lego/acme/api/certificate.go

133 lines
3.6 KiB
Go
Raw Normal View History

2019-03-11 16:56:48 +00:00
package api
import (
"crypto/x509"
"encoding/pem"
"errors"
2021-08-25 09:44:11 +00:00
"io"
"net/http"
2020-09-02 01:20:01 +00:00
"github.com/go-acme/lego/v4/acme"
"github.com/go-acme/lego/v4/certcrypto"
"github.com/go-acme/lego/v4/log"
)
// maxBodySize is the maximum size of body that we will read.
const maxBodySize = 1024 * 1024
type CertificateService service
// Get Returns the certificate and the issuer certificate.
// 'bundle' is only applied if the issuer is provided by the 'up' link.
func (c *CertificateService) Get(certURL string, bundle bool) ([]byte, []byte, error) {
2020-11-21 19:24:11 +00:00
cert, _, err := c.get(certURL, bundle)
if err != nil {
return nil, nil, err
}
2020-11-21 19:24:11 +00:00
return cert.Cert, cert.Issuer, nil
}
2020-11-21 19:24:11 +00:00
// GetAll the certificates and the alternate certificates.
// bundle' is only applied if the issuer is provided by the 'up' link.
func (c *CertificateService) GetAll(certURL string, bundle bool) (map[string]*acme.RawCertificate, error) {
cert, headers, err := c.get(certURL, bundle)
if err != nil {
2020-11-21 19:24:11 +00:00
return nil, err
}
certs := map[string]*acme.RawCertificate{certURL: cert}
// URLs of "alternate" link relation
// - https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
2020-11-21 19:24:11 +00:00
alts := getLinks(headers, "alternate")
for _, alt := range alts {
altCert, _, err := c.get(alt, bundle)
if err != nil {
return nil, err
}
2020-11-21 19:24:11 +00:00
certs[alt] = altCert
}
2020-11-21 19:24:11 +00:00
return certs, nil
}
// Revoke Revokes a certificate.
func (c *CertificateService) Revoke(req acme.RevokeCertMessage) error {
_, err := c.core.post(c.core.GetDirectory().RevokeCertURL, req, nil)
return err
}
// get Returns the certificate and the "up" link.
2020-11-21 19:24:11 +00:00
func (c *CertificateService) get(certURL string, bundle bool) (*acme.RawCertificate, http.Header, error) {
2021-03-04 19:16:59 +00:00
if certURL == "" {
2020-11-21 19:24:11 +00:00
return nil, nil, errors.New("certificate[get]: empty URL")
}
resp, err := c.core.postAsGet(certURL, nil)
if err != nil {
2020-11-21 19:24:11 +00:00
return nil, nil, err
}
2021-08-25 09:44:11 +00:00
data, err := io.ReadAll(http.MaxBytesReader(nil, resp.Body, maxBodySize))
if err != nil {
2020-11-21 19:24:11 +00:00
return nil, resp.Header, err
}
cert := c.getCertificateChain(data, resp.Header, bundle, certURL)
return cert, resp.Header, err
}
// getCertificateChain Returns the certificate and the issuer certificate.
func (c *CertificateService) getCertificateChain(cert []byte, headers http.Header, bundle bool, certURL string) *acme.RawCertificate {
// Get issuerCert from bundled response from Let's Encrypt
// See https://community.letsencrypt.org/t/acme-v2-no-up-link-in-response/64962
_, issuer := pem.Decode(cert)
if issuer != nil {
return &acme.RawCertificate{Cert: cert, Issuer: issuer}
}
// The issuer certificate link may be supplied via an "up" link
// in the response headers of a new certificate.
// See https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
2020-11-21 19:24:11 +00:00
up := getLink(headers, "up")
issuer, err := c.getIssuerFromLink(up)
if err != nil {
// If we fail to acquire the issuer cert, return the issued certificate - do not fail.
log.Warnf("acme: Could not bundle issuer certificate [%s]: %v", certURL, err)
} else if len(issuer) > 0 {
// If bundle is true, we want to return a certificate bundle.
// To do this, we append the issuer cert to the issued cert.
if bundle {
cert = append(cert, issuer...)
}
}
2020-11-21 19:24:11 +00:00
return &acme.RawCertificate{Cert: cert, Issuer: issuer}
}
2020-05-08 17:35:25 +00:00
// getIssuerFromLink requests the issuer certificate.
func (c *CertificateService) getIssuerFromLink(up string) ([]byte, error) {
2021-03-04 19:16:59 +00:00
if up == "" {
return nil, nil
}
log.Infof("acme: Requesting issuer cert from %s", up)
2020-11-21 19:24:11 +00:00
cert, _, err := c.get(up, false)
if err != nil {
return nil, err
}
2020-11-21 19:24:11 +00:00
_, err = x509.ParseCertificate(cert.Cert)
if err != nil {
return nil, err
}
2020-11-21 19:24:11 +00:00
return certcrypto.PEMEncode(certcrypto.DERCertificateBytes(cert.Cert)), nil
}