2015-06-11 22:13:43 +00:00
|
|
|
package acme
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
2016-01-27 01:01:39 +00:00
|
|
|
"crypto"
|
2015-10-23 14:24:02 +00:00
|
|
|
"crypto/ecdsa"
|
2016-01-27 01:01:39 +00:00
|
|
|
"crypto/elliptic"
|
2015-06-11 22:13:43 +00:00
|
|
|
"crypto/rsa"
|
2015-09-26 17:45:52 +00:00
|
|
|
"fmt"
|
2015-06-11 22:13:43 +00:00
|
|
|
"net/http"
|
|
|
|
|
2016-03-27 19:38:49 +00:00
|
|
|
"gopkg.in/square/go-jose.v1"
|
2016-04-11 04:03:21 +00:00
|
|
|
"errors"
|
2015-06-11 22:13:43 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type jws struct {
|
2015-11-12 01:55:28 +00:00
|
|
|
directoryURL string
|
2016-01-27 01:01:39 +00:00
|
|
|
privKey crypto.PrivateKey
|
2015-11-12 01:55:28 +00:00
|
|
|
nonces []string
|
2015-06-11 22:13:43 +00:00
|
|
|
}
|
|
|
|
|
2015-11-12 01:06:22 +00:00
|
|
|
func keyAsJWK(key interface{}) *jose.JsonWebKey {
|
|
|
|
switch k := key.(type) {
|
|
|
|
case *ecdsa.PublicKey:
|
|
|
|
return &jose.JsonWebKey{Key: k, Algorithm: "EC"}
|
|
|
|
case *rsa.PublicKey:
|
|
|
|
return &jose.JsonWebKey{Key: k, Algorithm: "RSA"}
|
|
|
|
|
|
|
|
default:
|
|
|
|
return nil
|
2015-10-23 14:24:02 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-06-11 22:13:43 +00:00
|
|
|
// Posts a JWS signed message to the specified URL
|
|
|
|
func (j *jws) post(url string, content []byte) (*http.Response, error) {
|
2015-09-26 17:45:52 +00:00
|
|
|
signedContent, err := j.signContent(content)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2015-12-30 22:01:21 +00:00
|
|
|
resp, err := httpPost(url, "application/jose+json", bytes.NewBuffer([]byte(signedContent.FullSerialize())))
|
2015-09-26 17:45:52 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
j.getNonceFromResponse(resp)
|
|
|
|
|
|
|
|
return resp, err
|
|
|
|
}
|
|
|
|
|
|
|
|
func (j *jws) signContent(content []byte) (*jose.JsonWebSignature, error) {
|
2016-01-27 01:01:39 +00:00
|
|
|
|
|
|
|
var alg jose.SignatureAlgorithm
|
|
|
|
switch k := j.privKey.(type) {
|
|
|
|
case *rsa.PrivateKey:
|
|
|
|
alg = jose.RS256
|
|
|
|
case *ecdsa.PrivateKey:
|
|
|
|
if k.Curve == elliptic.P256() {
|
|
|
|
alg = jose.ES256
|
|
|
|
} else if k.Curve == elliptic.P384() {
|
|
|
|
alg = jose.ES384
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
signer, err := jose.NewSigner(alg, j.privKey)
|
2015-06-11 22:13:43 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-11-12 01:06:22 +00:00
|
|
|
signer.SetNonceSource(j)
|
2015-06-11 22:13:43 +00:00
|
|
|
|
2015-11-12 01:06:22 +00:00
|
|
|
signed, err := signer.Sign(content)
|
2015-06-11 22:13:43 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-09-26 17:45:52 +00:00
|
|
|
return signed, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (j *jws) getNonceFromResponse(resp *http.Response) error {
|
|
|
|
nonce := resp.Header.Get("Replay-Nonce")
|
|
|
|
if nonce == "" {
|
|
|
|
return fmt.Errorf("Server did not respond with a proper nonce header.")
|
|
|
|
}
|
|
|
|
|
|
|
|
j.nonces = append(j.nonces, nonce)
|
|
|
|
return nil
|
|
|
|
}
|
2015-06-11 22:13:43 +00:00
|
|
|
|
2015-11-12 01:55:28 +00:00
|
|
|
func (j *jws) getNonce() error {
|
2015-12-30 22:01:21 +00:00
|
|
|
resp, err := httpHead(j.directoryURL)
|
2015-06-11 22:13:43 +00:00
|
|
|
if err != nil {
|
2015-09-26 17:45:52 +00:00
|
|
|
return err
|
2015-06-11 22:13:43 +00:00
|
|
|
}
|
|
|
|
|
2015-09-26 17:45:52 +00:00
|
|
|
return j.getNonceFromResponse(resp)
|
|
|
|
}
|
|
|
|
|
2015-11-12 01:06:22 +00:00
|
|
|
func (j *jws) Nonce() (string, error) {
|
2015-09-26 17:45:52 +00:00
|
|
|
nonce := ""
|
|
|
|
if len(j.nonces) == 0 {
|
2015-11-12 01:55:28 +00:00
|
|
|
err := j.getNonce()
|
|
|
|
if err != nil {
|
|
|
|
return nonce, err
|
|
|
|
}
|
2016-04-11 04:03:21 +00:00
|
|
|
if len(j.nonces) == 0 {
|
|
|
|
return "", errors.New("Can't get nonce")
|
|
|
|
}
|
2015-09-26 17:45:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
nonce, j.nonces = j.nonces[len(j.nonces)-1], j.nonces[:len(j.nonces)-1]
|
2015-11-12 01:06:22 +00:00
|
|
|
return nonce, nil
|
2015-06-11 22:13:43 +00:00
|
|
|
}
|