lkddi/certd
1
0
Fork 0
mirror of https://github.com/certd/certd.git synced 2026-04-28 16:17:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/acme_sync' into v2

Browse Source 
# Conflicts:
#	packages/core/acme-client/package.json
#	packages/core/acme-client/src/auto.js
#	packages/core/acme-client/src/axios.js
#	packages/core/acme-client/src/http.js
This commit is contained in:
xiaojunnuo
2024-07-01 23:09:57 +08:00
parent 19a6b94680 162e10909b
commit 1b7debc6a4
39 changed files with 262 additions and 503 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/acme-client/src/api.js
+1 -17
View File
@@ -4,7 +4,6 @@
const util = require('./util');
/**
* AcmeApi
*
@@ -18,7 +17,6 @@ class AcmeApi {
this.accountUrl = accountUrl;
}
/**
* Get account URL
*
@@ -34,7 +32,6 @@ class AcmeApi {
return this.accountUrl;
}
/**
* ACME API request
*
@@ -59,7 +56,6 @@ class AcmeApi {
return resp;
}
/**
* ACME API request by resource name helper
*
@@ -78,7 +74,6 @@ class AcmeApi {
return this.apiRequest(resourceUrl, payload, validStatusCodes, { includeJwsKid, includeExternalAccountBinding });
}
/**
* Get Terms of Service URL if available
*
@@ -91,7 +86,6 @@ class AcmeApi {
return this.http.getMetaField('termsOfService');
}
/**
* Create new account
*
@@ -104,7 +98,7 @@ class AcmeApi {
async createAccount(data) {
const resp = await this.apiResourceRequest('newAccount', data, [200, 201], {
includeJwsKid: false,
includeExternalAccountBinding: (data.onlyReturnExisting !== true)
includeExternalAccountBinding: (data.onlyReturnExisting !== true),
});
/* Set account URL */
@@ -115,7 +109,6 @@ class AcmeApi {
return resp;
}
/**
* Update account
*
@@ -129,7 +122,6 @@ class AcmeApi {
return this.apiRequest(this.getAccountUrl(), data, [200, 202]);
}
/**
* Update account key
*
@@ -143,7 +135,6 @@ class AcmeApi {
return this.apiResourceRequest('keyChange', data, [200]);
}
/**
* Create new order
*
@@ -157,7 +148,6 @@ class AcmeApi {
return this.apiResourceRequest('newOrder', data, [201]);
}
/**
* Get order
*
@@ -171,7 +161,6 @@ class AcmeApi {
return this.apiRequest(url, null, [200]);
}
/**
* Finalize order
*
@@ -186,7 +175,6 @@ class AcmeApi {
return this.apiRequest(url, data, [200]);
}
/**
* Get identifier authorization
*
@@ -200,7 +188,6 @@ class AcmeApi {
return this.apiRequest(url, null, [200]);
}
/**
* Update identifier authorization
*
@@ -215,7 +202,6 @@ class AcmeApi {
return this.apiRequest(url, data, [200]);
}
/**
* Complete challenge
*
@@ -230,7 +216,6 @@ class AcmeApi {
return this.apiRequest(url, data, [200]);
}
/**
* Revoke certificate
*
@@ -245,6 +230,5 @@ class AcmeApi {
}
}
/* Export API */
module.exports = AcmeApi;
packages/core/acme-client/src/auto.js
+3 -9
View File
@@ -14,10 +14,9 @@ const defaultOpts = {
skipChallengeVerification: false,
challengePriority: ['http-01', 'dns-01'],
challengeCreateFn: async () => { throw new Error('Missing challengeCreateFn()'); },
challengeRemoveFn: async () => { throw new Error('Missing challengeRemoveFn()'); }
challengeRemoveFn: async () => { throw new Error('Missing challengeRemoveFn()'); },
};
/**
* ACME client auto mode
*
@@ -26,8 +25,8 @@ const defaultOpts = {
* @returns {Promise<buffer>} Certificate
*/
module.exports = async function(client, userOpts) {
const opts = Object.assign({}, defaultOpts, userOpts);
module.exports = async (client, userOpts) => {
const opts = { ...defaultOpts, ...userOpts };
const accountPayload = { termsOfServiceAgreed: opts.termsOfServiceAgreed };
if (!Buffer.isBuffer(opts.csr)) {
@@ -38,7 +37,6 @@ module.exports = async function(client, userOpts) {
accountPayload.contact = [`mailto:${opts.email}`];
}
/**
* Register account
*/
@@ -54,7 +52,6 @@ module.exports = async function(client, userOpts) {
await client.createAccount(accountPayload);
}
/**
* Parse domains from CSR
*/
@@ -65,7 +62,6 @@ module.exports = async function(client, userOpts) {
log(`[auto] Resolved ${uniqueDomains.length} unique domains from parsing the Certificate Signing Request`);
/**
* Place order
*/
@@ -77,7 +73,6 @@ module.exports = async function(client, userOpts) {
log(`[auto] Placed certificate order successfully, received ${authorizations.length} identity authorizations`);
/**
* Resolve and satisfy challenges
*/
@@ -196,7 +191,6 @@ module.exports = async function(client, userOpts) {
return Promise.all(results);
}
try {
log('开始challenge');
await runPromisePa(challengePromises);
packages/core/acme-client/src/axios.js
+1 -4
View File
@@ -5,7 +5,6 @@
const axios = require('axios');
const pkg = require('./../package.json');
/**
* Instance
*/
@@ -19,9 +18,8 @@ instance.defaults.headers.common['User-Agent'] = `node-${pkg.name}/${pkg.version
instance.defaults.acmeSettings = {
httpChallengePort: 80,
httpsChallengePort: 443,
tlsAlpnChallengePort: 443
tlsAlpnChallengePort: 443,
};
// instance.defaults.proxy = {
// host: '192.168.34.139',
// port: 10811
@@ -35,7 +33,6 @@ instance.defaults.acmeSettings = {
instance.defaults.adapter = 'http';
/**
* Export instance
*/
packages/core/acme-client/src/client.js
+18 -42
View File
@@ -13,7 +13,6 @@ const verify = require('./verify');
const util = require('./util');
const auto = require('./auto');
/**
* ACME states
*
@@ -24,7 +23,6 @@ const validStates = ['ready', 'valid'];
const pendingStates = ['pending', 'processing'];
const invalidStates = ['invalid'];
/**
* Default options
*
@@ -38,10 +36,9 @@ const defaultOpts = {
externalAccountBinding: {},
backoffAttempts: 10,
backoffMin: 5000,
backoffMax: 30000
backoffMax: 30000,
};
/**
* AcmeClient
*
@@ -61,7 +58,7 @@ const defaultOpts = {
* ```js
* const client = new acme.Client({
* directoryUrl: acme.directory.letsencrypt.staging,
* accountKey: 'Private key goes here'
* accountKey: 'Private key goes here',
* });
* ```
*
@@ -73,7 +70,7 @@ const defaultOpts = {
* accountUrl: 'Optional account URL goes here',
* backoffAttempts: 10,
* backoffMin: 5000,
* backoffMax: 30000
* backoffMax: 30000,
* });
* ```
*
@@ -84,8 +81,8 @@ const defaultOpts = {
* accountKey: 'Private key goes here',
* externalAccountBinding: {
* kid: 'YOUR-EAB-KID',
* hmacKey: 'YOUR-EAB-HMAC-KEY'
* }
* hmacKey: 'YOUR-EAB-HMAC-KEY',
* },
* });
* ```
*/
@@ -96,19 +93,17 @@ class AcmeClient {
opts.accountKey = Buffer.from(opts.accountKey);
}
this.opts = Object.assign({}, defaultOpts, opts);
this.opts = { ...defaultOpts, ...opts };
this.backoffOpts = {
attempts: this.opts.backoffAttempts,
min: this.opts.backoffMin,
max: this.opts.backoffMax
max: this.opts.backoffMax,
};
this.http = new HttpClient(this.opts.directoryUrl, this.opts.accountKey, this.opts.externalAccountBinding);
this.api = new AcmeApi(this.http, this.opts.accountUrl);
}
/**
* Get Terms of Service URL if available
*
@@ -128,7 +123,6 @@ class AcmeClient {
return this.api.getTermsOfServiceUrl();
}
/**
* Get current account URL
*
@@ -150,7 +144,6 @@ class AcmeClient {
return this.api.getAccountUrl();
}
/**
* Create a new account
*
@@ -162,7 +155,7 @@ class AcmeClient {
* @example Create a new account
* ```js
* const account = await client.createAccount({
* termsOfServiceAgreed: true
* termsOfServiceAgreed: true,
* });
* ```
*
@@ -170,7 +163,7 @@ class AcmeClient {
* ```js
* const account = await client.createAccount({
* termsOfServiceAgreed: true,
* contact: ['mailto:test@example.com']
* contact: ['mailto:test@example.com'],
* });
* ```
*/
@@ -196,7 +189,6 @@ class AcmeClient {
}
}
/**
* Update existing account
*
@@ -208,7 +200,7 @@ class AcmeClient {
* @example Update existing account
* ```js
* const account = await client.updateAccount({
* contact: ['mailto:foo@example.com']
* contact: ['mailto:foo@example.com'],
* });
* ```
*/
@@ -236,7 +228,6 @@ class AcmeClient {
return resp.data;
}
/**
* Update account private key
*
@@ -282,7 +273,6 @@ class AcmeClient {
return resp.data;
}
/**
* Create a new order
*
@@ -296,8 +286,8 @@ class AcmeClient {
* const order = await client.createOrder({
* identifiers: [
* { type: 'dns', value: 'example.com' },
* { type: 'dns', value: 'test.example.com' }
* ]
* { type: 'dns', value: 'test.example.com' },
* ],
* });
* ```
*/
@@ -314,7 +304,6 @@ class AcmeClient {
return resp.data;
}
/**
* Refresh order object from CA
*
@@ -376,7 +365,6 @@ class AcmeClient {
return resp.data;
}
/**
* Get identifier authorizations from order
*
@@ -406,7 +394,6 @@ class AcmeClient {
}));
}
/**
* Deactivate identifier authorization
*
@@ -427,10 +414,7 @@ class AcmeClient {
throw new Error('Unable to deactivate identifier authorization, URL not found');
}
const data = {
status: 'deactivated'
};
const data = { status: 'deactivated' };
const resp = await this.api.updateAuthorization(authz.url, data);
/* Add URL to response */
@@ -438,7 +422,6 @@ class AcmeClient {
return resp.data;
}
/**
* Get key authorization for ACME challenge
*
@@ -480,7 +463,6 @@ class AcmeClient {
throw new Error(`Unable to produce key authorization, unknown challenge type: ${challenge.type}`);
}
/**
* Verify that ACME challenge is satisfied
*
@@ -515,7 +497,6 @@ class AcmeClient {
return util.retry(verifyFn, this.backoffOpts);
}
/**
* Notify CA that challenge has been completed
*
@@ -536,7 +517,6 @@ class AcmeClient {
return resp.data;
}
/**
* Wait for ACME provider to verify status on a order, authorization or challenge
*
@@ -593,7 +573,6 @@ class AcmeClient {
return util.retry(verifyFn, this.backoffOpts);
}
/**
* Get certificate from ACME order
*
@@ -640,7 +619,6 @@ class AcmeClient {
return resp.data;
}
/**
* Revoke certificate
*
@@ -660,7 +638,7 @@ class AcmeClient {
* ```js
* const certificate = { ... }; // Previously created certificate
* const result = await client.revokeCertificate(certificate, {
* reason: 4
* reason: 4,
* });
* ```
*/
@@ -671,7 +649,6 @@ class AcmeClient {
return resp.data;
}
/**
* Auto mode
*
@@ -689,7 +666,7 @@ class AcmeClient {
* @example Order a certificate using auto mode
* ```js
* const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
* commonName: 'test.example.com'
* altNames: ['test.example.com'],
* });
*
* const certificate = await client.auto({
@@ -701,14 +678,14 @@ class AcmeClient {
* },
* challengeRemoveFn: async (authz, challenge, keyAuthorization) => {
* // Clean up challenge here
* }
* },
* });
* ```
*
* @example Order a certificate using auto mode with preferred chain
* ```js
* const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
* commonName: 'test.example.com'
* altNames: ['test.example.com'],
* });
*
* const certificate = await client.auto({
@@ -717,7 +694,7 @@ class AcmeClient {
* termsOfServiceAgreed: true,
* preferredChain: 'DST Root CA X3',
* challengeCreateFn: async () => {},
* challengeRemoveFn: async () => {}
* challengeRemoveFn: async () => {},
* });
* ```
*/
@@ -727,6 +704,5 @@ class AcmeClient {
}
}
/* Export client */
module.exports = AcmeClient;
packages/core/acme-client/src/crypto/forge.js
+18 -31
View File
@@ -13,7 +13,6 @@ const forge = require('node-forge');
const generateKeyPair = promisify(forge.pki.rsa.generateKeyPair);
/**
* Attempt to parse forge object from PEM encoded string
*
@@ -54,7 +53,6 @@ function forgeObjectFromPem(input) {
return result;
}
/**
* Parse domain names from a certificate or CSR
*
@@ -93,11 +91,10 @@ function parseDomains(obj) {
return {
commonName,
altNames
altNames,
};
}
/**
* Generate a private RSA key
*
@@ -123,7 +120,6 @@ async function createPrivateKey(size = 2048) {
exports.createPrivateKey = createPrivateKey;
/**
* Create public key from a private RSA key
*
@@ -136,14 +132,13 @@ exports.createPrivateKey = createPrivateKey;
* ```
*/
exports.createPublicKey = async function(key) {
exports.createPublicKey = async (key) => {
const privateKey = forge.pki.privateKeyFromPem(key);
const publicKey = forge.pki.rsa.setPublicKey(privateKey.n, privateKey.e);
const pemKey = forge.pki.publicKeyToPem(publicKey);
return Buffer.from(pemKey);
};
/**
* Parse body of PEM encoded object from buffer or string
* If multiple objects are chained, the first body will be returned
@@ -157,7 +152,6 @@ exports.getPemBody = (str) => {
return forge.util.encode64(msg.body);
};
/**
* Split chain of PEM encoded objects from buffer or string into array
*
@@ -167,7 +161,6 @@ exports.getPemBody = (str) => {
exports.splitPemChain = (str) => forge.pem.decode(str).map(forge.pem.encode);
/**
* Get modulus
*
@@ -182,7 +175,7 @@ exports.splitPemChain = (str) => forge.pem.decode(str).map(forge.pem.encode);
* ```
*/
exports.getModulus = async function(input) {
exports.getModulus = async (input) => {
if (!Buffer.isBuffer(input)) {
input = Buffer.from(input);
}
@@ -191,7 +184,6 @@ exports.getModulus = async function(input) {
return Buffer.from(forge.util.hexToBytes(obj.n.toString(16)), 'binary');
};
/**
* Get public exponent
*
@@ -206,7 +198,7 @@ exports.getModulus = async function(input) {
* ```
*/
exports.getPublicExponent = async function(input) {
exports.getPublicExponent = async (input) => {
if (!Buffer.isBuffer(input)) {
input = Buffer.from(input);
}
@@ -215,7 +207,6 @@ exports.getPublicExponent = async function(input) {
return Buffer.from(forge.util.hexToBytes(obj.e.toString(16)), 'binary');
};
/**
* Read domains from a Certificate Signing Request
*
@@ -231,7 +222,7 @@ exports.getPublicExponent = async function(input) {
* ```
*/
exports.readCsrDomains = async function(csr) {
exports.readCsrDomains = async (csr) => {
if (!Buffer.isBuffer(csr)) {
csr = Buffer.from(csr);
}
@@ -240,7 +231,6 @@ exports.readCsrDomains = async function(csr) {
return parseDomains(obj);
};
/**
* Read information from a certificate
*
@@ -260,7 +250,7 @@ exports.readCsrDomains = async function(csr) {
* ```
*/
exports.readCertificateInfo = async function(cert) {
exports.readCertificateInfo = async (cert) => {
if (!Buffer.isBuffer(cert)) {
cert = Buffer.from(cert);
}
@@ -270,15 +260,14 @@ exports.readCertificateInfo = async function(cert) {
return {
issuer: {
commonName: issuerCn ? issuerCn.value : null
commonName: issuerCn ? issuerCn.value : null,
},
domains: parseDomains(obj),
notAfter: obj.validity.notAfter,
notBefore: obj.validity.notBefore
notBefore: obj.validity.notBefore,
};
};
/**
* Determine ASN.1 type for CSR subject short name
* Note: https://datatracker.ietf.org/doc/html/rfc5280
@@ -299,7 +288,6 @@ function getCsrValueTagClass(shortName) {
}
}
/**
* Create array of short names and values for Certificate Signing Request subjects
*
@@ -319,7 +307,6 @@ function createCsrSubject(subjectObj) {
}, []);
}
/**
* Create array of alt names for Certificate Signing Requests
* Note: https://github.com/digitalbazaar/forge/blob/dfdde475677a8a25c851e33e8f81dca60d90cfb9/lib/x509.js#L1444-L1454
@@ -336,7 +323,6 @@ function formatCsrAltNames(altNames) {
});
}
/**
* Create a Certificate Signing Request
*
@@ -356,29 +342,30 @@ function formatCsrAltNames(altNames) {
* @example Create a Certificate Signing Request
* ```js
* const [certificateKey, certificateRequest] = await acme.forge.createCsr({
* commonName: 'test.example.com'
* altNames: ['test.example.com'],
* });
* ```
*
* @example Certificate Signing Request with both common and alternative names
* > *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
* ```js
* const [certificateKey, certificateRequest] = await acme.forge.createCsr({
* keySize: 4096,
* commonName: 'test.example.com',
* altNames: ['foo.example.com', 'bar.example.com']
* altNames: ['foo.example.com', 'bar.example.com'],
* });
* ```
*
* @example Certificate Signing Request with additional information
* ```js
* const [certificateKey, certificateRequest] = await acme.forge.createCsr({
* commonName: 'test.example.com',
* altNames: ['test.example.com'],
* country: 'US',
* state: 'California',
* locality: 'Los Angeles',
* organization: 'The Company Inc.',
* organizationUnit: 'IT Department',
* emailAddress: 'contact@example.com'
* emailAddress: 'contact@example.com',
* });
* ```
*
@@ -387,11 +374,11 @@ function formatCsrAltNames(altNames) {
* const certificateKey = await acme.forge.createPrivateKey();
*
* const [, certificateRequest] = await acme.forge.createCsr({
* commonName: 'test.example.com'
* altNames: ['test.example.com'],
* }, certificateKey);
*/
exports.createCsr = async function(data, key = null) {
exports.createCsr = async (data, key = null) => {
if (!key) {
key = await createPrivateKey(data.keySize);
}
@@ -423,7 +410,7 @@ exports.createCsr = async function(data, key = null) {
L: data.locality,
O: data.organization,
OU: data.organizationUnit,
E: data.emailAddress
E: data.emailAddress,
});
csr.setSubject(subject);
@@ -434,8 +421,8 @@ exports.createCsr = async function(data, key = null) {
name: 'extensionRequest',
extensions: [{
name: 'subjectAltName',
altNames: formatCsrAltNames(data.altNames)
}]
altNames: formatCsrAltNames(data.altNames),
}],
}]);
}
packages/core/acme-client/src/crypto/index.js
+25 -40
View File
@@ -22,7 +22,6 @@ const subjectAltNameOID = '2.5.29.17';
/* id-pe-acmeIdentifier - https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
/**
* Determine key type and info by attempting to derive public key
*
@@ -35,7 +34,7 @@ function getKeyInfo(keyPem) {
const result = {
isRSA: false,
isECDSA: false,
publicKey: crypto.createPublicKey(keyPem)
publicKey: crypto.createPublicKey(keyPem),
};
if (result.publicKey.asymmetricKeyType === 'rsa') {
@@ -51,7 +50,6 @@ function getKeyInfo(keyPem) {
return result;
}
/**
* Generate a private RSA key
*
@@ -74,8 +72,8 @@ async function createPrivateRsaKey(modulusLength = 2048) {
modulusLength,
privateKeyEncoding: {
type: 'pkcs8',
format: 'pem'
}
format: 'pem',
},
});
return Buffer.from(pair.privateKey);
@@ -83,7 +81,6 @@ async function createPrivateRsaKey(modulusLength = 2048) {
exports.createPrivateRsaKey = createPrivateRsaKey;
/**
* Alias of `createPrivateRsaKey()`
*
@@ -92,7 +89,6 @@ exports.createPrivateRsaKey = createPrivateRsaKey;
exports.createPrivateKey = createPrivateRsaKey;
/**
* Generate a private ECDSA key
*
@@ -115,14 +111,13 @@ exports.createPrivateEcdsaKey = async (namedCurve = 'P-256') => {
namedCurve,
privateKeyEncoding: {
type: 'pkcs8',
format: 'pem'
}
format: 'pem',
},
});
return Buffer.from(pair.privateKey);
};
/**
* Get a public key derived from a RSA or ECDSA key
*
@@ -140,13 +135,12 @@ exports.getPublicKey = (keyPem) => {
const publicKey = info.publicKey.export({
type: info.isECDSA ? 'spki' : 'pkcs1',
format: 'pem'
format: 'pem',
});
return Buffer.from(publicKey);
};
/**
* Get a JSON Web Key derived from a RSA or ECDSA key
*
@@ -163,7 +157,7 @@ exports.getPublicKey = (keyPem) => {
function getJwk(keyPem) {
const jwk = crypto.createPublicKey(keyPem).export({
format: 'jwk'
format: 'jwk',
});
/* Sort keys */
@@ -175,7 +169,6 @@ function getJwk(keyPem) {
exports.getJwk = getJwk;
/**
* Produce CryptoKeyPair and signing algorithm from a PEM encoded private key
*
@@ -191,7 +184,7 @@ async function getWebCryptoKeyPair(keyPem) {
/* Signing algorithm */
const sigalg = {
name: 'RSASSA-PKCS1-v1_5',
hash: { name: 'SHA-256' }
hash: { name: 'SHA-256' },
};
if (info.isECDSA) {
@@ -215,7 +208,6 @@ async function getWebCryptoKeyPair(keyPem) {
return [{ privateKey, publicKey }, sigalg];
}
/**
* Split chain of PEM encoded objects from string into array
*
@@ -235,7 +227,6 @@ function splitPemChain(chainPem) {
exports.splitPemChain = splitPemChain;
/**
* Parse body of PEM encoded object and return a Base64URL string
* If multiple objects are chained, the first body will be returned
@@ -256,7 +247,6 @@ exports.getPemBodyAsB64u = (pem) => {
return Buffer.from(dec).toString('base64url');
};
/**
* Parse domains from a certificate or CSR
*
@@ -277,11 +267,10 @@ function parseDomains(input) {
return {
commonName,
altNames
altNames,
};
}
/**
* Read domains from a Certificate Signing Request
*
@@ -307,7 +296,6 @@ exports.readCsrDomains = (csrPem) => {
return parseDomains(csr);
};
/**
* Read information from a certificate
* If multiple certificates are chained, the first will be read
@@ -338,15 +326,14 @@ exports.readCertificateInfo = (certPem) => {
return {
issuer: {
commonName: cert.issuerName.getField('CN').pop() || null
commonName: cert.issuerName.getField('CN').pop() || null,
},
domains: parseDomains(cert),
notBefore: cert.notBefore,
notAfter: cert.notAfter
notAfter: cert.notAfter,
};
};
/**
* Determine ASN.1 character string type for CSR subject field name
*
@@ -369,7 +356,6 @@ function getCsrAsn1CharStringType(field) {
}
}
/**
* Create array of subject fields for a Certificate Signing Request
*
@@ -391,7 +377,6 @@ function createCsrSubject(input) {
}, []);
}
/**
* Create x509 subject alternate name extension
*
@@ -409,7 +394,6 @@ function createSubjectAltNameExtension(altNames) {
}));
}
/**
* Create a Certificate Signing Request
*
@@ -429,29 +413,30 @@ function createSubjectAltNameExtension(altNames) {
* @example Create a Certificate Signing Request
* ```js
* const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
* commonName: 'test.example.com'
* altNames: ['test.example.com'],
* });
* ```
*
* @example Certificate Signing Request with both common and alternative names
* > *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
* ```js
* const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
* keySize: 4096,
* commonName: 'test.example.com',
* altNames: ['foo.example.com', 'bar.example.com']
* altNames: ['foo.example.com', 'bar.example.com'],
* });
* ```
*
* @example Certificate Signing Request with additional information
* ```js
* const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
* commonName: 'test.example.com',
* altNames: ['test.example.com'],
* country: 'US',
* state: 'California',
* locality: 'Los Angeles',
* organization: 'The Company Inc.',
* organizationUnit: 'IT Department',
* emailAddress: 'contact@example.com'
* emailAddress: 'contact@example.com',
* });
* ```
*
@@ -460,8 +445,9 @@ function createSubjectAltNameExtension(altNames) {
* const certificateKey = await acme.crypto.createPrivateEcdsaKey();
*
* const [, certificateRequest] = await acme.crypto.createCsr({
* commonName: 'test.example.com'
* altNames: ['test.example.com'],
* }, certificateKey);
* ```
*/
exports.createCsr = async (data, keyPem = null) => {
@@ -489,7 +475,7 @@ exports.createCsr = async (data, keyPem = null) => {
new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment), // eslint-disable-line no-bitwise
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
createSubjectAltNameExtension(data.altNames)
createSubjectAltNameExtension(data.altNames),
];
/* Create CSR */
@@ -504,8 +490,8 @@ exports.createCsr = async (data, keyPem = null) => {
L: data.locality,
O: data.organization,
OU: data.organizationUnit,
E: data.emailAddress
})
E: data.emailAddress,
}),
});
/* Done */
@@ -513,7 +499,6 @@ exports.createCsr = async (data, keyPem = null) => {
return [keyPem, Buffer.from(pem)];
};
/**
* Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
*
@@ -533,6 +518,7 @@ exports.createCsr = async (data, keyPem = null) => {
* ```js
* const alpnKey = await acme.crypto.createPrivateEcdsaKey();
* const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
* ```
*/
exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) => {
@@ -564,7 +550,7 @@ exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) =
await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
createSubjectAltNameExtension([commonName])
createSubjectAltNameExtension([commonName]),
];
/* ALPN extension */
@@ -581,8 +567,8 @@ exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) =
notBefore: now,
notAfter: now,
name: createCsrSubject({
CN: commonName
})
CN: commonName,
}),
});
/* Done */
@@ -590,7 +576,6 @@ exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) =
return [keyPem, Buffer.from(pem)];
};
/**
* Validate that a ALPN certificate contains the expected key authorization
*
packages/core/acme-client/src/http.js
+3 -14
View File
@@ -40,7 +40,6 @@ class HttpClient {
this.jwk = null;
}
/**
* HTTP request
*
@@ -70,7 +69,6 @@ class HttpClient {
return resp;
}
/**
* Ensure provider directory exists
*
@@ -95,7 +93,6 @@ class HttpClient {
}
}
/**
* Get JSON Web Key
*
@@ -110,7 +107,6 @@ class HttpClient {
return this.jwk;
}
/**
* Get nonce from directory API endpoint
*
@@ -130,7 +126,6 @@ class HttpClient {
return resp.headers['replay-nonce'];
}
/**
* Get URL for a directory resource
*
@@ -148,7 +143,6 @@ class HttpClient {
return this.directory[resource];
}
/**
* Get directory meta field
*
@@ -166,7 +160,6 @@ class HttpClient {
return null;
}
/**
* Prepare HTTP request body for signature
*
@@ -199,11 +192,10 @@ class HttpClient {
/* Body */
return {
payload: payload ? Buffer.from(JSON.stringify(payload)).toString('base64url') : '',
protected: Buffer.from(JSON.stringify(header)).toString('base64url')
protected: Buffer.from(JSON.stringify(header)).toString('base64url'),
};
}
/**
* Create JWS HTTP request body using HMAC
*
@@ -226,7 +218,6 @@ class HttpClient {
return result;
}
/**
* Create JWS HTTP request body using RSA or ECC
*
@@ -267,13 +258,12 @@ class HttpClient {
result.signature = signer.sign({
key: this.accountKey,
padding: RSA_PKCS1_PADDING,
dsaEncoding: 'ieee-p1363'
dsaEncoding: 'ieee-p1363',
}, 'base64url');
return result;
}
/**
* Signed HTTP request
*
@@ -309,7 +299,7 @@ class HttpClient {
const data = this.createSignedBody(url, payload, { nonce, kid });
const resp = await this.request(url, 'post', { data });
/* Retry on bad nonce - https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-10#section-6.4 */
/* Retry on bad nonce - https://datatracker.ietf.org/doc/html/rfc8555#section-6.5 */
if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
nonce = resp.headers['replay-nonce'] || null;
attempts += 1;
@@ -323,6 +313,5 @@ class HttpClient {
}
}
/* Export client */
module.exports = HttpClient;
packages/core/acme-client/src/index.js
+4 -8
View File
@@ -4,7 +4,6 @@
exports.Client = require('./client');
/**
* Directory URLs
*/
@@ -12,18 +11,17 @@ exports.Client = require('./client');
exports.directory = {
buypass: {
staging: 'https://api.test4.buypass.no/acme/directory',
production: 'https://api.buypass.com/acme/directory'
production: 'https://api.buypass.com/acme/directory',
},
letsencrypt: {
staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
production: 'https://acme-v02.api.letsencrypt.org/directory'
production: 'https://acme-v02.api.letsencrypt.org/directory',
},
zerossl: {
production: 'https://acme.zerossl.com/v2/DV90'
}
production: 'https://acme.zerossl.com/v2/DV90',
},
};
/**
* Crypto
*/
@@ -31,14 +29,12 @@ exports.directory = {
exports.crypto = require('./crypto');
exports.forge = require('./crypto/forge');
/**
* Axios
*/
exports.axios = require('./axios');
/**
* Logger
*/
packages/core/acme-client/src/logger.js
+1 -3
View File
@@ -6,7 +6,6 @@ const debug = require('debug')('acme-client');
let logger = () => {};
/**
* Set logger function
*
@@ -17,11 +16,10 @@ exports.setLogger = (fn) => {
logger = fn;
};
/**
* Log message
*
* @param {string} Message
* @param {string} msg Message
*/
exports.log = (msg) => {
packages/core/acme-client/src/util.js
+2 -13
View File
@@ -7,7 +7,6 @@ const dns = require('dns').promises;
const { readCertificateInfo, splitPemChain } = require('./crypto');
const { log } = require('./logger');
/**
* Exponential backoff
*
@@ -26,7 +25,6 @@ class Backoff {
this.attempts = 0;
}
/**
* Get backoff duration
*
@@ -40,7 +38,6 @@ class Backoff {
}
}
/**
* Retry promise
*
@@ -70,7 +67,6 @@ async function retryPromise(fn, attempts, backoff) {
}
}
/**
* Retry promise
*
@@ -87,7 +83,6 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
return retryPromise(fn, attempts, backoff);
}
/**
* Parse URLs from link header
*
@@ -107,7 +102,6 @@ function parseLinkHeader(header, rel = 'alternate') {
return results.filter((r) => r);
}
/**
* Find certificate chain with preferred issuer common name
* - If issuer is found in multiple chains, the closest to root wins
@@ -157,7 +151,6 @@ function findCertificateChainForIssuer(chains, issuer) {
return chains[0];
}
/**
* Find and format error in response object
*
@@ -178,7 +171,6 @@ function formatResponseError(resp) {
return result.replace(/\n/g, '');
}
/**
* Resolve root domain name by looking for SOA record
*
@@ -204,7 +196,6 @@ async function resolveDomainBySoaRecord(recordName) {
}
}
/**
* Get DNS resolver using domains authoritative NS records
*
@@ -245,7 +236,6 @@ async function getAuthoritativeDnsResolver(recordName) {
return resolver;
}
/**
* Attempt to retrieve TLS ALPN certificate from peer
*
@@ -267,7 +257,7 @@ async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
port,
servername: host,
rejectUnauthorized: false,
ALPNProtocols: ['acme-tls/1']
ALPNProtocols: ['acme-tls/1'],
});
socket.setTimeout(timeout);
@@ -299,7 +289,6 @@ async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
});
}
/**
* Export utils
*/
@@ -310,5 +299,5 @@ module.exports = {
findCertificateChainForIssuer,
formatResponseError,
getAuthoritativeDnsResolver,
retrieveTlsAlpnCertificate
retrieveTlsAlpnCertificate,
};
packages/core/acme-client/src/verify.js
+1 -6
View File
@@ -9,7 +9,6 @@ const axios = require('./axios');
const util = require('./util');
const { isAlpnCertificateAuthorizationValid } = require('./crypto');
/**
* Verify ACME HTTP challenge
*
@@ -43,7 +42,6 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
return true;
}
/**
* Walk DNS until TXT records are found
*/
@@ -81,7 +79,6 @@ async function walkDnsChallengeRecord(recordName, resolver = dns) {
throw new Error(`No TXT records found for name: ${recordName}`);
}
/**
* Verify ACME DNS challenge
*
@@ -121,7 +118,6 @@ async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '
return true;
}
/**
* Verify ACME TLS ALPN challenge
*
@@ -149,7 +145,6 @@ async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
return true;
}
/**
* Export API
*/
@@ -157,5 +152,5 @@ async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
module.exports = {
'http-01': verifyHttpChallenge,
'dns-01': verifyDnsChallenge,
'tls-alpn-01': verifyTlsAlpnChallenge
'tls-alpn-01': verifyTlsAlpnChallenge,
};