lkddi/certd
1
0
Fork 0
mirror of https://github.com/certd/certd.git synced 2026-04-24 20:57:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/acme_sync' into v2

Browse Source 
# Conflicts:
#	packages/core/acme-client/CHANGELOG.md
#	packages/core/acme-client/package.json
#	packages/core/acme-client/src/auto.js
This commit is contained in:
xiaojunnuo
2024-03-06 18:35:44 +08:00
parent 370a12e88a 960f61d158
commit 09c9b42cab
55 changed files with 1646 additions and 668 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/acme-client/src/api.js
+13 -13
View File
@@ -41,7 +41,7 @@ class AcmeApi {
* @private
* @param {string} url Request URL
* @param {object} [payload] Request payload, default: `null`
* @param {array} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {number[]} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {object} [opts]
* @param {boolean} [opts.includeJwsKid] Include KID instead of JWK in JWS header, default: `true`
* @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request, default: `false`
@@ -66,7 +66,7 @@ class AcmeApi {
* @private
* @param {string} resource Request resource name
* @param {object} [payload] Request payload, default: `null`
* @param {array} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {number[]} [validStatusCodes] Array of valid HTTP response status codes, default: `[]`
* @param {object} [opts]
* @param {boolean} [opts.includeJwsKid] Include KID instead of JWK in JWS header, default: `true`
* @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request, default: `false`
@@ -82,7 +82,7 @@ class AcmeApi {
/**
* Get Terms of Service URL if available
*
* https://tools.ietf.org/html/rfc8555#section-7.1.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
*
* @returns {Promise<string|null>} ToS URL
*/
@@ -95,7 +95,7 @@ class AcmeApi {
/**
* Create new account
*
* https://tools.ietf.org/html/rfc8555#section-7.3
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -119,7 +119,7 @@ class AcmeApi {
/**
* Update account
*
* https://tools.ietf.org/html/rfc8555#section-7.3.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -133,7 +133,7 @@ class AcmeApi {
/**
* Update account key
*
* https://tools.ietf.org/html/rfc8555#section-7.3.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -147,7 +147,7 @@ class AcmeApi {
/**
* Create new order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
@@ -161,7 +161,7 @@ class AcmeApi {
/**
* Get order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {string} url Order URL
* @returns {Promise<object>} HTTP response
@@ -175,7 +175,7 @@ class AcmeApi {
/**
* Finalize order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {string} url Finalization URL
* @param {object} data Request payload
@@ -190,7 +190,7 @@ class AcmeApi {
/**
* Get identifier authorization
*
* https://tools.ietf.org/html/rfc8555#section-7.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5
*
* @param {string} url Authorization URL
* @returns {Promise<object>} HTTP response
@@ -204,7 +204,7 @@ class AcmeApi {
/**
* Update identifier authorization
*
* https://tools.ietf.org/html/rfc8555#section-7.5.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2
*
* @param {string} url Authorization URL
* @param {object} data Request payload
@@ -219,7 +219,7 @@ class AcmeApi {
/**
* Complete challenge
*
* https://tools.ietf.org/html/rfc8555#section-7.5.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
*
* @param {string} url Challenge URL
* @param {object} data Request payload
@@ -234,7 +234,7 @@ class AcmeApi {
/**
* Revoke certificate
*
* https://tools.ietf.org/html/rfc8555#section-7.6
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
*
* @param {object} data Request payload
* @returns {Promise<object>} HTTP response
packages/core/acme-client/src/auto.js
+1
View File
@@ -182,6 +182,7 @@ module.exports = async function(client, userOpts) {
return promise;
}
await runPromisesSerially(challengePromises);
log('challenge结束');
packages/core/acme-client/src/axios.js
+3 -3
View File
@@ -3,7 +3,6 @@
*/
const axios = require('axios');
const adapter = require('axios/lib/adapters/http');
const pkg = require('./../package.json');
@@ -19,7 +18,8 @@ instance.defaults.headers.common['User-Agent'] = `node-${pkg.name}/${pkg.version
/* Default ACME settings */
instance.defaults.acmeSettings = {
httpChallengePort: 80,
bypassCustomDnsResolver: false
httpsChallengePort: 443,
tlsAlpnChallengePort: 443
};
@@ -30,7 +30,7 @@ instance.defaults.acmeSettings = {
* https://stackoverflow.com/questions/42677387
*/
instance.defaults.adapter = adapter;
instance.defaults.adapter = 'http';
/**
packages/core/acme-client/src/client.js
+22 -25
View File
@@ -154,7 +154,7 @@ class AcmeClient {
/**
* Create a new account
*
* https://tools.ietf.org/html/rfc8555#section-7.3
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
*
* @param {object} [data] Request data
* @returns {Promise<object>} Account
@@ -200,7 +200,7 @@ class AcmeClient {
/**
* Update existing account
*
* https://tools.ietf.org/html/rfc8555#section-7.3.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
*
* @param {object} [data] Request data
* @returns {Promise<object>} Account
@@ -240,7 +240,7 @@ class AcmeClient {
/**
* Update account private key
*
* https://tools.ietf.org/html/rfc8555#section-7.3.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5
*
* @param {buffer|string} newAccountKey New PEM encoded private key
* @param {object} [data] Additional request data
@@ -286,7 +286,7 @@ class AcmeClient {
/**
* Create a new order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} data Request data
* @returns {Promise<object>} Order
@@ -318,7 +318,7 @@ class AcmeClient {
/**
* Refresh order object from CA
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} order Order object
* @returns {Promise<object>} Order
@@ -345,7 +345,7 @@ class AcmeClient {
/**
* Finalize order
*
* https://tools.ietf.org/html/rfc8555#section-7.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
*
* @param {object} order Order object
* @param {buffer|string} csr PEM encoded Certificate Signing Request
@@ -380,7 +380,7 @@ class AcmeClient {
/**
* Get identifier authorizations from order
*
* https://tools.ietf.org/html/rfc8555#section-7.5
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5
*
* @param {object} order Order
* @returns {Promise<object[]>} Authorizations
@@ -410,7 +410,7 @@ class AcmeClient {
/**
* Deactivate identifier authorization
*
* https://tools.ietf.org/html/rfc8555#section-7.5.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2
*
* @param {object} authz Identifier authorization
* @returns {Promise<object>} Authorization
@@ -442,7 +442,7 @@ class AcmeClient {
/**
* Get key authorization for ACME challenge
*
* https://tools.ietf.org/html/rfc8555#section-8.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.1
*
* @param {object} challenge Challenge object returned by API
* @returns {Promise<string>} Key authorization
@@ -462,22 +462,19 @@ class AcmeClient {
const thumbprint = keysum.digest('base64url');
const result = `${challenge.token}.${thumbprint}`;
/**
* https://tools.ietf.org/html/rfc8555#section-8.3
*/
/* https://datatracker.ietf.org/doc/html/rfc8555#section-8.3 */
if (challenge.type === 'http-01') {
return result;
}
/**
* https://tools.ietf.org/html/rfc8555#section-8.4
* https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01
*/
/* https://datatracker.ietf.org/doc/html/rfc8555#section-8.4 */
if (challenge.type === 'dns-01') {
return createHash('sha256').update(result).digest('base64url');
}
if ((challenge.type === 'dns-01') || (challenge.type === 'tls-alpn-01')) {
const shasum = createHash('sha256').update(result);
return shasum.digest('base64url');
/* https://datatracker.ietf.org/doc/html/rfc8737 */
if (challenge.type === 'tls-alpn-01') {
return result;
}
throw new Error(`Unable to produce key authorization, unknown challenge type: ${challenge.type}`);
@@ -522,7 +519,7 @@ class AcmeClient {
/**
* Notify CA that challenge has been completed
*
* https://tools.ietf.org/html/rfc8555#section-7.5.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
*
* @param {object} challenge Challenge object returned by API
* @returns {Promise<object>} Challenge
@@ -543,7 +540,7 @@ class AcmeClient {
/**
* Wait for ACME provider to verify status on a order, authorization or challenge
*
* https://tools.ietf.org/html/rfc8555#section-7.5.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1
*
* @param {object} item An order, authorization or challenge object
* @returns {Promise<object>} Valid order, authorization or challenge
@@ -554,7 +551,7 @@ class AcmeClient {
* await client.waitForValidStatus(challenge);
* ```
*
* @example Wait for valid authoriation status
* @example Wait for valid authorization status
* ```js
* const authz = { ... };
* await client.waitForValidStatus(authz);
@@ -600,7 +597,7 @@ class AcmeClient {
/**
* Get certificate from ACME order
*
* https://tools.ietf.org/html/rfc8555#section-7.4.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
*
* @param {object} order Order object
* @param {string} [preferredChain] Indicate which certificate chain is preferred if a CA offers multiple, by exact issuer common name, default: `null`
@@ -647,7 +644,7 @@ class AcmeClient {
/**
* Revoke certificate
*
* https://tools.ietf.org/html/rfc8555#section-7.6
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
*
* @param {buffer|string} cert PEM encoded certificate
* @param {object} [data] Additional request data
packages/core/acme-client/src/crypto/forge.js
+2 -2
View File
@@ -281,7 +281,7 @@ exports.readCertificateInfo = async function(cert) {
/**
* Determine ASN.1 type for CSR subject short name
* Note: https://tools.ietf.org/html/rfc5280
* Note: https://datatracker.ietf.org/doc/html/rfc5280
*
* @private
* @param {string} shortName CSR subject short name
@@ -343,7 +343,7 @@ function formatCsrAltNames(altNames) {
* @param {object} data
* @param {number} [data.keySize] Size of newly created private key, default: `2048`
* @param {string} [data.commonName]
* @param {array} [data.altNames] default: `[]`
* @param {string[]} [data.altNames] default: `[]`
* @param {string} [data.country]
* @param {string} [data.state]
* @param {string} [data.locality]
packages/core/acme-client/src/crypto/index.js
+217 -124
View File
@@ -7,10 +7,21 @@
const net = require('net');
const { promisify } = require('util');
const crypto = require('crypto');
const jsrsasign = require('jsrsasign');
const asn1js = require('asn1js');
const x509 = require('@peculiar/x509');
const randomInt = promisify(crypto.randomInt);
const generateKeyPair = promisify(crypto.generateKeyPair);
/* Use Node.js Web Crypto API */
x509.cryptoProvider.set(crypto.webcrypto);
/* id-ce-subjectAltName - https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
const subjectAltNameOID = '2.5.29.17';
/* id-pe-acmeIdentifier - https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
/**
* Determine key type and info by attempting to derive public key
@@ -24,17 +35,14 @@ function getKeyInfo(keyPem) {
const result = {
isRSA: false,
isECDSA: false,
signatureAlgorithm: null,
publicKey: crypto.createPublicKey(keyPem)
};
if (result.publicKey.asymmetricKeyType === 'rsa') {
result.isRSA = true;
result.signatureAlgorithm = 'SHA256withRSA';
}
else if (result.publicKey.asymmetricKeyType === 'ec') {
result.isECDSA = true;
result.signatureAlgorithm = 'SHA256withECDSA';
}
else {
throw new Error('Unable to parse key information, unknown format');
@@ -169,24 +177,42 @@ exports.getJwk = getJwk;
/**
* Fix missing support for NIST curve names in jsrsasign
* Produce CryptoKeyPair and signing algorithm from a PEM encoded private key
*
* @private
* @param {string} crv NIST curve name
* @returns {string} SECG curve name
* @param {buffer|string} keyPem PEM encoded private key
* @returns {Promise<array>} [keyPair, signingAlgorithm]
*/
function convertNistCurveNameToSecg(nistName) {
switch (nistName) {
case 'P-256':
return 'secp256r1';
case 'P-384':
return 'secp384r1';
case 'P-521':
return 'secp521r1';
default:
return nistName;
async function getWebCryptoKeyPair(keyPem) {
const info = getKeyInfo(keyPem);
const jwk = getJwk(keyPem);
/* Signing algorithm */
const sigalg = {
name: 'RSASSA-PKCS1-v1_5',
hash: { name: 'SHA-256' }
};
if (info.isECDSA) {
sigalg.name = 'ECDSA';
sigalg.namedCurve = jwk.crv;
if (jwk.crv === 'P-384') {
sigalg.hash.name = 'SHA-384';
}
if (jwk.crv === 'P-521') {
sigalg.hash.name = 'SHA-512';
}
}
/* Decode PEM and import into CryptoKeyPair */
const privateKeyDec = x509.PemConverter.decodeFirst(keyPem.toString());
const privateKey = await crypto.webcrypto.subtle.importKey('pkcs8', privateKeyDec, sigalg, true, ['sign']);
const publicKey = await crypto.webcrypto.subtle.importKey('jwk', jwk, sigalg, true, ['verify']);
return [{ privateKey, publicKey }, sigalg];
}
@@ -194,7 +220,7 @@ function convertNistCurveNameToSecg(nistName) {
* Split chain of PEM encoded objects from string into array
*
* @param {buffer|string} chainPem PEM encoded object chain
* @returns {array} Array of PEM objects including headers
* @returns {string[]} Array of PEM objects including headers
*/
function splitPemChain(chainPem) {
@@ -202,15 +228,9 @@ function splitPemChain(chainPem) {
chainPem = chainPem.toString();
}
return chainPem
/* Split chain into chunks, starting at every header */
.split(/\s*(?=-----BEGIN [A-Z0-9- ]+-----\r?\n?)/g)
/* Match header, PEM body and footer */
.map((pem) => pem.match(/\s*-----BEGIN ([A-Z0-9- ]+)-----\r?\n?([\S\s]+)\r?\n?-----END \1-----/))
/* Filter out non-matches or empty bodies */
.filter((pem) => pem && pem[2] && pem[2].replace(/[\r\n]+/g, '').trim())
/* Decode to hex, and back to PEM for formatting etc */
.map(([pem, header]) => jsrsasign.hextopem(jsrsasign.pemtohex(pem, header), header));
/* Decode into array and re-encode */
return x509.PemConverter.decodeWithHeaders(chainPem)
.map((params) => x509.PemConverter.encode([params]));
}
exports.splitPemChain = splitPemChain;
@@ -231,43 +251,28 @@ exports.getPemBodyAsB64u = (pem) => {
throw new Error('Unable to parse PEM body from string');
}
/* First object, hex and back to b64 without new lines */
return jsrsasign.hextob64u(jsrsasign.pemtohex(chain[0]));
/* Select first object, extract body and convert to b64u */
const dec = x509.PemConverter.decodeFirst(chain[0]);
return Buffer.from(dec).toString('base64url');
};
/**
* Parse common name from a subject object
*
* @private
* @param {object} subj Subject returned from jsrsasign
* @returns {string} Common name value
*/
function parseCommonName(subj) {
const subjectArr = (subj && subj.array) ? subj.array : [];
const cnArr = subjectArr.find((s) => (s[0] && s[0].type && s[0].value && (s[0].type === 'CN')));
return (cnArr && cnArr.length && cnArr[0].value) ? cnArr[0].value : null;
}
/**
* Parse domains from a certificate or CSR
*
* @private
* @param {object} params Certificate or CSR params returned from jsrsasign
* @param {object} input x509.Certificate or x509.Pkcs10CertificateRequest
* @returns {object} {commonName, altNames}
*/
function parseDomains(params) {
const commonName = parseCommonName(params.subject);
const extensionArr = (params.ext || params.extreq || []);
function parseDomains(input) {
const commonName = input.subjectName.getField('CN').pop() || null;
const altNamesRaw = input.getExtension(subjectAltNameOID);
let altNames = [];
if (extensionArr && extensionArr.length) {
const altNameExt = extensionArr.find((e) => (e.extname && (e.extname === 'subjectAltName')));
const altNameArr = (altNameExt && altNameExt.array && altNameExt.array.length) ? altNameExt.array : [];
altNames = altNameArr.map((a) => Object.values(a)[0] || null).filter((a) => a);
if (altNamesRaw) {
const altNamesExt = new x509.SubjectAlternativeNameExtension(altNamesRaw.rawData);
altNames = altNames.concat(altNamesExt.names.items.map((i) => i.value));
}
return {
@@ -297,9 +302,9 @@ exports.readCsrDomains = (csrPem) => {
csrPem = csrPem.toString();
}
/* Parse CSR */
const params = jsrsasign.KJUR.asn1.csr.CSRUtil.getParam(csrPem);
return parseDomains(params);
const dec = x509.PemConverter.decodeFirst(csrPem);
const csr = new x509.Pkcs10CertificateRequest(dec);
return parseDomains(csr);
};
@@ -324,48 +329,43 @@ exports.readCsrDomains = (csrPem) => {
*/
exports.readCertificateInfo = (certPem) => {
const chain = splitPemChain(certPem);
if (!chain.length) {
throw new Error('Unable to parse PEM body from string');
if (Buffer.isBuffer(certPem)) {
certPem = certPem.toString();
}
/* Parse certificate */
const obj = new jsrsasign.X509();
obj.readCertPEM(chain[0]);
const params = obj.getParam();
const dec = x509.PemConverter.decodeFirst(certPem);
const cert = new x509.X509Certificate(dec);
return {
issuer: {
commonName: parseCommonName(params.issuer)
commonName: cert.issuerName.getField('CN').pop() || null
},
domains: parseDomains(params),
notBefore: jsrsasign.zulutodate(params.notbefore),
notAfter: jsrsasign.zulutodate(params.notafter)
domains: parseDomains(cert),
notBefore: cert.notBefore,
notAfter: cert.notAfter
};
};
/**
* Determine ASN.1 character string type for CSR subject field
* Determine ASN.1 character string type for CSR subject field name
*
* https://tools.ietf.org/html/rfc5280
* https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/x509-1.1.js#L2404-L2412
* https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/asn1x509-1.0.js#L3526-L3535
* https://datatracker.ietf.org/doc/html/rfc5280
* https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
*
* @private
* @param {string} field CSR subject field
* @returns {string} ASN.1 jsrsasign character string type
* @param {string} field CSR subject field name
* @returns {string} ASN.1 character string type
*/
function getCsrAsn1CharStringType(field) {
switch (field) {
case 'C':
return 'prn';
return 'printableString';
case 'E':
return 'ia5';
return 'ia5String';
default:
return 'utf8';
return 'utf8String';
}
}
@@ -373,6 +373,8 @@ function getCsrAsn1CharStringType(field) {
/**
* Create array of subject fields for a Certificate Signing Request
*
* https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
*
* @private
* @param {object} input Key-value of subject fields
* @returns {object[]} Certificate Signing Request subject array
@@ -382,7 +384,7 @@ function createCsrSubject(input) {
return Object.entries(input).reduce((result, [type, value]) => {
if (value) {
const ds = getCsrAsn1CharStringType(type);
result.push([{ type, value, ds }]);
result.push({ [type]: [{ [ds]: value }] });
}
return result;
@@ -391,20 +393,20 @@ function createCsrSubject(input) {
/**
* Create array of alt names for Certificate Signing Requests
* Create x509 subject alternate name extension
*
* https://github.com/kjur/jsrsasign/blob/3edc0070846922daea98d9588978e91d855577ec/src/x509-1.1.js#L1355-L1410
* https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/extensions/subject_alt_name.ts
*
* @private
* @param {string[]} altNames Array of alt names
* @returns {object[]} Certificate Signing Request alt names array
* @returns {x509.SubjectAlternativeNameExtension} Subject alternate name extension
*/
function formatCsrAltNames(altNames) {
return altNames.map((value) => {
const key = net.isIP(value) ? 'ip' : 'dns';
return { [key]: value };
});
function createSubjectAltNameExtension(altNames) {
return new x509.SubjectAlternativeNameExtension(altNames.map((value) => {
const type = net.isIP(value) ? 'ip' : 'dns';
return { type, value };
}));
}
@@ -414,14 +416,14 @@ function formatCsrAltNames(altNames) {
* @param {object} data
* @param {number} [data.keySize] Size of newly created RSA private key modulus in bits, default: `2048`
* @param {string} [data.commonName] FQDN of your server
* @param {array} [data.altNames] SAN (Subject Alternative Names), default: `[]`
* @param {string[]} [data.altNames] SAN (Subject Alternative Names), default: `[]`
* @param {string} [data.country] 2 letter country code
* @param {string} [data.state] State or province
* @param {string} [data.locality] City
* @param {string} [data.organization] Organization name
* @param {string} [data.organizationUnit] Organizational unit name
* @param {string} [data.emailAddress] Email address
* @param {string} [keyPem] PEM encoded CSR private key
* @param {buffer|string} [keyPem] PEM encoded CSR private key
* @returns {Promise<buffer[]>} [privateKey, certificateSigningRequest]
*
* @example Create a Certificate Signing Request
@@ -474,53 +476,144 @@ exports.createCsr = async (data, keyPem = null) => {
data.altNames = [];
}
/* Get key info and JWK */
const info = getKeyInfo(keyPem);
const jwk = getJwk(keyPem);
const extensionRequests = [];
/* Missing support for NIST curve names in jsrsasign - https://github.com/kjur/jsrsasign/blob/master/src/asn1x509-1.0.js#L4388-L4393 */
if (jwk.crv && (jwk.kty === 'EC')) {
jwk.crv = convertNistCurveNameToSecg(jwk.crv);
}
/* Ensure subject common name is present in SAN - https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf */
if (data.commonName && !data.altNames.includes(data.commonName)) {
data.altNames.unshift(data.commonName);
}
/* Subject */
const subject = createCsrSubject({
CN: data.commonName,
C: data.country,
ST: data.state,
L: data.locality,
O: data.organization,
OU: data.organizationUnit,
E: data.emailAddress
});
/* CryptoKeyPair and signing algorithm from private key */
const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
/* SAN extension */
if (data.altNames.length) {
extensionRequests.push({
extname: 'subjectAltName',
array: formatCsrAltNames(data.altNames)
});
}
const extensions = [
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment), // eslint-disable-line no-bitwise
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
createSubjectAltNameExtension(data.altNames)
];
/* Create CSR */
const csr = new jsrsasign.KJUR.asn1.csr.CertificationRequest({
subject: { array: subject },
sigalg: info.signatureAlgorithm,
sbjprvkey: keyPem.toString(),
sbjpubkey: jwk,
extreq: extensionRequests
const csr = await x509.Pkcs10CertificateRequestGenerator.create({
keys,
extensions,
signingAlgorithm,
name: createCsrSubject({
CN: data.commonName,
C: data.country,
ST: data.state,
L: data.locality,
O: data.organization,
OU: data.organizationUnit,
E: data.emailAddress
})
});
/* Sign CSR, get PEM */
csr.sign();
const pem = csr.getPEM();
/* Done */
const pem = csr.toString('pem');
return [keyPem, Buffer.from(pem)];
};
/**
* Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
*
* https://datatracker.ietf.org/doc/html/rfc8737
*
* @param {object} authz Identifier authorization
* @param {string} keyAuthorization Challenge key authorization
* @param {buffer|string} [keyPem] PEM encoded CSR private key
* @returns {Promise<buffer[]>} [privateKey, certificate]
*
* @example Create a ALPN certificate
* ```js
* const [alpnKey, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization);
* ```
*
* @example Create a ALPN certificate with ECDSA private key
* ```js
* const alpnKey = await acme.crypto.createPrivateEcdsaKey();
* const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
*/
exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) => {
if (!keyPem) {
keyPem = await createPrivateRsaKey();
}
else if (!Buffer.isBuffer(keyPem)) {
keyPem = Buffer.from(keyPem);
}
const now = new Date();
const commonName = authz.identifier.value;
/* Pseudo-random serial - max 20 bytes, 11 for epoch (year 5138), 9 random */
const random = await randomInt(1, 999999999);
const serialNumber = `${Math.floor(now.getTime() / 1000)}${random}`;
/* CryptoKeyPair and signing algorithm from private key */
const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
const extensions = [
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true), // eslint-disable-line no-bitwise
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9 */
new x509.BasicConstraintsExtension(true, 2, true),
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 */
await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
createSubjectAltNameExtension([commonName])
];
/* ALPN extension */
const payload = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
const octstr = new asn1js.OctetString({ valueHex: Buffer.from(payload, 'hex') });
extensions.push(new x509.Extension(alpnAcmeIdentifierOID, true, octstr.toBER()));
/* Self-signed ALPN certificate */
const cert = await x509.X509CertificateGenerator.createSelfSigned({
keys,
signingAlgorithm,
extensions,
serialNumber,
notBefore: now,
notAfter: now,
name: createCsrSubject({
CN: commonName
})
});
/* Done */
const pem = cert.toString('pem');
return [keyPem, Buffer.from(pem)];
};
/**
* Validate that a ALPN certificate contains the expected key authorization
*
* @param {buffer|string} certPem PEM encoded certificate
* @param {string} keyAuthorization Expected challenge key authorization
* @returns {boolean} True when valid
*/
exports.isAlpnCertificateAuthorizationValid = (certPem, keyAuthorization) => {
const expected = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
/* Attempt to locate ALPN extension */
const cert = new x509.X509Certificate(certPem);
const ext = cert.getExtension(alpnAcmeIdentifierOID);
if (!ext) {
throw new Error('Unable to locate ALPN extension within parsed certificate');
}
/* Decode extension value */
const parsed = asn1js.fromBER(ext.value);
const result = Buffer.from(parsed.result.valueBlock.valueHexView).toString('hex');
/* Return true if match */
return (result === expected);
};
packages/core/acme-client/src/http.js
+4 -4
View File
@@ -64,7 +64,7 @@ class HttpClient {
/**
* Ensure provider directory exists
*
* https://tools.ietf.org/html/rfc8555#section-7.1.1
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
*
* @returns {Promise}
*/
@@ -104,7 +104,7 @@ class HttpClient {
/**
* Get nonce from directory API endpoint
*
* https://tools.ietf.org/html/rfc8555#section-7.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-7.2
*
* @returns {Promise<string>} nonce
*/
@@ -267,7 +267,7 @@ class HttpClient {
/**
* Signed HTTP request
*
* https://tools.ietf.org/html/rfc8555#section-6.2
* https://datatracker.ietf.org/doc/html/rfc8555#section-6.2
*
* @param {string} url Request URL
* @param {object} payload Request payload
@@ -299,7 +299,7 @@ class HttpClient {
const data = this.createSignedBody(url, payload, { nonce, kid });
const resp = await this.request(url, 'post', { data });
/* Retry on bad nonce - https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-6.4 */
/* Retry on bad nonce - https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-10#section-6.4 */
if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
nonce = resp.headers['replay-nonce'] || null;
attempts += 1;
packages/core/acme-client/src/util.js
+59 -3
View File
@@ -2,6 +2,7 @@
* Utility methods
*/
const tls = require('tls');
const dns = require('dns').promises;
const { readCertificateInfo, splitPemChain } = require('./crypto');
const { log } = require('./logger');
@@ -92,7 +93,7 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
*
* @param {string} header Link header contents
* @param {string} rel Link relation, default: `alternate`
* @returns {array} Array of URLs
* @returns {string[]} Array of URLs
*/
function parseLinkHeader(header, rel = 'alternate') {
@@ -112,7 +113,7 @@ function parseLinkHeader(header, rel = 'alternate') {
* - If issuer is found in multiple chains, the closest to root wins
* - If issuer can not be located, the first chain will be returned
*
* @param {array} certificates Array of PEM encoded certificate chains
* @param {string[]} certificates Array of PEM encoded certificate chains
* @param {string} issuer Preferred certificate issuer
* @returns {string} PEM encoded certificate chain
*/
@@ -245,6 +246,60 @@ async function getAuthoritativeDnsResolver(recordName) {
}
/**
* Attempt to retrieve TLS ALPN certificate from peer
*
* https://nodejs.org/api/tls.html#tlsconnectoptions-callback
*
* @param {string} host Host the TLS client should connect to
* @param {number} port Port the client should connect to
* @param {string} servername Server name for the SNI (Server Name Indication)
* @returns {Promise<string>} PEM encoded certificate
*/
async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
return new Promise((resolve, reject) => {
let result;
/* TLS connection */
const socket = tls.connect({
host,
port,
servername: host,
rejectUnauthorized: false,
ALPNProtocols: ['acme-tls/1']
});
socket.setTimeout(timeout);
socket.setEncoding('utf-8');
/* Grab certificate once connected and close */
socket.on('secureConnect', () => {
result = socket.getPeerX509Certificate();
socket.end();
});
/* Errors */
socket.on('error', (err) => {
reject(err);
});
socket.on('timeout', () => {
socket.destroy(new Error('TLS ALPN certificate lookup request timed out'));
});
/* Done, return cert as PEM if found */
socket.on('end', () => {
if (result) {
return resolve(result.toString());
}
return reject(new Error('TLS ALPN lookup failed to retrieve certificate'));
});
});
}
/**
* Export utils
*/
@@ -254,5 +309,6 @@ module.exports = {
parseLinkHeader,
findCertificateChainForIssuer,
formatResponseError,
getAuthoritativeDnsResolver
getAuthoritativeDnsResolver,
retrieveTlsAlpnCertificate
};
packages/core/acme-client/src/verify.js
+38 -4
View File
@@ -3,15 +3,17 @@
*/
const dns = require('dns').promises;
const https = require('https');
const { log } = require('./logger');
const axios = require('./axios');
const util = require('./util');
const { isAlpnCertificateAuthorizationValid } = require('./crypto');
/**
* Verify ACME HTTP challenge
*
* https://tools.ietf.org/html/rfc8555#section-8.3
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.3
*
* @param {object} authz Identifier authorization
* @param {object} challenge Authorization challenge
@@ -24,8 +26,11 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
const httpPort = axios.defaults.acmeSettings.httpChallengePort || 80;
const challengeUrl = `http://${authz.identifier.value}:${httpPort}${suffix}`;
/* May redirect to HTTPS with invalid/self-signed cert - https://letsencrypt.org/docs/challenge-types/#http-01-challenge */
const httpsAgent = new https.Agent({ rejectUnauthorized: false });
log(`Sending HTTP query to ${authz.identifier.value}, suffix: ${suffix}, port: ${httpPort}`);
const resp = await axios.get(challengeUrl);
const resp = await axios.get(challengeUrl, { httpsAgent });
const data = (resp.data || '').replace(/\s+$/, '');
log(`Query successful, HTTP status code: ${resp.status}`);
@@ -80,7 +85,7 @@ async function walkDnsChallengeRecord(recordName, resolver = dns) {
/**
* Verify ACME DNS challenge
*
* https://tools.ietf.org/html/rfc8555#section-8.4
* https://datatracker.ietf.org/doc/html/rfc8555#section-8.4
*
* @param {object} authz Identifier authorization
* @param {object} challenge Authorization challenge
@@ -117,11 +122,40 @@ async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '
}
/**
* Verify ACME TLS ALPN challenge
*
* https://datatracker.ietf.org/doc/html/rfc8737
*
* @param {object} authz Identifier authorization
* @param {object} challenge Authorization challenge
* @param {string} keyAuthorization Challenge key authorization
* @returns {Promise<boolean>}
*/
async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
const tlsAlpnPort = axios.defaults.acmeSettings.tlsAlpnChallengePort || 443;
const host = authz.identifier.value;
log(`Establishing TLS connection with host: ${host}:${tlsAlpnPort}`);
const certificate = await util.retrieveTlsAlpnCertificate(host, tlsAlpnPort);
log('Certificate received from server successfully, matching key authorization in ALPN');
if (!isAlpnCertificateAuthorizationValid(certificate, keyAuthorization)) {
throw new Error(`Authorization not found in certificate from ${authz.identifier.value}`);
}
log(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
return true;
}
/**
* Export API
*/
module.exports = {
'http-01': verifyHttpChallenge,
'dns-01': verifyDnsChallenge
'dns-01': verifyDnsChallenge,
'tls-alpn-01': verifyTlsAlpnChallenge
};