Challenges¶
ACME Identifier Validation Challenges.
-
class
acme.challenges.
Challenge
(**kwargs)[source]¶ Bases:
acme.jose.json_util.TypedJSONObjectWithFields
ACME challenge.
-
class
acme.challenges.
ChallengeResponse
(**kwargs)[source]¶ Bases:
acme.jose.json_util.TypedJSONObjectWithFields
ACME challenge response.
-
class
acme.challenges.
UnrecognizedChallenge
(jobj)[source]¶ Bases:
acme.challenges.Challenge
Unrecognized challenge.
ACME specification defines a generic framework for challenges and defines some standard challenges that are implemented in this module. However, other implementations (including peers) might define additional challenge types, which should be ignored if unrecognized.
Variables: jobj – Original JSON decoded object.
-
class
acme.challenges.
_TokenChallenge
(**kwargs)[source]¶ Bases:
acme.challenges.Challenge
Challenge with token.
Variables: token (bytes) – -
TOKEN_SIZE
= 16.0¶ Minimum size of the
token
in bytes.
-
good_token
¶ Is
token
good?Todo
acme-spec wants “It MUST NOT contain any non-ASCII characters”, but it should also warrant that it doesn’t contain ”..” or “/”...
-
-
class
acme.challenges.
KeyAuthorizationChallengeResponse
(**kwargs)[source]¶ Bases:
acme.challenges.ChallengeResponse
Response to Challenges based on Key Authorization.
Parameters: key_authorization (unicode) –
-
class
acme.challenges.
KeyAuthorizationChallenge
(**kwargs)[source]¶ Bases:
acme.challenges._TokenChallenge
Challenge based on Key Authorization.
Parameters: response_cls – Subclass of KeyAuthorizationChallengeResponse
that will be used to generateresponse
.Generate Key Authorization.
Parameters: account_key (JWK) – Rtype unicode:
-
response
(account_key)[source]¶ Generate response to the challenge.
Parameters: account_key (JWK) – Returns: Response (initialized response_cls
) to the challenge.Return type: KeyAuthorizationChallengeResponse
-
validation
(account_key, **kwargs)[source]¶ Generate validation for the challenge.
Subclasses must implement this method, but they are likely to return completely different data structures, depending on what’s necessary to complete the challenge. Interepretation of that return value must be known to the caller.
Parameters: account_key (JWK) – Returns: Challenge-specific validation.
-
response_and_validation
(account_key, *args, **kwargs)[source]¶ Generate response and validation.
Convenience function that return results of
response
andvalidation
.Parameters: account_key (JWK) – Return type: tuple
-
class
acme.challenges.
DNS01Response
(**kwargs)[source]¶ Bases:
acme.challenges.KeyAuthorizationChallengeResponse
ACME dns-01 challenge response.
-
simple_verify
(chall, domain, account_public_key)[source]¶ Simple verify.
Parameters: - chall (challenges.DNS01) – Corresponding challenge.
- domain (unicode) – Domain name being verified.
- account_public_key (JWK) – Public key for the key pair being authorized.
Returns: True
iff validation with the TXT records resolved from a DNS server is successful.Return type: bool
-
-
class
acme.challenges.
DNS01
(**kwargs)[source]¶ Bases:
acme.challenges.KeyAuthorizationChallenge
ACME dns-01 challenge.
-
response_cls
¶ alias of
DNS01Response
-
LABEL
= '_acme-challenge'¶ Label clients prepend to the domain name being validated.
-
-
class
acme.challenges.
HTTP01Response
(**kwargs)[source]¶ Bases:
acme.challenges.KeyAuthorizationChallengeResponse
ACME http-01 challenge response.
-
PORT
= 80¶ Verification port as defined by the protocol.
You can override it (e.g. for testing) by passing
port
tosimple_verify
.
-
WHITESPACE_CUTSET
= '\n\r\t '¶ Whitespace characters which should be ignored at the end of the body.
-
simple_verify
(chall, domain, account_public_key, port=None)[source]¶ Simple verify.
Parameters: - chall (challenges.SimpleHTTP) – Corresponding challenge.
- domain (unicode) – Domain name being verified.
- account_public_key (JWK) – Public key for the key pair being authorized.
- port (int) – Port used in the validation.
Returns: True
iff validation with the files currently served by the HTTP server is successful.Return type: bool
-
-
class
acme.challenges.
HTTP01
(**kwargs)[source]¶ Bases:
acme.challenges.KeyAuthorizationChallenge
ACME http-01 challenge.
-
response_cls
¶ alias of
HTTP01Response
-
URI_ROOT_PATH
= '.well-known/acme-challenge'¶ URI root path for the server provisioned resource.
-
path
¶ Path (starting with ‘/’) for provisioned resource.
Return type: string
-
-
class
acme.challenges.
TLSSNI01Response
(**kwargs)[source]¶ Bases:
acme.challenges.KeyAuthorizationChallengeResponse
ACME tls-sni-01 challenge response.
-
DOMAIN_SUFFIX
= b'.acme.invalid'¶ Domain name suffix.
-
PORT
= 443¶ Verification port as defined by the protocol.
You can override it (e.g. for testing) by passing
port
tosimple_verify
.
-
z
¶ z
value used for verification.Rtype bytes:
-
gen_cert
(key=None, bits=2048)[source]¶ Generate tls-sni-01 certificate.
Parameters: - key (OpenSSL.crypto.PKey) – Optional private key used in
certificate generation. If not provided (
None
), then fresh key will be generated. - bits (int) – Number of bits for newly generated key.
Return type: tuple
ofOpenSSL.crypto.X509
andOpenSSL.crypto.PKey
- key (OpenSSL.crypto.PKey) – Optional private key used in
certificate generation. If not provided (
-
probe_cert
(domain, **kwargs)[source]¶ Probe tls-sni-01 challenge certificate.
Parameters: domain (unicode) –
-
verify_cert
(cert)[source]¶ Verify tls-sni-01 challenge certificate.
Parameters: cert (OpensSSL.crypto.X509) – Challenge certificate. Returns: Whether the certificate was successfully verified. Return type: bool
-
simple_verify
(chall, domain, account_public_key, cert=None, **kwargs)[source]¶ Simple verify.
Verify
validation
usingaccount_public_key
, optionally probe tls-sni-01 certificate and check usingverify_cert
.Parameters: - chall (challenges.TLSSNI01) – Corresponding challenge.
- domain (str) – Domain name being validated.
- account_public_key (JWK) –
- cert (OpenSSL.crypto.X509) – Optional certificate. If not
provided (
None
) certificate will be retrieved usingprobe_cert
. - port (int) – Port used to probe the certificate.
Returns: True
iff client’s control of the domain has been verified.Return type: bool
-
-
class
acme.challenges.
TLSSNI01
(**kwargs)[source]¶ Bases:
acme.challenges.KeyAuthorizationChallenge
ACME tls-sni-01 challenge.
-
response_cls
¶ alias of
TLSSNI01Response
-
validation
(account_key, **kwargs)[source]¶ Generate validation.
Parameters: - account_key (JWK) –
- cert_key (OpenSSL.crypto.PKey) – Optional private key used
in certificate generation. If not provided (
None
), then fresh key will be generated.
Return type: tuple
ofOpenSSL.crypto.X509
andOpenSSL.crypto.PKey
-
-
class
acme.challenges.
DNS
(**kwargs)[source]¶ Bases:
acme.challenges._TokenChallenge
ACME “dns” challenge.
-
LABEL
= '_acme-challenge'¶ Label clients prepend to the domain name being validated.
-
gen_validation
(account_key, alg=RS256, **kwargs)[source]¶ Generate validation.
Parameters: Returns: This challenge wrapped in
JWS
Return type:
-
check_validation
(validation, account_public_key)[source]¶ Check validation.
Parameters: Return type: bool
-
-
class
acme.challenges.
DNSResponse
(**kwargs)[source]¶ Bases:
acme.challenges.ChallengeResponse
ACME “dns” challenge response.
Parameters: validation (JWS) – -
check_validation
(chall, account_public_key)[source]¶ Check validation.
Parameters: - chall (challenges.DNS) –
- account_public_key (JWK) –
Return type: bool
-