forked from TrueCloudLab/lego
42941ccea6
- Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
134 lines
3 KiB
Go
134 lines
3 KiB
Go
package secure
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rsa"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/xenolf/lego/acme/api/internal/nonces"
|
|
"gopkg.in/square/go-jose.v2"
|
|
)
|
|
|
|
// JWS Represents a JWS.
|
|
type JWS struct {
|
|
privKey crypto.PrivateKey
|
|
kid string // Key identifier
|
|
nonces *nonces.Manager
|
|
}
|
|
|
|
// NewJWS Create a new JWS.
|
|
func NewJWS(privateKey crypto.PrivateKey, kid string, nonceManager *nonces.Manager) *JWS {
|
|
return &JWS{
|
|
privKey: privateKey,
|
|
nonces: nonceManager,
|
|
kid: kid,
|
|
}
|
|
}
|
|
|
|
// SetKid Sets a key identifier.
|
|
func (j *JWS) SetKid(kid string) {
|
|
j.kid = kid
|
|
}
|
|
|
|
// SignContent Signs a content with the JWS.
|
|
func (j *JWS) SignContent(url string, content []byte) (*jose.JSONWebSignature, error) {
|
|
var alg jose.SignatureAlgorithm
|
|
switch k := j.privKey.(type) {
|
|
case *rsa.PrivateKey:
|
|
alg = jose.RS256
|
|
case *ecdsa.PrivateKey:
|
|
if k.Curve == elliptic.P256() {
|
|
alg = jose.ES256
|
|
} else if k.Curve == elliptic.P384() {
|
|
alg = jose.ES384
|
|
}
|
|
}
|
|
|
|
signKey := jose.SigningKey{
|
|
Algorithm: alg,
|
|
Key: jose.JSONWebKey{Key: j.privKey, KeyID: j.kid},
|
|
}
|
|
|
|
options := jose.SignerOptions{
|
|
NonceSource: j.nonces,
|
|
ExtraHeaders: map[jose.HeaderKey]interface{}{
|
|
"url": url,
|
|
},
|
|
}
|
|
|
|
if j.kid == "" {
|
|
options.EmbedJWK = true
|
|
}
|
|
|
|
signer, err := jose.NewSigner(signKey, &options)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create jose signer -> %v", err)
|
|
}
|
|
|
|
signed, err := signer.Sign(content)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to sign content -> %v", err)
|
|
}
|
|
return signed, nil
|
|
}
|
|
|
|
// SignEABContent Signs an external account binding content with the JWS.
|
|
func (j *JWS) SignEABContent(url, kid string, hmac []byte) (*jose.JSONWebSignature, error) {
|
|
jwk := jose.JSONWebKey{Key: j.privKey}
|
|
jwkJSON, err := jwk.Public().MarshalJSON()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("acme: error encoding eab jwk key: %v", err)
|
|
}
|
|
|
|
signer, err := jose.NewSigner(
|
|
jose.SigningKey{Algorithm: jose.HS256, Key: hmac},
|
|
&jose.SignerOptions{
|
|
EmbedJWK: false,
|
|
ExtraHeaders: map[jose.HeaderKey]interface{}{
|
|
"kid": kid,
|
|
"url": url,
|
|
},
|
|
},
|
|
)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create External Account Binding jose signer -> %v", err)
|
|
}
|
|
|
|
signed, err := signer.Sign(jwkJSON)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to External Account Binding sign content -> %v", err)
|
|
}
|
|
|
|
return signed, nil
|
|
}
|
|
|
|
// GetKeyAuthorization Gets the key authorization for a token.
|
|
func (j *JWS) GetKeyAuthorization(token string) (string, error) {
|
|
var publicKey crypto.PublicKey
|
|
switch k := j.privKey.(type) {
|
|
case *ecdsa.PrivateKey:
|
|
publicKey = k.Public()
|
|
case *rsa.PrivateKey:
|
|
publicKey = k.Public()
|
|
}
|
|
|
|
// Generate the Key Authorization for the challenge
|
|
jwk := &jose.JSONWebKey{Key: publicKey}
|
|
if jwk == nil {
|
|
return "", errors.New("could not generate JWK from key")
|
|
}
|
|
|
|
thumbBytes, err := jwk.Thumbprint(crypto.SHA256)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// unpad the base64URL
|
|
keyThumb := base64.RawURLEncoding.EncodeToString(thumbBytes)
|
|
|
|
return token + "." + keyThumb, nil
|
|
}
|