mirror of
https://github.com/processone/ejabberd.git
synced 2024-11-20 16:15:59 +01:00
Add support for command get_certificates, very crude
This commit is contained in:
parent
637d9b054b
commit
d3c477646f
@ -659,6 +659,16 @@ language: "en"
|
||||
##
|
||||
## captcha_limit: 5
|
||||
|
||||
###. ====
|
||||
###' ACME
|
||||
|
||||
##
|
||||
## Must contain a contact and a directory that the Http Challenges can be solved at
|
||||
##
|
||||
acme:
|
||||
contact: "mailto:cert-admin-ejabberd@example.com"
|
||||
http_dir: "/home/konstantinos/Desktop/Programming/test-server-for-acme/"
|
||||
|
||||
###. =======
|
||||
###' MODULES
|
||||
|
||||
|
@ -2,13 +2,25 @@
|
||||
-record(challenge, {
|
||||
type = <<"http-01">> :: bitstring(),
|
||||
status = pending :: pending | valid | invalid,
|
||||
uri = <<"">> :: bitstring(),
|
||||
uri = "" :: url(),
|
||||
token = <<"">> :: bitstring()
|
||||
}).
|
||||
|
||||
-record(data_acc, {
|
||||
id :: list(),
|
||||
key :: jose_jwk:key()
|
||||
}).
|
||||
|
||||
-record(data, {
|
||||
account = none :: #data_acc{} | 'none'
|
||||
}).
|
||||
|
||||
|
||||
|
||||
-type nonce() :: string().
|
||||
-type url() :: string().
|
||||
-type proplist() :: [{_, _}].
|
||||
-type dirs() :: #{string() => url()}.
|
||||
-type jws() :: map().
|
||||
-type handle_resp_fun() :: fun(({ok, proplist(), proplist()}) -> {ok, _, nonce()}).
|
||||
|
||||
|
@ -1,10 +1,11 @@
|
||||
-module (ejabberd_acme).
|
||||
|
||||
-export([directory/1,
|
||||
-export([%% Directory
|
||||
directory/1,
|
||||
%% Account
|
||||
get_account/3,
|
||||
new_account/4,
|
||||
update_account/4,
|
||||
get_account/3,
|
||||
delete_account/3,
|
||||
%% Authorization
|
||||
new_authz/4,
|
||||
@ -14,9 +15,14 @@
|
||||
new_cert/4,
|
||||
get_cert/1,
|
||||
revoke_cert/4,
|
||||
%% Ejabberdctl Commands
|
||||
get_certificates/3,
|
||||
%% Command Options Validity
|
||||
is_valid_account_opt/1,
|
||||
%% Debugging Scenarios
|
||||
scenario/3,
|
||||
scenario0/2
|
||||
scenario0/2,
|
||||
new_user_scenario/2
|
||||
%% Not yet implemented
|
||||
%% key_roll_over/5
|
||||
%% delete_authz/3
|
||||
@ -40,8 +46,9 @@
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec directory(url()) -> {ok, map(), nonce()} | {error, _}.
|
||||
directory(Url) ->
|
||||
-spec directory(url()) -> {ok, dirs(), nonce()} | {error, _}.
|
||||
directory(CAUrl) ->
|
||||
Url = CAUrl ++ "/directory",
|
||||
prepare_get_request(Url, fun get_dirs/1).
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
@ -50,27 +57,31 @@ directory(Url) ->
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec new_account(url(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
-spec new_account(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||
new_account(Url, PrivateKey, Req, Nonce) ->
|
||||
new_account(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"new-reg" := Url} = Dirs,
|
||||
EJson = {[{ <<"resource">>, <<"new-reg">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
||||
|
||||
-spec update_account(url(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
-spec update_account({url(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
update_account(Url, PrivateKey, Req, Nonce) ->
|
||||
update_account({CAUrl, AccId}, PrivateKey, Req, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||
EJson = {[{ <<"resource">>, <<"reg">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||
|
||||
-spec get_account(url(), jose_jwk:key(), nonce()) ->
|
||||
-spec get_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||
get_account(Url, PrivateKey, Nonce) ->
|
||||
get_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||
EJson = {[{<<"resource">>, <<"reg">>}]},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
||||
|
||||
-spec delete_account(url(), jose_jwk:key(), nonce()) ->
|
||||
-spec delete_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
delete_account(Url, PrivateKey, Nonce) ->
|
||||
delete_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||
EJson =
|
||||
{[{<<"resource">>, <<"reg">>},
|
||||
{<<"status">>, <<"deactivated">>}]},
|
||||
@ -83,19 +94,22 @@ delete_account(Url, PrivateKey, Nonce) ->
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec new_authz(url(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
-spec new_authz(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||
new_authz(Url, PrivateKey, Req, Nonce) ->
|
||||
new_authz(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"new-authz" := Url} = Dirs,
|
||||
EJson = {[{<<"resource">>, <<"new-authz">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1).
|
||||
|
||||
-spec get_authz(url()) -> {ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz(Url) ->
|
||||
-spec get_authz({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz({CAUrl, AuthzId}) ->
|
||||
Url = CAUrl ++ "/acme/authz/" ++ AuthzId,
|
||||
prepare_get_request(Url, fun get_response/1).
|
||||
|
||||
-spec complete_challenge(url(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
-spec complete_challenge({url(), string(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
complete_challenge(Url, PrivateKey, Req, Nonce) ->
|
||||
complete_challenge({CAUrl, AuthzId, ChallId}, PrivateKey, Req, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/challenge/" ++ AuthzId ++ "/" ++ ChallId,
|
||||
EJson = {[{<<"resource">>, <<"challenge">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||
|
||||
@ -106,20 +120,23 @@ complete_challenge(Url, PrivateKey, Req, Nonce) ->
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec new_cert(url(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
-spec new_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, {url(), list()}, nonce()} | {error, _}.
|
||||
new_cert(Url, PrivateKey, Req, Nonce) ->
|
||||
new_cert(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"new-cert" := Url} = Dirs,
|
||||
EJson = {[{<<"resource">>, <<"new-cert">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1,
|
||||
"application/pkix-cert").
|
||||
|
||||
-spec get_cert(url()) -> {ok, list(), nonce()} | {error, _}.
|
||||
get_cert(Url) ->
|
||||
-spec get_cert({url(), string()}) -> {ok, list(), nonce()} | {error, _}.
|
||||
get_cert({CAUrl, CertId}) ->
|
||||
Url = CAUrl ++ "/acme/cert/" ++ CertId,
|
||||
prepare_get_request(Url, fun get_response/1, "application/pkix-cert").
|
||||
|
||||
-spec revoke_cert(url(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
-spec revoke_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, _, nonce()} | {error, _}.
|
||||
revoke_cert(Url, PrivateKey, Req, Nonce) ->
|
||||
revoke_cert(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"revoke-cert" := Url} = Dirs,
|
||||
EJson = {[{<<"resource">>, <<"revoke-cert">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1,
|
||||
"application/pkix-cert").
|
||||
@ -294,7 +311,7 @@ attribute_parser_fun({AttrName, AttrVal}) ->
|
||||
{error, bad_attributes}
|
||||
end.
|
||||
|
||||
-spec attribute_oid(atom()) -> tuple().
|
||||
-spec attribute_oid(atom()) -> tuple() | no_return().
|
||||
attribute_oid(commonName) -> ?'id-at-commonName';
|
||||
attribute_oid(countryName) -> ?'id-at-countryName';
|
||||
attribute_oid(stateOrProvinceName) -> ?'id-at-stateOrProvinceName';
|
||||
@ -309,24 +326,24 @@ attribute_oid(_) -> error(bad_attributes).
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec get_authz_until_valid(url()) -> {ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz_until_valid(Url) ->
|
||||
get_authz_until_valid(Url, ?MAX_POLL_REQUESTS).
|
||||
-spec get_authz_until_valid({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz_until_valid({CAUrl, AuthzId}) ->
|
||||
get_authz_until_valid({CAUrl, AuthzId}, ?MAX_POLL_REQUESTS).
|
||||
|
||||
-spec get_authz_until_valid(url(), non_neg_integer()) ->
|
||||
-spec get_authz_until_valid({url(), string()}, non_neg_integer()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz_until_valid(Url, 0) ->
|
||||
get_authz_until_valid({_CAUrl, _AuthzId}, 0) ->
|
||||
?ERROR_MSG("Maximum request limit waiting for validation reached", []),
|
||||
{error, max_request_limit};
|
||||
get_authz_until_valid(Url, N) ->
|
||||
case get_authz(Url) of
|
||||
get_authz_until_valid({CAUrl, AuthzId}, N) ->
|
||||
case get_authz({CAUrl, AuthzId}) of
|
||||
{ok, Resp, Nonce} ->
|
||||
case is_authz_valid(Resp) of
|
||||
true ->
|
||||
{ok, Resp, Nonce};
|
||||
false ->
|
||||
timer:sleep(?POLL_WAIT_TIME),
|
||||
get_authz_until_valid(Url, N-1)
|
||||
get_authz_until_valid({CAUrl, AuthzId}, N-1)
|
||||
end;
|
||||
{error, _} = Err ->
|
||||
Err
|
||||
@ -461,6 +478,17 @@ get_location(Head) ->
|
||||
none -> none
|
||||
end.
|
||||
|
||||
-spec location_to_id(url()) -> {ok, string()} | {error, not_found}.
|
||||
location_to_id(Url0) ->
|
||||
Url = string:strip(Url0, right, $/),
|
||||
case string:rchr(Url, $/) of
|
||||
0 ->
|
||||
?ERROR_MSG("Couldn't find id in url: ~p~n", [Url]),
|
||||
{error, not_found};
|
||||
Ind ->
|
||||
{ok, string:sub_string(Url, Ind+1)}
|
||||
end.
|
||||
|
||||
%% Very bad way to extract this
|
||||
%% TODO: Find a better way
|
||||
-spec get_tos(proplist()) -> url() | 'none'.
|
||||
@ -529,7 +557,228 @@ failed_http_request({error, Reason}, Url) ->
|
||||
[Url, Reason]),
|
||||
{error, Reason}.
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Handle Config and Persistence Files
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
persistent_file() ->
|
||||
MnesiaDir = mnesia:system_info(directory),
|
||||
filename:join(MnesiaDir, "acme.DAT").
|
||||
|
||||
read_persistent() ->
|
||||
case file:read_file(persistent_file()) of
|
||||
{ok, Binary} ->
|
||||
{ok, binary_to_term(Binary)};
|
||||
{error, enoent} ->
|
||||
{ok, #data{}};
|
||||
{error, Reason} ->
|
||||
?ERROR_MSG("Error: ~p reading acme data file", [Reason]),
|
||||
{error, Reason}
|
||||
end.
|
||||
|
||||
write_persistent(Data) ->
|
||||
Binary = term_to_binary(Data),
|
||||
case file:write_file(persistent_file(), Binary) of
|
||||
ok -> ok;
|
||||
{error, Reason} ->
|
||||
?ERROR_MSG("Error: ~p writing acme data file", [Reason]),
|
||||
{error, Reason}
|
||||
end.
|
||||
|
||||
get_account_persistent(#data{account = Account}) ->
|
||||
case Account of
|
||||
#data_acc{id = AccId, key = PrivateKey} ->
|
||||
{ok, AccId, PrivateKey};
|
||||
none ->
|
||||
none
|
||||
end.
|
||||
|
||||
set_account_persistent(Data = #data{}, {AccId, PrivateKey}) ->
|
||||
NewAcc = #data_acc{id = AccId, key = PrivateKey},
|
||||
Data#data{account = NewAcc}.
|
||||
|
||||
get_config_contact() ->
|
||||
case ejabberd_config:get_option(acme, undefined) of
|
||||
undefined ->
|
||||
?ERROR_MSG("No acme configuration has been specified", []),
|
||||
{error, configuration};
|
||||
Acme ->
|
||||
case lists:keyfind(contact, 1, Acme) of
|
||||
{contact, Contact} ->
|
||||
{ok, Contact};
|
||||
false ->
|
||||
?ERROR_MSG("No contact has been specified", []),
|
||||
{error, configuration_contact}
|
||||
end
|
||||
end.
|
||||
|
||||
get_config_hosts() ->
|
||||
case ejabberd_config:get_option(hosts, undefined) of
|
||||
undefined ->
|
||||
?ERROR_MSG("No hosts have been specified", []),
|
||||
{error, configuration_hosts};
|
||||
Hosts ->
|
||||
{ok, Hosts}
|
||||
end.
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Command Functions
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
%%
|
||||
%% Check Validity of command options
|
||||
%%
|
||||
|
||||
is_valid_account_opt("old-account") -> true;
|
||||
is_valid_account_opt("new-account") -> true;
|
||||
is_valid_account_opt(_) -> false.
|
||||
|
||||
%%
|
||||
%% Get Certificate
|
||||
%%
|
||||
|
||||
%% Needs a hell lot of cleaning
|
||||
get_certificates(CAUrl, HttpDir, NewAccountOpt) ->
|
||||
try
|
||||
get_certificates0(CAUrl, HttpDir, NewAccountOpt)
|
||||
catch
|
||||
E:R ->
|
||||
{E,R}
|
||||
end.
|
||||
|
||||
get_certificates0(CAUrl, HttpDir, "old-account") ->
|
||||
%% Read Persistent Data
|
||||
{ok, Data} = read_persistent(),
|
||||
|
||||
%% Get the current account
|
||||
case get_account_persistent(Data) of
|
||||
none ->
|
||||
?ERROR_MSG("No existing account", []),
|
||||
{error, no_old_account};
|
||||
{ok, _AccId, PrivateKey} ->
|
||||
get_certificates1(CAUrl, HttpDir, PrivateKey)
|
||||
end;
|
||||
get_certificates0(CAUrl, HttpDir, "new-account") ->
|
||||
%% Get contact from configuration file
|
||||
{ok, Contact} = get_config_contact(),
|
||||
|
||||
%% Generate a Key
|
||||
PrivateKey = generate_key(),
|
||||
|
||||
%% Create a new account
|
||||
{ok, _Id} = create_new_account(CAUrl, Contact, Key),
|
||||
|
||||
%% Write Persistent Data
|
||||
{ok, Data} = read_persistent(),
|
||||
NewData = set_account_persistent(Data, {Id, Key}),
|
||||
ok = write_persistent(NewData),
|
||||
|
||||
get_certificates1(CAUrl, HttpDir, PrivateKey).
|
||||
|
||||
|
||||
get_certificates1(CAUrl, HttpDir, PrivateKey) ->
|
||||
%% Read Config
|
||||
{ok, Hosts} = get_config_hosts(),
|
||||
|
||||
%% Get a certificate for each host
|
||||
PemCertKeys = [get_certificate(CAUrl, Host, PrivateKey, HttpDir) || Host <- Hosts],
|
||||
{AccId, PrivateKey, PemCertKeys}.
|
||||
|
||||
|
||||
get_certificate(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
||||
?INFO_MSG("Getting a Certificate for domain: ~p~n", [DomainName]),
|
||||
case create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) of
|
||||
{ok, Authz} ->
|
||||
create_new_certificate(CAUrl, DomainName, PrivateKey);
|
||||
{error, authorization} ->
|
||||
{error, {authorization, {host, DomainName}}}
|
||||
end.
|
||||
|
||||
%% TODO:
|
||||
%% Find a way to ask the user if he accepts the TOS
|
||||
create_new_account(CAUrl, Contact, PrivateKey) ->
|
||||
try
|
||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
||||
Req0 = [{ <<"contact">>, [Contact]}],
|
||||
{ok, {TOS, Account}, Nonce1} = new_account(Dirs, PrivateKey, Req0, Nonce0),
|
||||
{<<"id">>, AccIdInt} = lists:keyfind(<<"id">>, 1, Account),
|
||||
AccId = integer_to_list(AccIdInt),
|
||||
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
||||
{ok, Account2, _Nonce2} = update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce1),
|
||||
{ok, AccId}
|
||||
catch
|
||||
E:R ->
|
||||
{error,create_new_account}
|
||||
end.
|
||||
|
||||
|
||||
create_new_authorization(CAUrl, DomainName, PrivateKey, HttpDir) ->
|
||||
try
|
||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
||||
Req0 = [{<<"identifier">>,
|
||||
{[{<<"type">>, <<"dns">>},
|
||||
{<<"value">>, DomainName}]}},
|
||||
{<<"existing">>, <<"accept">>}],
|
||||
{ok, {AuthzUrl, Authz}, Nonce1} = new_authz(Dirs, PrivateKey, Req0, Nonce0),
|
||||
{ok, AuthzId} = location_to_id(AuthzUrl),
|
||||
|
||||
Challenges = get_challenges(Authz),
|
||||
{ok, ChallengeUrl, KeyAuthz} =
|
||||
acme_challenge:solve_challenge(<<"http-01">>, Challenges, {PrivateKey, HttpDir}),
|
||||
{ok, ChallengeId} = location_to_id(ChallengeUrl),
|
||||
Req3 = [{<<"type">>, <<"http-01">>},{<<"keyAuthorization">>, KeyAuthz}],
|
||||
{ok, SolvedChallenge, Nonce2} =
|
||||
complete_challenge({CAUrl, AuthzId, ChallengeId}, PrivateKey, Req3, Nonce1),
|
||||
|
||||
{ok, AuthzValid, _Nonce} = get_authz_until_valid({CAUrl, AuthzId}),
|
||||
{ok, AuthzValid}
|
||||
catch
|
||||
E:R ->
|
||||
?ERROR_MSG("Error: ~p getting an authorization for domain: ~p~n",
|
||||
[{E,R}, DomainName]),
|
||||
{error, authorization}
|
||||
end.
|
||||
|
||||
create_new_certificate(CAUrl, DomainName, PrivateKey) ->
|
||||
try
|
||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
||||
CSRSubject = [{commonName, bitstring_to_list(DomainName)}],
|
||||
{CSR, CSRKey} = make_csr(CSRSubject),
|
||||
{NotBefore, NotAfter} = not_before_not_after(),
|
||||
Req =
|
||||
[{<<"csr">>, CSR},
|
||||
{<<"notBefore">>, NotBefore},
|
||||
{<<"NotAfter">>, NotAfter}
|
||||
],
|
||||
{ok, {CertUrl, Certificate}, Nonce1} = new_cert(Dirs, PrivateKey, Req, Nonce0),
|
||||
|
||||
{ok, CertId} = location_to_id(CertUrl),
|
||||
|
||||
DecodedCert = public_key:pkix_decode_cert(list_to_binary(Certificate), plain),
|
||||
PemEntryCert = public_key:pem_entry_encode('Certificate', DecodedCert),
|
||||
|
||||
{_, CSRKeyKey} = jose_jwk:to_key(CSRKey),
|
||||
PemEntryKey = public_key:pem_entry_encode('ECPrivateKey', CSRKeyKey),
|
||||
|
||||
PemCertKey = public_key:pem_encode([PemEntryKey, PemEntryCert]),
|
||||
|
||||
{ok, PemCertKey}
|
||||
catch
|
||||
E:R ->
|
||||
?ERROR_MSG("Error: ~p getting an authorization for domain: ~p~n",
|
||||
[{E,R}, DomainName]),
|
||||
{error, certificate}
|
||||
end.
|
||||
not_before_not_after() ->
|
||||
%% TODO: Make notBefore and notAfter like they do it in other clients
|
||||
{MegS, Sec, MicS} = erlang:timestamp(),
|
||||
NotBefore = xmpp_util:encode_timestamp({MegS-1, Sec, MicS}),
|
||||
NotAfter = xmpp_util:encode_timestamp({MegS+1, Sec, MicS}),
|
||||
{NotBefore, NotAfter}.
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
@ -539,21 +788,18 @@ failed_http_request({error, Reason}, Url) ->
|
||||
|
||||
%% A typical acme workflow
|
||||
scenario(CAUrl, AccId, PrivateKey) ->
|
||||
DirURL = CAUrl ++ "/directory",
|
||||
{ok, Dirs, Nonce0} = directory(DirURL),
|
||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
||||
|
||||
AccURL = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||
{ok, {_TOS, Account}, Nonce1} = get_account(AccURL, PrivateKey, Nonce0),
|
||||
{ok, {_TOS, Account}, Nonce1} = get_account({CAUrl, AccId}, PrivateKey, Nonce0),
|
||||
?INFO_MSG("Account: ~p~n", [Account]),
|
||||
|
||||
#{"new-authz" := NewAuthz} = Dirs,
|
||||
Req =
|
||||
[{<<"identifier">>,
|
||||
{[{<<"type">>, <<"dns">>},
|
||||
{<<"value">>, <<"my-acme-test-ejabberd.com">>}]}},
|
||||
{<<"existing">>, <<"accept">>}
|
||||
],
|
||||
{ok, Authz, Nonce2} = new_authz(NewAuthz, PrivateKey, Req, Nonce1),
|
||||
{ok, Authz, Nonce2} = new_authz(Dirs, PrivateKey, Req, Nonce1),
|
||||
|
||||
{Account, Authz, PrivateKey}.
|
||||
|
||||
@ -561,21 +807,19 @@ scenario(CAUrl, AccId, PrivateKey) ->
|
||||
new_user_scenario(CAUrl, HttpDir) ->
|
||||
PrivateKey = generate_key(),
|
||||
|
||||
DirURL = CAUrl ++ "/directory",
|
||||
{ok, Dirs, Nonce0} = directory(DirURL),
|
||||
{ok, Dirs, Nonce0} = directory(CAUrl),
|
||||
%% ?INFO_MSG("Directories: ~p", [Dirs]),
|
||||
|
||||
#{"new-reg" := NewAccURL} = Dirs,
|
||||
Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}],
|
||||
{ok, {TOS, Account}, Nonce1} = new_account(NewAccURL, PrivateKey, Req0, Nonce0),
|
||||
{ok, {TOS, Account}, Nonce1} = new_account(Dirs, PrivateKey, Req0, Nonce0),
|
||||
|
||||
{_, AccId} = proplists:lookup(<<"id">>, Account),
|
||||
AccURL = CAUrl ++ "/acme/reg/" ++ integer_to_list(AccId),
|
||||
{ok, {_TOS, Account1}, Nonce2} = get_account(AccURL, PrivateKey, Nonce1),
|
||||
{_, AccIdInt} = proplists:lookup(<<"id">>, Account),
|
||||
AccId = integer_to_list(AccIdInt),
|
||||
{ok, {_TOS, Account1}, Nonce2} = get_account({CAUrl, AccId}, PrivateKey, Nonce1),
|
||||
%% ?INFO_MSG("Old account: ~p~n", [Account1]),
|
||||
|
||||
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
||||
{ok, Account2, Nonce3} = update_account(AccURL, PrivateKey, Req1, Nonce2),
|
||||
{ok, Account2, Nonce3} = update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2),
|
||||
|
||||
%% NewKey = generate_key(),
|
||||
%% KeyChangeUrl = CAUrl ++ "/acme/key-change/",
|
||||
@ -586,8 +830,7 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||
%% ?INFO_MSG("New account:~p~n", [Account4]),
|
||||
%% {Account4, PrivateKey}.
|
||||
|
||||
AccIdBin = list_to_bitstring(integer_to_list(AccId)),
|
||||
#{"new-authz" := NewAuthz} = Dirs,
|
||||
AccIdBin = list_to_bitstring(integer_to_list(AccIdInt)),
|
||||
DomainName = << <<"my-acme-test-ejabberd">>/binary, AccIdBin/binary, <<".com">>/binary >>,
|
||||
Req2 =
|
||||
[{<<"identifier">>,
|
||||
@ -595,26 +838,29 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||
{<<"value">>, DomainName}]}},
|
||||
{<<"existing">>, <<"accept">>}
|
||||
],
|
||||
{ok, {AuthzUrl, Authz}, Nonce4} = new_authz(NewAuthz, PrivateKey, Req2, Nonce3),
|
||||
{ok, {AuthzUrl, Authz}, Nonce4} = new_authz(Dirs, PrivateKey, Req2, Nonce3),
|
||||
|
||||
{ok, Authz2, Nonce5} = get_authz(AuthzUrl),
|
||||
{ok, AuthzId} = location_to_id(AuthzUrl),
|
||||
{ok, Authz2, Nonce5} = get_authz({CAUrl, AuthzId}),
|
||||
?INFO_MSG("AuthzUrl: ~p~n", [AuthzUrl]),
|
||||
|
||||
Challenges = get_challenges(Authz2),
|
||||
%% ?INFO_MSG("Challenges: ~p~n", [Challenges]),
|
||||
?INFO_MSG("Challenges: ~p~n", [Challenges]),
|
||||
|
||||
{ok, ChallengeUrl, KeyAuthz} =
|
||||
acme_challenge:solve_challenge(<<"http-01">>, Challenges, {PrivateKey, HttpDir}),
|
||||
?INFO_MSG("File for http-01 challenge written correctly", []),
|
||||
|
||||
{ok, ChallengeId} = location_to_id(ChallengeUrl),
|
||||
Req3 =
|
||||
[ {<<"type">>, <<"http-01">>}
|
||||
, {<<"keyAuthorization">>, KeyAuthz}
|
||||
],
|
||||
{ok, SolvedChallenge, Nonce6} = complete_challenge(ChallengeUrl, PrivateKey, Req3, Nonce5),
|
||||
{ok, SolvedChallenge, Nonce6} = complete_challenge({CAUrl, AuthzId, ChallengeId}, PrivateKey, Req3, Nonce5),
|
||||
%% ?INFO_MSG("SolvedChallenge: ~p~n", [SolvedChallenge]),
|
||||
|
||||
%% timer:sleep(2000),
|
||||
{ok, Authz3, Nonce7} = get_authz_until_valid(AuthzUrl),
|
||||
{ok, Authz3, Nonce7} = get_authz_until_valid({CAUrl, AuthzId}),
|
||||
|
||||
#{"new-cert" := NewCert} = Dirs,
|
||||
CSRSubject = [{commonName, bitstring_to_list(DomainName)},
|
||||
@ -628,10 +874,11 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||
{<<"notBefore">>, NotBefore},
|
||||
{<<"NotAfter">>, NotAfter}
|
||||
],
|
||||
{ok, {CertUrl, Certificate}, Nonce8} = new_cert(NewCert, PrivateKey, Req4, Nonce7),
|
||||
{ok, {CertUrl, Certificate}, Nonce8} = new_cert(Dirs, PrivateKey, Req4, Nonce7),
|
||||
?INFO_MSG("CertUrl: ~p~n", [CertUrl]),
|
||||
|
||||
|
||||
{ok, Certificate2, Nonce9} = get_cert(CertUrl),
|
||||
{ok, CertId} = location_to_id(CertUrl),
|
||||
{ok, Certificate2, Nonce9} = get_cert({CAUrl, CertId}),
|
||||
|
||||
DecodedCert = public_key:pkix_decode_cert(list_to_binary(Certificate2), plain),
|
||||
%% ?INFO_MSG("DecodedCert: ~p~n", [DecodedCert]),
|
||||
@ -649,9 +896,8 @@ new_user_scenario(CAUrl, HttpDir) ->
|
||||
ok = file:write_file(HttpDir ++ "/my_server.pem", PemCert),
|
||||
|
||||
Base64Cert = base64url:encode(Certificate2),
|
||||
#{"revoke-cert" := RevokeCert} = Dirs,
|
||||
Req5 = [{<<"certificate">>, Base64Cert}],
|
||||
{ok, [], Nonce10} = revoke_cert(RevokeCert, PrivateKey, Req5, Nonce9),
|
||||
{ok, [], Nonce10} = revoke_cert(Dirs, PrivateKey, Req5, Nonce9),
|
||||
|
||||
{ok, Certificate3, Nonce11} = get_cert(CertUrl),
|
||||
|
||||
@ -675,28 +921,26 @@ delete_account_scenario(CAUrl) ->
|
||||
{ok, Dirs, Nonce0} = directory(DirURL),
|
||||
%% ?INFO_MSG("Directories: ~p", [Dirs]),
|
||||
|
||||
#{"new-reg" := NewAccURL} = Dirs,
|
||||
Req0 = [{ <<"contact">>, [<<"mailto:cert-example-admin@example2.com">>]}],
|
||||
{ok, {TOS, Account}, Nonce1} = new_account(NewAccURL, PrivateKey, Req0, Nonce0),
|
||||
{ok, {TOS, Account}, Nonce1} = new_account(Dirs, PrivateKey, Req0, Nonce0),
|
||||
|
||||
{_, AccId} = proplists:lookup(<<"id">>, Account),
|
||||
AccURL = CAUrl ++ "/acme/reg/" ++ integer_to_list(AccId),
|
||||
{ok, {_TOS, Account1}, Nonce2} = get_account(AccURL, PrivateKey, Nonce1),
|
||||
{_, AccIdInt} = proplists:lookup(<<"id">>, Account),
|
||||
AccId = integer_to_list(AccIdInt),
|
||||
{ok, {_TOS, Account1}, Nonce2} = get_account({CAUrl, AccId}, PrivateKey, Nonce1),
|
||||
%% ?INFO_MSG("Old account: ~p~n", [Account1]),
|
||||
|
||||
Req1 = [{ <<"agreement">>, list_to_bitstring(TOS)}],
|
||||
{ok, Account2, Nonce3} = update_account(AccURL, PrivateKey, Req1, Nonce2),
|
||||
{ok, Account2, Nonce3} = update_account({CAUrl, AccId}, PrivateKey, Req1, Nonce2),
|
||||
|
||||
%% Delete account
|
||||
{ok, Account3, Nonce4} = delete_account(AccURL, PrivateKey, Nonce3),
|
||||
{ok, Account3, Nonce4} = delete_account({CAUrl, AccId}, PrivateKey, Nonce3),
|
||||
|
||||
timer:sleep(3000),
|
||||
|
||||
{ok, {_TOS, Account4}, Nonce5} = get_account(AccURL, PrivateKey, Nonce4),
|
||||
{ok, {_TOS, Account4}, Nonce5} = get_account({CAUrl, AccId}, PrivateKey, Nonce4),
|
||||
?INFO_MSG("New account: ~p~n", [Account4]),
|
||||
|
||||
AccIdBin = list_to_bitstring(integer_to_list(AccId)),
|
||||
#{"new-authz" := NewAuthz} = Dirs,
|
||||
AccIdBin = list_to_bitstring(integer_to_list(AccIdInt)),
|
||||
DomainName = << <<"my-acme-test-ejabberd">>/binary, AccIdBin/binary, <<".com">>/binary >>,
|
||||
Req2 =
|
||||
[{<<"identifier">>,
|
||||
@ -704,7 +948,7 @@ delete_account_scenario(CAUrl) ->
|
||||
{<<"value">>, DomainName}]}},
|
||||
{<<"existing">>, <<"accept">>}
|
||||
],
|
||||
{ok, {AuthzUrl, Authz}, Nonce6} = new_authz(NewAuthz, PrivateKey, Req2, Nonce5),
|
||||
{ok, {AuthzUrl, Authz}, Nonce6} = new_authz(Dirs, PrivateKey, Req2, Nonce5),
|
||||
|
||||
{ok, Account1, Account3, Authz}.
|
||||
|
||||
|
@ -44,6 +44,8 @@
|
||||
registered_users/1,
|
||||
%% Migration jabberd1.4
|
||||
import_file/1, import_dir/1,
|
||||
%% Acme
|
||||
get_certificate/2,
|
||||
%% Purge DB
|
||||
delete_expired_messages/0, delete_old_messages/1,
|
||||
%% Mnesia
|
||||
@ -243,6 +245,14 @@ get_commands_spec() ->
|
||||
args = [{file, string}],
|
||||
result = {res, restuple}},
|
||||
|
||||
#ejabberd_commands{name = get_certificate, tags = [acme],
|
||||
desc = "Gets a certificate for the specified domain",
|
||||
module = ?MODULE, function = get_certificate,
|
||||
args_desc = ["Full path to the http serving directory",
|
||||
"Whether to create a new account or use the existing one"],
|
||||
args = [{dir, string}, {option, string}],
|
||||
result = {certificate, string}},
|
||||
|
||||
#ejabberd_commands{name = import_piefxis, tags = [mnesia],
|
||||
desc = "Import users data from a PIEFXIS file (XEP-0227)",
|
||||
module = ejabberd_piefxis, function = import_file,
|
||||
@ -542,6 +552,18 @@ import_dir(Path) ->
|
||||
{cannot_import_dir, String}
|
||||
end.
|
||||
|
||||
%%%
|
||||
%%% Acme
|
||||
%%%
|
||||
|
||||
get_certificate(HttpDir, UseNewAccount) ->
|
||||
case ejabberd_acme:is_valid_account_opt(UseNewAccount) of
|
||||
true ->
|
||||
ejabberd_acme:get_certificates("http://localhost:4000", HttpDir, UseNewAccount);
|
||||
false ->
|
||||
String = io_lib:format("Invalid account option: ~p", [UseNewAccount]),
|
||||
{invalid_option, String}
|
||||
end.
|
||||
|
||||
%%%
|
||||
%%% Purge DB
|
||||
@ -736,8 +758,8 @@ mnesia_change_nodename(FromString, ToString, Source, Target) ->
|
||||
io:format(" - Node: '~p' will not be modified (it is not '~p')~n", [Node, From]),
|
||||
Node
|
||||
end,
|
||||
Convert =
|
||||
fun
|
||||
Convert =
|
||||
fun
|
||||
({schema, db_nodes, Nodes}, Acc) ->
|
||||
io:format(" +++ db_nodes ~p~n", [Nodes]),
|
||||
{[{schema, db_nodes, lists:map(Switch,Nodes)}], Acc};
|
||||
@ -763,8 +785,8 @@ mnesia_change_nodename(FromString, ToString, Source, Target) ->
|
||||
Res;
|
||||
(Other, Acc) ->
|
||||
{[Other], Acc}
|
||||
end,
|
||||
mnesia:traverse_backup(Source, Target, Convert, switched).
|
||||
end,
|
||||
mnesia:traverse_backup(Source, Target, Convert, switched).
|
||||
|
||||
clear_cache() ->
|
||||
Nodes = ejabberd_cluster:get_nodes(),
|
||||
|
Loading…
Reference in New Issue
Block a user