Merge branch 'lets_encrypt_acme_support' of git://github.com/angelhof/ejabberd into angelhof-lets_encrypt_acme_support

Conflicts:
	rebar.config
	src/ejabberd_pkix.erl

ejabberd.yml.example

@@ -655,6 +655,38 @@ language: "en"
 ##
 ## captcha_limit: 5
 
+###.  ====
+###'  ACME
+##
+## In order to use the acme certificate acquiring through "Let's Encrypt"
+## an http listener has to be configured to listen to port 80 so that
+## the authorization challenges posed by "Let's Encrypt" can be solved.
+## 
+## A simple way of doing this would be to add the following in the listen
+## configuration field:
+##   - 
+##    port: 80
+##    ip: "::"
+##    module: ejabberd_http
+
+acme:
+
+   ## A contact mail that the ACME Certificate Authority can contact in case of
+   ## an authorization issue, such as a server-initiated certificate revocation.
+   ## It is not mandatory to provide an email address but it is highly suggested.
+   contact: "mailto:example-admin@example.com"
+
+
+   ## The ACME Certificate Authority URL.
+   ## This could either be:
+   ##   - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
+   ##   - https://acme-staging.api.letsencrypt.org - for the staging CA
+   ##   - http://localhost:4000 - for a local version of the CA
+   ca_url: "https://acme-v01.api.letsencrypt.org"
+
+## The directory in which certificates will be saved
+cert_dir: "/usr/local/var/lib/ejabberd/"
+
 ###.  =======
 ###'  MODULES
 

include/ejabberd_acme.hrl

@@ -0,0 +1,53 @@
+
+-record(challenge, {
+	  type  = <<"http-01">> :: bitstring(),
+	  status = pending :: pending | valid | invalid,
+	  uri = "" :: url(),
+	  token = <<"">> :: bitstring()
+	 }).
+
+-record(data_acc, {
+	  id     :: list(),
+	  ca_url :: url(),
+	  key    :: jose_jwk:key()
+	 }).
+-type data_acc() :: #data_acc{}.
+
+-record(data_cert, {
+	  domain  :: bitstring(),
+	  pem     :: pem(),
+	  path    :: string()
+	 }).
+-type data_cert() :: #data_cert{}.
+
+%%
+%% Types
+%%
+
+%% Acme configuration
+-type acme_config() :: [{ca_url, url()} | {contact, bitstring()}].
+
+%% The main data type that ejabberd_acme keeps
+-type acme_data() :: proplist().
+
+%% The list of certificates kept in data
+-type data_certs() :: proplist(bitstring(), data_cert()).
+
+%% The certificate saved in pem format
+-type pem() :: bitstring().
+
+-type nonce() :: string().
+-type url() :: string().
+-type proplist() :: [{_, _}].
+-type proplist(X,Y) :: [{X,Y}].
+-type dirs() :: #{string() => url()}.
+-type jws() :: map().
+-type handle_resp_fun() :: fun(({ok, proplist(), proplist()}) -> {ok, _, nonce()}).
+
+-type acme_challenge() :: #challenge{}.
+
+%% Options
+-type account_opt() :: string().
+-type verbose_opt() :: string().
+-type domains_opt() :: string().
+

rebar.config

@@ -30,6 +30,7 @@
         {jiffy, ".*", {git, "https://github.com/davisp/jiffy", {tag, "0.14.8"}}},
         {p1_oauth2, ".*", {git, "https://github.com/processone/p1_oauth2", {tag, "0.6.2"}}},
         {luerl, ".*", {git, "https://github.com/rvirding/luerl", {tag, "v0.2"}}},
+	{jose, ".*", {git, "git://github.com/potatosalad/erlang-jose.git", {tag, "1.8.4"}}},
 	{fs, ".*", {git, "https://github.com/synrc/fs.git", {tag, "2.12.0"}}},
 	{if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.15"}}}},
 	{if_var_true, sip, {esip, ".*", {git, "https://github.com/processone/esip", {tag, "1.0.16"}}}},

src/acme_challenge.erl

@@ -0,0 +1,145 @@
+-module(acme_challenge).
+
+-export ([key_authorization/2,
+	  solve_challenge/3,
+	  process/2,
+	  register_hooks/1,
+	  unregister_hooks/1,
+	  acme_handler/3
+         ]).
+%% Challenge Types
+%% ================
+%% 1. http-01: https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.2
+%% 2. dns-01: https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.3
+%% 3. tls-sni-01: https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.4
+%% 4. (?) oob-01:  https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.5
+
+-include("ejabberd.hrl").
+-include("logger.hrl").
+-include("xmpp.hrl").
+-include("ejabberd_http.hrl").
+-include("ejabberd_acme.hrl").
+
+%% This is the default endpoint for the http challenge
+%% This hooks is called from ejabberd_http
+acme_handler(Handlers, _Host, Request) ->
+    case Request#request.path of
+	[<<".well-known">>|_] ->
+	    [{[<<".well-known">>],acme_challenge}|Handlers];
+	_ ->
+	    Handlers
+    end.
+
+%% TODO: Maybe validate request here??
+process(LocalPath, _Request) ->
+    Result = ets_get_key_authorization(LocalPath),
+    {200, 
+     [{<<"Content-Type">>, <<"text/plain">>}], 
+     Result}. 
+
+register_hooks(_Domain) ->
+    ?INFO_MSG("Registering hook for ACME HTTP headers", []),
+    ejabberd_hooks:add(http_request_handlers, ?MODULE, acme_handler, 50).
+
+unregister_hooks(_Domain) ->
+    ?INFO_MSG("Unregistering hook for ACME HTTP headers", []),
+    ejabberd_hooks:delete(http_request_handlers, ?MODULE, acme_handler, 50).
+
+-spec key_authorization(bitstring(), jose_jwk:key()) -> bitstring().
+key_authorization(Token, Key) ->
+    Thumbprint = jose_jwk:thumbprint(Key),
+    KeyAuthorization = erlang:iolist_to_binary([Token, <<".">>, Thumbprint]),
+    KeyAuthorization.
+
+-spec parse_challenge({proplist()}) -> {ok, acme_challenge()} | {error, _}.
+parse_challenge(Challenge0) ->
+    try
+	{Challenge} = Challenge0,
+	{<<"type">>,Type} = proplists:lookup(<<"type">>, Challenge),
+	{<<"status">>,Status} = proplists:lookup(<<"status">>, Challenge),
+	{<<"uri">>,Uri} = proplists:lookup(<<"uri">>, Challenge),
+	{<<"token">>,Token} = proplists:lookup(<<"token">>, Challenge),
+	Res =
+	    #challenge{
+	       type = Type,
+	       status = list_to_atom(bitstring_to_list(Status)),
+	       uri = bitstring_to_list(Uri),
+	       token = Token
+	      },
+	{ok, Res}
+    catch
+	_:Error ->
+	    {error, Error}
+    end.
+
+
+
+-spec solve_challenge(bitstring(), [{proplist()}], _) ->
+			     {ok, url(), bitstring()} | {error, _}.
+solve_challenge(ChallengeType, Challenges, Options) ->
+    ParsedChallenges = [parse_challenge(Chall) || Chall <- Challenges],
+    case lists:any(fun is_error/1, ParsedChallenges) of
+	true ->
+	    ?ERROR_MSG("Error parsing challenges: ~p~n", [Challenges]),
+	    {error, parse_challenge};
+	false ->
+	    case [C || {ok, C} <- ParsedChallenges, is_challenge_type(ChallengeType, C)] of
+		[Challenge] ->
+		    solve_challenge1(Challenge, Options);
+		_ ->
+		    ?ERROR_MSG("Challenge ~p not found in challenges: ~p~n", [ChallengeType, Challenges]),
+		    {error, not_found}
+	    end
+    end.
+
+-spec solve_challenge1(acme_challenge(), {jose_jwk:key(), string()}) ->
+			      {ok, url(), bitstring()} | {error, _}.
+solve_challenge1(Chal = #challenge{type = <<"http-01">>, token=Tkn}, Key) ->
+    KeyAuthz = key_authorization(Tkn, Key),
+    %% save_key_authorization(Chal, Tkn, KeyAuthz, HttpDir);
+    ets_put_key_authorization(Tkn, KeyAuthz),
+    {ok, Chal#challenge.uri, KeyAuthz};
+solve_challenge1(Challenge, _Key) ->
+    ?ERROR_MSG("Unkown Challenge Type: ~p", [Challenge]),
+    {error, unknown_challenge}.
+
+
+-spec ets_put_key_authorization(bitstring(), bitstring()) -> ok.
+ets_put_key_authorization(Tkn, KeyAuthz) ->
+    Tab = ets_get_acme_table(),
+    Key = [<<"acme-challenge">>, Tkn],
+    ets:insert(Tab, {Key, KeyAuthz}),
+    ok.
+ 
+-spec ets_get_key_authorization([bitstring()]) -> bitstring().
+ets_get_key_authorization(Key) ->
+    Tab = ets_get_acme_table(),
+    case ets:lookup(Tab, Key) of
+	[{Key, KeyAuthz}] ->
+	    ets:delete(Tab, Key),
+	    KeyAuthz;
+	_ ->
+	    ?ERROR_MSG("Unable to serve key authorization in: ~p", [Key]),
+	    <<"">>
+    end.
+
+-spec ets_get_acme_table() -> atom().
+ets_get_acme_table() ->
+    case ets:info(acme) of
+	undefined ->
+	    ets:new(acme, [named_table, public]);
+	_ ->
+	    acme
+    end.
+
+%% Useful functions
+
+is_challenge_type(DesiredType, #challenge{type = Type}) when DesiredType =:= Type ->
+    true;
+is_challenge_type(_DesiredType, #challenge{type = _Type}) ->
+    false.
+
+-spec is_error({'error', _}) -> 'true';
+	      ({'ok', _}) -> 'false'.
+is_error({error, _}) -> true;
+is_error(_) -> false.

src/ejabberd_acme_comm.erl

@@ -0,0 +1,393 @@
+-module(ejabberd_acme_comm).
+-export([%% Directory
+	 directory/1,
+         %% Account
+	 new_account/4,
+	 update_account/4,
+	 get_account/3,
+	 delete_account/3,
+         %% Authorization
+	 new_authz/4,
+	 get_authz/1,
+	 complete_challenge/4,
+         %% Authorization polling
+	 get_authz_until_valid/1,
+	 %% Certificate
+	 new_cert/4,
+         get_cert/1,
+         revoke_cert/4
+         %% Not yet implemented
+	 %% key_roll_over/5
+         %% delete_authz/3
+	]).
+
+-include("ejabberd.hrl").
+-include("logger.hrl").
+-include("xmpp.hrl").
+
+-include("ejabberd_acme.hrl").
+-include_lib("public_key/include/public_key.hrl").
+
+-define(REQUEST_TIMEOUT, 5000). % 5 seconds.
+-define(MAX_POLL_REQUESTS, 20).
+-define(POLL_WAIT_TIME, 500). % 500 ms.
+
+%%%
+%%% This module contains functions that implement all necessary http
+%%% requests to the ACME Certificate Authority. Its purpose is to
+%%% facilitate the acme client implementation by separating the
+%%% handling/validating/parsing of all the needed http requests.
+%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Directory
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec directory(url()) -> {ok, dirs(), nonce()} | {error, _}.
+directory(CAUrl) ->
+    Url = CAUrl ++ "/directory",
+    prepare_get_request(Url, fun get_dirs/1).
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Account Handling
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec new_account(dirs(), jose_jwk:key(), proplist(), nonce()) ->
+			 {ok, {url(), proplist()}, nonce()} | {error, _}.
+new_account(Dirs, PrivateKey, Req, Nonce) ->
+    #{"new-reg" := Url} = Dirs,
+    EJson = {[{ <<"resource">>, <<"new-reg">>}] ++ Req},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
+
+-spec update_account({url(), string()}, jose_jwk:key(), proplist(), nonce()) ->
+			    {ok, proplist(), nonce()} | {error, _}.
+update_account({CAUrl, AccId}, PrivateKey, Req, Nonce) ->
+    Url = CAUrl ++ "/acme/reg/" ++ AccId,
+    EJson = {[{ <<"resource">>, <<"reg">>}] ++ Req},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
+
+-spec get_account({url(), string()}, jose_jwk:key(), nonce()) ->
+			 {ok, {url(), proplist()}, nonce()} | {error, _}.
+get_account({CAUrl, AccId}, PrivateKey, Nonce) ->
+    Url = CAUrl ++ "/acme/reg/" ++ AccId,
+    EJson = {[{<<"resource">>, <<"reg">>}]},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
+
+-spec delete_account({url(), string()}, jose_jwk:key(), nonce()) ->
+			    {ok, proplist(), nonce()} | {error, _}.
+delete_account({CAUrl, AccId}, PrivateKey, Nonce) ->
+    Url = CAUrl ++ "/acme/reg/" ++ AccId,
+    EJson =
+	{[{<<"resource">>, <<"reg">>},
+	  {<<"status">>, <<"deactivated">>}]},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Authorization Handling
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec new_authz(dirs(), jose_jwk:key(), proplist(), nonce()) ->
+		       {ok, {url(), proplist()}, nonce()} | {error, _}.
+new_authz(Dirs, PrivateKey, Req, Nonce) ->
+    #{"new-authz" := Url} = Dirs,
+    EJson = {[{<<"resource">>, <<"new-authz">>}] ++ Req},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1).
+
+-spec get_authz({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
+get_authz({CAUrl, AuthzId}) ->
+    Url = CAUrl ++ "/acme/authz/" ++ AuthzId,
+    prepare_get_request(Url, fun get_response/1).
+
+-spec complete_challenge({url(), string(), string()}, jose_jwk:key(), proplist(), nonce()) ->
+				{ok, proplist(), nonce()} | {error, _}.
+complete_challenge({CAUrl, AuthzId, ChallId}, PrivateKey, Req, Nonce) ->
+    Url = CAUrl ++ "/acme/challenge/" ++ AuthzId ++ "/" ++ ChallId,
+    EJson = {[{<<"resource">>, <<"challenge">>}] ++ Req},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Certificate Handling
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec new_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
+		      {ok, {url(), list()}, nonce()} | {error, _}.
+new_cert(Dirs, PrivateKey, Req, Nonce) ->
+    #{"new-cert" := Url} = Dirs,
+    EJson = {[{<<"resource">>, <<"new-cert">>}] ++ Req},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1,
+			 "application/pkix-cert").
+
+-spec get_cert({url(), string()}) -> {ok, list(), nonce()} | {error, _}.
+get_cert({CAUrl, CertId}) ->
+    Url = CAUrl ++ "/acme/cert/" ++ CertId,
+    prepare_get_request(Url, fun get_response/1, "application/pkix-cert").
+
+-spec revoke_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
+			 {ok, _, nonce()} | {error, _}.
+revoke_cert(Dirs, PrivateKey, Req, Nonce) ->
+    #{"revoke-cert" := Url} = Dirs,
+    EJson = {[{<<"resource">>, <<"revoke-cert">>}] ++ Req},
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1,
+                         "application/pkix-cert").
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Handle Response Functions
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec get_dirs({ok, proplist(), proplist()}) -> {ok, map(), nonce()}.
+get_dirs({ok, Head, Return}) ->
+    NewNonce = get_nonce(Head),
+    StrDirectories = [{bitstring_to_list(X), bitstring_to_list(Y)} ||
+			 {X, Y} <- Return, is_bitstring(X) andalso is_bitstring(Y)],
+    NewDirs = maps:from_list(StrDirectories),
+    {ok, NewDirs, NewNonce}.
+
+-spec get_response({ok, proplist(), proplist()}) -> {ok, proplist(), nonce()}.
+get_response({ok, Head, Return}) ->
+    NewNonce = get_nonce(Head),
+    {ok, Return, NewNonce}.
+
+-spec get_response_tos({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
+get_response_tos({ok, Head, Return}) ->
+    TOSUrl = get_tos(Head),
+    NewNonce = get_nonce(Head),
+    {ok, {TOSUrl, Return}, NewNonce}.
+
+-spec get_response_location({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
+get_response_location({ok, Head, Return}) ->
+    Location = get_location(Head),
+    NewNonce = get_nonce(Head),
+    {ok, {Location, Return}, NewNonce}.
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Authorization Polling
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec get_authz_until_valid({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
+get_authz_until_valid({CAUrl, AuthzId}) ->
+    get_authz_until_valid({CAUrl, AuthzId}, ?MAX_POLL_REQUESTS).
+
+-spec get_authz_until_valid({url(), string()}, non_neg_integer()) ->
+				   {ok, proplist(), nonce()} | {error, _}.
+get_authz_until_valid({_CAUrl, _AuthzId}, 0) ->
+    ?ERROR_MSG("Maximum request limit waiting for validation reached", []),
+    {error, max_request_limit};
+get_authz_until_valid({CAUrl, AuthzId}, N) ->
+    case get_authz({CAUrl, AuthzId}) of
+	{ok, Resp, Nonce} ->
+	    case is_authz_valid(Resp) of
+		true ->
+		    {ok, Resp, Nonce};
+		false ->
+		    timer:sleep(?POLL_WAIT_TIME),
+		    get_authz_until_valid({CAUrl, AuthzId}, N-1)
+	    end;
+	{error, _} = Err ->
+	    Err
+    end.
+
+-spec is_authz_valid(proplist()) -> boolean().
+is_authz_valid(Authz) ->
+    case proplists:lookup(<<"status">>, Authz) of
+	{<<"status">>, <<"valid">>} ->
+	    true;
+	_ ->
+	    false
+    end.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Request Functions
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%% TODO: Fix the duplicated code at the below 4 functions
+-spec make_post_request(url(), bitstring(), string()) ->
+			       {ok, proplist(), proplist()} | {error, _}.
+make_post_request(Url, ReqBody, ResponseType) ->
+    Options = [],
+    HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
+    case httpc:request(post,
+		       {Url, [], "application/jose+json", ReqBody}, HttpOptions, Options) of
+	{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
+	    decode_response(Head, Body, ResponseType);
+	Error ->
+	    failed_http_request(Error, Url)
+    end.
+
+-spec make_get_request(url(), string()) ->
+			      {ok, proplist(), proplist()} | {error, _}.
+make_get_request(Url, ResponseType) ->
+    Options = [],
+    HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
+    case httpc:request(get, {Url, []}, HttpOptions, Options) of
+	{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
+	    decode_response(Head, Body, ResponseType);
+	Error ->
+	    failed_http_request(Error, Url)
+    end.
+
+-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
+			   nonce(), handle_resp_fun()) -> {ok, _, nonce()} | {error, _}.
+prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun) ->
+    prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, "application/jose+json").
+
+-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
+			   nonce(), handle_resp_fun(), string()) -> {ok, _, nonce()} | {error, _}.
+prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, ResponseType) ->
+    case encode(EJson) of
+	{ok, ReqBody} ->
+	    FinalBody = sign_encode_json_jose(PrivateKey, ReqBody, Nonce),
+	    case make_post_request(Url, FinalBody, ResponseType) of
+		{ok, Head, Return} ->
+		    HandleRespFun({ok, Head, Return});
+		Error ->
+		    Error
+	    end;
+	{error, Reason} ->
+	    ?ERROR_MSG("Error: ~p when encoding: ~p", [Reason, EJson]),
+	    {error, Reason}
+    end.
+
+-spec prepare_get_request(url(), handle_resp_fun()) ->
+				 {ok, _, nonce()} | {error, _}.
+prepare_get_request(Url, HandleRespFun) ->
+    prepare_get_request(Url, HandleRespFun, "application/jose+json").
+
+-spec prepare_get_request(url(), handle_resp_fun(), string()) ->
+				 {ok, _, nonce()} | {error, _}.
+prepare_get_request(Url, HandleRespFun, ResponseType) ->
+    case make_get_request(Url, ResponseType) of
+	{ok, Head, Return} ->
+	    HandleRespFun({ok, Head, Return});
+	Error ->
+	    Error
+    end.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Jose Json Functions
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec sign_json_jose(jose_jwk:key(), bitstring(), nonce()) -> {_, jws()}.
+sign_json_jose(Key, Json, Nonce) ->
+    PubKey = ejabberd_acme:to_public(Key),
+    {_, BinaryPubKey} = jose_jwk:to_binary(PubKey),
+    PubKeyJson = jiffy:decode(BinaryPubKey),
+    %% TODO: Ensure this works for all cases
+    AlgMap = jose_jwk:signer(Key),
+    JwsMap =
+	#{ <<"jwk">> => PubKeyJson,
+	   %% <<"b64">> => true,
+	   <<"nonce">> => list_to_bitstring(Nonce)
+	 },
+    JwsObj0 = maps:merge(JwsMap, AlgMap),
+    JwsObj = jose_jws:from(JwsObj0),
+    jose_jws:sign(Key, Json, JwsObj).
+
+-spec sign_encode_json_jose(jose_jwk:key(), bitstring(), nonce()) -> bitstring().
+sign_encode_json_jose(Key, Json, Nonce) ->
+    {_, Signed} = sign_json_jose(Key, Json, Nonce),
+    %% This depends on jose library, so we can consider it safe
+    jiffy:encode(Signed).
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Useful funs
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec get_nonce(proplist()) -> nonce() | 'none'.
+get_nonce(Head) ->
+    case proplists:lookup("replay-nonce", Head) of
+	{"replay-nonce", Nonce} -> Nonce;
+	none -> none
+    end.
+
+-spec get_location(proplist()) -> url() | 'none'.
+get_location(Head) ->
+    case proplists:lookup("location", Head) of
+	{"location", Location} -> Location;
+	none -> none
+    end.
+
+%% Very bad way to extract this
+%% TODO: Find a better way
+-spec get_tos(proplist()) -> url() | 'none'.
+get_tos(Head) ->
+    try
+	[{_, Link}] = [{K, V} || {K, V} <- Head,
+				 K =:= "link" andalso
+				     lists:suffix("\"terms-of-service\"", V)],
+	[Link1, _] = string:tokens(Link, ";"),
+	Link2 = string:strip(Link1, left, $<),
+	string:strip(Link2, right, $>)
+    catch
+	_:_ ->
+	    none
+    end.
+
+decode_response(Head, Body, "application/pkix-cert") ->
+    {ok, Head, Body};
+decode_response(Head, Body, "application/jose+json") ->
+    case decode(Body) of
+	{ok, Return} ->
+	    {ok, Head, Return};
+	{error, Reason} ->
+	    ?ERROR_MSG("Problem decoding: ~s", [Body]),
+	    {error, Reason}
+    end.
+
+encode(EJson) ->
+    try
+	{ok, jiffy:encode(EJson)}
+    catch
+	_:Reason ->
+	    {error, Reason}
+    end.
+
+decode(Json) ->
+    try
+	{Result} = jiffy:decode(Json),
+	{ok, Result}
+    catch
+	_:Reason ->
+	    {error, Reason}
+    end.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Handle Failed HTTP Requests
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-spec failed_http_request({ok, _} | {error, _}, url()) -> {error, _}.
+failed_http_request({ok, {{_, Code, Reason}, _Head, Body}}, Url) ->
+    ?ERROR_MSG("Got unexpected status code from <~s>: ~B, Body: ~s",
+	       [Url, Code, Body]),
+    throw({error, {unexpected_code, Code, Reason}});
+failed_http_request({error, Reason}, Url) ->
+    ?ERROR_MSG("Error making a request to <~s>: ~p",
+	       [Url, Reason]),
+    throw({error, Reason}).

src/ejabberd_admin.erl

@@ -44,6 +44,11 @@
 	 registered_users/1,
 	 %% Migration jabberd1.4
 	 import_file/1, import_dir/1,
+         %% Acme
+         get_certificate/1,
+	 renew_certificate/0,
+	 list_certificates/1,
+	 revoke_certificate/1,
 	 %% Purge DB
 	 delete_expired_messages/0, delete_old_messages/1,
 	 %% Mnesia
@@ -242,6 +247,30 @@ get_commands_spec() ->
 			args_example = ["/var/lib/ejabberd/jabberd14/"],
 			args = [{file, string}],
 			result = {res, restuple}},
+     #ejabberd_commands{name = get_certificate, tags = [acme],
+			desc = "Gets a certificate for all or the specified domains {all|domain1;domain2;...}.",
+			module = ?MODULE, function = get_certificate,
+			args_desc = ["Domains for which to acquire a certificate"],
+			args_example = ["all | www.example.com;www.example1.net"],
+			args = [{domains, string}],
+			result = {certificates, string}},
+     #ejabberd_commands{name = renew_certificate, tags = [acme],
+			desc = "Renews all certificates that are close to expiring",
+			module = ?MODULE, function = renew_certificate,
+			args = [],
+			result = {certificates, string}},
+     #ejabberd_commands{name = list_certificates, tags = [acme],
+			desc = "Lists all curently handled certificates and their respective domains in {plain|verbose} format",
+			module = ?MODULE, function = list_certificates,
+			args_desc = ["Whether to print the whole certificate or just some metadata. Possible values: plain | verbose"],
+			args = [{option, string}],
+			result = {certificates, {list, {certificate, string}}}},
+     #ejabberd_commands{name = revoke_certificate, tags = [acme],
+			desc = "Revokes the selected certificate",
+			module = ?MODULE, function = revoke_certificate,
+			args_desc = ["The domain or file (in pem format) of the certificate in question {domain:Domain | file:File}"],
+			args = [{domain_or_file, string}],
+			result = {res, restuple}},
 
      #ejabberd_commands{name = import_piefxis, tags = [mnesia],
 			desc = "Import users data from a PIEFXIS file (XEP-0227)",
@@ -542,6 +571,38 @@ import_dir(Path) ->
 	    {cannot_import_dir, String}
     end.
 
+%%%
+%%% Acme
+%%%
+
+get_certificate(Domains) ->
+    case ejabberd_acme:is_valid_domain_opt(Domains) of 
+	true ->
+	    ejabberd_acme:get_certificates(Domains);
+	false ->
+	    io_lib:format("Invalid domains: ~p", [Domains])
+    end.
+
+renew_certificate() ->
+    ejabberd_acme:renew_certificates().
+
+list_certificates(Verbose) ->
+    case ejabberd_acme:is_valid_verbose_opt(Verbose) of
+	true ->
+	    ejabberd_acme:list_certificates(Verbose);
+	false ->
+	    String = io_lib:format("Invalid verbose  option: ~p", [Verbose]),
+	    {invalid_option, String}
+    end.
+
+revoke_certificate(DomainOrFile) ->
+    case ejabberd_acme:is_valid_revoke_cert(DomainOrFile) of
+	true ->
+	    ejabberd_acme:revoke_certificate(DomainOrFile);
+	false ->
+	    String = io_lib:format("Bad argument: ~s", [DomainOrFile]),
+	    {invalid_argument, String}
+    end.
 
 %%%
 %%% Purge DB

src/ejabberd_http.erl

@@ -465,7 +465,9 @@ process_request(#state{request_method = Method,
 			       opts = Options,
                                headers = RequestHeaders,
                                ip = IP},
-	    Res = case process(RequestHandlers, Request, Socket, SockMod, Trail) of
+	    RequestHandlers1 = ejabberd_hooks:run_fold(
+				http_request_handlers, RequestHandlers, [Host, Request]),
+	    Res = case process(RequestHandlers1, Request, Socket, SockMod, Trail) of
 		      El when is_record(El, xmlel) ->
 			  make_xhtml_output(State, 200, CustomHeaders, El);
 		      {Status, Headers, El}

src/ejabberd_pkix.erl

@@ -301,7 +301,14 @@ add_certfiles(Host, State) ->
 			       NewAccState
 		       end
 	       end, State, certfiles_from_config_options()),
-    if State /= State1 ->
+    State2 = case ejabberd_acme:certificate_exists(Host) of
+		 {true, Path} ->
+		     {_, State3} = add_certfile(Path, State1),
+		     State3;
+		 false ->
+		     State1
+	     end,
+    if State /= State2 ->
 	    case build_chain_and_check(State1) of
 		ok -> {ok, State1};
 		{error, _} = Err -> Err