From 806b7e6a91d1334cd90a6470ef9689f8a753b8a0 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Tue, 7 May 2019 02:08:40 -0600 Subject: [PATCH] cleanup --- index.html | 3 +- lib/browser-acme.js | 699 --------------------- lib/{bluecrypt-encoding.js => encoding.js} | 0 lib/keypairs.js.min2 | 86 --- 4 files changed, 2 insertions(+), 786 deletions(-) delete mode 100644 lib/browser-acme.js rename lib/{bluecrypt-encoding.js => encoding.js} (100%) delete mode 100644 lib/keypairs.js.min2 diff --git a/index.html b/index.html index cc01fa6..0ac62a0 100644 --- a/index.html +++ b/index.html @@ -129,9 +129,10 @@ 
 
+
- + diff --git a/lib/browser-acme.js b/lib/browser-acme.js deleted file mode 100644 index 4fba0fe..0000000 --- a/lib/browser-acme.js +++ /dev/null @@ -1,699 +0,0 @@ -/*global CSR*/ -// CSR takes a while to load after the page load -(function (exports) { -'use strict'; - -var BACME = exports.ACME = {}; -var webFetch = exports.fetch; -var Keypairs = exports.Keypairs; -var Promise = exports.Promise; - -var directoryUrl = 'https://acme-staging-v02.api.letsencrypt.org/directory'; -var directory; - -var nonceUrl; -var nonce; - -var accountKeypair; -var accountJwk; - -var accountUrl; - -BACME.challengePrefixes = { - 'http-01': '/.well-known/acme-challenge' -, 'dns-01': '_acme-challenge' -}; - -BACME._logHeaders = function (resp) { - console.log('Headers:'); - Array.from(resp.headers.entries()).forEach(function (h) { console.log(h[0] + ': ' + h[1]); }); -}; - -BACME._logBody = function (body) { - console.log('Body:'); - console.log(JSON.stringify(body, null, 2)); - console.log(''); -}; - -BACME.directory = function (opts) { - return webFetch(opts.directoryUrl || directoryUrl, { mode: 'cors' }).then(function (resp) { - BACME._logHeaders(resp); - return resp.json().then(function (reply) { - if (/error/.test(reply.type)) { - return Promise.reject(new Error(reply.detail || reply.type)); - } - directory = reply; - nonceUrl = directory.newNonce || 'https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'; - accountUrl = directory.newAccount || 'https://acme-staging-v02.api.letsencrypt.org/acme/new-account'; - orderUrl = directory.newOrder || "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"; - BACME._logBody(reply); - return reply; - }); - }); -}; - -BACME.nonce = function () { - return webFetch(nonceUrl, { mode: 'cors' }).then(function (resp) { - BACME._logHeaders(resp); - nonce = resp.headers.get('replay-nonce'); - console.log('Nonce:', nonce); - // resp.body is empty - return resp.headers.get('replay-nonce'); - }); -}; - -BACME.accounts = {}; - -// type = ECDSA -// bitlength = 256 -BACME.accounts.generateKeypair = function (opts) { - return BACME.generateKeypair(opts).then(function (result) { - accountKeypair = result; - - return webCrypto.subtle.exportKey( - "jwk" - , result.privateKey - ).then(function (privJwk) { - - accountJwk = privJwk; - console.log('private jwk:'); - console.log(JSON.stringify(privJwk, null, 2)); - - return privJwk; - /* - return webCrypto.subtle.exportKey( - "pkcs8" - , result.privateKey - ).then(function (keydata) { - console.log('pkcs8:'); - console.log(Array.from(new Uint8Array(keydata))); - - return privJwk; - //return accountKeypair; - }); - */ - }); - }); -}; - -// json to url-safe base64 -BACME._jsto64 = function (json) { - return btoa(JSON.stringify(json)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, ''); -}; - -var textEncoder = new TextEncoder(); - -BACME._importKey = function (jwk) { - var alg; // I think the 256 refers to the hash - var wcOpts = {}; - var extractable = true; // TODO make optionally false? - var priv = jwk; - var pub; - - // ECDSA - if (/^EC/i.test(jwk.kty)) { - wcOpts.name = 'ECDSA'; - wcOpts.namedCurve = jwk.crv; - alg = 'ES256'; - pub = { - crv: priv.crv - , kty: priv.kty - , x: priv.x - , y: priv.y - }; - if (!priv.d) { - priv = null; - } - } - - // RSA - if (/^RS/i.test(jwk.kty)) { - wcOpts.name = 'RSASSA-PKCS1-v1_5'; - wcOpts.hash = { name: "SHA-256" }; - alg = 'RS256'; - pub = { - e: priv.e - , kty: priv.kty - , n: priv.n - }; - if (!priv.p) { - priv = null; - } - } - - return window.crypto.subtle.importKey( - "jwk" - , pub - , wcOpts - , extractable - , [ "verify" ] - ).then(function (publicKey) { - function give(privateKey) { - return { - wcPub: publicKey - , wcKey: privateKey - , wcKeypair: { publicKey: publicKey, privateKey: privateKey } - , meta: { - alg: alg - , name: wcOpts.name - , hash: wcOpts.hash - } - , jwk: jwk - }; - } - if (!priv) { - return give(); - } - return window.crypto.subtle.importKey( - "jwk" - , priv - , wcOpts - , extractable - , [ "sign"/*, "verify"*/ ] - ).then(give); - }); -}; -BACME._sign = function (opts) { - var wcPrivKey = opts.abstractKey.wcKeypair.privateKey; - var wcOpts = opts.abstractKey.meta; - var alg = opts.abstractKey.meta.alg; // I think the 256 refers to the hash - var signHash; - - console.log('kty', opts.abstractKey.jwk.kty); - signHash = { name: "SHA-" + alg.replace(/[a-z]+/ig, '') }; - - var msg = textEncoder.encode(opts.protected64 + '.' + opts.payload64); - console.log('msg:', msg); - return window.crypto.subtle.sign( - { name: wcOpts.name, hash: signHash } - , wcPrivKey - , msg - ).then(function (signature) { - //console.log('sig1:', signature); - //console.log('sig2:', new Uint8Array(signature)); - //console.log('sig3:', Array.prototype.slice.call(new Uint8Array(signature))); - // convert buffer to urlsafe base64 - var sig64 = btoa(Array.prototype.map.call(new Uint8Array(signature), function (ch) { - return String.fromCharCode(ch); - }).join('')).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, ''); - - console.log('[1] URL-safe Base64 Signature:'); - console.log(sig64); - - var signedMsg = { - protected: opts.protected64 - , payload: opts.payload64 - , signature: sig64 - }; - - console.log('Signed Base64 Msg:'); - console.log(JSON.stringify(signedMsg, null, 2)); - - return signedMsg; - }); -}; -// email = john.doe@gmail.com -// jwk = { ... } -// agree = true -BACME.accounts.sign = function (opts) { - - return BACME._importKey(opts.jwk).then(function (abstractKey) { - - var payloadJson = - { termsOfServiceAgreed: opts.agree - , onlyReturnExisting: false - , contact: opts.contacts || [ 'mailto:' + opts.email ] - }; - console.log('payload:'); - console.log(payloadJson); - var payload64 = BACME._jsto64( - payloadJson - ); - - var protectedJson = - { nonce: opts.nonce - , url: accountUrl - , alg: abstractKey.meta.alg - , jwk: null - }; - - if (/EC/i.test(opts.jwk.kty)) { - protectedJson.jwk = { - crv: opts.jwk.crv - , kty: opts.jwk.kty - , x: opts.jwk.x - , y: opts.jwk.y - }; - } else if (/RS/i.test(opts.jwk.kty)) { - protectedJson.jwk = { - e: opts.jwk.e - , kty: opts.jwk.kty - , n: opts.jwk.n - }; - } else { - return Promise.reject(new Error("[acme.accounts.sign] unsupported key type '" + opts.jwk.kty + "'")); - } - - console.log('protected:'); - console.log(protectedJson); - var protected64 = BACME._jsto64( - protectedJson - ); - - // Note: this function hashes before signing so send data, not the hash - return BACME._sign({ - abstractKey: abstractKey - , payload64: payload64 - , protected64: protected64 - }); - }); -}; - -var accountId; - -BACME.accounts.set = function (opts) { - nonce = null; - return window.fetch(accountUrl, { - mode: 'cors' - , method: 'POST' - , headers: { 'Content-Type': 'application/jose+json' } - , body: JSON.stringify(opts.signedAccount) - }).then(function (resp) { - BACME._logHeaders(resp); - nonce = resp.headers.get('replay-nonce'); - accountId = resp.headers.get('location'); - console.log('Next nonce:', nonce); - console.log('Location/kid:', accountId); - - if (!resp.headers.get('content-type')) { - console.log('Body: '); - - return { kid: accountId }; - } - - return resp.json().then(function (result) { - if (/^Error/i.test(result.detail)) { - return Promise.reject(new Error(result.detail)); - } - result.kid = accountId; - BACME._logBody(result); - - return result; - }); - }); -}; - -var orderUrl; - -BACME.orders = {}; - -// identifiers = [ { type: 'dns', value: 'example.com' }, { type: 'dns', value: '*.example.com' } ] -// signedAccount -BACME.orders.sign = function (opts) { - var payload64 = BACME._jsto64({ identifiers: opts.identifiers }); - - return BACME._importKey(opts.jwk).then(function (abstractKey) { - var protected64 = BACME._jsto64( - { nonce: nonce, alg: abstractKey.meta.alg/*'ES256'*/, url: orderUrl, kid: opts.kid } - ); - console.log('abstractKey:'); - console.log(abstractKey); - return BACME._sign({ - abstractKey: abstractKey - , payload64: payload64 - , protected64: protected64 - }).then(function (sig) { - if (!sig) { - throw new Error('sig is undefined... nonsense!'); - } - console.log('newsig', sig); - return sig; - }); - }); -}; - -var currentOrderUrl; -var authorizationUrls; -var finalizeUrl; - -BACME.orders.create = function (opts) { - nonce = null; - return window.fetch(orderUrl, { - mode: 'cors' - , method: 'POST' - , headers: { 'Content-Type': 'application/jose+json' } - , body: JSON.stringify(opts.signedOrder) - }).then(function (resp) { - BACME._logHeaders(resp); - currentOrderUrl = resp.headers.get('location'); - nonce = resp.headers.get('replay-nonce'); - console.log('Next nonce:', nonce); - - return resp.json().then(function (result) { - if (/^Error/i.test(result.detail)) { - return Promise.reject(new Error(result.detail)); - } - authorizationUrls = result.authorizations; - finalizeUrl = result.finalize; - BACME._logBody(result); - - result.url = currentOrderUrl; - return result; - }); - }); -}; - -BACME.challenges = {}; -BACME.challenges.all = function () { - var challenges = []; - - function next() { - if (!authorizationUrls.length) { - return challenges; - } - - return BACME.challenges.view().then(function (challenge) { - challenges.push(challenge); - return next(); - }); - } - - return next(); -}; -BACME.challenges.view = function () { - var authzUrl = authorizationUrls.pop(); - var token; - var challengeDomain; - var challengeUrl; - - return window.fetch(authzUrl, { - mode: 'cors' - }).then(function (resp) { - BACME._logHeaders(resp); - - return resp.json().then(function (result) { - // Note: select the challenge you wish to use - var challenge = result.challenges.slice(0).pop(); - token = challenge.token; - challengeUrl = challenge.url; - challengeDomain = result.identifier.value; - - BACME._logBody(result); - - return { - challenges: result.challenges - , expires: result.expires - , identifier: result.identifier - , status: result.status - , wildcard: result.wildcard - //, token: challenge.token - //, url: challenge.url - //, domain: result.identifier.value, - }; - }); - }); -}; - -var thumbprint; -var keyAuth; -var httpPath; -var dnsAuth; -var dnsRecord; - -BACME.thumbprint = function (opts) { - // https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk - - var accountJwk = opts.jwk; - var keys; - - if (/^EC/i.test(opts.jwk.kty)) { - keys = [ 'crv', 'kty', 'x', 'y' ]; - } else if (/^RS/i.test(opts.jwk.kty)) { - keys = [ 'e', 'kty', 'n' ]; - } - - var accountPublicStr = '{' + keys.map(function (key) { - return '"' + key + '":"' + accountJwk[key] + '"'; - }).join(',') + '}'; - - return window.crypto.subtle.digest( - { name: "SHA-256" } // SHA-256 is spec'd, non-optional - , textEncoder.encode(accountPublicStr) - ).then(function (hash) { - thumbprint = btoa(Array.prototype.map.call(new Uint8Array(hash), function (ch) { - return String.fromCharCode(ch); - }).join('')).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, ''); - - console.log('Thumbprint:'); - console.log(opts); - console.log(accountPublicStr); - console.log(thumbprint); - - return thumbprint; - }); -}; - -// { token, thumbprint, challengeDomain } -BACME.challenges['http-01'] = function (opts) { - // The contents of the key authorization file - keyAuth = opts.token + '.' + opts.thumbprint; - - // Where the key authorization file goes - httpPath = 'http://' + opts.challengeDomain + '/.well-known/acme-challenge/' + opts.token; - - console.log("echo '" + keyAuth + "' > '" + httpPath + "'"); - - return { - path: httpPath - , value: keyAuth - }; -}; - -// { keyAuth } -BACME.challenges['dns-01'] = function (opts) { - console.log('opts.keyAuth for DNS:'); - console.log(opts.keyAuth); - return window.crypto.subtle.digest( - { name: "SHA-256", } - , textEncoder.encode(opts.keyAuth) - ).then(function (hash) { - dnsAuth = btoa(Array.prototype.map.call(new Uint8Array(hash), function (ch) { - return String.fromCharCode(ch); - }).join('')).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, ''); - - dnsRecord = '_acme-challenge.' + opts.challengeDomain; - - console.log('DNS TXT Auth:'); - // The name of the record - console.log(dnsRecord); - // The TXT record value - console.log(dnsAuth); - - return { - type: 'TXT' - , host: dnsRecord - , answer: dnsAuth - }; - }); -}; - -var challengePollUrl; - -// { jwk, challengeUrl, accountId (kid) } -BACME.challenges.accept = function (opts) { - var payload64 = BACME._jsto64({}); - - return BACME._importKey(opts.jwk).then(function (abstractKey) { - var protected64 = BACME._jsto64( - { nonce: nonce, alg: abstractKey.meta.alg/*'ES256'*/, url: opts.challengeUrl, kid: opts.accountId } - ); - return BACME._sign({ - abstractKey: abstractKey - , payload64: payload64 - , protected64: protected64 - }); - }).then(function (signedAccept) { - - nonce = null; - return window.fetch( - opts.challengeUrl - , { mode: 'cors' - , method: 'POST' - , headers: { 'Content-Type': 'application/jose+json' } - , body: JSON.stringify(signedAccept) - } - ).then(function (resp) { - BACME._logHeaders(resp); - nonce = resp.headers.get('replay-nonce'); - console.log("ACCEPT NONCE:", nonce); - - return resp.json().then(function (reply) { - challengePollUrl = reply.url; - - console.log('Challenge ACK:'); - console.log(JSON.stringify(reply)); - return reply; - }); - }); - }); -}; - -BACME.challenges.check = function (opts) { - return window.fetch(opts.challengePollUrl, { mode: 'cors' }).then(function (resp) { - BACME._logHeaders(resp); - - return resp.json().then(function (reply) { - if (/error/.test(reply.type)) { - return Promise.reject(new Error(reply.detail || reply.type)); - } - challengePollUrl = reply.url; - - BACME._logBody(reply); - - return reply; - }); - }); -}; - -var domainKeypair; -var domainJwk; - -BACME.generateKeypair = function (opts) { - var wcOpts = {}; - - // ECDSA has only the P curves and an associated bitlength - if (/^EC/i.test(opts.type)) { - wcOpts.name = 'ECDSA'; - if (/256/.test(opts.bitlength)) { - wcOpts.namedCurve = 'P-256'; - } - } - - // RSA-PSS is another option, but I don't think it's used for Let's Encrypt - // I think the hash is only necessary for signing, not generation or import - if (/^RS/i.test(opts.type)) { - wcOpts.name = 'RSASSA-PKCS1-v1_5'; - wcOpts.modulusLength = opts.bitlength; - if (opts.bitlength < 2048) { - wcOpts.modulusLength = opts.bitlength * 8; - } - wcOpts.publicExponent = new Uint8Array([0x01, 0x00, 0x01]); - wcOpts.hash = { name: "SHA-256" }; - } - var extractable = true; - return window.crypto.subtle.generateKey( - wcOpts - , extractable - , [ 'sign', 'verify' ] - ); -}; -BACME.domains = {}; -// TODO factor out from BACME.accounts.generateKeypair even more -BACME.domains.generateKeypair = function (opts) { - return BACME.generateKeypair(opts).then(function (result) { - domainKeypair = result; - - return window.crypto.subtle.exportKey( - "jwk" - , result.privateKey - ).then(function (privJwk) { - - domainJwk = privJwk; - console.log('private jwk:'); - console.log(JSON.stringify(privJwk, null, 2)); - - return privJwk; - }); - }); -}; - -// { serverJwk, domains } -BACME.orders.generateCsr = function (opts) { - return BACME._importKey(opts.serverJwk).then(function (abstractKey) { - return Promise.resolve(CSR.generate({ keypair: abstractKey.wcKeypair, domains: opts.domains })); - }); -}; - -var certificateUrl; - -// { csr, jwk, finalizeUrl, accountId } -BACME.orders.finalize = function (opts) { - var payload64 = BACME._jsto64( - { csr: opts.csr } - ); - - return BACME._importKey(opts.jwk).then(function (abstractKey) { - var protected64 = BACME._jsto64( - { nonce: nonce, alg: abstractKey.meta.alg/*'ES256'*/, url: opts.finalizeUrl, kid: opts.accountId } - ); - return BACME._sign({ - abstractKey: abstractKey - , payload64: payload64 - , protected64: protected64 - }); - }).then(function (signedFinal) { - - nonce = null; - return window.fetch( - opts.finalizeUrl - , { mode: 'cors' - , method: 'POST' - , headers: { 'Content-Type': 'application/jose+json' } - , body: JSON.stringify(signedFinal) - } - ).then(function (resp) { - BACME._logHeaders(resp); - nonce = resp.headers.get('replay-nonce'); - - return resp.json().then(function (reply) { - if (/error/.test(reply.type)) { - return Promise.reject(new Error(reply.detail || reply.type)); - } - certificateUrl = reply.certificate; - BACME._logBody(reply); - - return reply; - }); - }); - }); -}; - -BACME.orders.receive = function (opts) { - return window.fetch( - opts.certificateUrl - , { mode: 'cors' - , method: 'GET' - } - ).then(function (resp) { - BACME._logHeaders(resp); - nonce = resp.headers.get('replay-nonce'); - - return resp.text().then(function (reply) { - BACME._logBody(reply); - - return reply; - }); - }); -}; - -BACME.orders.check = function (opts) { - return window.fetch( - opts.orderUrl - , { mode: 'cors' - , method: 'GET' - } - ).then(function (resp) { - BACME._logHeaders(resp); - - return resp.json().then(function (reply) { - if (/error/.test(reply.type)) { - return Promise.reject(new Error(reply.detail || reply.type)); - } - BACME._logBody(reply); - - return reply; - }); - }); -}; - -}(window)); diff --git a/lib/bluecrypt-encoding.js b/lib/encoding.js similarity index 100% rename from lib/bluecrypt-encoding.js rename to lib/encoding.js diff --git a/lib/keypairs.js.min2 b/lib/keypairs.js.min2 deleted file mode 100644 index bf530b8..0000000 --- a/lib/keypairs.js.min2 +++ /dev/null @@ -1,86 +0,0 @@ -/*global Promise*/ -(function (exports) { -'use strict'; - -var Keypairs = exports.Keypairs = {}; - -Keypairs._stance = "We take the stance that if you're knowledgeable enough to" - + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; -Keypairs._universal = "Bluecrypt only supports crypto with standard cross-browser and cross-platform support."; -Keypairs.generate = function (opts) { - var wcOpts = {}; - if (!opts) { - opts = {}; - } - if (!opts.kty) { - opts.kty = 'EC'; - } - - // ECDSA has only the P curves and an associated bitlength - if (/^EC/i.test(opts.kty)) { - wcOpts.name = 'ECDSA'; - if (!opts.namedCurve) { - opts.namedCurve = 'P-256'; - } - wcOpts.namedCurve = opts.namedCurve; // true for supported curves - if (/256/.test(wcOpts.namedCurve)) { - wcOpts.namedCurve = 'P-256'; - wcOpts.hash = { name: "SHA-256" }; - } else if (/384/.test(wcOpts.namedCurve)) { - wcOpts.namedCurve = 'P-384'; - wcOpts.hash = { name: "SHA-384" }; - } else { - return Promise.Reject(new Error("'" + wcOpts.namedCurve + "' is not an NIST approved ECDSA namedCurve. " - + " Please choose either 'P-256' or 'P-384'. " - + Keypairs._stance)); - } - } else if (/^RSA$/i.test(opts.kty)) { - // Support PSS? I don't think it's used for Let's Encrypt - wcOpts.name = 'RSASSA-PKCS1-v1_5'; - if (!opts.modulusLength) { - opts.modulusLength = 2048; - } - wcOpts.modulusLength = opts.modulusLength; - if (wcOpts.modulusLength >= 2048 && wcOpts.modulusLength < 3072) { - // erring on the small side... for no good reason - wcOpts.hash = { name: "SHA-256" }; - } else if (wcOpts.modulusLength >= 3072 && wcOpts.modulusLength < 4096) { - wcOpts.hash = { name: "SHA-384" }; - } else if (wcOpts.modulusLength < 4097) { - wcOpts.hash = { name: "SHA-512" }; - } else { - // Public key thumbprints should be paired with a hash of similar length, - // so anything above SHA-512's keyspace would be left under-represented anyway. - return Promise.Reject(new Error("'" + wcOpts.modulusLength + "' is not within the safe and universally" - + " acceptable range of 2048-4096. Typically you should pick 2048, 3072, or 4096, though other values" - + " divisible by 8 are allowed. " + Keypairs._stance)); - } - // TODO maybe allow this to be set to any of the standard values? - wcOpts.publicExponent = new Uint8Array([0x01, 0x00, 0x01]); - } else { - return Promise.Reject(new Error("'" + opts.kty + "' is not a well-supported key type." - + Keypairs._universal - + " Please choose either 'EC' or 'RSA' keys.")); - } - - var extractable = true; - return window.crypto.subtle.generateKey( - wcOpts - , extractable - , [ 'sign', 'verify' ] - ).then(function (result) { - return window.crypto.subtle.exportKey( - "jwk" - , result.privateKey - ).then(function (privJwk) { - // TODO remove - console.log('private jwk:'); - console.log(JSON.stringify(privJwk, null, 2)); - return { - privateKey: privJwk - }; - }); - }); -}; - -}(window));