Fixed ACME response. Now it sends the b64 SHA256 digest of the key au…

…thorization (instead of the key authorization itself). Signed-off-by: Trocotronic <[email protected]>
polhenarejos · Aug 23, 2021 · dc7a5ab · dc7a5ab
1 parent 715c892
commit dc7a5ab
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/certbot_castle/_version.py b/certbot_castle/_version.py
@@ -1 +1 @@
-__version__ = "0.8.4.dev"
+__version__ = "0.9.0.dev"
diff --git a/certbot_castle/plugins/imap.py b/certbot_castle/plugins/imap.py
@@ -21,6 +21,7 @@
 import ssl, email
 
 from cryptography.hazmat.primitives.serialization import pkcs7
+from cryptography.hazmat.primitives import hashes  # type: ignore
 from cryptography.x509.oid import ExtensionOID
 from cryptography import x509
 
@@ -168,7 +169,10 @@ def _perform_emailreply00(self, achall):
                                 message += 'To: {}\n'.format(to)
                                 message += 'In-Reply-To: {}\n'.format(msg['Message-ID'])
                                 message += 'Subject: Re: {}\n\n'.format(subject)
-                                message += '-----BEGIN ACME RESPONSE-----\n{}\n-----END ACME RESPONSE-----\n'.format(validation)
+                                digest = hashes.Hash(hashes.SHA256())
+                                digest.update(validation.encode())
+                                thumbprint = jose.b64encode(digest.finalize()).decode()
+                                message += '-----BEGIN ACME RESPONSE-----\n{}\n-----END ACME RESPONSE-----\n'.format(thumbprint)
                                 self.smtp.sendmail(me,to,message)
 
                                 self.imap.add_flags(message_id,imapclient.SEEN)

diff --git a/certbot_castle/plugins/interactive.py b/certbot_castle/plugins/interactive.py
@@ -11,6 +11,8 @@
 
 import josepy as jose
 
+from cryptography.hazmat.primitives import hashes  # type: ignore
+
 logger = logging.getLogger(__name__)
 
 class Authenticator(common.Plugin, interfaces.Authenticator, metaclass=abc.ABCMeta):
@@ -56,10 +58,13 @@ def _perform_emailreply00(self, achall):
         # We reconstruct the ChallengeBody
         challt = messages.ChallengeBody.from_json({ 'type': 'email-reply-00', 'token': jose.b64.b64encode(bytes(full_token)).decode('ascii'), 'url': achall.challb.uri, 'status': achall.challb.status.to_json(), 'from': achall.challb.chall.from_addr })
         response, validation = challt.response_and_validation(achall.account_key)
+        digest = hashes.Hash(hashes.SHA256())
+        digest.update(validation.encode())
+        thumbprint = jose.b64encode(digest.finalize()).decode()
         notify('A challenge response has been generated. Please, copy the following text, reply the e-mail you have received from ACME server and paste this text in the TOP of the message\'s body: ',pause=False)
         print('\n-----BEGIN ACME RESPONSE-----\n'
             '{}\n'
-            '-----END ACME RESPONSE-----\n'.format(validation))
+            '-----END ACME RESPONSE-----\n'.format(thumbprint))
         return response
 
     def cleanup(self, achalls):  # pylint: disable=missing-function-docstring