diff --git a/src/ejabberd_acme.erl b/src/ejabberd_acme.erl index c9e50c678..9a09211ba 100644 --- a/src/ejabberd_acme.erl +++ b/src/ejabberd_acme.erl @@ -10,11 +10,7 @@ is_valid_verbose_opt/1, %% Misc generate_key/0, - to_public/1, - %% Debugging Scenarios - scenario/3, - scenario0/2, - new_user_scenario/2 + to_public/1 ]). -include("ejabberd.hrl"). @@ -945,152 +941,6 @@ get_config_cert_dir() -> CertDir end. -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% -%% Transaction Fun -%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -transaction([{Fun, Rollback} | Rest]) -> - try - {ok, Result} = Fun(), - [Result | transaction(Rest)] - catch Type:Reason -> - Rollback(), - erlang:raise(Type, Reason, erlang:get_stacktrace()) - end; -transaction([Fun | Rest]) -> - % not every action require cleanup on error - transaction([{Fun, fun () -> ok end} | Rest]); -transaction([]) -> []. - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% -%% Debugging Funcs -- They are only used for the development phase -%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%% A typical acme workflow -scenario(CAUrl, AccId, PrivateKey) -> - {ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(CAUrl), - - {ok, {_TOS, Account}, Nonce1} = - ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce0), - ?INFO_MSG("Account: ~p~n", [Account]), - - Req = - [{<<"identifier">>, - {[{<<"type">>, <<"dns">>}, - {<<"value">>, <<"my-acme-test-ejabberd.com">>}]}}, - {<<"existing">>, <<"accept">>} - ], - {ok, Authz, Nonce2} = ejabberd_acme_comm:new_authz(Dirs, PrivateKey, Req, Nonce1), - - {Account, Authz, PrivateKey}. - - -new_user_scenario(CAUrl, HttpDir) -> - PrivateKey = generate_key(), - - {ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(CAUrl), - %% ?INFO_MSG("Directories: ~p", [Dirs]), - - Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}], - {ok, {TOS, Account}, Nonce1} = ejabberd_acme_comm:new_account(Dirs, PrivateKey, Req0, Nonce0), - - {_, AccIdInt} = proplists:lookup(<<"id">>, Account), - AccId = integer_to_list(AccIdInt), - {ok, {_TOS, Account1}, Nonce2} = - ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce1), - %% ?INFO_MSG("Old account: ~p~n", [Account1]), - - Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}], - {ok, Account2, Nonce3} = - ejabberd_acme_comm:update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2), - - %% NewKey = generate_key(), - %% KeyChangeUrl = CAUrl ++ "/acme/key-change/", - %% {ok, Account3, Nonce4} = key_roll_over(KeyChangeUrl, AccURL, PrivateKey, NewKey, Nonce3), - %% ?INFO_MSG("Changed key: ~p~n", [Account3]), - - %% {ok, {_TOS, Account4}, Nonce5} = get_account(AccURL, NewKey, Nonce4), - %% ?INFO_MSG("New account:~p~n", [Account4]), - %% {Account4, PrivateKey}. - - AccIdBin = list_to_bitstring(integer_to_list(AccIdInt)), - DomainName = << <<"my-acme-test-ejabberd">>/binary, AccIdBin/binary, <<".com">>/binary >>, - Req2 = - [{<<"identifier">>, - {[{<<"type">>, <<"dns">>}, - {<<"value">>, DomainName}]}}, - {<<"existing">>, <<"accept">>} - ], - {ok, {AuthzUrl, Authz}, Nonce4} = - ejabberd_acme_comm:new_authz(Dirs, PrivateKey, Req2, Nonce3), - - {ok, AuthzId} = location_to_id(AuthzUrl), - {ok, Authz2, Nonce5} = ejabberd_acme_comm:get_authz({CAUrl, AuthzId}), - ?INFO_MSG("AuthzUrl: ~p~n", [AuthzUrl]), - - Challenges = get_challenges(Authz2), - ?INFO_MSG("Challenges: ~p~n", [Challenges]), - - {ok, ChallengeUrl, KeyAuthz} = - acme_challenge:solve_challenge(<<"http-01">>, Challenges, {PrivateKey, HttpDir}), - ?INFO_MSG("File for http-01 challenge written correctly", []), - - {ok, ChallengeId} = location_to_id(ChallengeUrl), - Req3 = - [ {<<"type">>, <<"http-01">>} - , {<<"keyAuthorization">>, KeyAuthz} - ], - {ok, SolvedChallenge, Nonce6} = ejabberd_acme_comm:complete_challenge( - {CAUrl, AuthzId, ChallengeId}, PrivateKey, Req3, Nonce5), - %% ?INFO_MSG("SolvedChallenge: ~p~n", [SolvedChallenge]), - - %% timer:sleep(2000), - {ok, Authz3, Nonce7} = ejabberd_acme_comm:get_authz_until_valid({CAUrl, AuthzId}), - - #{"new-cert" := NewCert} = Dirs, - CSRSubject = [{commonName, bitstring_to_list(DomainName)}], - {CSR, CSRKey} = make_csr(CSRSubject), - {MegS, Sec, MicS} = erlang:timestamp(), - NotBefore = xmpp_util:encode_timestamp({MegS-1, Sec, MicS}), - NotAfter = xmpp_util:encode_timestamp({MegS+1, Sec, MicS}), - Req4 = - [{<<"csr">>, CSR}, - {<<"notBefore">>, NotBefore}, - {<<"NotAfter">>, NotAfter} - ], - {ok, {CertUrl, Certificate}, Nonce8} = - ejabberd_acme_comm:new_cert(Dirs, PrivateKey, Req4, Nonce7), - ?INFO_MSG("CertUrl: ~p~n", [CertUrl]), - - {ok, CertId} = location_to_id(CertUrl), - {ok, Certificate2, Nonce9} = ejabberd_acme_comm:get_cert({CAUrl, CertId}), - - DecodedCert = public_key:pkix_decode_cert(list_to_binary(Certificate2), plain), - %% ?INFO_MSG("DecodedCert: ~p~n", [DecodedCert]), - PemEntryCert = public_key:pem_entry_encode('Certificate', DecodedCert), - %% ?INFO_MSG("PemEntryCert: ~p~n", [PemEntryCert]), - - {_, CSRKeyKey} = jose_jwk:to_key(CSRKey), - PemEntryKey = public_key:pem_entry_encode('ECPrivateKey', CSRKeyKey), - %% ?INFO_MSG("PemKey: ~p~n", [jose_jwk:to_pem(CSRKey)]), - %% ?INFO_MSG("PemEntryKey: ~p~n", [PemEntryKey]), - - PemCert = public_key:pem_encode([PemEntryKey, PemEntryCert]), - %% ?INFO_MSG("PemCert: ~p~n", [PemCert]), - - ok = file:write_file(HttpDir ++ "/my_server.pem", PemCert), - - Base64Cert = base64url:encode(Certificate2), - Req5 = [{<<"certificate">>, Base64Cert}], - {ok, [], Nonce10} = ejabberd_acme_comm:revoke_cert(Dirs, PrivateKey, Req5, Nonce9), - - {ok, Certificate3, Nonce11} = ejabberd_acme_comm:get_cert({CAUrl, CertId}), - - {Account2, Authz3, CSR, Certificate, PrivateKey}. -ifdef(GENERATE_RSA_KEY). generate_key() -> @@ -1105,63 +955,3 @@ generate_key() -> jose_jwk:generate_key({ec, secp256r1}). -endif. - -scenario3() -> - CSRSubject = [{commonName, "my-acme-test-ejabberd.com"}, - {organizationName, "Example Corp"}], - {CSR, CSRKey} = make_csr(CSRSubject). - - -%% It doesn't seem to work, The user can get a new authorization even though the account has been deleted -delete_account_scenario(CAUrl) -> - PrivateKey = generate_key(), - - DirURL = CAUrl ++ "/directory", - {ok, Dirs, Nonce0} = ejabberd_acme_comm:directory(DirURL), - %% ?INFO_MSG("Directories: ~p", [Dirs]), - - Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}], - {ok, {TOS, Account}, Nonce1} = ejabberd_acme_comm:new_account(Dirs, PrivateKey, Req0, Nonce0), - - {_, AccIdInt} = proplists:lookup(<<"id">>, Account), - AccId = integer_to_list(AccIdInt), - {ok, {_TOS, Account1}, Nonce2} = - ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce1), - %% ?INFO_MSG("Old account: ~p~n", [Account1]), - - Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}], - {ok, Account2, Nonce3} = - ejabberd_acme_comm:update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2), - - %% Delete account - {ok, Account3, Nonce4} = - ejabberd_acme_comm:delete_account({CAUrl, AccId}, PrivateKey, Nonce3), - - timer:sleep(3000), - - {ok, {_TOS, Account4}, Nonce5} = - ejabberd_acme_comm:get_account({CAUrl, AccId}, PrivateKey, Nonce4), - ?INFO_MSG("New account: ~p~n", [Account4]), - - AccIdBin = list_to_bitstring(integer_to_list(AccIdInt)), - DomainName = << <<"my-acme-test-ejabberd">>/binary, AccIdBin/binary, <<".com">>/binary >>, - Req2 = - [{<<"identifier">>, - {[{<<"type">>, <<"dns">>}, - {<<"value">>, DomainName}]}}, - {<<"existing">>, <<"accept">>} - ], - {ok, {AuthzUrl, Authz}, Nonce6} = - ejabberd_acme_comm:new_authz(Dirs, PrivateKey, Req2, Nonce5), - - {ok, Account1, Account3, Authz}. - -%% Just a test -scenario0(KeyFile, HttpDir) -> - PrivateKey = jose_jwk:from_file(KeyFile), - %% scenario("http://localhost:4000", "2", PrivateKey). - %% delete_account_scenario("http://localhost:4000"). - new_user_scenario("http://localhost:4000", HttpDir). - -%% scenario3(). -