From 7c9e7f7d0cccd1445eb6ba68a1ce81420e07e6cb Mon Sep 17 00:00:00 2001
From: Kishi85 <git@eightyfive.net>
Date: Thu, 4 Apr 2019 15:12:55 +0200
Subject: [PATCH] authority.v2: use POST-as-GET to remove unauthenticated GET
 requests

As unauthenticated GET requests are soon to be deprecated,
remove all unacceptable usages and replace with POST-as-GET.
See also https://tools.ietf.org/html/rfc8555#section-6.3
---
 acertmgr/authority/v2.py | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/acertmgr/authority/v2.py b/acertmgr/authority/v2.py
index e76ba64..1daa1f0 100644
--- a/acertmgr/authority/v2.py
+++ b/acertmgr/authority/v2.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 
-# acertmgr - acme api v2 functions
+# acertmgr - acme api v2 functions (implements RFC8555)
 # Copyright (c) Rudolf Mayerhofer, 2019.
 # available under the ISC license, see LICENSE
 
@@ -84,17 +84,19 @@ class ACMEAuthority(AbstractACMEAuthority):
 
         return resp.getcode(), body, resp.headers
 
-    # @brief helper function to make signed requests
+    # @brief fetch an url with a signed request
     def _request_acme_url(self, url, payload=None, protected=None, raw_result=False):
-        if not payload:
-            payload = {}
         if not protected:
             protected = {}
-        payload64 = tools.bytes_to_base64url(json.dumps(payload).encode('utf8'))
+
+        if payload:
+            payload64 = tools.bytes_to_base64url(json.dumps(payload).encode('utf8'))
+        else:
+            payload64 = ""  # for POST-as-GET
 
         # Request a new nonce if there is none in cache
         if not self.nonce:
-            self._request_endpoint('newNonce')
+            self._request_url(self.directory['newNonce'])
 
         protected["nonce"] = self.nonce
         protected["url"] = url
@@ -111,10 +113,6 @@ class ACMEAuthority(AbstractACMEAuthority):
         })
         return self._request_url(url, data, raw_result)
 
-    # @brief send a request to authority
-    def _request_endpoint(self, request, data=None, raw_result=False):
-        return self._request_url(self.directory[request], data, raw_result)
-
     # @brief send a signed request to authority
     def _request_acme_endpoint(self, request, payload=None, protected=None, raw_result=False):
         return self._request_acme_url(self.directory[request], payload, protected, raw_result)
@@ -163,7 +161,7 @@ class ACMEAuthority(AbstractACMEAuthority):
         try:
             for authorizationUrl in order['authorizations']:
                 # get new challenge
-                code, authorization, _ = self._request_url(authorizationUrl)
+                code, authorization, _ = self._request_acme_url(authorizationUrl)
                 if code >= 400:
                     raise ValueError("Error requesting authorization: {0} {1}".format(code, authorization))
 
@@ -208,7 +206,7 @@ class ACMEAuthority(AbstractACMEAuthority):
                     # wait for challenge to be verified
                     while code < 400 and challenge_status.get('status') == "pending":
                         time.sleep(5)
-                        code, challenge_status, _ = self._request_url(authorization['_challenge']['url'])
+                        code, challenge_status, _ = self._request_acme_url(authorization['_challenge']['url'])
 
                     if challenge_status.get('status') == "valid":
                         log("{0} verified".format(authorization['_domain']))
@@ -230,10 +228,10 @@ class ACMEAuthority(AbstractACMEAuthority):
                     log('Challenge destruction failed: {}'.format(e), error=True)
 
         # check order status and retry once
-        code, order, _ = self._request_url(order_url)
+        code, order, _ = self._request_acme_url(order_url)
         if code < 400 and order.get('status') == 'pending':
             time.sleep(5)
-            code, order, _ = self._request_url(order_url)
+            code, order, _ = self._request_acme_url(order_url)
         if code >= 400:
             raise ValueError("Order is still not ready to be finalized: {0} {1}".format(code, order))
 
@@ -244,13 +242,13 @@ class ACMEAuthority(AbstractACMEAuthority):
         })
         while code < 400 and (finalize.get('status') == 'pending' or finalize.get('status') == 'processing'):
             time.sleep(5)
-            code, finalize, _ = self._request_url(order_url)
+            code, finalize, _ = self._request_acme_url(order_url)
         if code >= 400:
             raise ValueError("Error finalizing certificate: {0} {1}".format(code, finalize))
         log("Certificate ready!")
 
         # return certificate
-        code, certificate, _ = self._request_url(finalize['certificate'], raw_result=True)
+        code, certificate, _ = self._request_acme_url(finalize['certificate'], raw_result=True)
         if code >= 400:
             raise ValueError("Error downloading certificate chain: {0} {1}".format(code, certificate))