`` to distinguish instances of this class from ``achall``. :ivar acme.challenges.Challenge: Wrapped challenge. Conveniently, all challenge fields are proxied, i.e. you can call ``challb.x`` to get ``challb.chall.x`` contents. :ivar acme.messages.Status status: :ivar datetime.datetime validated: :ivar messages.Error error: )challrTNrP_urlr)rMrQrR validatedrTrrc s,fdd|D}tjfi|dS)Ncsi|]\}}||qSrrrr,rrrr\z*ChallengeBody.__init__..rrr)r,rr&szChallengeBody.__init__r#cst||Sr$)r%rrrr'r)rrrrszChallengeBody.encoder+cst}||j|Sr$)r%r-updaterrr)rrr-s zChallengeBody.to_partial_jsonr.cs t|}tj||d<|S)Nr)r%fields_from_jsonr Z Challenger4)r3r/Z jobj_fieldsr)rrrs zChallengeBody.fields_from_jsoncCs|jS)zThe URL of this challenge.)rr,rrrrszChallengeBody.uricCs t|j|Sr$)rrr'rrrrszChallengeBody.__getattr__c#s&tD]}|dkrdn|Vq dS)Nrrrr'r)rrrszChallengeBody.__iter__cCs|dkr dS|S)Nrrrr'rrrrszChallengeBody._internal_name)#r1r=r>r?r@r0rOrrBrCr{r4STATUS_PENDINGrrrfc3339rdatetimerrrr&rrrr-rDrrrzrrrrrrGrrr)rrs(   &rc@sNeZdZUdZejdejdZee d<edZ e e d<e e dddZ dS) ChallengeResourcezChallenge Resource. :ivar acme.messages.ChallengeBody body: :ivar str authzr_uri: URI found in the 'up' ``Link`` header. rrL authzr_urir+cCs|jjS)zThe URL of the challenge body.)rrr,rrrrszChallengeResource.uriN)r1r=r>r?r0rOrr4rrCrrBrzrrrrrrs rc@seZdZUdZejdejddZee d<ejdddZ e e e d<ejdde jdZe e d<ejd ddZeje d <ejd ddZee d <e je eeefee d fd d dZ dS) AuthorizationzAuthorization Resource Body. :ivar acme.messages.Identifier identifier: :ivar list challenges: `list` of `.ChallengeBody` :ivar acme.messages.Status status: :ivar datetime.datetime expires: rVTrWr rTrrexpireswildcard.rYcCstdd|DS)Ncss|]}t|VqdSr$)rr4)rrrrrr[,r\z+Authorization.challenges..r]r_rrrr *szAuthorization.challengesN)r1r=r>r?r0rOrKr4rVrCr rrr{rrrrrrrErMrrBrr rrrrrs rc@seZdZdZdS)NewAuthorizationzNew authorization.Nrrrrrr/src@seZdZdZdS)UpdateAuthorizationzUpdate authorization.Nrrrrrr3src@s@eZdZUdZejdejdZee d<ejdddZ e e d<dS)AuthorizationResourcez~Authorization Resource. :ivar acme.messages.Authorization body: :ivar str new_cert_uri: Deprecated. Do not use. rrL new_cert_uriTrTN) r1r=r>r?r0rOrr4rrCrrBrrrrr7s rc@s0eZdZUdZejdejejdZej e d<dS)CertificateRequestz~ACME newOrder request. :ivar jose.ComparableX509 csr: `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509` csrrMencoderN) r1r=r>r?r0rOZ decode_csrZ encode_csrrComparableX509rCrrrrrBs rc@s>eZdZUdZedZeed<edZ e e dfed<dS)CertificateResourceaCertificate Resource. :ivar josepy.util.ComparableX509 body: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` :ivar str cert_chain_uri: URI found in the 'up' ``Link`` header :ivar tuple authzrs: `tuple` of `AuthorizationResource`. cert_chain_uriauthzrs.N) r1r=r>r?r0rOrrBrCrr rrrrrrLs rc@sBeZdZUdZejdejejdZej e d<edZ e e d<dS) RevocationzRevocation message. :ivar jose.ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in `jose.ComparableX509` certificaterreasonN) r1r=r>r?r0rOZ decode_certZ encode_certrrrCrrFrrrrrYs  rc@seZdZUdZejdddZeee d<ejde j ddZ e e d<ejdddZ eee d<ejdddZee d<ejd ddZee d <ejd ddZeje d <ejd dej d Zee d <ejeeeefeed fdddZdS)Ordera_Order Resource Body. :ivar identifiers: List of identifiers for the certificate. :vartype identifiers: `list` of `.Identifier` :ivar acme.messages.Status status: :ivar authorizations: URLs of authorizations. :vartype authorizations: `list` of `str` :ivar str certificate: URL to download certificate as a fullchain PEM. :ivar str finalize: URL to POST to to request issuance once all authorizations have "valid" status. :ivar datetime.datetime expires: When the order expires. :ivar ~.Error error: Any error that occurred during finalization, if applicable. identifiersTrTrrWauthorizationsrfinalizerrr.rYcCstdd|DS)Ncss|]}t|VqdSr$)rKr4)rrVrrrr[r\z$Order.identifiers..r]r_rrrr}szOrder.identifiersN)r1r=r>r?r0rOrrrKrCr{r4rrrBrrrrrrrrrMrrr rrrrres  rc@seZdZUdZejdejdZee d<ejddddddd Z e e d<ed Z e ee d <ejd dd Zee d <ejd dd Ze ee d <e je eeefeedfdddZ dS) OrderResourceaOrder Resource. :ivar acme.messages.Order body: :ivar bytes csr_pem: The CSR this Order will be finalized with. :ivar authorizations: Fully-fetched AuthorizationResource objects. :vartype authorizations: `list` of `acme.messages.AuthorizationResource` :ivar str fullchain_pem: The fetched contents of the certificate URL produced once the order was finalized, if it's present. :ivar alternative_fullchains_pem: The fetched contents of alternative certificate chain URLs produced once the order was finalized, if present and requested during finalization. :vartype alternative_fullchains_pem: `list` of `str` rrLcsr_pemTcCs |dSNzutf-8rq)srrrrr\zOrderResource.cCs |dSr)rv)brrrrr\)rQrMrr fullchain_pemrTalternative_fullchains_pem.rYcCstdd|DS)Ncss|]}t|VqdSr$)rr4)rZauthzrrrr[r\z/OrderResource.authorizations..r]r_rrrrszOrderResource.authorizationsN)r1r=r>r?r0rOrr4rrCrbytesrrrrrBrrMrrr rrrrrs   rc@seZdZdZdS)NewOrderz New order.Nrrrrrrsr)Fr?collections.abcrrrtypingrrrrrrr r r r Zjosepyr0Zacmer rrrrrrbrre BaseExceptionrErZJSONDeSerializabler rHZIDENTIFIER_FQDNZ IDENTIFIER_IPrrKrr{ZSTATUS_UNKNOWNrZSTATUS_PROCESSINGZ STATUS_VALIDZSTATUS_INVALIDZSTATUS_REVOKEDZ STATUS_READYZSTATUS_DEACTIVATEDr~rrrrrrrrrrrrrrrrrrrrrrrrrs                ! W7   m A    &