authorsiddharth ravikumar <s@ricketyspace.net>2022-07-18 21:26:44 -0400
committersiddharth ravikumar <s@ricketyspace.net>2022-07-18 21:26:44 -0400
commitd6130f9f8cf7d7b0f39de0a4c0bc4befa5d822ec (patch)
tree672f83ce60e2d8ced8e437efde60897cf418dff9
parentab9b4d727313b5954f10726211eae64234e509ca (diff)
acmens.py: update `_send_signed_request`
Comply with Section 6.5 of RFC 8555. Retry when the server returns `urn:ietf:params:acme:error:badNonce`.
-rw-r--r--acmens.py18
1 files changed, 13 insertions, 5 deletions
diff --git a/acmens.py b/acmens.py
index 735a36c..1ea174c 100644
--- a/acmens.py
+++ b/acmens.py
@@ -81,11 +81,13 @@ def _do_request(url, data=None, err_msg="Error"):
return resp_data, code, headers
-def _send_signed_request(url, payload, nonce_url, auth, account_key, err_msg):
- """Make signed request to ACME endpoint"""
+def _mk_signed_req_body(url, payload, nonce, auth, account_key):
+ if len(nonce) < 1:
+ sys.stderr.write("_mk_signed_req_body: nonce invalid: {}".format(nonce))
+ sys.exit(1)
+
payload64 = "" if payload is None else _b64(json.dumps(payload).encode("utf8"))
- new_nonce = _do_request(nonce_url)[2]["Replay-Nonce"]
- protected = {"url": url, "alg": "RS256", "nonce": new_nonce}
+ protected = {"url": url, "alg": "RS256", "nonce": nonce}
protected.update(auth)
protected64 = _b64(json.dumps(protected).encode("utf8"))
protected_input = "{0}.{1}".format(protected64, payload64).encode("utf8")
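Review bot: `_mk_signed_req_body` is introduced without a docstring while the old "Make signed request to ACME endpoint" docstring stays with the wrapper, so the helper's contract — it only builds and signs the JWS body and requires a non-empty nonce — is undocumented; add `"""Build the signed JWS request body for *url*; *nonce* must be a non-empty Replay-Nonce value."""` directly under the `def`. The error path also writes to stderr without a trailing newline, so the message runs into whatever is printed next: `sys.stderr.write("_mk_signed_req_body: nonce invalid: {}\n".format(nonce))`. Calling `sys.exit(1)` from a helper that is reached from inside the retry loop means one missing nonce aborts the whole run instead of being reported to the caller; that may be acceptable for a script, but it belongs in the docstring. The function body continues past the end of this hunk.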
@@ -95,12 +97,17 @@ def _send_signed_request(url, payload, nonce_url, auth, account_key, err_msg):
cmd_input=protected_input,
err_msg="OpenSSL Error",
)
- data = json.dumps(
+ return json.dumps(
{"protected": protected64, "payload": payload64, "signature": _b64(out)}
)
+
+def _send_signed_request(url, payload, nonce_url, auth, account_key, err_msg):
+ """Make signed request to ACME endpoint"""
tried = 0
+ nonce = _do_request(nonce_url)[2]["Replay-Nonce"]
while True:
+ data = _mk_signed_req_body(url, payload, nonce, auth, account_key)
resp_data, resp_code, headers = _do_request(
url, data=data.encode("utf8"), err_msg=err_msg
)
@@ -111,6 +118,7 @@ def _send_signed_request(url, payload, nonce_url, auth, account_key, err_msg):
and resp_data.get("type", "") == "urn:ietf:params:acme:error:badNonce"
and tried < 100
):
+ nonce = headers.get("Replay-Nonce", "")
tried += 1
continue
else:
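Review bot: When the badNonce error response carries no Replay-Nonce header, the new line `nonce = headers.get("Replay-Nonce", "")` hands an empty string to `_mk_signed_req_body` on the next iteration, which exits the process instead of retrying; RFC 8555 Section 6.5.1 requires the nonce only on successful responses (it is a SHOULD for error responses), so fall back to the newNonce endpoint that is already available as `nonce_url`: `nonce = headers.get("Replay-Nonce") or _do_request(nonce_url)[2]["Replay-Nonce"]`. A short comment above the line, `# RFC 8555 6.5: retry with the nonce the server sent back, not a stale one`, would explain why the nonce is taken from the error response rather than from a fresh request. The enclosing `_send_signed_request` starts and ends outside this hunk.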