implement dvsni challenge checking

2026-06-08 16:22:18 -04:00 · 2012-07-10 00:25:11 -07:00 · 2012-07-10 00:25:11 -07:00 · 3f03dc4e5c
commit 3f03dc4e5c
parent cfc4cbaae3
1 changed files with 37 additions and 7 deletions
--- a/server-ca/daemon.py
+++ b/server-ca/daemon.py
@ -102,14 +102,47 @@ def testchallenge(session):
    # that it has completed the challenges.  Information about
    # the client's reporting could be stored in the database.
    # Then the CA doesn't need to poll prematurely.
-    if False:  # if challenges all succeed
+    all_satisfied = True
+    for i, name in enumerate(r.lrange("%s:names" % session, 0, -1)):
+        challenge = "%s:%d" % (session, i)
+        challtime = r.hget(challenge, "challtime")
+        challtype = r.hget(challenge, "type")
+        name = r.hget(challenge, "name")
+        satisfied = r.hget(challenge, "satisfied") == "True"
+        failed = r.hget(challenge, "failed") == "True"
+        # TODO: check whether this challenge is too old
+        if not satisfied and not failed:
+            if challtype == 0:  # DomainValidateSNI
+                dvsni_nonce = r.hget(challenge, "dvsni:nonce")
+                dvsni_r = r.hget(challenge, "dvsni:r")
+                dvsni_ext = r.hget(challenge, "dvsni:ext")
+                if verify_challenge(name, dvsni_r, dvsni_nonce)[0]:
+                    r.hset(challenge, "satisfied", True)
+                else: 
+                    all_satisfied = False
+                # TODO: distinguish permanent and temporarily failures
+                # can cause a permanent failure under some conditions, causing
+                # the session to become dead.  TODO: need to articulate what
+                # those conditions are
+            else:
+                # Don't know how to handle this challenge type
+                all_satisfied = False
+        elif not satisfied:
+             all_satisfied = False
+    if all_satisfied:
+        # Challenges all succeeded, so we should prepare to issue
+        # the requested cert.
+        # TODO: double-check that there were > 0 challenges,
+        # so that we don't somehow mistakenly issue a cert in
+        # response to an empty list of challenges (even though
+        # the daemon that put this session on the queue should
+        # also have implicitly guaranteed this).
        r.hset(session, "state", "issue")
        r.lpush("pending-issue", session)
    else:
+        # Some challenges are not verified.
+        # Put this session back on the stack to try to verify again.
        r.lpush("pending-testchallenge", session)
-    # can also cause a failure under some conditions, causing the
-    # session to become dead.  TODO: need to articulate what those
-    # conditions are

 def issue(session):
    if r.hget(session, "live") != "True":
@ -130,9 +163,6 @@ def issue(session):
        # should never happen.
        r.lrem("pending-requests", session)
        return
-    # Note that we can push this back into the original queue.
-    # TODO: need to add a way to make sure we don't test the same
-    # TODO: actually make this call issue the cert
    csr = r.hget(session, "csr")
    cert = CSR.issue(csr)
    r.hset(session, "cert", cert)