408 lines
13 KiB
Erlang
408 lines
13 KiB
Erlang
-module(ejabberd_acme_comm).
|
|
-export([%% Directory
|
|
directory/1,
|
|
%% Account
|
|
new_account/4,
|
|
update_account/4,
|
|
get_account/3,
|
|
delete_account/3,
|
|
%% Authorization
|
|
new_authz/4,
|
|
get_authz/1,
|
|
complete_challenge/4,
|
|
%% Authorization polling
|
|
get_authz_until_valid/1,
|
|
%% Certificate
|
|
new_cert/4,
|
|
get_cert/1,
|
|
revoke_cert/4,
|
|
get_issuer_cert/1
|
|
%% Not yet implemented
|
|
%% key_roll_over/5
|
|
%% delete_authz/3
|
|
]).
|
|
|
|
-include("logger.hrl").
|
|
-include("xmpp.hrl").
|
|
|
|
-include("ejabberd_acme.hrl").
|
|
-include_lib("public_key/include/public_key.hrl").
|
|
|
|
-define(REQUEST_TIMEOUT, 5000). % 5 seconds.
|
|
-define(MAX_POLL_REQUESTS, 20).
|
|
-define(POLL_WAIT_TIME, 500). % 500 ms.
|
|
|
|
%%%
|
|
%%% This module contains functions that implement all necessary http
|
|
%%% requests to the ACME Certificate Authority. Its purpose is to
|
|
%%% facilitate the acme client implementation by separating the
|
|
%%% handling/validating/parsing of all the needed http requests.
|
|
%%%
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Directory
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec directory(url()) -> {ok, dirs(), nonce()} | {error, _}.
|
|
directory(CAUrl) ->
|
|
Url = CAUrl ++ "/directory",
|
|
prepare_get_request(Url, fun get_dirs/1).
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Account Handling
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec new_account(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
|
new_account(Dirs, PrivateKey, Req, Nonce) ->
|
|
#{"new-reg" := Url} = Dirs,
|
|
EJson = {[{ <<"resource">>, <<"new-reg">>}] ++ Req},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
|
|
|
-spec update_account({url(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
|
{ok, proplist(), nonce()} | {error, _}.
|
|
update_account({CAUrl, AccId}, PrivateKey, Req, Nonce) ->
|
|
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
|
EJson = {[{ <<"resource">>, <<"reg">>}] ++ Req},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
|
|
|
-spec get_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
|
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
|
get_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
|
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
|
EJson = {[{<<"resource">>, <<"reg">>}]},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
|
|
|
-spec delete_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
|
{ok, proplist(), nonce()} | {error, _}.
|
|
delete_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
|
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
|
EJson =
|
|
{[{<<"resource">>, <<"reg">>},
|
|
{<<"status">>, <<"deactivated">>}]},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Authorization Handling
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec new_authz(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
|
new_authz(Dirs, PrivateKey, Req, Nonce) ->
|
|
#{"new-authz" := Url} = Dirs,
|
|
EJson = {[{<<"resource">>, <<"new-authz">>}] ++ Req},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1).
|
|
|
|
-spec get_authz({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
|
get_authz({CAUrl, AuthzId}) ->
|
|
Url = CAUrl ++ "/acme/authz/" ++ AuthzId,
|
|
prepare_get_request(Url, fun get_response/1).
|
|
|
|
-spec complete_challenge({url(), string(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
|
{ok, proplist(), nonce()} | {error, _}.
|
|
complete_challenge({CAUrl, AuthzId, ChallId}, PrivateKey, Req, Nonce) ->
|
|
Url = CAUrl ++ "/acme/challenge/" ++ AuthzId ++ "/" ++ ChallId,
|
|
EJson = {[{<<"resource">>, <<"challenge">>}] ++ Req},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Certificate Handling
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec new_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
{ok, {url(), list()}, nonce()} | {error, _}.
|
|
new_cert(Dirs, PrivateKey, Req, Nonce) ->
|
|
#{"new-cert" := Url} = Dirs,
|
|
EJson = {[{<<"resource">>, <<"new-cert">>}] ++ Req},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_link_up/1,
|
|
"application/pkix-cert").
|
|
|
|
-spec get_cert({url(), string()}) -> {ok, list(), nonce()} | {error, _}.
|
|
get_cert({CAUrl, CertId}) ->
|
|
Url = CAUrl ++ "/acme/cert/" ++ CertId,
|
|
prepare_get_request(Url, fun get_response/1, "application/pkix-cert").
|
|
|
|
-spec revoke_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
|
{ok, _, nonce()} | {error, _}.
|
|
revoke_cert(Dirs, PrivateKey, Req, Nonce) ->
|
|
#{"revoke-cert" := Url} = Dirs,
|
|
EJson = {[{<<"resource">>, <<"revoke-cert">>}] ++ Req},
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1,
|
|
"application/pkix-cert").
|
|
|
|
-spec get_issuer_cert(url()) -> {ok, list(), nonce()} | {error, _}.
|
|
get_issuer_cert(IssuerCertUrl) ->
|
|
prepare_get_request(IssuerCertUrl, fun get_response/1, "application/pkix-cert").
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Handle Response Functions
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec get_dirs({ok, proplist(), proplist()}) -> {ok, map(), nonce()}.
|
|
get_dirs({ok, Head, Return}) ->
|
|
NewNonce = get_nonce(Head),
|
|
StrDirectories = [{bitstring_to_list(X), bitstring_to_list(Y)} ||
|
|
{X, Y} <- Return, is_bitstring(X) andalso is_bitstring(Y)],
|
|
NewDirs = maps:from_list(StrDirectories),
|
|
{ok, NewDirs, NewNonce}.
|
|
|
|
-spec get_response({ok, proplist(), proplist()}) -> {ok, proplist(), nonce()}.
|
|
get_response({ok, Head, Return}) ->
|
|
NewNonce = get_nonce(Head),
|
|
{ok, Return, NewNonce}.
|
|
|
|
-spec get_response_tos({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
|
get_response_tos({ok, Head, Return}) ->
|
|
TOSUrl = get_tos(Head),
|
|
NewNonce = get_nonce(Head),
|
|
{ok, {TOSUrl, Return}, NewNonce}.
|
|
|
|
-spec get_response_location({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
|
get_response_location({ok, Head, Return}) ->
|
|
Location = get_location(Head),
|
|
NewNonce = get_nonce(Head),
|
|
{ok, {Location, Return}, NewNonce}.
|
|
|
|
-spec get_response_link_up({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
|
get_response_link_up({ok, Head, Return}) ->
|
|
LinkUp = get_link_up(Head),
|
|
NewNonce = get_nonce(Head),
|
|
{ok, {LinkUp, Return}, NewNonce}.
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Authorization Polling
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec get_authz_until_valid({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
|
get_authz_until_valid({CAUrl, AuthzId}) ->
|
|
get_authz_until_valid({CAUrl, AuthzId}, ?MAX_POLL_REQUESTS).
|
|
|
|
-spec get_authz_until_valid({url(), string()}, non_neg_integer()) ->
|
|
{ok, proplist(), nonce()} | {error, _}.
|
|
get_authz_until_valid({_CAUrl, _AuthzId}, 0) ->
|
|
?ERROR_MSG("Maximum request limit waiting for validation reached", []),
|
|
{error, max_request_limit};
|
|
get_authz_until_valid({CAUrl, AuthzId}, N) ->
|
|
case get_authz({CAUrl, AuthzId}) of
|
|
{ok, Resp, Nonce} ->
|
|
case is_authz_valid(Resp) of
|
|
true ->
|
|
{ok, Resp, Nonce};
|
|
false ->
|
|
timer:sleep(?POLL_WAIT_TIME),
|
|
get_authz_until_valid({CAUrl, AuthzId}, N-1)
|
|
end;
|
|
{error, _} = Err ->
|
|
Err
|
|
end.
|
|
|
|
-spec is_authz_valid(proplist()) -> boolean().
|
|
is_authz_valid(Authz) ->
|
|
case proplists:lookup(<<"status">>, Authz) of
|
|
{<<"status">>, <<"valid">>} ->
|
|
true;
|
|
_ ->
|
|
false
|
|
end.
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Request Functions
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
%% TODO: Fix the duplicated code at the below 4 functions
|
|
-spec make_post_request(url(), bitstring(), string()) ->
|
|
{ok, proplist(), proplist()} | {error, _}.
|
|
make_post_request(Url, ReqBody, ResponseType) ->
|
|
Options = [],
|
|
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
|
case httpc:request(post,
|
|
{Url, [], "application/jose+json", ReqBody}, HttpOptions, Options) of
|
|
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
|
decode_response(Head, Body, ResponseType);
|
|
Error ->
|
|
failed_http_request(Error, Url)
|
|
end.
|
|
|
|
-spec make_get_request(url(), string()) ->
|
|
{ok, proplist(), proplist()} | {error, _}.
|
|
make_get_request(Url, ResponseType) ->
|
|
Options = [],
|
|
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
|
case httpc:request(get, {Url, []}, HttpOptions, Options) of
|
|
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
|
decode_response(Head, Body, ResponseType);
|
|
Error ->
|
|
failed_http_request(Error, Url)
|
|
end.
|
|
|
|
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
|
nonce(), handle_resp_fun()) -> {ok, _, nonce()} | {error, _}.
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun) ->
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, "application/jose+json").
|
|
|
|
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
|
nonce(), handle_resp_fun(), string()) -> {ok, _, nonce()} | {error, _}.
|
|
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, ResponseType) ->
|
|
case encode(EJson) of
|
|
{ok, ReqBody} ->
|
|
FinalBody = sign_encode_json_jose(PrivateKey, ReqBody, Nonce),
|
|
case make_post_request(Url, FinalBody, ResponseType) of
|
|
{ok, Head, Return} ->
|
|
HandleRespFun({ok, Head, Return});
|
|
Error ->
|
|
Error
|
|
end;
|
|
{error, Reason} ->
|
|
?ERROR_MSG("Error: ~p when encoding: ~p", [Reason, EJson]),
|
|
{error, Reason}
|
|
end.
|
|
|
|
-spec prepare_get_request(url(), handle_resp_fun()) ->
|
|
{ok, _, nonce()} | {error, _}.
|
|
prepare_get_request(Url, HandleRespFun) ->
|
|
prepare_get_request(Url, HandleRespFun, "application/jose+json").
|
|
|
|
-spec prepare_get_request(url(), handle_resp_fun(), string()) ->
|
|
{ok, _, nonce()} | {error, _}.
|
|
prepare_get_request(Url, HandleRespFun, ResponseType) ->
|
|
case make_get_request(Url, ResponseType) of
|
|
{ok, Head, Return} ->
|
|
HandleRespFun({ok, Head, Return});
|
|
Error ->
|
|
Error
|
|
end.
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Jose Json Functions
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec sign_json_jose(jose_jwk:key(), bitstring(), nonce()) -> {_, jws()}.
|
|
sign_json_jose(Key, Json, Nonce) ->
|
|
PubKey = ejabberd_acme:to_public(Key),
|
|
{_, BinaryPubKey} = jose_jwk:to_binary(PubKey),
|
|
PubKeyJson = jiffy:decode(BinaryPubKey),
|
|
%% TODO: Ensure this works for all cases
|
|
AlgMap = jose_jwk:signer(Key),
|
|
JwsMap =
|
|
#{ <<"jwk">> => PubKeyJson,
|
|
%% <<"b64">> => true,
|
|
<<"nonce">> => list_to_bitstring(Nonce)
|
|
},
|
|
JwsObj0 = maps:merge(JwsMap, AlgMap),
|
|
JwsObj = jose_jws:from(JwsObj0),
|
|
jose_jws:sign(Key, Json, JwsObj).
|
|
|
|
-spec sign_encode_json_jose(jose_jwk:key(), bitstring(), nonce()) -> bitstring().
|
|
sign_encode_json_jose(Key, Json, Nonce) ->
|
|
{_, Signed} = sign_json_jose(Key, Json, Nonce),
|
|
%% This depends on jose library, so we can consider it safe
|
|
jiffy:encode(Signed).
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Useful funs
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec get_nonce(proplist()) -> nonce() | 'none'.
|
|
get_nonce(Head) ->
|
|
case proplists:lookup("replay-nonce", Head) of
|
|
{"replay-nonce", Nonce} -> Nonce;
|
|
none -> none
|
|
end.
|
|
|
|
-spec get_location(proplist()) -> url() | 'none'.
|
|
get_location(Head) ->
|
|
case proplists:lookup("location", Head) of
|
|
{"location", Location} -> Location;
|
|
none -> none
|
|
end.
|
|
|
|
-spec get_tos(proplist()) -> url() | 'none'.
|
|
get_tos(Head) ->
|
|
get_header_link(Head, "\"terms-of-service\"").
|
|
|
|
-spec get_link_up(proplist()) -> url() | 'none'.
|
|
get_link_up(Head) ->
|
|
get_header_link(Head, "rel=\"up\"").
|
|
|
|
%% TODO: Find a more reliable way to extract this
|
|
-spec get_header_link(proplist(), string()) -> url() | 'none'.
|
|
get_header_link(Head, Suffix) ->
|
|
try
|
|
[{_, Link}] = [{K, V} || {K, V} <- Head,
|
|
K =:= "link" andalso
|
|
lists:suffix(Suffix, V)],
|
|
[Link1, _] = string:tokens(Link, ";"),
|
|
Link2 = string:strip(Link1, left, $<),
|
|
string:strip(Link2, right, $>)
|
|
catch
|
|
_:_ ->
|
|
none
|
|
end.
|
|
|
|
decode_response(Head, Body, "application/pkix-cert") ->
|
|
{ok, Head, Body};
|
|
decode_response(Head, Body, "application/jose+json") ->
|
|
case decode(Body) of
|
|
{ok, Return} ->
|
|
{ok, Head, Return};
|
|
{error, Reason} ->
|
|
?ERROR_MSG("Problem decoding: ~s", [Body]),
|
|
{error, Reason}
|
|
end.
|
|
|
|
encode(EJson) ->
|
|
try
|
|
{ok, jiffy:encode(EJson)}
|
|
catch
|
|
_:Reason ->
|
|
{error, Reason}
|
|
end.
|
|
|
|
decode(Json) ->
|
|
try
|
|
{Result} = jiffy:decode(Json),
|
|
{ok, Result}
|
|
catch
|
|
_:Reason ->
|
|
{error, Reason}
|
|
end.
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%
|
|
%% Handle Failed HTTP Requests
|
|
%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
-spec failed_http_request({ok, _} | {error, _}, url()) -> {error, _}.
|
|
failed_http_request({ok, {{_, Code, Reason}, _Head, Body}}, Url) ->
|
|
?ERROR_MSG("Unexpected status code from <~s>: ~B, Body: ~s",
|
|
[Url, Code, Body]),
|
|
throw({error, {unexpected_code, Code, Reason}});
|
|
failed_http_request({error, Reason}, Url) ->
|
|
?ERROR_MSG("Error making a request to <~s>: ~p",
|
|
[Url, Reason]),
|
|
throw({error, Reason}).
|