o ckb @sdZddlmZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z dd lm Z dd lm Z dd lm Z dd lmZdd lmZddlZddlmZddlmZddlmZddlmZddlmZdZiddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd? Zid@dAeDZdBedCefdDdEZGdFdGdGejeZ GdHdIdIe Z!e!d(Z"e!dJZ#GdKdLdLej$Z%GdMdNdNej$ej&Z&GdOdPdPe Z'e'dQZ(e'dRZ)e'dSZ*e'dTZ+e'dUZ,e'dVZ-e'dWZ.e'dXZ/GdYdZdZejZ0Gd[d\d\ej$Z1Gd]d^d^e1Z2Gd_d`d`ej$Z3GdadbdbZ4edcdddeZ5Gdfdddde3Z6Gdgdhdhe6Z7Gdidjdje6Z8Gdkdldle2Z9Gdmdndne3Z:Gdodpdpe1Z;Gdqdrdre3ZGdwdxdxe2Z?Gdydzdzej$Z@Gd{d|d|e2ZAGd}d~d~ej$ZBGddde3ZCGddde2ZDGdddeCZEdS)zACME protocol messages.)HashableN)Any)Dict)Iterator)List)Mapping)MutableMapping)Optional)Tuple)Type)TypeVar) challenges)errors)fields)jws)utilzurn:ietf:params:acme:error:accountDoesNotExistz4The request specified an account that does not existalreadyRevokedzOThe request specified a certificate to be revoked that has already been revokedbadCSRz2The CSR is unacceptable (e.g., due to a short key)badNoncez1The client sent an unacceptable anti-replay nonce badPublicKeyz>The JWS was signed by a public key the server does not supportbadRevocationReasonz;The revocation reason provided is not allowed by the serverbadSignatureAlgorithmz@The JWS was signed with an algorithm the server does not supportcaaz\Certification Authority Authorization (CAA) records forbid the CA from issuing a certificatecompoundzBSpecific error conditions are indicated in the "subproblems" array connectionz?The server could not connect to the client to verify the domaindnszAThere was a problem with a DNS query during identifier validationdnssecz4The server could not validate a DNSSEC signed domainincorrectResponsez;Response received didn't match the challenge's requirements invalidEmailz1The provided email for a registration was invalidinvalidContactz$The provided contact URI was invalid malformedz!The request message was malformedrejectedIdentifierz9The server will not issue certificates for the identifierzLThe request attempted to finalize an order that is not ready to be finalizedz,There were too many requests of a given typez(The server experienced an internal errorz=The server experienced a TLS error during domain verificationz)The client lacks sufficient authorizationz@A contact URL for an account used an unsupported protocol schemez*The server could not resolve a domain namez'An identifier is of an unsupported typez,The server requires external account binding) orderNotReady rateLimitedserverInternaltls unauthorizedunsupportedContact unknownHostunsupportedIdentifierexternalAccountRequiredcCsi|] \}}t||qS) ERROR_PREFIX).0namedescr,r,:/opt/certbot/lib/python3.10/site-packages/acme/messages.py ;sr2errreturncCs"t|tr|jdurt|jvSdS)z#Check if argument is an ACME error.NF) isinstanceErrortypr-)r3r,r,r1 is_acme_error@s r8cseZdZUdZdZeZeedfe d<deddffdd Z defd d Z e d eddfd d Z defddZdedefddZdefddZZS) _ConstantzACME constant.r/POSSIBLE_NAMESr/r4Ncst||j|<||_dSN)super__init__r;r/selfr/ __class__r,r1r>Ls   z_Constant.__init__cC|jSr<r:r@r,r,r1to_partial_jsonQsz_Constant.to_partial_jsonjobjcCs&||jvrt|jd|j|S)Nz not recognized)r;joseDeserializationError__name__clsrFr,r,r1 from_jsonTs  z_Constant.from_jsoncCs|jjd|jdS)N())rBrIr/rDr,r,r1__repr__Zsz_Constant.__repr__othercCst|t|o |j|jkSr<)r5typer/)r@rPr,r,r1__eq__]sz_Constant.__eq__cCst|j|jfSr<)hashrBr/rDr,r,r1__hash__`z_Constant.__hash__)rI __module__ __qualname____doc__ __slots__NotImplementedr;rstr__annotations__r>rE classmethodrLrOrboolrRintrT __classcell__r,r,rAr1r9Gs r9c@&eZdZUdZiZeeefed<dS)IdentifierTypezACME identifier type.r;N rIrVrWrXr;rr[r9r\r,r,r,r1rbd rbipc@s<eZdZUdZejdejdZee d<edZ e e d<dS) IdentifierzJACME identifier. :ivar IdentifierType typ: :ivar str value: rQdecoderr7valueN) rIrVrWrXrGfieldrbrLr7r\rir[r,r,r,r1rfms rfc@s$eZdZUdZejddddZeed<ejdddZ eed<ejd ddZ eed <ejd e j dd Z ed ed <ejd ddZeeded <ejdeeeefdedfddZedededdfddZedeefddZedeefddZdededdfddZdefdd ZdS)!r6aACME error. https://datatracker.ietf.org/doc/html/rfc7807 Note: Although Error inherits from JSONObjectWithFields, which is immutable, we add mutability for Error to comply with the Python exception API. :ivar str typ: :ivar str title: :ivar str detail: :ivar Identifier identifier: :ivar tuple subproblems: An array of ACME Errors which may be present when the CA returns multiple errors related to the same request, `tuple` of `Error`. rQTz about:blank omitemptydefaultr7titlerldetail identifierrhrlrf subproblems)r6.rir4cCtdd|DS)Ncs|]}t|VqdSr<)r6rL)r. subproblemr,r,r1 z$Error.subproblems..tuplerir,r,r1rszError.subproblemscodekwargscKs.|tvr td|t|}|dd|i|S)zCreate an Error instance with an ACME Error code. :str code: An ACME error code, like 'dnssec'. :kwargs: kwargs to pass to Error. z4The supplied code: %s is not a known ACME error coder7Nr,) ERROR_CODES ValueErrorr-)rKr}r~r7r,r,r1 with_codes zError.with_codecCs t|jS)zHardcoded error description based on its type. :returns: Description if standard ACME error or ``None``. :rtype: str )ERROR_TYPE_DESCRIPTIONSgetr7rDr,r,r1 descriptions zError.descriptioncCs(t|jjdddd}|tvr|SdS)zACME error code. Basically self.typ without the ERROR_PREFIX. :returns: error code if standard ACME code or ``None``. :rtype: str :)maxsplitN)r[r7rsplitr)r@r}r,r,r1r}s z Error.coder/NcCst|||Sr<)object __setattr__)r@r/rir,r,r1rszError.__setattr__cCstddd|j|j|j|jfD}|jr!d|jjd|}|jr8t |jdkr8|jD] }|d|7}q.|S)Ns :: css$|] }|dur|ddVqdS)Nasciibackslashreplace)encode)r.partr,r,r1rws  z Error.__str__..z Problem for z: r ) joinr7rrprndecoderqrirslen)r@resultrvr,r,r1__str__s  z Error.__str__)rIrVrWrXrGrjr7r[r\rnrprfrLrqr rsr rhrrrr]rpropertyrr}rrr,r,r,r1r6xs& $ r6c@ra)StatuszACME "status" field.r;Nrcr,r,r,r1rrdrunknownpending processingvalidinvalidrevokedready deactivatedc@seZdZdZGdddejZdeee fddfddZ d ede fd d Z d ede fd d Z de ee ffddZedeee fddfddZdS) DirectoryzmDirectory. Directory resources must be accessed by the exact field name in RFC8555 (section 9.7.5). cseZdZUdZejdddZeed<ejdddZ eed<ejdddZ e eed<ejd ddZ e ed <d ed d ffdd Zed efddZd eeffdd Zded efddZZS)zDirectory.MetazDirectory Meta.termsOfServiceTro_terms_of_servicewebsite caaIdentitiescaa_identitiesr+external_account_requiredr~r4Nc ,fdd|D}tjdi|dS)Nci|] \}}||qSr,_internal_namer.kvrDr,r1r2z+Directory.Meta.__init__..r,itemsr=r>r@r~rArDr1r>zDirectory.Meta.__init__cCrC)zURL for the CA TOS)rrDr,r,r1terms_of_servicezDirectory.Meta.terms_of_servicec#s0tD]}|dkr|ddn|VqdS)Nrrr=__iter__r?rAr,r1rszDirectory.Meta.__iter__r/cCs|dkrd|S|S)Nr_r,r?r,r,r1rszDirectory.Meta._internal_name)rIrVrWrXrGrjrr[r\rrrrr^rr>rrrrrr`r,r,rAr1Metas rrFr4NcCs ||_dSr<)_jobjr@rFr,r,r1r>s zDirectory.__init__r/c Cs0z||WSty}ztt|d}~wwr<)KeyErrorAttributeErrorr[)r@r/errorr,r,r1 __getattr__s   zDirectory.__getattr__cCs,z|j|WStytd|dw)NzDirectory field "z " not found)rrr?r,r,r1 __getitem__s   zDirectory.__getitem__cCst|jddS)NcSs|Sr<r,)rr,r,r1 sz+Directory.to_partial_json..)rmap_keysrrDr,r,r1rE zDirectory.to_partial_jsoncCs |j|di|d<||S)Nmeta)rrLpoprJr,r,r1rLszDirectory.from_json)rIrVrWrXrGJSONObjectWithFieldsrrr[rr>rrrrEr]rrLr,r,r,r1rs rc@s$eZdZUdZedZded<dS)ResourcezOACME Resource. :ivar acme.messages.ResourceBody body: Resource body. body ResourceBodyN)rIrVrWrXrGrjrr\r,r,r,r1r rc@s$eZdZUdZedZeed<dS)ResourceWithURIzKACME Resource with URI. :ivar str uri: Location of the resource. uriN) rIrVrWrXrGrjrr[r\r,r,r,r1rrrc@eZdZdZdS)rzACME Resource Body.NrIrVrWrXr,r,r,r1r'rc @s<eZdZdZedejdededede ee ff ddZ d S) ExternalAccountBindingzACME External Account Bindingaccount_public_keykidhmac_key directoryr4c CsRt|}tj|}|d}tj |tj j |dtj j d||}|S)zLCreate External Account Binding Resource from contact details, kid and hmac. newAccount)keyN)jsondumpsrErrGb64 b64decoderJWSsignjwkJWKOctjwaHS256) rKrrrrkey_jsondecoded_hmac_keyurleabr,r,r1 from_data.s z ExternalAccountBinding.from_dataN) rIrVrWrXr]rGJWKr[rrrrr,r,r,r1r+s rGenericRegistration Registration)boundcseZdZUdZejddejjdZeje d<ejddddZ e e dfe d<ejd dd Z e e d <ejd dd Zee d <ejd dd Zee d <ejddd Zee d<ejddd Zee efe d<dZdZe   d,deedee dee deee efdedef ddZdeddffdd Zde de e dffdd Zd!ee efdee effd"d#Zdee efffd$d% Z dee efffd&d' Z!e"de e dffd(d)Z#e"de e dffd*d+Z$Z%S)-rzRegistration Resource Body. :ivar jose.JWK key: Public key. :ivar tuple contact: Contact information following ACME spec, `tuple` of `str`. :ivar str agreement: rTrlrhcontactr,rk. agreementrostatustermsOfServiceAgreedterms_of_service_agreedonlyReturnExistingonly_return_existingexternalAccountBindingexternal_account_bindingztel:zmailto:NrKphoneemailr~r4c sd|v}t|dd}|dur|j||dur+|fdd|dD|s/|r5t||d<|r;||d<di|S)a Create registration resource from contact details. The `contact` keyword being passed to a Registration object is meaningful, so this function represents empty iterables in its kwargs by passing on an empty `tuple`. rr,Ncsg|]}j|qSr,) email_prefix)r.mailrKr,r1 psz*Registration.from_data..,r)listrappend phone_prefixextendsplitrz)rKrrrr~contact_provideddetailsr,rr1r[s zRegistration.from_datac s8d|vr|ddurt|ddtjdi|dS)z;Note if the user provides a value for the `contact` member.rN _add_contactTr,)rrr=r>rrAr,r1r>|szRegistration.__init__prefixcstfdd|jDS)Nc3s*|]}|r|tdVqdSr<) startswithr)r.rprr,r1rws z/Registration._filter_contact..)rzr)r@rr,rr1_filter_contacts zRegistration._filter_contactrFcCst|ddr |d|d<|S)a The `contact` member of Registration objects should not be required when de-serializing (as it would be if the Fields' `omitempty` flag were `False`), but it should be included in serializations if it was provided. :param jobj: Dictionary containing this Registrations' data :type jobj: dict :returns: Dictionary containing Registrations data to transmit to the server :rtype: dict rFr)getattrrrr,r,r1_add_contact_if_appropriates z(Registration._add_contact_if_appropriatect}||S)z2Modify josepy.JSONDeserializable.to_partial_json())r=rErrrAr,r1rE  zRegistration.to_partial_jsoncr)z;Modify josepy.JSONObjectWithFields.fields_to_partial_json())r=fields_to_partial_jsonrrrAr,r1r r z#Registration.fields_to_partial_jsoncC ||jS)z*All phones found in the ``contact`` field.)rrrDr,r,r1phones zRegistration.phonescCr )z*All emails found in the ``contact`` field.)rrrDr,r,r1emailsr zRegistration.emails)NNN)&rIrVrWrXrGrjrrLrr\rr r[rrrrr^rrrrrrr]r rr rr>rrrEr rr rr`r,r,rAr1rAsF    " c@r)NewRegistrationzNew registration.Nrr,r,r,r1rrrc@r)UpdateRegistrationzUpdate registration.Nrr,r,r,r1rrrc@sVeZdZUdZejdejdZee d<ejdddZ e e d<ejdddZ e e d<dS) RegistrationResourcezRegistration Resource. :ivar acme.messages.Registration body: :ivar str new_authzr_uri: Deprecated. Do not use. :ivar str terms_of_service: URL for the CA TOS. rrgnew_authzr_uriTrorN) rIrVrWrXrGrjrrLrr\rr[rr,r,r,r1rs rcs>eZdZUdZdZejddddZee d<ejde j de d Z e e d<ejd dd Zeje d <ejd ej ddd Zee d <d eddffdd Zdedeffdd Zdeeefffdd Zedeeefdeeefffdd ZedefddZdedefddZdeeffdd Z dedefdd Z!Z"S)! ChallengeBodya>Challenge Resource Body. .. todo:: Confusingly, this has a similar name to `.challenges.Challenge`, as well as `.achallenges.AnnotatedChallenge`. Please use names such as ``challb`` to distinguish instances of this class from ``achall``. :ivar acme.challenges.Challenge: Wrapped challenge. Conveniently, all challenge fields are proxied, i.e. you can call ``challb.x`` to get ``challb.chall.x`` contents. :ivar acme.messages.Status status: :ivar datetime.datetime validated: :ivar messages.Error error: )challrTNrk_urlr)rhrlrm validatedrorr~r4c r)Ncrr,rrrDr,r1r2rz*ChallengeBody.__init__..r,rrrArDr1r>rzChallengeBody.__init__r/cst||Sr<)r=rrr?rAr,r1rrzChallengeBody.encodecst}||j|Sr<)r=rEupdaterrrAr,r1rEs zChallengeBody.to_partial_jsonrFcs t|}tj||d<|S)Nr)r=fields_from_jsonr ChallengerL)rKrF jobj_fieldsrAr,r1rs zChallengeBody.fields_from_jsoncCrC)zThe URL of this challenge.)rrDr,r,r1rrzChallengeBody.uricCs t|j|Sr<)rrr?r,r,r1rs zChallengeBody.__getattr__c#s(tD] }|dkrdn|VqdS)Nrrrr?rAr,r1rszChallengeBody.__iter__cCs|dkrdS|S)Nrrr,r?r,r,r1rrUzChallengeBody._internal_name)#rIrVrWrXrYrGrjrr[r\rrLSTATUS_PENDINGrrrfc3339rdatetimer6rrr>rrrEr]rrrrrrrrr`r,r,rAr1rs*   (rc@sNeZdZUdZejdejdZee d<edZ e e d<e de fddZ dS) ChallengeResourcezChallenge Resource. :ivar acme.messages.ChallengeBody body: :ivar str authzr_uri: URI found in the 'up' ``Link`` header. rrg authzr_urir4cCs|jjS)zThe URL of the challenge body.)rrrDr,r,r1rszChallengeResource.uriN)rIrVrWrXrGrjrrLrr\rr[rrr,r,r,r1rs rc@seZdZUdZejdejddZee d<ejdddZ e e e d<ejdde jdZe e d<ejd ddZeje d <ejd ddZee d <e jd e eeefd ee d ffddZ dS) AuthorizationzAuthorization Resource Body. :ivar acme.messages.Identifier identifier: :ivar list challenges: `list` of `.ChallengeBody` :ivar acme.messages.Status status: :ivar datetime.datetime expires: rqTrrr rorrexpireswildcardrir4.cCrt)Ncsrur<)rrL)r.rr,r,r1rw,rxz+Authorization.challenges..ryr{r,r,r1r *r|zAuthorization.challengesN)rIrVrWrXrGrjrfrLrqr\r rrrrrrr!rr"r^rhrr[rr r,r,r,r1r s ,r c@r)NewAuthorizationzNew authorization.Nrr,r,r,r1r#/rr#c@r)UpdateAuthorizationzUpdate authorization.Nrr,r,r,r1r$3rr$c@s@eZdZUdZejdejdZee d<ejdddZ e e d<dS)AuthorizationResourcez~Authorization Resource. :ivar acme.messages.Authorization body: :ivar str new_cert_uri: Deprecated. Do not use. rrg new_cert_uriTroN) rIrVrWrXrGrjr rLrr\r&r[r,r,r,r1r%7s r%c@s0eZdZUdZejdejejdZej e d<dS)CertificateRequestz~ACME newOrder request. :ivar jose.ComparableX509 csr: `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509` csrrhencoderN) rIrVrWrXrGrj decode_csr encode_csrr(ComparableX509r\r,r,r,r1r'Bs "r'c@s>eZdZUdZedZeed<edZ e e dfed<dS)CertificateResourceaCertificate Resource. :ivar josepy.util.ComparableX509 body: `OpenSSL.crypto.X509` wrapped in `.ComparableX509` :ivar str cert_chain_uri: URI found in the 'up' ``Link`` header :ivar tuple authzrs: `tuple` of `AuthorizationResource`. cert_chain_uriauthzrs.N) rIrVrWrXrGrjr/r[r\r0r r%r,r,r,r1r.Ls r.c@sBeZdZUdZejdejejdZej e d<edZ e e d<dS) RevocationzRevocation message. :ivar jose.ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in `jose.ComparableX509` certificater)reasonN) rIrVrWrXrGrj decode_cert encode_certr2r-r\r3r_r,r,r,r1r1Ys  r1c@seZdZUdZejdddZeee d<ejde j ddZ e e d<ejdddZ eee d<ejdddZee d<ejd ddZee d <ejd ddZeje d <ejd dej d Zee d <ejd eeeefdeedffddZdS)Ordera_Order Resource Body. :ivar identifiers: List of identifiers for the certificate. :vartype identifiers: `list` of `.Identifier` :ivar acme.messages.Status status: :ivar authorizations: URLs of authorizations. :vartype authorizations: `list` of `str` :ivar str certificate: URL to download certificate as a fullchain PEM. :ivar str finalize: URL to POST to to request issuance once all authorizations have "valid" status. :ivar datetime.datetime expires: When the order expires. :ivar ~.Error error: Any error that occurred during finalization, if applicable. identifiersTrorrrauthorizationsr2finalizer!rrrir4.cCrt)Ncsrur<)rfrL)r.rqr,r,r1rwrxz$Order.identifiers..ryr{r,r,r1r7}r|zOrder.identifiersN)rIrVrWrXrGrjr7rrfr\rrLrr8r[r2r9rrr!rr6rrhrrr r,r,r,r1r6es  ,r6c@seZdZUdZejdejdZee d<ejdddZ e e d<edZ e ee d<ejdddZee d<ejd ddZe ee d <d S) OrderResourceaOrder Resource. :ivar acme.messages.Order body: :ivar bytes csr_pem: The CSR this Order will be finalized with. :ivar authorizations: Fully-fetched AuthorizationResource objects. :vartype authorizations: `list` of `acme.messages.AuthorizationResource` :ivar str fullchain_pem: The fetched contents of the certificate URL produced once the order was finalized, if it's present. :ivar alternative_fullchains_pem: The fetched contents of alternative certificate chain URLs produced once the order was finalized, if present and requested during finalization. :vartype alternative_fullchains_pem: `list` of `str` rrgcsr_pemTror8 fullchain_pemalternative_fullchains_pemN)rIrVrWrXrGrjr6rLrr\r;bytesr8rr%r<r[r=r,r,r,r1r:s  r:c@r)NewOrderz New order.Nrr,r,r,r1r?rr?)FrXcollections.abcrrrtypingrrrrrrr r r r josepyrGacmer rrrrr-rrr BaseExceptionr^r8JSONDeSerializabler9rbIDENTIFIER_FQDN IDENTIFIER_IPrrfr6rSTATUS_UNKNOWNrSTATUS_PROCESSING STATUS_VALIDSTATUS_INVALIDSTATUS_REVOKED STATUS_READYSTATUS_DEACTIVATEDrrrrrrrrrrrrr r#r$r%r'r.r1r6r:r?r,r,r,r1s                   ! W7   m A