temp testfixes

.azure-pipelines/INSTALL.md

@@ -69,12 +69,12 @@ Access can be defined for all or only selected repositories, which is nice.
 ```
 
 - Redirected to Azure DevOps, select the account created in _Having an Azure DevOps account_ section.
-- Select the organization, and click "Create a new project" (let's name it the same than the targeted github repo)
+- Select the organization, and click "Create a new project" (let's name it the same than the targetted github repo)
 - The Visibility is public, to profit from 10 parallel jobs
 
 ```
 !!! ACCESS !!!
-Azure Pipelines needs access to the GitHub account (in term of being able to check it is valid), and the Resources shared between the GitHub account and Azure Pipelines.
+Azure Pipelines needs access to the GitHub account (in term of beeing able to check it is valid), and the Resources shared between the GitHub account and Azure Pipelines.
 ```
 
 _Done. We can move to pipelines configuration._

.azure-pipelines/advanced-test.yml

@@ -1,15 +0,0 @@
-# Advanced pipeline for running our full test suite on demand.
-trigger:
-  # When changing these triggers, please ensure the documentation under
-  # "Running tests in CI" is still correct.
-  - test-*
-pr: none
-
-variables:
-  # We don't publish our Docker images in this pipeline, but when building them
-  # for testing, let's use the nightly tag.
-  dockerTag: nightly
-  snapBuildTimeout: 5400
-
-stages:
-  - template: templates/stages/test-and-package-stage.yml

.azure-pipelines/advanced.yml

@@ -0,0 +1,20 @@
+# Advanced pipeline for isolated checks and release purpose
+trigger:
+  - test-*
+  - '*.x'
+pr:
+  - test-*
+# This pipeline is also nightly run on master
+schedules:
+  - cron: "0 4 * * *"
+    displayName: Nightly build
+    branches:
+      include:
+      - master
+    always: true
+
+jobs:
+  # Any addition here should be reflected in the release pipeline.
+  # It is advised to declare all jobs here as templates to improve maintainability.
+  - template: templates/tests-suite.yml
+  - template: templates/installer-tests.yml

.azure-pipelines/main.yml

@@ -1,18 +1,12 @@
-# We run the test suite on commits to master so codecov gets coverage data
-# about the master branch and can use it to track coverage changes.
 trigger:
+  # apache-parser-v2 is a temporary branch for doing work related to
+  # rewriting the parser in the Apache plugin.
+  - apache-parser-v2
   - master
 pr:
+  - apache-parser-v2
   - master
   - '*.x'
 
-variables:
-  # We set this here to avoid coverage data being uploaded from things like our
-  # nightly pipeline. This is done because codecov (helpfully) keeps track of
-  # the number of coverage uploads for a commit and displays a warning when
-  # comparing two commits with an unequal number of uploads. Only uploading
-  # coverage here should keep the number of uploads it sees consistent.
-  uploadCoverage: true
-
 jobs:
-  - template: templates/jobs/standard-tests-jobs.yml
+  - template: templates/tests-suite.yml

.azure-pipelines/nightly.yml

@@ -1,19 +0,0 @@
-# Nightly pipeline running each day for master.
-trigger: none
-pr: none
-schedules:
-  - cron: "30 4 * * *"
-    displayName: Nightly build
-    branches:
-      include:
-      - master
-    always: true
-
-variables:
-  dockerTag: nightly
-  snapBuildTimeout: 19800
-
-stages:
-  - template: templates/stages/test-and-package-stage.yml
-  - template: templates/stages/nightly-deploy-stage.yml
-  - template: templates/stages/notify-failure-stage.yml

.azure-pipelines/release.yml

@@ -1,17 +1,13 @@
-# Release pipeline to run our full test suite, build artifacts, and deploy them
-# for GitHub release tags.
+# Release pipeline to build and deploy Certbot for Windows for GitHub release tags
 trigger:
   tags:
     include:
       - v*
 pr: none
 
-variables:
-  dockerTag: ${{variables['Build.SourceBranchName']}}
-  snapBuildTimeout: 19800
-
-stages:
-  - template: templates/stages/test-and-package-stage.yml
-  - template: templates/stages/changelog-stage.yml
-  - template: templates/stages/release-deploy-stage.yml
-  - template: templates/stages/notify-failure-stage.yml
+jobs:
+  # Any addition here should be reflected in the advanced pipeline.
+  # It is advised to declare all jobs here as templates to improve maintainability.
+  - template: templates/tests-suite.yml
+  - template: templates/installer-tests.yml
+  - template: templates/changelog.yml

.azure-pipelines/templates/changelog.yml

@@ -0,0 +1,14 @@
+jobs:
+  - job: changelog
+    pool:
+      vmImage: vs2017-win2016
+    steps:
+      - bash: |
+          CERTBOT_VERSION="$(cd certbot && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
+          "${BUILD_REPOSITORY_LOCALPATH}\tools\extract_changelog.py" "${CERTBOT_VERSION}" >> "${BUILD_ARTIFACTSTAGINGDIRECTORY}/release_notes.md"
+        displayName: Prepare changelog
+      - task: PublishPipelineArtifact@1
+        inputs:
+          path: $(Build.ArtifactStagingDirectory)
+          artifact: changelog
+        displayName: Publish changelog

.azure-pipelines/templates/installer-tests.yml

@@ -0,0 +1,54 @@
+jobs:
+  - job: installer_build
+    pool:
+      vmImage: vs2017-win2016
+    steps:
+      - task: UsePythonVersion@0
+        inputs:
+          versionSpec: 3.7
+          architecture: x86
+          addToPath: true
+      - script: python windows-installer/construct.py
+        displayName: Build Certbot installer
+      - task: CopyFiles@2
+        inputs:
+          sourceFolder: $(System.DefaultWorkingDirectory)/windows-installer/build/nsis
+          contents: '*.exe'
+          targetFolder: $(Build.ArtifactStagingDirectory)
+      - task: PublishPipelineArtifact@1
+        inputs:
+          path: $(Build.ArtifactStagingDirectory)
+          artifact: windows-installer
+        displayName: Publish Windows installer
+  - job: installer_run
+    dependsOn: installer_build
+    strategy:
+      matrix:
+        win2019:
+          imageName: windows-2019
+        win2016:
+          imageName: vs2017-win2016
+        win2012r2:
+          imageName: vs2015-win2012r2
+    pool:
+      vmImage: $(imageName)
+    steps:
+      - task: DownloadPipelineArtifact@2
+        inputs:
+          artifact: windows-installer
+          path: $(Build.SourcesDirectory)/bin
+        displayName: Retrieve Windows installer
+      - script: $(Build.SourcesDirectory)\bin\certbot-beta-installer-win32.exe /S
+        displayName: Install Certbot
+      - powershell: Invoke-WebRequest https://www.python.org/ftp/python/3.8.0/python-3.8.0-amd64-webinstall.exe -OutFile C:\py3-setup.exe
+        displayName: Get Python
+      - script: C:\py3-setup.exe /quiet PrependPath=1 InstallAllUsers=1 Include_launcher=1 InstallLauncherAllUsers=1 Include_test=0 Include_doc=0 Include_dev=1 Include_debug=0 Include_tcltk=0 TargetDir=C:\py3
+        displayName: Install Python
+      - script: |
+          py -3 -m venv venv
+          venv\Scripts\python tools\pip_install.py -e certbot-ci
+        displayName: Prepare Certbot-CI
+      - script: |
+          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
+          venv\Scripts\python -m pytest certbot-ci\certbot_integration_tests\certbot_tests -n 4
+        displayName: Run integration tests

.azure-pipelines/templates/jobs/common-deploy-jobs.yml

@@ -1,128 +0,0 @@
-# As (somewhat) described at
-# https://docs.microsoft.com/en-us/azure/devops/pipelines/process/templates?view=azure-devops#context,
-# each template only has access to the parameters passed into it. To help make
-# use of this design, we define snapReleaseChannel without a default value
-# which requires the user of this template to define it as described at
-# https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema/parameters-name?view=azure-pipelines#remarks.
-# This makes the user of this template be explicit while allowing them to
-# define their own parameters with defaults that make sense for that context.
-parameters:
-- name: snapReleaseChannel
-  type: string
-  values:
-  - edge
-  - beta
-
-jobs:
-  # This job relies on credentials used to publish the Certbot snaps. This
-  # credential file was created by running:
-  #
-  #   snapcraft logout
-  #   snapcraft export-login --channels=beta,edge snapcraft.cfg
-  #     (provide the shared snapcraft credentials when prompted)
-  #
-  # Then the file was added as a secure file in Azure pipelines
-  # with the name snapcraft.cfg by following the instructions at
-  # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops
-  # including authorizing the file for use in the "nightly" and "release"
-  # pipelines as described at
-  # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops#q-how-do-i-authorize-a-secure-file-for-use-in-a-specific-pipeline.
-  #
-  # This file has a maximum lifetime of one year and the current file will
-  # expire on 2024-02-10. The file will need to be updated before then to
-  # prevent automated deploys from breaking.
-  #
-  # Revoking these credentials can be done by changing the password of the
-  # account used to generate the credentials. See
-  # https://forum.snapcraft.io/t/revoking-exported-credentials/19031 for
-  # more info.
-  - job: publish_snap
-    pool:
-      vmImage: ubuntu-22.04
-    variables:
-      - group: certbot-common
-    strategy:
-      matrix:
-        amd64:
-          SNAP_ARCH: amd64
-        arm32v6:
-          SNAP_ARCH: armhf
-        arm64v8:
-          SNAP_ARCH: arm64
-    steps:
-      - bash: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends snapd
-          sudo snap install --classic snapcraft
-        displayName: Install dependencies
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: snaps_$(SNAP_ARCH)
-          path: $(Build.SourcesDirectory)/snap
-        displayName: Retrieve Certbot snaps
-      - task: DownloadSecureFile@1
-        name: snapcraftCfg
-        inputs:
-          secureFile: snapcraft.cfg
-      - bash: |
-          set -e
-          export SNAPCRAFT_STORE_CREDENTIALS=$(cat "$(snapcraftCfg.secureFilePath)")
-          for SNAP_FILE in snap/*.snap; do
-            tools/retry.sh eval snapcraft upload --release=${{ parameters.snapReleaseChannel }} "${SNAP_FILE}"
-          done
-        displayName: Publish to Snap store
-  # The credentials used in the following jobs are for the shared
-  # certbotbot account on Docker Hub. The credentials are stored
-  # in a service account which was created by following the
-  # instructions at
-  # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#sep-docreg.
-  # The name given to this service account must match the value
-  # given to containerRegistry below. The authentication used when
-  # creating this service account was a personal access token
-  # rather than a password to bypass 2FA. When Brad set this up,
-  # Azure Pipelines failed to verify the credentials with an error
-  # like "access is forbidden with a JWT issued from a personal
-  # access token", but after saving them without verification, the
-  # access token worked when the pipeline actually ran. "Grant
-  # access to all pipelines" should also be checked on the service
-  # account. The access token can be deleted on Docker Hub if
-  # these credentials need to be revoked.
-  - job: publish_docker_by_arch
-    pool:
-      vmImage: ubuntu-22.04
-    strategy:
-      matrix:
-        arm32v6:
-          DOCKER_ARCH: arm32v6
-        arm64v8:
-          DOCKER_ARCH: arm64v8
-        amd64:
-          DOCKER_ARCH: amd64
-    steps:
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: docker_$(DOCKER_ARCH)
-          path: $(Build.SourcesDirectory)
-        displayName: Retrieve Docker images
-      - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
-        displayName: Load Docker images
-      - task: Docker@2
-        inputs:
-          command: login
-          containerRegistry: docker-hub
-        displayName: Login to Docker Hub
-      - bash: set -e && tools/docker/deploy_images.sh $(dockerTag) $DOCKER_ARCH
-        displayName: Deploy the Docker images by architecture
-  - job: publish_docker_multiarch
-    dependsOn: publish_docker_by_arch
-    pool:
-      vmImage: ubuntu-22.04
-    steps:
-      - task: Docker@2
-        inputs:
-          command: login
-          containerRegistry: docker-hub
-        displayName: Login to Docker Hub
-      - bash: set -e && tools/docker/deploy_manifests.sh $(dockerTag) all
-        displayName: Deploy the Docker multiarch manifests

.azure-pipelines/templates/jobs/extended-tests-jobs.yml

@@ -1,57 +0,0 @@
-jobs:
-  - job: extended_test
-    variables:
-      - name: IMAGE_NAME
-        value: ubuntu-22.04
-      - name: PYTHON_VERSION
-        value: 3.12
-      - group: certbot-common
-    strategy:
-      matrix:
-        linux-py39:
-          PYTHON_VERSION: 3.9
-          TOXENV: py39
-        linux-py310:
-          PYTHON_VERSION: 3.10
-          TOXENV: py310
-        linux-py311:
-          PYTHON_VERSION: 3.11
-          TOXENV: py311
-        linux-isolated:
-          TOXENV: 'isolated-acme,isolated-certbot,isolated-apache,isolated-cloudflare,isolated-digitalocean,isolated-dnsimple,isolated-dnsmadeeasy,isolated-gehirn,isolated-google,isolated-linode,isolated-luadns,isolated-nsone,isolated-ovh,isolated-rfc2136,isolated-route53,isolated-sakuracloud,isolated-nginx'
-        linux-integration-certbot-oldest:
-          PYTHON_VERSION: 3.8
-          TOXENV: integration-certbot-oldest
-        linux-integration-nginx-oldest:
-          PYTHON_VERSION: 3.8
-          TOXENV: integration-nginx-oldest
-        # python 3.8 integration tests are not run here because they're run as    
-        # part of the standard test suite 
-        linux-py39-integration:
-          PYTHON_VERSION: 3.9
-          TOXENV: integration
-        linux-py310-integration:
-          PYTHON_VERSION: 3.10
-          TOXENV: integration
-        linux-py311-integration:
-          PYTHON_VERSION: 3.11
-          TOXENV: integration
-        linux-py312-integration:
-          PYTHON_VERSION: 3.12
-          TOXENV: integration
-        nginx-compat:
-          TOXENV: nginx_compat
-        linux-integration-rfc2136:
-          IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
-          TOXENV: integration-dns-rfc2136
-        le-modification:
-          IMAGE_NAME: ubuntu-22.04
-          TOXENV: modification
-        farmtest-apache2:
-          PYTHON_VERSION: 3.8
-          TOXENV: test-farm-apache2
-    pool:
-      vmImage: $(IMAGE_NAME)
-    steps:
-      - template: ../steps/tox-steps.yml

.azure-pipelines/templates/jobs/packaging-jobs.yml

@@ -1,159 +0,0 @@
-jobs:
-  - job: docker_build
-    pool:
-      vmImage: ubuntu-22.04
-    strategy:
-      matrix:
-        arm32v6:
-          DOCKER_ARCH: arm32v6
-        arm64v8:
-          DOCKER_ARCH: arm64v8
-        amd64:
-          DOCKER_ARCH: amd64
-    # The default timeout of 60 minutes is a little low for compiling
-    # cryptography on ARM architectures.
-    timeoutInMinutes: 180
-    steps:
-      - bash: set -e && tools/docker/build.sh $(dockerTag) $DOCKER_ARCH
-        displayName: Build the Docker images
-      # We don't filter for the Docker Hub organization to continue to allow
-      # easy testing of these scripts on forks.
-      - bash: |
-          set -e
-          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}')
-          docker save --output images.tar $DOCKER_IMAGES
-        displayName: Save the Docker images
-      # If the name of the tar file or artifact changes, the deploy stage will
-      # also need to be updated.
-      - bash: set -e && mv images.tar $(Build.ArtifactStagingDirectory)
-        displayName: Prepare Docker artifact
-      - task: PublishPipelineArtifact@1
-        inputs:
-          path: $(Build.ArtifactStagingDirectory)
-          artifact: docker_$(DOCKER_ARCH)
-        displayName: Store Docker artifact
-  - job: docker_test
-    dependsOn: docker_build
-    pool:
-      vmImage: ubuntu-22.04
-    strategy:
-      matrix:
-        arm32v6:
-          DOCKER_ARCH: arm32v6
-        arm64v8:
-          DOCKER_ARCH: arm64v8
-        amd64:
-          DOCKER_ARCH: amd64
-    steps:
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: docker_$(DOCKER_ARCH)
-          path: $(Build.SourcesDirectory)
-        displayName: Retrieve Docker images
-      - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
-        displayName: Load Docker images
-      - bash: |
-          set -e && tools/docker/test.sh $(dockerTag) $DOCKER_ARCH
-        displayName: Run integration tests for Docker images
-  - job: snaps_build
-    pool:
-      vmImage: ubuntu-22.04
-    strategy:
-      matrix:
-        amd64:
-          SNAP_ARCH: amd64
-        armhf:
-          SNAP_ARCH: armhf
-        arm64:
-          SNAP_ARCH: arm64
-    timeoutInMinutes: 0
-    steps:
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends snapd
-          sudo snap install --classic snapcraft
-        displayName: Install dependencies
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.12
-          addToPath: true
-      - task: DownloadSecureFile@1
-        name: credentials
-        inputs:
-          secureFile: launchpad-credentials
-      - script: |
-          set -e
-          git config --global user.email "$(Build.RequestedForEmail)"
-          git config --global user.name "$(Build.RequestedFor)"
-          mkdir -p ~/.local/share/snapcraft/provider/launchpad
-          cp $(credentials.secureFilePath) ~/.local/share/snapcraft/provider/launchpad/credentials
-          python3 tools/snap/build_remote.py ALL --archs ${SNAP_ARCH} --timeout $(snapBuildTimeout)
-        displayName: Build snaps
-      - script: |
-          set -e
-          mv *.snap $(Build.ArtifactStagingDirectory)
-          mv certbot-dns-*/*.snap $(Build.ArtifactStagingDirectory)
-        displayName: Prepare artifacts
-      - task: PublishPipelineArtifact@1
-        inputs:
-          path: $(Build.ArtifactStagingDirectory)
-          artifact: snaps_$(SNAP_ARCH)
-        displayName: Store snaps artifacts
-  - job: snap_run
-    dependsOn: snaps_build
-    pool:
-      vmImage: ubuntu-22.04
-    steps:
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.12
-          addToPath: true
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends nginx-light snapd
-          python3 -m venv venv
-          venv/bin/python tools/pip_install.py -U tox
-        displayName: Install dependencies
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: snaps_amd64
-          path: $(Build.SourcesDirectory)/snap
-        displayName: Retrieve Certbot snaps
-      - script: |
-          set -e
-          sudo snap install --dangerous --classic snap/certbot_*.snap
-        displayName: Install Certbot snap
-      - script: |
-          set -e
-          venv/bin/python -m tox run -e integration-external,apacheconftest-external-with-pebble
-        displayName: Run tox
-  - job: snap_dns_run
-    dependsOn: snaps_build
-    pool:
-      vmImage: ubuntu-22.04
-    steps:
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends snapd
-        displayName: Install dependencies
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.12
-          addToPath: true
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: snaps_amd64
-          path: $(Build.SourcesDirectory)/snap
-        displayName: Retrieve Certbot snaps
-      - script: |
-          set -e
-          python3 -m venv venv
-          venv/bin/python tools/pip_install.py -e certbot-ci
-        displayName: Prepare Certbot-CI
-      - script: |
-          set -e
-          sudo -E venv/bin/pytest certbot-ci/snap_integration_tests/dns_tests --allow-persistent-changes --snap-folder $(Build.SourcesDirectory)/snap --snap-arch amd64
-        displayName: Test DNS plugins snaps

.azure-pipelines/templates/jobs/standard-tests-jobs.yml

@@ -1,57 +0,0 @@
-jobs:
-  - job: test
-    variables:
-      PYTHON_VERSION: 3.12
-    strategy:
-      matrix:
-        macos-py38-cover:
-          IMAGE_NAME: macOS-12
-          PYTHON_VERSION: 3.8
-          TOXENV: cover
-          # As of pip 23.1.0, builds started failing on macOS unless this flag was set.
-          # See https://github.com/certbot/certbot/pull/9717#issuecomment-1610861794.
-          PIP_USE_PEP517: "true"
-        macos-cover:
-          IMAGE_NAME: macOS-13
-          TOXENV: cover
-          # See explanation under macos-py38-cover.
-          PIP_USE_PEP517: "true"
-        linux-oldest:
-          IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
-          TOXENV: oldest
-        linux-py38:
-          IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
-          TOXENV: py38
-        linux-cover:
-          IMAGE_NAME: ubuntu-22.04
-          TOXENV: cover
-        linux-lint:
-          IMAGE_NAME: ubuntu-22.04
-          TOXENV: lint-posix
-        linux-mypy:
-          IMAGE_NAME: ubuntu-22.04
-          TOXENV: mypy
-        linux-integration:
-          IMAGE_NAME: ubuntu-22.04
-          PYTHON_VERSION: 3.8
-          TOXENV: integration
-        apache-compat:
-          IMAGE_NAME: ubuntu-22.04
-          TOXENV: apache_compat
-        apacheconftest:
-          IMAGE_NAME: ubuntu-22.04
-          TOXENV: apacheconftest-with-pebble
-        nginxroundtrip:
-          IMAGE_NAME: ubuntu-22.04
-          TOXENV: nginxroundtrip
-    pool:
-      vmImage: $(IMAGE_NAME)
-    steps:
-      - template: ../steps/tox-steps.yml
-  - job: test_sphinx_builds
-    pool:
-      vmImage: ubuntu-20.04
-    steps:
-      - template: ../steps/sphinx-steps.yml

.azure-pipelines/templates/stages/changelog-stage.yml

@@ -1,19 +0,0 @@
-stages:
-  - stage: Changelog
-    jobs:
-      - job: prepare
-        pool:
-          vmImage: windows-2019
-        steps:
-          # If we change the output filename from `release_notes.md`, it should also be changed in tools/create_github_release.py
-          - bash: |
-              set -e
-              CERTBOT_VERSION="$(cd certbot && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
-              "${BUILD_REPOSITORY_LOCALPATH}\tools\extract_changelog.py" "${CERTBOT_VERSION}" >> "${BUILD_ARTIFACTSTAGINGDIRECTORY}/release_notes.md"
-            displayName: Prepare changelog
-          - task: PublishPipelineArtifact@1
-            inputs:
-              path: $(Build.ArtifactStagingDirectory)
-              # If we change the artifact's name, it should also be changed in tools/create_github_release.py
-              artifact: changelog
-            displayName: Publish changelog

.azure-pipelines/templates/stages/nightly-deploy-stage.yml

@@ -1,6 +0,0 @@
-stages:
-  - stage: Deploy
-    jobs:
-      - template: ../jobs/common-deploy-jobs.yml
-        parameters:
-          snapReleaseChannel: edge

.azure-pipelines/templates/stages/notify-failure-stage.yml

@@ -1,19 +0,0 @@
-stages:
-  - stage: On_Failure
-    jobs:
-      - job: notify_mattermost
-        variables:
-          - group: certbot-common
-        pool:
-          vmImage: ubuntu-20.04
-        steps:
-          - bash: |
-              set -e
-              MESSAGE="\
-              ---\n\
-              ##### Azure Pipeline
-              *Repo* $(Build.Repository.ID) - *Pipeline* $(Build.DefinitionName) #$(Build.BuildNumber) - *Branch/PR* $(Build.SourceBranchName)\n\
-              :warning: __Pipeline has failed__: [Link to the build](https://dev.azure.com/$(Build.Repository.ID)/_build/results?buildId=$(Build.BuildId)&view=results)\n\n\
-              ---"
-              curl -i -X POST --data-urlencode "payload={\"text\":\"${MESSAGE}\"}" "$(MATTERMOST_URL)"
-    condition: failed()

.azure-pipelines/templates/stages/release-deploy-stage.yml

@@ -1,38 +0,0 @@
-stages:
-  - stage: Deploy
-    jobs:
-      - template: ../jobs/common-deploy-jobs.yml
-        parameters:
-          snapReleaseChannel: beta
-      - job: create_github_release
-        pool:
-          vmImage: ubuntu-22.04
-        steps:
-        - task: DownloadPipelineArtifact@2
-          inputs:
-            artifact: changelog
-            path: '$(Pipeline.Workspace)'
-        - task: GitHubRelease@1
-          inputs:
-            # this "github-releases" credential is what azure pipelines calls a
-            # "service connection". it was created using the instructions at
-            # https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#github-service-connection
-            # with a fine-grained personal access token from github to limit
-            # the permissions given to azure pipelines. the connection on azure
-            # needs permissions for the "release" pipeline (and maybe the
-            # "full-test-suite" pipeline to simplify testing it). information
-            # on how to set up these permissions can be found at
-            # https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#secure-a-service-connection.
-            # the github token that is used needs "contents:write" and
-            # "workflows:write" permissions for the certbot repo
-            #
-            # as of writing this, the current token will expire on 3/15/2025.
-            # when recreating it, you may also want to create it using the
-            # shared "certbotbot" github account so the credentials aren't tied
-            # to any one dev's github account and their access to the certbot
-            # repo
-            gitHubConnection: github-releases
-            title: ${{ format('Certbot {0}', replace(variables['Build.SourceBranchName'], 'v', '')) }}
-            releaseNotesFilePath: '$(Pipeline.Workspace)/release_notes.md'
-            assets: '$(Build.SourcesDirectory)/packages/{*.tar.gz,SHA256SUMS*}'
-            addChangeLog: false

.azure-pipelines/templates/stages/test-and-package-stage.yml

@@ -1,6 +0,0 @@
-stages:
-  - stage: TestAndPackage
-    jobs:
-      - template: ../jobs/standard-tests-jobs.yml
-      - template: ../jobs/extended-tests-jobs.yml
-      - template: ../jobs/packaging-jobs.yml

.azure-pipelines/templates/steps/sphinx-steps.yml

@@ -1,24 +0,0 @@
-steps:
-  - bash: |
-      set -e
-      sudo apt-get update
-      sudo apt-get install -y --no-install-recommends libaugeas0
-      FINAL_STATUS=0
-      declare -a FAILED_BUILDS
-      tools/venv.py
-      source venv/bin/activate
-      for doc_path in */docs
-      do
-        echo ""
-        echo "##[group]Building $doc_path"
-        if ! sphinx-build -W --keep-going -b html $doc_path $doc_path/_build/html; then
-          FINAL_STATUS=1
-          FAILED_BUILDS[${#FAILED_BUILDS[@]}]="${doc_path%/docs}"
-        fi
-        echo "##[endgroup]"
-      done
-      if [[ $FINAL_STATUS -ne 0 ]]; then
-        echo "##[error]The following builds failed: ${FAILED_BUILDS[*]}"
-        exit 1
-      fi
-    displayName: Build Sphinx Documentation

.azure-pipelines/templates/steps/tox-steps.yml

@@ -1,77 +0,0 @@
-# This does not include the dependencies needed to build cryptography. See
-# https://cryptography.io/en/latest/installation/
-steps:
-  # We run brew update because we've seen attempts to install an older version
-  # of a package fail. See
-  # https://github.com/actions/virtual-environments/issues/3165.
-  #
-  # We untap homebrew/core and homebrew/cask and unset HOMEBREW_NO_INSTALL_FROM_API (which
-  # is set by the CI macOS env) because GitHub has been having issues, making these jobs
-  # fail on git clones: https://github.com/orgs/Homebrew/discussions/4612.
-  - bash: |
-      set -e
-      unset HOMEBREW_NO_INSTALL_FROM_API
-      brew untap homebrew/core homebrew/cask
-      brew update
-      brew install augeas
-    condition: startswith(variables['IMAGE_NAME'], 'macOS')
-    displayName: Install MacOS dependencies
-  - bash: |
-      set -e
-      sudo apt-get update
-      sudo apt-get install -y --no-install-recommends \
-        libaugeas0 \
-        nginx-light
-      sudo systemctl stop nginx
-      sudo sysctl net.ipv4.ip_unprivileged_port_start=0
-    condition: startswith(variables['IMAGE_NAME'], 'ubuntu')
-    displayName: Install Linux dependencies
-  - task: UsePythonVersion@0
-    inputs:
-      versionSpec: $(PYTHON_VERSION)
-      addToPath: true
-  - bash: |
-      set -e
-      python3 tools/pip_install.py tox
-    displayName: Install runtime dependencies
-  - task: DownloadSecureFile@1
-    name: testFarmPem
-    inputs:
-      secureFile: azure-test-farm.pem
-    condition: contains(variables['TOXENV'], 'test-farm')
-  - bash: |
-      set -e
-      export TARGET_BRANCH="`echo "${BUILD_SOURCEBRANCH}" | sed -E 's!refs/(heads|tags)/!!g'`"
-      [ -z "${SYSTEM_PULLREQUEST_TARGETBRANCH}" ] || export TARGET_BRANCH="${SYSTEM_PULLREQUEST_TARGETBRANCH}"
-      env
-      python3 -m tox run
-    env:
-      AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
-      AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
-      AWS_EC2_PEM_FILE: $(testFarmPem.secureFilePath)
-    displayName: Run tox
-    # For now, let's omit `set -e` and avoid the script exiting with a nonzero
-    # status code to prevent problems here from causing build failures.  If
-    # this turns out to work well, we can change this.
-  - bash: |
-      python3 tools/pip_install.py -I coverage
-      case "$AGENT_OS" in
-        Darwin)
-          CODECOV_URL="https://uploader.codecov.io/latest/macos/codecov"
-          ;;
-        Linux)
-          CODECOV_URL="https://uploader.codecov.io/latest/linux/codecov"
-          ;;
-        Windows_NT)
-          CODECOV_URL="https://uploader.codecov.io/latest/windows/codecov.exe"
-          ;;
-        *)
-          echo "Unexpected OS"
-          exit 0
-      esac
-      curl --retry 3 -o codecov "$CODECOV_URL"
-      chmod +x codecov
-      coverage xml
-      ./codecov || echo "Uploading coverage data failed"
-    condition: and(eq(variables['uploadCoverage'], true), or(startsWith(variables['TOXENV'], 'cover'), startsWith(variables['TOXENV'], 'integration')))
-    displayName: Upload coverage data

.azure-pipelines/templates/tests-suite.yml

@@ -0,0 +1,38 @@
+jobs:
+  - job: test
+    pool:
+      vmImage: vs2017-win2016
+    strategy:
+      matrix:
+        py35:
+          PYTHON_VERSION: 3.5
+          TOXENV: py35
+        py37-cover:
+          PYTHON_VERSION: 3.7
+          TOXENV: py37-cover
+        integration-certbot:
+          PYTHON_VERSION: 3.7
+          TOXENV: integration-certbot
+          PYTEST_ADDOPTS: --numprocesses 4
+    variables:
+    - group: certbot-common
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: $(PYTHON_VERSION)
+        addToPath: true
+    - script: python tools/pip_install.py -U tox coverage
+      displayName: Install dependencies
+    - script: python -m tox
+      displayName: Run tox
+    # We do not require codecov report upload to succeed. So to avoid to break the pipeline if
+    # something goes wrong, each command is suffixed with a command that hides any non zero exit
+    # codes and echoes an informative message instead.
+    - bash: |
+        curl -s https://codecov.io/bash -o codecov-bash || echo "Failed to download codecov-bash"
+        chmod +x codecov-bash || echo "Failed to apply execute permissions on codecov-bash"
+        ./codecov-bash -F windows  || echo "Codecov did not collect coverage reports"
+      condition: in(variables['TOXENV'], 'py37-cover', 'integration-certbot')
+      env:
+        CODECOV_TOKEN: $(codecov_token)
+      displayName: Publish coverage

.codecov.yml

@@ -0,0 +1,18 @@
+coverage:
+  status:
+    project:
+      default: off
+      linux:
+        flags: linux
+        # Fixed target instead of auto set by #7173, can
+        # be removed when flags in Codecov are added back.
+        target: 97.4
+        threshold: 0.1
+        base: auto
+      windows:
+        flags: windows
+        # Fixed target instead of auto set by #7173, can
+        # be removed when flags in Codecov are added back.
+        target: 97.4
+        threshold: 0.1
+        base: auto

.coveragerc

@@ -1,24 +1,5 @@
 [run]
 omit = */setup.py
-source =
-    acme
-    certbot
-    certbot-apache
-    certbot-dns-cloudflare
-    certbot-dns-digitalocean
-    certbot-dns-dnsimple
-    certbot-dns-dnsmadeeasy
-    certbot-dns-gehirn
-    certbot-dns-google
-    certbot-dns-linode
-    certbot-dns-luadns
-    certbot-dns-nsone
-    certbot-dns-ovh
-    certbot-dns-rfc2136
-    certbot-dns-route53
-    certbot-dns-sakuracloud
-    certbot-nginx
 
 [report]
 omit = */setup.py
-show_missing = True

.dockerignore

@@ -8,4 +8,5 @@
 .git
 .tox
 venv
+venv3
 docs

.editorconfig

@@ -1,18 +0,0 @@
-# https://editorconfig.org/
-
-root = true
-
-[*]
-insert_final_newline = true
-trim_trailing_whitespace = true
-end_of_line = lf
-
-[*.py]
-indent_style = space
-indent_size = 4
-charset = utf-8
-max_line_length = 100
-
-[*.yaml]
-indent_style = space
-indent_size = 2

.github/FUNDING.yml

@@ -1 +0,0 @@
-custom: https://supporters.eff.org/donate/support-work-on-certbot

.github/codecov.yml

@@ -1,7 +0,0 @@
-# This disables all reporting from codecov. Let's just set it up to collect
-# data for now and then we can play with the settings here.
-comment: false
-coverage:
-  status:
-    project: off
-    patch: off

.github/stale.yml

@@ -0,0 +1,35 @@
+# Configuration for https://github.com/marketplace/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 365
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+# When changing this value, be sure to also update markComment below.
+daysUntilClose: 30
+
+# Ignore issues with an assignee (defaults to false)
+exemptAssignees: true
+
+# Label to use when marking as stale
+staleLabel: needs-update
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  We've made a lot of changes to Certbot since this issue was opened. If you
+  still have this issue with an up-to-date version of Certbot, can you please
+  add a comment letting us know? This helps us to better see what issues are
+  still affecting our users. If there is no activity in the next 30 days, this
+  issue will be automatically closed.
+
+# Comment to post when closing a stale Issue or Pull Request.
+closeComment: >
+  This issue has been closed due to lack of activity, but if you think it
+  should be reopened, please open a new issue with a link to this one and we'll
+  take a look.
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 1
+
+# Don't mark pull requests as stale.
+only: issues

.github/workflows/merged.yaml

@@ -1,21 +0,0 @@
-name: Merge Event
-
-on:
-  pull_request:
-    types:
-      - closed
-
-jobs:
-  if_merged:
-    # Forked repos can not access Mattermost secret.
-    if: github.event.pull_request.merged == true && !github.event.pull_request.head.repo.fork 
-    runs-on: ubuntu-latest
-    steps:
-    - uses: mattermost/action-mattermost-notify@master
-      with:
-        MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_MERGE_WEBHOOK }}
-        TEXT: >
-          [${{ github.repository }}] |
-          [${{ github.event.pull_request.title }}
-          #${{ github.event.number }}](https://github.com/${{ github.repository }}/pull/${{ github.event.number }}
-          was merged into master by ${{ github.actor }}

.github/workflows/notify_weekly.yaml

@@ -1,25 +0,0 @@
-name: Weekly Github Update
-
-on:
-  schedule:
-    # Every week on Thursday @ 13:00
-    - cron: "0 13 * * 4"
-jobs:
-  send-mattermost-message:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Create Mattermost Message
-      run: |
-        DATE=$(date  --date="7 days ago" +"%Y-%m-%d")
-        MERGED_URL="https://github.com/pulls?q=merged%3A%3E${DATE}+org%3Acertbot"
-        UPDATED_URL="https://github.com/pulls?q=updated%3A%3E${DATE}+org%3Acertbot"
-        echo "{\"text\":\"## Updates Across Certbot Repos\n\n
-        - Certbot team members SHOULD look at: [link]($MERGED_URL)\n\n
-        - Certbot team members MAY also want to look at: [link]($UPDATED_URL)\n\n
-        - Want to Discuss something today? Place it [here](https://docs.google.com/document/d/17YMUbtC1yg6MfiTMwT8zVm9LmO-cuGVBom0qFn8XJBM/edit?usp=sharing) and we can meet today on Zoom.\n\n 
-        - The key words SHOULD and MAY in this message are to be interpreted as described in [RFC 8147](https://www.rfc-editor.org/rfc/rfc8174). \"
-        }" > mattermost.json
-    - uses: mattermost/action-mattermost-notify@master
-      env:
-        MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}

.github/workflows/stale.yml

@@ -1,47 +0,0 @@
-name: Update Stale Issues
-on:
-  schedule:
-    # Run 1:24AM every night
-    - cron: '24 1 * * *'
-permissions:
-  issues: write
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/stale@v6
-        with:
-          # Idle number of days before marking issues stale
-          days-before-issue-stale: 365
-
-          # Never mark PRs as stale
-          days-before-pr-stale: -1
-
-          # Idle number of days before closing stale issues
-          days-before-issue-close: 30
-
-          # Never close PRs
-          days-before-pr-close: -1
-
-          # Ignore issues with an assignee
-          exempt-all-issue-assignees: true
-
-          # Label to use when marking as stale
-          stale-issue-label: needs-update
-
-          stale-issue-message: >
-            We've made a lot of changes to Certbot since this issue was opened. If you
-            still have this issue with an up-to-date version of Certbot, can you please
-            add a comment letting us know? This helps us to better see what issues are
-            still affecting our users. If there is no activity in the next 30 days, this
-            issue will be automatically closed.
-
-          close-issue-message: >
-            This issue has been closed due to lack of activity, but if you think it
-            should be reopened, please open a new issue with a link to this one and we'll
-            take a look.
-
-          # Limit the number of actions per run. As of writing this, GitHub's
-          # rate limit is 1000 requests per hour so we're still a ways off. See
-          # https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#rate-limits-for-requests-from-github-actions.
-          operations-per-run: 180

.gitignore

@@ -4,16 +4,16 @@
 build/
 dist*/
 /venv*/
+/kgs/
 /.tox/
 /releases*/
 /log*
 letsencrypt.log
 certbot.log
-poetry.lock
+letsencrypt-auto-source/letsencrypt-auto.sig.lzma.base64
 
 # coverage
 .coverage
-.coverage.*
 /htmlcov/
 
 /.vagrant
@@ -26,11 +26,15 @@ tags
 \#*#
 .idea
 .ropeproject
-.vscode
 
 # auth --cert-path --chain-path
 /*.pem
 
+# letstest
+tests/letstest/letest-*/
+tests/letstest/*.pem
+tests/letstest/venv/
+
 .venv
 
 # pytest cache
@@ -45,18 +49,3 @@ tags
 .certbot_test_workspace
 **/assets/pebble*
 **/assets/challtestsrv*
-
-# snap files
-.snapcraft
-parts
-prime
-stage
-*.snap
-snap-constraints.txt
-qemu-*
-certbot-dns*/certbot-dns*_amd64*.txt
-certbot-dns*/certbot-dns*_arm*.txt
-/certbot_amd64*.txt
-/certbot_arm*.txt
-certbot-dns*/snap
-snapcraft.cfg

.isort.cfg

@@ -1,7 +1,7 @@
 [settings]
 skip_glob=venv*
+skip=letsencrypt-auto-source
 force_sort_within_sections=True
 force_single_line=True
 order_by_type=False
 line_length=400
-src_paths=acme/acme,acme/tests,certbot*/certbot*,certbot*/tests

.pylintrc

@@ -1,373 +1,51 @@
-[MAIN]
+[MASTER]
 
-# Analyse import fallback blocks. This can be used to support both Python 2 and
-# 3 compatible code, which means that the block might have code that exists
-# only in one or another interpreter, leading to false positives when analysed.
-analyse-fallback-blocks=no
+# use as many jobs as there are cores
+jobs=0
 
-# Load and enable all available extensions. Use --list-extensions to see a list
-# all available extensions.
-#enable-all-extensions=
-
-# In error mode, messages with a category besides ERROR or FATAL are
-# suppressed, and no reports are done by default. Error mode is compatible with
-# disabling specific errors.
-#errors-only=
-
-# Always return a 0 (non-error) status code, even if lint errors are found.
-# This is primarily useful in continuous integration scripts.
-#exit-zero=
-
-# A comma-separated list of package or module names from where C extensions may
-# be loaded. Extensions are loading into the active Python interpreter and may
-# run arbitrary code.
-extension-pkg-allow-list=
-
-# A comma-separated list of package or module names from where C extensions may
-# be loaded. Extensions are loading into the active Python interpreter and may
-# run arbitrary code. (This is an alternative name to extension-pkg-allow-list
-# for backward compatibility.)
-extension-pkg-whitelist=pywintypes,win32api,win32file,win32security
-
-# Return non-zero exit code if any of these messages/categories are detected,
-# even if score is above --fail-under value. Syntax same as enable. Messages
-# specified are enabled, while categories only check already-enabled messages.
-fail-on=
-
-# Specify a score threshold under which the program will exit with error.
-fail-under=10
-
-# Interpret the stdin as a python script, whose filename needs to be passed as
-# the module_or_package argument.
-#from-stdin=
-
-# Files or directories to be skipped. They should be base names, not paths.
-ignore=CVS
-
-# Add files or directories matching the regular expressions patterns to the
-# ignore-list. The regex matches against paths and can be in Posix or Windows
-# format. Because '\' represents the directory delimiter on Windows systems, it
-# can't be used as an escape character.
-# CERTBOT COMMENT
-# Changing this line back to the default of `ignore-paths=` is being tracked by
-# https://github.com/certbot/certbot/issues/7908.
-ignore-paths=.*/_internal/tests/
-
-# Files or directories matching the regular expression patterns are skipped.
-# The regex matches against base names, not paths. The default value ignores
-# Emacs file locks
-ignore-patterns=^\.#
-
-# List of module names for which member attributes should not be checked
-# (useful for modules/projects where namespaces are manipulated during runtime
-# and thus existing member attributes cannot be deduced by static analysis). It
-# supports qualified module names, as well as Unix pattern matching.
-ignored-modules=
+# Specify a configuration file.
+#rcfile=
 
 # Python code to execute, usually for sys.path manipulation such as
 # pygtk.require().
-# CERTBOT COMMENT
-# This is needed for pylint to import linter_plugin.py since
-# https://github.com/PyCQA/pylint/pull/3396.
-init-hook="import pylint.config, os, sys; sys.path.append(os.path.dirname(next(pylint.config.find_default_config_files())))"
+#init-hook=
 
-# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
-# number of processors available to use, and will cap the count on Windows to
-# avoid hangs.
-jobs=0
+# Profiled execution.
+profile=no
 
-# Control the amount of potential inferred values when inferring a single
-# object. This can help the performance when dealing with large functions or
-# complex, nested conditions.
-limit-inference-results=100
-
-# List of plugins (as comma separated values of python module names) to load,
-# usually to register additional checkers.
-load-plugins=linter_plugin
+# Add files or directories to the blacklist. They should be base names, not
+# paths.
+ignore=CVS
 
 # Pickle collected data for later comparisons.
 persistent=yes
 
-# Minimum Python version to use for version dependent checks. Will default to
-# the version used to run pylint.
-py-version=3.10
-
-# Discover python modules and packages in the file system subtree.
-recursive=no
-
-# When enabled, pylint would attempt to guess common misconfiguration and emit
-# user-friendly hints instead of false-positive error messages.
-suggestion-mode=yes
-
-# Allow loading of arbitrary C extensions. Extensions are imported into the
-# active Python interpreter and may run arbitrary code.
-unsafe-load-any-extension=no
-
-# In verbose mode, extra non-checker-related info will be displayed.
-#verbose=
-
-
-[BASIC]
-
-# Naming style matching correct argument names.
-argument-naming-style=snake_case
-
-# Regular expression matching correct argument names. Overrides argument-
-# naming-style. If left empty, argument names will be checked with the set
-# naming style.
-#argument-rgx=
-
-# Naming style matching correct attribute names.
-attr-naming-style=snake_case
-
-# Regular expression matching correct attribute names. Overrides attr-naming-
-# style. If left empty, attribute names will be checked with the set naming
-# style.
-#attr-rgx=
-
-# Bad variable names which should always be refused, separated by a comma.
-bad-names=foo,
-          bar,
-          baz,
-          toto,
-          tutu,
-          tata
-
-# Bad variable names regexes, separated by a comma. If names match any regex,
-# they will always be refused
-bad-names-rgxs=
-
-# Naming style matching correct class attribute names.
-class-attribute-naming-style=any
-
-# Regular expression matching correct class attribute names. Overrides class-
-# attribute-naming-style. If left empty, class attribute names will be checked
-# with the set naming style.
-#class-attribute-rgx=
-
-# Naming style matching correct class constant names.
-class-const-naming-style=UPPER_CASE
-
-# Regular expression matching correct class constant names. Overrides class-
-# const-naming-style. If left empty, class constant names will be checked with
-# the set naming style.
-#class-const-rgx=
-
-# Naming style matching correct class names.
-class-naming-style=PascalCase
-
-# Regular expression matching correct class names. Overrides class-naming-
-# style. If left empty, class names will be checked with the set naming style.
-#class-rgx=
-
-# Naming style matching correct constant names.
-const-naming-style=UPPER_CASE
-
-# Regular expression matching correct constant names. Overrides const-naming-
-# style. If left empty, constant names will be checked with the set naming
-# style.
-#const-rgx=
-
-# Minimum line length for functions/classes that require docstrings, shorter
-# ones are exempt.
-docstring-min-length=-1
-
-# Naming style matching correct function names.
-function-naming-style=snake_case
-
-# Regular expression matching correct function names. Overrides function-
-# naming-style. If left empty, function names will be checked with the set
-# naming style.
-function-rgx=[a-z_][a-z0-9_]{2,40}$
-
-# Good variable names which should always be accepted, separated by a comma.
-good-names=i,
-           j,
-           k,
-           ex,
-           Run,
-           _,
-           fd,
-           logger
-
-# Good variable names regexes, separated by a comma. If names match any regex,
-# they will always be accepted
-good-names-rgxs=
-
-# Include a hint for the correct naming format with invalid-name.
-include-naming-hint=no
-
-# Naming style matching correct inline iteration names.
-inlinevar-naming-style=any
-
-# Regular expression matching correct inline iteration names. Overrides
-# inlinevar-naming-style. If left empty, inline iteration names will be checked
-# with the set naming style.
-#inlinevar-rgx=
-
-# Naming style matching correct method names.
-method-naming-style=snake_case
-
-# Regular expression matching correct method names. Overrides method-naming-
-# style. If left empty, method names will be checked with the set naming style.
-method-rgx=[a-z_][a-z0-9_]{2,50}$
-
-# Naming style matching correct module names.
-module-naming-style=snake_case
-
-# Regular expression matching correct module names. Overrides module-naming-
-# style. If left empty, module names will be checked with the set naming style.
-#module-rgx=
-
-# Colon-delimited sets of names that determine each other's naming style when
-# the name regexes allow several styles.
-name-group=
-
-# Regular expression which should only match function or class names that do
-# not require a docstring.
-no-docstring-rgx=(__.*__)|(test_[A-Za-z0-9_]*)|(_.*)|(.*Test$)
-
-# List of decorators that produce properties, such as abc.abstractproperty. Add
-# to this list to register other decorators that produce valid properties.
-# These decorators are taken in consideration only for invalid-name.
-property-classes=abc.abstractproperty
-
-# Regular expression matching correct type variable names. If left empty, type
-# variable names will be checked with the set naming style.
-#typevar-rgx=
-
-# Naming style matching correct variable names.
-variable-naming-style=snake_case
-
-# Regular expression matching correct variable names. Overrides variable-
-# naming-style. If left empty, variable names will be checked with the set
-# naming style.
-variable-rgx=[a-z_][a-z0-9_]{1,30}$
-
-
-[CLASSES]
-
-# Warn about protected attribute access inside special methods
-check-protected-access-in-special-methods=no
-
-# List of method names used to declare (i.e. assign) instance attributes.
-defining-attr-methods=__init__,
-                      __new__,
-                      setUp,
-                      __post_init__
-
-# List of valid names for the first argument in a class method.
-valid-classmethod-first-arg=cls
-
-# List of valid names for the first argument in a metaclass class method.
-valid-metaclass-classmethod-first-arg=cls
-
-
-[EXCEPTIONS]
-
-# Exceptions that will emit a warning when caught.
-overgeneral-exceptions=builtins.BaseException,
-                       builtins.Exception
-
-
-[FORMAT]
-
-# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
-expected-line-ending-format=
-
-# Regexp for a line that is allowed to be longer than the limit.
-ignore-long-lines=^\s*(# )?<?https?://\S+>?$
-
-# Number of spaces of indent required inside a hanging or continued line.
-# git history told me that "This does something silly/broken..."
-#indent-after-paren=4
-
-# String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
-# tab).
-indent-string='    '
-
-# Maximum number of characters on a single line.
-max-line-length=100
-
-# Maximum number of lines in a module.
-max-module-lines=1250
-
-# Allow the body of a class to be on the same line as the declaration if body
-# contains single statement.
-single-line-class-stmt=no
-
-# Allow the body of an if to be on the same line as the test if there is no
-# else.
-single-line-if-stmt=no
-
-
-[IMPORTS]
-
-# List of modules that can be imported at any level, not just the top level
-# one.
-allow-any-import-level=
-
-# Allow wildcard imports from modules that define __all__.
-allow-wildcard-with-all=no
-
-# Deprecated modules which should not be used, separated by a comma.
-deprecated-modules=
-
-# Output a graph (.gv or any supported image format) of external dependencies
-# to the given file (report RP0402 must not be disabled).
-ext-import-graph=
-
-# Output a graph (.gv or any supported image format) of all (i.e. internal and
-# external) dependencies to the given file (report RP0402 must not be
-# disabled).
-import-graph=
-
-# Output a graph (.gv or any supported image format) of internal dependencies
-# to the given file (report RP0402 must not be disabled).
-int-import-graph=
-
-# Force import order to recognize a module as part of the standard
-# compatibility libraries.
-known-standard-library=
-
-# Force import order to recognize a module as part of a third party library.
-known-third-party=enchant
-
-# Couples of modules and preferred modules, separated by a comma.
-preferred-modules=
-
-
-[LOGGING]
-
-# The type of string formatting that logging methods do. `old` means using %
-# formatting, `new` is for `{}` formatting.
-logging-format-style=old
-
-# Logging modules to check that the string format arguments are in logging
-# function parameter format.
-logging-modules=logging,logger
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=linter_plugin
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code.
+extension-pkg-whitelist=pywintypes,win32api,win32file,win32security
 
 
 [MESSAGES CONTROL]
 
-# Only show warnings with the listed confidence levels. Leave empty to show
-# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE,
-# UNDEFINED.
-confidence=HIGH,
-           CONTROL_FLOW,
-           INFERENCE,
-           INFERENCE_FAILURE,
-           UNDEFINED
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time. See also the "--disable" option for examples.
+#enable=
 
 # Disable the message, report, category or checker with the given id(s). You
 # can either give multiple identifiers separated by comma (,) or put this
 # option multiple times (only on the command line, not in the configuration
-# file where it should appear only once). You can also use "--disable=all" to
-# disable everything first and then re-enable specific checks. For example, if
+# file where it should appear only once).You can also use "--disable=all" to
+# disable everything first and then reenable specific checks. For example, if
 # you want to run only the similarities checker, you can use "--disable=all
 # --enable=similarities". If you want to run only the classes checker, but have
-# no Warning level messages displayed, use "--disable=all --enable=classes
-# --disable=W".
+# no Warning level messages displayed, use"--disable=all --enable=classes
+# --disable=W"
 # CERTBOT COMMENT
 # 1) Once certbot codebase is claimed to be compatible exclusively with Python 3,
 #    the useless-object-inheritance check can be enabled again, and code fixed accordingly.
@@ -375,203 +53,261 @@ confidence=HIGH,
 #    See https://github.com/PyCQA/pylint/issues/1498.
 # 3) Same as point 2 for no-value-for-parameter.
 #    See https://github.com/PyCQA/pylint/issues/2820.
-# 4) raise-missing-from makes it an error to raise an exception from except
-#    block without using explicit exception chaining. While explicit exception
-#    chaining results in a slightly more informative traceback, I don't think
-#    it's beneficial enough for us to change all of our current instances and
-#    give Certbot developers errors about this when they're working on new code
-#    in the future. You can read more about exception chaining and this pylint
-#    check at
-#    https://blog.ram.rachum.com/post/621791438475296768/improving-python-exception-chaining-with.
-# 5) wrong-import-order generates false positives and a pylint developer
-#    suggests that people using isort should disable this check at
-#    https://github.com/PyCQA/pylint/issues/3817#issuecomment-687892090.
-# 6) unspecified-encoding generates errors when encoding is not specified in
-#    in a call to the built-in open function. This relates more to a design decision
-#    (unspecified encoding makes the open function use the default encoding of the system)
-#    than a clear flaw on which a check should be enforced. Anyway the project does
-#    not need to enforce encoding on files so we disable this check.
-# 7) consider-using-f-string is "suggesting" to move to f-string when possible with an error. This
-#    clearly relates to code design and not to potential defects in the code, let's just ignore that.
-disable=fixme,locally-disabled,invalid-name,cyclic-import,duplicate-code,design,import-outside-toplevel,useless-object-inheritance,unsubscriptable-object,no-value-for-parameter,no-else-return,no-else-raise,no-else-break,no-else-continue,raise-missing-from,wrong-import-order,unspecified-encoding,consider-using-f-string,raw-checker-failed,bad-inline-option,file-ignored,suppressed-message,useless-suppression,deprecated-pragma,use-symbolic-message-instead
+disable=fixme,locally-disabled,locally-enabled,bad-continuation,no-self-use,invalid-name,cyclic-import,duplicate-code,design,import-outside-toplevel,useless-object-inheritance,unsubscriptable-object,no-value-for-parameter,no-else-return,no-else-raise,no-else-break,no-else-continue
 
-# Enable the message, report, category or checker with the given id(s). You can
-# either give multiple identifier separated by comma (,) or put this option
-# multiple time (only on the command line, not in the configuration file where
-# it should appear only once). See also the "--disable" option for examples.
-enable=c-extension-no-member
+[REPORTS]
+
+# Set the output format. Available formats are text, parseable, colorized, msvs
+# (visual studio) and html. You can also give a reporter class, eg
+# mypackage.mymodule.MyReporterClass.
+output-format=text
+
+# Put messages in a separate file for each module / package specified on the
+# command line instead of printing them on stdout. Reports (if any) will be
+# written in a file name "pylint_global.[txt|html]".
+files-output=no
+
+# Tells whether to display a full report or only the messages
+reports=yes
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+# Add a comment according to your evaluation note. This is used by the global
+# evaluation report (RP0004).
+comment=no
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details
+#msg-template=
 
 
-[METHOD_ARGS]
+[BASIC]
 
-# List of qualified names (i.e., library.method) which require a timeout
-# parameter e.g. 'requests.api.get,requests.api.post'
-timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request
+# Required attributes for module, separated by a comma
+required-attributes=
+
+# List of builtins function names that should not be used, separated by a comma
+bad-functions=map,filter,apply,input,file
+
+# Good variable names which should always be accepted, separated by a comma
+good-names=f,i,j,k,ex,Run,_,fd,logger
+
+# Bad variable names which should always be refused, separated by a comma
+bad-names=foo,bar,baz,toto,tutu,tata
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Include a hint for the correct naming format with invalid-name
+include-naming-hint=no
+
+# Regular expression matching correct function names
+function-rgx=[a-z_][a-z0-9_]{2,40}$
+
+# Naming hint for function names
+function-name-hint=[a-z_][a-z0-9_]{2,40}$
+
+# Regular expression matching correct variable names
+variable-rgx=[a-z_][a-z0-9_]{1,30}$
+
+# Naming hint for variable names
+variable-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct constant names
+const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Naming hint for constant names
+const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Regular expression matching correct attribute names
+attr-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for attribute names
+attr-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct argument names
+argument-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for argument names
+argument-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct class attribute names
+class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Naming hint for class attribute names
+class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Regular expression matching correct inline iteration names
+inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
+
+# Naming hint for inline iteration names
+inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
+
+# Regular expression matching correct class names
+class-rgx=[A-Z_][a-zA-Z0-9]+$
+
+# Naming hint for class names
+class-name-hint=[A-Z_][a-zA-Z0-9]+$
+
+# Regular expression matching correct module names
+module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Naming hint for module names
+module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Regular expression matching correct method names
+method-rgx=[a-z_][a-z0-9_]{2,50}$
+
+# Naming hint for method names
+method-name-hint=[a-z_][a-z0-9_]{2,50}$
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=(__.*__)|(test_[A-Za-z0-9_]*)|(_.*)|(.*Test$)
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
 
 
 [MISCELLANEOUS]
 
 # List of note tags to take in consideration, separated by a comma.
-notes=FIXME,
-      XXX,
-      TODO
-
-# Regular expression of note tags to take in consideration.
-notes-rgx=
+notes=FIXME,XXX,TODO
 
 
-[REFACTORING]
+[LOGGING]
 
-# Maximum number of nested blocks for function / method body
-max-nested-blocks=5
-
-# Complete name of functions that never returns. When checking for
-# inconsistent-return-statements if a never returning function is called then
-# it will be considered as an explicit return statement and no message will be
-# printed.
-never-returning-functions=sys.exit,argparse.parse_error
-
-
-[REPORTS]
-
-# Python expression which should return a score less than or equal to 10. You
-# have access to the variables 'fatal', 'error', 'warning', 'refactor',
-# 'convention', and 'info' which contain the number of messages in each
-# category, as well as 'statement' which is the total number of statements
-# analyzed. This score is used by the global evaluation report (RP0004).
-evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10))
-
-# Template used to display messages. This is a python new-style format string
-# used to format the message information. See doc for all details.
-msg-template=
-
-# Set the output format. Available formats are text, parseable, colorized, json
-# and msvs (visual studio). You can also give a reporter class, e.g.
-# mypackage.mymodule.MyReporterClass.
-#output-format=
-
-# Tells whether to display a full report or only the messages.
-reports=no
-
-# Activate the evaluation score.
-score=yes
-
-
-[SIMILARITIES]
-
-# Comments are removed from the similarity computation
-ignore-comments=yes
-
-# Docstrings are removed from the similarity computation
-ignore-docstrings=yes
-
-# Imports are removed from the similarity computation
-ignore-imports=yes
-
-# Signatures are removed from the similarity computation
-ignore-signatures=yes
-
-# Minimum lines number of a similarity.
-min-similarity-lines=6
-
-
-[STRING]
-
-# This flag controls whether inconsistent-quotes generates a warning when the
-# character used as a quote delimiter is used inconsistently within a module.
-check-quote-consistency=no
-
-# This flag controls whether the implicit-str-concat should generate a warning
-# on implicit string concatenation in sequences defined over several lines.
-check-str-concat-over-line-jumps=no
-
-
-[TYPECHECK]
-
-# List of decorators that produce context managers, such as
-# contextlib.contextmanager. Add to this list to register other decorators that
-# produce valid context managers.
-contextmanager-decorators=contextlib.contextmanager
-
-# List of members which are set dynamically and missed by pylint inference
-# system, and so shouldn't trigger E1101 when accessed. Python regular
-# expressions are accepted.
-generated-members=
-
-# Tells whether to warn about missing members when the owner of the attribute
-# is inferred to be None.
-ignore-none=yes
-
-# This flag controls whether pylint should warn about no-member and similar
-# checks whenever an opaque object is returned when inferring. The inference
-# can return multiple potential results while evaluating a Python object, but
-# some branches might not be evaluated, which results in partial inference. In
-# that case, it might be useful to still emit no-member and other checks for
-# the rest of the inferred objects.
-ignore-on-opaque-inference=yes
-
-# List of symbolic message names to ignore for Mixin members.
-ignored-checks-for-mixins=no-member,
-                          not-async-context-manager,
-                          not-context-manager,
-                          attribute-defined-outside-init
-
-# List of class names for which member attributes should not be checked (useful
-# for classes with dynamically set attributes). This supports the use of
-# qualified names.
-ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace,Field,Header,JWS,closing
-
-# List of module names for which member attributes should not be checked
-# (useful for modules/projects where namespaces are manipulated during runtime
-# and thus existing member attributes cannot be deduced by static analysis
-ignored-modules=confargparse,argparse
-
-# Show a hint with possible names when a member name was not found. The aspect
-# of finding the hint is based on edit distance.
-missing-member-hint=yes
-
-# The minimum edit distance a name should have in order to be considered a
-# similar match for a missing member name.
-missing-member-hint-distance=1
-
-# The total number of similar names that should be taken in consideration when
-# showing a hint for a missing member.
-missing-member-max-choices=1
-
-# Regex pattern to define which classes are considered mixins.
-mixin-class-rgx=.*[Mm]ixin
-
-# List of decorators that change the signature of a decorated function.
-signature-mutators=
+# Logging modules to check that the string format arguments are in logging
+# function parameter format
+logging-modules=logging,logger
 
 
 [VARIABLES]
 
-# List of additional names supposed to be defined in builtins. Remember that
-# you should avoid defining new builtins when possible.
-additional-builtins=
-
-# Tells whether unused global variables should be treated as a violation.
-allow-global-unused-variables=yes
-
-# List of names allowed to shadow builtins
-allowed-redefined-builtins=
-
-# List of strings which can identify a callback function by name. A callback
-# name must start or end with one of those strings.
-callbacks=cb_,
-          _cb
-
-# A regular expression matching the name of dummy variables (i.e. expected to
-# not be used).
-dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_
-
-# Argument names that match this expression will be ignored.
-ignored-argument-names=_.*|^ignored_|^unused_
-
 # Tells whether we should check for unused import in __init__ files.
 init-import=no
 
-# List of qualified module names which can have objects that can redefine
-# builtins.
-redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io
+# A regular expression matching the name of dummy variables (i.e. expectedly
+# not used).
+dummy-variables-rgx=(unused)?_.*|dummy
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid to define new builtins when possible.
+additional-builtins=
+
+
+[SIMILARITIES]
+
+# Minimum lines number of a similarity.
+min-similarity-lines=6
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+# Ignore imports when computing similarities.
+ignore-imports=yes
+
+
+[FORMAT]
+
+# Maximum number of characters on a single line.
+max-line-length=100
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+# List of optional constructs for which whitespace checking is disabled
+no-space-check=trailing-comma
+
+# Maximum number of lines in a module
+max-module-lines=1250
+
+# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
+# tab).
+indent-string='    '
+
+# Number of spaces of indent required inside a hanging or continued line.
+# This does something silly/broken...
+#indent-after-paren=4
+
+
+[TYPECHECK]
+
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis
+ignored-modules=pkg_resources,confargparse,argparse,six.moves,six.moves.urllib
+# import errors ignored only in 1.4.4
+# https://bitbucket.org/logilab/pylint/commits/cd000904c9e2
+
+# List of classes names for which member attributes should not be checked
+# (useful for classes with attributes dynamically set).
+ignored-classes=Field,Header,JWS,closing
+
+# When zope mode is activated, add a predefined set of Zope acquired attributes
+# to generated-members.
+zope=yes
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E0201 when accessed. Python regular
+# expressions are accepted.
+generated-members=REQUEST,acl_users,aq_parent
+
+
+[IMPORTS]
+
+# Deprecated modules which should not be used, separated by a comma
+deprecated-modules=regsub,TERMIOS,Bastion,rexec
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled)
+import-graph=
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled)
+ext-import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled)
+int-import-graph=
+
+
+[CLASSES]
+
+# List of interface methods to ignore, separated by a comma. This is used for
+# instance to not check methods defined in Zope's Interface base class.
+ignore-iface-methods=isImplementedBy,deferred,extends,names,namesAndDescriptions,queryDescriptionFor,getBases,getDescriptionFor,getDoc,getName,getTaggedValue,getTaggedValueTags,isEqualOrExtendedBy,setTaggedValue,isImplementedByInstancesOf,adaptWith,is_implemented_by,implementedBy,providedBy
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,__new__,setUp
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=mcs
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when being caught. Defaults to
+# "Exception"
+overgeneral-exceptions=Exception

.travis.yml

@@ -0,0 +1,309 @@
+language: python
+dist: xenial
+
+cache:
+    directories:
+        - $HOME/.cache/pip
+
+before_script:
+  - 'if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then ulimit -n 1024 ; fi'
+  # On Travis, the fastest parallelization for integration tests has proved to be 4.
+  - 'if [[ "$TOXENV" == *"integration"* ]]; then export PYTEST_ADDOPTS="--numprocesses 4"; fi'
+  # Use Travis retry feature for farm tests since they are flaky
+  - 'if [[ "$TOXENV" == "travis-test-farm"* ]]; then export TRAVIS_RETRY=travis_retry; fi'
+  - export TOX_TESTENV_PASSENV=TRAVIS
+
+# Only build pushes to the master branch, PRs, and branches beginning with
+# `test-` or of the form `digit(s).digit(s).x`. This reduces the number of
+# simultaneous Travis runs, which speeds turnaround time on review since there
+# is a cap of on the number of simultaneous runs.
+branches:
+  only:
+    # apache-parser-v2 is a temporary branch for doing work related to
+    # rewriting the parser in the Apache plugin.
+    - apache-parser-v2
+    - master
+    - /^\d+\.\d+\.x$/
+    - /^test-.*$/
+
+# Jobs for the main test suite are always executed (including on PRs) except for pushes on master.
+not-on-master: &not-on-master
+  if: NOT (type = push AND branch = master)
+
+# Jobs for the extended test suite are executed for cron jobs and pushes to
+# non-development branches. See the explanation for apache-parser-v2 above.
+extended-test-suite: &extended-test-suite
+  if: type = cron OR (type = push AND branch NOT IN (apache-parser-v2, master))
+
+matrix:
+  include:
+    # Main test suite
+    - python: "2.7"
+      env: ACME_SERVER=pebble TOXENV=integration
+      <<: *not-on-master
+
+    # This job is always executed, including on master
+    - python: "2.7"
+      env: TOXENV=py27-cover FYI="py27 tests + code coverage"
+
+    - python: "3.7"
+      env: TOXENV=lint
+      <<: *not-on-master
+    - python: "3.5"
+      env: TOXENV=mypy
+      <<: *not-on-master
+    - python: "2.7"
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      env: TOXENV='py27-{acme,apache,apache-v2,certbot,dns,nginx}-oldest'
+      <<: *not-on-master
+    - python: "3.4"
+      env: TOXENV=py34
+      <<: *not-on-master
+    - python: "3.7"
+      env: TOXENV=py37
+      <<: *not-on-master
+    - python: "3.8"
+      env: TOXENV=py38
+      <<: *not-on-master
+    - sudo: required
+      env: TOXENV=apache_compat
+      services: docker
+      before_install:
+      addons:
+      <<: *not-on-master
+    - sudo: required
+      env: TOXENV=le_auto_xenial
+      services: docker
+      <<: *not-on-master
+    - python: "2.7"
+      env: TOXENV=apacheconftest-with-pebble
+      <<: *not-on-master
+    - python: "2.7"
+      env: TOXENV=nginxroundtrip
+      <<: *not-on-master
+
+    # Extended test suite on cron jobs and pushes to tested branches other than master
+    - sudo: required
+      env: TOXENV=nginx_compat
+      services: docker
+      before_install:
+      addons:
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-apache2
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-leauto-upgrades
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      git:
+        depth: false  # This is needed to have the history to checkout old versions of certbot-auto.
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-certonly-standalone
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-sdists
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: TOXENV=py37 CERTBOT_NO_PIN=1
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration-certbot-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration-certbot-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration-nginx-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration-nginx-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: TOXENV=py34
+      <<: *extended-test-suite
+    - python: "3.5"
+      env: TOXENV=py35
+      <<: *extended-test-suite
+    - python: "3.6"
+      env: TOXENV=py36
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: TOXENV=py37
+      <<: *extended-test-suite
+    - python: "3.8"
+      env: TOXENV=py38
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.5"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.5"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.6"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.6"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.8"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      <<: *extended-test-suite
+    - python: "3.8"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      <<: *extended-test-suite
+    - sudo: required
+      env: TOXENV=le_auto_jessie
+      services: docker
+      <<: *extended-test-suite
+    - sudo: required
+      env: TOXENV=le_auto_centos6
+      services: docker
+      <<: *extended-test-suite
+    - sudo: required
+      env: TOXENV=docker_dev
+      services: docker
+      addons:
+        apt:
+          packages:  # don't install nginx and apache
+            - libaugeas0
+      <<: *extended-test-suite
+    - language: generic
+      env: TOXENV=py27
+      os: osx
+      # Using this osx_image is a workaround for
+      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
+      osx_image: xcode10.2
+      addons:
+        homebrew:
+          packages:
+            - augeas
+            - python2
+      <<: *extended-test-suite
+    - language: generic
+      env: TOXENV=py3
+      os: osx
+      # Using this osx_image is a workaround for
+      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
+      osx_image: xcode10.2
+      addons:
+        homebrew:
+          packages:
+            - augeas
+            - python3
+      <<: *extended-test-suite
+
+# container-based infrastructure
+sudo: false
+
+addons:
+  apt:
+    packages:  # Keep in sync with letsencrypt-auto-source/pieces/bootstrappers/deb_common.sh and Boulder.
+    - python-dev
+    - gcc
+    - libaugeas0
+    - libssl-dev
+    - libffi-dev
+    - ca-certificates
+    # For certbot-nginx integration testing
+    - nginx-light
+    - openssl
+
+# tools/pip_install.py is used to pin packages to a known working version
+# except in tests where the environment variable CERTBOT_NO_PIN is set.
+# virtualenv is listed here explicitly to make sure it is upgraded when
+# CERTBOT_NO_PIN is set to work around failures we've seen when using an older
+# version of virtualenv.
+install: 'tools/pip_install.py -U codecov tox virtualenv'
+# Most of the time TRAVIS_RETRY is an empty string, and has no effect on the
+# script command. It is set only to `travis_retry` during farm tests, in
+# order to trigger the Travis retry feature, and compensate the inherent
+# flakiness of these specific tests.
+script: '$TRAVIS_RETRY tox'
+
+after_success: '[ "$TOXENV" == "py27-cover" ] && codecov -F linux'
+
+notifications:
+  email: false
+  irc:
+    channels:
+      # This is set to a secure variable to prevent forks from sending
+      # notifications. This value was created by installing
+      # https://github.com/travis-ci/travis.rb and running
+      # `travis encrypt "chat.freenode.net#certbot-devel"`.
+      - secure: "EWW66E2+KVPZyIPR8ViENZwfcup4Gx3/dlimmAZE0WuLwxDCshBBOd3O8Rf6pBokEoZlXM5eDT6XdyJj8n0DLslgjO62pExdunXpbcMwdY7l1ELxX2/UbnDTE6UnPYa09qVBHNG7156Z6yE0x2lH4M9Ykvp0G0cubjPQHylAwo0="
+    on_cancel: never
+    on_success: never
+    on_failure: always

AUTHORS.md

@@ -1,7 +1,6 @@
 Authors
 =======
 
-* [Aaron Gable](https://github.com/aarongable)
 * [Aaron Zirbes](https://github.com/aaronzirbes)
 * Aaron Zuehlke
 * Ada Lovelace
@@ -17,16 +16,11 @@ Authors
 * [Alex Halderman](https://github.com/jhalderm)
 * [Alex Jordan](https://github.com/strugee)
 * [Alex Zorin](https://github.com/alexzorin)
-* [Alexis Hancock](https://github.com/zoracon)
-* [Amir Omidi](https://github.com/aaomidi)
 * [Amjad Mashaal](https://github.com/TheNavigat)
-* [amplifi](https://github.com/amplifi)
 * [Andrew Murray](https://github.com/radarhere)
 * [Andrzej Górski](https://github.com/andrzej3393)
-* [Anna Glasgall](https://github.com/aglasgall)
 * [Anselm Levskaya](https://github.com/levskaya)
 * [Antoine Jacoutot](https://github.com/ajacoutot)
-* [April King](https://github.com/april)
 * [asaph](https://github.com/asaph)
 * [Axel Beckert](https://github.com/xtaran)
 * [Bas](https://github.com/Mechazawa)
@@ -41,9 +35,7 @@ Authors
 * [Blake Griffith](https://github.com/cowlicks)
 * [Brad Warren](https://github.com/bmw)
 * [Brandon Kraft](https://github.com/kraftbj)
-* [Brandon Kreisel](https://github.com/BKreisel)
-* [Brian Heim](https://github.com/brianlheim)
-* [Cameron Steel](https://github.com/Tugzrida)
+* [Brandon Kreisel](https://github.com/kraftbj)
 * [Ceesjan Luiten](https://github.com/quinox)
 * [Chad Whitacre](https://github.com/whit537)
 * [Chhatoi Pritam Baral](https://github.com/pritambaral)
@@ -65,11 +57,8 @@ Authors
 * [DanCld](https://github.com/DanCld)
 * [Daniel Albers](https://github.com/AID)
 * [Daniel Aleksandersen](https://github.com/da2x)
-* [Daniel Almasi](https://github.com/almasen)
 * [Daniel Convissor](https://github.com/convissor)
-* [Daniel "Drex" Drexler](https://github.com/aeturnum)
 * [Daniel Huang](https://github.com/dhuang)
-* [Daniel McMahon] (https://github.com/igloodan)
 * [Dave Guarino](https://github.com/daguar)
 * [David cz](https://github.com/dave-cz)
 * [David Dworken](https://github.com/ddworken)
@@ -93,8 +82,6 @@ Authors
 * [Felix Schwarz](https://github.com/FelixSchwarz)
 * [Felix Yan](https://github.com/felixonmars)
 * [Filip Ochnik](https://github.com/filipochnik)
-* [Florian Klink](https://github.com/flokli)
-* [Francesco Colista](https://github.com/fcolista)
 * [Francois Marier](https://github.com/fmarier)
 * [Frank](https://github.com/Frankkkkk)
 * [Frederic BLANC](https://github.com/fblanc)
@@ -113,18 +100,14 @@ Authors
 * [Harlan Lieberman-Berg](https://github.com/hlieberman)
 * [Henri Salo](https://github.com/fgeek)
 * [Henry Chen](https://github.com/henrychen95)
-* [Hugo van Kemenade](https://github.com/hugovk)
 * [Ingolf Becker](https://github.com/watercrossing)
-* [Ivan Nejgebauer](https://github.com/inejge)
 * [Jaap Eldering](https://github.com/eldering)
 * [Jacob Hoffman-Andrews](https://github.com/jsha)
 * [Jacob Sachs](https://github.com/jsachs)
 * [Jairo Llopis](https://github.com/Yajo)
 * [Jakub Warmuz](https://github.com/kuba)
-* [James Balazs](https://github.com/jamesbalazs)
 * [James Kasten](https://github.com/jdkasten)
 * [Jason Grinblat](https://github.com/ptychomancer)
-* [Jawshua](https://github.com/jawshua)
 * [Jay Faulkner](https://github.com/jayofdoom)
 * [J.C. Jones](https://github.com/jcjones)
 * [Jeff Hodges](https://github.com/jmhodges)
@@ -141,12 +124,10 @@ Authors
 * [Jonathan Herlin](https://github.com/Jonher937)
 * [Jon Walsh](https://github.com/code-tree)
 * [Joona Hoikkala](https://github.com/joohoi)
-* [Josh McCullough](https://github.com/JoshMcCullough)
 * [Josh Soref](https://github.com/jsoref)
 * [Joubin Jabbari](https://github.com/joubin)
 * [Juho Juopperi](https://github.com/jkjuopperi)
 * [Kane York](https://github.com/riking)
-* [Katsuyoshi Ozaki](https://github.com/moratori)
 * [Kenichi Maehashi](https://github.com/kmaehashi)
 * [Kenneth Skovhede](https://github.com/kenkendk)
 * [Kevin Burke](https://github.com/kevinburke)
@@ -155,20 +136,16 @@ Authors
 * [LeCoyote](https://github.com/LeCoyote)
 * [Lee Watson](https://github.com/TheReverend403)
 * [Leo Famulari](https://github.com/lfam)
-* [Leon G](https://github.com/LeonGr)
 * [lf](https://github.com/lf-)
 * [Liam Marshall](https://github.com/liamim)
 * [Lior Sabag](https://github.com/liorsbg)
 * [Lipis](https://github.com/lipis)
 * [lord63](https://github.com/lord63)
-* [Lorenzo Fundaró](https://github.com/lfundaro)
 * [Luca Beltrame](https://github.com/lbeltrame)
 * [Luca Ebach](https://github.com/lucebac)
 * [Luca Olivetti](https://github.com/olivluca)
 * [Luke Rogers](https://github.com/lukeroge)
-* [Lukhnos Liu](https://github.com/lukhnos)
 * [Maarten](https://github.com/mrtndwrd)
-* [Mads Jensen](https://github.com/atombrella)
 * [Maikel Martens](https://github.com/krukas)
 * [Malte Janduda](https://github.com/MalteJ)
 * [Mantas Mikulėnas](https://github.com/grawity)
@@ -184,7 +161,6 @@ Authors
 * [Mathieu Leduc-Hamel](https://github.com/mlhamel)
 * [Matt Bostock](https://github.com/mattbostock)
 * [Matthew Ames](https://github.com/SuperMatt)
-* [Matthew W. Thomas](https://github.com/mwt)
 * [Michael Schumacher](https://github.com/schumaml)
 * [Michael Strache](https://github.com/Jarodiv)
 * [Michael Sverdlin](https://github.com/sveder)
@@ -209,33 +185,25 @@ Authors
 * [osirisinferi](https://github.com/osirisinferi)
 * Patrick Figel
 * [Patrick Heppler](https://github.com/PatrickHeppler)
-* [Paul Buonopane](https://github.com/Zenexer)
 * [Paul Feitzinger](https://github.com/pfeyz)
-* [Paulo Dias](https://github.com/paulojmdias)
 * [Pavan Gupta](https://github.com/pavgup)
 * [Pavel Pavlov](https://github.com/ghost355)
 * [Peter Conrad](https://github.com/pconrad-fb)
 * [Peter Eckersley](https://github.com/pde)
 * [Peter Mosmans](https://github.com/PeterMosmans)
-* [Phil Martin](https://github.com/frillip)
 * [Philippe Langlois](https://github.com/langloisjp)
 * [Philipp Spitzer](https://github.com/spitza)
 * [Piero Steinger](https://github.com/Jadaw1n)
 * [Pierre Jaury](https://github.com/kaiyou)
 * [Piotr Kasprzyk](https://github.com/kwadrat)
 * [Prayag Verma](https://github.com/pra85)
-* [Preston Locke](https://github.com/Preston12321)
-* [Q Misell][https://magicalcodewit.ch]
-* [Rasesh Patel](https://github.com/raspat1)
 * [Reinaldo de Souza Jr](https://github.com/juniorz)
 * [Remi Rampin](https://github.com/remram44)
 * [Rémy HUBSCHER](https://github.com/Natim)
 * [Rémy Léone](https://github.com/sieben)
 * [Richard Barnes](https://github.com/r-barnes)
-* [Richard Harman](https://github.com/warewolf)
 * [Richard Panek](https://github.com/kernelpanek)
 * [Robert Buchholz](https://github.com/rbu)
-* [Robert Dailey](https://github.com/pahrohfit)
 * [Robert Habermann](https://github.com/frennkie)
 * [Robert Xiao](https://github.com/nneonneo)
 * [Roland Shoemaker](https://github.com/rolandshoemaker)
@@ -261,11 +229,9 @@ Authors
 * [Spencer Bliven](https://github.com/sbliven)
 * [Stacey Sheldon](https://github.com/solidgoldbomb)
 * [Stavros Korokithakis](https://github.com/skorokithakis)
-* [Ștefan Talpalaru](https://github.com/stefantalpalaru)
 * [Stefan Weil](https://github.com/stweil)
 * [Steve Desmond](https://github.com/stevedesmond-ca)
 * [sydneyli](https://github.com/sydneyli)
-* [taixx046](https://github.com/taixx046)
 * [Tan Jay Jun](https://github.com/jayjun)
 * [Tapple Gao](https://github.com/tapple)
 * [Telepenin Nikolay](https://github.com/telepenin)
@@ -290,7 +256,6 @@ Authors
 * [Wilfried Teiken](https://github.com/wteiken)
 * [Willem Fibbe](https://github.com/fibbers)
 * [William Budington](https://github.com/Hainish)
-* [Will Greenberg](https://github.com/wgreenberg)
 * [Will Newby](https://github.com/willnewby)
 * [Will Oller](https://github.com/willoller)
 * [Yan](https://github.com/diracdeltas)
@@ -298,7 +263,5 @@ Authors
 * [Yomna](https://github.com/ynasser)
 * [Yoni Jah](https://github.com/yonjah)
 * [YourDaddyIsHere](https://github.com/YourDaddyIsHere)
-* [Yuseong Cho](https://github.com/g6123)
 * [Zach Shepherd](https://github.com/zjs)
 * [陈三](https://github.com/chenxsan)
-* [Shahar Naveh](https://github.com/ShaharNaveh)

CONTRIBUTING.md

@@ -11,7 +11,7 @@ to the Sphinx generated docs is provided below.
 
 
 [1] https://github.com/blog/1184-contributing-guidelines
-[2] https://docutils.sourceforge.io/docs/user/rst/quickref.html#hyperlink-targets
+[2] http://docutils.sourceforge.net/docs/user/rst/quickref.html#hyperlink-targets
 
 -->
 

Dockerfile-dev

@@ -0,0 +1,20 @@
+# This Dockerfile builds an image for development.
+FROM debian:buster
+
+# Note: this only exposes the port to other docker containers.
+EXPOSE 80 443
+
+WORKDIR /opt/certbot/src
+
+COPY . .
+RUN apt-get update && \
+    apt-get install apache2 git python3-dev python3-venv gcc libaugeas0 \
+                    libssl-dev libffi-dev ca-certificates openssl nginx-light -y && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* \
+           /tmp/* \
+           /var/tmp/*
+
+RUN VENV_NAME="../venv3" python3 tools/venv3.py
+
+ENV PATH /opt/certbot/venv3/bin:$PATH

ISSUE_TEMPLATE.md

@@ -7,7 +7,7 @@ questions.
 ## My operating system is (include version):
 
 
-## I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):
+## I installed Certbot with (certbot-auto, OS package manager, pip, etc):
 
 
 ## I ran this command and it produced this output:

SECURITY.md

@@ -1,5 +0,0 @@
-# Security Policy
-
-## Reporting a Vulnerability
-
-Security vulnerabilities can be reported using GitHub's [private vulnerability reporting tool](https://github.com/certbot/certbot/security/advisories/new).

acme/.readthedocs.yaml

@@ -1,33 +0,0 @@
-# Read the Docs configuration file for Sphinx projects
-# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
-
-# Required
-version: 2
-
-# Set the OS, Python version and other tools you might need
-build:
-  os: ubuntu-22.04
-  tools:
-    python: "3.11"
-    # You can also specify other tool versions:
-
-
-# Build documentation in the "docs/" directory with Sphinx
-sphinx:
-  configuration: acme/docs/conf.py
-  # You can configure Sphinx to use a different builder, for instance use the dirhtml builder for simpler URLs
-  # builder: "dirhtml"
-  # Fail on all warnings to avoid broken references
-  fail_on_warning: true
-
-# Optionally build your docs in additional formats such as PDF and ePub
-formats:
-   - pdf
-   - epub
-
-# Optional but recommended, declare the Python requirements required
-# to build your documentation
-# See https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html
-python:
-   install:
-   - requirements: acme/readthedocs.org.requirements.txt

acme/MANIFEST.in

@@ -3,7 +3,6 @@ include README.rst
 include pytest.ini
 recursive-include docs *
 recursive-include examples *
-recursive-include acme/_internal/tests/testdata *
-include acme/py.typed
+recursive-include tests *
 global-exclude __pycache__
 global-exclude *.py[cod]

acme/acme/__init__.py

@@ -2,10 +2,11 @@
 
 This module is an implementation of the `ACME protocol`_.
 
-.. _`ACME protocol`: https://datatracker.ietf.org/doc/html/rfc8555
+.. _`ACME protocol`: https://ietf-wg-acme.github.io/acme
 
 """
 import sys
+import warnings
 
 # This code exists to keep backwards compatibility with people using acme.jose
 # before it became the standalone josepy package.

acme/acme/_internal/__init__.py

@@ -1 +0,0 @@
-"""acme's internal implementation"""

acme/acme/_internal/tests/__init__.py

@@ -1 +0,0 @@
-"""acme tests"""

acme/acme/_internal/tests/client_test.py

@@ -1,794 +0,0 @@
-"""Tests for acme.client."""
-# pylint: disable=too-many-lines
-import copy
-import datetime
-import http.client as http_client
-import json
-import sys
-from typing import Dict
-import unittest
-from unittest import mock
-
-import josepy as jose
-import pytest
-import requests
-
-from acme import challenges
-from acme import errors
-from acme import jws as acme_jws
-from acme import messages
-from acme._internal.tests import messages_test
-from acme._internal.tests import test_util
-from acme.client import ClientNetwork
-from acme.client import ClientV2
-
-CERT_SAN_PEM = test_util.load_vector('cert-san.pem')
-CSR_MIXED_PEM = test_util.load_vector('csr-mixed.pem')
-KEY = jose.JWKRSA.load(test_util.load_vector('rsa512_key.pem'))
-
-DIRECTORY_V2 = messages.Directory({
-    'newAccount': 'https://www.letsencrypt-demo.org/acme/new-account',
-    'newNonce': 'https://www.letsencrypt-demo.org/acme/new-nonce',
-    'newOrder': 'https://www.letsencrypt-demo.org/acme/new-order',
-    'revokeCert': 'https://www.letsencrypt-demo.org/acme/revoke-cert',
-    'meta': messages.Directory.Meta(),
-})
-
-
-class ClientV2Test(unittest.TestCase):
-    """Tests for acme.client.ClientV2."""
-
-    def setUp(self):
-        self.response = mock.MagicMock(
-            ok=True, status_code=http_client.OK, headers={}, links={})
-        self.net = mock.MagicMock()
-        self.net.post.return_value = self.response
-        self.net.get.return_value = self.response
-
-        self.identifier = messages.Identifier(
-            typ=messages.IDENTIFIER_FQDN, value='example.com')
-
-        # Registration
-        self.contact = ('mailto:cert-admin@example.com', 'tel:+12025551212')
-        reg = messages.Registration(
-            contact=self.contact, key=KEY.public_key())
-        the_arg: Dict = dict(reg)
-        self.new_reg = messages.NewRegistration(**the_arg)
-        self.regr = messages.RegistrationResource(
-            body=reg, uri='https://www.letsencrypt-demo.org/acme/reg/1')
-
-        # Authorization
-        authzr_uri = 'https://www.letsencrypt-demo.org/acme/authz/1'
-        challb = messages.ChallengeBody(
-            uri=(authzr_uri + '/1'), status=messages.STATUS_VALID,
-            chall=challenges.DNS(token=jose.b64decode(
-                'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA')))
-        self.challr = messages.ChallengeResource(
-            body=challb, authzr_uri=authzr_uri)
-        self.authz = messages.Authorization(
-            identifier=messages.Identifier(
-                typ=messages.IDENTIFIER_FQDN, value='example.com'),
-            challenges=(challb,))
-        self.authzr = messages.AuthorizationResource(
-            body=self.authz, uri=authzr_uri)
-
-        # Reason code for revocation
-        self.rsn = 1
-
-        self.directory = DIRECTORY_V2
-
-        self.client = ClientV2(self.directory, self.net)
-
-        self.new_reg = self.new_reg.update(terms_of_service_agreed=True)
-
-        self.authzr_uri2 = 'https://www.letsencrypt-demo.org/acme/authz/2'
-        self.authz2 = self.authz.update(identifier=messages.Identifier(
-            typ=messages.IDENTIFIER_FQDN, value='www.example.com'),
-            status=messages.STATUS_PENDING)
-        self.authzr2 = messages.AuthorizationResource(
-            body=self.authz2, uri=self.authzr_uri2)
-
-        self.order = messages.Order(
-            identifiers=(self.authz.identifier, self.authz2.identifier),
-            status=messages.STATUS_PENDING,
-            authorizations=(self.authzr.uri, self.authzr_uri2),
-            finalize='https://www.letsencrypt-demo.org/acme/acct/1/order/1/finalize')
-        self.orderr = messages.OrderResource(
-            body=self.order,
-            uri='https://www.letsencrypt-demo.org/acme/acct/1/order/1',
-            authorizations=[self.authzr, self.authzr2], csr_pem=CSR_MIXED_PEM)
-
-    def test_new_account(self):
-        self.response.status_code = http_client.CREATED
-        self.response.json.return_value = self.regr.body.to_json()
-        self.response.headers['Location'] = self.regr.uri
-
-        assert self.regr == self.client.new_account(self.new_reg)
-
-    def test_new_account_tos_link(self):
-        self.response.status_code = http_client.CREATED
-        self.response.json.return_value = self.regr.body.to_json()
-        self.response.headers['Location'] = self.regr.uri
-        self.response.links.update({
-            'terms-of-service': {'url': 'https://www.letsencrypt-demo.org/tos'},
-        })
-
-        assert self.client.new_account(self.new_reg).terms_of_service == \
-                         'https://www.letsencrypt-demo.org/tos'
-
-
-    def test_new_account_conflict(self):
-        self.response.status_code = http_client.OK
-        self.response.headers['Location'] = self.regr.uri
-        with pytest.raises(errors.ConflictError):
-            self.client.new_account(self.new_reg)
-
-    def test_deactivate_account(self):
-        deactivated_regr = self.regr.update(
-            body=self.regr.body.update(status='deactivated'))
-        self.response.json.return_value = deactivated_regr.body.to_json()
-        self.response.status_code = http_client.OK
-        self.response.headers['Location'] = self.regr.uri
-        assert self.client.deactivate_registration(self.regr) == deactivated_regr
-
-    def test_deactivate_authorization(self):
-        deactivated_authz = self.authzr.update(
-            body=self.authzr.body.update(status=messages.STATUS_DEACTIVATED))
-        self.response.json.return_value = deactivated_authz.body.to_json()
-        authzr = self.client.deactivate_authorization(self.authzr)
-        assert deactivated_authz.body == authzr.body
-        assert self.client.net.post.call_count == 1
-        assert self.authzr.uri in self.net.post.call_args_list[0][0]
-
-    def test_new_order(self):
-        order_response = copy.deepcopy(self.response)
-        order_response.status_code = http_client.CREATED
-        order_response.json.return_value = self.order.to_json()
-        order_response.headers['Location'] = self.orderr.uri
-        self.net.post.return_value = order_response
-
-        authz_response = copy.deepcopy(self.response)
-        authz_response.json.return_value = self.authz.to_json()
-        authz_response.headers['Location'] = self.authzr.uri
-        authz_response2 = self.response
-        authz_response2.json.return_value = self.authz2.to_json()
-        authz_response2.headers['Location'] = self.authzr2.uri
-
-        with mock.patch('acme.client.ClientV2._post_as_get') as mock_post_as_get:
-            mock_post_as_get.side_effect = (authz_response, authz_response2)
-            assert self.client.new_order(CSR_MIXED_PEM) == self.orderr
-
-    def test_answer_challege(self):
-        self.response.links['up'] = {'url': self.challr.authzr_uri}
-        self.response.json.return_value = self.challr.body.to_json()
-        chall_response = challenges.DNSResponse(validation=None)
-        self.client.answer_challenge(self.challr.body, chall_response)
-
-        with pytest.raises(errors.UnexpectedUpdate):
-            self.client.answer_challenge(self.challr.body.update(uri='foo'), chall_response)
-
-    def test_answer_challenge_missing_next(self):
-        with pytest.raises(errors.ClientError):
-            self.client.answer_challenge(self.challr.body, challenges.DNSResponse(validation=None))
-
-    @mock.patch('acme.client.datetime')
-    def test_poll_and_finalize(self, mock_datetime):
-        mock_datetime.datetime.now.return_value = datetime.datetime(2018, 2, 15)
-        mock_datetime.timedelta = datetime.timedelta
-        expected_deadline = mock_datetime.datetime.now() + datetime.timedelta(seconds=90)
-
-        self.client.poll_authorizations = mock.Mock(return_value=self.orderr)
-        self.client.finalize_order = mock.Mock(return_value=self.orderr)
-
-        assert self.client.poll_and_finalize(self.orderr) == self.orderr
-        self.client.poll_authorizations.assert_called_once_with(self.orderr, expected_deadline)
-        self.client.finalize_order.assert_called_once_with(self.orderr, expected_deadline)
-
-    @mock.patch('acme.client.datetime')
-    def test_poll_authorizations_timeout(self, mock_datetime):
-        now_side_effect = [datetime.datetime(2018, 2, 15),
-                           datetime.datetime(2018, 2, 16),
-                           datetime.datetime(2018, 2, 17)]
-        mock_datetime.datetime.now.side_effect = now_side_effect
-        self.response.json.side_effect = [
-            self.authz.to_json(), self.authz2.to_json(), self.authz2.to_json()]
-
-        with pytest.raises(errors.TimeoutError):
-            self.client.poll_authorizations(self.orderr, now_side_effect[1])
-
-    def test_poll_authorizations_failure(self):
-        deadline = datetime.datetime(9999, 9, 9)
-        challb = self.challr.body.update(status=messages.STATUS_INVALID,
-                                         error=messages.Error.with_code('unauthorized'))
-        authz = self.authz.update(status=messages.STATUS_INVALID, challenges=(challb,))
-        self.response.json.return_value = authz.to_json()
-
-        with pytest.raises(errors.ValidationError):
-            self.client.poll_authorizations(self.orderr, deadline)
-
-    def test_poll_authorizations_success(self):
-        deadline = datetime.datetime(9999, 9, 9)
-        updated_authz2 = self.authz2.update(status=messages.STATUS_VALID)
-        updated_authzr2 = messages.AuthorizationResource(
-            body=updated_authz2, uri=self.authzr_uri2)
-        updated_orderr = self.orderr.update(authorizations=[self.authzr, updated_authzr2])
-
-        self.response.json.side_effect = (
-            self.authz.to_json(), self.authz2.to_json(), updated_authz2.to_json())
-        assert self.client.poll_authorizations(self.orderr, deadline) == updated_orderr
-
-    def test_poll_unexpected_update(self):
-        updated_authz = self.authz.update(identifier=self.identifier.update(value='foo'))
-        self.response.json.return_value = updated_authz.to_json()
-        with pytest.raises(errors.UnexpectedUpdate):
-            self.client.poll(self.authzr)
-
-    def test_finalize_order_success(self):
-        updated_order = self.order.update(
-            certificate='https://www.letsencrypt-demo.org/acme/cert/',
-            status=messages.STATUS_VALID)
-        updated_orderr = self.orderr.update(body=updated_order, fullchain_pem=CERT_SAN_PEM)
-
-        self.response.json.return_value = updated_order.to_json()
-        self.response.text = CERT_SAN_PEM
-
-        deadline = datetime.datetime(9999, 9, 9)
-        assert self.client.finalize_order(self.orderr, deadline) == updated_orderr
-
-    def test_finalize_order_error(self):
-        updated_order = self.order.update(
-            error=messages.Error.with_code('unauthorized'),
-            status=messages.STATUS_INVALID)
-        self.response.json.return_value = updated_order.to_json()
-
-        deadline = datetime.datetime(9999, 9, 9)
-        with pytest.raises(errors.IssuanceError):
-            self.client.finalize_order(self.orderr, deadline)
-
-    def test_finalize_order_invalid_status(self):
-        # https://github.com/certbot/certbot/issues/9296
-        order = self.order.update(error=None, status=messages.STATUS_INVALID)
-        self.response.json.return_value = order.to_json()
-        with pytest.raises(errors.Error, match="The certificate order failed"):
-            self.client.finalize_order(self.orderr, datetime.datetime(9999, 9, 9))
-
-    def test_finalize_order_timeout(self):
-        deadline = datetime.datetime.now() - datetime.timedelta(seconds=60)
-        with pytest.raises(errors.TimeoutError):
-            self.client.finalize_order(self.orderr, deadline)
-
-    def test_finalize_order_alt_chains(self):
-        updated_order = self.order.update(
-            certificate='https://www.letsencrypt-demo.org/acme/cert/',
-            status=messages.STATUS_VALID
-        )
-        updated_orderr = self.orderr.update(body=updated_order,
-                                            fullchain_pem=CERT_SAN_PEM,
-                                            alternative_fullchains_pem=[CERT_SAN_PEM,
-                                                                        CERT_SAN_PEM])
-        self.response.json.return_value = updated_order.to_json()
-        self.response.text = CERT_SAN_PEM
-        self.response.headers['Link'] ='<https://example.com/acme/cert/1>;rel="alternate", ' + \
-            '<https://example.com/dir>;rel="index", ' + \
-            '<https://example.com/acme/cert/2>;title="foo";rel="alternate"'
-
-        deadline = datetime.datetime(9999, 9, 9)
-        resp = self.client.finalize_order(self.orderr, deadline, fetch_alternative_chains=True)
-        self.net.post.assert_any_call('https://example.com/acme/cert/1',
-                                      mock.ANY, new_nonce_url=mock.ANY)
-        self.net.post.assert_any_call('https://example.com/acme/cert/2',
-                                      mock.ANY, new_nonce_url=mock.ANY)
-        assert resp == updated_orderr
-
-        del self.response.headers['Link']
-        resp = self.client.finalize_order(self.orderr, deadline, fetch_alternative_chains=True)
-        assert resp == updated_orderr.update(alternative_fullchains_pem=[])
-
-    def test_revoke(self):
-        self.client.revoke(messages_test.CERT, self.rsn)
-        self.net.post.assert_called_once_with(
-            self.directory["revokeCert"], mock.ANY, new_nonce_url=DIRECTORY_V2['newNonce'])
-
-    def test_revoke_bad_status_raises_error(self):
-        self.response.status_code = http_client.METHOD_NOT_ALLOWED
-        with pytest.raises(errors.ClientError):
-            self.client.revoke(messages_test.CERT,
-            self.rsn)
-
-    def test_update_registration(self):
-        # "Instance of 'Field' has no to_json/update member" bug:
-        self.response.headers['Location'] = self.regr.uri
-        self.response.json.return_value = self.regr.body.to_json()
-        assert self.regr == self.client.update_registration(self.regr)
-        assert self.client.net.account is not None
-        assert self.client.net.post.call_count == 2
-        assert DIRECTORY_V2.newAccount in self.net.post.call_args_list[0][0]
-
-        self.response.json.return_value = self.regr.body.update(
-            contact=()).to_json()
-
-    def test_external_account_required_true(self):
-        self.client.directory = messages.Directory({
-            'meta': messages.Directory.Meta(external_account_required=True)
-        })
-
-        assert self.client.external_account_required()
-
-    def test_external_account_required_false(self):
-        self.client.directory = messages.Directory({
-            'meta': messages.Directory.Meta(external_account_required=False)
-        })
-
-        assert not self.client.external_account_required()
-
-    def test_external_account_required_default(self):
-        assert not self.client.external_account_required()
-
-    def test_query_registration_client(self):
-        self.response.json.return_value = self.regr.body.to_json()
-        self.response.headers['Location'] = 'https://www.letsencrypt-demo.org/acme/reg/1'
-        assert self.regr == self.client.query_registration(self.regr)
-
-    def test_post_as_get(self):
-        with mock.patch('acme.client.ClientV2._authzr_from_response') as mock_client:
-            mock_client.return_value = self.authzr2
-
-            self.client.poll(self.authzr2)  # pylint: disable=protected-access
-
-            self.client.net.post.assert_called_once_with(
-                self.authzr2.uri, None,
-                new_nonce_url='https://www.letsencrypt-demo.org/acme/new-nonce')
-            self.client.net.get.assert_not_called()
-
-    def test_retry_after_date(self):
-        self.response.headers['Retry-After'] = 'Fri, 31 Dec 1999 23:59:59 GMT'
-        assert datetime.datetime(1999, 12, 31, 23, 59, 59) == \
-            self.client.retry_after(response=self.response, default=10)
-
-    @mock.patch('acme.client.datetime')
-    def test_retry_after_invalid(self, dt_mock):
-        dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27)
-        dt_mock.timedelta = datetime.timedelta
-
-        self.response.headers['Retry-After'] = 'foooo'
-        assert datetime.datetime(2015, 3, 27, 0, 0, 10) == \
-            self.client.retry_after(response=self.response, default=10)
-
-    @mock.patch('acme.client.datetime')
-    def test_retry_after_overflow(self, dt_mock):
-        dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27)
-        dt_mock.timedelta = datetime.timedelta
-        dt_mock.datetime.side_effect = datetime.datetime
-
-        self.response.headers['Retry-After'] = "Tue, 116 Feb 2016 11:50:00 MST"
-        assert datetime.datetime(2015, 3, 27, 0, 0, 10) == \
-            self.client.retry_after(response=self.response, default=10)
-
-    @mock.patch('acme.client.datetime')
-    def test_retry_after_seconds(self, dt_mock):
-        dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27)
-        dt_mock.timedelta = datetime.timedelta
-
-        self.response.headers['Retry-After'] = '50'
-        assert datetime.datetime(2015, 3, 27, 0, 0, 50) == \
-            self.client.retry_after(response=self.response, default=10)
-
-    @mock.patch('acme.client.datetime')
-    def test_retry_after_missing(self, dt_mock):
-        dt_mock.datetime.now.return_value = datetime.datetime(2015, 3, 27)
-        dt_mock.timedelta = datetime.timedelta
-
-        assert datetime.datetime(2015, 3, 27, 0, 0, 10) == \
-            self.client.retry_after(response=self.response, default=10)
-
-    def test_get_directory(self):
-        self.response.json.return_value = DIRECTORY_V2.to_json()
-        assert DIRECTORY_V2.to_partial_json() == \
-            ClientV2.get_directory('https://example.com/dir', self.net).to_partial_json()
-
-
-class MockJSONDeSerializable(jose.JSONDeSerializable):
-    # pylint: disable=missing-docstring
-    def __init__(self, value):
-        self.value = value
-
-    def to_partial_json(self):
-        return {'foo': self.value}
-
-    @classmethod
-    def from_json(cls, jobj):
-        pass  # pragma: no cover
-
-
-class ClientNetworkTest(unittest.TestCase):
-    """Tests for acme.client.ClientNetwork."""
-
-    def setUp(self):
-        self.verify_ssl = mock.MagicMock()
-        self.wrap_in_jws = mock.MagicMock(return_value=mock.sentinel.wrapped)
-
-        self.net = ClientNetwork(
-            key=KEY, alg=jose.RS256, verify_ssl=self.verify_ssl,
-            user_agent='acme-python-test')
-
-        self.response = mock.MagicMock(ok=True, status_code=http_client.OK)
-        self.response.headers = {}
-        self.response.links = {}
-
-    def test_init(self):
-        assert self.net.verify_ssl is self.verify_ssl
-
-    def test_wrap_in_jws(self):
-        # pylint: disable=protected-access
-        jws_dump = self.net._wrap_in_jws(
-            MockJSONDeSerializable('foo'), nonce=b'Tg', url="url")
-        jws = acme_jws.JWS.json_loads(jws_dump)
-        assert json.loads(jws.payload.decode()) == {'foo': 'foo'}
-        assert jws.signature.combined.nonce == b'Tg'
-
-    def test_wrap_in_jws_v2(self):
-        self.net.account = {'uri': 'acct-uri'}
-        # pylint: disable=protected-access
-        jws_dump = self.net._wrap_in_jws(
-            MockJSONDeSerializable('foo'), nonce=b'Tg', url="url")
-        jws = acme_jws.JWS.json_loads(jws_dump)
-        assert json.loads(jws.payload.decode()) == {'foo': 'foo'}
-        assert jws.signature.combined.nonce == b'Tg'
-        assert jws.signature.combined.kid == u'acct-uri'
-        assert jws.signature.combined.url == u'url'
-
-    def test_check_response_not_ok_jobj_no_error(self):
-        self.response.ok = False
-        self.response.json.return_value = {}
-        with mock.patch('acme.client.messages.Error.from_json') as from_json:
-            from_json.side_effect = jose.DeserializationError
-            # pylint: disable=protected-access
-            with pytest.raises(errors.ClientError):
-                self.net._check_response(self.response)
-
-    def test_check_response_not_ok_jobj_error(self):
-        self.response.ok = False
-        self.response.json.return_value = messages.Error.with_code(
-            'serverInternal', detail='foo', title='some title').to_json()
-        # pylint: disable=protected-access
-        with pytest.raises(messages.Error):
-            self.net._check_response(self.response)
-
-    def test_check_response_not_ok_no_jobj(self):
-        self.response.ok = False
-        self.response.json.side_effect = ValueError
-        # pylint: disable=protected-access
-        with pytest.raises(errors.ClientError):
-            self.net._check_response(self.response)
-
-    def test_check_response_ok_no_jobj_ct_required(self):
-        self.response.json.side_effect = ValueError
-        for response_ct in [self.net.JSON_CONTENT_TYPE, 'foo']:
-            self.response.headers['Content-Type'] = response_ct
-            # pylint: disable=protected-access
-            with pytest.raises(errors.ClientError):
-                self.net._check_response(self.response,
-                content_type=self.net.JSON_CONTENT_TYPE)
-
-    def test_check_response_ok_no_jobj_no_ct(self):
-        self.response.json.side_effect = ValueError
-        for response_ct in [self.net.JSON_CONTENT_TYPE, 'foo']:
-            self.response.headers['Content-Type'] = response_ct
-            # pylint: disable=protected-access
-            assert self.response == self.net._check_response(self.response)
-
-    @mock.patch('acme.client.logger')
-    def test_check_response_ok_ct_with_charset(self, mock_logger):
-        self.response.json.return_value = {}
-        self.response.headers['Content-Type'] = 'application/json; charset=utf-8'
-        # pylint: disable=protected-access
-        assert self.response == self.net._check_response(
-            self.response, content_type='application/json')
-        try:
-            mock_logger.debug.assert_called_with(
-                'Ignoring wrong Content-Type (%r) for JSON decodable response',
-                'application/json; charset=utf-8'
-            )
-        except AssertionError:
-            return
-        raise AssertionError('Expected Content-Type warning ' #pragma: no cover
-            'to not have been logged')
-
-    @mock.patch('acme.client.logger')
-    def test_check_response_ok_bad_ct(self, mock_logger):
-        self.response.json.return_value = {}
-        self.response.headers['Content-Type'] = 'text/plain'
-        # pylint: disable=protected-access
-        assert self.response == self.net._check_response(
-            self.response, content_type='application/json')
-        mock_logger.debug.assert_called_with(
-            'Ignoring wrong Content-Type (%r) for JSON decodable response',
-            'text/plain'
-        )
-
-    def test_check_response_conflict(self):
-        self.response.ok = False
-        self.response.status_code = 409
-        # pylint: disable=protected-access
-        with pytest.raises(errors.ConflictError):
-            self.net._check_response(self.response)
-
-    def test_check_response_jobj(self):
-        self.response.json.return_value = {}
-        for response_ct in [self.net.JSON_CONTENT_TYPE, 'foo']:
-            self.response.headers['Content-Type'] = response_ct
-            # pylint: disable=protected-access
-            assert self.response == self.net._check_response(self.response)
-
-    def test_send_request(self):
-        self.net.session = mock.MagicMock()
-        self.net.session.request.return_value = self.response
-        # pylint: disable=protected-access
-        assert self.response == self.net._send_request(
-            'HEAD', 'http://example.com/', 'foo', bar='baz')
-        self.net.session.request.assert_called_once_with(
-            'HEAD', 'http://example.com/', 'foo',
-            headers=mock.ANY, verify=mock.ANY, timeout=mock.ANY, bar='baz')
-
-    @mock.patch('acme.client.logger')
-    def test_send_request_get_der(self, mock_logger):
-        self.net.session = mock.MagicMock()
-        self.net.session.request.return_value = mock.MagicMock(
-            ok=True, status_code=http_client.OK,
-            content=b"hi")
-        # pylint: disable=protected-access
-        self.net._send_request('HEAD', 'http://example.com/', 'foo',
-          timeout=mock.ANY, bar='baz', headers={'Accept': 'application/pkix-cert'})
-        mock_logger.debug.assert_called_with(
-            'Received response:\nHTTP %d\n%s\n\n%s', 200,
-            '', b'aGk=')
-
-    def test_send_request_post(self):
-        self.net.session = mock.MagicMock()
-        self.net.session.request.return_value = self.response
-        # pylint: disable=protected-access
-        assert self.response == self.net._send_request(
-            'POST', 'http://example.com/', 'foo', data='qux', bar='baz')
-        self.net.session.request.assert_called_once_with(
-            'POST', 'http://example.com/', 'foo',
-            headers=mock.ANY, verify=mock.ANY, timeout=mock.ANY, data='qux', bar='baz')
-
-    def test_send_request_verify_ssl(self):
-        # pylint: disable=protected-access
-        for verify in True, False:
-            self.net.session = mock.MagicMock()
-            self.net.session.request.return_value = self.response
-            self.net.verify_ssl = verify
-            # pylint: disable=protected-access
-            assert self.response == \
-                self.net._send_request('GET', 'http://example.com/')
-            self.net.session.request.assert_called_once_with(
-                'GET', 'http://example.com/', verify=verify,
-                timeout=mock.ANY, headers=mock.ANY)
-
-    def test_send_request_user_agent(self):
-        self.net.session = mock.MagicMock()
-        # pylint: disable=protected-access
-        self.net._send_request('GET', 'http://example.com/',
-                               headers={'bar': 'baz'})
-        self.net.session.request.assert_called_once_with(
-            'GET', 'http://example.com/', verify=mock.ANY,
-            timeout=mock.ANY,
-            headers={'User-Agent': 'acme-python-test', 'bar': 'baz'})
-
-        self.net._send_request('GET', 'http://example.com/',
-                               headers={'User-Agent': 'foo2'})
-        self.net.session.request.assert_called_with(
-            'GET', 'http://example.com/',
-            verify=mock.ANY, timeout=mock.ANY, headers={'User-Agent': 'foo2'})
-
-    def test_send_request_timeout(self):
-        self.net.session = mock.MagicMock()
-        # pylint: disable=protected-access
-        self.net._send_request('GET', 'http://example.com/',
-                               headers={'bar': 'baz'})
-        self.net.session.request.assert_called_once_with(
-            mock.ANY, mock.ANY, verify=mock.ANY, headers=mock.ANY,
-            timeout=45)
-
-    def test_del(self, close_exception=None):
-        sess = mock.MagicMock()
-
-        if close_exception is not None:
-            sess.close.side_effect = close_exception
-
-        self.net.session = sess
-        del self.net
-        sess.close.assert_called_once_with()
-
-    def test_del_error(self):
-        self.test_del(ReferenceError)
-
-    @mock.patch('acme.client.requests')
-    def test_requests_error_passthrough(self, mock_requests):
-        mock_requests.exceptions = requests.exceptions
-        mock_requests.request.side_effect = requests.exceptions.RequestException
-        # pylint: disable=protected-access
-        with pytest.raises(requests.exceptions.RequestException):
-            self.net._send_request('GET', 'uri')
-
-    def test_urllib_error(self):
-        # Using a connection error to test a properly formatted error message
-        try:
-            # pylint: disable=protected-access
-            self.net._send_request('GET', "http://localhost:19123/nonexistent.txt")
-
-        # Value Error Generated Exceptions
-        except ValueError as y:
-            assert "Requesting localhost/nonexistent: " \
-                             "Connection refused" == str(y)
-
-        # Requests Library Exceptions
-        except requests.exceptions.ConnectionError as z: #pragma: no cover
-            assert "'Connection aborted.'" in str(z) or "[WinError 10061]" in str(z)
-
-
-class ClientNetworkWithMockedResponseTest(unittest.TestCase):
-    """Tests for acme.client.ClientNetwork which mock out response."""
-
-    def setUp(self):
-        self.net = ClientNetwork(key=None, alg=None)
-
-        self.response = mock.MagicMock(ok=True, status_code=http_client.OK)
-        self.response.headers = {}
-        self.response.links = {}
-        self.response.checked = False
-        self.acmev1_nonce_response = mock.MagicMock(
-            ok=False, status_code=http_client.METHOD_NOT_ALLOWED)
-        self.acmev1_nonce_response.headers = {}
-        self.obj = mock.MagicMock()
-        self.wrapped_obj = mock.MagicMock()
-        self.content_type = mock.sentinel.content_type
-
-        self.all_nonces = [
-            jose.b64encode(b'Nonce'),
-            jose.b64encode(b'Nonce2'), jose.b64encode(b'Nonce3')]
-        self.available_nonces = self.all_nonces[:]
-
-        def send_request(*args, **kwargs):
-            # pylint: disable=unused-argument,missing-docstring
-            assert "new_nonce_url" not in kwargs
-            method = args[0]
-            uri = args[1]
-            if method == 'HEAD' and uri != "new_nonce_uri":
-                response = self.acmev1_nonce_response
-            else:
-                response = self.response
-
-            if self.available_nonces:
-                response.headers = {
-                    self.net.REPLAY_NONCE_HEADER:
-                    self.available_nonces.pop().decode()}
-            else:
-                response.headers = {}
-            return response
-
-        # pylint: disable=protected-access
-        self.net._send_request = self.send_request = mock.MagicMock(
-            side_effect=send_request)
-        self.net._check_response = self.check_response
-        self.net._wrap_in_jws = mock.MagicMock(return_value=self.wrapped_obj)
-
-    def check_response(self, response, content_type):
-        # pylint: disable=missing-docstring
-        assert self.response == response
-        assert self.content_type == content_type
-        assert self.response.ok
-        self.response.checked = True
-        return self.response
-
-    def test_head(self):
-        assert self.acmev1_nonce_response == self.net.head(
-            'http://example.com/', 'foo', bar='baz')
-        self.send_request.assert_called_once_with(
-            'HEAD', 'http://example.com/', 'foo', bar='baz')
-
-    def test_head_v2(self):
-        assert self.response == self.net.head(
-            'new_nonce_uri', 'foo', bar='baz')
-        self.send_request.assert_called_once_with(
-            'HEAD', 'new_nonce_uri', 'foo', bar='baz')
-
-    def test_get(self):
-        assert self.response == self.net.get(
-            'http://example.com/', content_type=self.content_type, bar='baz')
-        assert self.response.checked
-        self.send_request.assert_called_once_with(
-            'GET', 'http://example.com/', bar='baz')
-
-    def test_post_no_content_type(self):
-        self.content_type = self.net.JOSE_CONTENT_TYPE
-        assert self.response == self.net.post('uri', self.obj)
-        assert self.response.checked
-
-    def test_post(self):
-        # pylint: disable=protected-access
-        assert self.response == self.net.post(
-            'uri', self.obj, content_type=self.content_type)
-        assert self.response.checked
-        self.net._wrap_in_jws.assert_called_once_with(
-            self.obj, jose.b64decode(self.all_nonces.pop()), "uri")
-
-        self.available_nonces = []
-        with pytest.raises(errors.MissingNonce):
-            self.net.post('uri', self.obj, content_type=self.content_type)
-        self.net._wrap_in_jws.assert_called_with(
-            self.obj, jose.b64decode(self.all_nonces.pop()), "uri")
-
-    def test_post_wrong_initial_nonce(self):  # HEAD
-        self.available_nonces = [b'f', jose.b64encode(b'good')]
-        with pytest.raises(errors.BadNonce):
-            self.net.post('uri',
-                          self.obj, content_type=self.content_type)
-
-    def test_post_wrong_post_response_nonce(self):
-        self.available_nonces = [jose.b64encode(b'good'), b'f']
-        with pytest.raises(errors.BadNonce):
-            self.net.post('uri',
-                          self.obj, content_type=self.content_type)
-
-    def test_post_failed_retry(self):
-        check_response = mock.MagicMock()
-        check_response.side_effect = messages.Error.with_code('badNonce')
-
-        # pylint: disable=protected-access
-        self.net._check_response = check_response
-        with pytest.raises(messages.Error):
-            self.net.post('uri',
-                          self.obj, content_type=self.content_type)
-
-    def test_post_not_retried(self):
-        check_response = mock.MagicMock()
-        check_response.side_effect = [messages.Error.with_code('malformed'),
-                                      self.response]
-
-        # pylint: disable=protected-access
-        self.net._check_response = check_response
-        with pytest.raises(messages.Error):
-            self.net.post('uri',
-                          self.obj, content_type=self.content_type)
-
-    def test_post_successful_retry(self):
-        post_once = mock.MagicMock()
-        post_once.side_effect = [messages.Error.with_code('badNonce'),
-                                      self.response]
-
-        # pylint: disable=protected-access
-        assert self.response == self.net.post(
-            'uri', self.obj, content_type=self.content_type)
-
-    def test_head_get_post_error_passthrough(self):
-        self.send_request.side_effect = requests.exceptions.RequestException
-        for method in self.net.head, self.net.get:
-            with pytest.raises(requests.exceptions.RequestException):
-                method('GET', 'uri')
-        with pytest.raises(requests.exceptions.RequestException):
-            self.net.post('uri', obj=self.obj)
-
-    def test_post_bad_nonce_head(self):
-        # pylint: disable=protected-access
-        # regression test for https://github.com/certbot/certbot/issues/6092
-        bad_response = mock.MagicMock(ok=False, status_code=http_client.SERVICE_UNAVAILABLE)
-        self.net._send_request = mock.MagicMock()
-        self.net._send_request.return_value = bad_response
-        self.content_type = None
-        check_response = mock.MagicMock()
-        self.net._check_response = check_response
-        with pytest.raises(errors.ClientError):
-            self.net.post('uri',
-                          self.obj, content_type=self.content_type,
-                          new_nonce_url='new_nonce_uri')
-        assert check_response.call_count == 1
-
-    def test_new_nonce_uri_removed(self):
-        self.content_type = None
-        self.net.post('uri', self.obj, content_type=None, new_nonce_url='new_nonce_uri')
-
-
-if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/acme/_internal/tests/fields_test.py

@@ -1,60 +0,0 @@
-"""Tests for acme.fields."""
-import datetime
-import sys
-import unittest
-import warnings
-
-import josepy as jose
-import pytest
-import pytz
-
-
-class FixedTest(unittest.TestCase):
-    """Tests for acme.fields.Fixed."""
-
-    def setUp(self):
-        from acme.fields import fixed
-        self.field = fixed('name', 'x')
-
-    def test_decode(self):
-        assert 'x' == self.field.decode('x')
-
-    def test_decode_bad(self):
-        with pytest.raises(jose.DeserializationError):
-            self.field.decode('y')
-
-    def test_encode(self):
-        assert 'x' == self.field.encode('x')
-
-    def test_encode_override(self):
-        assert 'y' == self.field.encode('y')
-
-
-class RFC3339FieldTest(unittest.TestCase):
-    """Tests for acme.fields.RFC3339Field."""
-
-    def setUp(self):
-        self.decoded = datetime.datetime(2015, 3, 27, tzinfo=pytz.UTC)
-        self.encoded = '2015-03-27T00:00:00Z'
-
-    def test_default_encoder(self):
-        from acme.fields import RFC3339Field
-        assert self.encoded == RFC3339Field.default_encoder(self.decoded)
-
-    def test_default_encoder_naive_fails(self):
-        from acme.fields import RFC3339Field
-        with pytest.raises(ValueError):
-            RFC3339Field.default_encoder(datetime.datetime.now())
-
-    def test_default_decoder(self):
-        from acme.fields import RFC3339Field
-        assert self.decoded == RFC3339Field.default_decoder(self.encoded)
-
-    def test_default_decoder_raises_deserialization_error(self):
-        from acme.fields import RFC3339Field
-        with pytest.raises(jose.DeserializationError):
-            RFC3339Field.default_decoder('')
-
-
-if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/acme/_internal/tests/jose_test.py

@@ -1,54 +0,0 @@
-"""Tests for acme.jose shim."""
-import importlib
-import sys
-import unittest
-
-import pytest
-
-
-def _test_it(submodule, attribute):
-    if submodule:
-        acme_jose_path = 'acme.jose.' + submodule
-        josepy_path = 'josepy.' + submodule
-    else:
-        acme_jose_path = 'acme.jose'
-        josepy_path = 'josepy'
-    acme_jose_mod = importlib.import_module(acme_jose_path)
-    josepy_mod = importlib.import_module(josepy_path)
-
-    assert acme_jose_mod is josepy_mod
-    assert getattr(acme_jose_mod, attribute) is getattr(josepy_mod, attribute)
-
-    # We use the imports below with eval, but pylint doesn't
-    # understand that.
-    import josepy  # pylint: disable=unused-import
-
-    import acme  # pylint: disable=unused-import
-    acme_jose_mod = eval(acme_jose_path)  # pylint: disable=eval-used
-    josepy_mod = eval(josepy_path)  # pylint: disable=eval-used
-    assert acme_jose_mod is josepy_mod
-    assert getattr(acme_jose_mod, attribute) is getattr(josepy_mod, attribute)
-
-def test_top_level():
-    _test_it('', 'RS512')
-
-def test_submodules():
-    # This test ensures that the modules in josepy that were
-    # available at the time it was moved into its own package are
-    # available under acme.jose. Backwards compatibility with new
-    # modules or testing code is not maintained.
-    mods_and_attrs = [('b64', 'b64decode',),
-                      ('errors', 'Error',),
-                      ('interfaces', 'JSONDeSerializable',),
-                      ('json_util', 'Field',),
-                      ('jwa', 'HS256',),
-                      ('jwk', 'JWK',),
-                      ('jws', 'JWS',),
-                      ('util', 'ImmutableMap',),]
-
-    for mod, attr in mods_and_attrs:
-        _test_it(mod, attr)
-
-
-if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/acme/_internal/tests/testdata/README

@@ -1,21 +0,0 @@
-In order for acme.test_util._guess_loader to work properly, make sure
-to use appropriate extension for vector filenames: .pem for PEM and
-.der for DER.
-
-The following command has been used to generate test keys:
-
-  for k in 256 512 1024 2048 4096; do openssl genrsa -out rsa${k}_key.pem $k; done
-
-and for the CSR:
-
-  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der
-
-and for the certificates:
-
-  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der
-  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 > rsa2048_cert.pem
-  openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 > rsa1024_cert.pem
-
-and for the elliptic key curves:
-
-  openssl genpkey -algorithm EC -out ec_secp384r1.pem -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve

acme/acme/_internal/tests/testdata/cert-ipsans.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDizCCAnOgAwIBAgIIPNBLQXwhoUkwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE
-AxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxNzNiMjYwHhcNMjAwNTI5MTkxODA5
-WhcNMjUwNTI5MTkxODA5WjAWMRQwEgYDVQQDEwsxOTIuMC4yLjE0NTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALyChb+NDA26GF1AfC0nzEdfOTchKw0h
-q41xEjonvg5UXgZf/aH/ntvugIkYP0MaFifNAjebOVVsemEVEtyWcUKTfBHKZGbZ
-ukTDwFIjfTccCfo6U/B2H7ZLzJIywl8DcUw9DypadeQBm8PS0VVR2ncy73dvaqym
-crhAwlASyXU0mhLqRDMMxfg5Bn/FWpcsIcDpLmPn8Q/FvdRc2t5ryBNw/aWOlwqT
-Oy16nbfLj2T0zG1A3aPuD+eT/JFUe/o3K7R+FAx7wt+RziQO46wLVVF1SueZUrIU
-zqN04Gl8Kt1WM2SniZ0gq/rORUNcPtT0NAEsEslTQfA+Trq6j2peqyMCAwEAAaOB
-yjCBxzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
-BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHj1mwZzP//nMIH2i58NRUl/arHn
-MB8GA1UdIwQYMBaAFF5DVAKabvIUvKFHGouscA2Qdpe6MDEGCCsGAQUFBwEBBCUw
-IzAhBggrBgEFBQcwAYYVaHR0cDovLzEyNy4wLjAuMTo0MDAyMBUGA1UdEQQOMAyH
-BMAAApGHBMsAcQEwDQYJKoZIhvcNAQELBQADggEBAHjSgDg76/UCIMSYddyhj18r
-LdNKjA7p8ovnErSkebFT4lIZ9f3Sma9moNr0w64M33NamuFyHe/KTdk90mvoW8Uu
-26aDekiRIeeMakzbAtDKn67tt2tbedKIYRATcSYVwsV46uZKbM621dZKIjjxOWpo
-IY6rZYrku8LYhoXJXOqRduV3cTRVuTm5bBa9FfVNtt6N1T5JOtKKDEhuSaF4RSug
-PDy3hQIiHrVvhPfVrXU3j6owz/8UCS5549inES9ONTFrvM9o0H1R/MsmGNXR5hF5
-iJqHKC7n8LZujhVnoFIpHu2Dsiefbfr+yRYJS4I+ezy6Nq/Ok8rc8zp0eoX+uyY=
------END CERTIFICATE-----

acme/acme/_internal/tests/testdata/cert-ipv6sans.pem

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDmzCCAoOgAwIBAgIIFdxeZP+v2rgwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UE
-AxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSA0M2M5NTcwHhcNMjAwNTMwMDQwNzMw
-WhcNMjUwNTMwMDQwNzMwWjAOMQwwCgYDVQQDEwM6OjEwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQC7VidVduJvqKtrSH0fw6PjE0cqL4Kfzo7klexWUkHG
-KVAa0fRVZFZ462jxKOt417V2U4WJQ6WHHO9PJ+3gW62d/MhCw8FRtUQS4nYFjqB6
-32+RFU21VRN7cWoQEqSwnEPbh/v/zv/KS5JhQ+swWUo79AOLm1kjnZWCKtcqh1Lc
-Ug5Tkpot6luoxTKp52MkchvXDpj0q2B/XpLJ8/pw5cqjv7mH12EDOK2HXllA+WwX
-ZpstcEhaA4FqtaHOW/OHnwTX5MUbINXE5YYHVEDR6moVM31/W/3pe9NDUMTDE7Si
-lVQnZbXM9NYbzZqlh+WhemDWwnIfGI6rtsfNEiirVEOlAgMBAAGjgeIwgd8wDgYD
-VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
-HRMBAf8EAjAAMB0GA1UdDgQWBBS8DL+MZfDIy6AKky69Tgry2Vxq5DAfBgNVHSME
-GDAWgBRAsFqVenRRKgB1YPzWKzb9bzZ/ozAxBggrBgEFBQcBAQQlMCMwIQYIKwYB
-BQUHMAGGFWh0dHA6Ly8xMjcuMC4wLjE6NDAwMjAtBgNVHREEJjAkhxAAAAAAAAAA
-AAAAAAAAAAABhxCjvjLzIG7HXQlWDO6YWF7FMA0GCSqGSIb3DQEBCwUAA4IBAQBY
-M9UTZ3uaKMQ+He9kWR3p9jh6hTSD0FNi79ZdfkG0lgSzhhduhN7OhzQH2ihUUfa6
-rtKTw74fGbszhizCd9UB8YPKlm3si1Xbg6ZUQlA1RtoQo7RUGEa6ZbR68PKGm9Go
-hTTFIl/JS8jzxBR8jywZdyqtprUx+nnNUDiNk0hJtFLhw7OJH0AHlAUNqHsfD08m
-HXRdaV6q14HXU5g31slBat9H4D6tCU/2uqBURwW0wVdnqh4QeRfAeqiatJS9EmSF
-ctbc7n894Idy2Xce7NFoIy5cht3m6Rd42o/LmBsJopBmQcDPZT70/XzRtc2qE0cS
-CzBIGQHUJ6BfmBjrCQnp
------END CERTIFICATE-----

acme/acme/_internal/tests/testdata/csr-ipsans.pem

@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICbTCCAVUCAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKT/
-CE7Y5EYBvI4p7Frt763upIKHDHO/R5/TWMjG8Jm9qTMui8sbMgyh2Yh+lR/j/5Xd
-tQrhgC6wx10MrW2+3JtYS88HP1p6si8zU1dbK34n3NyyklR2RivW0R7dXgnYNy7t
-5YcDYLCrbRMIPINV/uHrmzIHWYUDNcZVdAfIM2AHfKYuV6Mepcn///5GR+l4GcAh
-Nkf9CW8OdAIuKdbyLCxVr0mUW/vJz1b12uxPsgUdax9sjXgZdT4pfMXADsFd1NeF
-atpsXU073inqtHru+2F9ijHTQ75TC+u/rr6eYl3BnBntac0gp/ADtDBii7/Q1JOO
-Bhq7xJNqqxIEdiyM7zcCAwEAAaAoMCYGCSqGSIb3DQEJDjEZMBcwFQYDVR0RBA4w
-DIcEwAACkYcEywBxATANBgkqhkiG9w0BAQsFAAOCAQEADG5g3zdbSCaXpZhWHkzE
-Mek3f442TUE1pB+ITRpthmM4N3zZWETYmbLCIAO624uMrRnbCCMvAoLs/L/9ETg/
-XMMFtonQC8u9i9tV8B1ceBh8lpIfa+8b9TMWH3bqnrbWQ+YIl+Yd0gXiCZWJ9vK4
-eM1Gddu/2bR6s/k4h/XAWRgEexqk57EHr1z0N+T9OoX939n3mVcNI+u9kfd5VJ0z
-VyA3R8WR6T6KlEl5P5pcWe5Kuyhi7xMmLVImXqBtvKq4O1AMfM+gQr/yn9aE8IRq
-khP7JrMBLUIub1c/qu2TfvnynNPSM/ZcOX+6PHdHmRkR3nI0Ndpv7Ntv31FTplAm
-Dw==
------END CERTIFICATE REQUEST-----

acme/acme/_internal/tests/testdata/csr-ipv6sans.pem

@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIChTCCAW0CAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOIc
-UAppcqJfTkSqqOFqGt1v7lIJZPOcF4bcKI3d5cHAGbOuVxbC7uMaDuObwYLzoiED
-qnvs1NaEq2phO6KsgGESB7IE2LUjJivO7OnSZjNRpL5si/9egvBiNCn/50lULaWG
-gLEuyMfk3awZy2mVAymy7Grhbx069A4TH8TqsHuq2RpKyuDL27e/jUt6yYecb3pu
-hWMiWy3segif4tI46pkOW0/I6DpxyYD2OqOvzxm/voS9RMqE2+7YJA327H7bEi3N
-lJZEZ1zy7clZ9ga5fBQaetzbg2RyxTrZ7F919NQXSFoXgxb10Eg64wIpz0L3ooCm
-GEHehsZZexa3J5ccIvMCAwEAAaBAMD4GCSqGSIb3DQEJDjExMC8wLQYDVR0RBCYw
-JIcQAAAAAAAAAAAAAAAAAAAAAYcQo74y8yBux10JVgzumFhexTANBgkqhkiG9w0B
-AQsFAAOCAQEALvwVn0A/JPTCiNzcozHFnp5M23C9PXCplWc5u4k34d4XXzpSeFDz
-fL4gy7NpYIueme2K2ppw2j3PNQUdR6vQ5a75sriegWYrosL+7Q6Joh51ZyEUZQoD
-mNl4M4S4oX85EaChR6NFGBywTfjFarYi32XBTbFE7rK8N8KM+DQkNdwL1MXqaHWz
-F1obQKpNXlLedbCBOteV5Eg4zG3565zu/Gw/NhwzzV3mQmgxUcd1sMJxAfHQz4Vl
-ImLL+xMcR03nDsH2bgtDbK2tJm7WszSxA9tC+Xp2lRewxrnQloRWPYDz177WGQ5Q
-SoGDzTTtA6uWZxG8h7CkNLOGvA8LtU2rNA==
------END CERTIFICATE REQUEST-----

acme/acme/_internal/tests/testdata/csr-mixed.pem

@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICdjCCAV4CAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMXq
-v1y8EIcCbaUIzCtOcLkLS0MJ35oS+6DmV5WB1A0cIk6YrjsHIsY2lwMm13BWIvmw
-tY+Y6n0rr7eViNx5ZRGHpHEI/TL3Neb+VefTydL5CgvK3dd4ex2kSbTaed3fmpOx
-qMajEduwNcZPCcmoEXPkfrCP8w2vKQUkQ+JRPcdX1nTuzticeRP5B7YCmJsmxkEh
-Y0tzzZ+NIRDARoYNofefY86h3e5q66gtJxccNchmIM3YQahhg5n3Xoo8hGfM/TIc
-R7ncCBCLO6vtqo0QFva/NQODrgOmOsmgvqPkUWQFdZfWM8yIaU826dktx0CPB78t
-TudnJ1rBRvGsjHMsZikCAwEAAaAxMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RBBcw
-FYINYS5leGVtcGxlLmNvbYcEwAACbzANBgkqhkiG9w0BAQsFAAOCAQEAdGMcRCxq
-1X09gn1TNdMt64XUv+wdJCKDaJ+AgyIJj7QvVw8H5k7dOnxS4I+a/yo4jE+LDl2/
-AuHcBLFEI4ddewdJSMrTNZjuRYuOdr3KP7fL7MffICSBi45vw5EOXg0tnjJCEiKu
-6gcJgbLSP5JMMd7Haf33Q/VWsmHofR3VwOMdrnakwAU3Ff5WTuXTNVhL1kT/uLFX
-yW1ru6BF4unwNqSR2UeulljpNfRBsiN4zJK11W6n9KT0NkBr9zY5WCM4sW7i8k9V
-TeypWGo3jBKzYAGeuxZsB97U77jZ2lrGdBLZKfbcjnTeRVqCvCRrui4El7UGYFmj
-7s6OJyWx5DSV8w==
------END CERTIFICATE REQUEST-----

acme/acme/_internal/tests/testdata/ec_secp384r1_key.pem

@@ -1,6 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDArTn0pbFk3xHfKeXte
-xJgS4JVdJQ8mqvezhaNpULZPnwb+mcKLlrj6f5SRM52yREGhZANiAAQcrMoPMVqV
-rHnDGGz5HUKLNmXfChlNgsrwsruawXF+M283CA6eckAjTXNyiC/ounWmvtoKsZG0
-2UQOfQUNSCANId/r986yRGc03W6RJSkcRp86qBYjNsLgbZpber/3+M4=
------END PRIVATE KEY-----

acme/acme/_internal/tests/testdata/rsa1024_cert.pem

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB/TCCAWagAwIBAgIJAOyRIBs3QT8QMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
-BAMMC2V4YW1wbGUuY29tMB4XDTE4MDQyMzEwMzE0NFoXDTE4MDUyMzEwMzE0NFow
-FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBAJqJ87R8aVwByONxgQA9hwgvQd/QqI1r1UInXhEF2VnEtZGtUWLi100IpIqr
-Mq4qusDwNZ3g8cUPtSkvJGs89djoajMDIJP7lQUEKUYnYrI0q755Tr/DgLWSk7iW
-l5ezym0VzWUD0/xXUz8yRbNMTjTac80rS5SZk2ja2wWkYlRJAgMBAAGjUzBRMB0G
-A1UdDgQWBBSsaX0IVZ4XXwdeffVAbG7gnxSYjTAfBgNVHSMEGDAWgBSsaX0IVZ4X
-XwdeffVAbG7gnxSYjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GB
-ADe7SVmvGH2nkwVfONk8TauRUDkePN1CJZKFb2zW1uO9ANJ2v5Arm/OQp0BG/xnI
-Djw/aLTNVESF89oe15dkrUErtcaF413MC1Ld5lTCaJLHLGqDKY69e02YwRuxW7jY
-qarpt7k7aR5FbcfO5r4V/FK/Gvp4Dmoky8uap7SJIW6x
------END CERTIFICATE-----

acme/acme/_internal/tests/testdata/rsa4096_cert.pem

@@ -1,30 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFDTCCAvWgAwIBAgIUImqDrP53V69vFROsjP/gL0YtoA4wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwNTI3MjMyNDE0WhcNMjAw
-NjI2MjMyNDE0WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBANY9LKLk9Dxn0MUMQFHwBoTN4ehDSWBws2KcytpF
-mc8m9Mfk1wmb4fQSKYtK3wIFMfIyo9HQu0nKqMkkUw52o3ZXyOv+oWwF5qNy2BKu
-lh5OMSkaZ0o13zoPpW42e+IUnyxvg70+0urD+sUue4cyTHh/nBIUjrM/05ZJ/ac8
-HR0RK3H41YoqBjq69JjMZczZZhbNFit3s6p0R1TbVAgc3ckqbtX5BDyQMQQCP4Ed
-m4DgbAFVqdcPUCC5W3F3fmuQiPKHiADzONZnXpy6lUvLDWqcd6loKp+nKHM6OkXX
-8hmD7pE1PYMQo4hqOfhBR2IgMjAShwd5qUFjl1m2oo0Qm3PFXOk6i2ZQdS6AA/yd
-B5/mX0RnM2oIdFZPb6UZFSmtEgs9sTzn+hMUyNSZQRE54px1ur1xws2R+vbsCyM5
-+KoFVxDjVjU9TlZx3GvDvnqz/tbHjji6l8VHZYOBMBUXbKHu2U6pJFZ5Zp7k68/z
-a3Fb9Pjtn3iRkXEyC0N5kLgqO4QTlExnxebV8aMvQpWd/qefnMn9qPYIZPEXSQAR
-mEBIahkcACb60s+acG0WFFluwBPtBqEr8Q67XlSF0Ibf4iBiRzpPobhlWta1nrFg
-4IWHMSoZ0PE75bhIGBEkhrpcXQCAxXmAfxfjKDH7jdJ1fRdnZ/9+OzwYGVX5GH/l
-0QDtAgMBAAGjUzBRMB0GA1UdDgQWBBQh3xiz/o1nEU2ySylZ9gxCXvIPGzAfBgNV
-HSMEGDAWgBQh3xiz/o1nEU2ySylZ9gxCXvIPGzAPBgNVHRMBAf8EBTADAQH/MA0G
-CSqGSIb3DQEBCwUAA4ICAQAELoXz31oR9pdAwidlv9ZBOKiC7KBWy8VMqXNVkfTn
-bVRxAUex7zleLFIOkWnqadsMesU9sIwrbLzBcZ8Q/vBY+z2xOPdXcgcAoAmdKWoq
-YBQNiqng9r54sqlzB/77QZCf5fdktESe7NTxhCifgx5SAWq7IUQs/lm3tnMUSAfE
-5ctuN6M+w8K54y3WDprcfMHpnc3ZHeSPhVQApHM0h/bDvXq0bRS7kmq27Hb153Qm
-nH3TwYB5pPSWW38NbUc+s/a7mItO7S8ly8yGbA0j9c/IbN5lM+OCdk06asz3+c8E
-uo8nuCBoYO5+6AqC2N7WJ3Tdr/pFA8jTbd6VNVlgCWTIR8ZosL5Fgkfv+4fUBrHt
-zdVUqMUzvga5rvZnwnJ5Qfu/drHeAAo9MTNFQNe2QgDlYfWBh5GweolgmFSwrpkY
-v/5wLtIyv/ASHKswybbqMIlpttcLTXjx5yuh8swttT6Wh+FQqqQ32KSRB3StiwyK
-oH0ZhrwYHiFYNlPxecGX6XUta6rFtTlEdkBGSnXzgiTzL2l+Nc0as0V5B9RninZG
-qJ+VOChSQ0OFvg1riSXv7tMvbLdGQnxwTRL3t6BMS8I4LA2m3ZfWUcuXT783ODTH
-16f1Q1AgXd2csstTWO9cv+N/0fpX31nqrm6+CrGduSr2u4HjYYnlLIUhmdTvK3fX
-Fg==
------END CERTIFICATE-----

acme/acme/_internal/tests/testdata/rsa4096_key.pem

@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEA1j0souT0PGfQxQxAUfAGhM3h6ENJYHCzYpzK2kWZzyb0x+TX
-CZvh9BIpi0rfAgUx8jKj0dC7ScqoySRTDnajdlfI6/6hbAXmo3LYEq6WHk4xKRpn
-SjXfOg+lbjZ74hSfLG+DvT7S6sP6xS57hzJMeH+cEhSOsz/Tlkn9pzwdHRErcfjV
-iioGOrr0mMxlzNlmFs0WK3ezqnRHVNtUCBzdySpu1fkEPJAxBAI/gR2bgOBsAVWp
-1w9QILlbcXd+a5CI8oeIAPM41mdenLqVS8sNapx3qWgqn6coczo6RdfyGYPukTU9
-gxCjiGo5+EFHYiAyMBKHB3mpQWOXWbaijRCbc8Vc6TqLZlB1LoAD/J0Hn+ZfRGcz
-agh0Vk9vpRkVKa0SCz2xPOf6ExTI1JlBETninHW6vXHCzZH69uwLIzn4qgVXEONW
-NT1OVnHca8O+erP+1seOOLqXxUdlg4EwFRdsoe7ZTqkkVnlmnuTrz/NrcVv0+O2f
-eJGRcTILQ3mQuCo7hBOUTGfF5tXxoy9ClZ3+p5+cyf2o9ghk8RdJABGYQEhqGRwA
-JvrSz5pwbRYUWW7AE+0GoSvxDrteVIXQht/iIGJHOk+huGVa1rWesWDghYcxKhnQ
-8TvluEgYESSGulxdAIDFeYB/F+MoMfuN0nV9F2dn/347PBgZVfkYf+XRAO0CAwEA
-AQKCAgEA0hZdTkQtCYtYm9LexDsXeWYX8VcCfrMmBj7xYcg9A3oVMmzDPuYBVwH0
-gWbjd6y2hOaJ5TfGYZ99kvmvBRDsTSHaoyopC7BhssjtAKz6Ay/0X3VH8usPQ3WS
-aZi+NT65tK6KRqtz08ppgLGLa1G00bl5x/Um1rpxeACI4FU/y4BJ1VMJvJpnT3KE
-Z86Qyagqx5NH+UpCApZSWPFX3zjHePzGgcfXErjniCHYOnpZQrFQ2KIzkfSvQ9fg
-x01ByKOM2CB2C1B33TCzBAioXRH6zyAu7A59NeCK9ywTduhDvie1a+oEryFC7IQW
-4s7I/H3MGX4hsf/pLXlHMy+5CZJOjRaC2h+pypfbbcuiXu6Sn64kHNpiI7SxI5DI
-MIRjyG7MdUcrzq0Rt8ogwwpbCoRqrl/w3bhxtqmeZaEZtyxbjlm7reK2YkIFDgyz
-JMqiJK5ZAi+9L/8c0xhjjAQQ0sIzrjmjA8U+6YnWL9jU5qXTVnBB8XQucyeeZGgk
-yRHyMur71qOXN8z3UEva7MHkDTUBlj8DgTz6sEjqCipaWl0CXfDNa4IhHIXD5qiF
-wplhq7OeS0v6EGG/UFa3Q/lFntxtrayxJX7uvvSccGzjPKXTjpWUELLi/FdnIsum
-eXT3RgIEYozj4BibDXaBLfHTCVzxOr7AAEvKM9XWSUgLA0paSWECggEBAO9ZBeE1
-GWzd1ejTTkcxBC9AK2rNsYG8PdNqiof/iTbuJWNeRqpG+KB/0CNIpjZ2X5xZd0tM
-FDpHTFehlP26Roxuq50iRAFc+SN5KoiO0A3JuJAidreIgRTia1saUUrypHqWrYEA
-VZVj2AI8Pyg3s1OkR2frFskY7hXBVb/pJNDP/m9xTXXIYiIXYkHYe+4RIJCnAxRv
-q5YHKaX+0Ull9YCZJCxmwvcHat8sgu8qkiwUMEM6QSNEkrEbdnWYBABvC1AR6sws
-7MP1h9+j22n4Zc/3D6kpFZEL9Erx8nNyhbOZ6q2Tdnf6YKVVjZdyVa8VyNnR0ROl
-3BjkFaHb/bg4e4kCggEBAOUk8ZJS3qBeGCOjug384zbHGcnhUBYtYJiOz+RXBtP+
-PRksbFtTkgk1sHuSGO8YRddU4Qv7Av1xL8o+DEsLBSD0YQ7pmLrR/LK+iDQ5N63O
-Fve9uJH0ybxAOkiua7G24+lTsVUP//KWToL4Wh5zbHBBjL5D2Z9zoeVbcE87xhva
-lImMVr4Ex252DqNP9wkZxBjudFyJ/C/TnXrjPcgwhxWTC7sLQMhE5p+490G7c4hX
-PywkIKrANbu37KDiAvVS+dC66ZgpL/NUDkeloAmGNO08LGzbV6YKchlvDyWU/AvW
-0hYjbL0FUq7K/wp1G9fumolB+fbI25K9c13X93STzUUCggEBAJDsNFUyk5yJjbYW
-C/WrRj9d+WwH9Az77+uNPSgvn+O0usq6EMuVgYGdImfa21lqv2Wp/kOHY1AOT7lX
-yyD+oyzw7dSNJOQ2aVwDR6+72Vof5DLRy1RBwPbmSd61xrc8yD658YCEtU1pUSe5
-VvyBDYH9nIbdn8RP5gkiMUusXXBaIFNWJXLFzDWcNxBrhk6V7EPp/EFphFmpKJyr
-+AkbRVWCZJbF+hMdWKadCwLJogwyhS6PnVU/dhrq6AU38GRa2Fy5HJRYN1xH1Oej
-DX3Su8L6c28Xw0k6FcczTHx+wVoIPkKvYTIwVkiFzt/+iMckx6KsGo5tBSHFKRwC
-WlQrTxECggEBALjUruLnY1oZ7AC7bTUhOimSOfQEgTQSUCtebsRxijlvhtsKYTDd
-XRt+qidStjgN7S/+8DRYuZWzOeg5WnMhpXZqiOudcyume922IGl3ibjxVsdoyjs5
-J4xohlrgDlBgBMDNWGoTqNGFejjcmNydH+gAh8VlN2INxJYbxqCyx17qVgwJHmLR
-uggYxD/pHYvCs9GkbknCp5/wYsOgDtKuihfV741lS1D/esN1UEQ+LrfYIEW7snno
-5q7Pcdhn1hkKYCWEzy2Ec4Aj2gzixQ9JqOF/OxpnZvCw1k47rg0TeqcWFYnz8x8Y
-7xO8/DH0OoxXk2GJzVXJuItJs4gLzzfCjL0CggEAJFHfC9jisdy7CoWiOpNCSF1B
-S0/CWDz77cZdlWkpTdaXGGp1MA/UKUFPIH8sOHfvpKS660+X4G/1ZBHmFb4P5kFF
-Qy8UyUMKtSOEdZS6KFlRlfSCAMd5aSTmCvq4OSjYEpMRwUhU/iEJNkn9Z1Soehe0
-U3dxJ8KiT1071geO6rRquSHoSJs6Y0WQKriYYQJOhh4Axs3PQihER2eyh+WGk8YJ
-02m0mMsjntqnXtdc6IcdKaHp9ko+OpM9QZLsvt19fxBcrXj/i21uUXrzuNtKfO6M
-JqGhsOrO2dh8lMhvodENvgKA0DmYDC9N7ogo7bxTNSedcjBF46FhJoqii8m70Q==
------END RSA PRIVATE KEY-----

acme/acme/_internal/tests/util_test.py

@@ -1,16 +0,0 @@
-"""Tests for acme.util."""
-import sys
-import unittest
-
-import pytest
-
-
-def test_it():
-    from acme.util import map_keys
-    assert {'a': 'b', 'c': 'd'} == \
-                     map_keys({'a': 'b', 'c': 'd'}, lambda key: key)
-    assert {2: 2, 4: 4} == map_keys({1: 2, 3: 4}, lambda x: x + 1)
-
-
-if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover

acme/acme/challenges.py

@@ -1,44 +1,28 @@
 """ACME Identifier Validation Challenges."""
 import abc
-import codecs
 import functools
 import hashlib
 import logging
-import socket
-from typing import Any
-from typing import cast
-from typing import Dict
-from typing import Mapping
-from typing import Optional
-from typing import Tuple
-from typing import Type
-from typing import TypeVar
-from typing import Union
 
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes  # type: ignore
 import josepy as jose
-from OpenSSL import crypto
-from OpenSSL import SSL
 import requests
+import six
 
-from acme import crypto_util
-from acme import errors
+from acme import fields
 
 logger = logging.getLogger(__name__)
 
-GenericChallenge = TypeVar('GenericChallenge', bound='Challenge')
-
 
 class Challenge(jose.TypedJSONObjectWithFields):
     # _fields_to_partial_json
     """ACME challenge."""
-    TYPES: Dict[str, Type['Challenge']] = {}
+    TYPES = {}  # type: dict
 
     @classmethod
-    def from_json(cls: Type[GenericChallenge],
-                  jobj: Mapping[str, Any]) -> Union[GenericChallenge, 'UnrecognizedChallenge']:
+    def from_json(cls, jobj):
         try:
-            return cast(GenericChallenge, super().from_json(jobj))
+            return super(Challenge, cls).from_json(jobj)
         except jose.UnrecognizedTypeError as error:
             logger.debug(error)
             return UnrecognizedChallenge.from_json(jobj)
@@ -47,14 +31,9 @@ class Challenge(jose.TypedJSONObjectWithFields):
 class ChallengeResponse(jose.TypedJSONObjectWithFields):
     # _fields_to_partial_json
     """ACME challenge response."""
-    TYPES: Dict[str, Type['ChallengeResponse']] = {}
-
-    def to_partial_json(self) -> Dict[str, Any]:
-        # Removes the `type` field which is inserted by TypedJSONObjectWithFields.to_partial_json.
-        # This field breaks RFC8555 compliance.
-        jobj = super().to_partial_json()
-        jobj.pop(self.type_field_name, None)
-        return jobj
+    TYPES = {}  # type: dict
+    resource_type = 'challenge'
+    resource = fields.Resource(resource_type)
 
 
 class UnrecognizedChallenge(Challenge):
@@ -69,17 +48,16 @@ class UnrecognizedChallenge(Challenge):
     :ivar jobj: Original JSON decoded object.
 
     """
-    jobj: Dict[str, Any]
 
-    def __init__(self, jobj: Mapping[str, Any]) -> None:
-        super().__init__()
+    def __init__(self, jobj):
+        super(UnrecognizedChallenge, self).__init__()
         object.__setattr__(self, "jobj", jobj)
 
-    def to_partial_json(self) -> Dict[str, Any]:
+    def to_partial_json(self):
         return self.jobj  # pylint: disable=no-member
 
     @classmethod
-    def from_json(cls, jobj: Mapping[str, Any]) -> 'UnrecognizedChallenge':
+    def from_json(cls, jobj):
         return cls(jobj)
 
 
@@ -93,13 +71,13 @@ class _TokenChallenge(Challenge):
     """Minimum size of the :attr:`token` in bytes."""
 
     # TODO: acme-spec doesn't specify token as base64-encoded value
-    token: bytes = jose.field(
+    token = jose.Field(
         "token", encoder=jose.encode_b64jose, decoder=functools.partial(
             jose.decode_b64jose, size=TOKEN_SIZE, minimum=True))
 
     # XXX: rename to ~token_good_for_url
     @property
-    def good_token(self) -> bool:  # XXX: @token.decoder
+    def good_token(self):  # XXX: @token.decoder
         """Is `token` good?
 
         .. todo:: acme-spec wants "It MUST NOT contain any non-ASCII
@@ -116,13 +94,13 @@ class _TokenChallenge(Challenge):
 class KeyAuthorizationChallengeResponse(ChallengeResponse):
     """Response to Challenges based on Key Authorization.
 
-    :param str key_authorization:
+    :param unicode key_authorization:
 
     """
-    key_authorization: str = jose.field("keyAuthorization")
+    key_authorization = jose.Field("keyAuthorization")
     thumbprint_hash_function = hashes.SHA256
 
-    def verify(self, chall: 'KeyAuthorizationChallenge', account_public_key: jose.JWK) -> bool:
+    def verify(self, chall, account_public_key):
         """Verify the key authorization.
 
         :param KeyAuthorization chall: Challenge that corresponds to
@@ -134,7 +112,7 @@ class KeyAuthorizationChallengeResponse(ChallengeResponse):
         :rtype: bool
 
         """
-        parts = self.key_authorization.split('.')  # pylint: disable=no-member
+        parts = self.key_authorization.split('.')
         if len(parts) != 2:
             logger.debug("Key authorization (%r) is not well formed",
                          self.key_authorization)
@@ -154,39 +132,37 @@ class KeyAuthorizationChallengeResponse(ChallengeResponse):
 
         return True
 
-    def to_partial_json(self) -> Dict[str, Any]:
-        jobj = super().to_partial_json()
+    def to_partial_json(self):
+        jobj = super(KeyAuthorizationChallengeResponse, self).to_partial_json()
         jobj.pop('keyAuthorization', None)
         return jobj
 
 
-# TODO: Make this method a generic of K (bound=KeyAuthorizationChallenge), response_cls of type
-#  Type[K] and use it in response/response_and_validation return types once Python 3.6 support is
-#  dropped (do not support generic ABC classes, see https://github.com/python/typing/issues/449).
-class KeyAuthorizationChallenge(_TokenChallenge, metaclass=abc.ABCMeta):
+@six.add_metaclass(abc.ABCMeta)
+class KeyAuthorizationChallenge(_TokenChallenge):
     """Challenge based on Key Authorization.
 
     :param response_cls: Subclass of `KeyAuthorizationChallengeResponse`
-        that will be used to generate ``response``.
+        that will be used to generate `response`.
     :param str typ: type of the challenge
     """
-    typ: str = NotImplemented
-    response_cls: Type[KeyAuthorizationChallengeResponse] = NotImplemented
+    typ = NotImplemented
+    response_cls = NotImplemented
     thumbprint_hash_function = (
         KeyAuthorizationChallengeResponse.thumbprint_hash_function)
 
-    def key_authorization(self, account_key: jose.JWK) -> str:
+    def key_authorization(self, account_key):
         """Generate Key Authorization.
 
         :param JWK account_key:
-        :rtype str:
+        :rtype unicode:
 
         """
         return self.encode("token") + "." + jose.b64encode(
             account_key.thumbprint(
                 hash_function=self.thumbprint_hash_function)).decode()
 
-    def response(self, account_key: jose.JWK) -> KeyAuthorizationChallengeResponse:
+    def response(self, account_key):
         """Generate response to the challenge.
 
         :param JWK account_key:
@@ -199,7 +175,7 @@ class KeyAuthorizationChallenge(_TokenChallenge, metaclass=abc.ABCMeta):
             key_authorization=self.key_authorization(account_key))
 
     @abc.abstractmethod
-    def validation(self, account_key: jose.JWK, **kwargs: Any) -> Any:
+    def validation(self, account_key, **kwargs):
         """Generate validation for the challenge.
 
         Subclasses must implement this method, but they are likely to
@@ -213,8 +189,7 @@ class KeyAuthorizationChallenge(_TokenChallenge, metaclass=abc.ABCMeta):
         """
         raise NotImplementedError()  # pragma: no cover
 
-    def response_and_validation(self, account_key: jose.JWK, *args: Any, **kwargs: Any
-                                ) -> Tuple[KeyAuthorizationChallengeResponse, Any]:
+    def response_and_validation(self, account_key, *args, **kwargs):
         """Generate response and validation.
 
         Convenience function that return results of `response` and
@@ -233,14 +208,14 @@ class DNS01Response(KeyAuthorizationChallengeResponse):
     """ACME dns-01 challenge response."""
     typ = "dns-01"
 
-    def simple_verify(self, chall: 'DNS01', domain: str, account_public_key: jose.JWK) -> bool:  # pylint: disable=unused-argument
+    def simple_verify(self, chall, domain, account_public_key):  # pylint: disable=unused-argument
         """Simple verify.
 
         This method no longer checks DNS records and is a simple wrapper
         around `KeyAuthorizationChallengeResponse.verify`.
 
         :param challenges.DNS01 chall: Corresponding challenge.
-        :param str domain: Domain name being verified.
+        :param unicode domain: Domain name being verified.
         :param JWK account_public_key: Public key for the key pair
             being authorized.
 
@@ -264,24 +239,23 @@ class DNS01(KeyAuthorizationChallenge):
     LABEL = "_acme-challenge"
     """Label clients prepend to the domain name being validated."""
 
-    def validation(self, account_key: jose.JWK, **unused_kwargs: Any) -> str:
+    def validation(self, account_key, **unused_kwargs):
         """Generate validation.
 
         :param JWK account_key:
-        :rtype: str
+        :rtype: unicode
 
         """
         return jose.b64encode(hashlib.sha256(self.key_authorization(
             account_key).encode("utf-8")).digest()).decode()
 
-    def validation_domain_name(self, name: str) -> str:
+    def validation_domain_name(self, name):
         """Domain name for TXT validation record.
 
-        :param str name: Domain name being validated.
-        :rtype: str
+        :param unicode name: Domain name being validated.
 
         """
-        return f"{self.LABEL}.{name}"
+        return "{0}.{1}".format(self.LABEL, name)
 
 
 @ChallengeResponse.register
@@ -300,16 +274,14 @@ class HTTP01Response(KeyAuthorizationChallengeResponse):
     WHITESPACE_CUTSET = "\n\r\t "
     """Whitespace characters which should be ignored at the end of the body."""
 
-    def simple_verify(self, chall: 'HTTP01', domain: str, account_public_key: jose.JWK,
-                      port: Optional[int] = None, timeout: int = 30) -> bool:
+    def simple_verify(self, chall, domain, account_public_key, port=None):
         """Simple verify.
 
         :param challenges.SimpleHTTP chall: Corresponding challenge.
-        :param str domain: Domain name being verified.
+        :param unicode domain: Domain name being verified.
         :param JWK account_public_key: Public key for the key pair
             being authorized.
         :param int port: Port used in the validation.
-        :param int timeout: Timeout in seconds.
 
         :returns: ``True`` iff validation with the files currently served by the
             HTTP server is successful.
@@ -331,19 +303,10 @@ class HTTP01Response(KeyAuthorizationChallengeResponse):
         uri = chall.uri(domain)
         logger.debug("Verifying %s at %s...", chall.typ, uri)
         try:
-            http_response = requests.get(uri, verify=False, timeout=timeout)
+            http_response = requests.get(uri)
         except requests.exceptions.RequestException as error:
             logger.error("Unable to reach %s: %s", uri, error)
             return False
-        # By default, http_response.text will try to guess the encoding to use
-        # when decoding the response to Python unicode strings. This guesswork
-        # is error prone. RFC 8555 specifies that HTTP-01 responses should be
-        # key authorizations with possible trailing whitespace. Since key
-        # authorizations must be composed entirely of the base64url alphabet
-        # plus ".", we tell requests that the response should be ASCII. See
-        # https://datatracker.ietf.org/doc/html/rfc8555#section-8.3 for more
-        # info.
-        http_response.encoding = "ascii"
         logger.debug("Received %s: %s. Headers: %s", http_response,
                      http_response.text, http_response.headers)
 
@@ -367,31 +330,31 @@ class HTTP01(KeyAuthorizationChallenge):
     """URI root path for the server provisioned resource."""
 
     @property
-    def path(self) -> str:
+    def path(self):
         """Path (starting with '/') for provisioned resource.
 
-        :rtype: str
+        :rtype: string
 
         """
         return '/' + self.URI_ROOT_PATH + '/' + self.encode('token')
 
-    def uri(self, domain: str) -> str:
+    def uri(self, domain):
         """Create an URI to the provisioned resource.
 
         Forms an URI to the HTTPS server provisioned resource
         (containing :attr:`~SimpleHTTP.token`).
 
-        :param str domain: Domain name being verified.
-        :rtype: str
+        :param unicode domain: Domain name being verified.
+        :rtype: string
 
         """
         return "http://" + domain + self.path
 
-    def validation(self, account_key: jose.JWK, **unused_kwargs: Any) -> str:
+    def validation(self, account_key, **unused_kwargs):
         """Generate validation.
 
         :param JWK account_key:
-        :rtype: str
+        :rtype: unicode
 
         """
         return self.key_authorization(account_key)
@@ -399,169 +362,29 @@ class HTTP01(KeyAuthorizationChallenge):
 
 @ChallengeResponse.register
 class TLSALPN01Response(KeyAuthorizationChallengeResponse):
-    """ACME tls-alpn-01 challenge response."""
+    """ACME TLS-ALPN-01 challenge response.
+
+    This class only allows initiating a TLS-ALPN-01 challenge returned from the
+    CA. Full support for responding to TLS-ALPN-01 challenges by generating and
+    serving the expected response certificate is not currently provided.
+    """
     typ = "tls-alpn-01"
 
-    PORT = 443
-    """Verification port as defined by the protocol.
 
-    You can override it (e.g. for testing) by passing ``port`` to
-    `simple_verify`.
+@Challenge.register
+class TLSALPN01(KeyAuthorizationChallenge):
+    """ACME tls-alpn-01 challenge.
+
+    This class simply allows parsing the TLS-ALPN-01 challenge returned from
+    the CA. Full TLS-ALPN-01 support is not currently provided.
 
     """
-
-    ID_PE_ACME_IDENTIFIER_V1 = b"1.3.6.1.5.5.7.1.30.1"
-    ACME_TLS_1_PROTOCOL = b"acme-tls/1"
-
-    @property
-    def h(self) -> bytes:
-        """Hash value stored in challenge certificate"""
-        return hashlib.sha256(self.key_authorization.encode('utf-8')).digest()
-
-    def gen_cert(self, domain: str, key: Optional[crypto.PKey] = None, bits: int = 2048
-                 ) -> Tuple[crypto.X509, crypto.PKey]:
-        """Generate tls-alpn-01 certificate.
-
-        :param str domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey key: Optional private key used in
-            certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-        :param int bits: Number of bits for newly generated key.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        if key is None:
-            key = crypto.PKey()
-            key.generate_key(crypto.TYPE_RSA, bits)
-
-        der_value = b"DER:" + codecs.encode(self.h, 'hex')
-        acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
-                                              critical=True, value=der_value)
-
-        return crypto_util.gen_ss_cert(key, [domain], force_san=True,
-                                       extensions=[acme_extension]), key
-
-    def probe_cert(self, domain: str, host: Optional[str] = None,
-                   port: Optional[int] = None) -> crypto.X509:
-        """Probe tls-alpn-01 challenge certificate.
-
-        :param str domain: domain being validated, required.
-        :param str host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-        """
-        if host is None:
-            host = socket.gethostbyname(domain)
-            logger.debug('%s resolved to %s', domain, host)
-        if port is None:
-            port = self.PORT
-
-        return crypto_util.probe_sni(host=host.encode(), port=port, name=domain.encode(),
-                                     alpn_protocols=[self.ACME_TLS_1_PROTOCOL])
-
-    def verify_cert(self, domain: str, cert: crypto.X509) -> bool:
-        """Verify tls-alpn-01 challenge certificate.
-
-        :param str domain: Domain name being validated.
-        :param OpensSSL.crypto.X509 cert: Challenge certificate.
-
-        :returns: Whether the certificate was successfully verified.
-        :rtype: bool
-
-        """
-        # pylint: disable=protected-access
-        names = crypto_util._pyopenssl_cert_or_req_all_names(cert)
-        # Type ignore needed due to
-        # https://github.com/pyca/pyopenssl/issues/730.
-        logger.debug('Certificate %s. SANs: %s',
-                     cert.digest('sha256'), names)
-        if len(names) != 1 or names[0].lower() != domain.lower():
-            return False
-
-        for i in range(cert.get_extension_count()):
-            ext = cert.get_extension(i)
-            # FIXME: assume this is the ACME extension. Currently there is no
-            # way to get full OID of an unknown extension from pyopenssl.
-            if ext.get_short_name() == b'UNDEF':
-                data = ext.get_data()
-                return data == self.h
-
-        return False
-
-    # pylint: disable=too-many-arguments
-    def simple_verify(self, chall: 'TLSALPN01', domain: str, account_public_key: jose.JWK,
-                      cert: Optional[crypto.X509] = None, host: Optional[str] = None,
-                      port: Optional[int] = None) -> bool:
-        """Simple verify.
-
-        Verify ``validation`` using ``account_public_key``, optionally
-        probe tls-alpn-01 certificate and check using `verify_cert`.
-
-        :param .challenges.TLSALPN01 chall: Corresponding challenge.
-        :param str domain: Domain name being validated.
-        :param JWK account_public_key:
-        :param OpenSSL.crypto.X509 cert: Optional certificate. If not
-            provided (``None``) certificate will be retrieved using
-            `probe_cert`.
-        :param string host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-
-        :returns: ``True`` if and only if client's control of the domain has been verified.
-        :rtype: bool
-
-        """
-        if not self.verify(chall, account_public_key):
-            logger.debug("Verification of key authorization in response failed")
-            return False
-
-        if cert is None:
-            try:
-                cert = self.probe_cert(domain=domain, host=host, port=port)
-            except errors.Error as error:
-                logger.debug(str(error), exc_info=True)
-                return False
-
-        return self.verify_cert(domain, cert)
-
-
-@Challenge.register  # pylint: disable=too-many-ancestors
-class TLSALPN01(KeyAuthorizationChallenge):
-    """ACME tls-alpn-01 challenge."""
+    typ = "tls-alpn-01"
     response_cls = TLSALPN01Response
-    typ = response_cls.typ
 
-    def validation(self, account_key: jose.JWK, **kwargs: Any) -> Tuple[crypto.X509, crypto.PKey]:
-        """Generate validation.
-
-        :param JWK account_key:
-        :param str domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey cert_key: Optional private key used
-            in certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        # TODO: Remove cast when response() is generic.
-        return cast(TLSALPN01Response, self.response(account_key)).gen_cert(
-            key=kwargs.get('cert_key'),
-            domain=cast(str, kwargs.get('domain')))
-
-    @staticmethod
-    def is_supported() -> bool:
-        """
-        Check if TLS-ALPN-01 challenge is supported on this machine.
-        This implies that a recent version of OpenSSL is installed (>= 1.0.2),
-        or a recent cryptography version shipped with the OpenSSL library is installed.
-
-        :returns: ``True`` if TLS-ALPN-01 is supported on this machine, ``False`` otherwise.
-        :rtype: bool
-
-        """
-        return (hasattr(SSL.Connection, "set_alpn_protos")
-                and hasattr(SSL.Context, "set_alpn_select_callback"))
+    def validation(self, account_key, **kwargs):
+        """Generate validation for the challenge."""
+        raise NotImplementedError()
 
 
 @Challenge.register
@@ -572,8 +395,7 @@ class DNS(_TokenChallenge):
     LABEL = "_acme-challenge"
     """Label clients prepend to the domain name being validated."""
 
-    def gen_validation(self, account_key: jose.JWK, alg: jose.JWASignature = jose.RS256,
-                       **kwargs: Any) -> jose.JWS:
+    def gen_validation(self, account_key, alg=jose.RS256, **kwargs):
         """Generate validation.
 
         :param .JWK account_key: Private account key.
@@ -587,7 +409,7 @@ class DNS(_TokenChallenge):
             payload=self.json_dumps(sort_keys=True).encode('utf-8'),
             key=account_key, alg=alg, **kwargs)
 
-    def check_validation(self, validation: jose.JWS, account_public_key: jose.JWK) -> bool:
+    def check_validation(self, validation, account_public_key):
         """Check validation.
 
         :param JWS validation:
@@ -604,7 +426,7 @@ class DNS(_TokenChallenge):
             logger.debug("Checking validation for DNS failed: %s", error)
             return False
 
-    def gen_response(self, account_key: jose.JWK, **kwargs: Any) -> 'DNSResponse':
+    def gen_response(self, account_key, **kwargs):
         """Generate response.
 
         :param .JWK account_key: Private account key.
@@ -613,12 +435,13 @@ class DNS(_TokenChallenge):
         :rtype: DNSResponse
 
         """
-        return DNSResponse(validation=self.gen_validation(account_key, **kwargs))
+        return DNSResponse(validation=self.gen_validation(
+            account_key, **kwargs))
 
-    def validation_domain_name(self, name: str) -> str:
+    def validation_domain_name(self, name):
         """Domain name for TXT validation record.
 
-        :param str name: Domain name being validated.
+        :param unicode name: Domain name being validated.
 
         """
         return "{0}.{1}".format(self.LABEL, name)
@@ -633,9 +456,9 @@ class DNSResponse(ChallengeResponse):
     """
     typ = "dns"
 
-    validation: jose.JWS = jose.field("validation", decoder=jose.JWS.from_json)
+    validation = jose.Field("validation", decoder=jose.JWS.from_json)
 
-    def check_validation(self, chall: 'DNS', account_public_key: jose.JWK) -> bool:
+    def check_validation(self, chall, account_public_key):
         """Check validation.
 
         :param challenges.DNS chall:

acme/acme/crypto_util.py

@@ -1,26 +1,20 @@
 """Crypto utilities."""
 import binascii
 import contextlib
-import ipaddress
 import logging
 import os
 import re
 import socket
-from typing import Any
-from typing import Callable
-from typing import List
-from typing import Mapping
-from typing import Optional
-from typing import Sequence
-from typing import Set
-from typing import Tuple
-from typing import Union
 
 import josepy as jose
 from OpenSSL import crypto
-from OpenSSL import SSL
+from OpenSSL import SSL  # type: ignore # https://github.com/python/typeshed/issues/2052
 
 from acme import errors
+from acme.magic_typing import Callable  # pylint: disable=unused-import, no-name-in-module
+from acme.magic_typing import Optional  # pylint: disable=unused-import, no-name-in-module
+from acme.magic_typing import Tuple  # pylint: disable=unused-import, no-name-in-module
+from acme.magic_typing import Union  # pylint: disable=unused-import, no-name-in-module
 
 logger = logging.getLogger(__name__)
 
@@ -31,60 +25,27 @@ logger = logging.getLogger(__name__)
 # https://www.openssl.org/docs/ssl/SSLv23_method.html). _serve_sni
 # should be changed to use "set_options" to disable SSLv2 and SSLv3,
 # in case it's used for things other than probing/serving!
-_DEFAULT_SSL_METHOD = SSL.SSLv23_METHOD
+_DEFAULT_SSL_METHOD = SSL.SSLv23_METHOD  # type: ignore
 
 
-class _DefaultCertSelection:
-    def __init__(self, certs: Mapping[bytes, Tuple[crypto.PKey, crypto.X509]]):
-        self.certs = certs
-
-    def __call__(self, connection: SSL.Connection) -> Optional[Tuple[crypto.PKey, crypto.X509]]:
-        server_name = connection.get_servername()
-        if server_name:
-            return self.certs.get(server_name, None)
-        return None # pragma: no cover
-
-
-class SSLSocket:  # pylint: disable=too-few-public-methods
+class SSLSocket(object):
     """SSL wrapper for sockets.
 
     :ivar socket sock: Original wrapped socket.
     :ivar dict certs: Mapping from domain names (`bytes`) to
         `OpenSSL.crypto.X509`.
     :ivar method: See `OpenSSL.SSL.Context` for allowed values.
-    :ivar alpn_selection: Hook to select negotiated ALPN protocol for
-        connection.
-    :ivar cert_selection: Hook to select certificate for connection. If given,
-        `certs` parameter would be ignored, and therefore must be empty.
 
     """
-    def __init__(self, sock: socket.socket,
-                 certs: Optional[Mapping[bytes, Tuple[crypto.PKey, crypto.X509]]] = None,
-                 method: int = _DEFAULT_SSL_METHOD,
-                 alpn_selection: Optional[Callable[[SSL.Connection, List[bytes]], bytes]] = None,
-                 cert_selection: Optional[Callable[[SSL.Connection],
-                                                   Optional[Tuple[crypto.PKey,
-                                                                  crypto.X509]]]] = None
-                 ) -> None:
+    def __init__(self, sock, certs, method=_DEFAULT_SSL_METHOD):
         self.sock = sock
-        self.alpn_selection = alpn_selection
+        self.certs = certs
         self.method = method
-        if not cert_selection and not certs:
-            raise ValueError("Neither cert_selection or certs specified.")
-        if cert_selection and certs:
-            raise ValueError("Both cert_selection and certs specified.")
-        actual_cert_selection: Union[_DefaultCertSelection,
-                                     Optional[Callable[[SSL.Connection],
-                                                       Optional[Tuple[crypto.PKey,
-                                                                crypto.X509]]]]] = cert_selection
-        if actual_cert_selection is None:
-            actual_cert_selection = _DefaultCertSelection(certs if certs else {})
-        self.cert_selection = actual_cert_selection
 
-    def __getattr__(self, name: str) -> Any:
+    def __getattr__(self, name):
         return getattr(self.sock, name)
 
-    def _pick_certificate_cb(self, connection: SSL.Connection) -> None:
+    def _pick_certificate_cb(self, connection):
         """SNI certificate callback.
 
         This method will set a new OpenSSL context object for this
@@ -96,78 +57,59 @@ class SSLSocket:  # pylint: disable=too-few-public-methods
         :type connection: :class:`OpenSSL.Connection`
 
         """
-        pair = self.cert_selection(connection)
-        if pair is None:
-            logger.debug("Certificate selection for server name %s failed, dropping SSL",
-                         connection.get_servername())
+        server_name = connection.get_servername()
+        try:
+            key, cert = self.certs[server_name]
+        except KeyError:
+            logger.debug("Server name (%s) not recognized, dropping SSL",
+                         server_name)
             return
-        key, cert = pair
         new_context = SSL.Context(self.method)
         new_context.set_options(SSL.OP_NO_SSLv2)
         new_context.set_options(SSL.OP_NO_SSLv3)
         new_context.use_privatekey(key)
         new_context.use_certificate(cert)
-        if self.alpn_selection is not None:
-            new_context.set_alpn_select_callback(self.alpn_selection)
         connection.set_context(new_context)
 
-    class FakeConnection:
+    class FakeConnection(object):
         """Fake OpenSSL.SSL.Connection."""
 
-        # pylint: disable=missing-function-docstring
+        # pylint: disable=missing-docstring
 
-        def __init__(self, connection: SSL.Connection) -> None:
+        def __init__(self, connection):
             self._wrapped = connection
 
-        def __getattr__(self, name: str) -> Any:
+        def __getattr__(self, name):
             return getattr(self._wrapped, name)
 
-        def shutdown(self, *unused_args: Any) -> bool:
+        def shutdown(self, *unused_args):
             # OpenSSL.SSL.Connection.shutdown doesn't accept any args
-            try:
-                return self._wrapped.shutdown()
-            except SSL.Error as error:
-                # We wrap the error so we raise the same error type as sockets
-                # in the standard library. This is useful when this object is
-                # used by code which expects a standard socket such as
-                # socketserver in the standard library.
-                raise socket.error(error)
+            return self._wrapped.shutdown()
 
-    def accept(self) -> Tuple[FakeConnection, Any]:  # pylint: disable=missing-function-docstring
+    def accept(self):  # pylint: disable=missing-docstring
         sock, addr = self.sock.accept()
 
+        context = SSL.Context(self.method)
+        context.set_options(SSL.OP_NO_SSLv2)
+        context.set_options(SSL.OP_NO_SSLv3)
+        context.set_tlsext_servername_callback(self._pick_certificate_cb)
+
+        ssl_sock = self.FakeConnection(SSL.Connection(context, sock))
+        ssl_sock.set_accept_state()
+
+        logger.debug("Performing handshake with %s", addr)
         try:
-            context = SSL.Context(self.method)
-            context.set_options(SSL.OP_NO_SSLv2)
-            context.set_options(SSL.OP_NO_SSLv3)
-            context.set_tlsext_servername_callback(self._pick_certificate_cb)
-            if self.alpn_selection is not None:
-                context.set_alpn_select_callback(self.alpn_selection)
+            ssl_sock.do_handshake()
+        except SSL.Error as error:
+            # _pick_certificate_cb might have returned without
+            # creating SSL context (wrong server name)
+            raise socket.error(error)
 
-            ssl_sock = self.FakeConnection(SSL.Connection(context, sock))
-            ssl_sock.set_accept_state()
-
-            # This log line is especially desirable because without it requests to
-            # our standalone TLSALPN server would not be logged.
-            logger.debug("Performing handshake with %s", addr)
-            try:
-                ssl_sock.do_handshake()
-            except SSL.Error as error:
-                # _pick_certificate_cb might have returned without
-                # creating SSL context (wrong server name)
-                raise socket.error(error)
-
-            return ssl_sock, addr
-        except:
-            # If we encounter any error, close the new socket before reraising
-            # the exception.
-            sock.close()
-            raise
+        return ssl_sock, addr
 
 
-def probe_sni(name: bytes, host: bytes, port: int = 443, timeout: int = 300,  # pylint: disable=too-many-arguments
-              method: int = _DEFAULT_SSL_METHOD, source_address: Tuple[str, int] = ('', 0),
-              alpn_protocols: Optional[Sequence[bytes]] = None) -> crypto.X509:
+def probe_sni(name, host, port=443, timeout=300,
+              method=_DEFAULT_SSL_METHOD, source_address=('', 0)):
     """Probe SNI server for SSL certificate.
 
     :param bytes name: Byte string to send as the server name in the
@@ -179,8 +121,6 @@ def probe_sni(name: bytes, host: bytes, port: int = 443, timeout: int = 300,  #
     :param tuple source_address: Enables multi-path probing (selection
         of source interface). See `socket.creation_connection` for more
         info. Available only in Python 2.7+.
-    :param alpn_protocols: Protocols to request using ALPN.
-    :type alpn_protocols: `Sequence` of `bytes`
 
     :raises acme.errors.Error: In case of any problems.
 
@@ -199,10 +139,10 @@ def probe_sni(name: bytes, host: bytes, port: int = 443, timeout: int = 300,  #
             " from {0}:{1}".format(
                 source_address[0],
                 source_address[1]
-            ) if any(source_address) else ""
+            ) if socket_kwargs else ""
         )
-        socket_tuple: Tuple[bytes, int] = (host, port)
-        sock = socket.create_connection(socket_tuple, **socket_kwargs)  # type: ignore[arg-type]
+        socket_tuple = (host, port)  # type: Tuple[str, int]
+        sock = socket.create_connection(socket_tuple, **socket_kwargs)  # type: ignore
     except socket.error as error:
         raise errors.Error(error)
 
@@ -210,57 +150,30 @@ def probe_sni(name: bytes, host: bytes, port: int = 443, timeout: int = 300,  #
         client_ssl = SSL.Connection(context, client)
         client_ssl.set_connect_state()
         client_ssl.set_tlsext_host_name(name)  # pyOpenSSL>=0.13
-        if alpn_protocols is not None:
-            client_ssl.set_alpn_protos(alpn_protocols)
         try:
             client_ssl.do_handshake()
             client_ssl.shutdown()
         except SSL.Error as error:
             raise errors.Error(error)
-    cert = client_ssl.get_peer_certificate()
-    assert cert # Appease mypy. We would have crashed out by now if there was no certificate.
-    return cert
+    return client_ssl.get_peer_certificate()
 
-
-def make_csr(private_key_pem: bytes, domains: Optional[Union[Set[str], List[str]]] = None,
-             must_staple: bool = False,
-             ipaddrs: Optional[List[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]] = None
-             ) -> bytes:
-    """Generate a CSR containing domains or IPs as subjectAltNames.
+def make_csr(private_key_pem, domains, must_staple=False):
+    """Generate a CSR containing a list of domains as subjectAltNames.
 
     :param buffer private_key_pem: Private key, in PEM PKCS#8 format.
     :param list domains: List of DNS names to include in subjectAltNames of CSR.
     :param bool must_staple: Whether to include the TLS Feature extension (aka
         OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
-    :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
-    names to include in subbjectAltNames of CSR.
-    params ordered this way for backward competablity when called by positional argument.
     :returns: buffer PEM-encoded Certificate Signing Request.
     """
     private_key = crypto.load_privatekey(
         crypto.FILETYPE_PEM, private_key_pem)
     csr = crypto.X509Req()
-    sanlist = []
-    # if domain or ip list not supplied make it empty list so it's easier to iterate
-    if domains is None:
-        domains = []
-    if ipaddrs is None:
-        ipaddrs = []
-    if len(domains)+len(ipaddrs) == 0:
-        raise ValueError("At least one of domains or ipaddrs parameter need to be not empty")
-    for address in domains:
-        sanlist.append('DNS:' + address)
-    for ips in ipaddrs:
-        sanlist.append('IP:' + ips.exploded)
-    # make sure its ascii encoded
-    san_string = ', '.join(sanlist).encode('ascii')
-    # for IP san it's actually need to be octet-string,
-    # but somewhere downsteam thankfully handle it for us
     extensions = [
         crypto.X509Extension(
             b'subjectAltName',
             critical=False,
-            value=san_string
+            value=', '.join('DNS:' + d for d in domains).encode('ascii')
         ),
     ]
     if must_staple:
@@ -270,16 +183,12 @@ def make_csr(private_key_pem: bytes, domains: Optional[Union[Set[str], List[str]
             value=b"DER:30:03:02:01:05"))
     csr.add_extensions(extensions)
     csr.set_pubkey(private_key)
-    # RFC 2986 Section 4.1 only defines version 0
-    csr.set_version(0)
+    csr.set_version(2)
     csr.sign(private_key, 'sha256')
     return crypto.dump_certificate_request(
         crypto.FILETYPE_PEM, csr)
 
-
-def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req: Union[crypto.X509, crypto.X509Req]
-                                     ) -> List[str]:
-    # unlike its name this only outputs DNS names, other type of idents will ignored
+def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
     common_name = loaded_cert_or_req.get_subject().CN
     sans = _pyopenssl_cert_or_req_san(loaded_cert_or_req)
 
@@ -287,8 +196,7 @@ def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req: Union[crypto.X509, cryp
         return sans
     return [common_name] + [d for d in sans if d != common_name]
 
-
-def _pyopenssl_cert_or_req_san(cert_or_req: Union[crypto.X509, crypto.X509Req]) -> List[str]:
+def _pyopenssl_cert_or_req_san(cert_or_req):
     """Get Subject Alternative Names from certificate or CSR using pyOpenSSL.
 
     .. todo:: Implement directly in PyOpenSSL!
@@ -299,87 +207,45 @@ def _pyopenssl_cert_or_req_san(cert_or_req: Union[crypto.X509, crypto.X509Req])
     :param cert_or_req: Certificate or CSR.
     :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
 
-    :returns: A list of Subject Alternative Names that is DNS.
-    :rtype: `list` of `str`
+    :returns: A list of Subject Alternative Names.
+    :rtype: `list` of `unicode`
 
     """
-    # This function finds SANs with dns name
+    # This function finds SANs by dumping the certificate/CSR to text and
+    # searching for "X509v3 Subject Alternative Name" in the text. This method
+    # is used to support PyOpenSSL version 0.13 where the
+    # `_subjectAltNameString` and `get_extensions` methods are not available
+    # for CSRs.
 
     # constants based on PyOpenSSL certificate/CSR text dump
     part_separator = ":"
+    parts_separator = ", "
     prefix = "DNS" + part_separator
 
-    sans_parts = _pyopenssl_extract_san_list_raw(cert_or_req)
+    if isinstance(cert_or_req, crypto.X509):
+        # pylint: disable=line-too-long
+        func = crypto.dump_certificate # type: Union[Callable[[int, crypto.X509Req], bytes], Callable[[int, crypto.X509], bytes]]
+    else:
+        func = crypto.dump_certificate_request
+    text = func(crypto.FILETYPE_TEXT, cert_or_req).decode("utf-8")
+    # WARNING: this function does not support multiple SANs extensions.
+    # Multiple X509v3 extensions of the same type is disallowed by RFC 5280.
+    match = re.search(r"X509v3 Subject Alternative Name:(?: critical)?\s*(.*)", text)
+    # WARNING: this function assumes that no SAN can include
+    # parts_separator, hence the split!
+    sans_parts = [] if match is None else match.group(1).split(parts_separator)
 
     return [part.split(part_separator)[1]
             for part in sans_parts if part.startswith(prefix)]
 
 
-def _pyopenssl_cert_or_req_san_ip(cert_or_req: Union[crypto.X509, crypto.X509Req]) -> List[str]:
-    """Get Subject Alternative Names IPs from certificate or CSR using pyOpenSSL.
-
-    :param cert_or_req: Certificate or CSR.
-    :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
-
-    :returns: A list of Subject Alternative Names that are IP Addresses.
-    :rtype: `list` of `str`. note that this returns as string, not IPaddress object
-
-    """
-
-    # constants based on PyOpenSSL certificate/CSR text dump
-    part_separator = ":"
-    prefix = "IP Address" + part_separator
-
-    sans_parts = _pyopenssl_extract_san_list_raw(cert_or_req)
-
-    return [part[len(prefix):] for part in sans_parts if part.startswith(prefix)]
-
-
-def _pyopenssl_extract_san_list_raw(cert_or_req: Union[crypto.X509, crypto.X509Req]) -> List[str]:
-    """Get raw SAN string from cert or csr, parse it as UTF-8 and return.
-
-    :param cert_or_req: Certificate or CSR.
-    :type cert_or_req: `OpenSSL.crypto.X509` or `OpenSSL.crypto.X509Req`.
-
-    :returns: raw san strings, parsed byte as utf-8
-    :rtype: `list` of `str`
-
-    """
-    # This function finds SANs by dumping the certificate/CSR to text and
-    # searching for "X509v3 Subject Alternative Name" in the text. This method
-    # is used to because in PyOpenSSL version <0.17 `_subjectAltNameString` methods are
-    # not able to Parse IP Addresses in subjectAltName string.
-
-    if isinstance(cert_or_req, crypto.X509):
-        # pylint: disable=line-too-long
-        text = crypto.dump_certificate(crypto.FILETYPE_TEXT, cert_or_req).decode('utf-8')
-    else:
-        text = crypto.dump_certificate_request(crypto.FILETYPE_TEXT, cert_or_req).decode('utf-8')
-    # WARNING: this function does not support multiple SANs extensions.
-    # Multiple X509v3 extensions of the same type is disallowed by RFC 5280.
-    raw_san = re.search(r"X509v3 Subject Alternative Name:(?: critical)?\s*(.*)", text)
-
-    parts_separator = ", "
-    # WARNING: this function assumes that no SAN can include
-    # parts_separator, hence the split!
-    sans_parts = [] if raw_san is None else raw_san.group(1).split(parts_separator)
-    return sans_parts
-
-
-def gen_ss_cert(key: crypto.PKey, domains: Optional[List[str]] = None,
-                not_before: Optional[int] = None,
-                validity: int = (7 * 24 * 60 * 60), force_san: bool = True,
-                extensions: Optional[List[crypto.X509Extension]] = None,
-                ips: Optional[List[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]] = None
-                ) -> crypto.X509:
+def gen_ss_cert(key, domains, not_before=None,
+                validity=(7 * 24 * 60 * 60), force_san=True):
     """Generate new self-signed certificate.
 
-    :type domains: `list` of `str`
+    :type domains: `list` of `unicode`
     :param OpenSSL.crypto.PKey key:
     :param bool force_san:
-    :param extensions: List of additional extensions to include in the cert.
-    :type extensions: `list` of `OpenSSL.crypto.X509Extension`
-    :type ips: `list` of (`ipaddress.IPv4Address` or `ipaddress.IPv6Address`)
 
     If more than one domain is provided, all of the domains are put into
     ``subjectAltName`` X.509 extension and first domain is set as the
@@ -387,39 +253,25 @@ def gen_ss_cert(key: crypto.PKey, domains: Optional[List[str]] = None,
     extension is used, unless `force_san` is ``True``.
 
     """
-    assert domains or ips, "Must provide one or more hostnames or IPs for the cert."
-
+    assert domains, "Must provide one or more hostnames for the cert."
     cert = crypto.X509()
     cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))
     cert.set_version(2)
 
-    if extensions is None:
-        extensions = []
-    if domains is None:
-        domains = []
-    if ips is None:
-        ips = []
-    extensions.append(
+    extensions = [
         crypto.X509Extension(
             b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
-    )
+    ]
 
-    if len(domains) > 0:
-        cert.get_subject().CN = domains[0]
+    cert.get_subject().CN = domains[0]
     # TODO: what to put into cert.get_subject()?
     cert.set_issuer(cert.get_subject())
 
-    sanlist = []
-    for address in domains:
-        sanlist.append('DNS:' + address)
-    for ip in ips:
-        sanlist.append('IP:' + ip.exploded)
-    san_string = ', '.join(sanlist).encode('ascii')
-    if force_san or len(domains) > 1 or len(ips) > 0:
+    if force_san or len(domains) > 1:
         extensions.append(crypto.X509Extension(
             b"subjectAltName",
             critical=False,
-            value=san_string
+            value=b", ".join(b"DNS:" + d.encode() for d in domains)
         ))
 
     cert.add_extensions(extensions)
@@ -431,9 +283,7 @@ def gen_ss_cert(key: crypto.PKey, domains: Optional[List[str]] = None,
     cert.sign(key, "sha256")
     return cert
 
-
-def dump_pyopenssl_chain(chain: Union[List[jose.ComparableX509], List[crypto.X509]],
-                         filetype: int = crypto.FILETYPE_PEM) -> bytes:
+def dump_pyopenssl_chain(chain, filetype=crypto.FILETYPE_PEM):
     """Dump certificate chain into a bundle.
 
     :param list chain: List of `OpenSSL.crypto.X509` (or wrapped in
@@ -446,10 +296,9 @@ def dump_pyopenssl_chain(chain: Union[List[jose.ComparableX509], List[crypto.X50
     # XXX: returns empty string when no chain is available, which
     # shuts up RenewableCert, but might not be the best solution...
 
-    def _dump_cert(cert: Union[jose.ComparableX509, crypto.X509]) -> bytes:
+    def _dump_cert(cert):
         if isinstance(cert, jose.ComparableX509):
-            if isinstance(cert.wrapped, crypto.X509Req):
-                raise errors.Error("Unexpected CSR provided.")  # pragma: no cover
+            # pylint: disable=protected-access
             cert = cert.wrapped
         return crypto.dump_certificate(filetype, cert)
 

acme/acme/errors.py

@@ -1,17 +1,5 @@
 """ACME errors."""
-import typing
-from typing import Any
-from typing import List
-from typing import Mapping
-from typing import Set
-
 from josepy import errors as jose_errors
-import requests
-
-# We import acme.messages only during type check to avoid circular dependencies. Type references
-# to acme.message.* must be quoted to be lazily initialized and avoid compilation errors.
-if typing.TYPE_CHECKING:
-    from acme import messages  # pragma: no cover
 
 
 class Error(Exception):
@@ -40,12 +28,17 @@ class NonceError(ClientError):
 
 class BadNonce(NonceError):
     """Bad nonce error."""
-    def __init__(self, nonce: str, error: Exception, *args: Any) -> None:
-        super().__init__(*args)
+    def __init__(self, nonce, error, *args, **kwargs):
+        # MyPy complains here that there is too many arguments for BaseException constructor.
+        # This is an error fixed in typeshed, see https://github.com/python/mypy/issues/4183
+        # The fix is included in MyPy>=0.740, but upgrading it would bring dozen of errors due to
+        #   new types definitions. So we ignore the error until the code base is fixed to match
+        #   with MyPy>=0.740 referential.
+        super(BadNonce, self).__init__(*args, **kwargs)  # type: ignore
         self.nonce = nonce
         self.error = error
 
-    def __str__(self) -> str:
+    def __str__(self):
         return 'Invalid nonce ({0!r}): {1}'.format(self.nonce, self.error)
 
 
@@ -56,14 +49,15 @@ class MissingNonce(NonceError):
     Replay-Nonce header field in each successful response to a POST it
     provides to a client (...)".
 
-    :ivar requests.Response ~.response: HTTP Response
+    :ivar requests.Response response: HTTP Response
 
     """
-    def __init__(self, response: requests.Response, *args: Any) -> None:
-        super().__init__(*args)
+    def __init__(self, response, *args, **kwargs):
+        # See comment in BadNonce constructor above for an explanation of type: ignore here.
+        super(MissingNonce, self).__init__(*args, **kwargs)  # type: ignore
         self.response = response
 
-    def __str__(self) -> str:
+    def __str__(self):
         return ('Server {0} response did not include a replay '
                 'nonce, headers: {1} (This may be a service outage)'.format(
                     self.response.request.method, self.response.headers))
@@ -81,20 +75,17 @@ class PollError(ClientError):
         to the most recently updated one
 
     """
-    def __init__(self, exhausted: Set['messages.AuthorizationResource'],
-                 updated: Mapping['messages.AuthorizationResource',
-                                  'messages.AuthorizationResource']
-                 ) -> None:
+    def __init__(self, exhausted, updated):
         self.exhausted = exhausted
         self.updated = updated
-        super().__init__()
+        super(PollError, self).__init__()
 
     @property
-    def timeout(self) -> bool:
+    def timeout(self):
         """Was the error caused by timeout?"""
         return bool(self.exhausted)
 
-    def __repr__(self) -> str:
+    def __repr__(self):
         return '{0}(exhausted={1!r}, updated={2!r})'.format(
             self.__class__.__name__, self.exhausted, self.updated)
 
@@ -103,9 +94,9 @@ class ValidationError(Error):
     """Error for authorization failures. Contains a list of authorization
     resources, each of which is invalid and should have an error field.
     """
-    def __init__(self, failed_authzrs: List['messages.AuthorizationResource']) -> None:
+    def __init__(self, failed_authzrs):
         self.failed_authzrs = failed_authzrs
-        super().__init__()
+        super(ValidationError, self).__init__()
 
 
 class TimeoutError(Error):  # pylint: disable=redefined-builtin
@@ -115,13 +106,13 @@ class TimeoutError(Error):  # pylint: disable=redefined-builtin
 class IssuanceError(Error):
     """Error sent by the server after requesting issuance of a certificate."""
 
-    def __init__(self, error: 'messages.Error') -> None:
+    def __init__(self, error):
         """Initialize.
 
         :param messages.Error error: The error provided by the server.
         """
         self.error = error
-        super().__init__()
+        super(IssuanceError, self).__init__()
 
 
 class ConflictError(ClientError):
@@ -132,9 +123,9 @@ class ConflictError(ClientError):
 
     Also used in V2 of the ACME client for the same purpose.
     """
-    def __init__(self, location: str) -> None:
+    def __init__(self, location):
         self.location = location
-        super().__init__()
+        super(ConflictError, self).__init__()
 
 
 class WildcardUnsupportedError(Error):

acme/acme/fields.py

@@ -1,7 +1,5 @@
 """ACME JSON fields."""
-import datetime
 import logging
-from typing import Any
 
 import josepy as jose
 import pyrfc3339
@@ -12,17 +10,17 @@ logger = logging.getLogger(__name__)
 class Fixed(jose.Field):
     """Fixed field."""
 
-    def __init__(self, json_name: str, value: Any) -> None:
+    def __init__(self, json_name, value):
         self.value = value
-        super().__init__(
+        super(Fixed, self).__init__(
             json_name=json_name, default=value, omitempty=False)
 
-    def decode(self, value: Any) -> Any:
+    def decode(self, value):
         if value != self.value:
             raise jose.DeserializationError('Expected {0!r}'.format(self.value))
         return self.value
 
-    def encode(self, value: Any) -> Any:
+    def encode(self, value):
         if value != self.value:
             logger.warning(
                 'Overriding fixed field (%s) with %r', self.json_name, value)
@@ -34,27 +32,33 @@ class RFC3339Field(jose.Field):
 
     Handles decoding/encoding between RFC3339 strings and aware (not
     naive) `datetime.datetime` objects
-    (e.g. ``datetime.datetime.now(pytz.UTC)``).
+    (e.g. ``datetime.datetime.now(pytz.utc)``).
 
     """
 
     @classmethod
-    def default_encoder(cls, value: datetime.datetime) -> str:
+    def default_encoder(cls, value):
         return pyrfc3339.generate(value)
 
     @classmethod
-    def default_decoder(cls, value: str) -> datetime.datetime:
+    def default_decoder(cls, value):
         try:
             return pyrfc3339.parse(value)
         except ValueError as error:
             raise jose.DeserializationError(error)
 
 
-def fixed(json_name: str, value: Any) -> Any:
-    """Generates a type-friendly Fixed field."""
-    return Fixed(json_name, value)
+class Resource(jose.Field):
+    """Resource MITM field."""
 
+    def __init__(self, resource_type, *args, **kwargs):
+        self.resource_type = resource_type
+        super(Resource, self).__init__(
+            'resource', default=resource_type, *args, **kwargs)
 
-def rfc3339(json_name: str, omitempty: bool = False) -> Any:
-    """Generates a type-friendly RFC3339 field."""
-    return RFC3339Field(json_name, omitempty=omitempty)
+    def decode(self, value):
+        if value != self.resource_type:
+            raise jose.DeserializationError(
+                'Wrong resource type: {0} instead of {1}'.format(
+                    value, self.resource_type))
+        return value

acme/acme/jws.py

@@ -4,22 +4,18 @@ The JWS implementation in josepy only implements the base JOSE standard. In
 order to support the new header fields defined in ACME, this module defines some
 ACME-specific classes that layer on top of josepy.
 """
-from typing import Optional
-
 import josepy as jose
 
 
 class Header(jose.Header):
     """ACME-specific JOSE Header. Implements nonce, kid, and url.
     """
-    nonce: Optional[bytes] = jose.field('nonce', omitempty=True, encoder=jose.encode_b64jose)
-    kid: Optional[str] = jose.field('kid', omitempty=True)
-    url: Optional[str] = jose.field('url', omitempty=True)
+    nonce = jose.Field('nonce', omitempty=True, encoder=jose.encode_b64jose)
+    kid = jose.Field('kid', omitempty=True)
+    url = jose.Field('url', omitempty=True)
 
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that nonce is redefined. Let's ignore the type check here.
-    @nonce.decoder  # type: ignore[no-redef,union-attr]
-    def nonce(value: str) -> bytes:  # type: ignore[misc]  # pylint: disable=no-self-argument,missing-function-docstring
+    @nonce.decoder
+    def nonce(value):  # pylint: disable=missing-docstring,no-self-argument
         try:
             return jose.decode_b64jose(value)
         except jose.DeserializationError as error:
@@ -29,12 +25,12 @@ class Header(jose.Header):
 
 class Signature(jose.Signature):
     """ACME-specific Signature. Uses ACME-specific Header for customer fields."""
-    __slots__ = jose.Signature._orig_slots  # pylint: disable=protected-access,no-member
+    __slots__ = jose.Signature._orig_slots  # pylint: disable=no-member
 
     # TODO: decoder/encoder should accept cls? Otherwise, subclassing
     # JSONObjectWithFields is tricky...
     header_cls = Header
-    header: Header = jose.field(
+    header = jose.Field(
         'header', omitempty=True, default=header_cls(),
         decoder=header_cls.from_json)
 
@@ -44,16 +40,15 @@ class Signature(jose.Signature):
 class JWS(jose.JWS):
     """ACME-specific JWS. Includes none, url, and kid in protected header."""
     signature_cls = Signature
-    __slots__ = jose.JWS._orig_slots  # pylint: disable=protected-access
+    __slots__ = jose.JWS._orig_slots
 
     @classmethod
-    # type: ignore[override]  # pylint: disable=arguments-differ
-    def sign(cls, payload: bytes, key: jose.JWK, alg: jose.JWASignature, nonce: Optional[bytes],
-             url: Optional[str] = None, kid: Optional[str] = None) -> jose.JWS:
+    # pylint: disable=arguments-differ
+    def sign(cls, payload, key, alg, nonce, url=None, kid=None):
         # Per ACME spec, jwk and kid are mutually exclusive, so only include a
         # jwk field if kid is not provided.
         include_jwk = kid is None
-        return super().sign(payload, key=key, alg=alg,
-                            protect=frozenset(['nonce', 'url', 'kid', 'jwk', 'alg']),
-                            nonce=nonce, url=url, kid=kid,
-                            include_jwk=include_jwk)
+        return super(JWS, cls).sign(payload, key=key, alg=alg,
+                                    protect=frozenset(['nonce', 'url', 'kid', 'jwk', 'alg']),
+                                    nonce=nonce, url=url, kid=kid,
+                                    include_jwk=include_jwk)

acme/acme/magic_typing.py

@@ -0,0 +1,17 @@
+"""Shim class to not have to depend on typing module in prod."""
+import sys
+
+
+class TypingClass(object):
+    """Ignore import errors by getting anything"""
+    def __getattr__(self, name):
+        return None
+
+try:
+    # mypy doesn't respect modifying sys.modules
+    from typing import *  # pylint: disable=wildcard-import, unused-wildcard-import
+    # pylint: disable=unused-import
+    from typing import Collection, IO  # type: ignore
+    # pylint: enable=unused-import
+except ImportError:
+    sys.modules[__name__] = TypingClass()

acme/acme/messages.py

@@ -1,19 +1,8 @@
 """ACME protocol messages."""
-from collections.abc import Hashable
-import datetime
 import json
-from typing import Any
-from typing import Dict
-from typing import Iterator
-from typing import List
-from typing import Mapping
-from typing import MutableMapping
-from typing import Optional
-from typing import Tuple
-from typing import Type
-from typing import TypeVar
 
 import josepy as jose
+import six
 
 from acme import challenges
 from acme import errors
@@ -21,6 +10,14 @@ from acme import fields
 from acme import jws
 from acme import util
 
+try:
+    from collections.abc import Hashable  # pylint: disable=no-name-in-module
+except ImportError:  # pragma: no cover
+    from collections import Hashable
+
+
+
+OLD_ERROR_PREFIX = "urn:acme:error:"
 ERROR_PREFIX = "urn:ietf:params:acme:error:"
 
 ERROR_CODES = {
@@ -39,7 +36,7 @@ ERROR_CODES = {
                    ' domain'),
     'dns': 'There was a problem with a DNS query during identifier validation',
     'dnssec': 'The server could not validate a DNSSEC signed domain',
-    'incorrectResponse': 'Response received didn\'t match the challenge\'s requirements',
+    'incorrectResponse': 'Response recieved didn\'t match the challenge\'s requirements',
     # deprecate invalidEmail
     'invalidEmail': 'The provided email for a registration was invalid',
     'invalidContact': 'The provided contact URI was invalid',
@@ -56,101 +53,40 @@ ERROR_CODES = {
     'externalAccountRequired': 'The server requires external account binding',
 }
 
-ERROR_TYPE_DESCRIPTIONS = {**{
-    ERROR_PREFIX + name: desc for name, desc in ERROR_CODES.items()
-}}
+ERROR_TYPE_DESCRIPTIONS = dict(
+    (ERROR_PREFIX + name, desc) for name, desc in ERROR_CODES.items())
+
+ERROR_TYPE_DESCRIPTIONS.update(dict(  # add errors with old prefix, deprecate me
+    (OLD_ERROR_PREFIX + name, desc) for name, desc in ERROR_CODES.items()))
 
 
-def is_acme_error(err: BaseException) -> bool:
+def is_acme_error(err):
     """Check if argument is an ACME error."""
     if isinstance(err, Error) and (err.typ is not None):
-        return ERROR_PREFIX in err.typ
+        return (ERROR_PREFIX in err.typ) or (OLD_ERROR_PREFIX in err.typ)
     return False
 
 
-class _Constant(jose.JSONDeSerializable, Hashable):
-    """ACME constant."""
-    __slots__ = ('name',)
-    POSSIBLE_NAMES: Dict[str, '_Constant'] = NotImplemented
-
-    def __init__(self, name: str) -> None:
-        super().__init__()
-        self.POSSIBLE_NAMES[name] = self  # pylint: disable=unsupported-assignment-operation
-        self.name = name
-
-    def to_partial_json(self) -> str:
-        return self.name
-
-    @classmethod
-    def from_json(cls, jobj: str) -> '_Constant':
-        if jobj not in cls.POSSIBLE_NAMES:  # pylint: disable=unsupported-membership-test
-            raise jose.DeserializationError(f'{cls.__name__} not recognized')
-        return cls.POSSIBLE_NAMES[jobj]
-
-    def __repr__(self) -> str:
-        return f'{self.__class__.__name__}({self.name})'
-
-    def __eq__(self, other: Any) -> bool:
-        return isinstance(other, type(self)) and other.name == self.name
-
-    def __hash__(self) -> int:
-        return hash((self.__class__, self.name))
-
-
-class IdentifierType(_Constant):
-    """ACME identifier type."""
-    POSSIBLE_NAMES: Dict[str, _Constant] = {}
-
-
-IDENTIFIER_FQDN = IdentifierType('dns')  # IdentifierDNS in Boulder
-IDENTIFIER_IP = IdentifierType('ip') # IdentifierIP in pebble - not in Boulder yet
-
-
-class Identifier(jose.JSONObjectWithFields):
-    """ACME identifier.
-
-    :ivar IdentifierType typ:
-    :ivar str value:
-
-    """
-    typ: IdentifierType = jose.field('type', decoder=IdentifierType.from_json)
-    value: str = jose.field('value')
-
-
+@six.python_2_unicode_compatible
 class Error(jose.JSONObjectWithFields, errors.Error):
     """ACME error.
 
-    https://datatracker.ietf.org/doc/html/rfc7807
+    https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00
 
-    Note: Although Error inherits from JSONObjectWithFields, which is immutable,
-    we add mutability for Error to comply with the Python exception API.
-
-    :ivar str typ:
-    :ivar str title:
-    :ivar str detail:
-    :ivar Identifier identifier:
-    :ivar tuple subproblems: An array of ACME Errors which may be present when the CA
-            returns multiple errors related to the same request, `tuple` of `Error`.
+    :ivar unicode typ:
+    :ivar unicode title:
+    :ivar unicode detail:
 
     """
-    typ: str = jose.field('type', omitempty=True, default='about:blank')
-    title: str = jose.field('title', omitempty=True)
-    detail: str = jose.field('detail', omitempty=True)
-    identifier: Optional['Identifier'] = jose.field(
-        'identifier', decoder=Identifier.from_json, omitempty=True)
-    subproblems: Optional[Tuple['Error', ...]] = jose.field('subproblems', omitempty=True)
-
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that subproblems is redefined. Let's ignore the type check here.
-    @subproblems.decoder  # type: ignore
-    def subproblems(value: List[Dict[str, Any]]) -> Tuple['Error', ...]:  # pylint: disable=no-self-argument,missing-function-docstring
-        return tuple(Error.from_json(subproblem) for subproblem in value)
+    typ = jose.Field('type', omitempty=True, default='about:blank')
+    title = jose.Field('title', omitempty=True)
+    detail = jose.Field('detail', omitempty=True)
 
     @classmethod
-    def with_code(cls, code: str, **kwargs: Any) -> 'Error':
+    def with_code(cls, code, **kwargs):
         """Create an Error instance with an ACME Error code.
 
-        :str code: An ACME error code, like 'dnssec'.
+        :unicode code: An ACME error code, like 'dnssec'.
         :kwargs: kwargs to pass to Error.
 
         """
@@ -158,57 +94,76 @@ class Error(jose.JSONObjectWithFields, errors.Error):
             raise ValueError("The supplied code: %s is not a known ACME error"
                              " code" % code)
         typ = ERROR_PREFIX + code
-        # Mypy will not understand that the Error constructor accepts a named argument
-        # "typ" because of josepy magic. Let's ignore the type check here.
         return cls(typ=typ, **kwargs)
 
     @property
-    def description(self) -> Optional[str]:
+    def description(self):
         """Hardcoded error description based on its type.
 
         :returns: Description if standard ACME error or ``None``.
-        :rtype: str
+        :rtype: unicode
 
         """
         return ERROR_TYPE_DESCRIPTIONS.get(self.typ)
 
     @property
-    def code(self) -> Optional[str]:
+    def code(self):
         """ACME error code.
 
         Basically self.typ without the ERROR_PREFIX.
 
         :returns: error code if standard ACME code or ``None``.
-        :rtype: str
+        :rtype: unicode
 
         """
-        code = str(self.typ).rsplit(':', maxsplit=1)[-1]
+        code = str(self.typ).split(':')[-1]
         if code in ERROR_CODES:
             return code
         return None
 
-    # Hack to allow mutability on Errors (see GH #9539)
-    def __setattr__(self, name: str, value: Any) -> None:
-        return object.__setattr__(self, name, value)
-
-    def __str__(self) -> str:
-        result = b' :: '.join(
+    def __str__(self):
+        return b' :: '.join(
             part.encode('ascii', 'backslashreplace') for part in
             (self.typ, self.description, self.detail, self.title)
             if part is not None).decode()
-        if self.identifier:
-            result = f'Problem for {self.identifier.value}: ' + result # pylint: disable=no-member
-        if self.subproblems and len(self.subproblems) > 0:
-            for subproblem in self.subproblems:
-                result += f'\n{subproblem}'
-        return result
+
+
+class _Constant(jose.JSONDeSerializable, Hashable):  # type: ignore
+    """ACME constant."""
+    __slots__ = ('name',)
+    POSSIBLE_NAMES = NotImplemented
+
+    def __init__(self, name):
+        super(_Constant, self).__init__()
+        self.POSSIBLE_NAMES[name] = self  # pylint: disable=unsupported-assignment-operation
+        self.name = name
+
+    def to_partial_json(self):
+        return self.name
+
+    @classmethod
+    def from_json(cls, jobj):
+        if jobj not in cls.POSSIBLE_NAMES:  # pylint: disable=unsupported-membership-test
+            raise jose.DeserializationError(
+                '{0} not recognized'.format(cls.__name__))
+        return cls.POSSIBLE_NAMES[jobj]
+
+    def __repr__(self):
+        return '{0}({1})'.format(self.__class__.__name__, self.name)
+
+    def __eq__(self, other):
+        return isinstance(other, type(self)) and other.name == self.name
+
+    def __hash__(self):
+        return hash((self.__class__, self.name))
+
+    def __ne__(self, other):
+        return not self == other
 
 
 class Status(_Constant):
     """ACME "status" field."""
-    POSSIBLE_NAMES: Dict[str, _Constant] = {}
-
-
+    POSSIBLE_NAMES = {}  # type: dict
 STATUS_UNKNOWN = Status('unknown')
 STATUS_PENDING = Status('pending')
 STATUS_PROCESSING = Status('processing')
@@ -219,57 +174,90 @@ STATUS_READY = Status('ready')
 STATUS_DEACTIVATED = Status('deactivated')
 
 
-class Directory(jose.JSONDeSerializable):
-    """Directory.
+class IdentifierType(_Constant):
+    """ACME identifier type."""
+    POSSIBLE_NAMES = {}  # type: dict
+IDENTIFIER_FQDN = IdentifierType('dns')  # IdentifierDNS in Boulder
+
+
+class Identifier(jose.JSONObjectWithFields):
+    """ACME identifier.
+
+    :ivar IdentifierType typ:
+    :ivar unicode value:
 
-    Directory resources must be accessed by the exact field name in RFC8555 (section 9.7.5).
     """
+    typ = jose.Field('type', decoder=IdentifierType.from_json)
+    value = jose.Field('value')
+
+
+class Directory(jose.JSONDeSerializable):
+    """Directory."""
+
+    _REGISTERED_TYPES = {}  # type: dict
 
     class Meta(jose.JSONObjectWithFields):
         """Directory Meta."""
-        _terms_of_service: str = jose.field('termsOfService', omitempty=True)
-        website: str = jose.field('website', omitempty=True)
-        caa_identities: List[str] = jose.field('caaIdentities', omitempty=True)
-        external_account_required: bool = jose.field('externalAccountRequired', omitempty=True)
+        _terms_of_service = jose.Field('terms-of-service', omitempty=True)
+        _terms_of_service_v2 = jose.Field('termsOfService', omitempty=True)
+        website = jose.Field('website', omitempty=True)
+        caa_identities = jose.Field('caaIdentities', omitempty=True)
+        external_account_required = jose.Field('externalAccountRequired', omitempty=True)
 
-        def __init__(self, **kwargs: Any) -> None:
-            kwargs = {self._internal_name(k): v for k, v in kwargs.items()}
-            super().__init__(**kwargs)
+        def __init__(self, **kwargs):
+            kwargs = dict((self._internal_name(k), v) for k, v in kwargs.items())
+            super(Directory.Meta, self).__init__(**kwargs)
 
         @property
-        def terms_of_service(self) -> str:
+        def terms_of_service(self):
             """URL for the CA TOS"""
-            return self._terms_of_service
+            return self._terms_of_service or self._terms_of_service_v2
 
-        def __iter__(self) -> Iterator[str]:
+        def __iter__(self):
             # When iterating over fields, use the external name 'terms_of_service' instead of
             # the internal '_terms_of_service'.
-            for name in super().__iter__():
+            for name in super(Directory.Meta, self).__iter__():
                 yield name[1:] if name == '_terms_of_service' else name
 
-        def _internal_name(self, name: str) -> str:
+        def _internal_name(self, name):
             return '_' + name if name == 'terms_of_service' else name
 
-    def __init__(self, jobj: Mapping[str, Any]) -> None:
-        self._jobj = jobj
-
-    def __getattr__(self, name: str) -> Any:
-        try:
-            return self[name]
-        except KeyError as error:
-            raise AttributeError(str(error))
-
-    def __getitem__(self, name: str) -> Any:
-        try:
-            return self._jobj[name]
-        except KeyError:
-            raise KeyError(f'Directory field "{name}" not found')
-
-    def to_partial_json(self) -> Dict[str, Any]:
-        return util.map_keys(self._jobj, lambda k: k)
 
     @classmethod
-    def from_json(cls, jobj: MutableMapping[str, Any]) -> 'Directory':
+    def _canon_key(cls, key):
+        return getattr(key, 'resource_type', key)
+
+    @classmethod
+    def register(cls, resource_body_cls):
+        """Register resource."""
+        resource_type = resource_body_cls.resource_type
+        assert resource_type not in cls._REGISTERED_TYPES
+        cls._REGISTERED_TYPES[resource_type] = resource_body_cls
+        return resource_body_cls
+
+    def __init__(self, jobj):
+        canon_jobj = util.map_keys(jobj, self._canon_key)
+        # TODO: check that everything is an absolute URL; acme-spec is
+        # not clear on that
+        self._jobj = canon_jobj
+
+    def __getattr__(self, name):
+        try:
+            return self[name.replace('_', '-')]
+        except KeyError as error:
+            raise AttributeError(str(error) + ': ' + name)
+
+    def __getitem__(self, name):
+        try:
+            return self._jobj[self._canon_key(name)]
+        except KeyError:
+            raise KeyError('Directory field not found')
+
+    def to_partial_json(self):
+        return self._jobj
+
+    @classmethod
+    def from_json(cls, jobj):
         jobj['meta'] = cls.Meta.from_json(jobj.pop('meta', {}))
         return cls(jobj)
 
@@ -280,28 +268,27 @@ class Resource(jose.JSONObjectWithFields):
     :ivar acme.messages.ResourceBody body: Resource body.
 
     """
-    body: "ResourceBody" = jose.field('body')
+    body = jose.Field('body')
 
 
 class ResourceWithURI(Resource):
     """ACME Resource with URI.
 
-    :ivar str uri: Location of the resource.
+    :ivar unicode uri: Location of the resource.
 
     """
-    uri: str = jose.field('uri')  # no ChallengeResource.uri
+    uri = jose.Field('uri')  # no ChallengeResource.uri
 
 
 class ResourceBody(jose.JSONObjectWithFields):
     """ACME Resource Body."""
 
 
-class ExternalAccountBinding:
+class ExternalAccountBinding(object):
     """ACME External Account Binding"""
 
     @classmethod
-    def from_data(cls, account_public_key: jose.JWK, kid: str, hmac_key: str,
-                  directory: Directory) -> Dict[str, Any]:
+    def from_data(cls, account_public_key, kid, hmac_key, directory):
         """Create External Account Binding Resource from contact details, kid and hmac."""
 
         key_json = json.dumps(account_public_key.to_partial_json()).encode()
@@ -315,137 +302,83 @@ class ExternalAccountBinding:
         return eab.to_partial_json()
 
 
-GenericRegistration = TypeVar('GenericRegistration', bound='Registration')
-
-
 class Registration(ResourceBody):
     """Registration Resource Body.
 
-    :ivar jose.JWK key: Public key.
+    :ivar josepy.jwk.JWK key: Public key.
     :ivar tuple contact: Contact information following ACME spec,
-        `tuple` of `str`.
-    :ivar str agreement:
+        `tuple` of `unicode`.
+    :ivar unicode agreement:
 
     """
     # on new-reg key server ignores 'key' and populates it based on
     # JWS.signature.combined.jwk
-    key: jose.JWK = jose.field('key', omitempty=True, decoder=jose.JWK.from_json)
-    # Contact field implements special behavior to allow messages that clear existing
-    # contacts while not expecting the `contact` field when loading from json.
-    # This is implemented in the constructor and *_json methods.
-    contact: Tuple[str, ...] = jose.field('contact', omitempty=True, default=())
-    agreement: str = jose.field('agreement', omitempty=True)
-    status: Status = jose.field('status', omitempty=True)
-    terms_of_service_agreed: bool = jose.field('termsOfServiceAgreed', omitempty=True)
-    only_return_existing: bool = jose.field('onlyReturnExisting', omitempty=True)
-    external_account_binding: Dict[str, Any] = jose.field('externalAccountBinding',
-                                                          omitempty=True)
+    key = jose.Field('key', omitempty=True, decoder=jose.JWK.from_json)
+    contact = jose.Field('contact', omitempty=True, default=())
+    agreement = jose.Field('agreement', omitempty=True)
+    status = jose.Field('status', omitempty=True)
+    terms_of_service_agreed = jose.Field('termsOfServiceAgreed', omitempty=True)
+    only_return_existing = jose.Field('onlyReturnExisting', omitempty=True)
+    external_account_binding = jose.Field('externalAccountBinding', omitempty=True)
 
     phone_prefix = 'tel:'
     email_prefix = 'mailto:'
 
     @classmethod
-    def from_data(cls: Type[GenericRegistration], phone: Optional[str] = None,
-                  email: Optional[str] = None,
-                  external_account_binding: Optional[Dict[str, Any]] = None,
-                  **kwargs: Any) -> GenericRegistration:
-        """
-        Create registration resource from contact details.
-
-        The `contact` keyword being passed to a Registration object is meaningful, so
-        this function represents empty iterables in its kwargs by passing on an empty
-        `tuple`.
-        """
-
-        # Note if `contact` was in kwargs.
-        contact_provided = 'contact' in kwargs
-
-        # Pop `contact` from kwargs and add formatted email or phone numbers
+    def from_data(cls, phone=None, email=None, external_account_binding=None, **kwargs):
+        """Create registration resource from contact details."""
         details = list(kwargs.pop('contact', ()))
         if phone is not None:
             details.append(cls.phone_prefix + phone)
         if email is not None:
             details.extend([cls.email_prefix + mail for mail in email.split(',')])
-
-        # Insert formatted contact information back into kwargs
-        # or insert an empty tuple if `contact` provided.
-        if details or contact_provided:
-            kwargs['contact'] = tuple(details)
+        kwargs['contact'] = tuple(details)
 
         if external_account_binding:
             kwargs['external_account_binding'] = external_account_binding
 
         return cls(**kwargs)
 
-    def __init__(self, **kwargs: Any) -> None:
-        """Note if the user provides a value for the `contact` member."""
-        if 'contact' in kwargs and kwargs['contact'] is not None:
-            # Avoid the __setattr__ used by jose.TypedJSONObjectWithFields
-            object.__setattr__(self, '_add_contact', True)
-        super().__init__(**kwargs)
-
-    def _filter_contact(self, prefix: str) -> Tuple[str, ...]:
+    def _filter_contact(self, prefix):
         return tuple(
             detail[len(prefix):] for detail in self.contact  # pylint: disable=not-an-iterable
             if detail.startswith(prefix))
 
-    def _add_contact_if_appropriate(self, jobj: Dict[str, Any]) -> Dict[str, Any]:
-        """
-        The `contact` member of Registration objects should not be required when
-        de-serializing (as it would be if the Fields' `omitempty` flag were `False`), but
-        it should be included in serializations if it was provided.
-
-        :param jobj: Dictionary containing this Registrations' data
-        :type jobj: dict
-
-        :returns: Dictionary containing Registrations data to transmit to the server
-        :rtype: dict
-        """
-        if getattr(self, '_add_contact', False):
-            jobj['contact'] = self.encode('contact')
-
-        return jobj
-
-    def to_partial_json(self) -> Dict[str, Any]:
-        """Modify josepy.JSONDeserializable.to_partial_json()"""
-        jobj = super().to_partial_json()
-        return self._add_contact_if_appropriate(jobj)
-
-    def fields_to_partial_json(self) -> Dict[str, Any]:
-        """Modify josepy.JSONObjectWithFields.fields_to_partial_json()"""
-        jobj = super().fields_to_partial_json()
-        return self._add_contact_if_appropriate(jobj)
-
     @property
-    def phones(self) -> Tuple[str, ...]:
+    def phones(self):
         """All phones found in the ``contact`` field."""
         return self._filter_contact(self.phone_prefix)
 
     @property
-    def emails(self) -> Tuple[str, ...]:
+    def emails(self):
         """All emails found in the ``contact`` field."""
         return self._filter_contact(self.email_prefix)
 
 
+@Directory.register
 class NewRegistration(Registration):
     """New registration."""
+    resource_type = 'new-reg'
+    resource = fields.Resource(resource_type)
 
 
 class UpdateRegistration(Registration):
     """Update registration."""
+    resource_type = 'reg'
+    resource = fields.Resource(resource_type)
 
 
 class RegistrationResource(ResourceWithURI):
     """Registration Resource.
 
     :ivar acme.messages.Registration body:
-    :ivar str new_authzr_uri: Deprecated. Do not use.
-    :ivar str terms_of_service: URL for the CA TOS.
+    :ivar unicode new_authzr_uri: Deprecated. Do not use.
+    :ivar unicode terms_of_service: URL for the CA TOS.
 
     """
-    body: Registration = jose.field('body', decoder=Registration.from_json)
-    new_authzr_uri: str = jose.field('new_authzr_uri', omitempty=True)
-    terms_of_service: str = jose.field('terms_of_service', omitempty=True)
+    body = jose.Field('body', decoder=Registration.from_json)
+    new_authzr_uri = jose.Field('new_authzr_uri', omitempty=True)
+    terms_of_service = jose.Field('terms_of_service', omitempty=True)
 
 
 class ChallengeBody(ResourceBody):
@@ -470,63 +403,65 @@ class ChallengeBody(ResourceBody):
     # challenge object supports either one, but should be accessed through the
     # name "uri". In Client.answer_challenge, whichever one is set will be
     # used.
-    _url: str = jose.field('url', omitempty=True, default=None)
-    status: Status = jose.field('status', decoder=Status.from_json,
+    _uri = jose.Field('uri', omitempty=True, default=None)
+    _url = jose.Field('url', omitempty=True, default=None)
+    status = jose.Field('status', decoder=Status.from_json,
                         omitempty=True, default=STATUS_PENDING)
-    validated: datetime.datetime = fields.rfc3339('validated', omitempty=True)
-    error: Error = jose.field('error', decoder=Error.from_json,
+    validated = fields.RFC3339Field('validated', omitempty=True)
+    error = jose.Field('error', decoder=Error.from_json,
                        omitempty=True, default=None)
 
-    def __init__(self, **kwargs: Any) -> None:
-        kwargs = {self._internal_name(k): v for k, v in kwargs.items()}
-        super().__init__(**kwargs)
+    def __init__(self, **kwargs):
+        kwargs = dict((self._internal_name(k), v) for k, v in kwargs.items())
+        super(ChallengeBody, self).__init__(**kwargs)
 
-    def encode(self, name: str) -> Any:
-        return super().encode(self._internal_name(name))
+    def encode(self, name):
+        return super(ChallengeBody, self).encode(self._internal_name(name))
 
-    def to_partial_json(self) -> Dict[str, Any]:
-        jobj = super().to_partial_json()
+    def to_partial_json(self):
+        jobj = super(ChallengeBody, self).to_partial_json()
         jobj.update(self.chall.to_partial_json())
         return jobj
 
     @classmethod
-    def fields_from_json(cls, jobj: Mapping[str, Any]) -> Dict[str, Any]:
-        jobj_fields = super().fields_from_json(jobj)
+    def fields_from_json(cls, jobj):
+        jobj_fields = super(ChallengeBody, cls).fields_from_json(jobj)
         jobj_fields['chall'] = challenges.Challenge.from_json(jobj)
         return jobj_fields
 
     @property
-    def uri(self) -> str:
+    def uri(self):
         """The URL of this challenge."""
-        return self._url
+        return self._url or self._uri
 
-    def __getattr__(self, name: str) -> Any:
+    def __getattr__(self, name):
         return getattr(self.chall, name)
 
-    def __iter__(self) -> Iterator[str]:
+    def __iter__(self):
         # When iterating over fields, use the external name 'uri' instead of
         # the internal '_uri'.
-        for name in super().__iter__():
-            yield 'uri' if name == '_url' else name
+        for name in super(ChallengeBody, self).__iter__():
+            yield name[1:] if name == '_uri' else name
 
-    def _internal_name(self, name: str) -> str:
-        return '_url' if name == 'uri' else name
+    def _internal_name(self, name):
+        return '_' + name if name == 'uri' else name
 
 
 class ChallengeResource(Resource):
     """Challenge Resource.
 
     :ivar acme.messages.ChallengeBody body:
-    :ivar str authzr_uri: URI found in the 'up' ``Link`` header.
+    :ivar unicode authzr_uri: URI found in the 'up' ``Link`` header.
 
     """
-    body: ChallengeBody = jose.field('body', decoder=ChallengeBody.from_json)
-    authzr_uri: str = jose.field('authzr_uri')
+    body = jose.Field('body', decoder=ChallengeBody.from_json)
+    authzr_uri = jose.Field('authzr_uri')
 
     @property
-    def uri(self) -> str:
+    def uri(self):
         """The URL of the challenge body."""
-        return self.body.uri  # pylint: disable=no-member
+        # pylint: disable=function-redefined,no-member
+        return self.body.uri
 
 
 class Authorization(ResourceBody):
@@ -534,55 +469,70 @@ class Authorization(ResourceBody):
 
     :ivar acme.messages.Identifier identifier:
     :ivar list challenges: `list` of `.ChallengeBody`
+    :ivar tuple combinations: Challenge combinations (`tuple` of `tuple`
+        of `int`, as opposed to `list` of `list` from the spec).
     :ivar acme.messages.Status status:
     :ivar datetime.datetime expires:
 
     """
-    identifier: Identifier = jose.field('identifier', decoder=Identifier.from_json, omitempty=True)
-    challenges: List[ChallengeBody] = jose.field('challenges', omitempty=True)
+    identifier = jose.Field('identifier', decoder=Identifier.from_json, omitempty=True)
+    challenges = jose.Field('challenges', omitempty=True)
+    combinations = jose.Field('combinations', omitempty=True)
 
-    status: Status = jose.field('status', omitempty=True, decoder=Status.from_json)
+    status = jose.Field('status', omitempty=True, decoder=Status.from_json)
     # TODO: 'expires' is allowed for Authorization Resources in
     # general, but for Key Authorization '[t]he "expires" field MUST
     # be absent'... then acme-spec gives example with 'expires'
     # present... That's confusing!
-    expires: datetime.datetime = fields.rfc3339('expires', omitempty=True)
-    wildcard: bool = jose.field('wildcard', omitempty=True)
+    expires = fields.RFC3339Field('expires', omitempty=True)
+    wildcard = jose.Field('wildcard', omitempty=True)
 
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that challenge is redefined. Let's ignore the type check here.
-    @challenges.decoder  # type: ignore
-    def challenges(value: List[Dict[str, Any]]) -> Tuple[ChallengeBody, ...]:  # pylint: disable=no-self-argument,missing-function-docstring
+    @challenges.decoder
+    def challenges(value):  # pylint: disable=missing-docstring,no-self-argument
         return tuple(ChallengeBody.from_json(chall) for chall in value)
 
+    @property
+    def resolved_combinations(self):
+        """Combinations with challenges instead of indices."""
+        return tuple(tuple(self.challenges[idx] for idx in combo)
+                     for combo in self.combinations)  # pylint: disable=not-an-iterable
 
+
+@Directory.register
 class NewAuthorization(Authorization):
     """New authorization."""
+    resource_type = 'new-authz'
+    resource = fields.Resource(resource_type)
 
 
 class UpdateAuthorization(Authorization):
     """Update authorization."""
+    resource_type = 'authz'
+    resource = fields.Resource(resource_type)
 
 
 class AuthorizationResource(ResourceWithURI):
     """Authorization Resource.
 
     :ivar acme.messages.Authorization body:
-    :ivar str new_cert_uri: Deprecated. Do not use.
+    :ivar unicode new_cert_uri: Deprecated. Do not use.
 
     """
-    body: Authorization = jose.field('body', decoder=Authorization.from_json)
-    new_cert_uri: str = jose.field('new_cert_uri', omitempty=True)
+    body = jose.Field('body', decoder=Authorization.from_json)
+    new_cert_uri = jose.Field('new_cert_uri', omitempty=True)
 
 
+@Directory.register
 class CertificateRequest(jose.JSONObjectWithFields):
-    """ACME newOrder request.
+    """ACME new-cert request.
 
-    :ivar jose.ComparableX509 csr:
+    :ivar josepy.util.ComparableX509 csr:
         `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509`
 
     """
-    csr: jose.ComparableX509 = jose.field('csr', decoder=jose.decode_csr, encoder=jose.encode_csr)
+    resource_type = 'new-cert'
+    resource = fields.Resource(resource_type)
+    csr = jose.Field('csr', decoder=jose.decode_csr, encoder=jose.encode_csr)
 
 
 class CertificateResource(ResourceWithURI):
@@ -590,92 +540,70 @@ class CertificateResource(ResourceWithURI):
 
     :ivar josepy.util.ComparableX509 body:
         `OpenSSL.crypto.X509` wrapped in `.ComparableX509`
-    :ivar str cert_chain_uri: URI found in the 'up' ``Link`` header
+    :ivar unicode cert_chain_uri: URI found in the 'up' ``Link`` header
     :ivar tuple authzrs: `tuple` of `AuthorizationResource`.
 
     """
-    cert_chain_uri: str = jose.field('cert_chain_uri')
-    authzrs: Tuple[AuthorizationResource, ...] = jose.field('authzrs')
+    cert_chain_uri = jose.Field('cert_chain_uri')
+    authzrs = jose.Field('authzrs')
 
 
+@Directory.register
 class Revocation(jose.JSONObjectWithFields):
     """Revocation message.
 
-    :ivar jose.ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in
-        `jose.ComparableX509`
+    :ivar .ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in
+        `.ComparableX509`
 
     """
-    certificate: jose.ComparableX509 = jose.field(
+    resource_type = 'revoke-cert'
+    resource = fields.Resource(resource_type)
+    certificate = jose.Field(
         'certificate', decoder=jose.decode_cert, encoder=jose.encode_cert)
-    reason: int = jose.field('reason')
+    reason = jose.Field('reason')
 
 
 class Order(ResourceBody):
     """Order Resource Body.
 
-    :ivar identifiers: List of identifiers for the certificate.
-    :vartype identifiers: `list` of `.Identifier`
+    :ivar list of .Identifier: List of identifiers for the certificate.
     :ivar acme.messages.Status status:
-    :ivar authorizations: URLs of authorizations.
-    :vartype authorizations: `list` of `str`
+    :ivar list of str authorizations: URLs of authorizations.
     :ivar str certificate: URL to download certificate as a fullchain PEM.
     :ivar str finalize: URL to POST to to request issuance once all
         authorizations have "valid" status.
     :ivar datetime.datetime expires: When the order expires.
-    :ivar ~.Error error: Any error that occurred during finalization, if applicable.
+    :ivar .Error error: Any error that occurred during finalization, if applicable.
     """
-    identifiers: List[Identifier] = jose.field('identifiers', omitempty=True)
-    status: Status = jose.field('status', decoder=Status.from_json, omitempty=True)
-    authorizations: List[str] = jose.field('authorizations', omitempty=True)
-    certificate: str = jose.field('certificate', omitempty=True)
-    finalize: str = jose.field('finalize', omitempty=True)
-    expires: datetime.datetime = fields.rfc3339('expires', omitempty=True)
-    error: Error = jose.field('error', omitempty=True, decoder=Error.from_json)
+    identifiers = jose.Field('identifiers', omitempty=True)
+    status = jose.Field('status', decoder=Status.from_json,
+                        omitempty=True)
+    authorizations = jose.Field('authorizations', omitempty=True)
+    certificate = jose.Field('certificate', omitempty=True)
+    finalize = jose.Field('finalize', omitempty=True)
+    expires = fields.RFC3339Field('expires', omitempty=True)
+    error = jose.Field('error', omitempty=True, decoder=Error.from_json)
 
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that identifiers is redefined. Let's ignore the type check here.
-    @identifiers.decoder  # type: ignore
-    def identifiers(value: List[Dict[str, Any]]) -> Tuple[Identifier, ...]:  # pylint: disable=no-self-argument,missing-function-docstring
+    @identifiers.decoder
+    def identifiers(value):  # pylint: disable=missing-docstring,no-self-argument
         return tuple(Identifier.from_json(identifier) for identifier in value)
 
-
 class OrderResource(ResourceWithURI):
     """Order Resource.
 
     :ivar acme.messages.Order body:
-    :ivar bytes csr_pem: The CSR this Order will be finalized with.
-    :ivar authorizations: Fully-fetched AuthorizationResource objects.
-    :vartype authorizations: `list` of `acme.messages.AuthorizationResource`
+    :ivar str csr_pem: The CSR this Order will be finalized with.
+    :ivar list of acme.messages.AuthorizationResource authorizations:
+        Fully-fetched AuthorizationResource objects.
     :ivar str fullchain_pem: The fetched contents of the certificate URL
         produced once the order was finalized, if it's present.
-    :ivar alternative_fullchains_pem: The fetched contents of alternative certificate
-        chain URLs produced once the order was finalized, if present and requested during
-        finalization.
-    :vartype alternative_fullchains_pem: `list` of `str`
     """
-    body: Order = jose.field('body', decoder=Order.from_json)
-    csr_pem: bytes = jose.field('csr_pem', omitempty=True,
-                                # This looks backwards, but it's not -
-                                # we want the deserialized value to be
-                                # `bytes`, but anything we put into
-                                # JSON needs to be `str`, so we encode
-                                # to decode and decode to
-                                # encode. Otherwise we end up with an
-                                # array of ints on serialization
-                                decoder=lambda s: s.encode("utf-8"),
-                                encoder=lambda b: b.decode("utf-8"))
-
-    authorizations: List[AuthorizationResource] = jose.field('authorizations')
-    fullchain_pem: str = jose.field('fullchain_pem', omitempty=True)
-    alternative_fullchains_pem: List[str] = jose.field('alternative_fullchains_pem',
-                                                       omitempty=True)
-
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that authorizations is redefined. Let's ignore the type check here.
-    @authorizations.decoder  # type: ignore
-    def authorizations(value: List[Dict[str, Any]]) -> Tuple[AuthorizationResource, ...]: # pylint: disable=no-self-argument,missing-function-docstring
-        return tuple(AuthorizationResource.from_json(authz) for authz in value)
-
+    body = jose.Field('body', decoder=Order.from_json)
+    csr_pem = jose.Field('csr_pem', omitempty=True)
+    authorizations = jose.Field('authorizations')
+    fullchain_pem = jose.Field('fullchain_pem', omitempty=True)
 
+@Directory.register
 class NewOrder(Order):
     """New order."""
+    resource_type = 'new-order'

acme/acme/standalone.py

@@ -1,59 +1,45 @@
 """Support for standalone client challenge solvers. """
 import collections
 import functools
-import http.client as http_client
-import http.server as BaseHTTPServer
 import logging
 import socket
-import socketserver
 import threading
-from typing import Any
-from typing import cast
-from typing import List
-from typing import Mapping
-from typing import Optional
-from typing import Set
-from typing import Tuple
-from typing import Type
 
-from OpenSSL import crypto
-from OpenSSL import SSL
+from six.moves import BaseHTTPServer  # type: ignore  # pylint: disable=import-error
+from six.moves import http_client  # pylint: disable=import-error
+from six.moves import socketserver  # type: ignore  # pylint: disable=import-error
 
 from acme import challenges
 from acme import crypto_util
+from acme.magic_typing import List  # pylint: disable=unused-import, no-name-in-module
 
 logger = logging.getLogger(__name__)
 
+# six.moves.* | pylint: disable=no-member,attribute-defined-outside-init
+# pylint: disable=no-init
+
 
 class TLSServer(socketserver.TCPServer):
     """Generic TLS Server."""
 
-    def __init__(self, *args: Any, **kwargs: Any) -> None:
+    def __init__(self, *args, **kwargs):
         self.ipv6 = kwargs.pop("ipv6", False)
         if self.ipv6:
             self.address_family = socket.AF_INET6
         else:
             self.address_family = socket.AF_INET
         self.certs = kwargs.pop("certs", {})
-        self.method = kwargs.pop("method", crypto_util._DEFAULT_SSL_METHOD)
+        self.method = kwargs.pop(
+            # pylint: disable=protected-access
+            "method", crypto_util._DEFAULT_SSL_METHOD)
         self.allow_reuse_address = kwargs.pop("allow_reuse_address", True)
-        super().__init__(*args, **kwargs)
+        socketserver.TCPServer.__init__(self, *args, **kwargs)
 
-    def _wrap_sock(self) -> None:
-        self.socket = cast(socket.socket, crypto_util.SSLSocket(
-            self.socket, cert_selection=self._cert_selection,
-            alpn_selection=getattr(self, '_alpn_selection', None),
-            method=self.method))
+    def _wrap_sock(self):
+        self.socket = crypto_util.SSLSocket(
+            self.socket, certs=self.certs, method=self.method)
 
-    def _cert_selection(self, connection: SSL.Connection
-                        ) -> Optional[Tuple[crypto.PKey, crypto.X509]]:  # pragma: no cover
-        """Callback selecting certificate for connection."""
-        server_name = connection.get_servername()
-        if server_name:
-            return self.certs.get(server_name, None)
-        return None
-
-    def server_bind(self) -> None:
+    def server_bind(self):  # pylint: disable=missing-docstring
         self._wrap_sock()
         return socketserver.TCPServer.server_bind(self)
 
@@ -65,7 +51,7 @@ class ACMEServerMixin:
     allow_reuse_address = True
 
 
-class BaseDualNetworkedServers:
+class BaseDualNetworkedServers(object):
     """Base class for a pair of IPv6 and IPv4 servers that tries to do everything
        it's asked for both servers, but where failures in one server don't
        affect the other.
@@ -73,14 +59,10 @@ class BaseDualNetworkedServers:
        If two servers are instantiated, they will serve on the same port.
        """
 
-    def __init__(self, ServerClass: Type[socketserver.TCPServer], server_address: Tuple[str, int],
-                 *remaining_args: Any, **kwargs: Any) -> None:
+    def __init__(self, ServerClass, server_address, *remaining_args, **kwargs):
         port = server_address[1]
-        self.threads: List[threading.Thread] = []
-        self.servers: List[socketserver.BaseServer] = []
-
-        # Preserve socket error for re-raising, if no servers can be started
-        last_socket_err: Optional[socket.error] = None
+        self.threads = [] # type: List[threading.Thread]
+        self.servers = [] # type: List[ACMEServerMixin]
 
         # Must try True first.
         # Ubuntu, for example, will fail to bind to IPv4 if we've already bound
@@ -98,8 +80,7 @@ class BaseDualNetworkedServers:
                 logger.debug(
                     "Successfully bound to %s:%s using %s", new_address[0],
                     new_address[1], "IPv6" if ip_version else "IPv4")
-            except socket.error as e:
-                last_socket_err = e
+            except socket.error:
                 if self.servers:
                     # Already bound using IPv6.
                     logger.debug(
@@ -118,12 +99,9 @@ class BaseDualNetworkedServers:
                 # bind to the same port for both servers.
                 port = server.socket.getsockname()[1]
         if not self.servers:
-            if last_socket_err:
-                raise last_socket_err
-            else: # pragma: no cover
-                raise socket.error("Could not bind to IPv4 or IPv6.")
+            raise socket.error("Could not bind to IPv4 or IPv6.")
 
-    def serve_forever(self) -> None:
+    def serve_forever(self):
         """Wraps socketserver.TCPServer.serve_forever"""
         for server in self.servers:
             thread = threading.Thread(
@@ -131,11 +109,11 @@ class BaseDualNetworkedServers:
             thread.start()
             self.threads.append(thread)
 
-    def getsocknames(self) -> List[Tuple[str, int]]:
+    def getsocknames(self):
         """Wraps socketserver.TCPServer.socket.getsockname"""
         return [server.socket.getsockname() for server in self.servers]
 
-    def shutdown_and_server_close(self) -> None:
+    def shutdown_and_server_close(self):
         """Wraps socketserver.TCPServer.shutdown, socketserver.TCPServer.server_close, and
            threading.Thread.join"""
         for server in self.servers:
@@ -146,77 +124,33 @@ class BaseDualNetworkedServers:
         self.threads = []
 
 
-class TLSALPN01Server(TLSServer, ACMEServerMixin):
-    """TLSALPN01 Server."""
-
-    ACME_TLS_1_PROTOCOL = b"acme-tls/1"
-
-    def __init__(self, server_address: Tuple[str, int],
-                 certs: List[Tuple[crypto.PKey, crypto.X509]],
-                 challenge_certs: Mapping[bytes, Tuple[crypto.PKey, crypto.X509]],
-                 ipv6: bool = False) -> None:
-        # We don't need to implement a request handler here because the work
-        # (including logging) is being done by wrapped socket set up in the
-        # parent TLSServer class.
-        TLSServer.__init__(
-            self, server_address, socketserver.BaseRequestHandler, certs=certs,
-            ipv6=ipv6)
-        self.challenge_certs = challenge_certs
-
-    def _cert_selection(self, connection: SSL.Connection) -> Optional[Tuple[crypto.PKey,
-                                                                            crypto.X509]]:
-        # TODO: We would like to serve challenge cert only if asked for it via
-        # ALPN. To do this, we need to retrieve the list of protos from client
-        # hello, but this is currently impossible with openssl [0], and ALPN
-        # negotiation is done after cert selection.
-        # Therefore, currently we always return challenge cert, and terminate
-        # handshake in alpn_selection() if ALPN protos are not what we expect.
-        # [0] https://github.com/openssl/openssl/issues/4952
-        server_name = connection.get_servername()
-        if server_name:
-            logger.debug("Serving challenge cert for server name %s", server_name)
-            return self.challenge_certs[server_name]
-        return None # pragma: no cover
-
-    def _alpn_selection(self, _connection: SSL.Connection, alpn_protos: List[bytes]) -> bytes:
-        """Callback to select alpn protocol."""
-        if len(alpn_protos) == 1 and alpn_protos[0] == self.ACME_TLS_1_PROTOCOL:
-            logger.debug("Agreed on %s ALPN", self.ACME_TLS_1_PROTOCOL)
-            return self.ACME_TLS_1_PROTOCOL
-        logger.debug("Cannot agree on ALPN proto. Got: %s", str(alpn_protos))
-        # Explicitly close the connection now, by returning an empty string.
-        # See https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_alpn_select_callback  # pylint: disable=line-too-long
-        return b""
-
-
 class HTTPServer(BaseHTTPServer.HTTPServer):
     """Generic HTTP Server."""
 
-    def __init__(self, *args: Any, **kwargs: Any) -> None:
+    def __init__(self, *args, **kwargs):
         self.ipv6 = kwargs.pop("ipv6", False)
         if self.ipv6:
             self.address_family = socket.AF_INET6
         else:
             self.address_family = socket.AF_INET
-        super().__init__(*args, **kwargs)
+        BaseHTTPServer.HTTPServer.__init__(self, *args, **kwargs)
 
 
 class HTTP01Server(HTTPServer, ACMEServerMixin):
     """HTTP01 Server."""
 
-    def __init__(self, server_address: Tuple[str, int], resources: Set[challenges.HTTP01],
-                 ipv6: bool = False, timeout: int = 30) -> None:
-        super().__init__(
-            server_address, HTTP01RequestHandler.partial_init(
-                simple_http_resources=resources, timeout=timeout), ipv6=ipv6)
+    def __init__(self, server_address, resources, ipv6=False):
+        HTTPServer.__init__(
+            self, server_address, HTTP01RequestHandler.partial_init(
+                simple_http_resources=resources), ipv6=ipv6)
 
 
 class HTTP01DualNetworkedServers(BaseDualNetworkedServers):
     """HTTP01Server Wrapper. Tries everything for both. Failures for one don't
        affect the other."""
 
-    def __init__(self, *args: Any, **kwargs: Any) -> None:
-        super().__init__(HTTP01Server, *args, **kwargs)
+    def __init__(self, *args, **kwargs):
+        BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
 
 
 class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
@@ -231,37 +165,20 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
     HTTP01Resource = collections.namedtuple(
         "HTTP01Resource", "chall response validation")
 
-    def __init__(self, *args: Any, **kwargs: Any) -> None:
+    def __init__(self, *args, **kwargs):
         self.simple_http_resources = kwargs.pop("simple_http_resources", set())
-        self._timeout = kwargs.pop('timeout', 30)
-        super().__init__(*args, **kwargs)
-        self.server: HTTP01Server
+        BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kwargs)
 
-    # In parent class BaseHTTPRequestHandler, 'timeout' is a class-level property but we
-    # need to define its value during the initialization phase in HTTP01RequestHandler.
-    # However MyPy does not appreciate that we dynamically shadow a class-level property
-    # with an instance-level property (eg. self.timeout = ... in __init__()). So to make
-    # everyone happy, we statically redefine 'timeout' as a method property, and set the
-    # timeout value in a new internal instance-level property _timeout.
-    @property
-    def timeout(self) -> int:  # type: ignore[override]
-        """
-        The default timeout this server should apply to requests.
-        :return: timeout to apply
-        :rtype: int
-        """
-        return self._timeout
-
-    def log_message(self, format: str, *args: Any) -> None:  # pylint: disable=redefined-builtin
+    def log_message(self, format, *args):  # pylint: disable=redefined-builtin
         """Log arbitrary message."""
         logger.debug("%s - - %s", self.client_address[0], format % args)
 
-    def handle(self) -> None:
+    def handle(self):
         """Handle request."""
         self.log_message("Incoming request")
         BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
 
-    def do_GET(self) -> None:  # pylint: disable=invalid-name,missing-function-docstring
+    def do_GET(self):  # pylint: disable=invalid-name,missing-docstring
         if self.path == "/":
             self.handle_index()
         elif self.path.startswith("/" + challenges.HTTP01.URI_ROOT_PATH):
@@ -269,21 +186,21 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
         else:
             self.handle_404()
 
-    def handle_index(self) -> None:
+    def handle_index(self):
         """Handle index page."""
         self.send_response(200)
         self.send_header("Content-Type", "text/html")
         self.end_headers()
         self.wfile.write(self.server.server_version.encode())
 
-    def handle_404(self) -> None:
+    def handle_404(self):
         """Handler 404 Not Found errors."""
         self.send_response(http_client.NOT_FOUND, message="Not Found")
         self.send_header("Content-type", "text/html")
         self.end_headers()
         self.wfile.write(b"404")
 
-    def handle_simple_http_resource(self) -> None:
+    def handle_simple_http_resource(self):
         """Handle HTTP01 provisioned resources."""
         for resource in self.simple_http_resources:
             if resource.chall.path == self.path:
@@ -299,8 +216,7 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
                          self.path)
 
     @classmethod
-    def partial_init(cls, simple_http_resources: Set[challenges.HTTP01],
-                     timeout: int) -> 'functools.partial[HTTP01RequestHandler]':
+    def partial_init(cls, simple_http_resources):
         """Partially initialize this handler.
 
         This is useful because `socketserver.BaseServer` takes
@@ -309,5 +225,4 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 
         """
         return functools.partial(
-            cls, simple_http_resources=simple_http_resources,
-            timeout=timeout)
+            cls, simple_http_resources=simple_http_resources)

acme/acme/util.py

@@ -1,10 +1,7 @@
 """ACME utilities."""
-from typing import Any
-from typing import Callable
-from typing import Dict
-from typing import Mapping
+import six
 
 
-def map_keys(dikt: Mapping[Any, Any], func: Callable[[Any], Any]) -> Dict[Any, Any]:
+def map_keys(dikt, func):
     """Map dictionary keys."""
-    return {func(key): value for key, value in dikt.items()}
+    return dict((func(key), value) for key, value in six.iteritems(dikt))

acme/docs/Makefile

@@ -9,7 +9,7 @@ BUILDDIR      = _build
 
 # User-friendly check for sphinx-build
 ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
-$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from https://www.sphinx-doc.org/)
+$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
 endif
 
 # Internal variables.

acme/docs/conf.py

@@ -13,6 +13,7 @@
 # serve to show the default.
 
 import os
+import shlex
 import sys
 
 here = os.path.abspath(os.path.dirname(__file__))
@@ -37,11 +38,10 @@ extensions = [
     'sphinx.ext.todo',
     'sphinx.ext.coverage',
     'sphinx.ext.viewcode',
-    'sphinx_rtd_theme',
 ]
 
 autodoc_member_order = 'bysource'
-autodoc_default_flags = ['show-inheritance']
+autodoc_default_flags = ['show-inheritance', 'private-members']
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -59,7 +59,7 @@ master_doc = 'index'
 
 # General information about the project.
 project = u'acme-python'
-copyright = u'2015, Let\'s Encrypt Project'
+copyright = u'2015-2015, Let\'s Encrypt Project'
 author = u'Let\'s Encrypt Project'
 
 # The version info for the project you're documenting, acts as replacement for
@@ -86,9 +86,7 @@ language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = [
-    '_build',
-]
+exclude_patterns = ['_build']
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
@@ -115,7 +113,7 @@ pygments_style = 'sphinx'
 #keep_warnings = False
 
 # If true, `todo` and `todoList` produce output, else they produce nothing.
-todo_include_todos = False
+todo_include_todos = True
 
 
 # -- Options for HTML output ----------------------------------------------
@@ -123,7 +121,14 @@ todo_include_todos = False
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 
-html_theme = 'sphinx_rtd_theme'
+# http://docs.readthedocs.org/en/latest/theme.html#how-do-i-use-this-locally-and-on-read-the-docs
+# on_rtd is whether we are on readthedocs.org
+on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
+if not on_rtd:  # only import and set the theme if we're building docs locally
+    import sphinx_rtd_theme
+    html_theme = 'sphinx_rtd_theme'
+    html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+# otherwise, readthedocs.org uses their theme by default, so no need to specify it
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the

acme/docs/jws-help.txt

@@ -3,6 +3,6 @@ usage: jws [-h] [--compact] {sign,verify} ...
 positional arguments:
   {sign,verify}
 
-options:
+optional arguments:
   -h, --help     show this help message and exit
   --compact

acme/docs/make.bat

@@ -65,7 +65,7 @@ if errorlevel 9009 (
 	echo.may add the Sphinx directory to PATH.
 	echo.
 	echo.If you don't have Sphinx installed, grab it from
-	echo.https://www.sphinx-doc.org/
+	echo.http://sphinx-doc.org/
 	exit /b 1
 )
 

acme/docs/man/jws.rst

@@ -1,3 +1 @@
-:orphan:
-
 .. literalinclude:: ../jws-help.txt

acme/examples/http01_example.py

@@ -163,7 +163,7 @@ def example_http():
     # Register account and accept TOS
 
     net = client.ClientNetwork(acc_key, user_agent=USER_AGENT)
-    directory = client.ClientV2.get_directory(DIRECTORY_URL, net)
+    directory = messages.Directory.from_json(net.get(DIRECTORY_URL).json())
     client_acme = client.ClientV2(directory, net=net)
 
     # Terms of Service URL is in client_acme.directory.meta.terms_of_service
@@ -215,7 +215,8 @@ def example_http():
     try:
         regr = client_acme.query_registration(regr)
     except errors.Error as err:
-        if err.typ == messages.ERROR_PREFIX + 'unauthorized':
+        if err.typ == messages.OLD_ERROR_PREFIX + 'unauthorized' \
+                or err.typ == messages.ERROR_PREFIX + 'unauthorized':
             # Status is deactivated.
             pass
         raise

acme/examples/standalone/README

@@ -0,0 +1,2 @@
+python -m acme.standalone -p 1234
+curl -k https://localhost:1234

acme/examples/standalone/localhost/cert.pem

@@ -0,0 +1 @@
+../../../acme/testdata/rsa2048_cert.pem

acme/examples/standalone/localhost/key.pem

@@ -0,0 +1 @@
+../../../acme/testdata/rsa2048_key.pem

acme/readthedocs.org.requirements.txt

@@ -7,7 +7,4 @@
 # in --editable mode (-e), just "pip install acme[docs]" does not work as
 # expected and "pip install -e acme[docs]" must be used instead
 
-# We also pin our dependencies for increased stability.
-
--c ../tools/requirements.txt
 -e acme[docs]

acme/setup.cfg

@@ -0,0 +1,2 @@
+[bdist_wheel]
+universal = 1

acme/setup.py

@@ -2,20 +2,34 @@ import sys
 
 from setuptools import find_packages
 from setuptools import setup
+from setuptools.command.test import test as TestCommand
 
-version = '2.12.0.dev0'
+version = '1.1.0.dev0'
 
+# Please update tox.ini when modifying dependency version requirements
 install_requires = [
-    'cryptography>=3.2.1',
-    # Josepy 2+ may introduce backward incompatible changes by droping usage of
-    # deprecated PyOpenSSL APIs.
-    'josepy>=1.13.0, <2',
-    # pyOpenSSL 23.1.0 is a bad release: https://github.com/pyca/pyopenssl/issues/1199
-    'PyOpenSSL>=17.5.0,!=23.1.0',
+    # load_pem_private/public_key (>=0.6)
+    # rsa_recover_prime_factors (>=0.8)
+    'cryptography>=1.2.3',
+    # formerly known as acme.jose:
+    # 1.1.0+ is required to avoid the warnings described at
+    # https://github.com/certbot/josepy/issues/13.
+    'josepy>=1.1.0',
+    'mock',
+    # Connection.set_tlsext_host_name (>=0.13)
+    'PyOpenSSL>=0.13.1',
     'pyrfc3339',
-    'pytz>=2019.3',
-    'requests>=2.20.0',
-    'setuptools>=41.6.0',
+    'pytz',
+    'requests[security]>=2.6.0',  # security extras added in 2.4.1
+    'requests-toolbelt>=0.3.0',
+    'setuptools',
+    'six>=1.9.0',  # needed for python_2_unicode_compatible
+]
+
+dev_extras = [
+    'pytest',
+    'pytest-xdist',
+    'tox',
 ]
 
 docs_extras = [
@@ -23,41 +37,44 @@ docs_extras = [
     'sphinx_rtd_theme',
 ]
 
-test_extras = [
-    # In theory we could scope importlib_resources to env marker 'python_version<"3.9"'. But this
-    # makes the pinning mechanism emit warnings when running `poetry lock` because in the corner
-    # case of an extra dependency with env marker coming from a setup.py file, it generate the
-    # invalid requirement 'importlib_resource>=1.3.1;python<=3.9;extra=="test"'.
-    # To fix the issue, we do not pass the env marker. This is fine because:
-    # - importlib_resources can be applied to any Python version,
-    # - this is a "test" extra dependency for limited audience,
-    # - it does not change anything at the end for the generated requirement files.
-    'importlib_resources>=1.3.1',
-    'pytest',
-    'pytest-xdist',
-    'typing-extensions',
-]
+
+class PyTest(TestCommand):
+    user_options = []
+
+    def initialize_options(self):
+        TestCommand.initialize_options(self)
+        self.pytest_args = ''
+
+    def run_tests(self):
+        import shlex
+        # import here, cause outside the eggs aren't loaded
+        import pytest
+        errno = pytest.main(shlex.split(self.pytest_args))
+        sys.exit(errno)
+
 
 setup(
     name='acme',
     version=version,
     description='ACME protocol implementation in Python',
-    url='https://github.com/certbot/certbot',
+    url='https://github.com/letsencrypt/letsencrypt',
     author="Certbot Project",
-    author_email='certbot-dev@eff.org',
+    author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=3.8',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Intended Audience :: Developers',
         'License :: OSI Approved :: Apache Software License',
         'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.4',
+        'Programming Language :: Python :: 3.5',
+        'Programming Language :: Python :: 3.6',
+        'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
-        'Programming Language :: Python :: 3.10',
-        'Programming Language :: Python :: 3.11',
-        'Programming Language :: Python :: 3.12',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],
@@ -66,7 +83,10 @@ setup(
     include_package_data=True,
     install_requires=install_requires,
     extras_require={
+        'dev': dev_extras,
         'docs': docs_extras,
-        'test': test_extras,
     },
+    test_suite='acme',
+    tests_require=["pytest"],
+    cmdclass={"test": PyTest},
 )

acme/tests/challenges_test.py

@@ -1,17 +1,12 @@
 """Tests for acme.challenges."""
-import sys
 import unittest
-from unittest import mock
-import urllib.parse as urllib_parse
 
 import josepy as jose
-from josepy.jwk import JWKEC
-import OpenSSL
-import pytest
+import mock
 import requests
+from six.moves.urllib import parse as urllib_parse
 
-from acme import errors
-from acme._internal.tests import test_util
+import test_util
 
 CERT = test_util.load_comparable_cert('cert.pem')
 KEY = jose.JWKRSA(key=test_util.load_rsa_private_key('rsa512_key.pem'))
@@ -23,7 +18,7 @@ class ChallengeTest(unittest.TestCase):
         from acme.challenges import Challenge
         from acme.challenges import UnrecognizedChallenge
         chall = UnrecognizedChallenge({"type": "foo"})
-        assert chall == Challenge.from_json(chall.jobj)
+        self.assertEqual(chall, Challenge.from_json(chall.jobj))
 
 
 class UnrecognizedChallengeTest(unittest.TestCase):
@@ -34,11 +29,12 @@ class UnrecognizedChallengeTest(unittest.TestCase):
         self.chall = UnrecognizedChallenge(self.jobj)
 
     def test_to_partial_json(self):
-        assert self.jobj == self.chall.to_partial_json()
+        self.assertEqual(self.jobj, self.chall.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import UnrecognizedChallenge
-        assert self.chall == UnrecognizedChallenge.from_json(self.jobj)
+        self.assertEqual(
+            self.chall, UnrecognizedChallenge.from_json(self.jobj))
 
 
 class KeyAuthorizationChallengeResponseTest(unittest.TestCase):
@@ -54,26 +50,26 @@ class KeyAuthorizationChallengeResponseTest(unittest.TestCase):
         from acme.challenges import KeyAuthorizationChallengeResponse
         response = KeyAuthorizationChallengeResponse(
             key_authorization='foo.oKGqedy-b-acd5eoybm2f-NVFxvyOoET5CNy3xnv8WY')
-        assert response.verify(self.chall, KEY.public_key())
+        self.assertTrue(response.verify(self.chall, KEY.public_key()))
 
     def test_verify_wrong_token(self):
         from acme.challenges import KeyAuthorizationChallengeResponse
         response = KeyAuthorizationChallengeResponse(
             key_authorization='bar.oKGqedy-b-acd5eoybm2f-NVFxvyOoET5CNy3xnv8WY')
-        assert not response.verify(self.chall, KEY.public_key())
+        self.assertFalse(response.verify(self.chall, KEY.public_key()))
 
     def test_verify_wrong_thumbprint(self):
         from acme.challenges import KeyAuthorizationChallengeResponse
         response = KeyAuthorizationChallengeResponse(
             key_authorization='foo.oKGqedy-b-acd5eoybm2f-NVFxv')
-        assert not response.verify(self.chall, KEY.public_key())
+        self.assertFalse(response.verify(self.chall, KEY.public_key()))
 
     def test_verify_wrong_form(self):
         from acme.challenges import KeyAuthorizationChallengeResponse
         response = KeyAuthorizationChallengeResponse(
             key_authorization='.foo.oKGqedy-b-acd5eoybm2f-'
             'NVFxvyOoET5CNy3xnv8WY')
-        assert not response.verify(self.chall, KEY.public_key())
+        self.assertFalse(response.verify(self.chall, KEY.public_key()))
 
 
 class DNS01ResponseTest(unittest.TestCase):
@@ -92,11 +88,12 @@ class DNS01ResponseTest(unittest.TestCase):
         self.response = self.chall.response(KEY)
 
     def test_to_partial_json(self):
-        assert {} == self.msg.to_partial_json()
+        self.assertEqual({k: v for k, v in self.jmsg.items() if k != 'keyAuthorization'},
+                         self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import DNS01Response
-        assert self.msg == DNS01Response.from_json(self.jmsg)
+        self.assertEqual(self.msg, DNS01Response.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import DNS01Response
@@ -106,12 +103,12 @@ class DNS01ResponseTest(unittest.TestCase):
         key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem'))
         public_key = key2.public_key()
         verified = self.response.simple_verify(self.chall, "local", public_key)
-        assert not verified
+        self.assertFalse(verified)
 
     def test_simple_verify_success(self):
         public_key = KEY.public_key()
         verified = self.response.simple_verify(self.chall, "local", public_key)
-        assert verified
+        self.assertTrue(verified)
 
 
 class DNS01Test(unittest.TestCase):
@@ -126,19 +123,20 @@ class DNS01Test(unittest.TestCase):
         }
 
     def test_validation_domain_name(self):
-        assert '_acme-challenge.www.example.com' == \
-                         self.msg.validation_domain_name('www.example.com')
+        self.assertEqual('_acme-challenge.www.example.com',
+                         self.msg.validation_domain_name('www.example.com'))
 
     def test_validation(self):
-        assert "rAa7iIg4K2y63fvUhCfy8dP1Xl7wEhmQq0oChTcE3Zk" == \
-            self.msg.validation(KEY)
+        self.assertEqual(
+            "rAa7iIg4K2y63fvUhCfy8dP1Xl7wEhmQq0oChTcE3Zk",
+            self.msg.validation(KEY))
 
     def test_to_partial_json(self):
-        assert self.jmsg == self.msg.to_partial_json()
+        self.assertEqual(self.jmsg, self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import DNS01
-        assert self.msg == DNS01.from_json(self.jmsg)
+        self.assertEqual(self.msg, DNS01.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import DNS01
@@ -161,11 +159,13 @@ class HTTP01ResponseTest(unittest.TestCase):
         self.response = self.chall.response(KEY)
 
     def test_to_partial_json(self):
-        assert {} == self.msg.to_partial_json()
+        self.assertEqual({k: v for k, v in self.jmsg.items() if k != 'keyAuthorization'},
+                         self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import HTTP01Response
-        assert self.msg == HTTP01Response.from_json(self.jmsg)
+        self.assertEqual(
+            self.msg, HTTP01Response.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import HTTP01Response
@@ -179,16 +179,15 @@ class HTTP01ResponseTest(unittest.TestCase):
     def test_simple_verify_good_validation(self, mock_get):
         validation = self.chall.validation(KEY)
         mock_get.return_value = mock.MagicMock(text=validation)
-        assert self.response.simple_verify(
-            self.chall, "local", KEY.public_key())
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False,
-                                         timeout=mock.ANY)
+        self.assertTrue(self.response.simple_verify(
+            self.chall, "local", KEY.public_key()))
+        mock_get.assert_called_once_with(self.chall.uri("local"))
 
     @mock.patch("acme.challenges.requests.get")
     def test_simple_verify_bad_validation(self, mock_get):
         mock_get.return_value = mock.MagicMock(text="!")
-        assert not self.response.simple_verify(
-            self.chall, "local", KEY.public_key())
+        self.assertFalse(self.response.simple_verify(
+            self.chall, "local", KEY.public_key()))
 
     @mock.patch("acme.challenges.requests.get")
     def test_simple_verify_whitespace_validation(self, mock_get):
@@ -196,34 +195,23 @@ class HTTP01ResponseTest(unittest.TestCase):
         mock_get.return_value = mock.MagicMock(
             text=(self.chall.validation(KEY) +
                   HTTP01Response.WHITESPACE_CUTSET))
-        assert self.response.simple_verify(
-            self.chall, "local", KEY.public_key())
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False,
-                                         timeout=mock.ANY)
+        self.assertTrue(self.response.simple_verify(
+            self.chall, "local", KEY.public_key()))
+        mock_get.assert_called_once_with(self.chall.uri("local"))
 
     @mock.patch("acme.challenges.requests.get")
     def test_simple_verify_connection_error(self, mock_get):
         mock_get.side_effect = requests.exceptions.RequestException
-        assert not self.response.simple_verify(
-            self.chall, "local", KEY.public_key())
+        self.assertFalse(self.response.simple_verify(
+            self.chall, "local", KEY.public_key()))
 
     @mock.patch("acme.challenges.requests.get")
     def test_simple_verify_port(self, mock_get):
         self.response.simple_verify(
             self.chall, domain="local",
             account_public_key=KEY.public_key(), port=8080)
-        assert "local:8080" == urllib_parse.urlparse(
-            mock_get.mock_calls[0][1][0]).netloc
-
-    @mock.patch("acme.challenges.requests.get")
-    def test_simple_verify_timeout(self, mock_get):
-        self.response.simple_verify(self.chall, "local", KEY.public_key())
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False,
-                                         timeout=30)
-        mock_get.reset_mock()
-        self.response.simple_verify(self.chall, "local", KEY.public_key(), timeout=1234)
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False,
-                                         timeout=1234)
+        self.assertEqual("local:8080", urllib_parse.urlparse(
+            mock_get.mock_calls[0][1][0]).netloc)
 
 
 class HTTP01Test(unittest.TestCase):
@@ -239,112 +227,59 @@ class HTTP01Test(unittest.TestCase):
         }
 
     def test_path(self):
-        assert self.msg.path == '/.well-known/acme-challenge/' \
-                         'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'
+        self.assertEqual(self.msg.path, '/.well-known/acme-challenge/'
+                         'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA')
 
     def test_uri(self):
-        assert 'http://example.com/.well-known/acme-challenge/' \
-            'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA' == \
-            self.msg.uri('example.com')
+        self.assertEqual(
+            'http://example.com/.well-known/acme-challenge/'
+            'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA',
+            self.msg.uri('example.com'))
 
     def test_to_partial_json(self):
-        assert self.jmsg == self.msg.to_partial_json()
+        self.assertEqual(self.jmsg, self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import HTTP01
-        assert self.msg == HTTP01.from_json(self.jmsg)
+        self.assertEqual(self.msg, HTTP01.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import HTTP01
         hash(HTTP01.from_json(self.jmsg))
 
     def test_good_token(self):
-        assert self.msg.good_token
-        assert not self.msg.update(token=b'..').good_token
+        self.assertTrue(self.msg.good_token)
+        self.assertFalse(
+            self.msg.update(token=b'..').good_token)
 
 
 class TLSALPN01ResponseTest(unittest.TestCase):
 
     def setUp(self):
-        from acme.challenges import TLSALPN01
-        self.chall = TLSALPN01(
-            token=jose.b64decode(b'a82d5ff8ef740d12881f6d3c2277ab2e'))
-        self.domain = u'example.com'
-        self.domain2 = u'example2.com'
-
-        self.response = self.chall.response(KEY)
+        from acme.challenges import TLSALPN01Response
+        self.msg = TLSALPN01Response(key_authorization=u'foo')
         self.jmsg = {
             'resource': 'challenge',
             'type': 'tls-alpn-01',
-            'keyAuthorization': self.response.key_authorization,
+            'keyAuthorization': u'foo',
         }
 
+        from acme.challenges import TLSALPN01
+        self.chall = TLSALPN01(token=(b'x' * 16))
+        self.response = self.chall.response(KEY)
+
     def test_to_partial_json(self):
-        assert {} == self.response.to_partial_json()
+        self.assertEqual({k: v for k, v in self.jmsg.items() if k != 'keyAuthorization'},
+                         self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import TLSALPN01Response
-        assert self.response == TLSALPN01Response.from_json(self.jmsg)
+        self.assertEqual(self.msg, TLSALPN01Response.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import TLSALPN01Response
         hash(TLSALPN01Response.from_json(self.jmsg))
 
-    def test_gen_verify_cert(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        assert key1 == key2
-        assert self.response.verify_cert(self.domain, cert)
-
-    def test_gen_verify_cert_gen_key(self):
-        cert, key = self.response.gen_cert(self.domain)
-        assert isinstance(key, OpenSSL.crypto.PKey)
-        assert self.response.verify_cert(self.domain, cert)
-
-    def test_verify_bad_cert(self):
-        assert not self.response.verify_cert(self.domain,
-            test_util.load_cert('cert.pem'))
-
-    def test_verify_bad_domain(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        assert key1 == key2
-        assert not self.response.verify_cert(self.domain2, cert)
-
-    def test_simple_verify_bad_key_authorization(self):
-        key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem'))
-        self.response.simple_verify(self.chall, "local", key2.public_key())
-
-    @mock.patch('acme.challenges.TLSALPN01Response.verify_cert', autospec=True)
-    def test_simple_verify(self, mock_verify_cert):
-        mock_verify_cert.return_value = mock.sentinel.verification
-        assert mock.sentinel.verification == self.response.simple_verify(
-                self.chall, self.domain, KEY.public_key(),
-                cert=mock.sentinel.cert)
-        mock_verify_cert.assert_called_once_with(
-            self.response, self.domain, mock.sentinel.cert)
-
-    @mock.patch('acme.challenges.socket.gethostbyname')
-    @mock.patch('acme.challenges.crypto_util.probe_sni')
-    def test_probe_cert(self, mock_probe_sni, mock_gethostbyname):
-        mock_gethostbyname.return_value = '127.0.0.1'
-        self.response.probe_cert('foo.com')
-        mock_gethostbyname.assert_called_once_with('foo.com')
-        mock_probe_sni.assert_called_once_with(
-            host=b'127.0.0.1', port=self.response.PORT, name=b'foo.com',
-            alpn_protocols=[b'acme-tls/1'])
-
-        self.response.probe_cert('foo.com', host='8.8.8.8')
-        mock_probe_sni.assert_called_with(
-            host=b'8.8.8.8', port=mock.ANY, name=b'foo.com',
-            alpn_protocols=[b'acme-tls/1'])
-
-    @mock.patch('acme.challenges.TLSALPN01Response.probe_cert')
-    def test_simple_verify_false_on_probe_error(self, mock_probe_cert):
-        mock_probe_cert.side_effect = errors.Error
-        assert not self.response.simple_verify(
-            self.chall, self.domain, KEY.public_key())
-
 
 class TLSALPN01Test(unittest.TestCase):
 
@@ -358,11 +293,11 @@ class TLSALPN01Test(unittest.TestCase):
         }
 
     def test_to_partial_json(self):
-        assert self.jmsg == self.msg.to_partial_json()
+        self.assertEqual(self.jmsg, self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import TLSALPN01
-        assert self.msg == TLSALPN01.from_json(self.jmsg)
+        self.assertEqual(self.msg, TLSALPN01.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import TLSALPN01
@@ -371,16 +306,11 @@ class TLSALPN01Test(unittest.TestCase):
     def test_from_json_invalid_token_length(self):
         from acme.challenges import TLSALPN01
         self.jmsg['token'] = jose.encode_b64jose(b'abcd')
-        with pytest.raises(jose.DeserializationError):
-            TLSALPN01.from_json(self.jmsg)
+        self.assertRaises(
+            jose.DeserializationError, TLSALPN01.from_json, self.jmsg)
 
-    @mock.patch('acme.challenges.TLSALPN01Response.gen_cert')
-    def test_validation(self, mock_gen_cert):
-        mock_gen_cert.return_value = ('cert', 'key')
-        assert ('cert', 'key') == self.msg.validation(
-            KEY, cert_key=mock.sentinel.cert_key, domain=mock.sentinel.domain)
-        mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key,
-                                              domain=mock.sentinel.domain)
+    def test_validation(self):
+        self.assertRaises(NotImplementedError, self.msg.validation, KEY)
 
 
 class DNSTest(unittest.TestCase):
@@ -395,27 +325,24 @@ class DNSTest(unittest.TestCase):
         }
 
     def test_to_partial_json(self):
-        assert self.jmsg == self.msg.to_partial_json()
+        self.assertEqual(self.jmsg, self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import DNS
-        assert self.msg == DNS.from_json(self.jmsg)
+        self.assertEqual(self.msg, DNS.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import DNS
         hash(DNS.from_json(self.jmsg))
 
     def test_gen_check_validation(self):
-        ec_key_secp384r1 = JWKEC(key=test_util.load_ecdsa_private_key('ec_secp384r1_key.pem'))
-        for key, alg in [(KEY, jose.RS256), (ec_key_secp384r1, jose.ES384)]:
-            with self.subTest(key=key, alg=alg):
-                assert self.msg.check_validation(
-                    self.msg.gen_validation(key, alg=alg), key.public_key())
+        self.assertTrue(self.msg.check_validation(
+            self.msg.gen_validation(KEY), KEY.public_key()))
 
     def test_gen_check_validation_wrong_key(self):
         key2 = jose.JWKRSA.load(test_util.load_vector('rsa1024_key.pem'))
-        assert not self.msg.check_validation(
-            self.msg.gen_validation(KEY), key2.public_key())
+        self.assertFalse(self.msg.check_validation(
+            self.msg.gen_validation(KEY), key2.public_key()))
 
     def test_check_validation_wrong_payload(self):
         validations = tuple(
@@ -423,32 +350,28 @@ class DNSTest(unittest.TestCase):
             for payload in (b'', b'{}')
         )
         for validation in validations:
-            assert not self.msg.check_validation(
-                validation, KEY.public_key())
+            self.assertFalse(self.msg.check_validation(
+                validation, KEY.public_key()))
 
     def test_check_validation_wrong_fields(self):
         bad_validation = jose.JWS.sign(
             payload=self.msg.update(
                 token=b'x' * 20).json_dumps().encode('utf-8'),
             alg=jose.RS256, key=KEY)
-        assert not self.msg.check_validation(bad_validation, KEY.public_key())
+        self.assertFalse(self.msg.check_validation(
+            bad_validation, KEY.public_key()))
 
     def test_gen_response(self):
         with mock.patch('acme.challenges.DNS.gen_validation') as mock_gen:
             mock_gen.return_value = mock.sentinel.validation
             response = self.msg.gen_response(KEY)
         from acme.challenges import DNSResponse
-        assert isinstance(response, DNSResponse)
-        assert response.validation == mock.sentinel.validation
+        self.assertTrue(isinstance(response, DNSResponse))
+        self.assertEqual(response.validation, mock.sentinel.validation)
 
     def test_validation_domain_name(self):
-        assert '_acme-challenge.le.wtf' == self.msg.validation_domain_name('le.wtf')
-
-    def test_validation_domain_name_ecdsa(self):
-        ec_key_secp384r1 = JWKEC(key=test_util.load_ecdsa_private_key('ec_secp384r1_key.pem'))
-        assert self.msg.check_validation(
-            self.msg.gen_validation(ec_key_secp384r1, alg=jose.ES384),
-            ec_key_secp384r1.public_key()) is True
+        self.assertEqual(
+            '_acme-challenge.le.wtf', self.msg.validation_domain_name('le.wtf'))
 
 
 class DNSResponseTest(unittest.TestCase):
@@ -464,6 +387,8 @@ class DNSResponseTest(unittest.TestCase):
         from acme.challenges import DNSResponse
         self.msg = DNSResponse(validation=self.validation)
         self.jmsg_to = {
+            'resource': 'challenge',
+            'type': 'dns',
             'validation': self.validation,
         }
         self.jmsg_from = {
@@ -473,31 +398,20 @@ class DNSResponseTest(unittest.TestCase):
         }
 
     def test_to_partial_json(self):
-        assert self.jmsg_to == self.msg.to_partial_json()
+        self.assertEqual(self.jmsg_to, self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import DNSResponse
-        assert self.msg == DNSResponse.from_json(self.jmsg_from)
+        self.assertEqual(self.msg, DNSResponse.from_json(self.jmsg_from))
 
     def test_from_json_hashable(self):
         from acme.challenges import DNSResponse
         hash(DNSResponse.from_json(self.jmsg_from))
 
     def test_check_validation(self):
-        assert self.msg.check_validation(self.chall, KEY.public_key())
-
-
-class JWSPayloadRFC8555Compliant(unittest.TestCase):
-    """Test for RFC8555 compliance of JWS generated from resources/challenges"""
-    def test_challenge_payload(self):
-        from acme.challenges import HTTP01Response
-
-        challenge_body = HTTP01Response()
-
-        jobj = challenge_body.json_dumps(indent=2).encode()
-        # RFC8555 states that challenge responses must have an empty payload.
-        assert jobj == b'{}'
+        self.assertTrue(
+            self.msg.check_validation(self.chall, KEY.public_key()))
 
 
 if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
+    unittest.main()  # pragma: no cover

acme/tests/crypto_util_test.py

@@ -1,25 +1,24 @@
 """Tests for acme.crypto_util."""
-import ipaddress
 import itertools
 import socket
-import socketserver
-import sys
 import threading
 import time
-from typing import List
 import unittest
 
 import josepy as jose
 import OpenSSL
-import pytest
+import six
+from six.moves import socketserver  # type: ignore  # pylint: disable=import-error
 
 from acme import errors
-from acme._internal.tests import test_util
+from acme.magic_typing import List  # pylint: disable=unused-import, no-name-in-module
+import test_util
 
 
 class SSLSocketAndProbeSNITest(unittest.TestCase):
     """Tests for acme.crypto_util.SSLSocket/probe_sni."""
 
+
     def setUp(self):
         self.cert = test_util.load_comparable_cert('rsa2048_cert.pem')
         key = test_util.load_pyopenssl_private_key('rsa2048_key.pem')
@@ -29,9 +28,12 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
         from acme.crypto_util import SSLSocket
 
         class _TestServer(socketserver.TCPServer):
-            def __init__(self, *args, **kwargs):
-                super().__init__(*args, **kwargs)
-                self.socket = SSLSocket(self.socket, certs)
+
+            # six.moves.* | pylint: disable=attribute-defined-outside-init,no-init
+
+            def server_bind(self):  # pylint: disable=missing-docstring
+                self.socket = SSLSocket(socket.socket(), certs=certs)
+                socketserver.TCPServer.server_bind(self)
 
         self.server = _TestServer(('', 0), socketserver.BaseRequestHandler)
         self.port = self.server.socket.getsockname()[1]
@@ -42,7 +44,6 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
         if self.server_thread.is_alive():
             # The thread may have already terminated.
             self.server_thread.join()  # pragma: no cover
-        self.server.server_close()
 
     def _probe(self, name):
         from acme.crypto_util import probe_sni
@@ -55,36 +56,23 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
 
     def test_probe_ok(self):
         self._start_server()
-        assert self.cert == self._probe(b'foo')
+        self.assertEqual(self.cert, self._probe(b'foo'))
 
     def test_probe_not_recognized_name(self):
         self._start_server()
-        with pytest.raises(errors.Error):
-            self._probe(b'bar')
+        self.assertRaises(errors.Error, self._probe, b'bar')
 
     def test_probe_connection_error(self):
+        # pylint has a hard time with six
         self.server.server_close()
         original_timeout = socket.getdefaulttimeout()
         try:
             socket.setdefaulttimeout(1)
-            with pytest.raises(errors.Error):
-                self._probe(b'bar')
+            self.assertRaises(errors.Error, self._probe, b'bar')
         finally:
             socket.setdefaulttimeout(original_timeout)
 
 
-class SSLSocketTest(unittest.TestCase):
-    """Tests for acme.crypto_util.SSLSocket."""
-
-    def test_ssl_socket_invalid_arguments(self):
-        from acme.crypto_util import SSLSocket
-        with pytest.raises(ValueError):
-            _ = SSLSocket(None, {'sni': ('key', 'cert')},
-                    cert_selection=lambda _: None)
-        with pytest.raises(ValueError):
-            _ = SSLSocket(None)
-
-
 class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase):
     """Test for acme.crypto_util._pyopenssl_cert_or_req_all_names."""
 
@@ -98,20 +86,21 @@ class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase):
         return self._call(test_util.load_cert, name)
 
     def test_cert_one_san_no_common(self):
-        assert self._call_cert('cert-nocn.der') == \
-                         ['no-common-name.badssl.com']
+        self.assertEqual(self._call_cert('cert-nocn.der'),
+                         ['no-common-name.badssl.com'])
 
     def test_cert_no_sans_yes_common(self):
-        assert self._call_cert('cert.pem') == ['example.com']
+        self.assertEqual(self._call_cert('cert.pem'), ['example.com'])
 
     def test_cert_two_sans_yes_common(self):
-        assert self._call_cert('cert-san.pem') == \
-                         ['example.com', 'www.example.com']
+        self.assertEqual(self._call_cert('cert-san.pem'),
+                         ['example.com', 'www.example.com'])
 
 
 class PyOpenSSLCertOrReqSANTest(unittest.TestCase):
     """Test for acme.crypto_util._pyopenssl_cert_or_req_san."""
 
+
     @classmethod
     def _call(cls, loader, name):
         # pylint: disable=protected-access
@@ -121,9 +110,9 @@ class PyOpenSSLCertOrReqSANTest(unittest.TestCase):
     @classmethod
     def _get_idn_names(cls):
         """Returns expected names from '{cert,csr}-idnsans.pem'."""
-        chars = [chr(i) for i in itertools.chain(range(0x3c3, 0x400),
-                                                 range(0x641, 0x6fc),
-                                                 range(0x1820, 0x1877))]
+        chars = [six.unichr(i) for i in itertools.chain(range(0x3c3, 0x400),
+                                                        range(0x641, 0x6fc),
+                                                        range(0x1820, 0x1877))]
         return [''.join(chars[i: i + 45]) + '.invalid'
                 for i in range(0, len(chars), 45)]
 
@@ -134,116 +123,67 @@ class PyOpenSSLCertOrReqSANTest(unittest.TestCase):
         return self._call(test_util.load_csr, name)
 
     def test_cert_no_sans(self):
-        assert self._call_cert('cert.pem') == []
+        self.assertEqual(self._call_cert('cert.pem'), [])
 
     def test_cert_two_sans(self):
-        assert self._call_cert('cert-san.pem') == \
-                         ['example.com', 'www.example.com']
+        self.assertEqual(self._call_cert('cert-san.pem'),
+                         ['example.com', 'www.example.com'])
 
     def test_cert_hundred_sans(self):
-        assert self._call_cert('cert-100sans.pem') == \
-                         ['example{0}.com'.format(i) for i in range(1, 101)]
+        self.assertEqual(self._call_cert('cert-100sans.pem'),
+                         ['example{0}.com'.format(i) for i in range(1, 101)])
 
     def test_cert_idn_sans(self):
-        assert self._call_cert('cert-idnsans.pem') == \
-                         self._get_idn_names()
+        self.assertEqual(self._call_cert('cert-idnsans.pem'),
+                         self._get_idn_names())
 
     def test_csr_no_sans(self):
-        assert self._call_csr('csr-nosans.pem') == []
+        self.assertEqual(self._call_csr('csr-nosans.pem'), [])
 
     def test_csr_one_san(self):
-        assert self._call_csr('csr.pem') == ['example.com']
+        self.assertEqual(self._call_csr('csr.pem'), ['example.com'])
 
     def test_csr_two_sans(self):
-        assert self._call_csr('csr-san.pem') == \
-                         ['example.com', 'www.example.com']
+        self.assertEqual(self._call_csr('csr-san.pem'),
+                         ['example.com', 'www.example.com'])
 
     def test_csr_six_sans(self):
-        assert self._call_csr('csr-6sans.pem') == \
+        self.assertEqual(self._call_csr('csr-6sans.pem'),
                          ['example.com', 'example.org', 'example.net',
                           'example.info', 'subdomain.example.com',
-                          'other.subdomain.example.com']
+                          'other.subdomain.example.com'])
 
     def test_csr_hundred_sans(self):
-        assert self._call_csr('csr-100sans.pem') == \
-                         ['example{0}.com'.format(i) for i in range(1, 101)]
+        self.assertEqual(self._call_csr('csr-100sans.pem'),
+                         ['example{0}.com'.format(i) for i in range(1, 101)])
 
     def test_csr_idn_sans(self):
-        assert self._call_csr('csr-idnsans.pem') == \
-                         self._get_idn_names()
+        self.assertEqual(self._call_csr('csr-idnsans.pem'),
+                         self._get_idn_names())
 
     def test_critical_san(self):
-        assert self._call_cert('critical-san.pem') == \
-                         ['chicago-cubs.venafi.example', 'cubs.venafi.example']
+        self.assertEqual(self._call_cert('critical-san.pem'),
+                         ['chicago-cubs.venafi.example', 'cubs.venafi.example'])
 
 
-class PyOpenSSLCertOrReqSANIPTest(unittest.TestCase):
-    """Test for acme.crypto_util._pyopenssl_cert_or_req_san_ip."""
 
-    @classmethod
-    def _call(cls, loader, name):
-        # pylint: disable=protected-access
-        from acme.crypto_util import _pyopenssl_cert_or_req_san_ip
-        return _pyopenssl_cert_or_req_san_ip(loader(name))
-
-    def _call_cert(self, name):
-        return self._call(test_util.load_cert, name)
-
-    def _call_csr(self, name):
-        return self._call(test_util.load_csr, name)
-
-    def test_cert_no_sans(self):
-        assert self._call_cert('cert.pem') == []
-
-    def test_csr_no_sans(self):
-        assert self._call_csr('csr-nosans.pem') == []
-
-    def test_cert_domain_sans(self):
-        assert self._call_cert('cert-san.pem') == []
-
-    def test_csr_domain_sans(self):
-        assert self._call_csr('csr-san.pem') == []
-
-    def test_cert_ip_two_sans(self):
-        assert self._call_cert('cert-ipsans.pem') == ['192.0.2.145', '203.0.113.1']
-
-    def test_csr_ip_two_sans(self):
-        assert self._call_csr('csr-ipsans.pem') == ['192.0.2.145', '203.0.113.1']
-
-    def test_csr_ipv6_sans(self):
-        assert self._call_csr('csr-ipv6sans.pem') == \
-                         ['0:0:0:0:0:0:0:1', 'A3BE:32F3:206E:C75D:956:CEE:9858:5EC5']
-
-    def test_cert_ipv6_sans(self):
-        assert self._call_cert('cert-ipv6sans.pem') == \
-                         ['0:0:0:0:0:0:0:1', 'A3BE:32F3:206E:C75D:956:CEE:9858:5EC5']
-
-
-class GenSsCertTest(unittest.TestCase):
-    """Test for gen_ss_cert (generation of self-signed cert)."""
+class RandomSnTest(unittest.TestCase):
+    """Test for random certificate serial numbers."""
 
 
     def setUp(self):
         self.cert_count = 5
-        self.serial_num: List[int] = []
+        self.serial_num = [] # type: List[int]
         self.key = OpenSSL.crypto.PKey()
         self.key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
 
     def test_sn_collisions(self):
         from acme.crypto_util import gen_ss_cert
+
         for _ in range(self.cert_count):
-            cert = gen_ss_cert(self.key, ['dummy'], force_san=True,
-                               ips=[ipaddress.ip_address("10.10.10.10")])
+            cert = gen_ss_cert(self.key, ['dummy'], force_san=True)
             self.serial_num.append(cert.get_serial_number())
-        assert len(set(self.serial_num)) >= self.cert_count
-
-
-    def test_no_name(self):
-        from acme.crypto_util import gen_ss_cert
-        with pytest.raises(AssertionError):
-            gen_ss_cert(self.key, ips=[ipaddress.ip_address("1.1.1.1")])
-            gen_ss_cert(self.key)
-
+        self.assertTrue(len(set(self.serial_num)) > 1)
 
 class MakeCSRTest(unittest.TestCase):
     """Test for standalone functions."""
@@ -258,41 +198,22 @@ class MakeCSRTest(unittest.TestCase):
 
     def test_make_csr(self):
         csr_pem = self._call_with_key(["a.example", "b.example"])
-        assert b'--BEGIN CERTIFICATE REQUEST--' in csr_pem
-        assert b'--END CERTIFICATE REQUEST--' in csr_pem
+        self.assertTrue(b'--BEGIN CERTIFICATE REQUEST--' in csr_pem)
+        self.assertTrue(b'--END CERTIFICATE REQUEST--' in csr_pem)
         csr = OpenSSL.crypto.load_certificate_request(
             OpenSSL.crypto.FILETYPE_PEM, csr_pem)
         # In pyopenssl 0.13 (used with TOXENV=py27-oldest), csr objects don't
         # have a get_extensions() method, so we skip this test if the method
         # isn't available.
         if hasattr(csr, 'get_extensions'):
-            assert len(csr.get_extensions()) == 1
-            assert csr.get_extensions()[0].get_data() == \
+            self.assertEqual(len(csr.get_extensions()), 1)
+            self.assertEqual(csr.get_extensions()[0].get_data(),
                 OpenSSL.crypto.X509Extension(
                     b'subjectAltName',
                     critical=False,
                     value=b'DNS:a.example, DNS:b.example',
-                ).get_data()
-
-    def test_make_csr_ip(self):
-        csr_pem = self._call_with_key(["a.example"], False, [ipaddress.ip_address('127.0.0.1'), ipaddress.ip_address('::1')])
-        assert b'--BEGIN CERTIFICATE REQUEST--' in csr_pem
-        assert b'--END CERTIFICATE REQUEST--' in csr_pem
-        csr = OpenSSL.crypto.load_certificate_request(
-            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
-        # In pyopenssl 0.13 (used with TOXENV=py27-oldest), csr objects don't
-        # have a get_extensions() method, so we skip this test if the method
-        # isn't available.
-        if hasattr(csr, 'get_extensions'):
-            assert len(csr.get_extensions()) == 1
-            assert csr.get_extensions()[0].get_data() == \
-                             OpenSSL.crypto.X509Extension(
-                                 b'subjectAltName',
-                                 critical=False,
-                                 value=b'DNS:a.example, IP:127.0.0.1, IP:::1',
-                             ).get_data()
-            # for IP san it's actually need to be octet-string,
-            # but somewhere downstream thankfully handle it for us
+                ).get_data(),
+            )
 
     def test_make_csr_must_staple(self):
         csr_pem = self._call_with_key(["a.example"], must_staple=True)
@@ -303,26 +224,14 @@ class MakeCSRTest(unittest.TestCase):
         # have a get_extensions() method, so we skip this test if the method
         # isn't available.
         if hasattr(csr, 'get_extensions'):
-            assert len(csr.get_extensions()) == 2
+            self.assertEqual(len(csr.get_extensions()), 2)
             # NOTE: Ideally we would filter by the TLS Feature OID, but
             # OpenSSL.crypto.X509Extension doesn't give us the extension's raw OID,
             # and the shortname field is just "UNDEF"
             must_staple_exts = [e for e in csr.get_extensions()
                 if e.get_data() == b"0\x03\x02\x01\x05"]
-            assert len(must_staple_exts) == 1, \
-                "Expected exactly one Must Staple extension"
-
-    def test_make_csr_without_hostname(self):
-        with pytest.raises(ValueError):
-            self._call_with_key()
-
-    def test_make_csr_correct_version(self):
-        csr_pem = self._call_with_key(["a.example"])
-        csr = OpenSSL.crypto.load_certificate_request(
-            OpenSSL.crypto.FILETYPE_PEM, csr_pem)
-
-        assert csr.get_version() == 0, \
-            "Expected CSR version to be v1 (encoded as 0), per RFC 2986, section 4"
+            self.assertEqual(len(must_staple_exts), 1,
+                "Expected exactly one Must Staple extension")
 
 
 class DumpPyopensslChainTest(unittest.TestCase):
@@ -340,7 +249,7 @@ class DumpPyopensslChainTest(unittest.TestCase):
         length = sum(
             len(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
             for cert in loaded)
-        assert len(self._call(loaded)) == length
+        self.assertEqual(len(self._call(loaded)), length)
 
     def test_dump_pyopenssl_chain_wrapped(self):
         names = ['cert.pem', 'cert-san.pem', 'cert-idnsans.pem']
@@ -349,8 +258,8 @@ class DumpPyopensslChainTest(unittest.TestCase):
         wrapped = [wrap_func(cert) for cert in loaded]
         dump_func = OpenSSL.crypto.dump_certificate
         length = sum(len(dump_func(OpenSSL.crypto.FILETYPE_PEM, cert)) for cert in loaded)
-        assert len(self._call(wrapped)) == length
+        self.assertEqual(len(self._call(wrapped)), length)
 
 
 if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
+    unittest.main()  # pragma: no cover

acme/tests/errors_test.py

@@ -1,9 +1,7 @@
 """Tests for acme.errors."""
-import sys
 import unittest
-from unittest import mock
 
-import pytest
+import mock
 
 
 class BadNonceTest(unittest.TestCase):
@@ -14,7 +12,7 @@ class BadNonceTest(unittest.TestCase):
         self.error = BadNonce(nonce="xxx", error="error")
 
     def test_str(self):
-        assert "Invalid nonce ('xxx'): error" == str(self.error)
+        self.assertEqual("Invalid nonce ('xxx'): error", str(self.error))
 
 
 class MissingNonceTest(unittest.TestCase):
@@ -27,8 +25,8 @@ class MissingNonceTest(unittest.TestCase):
         self.error = MissingNonce(self.response)
 
     def test_str(self):
-        assert "FOO" in str(self.error)
-        assert "{}" in str(self.error)
+        self.assertTrue("FOO" in str(self.error))
+        self.assertTrue("{}" in str(self.error))
 
 
 class PollErrorTest(unittest.TestCase):
@@ -37,19 +35,19 @@ class PollErrorTest(unittest.TestCase):
     def setUp(self):
         from acme.errors import PollError
         self.timeout = PollError(
-            exhausted={mock.sentinel.AR},
+            exhausted=set([mock.sentinel.AR]),
             updated={})
         self.invalid = PollError(exhausted=set(), updated={
             mock.sentinel.AR: mock.sentinel.AR2})
 
     def test_timeout(self):
-        assert self.timeout.timeout
-        assert not self.invalid.timeout
+        self.assertTrue(self.timeout.timeout)
+        self.assertFalse(self.invalid.timeout)
 
     def test_repr(self):
-        assert 'PollError(exhausted=%s, updated={sentinel.AR: ' \
-                         'sentinel.AR2})' % repr(set()) == repr(self.invalid)
+        self.assertEqual('PollError(exhausted=%s, updated={sentinel.AR: '
+                         'sentinel.AR2})' % repr(set()), repr(self.invalid))
 
 
 if __name__ == "__main__":
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
+    unittest.main()  # pragma: no cover

acme/tests/fields_test.py

@@ -0,0 +1,72 @@
+"""Tests for acme.fields."""
+import datetime
+import unittest
+
+import josepy as jose
+import pytz
+
+
+class FixedTest(unittest.TestCase):
+    """Tests for acme.fields.Fixed."""
+
+    def setUp(self):
+        from acme.fields import Fixed
+        self.field = Fixed('name', 'x')
+
+    def test_decode(self):
+        self.assertEqual('x', self.field.decode('x'))
+
+    def test_decode_bad(self):
+        self.assertRaises(jose.DeserializationError, self.field.decode, 'y')
+
+    def test_encode(self):
+        self.assertEqual('x', self.field.encode('x'))
+
+    def test_encode_override(self):
+        self.assertEqual('y', self.field.encode('y'))
+
+
+class RFC3339FieldTest(unittest.TestCase):
+    """Tests for acme.fields.RFC3339Field."""
+
+    def setUp(self):
+        self.decoded = datetime.datetime(2015, 3, 27, tzinfo=pytz.utc)
+        self.encoded = '2015-03-27T00:00:00Z'
+
+    def test_default_encoder(self):
+        from acme.fields import RFC3339Field
+        self.assertEqual(
+            self.encoded, RFC3339Field.default_encoder(self.decoded))
+
+    def test_default_encoder_naive_fails(self):
+        from acme.fields import RFC3339Field
+        self.assertRaises(
+            ValueError, RFC3339Field.default_encoder, datetime.datetime.now())
+
+    def test_default_decoder(self):
+        from acme.fields import RFC3339Field
+        self.assertEqual(
+            self.decoded, RFC3339Field.default_decoder(self.encoded))
+
+    def test_default_decoder_raises_deserialization_error(self):
+        from acme.fields import RFC3339Field
+        self.assertRaises(
+            jose.DeserializationError, RFC3339Field.default_decoder, '')
+
+
+class ResourceTest(unittest.TestCase):
+    """Tests for acme.fields.Resource."""
+
+    def setUp(self):
+        from acme.fields import Resource
+        self.field = Resource('x')
+
+    def test_decode_good(self):
+        self.assertEqual('x', self.field.decode('x'))
+
+    def test_decode_wrong(self):
+        self.assertRaises(jose.DeserializationError, self.field.decode, 'y')
+
+
+if __name__ == '__main__':
+    unittest.main()  # pragma: no cover

acme/tests/jose_test.py

@@ -0,0 +1,53 @@
+"""Tests for acme.jose shim."""
+import importlib
+import unittest
+
+
+class JoseTest(unittest.TestCase):
+    """Tests for acme.jose shim."""
+
+    def _test_it(self, submodule, attribute):
+        if submodule:
+            acme_jose_path = 'acme.jose.' + submodule
+            josepy_path = 'josepy.' + submodule
+        else:
+            acme_jose_path = 'acme.jose'
+            josepy_path = 'josepy'
+        acme_jose_mod = importlib.import_module(acme_jose_path)
+        josepy_mod = importlib.import_module(josepy_path)
+
+        self.assertIs(acme_jose_mod, josepy_mod)
+        self.assertIs(getattr(acme_jose_mod, attribute), getattr(josepy_mod, attribute))
+
+        # We use the imports below with eval, but pylint doesn't
+        # understand that.
+        import acme  # pylint: disable=unused-import
+        import josepy  # pylint: disable=unused-import
+        acme_jose_mod = eval(acme_jose_path)  # pylint: disable=eval-used
+        josepy_mod = eval(josepy_path)  # pylint: disable=eval-used
+        self.assertIs(acme_jose_mod, josepy_mod)
+        self.assertIs(getattr(acme_jose_mod, attribute), getattr(josepy_mod, attribute))
+
+    def test_top_level(self):
+        self._test_it('', 'RS512')
+
+    def test_submodules(self):
+        # This test ensures that the modules in josepy that were
+        # available at the time it was moved into its own package are
+        # available under acme.jose. Backwards compatibility with new
+        # modules or testing code is not maintained.
+        mods_and_attrs = [('b64', 'b64decode',),
+                          ('errors', 'Error',),
+                          ('interfaces', 'JSONDeSerializable',),
+                          ('json_util', 'Field',),
+                          ('jwa', 'HS256',),
+                          ('jwk', 'JWK',),
+                          ('jws', 'JWS',),
+                          ('util', 'ImmutableMap',),]
+
+        for mod, attr in mods_and_attrs:
+            self._test_it(mod, attr)
+
+
+if __name__ == '__main__':
+    unittest.main()  # pragma: no cover

acme/tests/jws_test.py

@@ -1,11 +1,9 @@
 """Tests for acme.jws."""
-import sys
 import unittest
 
 import josepy as jose
-import pytest
 
-from acme._internal.tests import test_util
+import test_util
 
 KEY = jose.JWKRSA.load(test_util.load_vector('rsa512_key.pem'))
 
@@ -27,9 +25,9 @@ class HeaderTest(unittest.TestCase):
         from acme.jws import Header
         nonce_field = Header._fields['nonce']
 
-        with pytest.raises(jose.DeserializationError):
-            nonce_field.decode(self.wrong_nonce)
-        assert b'foo' == nonce_field.decode(self.good_nonce)
+        self.assertRaises(
+            jose.DeserializationError, nonce_field.decode, self.wrong_nonce)
+        self.assertEqual(b'foo', nonce_field.decode(self.good_nonce))
 
 
 class JWSTest(unittest.TestCase):
@@ -47,22 +45,22 @@ class JWSTest(unittest.TestCase):
         jws = JWS.sign(payload=b'foo', key=self.privkey,
                        alg=jose.RS256, nonce=self.nonce,
                        url=self.url, kid=self.kid)
-        assert jws.signature.combined.nonce == self.nonce
-        assert jws.signature.combined.url == self.url
-        assert jws.signature.combined.kid == self.kid
-        assert jws.signature.combined.jwk is None
+        self.assertEqual(jws.signature.combined.nonce, self.nonce)
+        self.assertEqual(jws.signature.combined.url, self.url)
+        self.assertEqual(jws.signature.combined.kid, self.kid)
+        self.assertEqual(jws.signature.combined.jwk, None)
         # TODO: check that nonce is in protected header
 
-        assert jws == JWS.from_json(jws.to_json())
+        self.assertEqual(jws, JWS.from_json(jws.to_json()))
 
     def test_jwk_serialize(self):
         from acme.jws import JWS
         jws = JWS.sign(payload=b'foo', key=self.privkey,
                        alg=jose.RS256, nonce=self.nonce,
                        url=self.url)
-        assert jws.signature.combined.kid is None
-        assert jws.signature.combined.jwk == self.pubkey
+        self.assertEqual(jws.signature.combined.kid, None)
+        self.assertEqual(jws.signature.combined.jwk, self.pubkey)
 
 
 if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
+    unittest.main()  # pragma: no cover

acme/tests/magic_typing_test.py

@@ -0,0 +1,41 @@
+"""Tests for acme.magic_typing."""
+import sys
+import unittest
+
+import mock
+
+
+class MagicTypingTest(unittest.TestCase):
+    """Tests for acme.magic_typing."""
+    def test_import_success(self):
+        try:
+            import typing as temp_typing
+        except ImportError: # pragma: no cover
+            temp_typing = None # pragma: no cover
+        typing_class_mock = mock.MagicMock()
+        text_mock = mock.MagicMock()
+        typing_class_mock.Text = text_mock
+        sys.modules['typing'] = typing_class_mock
+        if 'acme.magic_typing' in sys.modules:
+            del sys.modules['acme.magic_typing'] # pragma: no cover
+        from acme.magic_typing import Text # pylint: disable=no-name-in-module
+        self.assertEqual(Text, text_mock)
+        del sys.modules['acme.magic_typing']
+        sys.modules['typing'] = temp_typing
+
+    def test_import_failure(self):
+        try:
+            import typing as temp_typing
+        except ImportError: # pragma: no cover
+            temp_typing = None # pragma: no cover
+        sys.modules['typing'] = None
+        if 'acme.magic_typing' in sys.modules:
+            del sys.modules['acme.magic_typing'] # pragma: no cover
+        from acme.magic_typing import Text # pylint: disable=no-name-in-module
+        self.assertTrue(Text is None)
+        del sys.modules['acme.magic_typing']
+        sys.modules['typing'] = temp_typing
+
+
+if __name__ == '__main__':
+    unittest.main()  # pragma: no cover

acme/tests/messages_test.py

@@ -1,16 +1,12 @@
 """Tests for acme.messages."""
-import contextlib
-import sys
-from typing import Dict
 import unittest
-from unittest import mock
-import warnings
 
 import josepy as jose
-import pytest
+import mock
 
 from acme import challenges
-from acme._internal.tests import test_util
+from acme.magic_typing import Dict  # pylint: disable=unused-import, no-name-in-module
+import test_util
 
 CERT = test_util.load_comparable_cert('cert.der')
 CSR = test_util.load_comparable_csr('csr.der')
@@ -21,10 +17,7 @@ class ErrorTest(unittest.TestCase):
     """Tests for acme.messages.Error."""
 
     def setUp(self):
-        from acme.messages import Error
-        from acme.messages import ERROR_PREFIX
-        from acme.messages import Identifier
-        from acme.messages import IDENTIFIER_FQDN
+        from acme.messages import Error, ERROR_PREFIX
         self.error = Error.with_code('malformed', detail='foo', title='title')
         self.jobj = {
             'detail': 'foo',
@@ -32,84 +25,54 @@ class ErrorTest(unittest.TestCase):
             'type': ERROR_PREFIX + 'malformed',
         }
         self.error_custom = Error(typ='custom', detail='bar')
-        self.identifier = Identifier(typ=IDENTIFIER_FQDN, value='example.com')
-        self.subproblem = Error.with_code('caa', detail='bar', title='title', identifier=self.identifier)
-        self.error_with_subproblems = Error.with_code('malformed', detail='foo', title='title', subproblems=[self.subproblem])
         self.empty_error = Error()
 
     def test_default_typ(self):
         from acme.messages import Error
-        assert Error().typ == 'about:blank'
+        self.assertEqual(Error().typ, 'about:blank')
 
     def test_from_json_empty(self):
         from acme.messages import Error
-        assert Error() == Error.from_json('{}')
+        self.assertEqual(Error(), Error.from_json('{}'))
 
     def test_from_json_hashable(self):
         from acme.messages import Error
         hash(Error.from_json(self.error.to_json()))
 
-    def test_from_json_with_subproblems(self):
-        from acme.messages import Error
-
-        parsed_error = Error.from_json(self.error_with_subproblems.to_json())
-
-        assert 1 == len(parsed_error.subproblems)
-        assert self.subproblem == parsed_error.subproblems[0]
-
     def test_description(self):
-        assert 'The request message was malformed' == self.error.description
-        assert self.error_custom.description is None
+        self.assertEqual('The request message was malformed', self.error.description)
+        self.assertTrue(self.error_custom.description is None)
 
     def test_code(self):
         from acme.messages import Error
-        assert 'malformed' == self.error.code
-        assert self.error_custom.code is None
-        assert Error().code is None
+        self.assertEqual('malformed', self.error.code)
+        self.assertEqual(None, self.error_custom.code)
+        self.assertEqual(None, Error().code)
 
     def test_is_acme_error(self):
-        from acme.messages import Error
-        from acme.messages import is_acme_error
-        assert is_acme_error(self.error)
-        assert not is_acme_error(self.error_custom)
-        assert not is_acme_error(Error())
-        assert not is_acme_error(self.empty_error)
-        assert not is_acme_error("must pet all the {dogs|rabbits}")
+        from acme.messages import is_acme_error, Error
+        self.assertTrue(is_acme_error(self.error))
+        self.assertFalse(is_acme_error(self.error_custom))
+        self.assertFalse(is_acme_error(Error()))
+        self.assertFalse(is_acme_error(self.empty_error))
+        self.assertFalse(is_acme_error("must pet all the {dogs|rabbits}"))
 
     def test_unicode_error(self):
-        from acme.messages import Error
-        from acme.messages import is_acme_error
+        from acme.messages import Error, is_acme_error
         arabic_error = Error.with_code(
             'malformed', detail=u'\u0639\u062f\u0627\u0644\u0629', title='title')
-        assert is_acme_error(arabic_error)
+        self.assertTrue(is_acme_error(arabic_error))
 
     def test_with_code(self):
-        from acme.messages import Error
-        from acme.messages import is_acme_error
-        assert is_acme_error(Error.with_code('badCSR'))
-        with pytest.raises(ValueError):
-            Error.with_code('not an ACME error code')
+        from acme.messages import Error, is_acme_error
+        self.assertTrue(is_acme_error(Error.with_code('badCSR')))
+        self.assertRaises(ValueError, Error.with_code, 'not an ACME error code')
 
     def test_str(self):
-        assert str(self.error) == \
-            u"{0.typ} :: {0.description} :: {0.detail} :: {0.title}" \
-            .format(self.error)
-        assert str(self.error_with_subproblems) == \
-            (u"{0.typ} :: {0.description} :: {0.detail} :: {0.title}\n"+
-            u"Problem for {1.identifier.value}: {1.typ} :: {1.description} :: {1.detail} :: {1.title}").format(
-        self.error_with_subproblems, self.subproblem)
-
-    # this test is based on a minimal reproduction of a contextmanager/immutable
-    # exception related error: https://github.com/python/cpython/issues/99856
-    def test_setting_traceback(self):
-        assert self.error_custom.__traceback__ is None
-
-        try:
-            1/0
-        except ZeroDivisionError as e:
-            self.error_custom.__traceback__ = e.__traceback__
-
-        assert self.error_custom.__traceback__ is not None
+        self.assertEqual(
+            str(self.error),
+            u"{0.typ} :: {0.description} :: {0.detail} :: {0.title}"
+            .format(self.error))
 
 
 class ConstantTest(unittest.TestCase):
@@ -119,35 +82,35 @@ class ConstantTest(unittest.TestCase):
         from acme.messages import _Constant
 
         class MockConstant(_Constant):  # pylint: disable=missing-docstring
-            POSSIBLE_NAMES: Dict = {}
+            POSSIBLE_NAMES = {} # type: Dict
 
         self.MockConstant = MockConstant  # pylint: disable=invalid-name
         self.const_a = MockConstant('a')
         self.const_b = MockConstant('b')
 
     def test_to_partial_json(self):
-        assert 'a' == self.const_a.to_partial_json()
-        assert 'b' == self.const_b.to_partial_json()
+        self.assertEqual('a', self.const_a.to_partial_json())
+        self.assertEqual('b', self.const_b.to_partial_json())
 
     def test_from_json(self):
-        assert self.const_a == self.MockConstant.from_json('a')
-        with pytest.raises(jose.DeserializationError):
-            self.MockConstant.from_json('c')
+        self.assertEqual(self.const_a, self.MockConstant.from_json('a'))
+        self.assertRaises(
+            jose.DeserializationError, self.MockConstant.from_json, 'c')
 
     def test_from_json_hashable(self):
         hash(self.MockConstant.from_json('a'))
 
     def test_repr(self):
-        assert 'MockConstant(a)' == repr(self.const_a)
-        assert 'MockConstant(b)' == repr(self.const_b)
+        self.assertEqual('MockConstant(a)', repr(self.const_a))
+        self.assertEqual('MockConstant(b)', repr(self.const_b))
 
     def test_equality(self):
         const_a_prime = self.MockConstant('a')
-        assert self.const_a != self.const_b
-        assert self.const_a == const_a_prime
+        self.assertFalse(self.const_a == self.const_b)
+        self.assertTrue(self.const_a == const_a_prime)
 
-        assert self.const_a != self.const_b
-        assert self.const_a == const_a_prime
+        self.assertTrue(self.const_a != self.const_b)
+        self.assertFalse(self.const_a != const_a_prime)
 
 
 class DirectoryTest(unittest.TestCase):
@@ -156,8 +119,8 @@ class DirectoryTest(unittest.TestCase):
     def setUp(self):
         from acme.messages import Directory
         self.dir = Directory({
-            'newReg': 'reg',
-            'newCert': 'cert',
+            'new-reg': 'reg',
+            mock.MagicMock(resource_type='new-cert'): 'cert',
             'meta': Directory.Meta(
                 terms_of_service='https://example.com/acme/terms',
                 website='https://www.example.com/',
@@ -170,29 +133,30 @@ class DirectoryTest(unittest.TestCase):
         Directory({'foo': 'bar'})
 
     def test_getitem(self):
-        assert 'reg' == self.dir['newReg']
+        self.assertEqual('reg', self.dir['new-reg'])
+        from acme.messages import NewRegistration
+        self.assertEqual('reg', self.dir[NewRegistration])
+        self.assertEqual('reg', self.dir[NewRegistration()])
 
     def test_getitem_fails_with_key_error(self):
-        with pytest.raises(KeyError):
-            self.dir.__getitem__('foo')
+        self.assertRaises(KeyError, self.dir.__getitem__, 'foo')
 
     def test_getattr(self):
-        assert 'reg' == self.dir.newReg
+        self.assertEqual('reg', self.dir.new_reg)
 
     def test_getattr_fails_with_attribute_error(self):
-        with pytest.raises(AttributeError):
-            self.dir.__getattr__('foo')
+        self.assertRaises(AttributeError, self.dir.__getattr__, 'foo')
 
     def test_to_json(self):
-        assert self.dir.to_json() == {
-            'newReg': 'reg',
-            'newCert': 'cert',
+        self.assertEqual(self.dir.to_json(), {
+            'new-reg': 'reg',
+            'new-cert': 'cert',
             'meta': {
-                'termsOfService': 'https://example.com/acme/terms',
+                'terms-of-service': 'https://example.com/acme/terms',
                 'website': 'https://www.example.com/',
                 'caaIdentities': ['example.com'],
             },
-        }
+        })
 
     def test_from_json_deserialization_unknown_key_success(self):  # pylint: disable=no-self-use
         from acme.messages import Directory
@@ -203,7 +167,7 @@ class DirectoryTest(unittest.TestCase):
         for k in self.dir.meta:
             if k == 'terms_of_service':
                 result = self.dir.meta[k] == 'https://example.com/acme/terms'
-        assert result
+        self.assertTrue(result)
 
 
 class ExternalAccountBindingTest(unittest.TestCase):
@@ -220,8 +184,8 @@ class ExternalAccountBindingTest(unittest.TestCase):
         from acme.messages import ExternalAccountBinding
         eab = ExternalAccountBinding.from_data(self.key, self.kid, self.hmac_key, self.dir)
 
-        assert len(eab) == 3
-        assert sorted(eab.keys()) == sorted(['protected', 'payload', 'signature'])
+        self.assertEqual(len(eab), 3)
+        self.assertEqual(sorted(eab.keys()), sorted(['protected', 'payload', 'signature']))
 
 
 class RegistrationTest(unittest.TestCase):
@@ -250,15 +214,13 @@ class RegistrationTest(unittest.TestCase):
     def test_from_data(self):
         from acme.messages import Registration
         reg = Registration.from_data(phone='1234', email='admin@foo.com')
-        assert reg.contact == (
+        self.assertEqual(reg.contact, (
             'tel:1234',
             'mailto:admin@foo.com',
-        )
+        ))
 
     def test_new_registration_from_data_with_eab(self):
-        from acme.messages import Directory
-        from acme.messages import ExternalAccountBinding
-        from acme.messages import NewRegistration
+        from acme.messages import NewRegistration, ExternalAccountBinding, Directory
         key = jose.jwk.JWKRSA(key=KEY.public_key())
         kid = "kid-for-testing"
         hmac_key = "hmac-key-for-testing"
@@ -267,42 +229,29 @@ class RegistrationTest(unittest.TestCase):
         })
         eab = ExternalAccountBinding.from_data(key, kid, hmac_key, directory)
         reg = NewRegistration.from_data(email='admin@foo.com', external_account_binding=eab)
-        assert reg.contact == (
+        self.assertEqual(reg.contact, (
             'mailto:admin@foo.com',
-        )
-        assert sorted(reg.external_account_binding.keys()) == \
-                         sorted(['protected', 'payload', 'signature'])
+        ))
+        self.assertEqual(sorted(reg.external_account_binding.keys()),
+                         sorted(['protected', 'payload', 'signature']))
 
     def test_phones(self):
-        assert ('1234',) == self.reg.phones
+        self.assertEqual(('1234',), self.reg.phones)
 
     def test_emails(self):
-        assert ('admin@foo.com',) == self.reg.emails
+        self.assertEqual(('admin@foo.com',), self.reg.emails)
 
     def test_to_partial_json(self):
-        assert self.jobj_to == self.reg.to_partial_json()
+        self.assertEqual(self.jobj_to, self.reg.to_partial_json())
 
     def test_from_json(self):
         from acme.messages import Registration
-        assert self.reg == Registration.from_json(self.jobj_from)
+        self.assertEqual(self.reg, Registration.from_json(self.jobj_from))
 
     def test_from_json_hashable(self):
         from acme.messages import Registration
         hash(Registration.from_json(self.jobj_from))
 
-    def test_default_not_transmitted(self):
-        from acme.messages import NewRegistration
-        empty_new_reg = NewRegistration()
-        new_reg_with_contact = NewRegistration(contact=())
-
-        assert empty_new_reg.contact == ()
-        assert new_reg_with_contact.contact == ()
-
-        assert 'contact' not in empty_new_reg.to_partial_json()
-        assert 'contact' not in empty_new_reg.fields_to_partial_json()
-        assert 'contact' in new_reg_with_contact.to_partial_json()
-        assert 'contact' in new_reg_with_contact.fields_to_partial_json()
-
 
 class UpdateRegistrationTest(unittest.TestCase):
     """Tests for acme.messages.UpdateRegistration."""
@@ -310,8 +259,9 @@ class UpdateRegistrationTest(unittest.TestCase):
     def test_empty(self):
         from acme.messages import UpdateRegistration
         jstring = '{"resource": "reg"}'
-        assert '{}' == UpdateRegistration().json_dumps()
-        assert UpdateRegistration() == UpdateRegistration.json_loads(jstring)
+        self.assertEqual(jstring, UpdateRegistration().json_dumps())
+        self.assertEqual(
+            UpdateRegistration(), UpdateRegistration.json_loads(jstring))
 
 
 class RegistrationResourceTest(unittest.TestCase):
@@ -324,11 +274,11 @@ class RegistrationResourceTest(unittest.TestCase):
             terms_of_service=mock.sentinel.terms_of_service)
 
     def test_to_partial_json(self):
-        assert self.regr.to_json() == {
+        self.assertEqual(self.regr.to_json(), {
             'body': mock.sentinel.body,
             'uri': mock.sentinel.uri,
             'terms_of_service': mock.sentinel.terms_of_service,
-        }
+        })
 
 
 class ChallengeResourceTest(unittest.TestCase):
@@ -336,8 +286,8 @@ class ChallengeResourceTest(unittest.TestCase):
 
     def test_uri(self):
         from acme.messages import ChallengeResource
-        assert 'http://challb' == ChallengeResource(body=mock.MagicMock(
-            uri='http://challb'), authzr_uri='http://authz').uri
+        self.assertEqual('http://challb', ChallengeResource(body=mock.MagicMock(
+            uri='http://challb'), authzr_uri='http://authz').uri)
 
 
 class ChallengeBodyTest(unittest.TestCase):
@@ -357,7 +307,7 @@ class ChallengeBodyTest(unittest.TestCase):
             error=error)
 
         self.jobj_to = {
-            'url': 'http://challb',
+            'uri': 'http://challb',
             'status': self.status,
             'type': 'dns',
             'token': 'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA',
@@ -371,22 +321,22 @@ class ChallengeBodyTest(unittest.TestCase):
         }
 
     def test_encode(self):
-        assert self.challb.encode('uri') == self.challb.uri
+        self.assertEqual(self.challb.encode('uri'), self.challb.uri)
 
     def test_to_partial_json(self):
-        assert self.jobj_to == self.challb.to_partial_json()
+        self.assertEqual(self.jobj_to, self.challb.to_partial_json())
 
     def test_from_json(self):
         from acme.messages import ChallengeBody
-        assert self.challb == ChallengeBody.from_json(self.jobj_from)
+        self.assertEqual(self.challb, ChallengeBody.from_json(self.jobj_from))
 
     def test_from_json_hashable(self):
         from acme.messages import ChallengeBody
         hash(ChallengeBody.from_json(self.jobj_from))
 
     def test_proxy(self):
-        assert jose.b64decode(
-            'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA') == self.challb.token
+        self.assertEqual(jose.b64decode(
+            'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'), self.challb.token)
 
 
 class AuthorizationTest(unittest.TestCase):
@@ -404,17 +354,20 @@ class AuthorizationTest(unittest.TestCase):
                           chall=challenges.DNS(
                               token=b'DGyRejmCefe7v4NfDGDKfA')),
         )
+        combinations = ((0,), (1,))
 
         from acme.messages import Authorization
         from acme.messages import Identifier
         from acme.messages import IDENTIFIER_FQDN
         identifier = Identifier(typ=IDENTIFIER_FQDN, value='example.com')
         self.authz = Authorization(
-            identifier=identifier, challenges=self.challbs)
+            identifier=identifier, combinations=combinations,
+            challenges=self.challbs)
 
         self.jobj_from = {
             'identifier': identifier.to_json(),
             'challenges': [challb.to_json() for challb in self.challbs],
+            'combinations': combinations,
         }
 
     def test_from_json(self):
@@ -425,6 +378,12 @@ class AuthorizationTest(unittest.TestCase):
         from acme.messages import Authorization
         hash(Authorization.from_json(self.jobj_from))
 
+    def test_resolved_combinations(self):
+        self.assertEqual(self.authz.resolved_combinations, (
+            (self.challbs[0],),
+            (self.challbs[1],),
+        ))
+
 
 class AuthorizationResourceTest(unittest.TestCase):
     """Tests for acme.messages.AuthorizationResource."""
@@ -434,7 +393,7 @@ class AuthorizationResourceTest(unittest.TestCase):
         authzr = AuthorizationResource(
             uri=mock.sentinel.uri,
             body=mock.sentinel.body)
-        assert isinstance(authzr, jose.JSONDeSerializable)
+        self.assertTrue(isinstance(authzr, jose.JSONDeSerializable))
 
 
 class CertificateRequestTest(unittest.TestCase):
@@ -445,9 +404,10 @@ class CertificateRequestTest(unittest.TestCase):
         self.req = CertificateRequest(csr=CSR)
 
     def test_json_de_serializable(self):
-        assert isinstance(self.req, jose.JSONDeSerializable)
+        self.assertTrue(isinstance(self.req, jose.JSONDeSerializable))
         from acme.messages import CertificateRequest
-        assert self.req == CertificateRequest.from_json(self.req.to_json())
+        self.assertEqual(
+            self.req, CertificateRequest.from_json(self.req.to_json()))
 
 
 class CertificateResourceTest(unittest.TestCase):
@@ -460,9 +420,10 @@ class CertificateResourceTest(unittest.TestCase):
             cert_chain_uri=mock.sentinel.cert_chain_uri)
 
     def test_json_de_serializable(self):
-        assert isinstance(self.certr, jose.JSONDeSerializable)
+        self.assertTrue(isinstance(self.certr, jose.JSONDeSerializable))
         from acme.messages import CertificateResource
-        assert self.certr == CertificateResource.from_json(self.certr.to_json())
+        self.assertEqual(
+            self.certr, CertificateResource.from_json(self.certr.to_json()))
 
 
 class RevocationTest(unittest.TestCase):
@@ -486,42 +447,11 @@ class OrderResourceTest(unittest.TestCase):
             body=mock.sentinel.body, uri=mock.sentinel.uri)
 
     def test_to_partial_json(self):
-        assert self.regr.to_json() == {
+        self.assertEqual(self.regr.to_json(), {
             'body': mock.sentinel.body,
             'uri': mock.sentinel.uri,
             'authorizations': None,
-        }
-
-    def test_json_de_serializable(self):
-        from acme.messages import ChallengeBody
-        from acme.messages import STATUS_PENDING
-        challbs = (
-            ChallengeBody(
-                uri='http://challb1', status=STATUS_PENDING,
-                chall=challenges.HTTP01(token=b'IlirfxKKXAsHtmzK29Pj8A')),
-            ChallengeBody(uri='http://challb2', status=STATUS_PENDING,
-                          chall=challenges.DNS(
-                              token=b'DGyRejmCefe7v4NfDGDKfA')),
-        )
-
-        from acme.messages import Authorization
-        from acme.messages import AuthorizationResource
-        from acme.messages import Identifier
-        from acme.messages import IDENTIFIER_FQDN
-        identifier = Identifier(typ=IDENTIFIER_FQDN, value='example.com')
-        authz = AuthorizationResource(uri="http://authz1",
-                                      body=Authorization(
-                                          identifier=identifier,
-                                          challenges=challbs))
-        from acme.messages import Order
-        body = Order(identifiers=(identifier,), status=STATUS_PENDING,
-                     authorizations=tuple(challb.uri for challb in challbs))
-        from acme.messages import OrderResource
-        orderr = OrderResource(uri="http://order1", body=body,
-                               csr_pem=b'test blob',
-                               authorizations=(authz,))
-        self.assertEqual(orderr,
-                         OrderResource.from_json(orderr.to_json()))
+        })
 
 class NewOrderTest(unittest.TestCase):
     """Tests for acme.messages.NewOrder."""
@@ -532,22 +462,10 @@ class NewOrderTest(unittest.TestCase):
             identifiers=mock.sentinel.identifiers)
 
     def test_to_partial_json(self):
-        assert self.reg.to_json() == {
+        self.assertEqual(self.reg.to_json(), {
             'identifiers': mock.sentinel.identifiers,
-        }
-
-
-class JWSPayloadRFC8555Compliant(unittest.TestCase):
-    """Test for RFC8555 compliance of JWS generated from resources/challenges"""
-    def test_message_payload(self):
-        from acme.messages import NewAuthorization
-
-        new_order = NewAuthorization()
-
-        jobj = new_order.json_dumps(indent=2).encode()
-        # RFC8555 states that JWS bodies must not have a resource field.
-        assert jobj == b'{}'
+        })
 
 
 if __name__ == '__main__':
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
+    unittest.main()  # pragma: no cover

acme/tests/standalone_test.py

@@ -1,21 +1,17 @@
 """Tests for acme.standalone."""
-import http.client as http_client
 import socket
-import socketserver
-import sys
 import threading
-from typing import Set
 import unittest
-from unittest import mock
 
 import josepy as jose
-import pytest
+import mock
 import requests
+from six.moves import http_client  # pylint: disable=import-error
+from six.moves import socketserver  # type: ignore  # pylint: disable=import-error
 
 from acme import challenges
-from acme import crypto_util
-from acme import errors
-from acme._internal.tests import test_util
+from acme.magic_typing import Set  # pylint: disable=unused-import, no-name-in-module
+import test_util
 
 
 class TLSServerTest(unittest.TestCase):
@@ -43,7 +39,7 @@ class HTTP01ServerTest(unittest.TestCase):
     def setUp(self):
         self.account_key = jose.JWK.load(
             test_util.load_vector('rsa1024_key.pem'))
-        self.resources: Set = set()
+        self.resources = set() # type: Set
 
         from acme.standalone import HTTP01Server
         self.server = HTTP01Server(('', 0), resources=self.resources)
@@ -55,18 +51,18 @@ class HTTP01ServerTest(unittest.TestCase):
     def tearDown(self):
         self.server.shutdown()
         self.thread.join()
-        self.server.server_close()
 
     def test_index(self):
         response = requests.get(
             'http://localhost:{0}'.format(self.port), verify=False)
-        assert response.text == 'ACME client standalone challenge solver'
-        assert response.ok
+        self.assertEqual(
+            response.text, 'ACME client standalone challenge solver')
+        self.assertTrue(response.ok)
 
     def test_404(self):
         response = requests.get(
             'http://localhost:{0}/foo'.format(self.port), verify=False)
-        assert response.status_code == http_client.NOT_FOUND
+        self.assertEqual(response.status_code, http_client.NOT_FOUND)
 
     def _test_http01(self, add):
         chall = challenges.HTTP01(token=(b'x' * 16))
@@ -82,89 +78,16 @@ class HTTP01ServerTest(unittest.TestCase):
             port=self.port)
 
     def test_http01_found(self):
-        assert self._test_http01(add=True)
+        self.assertTrue(self._test_http01(add=True))
 
     def test_http01_not_found(self):
-        assert not self._test_http01(add=False)
-
-    def test_timely_shutdown(self):
-        from acme.standalone import HTTP01Server
-        with HTTP01Server(('', 0), resources=set(), timeout=0.05) as server:
-            server_thread = threading.Thread(target=server.serve_forever)
-            server_thread.start()
-
-            with socket.socket() as client:
-                client.connect(('localhost', server.socket.getsockname()[1]))
-
-                stop_thread = threading.Thread(target=server.shutdown)
-                stop_thread.start()
-                server_thread.join(5.)
-
-                is_hung = server_thread.is_alive()
-                try:
-                    client.shutdown(socket.SHUT_RDWR)
-                except: # pragma: no cover, pylint: disable=bare-except
-                    # may raise error because socket could already be closed
-                    pass
-
-                assert not is_hung, 'Server shutdown should not be hung'
-
-
-@unittest.skipIf(not challenges.TLSALPN01.is_supported(), "pyOpenSSL too old")
-class TLSALPN01ServerTest(unittest.TestCase):
-    """Test for acme.standalone.TLSALPN01Server."""
-
-    def setUp(self):
-        self.certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa2048_key.pem'),
-            test_util.load_cert('rsa2048_cert.pem'),
-        )}
-        # Use different certificate for challenge.
-        self.challenge_certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa4096_key.pem'),
-            test_util.load_cert('rsa4096_cert.pem'),
-        )}
-        from acme.standalone import TLSALPN01Server
-        self.server = TLSALPN01Server(("localhost", 0), certs=self.certs,
-                challenge_certs=self.challenge_certs)
-        # pylint: disable=no-member
-        self.thread = threading.Thread(target=self.server.serve_forever)
-        self.thread.start()
-
-    def tearDown(self):
-        self.server.shutdown()  # pylint: disable=no-member
-        self.thread.join()
-        self.server.server_close()
-
-    # TODO: This is not implemented yet, see comments in standalone.py
-    # def test_certs(self):
-    #    host, port = self.server.socket.getsockname()[:2]
-    #    cert = crypto_util.probe_sni(
-    #        b'localhost', host=host, port=port, timeout=1)
-    #    # Expect normal cert when connecting without ALPN.
-    #    self.assertEqual(jose.ComparableX509(cert),
-    #                     jose.ComparableX509(self.certs[b'localhost'][1]))
-
-    def test_challenge_certs(self):
-        host, port = self.server.socket.getsockname()[:2]
-        cert = crypto_util.probe_sni(
-            b'localhost', host=host, port=port, timeout=1,
-            alpn_protocols=[b"acme-tls/1"])
-        #  Expect challenge cert when connecting with ALPN.
-        assert jose.ComparableX509(cert) == \
-                jose.ComparableX509(self.challenge_certs[b'localhost'][1])
-
-    def test_bad_alpn(self):
-        host, port = self.server.socket.getsockname()[:2]
-        with pytest.raises(errors.Error):
-            crypto_util.probe_sni(
-                b'localhost', host=host, port=port, timeout=1,
-                alpn_protocols=[b"bad-alpn"])
+        self.assertFalse(self._test_http01(add=False))
 
 
 class BaseDualNetworkedServersTest(unittest.TestCase):
     """Test for acme.standalone.BaseDualNetworkedServers."""
 
+
     class SingleProtocolServer(socketserver.TCPServer):
         """Server that only serves on a single protocol. FreeBSD has this behavior for AF_INET6."""
         def __init__(self, *args, **kwargs):
@@ -174,7 +97,7 @@ class BaseDualNetworkedServersTest(unittest.TestCase):
                 kwargs["bind_and_activate"] = False
             else:
                 self.address_family = socket.AF_INET
-            super().__init__(*args, **kwargs)
+            socketserver.TCPServer.__init__(self, *args, **kwargs)
             if ipv6:
                 # NB: On Windows, socket.IPPROTO_IPV6 constant may be missing.
                 # We use the corresponding value (41) instead.
@@ -189,18 +112,12 @@ class BaseDualNetworkedServersTest(unittest.TestCase):
 
     @mock.patch("socket.socket.bind")
     def test_fail_to_bind(self, mock_bind):
-        from errno import EADDRINUSE
-
+        mock_bind.side_effect = socket.error
         from acme.standalone import BaseDualNetworkedServers
-
-        mock_bind.side_effect = socket.error(EADDRINUSE, "Fake addr in use error")
-
-        with pytest.raises(socket.error) as exc_info:
-            BaseDualNetworkedServers(
-                BaseDualNetworkedServersTest.SingleProtocolServer,
-                ('', 0), socketserver.BaseRequestHandler)
-
-        assert exc_info.value.errno == EADDRINUSE
+        self.assertRaises(socket.error, BaseDualNetworkedServers,
+                          BaseDualNetworkedServersTest.SingleProtocolServer,
+                          ('', 0),
+                          socketserver.BaseRequestHandler)
 
     def test_ports_equal(self):
         from acme.standalone import BaseDualNetworkedServers
@@ -214,19 +131,18 @@ class BaseDualNetworkedServersTest(unittest.TestCase):
         for sockname in socknames:
             port = sockname[1]
             if prev_port:
-                assert prev_port == port
+                self.assertEqual(prev_port, port)
             prev_port = port
-        for server in servers.servers:
-            server.server_close()
 
 
 class HTTP01DualNetworkedServersTest(unittest.TestCase):
     """Tests for acme.standalone.HTTP01DualNetworkedServers."""
 
+
     def setUp(self):
         self.account_key = jose.JWK.load(
             test_util.load_vector('rsa1024_key.pem'))
-        self.resources: Set = set()
+        self.resources = set() # type: Set
 
         from acme.standalone import HTTP01DualNetworkedServers
         self.servers = HTTP01DualNetworkedServers(('', 0), resources=self.resources)
@@ -240,13 +156,14 @@ class HTTP01DualNetworkedServersTest(unittest.TestCase):
     def test_index(self):
         response = requests.get(
             'http://localhost:{0}'.format(self.port), verify=False)
-        assert response.text == 'ACME client standalone challenge solver'
-        assert response.ok
+        self.assertEqual(
+            response.text, 'ACME client standalone challenge solver')
+        self.assertTrue(response.ok)
 
     def test_404(self):
         response = requests.get(
             'http://localhost:{0}/foo'.format(self.port), verify=False)
-        assert response.status_code == http_client.NOT_FOUND
+        self.assertEqual(response.status_code, http_client.NOT_FOUND)
 
     def _test_http01(self, add):
         chall = challenges.HTTP01(token=(b'x' * 16))
@@ -262,11 +179,11 @@ class HTTP01DualNetworkedServersTest(unittest.TestCase):
             port=self.port)
 
     def test_http01_found(self):
-        assert self._test_http01(add=True)
+        self.assertTrue(self._test_http01(add=True))
 
     def test_http01_not_found(self):
-        assert not self._test_http01(add=False)
+        self.assertFalse(self._test_http01(add=False))
 
 
 if __name__ == "__main__":
-    sys.exit(pytest.main(sys.argv[1:] + [__file__]))  # pragma: no cover
+    unittest.main()  # pragma: no cover

acme/tests/test_util.py

@@ -4,25 +4,19 @@
 
 """
 import os
-import sys
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 import josepy as jose
-from josepy.util import ComparableECKey
 from OpenSSL import crypto
-
-if sys.version_info >= (3, 9):  # pragma: no cover
-    import importlib.resources as importlib_resources
-else:  # pragma: no cover
-    import importlib_resources
+import pkg_resources
 
 
 def load_vector(*names):
     """Load contents of a test vector."""
     # luckily, resource_string opens file in binary mode
-    vector_ref = importlib_resources.files(__package__).joinpath('testdata', *names)
-    return vector_ref.read_bytes()
+    return pkg_resources.resource_string(
+        __name__, os.path.join('testdata', *names))
 
 
 def _guess_loader(filename, loader_pem, loader_der):
@@ -66,14 +60,6 @@ def load_rsa_private_key(*names):
         load_vector(*names), password=None, backend=default_backend()))
 
 
-def load_ecdsa_private_key(*names):
-    """Load ECDSA private key."""
-    loader = _guess_loader(names[-1], serialization.load_pem_private_key,
-                           serialization.load_der_private_key)
-    return ComparableECKey(loader(
-        load_vector(*names), password=None, backend=default_backend()))
-
-
 def load_pyopenssl_private_key(*names):
     """Load pyOpenSSL private key."""
     loader = _guess_loader(

acme/tests/testdata/README

@@ -0,0 +1,15 @@
+In order for acme.test_util._guess_loader to work properly, make sure
+to use appropriate extension for vector filenames: .pem for PEM and
+.der for DER.
+
+The following command has been used to generate test keys:
+
+  for x in 256 512 1024 2048; do openssl genrsa -out rsa${k}_key.pem $k; done
+
+and for the CSR:
+
+  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der
+
+and for the certificate:
+
+  openssl req -key rsa2047_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der