certificates/acme/order.go

227 lines
6.6 KiB
Go
Raw Normal View History

2021-02-28 18:09:06 +00:00
package acme
2019-05-27 00:41:10 +00:00
import (
"context"
"crypto/x509"
"encoding/json"
"sort"
"strings"
2019-05-27 00:41:10 +00:00
"time"
"github.com/smallstep/certificates/authority/provisioner"
"go.step.sm/crypto/x509util"
2019-05-27 00:41:10 +00:00
)
2021-03-01 06:49:20 +00:00
// Identifier encodes the type that an order pertains to.
type Identifier struct {
Type string `json:"type"`
Value string `json:"value"`
}
2019-05-27 00:41:10 +00:00
// Order contains order metadata for the ACME protocol order type.
type Order struct {
2021-03-03 23:16:25 +00:00
Status Status `json:"status"`
Expires time.Time `json:"expires,omitempty"`
Identifiers []Identifier `json:"identifiers"`
NotBefore time.Time `json:"notBefore,omitempty"`
NotAfter time.Time `json:"notAfter,omitempty"`
Error interface{} `json:"error,omitempty"`
AuthorizationIDs []string `json:"-"`
2021-03-05 07:10:46 +00:00
AuthorizationURLs []string `json:"authorizations"`
2021-03-03 23:16:25 +00:00
FinalizeURL string `json:"finalize"`
2021-03-05 07:10:46 +00:00
CertificateID string `json:"-"`
CertificateURL string `json:"certificate,omitempty"`
2021-03-03 23:16:25 +00:00
ID string `json:"-"`
AccountID string `json:"-"`
ProvisionerID string `json:"-"`
DefaultDuration time.Duration `json:"-"`
Backdate time.Duration `json:"-"`
2019-05-27 00:41:10 +00:00
}
// ToLog enables response logging.
func (o *Order) ToLog() (interface{}, error) {
b, err := json.Marshal(o)
if err != nil {
2021-03-05 07:10:46 +00:00
return nil, WrapErrorISE(err, "error marshaling order for logging")
2019-05-27 00:41:10 +00:00
}
return string(b), nil
}
2021-02-28 01:05:37 +00:00
// UpdateStatus updates the ACME Order Status if necessary.
// Changes to the order are saved using the database interface.
func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
now := time.Now().UTC()
2019-05-27 00:41:10 +00:00
switch o.Status {
case StatusInvalid:
2021-02-28 01:05:37 +00:00
return nil
2019-05-27 00:41:10 +00:00
case StatusValid:
2021-02-28 01:05:37 +00:00
return nil
2019-05-27 00:41:10 +00:00
case StatusReady:
2021-02-28 01:05:37 +00:00
// Check expiry
2021-03-03 23:16:25 +00:00
if now.After(o.Expires) {
2021-02-28 01:05:37 +00:00
o.Status = StatusInvalid
2021-03-01 07:33:18 +00:00
o.Error = NewError(ErrorMalformedType, "order has expired")
2019-05-27 00:41:10 +00:00
break
}
2021-02-28 01:05:37 +00:00
return nil
2019-05-27 00:41:10 +00:00
case StatusPending:
2021-02-28 01:05:37 +00:00
// Check expiry
2021-03-03 23:16:25 +00:00
if now.After(o.Expires) {
2021-02-28 01:05:37 +00:00
o.Status = StatusInvalid
2021-03-01 07:33:18 +00:00
o.Error = NewError(ErrorMalformedType, "order has expired")
2019-05-27 00:41:10 +00:00
break
}
2021-03-01 06:49:20 +00:00
var count = map[Status]int{
2019-05-27 00:41:10 +00:00
StatusValid: 0,
StatusInvalid: 0,
StatusPending: 0,
}
2021-03-03 23:16:25 +00:00
for _, azID := range o.AuthorizationIDs {
2021-02-28 01:05:37 +00:00
az, err := db.GetAuthorization(ctx, azID)
2019-05-27 00:41:10 +00:00
if err != nil {
2021-03-01 06:49:20 +00:00
return err
2019-05-27 00:41:10 +00:00
}
2021-03-01 06:49:20 +00:00
if err = az.UpdateStatus(ctx, db); err != nil {
return err
2019-05-27 00:41:10 +00:00
}
2021-02-28 01:05:37 +00:00
st := az.Status
2019-05-27 00:41:10 +00:00
count[st]++
}
switch {
case count[StatusInvalid] > 0:
2021-02-28 01:05:37 +00:00
o.Status = StatusInvalid
// No change in the order status, so just return the order as is -
// without writing any changes.
2019-05-27 00:41:10 +00:00
case count[StatusPending] > 0:
2021-02-28 01:05:37 +00:00
return nil
2021-03-03 23:16:25 +00:00
case count[StatusValid] == len(o.AuthorizationIDs):
2021-02-28 01:05:37 +00:00
o.Status = StatusReady
2019-05-27 00:41:10 +00:00
default:
2021-03-03 23:16:25 +00:00
return NewErrorISE("unexpected authz status")
2019-05-27 00:41:10 +00:00
}
default:
2021-03-03 23:16:25 +00:00
return NewErrorISE("unrecognized order status: %s", o.Status)
2019-05-27 00:41:10 +00:00
}
2021-02-28 01:05:37 +00:00
return db.UpdateOrder(ctx, o)
2019-05-27 00:41:10 +00:00
}
2021-03-01 06:49:20 +00:00
// Finalize signs a certificate if the necessary conditions for Order completion
2019-05-27 00:41:10 +00:00
// have been met.
2021-03-05 07:10:46 +00:00
func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error {
2021-03-01 06:49:20 +00:00
if err := o.UpdateStatus(ctx, db); err != nil {
return err
2019-05-27 00:41:10 +00:00
}
2019-05-27 00:41:10 +00:00
switch o.Status {
case StatusInvalid:
2021-03-01 07:33:18 +00:00
return NewError(ErrorOrderNotReadyType, "order %s has been abandoned", o.ID)
2019-05-27 00:41:10 +00:00
case StatusValid:
2021-02-28 01:05:37 +00:00
return nil
2019-05-27 00:41:10 +00:00
case StatusPending:
2021-03-01 07:33:18 +00:00
return NewError(ErrorOrderNotReadyType, "order %s is not ready", o.ID)
2019-05-27 00:41:10 +00:00
case StatusReady:
break
default:
2021-03-03 23:16:25 +00:00
return NewErrorISE("unexpected status %s for order %s", o.Status, o.ID)
2019-05-27 00:41:10 +00:00
}
// RFC8555: The CSR MUST indicate the exact same set of requested
// identifiers as the initial newOrder request. Identifiers of type "dns"
// MUST appear either in the commonName portion of the requested subject
// name or in an extensionRequest attribute [RFC2985] requesting a
// subjectAltName extension, or both.
if csr.Subject.CommonName != "" {
csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
2019-05-27 00:41:10 +00:00
}
2021-03-01 06:49:20 +00:00
csr.DNSNames = uniqueSortedLowerNames(csr.DNSNames)
orderNames := make([]string, len(o.Identifiers))
for i, n := range o.Identifiers {
orderNames[i] = n.Value
2019-05-27 00:41:10 +00:00
}
2021-02-28 01:05:37 +00:00
orderNames = uniqueSortedLowerNames(orderNames)
// Validate identifier names against CSR alternative names.
//
2020-07-31 17:45:59 +00:00
// Note that with certificate templates we are not going to check for the
// absence of other SANs as they will only be set if the templates allows
// them.
if len(csr.DNSNames) != len(orderNames) {
2021-03-01 07:33:18 +00:00
return NewError(ErrorBadCSRType, "CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v", csr.DNSNames, orderNames)
}
sans := make([]x509util.SubjectAlternativeName, len(csr.DNSNames))
for i := range csr.DNSNames {
if csr.DNSNames[i] != orderNames[i] {
2021-03-01 07:33:18 +00:00
return NewError(ErrorBadCSRType, "CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v", csr.DNSNames, orderNames)
}
sans[i] = x509util.SubjectAlternativeName{
Type: x509util.DNSType,
Value: csr.DNSNames[i],
}
2020-06-23 18:10:45 +00:00
}
2019-05-27 00:41:10 +00:00
// Get authorizations from the ACME provisioner.
2021-03-01 06:49:20 +00:00
ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
2019-05-27 00:41:10 +00:00
signOps, err := p.AuthorizeSign(ctx, "")
if err != nil {
2021-03-05 07:10:46 +00:00
return WrapErrorISE(err, "error retrieving authorization options from ACME provisioner")
2019-05-27 00:41:10 +00:00
}
// Template data
data := x509util.NewTemplateData()
data.SetCommonName(csr.Subject.CommonName)
data.Set(x509util.SANsKey, sans)
templateOptions, err := provisioner.TemplateOptions(p.GetOptions(), data)
if err != nil {
2021-03-05 07:10:46 +00:00
return WrapErrorISE(err, "error creating template options from ACME provisioner")
}
signOps = append(signOps, templateOptions)
2021-03-01 06:49:20 +00:00
// Sign a new certificate.
certChain, err := auth.Sign(csr, provisioner.SignOptions{
2021-03-03 23:16:25 +00:00
NotBefore: provisioner.NewTimeDuration(o.NotBefore),
NotAfter: provisioner.NewTimeDuration(o.NotAfter),
2019-05-27 00:41:10 +00:00
}, signOps...)
if err != nil {
2021-03-05 07:10:46 +00:00
return WrapErrorISE(err, "error signing certificate for order %s", o.ID)
2019-05-27 00:41:10 +00:00
}
2021-03-01 06:49:20 +00:00
cert := &Certificate{
2019-05-27 00:41:10 +00:00
AccountID: o.AccountID,
OrderID: o.ID,
Leaf: certChain[0],
Intermediates: certChain[1:],
2021-03-01 06:49:20 +00:00
}
if err := db.CreateCertificate(ctx, cert); err != nil {
return err
2019-05-27 00:41:10 +00:00
}
2021-03-05 07:10:46 +00:00
o.CertificateID = cert.ID
2021-02-28 01:05:37 +00:00
o.Status = StatusValid
return db.UpdateOrder(ctx, o)
2019-05-27 00:41:10 +00:00
}
2021-02-28 01:05:37 +00:00
// uniqueSortedLowerNames returns the set of all unique names in the input after all
// of them are lowercased. The returned names will be in their lowercased form
// and sorted alphabetically.
2021-02-28 01:05:37 +00:00
func uniqueSortedLowerNames(names []string) (unique []string) {
nameMap := make(map[string]int, len(names))
for _, name := range names {
nameMap[strings.ToLower(name)] = 1
}
unique = make([]string, 0, len(nameMap))
for name := range nameMap {
unique = append(unique, name)
}
sort.Strings(unique)
return
}