Challenges¶

ACME Identifier Validation Challenges.

class acme.challenges.Challenge(**kwargs)[source]¶

Bases: acme.jose.json_util.TypedJSONObjectWithFields

ACME challenge.

class acme.challenges.ContinuityChallenge(**kwargs)[source]¶

Bases: acme.challenges.Challenge

Client validation challenges.

class acme.challenges.DVChallenge(**kwargs)[source]¶

Bases: acme.challenges.Challenge

Domain validation challenges.

class acme.challenges.ChallengeResponse(**kwargs)[source]¶

Bases: acme.jose.json_util.TypedJSONObjectWithFields

ACME challenge response.

class acme.challenges.UnrecognizedChallenge(jobj)[source]¶

Bases: acme.challenges.Challenge

Unrecognized challenge.

ACME specification defines a generic framework for challenges and defines some standard challenges that are implemented in this module. However, other implementations (including peers) might define additional challenge types, which should be ignored if unrecognized.

Variables:	jobj – Original JSON decoded object.

class acme.challenges._TokenDVChallenge(**kwargs)[source]¶

Bases: acme.challenges.DVChallenge

DV Challenge with token.

Variables:	token (bytes) –

TOKEN_SIZE = 16¶: Minimum size of the token in bytes.

good_token¶: Is token good?

Todo

acme-spec wants “It MUST NOT contain any non-ASCII characters”, but it should also warrant that it doesn’t contain ”..” or “/”...

class acme.challenges.KeyAuthorizationChallengeResponse(**kwargs)[source]¶

Bases: acme.challenges.ChallengeResponse

Response to Challenges based on Key Authorization.

Parameters:	key_authorization (unicode) –

verify(chall, account_public_key)[source]¶

Verify the key authorization.

Parameters:	chall (KeyAuthorization) – Challenge that corresponds to this response. account_public_key (JWK) –
Returns:	`True` iff verification of the key authorization was successful.
Return type:	bool

class acme.challenges.KeyAuthorizationChallenge(**kwargs)[source]¶

Bases: acme.challenges._TokenDVChallenge

Challenge based on Key Authorization.

Parameters:	response_cls – Subclass of `KeyAuthorizationChallengeResponse` that will be used to generate `response`.

key_authorization(account_key)[source]¶

Generate Key Authorization.

Parameters:	account_key (JWK) –
Rtype unicode:

response(account_key)[source]¶

Generate response to the challenge.

Parameters:	account_key (JWK) –
Returns:	Response (initialized `response_cls`) to the challenge.
Return type:	KeyAuthorizationChallengeResponse

validation(account_key, **kwargs)[source]¶

Generate validation for the challenge.

Subclasses must implement this method, but they are likely to return completely different data structures, depending on what’s necessary to complete the challenge. Interepretation of that return value must be known to the caller.

Parameters:	account_key (JWK) –
Returns:	Challenge-specific validation.

response_and_validation(account_key, *args, **kwargs)[source]¶

Generate response and validation.

Convenience function that return results of response and validation.

Parameters:	account_key (JWK) –
Return type:	tuple

class acme.challenges.HTTP01Response(**kwargs)[source]¶

Bases: acme.challenges.KeyAuthorizationChallengeResponse

ACME http-01 challenge response.

PORT = 80¶

Verification port as defined by the protocol.

You can override it (e.g. for testing) by passing port to simple_verify.

WHITESPACE_CUTSET = '\n\r\t '¶: Whitespace characters which should be ignored at the end of the body.

simple_verify(chall, domain, account_public_key, port=None)[source]¶

Simple verify.

Parameters:	chall (challenges.SimpleHTTP) – Corresponding challenge. domain (unicode) – Domain name being verified. account_public_key (JWK) – Public key for the key pair being authorized. port (int) – Port used in the validation.
Returns:	`True` iff validation is successful, `False` otherwise.
Return type:	bool

class acme.challenges.HTTP01(**kwargs)[source]¶

Bases: acme.challenges.KeyAuthorizationChallenge

ACME http-01 challenge.

response_cls¶: alias of HTTP01Response

URI_ROOT_PATH = '.well-known/acme-challenge'¶: URI root path for the server provisioned resource.

path¶

Path (starting with ‘/’) for provisioned resource.

Return type:	string

uri(domain)[source]¶

Create an URI to the provisioned resource.

Forms an URI to the HTTPS server provisioned resource (containing token).

Parameters:	domain (unicode) – Domain name being verified.
Return type:	string

validation(account_key, **unused_kwargs)[source]¶

Generate validation.

Parameters:	account_key (JWK) –
Return type:	unicode

class acme.challenges.TLSSNI01Response(**kwargs)[source]¶

Bases: acme.challenges.KeyAuthorizationChallengeResponse

ACME tls-sni-01 challenge response.

DOMAIN_SUFFIX = '.acme.invalid'¶: Domain name suffix.

PORT = 443¶

Verification port as defined by the protocol.

You can override it (e.g. for testing) by passing port to simple_verify.

z¶

z value used for verification.

Rtype bytes:

z_domain¶

Domain name used for verification, generated from z.

Rtype bytes:

gen_cert(key=None, bits=2048)[source]¶

Generate tls-sni-01 certificate.

Parameters:	key (OpenSSL.crypto.PKey) – Optional private key used in certificate generation. If not provided (`None`), then fresh key will be generated. bits (int) – Number of bits for newly generated key.
Return type:	`tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`

probe_cert(domain, **kwargs)[source]¶

Probe tls-sni-01 challenge certificate.

Parameters:	domain (unicode) –

verify_cert(cert)[source]¶

Verify tls-sni-01 challenge certificate.

Parameters:	cert (OpensSSL.crypto.X509) – Challenge certificate.
Returns:	Whether the certificate was successfully verified.
Return type:	bool

simple_verify(chall, domain, account_public_key, cert=None, **kwargs)[source]¶

Simple verify.

Verify validation using account_public_key, optionally probe tls-sni-01 certificate and check using verify_cert.

Parameters:	chall (challenges.TLSSNI01) – Corresponding challenge. domain (str) – Domain name being validated. account_public_key (JWK) – cert (OpenSSL.crypto.X509) – Optional certificate. If not provided (`None`) certificate will be retrieved using `probe_cert`. port (int) – Port used to probe the certificate.
Returns:	`True` iff client’s control of the domain has been verified, `False` otherwise.
Return type:	bool

class acme.challenges.TLSSNI01(**kwargs)[source]¶

Bases: acme.challenges.KeyAuthorizationChallenge

ACME tls-sni-01 challenge.

response_cls¶: alias of TLSSNI01Response

validation(account_key, **kwargs)[source]¶

Generate validation.

Parameters:	account_key (JWK) – cert_key (OpenSSL.crypto.PKey) – Optional private key used in certificate generation. If not provided (`None`), then fresh key will be generated.
Return type:	`tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`

class acme.challenges.RecoveryContact(**kwargs)[source]¶

Bases: acme.challenges.ContinuityChallenge

ACME “recoveryContact” challenge.

Variables:	activation_url (unicode) – success_url (unicode) – contact (unicode) –

class acme.challenges.RecoveryContactResponse(**kwargs)[source]¶

Bases: acme.challenges.ChallengeResponse

ACME “recoveryContact” challenge response.

Variables:	token (unicode) –

class acme.challenges.ProofOfPossession(**kwargs)[source]¶

Bases: acme.challenges.ContinuityChallenge

ACME “proofOfPossession” challenge.

Variables:	alg (JWAAlgorithm) – nonce (bytes) – Random data, not base64-encoded. hints – Various clues for the client (`Hints`).

class Hints(**kwargs)[source]¶

Bases: acme.jose.json_util.JSONObjectWithFields

Hints for “proofOfPossession” challenge.

Variables:	jwk (JWK) – JSON Web Key cert_fingerprints (tuple) – `tuple` of `unicode` certs (tuple) – Sequence of `acme.jose.ComparableX509` certificates. subject_key_identifiers (tuple) – `tuple` of `unicode` issuers (tuple) – `tuple` of `unicode` authorized_for (tuple) – `tuple` of `unicode`

class acme.challenges.ProofOfPossessionResponse(**kwargs)[source]¶

Bases: acme.challenges.ChallengeResponse

ACME “proofOfPossession” challenge response.

Variables:	nonce (bytes) – Random data, not base64-encoded. signature (acme.other.Signature) – Sugnature of this message.

verify()[source]¶: Verify the challenge.

class acme.challenges.DNS(**kwargs)[source]¶

Bases: acme.challenges._TokenDVChallenge

ACME “dns” challenge.

LABEL = '_acme-challenge'¶: Label clients prepend to the domain name being validated.

gen_validation(account_key, alg=RS256, **kwargs)[source]¶

Generate validation.

Parameters:	account_key (JWK) – Private account key. alg (JWA) –
Returns:	This challenge wrapped in `JWS`
Return type:	JWS

check_validation(validation, account_public_key)[source]¶

Check validation.

Parameters:	validation (JWS) – account_public_key (JWK) –
Return type:	bool

gen_response(account_key, **kwargs)[source]¶

Generate response.

Parameters:	account_key (JWK) – Private account key. alg (JWA) –
Return type:	DNSResponse

validation_domain_name(name)[source]¶

Domain name for TXT validation record.

Parameters:	name (unicode) – Domain name being validated.

class acme.challenges.DNSResponse(**kwargs)[source]¶

Bases: acme.challenges.ChallengeResponse

ACME “dns” challenge response.

Parameters:	validation (JWS) –

check_validation(chall, account_public_key)[source]¶

Check validation.

Parameters:	chall (challenges.DNS) – account_public_key (JWK) –
Return type:	bool