Reference RFC 8555 instead of latest draft. (#53674) (#53836)

(cherry picked from commit a043570579)
pull/54037/head
Felix Fontein 6 years ago committed by Toshio Kuratomi
parent 833b29b39c
commit d8a75faa53

@ -443,7 +443,7 @@ class ACMEDirectory(object):
and allows to obtain a Replay-Nonce. The acme_directory URL and allows to obtain a Replay-Nonce. The acme_directory URL
needs to support unauthenticated GET requests; ACME endpoints needs to support unauthenticated GET requests; ACME endpoints
requiring authentication are not supported. requiring authentication are not supported.
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.1.1 https://tools.ietf.org/html/rfc8555#section-7.1.1
''' '''
def __init__(self, module, account): def __init__(self, module, account):
@ -514,7 +514,7 @@ class ACMEAccount(object):
def get_keyauthorization(self, token): def get_keyauthorization(self, token):
''' '''
Returns the key authorization for the given token Returns the key authorization for the given token
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-8.1 https://tools.ietf.org/html/rfc8555#section-8.1
''' '''
accountkey_json = json.dumps(self.jwk, sort_keys=True, separators=(',', ':')) accountkey_json = json.dumps(self.jwk, sort_keys=True, separators=(',', ':'))
thumbprint = nopad_b64(hashlib.sha256(accountkey_json.encode('utf8')).digest()) thumbprint = nopad_b64(hashlib.sha256(accountkey_json.encode('utf8')).digest())
@ -551,10 +551,10 @@ class ACMEAccount(object):
''' '''
Sends a JWS signed HTTP POST request to the ACME server and returns Sends a JWS signed HTTP POST request to the ACME server and returns
the response as dictionary the response as dictionary
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-6.2 https://tools.ietf.org/html/rfc8555#section-6.2
If payload is None, a POST-as-GET is performed. If payload is None, a POST-as-GET is performed.
(https://tools.ietf.org/html/draft-ietf-acme-acme-15#section-6.3) (https://tools.ietf.org/html/rfc8555#section-6.3)
''' '''
key_data = key_data or self.key_data key_data = key_data or self.key_data
jws_header = jws_header or self.jws_header jws_header = jws_header or self.jws_header
@ -585,7 +585,7 @@ class ACMEAccount(object):
try: try:
decoded_result = self.module.from_json(content.decode('utf8')) decoded_result = self.module.from_json(content.decode('utf8'))
# In case of badNonce error, try again (up to 5 times) # In case of badNonce error, try again (up to 5 times)
# (https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-6.6) # (https://tools.ietf.org/html/rfc8555#section-6.7)
if (400 <= info['status'] < 600 and if (400 <= info['status'] < 600 and
decoded_result.get('type') == 'urn:ietf:params:acme:error:badNonce' and decoded_result.get('type') == 'urn:ietf:params:acme:error:badNonce' and
failed_tries <= 5): failed_tries <= 5):
@ -659,7 +659,7 @@ class ACMEAccount(object):
Registers a new ACME account. Returns True if the account was Registers a new ACME account. Returns True if the account was
created and False if it already existed (e.g. it was not newly created and False if it already existed (e.g. it was not newly
created). created).
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3 https://tools.ietf.org/html/rfc8555#section-7.3
''' '''
contact = [] if contact is None else contact contact = [] if contact is None else contact
@ -695,7 +695,7 @@ class ACMEAccount(object):
if result.get('status') == 'deactivated': if result.get('status') == 'deactivated':
# A probable bug in Pebble (https://github.com/letsencrypt/pebble/issues/179) # A probable bug in Pebble (https://github.com/letsencrypt/pebble/issues/179)
# and Boulder: this should not return a valid account object according to # and Boulder: this should not return a valid account object according to
# https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.6: # https://tools.ietf.org/html/rfc8555#section-7.3.6:
# "Once an account is deactivated, the server MUST NOT accept further # "Once an account is deactivated, the server MUST NOT accept further
# requests authorized by that account's key." # requests authorized by that account's key."
if not allow_creation: if not allow_creation:
@ -762,7 +762,7 @@ class ACMEAccount(object):
will be stored in self.uri; if it is None, the account does not will be stored in self.uri; if it is None, the account does not
exist. exist.
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3 https://tools.ietf.org/html/rfc8555#section-7.3
''' '''
new_account = True new_account = True

@ -21,7 +21,7 @@ version_added: "2.6"
short_description: Create, modify or delete ACME accounts short_description: Create, modify or delete ACME accounts
description: description:
- "Allows to create, modify or delete accounts with a CA supporting the - "Allows to create, modify or delete accounts with a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-14), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/)." such as L(Let's Encrypt,https://letsencrypt.org/)."
- "This module only works with the ACME v2 protocol." - "This module only works with the ACME v2 protocol."
notes: notes:
@ -55,7 +55,7 @@ options:
description: description:
- "A list of contact URLs." - "A list of contact URLs."
- "Email addresses must be prefixed with C(mailto:)." - "Email addresses must be prefixed with C(mailto:)."
- "See https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.1.2 - "See U(https://tools.ietf.org/html/rfc8555#section-7.3)
for what is allowed." for what is allowed."
- "Must be specified when state is C(present). Will be ignored - "Must be specified when state is C(present). Will be ignored
if state is C(absent) or C(changed_key)." if state is C(absent) or C(changed_key)."
@ -223,7 +223,7 @@ def main():
# Now we can start the account key rollover # Now we can start the account key rollover
if not module.check_mode: if not module.check_mode:
# Compose inner signed message # Compose inner signed message
# https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3.6 # https://tools.ietf.org/html/rfc8555#section-7.3.5
url = account.directory['keyChange'] url = account.directory['keyChange']
protected = { protected = {
"alg": new_key_data['alg'], "alg": new_key_data['alg'],

@ -21,7 +21,7 @@ version_added: "2.7"
short_description: Retrieves information on ACME accounts short_description: Retrieves information on ACME accounts
description: description:
- "Allows to retrieve information on accounts a CA supporting the - "Allows to retrieve information on accounts a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-14), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/)." such as L(Let's Encrypt,https://letsencrypt.org/)."
- "This module only works with the ACME v2 protocol." - "This module only works with the ACME v2 protocol."
notes: notes:

@ -21,7 +21,7 @@ version_added: "2.2"
short_description: Create SSL/TLS certificates with the ACME protocol short_description: Create SSL/TLS certificates with the ACME protocol
description: description:
- "Create and renew SSL/TLS certificates with a CA supporting the - "Create and renew SSL/TLS certificates with a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-14), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/). The current such as L(Let's Encrypt,https://letsencrypt.org/). The current
implementation supports the C(http-01), C(dns-01) and C(tls-alpn-01) implementation supports the C(http-01), C(dns-01) and C(tls-alpn-01)
challenges." challenges."
@ -36,7 +36,7 @@ description:
the necessary certificate has to be created and served. the necessary certificate has to be created and served.
It is I(not) the responsibility of this module to perform these steps." It is I(not) the responsibility of this module to perform these steps."
- "For details on how to fulfill these challenges, you might have to read through - "For details on how to fulfill these challenges, you might have to read through
L(the main ACME specification,https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-8) L(the main ACME specification,https://tools.ietf.org/html/rfc8555#section-8)
and the L(TLS-ALPN-01 specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3). and the L(TLS-ALPN-01 specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3).
Also, consider the examples provided for this module." Also, consider the examples provided for this module."
notes: notes:
@ -311,7 +311,7 @@ authorizations:
type: complex type: complex
contains: contains:
authorization: authorization:
description: ACME authorization object. See U(https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.1.4) description: ACME authorization object. See U(https://tools.ietf.org/html/rfc8555#section-7.1.4)
returned: success returned: success
type: dict type: dict
order_uri: order_uri:
@ -496,11 +496,11 @@ class ACMEClient(object):
keyauthorization = self.account.get_keyauthorization(token) keyauthorization = self.account.get_keyauthorization(token)
if type == 'http-01': if type == 'http-01':
# https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-8.3 # https://tools.ietf.org/html/rfc8555#section-8.3
resource = '.well-known/acme-challenge/' + token resource = '.well-known/acme-challenge/' + token
data[type] = {'resource': resource, 'resource_value': keyauthorization} data[type] = {'resource': resource, 'resource_value': keyauthorization}
elif type == 'dns-01': elif type == 'dns-01':
# https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-8.4 # https://tools.ietf.org/html/rfc8555#section-8.4
resource = '_acme-challenge' resource = '_acme-challenge'
value = nopad_b64(hashlib.sha256(to_bytes(keyauthorization)).digest()) value = nopad_b64(hashlib.sha256(to_bytes(keyauthorization)).digest())
record = (resource + domain[1:]) if domain.startswith('*.') else (resource + '.' + domain) record = (resource + domain[1:]) if domain.startswith('*.') else (resource + '.' + domain)
@ -577,7 +577,7 @@ class ACMEClient(object):
''' '''
Create a new certificate based on the csr. Create a new certificate based on the csr.
Return the certificate object as dict Return the certificate object as dict
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.4 https://tools.ietf.org/html/rfc8555#section-7.4
''' '''
csr = pem_to_der(self.csr) csr = pem_to_der(self.csr)
new_cert = { new_cert = {
@ -611,7 +611,7 @@ class ACMEClient(object):
def _download_cert(self, url): def _download_cert(self, url):
''' '''
Download and parse the certificate chain. Download and parse the certificate chain.
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.4.2 https://tools.ietf.org/html/rfc8555#section-7.4.2
''' '''
content, info = self.account.get_request(url, parse_json_result=False, headers={'Accept': 'application/pem-certificate-chain'}) content, info = self.account.get_request(url, parse_json_result=False, headers={'Accept': 'application/pem-certificate-chain'})
@ -679,7 +679,7 @@ class ACMEClient(object):
def _new_order_v2(self): def _new_order_v2(self):
''' '''
Start a new certificate order (ACME v2 protocol). Start a new certificate order (ACME v2 protocol).
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.4 https://tools.ietf.org/html/rfc8555#section-7.4
''' '''
identifiers = [] identifiers = []
for domain in self.domains: for domain in self.domains:
@ -836,7 +836,7 @@ class ACMEClient(object):
''' '''
Deactivates all valid authz's. Does not raise exceptions. Deactivates all valid authz's. Does not raise exceptions.
https://community.letsencrypt.org/t/authorization-deactivation/19860/2 https://community.letsencrypt.org/t/authorization-deactivation/19860/2
https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.5.2 https://tools.ietf.org/html/rfc8555#section-7.5.2
''' '''
authz_deactivate = { authz_deactivate = {
'status': 'deactivated' 'status': 'deactivated'

@ -21,7 +21,7 @@ version_added: "2.7"
short_description: Revoke certificates with the ACME protocol short_description: Revoke certificates with the ACME protocol
description: description:
- "Allows to revoke certificates issued by a CA supporting the - "Allows to revoke certificates issued by a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-14), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/)." such as L(Let's Encrypt,https://letsencrypt.org/)."
notes: notes:
- "Exactly one of C(account_key_src), C(account_key_content), - "Exactly one of C(account_key_src), C(account_key_content),
@ -188,7 +188,7 @@ def main():
result, info = account.send_signed_request(endpoint, payload) result, info = account.send_signed_request(endpoint, payload)
if info['status'] != 200: if info['status'] != 200:
already_revoked = False already_revoked = False
# Standarized error in draft 14 (https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.6) # Standarized error from draft 14 on (https://tools.ietf.org/html/rfc8555#section-7.6)
if result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked': if result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked':
already_revoked = True already_revoked = True
else: else:
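Review bot: The updated comment above the `alreadyRevoked` check still carries the misspelling "Standarized"; since this line is the only text the hunk touches, it is worth fixing in the same commit, e.g. `# Standardized error since draft 14 (https://tools.ietf.org/html/rfc8555#section-7.6)`. The RFC section cited (7.6, Certificate Revocation) does define the `urn:ietf:params:acme:error:alreadyRevoked` type, so the reference itself looks correct. The enclosing `main()` begins and ends outside this hunk.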
