mirror of https://github.com/moepman/acertmgr.git
authority.v2: invalidate nonces after 2 minutes and re-request
Boulder seems to invalidate older nonces after some time. Therefore we allow nonces from the cache to be used for up to 2 minutes and after those they will be considered invalid (and re-requested with an extra request to the nonce endpoint when necessary)
This commit is contained in:
parent
514ff7cbad
commit
1a4272f11a
|
@ -14,6 +14,9 @@ from acertmgr import tools
|
||||||
from acertmgr.authority.acme import ACMEAuthority as AbstractACMEAuthority
|
from acertmgr.authority.acme import ACMEAuthority as AbstractACMEAuthority
|
||||||
from acertmgr.tools import log
|
from acertmgr.tools import log
|
||||||
|
|
||||||
|
# Maximum age for nonce values (Boulder invalidates them after some time, so we use a low value of 2 minutes here)
|
||||||
|
MAX_NONCE_AGE = 120
|
||||||
|
|
||||||
|
|
||||||
class ACMEAuthority(AbstractACMEAuthority):
|
class ACMEAuthority(AbstractACMEAuthority):
|
||||||
# @brief Init class with config
|
# @brief Init class with config
|
||||||
|
@ -45,6 +48,7 @@ class ACMEAuthority(AbstractACMEAuthority):
|
||||||
log("API directory retrieval failed ({}). Guessed necessary values: {}".format(code, self.directory),
|
log("API directory retrieval failed ({}). Guessed necessary values: {}".format(code, self.directory),
|
||||||
warning=True)
|
warning=True)
|
||||||
self.nonce = None
|
self.nonce = None
|
||||||
|
self.nonce_time = 0
|
||||||
|
|
||||||
self.algorithm, jwk = tools.get_key_alg_and_jwk(key)
|
self.algorithm, jwk = tools.get_key_alg_and_jwk(key)
|
||||||
self.account_protected = {
|
self.account_protected = {
|
||||||
|
@ -71,6 +75,7 @@ class ACMEAuthority(AbstractACMEAuthority):
|
||||||
# Store next Replay-Nonce if it is in the header
|
# Store next Replay-Nonce if it is in the header
|
||||||
if 'Replay-Nonce' in resp.headers:
|
if 'Replay-Nonce' in resp.headers:
|
||||||
self.nonce = resp.headers['Replay-Nonce']
|
self.nonce = resp.headers['Replay-Nonce']
|
||||||
|
self.nonce_time = time.time()
|
||||||
|
|
||||||
body = resp.read()
|
body = resp.read()
|
||||||
if getattr(body, 'decode', None):
|
if getattr(body, 'decode', None):
|
||||||
|
@ -95,7 +100,7 @@ class ACMEAuthority(AbstractACMEAuthority):
|
||||||
payload64 = "" # for POST-as-GET
|
payload64 = "" # for POST-as-GET
|
||||||
|
|
||||||
# Request a new nonce if there is none in cache
|
# Request a new nonce if there is none in cache
|
||||||
if not self.nonce:
|
if not self.nonce or time.time() > self.nonce_time + MAX_NONCE_AGE:
|
||||||
self._request_url(self.directory['newNonce'])
|
self._request_url(self.directory['newNonce'])
|
||||||
# Set request nonce to current cache value
|
# Set request nonce to current cache value
|
||||||
protected["nonce"] = self.nonce
|
protected["nonce"] = self.nonce
|
||||||
|
|
Loading…
Reference in New Issue