Commit da694400 authored by Adrien Dorsaz's avatar Adrien Dorsaz

Nonce: use Nonce received in latest ACME server response if available

parent bdc36eb8
Pipeline #97 passed with stage
in 1 minute and 52 seconds
...@@ -37,9 +37,10 @@ def get_crt(config, log=LOGGER): ...@@ -37,9 +37,10 @@ def get_crt(config, log=LOGGER):
# helper function to send signed requests # helper function to send signed requests
def _send_signed_request(url, payload): def _send_signed_request(url, payload):
nonlocal jws_nonce
payload64 = _b64(json.dumps(payload).encode("utf8")) payload64 = _b64(json.dumps(payload).encode("utf8"))
protected = copy.deepcopy(jws_header) protected = copy.deepcopy(jws_header)
protected["nonce"] = urlopen(config["acmednstiny"]["ACMEDirectory"]).headers["Replay-Nonce"] protected["nonce"] = jws_nonce or urlopen(config["acmednstiny"]["ACMEDirectory"]).getheader("Replay-Nonce", None)
protected64 = _b64(json.dumps(protected).encode("utf8")) protected64 = _b64(json.dumps(protected).encode("utf8"))
signature = _openssl("dgst", ["-sha256", "-sign", config["acmednstiny"]["AccountKeyFile"]], signature = _openssl("dgst", ["-sha256", "-sign", config["acmednstiny"]["AccountKeyFile"]],
"{0}.{1}".format(protected64, payload64).encode("utf8")) "{0}.{1}".format(protected64, payload64).encode("utf8"))
...@@ -49,9 +50,11 @@ def get_crt(config, log=LOGGER): ...@@ -49,9 +50,11 @@ def get_crt(config, log=LOGGER):
}) })
try: try:
resp = urlopen(url, data.encode("utf8")) resp = urlopen(url, data.encode("utf8"))
return resp.getcode(), resp.read(), resp.getheaders()
except HTTPError as httperror: except HTTPError as httperror:
return httperror.getcode(), httperror.read(), httperror.getheaders() resp = httperror
finally:
jws_nonce = resp.getheader("Replay-Nonce", None)
return resp.getcode(), resp.read(), resp.getheaders()
# helper function to get url from Link HTTP headers # helper function to get url from Link HTTP headers
def _get_url_link(headers, rel): def _get_url_link(headers, rel):
...@@ -103,6 +106,7 @@ def get_crt(config, log=LOGGER): ...@@ -103,6 +106,7 @@ def get_crt(config, log=LOGGER):
} }
accountkey_json = json.dumps(jws_header["jwk"], sort_keys=True, separators=(",", ":")) accountkey_json = json.dumps(jws_header["jwk"], sort_keys=True, separators=(",", ":"))
thumbprint = _b64(hashlib.sha256(accountkey_json.encode("utf8")).digest()) thumbprint = _b64(hashlib.sha256(accountkey_json.encode("utf8")).digest())
jws_nonce = None
log.info("Parsing CSR looking for domains.") log.info("Parsing CSR looking for domains.")
csr = _openssl("req", ["-in", config["acmednstiny"]["CSRFile"], "-noout", "-text"]).decode("utf8") csr = _openssl("req", ["-in", config["acmednstiny"]["CSRFile"], "-noout", "-text"]).decode("utf8")
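Review bot: In the second hunk, the `finally:` block reads `resp` unconditionally, but `resp` is only bound when `urlopen` succeeds or raises `HTTPError`; any other failure (`URLError`, a socket timeout, a connection reset) reaches `jws_nonce = resp.getheader(...)` with `resp` unbound, so the caller sees an `UnboundLocalError` raised while the real network error is being handled, and the stale `jws_nonce` is never cleared. The nonce update does not need `finally` semantics, since both paths that reach it assign `resp`; replacing `finally:` with a plain fall-through keeps the behaviour and removes the masking: `except HTTPError as httperror:` / `    resp = httperror` / `jws_nonce = resp.getheader("Replay-Nonce", None)` followed by the existing `return`. Capturing the nonce from error responses as well is the right call, because a rejected request (for example a bad-nonce rejection) is expected to carry a fresh `Replay-Nonce` that the retry must use; a one-line comment such as `# cache the Replay-Nonce from every response, including errors, so the next request does not reuse a consumed nonce` above the assignment would make that intent explicit. Note that `_send_signed_request` starts in the first hunk and its middle (the `data = json.dumps(...)` construction) lies between the two hunks, outside this view.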
......