mirror of
https://github.com/processone/ejabberd.git
synced 2024-06-18 22:15:20 +02:00
Split ACME module into two
1. A communications module that handles all requets/responses and other low level stuff that have to do with the ACME CA 2. A head module that will do all the useful stuff
This commit is contained in:
parent
d3c477646f
commit
56fc0efbc8
|
@ -1,24 +1,11 @@
|
||||||
-module (ejabberd_acme).
|
-module (ejabberd_acme).
|
||||||
|
|
||||||
-export([%% Directory
|
-export([%% Ejabberdctl Commands
|
||||||
directory/1,
|
|
||||||
%% Account
|
|
||||||
new_account/4,
|
|
||||||
update_account/4,
|
|
||||||
get_account/3,
|
|
||||||
delete_account/3,
|
|
||||||
%% Authorization
|
|
||||||
new_authz/4,
|
|
||||||
get_authz/1,
|
|
||||||
complete_challenge/4,
|
|
||||||
%% Certificate
|
|
||||||
new_cert/4,
|
|
||||||
get_cert/1,
|
|
||||||
revoke_cert/4,
|
|
||||||
%% Ejabberdctl Commands
|
|
||||||
get_certificates/3,
|
get_certificates/3,
|
||||||
%% Command Options Validity
|
%% Command Options Validity
|
||||||
is_valid_account_opt/1,
|
is_valid_account_opt/1,
|
||||||
|
%% Misc
|
||||||
|
generate_key/0,
|
||||||
%% Debugging Scenarios
|
%% Debugging Scenarios
|
||||||
scenario/3,
|
scenario/3,
|
||||||
scenario0/2,
|
scenario0/2,
|
||||||
|
@ -35,144 +22,6 @@
|
||||||
-include("ejabberd_acme.hrl").
|
-include("ejabberd_acme.hrl").
|
||||||
-include_lib("public_key/include/public_key.hrl").
|
-include_lib("public_key/include/public_key.hrl").
|
||||||
|
|
||||||
-define(REQUEST_TIMEOUT, 5000). % 5 seconds.
|
|
||||||
-define(MAX_POLL_REQUESTS, 20).
|
|
||||||
-define(POLL_WAIT_TIME, 500). % 500 ms.
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Directory
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec directory(url()) -> {ok, dirs(), nonce()} | {error, _}.
|
|
||||||
directory(CAUrl) ->
|
|
||||||
Url = CAUrl ++ "/directory",
|
|
||||||
prepare_get_request(Url, fun get_dirs/1).
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Account Handling
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec new_account(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
||||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
|
||||||
new_account(Dirs, PrivateKey, Req, Nonce) ->
|
|
||||||
#{"new-reg" := Url} = Dirs,
|
|
||||||
EJson = {[{ <<"resource">>, <<"new-reg">>}] ++ Req},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
|
||||||
|
|
||||||
-spec update_account({url(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
|
||||||
{ok, proplist(), nonce()} | {error, _}.
|
|
||||||
update_account({CAUrl, AccId}, PrivateKey, Req, Nonce) ->
|
|
||||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
|
||||||
EJson = {[{ <<"resource">>, <<"reg">>}] ++ Req},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
|
||||||
|
|
||||||
-spec get_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
|
||||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
|
||||||
get_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
|
||||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
|
||||||
EJson = {[{<<"resource">>, <<"reg">>}]},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
|
||||||
|
|
||||||
-spec delete_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
|
||||||
{ok, proplist(), nonce()} | {error, _}.
|
|
||||||
delete_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
|
||||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
|
||||||
EJson =
|
|
||||||
{[{<<"resource">>, <<"reg">>},
|
|
||||||
{<<"status">>, <<"deactivated">>}]},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Authorization Handling
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec new_authz(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
||||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
|
||||||
new_authz(Dirs, PrivateKey, Req, Nonce) ->
|
|
||||||
#{"new-authz" := Url} = Dirs,
|
|
||||||
EJson = {[{<<"resource">>, <<"new-authz">>}] ++ Req},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1).
|
|
||||||
|
|
||||||
-spec get_authz({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
|
||||||
get_authz({CAUrl, AuthzId}) ->
|
|
||||||
Url = CAUrl ++ "/acme/authz/" ++ AuthzId,
|
|
||||||
prepare_get_request(Url, fun get_response/1).
|
|
||||||
|
|
||||||
-spec complete_challenge({url(), string(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
|
||||||
{ok, proplist(), nonce()} | {error, _}.
|
|
||||||
complete_challenge({CAUrl, AuthzId, ChallId}, PrivateKey, Req, Nonce) ->
|
|
||||||
Url = CAUrl ++ "/acme/challenge/" ++ AuthzId ++ "/" ++ ChallId,
|
|
||||||
EJson = {[{<<"resource">>, <<"challenge">>}] ++ Req},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Certificate Handling
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec new_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
||||||
{ok, {url(), list()}, nonce()} | {error, _}.
|
|
||||||
new_cert(Dirs, PrivateKey, Req, Nonce) ->
|
|
||||||
#{"new-cert" := Url} = Dirs,
|
|
||||||
EJson = {[{<<"resource">>, <<"new-cert">>}] ++ Req},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1,
|
|
||||||
"application/pkix-cert").
|
|
||||||
|
|
||||||
-spec get_cert({url(), string()}) -> {ok, list(), nonce()} | {error, _}.
|
|
||||||
get_cert({CAUrl, CertId}) ->
|
|
||||||
Url = CAUrl ++ "/acme/cert/" ++ CertId,
|
|
||||||
prepare_get_request(Url, fun get_response/1, "application/pkix-cert").
|
|
||||||
|
|
||||||
-spec revoke_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
||||||
{ok, _, nonce()} | {error, _}.
|
|
||||||
revoke_cert(Dirs, PrivateKey, Req, Nonce) ->
|
|
||||||
#{"revoke-cert" := Url} = Dirs,
|
|
||||||
EJson = {[{<<"resource">>, <<"revoke-cert">>}] ++ Req},
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1,
|
|
||||||
"application/pkix-cert").
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Handle Response Functions
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec get_dirs({ok, proplist(), proplist()}) -> {ok, map(), nonce()}.
|
|
||||||
get_dirs({ok, Head, Return}) ->
|
|
||||||
NewNonce = get_nonce(Head),
|
|
||||||
StrDirectories = [{bitstring_to_list(X), bitstring_to_list(Y)} ||
|
|
||||||
{X, Y} <- Return],
|
|
||||||
NewDirs = maps:from_list(StrDirectories),
|
|
||||||
{ok, NewDirs, NewNonce}.
|
|
||||||
|
|
||||||
-spec get_response({ok, proplist(), proplist()}) -> {ok, proplist(), nonce()}.
|
|
||||||
get_response({ok, Head, Return}) ->
|
|
||||||
NewNonce = get_nonce(Head),
|
|
||||||
{ok, Return, NewNonce}.
|
|
||||||
|
|
||||||
-spec get_response_tos({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
|
||||||
get_response_tos({ok, Head, Return}) ->
|
|
||||||
TOSUrl = get_tos(Head),
|
|
||||||
NewNonce = get_nonce(Head),
|
|
||||||
{ok, {TOSUrl, Return}, NewNonce}.
|
|
||||||
|
|
||||||
-spec get_response_location({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
|
||||||
get_response_location({ok, Head, Return}) ->
|
|
||||||
Location = get_location(Head),
|
|
||||||
NewNonce = get_nonce(Head),
|
|
||||||
{ok, {Location, Return}, NewNonce}.
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%%
|
%%
|
||||||
|
@ -320,143 +169,6 @@ attribute_oid(organizationName) -> ?'id-at-organizationName';
|
||||||
attribute_oid(_) -> error(bad_attributes).
|
attribute_oid(_) -> error(bad_attributes).
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Authorization Polling
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec get_authz_until_valid({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
|
||||||
get_authz_until_valid({CAUrl, AuthzId}) ->
|
|
||||||
get_authz_until_valid({CAUrl, AuthzId}, ?MAX_POLL_REQUESTS).
|
|
||||||
|
|
||||||
-spec get_authz_until_valid({url(), string()}, non_neg_integer()) ->
|
|
||||||
{ok, proplist(), nonce()} | {error, _}.
|
|
||||||
get_authz_until_valid({_CAUrl, _AuthzId}, 0) ->
|
|
||||||
?ERROR_MSG("Maximum request limit waiting for validation reached", []),
|
|
||||||
{error, max_request_limit};
|
|
||||||
get_authz_until_valid({CAUrl, AuthzId}, N) ->
|
|
||||||
case get_authz({CAUrl, AuthzId}) of
|
|
||||||
{ok, Resp, Nonce} ->
|
|
||||||
case is_authz_valid(Resp) of
|
|
||||||
true ->
|
|
||||||
{ok, Resp, Nonce};
|
|
||||||
false ->
|
|
||||||
timer:sleep(?POLL_WAIT_TIME),
|
|
||||||
get_authz_until_valid({CAUrl, AuthzId}, N-1)
|
|
||||||
end;
|
|
||||||
{error, _} = Err ->
|
|
||||||
Err
|
|
||||||
end.
|
|
||||||
|
|
||||||
-spec is_authz_valid(proplist()) -> boolean().
|
|
||||||
is_authz_valid(Authz) ->
|
|
||||||
case proplists:lookup(<<"status">>, Authz) of
|
|
||||||
{<<"status">>, <<"valid">>} ->
|
|
||||||
true;
|
|
||||||
_ ->
|
|
||||||
false
|
|
||||||
end.
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Request Functions
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
%% TODO: Fix the duplicated code at the below 4 functions
|
|
||||||
-spec make_post_request(url(), bitstring(), string()) ->
|
|
||||||
{ok, proplist(), proplist()} | {error, _}.
|
|
||||||
make_post_request(Url, ReqBody, ResponseType) ->
|
|
||||||
Options = [],
|
|
||||||
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
|
||||||
case httpc:request(post,
|
|
||||||
{Url, [], "application/jose+json", ReqBody}, HttpOptions, Options) of
|
|
||||||
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
|
||||||
decode_response(Head, Body, ResponseType);
|
|
||||||
Error ->
|
|
||||||
failed_http_request(Error, Url)
|
|
||||||
end.
|
|
||||||
|
|
||||||
-spec make_get_request(url(), string()) ->
|
|
||||||
{ok, proplist(), proplist()} | {error, _}.
|
|
||||||
make_get_request(Url, ResponseType) ->
|
|
||||||
Options = [],
|
|
||||||
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
|
||||||
case httpc:request(get, {Url, []}, HttpOptions, Options) of
|
|
||||||
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
|
||||||
decode_response(Head, Body, ResponseType);
|
|
||||||
Error ->
|
|
||||||
failed_http_request(Error, Url)
|
|
||||||
end.
|
|
||||||
|
|
||||||
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
|
||||||
nonce(), handle_resp_fun()) -> {ok, _, nonce()} | {error, _}.
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun) ->
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, "application/jose+json").
|
|
||||||
|
|
||||||
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
|
||||||
nonce(), handle_resp_fun(), string()) -> {ok, _, nonce()} | {error, _}.
|
|
||||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, ResponseType) ->
|
|
||||||
case encode(EJson) of
|
|
||||||
{ok, ReqBody} ->
|
|
||||||
FinalBody = sign_encode_json_jose(PrivateKey, ReqBody, Nonce),
|
|
||||||
case make_post_request(Url, FinalBody, ResponseType) of
|
|
||||||
{ok, Head, Return} ->
|
|
||||||
HandleRespFun({ok, Head, Return});
|
|
||||||
Error ->
|
|
||||||
Error
|
|
||||||
end;
|
|
||||||
{error, Reason} ->
|
|
||||||
?ERROR_MSG("Error: ~p when encoding: ~p", [Reason, EJson]),
|
|
||||||
{error, Reason}
|
|
||||||
end.
|
|
||||||
|
|
||||||
-spec prepare_get_request(url(), handle_resp_fun()) ->
|
|
||||||
{ok, _, nonce()} | {error, _}.
|
|
||||||
prepare_get_request(Url, HandleRespFun) ->
|
|
||||||
prepare_get_request(Url, HandleRespFun, "application/jose+json").
|
|
||||||
|
|
||||||
-spec prepare_get_request(url(), handle_resp_fun(), string()) ->
|
|
||||||
{ok, _, nonce()} | {error, _}.
|
|
||||||
prepare_get_request(Url, HandleRespFun, ResponseType) ->
|
|
||||||
case make_get_request(Url, ResponseType) of
|
|
||||||
{ok, Head, Return} ->
|
|
||||||
HandleRespFun({ok, Head, Return});
|
|
||||||
Error ->
|
|
||||||
Error
|
|
||||||
end.
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Jose Json Functions
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec sign_json_jose(jose_jwk:key(), bitstring(), nonce()) -> {_, jws()}.
|
|
||||||
sign_json_jose(Key, Json, Nonce) ->
|
|
||||||
PubKey = jose_jwk:to_public(Key),
|
|
||||||
{_, BinaryPubKey} = jose_jwk:to_binary(PubKey),
|
|
||||||
PubKeyJson = jiffy:decode(BinaryPubKey),
|
|
||||||
%% TODO: Ensure this works for all cases
|
|
||||||
AlgMap = jose_jwk:signer(Key),
|
|
||||||
JwsMap =
|
|
||||||
#{ <<"jwk">> => PubKeyJson,
|
|
||||||
%% <<"b64">> => true,
|
|
||||||
<<"nonce">> => list_to_bitstring(Nonce)
|
|
||||||
},
|
|
||||||
JwsObj0 = maps:merge(JwsMap, AlgMap),
|
|
||||||
JwsObj = jose_jws:from(JwsObj0),
|
|
||||||
jose_jws:sign(Key, Json, JwsObj).
|
|
||||||
|
|
||||||
-spec sign_encode_json_jose(jose_jwk:key(), bitstring(), nonce()) -> bitstring().
|
|
||||||
sign_encode_json_jose(Key, Json, Nonce) ->
|
|
||||||
{_, Signed} = sign_json_jose(Key, Json, Nonce),
|
|
||||||
%% This depends on jose library, so we can consider it safe
|
|
||||||
jiffy:encode(Signed).
|
|
||||||
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%%
|
%%
|
||||||
|
@ -464,20 +176,6 @@ sign_encode_json_jose(Key, Json, Nonce) ->
|
||||||
%%
|
%%
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
-spec get_nonce(proplist()) -> nonce() | 'none'.
|
|
||||||
get_nonce(Head) ->
|
|
||||||
case proplists:lookup("replay-nonce", Head) of
|
|
||||||
{"replay-nonce", Nonce} -> Nonce;
|
|
||||||
none -> none
|
|
||||||
end.
|
|
||||||
|
|
||||||
-spec get_location(proplist()) -> url() | 'none'.
|
|
||||||
get_location(Head) ->
|
|
||||||
case proplists:lookup("location", Head) of
|
|
||||||
{"location", Location} -> Location;
|
|
||||||
none -> none
|
|
||||||
end.
|
|
||||||
|
|
||||||
-spec location_to_id(url()) -> {ok, string()} | {error, not_found}.
|
-spec location_to_id(url()) -> {ok, string()} | {error, not_found}.
|
||||||
location_to_id(Url0) ->
|
location_to_id(Url0) ->
|
||||||
Url = string:strip(Url0, right, $/),
|
Url = string:strip(Url0, right, $/),
|
||||||
|
@ -489,74 +187,14 @@ location_to_id(Url0) ->
|
||||||
{ok, string:sub_string(Url, Ind+1)}
|
{ok, string:sub_string(Url, Ind+1)}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% Very bad way to extract this
|
|
||||||
%% TODO: Find a better way
|
|
||||||
-spec get_tos(proplist()) -> url() | 'none'.
|
|
||||||
get_tos(Head) ->
|
|
||||||
try
|
|
||||||
[{_, Link}] = [{K, V} || {K, V} <- Head,
|
|
||||||
K =:= "link" andalso
|
|
||||||
lists:suffix("\"terms-of-service\"", V)],
|
|
||||||
[Link1, _] = string:tokens(Link, ";"),
|
|
||||||
Link2 = string:strip(Link1, left, $<),
|
|
||||||
string:strip(Link2, right, $>)
|
|
||||||
catch
|
|
||||||
_:_ ->
|
|
||||||
none
|
|
||||||
end.
|
|
||||||
|
|
||||||
-spec get_challenges(proplist()) -> [{proplist()}].
|
-spec get_challenges(proplist()) -> [{proplist()}].
|
||||||
get_challenges(Body) ->
|
get_challenges(Body) ->
|
||||||
{<<"challenges">>, Challenges} = proplists:lookup(<<"challenges">>, Body),
|
{<<"challenges">>, Challenges} = proplists:lookup(<<"challenges">>, Body),
|
||||||
Challenges.
|
Challenges.
|
||||||
|
|
||||||
decode_response(Head, Body, "application/pkix-cert") ->
|
|
||||||
{ok, Head, Body};
|
|
||||||
decode_response(Head, Body, "application/jose+json") ->
|
|
||||||
case decode(Body) of
|
|
||||||
{ok, Return} ->
|
|
||||||
{ok, Head, Return};
|
|
||||||
{error, Reason} ->
|
|
||||||
?ERROR_MSG("Problem decoding: ~s", [Body]),
|
|
||||||
{error, Reason}
|
|
||||||
end.
|
|
||||||
|
|
||||||
encode(EJson) ->
|
|
||||||
try
|
|
||||||
{ok, jiffy:encode(EJson)}
|
|
||||||
catch
|
|
||||||
_:Reason ->
|
|
||||||
{error, Reason}
|
|
||||||
end.
|
|
||||||
|
|
||||||
decode(Json) ->
|
|
||||||
try
|
|
||||||
{Result} = jiffy:decode(Json),
|
|
||||||
{ok, Result}
|
|
||||||
catch
|
|
||||||
_:Reason ->
|
|
||||||
{error, Reason}
|
|
||||||
end.
|
|
||||||
|
|
||||||
is_error({error, _}) -> true;
|
is_error({error, _}) -> true;
|
||||||
is_error(_) -> false.
|
is_error(_) -> false.
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
%%
|
|
||||||
%% Handle Failed HTTP Requests
|
|
||||||
%%
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
||||||
|
|
||||||
-spec failed_http_request({ok, _} | {error, _}, url()) -> {error, _}.
|
|
||||||
failed_http_request({ok, {{_, Code, _}, _Head, Body}}, Url) ->
|
|
||||||
?ERROR_MSG("Got unexpected status code from <~s>: ~B, Body: ~s",
|
|
||||||
[Url, Code, Body]),
|
|
||||||
{error, unexpected_code};
|
|
||||||
failed_http_request({error, Reason}, Url) ->
|
|
||||||
?ERROR_MSG("Error making a request to <~s>: ~p",
|
|
||||||
[Url, Reason]),
|
|
||||||
{error, Reason}.
|
|
||||||
|
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%%
|
%%
|
||||||
%% Handle Config and Persistence Files
|
%% Handle Config and Persistence Files
|
||||||
|
@ -670,11 +308,11 @@ get_certificates0(CAUrl, HttpDir, "new-account") ->
|
||||||
PrivateKey = generate_key(),
|
PrivateKey = generate_key(),
|
||||||
|
|
||||||
%% Create a new account
|
%% Create a new account
|
||||||
{ok, _Id} = create_new_account(CAUrl, Contact, Key),
|
{ok, Id} = create_new_account(CAUrl, Contact, PrivateKey),
|
||||||
|
|
||||||
%% Write Persistent Data
|
%% Write Persistent Data
|
||||||
{ok, Data} = read_persistent(),
|
{ok, Data} = read_persistent(),
|
||||||
NewData = set_account_persistent(Data, {Id, Key}),
|
NewData = set_account_persistent(Data, {Id, PrivateKey}),
|
||||||
ok = write_persistent(NewData),
|
ok = write_persistent(NewData),
|
||||||
|
|
||||||
get_certificates1(CAUrl, HttpDir, PrivateKey).
|
get_certificates1(CAUrl, HttpDir, PrivateKey).
|
||||||
|
@ -686,13 +324,13 @@ get_certificates1(CAUrl, HttpDir, PrivateKey) ->
|
||||||
|
|
||||||
%% Get a certificate for each host
|
%% Get a certificate for each host
|
||||||
PemCertKeys = [get_certificate(CAUrl, Host, PrivateKey, HttpDir) || Host <- Hosts],
|
PemCertKeys = [get_certificate(CAUrl, Host, PrivateKey, HttpDir) || Host <- Hosts],
|
||||||
{AccId, PrivateKey, PemCertKeys}.
|
{ok, PrivateKey, PemCertKeys}.
|
||||||
|
|
||||||
|
|
||||||
get_certificate(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
get_certificate(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
||||||
?INFO_MSG("Getting a Certificate for domain: ~p~n", [DomainName]),
|
?INFO_MSG("Getting a Certificate for domain: ~p~n", [DomainName]),
|
||||||
case create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) of
|
case create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) of
|
||||||
{ok, Authz} ->
|
{ok, _Authz} ->
|
||||||
create_new_certificate(CAUrl, DomainName, PrivateKey);
|
create_new_certificate(CAUrl, DomainName, PrivateKey);
|
||||||
{error, authorization} ->
|
{error, authorization} ->
|
||||||
{error, {authorization, {host, DomainName}}}
|
{error, {authorization, {host, DomainName}}}
|
||||||
|
@ -702,13 +340,15 @@ get_certificate(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
||||||
%% Find a way to ask the user if he accepts the TOS
|
%% Find a way to ask the user if he accepts the TOS
|
||||||
create_new_account(CAUrl, Contact, PrivateKey) ->
|
create_new_account(CAUrl, Contact, PrivateKey) ->
|
||||||
try
|
try
|
||||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
{ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(CAUrl),
|
||||||
Req0 = [{ <<"contact">>, [Contact]}],
|
Req0 = [{ <<"contact">>, [Contact]}],
|
||||||
{ok, {TOS, Account}, Nonce1} = new_account(Dirs, PrivateKey, Req0, Nonce0),
|
{ok, {TOS, Account}, Nonce1} =
|
||||||
|
ejabberd_acme_comm:new_account(Dirs, PrivateKey, Req0, Nonce0),
|
||||||
{<<"id">>, AccIdInt} = lists:keyfind(<<"id">>, 1, Account),
|
{<<"id">>, AccIdInt} = lists:keyfind(<<"id">>, 1, Account),
|
||||||
AccId = integer_to_list(AccIdInt),
|
AccId = integer_to_list(AccIdInt),
|
||||||
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
||||||
{ok, Account2, _Nonce2} = update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce1),
|
{ok, _Account2, _Nonce2} =
|
||||||
|
ejabberd_acme_comm:update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce1),
|
||||||
{ok, AccId}
|
{ok, AccId}
|
||||||
catch
|
catch
|
||||||
E:R ->
|
E:R ->
|
||||||
|
@ -718,12 +358,13 @@ create_new_account(CAUrl, Contact, PrivateKey) ->
|
||||||
|
|
||||||
create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
||||||
try
|
try
|
||||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
{ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(CAUrl),
|
||||||
Req0 = [{<<"identifier">>,
|
Req0 = [{<<"identifier">>,
|
||||||
{[{<<"type">>, <<"dns">>},
|
{[{<<"type">>, <<"dns">>},
|
||||||
{<<"value">>, DomainName}]}},
|
{<<"value">>, DomainName}]}},
|
||||||
{<<"existing">>, <<"accept">>}],
|
{<<"existing">>, <<"accept">>}],
|
||||||
{ok, {AuthzUrl, Authz}, Nonce1} = new_authz(Dirs, PrivateKey, Req0, Nonce0),
|
{ok, {AuthzUrl, Authz}, Nonce1} =
|
||||||
|
ejabberd_acme_comm:new_authz(Dirs, PrivateKey, Req0, Nonce0),
|
||||||
{ok, AuthzId} = location_to_id(AuthzUrl),
|
{ok, AuthzId} = location_to_id(AuthzUrl),
|
||||||
|
|
||||||
Challenges = get_challenges(Authz),
|
Challenges = get_challenges(Authz),
|
||||||
|
@ -731,10 +372,10 @@ create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
||||||
acme_challenge:solve_challenge(<<"http-01">>, Challenges, {PrivateKey, HttpDir}),
|
acme_challenge:solve_challenge(<<"http-01">>, Challenges, {PrivateKey, HttpDir}),
|
||||||
{ok, ChallengeId} = location_to_id(ChallengeUrl),
|
{ok, ChallengeId} = location_to_id(ChallengeUrl),
|
||||||
Req3 = [{<<"type">>, <<"http-01">>},{<<"keyAuthorization">>, KeyAuthz}],
|
Req3 = [{<<"type">>, <<"http-01">>},{<<"keyAuthorization">>, KeyAuthz}],
|
||||||
{ok, SolvedChallenge, Nonce2} =
|
{ok, SolvedChallenge, Nonce2} = ejabberd_acme_comm:complete_challenge(
|
||||||
complete_challenge({CAUrl, AuthzId, ChallengeId}, PrivateKey, Req3, Nonce1),
|
{CAUrl, AuthzId, ChallengeId}, PrivateKey, Req3, Nonce1),
|
||||||
|
|
||||||
{ok, AuthzValid, _Nonce} = get_authz_until_valid({CAUrl, AuthzId}),
|
{ok, AuthzValid, _Nonce} = ejabberd_acme_comm:get_authz_until_valid({CAUrl, AuthzId}),
|
||||||
{ok, AuthzValid}
|
{ok, AuthzValid}
|
||||||
catch
|
catch
|
||||||
E:R ->
|
E:R ->
|
||||||
|
@ -745,7 +386,7 @@ create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
||||||
|
|
||||||
create_new_certificate(CAUrl, DomainName, PrivateKey) ->
|
create_new_certificate(CAUrl, DomainName, PrivateKey) ->
|
||||||
try
|
try
|
||||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
{ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(CAUrl),
|
||||||
CSRSubject = [{commonName, bitstring_to_list(DomainName)}],
|
CSRSubject = [{commonName, bitstring_to_list(DomainName)}],
|
||||||
{CSR, CSRKey} = make_csr(CSRSubject),
|
{CSR, CSRKey} = make_csr(CSRSubject),
|
||||||
{NotBefore, NotAfter} = not_before_not_after(),
|
{NotBefore, NotAfter} = not_before_not_after(),
|
||||||
|
@ -754,7 +395,7 @@ create_new_certificate(CAUrl, DomainName, PrivateKey) ->
|
||||||
{<<"notBefore">>, NotBefore},
|
{<<"notBefore">>, NotBefore},
|
||||||
{<<"NotAfter">>, NotAfter}
|
{<<"NotAfter">>, NotAfter}
|
||||||
],
|
],
|
||||||
{ok, {CertUrl, Certificate}, Nonce1} = new_cert(Dirs, PrivateKey, Req, Nonce0),
|
{ok, {CertUrl, Certificate}, Nonce1} = ejabberd_acme_comm:new_cert(Dirs, PrivateKey, Req, Nonce0),
|
||||||
|
|
||||||
{ok, CertId} = location_to_id(CertUrl),
|
{ok, CertId} = location_to_id(CertUrl),
|
||||||
|
|
||||||
|
@ -788,9 +429,10 @@ not_before_not_after() ->
|
||||||
|
|
||||||
%% A typical acme workflow
|
%% A typical acme workflow
|
||||||
scenario(CAUrl, AccId, PrivateKey) ->
|
scenario(CAUrl, AccId, PrivateKey) ->
|
||||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
{ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(CAUrl),
|
||||||
|
|
||||||
{ok, {_TOS, Account}, Nonce1} = get_account({CAUrl, AccId}, PrivateKey, Nonce0),
|
{ok, {_TOS, Account}, Nonce1} =
|
||||||
|
ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce0),
|
||||||
?INFO_MSG("Account: ~p~n", [Account]),
|
?INFO_MSG("Account: ~p~n", [Account]),
|
||||||
|
|
||||||
Req =
|
Req =
|
||||||
|
@ -799,7 +441,7 @@ scenario(CAUrl, AccId, PrivateKey) ->
|
||||||
{<<"value">>, <<"my-acme-test-ejabberd.com">>}]}},
|
{<<"value">>, <<"my-acme-test-ejabberd.com">>}]}},
|
||||||
{<<"existing">>, <<"accept">>}
|
{<<"existing">>, <<"accept">>}
|
||||||
],
|
],
|
||||||
{ok, Authz, Nonce2} = new_authz(Dirs, PrivateKey, Req, Nonce1),
|
{ok, Authz, Nonce2} = ejabberd_acme_comm:new_authz(Dirs, PrivateKey, Req, Nonce1),
|
||||||
|
|
||||||
{Account, Authz, PrivateKey}.
|
{Account, Authz, PrivateKey}.
|
||||||
|
|
||||||
|
@ -807,19 +449,21 @@ scenario(CAUrl, AccId, PrivateKey) ->
|
||||||
new_user_scenario(CAUrl, HttpDir) ->
|
new_user_scenario(CAUrl, HttpDir) ->
|
||||||
PrivateKey = generate_key(),
|
PrivateKey = generate_key(),
|
||||||
|
|
||||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
{ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(CAUrl),
|
||||||
%% ?INFO_MSG("Directories: ~p", [Dirs]),
|
%% ?INFO_MSG("Directories: ~p", [Dirs]),
|
||||||
|
|
||||||
Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}],
|
Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}],
|
||||||
{ok, {TOS, Account}, Nonce1} = new_account(Dirs, PrivateKey, Req0, Nonce0),
|
{ok, {TOS, Account}, Nonce1} = ejabberd_acme_comm:new_account(Dirs, PrivateKey, Req0, Nonce0),
|
||||||
|
|
||||||
{_, AccIdInt} = proplists:lookup(<<"id">>, Account),
|
{_, AccIdInt} = proplists:lookup(<<"id">>, Account),
|
||||||
AccId = integer_to_list(AccIdInt),
|
AccId = integer_to_list(AccIdInt),
|
||||||
{ok, {_TOS, Account1}, Nonce2} = get_account({CAUrl, AccId}, PrivateKey, Nonce1),
|
{ok, {_TOS, Account1}, Nonce2} =
|
||||||
|
ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce1),
|
||||||
%% ?INFO_MSG("Old account: ~p~n", [Account1]),
|
%% ?INFO_MSG("Old account: ~p~n", [Account1]),
|
||||||
|
|
||||||
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
||||||
{ok, Account2, Nonce3} = update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2),
|
{ok, Account2, Nonce3} =
|
||||||
|
ejabberd_acme_comm:update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2),
|
||||||
|
|
||||||
%% NewKey = generate_key(),
|
%% NewKey = generate_key(),
|
||||||
%% KeyChangeUrl = CAUrl ++ "/acme/key-change/",
|
%% KeyChangeUrl = CAUrl ++ "/acme/key-change/",
|
||||||
|
@ -838,10 +482,11 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||||
{<<"value">>, DomainName}]}},
|
{<<"value">>, DomainName}]}},
|
||||||
{<<"existing">>, <<"accept">>}
|
{<<"existing">>, <<"accept">>}
|
||||||
],
|
],
|
||||||
{ok, {AuthzUrl, Authz}, Nonce4} = new_authz(Dirs, PrivateKey, Req2, Nonce3),
|
{ok, {AuthzUrl, Authz}, Nonce4} =
|
||||||
|
ejabberd_acme_comm:new_authz(Dirs, PrivateKey, Req2, Nonce3),
|
||||||
|
|
||||||
{ok, AuthzId} = location_to_id(AuthzUrl),
|
{ok, AuthzId} = location_to_id(AuthzUrl),
|
||||||
{ok, Authz2, Nonce5} = get_authz({CAUrl, AuthzId}),
|
{ok, Authz2, Nonce5} = ejabberd_acme_comm:get_authz({CAUrl, AuthzId}),
|
||||||
?INFO_MSG("AuthzUrl: ~p~n", [AuthzUrl]),
|
?INFO_MSG("AuthzUrl: ~p~n", [AuthzUrl]),
|
||||||
|
|
||||||
Challenges = get_challenges(Authz2),
|
Challenges = get_challenges(Authz2),
|
||||||
|
@ -856,11 +501,12 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||||
[ {<<"type">>, <<"http-01">>}
|
[ {<<"type">>, <<"http-01">>}
|
||||||
, {<<"keyAuthorization">>, KeyAuthz}
|
, {<<"keyAuthorization">>, KeyAuthz}
|
||||||
],
|
],
|
||||||
{ok, SolvedChallenge, Nonce6} = complete_challenge({CAUrl, AuthzId, ChallengeId}, PrivateKey, Req3, Nonce5),
|
{ok, SolvedChallenge, Nonce6} = ejabberd_acme_comm:complete_challenge(
|
||||||
|
{CAUrl, AuthzId, ChallengeId}, PrivateKey, Req3, Nonce5),
|
||||||
%% ?INFO_MSG("SolvedChallenge: ~p~n", [SolvedChallenge]),
|
%% ?INFO_MSG("SolvedChallenge: ~p~n", [SolvedChallenge]),
|
||||||
|
|
||||||
%% timer:sleep(2000),
|
%% timer:sleep(2000),
|
||||||
{ok, Authz3, Nonce7} = get_authz_until_valid({CAUrl, AuthzId}),
|
{ok, Authz3, Nonce7} = ejabberd_acme_comm:get_authz_until_valid({CAUrl, AuthzId}),
|
||||||
|
|
||||||
#{"new-cert" := NewCert} = Dirs,
|
#{"new-cert" := NewCert} = Dirs,
|
||||||
CSRSubject = [{commonName, bitstring_to_list(DomainName)},
|
CSRSubject = [{commonName, bitstring_to_list(DomainName)},
|
||||||
|
@ -874,11 +520,12 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||||
{<<"notBefore">>, NotBefore},
|
{<<"notBefore">>, NotBefore},
|
||||||
{<<"NotAfter">>, NotAfter}
|
{<<"NotAfter">>, NotAfter}
|
||||||
],
|
],
|
||||||
{ok, {CertUrl, Certificate}, Nonce8} = new_cert(Dirs, PrivateKey, Req4, Nonce7),
|
{ok, {CertUrl, Certificate}, Nonce8} =
|
||||||
|
ejabberd_acme_comm:new_cert(Dirs, PrivateKey, Req4, Nonce7),
|
||||||
?INFO_MSG("CertUrl: ~p~n", [CertUrl]),
|
?INFO_MSG("CertUrl: ~p~n", [CertUrl]),
|
||||||
|
|
||||||
{ok, CertId} = location_to_id(CertUrl),
|
{ok, CertId} = location_to_id(CertUrl),
|
||||||
{ok, Certificate2, Nonce9} = get_cert({CAUrl, CertId}),
|
{ok, Certificate2, Nonce9} = ejabberd_acme_comm:get_cert({CAUrl, CertId}),
|
||||||
|
|
||||||
DecodedCert = public_key:pkix_decode_cert(list_to_binary(Certificate2), plain),
|
DecodedCert = public_key:pkix_decode_cert(list_to_binary(Certificate2), plain),
|
||||||
%% ?INFO_MSG("DecodedCert: ~p~n", [DecodedCert]),
|
%% ?INFO_MSG("DecodedCert: ~p~n", [DecodedCert]),
|
||||||
|
@ -897,9 +544,9 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||||
|
|
||||||
Base64Cert = base64url:encode(Certificate2),
|
Base64Cert = base64url:encode(Certificate2),
|
||||||
Req5 = [{<<"certificate">>, Base64Cert}],
|
Req5 = [{<<"certificate">>, Base64Cert}],
|
||||||
{ok, [], Nonce10} = revoke_cert(Dirs, PrivateKey, Req5, Nonce9),
|
{ok, [], Nonce10} = ejabberd_acme_comm:revoke_cert(Dirs, PrivateKey, Req5, Nonce9),
|
||||||
|
|
||||||
{ok, Certificate3, Nonce11} = get_cert(CertUrl),
|
{ok, Certificate3, Nonce11} = ejabberd_acme_comm:get_cert(CertUrl),
|
||||||
|
|
||||||
{Account2, Authz3, CSR, Certificate, PrivateKey}.
|
{Account2, Authz3, CSR, Certificate, PrivateKey}.
|
||||||
|
|
||||||
|
@ -918,26 +565,30 @@ delete_account_scenario(CAUrl) ->
|
||||||
PrivateKey = generate_key(),
|
PrivateKey = generate_key(),
|
||||||
|
|
||||||
DirURL = CAUrl ++ "/directory",
|
DirURL = CAUrl ++ "/directory",
|
||||||
{ok, Dirs, Nonce0} = directory(DirURL),
|
{ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(DirURL),
|
||||||
%% ?INFO_MSG("Directories: ~p", [Dirs]),
|
%% ?INFO_MSG("Directories: ~p", [Dirs]),
|
||||||
|
|
||||||
Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}],
|
Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}],
|
||||||
{ok, {TOS, Account}, Nonce1} = new_account(Dirs, PrivateKey, Req0, Nonce0),
|
{ok, {TOS, Account}, Nonce1} = ejabberd_acme_comm:new_account(Dirs, PrivateKey, Req0, Nonce0),
|
||||||
|
|
||||||
{_, AccIdInt} = proplists:lookup(<<"id">>, Account),
|
{_, AccIdInt} = proplists:lookup(<<"id">>, Account),
|
||||||
AccId = integer_to_list(AccIdInt),
|
AccId = integer_to_list(AccIdInt),
|
||||||
{ok, {_TOS, Account1}, Nonce2} = get_account({CAUrl, AccId}, PrivateKey, Nonce1),
|
{ok, {_TOS, Account1}, Nonce2} =
|
||||||
|
ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce1),
|
||||||
%% ?INFO_MSG("Old account: ~p~n", [Account1]),
|
%% ?INFO_MSG("Old account: ~p~n", [Account1]),
|
||||||
|
|
||||||
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
||||||
{ok, Account2, Nonce3} = update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2),
|
{ok, Account2, Nonce3} =
|
||||||
|
ejabberd_acme_comm:update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2),
|
||||||
|
|
||||||
%% Delete account
|
%% Delete account
|
||||||
{ok, Account3, Nonce4} = delete_account({CAUrl, AccId}, PrivateKey, Nonce3),
|
{ok, Account3, Nonce4} =
|
||||||
|
ejabberd_acme_comm:delete_account({CAUrl, AccId}, PrivateKey, Nonce3),
|
||||||
|
|
||||||
timer:sleep(3000),
|
timer:sleep(3000),
|
||||||
|
|
||||||
{ok, {_TOS, Account4}, Nonce5} = get_account({CAUrl, AccId}, PrivateKey, Nonce4),
|
{ok, {_TOS, Account4}, Nonce5} =
|
||||||
|
ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce4),
|
||||||
?INFO_MSG("New account: ~p~n", [Account4]),
|
?INFO_MSG("New account: ~p~n", [Account4]),
|
||||||
|
|
||||||
AccIdBin = list_to_bitstring(integer_to_list(AccIdInt)),
|
AccIdBin = list_to_bitstring(integer_to_list(AccIdInt)),
|
||||||
|
@ -948,7 +599,8 @@ delete_account_scenario(CAUrl) ->
|
||||||
{<<"value">>, DomainName}]}},
|
{<<"value">>, DomainName}]}},
|
||||||
{<<"existing">>, <<"accept">>}
|
{<<"existing">>, <<"accept">>}
|
||||||
],
|
],
|
||||||
{ok, {AuthzUrl, Authz}, Nonce6} = new_authz(Dirs, PrivateKey, Req2, Nonce5),
|
{ok, {AuthzUrl, Authz}, Nonce6} =
|
||||||
|
ejabberd_acme_comm:new_authz(Dirs, PrivateKey, Req2, Nonce5),
|
||||||
|
|
||||||
{ok, Account1, Account3, Authz}.
|
{ok, Account1, Account3, Authz}.
|
||||||
|
|
||||||
|
|
387
src/ejabberd_acme_comm.erl
Normal file
387
src/ejabberd_acme_comm.erl
Normal file
|
@ -0,0 +1,387 @@
|
||||||
|
-module(ejabberd_acme_comm).
|
||||||
|
-export([%% Directory
|
||||||
|
directory/1,
|
||||||
|
%% Account
|
||||||
|
new_account/4,
|
||||||
|
update_account/4,
|
||||||
|
get_account/3,
|
||||||
|
delete_account/3,
|
||||||
|
%% Authorization
|
||||||
|
new_authz/4,
|
||||||
|
get_authz/1,
|
||||||
|
complete_challenge/4,
|
||||||
|
%% Authorization polling
|
||||||
|
get_authz_until_valid/1,
|
||||||
|
%% Certificate
|
||||||
|
new_cert/4,
|
||||||
|
get_cert/1,
|
||||||
|
revoke_cert/4
|
||||||
|
%% Not yet implemented
|
||||||
|
%% key_roll_over/5
|
||||||
|
%% delete_authz/3
|
||||||
|
]).
|
||||||
|
|
||||||
|
-include("ejabberd.hrl").
|
||||||
|
-include("logger.hrl").
|
||||||
|
-include("xmpp.hrl").
|
||||||
|
|
||||||
|
-include("ejabberd_acme.hrl").
|
||||||
|
-include_lib("public_key/include/public_key.hrl").
|
||||||
|
|
||||||
|
-define(REQUEST_TIMEOUT, 5000). % 5 seconds.
|
||||||
|
-define(MAX_POLL_REQUESTS, 20).
|
||||||
|
-define(POLL_WAIT_TIME, 500). % 500 ms.
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Directory
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec directory(url()) -> {ok, dirs(), nonce()} | {error, _}.
|
||||||
|
directory(CAUrl) ->
|
||||||
|
Url = CAUrl ++ "/directory",
|
||||||
|
prepare_get_request(Url, fun get_dirs/1).
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Account Handling
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec new_account(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||||
|
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||||
|
new_account(Dirs, PrivateKey, Req, Nonce) ->
|
||||||
|
#{"new-reg" := Url} = Dirs,
|
||||||
|
EJson = {[{ <<"resource">>, <<"new-reg">>}] ++ Req},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
||||||
|
|
||||||
|
-spec update_account({url(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
||||||
|
{ok, proplist(), nonce()} | {error, _}.
|
||||||
|
update_account({CAUrl, AccId}, PrivateKey, Req, Nonce) ->
|
||||||
|
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||||
|
EJson = {[{ <<"resource">>, <<"reg">>}] ++ Req},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||||
|
|
||||||
|
-spec get_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
||||||
|
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||||
|
get_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
||||||
|
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||||
|
EJson = {[{<<"resource">>, <<"reg">>}]},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
||||||
|
|
||||||
|
-spec delete_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
||||||
|
{ok, proplist(), nonce()} | {error, _}.
|
||||||
|
delete_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
||||||
|
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||||
|
EJson =
|
||||||
|
{[{<<"resource">>, <<"reg">>},
|
||||||
|
{<<"status">>, <<"deactivated">>}]},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Authorization Handling
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec new_authz(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||||
|
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||||
|
new_authz(Dirs, PrivateKey, Req, Nonce) ->
|
||||||
|
#{"new-authz" := Url} = Dirs,
|
||||||
|
EJson = {[{<<"resource">>, <<"new-authz">>}] ++ Req},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1).
|
||||||
|
|
||||||
|
-spec get_authz({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
||||||
|
get_authz({CAUrl, AuthzId}) ->
|
||||||
|
Url = CAUrl ++ "/acme/authz/" ++ AuthzId,
|
||||||
|
prepare_get_request(Url, fun get_response/1).
|
||||||
|
|
||||||
|
-spec complete_challenge({url(), string(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
||||||
|
{ok, proplist(), nonce()} | {error, _}.
|
||||||
|
complete_challenge({CAUrl, AuthzId, ChallId}, PrivateKey, Req, Nonce) ->
|
||||||
|
Url = CAUrl ++ "/acme/challenge/" ++ AuthzId ++ "/" ++ ChallId,
|
||||||
|
EJson = {[{<<"resource">>, <<"challenge">>}] ++ Req},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Certificate Handling
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec new_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||||
|
{ok, {url(), list()}, nonce()} | {error, _}.
|
||||||
|
new_cert(Dirs, PrivateKey, Req, Nonce) ->
|
||||||
|
#{"new-cert" := Url} = Dirs,
|
||||||
|
EJson = {[{<<"resource">>, <<"new-cert">>}] ++ Req},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1,
|
||||||
|
"application/pkix-cert").
|
||||||
|
|
||||||
|
-spec get_cert({url(), string()}) -> {ok, list(), nonce()} | {error, _}.
|
||||||
|
get_cert({CAUrl, CertId}) ->
|
||||||
|
Url = CAUrl ++ "/acme/cert/" ++ CertId,
|
||||||
|
prepare_get_request(Url, fun get_response/1, "application/pkix-cert").
|
||||||
|
|
||||||
|
-spec revoke_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||||
|
{ok, _, nonce()} | {error, _}.
|
||||||
|
revoke_cert(Dirs, PrivateKey, Req, Nonce) ->
|
||||||
|
#{"revoke-cert" := Url} = Dirs,
|
||||||
|
EJson = {[{<<"resource">>, <<"revoke-cert">>}] ++ Req},
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1,
|
||||||
|
"application/pkix-cert").
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Handle Response Functions
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec get_dirs({ok, proplist(), proplist()}) -> {ok, map(), nonce()}.
|
||||||
|
get_dirs({ok, Head, Return}) ->
|
||||||
|
NewNonce = get_nonce(Head),
|
||||||
|
StrDirectories = [{bitstring_to_list(X), bitstring_to_list(Y)} ||
|
||||||
|
{X, Y} <- Return],
|
||||||
|
NewDirs = maps:from_list(StrDirectories),
|
||||||
|
{ok, NewDirs, NewNonce}.
|
||||||
|
|
||||||
|
-spec get_response({ok, proplist(), proplist()}) -> {ok, proplist(), nonce()}.
|
||||||
|
get_response({ok, Head, Return}) ->
|
||||||
|
NewNonce = get_nonce(Head),
|
||||||
|
{ok, Return, NewNonce}.
|
||||||
|
|
||||||
|
-spec get_response_tos({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
||||||
|
get_response_tos({ok, Head, Return}) ->
|
||||||
|
TOSUrl = get_tos(Head),
|
||||||
|
NewNonce = get_nonce(Head),
|
||||||
|
{ok, {TOSUrl, Return}, NewNonce}.
|
||||||
|
|
||||||
|
-spec get_response_location({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
||||||
|
get_response_location({ok, Head, Return}) ->
|
||||||
|
Location = get_location(Head),
|
||||||
|
NewNonce = get_nonce(Head),
|
||||||
|
{ok, {Location, Return}, NewNonce}.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Authorization Polling
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec get_authz_until_valid({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
||||||
|
get_authz_until_valid({CAUrl, AuthzId}) ->
|
||||||
|
get_authz_until_valid({CAUrl, AuthzId}, ?MAX_POLL_REQUESTS).
|
||||||
|
|
||||||
|
-spec get_authz_until_valid({url(), string()}, non_neg_integer()) ->
|
||||||
|
{ok, proplist(), nonce()} | {error, _}.
|
||||||
|
get_authz_until_valid({_CAUrl, _AuthzId}, 0) ->
|
||||||
|
?ERROR_MSG("Maximum request limit waiting for validation reached", []),
|
||||||
|
{error, max_request_limit};
|
||||||
|
get_authz_until_valid({CAUrl, AuthzId}, N) ->
|
||||||
|
case get_authz({CAUrl, AuthzId}) of
|
||||||
|
{ok, Resp, Nonce} ->
|
||||||
|
case is_authz_valid(Resp) of
|
||||||
|
true ->
|
||||||
|
{ok, Resp, Nonce};
|
||||||
|
false ->
|
||||||
|
timer:sleep(?POLL_WAIT_TIME),
|
||||||
|
get_authz_until_valid({CAUrl, AuthzId}, N-1)
|
||||||
|
end;
|
||||||
|
{error, _} = Err ->
|
||||||
|
Err
|
||||||
|
end.
|
||||||
|
|
||||||
|
-spec is_authz_valid(proplist()) -> boolean().
|
||||||
|
is_authz_valid(Authz) ->
|
||||||
|
case proplists:lookup(<<"status">>, Authz) of
|
||||||
|
{<<"status">>, <<"valid">>} ->
|
||||||
|
true;
|
||||||
|
_ ->
|
||||||
|
false
|
||||||
|
end.
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Request Functions
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
%% TODO: Fix the duplicated code at the below 4 functions
|
||||||
|
-spec make_post_request(url(), bitstring(), string()) ->
|
||||||
|
{ok, proplist(), proplist()} | {error, _}.
|
||||||
|
make_post_request(Url, ReqBody, ResponseType) ->
|
||||||
|
Options = [],
|
||||||
|
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
||||||
|
case httpc:request(post,
|
||||||
|
{Url, [], "application/jose+json", ReqBody}, HttpOptions, Options) of
|
||||||
|
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
||||||
|
decode_response(Head, Body, ResponseType);
|
||||||
|
Error ->
|
||||||
|
failed_http_request(Error, Url)
|
||||||
|
end.
|
||||||
|
|
||||||
|
-spec make_get_request(url(), string()) ->
|
||||||
|
{ok, proplist(), proplist()} | {error, _}.
|
||||||
|
make_get_request(Url, ResponseType) ->
|
||||||
|
Options = [],
|
||||||
|
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
||||||
|
case httpc:request(get, {Url, []}, HttpOptions, Options) of
|
||||||
|
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
||||||
|
decode_response(Head, Body, ResponseType);
|
||||||
|
Error ->
|
||||||
|
failed_http_request(Error, Url)
|
||||||
|
end.
|
||||||
|
|
||||||
|
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
||||||
|
nonce(), handle_resp_fun()) -> {ok, _, nonce()} | {error, _}.
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun) ->
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, "application/jose+json").
|
||||||
|
|
||||||
|
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
||||||
|
nonce(), handle_resp_fun(), string()) -> {ok, _, nonce()} | {error, _}.
|
||||||
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, ResponseType) ->
|
||||||
|
case encode(EJson) of
|
||||||
|
{ok, ReqBody} ->
|
||||||
|
FinalBody = sign_encode_json_jose(PrivateKey, ReqBody, Nonce),
|
||||||
|
case make_post_request(Url, FinalBody, ResponseType) of
|
||||||
|
{ok, Head, Return} ->
|
||||||
|
HandleRespFun({ok, Head, Return});
|
||||||
|
Error ->
|
||||||
|
Error
|
||||||
|
end;
|
||||||
|
{error, Reason} ->
|
||||||
|
?ERROR_MSG("Error: ~p when encoding: ~p", [Reason, EJson]),
|
||||||
|
{error, Reason}
|
||||||
|
end.
|
||||||
|
|
||||||
|
-spec prepare_get_request(url(), handle_resp_fun()) ->
|
||||||
|
{ok, _, nonce()} | {error, _}.
|
||||||
|
prepare_get_request(Url, HandleRespFun) ->
|
||||||
|
prepare_get_request(Url, HandleRespFun, "application/jose+json").
|
||||||
|
|
||||||
|
-spec prepare_get_request(url(), handle_resp_fun(), string()) ->
|
||||||
|
{ok, _, nonce()} | {error, _}.
|
||||||
|
prepare_get_request(Url, HandleRespFun, ResponseType) ->
|
||||||
|
case make_get_request(Url, ResponseType) of
|
||||||
|
{ok, Head, Return} ->
|
||||||
|
HandleRespFun({ok, Head, Return});
|
||||||
|
Error ->
|
||||||
|
Error
|
||||||
|
end.
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Jose Json Functions
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec sign_json_jose(jose_jwk:key(), bitstring(), nonce()) -> {_, jws()}.
|
||||||
|
sign_json_jose(Key, Json, Nonce) ->
|
||||||
|
PubKey = jose_jwk:to_public(Key),
|
||||||
|
{_, BinaryPubKey} = jose_jwk:to_binary(PubKey),
|
||||||
|
PubKeyJson = jiffy:decode(BinaryPubKey),
|
||||||
|
%% TODO: Ensure this works for all cases
|
||||||
|
AlgMap = jose_jwk:signer(Key),
|
||||||
|
JwsMap =
|
||||||
|
#{ <<"jwk">> => PubKeyJson,
|
||||||
|
%% <<"b64">> => true,
|
||||||
|
<<"nonce">> => list_to_bitstring(Nonce)
|
||||||
|
},
|
||||||
|
JwsObj0 = maps:merge(JwsMap, AlgMap),
|
||||||
|
JwsObj = jose_jws:from(JwsObj0),
|
||||||
|
jose_jws:sign(Key, Json, JwsObj).
|
||||||
|
|
||||||
|
-spec sign_encode_json_jose(jose_jwk:key(), bitstring(), nonce()) -> bitstring().
|
||||||
|
sign_encode_json_jose(Key, Json, Nonce) ->
|
||||||
|
{_, Signed} = sign_json_jose(Key, Json, Nonce),
|
||||||
|
%% This depends on jose library, so we can consider it safe
|
||||||
|
jiffy:encode(Signed).
|
||||||
|
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Useful funs
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec get_nonce(proplist()) -> nonce() | 'none'.
|
||||||
|
get_nonce(Head) ->
|
||||||
|
case proplists:lookup("replay-nonce", Head) of
|
||||||
|
{"replay-nonce", Nonce} -> Nonce;
|
||||||
|
none -> none
|
||||||
|
end.
|
||||||
|
|
||||||
|
-spec get_location(proplist()) -> url() | 'none'.
|
||||||
|
get_location(Head) ->
|
||||||
|
case proplists:lookup("location", Head) of
|
||||||
|
{"location", Location} -> Location;
|
||||||
|
none -> none
|
||||||
|
end.
|
||||||
|
|
||||||
|
%% Very bad way to extract this
|
||||||
|
%% TODO: Find a better way
|
||||||
|
-spec get_tos(proplist()) -> url() | 'none'.
|
||||||
|
get_tos(Head) ->
|
||||||
|
try
|
||||||
|
[{_, Link}] = [{K, V} || {K, V} <- Head,
|
||||||
|
K =:= "link" andalso
|
||||||
|
lists:suffix("\"terms-of-service\"", V)],
|
||||||
|
[Link1, _] = string:tokens(Link, ";"),
|
||||||
|
Link2 = string:strip(Link1, left, $<),
|
||||||
|
string:strip(Link2, right, $>)
|
||||||
|
catch
|
||||||
|
_:_ ->
|
||||||
|
none
|
||||||
|
end.
|
||||||
|
|
||||||
|
decode_response(Head, Body, "application/pkix-cert") ->
|
||||||
|
{ok, Head, Body};
|
||||||
|
decode_response(Head, Body, "application/jose+json") ->
|
||||||
|
case decode(Body) of
|
||||||
|
{ok, Return} ->
|
||||||
|
{ok, Head, Return};
|
||||||
|
{error, Reason} ->
|
||||||
|
?ERROR_MSG("Problem decoding: ~s", [Body]),
|
||||||
|
{error, Reason}
|
||||||
|
end.
|
||||||
|
|
||||||
|
encode(EJson) ->
|
||||||
|
try
|
||||||
|
{ok, jiffy:encode(EJson)}
|
||||||
|
catch
|
||||||
|
_:Reason ->
|
||||||
|
{error, Reason}
|
||||||
|
end.
|
||||||
|
|
||||||
|
decode(Json) ->
|
||||||
|
try
|
||||||
|
{Result} = jiffy:decode(Json),
|
||||||
|
{ok, Result}
|
||||||
|
catch
|
||||||
|
_:Reason ->
|
||||||
|
{error, Reason}
|
||||||
|
end.
|
||||||
|
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
%%
|
||||||
|
%% Handle Failed HTTP Requests
|
||||||
|
%%
|
||||||
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
||||||
|
-spec failed_http_request({ok, _} | {error, _}, url()) -> {error, _}.
|
||||||
|
failed_http_request({ok, {{_, Code, _}, _Head, Body}}, Url) ->
|
||||||
|
?ERROR_MSG("Got unexpected status code from <~s>: ~B, Body: ~s",
|
||||||
|
[Url, Code, Body]),
|
||||||
|
{error, unexpected_code};
|
||||||
|
failed_http_request({error, Reason}, Url) ->
|
||||||
|
?ERROR_MSG("Error making a request to <~s>: ~p",
|
||||||
|
[Url, Reason]),
|
||||||
|
{error, Reason}.
|
Loading…
Reference in New Issue
Block a user