Hello community,
here is the log from the commit of package python-acme for openSUSE:Factory
checked in at 2020-05-14 23:26:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-acme (Old)
and /work/SRC/openSUSE:Factory/.python-acme.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-acme"
Thu May 14 23:26:32 2020 rev:43 rq:805531 version:1.4.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-acme/python-acme.changes 2020-03-11
18:56:33.595707438 +0100
+++ /work/SRC/openSUSE:Factory/.python-acme.new.2738/python-acme.changes
2020-05-14 23:26:37.373220387 +0200
@@ -1,0 +2,10 @@
+Thu May 14 08:22:21 UTC 2020 - Marketa Calabkova <mcalabk...@suse.com>
+
+- update to version 1.4.0
+ * Added TLS-ALPN-01 challenge support in the acme library. Support of this
+ challenge in the Certbot client is planned to be added in a future release.
+ * mock dependency is now conditional on Python 2 in all of our packages.
+ * When using an RFC 8555 compliant endpoint, the acme library no longer
sends the
+ resource field in any requests or the type field when responding to
challenges.
+
+-------------------------------------------------------------------
Old:
----
acme-1.3.0.tar.gz
acme-1.3.0.tar.gz.asc
New:
----
acme-1.4.0.tar.gz
acme-1.4.0.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-acme.spec ++++++
--- /var/tmp/diff_new_pack.TcgdLb/_old 2020-05-14 23:26:38.041221845 +0200
+++ /var/tmp/diff_new_pack.TcgdLb/_new 2020-05-14 23:26:38.041221845 +0200
@@ -19,7 +19,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define libname acme
Name: python-%{libname}
-Version: 1.3.0
+Version: 1.4.0
Release: 0
Summary: Python library for the ACME protocol
License: Apache-2.0
@@ -43,7 +43,6 @@
BuildRequires: python-rpm-macros
Requires: python-cryptography >= 1.2.3
Requires: python-josepy >= 1.1.0
-Requires: python-ndg-httpsclient
Requires: python-pyOpenSSL >= 0.13.1
Requires: python-pyRFC3339
Requires: python-pytz
++++++ acme-1.3.0.tar.gz -> acme-1.4.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/PKG-INFO new/acme-1.4.0/PKG-INFO
--- old/acme-1.3.0/PKG-INFO 2020-03-03 21:36:42.000000000 +0100
+++ new/acme-1.4.0/PKG-INFO 2020-05-05 21:37:42.559923200 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: acme
-Version: 1.3.0
+Version: 1.4.0
Summary: ACME protocol implementation in Python
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
@@ -22,5 +22,5 @@
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*
-Provides-Extra: docs
Provides-Extra: dev
+Provides-Extra: docs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme/challenges.py
new/acme-1.4.0/acme/challenges.py
--- old/acme-1.3.0/acme/challenges.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/acme/challenges.py 2020-05-05 21:37:33.000000000 +0200
@@ -1,15 +1,22 @@
"""ACME Identifier Validation Challenges."""
import abc
+import codecs
import functools
import hashlib
import logging
+import socket
from cryptography.hazmat.primitives import hashes # type: ignore
import josepy as jose
import requests
import six
+from OpenSSL import SSL # type: ignore #
https://github.com/python/typeshed/issues/2052
+from OpenSSL import crypto
+from acme import crypto_util
+from acme import errors
from acme import fields
+from acme.mixins import ResourceMixin, TypeMixin
logger = logging.getLogger(__name__)
@@ -28,7 +35,7 @@
return UnrecognizedChallenge.from_json(jobj)
-class ChallengeResponse(jose.TypedJSONObjectWithFields):
+class ChallengeResponse(ResourceMixin, TypeMixin,
jose.TypedJSONObjectWithFields):
# _fields_to_partial_json
"""ACME challenge response."""
TYPES = {} # type: dict
@@ -362,29 +369,163 @@
@ChallengeResponse.register
class TLSALPN01Response(KeyAuthorizationChallengeResponse):
- """ACME TLS-ALPN-01 challenge response.
+ """ACME tls-alpn-01 challenge response."""
+ typ = "tls-alpn-01"
+
+ PORT = 443
+ """Verification port as defined by the protocol.
+
+ You can override it (e.g. for testing) by passing ``port`` to
+ `simple_verify`.
- This class only allows initiating a TLS-ALPN-01 challenge returned from the
- CA. Full support for responding to TLS-ALPN-01 challenges by generating and
- serving the expected response certificate is not currently provided.
"""
- typ = "tls-alpn-01"
+ ID_PE_ACME_IDENTIFIER_V1 = b"1.3.6.1.5.5.7.1.30.1"
+ ACME_TLS_1_PROTOCOL = "acme-tls/1"
-@Challenge.register
-class TLSALPN01(KeyAuthorizationChallenge):
- """ACME tls-alpn-01 challenge.
+ @property
+ def h(self):
+ """Hash value stored in challenge certificate"""
+ return hashlib.sha256(self.key_authorization.encode('utf-8')).digest()
- This class simply allows parsing the TLS-ALPN-01 challenge returned from
- the CA. Full TLS-ALPN-01 support is not currently provided.
+ def gen_cert(self, domain, key=None, bits=2048):
+ """Generate tls-alpn-01 certificate.
- """
- typ = "tls-alpn-01"
+ :param unicode domain: Domain verified by the challenge.
+ :param OpenSSL.crypto.PKey key: Optional private key used in
+ certificate generation. If not provided (``None``), then
+ fresh key will be generated.
+ :param int bits: Number of bits for newly generated key.
+
+ :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
+
+ """
+ if key is None:
+ key = crypto.PKey()
+ key.generate_key(crypto.TYPE_RSA, bits)
+
+
+ der_value = b"DER:" + codecs.encode(self.h, 'hex')
+ acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
+ critical=True, value=der_value)
+
+ return crypto_util.gen_ss_cert(key, [domain], force_san=True,
+ extensions=[acme_extension]), key
+
+ def probe_cert(self, domain, host=None, port=None):
+ """Probe tls-alpn-01 challenge certificate.
+
+ :param unicode domain: domain being validated, required.
+ :param string host: IP address used to probe the certificate.
+ :param int port: Port used to probe the certificate.
+
+ """
+ if host is None:
+ host = socket.gethostbyname(domain)
+ logger.debug('%s resolved to %s', domain, host)
+ if port is None:
+ port = self.PORT
+
+ return crypto_util.probe_sni(host=host, port=port, name=domain,
+ alpn_protocols=[self.ACME_TLS_1_PROTOCOL])
+
+ def verify_cert(self, domain, cert):
+ """Verify tls-alpn-01 challenge certificate.
+
+ :param unicode domain: Domain name being validated.
+ :param OpensSSL.crypto.X509 cert: Challenge certificate.
+
+ :returns: Whether the certificate was successfully verified.
+ :rtype: bool
+
+ """
+ # pylint: disable=protected-access
+ names = crypto_util._pyopenssl_cert_or_req_all_names(cert)
+ logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), names)
+ if len(names) != 1 or names[0].lower() != domain.lower():
+ return False
+
+ for i in range(cert.get_extension_count()):
+ ext = cert.get_extension(i)
+ # FIXME: assume this is the ACME extension. Currently there is no
+ # way to get full OID of an unknown extension from pyopenssl.
+ if ext.get_short_name() == b'UNDEF':
+ data = ext.get_data()
+ return data == self.h
+
+ return False
+
+ # pylint: disable=too-many-arguments
+ def simple_verify(self, chall, domain, account_public_key,
+ cert=None, host=None, port=None):
+ """Simple verify.
+
+ Verify ``validation`` using ``account_public_key``, optionally
+ probe tls-alpn-01 certificate and check using `verify_cert`.
+
+ :param .challenges.TLSALPN01 chall: Corresponding challenge.
+ :param str domain: Domain name being validated.
+ :param JWK account_public_key:
+ :param OpenSSL.crypto.X509 cert: Optional certificate. If not
+ provided (``None``) certificate will be retrieved using
+ `probe_cert`.
+ :param string host: IP address used to probe the certificate.
+ :param int port: Port used to probe the certificate.
+
+
+ :returns: ``True`` if and only if client's control of the domain has
been verified.
+ :rtype: bool
+
+ """
+ if not self.verify(chall, account_public_key):
+ logger.debug("Verification of key authorization in response
failed")
+ return False
+
+ if cert is None:
+ try:
+ cert = self.probe_cert(domain=domain, host=host, port=port)
+ except errors.Error as error:
+ logger.debug(str(error), exc_info=True)
+ return False
+
+ return self.verify_cert(domain, cert)
+
+
+@Challenge.register # pylint: disable=too-many-ancestors
+class TLSALPN01(KeyAuthorizationChallenge):
+ """ACME tls-alpn-01 challenge."""
response_cls = TLSALPN01Response
+ typ = response_cls.typ
def validation(self, account_key, **kwargs):
- """Generate validation for the challenge."""
- raise NotImplementedError()
+ """Generate validation.
+
+ :param JWK account_key:
+ :param unicode domain: Domain verified by the challenge.
+ :param OpenSSL.crypto.PKey cert_key: Optional private key used
+ in certificate generation. If not provided (``None``), then
+ fresh key will be generated.
+
+ :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
+
+ """
+ return self.response(account_key).gen_cert(
+ key=kwargs.get('cert_key'),
+ domain=kwargs.get('domain'))
+
+ @staticmethod
+ def is_supported():
+ """
+ Check if TLS-ALPN-01 challenge is supported on this machine.
+ This implies that a recent version of OpenSSL is installed (>= 1.0.2),
+ or a recent cryptography version shipped with the OpenSSL library is
installed.
+
+ :returns: ``True`` if TLS-ALPN-01 is supported on this machine,
``False`` otherwise.
+ :rtype: bool
+
+ """
+ return (hasattr(SSL.Connection, "set_alpn_protos")
+ and hasattr(SSL.Context, "set_alpn_select_callback"))
@Challenge.register
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme/client.py
new/acme-1.4.0/acme/client.py
--- old/acme-1.3.0/acme/client.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/acme/client.py 2020-05-05 21:37:33.000000000 +0200
@@ -25,6 +25,7 @@
from acme.magic_typing import List
from acme.magic_typing import Set
from acme.magic_typing import Text
+from acme.mixins import VersionedLEACMEMixin
logger = logging.getLogger(__name__)
@@ -987,6 +988,8 @@
:rtype: `josepy.JWS`
"""
+ if isinstance(obj, VersionedLEACMEMixin):
+ obj.le_acme_version = acme_version
jobj = obj.json_dumps(indent=2).encode() if obj else b''
logger.debug('JWS payload:\n%s', jobj)
kwargs = {
@@ -1120,8 +1123,8 @@
debug_content = response.content.decode("utf-8")
logger.debug('Received response:\nHTTP %d\n%s\n\n%s',
response.status_code,
- "\n".join(["{0}: {1}".format(k, v)
- for k, v in response.headers.items()]),
+ "\n".join("{0}: {1}".format(k, v)
+ for k, v in response.headers.items()),
debug_content)
return response
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme/crypto_util.py
new/acme-1.4.0/acme/crypto_util.py
--- old/acme-1.3.0/acme/crypto_util.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/acme/crypto_util.py 2020-05-05 21:37:33.000000000 +0200
@@ -27,19 +27,41 @@
_DEFAULT_SSL_METHOD = SSL.SSLv23_METHOD # type: ignore
-class SSLSocket(object):
+class _DefaultCertSelection(object):
+ def __init__(self, certs):
+ self.certs = certs
+
+ def __call__(self, connection):
+ server_name = connection.get_servername()
+ return self.certs.get(server_name, None)
+
+
+class SSLSocket(object): # pylint: disable=too-few-public-methods
"""SSL wrapper for sockets.
:ivar socket sock: Original wrapped socket.
:ivar dict certs: Mapping from domain names (`bytes`) to
`OpenSSL.crypto.X509`.
:ivar method: See `OpenSSL.SSL.Context` for allowed values.
+ :ivar alpn_selection: Hook to select negotiated ALPN protocol for
+ connection.
+ :ivar cert_selection: Hook to select certificate for connection. If given,
+ `certs` parameter would be ignored, and therefore must be empty.
"""
- def __init__(self, sock, certs, method=_DEFAULT_SSL_METHOD):
+ def __init__(self, sock, certs=None,
+ method=_DEFAULT_SSL_METHOD, alpn_selection=None,
+ cert_selection=None):
self.sock = sock
- self.certs = certs
+ self.alpn_selection = alpn_selection
self.method = method
+ if not cert_selection and not certs:
+ raise ValueError("Neither cert_selection or certs specified.")
+ if cert_selection and certs:
+ raise ValueError("Both cert_selection and certs specified.")
+ if cert_selection is None:
+ cert_selection = _DefaultCertSelection(certs)
+ self.cert_selection = cert_selection
def __getattr__(self, name):
return getattr(self.sock, name)
@@ -56,18 +78,19 @@
:type connection: :class:`OpenSSL.Connection`
"""
- server_name = connection.get_servername()
- try:
- key, cert = self.certs[server_name]
- except KeyError:
- logger.debug("Server name (%s) not recognized, dropping SSL",
- server_name)
+ pair = self.cert_selection(connection)
+ if pair is None:
+ logger.debug("Certificate selection for server name %s failed,
dropping SSL",
+ connection.get_servername())
return
+ key, cert = pair
new_context = SSL.Context(self.method)
new_context.set_options(SSL.OP_NO_SSLv2)
new_context.set_options(SSL.OP_NO_SSLv3)
new_context.use_privatekey(key)
new_context.use_certificate(cert)
+ if self.alpn_selection is not None:
+ new_context.set_alpn_select_callback(self.alpn_selection)
connection.set_context(new_context)
class FakeConnection(object):
@@ -92,6 +115,8 @@
context.set_options(SSL.OP_NO_SSLv2)
context.set_options(SSL.OP_NO_SSLv3)
context.set_tlsext_servername_callback(self._pick_certificate_cb)
+ if self.alpn_selection is not None:
+ context.set_alpn_select_callback(self.alpn_selection)
ssl_sock = self.FakeConnection(SSL.Connection(context, sock))
ssl_sock.set_accept_state()
@@ -107,8 +132,9 @@
return ssl_sock, addr
-def probe_sni(name, host, port=443, timeout=300,
- method=_DEFAULT_SSL_METHOD, source_address=('', 0)):
+def probe_sni(name, host, port=443, timeout=300, # pylint:
disable=too-many-arguments
+ method=_DEFAULT_SSL_METHOD, source_address=('', 0),
+ alpn_protocols=None):
"""Probe SNI server for SSL certificate.
:param bytes name: Byte string to send as the server name in the
@@ -120,6 +146,8 @@
:param tuple source_address: Enables multi-path probing (selection
of source interface). See `socket.creation_connection` for more
info. Available only in Python 2.7+.
+ :param alpn_protocols: Protocols to request using ALPN.
+ :type alpn_protocols: `list` of `bytes`
:raises acme.errors.Error: In case of any problems.
@@ -149,6 +177,8 @@
client_ssl = SSL.Connection(context, client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(name) # pyOpenSSL>=0.13
+ if alpn_protocols is not None:
+ client_ssl.set_alpn_protos(alpn_protocols)
try:
client_ssl.do_handshake()
client_ssl.shutdown()
@@ -239,12 +269,14 @@
def gen_ss_cert(key, domains, not_before=None,
- validity=(7 * 24 * 60 * 60), force_san=True):
+ validity=(7 * 24 * 60 * 60), force_san=True, extensions=None):
"""Generate new self-signed certificate.
:type domains: `list` of `unicode`
:param OpenSSL.crypto.PKey key:
:param bool force_san:
+ :param extensions: List of additional extensions to include in the cert.
+ :type extensions: `list` of `OpenSSL.crypto.X509Extension`
If more than one domain is provided, all of the domains are put into
``subjectAltName`` X.509 extension and first domain is set as the
@@ -257,10 +289,13 @@
cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))
cert.set_version(2)
- extensions = [
+ if extensions is None:
+ extensions = []
+
+ extensions.append(
crypto.X509Extension(
b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
- ]
+ )
cert.get_subject().CN = domains[0]
# TODO: what to put into cert.get_subject()?
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme/magic_typing.py
new/acme-1.4.0/acme/magic_typing.py
--- old/acme-1.3.0/acme/magic_typing.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/acme/magic_typing.py 2020-05-05 21:37:33.000000000 +0200
@@ -11,6 +11,5 @@
# mypy doesn't respect modifying sys.modules
from typing import * # pylint: disable=wildcard-import,
unused-wildcard-import
from typing import Collection, IO # type: ignore
- # pylint: enable=unused-import
except ImportError:
sys.modules[__name__] = TypingClass()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme/messages.py
new/acme-1.4.0/acme/messages.py
--- old/acme-1.3.0/acme/messages.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/acme/messages.py 2020-05-05 21:37:33.000000000 +0200
@@ -9,6 +9,7 @@
from acme import fields
from acme import jws
from acme import util
+from acme.mixins import ResourceMixin
try:
from collections.abc import Hashable
@@ -356,13 +357,13 @@
@Directory.register
-class NewRegistration(Registration):
+class NewRegistration(ResourceMixin, Registration):
"""New registration."""
resource_type = 'new-reg'
resource = fields.Resource(resource_type)
-class UpdateRegistration(Registration):
+class UpdateRegistration(ResourceMixin, Registration):
"""Update registration."""
resource_type = 'reg'
resource = fields.Resource(resource_type)
@@ -498,13 +499,13 @@
@Directory.register
-class NewAuthorization(Authorization):
+class NewAuthorization(ResourceMixin, Authorization):
"""New authorization."""
resource_type = 'new-authz'
resource = fields.Resource(resource_type)
-class UpdateAuthorization(Authorization):
+class UpdateAuthorization(ResourceMixin, Authorization):
"""Update authorization."""
resource_type = 'authz'
resource = fields.Resource(resource_type)
@@ -522,7 +523,7 @@
@Directory.register
-class CertificateRequest(jose.JSONObjectWithFields):
+class CertificateRequest(ResourceMixin, jose.JSONObjectWithFields):
"""ACME new-cert request.
:ivar josepy.util.ComparableX509 csr:
@@ -548,7 +549,7 @@
@Directory.register
-class Revocation(jose.JSONObjectWithFields):
+class Revocation(ResourceMixin, jose.JSONObjectWithFields):
"""Revocation message.
:ivar .ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme/mixins.py
new/acme-1.4.0/acme/mixins.py
--- old/acme-1.3.0/acme/mixins.py 1970-01-01 01:00:00.000000000 +0100
+++ new/acme-1.4.0/acme/mixins.py 2020-05-05 21:37:33.000000000 +0200
@@ -0,0 +1,65 @@
+"""Useful mixins for Challenge and Resource objects"""
+
+
+class VersionedLEACMEMixin(object):
+ """This mixin stores the version of Let's Encrypt's endpoint being used."""
+ @property
+ def le_acme_version(self):
+ """Define the version of ACME protocol to use"""
+ return getattr(self, '_le_acme_version', 1)
+
+ @le_acme_version.setter
+ def le_acme_version(self, version):
+ # We need to use object.__setattr__ to not depend on the specific
implementation of
+ # __setattr__ in current class (eg. jose.TypedJSONObjectWithFields
raises AttributeError
+ # for any attempt to set an attribute to make objects immutable).
+ object.__setattr__(self, '_le_acme_version', version)
+
+ def __setattr__(self, key, value):
+ if key == 'le_acme_version':
+ # Required for @property to operate properly. See comment above.
+ object.__setattr__(self, key, value)
+ else:
+ super(VersionedLEACMEMixin, self).__setattr__(key, value) #
pragma: no cover
+
+
+class ResourceMixin(VersionedLEACMEMixin):
+ """
+ This mixin generates a RFC8555 compliant JWS payload
+ by removing the `resource` field if needed (eg. ACME v2 protocol).
+ """
+ def to_partial_json(self):
+ """See josepy.JSONDeserializable.to_partial_json()"""
+ return _safe_jobj_compliance(super(ResourceMixin, self),
+ 'to_partial_json', 'resource')
+
+ def fields_to_partial_json(self):
+ """See josepy.JSONObjectWithFields.fields_to_partial_json()"""
+ return _safe_jobj_compliance(super(ResourceMixin, self),
+ 'fields_to_partial_json', 'resource')
+
+
+class TypeMixin(VersionedLEACMEMixin):
+ """
+ This mixin allows generation of a RFC8555 compliant JWS payload
+ by removing the `type` field if needed (eg. ACME v2 protocol).
+ """
+ def to_partial_json(self):
+ """See josepy.JSONDeserializable.to_partial_json()"""
+ return _safe_jobj_compliance(super(TypeMixin, self),
+ 'to_partial_json', 'type')
+
+ def fields_to_partial_json(self):
+ """See josepy.JSONObjectWithFields.fields_to_partial_json()"""
+ return _safe_jobj_compliance(super(TypeMixin, self),
+ 'fields_to_partial_json', 'type')
+
+
+def _safe_jobj_compliance(instance, jobj_method, uncompliant_field):
+ if hasattr(instance, jobj_method):
+ jobj = getattr(instance, jobj_method)()
+ if instance.le_acme_version == 2:
+ jobj.pop(uncompliant_field, None)
+ return jobj
+
+ raise AttributeError('Method {0}() is not
implemented.'.format(jobj_method)) # pragma: no cover
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme/standalone.py
new/acme-1.4.0/acme/standalone.py
--- old/acme-1.3.0/acme/standalone.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/acme/standalone.py 2020-05-05 21:37:33.000000000 +0200
@@ -33,7 +33,14 @@
def _wrap_sock(self):
self.socket = crypto_util.SSLSocket(
- self.socket, certs=self.certs, method=self.method)
+ self.socket, cert_selection=self._cert_selection,
+ alpn_selection=getattr(self, '_alpn_selection', None),
+ method=self.method)
+
+ def _cert_selection(self, connection): # pragma: no cover
+ """Callback selecting certificate for connection."""
+ server_name = connection.get_servername()
+ return self.certs.get(server_name, None)
def server_bind(self):
self._wrap_sock()
@@ -120,6 +127,40 @@
self.threads = []
+class TLSALPN01Server(TLSServer, ACMEServerMixin):
+ """TLSALPN01 Server."""
+
+ ACME_TLS_1_PROTOCOL = b"acme-tls/1"
+
+ def __init__(self, server_address, certs, challenge_certs, ipv6=False):
+ TLSServer.__init__(
+ self, server_address, _BaseRequestHandlerWithLogging, certs=certs,
+ ipv6=ipv6)
+ self.challenge_certs = challenge_certs
+
+ def _cert_selection(self, connection):
+ # TODO: We would like to serve challenge cert only if asked for it via
+ # ALPN. To do this, we need to retrieve the list of protos from client
+ # hello, but this is currently impossible with openssl [0], and ALPN
+ # negotiation is done after cert selection.
+ # Therefore, currently we always return challenge cert, and terminate
+ # handshake in alpn_selection() if ALPN protos are not what we expect.
+ # [0] https://github.com/openssl/openssl/issues/4952
+ server_name = connection.get_servername()
+ logger.debug("Serving challenge cert for server name %s", server_name)
+ return self.challenge_certs.get(server_name, None)
+
+ def _alpn_selection(self, _connection, alpn_protos):
+ """Callback to select alpn protocol."""
+ if len(alpn_protos) == 1 and alpn_protos[0] ==
self.ACME_TLS_1_PROTOCOL:
+ logger.debug("Agreed on %s ALPN", self.ACME_TLS_1_PROTOCOL)
+ return self.ACME_TLS_1_PROTOCOL
+ logger.debug("Cannot agree on ALPN proto. Got: %s", str(alpn_protos))
+ # Explicitly close the connection now, by returning an empty string.
+ # See
https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_alpn_select_callback
# pylint: disable=line-too-long
+ return b""
+
+
class HTTPServer(BaseHTTPServer.HTTPServer):
"""Generic HTTP Server."""
@@ -135,10 +176,10 @@
class HTTP01Server(HTTPServer, ACMEServerMixin):
"""HTTP01 Server."""
- def __init__(self, server_address, resources, ipv6=False):
+ def __init__(self, server_address, resources, ipv6=False, timeout=30):
HTTPServer.__init__(
self, server_address, HTTP01RequestHandler.partial_init(
- simple_http_resources=resources), ipv6=ipv6)
+ simple_http_resources=resources, timeout=timeout), ipv6=ipv6)
class HTTP01DualNetworkedServers(BaseDualNetworkedServers):
@@ -163,6 +204,7 @@
def __init__(self, *args, **kwargs):
self.simple_http_resources = kwargs.pop("simple_http_resources", set())
+ self.timeout = kwargs.pop('timeout', 30)
BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kwargs)
def log_message(self, format, *args): # pylint: disable=redefined-builtin
@@ -212,7 +254,7 @@
self.path)
@classmethod
- def partial_init(cls, simple_http_resources):
+ def partial_init(cls, simple_http_resources, timeout):
"""Partially initialize this handler.
This is useful because `socketserver.BaseServer` takes
@@ -221,4 +263,18 @@
"""
return functools.partial(
- cls, simple_http_resources=simple_http_resources)
+ cls, simple_http_resources=simple_http_resources,
+ timeout=timeout)
+
+
+class _BaseRequestHandlerWithLogging(socketserver.BaseRequestHandler):
+ """BaseRequestHandler with logging."""
+
+ def log_message(self, format, *args): # pylint: disable=redefined-builtin
+ """Log arbitrary message."""
+ logger.debug("%s - - %s", self.client_address[0], format % args)
+
+ def handle(self):
+ """Handle request."""
+ self.log_message("Incoming request")
+ socketserver.BaseRequestHandler.handle(self)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme.egg-info/PKG-INFO
new/acme-1.4.0/acme.egg-info/PKG-INFO
--- old/acme-1.3.0/acme.egg-info/PKG-INFO 2020-03-03 21:36:42.000000000
+0100
+++ new/acme-1.4.0/acme.egg-info/PKG-INFO 2020-05-05 21:37:42.000000000
+0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: acme
-Version: 1.3.0
+Version: 1.4.0
Summary: ACME protocol implementation in Python
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
@@ -22,5 +22,5 @@
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*
-Provides-Extra: docs
Provides-Extra: dev
+Provides-Extra: docs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme.egg-info/SOURCES.txt
new/acme-1.4.0/acme.egg-info/SOURCES.txt
--- old/acme-1.3.0/acme.egg-info/SOURCES.txt 2020-03-03 21:36:42.000000000
+0100
+++ new/acme-1.4.0/acme.egg-info/SOURCES.txt 2020-05-05 21:37:42.000000000
+0200
@@ -13,6 +13,7 @@
acme/jws.py
acme/magic_typing.py
acme/messages.py
+acme/mixins.py
acme/standalone.py
acme/util.py
acme.egg-info/PKG-INFO
@@ -67,6 +68,7 @@
tests/testdata/csr.der
tests/testdata/csr.pem
tests/testdata/dsa512_key.pem
+tests/testdata/rsa1024_cert.pem
tests/testdata/rsa1024_key.pem
tests/testdata/rsa2048_cert.pem
tests/testdata/rsa2048_key.pem
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/acme.egg-info/requires.txt
new/acme-1.4.0/acme.egg-info/requires.txt
--- old/acme-1.3.0/acme.egg-info/requires.txt 2020-03-03 21:36:42.000000000
+0100
+++ new/acme-1.4.0/acme.egg-info/requires.txt 2020-05-05 21:37:42.000000000
+0200
@@ -1,6 +1,5 @@
cryptography>=1.2.3
josepy>=1.1.0
-mock
PyOpenSSL>=0.13.1
pyrfc3339
pytz
@@ -9,6 +8,9 @@
setuptools
six>=1.9.0
+[:python_version < "3.3"]
+mock
+
[dev]
pytest
pytest-xdist
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/docs/conf.py new/acme-1.4.0/docs/conf.py
--- old/acme-1.3.0/docs/conf.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/docs/conf.py 2020-05-05 21:37:33.000000000 +0200
@@ -13,7 +13,6 @@
# serve to show the default.
import os
-import shlex
import sys
here = os.path.abspath(os.path.dirname(__file__))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/setup.py new/acme-1.4.0/setup.py
--- old/acme-1.3.0/setup.py 2020-03-03 21:36:38.000000000 +0100
+++ new/acme-1.4.0/setup.py 2020-05-05 21:37:34.000000000 +0200
@@ -1,10 +1,12 @@
+from distutils.version import StrictVersion
import sys
+from setuptools import __version__ as setuptools_version
from setuptools import find_packages
from setuptools import setup
from setuptools.command.test import test as TestCommand
-version = '1.3.0'
+version = '1.4.0'
# Please update tox.ini when modifying dependency version requirements
install_requires = [
@@ -15,7 +17,6 @@
# 1.1.0+ is required to avoid the warnings described at
# https://github.com/certbot/josepy/issues/13.
'josepy>=1.1.0',
- 'mock',
# Connection.set_tlsext_host_name (>=0.13)
'PyOpenSSL>=0.13.1',
'pyrfc3339',
@@ -26,6 +27,15 @@
'six>=1.9.0', # needed for python_2_unicode_compatible
]
+setuptools_known_environment_markers = (StrictVersion(setuptools_version) >=
StrictVersion('36.2'))
+if setuptools_known_environment_markers:
+ install_requires.append('mock ; python_version < "3.3"')
+elif 'bdist_wheel' in sys.argv[1:]:
+ raise RuntimeError('Error, you are trying to build certbot wheels using an
old version '
+ 'of setuptools. Version 36.2+ of setuptools is
required.')
+elif sys.version_info < (3,3):
+ install_requires.append('mock')
+
dev_extras = [
'pytest',
'pytest-xdist',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/challenges_test.py
new/acme-1.4.0/tests/challenges_test.py
--- old/acme-1.3.0/tests/challenges_test.py 2020-03-03 21:36:35.000000000
+0100
+++ new/acme-1.4.0/tests/challenges_test.py 2020-05-05 21:37:33.000000000
+0200
@@ -2,10 +2,16 @@
import unittest
import josepy as jose
-import mock
+import OpenSSL
+try:
+ import mock
+except ImportError: # pragma: no cover
+ from unittest import mock # type: ignore
import requests
from six.moves.urllib import parse as urllib_parse
+from acme import errors
+
import test_util
CERT = test_util.load_comparable_cert('cert.pem')
@@ -256,30 +262,87 @@
class TLSALPN01ResponseTest(unittest.TestCase):
def setUp(self):
- from acme.challenges import TLSALPN01Response
- self.msg = TLSALPN01Response(key_authorization=u'foo')
+ from acme.challenges import TLSALPN01
+ self.chall = TLSALPN01(
+ token=jose.b64decode(b'a82d5ff8ef740d12881f6d3c2277ab2e'))
+ self.domain = u'example.com'
+ self.domain2 = u'example2.com'
+
+ self.response = self.chall.response(KEY)
self.jmsg = {
'resource': 'challenge',
'type': 'tls-alpn-01',
- 'keyAuthorization': u'foo',
+ 'keyAuthorization': self.response.key_authorization,
}
- from acme.challenges import TLSALPN01
- self.chall = TLSALPN01(token=(b'x' * 16))
- self.response = self.chall.response(KEY)
-
def test_to_partial_json(self):
self.assertEqual({k: v for k, v in self.jmsg.items() if k !=
'keyAuthorization'},
- self.msg.to_partial_json())
+ self.response.to_partial_json())
def test_from_json(self):
from acme.challenges import TLSALPN01Response
- self.assertEqual(self.msg, TLSALPN01Response.from_json(self.jmsg))
+ self.assertEqual(self.response, TLSALPN01Response.from_json(self.jmsg))
def test_from_json_hashable(self):
from acme.challenges import TLSALPN01Response
hash(TLSALPN01Response.from_json(self.jmsg))
+ def test_gen_verify_cert(self):
+ key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
+ cert, key2 = self.response.gen_cert(self.domain, key1)
+ self.assertEqual(key1, key2)
+ self.assertTrue(self.response.verify_cert(self.domain, cert))
+
+ def test_gen_verify_cert_gen_key(self):
+ cert, key = self.response.gen_cert(self.domain)
+ self.assertTrue(isinstance(key, OpenSSL.crypto.PKey))
+ self.assertTrue(self.response.verify_cert(self.domain, cert))
+
+ def test_verify_bad_cert(self):
+ self.assertFalse(self.response.verify_cert(self.domain,
+ test_util.load_cert('cert.pem')))
+
+ def test_verify_bad_domain(self):
+ key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
+ cert, key2 = self.response.gen_cert(self.domain, key1)
+ self.assertEqual(key1, key2)
+ self.assertFalse(self.response.verify_cert(self.domain2, cert))
+
+ def test_simple_verify_bad_key_authorization(self):
+ key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem'))
+ self.response.simple_verify(self.chall, "local", key2.public_key())
+
+ @mock.patch('acme.challenges.TLSALPN01Response.verify_cert', autospec=True)
+ def test_simple_verify(self, mock_verify_cert):
+ mock_verify_cert.return_value = mock.sentinel.verification
+ self.assertEqual(
+ mock.sentinel.verification, self.response.simple_verify(
+ self.chall, self.domain, KEY.public_key(),
+ cert=mock.sentinel.cert))
+ mock_verify_cert.assert_called_once_with(
+ self.response, self.domain, mock.sentinel.cert)
+
+ @mock.patch('acme.challenges.socket.gethostbyname')
+ @mock.patch('acme.challenges.crypto_util.probe_sni')
+ def test_probe_cert(self, mock_probe_sni, mock_gethostbyname):
+ mock_gethostbyname.return_value = '127.0.0.1'
+ self.response.probe_cert('foo.com')
+ mock_gethostbyname.assert_called_once_with('foo.com')
+ mock_probe_sni.assert_called_once_with(
+ host='127.0.0.1', port=self.response.PORT, name='foo.com',
+ alpn_protocols=['acme-tls/1'])
+
+ self.response.probe_cert('foo.com', host='8.8.8.8')
+ mock_probe_sni.assert_called_with(
+ host='8.8.8.8', port=mock.ANY, name='foo.com',
+ alpn_protocols=['acme-tls/1'])
+
+ @mock.patch('acme.challenges.TLSALPN01Response.probe_cert')
+ def test_simple_verify_false_on_probe_error(self, mock_probe_cert):
+ mock_probe_cert.side_effect = errors.Error
+ self.assertFalse(self.response.simple_verify(
+ self.chall, self.domain, KEY.public_key()))
+
class TLSALPN01Test(unittest.TestCase):
@@ -309,8 +372,13 @@
self.assertRaises(
jose.DeserializationError, TLSALPN01.from_json, self.jmsg)
- def test_validation(self):
- self.assertRaises(NotImplementedError, self.msg.validation, KEY)
+ @mock.patch('acme.challenges.TLSALPN01Response.gen_cert')
+ def test_validation(self, mock_gen_cert):
+ mock_gen_cert.return_value = ('cert', 'key')
+ self.assertEqual(('cert', 'key'), self.msg.validation(
+ KEY, cert_key=mock.sentinel.cert_key, domain=mock.sentinel.domain))
+ mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key,
+ domain=mock.sentinel.domain)
class DNSTest(unittest.TestCase):
@@ -413,5 +481,18 @@
self.msg.check_validation(self.chall, KEY.public_key()))
+class JWSPayloadRFC8555Compliant(unittest.TestCase):
+ """Test for RFC8555 compliance of JWS generated from
resources/challenges"""
+ def test_challenge_payload(self):
+ from acme.challenges import HTTP01Response
+
+ challenge_body = HTTP01Response()
+ challenge_body.le_acme_version = 2
+
+ jobj = challenge_body.json_dumps(indent=2).encode()
+ # RFC8555 states that challenge responses must have an empty payload.
+ self.assertEqual(jobj, b'{}')
+
+
if __name__ == '__main__':
unittest.main() # pragma: no cover
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/client_test.py
new/acme-1.4.0/tests/client_test.py
--- old/acme-1.3.0/tests/client_test.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/tests/client_test.py 2020-05-05 21:37:33.000000000 +0200
@@ -6,7 +6,10 @@
import unittest
import josepy as jose
-import mock
+try:
+ import mock
+except ImportError: # pragma: no cover
+ from unittest import mock # type: ignore
import OpenSSL
import requests
from six.moves import http_client # pylint: disable=import-error
@@ -15,7 +18,7 @@
from acme import errors
from acme import jws as acme_jws
from acme import messages
-from acme.magic_typing import Dict # pylint: disable=unused-import,
no-name-in-module
+from acme.mixins import VersionedLEACMEMixin
import messages_test
import test_util
@@ -886,7 +889,7 @@
self.client.net.get.assert_not_called()
-class MockJSONDeSerializable(jose.JSONDeSerializable):
+class MockJSONDeSerializable(VersionedLEACMEMixin, jose.JSONDeSerializable):
# pylint: disable=missing-docstring
def __init__(self, value):
self.value = value
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/crypto_util_test.py
new/acme-1.4.0/tests/crypto_util_test.py
--- old/acme-1.3.0/tests/crypto_util_test.py 2020-03-03 21:36:35.000000000
+0100
+++ new/acme-1.4.0/tests/crypto_util_test.py 2020-05-05 21:37:33.000000000
+0200
@@ -11,14 +11,12 @@
from six.moves import socketserver # type: ignore # pylint:
disable=import-error
from acme import errors
-from acme.magic_typing import List # pylint: disable=unused-import,
no-name-in-module
import test_util
class SSLSocketAndProbeSNITest(unittest.TestCase):
"""Tests for acme.crypto_util.SSLSocket/probe_sni."""
-
def setUp(self):
self.cert = test_util.load_comparable_cert('rsa2048_cert.pem')
key = test_util.load_pyopenssl_private_key('rsa2048_key.pem')
@@ -32,7 +30,8 @@
# six.moves.* | pylint:
disable=attribute-defined-outside-init,no-init
def server_bind(self): # pylint: disable=missing-docstring
- self.socket = SSLSocket(socket.socket(), certs=certs)
+ self.socket = SSLSocket(socket.socket(),
+ certs)
socketserver.TCPServer.server_bind(self)
self.server = _TestServer(('', 0), socketserver.BaseRequestHandler)
@@ -73,6 +72,18 @@
socket.setdefaulttimeout(original_timeout)
+class SSLSocketTest(unittest.TestCase):
+ """Tests for acme.crypto_util.SSLSocket."""
+
+ def test_ssl_socket_invalid_arguments(self):
+ from acme.crypto_util import SSLSocket
+ with self.assertRaises(ValueError):
+ _ = SSLSocket(None, {'sni': ('key', 'cert')},
+ cert_selection=lambda _: None)
+ with self.assertRaises(ValueError):
+ _ = SSLSocket(None)
+
+
class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase):
"""Test for acme.crypto_util._pyopenssl_cert_or_req_all_names."""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/errors_test.py
new/acme-1.4.0/tests/errors_test.py
--- old/acme-1.3.0/tests/errors_test.py 2020-03-03 21:36:35.000000000 +0100
+++ new/acme-1.4.0/tests/errors_test.py 2020-05-05 21:37:33.000000000 +0200
@@ -1,7 +1,10 @@
"""Tests for acme.errors."""
import unittest
-import mock
+try:
+ import mock
+except ImportError: # pragma: no cover
+ from unittest import mock # type: ignore
class BadNonceTest(unittest.TestCase):
@@ -35,7 +38,7 @@
def setUp(self):
from acme.errors import PollError
self.timeout = PollError(
- exhausted=set([mock.sentinel.AR]),
+ exhausted={mock.sentinel.AR},
updated={})
self.invalid = PollError(exhausted=set(), updated={
mock.sentinel.AR: mock.sentinel.AR2})
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/magic_typing_test.py
new/acme-1.4.0/tests/magic_typing_test.py
--- old/acme-1.3.0/tests/magic_typing_test.py 2020-03-03 21:36:35.000000000
+0100
+++ new/acme-1.4.0/tests/magic_typing_test.py 2020-05-05 21:37:33.000000000
+0200
@@ -2,7 +2,10 @@
import sys
import unittest
-import mock
+try:
+ import mock
+except ImportError: # pragma: no cover
+ from unittest import mock # type: ignore
class MagicTypingTest(unittest.TestCase):
@@ -18,7 +21,7 @@
sys.modules['typing'] = typing_class_mock
if 'acme.magic_typing' in sys.modules:
del sys.modules['acme.magic_typing'] # pragma: no cover
- from acme.magic_typing import Text # pylint: disable=no-name-in-module
+ from acme.magic_typing import Text
self.assertEqual(Text, text_mock)
del sys.modules['acme.magic_typing']
sys.modules['typing'] = temp_typing
@@ -31,7 +34,7 @@
sys.modules['typing'] = None
if 'acme.magic_typing' in sys.modules:
del sys.modules['acme.magic_typing'] # pragma: no cover
- from acme.magic_typing import Text # pylint: disable=no-name-in-module
+ from acme.magic_typing import Text
self.assertTrue(Text is None)
del sys.modules['acme.magic_typing']
sys.modules['typing'] = temp_typing
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/messages_test.py
new/acme-1.4.0/tests/messages_test.py
--- old/acme-1.3.0/tests/messages_test.py 2020-03-03 21:36:35.000000000
+0100
+++ new/acme-1.4.0/tests/messages_test.py 2020-05-05 21:37:33.000000000
+0200
@@ -2,10 +2,12 @@
import unittest
import josepy as jose
-import mock
+try:
+ import mock
+except ImportError: # pragma: no cover
+ from unittest import mock # type: ignore
from acme import challenges
-from acme.magic_typing import Dict # pylint: disable=unused-import,
no-name-in-module
import test_util
CERT = test_util.load_comparable_cert('cert.der')
@@ -453,6 +455,7 @@
'authorizations': None,
})
+
class NewOrderTest(unittest.TestCase):
"""Tests for acme.messages.NewOrder."""
@@ -467,5 +470,18 @@
})
+class JWSPayloadRFC8555Compliant(unittest.TestCase):
+ """Test for RFC8555 compliance of JWS generated from
resources/challenges"""
+ def test_message_payload(self):
+ from acme.messages import NewAuthorization
+
+ new_order = NewAuthorization()
+ new_order.le_acme_version = 2
+
+ jobj = new_order.json_dumps(indent=2).encode()
+ # RFC8555 states that JWS bodies must not have a resource field.
+ self.assertEqual(jobj, b'{}')
+
+
if __name__ == '__main__':
unittest.main() # pragma: no cover
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/standalone_test.py
new/acme-1.4.0/tests/standalone_test.py
--- old/acme-1.3.0/tests/standalone_test.py 2020-03-03 21:36:35.000000000
+0100
+++ new/acme-1.4.0/tests/standalone_test.py 2020-05-05 21:37:33.000000000
+0200
@@ -4,13 +4,18 @@
import unittest
import josepy as jose
-import mock
+try:
+ import mock
+except ImportError: # pragma: no cover
+ from unittest import mock # type: ignore
import requests
from six.moves import http_client # pylint: disable=import-error
from six.moves import socketserver # type: ignore # pylint:
disable=import-error
from acme import challenges
-from acme.magic_typing import Set # pylint: disable=unused-import,
no-name-in-module
+from acme import crypto_util
+from acme import errors
+
import test_util
@@ -83,6 +88,81 @@
def test_http01_not_found(self):
self.assertFalse(self._test_http01(add=False))
+ def test_timely_shutdown(self):
+ from acme.standalone import HTTP01Server
+ server = HTTP01Server(('', 0), resources=set(), timeout=0.05)
+ server_thread = threading.Thread(target=server.serve_forever)
+ server_thread.start()
+
+ client = socket.socket()
+ client.connect(('localhost', server.socket.getsockname()[1]))
+
+ stop_thread = threading.Thread(target=server.shutdown)
+ stop_thread.start()
+ server_thread.join(5.)
+
+ is_hung = server_thread.is_alive()
+ try:
+ client.shutdown(socket.SHUT_RDWR)
+ except: # pragma: no cover, pylint: disable=bare-except
+ # may raise error because socket could already be closed
+ pass
+
+ self.assertFalse(is_hung, msg='Server shutdown should not be hung')
+
+
+@unittest.skipIf(not challenges.TLSALPN01.is_supported(), "pyOpenSSL too old")
+class TLSALPN01ServerTest(unittest.TestCase):
+ """Test for acme.standalone.TLSALPN01Server."""
+
+ def setUp(self):
+ self.certs = {b'localhost': (
+ test_util.load_pyopenssl_private_key('rsa2048_key.pem'),
+ test_util.load_cert('rsa2048_cert.pem'),
+ )}
+ # Use different certificate for challenge.
+ self.challenge_certs = {b'localhost': (
+ test_util.load_pyopenssl_private_key('rsa1024_key.pem'),
+ test_util.load_cert('rsa1024_cert.pem'),
+ )}
+ from acme.standalone import TLSALPN01Server
+ self.server = TLSALPN01Server(("localhost", 0), certs=self.certs,
+ challenge_certs=self.challenge_certs)
+ # pylint: disable=no-member
+ self.thread = threading.Thread(target=self.server.serve_forever)
+ self.thread.start()
+
+ def tearDown(self):
+ self.server.shutdown() # pylint: disable=no-member
+ self.thread.join()
+
+ # TODO: This is not implemented yet, see comments in standalone.py
+ # def test_certs(self):
+ # host, port = self.server.socket.getsockname()[:2]
+ # cert = crypto_util.probe_sni(
+ # b'localhost', host=host, port=port, timeout=1)
+ # # Expect normal cert when connecting without ALPN.
+ # self.assertEqual(jose.ComparableX509(cert),
+ # jose.ComparableX509(self.certs[b'localhost'][1]))
+
+ def test_challenge_certs(self):
+ host, port = self.server.socket.getsockname()[:2]
+ cert = crypto_util.probe_sni(
+ b'localhost', host=host, port=port, timeout=1,
+ alpn_protocols=[b"acme-tls/1"])
+ # Expect challenge cert when connecting with ALPN.
+ self.assertEqual(
+ jose.ComparableX509(cert),
+ jose.ComparableX509(self.challenge_certs[b'localhost'][1])
+ )
+
+ def test_bad_alpn(self):
+ host, port = self.server.socket.getsockname()[:2]
+ with self.assertRaises(errors.Error):
+ crypto_util.probe_sni(
+ b'localhost', host=host, port=port, timeout=1,
+ alpn_protocols=[b"bad-alpn"])
+
class BaseDualNetworkedServersTest(unittest.TestCase):
"""Test for acme.standalone.BaseDualNetworkedServers."""
@@ -138,7 +218,6 @@
class HTTP01DualNetworkedServersTest(unittest.TestCase):
"""Tests for acme.standalone.HTTP01DualNetworkedServers."""
-
def setUp(self):
self.account_key = jose.JWK.load(
test_util.load_vector('rsa1024_key.pem'))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/testdata/README
new/acme-1.4.0/tests/testdata/README
--- old/acme-1.3.0/tests/testdata/README 2020-03-03 21:36:35.000000000
+0100
+++ new/acme-1.4.0/tests/testdata/README 2020-05-05 21:37:33.000000000
+0200
@@ -10,6 +10,8 @@
openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER >
csr.der
-and for the certificate:
+and for the certificates:
- openssl req -key rsa2047_key.pem -new -subj '/CN=example.com' -x509 -outform
DER > cert.der
+ openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform
DER > cert.der
+ openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 >
rsa2048_cert.pem
+ openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 >
rsa1024_cert.pem
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/acme-1.3.0/tests/testdata/rsa1024_cert.pem
new/acme-1.4.0/tests/testdata/rsa1024_cert.pem
--- old/acme-1.3.0/tests/testdata/rsa1024_cert.pem 1970-01-01
01:00:00.000000000 +0100
+++ new/acme-1.4.0/tests/testdata/rsa1024_cert.pem 2020-05-05
21:37:33.000000000 +0200
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAWagAwIBAgIJAOyRIBs3QT8QMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC2V4YW1wbGUuY29tMB4XDTE4MDQyMzEwMzE0NFoXDTE4MDUyMzEwMzE0NFow
+FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAJqJ87R8aVwByONxgQA9hwgvQd/QqI1r1UInXhEF2VnEtZGtUWLi100IpIqr
+Mq4qusDwNZ3g8cUPtSkvJGs89djoajMDIJP7lQUEKUYnYrI0q755Tr/DgLWSk7iW
+l5ezym0VzWUD0/xXUz8yRbNMTjTac80rS5SZk2ja2wWkYlRJAgMBAAGjUzBRMB0G
+A1UdDgQWBBSsaX0IVZ4XXwdeffVAbG7gnxSYjTAfBgNVHSMEGDAWgBSsaX0IVZ4X
+XwdeffVAbG7gnxSYjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GB
+ADe7SVmvGH2nkwVfONk8TauRUDkePN1CJZKFb2zW1uO9ANJ2v5Arm/OQp0BG/xnI
+Djw/aLTNVESF89oe15dkrUErtcaF413MC1Ld5lTCaJLHLGqDKY69e02YwRuxW7jY
+qarpt7k7aR5FbcfO5r4V/FK/Gvp4Dmoky8uap7SJIW6x
+-----END CERTIFICATE-----
