From 513fb992c9516c40ce0c6d09dcc5fe699128704f Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Fri, 31 May 2019 21:52:12 -0600 Subject: [PATCH] =?UTF-8?q?make=20Prettier=E2=84=A2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .prettierrc | 4 + README.md | 15 +- app/index.html | 778 ++++-- app/js/bluecrypt-acme.js | 5737 +++++++++++++++++++++----------------- app/js/greenlock.js | 1005 ++++--- app/styles/main.css | 285 +- index.html | 250 +- js/app.js | 55 +- legal.html | 416 ++- styles/main.css | 137 +- 10 files changed, 4876 insertions(+), 3806 deletions(-) create mode 100644 .prettierrc diff --git a/.prettierrc b/.prettierrc new file mode 100644 index 0000000..e5cdb84 --- /dev/null +++ b/.prettierrc @@ -0,0 +1,4 @@ +{ + "trailingComma": "none", + "useTabs": true +} diff --git a/README.md b/README.md index 2dbfa7b..232ef48 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,8 @@ -Greenlock™ in your Browser -========================= +# Greenlock™ in your Browser Taking greenlock™ (Let's Encrypt v2 / ACME client) where it's never been before: Your browser! -Official Site -============= +# Official Site This app is available at . @@ -14,14 +12,12 @@ If it doesn't, please open an issue to let us know why. We'd much rather improve the app than have a hundred different versions running in the wild. However, in keeping to our values we've released the source for others to inspect, improve, and modify. -Trademark Notice -================ +# Trademark Notice Greenlock™ is our trademark. If you do host your own copy of this app, please do provide attribution, but please also use your branding. -Install -======= +# Install ```bash git clone ssh://gitea@git.coolaj86.com:22042/coolaj86/greenlock.html.git @@ -30,8 +26,7 @@ pushd greenlock.html/ popd ``` -Usage -===== +# Usage Simply host from your webserver. diff --git a/app/index.html b/app/index.html index 4d657f1..133f964 100644 --- a/app/index.html +++ b/app/index.html @@ -1,262 +1,403 @@ + - - Greenlock™ - - + + Greenlock™ + + - - - + + + - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
+ + + + + + + + + + + + + + + + + + + + +
+
+
+
+
+ + + +
+
Details
+
+
+
+ + + +
+
Verify domain
+
+
+
+ + + +
+
+
Install certificates
+
+
+ -
-
-
Greenlock
-
-
-
-

-

Certificates are valid for 90 days. Renewal is free :)

- -
- +
+
+ +
+
Greenlock
+
+
+ +

+

Certificates are valid for 90 days. Renewal is free :)

+ +
+ -
-
-
- - -
- - +
+
+
+ + +
+ + - - + + + - -
+ + +

Let's verify your domain

+
+
+ + +
+
+
+

Upload each file

+
+
+
+
+
FILENAME
+
...loading
+
+
+
+
CONTENTS
+
...loading
+
+
+ + + + + Download + +
+
+
+
LOCATION
+
..loading
+
+
+
+
+
+
+

Set each DNS Record

+
+
TXT Host
+
loading...
+
TXT Value
+
loading...
+
+
+

+ Warning: You should wait at least 30 seconds + after setting DNS records before continuing. +

+

+ Google DNS Users: You may need to wait up to + 5 minutes. +

+
+
-

Let's verify your domain

-
-
- - -
-
-
-

Upload each file

-
-
-
-
-
FILENAME
-
...loading
-
-
-
-
CONTENTS
-
...loading
-
-
- - - - - Download - -
-
-
-
LOCATION
-
..loading
-
-
-
-
-
-
-

Set each DNS Record

-
-
TXT Host
-
loading...
-
TXT Value
-
loading...
-
-
-

Warning: - You should wait at least 30 seconds after setting DNS records before continuing.

-

Google DNS Users: - You may need to wait up to 5 minutes.

-
-
+
+
+

Set each DNS Record (for wildcards)

+
+
TXT Host
+
loading...
+
TXT Value
+
loading...
+
+
+

+ Warning: You should wait at least 30 seconds + after setting DNS records before continuing. +

+

+ Google DNS: You may need to wait up to 5 + minutes. +

+
+
+
-
-
-

Set each DNS Record (for wildcards)

-
-
TXT Host
-
loading...
-
TXT Value
-
loading...
-
-
-

Warning: - You should wait at least 30 seconds after setting DNS records before continuing.

-

Google DNS: - You may need to wait up to 5 minutes.

-
-
-
+ +
- - + +
+ Verifying Domains... (give us 5 seconds or so...) + - - - Verifying Domains... (give us 5 seconds or so...) - - - -
+ - -
-
-

-
-
-
-              
-
-
- - - - - Download - -
-

-
-
-
-              
-
-
- - - - - Download - -
-
-

node.js https server example

-
    'use strict';
+				
+				
+					
+

+
+
+

+						
+
+ + + + + Download + +
+

+
+
+

+						
+
+ + + + + Download + +
+
+

node.js https server example

+
    'use strict';
 
     var https = require('https');
     var server = https.createServer({
@@ -325,9 +482,9 @@
       console.log('Listening on', this.address());
     })
             
-
+
- - -
+ -->
+ -
-
- A Root Project - | View Source (git) - | Terms of Service - | Privacy Policy -
- -
-
+ +
+
+ + - - + + + - -
-
- + gtag("config", "UA-118745161-2"); + +
+ + diff --git a/app/js/bluecrypt-acme.js b/app/js/bluecrypt-acme.js index 0744c8e..3e8dd30 100644 --- a/app/js/bluecrypt-acme.js +++ b/app/js/bluecrypt-acme.js @@ -2,1814 +2,2186 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -;(function (exports) { +(function(exports) { + var Enc = (exports.Enc = {}); -var Enc = exports.Enc = {}; + Enc.bufToBin = function(buf) { + var bin = ""; + // cannot use .map() because Uint8Array would return only 0s + buf.forEach(function(ch) { + bin += String.fromCharCode(ch); + }); + return bin; + }; -Enc.bufToBin = function (buf) { - var bin = ''; - // cannot use .map() because Uint8Array would return only 0s - buf.forEach(function (ch) { - bin += String.fromCharCode(ch); - }); - return bin; -}; + Enc.bufToHex = function toHex(u8) { + var hex = []; + var i, h; + var len = u8.byteLength || u8.length; -Enc.bufToHex = function toHex(u8) { - var hex = []; - var i, h; - var len = (u8.byteLength || u8.length); + for (i = 0; i < len; i += 1) { + h = u8[i].toString(16); + if (h.length % 2) { + h = "0" + h; + } + hex.push(h); + } - for (i = 0; i < len; i += 1) { - h = u8[i].toString(16); - if (h.length % 2) { h = '0' + h; } - hex.push(h); - } + return hex.join("").toLowerCase(); + }; - return hex.join('').toLowerCase(); -}; + Enc.urlBase64ToBase64 = function urlsafeBase64ToBase64(str) { + var r = str % 4; + if (2 === r) { + str += "=="; + } else if (3 === r) { + str += "="; + } + return str.replace(/-/g, "+").replace(/_/g, "/"); + }; -Enc.urlBase64ToBase64 = function urlsafeBase64ToBase64(str) { - var r = str % 4; - if (2 === r) { - str += '=='; - } else if (3 === r) { - str += '='; - } - return str.replace(/-/g, '+').replace(/_/g, '/'); -}; + Enc.base64ToBuf = function(b64) { + return Enc.binToBuf(atob(b64)); + }; + Enc.binToBuf = function(bin) { + var arr = bin.split("").map(function(ch) { + return ch.charCodeAt(0); + }); + return "undefined" !== typeof Uint8Array ? new Uint8Array(arr) : arr; + }; + Enc.bufToHex = function(u8) { + var hex = []; + var i, h; + var len = u8.byteLength || u8.length; -Enc.base64ToBuf = function (b64) { - return Enc.binToBuf(atob(b64)); -}; -Enc.binToBuf = function (bin) { - var arr = bin.split('').map(function (ch) { - return ch.charCodeAt(0); - }); - return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; -}; -Enc.bufToHex = function (u8) { - var hex = []; - var i, h; - var len = (u8.byteLength || u8.length); + for (i = 0; i < len; i += 1) { + h = u8[i].toString(16); + if (h.length % 2) { + h = "0" + h; + } + hex.push(h); + } - for (i = 0; i < len; i += 1) { - h = u8[i].toString(16); - if (h.length % 2) { h = '0' + h; } - hex.push(h); - } + return hex.join("").toLowerCase(); + }; + Enc.numToHex = function(d) { + d = d.toString(16); + if (d.length % 2) { + return "0" + d; + } + return d; + }; - return hex.join('').toLowerCase(); -}; -Enc.numToHex = function (d) { - d = d.toString(16); - if (d.length % 2) { - return '0' + d; - } - return d; -}; + Enc.bufToUrlBase64 = function(u8) { + return Enc.base64ToUrlBase64(Enc.bufToBase64(u8)); + }; -Enc.bufToUrlBase64 = function (u8) { - return Enc.base64ToUrlBase64(Enc.bufToBase64(u8)); -}; + Enc.base64ToUrlBase64 = function(str) { + return str + .replace(/\+/g, "-") + .replace(/\//g, "_") + .replace(/=/g, ""); + }; -Enc.base64ToUrlBase64 = function (str) { - return str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); -}; + Enc.bufToBase64 = function(u8) { + var bin = ""; + u8.forEach(function(i) { + bin += String.fromCharCode(i); + }); + return btoa(bin); + }; -Enc.bufToBase64 = function (u8) { - var bin = ''; - u8.forEach(function (i) { - bin += String.fromCharCode(i); - }); - return btoa(bin); -}; + Enc.hexToBuf = function(hex) { + var arr = []; + hex.match(/.{2}/g).forEach(function(h) { + arr.push(parseInt(h, 16)); + }); + return "undefined" !== typeof Uint8Array ? new Uint8Array(arr) : arr; + }; -Enc.hexToBuf = function (hex) { - var arr = []; - hex.match(/.{2}/g).forEach(function (h) { - arr.push(parseInt(h, 16)); - }); - return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; -}; + Enc.numToHex = function(d) { + d = d.toString(16); + if (d.length % 2) { + return "0" + d; + } + return d; + }; -Enc.numToHex = function (d) { - d = d.toString(16); - if (d.length % 2) { - return '0' + d; - } - return d; -}; + // + // JWK to SSH (tested working) + // + Enc.base64ToHex = function(b64) { + var bin = atob(Enc.urlBase64ToBase64(b64)); + return Enc.binToHex(bin); + }; + Enc.binToHex = function(bin) { + return bin + .split("") + .map(function(ch) { + var h = ch.charCodeAt(0).toString(16); + if (h.length % 2) { + h = "0" + h; + } + return h; + }) + .join(""); + }; + // TODO are there any nuance differences here? + Enc.utf8ToHex = Enc.binToHex; -// -// JWK to SSH (tested working) -// -Enc.base64ToHex = function (b64) { - var bin = atob(Enc.urlBase64ToBase64(b64)); - return Enc.binToHex(bin); -}; + Enc.hexToBase64 = function(hex) { + return btoa(Enc.hexToBin(hex)); + }; -Enc.binToHex = function (bin) { - return bin.split('').map(function (ch) { - var h = ch.charCodeAt(0).toString(16); - if (h.length % 2) { h = '0' + h; } - return h; - }).join(''); -}; -// TODO are there any nuance differences here? -Enc.utf8ToHex = Enc.binToHex; + Enc.hexToBin = function(hex) { + return hex + .match(/.{2}/g) + .map(function(h) { + return String.fromCharCode(parseInt(h, 16)); + }) + .join(""); + }; -Enc.hexToBase64 = function (hex) { - return btoa(Enc.hexToBin(hex)); -}; + Enc.urlBase64ToBase64 = function urlsafeBase64ToBase64(str) { + var r = str % 4; + if (2 === r) { + str += "=="; + } else if (3 === r) { + str += "="; + } + return str.replace(/-/g, "+").replace(/_/g, "/"); + }; +})("undefined" !== typeof exports ? module.exports : window); +(function(exports) { + "use strict"; -Enc.hexToBin = function (hex) { - return hex.match(/.{2}/g).map(function (h) { - return String.fromCharCode(parseInt(h, 16)); - }).join(''); -}; + if (!exports.ASN1) { + exports.ASN1 = {}; + } + if (!exports.Enc) { + exports.Enc = {}; + } + if (!exports.PEM) { + exports.PEM = {}; + } -Enc.urlBase64ToBase64 = function urlsafeBase64ToBase64(str) { - var r = str % 4; - if (2 === r) { - str += '=='; - } else if (3 === r) { - str += '='; - } - return str.replace(/-/g, '+').replace(/_/g, '/'); -}; + var ASN1 = exports.ASN1; + var Enc = exports.Enc; + var PEM = exports.PEM; + // + // Packer + // -}('undefined' !== typeof exports ? module.exports : window )); -;(function (exports) { -'use strict'; + // Almost every ASN.1 type that's important for CSR + // can be represented generically with only a few rules. + exports.ASN1 = function ASN1(/*type, hexstrings...*/) { + var args = Array.prototype.slice.call(arguments); + var typ = args.shift(); + var str = args + .join("") + .replace(/\s+/g, "") + .toLowerCase(); + var len = str.length / 2; + var lenlen = 0; + var hex = typ; -if (!exports.ASN1) { exports.ASN1 = {}; } -if (!exports.Enc) { exports.Enc = {}; } -if (!exports.PEM) { exports.PEM = {}; } + // We can't have an odd number of hex chars + if (len !== Math.round(len)) { + throw new Error("invalid hex"); + } -var ASN1 = exports.ASN1; -var Enc = exports.Enc; -var PEM = exports.PEM; + // The first byte of any ASN.1 sequence is the type (Sequence, Integer, etc) + // The second byte is either the size of the value, or the size of its size -// -// Packer -// + // 1. If the second byte is < 0x80 (128) it is considered the size + // 2. If it is > 0x80 then it describes the number of bytes of the size + // ex: 0x82 means the next 2 bytes describe the size of the value + // 3. The special case of exactly 0x80 is "indefinite" length (to end-of-file) -// Almost every ASN.1 type that's important for CSR -// can be represented generically with only a few rules. -exports.ASN1 = function ASN1(/*type, hexstrings...*/) { - var args = Array.prototype.slice.call(arguments); - var typ = args.shift(); - var str = args.join('').replace(/\s+/g, '').toLowerCase(); - var len = (str.length/2); - var lenlen = 0; - var hex = typ; + if (len > 127) { + lenlen += 1; + while (len > 255) { + lenlen += 1; + len = len >> 8; + } + } - // We can't have an odd number of hex chars - if (len !== Math.round(len)) { - throw new Error("invalid hex"); - } + if (lenlen) { + hex += Enc.numToHex(0x80 + lenlen); + } + return hex + Enc.numToHex(str.length / 2) + str; + }; - // The first byte of any ASN.1 sequence is the type (Sequence, Integer, etc) - // The second byte is either the size of the value, or the size of its size + // The Integer type has some special rules + ASN1.UInt = function UINT() { + var str = Array.prototype.slice.call(arguments).join(""); + var first = parseInt(str.slice(0, 2), 16); - // 1. If the second byte is < 0x80 (128) it is considered the size - // 2. If it is > 0x80 then it describes the number of bytes of the size - // ex: 0x82 means the next 2 bytes describe the size of the value - // 3. The special case of exactly 0x80 is "indefinite" length (to end-of-file) + // If the first byte is 0x80 or greater, the number is considered negative + // Therefore we add a '00' prefix if the 0x80 bit is set + if (0x80 & first) { + str = "00" + str; + } - if (len > 127) { - lenlen += 1; - while (len > 255) { - lenlen += 1; - len = len >> 8; - } - } + return ASN1("02", str); + }; - if (lenlen) { hex += Enc.numToHex(0x80 + lenlen); } - return hex + Enc.numToHex(str.length/2) + str; -}; + // The Bit String type also has a special rule + ASN1.BitStr = function BITSTR() { + var str = Array.prototype.slice.call(arguments).join(""); + // '00' is a mask of how many bits of the next byte to ignore + return ASN1("03", "00" + str); + }; -// The Integer type has some special rules -ASN1.UInt = function UINT() { - var str = Array.prototype.slice.call(arguments).join(''); - var first = parseInt(str.slice(0, 2), 16); + ASN1.pack = function(arr) { + var typ = Enc.numToHex(arr[0]); + var str = ""; + if (Array.isArray(arr[1])) { + arr[1].forEach(function(a) { + str += ASN1.pack(a); + }); + } else if ("string" === typeof arr[1]) { + str = arr[1]; + } else { + throw new Error("unexpected array"); + } + if ("03" === typ) { + return ASN1.BitStr(str); + } else if ("02" === typ) { + return ASN1.UInt(str); + } else { + return ASN1(typ, str); + } + }; + Object.keys(ASN1).forEach(function(k) { + exports.ASN1[k] = ASN1[k]; + }); + ASN1 = exports.ASN1; - // If the first byte is 0x80 or greater, the number is considered negative - // Therefore we add a '00' prefix if the 0x80 bit is set - if (0x80 & first) { str = '00' + str; } + PEM.packBlock = function(opts) { + // TODO allow for headers? + return ( + "-----BEGIN " + + opts.type + + "-----\n" + + Enc.bufToBase64(opts.bytes) + .match(/.{1,64}/g) + .join("\n") + + "\n" + + "-----END " + + opts.type + + "-----" + ); + }; - return ASN1('02', str); -}; + Enc.bufToBase64 = function(u8) { + var bin = ""; + u8.forEach(function(i) { + bin += String.fromCharCode(i); + }); + return btoa(bin); + }; -// The Bit String type also has a special rule -ASN1.BitStr = function BITSTR() { - var str = Array.prototype.slice.call(arguments).join(''); - // '00' is a mask of how many bits of the next byte to ignore - return ASN1('03', '00' + str); -}; + Enc.hexToBuf = function(hex) { + var arr = []; + hex.match(/.{2}/g).forEach(function(h) { + arr.push(parseInt(h, 16)); + }); + return "undefined" !== typeof Uint8Array ? new Uint8Array(arr) : arr; + }; -ASN1.pack = function (arr) { - var typ = Enc.numToHex(arr[0]); - var str = ''; - if (Array.isArray(arr[1])) { - arr[1].forEach(function (a) { - str += ASN1.pack(a); - }); - } else if ('string' === typeof arr[1]) { - str = arr[1]; - } else { - throw new Error("unexpected array"); - } - if ('03' === typ) { - return ASN1.BitStr(str); - } else if ('02' === typ) { - return ASN1.UInt(str); - } else { - return ASN1(typ, str); - } -}; -Object.keys(ASN1).forEach(function (k) { - exports.ASN1[k] = ASN1[k]; -}); -ASN1 = exports.ASN1; + Enc.numToHex = function(d) { + d = d.toString(16); + if (d.length % 2) { + return "0" + d; + } + return d; + }; +})("undefined" !== typeof window ? window : module.exports); +(function(exports) { + "use strict"; -PEM.packBlock = function (opts) { - // TODO allow for headers? - return '-----BEGIN ' + opts.type + '-----\n' - + Enc.bufToBase64(opts.bytes).match(/.{1,64}/g).join('\n') + '\n' - + '-----END ' + opts.type + '-----' - ; -}; + var x509 = (exports.x509 = {}); + var ASN1 = exports.ASN1; + var Enc = exports.Enc; -Enc.bufToBase64 = function (u8) { - var bin = ''; - u8.forEach(function (i) { - bin += String.fromCharCode(i); - }); - return btoa(bin); -}; + // 1.2.840.10045.3.1.7 + // prime256v1 (ANSI X9.62 named elliptic curve) + var OBJ_ID_EC = "06 08 2A8648CE3D030107".replace(/\s+/g, "").toLowerCase(); + // 1.3.132.0.34 + // secp384r1 (SECG (Certicom) named elliptic curve) + var OBJ_ID_EC_384 = "06 05 2B81040022".replace(/\s+/g, "").toLowerCase(); + // 1.2.840.10045.2.1 + // ecPublicKey (ANSI X9.62 public key type) + var OBJ_ID_EC_PUB = "06 07 2A8648CE3D0201".replace(/\s+/g, "").toLowerCase(); -Enc.hexToBuf = function (hex) { - var arr = []; - hex.match(/.{2}/g).forEach(function (h) { - arr.push(parseInt(h, 16)); - }); - return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; -}; + x509.parseSec1 = function parseEcOnlyPrivkey(u8, jwk) { + var index = 7; + var len = 32; + var olen = OBJ_ID_EC.length / 2; -Enc.numToHex = function (d) { - d = d.toString(16); - if (d.length % 2) { - return '0' + d; - } - return d; -}; + if ("P-384" === jwk.crv) { + olen = OBJ_ID_EC_384.length / 2; + index = 8; + len = 48; + } + if (len !== u8[index - 1]) { + throw new Error("Unexpected bitlength " + len); + } -}('undefined' !== typeof window ? window : module.exports)); -(function (exports) { - 'use strict'; + // private part is d + var d = u8.slice(index, index + len); + // compression bit index + var ci = index + len + 2 + olen + 2 + 3; + var c = u8[ci]; + var x, y; - var x509 = exports.x509 = {}; - var ASN1 = exports.ASN1; - var Enc = exports.Enc; + if (0x04 === c) { + y = u8.slice(ci + 1 + len, ci + 1 + len + len); + } else if (0x02 !== c) { + throw new Error("not a supported EC private key"); + } + x = u8.slice(ci + 1, ci + 1 + len); - // 1.2.840.10045.3.1.7 - // prime256v1 (ANSI X9.62 named elliptic curve) - var OBJ_ID_EC = '06 08 2A8648CE3D030107'.replace(/\s+/g, '').toLowerCase(); - // 1.3.132.0.34 - // secp384r1 (SECG (Certicom) named elliptic curve) - var OBJ_ID_EC_384 = '06 05 2B81040022'.replace(/\s+/g, '').toLowerCase(); - // 1.2.840.10045.2.1 - // ecPublicKey (ANSI X9.62 public key type) - var OBJ_ID_EC_PUB = '06 07 2A8648CE3D0201'.replace(/\s+/g, '').toLowerCase(); + return { + kty: jwk.kty, + crv: jwk.crv, + d: Enc.bufToUrlBase64(d), + //, dh: Enc.bufToHex(d) + x: Enc.bufToUrlBase64(x), + //, xh: Enc.bufToHex(x) + y: Enc.bufToUrlBase64(y) + //, yh: Enc.bufToHex(y) + }; + }; - x509.parseSec1 = function parseEcOnlyPrivkey(u8, jwk) { - var index = 7; - var len = 32; - var olen = OBJ_ID_EC.length / 2; + x509.packPkcs1 = function(jwk) { + var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); + var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); - if ("P-384" === jwk.crv) { - olen = OBJ_ID_EC_384.length / 2; - index = 8; - len = 48; - } - if (len !== u8[index - 1]) { - throw new Error("Unexpected bitlength " + len); - } + if (!jwk.d) { + return Enc.hexToBuf(ASN1("30", n, e)); + } - // private part is d - var d = u8.slice(index, index + len); - // compression bit index - var ci = index + len + 2 + olen + 2 + 3; - var c = u8[ci]; - var x, y; + return Enc.hexToBuf( + ASN1( + "30", + ASN1.UInt("00"), + n, + e, + ASN1.UInt(Enc.base64ToHex(jwk.d)), + ASN1.UInt(Enc.base64ToHex(jwk.p)), + ASN1.UInt(Enc.base64ToHex(jwk.q)), + ASN1.UInt(Enc.base64ToHex(jwk.dp)), + ASN1.UInt(Enc.base64ToHex(jwk.dq)), + ASN1.UInt(Enc.base64ToHex(jwk.qi)) + ) + ); + }; - if (0x04 === c) { - y = u8.slice(ci + 1 + len, ci + 1 + len + len); - } else if (0x02 !== c) { - throw new Error("not a supported EC private key"); - } - x = u8.slice(ci + 1, ci + 1 + len); + x509.parsePkcs8 = function parseEcPkcs8(u8, jwk) { + var index = 24 + OBJ_ID_EC.length / 2; + var len = 32; + if ("P-384" === jwk.crv) { + index = 24 + OBJ_ID_EC_384.length / 2 + 2; + len = 48; + } - return { - kty: jwk.kty - , crv: jwk.crv - , d: Enc.bufToUrlBase64(d) - //, dh: Enc.bufToHex(d) - , x: Enc.bufToUrlBase64(x) - //, xh: Enc.bufToHex(x) - , y: Enc.bufToUrlBase64(y) - //, yh: Enc.bufToHex(y) - }; - }; + //console.log(index, u8.slice(index)); + if (0x04 !== u8[index]) { + //console.log(jwk); + throw new Error("privkey not found"); + } + var d = u8.slice(index + 2, index + 2 + len); + var ci = index + 2 + len + 5; + var xi = ci + 1; + var x = u8.slice(xi, xi + len); + var yi = xi + len; + var y; + if (0x04 === u8[ci]) { + y = u8.slice(yi, yi + len); + } else if (0x02 !== u8[ci]) { + throw new Error("invalid compression bit (expected 0x04 or 0x02)"); + } - x509.packPkcs1 = function (jwk) { - var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); - var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); + return { + kty: jwk.kty, + crv: jwk.crv, + d: Enc.bufToUrlBase64(d), + //, dh: Enc.bufToHex(d) + x: Enc.bufToUrlBase64(x), + //, xh: Enc.bufToHex(x) + y: Enc.bufToUrlBase64(y) + //, yh: Enc.bufToHex(y) + }; + }; - if (!jwk.d) { - return Enc.hexToBuf(ASN1('30', n, e)); - } + x509.parseSpki = function parsePem(u8, jwk) { + var ci = 16 + OBJ_ID_EC.length / 2; + var len = 32; - return Enc.hexToBuf(ASN1('30' - , ASN1.UInt('00') - , n - , e - , ASN1.UInt(Enc.base64ToHex(jwk.d)) - , ASN1.UInt(Enc.base64ToHex(jwk.p)) - , ASN1.UInt(Enc.base64ToHex(jwk.q)) - , ASN1.UInt(Enc.base64ToHex(jwk.dp)) - , ASN1.UInt(Enc.base64ToHex(jwk.dq)) - , ASN1.UInt(Enc.base64ToHex(jwk.qi)) - )); - }; + if ("P-384" === jwk.crv) { + ci = 16 + OBJ_ID_EC_384.length / 2; + len = 48; + } - x509.parsePkcs8 = function parseEcPkcs8(u8, jwk) { - var index = 24 + (OBJ_ID_EC.length / 2); - var len = 32; - if ("P-384" === jwk.crv) { - index = 24 + (OBJ_ID_EC_384.length / 2) + 2; - len = 48; - } + var c = u8[ci]; + var xi = ci + 1; + var x = u8.slice(xi, xi + len); + var yi = xi + len; + var y; + if (0x04 === c) { + y = u8.slice(yi, yi + len); + } else if (0x02 !== c) { + throw new Error("not a supported EC private key"); + } - //console.log(index, u8.slice(index)); - if (0x04 !== u8[index]) { - //console.log(jwk); - throw new Error("privkey not found"); - } - var d = u8.slice(index + 2, index + 2 + len); - var ci = index + 2 + len + 5; - var xi = ci + 1; - var x = u8.slice(xi, xi + len); - var yi = xi + len; - var y; - if (0x04 === u8[ci]) { - y = u8.slice(yi, yi + len); - } else if (0x02 !== u8[ci]) { - throw new Error("invalid compression bit (expected 0x04 or 0x02)"); - } + return { + kty: jwk.kty, + crv: jwk.crv, + x: Enc.bufToUrlBase64(x), + //, xh: Enc.bufToHex(x) + y: Enc.bufToUrlBase64(y) + //, yh: Enc.bufToHex(y) + }; + }; + x509.parsePkix = x509.parseSpki; - return { - kty: jwk.kty - , crv: jwk.crv - , d: Enc.bufToUrlBase64(d) - //, dh: Enc.bufToHex(d) - , x: Enc.bufToUrlBase64(x) - //, xh: Enc.bufToHex(x) - , y: Enc.bufToUrlBase64(y) - //, yh: Enc.bufToHex(y) - }; - }; + x509.packSec1 = function(jwk) { + var d = Enc.base64ToHex(jwk.d); + var x = Enc.base64ToHex(jwk.x); + var y = Enc.base64ToHex(jwk.y); + var objId = "P-256" === jwk.crv ? OBJ_ID_EC : OBJ_ID_EC_384; + return Enc.hexToBuf( + ASN1( + "30", + ASN1.UInt("01"), + ASN1("04", d), + ASN1("A0", objId), + ASN1("A1", ASN1.BitStr("04" + x + y)) + ) + ); + }; + /** + * take a private jwk and creates a der from it + * @param {*} jwk + */ + x509.packPkcs8 = function(jwk) { + if ("RSA" === jwk.kty) { + if (!jwk.d) { + // Public RSA + return Enc.hexToBuf( + ASN1( + "30", + ASN1("30", ASN1("06", "2a864886f70d010101"), ASN1("05")), + ASN1.BitStr( + ASN1( + "30", + ASN1.UInt(Enc.base64ToHex(jwk.n)), + ASN1.UInt(Enc.base64ToHex(jwk.e)) + ) + ) + ) + ); + } - x509.parseSpki = function parsePem(u8, jwk) { - var ci = 16 + OBJ_ID_EC.length / 2; - var len = 32; + // Private RSA + return Enc.hexToBuf( + ASN1( + "30", + ASN1.UInt("00"), + ASN1("30", ASN1("06", "2a864886f70d010101"), ASN1("05")), + ASN1( + "04", + ASN1( + "30", + ASN1.UInt("00"), + ASN1.UInt(Enc.base64ToHex(jwk.n)), + ASN1.UInt(Enc.base64ToHex(jwk.e)), + ASN1.UInt(Enc.base64ToHex(jwk.d)), + ASN1.UInt(Enc.base64ToHex(jwk.p)), + ASN1.UInt(Enc.base64ToHex(jwk.q)), + ASN1.UInt(Enc.base64ToHex(jwk.dp)), + ASN1.UInt(Enc.base64ToHex(jwk.dq)), + ASN1.UInt(Enc.base64ToHex(jwk.qi)) + ) + ) + ) + ); + } - if ("P-384" === jwk.crv) { - ci = 16 + OBJ_ID_EC_384.length / 2; - len = 48; - } + var d = Enc.base64ToHex(jwk.d); + var x = Enc.base64ToHex(jwk.x); + var y = Enc.base64ToHex(jwk.y); + var objId = "P-256" === jwk.crv ? OBJ_ID_EC : OBJ_ID_EC_384; + return Enc.hexToBuf( + ASN1( + "30", + ASN1.UInt("00"), + ASN1("30", OBJ_ID_EC_PUB, objId), + ASN1( + "04", + ASN1( + "30", + ASN1.UInt("01"), + ASN1("04", d), + ASN1("A1", ASN1.BitStr("04" + x + y)) + ) + ) + ) + ); + }; + x509.packSpki = function(jwk) { + if (/EC/i.test(jwk.kty)) { + return x509.packSpkiEc(jwk); + } + return x509.packSpkiRsa(jwk); + }; + x509.packSpkiRsa = function(jwk) { + if (!jwk.d) { + // Public RSA + return Enc.hexToBuf( + ASN1( + "30", + ASN1("30", ASN1("06", "2a864886f70d010101"), ASN1("05")), + ASN1.BitStr( + ASN1( + "30", + ASN1.UInt(Enc.base64ToHex(jwk.n)), + ASN1.UInt(Enc.base64ToHex(jwk.e)) + ) + ) + ) + ); + } - var c = u8[ci]; - var xi = ci + 1; - var x = u8.slice(xi, xi + len); - var yi = xi + len; - var y; - if (0x04 === c) { - y = u8.slice(yi, yi + len); - } else if (0x02 !== c) { - throw new Error("not a supported EC private key"); - } - - return { - kty: jwk.kty - , crv: jwk.crv - , x: Enc.bufToUrlBase64(x) - //, xh: Enc.bufToHex(x) - , y: Enc.bufToUrlBase64(y) - //, yh: Enc.bufToHex(y) - }; - }; - x509.parsePkix = x509.parseSpki; - - x509.packSec1 = function (jwk) { - var d = Enc.base64ToHex(jwk.d); - var x = Enc.base64ToHex(jwk.x); - var y = Enc.base64ToHex(jwk.y); - var objId = ('P-256' === jwk.crv) ? OBJ_ID_EC : OBJ_ID_EC_384; - return Enc.hexToBuf( - ASN1('30' - , ASN1.UInt('01') - , ASN1('04', d) - , ASN1('A0', objId) - , ASN1('A1', ASN1.BitStr('04' + x + y))) - ); - }; - /** - * take a private jwk and creates a der from it - * @param {*} jwk - */ - x509.packPkcs8 = function (jwk) { - if ('RSA' === jwk.kty) { - if (!jwk.d) { - // Public RSA - return Enc.hexToBuf(ASN1('30' - , ASN1('30' - , ASN1('06', '2a864886f70d010101') - , ASN1('05') - ) - , ASN1.BitStr(ASN1('30' - , ASN1.UInt(Enc.base64ToHex(jwk.n)) - , ASN1.UInt(Enc.base64ToHex(jwk.e)) - )) - )); - } - - // Private RSA - return Enc.hexToBuf(ASN1('30' - , ASN1.UInt('00') - , ASN1('30' - , ASN1('06', '2a864886f70d010101') - , ASN1('05') - ) - , ASN1('04' - , ASN1('30' - , ASN1.UInt('00') - , ASN1.UInt(Enc.base64ToHex(jwk.n)) - , ASN1.UInt(Enc.base64ToHex(jwk.e)) - , ASN1.UInt(Enc.base64ToHex(jwk.d)) - , ASN1.UInt(Enc.base64ToHex(jwk.p)) - , ASN1.UInt(Enc.base64ToHex(jwk.q)) - , ASN1.UInt(Enc.base64ToHex(jwk.dp)) - , ASN1.UInt(Enc.base64ToHex(jwk.dq)) - , ASN1.UInt(Enc.base64ToHex(jwk.qi)) - ) - ) - )); - } - - var d = Enc.base64ToHex(jwk.d); - var x = Enc.base64ToHex(jwk.x); - var y = Enc.base64ToHex(jwk.y); - var objId = ('P-256' === jwk.crv) ? OBJ_ID_EC : OBJ_ID_EC_384; - return Enc.hexToBuf( - ASN1('30' - , ASN1.UInt('00') - , ASN1('30' - , OBJ_ID_EC_PUB - , objId - ) - , ASN1('04' - , ASN1('30' - , ASN1.UInt('01') - , ASN1('04', d) - , ASN1('A1', ASN1.BitStr('04' + x + y))))) - ); - }; - x509.packSpki = function (jwk) { - if (/EC/i.test(jwk.kty)) { - return x509.packSpkiEc(jwk); - } - return x509.packSpkiRsa(jwk); - }; - x509.packSpkiRsa = function (jwk) { - if (!jwk.d) { - // Public RSA - return Enc.hexToBuf(ASN1('30' - , ASN1('30' - , ASN1('06', '2a864886f70d010101') - , ASN1('05') - ) - , ASN1.BitStr(ASN1('30' - , ASN1.UInt(Enc.base64ToHex(jwk.n)) - , ASN1.UInt(Enc.base64ToHex(jwk.e)) - )) - )); - } - - // Private RSA - return Enc.hexToBuf(ASN1('30' - , ASN1.UInt('00') - , ASN1('30' - , ASN1('06', '2a864886f70d010101') - , ASN1('05') - ) - , ASN1('04' - , ASN1('30' - , ASN1.UInt('00') - , ASN1.UInt(Enc.base64ToHex(jwk.n)) - , ASN1.UInt(Enc.base64ToHex(jwk.e)) - , ASN1.UInt(Enc.base64ToHex(jwk.d)) - , ASN1.UInt(Enc.base64ToHex(jwk.p)) - , ASN1.UInt(Enc.base64ToHex(jwk.q)) - , ASN1.UInt(Enc.base64ToHex(jwk.dp)) - , ASN1.UInt(Enc.base64ToHex(jwk.dq)) - , ASN1.UInt(Enc.base64ToHex(jwk.qi)) - ) - ) - )); -}; - x509.packSpkiEc = function (jwk) { - var x = Enc.base64ToHex(jwk.x); - var y = Enc.base64ToHex(jwk.y); - var objId = ('P-256' === jwk.crv) ? OBJ_ID_EC : OBJ_ID_EC_384; - return Enc.hexToBuf( - ASN1('30' - , ASN1('30' - , OBJ_ID_EC_PUB - , objId - ) - , ASN1.BitStr('04' + x + y)) - ); - }; - x509.packPkix = x509.packSpki; - -}('undefined' !== typeof module ? module.exports : window)); + // Private RSA + return Enc.hexToBuf( + ASN1( + "30", + ASN1.UInt("00"), + ASN1("30", ASN1("06", "2a864886f70d010101"), ASN1("05")), + ASN1( + "04", + ASN1( + "30", + ASN1.UInt("00"), + ASN1.UInt(Enc.base64ToHex(jwk.n)), + ASN1.UInt(Enc.base64ToHex(jwk.e)), + ASN1.UInt(Enc.base64ToHex(jwk.d)), + ASN1.UInt(Enc.base64ToHex(jwk.p)), + ASN1.UInt(Enc.base64ToHex(jwk.q)), + ASN1.UInt(Enc.base64ToHex(jwk.dp)), + ASN1.UInt(Enc.base64ToHex(jwk.dq)), + ASN1.UInt(Enc.base64ToHex(jwk.qi)) + ) + ) + ) + ); + }; + x509.packSpkiEc = function(jwk) { + var x = Enc.base64ToHex(jwk.x); + var y = Enc.base64ToHex(jwk.y); + var objId = "P-256" === jwk.crv ? OBJ_ID_EC : OBJ_ID_EC_384; + return Enc.hexToBuf( + ASN1("30", ASN1("30", OBJ_ID_EC_PUB, objId), ASN1.BitStr("04" + x + y)) + ); + }; + x509.packPkix = x509.packSpki; +})("undefined" !== typeof module ? module.exports : window); /*global Promise*/ -(function (exports) { -'use strict'; +(function(exports) { + "use strict"; -var EC = exports.Eckles = {}; -var x509 = exports.x509; -if ('undefined' !== typeof module) { module.exports = EC; } -var PEM = exports.PEM; -var SSH = exports.SSH; -var Enc = {}; -var textEncoder = new TextEncoder(); + var EC = (exports.Eckles = {}); + var x509 = exports.x509; + if ("undefined" !== typeof module) { + module.exports = EC; + } + var PEM = exports.PEM; + var SSH = exports.SSH; + var Enc = {}; + var textEncoder = new TextEncoder(); -EC._stance = "We take the stance that if you're knowledgeable enough to" - + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; -EC._universal = "Bluecrypt only supports crypto with standard cross-browser and cross-platform support."; -EC.generate = function (opts) { - var wcOpts = {}; - if (!opts) { opts = {}; } - if (!opts.kty) { opts.kty = 'EC'; } + EC._stance = + "We take the stance that if you're knowledgeable enough to" + + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; + EC._universal = + "Bluecrypt only supports crypto with standard cross-browser and cross-platform support."; + EC.generate = function(opts) { + var wcOpts = {}; + if (!opts) { + opts = {}; + } + if (!opts.kty) { + opts.kty = "EC"; + } - // ECDSA has only the P curves and an associated bitlength - wcOpts.name = 'ECDSA'; - if (!opts.namedCurve) { - opts.namedCurve = 'P-256'; - } - wcOpts.namedCurve = opts.namedCurve; // true for supported curves - if (/256/.test(wcOpts.namedCurve)) { - wcOpts.namedCurve = 'P-256'; - wcOpts.hash = { name: "SHA-256" }; - } else if (/384/.test(wcOpts.namedCurve)) { - wcOpts.namedCurve = 'P-384'; - wcOpts.hash = { name: "SHA-384" }; - } else { - return Promise.Reject(new Error("'" + wcOpts.namedCurve + "' is not an NIST approved ECDSA namedCurve. " - + " Please choose either 'P-256' or 'P-384'. " - + EC._stance)); - } + // ECDSA has only the P curves and an associated bitlength + wcOpts.name = "ECDSA"; + if (!opts.namedCurve) { + opts.namedCurve = "P-256"; + } + wcOpts.namedCurve = opts.namedCurve; // true for supported curves + if (/256/.test(wcOpts.namedCurve)) { + wcOpts.namedCurve = "P-256"; + wcOpts.hash = { name: "SHA-256" }; + } else if (/384/.test(wcOpts.namedCurve)) { + wcOpts.namedCurve = "P-384"; + wcOpts.hash = { name: "SHA-384" }; + } else { + return Promise.Reject( + new Error( + "'" + + wcOpts.namedCurve + + "' is not an NIST approved ECDSA namedCurve. " + + " Please choose either 'P-256' or 'P-384'. " + + EC._stance + ) + ); + } - var extractable = true; - return window.crypto.subtle.generateKey( - wcOpts - , extractable - , [ 'sign', 'verify' ] - ).then(function (result) { - return window.crypto.subtle.exportKey( - "jwk" - , result.privateKey - ).then(function (privJwk) { - privJwk.key_ops = undefined; - privJwk.ext = undefined; - return { - private: privJwk - , public: EC.neuter({ jwk: privJwk }) - }; - }); - }); -}; + var extractable = true; + return window.crypto.subtle + .generateKey(wcOpts, extractable, ["sign", "verify"]) + .then(function(result) { + return window.crypto.subtle + .exportKey("jwk", result.privateKey) + .then(function(privJwk) { + privJwk.key_ops = undefined; + privJwk.ext = undefined; + return { + private: privJwk, + public: EC.neuter({ jwk: privJwk }) + }; + }); + }); + }; -EC.export = function (opts) { - return Promise.resolve().then(function () { - if (!opts || !opts.jwk || 'object' !== typeof opts.jwk) { - throw new Error("must pass { jwk: jwk } as a JSON object"); - } - var jwk = JSON.parse(JSON.stringify(opts.jwk)); - var format = opts.format; - if (opts.public || -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) { - jwk.d = null; - } - if ('EC' !== jwk.kty) { - throw new Error("options.jwk.kty must be 'EC' for EC keys"); - } - if (!jwk.d) { - if (!format || -1 !== [ 'spki', 'pkix' ].indexOf(format)) { - format = 'spki'; - } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) { - format = 'ssh'; - } else { - throw new Error("options.format must be 'spki' or 'ssh' for public EC keys, not (" - + typeof format + ") " + format); - } - } else { - if (!format || 'sec1' === format) { - format = 'sec1'; - } else if ('pkcs8' !== format) { - throw new Error("options.format must be 'sec1' or 'pkcs8' for private EC keys, not '" + format + "'"); - } - } - if (-1 === [ 'P-256', 'P-384' ].indexOf(jwk.crv)) { - throw new Error("options.jwk.crv must be either P-256 or P-384 for EC keys, not '" + jwk.crv + "'"); - } - if (!jwk.y) { - throw new Error("options.jwk.y must be a urlsafe base64-encoded either P-256 or P-384"); - } + EC.export = function(opts) { + return Promise.resolve().then(function() { + if (!opts || !opts.jwk || "object" !== typeof opts.jwk) { + throw new Error("must pass { jwk: jwk } as a JSON object"); + } + var jwk = JSON.parse(JSON.stringify(opts.jwk)); + var format = opts.format; + if ( + opts.public || + -1 !== ["spki", "pkix", "ssh", "rfc4716"].indexOf(format) + ) { + jwk.d = null; + } + if ("EC" !== jwk.kty) { + throw new Error("options.jwk.kty must be 'EC' for EC keys"); + } + if (!jwk.d) { + if (!format || -1 !== ["spki", "pkix"].indexOf(format)) { + format = "spki"; + } else if (-1 !== ["ssh", "rfc4716"].indexOf(format)) { + format = "ssh"; + } else { + throw new Error( + "options.format must be 'spki' or 'ssh' for public EC keys, not (" + + typeof format + + ") " + + format + ); + } + } else { + if (!format || "sec1" === format) { + format = "sec1"; + } else if ("pkcs8" !== format) { + throw new Error( + "options.format must be 'sec1' or 'pkcs8' for private EC keys, not '" + + format + + "'" + ); + } + } + if (-1 === ["P-256", "P-384"].indexOf(jwk.crv)) { + throw new Error( + "options.jwk.crv must be either P-256 or P-384 for EC keys, not '" + + jwk.crv + + "'" + ); + } + if (!jwk.y) { + throw new Error( + "options.jwk.y must be a urlsafe base64-encoded either P-256 or P-384" + ); + } - if ('sec1' === format) { - return PEM.packBlock({ type: "EC PRIVATE KEY", bytes: x509.packSec1(jwk) }); - } else if ('pkcs8' === format) { - return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) }); - } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) { - return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) }); - } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) { - return SSH.packSsh(jwk); - } else { - throw new Error("Sanity Error: reached unreachable code block with format: " + format); - } - }); -}; -EC.pack = function (opts) { - return Promise.resolve().then(function () { - return EC.exportSync(opts); - }); -}; + if ("sec1" === format) { + return PEM.packBlock({ + type: "EC PRIVATE KEY", + bytes: x509.packSec1(jwk) + }); + } else if ("pkcs8" === format) { + return PEM.packBlock({ + type: "PRIVATE KEY", + bytes: x509.packPkcs8(jwk) + }); + } else if (-1 !== ["spki", "pkix"].indexOf(format)) { + return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) }); + } else if (-1 !== ["ssh", "rfc4716"].indexOf(format)) { + return SSH.packSsh(jwk); + } else { + throw new Error( + "Sanity Error: reached unreachable code block with format: " + format + ); + } + }); + }; + EC.pack = function(opts) { + return Promise.resolve().then(function() { + return EC.exportSync(opts); + }); + }; -// Chopping off the private parts is now part of the public API. -// I thought it sounded a little too crude at first, but it really is the best name in every possible way. -EC.neuter = function (opts) { - // trying to find the best balance of an immutable copy with custom attributes - var jwk = {}; - Object.keys(opts.jwk).forEach(function (k) { - if ('undefined' === typeof opts.jwk[k]) { return; } - // ignore EC private parts - if ('d' === k) { return; } - jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k])); - }); - return jwk; -}; + // Chopping off the private parts is now part of the public API. + // I thought it sounded a little too crude at first, but it really is the best name in every possible way. + EC.neuter = function(opts) { + // trying to find the best balance of an immutable copy with custom attributes + var jwk = {}; + Object.keys(opts.jwk).forEach(function(k) { + if ("undefined" === typeof opts.jwk[k]) { + return; + } + // ignore EC private parts + if ("d" === k) { + return; + } + jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k])); + }); + return jwk; + }; -// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk -EC.__thumbprint = function (jwk) { - // Use the same entropy for SHA as for key - var alg = 'SHA-256'; - if (/384/.test(jwk.crv)) { - alg = 'SHA-384'; - } - return window.crypto.subtle.digest( - { name: alg } - , textEncoder.encode('{"crv":"' + jwk.crv + '","kty":"EC","x":"' + jwk.x + '","y":"' + jwk.y + '"}') - ).then(function (hash) { - return Enc.bufToUrlBase64(new Uint8Array(hash)); - }); -}; + // https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk + EC.__thumbprint = function(jwk) { + // Use the same entropy for SHA as for key + var alg = "SHA-256"; + if (/384/.test(jwk.crv)) { + alg = "SHA-384"; + } + return window.crypto.subtle + .digest( + { name: alg }, + textEncoder.encode( + '{"crv":"' + + jwk.crv + + '","kty":"EC","x":"' + + jwk.x + + '","y":"' + + jwk.y + + '"}' + ) + ) + .then(function(hash) { + return Enc.bufToUrlBase64(new Uint8Array(hash)); + }); + }; -EC.thumbprint = function (opts) { - return Promise.resolve().then(function () { - var jwk; - if ('EC' === opts.kty) { - jwk = opts; - } else if (opts.jwk) { - jwk = opts.jwk; - } else { - return EC.import(opts).then(function (jwk) { - return EC.__thumbprint(jwk); - }); - } - return EC.__thumbprint(jwk); - }); -}; + EC.thumbprint = function(opts) { + return Promise.resolve().then(function() { + var jwk; + if ("EC" === opts.kty) { + jwk = opts; + } else if (opts.jwk) { + jwk = opts.jwk; + } else { + return EC.import(opts).then(function(jwk) { + return EC.__thumbprint(jwk); + }); + } + return EC.__thumbprint(jwk); + }); + }; -Enc.bufToUrlBase64 = function (u8) { - return Enc.bufToBase64(u8) - .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); -}; + Enc.bufToUrlBase64 = function(u8) { + return Enc.bufToBase64(u8) + .replace(/\+/g, "-") + .replace(/\//g, "_") + .replace(/=/g, ""); + }; -Enc.bufToBase64 = function (u8) { - var bin = ''; - u8.forEach(function (i) { - bin += String.fromCharCode(i); - }); - return btoa(bin); -}; - -}('undefined' !== typeof module ? module.exports : window)); + Enc.bufToBase64 = function(u8) { + var bin = ""; + u8.forEach(function(i) { + bin += String.fromCharCode(i); + }); + return btoa(bin); + }; +})("undefined" !== typeof module ? module.exports : window); /*global Promise*/ -(function (exports) { -'use strict'; +(function(exports) { + "use strict"; -var RSA = exports.Rasha = {}; -var x509 = exports.x509; -if ('undefined' !== typeof module) { module.exports = RSA; } -var PEM = exports.PEM; -var SSH = exports.SSH; -var Enc = {}; -var textEncoder = new TextEncoder(); + var RSA = (exports.Rasha = {}); + var x509 = exports.x509; + if ("undefined" !== typeof module) { + module.exports = RSA; + } + var PEM = exports.PEM; + var SSH = exports.SSH; + var Enc = {}; + var textEncoder = new TextEncoder(); -RSA._stance = "We take the stance that if you're knowledgeable enough to" - + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; -RSA._universal = "Bluecrypt only supports crypto with standard cross-browser and cross-platform support."; -RSA.generate = function (opts) { - var wcOpts = {}; - if (!opts) { opts = {}; } - if (!opts.kty) { opts.kty = 'RSA'; } + RSA._stance = + "We take the stance that if you're knowledgeable enough to" + + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; + RSA._universal = + "Bluecrypt only supports crypto with standard cross-browser and cross-platform support."; + RSA.generate = function(opts) { + var wcOpts = {}; + if (!opts) { + opts = {}; + } + if (!opts.kty) { + opts.kty = "RSA"; + } - // Support PSS? I don't think it's used for Let's Encrypt - wcOpts.name = 'RSASSA-PKCS1-v1_5'; - if (!opts.modulusLength) { - opts.modulusLength = 2048; - } - wcOpts.modulusLength = opts.modulusLength; - if (wcOpts.modulusLength >= 2048 && wcOpts.modulusLength < 3072) { - // erring on the small side... for no good reason - wcOpts.hash = { name: "SHA-256" }; - } else if (wcOpts.modulusLength >= 3072 && wcOpts.modulusLength < 4096) { - wcOpts.hash = { name: "SHA-384" }; - } else if (wcOpts.modulusLength < 4097) { - wcOpts.hash = { name: "SHA-512" }; - } else { - // Public key thumbprints should be paired with a hash of similar length, - // so anything above SHA-512's keyspace would be left under-represented anyway. - return Promise.Reject(new Error("'" + wcOpts.modulusLength + "' is not within the safe and universally" - + " acceptable range of 2048-4096. Typically you should pick 2048, 3072, or 4096, though other values" - + " divisible by 8 are allowed. " + RSA._stance)); - } - // TODO maybe allow this to be set to any of the standard values? - wcOpts.publicExponent = new Uint8Array([0x01, 0x00, 0x01]); + // Support PSS? I don't think it's used for Let's Encrypt + wcOpts.name = "RSASSA-PKCS1-v1_5"; + if (!opts.modulusLength) { + opts.modulusLength = 2048; + } + wcOpts.modulusLength = opts.modulusLength; + if (wcOpts.modulusLength >= 2048 && wcOpts.modulusLength < 3072) { + // erring on the small side... for no good reason + wcOpts.hash = { name: "SHA-256" }; + } else if (wcOpts.modulusLength >= 3072 && wcOpts.modulusLength < 4096) { + wcOpts.hash = { name: "SHA-384" }; + } else if (wcOpts.modulusLength < 4097) { + wcOpts.hash = { name: "SHA-512" }; + } else { + // Public key thumbprints should be paired with a hash of similar length, + // so anything above SHA-512's keyspace would be left under-represented anyway. + return Promise.Reject( + new Error( + "'" + + wcOpts.modulusLength + + "' is not within the safe and universally" + + " acceptable range of 2048-4096. Typically you should pick 2048, 3072, or 4096, though other values" + + " divisible by 8 are allowed. " + + RSA._stance + ) + ); + } + // TODO maybe allow this to be set to any of the standard values? + wcOpts.publicExponent = new Uint8Array([0x01, 0x00, 0x01]); - var extractable = true; - return window.crypto.subtle.generateKey( - wcOpts - , extractable - , [ 'sign', 'verify' ] - ).then(function (result) { - return window.crypto.subtle.exportKey( - "jwk" - , result.privateKey - ).then(function (privJwk) { - return { - private: privJwk - , public: RSA.neuter({ jwk: privJwk }) - }; - }); - }); -}; + var extractable = true; + return window.crypto.subtle + .generateKey(wcOpts, extractable, ["sign", "verify"]) + .then(function(result) { + return window.crypto.subtle + .exportKey("jwk", result.privateKey) + .then(function(privJwk) { + return { + private: privJwk, + public: RSA.neuter({ jwk: privJwk }) + }; + }); + }); + }; -// Chopping off the private parts is now part of the public API. -// I thought it sounded a little too crude at first, but it really is the best name in every possible way. -RSA.neuter = function (opts) { - // trying to find the best balance of an immutable copy with custom attributes - var jwk = {}; - Object.keys(opts.jwk).forEach(function (k) { - if ('undefined' === typeof opts.jwk[k]) { return; } - // ignore RSA private parts - if (-1 !== ['d', 'p', 'q', 'dp', 'dq', 'qi'].indexOf(k)) { return; } - jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k])); - }); - return jwk; -}; + // Chopping off the private parts is now part of the public API. + // I thought it sounded a little too crude at first, but it really is the best name in every possible way. + RSA.neuter = function(opts) { + // trying to find the best balance of an immutable copy with custom attributes + var jwk = {}; + Object.keys(opts.jwk).forEach(function(k) { + if ("undefined" === typeof opts.jwk[k]) { + return; + } + // ignore RSA private parts + if (-1 !== ["d", "p", "q", "dp", "dq", "qi"].indexOf(k)) { + return; + } + jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k])); + }); + return jwk; + }; -// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk -RSA.__thumbprint = function (jwk) { - // Use the same entropy for SHA as for key - var len = Math.floor(jwk.n.length * 0.75); - var alg = 'SHA-256'; - // TODO this may be a bug - // need to confirm that the padding is no more or less than 1 byte - if (len >= 511) { - alg = 'SHA-512'; - } else if (len >= 383) { - alg = 'SHA-384'; - } - return window.crypto.subtle.digest( - { name: alg } - , textEncoder.encode('{"e":"' + jwk.e + '","kty":"RSA","n":"' + jwk.n + '"}') - ).then(function (hash) { - return Enc.bufToUrlBase64(new Uint8Array(hash)); - }); -}; + // https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk + RSA.__thumbprint = function(jwk) { + // Use the same entropy for SHA as for key + var len = Math.floor(jwk.n.length * 0.75); + var alg = "SHA-256"; + // TODO this may be a bug + // need to confirm that the padding is no more or less than 1 byte + if (len >= 511) { + alg = "SHA-512"; + } else if (len >= 383) { + alg = "SHA-384"; + } + return window.crypto.subtle + .digest( + { name: alg }, + textEncoder.encode( + '{"e":"' + jwk.e + '","kty":"RSA","n":"' + jwk.n + '"}' + ) + ) + .then(function(hash) { + return Enc.bufToUrlBase64(new Uint8Array(hash)); + }); + }; -RSA.thumbprint = function (opts) { - return Promise.resolve().then(function () { - var jwk; - if ('EC' === opts.kty) { - jwk = opts; - } else if (opts.jwk) { - jwk = opts.jwk; - } else { - return RSA.import(opts).then(function (jwk) { - return RSA.__thumbprint(jwk); - }); - } - return RSA.__thumbprint(jwk); - }); -}; + RSA.thumbprint = function(opts) { + return Promise.resolve().then(function() { + var jwk; + if ("EC" === opts.kty) { + jwk = opts; + } else if (opts.jwk) { + jwk = opts.jwk; + } else { + return RSA.import(opts).then(function(jwk) { + return RSA.__thumbprint(jwk); + }); + } + return RSA.__thumbprint(jwk); + }); + }; -RSA.export = function (opts) { - return Promise.resolve().then(function () { - if (!opts || !opts.jwk || 'object' !== typeof opts.jwk) { - throw new Error("must pass { jwk: jwk }"); - } - var jwk = JSON.parse(JSON.stringify(opts.jwk)); - var format = opts.format; - var pub = opts.public; - if (pub || -1 !== [ 'spki', 'pkix', 'ssh', 'rfc4716' ].indexOf(format)) { - jwk = RSA.neuter({ jwk: jwk }); - } - if ('RSA' !== jwk.kty) { - throw new Error("options.jwk.kty must be 'RSA' for RSA keys"); - } - if (!jwk.p) { - // TODO test for n and e - pub = true; - if (!format || 'pkcs1' === format) { - format = 'pkcs1'; - } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) { - format = 'spki'; - } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) { - format = 'ssh'; - } else { - throw new Error("options.format must be 'spki', 'pkcs1', or 'ssh' for public RSA keys, not (" - + typeof format + ") " + format); - } - } else { - // TODO test for all necessary keys (d, p, q ...) - if (!format || 'pkcs1' === format) { - format = 'pkcs1'; - } else if ('pkcs8' !== format) { - throw new Error("options.format must be 'pkcs1' or 'pkcs8' for private RSA keys"); - } - } + RSA.export = function(opts) { + return Promise.resolve().then(function() { + if (!opts || !opts.jwk || "object" !== typeof opts.jwk) { + throw new Error("must pass { jwk: jwk }"); + } + var jwk = JSON.parse(JSON.stringify(opts.jwk)); + var format = opts.format; + var pub = opts.public; + if (pub || -1 !== ["spki", "pkix", "ssh", "rfc4716"].indexOf(format)) { + jwk = RSA.neuter({ jwk: jwk }); + } + if ("RSA" !== jwk.kty) { + throw new Error("options.jwk.kty must be 'RSA' for RSA keys"); + } + if (!jwk.p) { + // TODO test for n and e + pub = true; + if (!format || "pkcs1" === format) { + format = "pkcs1"; + } else if (-1 !== ["spki", "pkix"].indexOf(format)) { + format = "spki"; + } else if (-1 !== ["ssh", "rfc4716"].indexOf(format)) { + format = "ssh"; + } else { + throw new Error( + "options.format must be 'spki', 'pkcs1', or 'ssh' for public RSA keys, not (" + + typeof format + + ") " + + format + ); + } + } else { + // TODO test for all necessary keys (d, p, q ...) + if (!format || "pkcs1" === format) { + format = "pkcs1"; + } else if ("pkcs8" !== format) { + throw new Error( + "options.format must be 'pkcs1' or 'pkcs8' for private RSA keys" + ); + } + } - if ('pkcs1' === format) { - if (jwk.d) { - return PEM.packBlock({ type: "RSA PRIVATE KEY", bytes: x509.packPkcs1(jwk) }); - } else { - return PEM.packBlock({ type: "RSA PUBLIC KEY", bytes: x509.packPkcs1(jwk) }); - } - } else if ('pkcs8' === format) { - return PEM.packBlock({ type: "PRIVATE KEY", bytes: x509.packPkcs8(jwk) }); - } else if (-1 !== [ 'spki', 'pkix' ].indexOf(format)) { - return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) }); - } else if (-1 !== [ 'ssh', 'rfc4716' ].indexOf(format)) { - return SSH.pack({ jwk: jwk, comment: opts.comment }); - } else { - throw new Error("Sanity Error: reached unreachable code block with format: " + format); - } - }); -}; -RSA.pack = function (opts) { - // wrapped in a promise for API compatibility - // with the forthcoming browser version - // (and potential future native node capability) - return Promise.resolve().then(function () { - return RSA.export(opts); - }); -}; + if ("pkcs1" === format) { + if (jwk.d) { + return PEM.packBlock({ + type: "RSA PRIVATE KEY", + bytes: x509.packPkcs1(jwk) + }); + } else { + return PEM.packBlock({ + type: "RSA PUBLIC KEY", + bytes: x509.packPkcs1(jwk) + }); + } + } else if ("pkcs8" === format) { + return PEM.packBlock({ + type: "PRIVATE KEY", + bytes: x509.packPkcs8(jwk) + }); + } else if (-1 !== ["spki", "pkix"].indexOf(format)) { + return PEM.packBlock({ type: "PUBLIC KEY", bytes: x509.packSpki(jwk) }); + } else if (-1 !== ["ssh", "rfc4716"].indexOf(format)) { + return SSH.pack({ jwk: jwk, comment: opts.comment }); + } else { + throw new Error( + "Sanity Error: reached unreachable code block with format: " + format + ); + } + }); + }; + RSA.pack = function(opts) { + // wrapped in a promise for API compatibility + // with the forthcoming browser version + // (and potential future native node capability) + return Promise.resolve().then(function() { + return RSA.export(opts); + }); + }; -Enc.bufToUrlBase64 = function (u8) { - return Enc.bufToBase64(u8) - .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); -}; + Enc.bufToUrlBase64 = function(u8) { + return Enc.bufToBase64(u8) + .replace(/\+/g, "-") + .replace(/\//g, "_") + .replace(/=/g, ""); + }; -Enc.bufToBase64 = function (u8) { - var bin = ''; - u8.forEach(function (i) { - bin += String.fromCharCode(i); - }); - return btoa(bin); -}; - -}('undefined' !== typeof module ? module.exports : window)); + Enc.bufToBase64 = function(u8) { + var bin = ""; + u8.forEach(function(i) { + bin += String.fromCharCode(i); + }); + return btoa(bin); + }; +})("undefined" !== typeof module ? module.exports : window); /*global Promise*/ -(function (exports) { -'use strict'; +(function(exports) { + "use strict"; -var Keypairs = exports.Keypairs = {}; -var Rasha = exports.Rasha; -var Eckles = exports.Eckles; -var Enc = exports.Enc || {}; + var Keypairs = (exports.Keypairs = {}); + var Rasha = exports.Rasha; + var Eckles = exports.Eckles; + var Enc = exports.Enc || {}; -Keypairs._stance = "We take the stance that if you're knowledgeable enough to" - + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; -Keypairs._universal = "Bluecrypt only supports crypto with standard cross-browser and cross-platform support."; -Keypairs.generate = function (opts) { - opts = opts || {}; - var p; - if (!opts.kty) { opts.kty = opts.type; } - if (!opts.kty) { opts.kty = 'EC'; } - if (/^EC/i.test(opts.kty)) { - p = Eckles.generate(opts); - } else if (/^RSA$/i.test(opts.kty)) { - p = Rasha.generate(opts); - } else { - return Promise.Reject(new Error("'" + opts.kty + "' is not a well-supported key type." - + Keypairs._universal - + " Please choose 'EC', or 'RSA' if you have good reason to.")); - } - return p.then(function (pair) { - return Keypairs.thumbprint({ jwk: pair.public }).then(function (thumb) { - pair.private.kid = thumb; // maybe not the same id on the private key? - pair.public.kid = thumb; - return pair; - }); - }); -}; + Keypairs._stance = + "We take the stance that if you're knowledgeable enough to" + + " properly and securely use non-standard crypto then you shouldn't need Bluecrypt anyway."; + Keypairs._universal = + "Bluecrypt only supports crypto with standard cross-browser and cross-platform support."; + Keypairs.generate = function(opts) { + opts = opts || {}; + var p; + if (!opts.kty) { + opts.kty = opts.type; + } + if (!opts.kty) { + opts.kty = "EC"; + } + if (/^EC/i.test(opts.kty)) { + p = Eckles.generate(opts); + } else if (/^RSA$/i.test(opts.kty)) { + p = Rasha.generate(opts); + } else { + return Promise.Reject( + new Error( + "'" + + opts.kty + + "' is not a well-supported key type." + + Keypairs._universal + + " Please choose 'EC', or 'RSA' if you have good reason to." + ) + ); + } + return p.then(function(pair) { + return Keypairs.thumbprint({ jwk: pair.public }).then(function(thumb) { + pair.private.kid = thumb; // maybe not the same id on the private key? + pair.public.kid = thumb; + return pair; + }); + }); + }; -Keypairs.export = function (opts) { - return Eckles.export(opts).catch(function (err) { - return Rasha.export(opts).catch(function () { - return Promise.reject(err); - }); - }); -}; + Keypairs.export = function(opts) { + return Eckles.export(opts).catch(function(err) { + return Rasha.export(opts).catch(function() { + return Promise.reject(err); + }); + }); + }; + /** + * Chopping off the private parts is now part of the public API. + * I thought it sounded a little too crude at first, but it really is the best name in every possible way. + */ + Keypairs.neuter = function(opts) { + /** trying to find the best balance of an immutable copy with custom attributes */ + var jwk = {}; + Object.keys(opts.jwk).forEach(function(k) { + if ("undefined" === typeof opts.jwk[k]) { + return; + } + // ignore RSA and EC private parts + if (-1 !== ["d", "p", "q", "dp", "dq", "qi"].indexOf(k)) { + return; + } + jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k])); + }); + return jwk; + }; -/** - * Chopping off the private parts is now part of the public API. - * I thought it sounded a little too crude at first, but it really is the best name in every possible way. - */ -Keypairs.neuter = function (opts) { - /** trying to find the best balance of an immutable copy with custom attributes */ - var jwk = {}; - Object.keys(opts.jwk).forEach(function (k) { - if ('undefined' === typeof opts.jwk[k]) { return; } - // ignore RSA and EC private parts - if (-1 !== ['d', 'p', 'q', 'dp', 'dq', 'qi'].indexOf(k)) { return; } - jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k])); - }); - return jwk; -}; + Keypairs.thumbprint = function(opts) { + return Promise.resolve().then(function() { + if (/EC/i.test(opts.jwk.kty)) { + return Eckles.thumbprint(opts); + } else { + return Rasha.thumbprint(opts); + } + }); + }; -Keypairs.thumbprint = function (opts) { - return Promise.resolve().then(function () { - if (/EC/i.test(opts.jwk.kty)) { - return Eckles.thumbprint(opts); - } else { - return Rasha.thumbprint(opts); - } - }); -}; + Keypairs.publish = function(opts) { + if ("object" !== typeof opts.jwk || !opts.jwk.kty) { + throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); + } -Keypairs.publish = function (opts) { - if ('object' !== typeof opts.jwk || !opts.jwk.kty) { throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); } + /** returns a copy */ + var jwk = Keypairs.neuter(opts); - /** returns a copy */ - var jwk = Keypairs.neuter(opts); + if (jwk.exp) { + jwk.exp = setTime(jwk.exp); + } else { + if (opts.exp) { + jwk.exp = setTime(opts.exp); + } else if (opts.expiresIn) { + jwk.exp = Math.round(Date.now() / 1000) + opts.expiresIn; + } else if (opts.expiresAt) { + jwk.exp = opts.expiresAt; + } + } + if (!jwk.use && false !== jwk.use) { + jwk.use = "sig"; + } - if (jwk.exp) { - jwk.exp = setTime(jwk.exp); - } else { - if (opts.exp) { jwk.exp = setTime(opts.exp); } - else if (opts.expiresIn) { jwk.exp = Math.round(Date.now()/1000) + opts.expiresIn; } - else if (opts.expiresAt) { jwk.exp = opts.expiresAt; } - } - if (!jwk.use && false !== jwk.use) { jwk.use = "sig"; } + if (jwk.kid) { + return Promise.resolve(jwk); + } + return Keypairs.thumbprint({ jwk: jwk }).then(function(thumb) { + jwk.kid = thumb; + return jwk; + }); + }; - if (jwk.kid) { return Promise.resolve(jwk); } - return Keypairs.thumbprint({ jwk: jwk }).then(function (thumb) { jwk.kid = thumb; return jwk; }); -}; + // JWT a.k.a. JWS with Claims using Compact Serialization + Keypairs.signJwt = function(opts) { + return Keypairs.thumbprint({ jwk: opts.jwk }).then(function(thumb) { + var header = opts.header || {}; + var claims = JSON.parse(JSON.stringify(opts.claims || {})); + header.typ = "JWT"; -// JWT a.k.a. JWS with Claims using Compact Serialization -Keypairs.signJwt = function (opts) { - return Keypairs.thumbprint({ jwk: opts.jwk }).then(function (thumb) { - var header = opts.header || {}; - var claims = JSON.parse(JSON.stringify(opts.claims || {})); - header.typ = 'JWT'; + if (!header.kid) { + header.kid = thumb; + } + if (!header.alg && opts.alg) { + header.alg = opts.alg; + } + if (!claims.iat && (false === claims.iat || false === opts.iat)) { + claims.iat = undefined; + } else if (!claims.iat) { + claims.iat = Math.round(Date.now() / 1000); + } - if (!header.kid) { header.kid = thumb; } - if (!header.alg && opts.alg) { header.alg = opts.alg; } - if (!claims.iat && (false === claims.iat || false === opts.iat)) { - claims.iat = undefined; - } else if (!claims.iat) { - claims.iat = Math.round(Date.now()/1000); - } + if (opts.exp) { + claims.exp = setTime(opts.exp); + } else if (!claims.exp && (false === claims.exp || false === opts.exp)) { + claims.exp = undefined; + } else if (!claims.exp) { + throw new Error( + "opts.claims.exp should be the expiration date as seconds, human form (i.e. '1h' or '15m') or false" + ); + } - if (opts.exp) { - claims.exp = setTime(opts.exp); - } else if (!claims.exp && (false === claims.exp || false === opts.exp)) { - claims.exp = undefined; - } else if (!claims.exp) { - throw new Error("opts.claims.exp should be the expiration date as seconds, human form (i.e. '1h' or '15m') or false"); - } + if (opts.iss) { + claims.iss = opts.iss; + } + if (!claims.iss && (false === claims.iss || false === opts.iss)) { + claims.iss = undefined; + } else if (!claims.iss) { + throw new Error( + "opts.claims.iss should be in the form of https://example.com/, a secure OIDC base url" + ); + } - if (opts.iss) { claims.iss = opts.iss; } - if (!claims.iss && (false === claims.iss || false === opts.iss)) { - claims.iss = undefined; - } else if (!claims.iss) { - throw new Error("opts.claims.iss should be in the form of https://example.com/, a secure OIDC base url"); - } + return Keypairs.signJws({ + jwk: opts.jwk, + pem: opts.pem, + protected: header, + header: undefined, + payload: claims + }).then(function(jws) { + return [jws.protected, jws.payload, jws.signature].join("."); + }); + }); + }; - return Keypairs.signJws({ - jwk: opts.jwk - , pem: opts.pem - , protected: header - , header: undefined - , payload: claims - }).then(function (jws) { - return [ jws.protected, jws.payload, jws.signature ].join('.'); - }); - }); -}; + Keypairs.signJws = function(opts) { + return Keypairs.thumbprint(opts).then(function(thumb) { + function alg() { + if (!opts.jwk) { + throw new Error("opts.jwk must exist and must declare 'typ'"); + } + if (opts.jwk.alg) { + return opts.jwk.alg; + } + var typ = "RSA" === opts.jwk.kty ? "RS" : "ES"; + return typ + Keypairs._getBits(opts); + } -Keypairs.signJws = function (opts) { - return Keypairs.thumbprint(opts).then(function (thumb) { + function sign() { + var protect = opts.protected; + var payload = opts.payload; - function alg() { - if (!opts.jwk) { - throw new Error("opts.jwk must exist and must declare 'typ'"); - } - if (opts.jwk.alg) { return opts.jwk.alg; } - var typ = ('RSA' === opts.jwk.kty) ? "RS" : "ES"; - return typ + Keypairs._getBits(opts); - } + // Compute JWS signature + var protectedHeader = ""; + // Because unprotected headers are allowed, regrettably... + // https://stackoverflow.com/a/46288694 + if (false !== protect) { + if (!protect) { + protect = {}; + } + if (!protect.alg) { + protect.alg = alg(); + } + // There's a particular request where ACME / Let's Encrypt explicitly doesn't use a kid + if (false === protect.kid) { + protect.kid = undefined; + } else if (!protect.kid) { + protect.kid = thumb; + } + protectedHeader = JSON.stringify(protect); + } - function sign() { - var protect = opts.protected; - var payload = opts.payload; + // Trying to detect if it's a plain object (not Buffer, ArrayBuffer, Array, Uint8Array, etc) + if ( + payload && + "string" !== typeof payload && + "undefined" === typeof payload.byteLength && + "undefined" === typeof payload.buffer + ) { + payload = JSON.stringify(payload); + } + // Converting to a buffer, even if it was just converted to a string + if ("string" === typeof payload) { + payload = Enc.binToBuf(payload); + } - // Compute JWS signature - var protectedHeader = ""; - // Because unprotected headers are allowed, regrettably... - // https://stackoverflow.com/a/46288694 - if (false !== protect) { - if (!protect) { protect = {}; } - if (!protect.alg) { protect.alg = alg(); } - // There's a particular request where ACME / Let's Encrypt explicitly doesn't use a kid - if (false === protect.kid) { protect.kid = undefined; } - else if (!protect.kid) { protect.kid = thumb; } - protectedHeader = JSON.stringify(protect); - } + // node specifies RSA-SHAxxx even when it's actually ecdsa (it's all encoded x509 shasums anyway) + var protected64 = Enc.strToUrlBase64(protectedHeader); + var payload64 = Enc.bufToUrlBase64(payload); + var msg = protected64 + "." + payload64; - // Trying to detect if it's a plain object (not Buffer, ArrayBuffer, Array, Uint8Array, etc) - if (payload && ('string' !== typeof payload) - && ('undefined' === typeof payload.byteLength) - && ('undefined' === typeof payload.buffer) - ) { - payload = JSON.stringify(payload); - } - // Converting to a buffer, even if it was just converted to a string - if ('string' === typeof payload) { - payload = Enc.binToBuf(payload); - } + return Keypairs._sign(opts, msg).then(function(buf) { + var signedMsg = { + protected: protected64, + payload: payload64, + signature: Enc.bufToUrlBase64(buf) + }; - // node specifies RSA-SHAxxx even when it's actually ecdsa (it's all encoded x509 shasums anyway) - var protected64 = Enc.strToUrlBase64(protectedHeader); - var payload64 = Enc.bufToUrlBase64(payload); - var msg = protected64 + '.' + payload64; + return signedMsg; + }); + } - return Keypairs._sign(opts, msg).then(function (buf) { - var signedMsg = { - protected: protected64 - , payload: payload64 - , signature: Enc.bufToUrlBase64(buf) - }; + if (opts.jwk) { + return sign(); + } else { + return Keypairs.import({ pem: opts.pem }).then(function(pair) { + opts.jwk = pair.private; + return sign(); + }); + } + }); + }; - return signedMsg; - }); - } + Keypairs._sign = function(opts, payload) { + return Keypairs._import(opts).then(function(privkey) { + if ("string" === typeof payload) { + payload = new TextEncoder().encode(payload); + } + return window.crypto.subtle + .sign( + { + name: Keypairs._getName(opts), + hash: { name: "SHA-" + Keypairs._getBits(opts) } + }, + privkey, + payload + ) + .then(function(signature) { + signature = new Uint8Array(signature); // ArrayBuffer -> u8 + // This will come back into play for CSRs, but not for JOSE + if ("EC" === opts.jwk.kty && /x509|asn1/i.test(opts.format)) { + return Keypairs._ecdsaJoseSigToAsn1Sig(signature); + } else { + // jose/jws/jwt + return signature; + } + }); + }); + }; + Keypairs._getBits = function(opts) { + if (opts.alg) { + return opts.alg.replace(/[a-z\-]/gi, ""); + } + // base64 len to byte len + var len = Math.floor((opts.jwk.n || "").length * 0.75); - if (opts.jwk) { - return sign(); - } else { - return Keypairs.import({ pem: opts.pem }).then(function (pair) { - opts.jwk = pair.private; - return sign(); - }); - } - }); -}; + // TODO this may be a bug + // need to confirm that the padding is no more or less than 1 byte + if (/521/.test(opts.jwk.crv) || len >= 511) { + return "512"; + } else if (/384/.test(opts.jwk.crv) || len >= 383) { + return "384"; + } -Keypairs._sign = function (opts, payload) { - return Keypairs._import(opts).then(function (privkey) { - if ('string' === typeof payload) { - payload = (new TextEncoder()).encode(payload); - } - return window.crypto.subtle.sign( - { name: Keypairs._getName(opts) - , hash: { name: 'SHA-' + Keypairs._getBits(opts) } - } - , privkey - , payload - ).then(function (signature) { - signature = new Uint8Array(signature); // ArrayBuffer -> u8 - // This will come back into play for CSRs, but not for JOSE - if ('EC' === opts.jwk.kty && /x509|asn1/i.test(opts.format)) { - return Keypairs._ecdsaJoseSigToAsn1Sig(signature); - } else { - // jose/jws/jwt - return signature; - } - }); - }); -}; -Keypairs._getBits = function (opts) { - if (opts.alg) { return opts.alg.replace(/[a-z\-]/ig, ''); } - // base64 len to byte len - var len = Math.floor((opts.jwk.n||'').length * 0.75); + return "256"; + }; + Keypairs._getName = function(opts) { + if (/EC/i.test(opts.jwk.kty)) { + return "ECDSA"; + } else { + return "RSASSA-PKCS1-v1_5"; + } + }; + Keypairs._import = function(opts) { + return Promise.resolve().then(function() { + var ops; + // all private keys just happen to have a 'd' + if (opts.jwk.d) { + ops = ["sign"]; + } else { + ops = ["verify"]; + } + // gotta mark it as extractable, as if it matters + opts.jwk.ext = true; + opts.jwk.key_ops = ops; - // TODO this may be a bug - // need to confirm that the padding is no more or less than 1 byte - if (/521/.test(opts.jwk.crv) || len >= 511) { - return '512'; - } else if (/384/.test(opts.jwk.crv) || len >= 383) { - return '384'; - } + return window.crypto.subtle + .importKey( + "jwk", + opts.jwk, + { + name: Keypairs._getName(opts), + namedCurve: opts.jwk.crv, + hash: { name: "SHA-" + Keypairs._getBits(opts) } + }, + true, + ops + ) + .then(function(privkey) { + delete opts.jwk.ext; + return privkey; + }); + }); + }; + // ECDSA JOSE / JWS / JWT signatures differ from "normal" ASN1/X509 ECDSA signatures + // https://tools.ietf.org/html/rfc7518#section-3.4 + Keypairs._ecdsaJoseSigToAsn1Sig = function(bufsig) { + // it's easier to do the manipulation in the browser with an array + bufsig = Array.from(bufsig); + var hlen = bufsig.length / 2; // should be even + var r = bufsig.slice(0, hlen); + var s = bufsig.slice(hlen); + // unpad positive ints less than 32 bytes wide + while (!r[0]) { + r = r.slice(1); + } + while (!s[0]) { + s = s.slice(1); + } + // pad (or re-pad) ambiguously non-negative BigInts, up to 33 bytes wide + if (0x80 & r[0]) { + r.unshift(0); + } + if (0x80 & s[0]) { + s.unshift(0); + } - return '256'; -}; -Keypairs._getName = function (opts) { - if (/EC/i.test(opts.jwk.kty)) { - return 'ECDSA'; - } else { - return 'RSASSA-PKCS1-v1_5'; - } -}; -Keypairs._import = function (opts) { - return Promise.resolve().then(function () { - var ops; - // all private keys just happen to have a 'd' - if (opts.jwk.d) { - ops = [ 'sign' ]; - } else { - ops = [ 'verify' ]; - } - // gotta mark it as extractable, as if it matters - opts.jwk.ext = true; - opts.jwk.key_ops = ops; + var len = 2 + r.length + 2 + s.length; + var head = [0x30]; + // hard code 0x80 + 1 because it won't be longer than + // two SHA512 plus two pad bytes (130 bytes <= 256) + if (len >= 0x80) { + head.push(0x81); + } + head.push(len); - return window.crypto.subtle.importKey( - "jwk" - , opts.jwk - , { name: Keypairs._getName(opts) - , namedCurve: opts.jwk.crv - , hash: { name: 'SHA-' + Keypairs._getBits(opts) } } - , true - , ops - ).then(function (privkey) { - delete opts.jwk.ext; - return privkey; - }); - }); -}; -// ECDSA JOSE / JWS / JWT signatures differ from "normal" ASN1/X509 ECDSA signatures -// https://tools.ietf.org/html/rfc7518#section-3.4 -Keypairs._ecdsaJoseSigToAsn1Sig = function (bufsig) { - // it's easier to do the manipulation in the browser with an array - bufsig = Array.from(bufsig); - var hlen = bufsig.length / 2; // should be even - var r = bufsig.slice(0, hlen); - var s = bufsig.slice(hlen); - // unpad positive ints less than 32 bytes wide - while (!r[0]) { r = r.slice(1); } - while (!s[0]) { s = s.slice(1); } - // pad (or re-pad) ambiguously non-negative BigInts, up to 33 bytes wide - if (0x80 & r[0]) { r.unshift(0); } - if (0x80 & s[0]) { s.unshift(0); } + return Uint8Array.from( + head.concat([0x02, r.length], r, [0x02, s.length], s) + ); + }; - var len = 2 + r.length + 2 + s.length; - var head = [0x30]; - // hard code 0x80 + 1 because it won't be longer than - // two SHA512 plus two pad bytes (130 bytes <= 256) - if (len >= 0x80) { head.push(0x81); } - head.push(len); + function setTime(time) { + if ("number" === typeof time) { + return time; + } - return Uint8Array.from(head.concat([0x02, r.length], r, [0x02, s.length], s)); -}; + var t = time.match(/^(\-?\d+)([dhms])$/i); + if (!t || !t[0]) { + throw new Error( + "'" + + time + + "' should be datetime in seconds or human-readable format (i.e. 3d, 1h, 15m, 30s" + ); + } -function setTime(time) { - if ('number' === typeof time) { return time; } + var now = Math.round(Date.now() / 1000); + var num = parseInt(t[1], 10); + var unit = t[2]; + var mult = 1; + switch (unit) { + // fancy fallthrough, what fun! + case "d": + mult *= 24; + /*falls through*/ + case "h": + mult *= 60; + /*falls through*/ + case "m": + mult *= 60; + /*falls through*/ + case "s": + mult *= 1; + } - var t = time.match(/^(\-?\d+)([dhms])$/i); - if (!t || !t[0]) { - throw new Error("'" + time + "' should be datetime in seconds or human-readable format (i.e. 3d, 1h, 15m, 30s"); - } + return now + mult * num; + } - var now = Math.round(Date.now()/1000); - var num = parseInt(t[1], 10); - var unit = t[2]; - var mult = 1; - switch(unit) { - // fancy fallthrough, what fun! - case 'd': - mult *= 24; - /*falls through*/ - case 'h': - mult *= 60; - /*falls through*/ - case 'm': - mult *= 60; - /*falls through*/ - case 's': - mult *= 1; - } - - return now + (mult * num); -} - -Enc.hexToBuf = function (hex) { - var arr = []; - hex.match(/.{2}/g).forEach(function (h) { - arr.push(parseInt(h, 16)); - }); - return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; -}; -Enc.strToUrlBase64 = function (str) { - return Enc.bufToUrlBase64(Enc.binToBuf(str)); -}; -Enc.binToBuf = function (bin) { - var arr = bin.split('').map(function (ch) { - return ch.charCodeAt(0); - }); - return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; -}; - -}('undefined' !== typeof module ? module.exports : window)); + Enc.hexToBuf = function(hex) { + var arr = []; + hex.match(/.{2}/g).forEach(function(h) { + arr.push(parseInt(h, 16)); + }); + return "undefined" !== typeof Uint8Array ? new Uint8Array(arr) : arr; + }; + Enc.strToUrlBase64 = function(str) { + return Enc.bufToUrlBase64(Enc.binToBuf(str)); + }; + Enc.binToBuf = function(bin) { + var arr = bin.split("").map(function(ch) { + return ch.charCodeAt(0); + }); + return "undefined" !== typeof Uint8Array ? new Uint8Array(arr) : arr; + }; +})("undefined" !== typeof module ? module.exports : window); // Copyright 2018 AJ ONeal. All rights reserved /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -;(function (exports) { -'use strict'; +(function(exports) { + "use strict"; -if (!exports.ASN1) { exports.ASN1 = {}; } -if (!exports.Enc) { exports.Enc = {}; } -if (!exports.PEM) { exports.PEM = {}; } + if (!exports.ASN1) { + exports.ASN1 = {}; + } + if (!exports.Enc) { + exports.Enc = {}; + } + if (!exports.PEM) { + exports.PEM = {}; + } -var ASN1 = exports.ASN1; -var Enc = exports.Enc; -var PEM = exports.PEM; + var ASN1 = exports.ASN1; + var Enc = exports.Enc; + var PEM = exports.PEM; -// -// Parser -// + // + // Parser + // -// Although I've only seen 9 max in https certificates themselves, -// but each domain list could have up to 100 -ASN1.ELOOPN = 102; -ASN1.ELOOP = "uASN1.js Error: iterated over " + ASN1.ELOOPN + "+ elements (probably a malformed file)"; -// I've seen https certificates go 29 deep -ASN1.EDEEPN = 60; -ASN1.EDEEP = "uASN1.js Error: element nested " + ASN1.EDEEPN + "+ layers deep (probably a malformed file)"; -// Container Types are Sequence 0x30, Container Array? (0xA0, 0xA1) -// Value Types are Boolean 0x01, Integer 0x02, Null 0x05, Object ID 0x06, String 0x0C, 0x16, 0x13, 0x1e Value Array? (0x82) -// Bit String (0x03) and Octet String (0x04) may be values or containers -// Sometimes Bit String is used as a container (RSA Pub Spki) -ASN1.CTYPES = [ 0x30, 0x31, 0xa0, 0xa1 ]; -ASN1.VTYPES = [ 0x01, 0x02, 0x05, 0x06, 0x0c, 0x82 ]; -ASN1.parse = function parseAsn1Helper(buf) { - //var ws = ' '; - function parseAsn1(buf, depth, eager) { - if (depth.length >= ASN1.EDEEPN) { throw new Error(ASN1.EDEEP); } + // Although I've only seen 9 max in https certificates themselves, + // but each domain list could have up to 100 + ASN1.ELOOPN = 102; + ASN1.ELOOP = + "uASN1.js Error: iterated over " + + ASN1.ELOOPN + + "+ elements (probably a malformed file)"; + // I've seen https certificates go 29 deep + ASN1.EDEEPN = 60; + ASN1.EDEEP = + "uASN1.js Error: element nested " + + ASN1.EDEEPN + + "+ layers deep (probably a malformed file)"; + // Container Types are Sequence 0x30, Container Array? (0xA0, 0xA1) + // Value Types are Boolean 0x01, Integer 0x02, Null 0x05, Object ID 0x06, String 0x0C, 0x16, 0x13, 0x1e Value Array? (0x82) + // Bit String (0x03) and Octet String (0x04) may be values or containers + // Sometimes Bit String is used as a container (RSA Pub Spki) + ASN1.CTYPES = [0x30, 0x31, 0xa0, 0xa1]; + ASN1.VTYPES = [0x01, 0x02, 0x05, 0x06, 0x0c, 0x82]; + ASN1.parse = function parseAsn1Helper(buf) { + //var ws = ' '; + function parseAsn1(buf, depth, eager) { + if (depth.length >= ASN1.EDEEPN) { + throw new Error(ASN1.EDEEP); + } - var index = 2; // we know, at minimum, data starts after type (0) and lengthSize (1) - var asn1 = { type: buf[0], lengthSize: 0, length: buf[1] }; - var child; - var iters = 0; - var adjust = 0; - var adjustedLen; + var index = 2; // we know, at minimum, data starts after type (0) and lengthSize (1) + var asn1 = { type: buf[0], lengthSize: 0, length: buf[1] }; + var child; + var iters = 0; + var adjust = 0; + var adjustedLen; - // Determine how many bytes the length uses, and what it is - if (0x80 & asn1.length) { - asn1.lengthSize = 0x7f & asn1.length; - // I think that buf->hex->int solves the problem of Endianness... not sure - asn1.length = parseInt(Enc.bufToHex(buf.slice(index, index + asn1.lengthSize)), 16); - index += asn1.lengthSize; - } + // Determine how many bytes the length uses, and what it is + if (0x80 & asn1.length) { + asn1.lengthSize = 0x7f & asn1.length; + // I think that buf->hex->int solves the problem of Endianness... not sure + asn1.length = parseInt( + Enc.bufToHex(buf.slice(index, index + asn1.lengthSize)), + 16 + ); + index += asn1.lengthSize; + } - // High-order bit Integers have a leading 0x00 to signify that they are positive. - // Bit Streams use the first byte to signify padding, which x.509 doesn't use. - if (0x00 === buf[index] && (0x02 === asn1.type || 0x03 === asn1.type)) { - // However, 0x00 on its own is a valid number - if (asn1.length > 1) { - index += 1; - adjust = -1; - } - } - adjustedLen = asn1.length + adjust; + // High-order bit Integers have a leading 0x00 to signify that they are positive. + // Bit Streams use the first byte to signify padding, which x.509 doesn't use. + if (0x00 === buf[index] && (0x02 === asn1.type || 0x03 === asn1.type)) { + // However, 0x00 on its own is a valid number + if (asn1.length > 1) { + index += 1; + adjust = -1; + } + } + adjustedLen = asn1.length + adjust; - //console.warn(depth.join(ws) + '0x' + Enc.numToHex(asn1.type), index, 'len:', asn1.length, asn1); + //console.warn(depth.join(ws) + '0x' + Enc.numToHex(asn1.type), index, 'len:', asn1.length, asn1); - function parseChildren(eager) { - asn1.children = []; - //console.warn('1 len:', (2 + asn1.lengthSize + asn1.length), 'idx:', index, 'clen:', 0); - while (iters < ASN1.ELOOPN && index < (2 + asn1.length + asn1.lengthSize)) { - iters += 1; - depth.length += 1; - child = parseAsn1(buf.slice(index, index + adjustedLen), depth, eager); - depth.length -= 1; - // The numbers don't match up exactly and I don't remember why... - // probably something with adjustedLen or some such, but the tests pass - index += (2 + child.lengthSize + child.length); - //console.warn('2 len:', (2 + asn1.lengthSize + asn1.length), 'idx:', index, 'clen:', (2 + child.lengthSize + child.length)); - if (index > (2 + asn1.lengthSize + asn1.length)) { - if (!eager) { console.error(JSON.stringify(asn1, ASN1._replacer, 2)); } - throw new Error("Parse error: child value length (" + child.length - + ") is greater than remaining parent length (" + (asn1.length - index) - + " = " + asn1.length + " - " + index + ")"); - } - asn1.children.push(child); - //console.warn(depth.join(ws) + '0x' + Enc.numToHex(asn1.type), index, 'len:', asn1.length, asn1); - } - if (index !== (2 + asn1.lengthSize + asn1.length)) { - //console.warn('index:', index, 'length:', (2 + asn1.lengthSize + asn1.length)); - throw new Error("premature end-of-file"); - } - if (iters >= ASN1.ELOOPN) { throw new Error(ASN1.ELOOP); } + function parseChildren(eager) { + asn1.children = []; + //console.warn('1 len:', (2 + asn1.lengthSize + asn1.length), 'idx:', index, 'clen:', 0); + while ( + iters < ASN1.ELOOPN && + index < 2 + asn1.length + asn1.lengthSize + ) { + iters += 1; + depth.length += 1; + child = parseAsn1( + buf.slice(index, index + adjustedLen), + depth, + eager + ); + depth.length -= 1; + // The numbers don't match up exactly and I don't remember why... + // probably something with adjustedLen or some such, but the tests pass + index += 2 + child.lengthSize + child.length; + //console.warn('2 len:', (2 + asn1.lengthSize + asn1.length), 'idx:', index, 'clen:', (2 + child.lengthSize + child.length)); + if (index > 2 + asn1.lengthSize + asn1.length) { + if (!eager) { + console.error(JSON.stringify(asn1, ASN1._replacer, 2)); + } + throw new Error( + "Parse error: child value length (" + + child.length + + ") is greater than remaining parent length (" + + (asn1.length - index) + + " = " + + asn1.length + + " - " + + index + + ")" + ); + } + asn1.children.push(child); + //console.warn(depth.join(ws) + '0x' + Enc.numToHex(asn1.type), index, 'len:', asn1.length, asn1); + } + if (index !== 2 + asn1.lengthSize + asn1.length) { + //console.warn('index:', index, 'length:', (2 + asn1.lengthSize + asn1.length)); + throw new Error("premature end-of-file"); + } + if (iters >= ASN1.ELOOPN) { + throw new Error(ASN1.ELOOP); + } - delete asn1.value; - return asn1; - } + delete asn1.value; + return asn1; + } - // Recurse into types that are _always_ containers - if (-1 !== ASN1.CTYPES.indexOf(asn1.type)) { return parseChildren(eager); } + // Recurse into types that are _always_ containers + if (-1 !== ASN1.CTYPES.indexOf(asn1.type)) { + return parseChildren(eager); + } - // Return types that are _always_ values - asn1.value = buf.slice(index, index + adjustedLen); - if (-1 !== ASN1.VTYPES.indexOf(asn1.type)) { return asn1; } + // Return types that are _always_ values + asn1.value = buf.slice(index, index + adjustedLen); + if (-1 !== ASN1.VTYPES.indexOf(asn1.type)) { + return asn1; + } - // For ambigious / unknown types, recurse and return on failure - // (and return child array size to zero) - try { return parseChildren(true); } - catch(e) { asn1.children.length = 0; return asn1; } - } + // For ambigious / unknown types, recurse and return on failure + // (and return child array size to zero) + try { + return parseChildren(true); + } catch (e) { + asn1.children.length = 0; + return asn1; + } + } - var asn1 = parseAsn1(buf, []); - var len = buf.byteLength || buf.length; - if (len !== 2 + asn1.lengthSize + asn1.length) { - throw new Error("Length of buffer does not match length of ASN.1 sequence."); - } - return asn1; -}; -ASN1._replacer = function (k, v) { - if ('type' === k) { return '0x' + Enc.numToHex(v); } - if (v && 'value' === k) { return '0x' + Enc.bufToHex(v.data || v); } - return v; -}; + var asn1 = parseAsn1(buf, []); + var len = buf.byteLength || buf.length; + if (len !== 2 + asn1.lengthSize + asn1.length) { + throw new Error( + "Length of buffer does not match length of ASN.1 sequence." + ); + } + return asn1; + }; + ASN1._replacer = function(k, v) { + if ("type" === k) { + return "0x" + Enc.numToHex(v); + } + if (v && "value" === k) { + return "0x" + Enc.bufToHex(v.data || v); + } + return v; + }; -// don't replace the full parseBlock, if it exists -PEM.parseBlock = PEM.parseBlock || function (str) { - var der = str.split(/\n/).filter(function (line) { - return !/-----/.test(line); - }).join(''); - return { bytes: Enc.base64ToBuf(der) }; -}; + // don't replace the full parseBlock, if it exists + PEM.parseBlock = + PEM.parseBlock || + function(str) { + var der = str + .split(/\n/) + .filter(function(line) { + return !/-----/.test(line); + }) + .join(""); + return { bytes: Enc.base64ToBuf(der) }; + }; -Enc.base64ToBuf = function (b64) { - return Enc.binToBuf(atob(b64)); -}; -Enc.binToBuf = function (bin) { - var arr = bin.split('').map(function (ch) { - return ch.charCodeAt(0); - }); - return 'undefined' !== typeof Uint8Array ? new Uint8Array(arr) : arr; -}; -Enc.bufToHex = function (u8) { - var hex = []; - var i, h; - var len = (u8.byteLength || u8.length); + Enc.base64ToBuf = function(b64) { + return Enc.binToBuf(atob(b64)); + }; + Enc.binToBuf = function(bin) { + var arr = bin.split("").map(function(ch) { + return ch.charCodeAt(0); + }); + return "undefined" !== typeof Uint8Array ? new Uint8Array(arr) : arr; + }; + Enc.bufToHex = function(u8) { + var hex = []; + var i, h; + var len = u8.byteLength || u8.length; - for (i = 0; i < len; i += 1) { - h = u8[i].toString(16); - if (h.length % 2) { h = '0' + h; } - hex.push(h); - } + for (i = 0; i < len; i += 1) { + h = u8[i].toString(16); + if (h.length % 2) { + h = "0" + h; + } + hex.push(h); + } - return hex.join('').toLowerCase(); -}; -Enc.numToHex = function (d) { - d = d.toString(16); - if (d.length % 2) { - return '0' + d; - } - return d; -}; - -}('undefined' !== typeof window ? window : module.exports)); + return hex.join("").toLowerCase(); + }; + Enc.numToHex = function(d) { + d = d.toString(16); + if (d.length % 2) { + return "0" + d; + } + return d; + }; +})("undefined" !== typeof window ? window : module.exports); // Copyright 2018-present AJ ONeal. All rights reserved /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -(function (exports) { -'use strict'; -/*global Promise*/ +(function(exports) { + "use strict"; + /*global Promise*/ -var ASN1 = exports.ASN1; -var Enc = exports.Enc; -var PEM = exports.PEM; -var X509 = exports.x509; -var Keypairs = exports.Keypairs; + var ASN1 = exports.ASN1; + var Enc = exports.Enc; + var PEM = exports.PEM; + var X509 = exports.x509; + var Keypairs = exports.Keypairs; -// TODO find a way that the prior node-ish way of `module.exports = function () {}` isn't broken -var CSR = exports.CSR = function (opts) { - // We're using a Promise here to be compatible with the browser version - // which will probably use the webcrypto API for some of the conversions - return CSR._prepare(opts).then(function (opts) { - return CSR.create(opts).then(function (bytes) { - return CSR._encode(opts, bytes); - }); - }); -}; + // TODO find a way that the prior node-ish way of `module.exports = function () {}` isn't broken + var CSR = (exports.CSR = function(opts) { + // We're using a Promise here to be compatible with the browser version + // which will probably use the webcrypto API for some of the conversions + return CSR._prepare(opts).then(function(opts) { + return CSR.create(opts).then(function(bytes) { + return CSR._encode(opts, bytes); + }); + }); + }); -CSR._prepare = function (opts) { - return Promise.resolve().then(function () { - var Keypairs; - opts = JSON.parse(JSON.stringify(opts)); + CSR._prepare = function(opts) { + return Promise.resolve().then(function() { + var Keypairs; + opts = JSON.parse(JSON.stringify(opts)); - // We do a bit of extra error checking for user convenience - if (!opts) { throw new Error("You must pass options with key and domains to rsacsr"); } - if (!Array.isArray(opts.domains) || 0 === opts.domains.length) { - new Error("You must pass options.domains as a non-empty array"); - } + // We do a bit of extra error checking for user convenience + if (!opts) { + throw new Error("You must pass options with key and domains to rsacsr"); + } + if (!Array.isArray(opts.domains) || 0 === opts.domains.length) { + new Error("You must pass options.domains as a non-empty array"); + } - // I need to check that 例.中国 is a valid domain name - if (!opts.domains.every(function (d) { - // allow punycode? xn-- - if ('string' === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) { - return true; - } - })) { - throw new Error("You must pass options.domains as strings"); - } + // I need to check that 例.中国 is a valid domain name + if ( + !opts.domains.every(function(d) { + // allow punycode? xn-- + if ("string" === typeof d /*&& /\./.test(d) && !/--/.test(d)*/) { + return true; + } + }) + ) { + throw new Error("You must pass options.domains as strings"); + } - if (opts.jwk) { return opts; } - if (opts.key && opts.key.kty) { - opts.jwk = opts.key; - return opts; - } - if (!opts.pem && !opts.key) { - throw new Error("You must pass options.key as a JSON web key"); - } + if (opts.jwk) { + return opts; + } + if (opts.key && opts.key.kty) { + opts.jwk = opts.key; + return opts; + } + if (!opts.pem && !opts.key) { + throw new Error("You must pass options.key as a JSON web key"); + } - Keypairs = exports.Keypairs; - if (!exports.Keypairs) { - throw new Error("Keypairs.js is an optional dependency for PEM-to-JWK.\n" - + "Install it if you'd like to use it:\n" - + "\tnpm install --save rasha\n" - + "Otherwise supply a jwk as the private key." - ); - } + Keypairs = exports.Keypairs; + if (!exports.Keypairs) { + throw new Error( + "Keypairs.js is an optional dependency for PEM-to-JWK.\n" + + "Install it if you'd like to use it:\n" + + "\tnpm install --save rasha\n" + + "Otherwise supply a jwk as the private key." + ); + } - return Keypairs.import({ pem: opts.pem || opts.key }).then(function (pair) { - opts.jwk = pair.private; - return opts; - }); - }); -}; + return Keypairs.import({ pem: opts.pem || opts.key }).then(function( + pair + ) { + opts.jwk = pair.private; + return opts; + }); + }); + }; -CSR._encode = function (opts, bytes) { - if ('der' === (opts.encoding||'').toLowerCase()) { - return bytes; - } - return PEM.packBlock({ - type: "CERTIFICATE REQUEST" - , bytes: bytes /* { jwk: jwk, domains: opts.domains } */ - }); -}; + CSR._encode = function(opts, bytes) { + if ("der" === (opts.encoding || "").toLowerCase()) { + return bytes; + } + return PEM.packBlock({ + type: "CERTIFICATE REQUEST", + bytes: bytes /* { jwk: jwk, domains: opts.domains } */ + }); + }; -CSR.create = function createCsr(opts) { - var hex = CSR.request(opts.jwk, opts.domains); - return CSR._sign(opts.jwk, hex).then(function (csr) { - return Enc.hexToBuf(csr); - }); -}; + CSR.create = function createCsr(opts) { + var hex = CSR.request(opts.jwk, opts.domains); + return CSR._sign(opts.jwk, hex).then(function(csr) { + return Enc.hexToBuf(csr); + }); + }; -// -// EC / RSA -// -CSR.request = function createCsrBodyEc(jwk, domains) { - var asn1pub; - if (/^EC/i.test(jwk.kty)) { - asn1pub = X509.packCsrEcPublicKey(jwk); - } else { - asn1pub = X509.packCsrRsaPublicKey(jwk); - } - return X509.packCsr(asn1pub, domains); -}; + // + // EC / RSA + // + CSR.request = function createCsrBodyEc(jwk, domains) { + var asn1pub; + if (/^EC/i.test(jwk.kty)) { + asn1pub = X509.packCsrEcPublicKey(jwk); + } else { + asn1pub = X509.packCsrRsaPublicKey(jwk); + } + return X509.packCsr(asn1pub, domains); + }; -CSR._sign = function csrEcSig(jwk, request) { - // Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a - // TODO will have to convert web ECDSA signatures to PEM ECDSA signatures (but RSA should be the same) - // TODO have a consistent non-private way to sign - return Keypairs._sign({ jwk: jwk, format: 'x509' }, Enc.hexToBuf(request)).then(function (sig) { - return CSR._toDer({ request: request, signature: sig, kty: jwk.kty }); - }); -}; + CSR._sign = function csrEcSig(jwk, request) { + // Took some tips from https://gist.github.com/codermapuche/da4f96cdb6d5ff53b7ebc156ec46a10a + // TODO will have to convert web ECDSA signatures to PEM ECDSA signatures (but RSA should be the same) + // TODO have a consistent non-private way to sign + return Keypairs._sign( + { jwk: jwk, format: "x509" }, + Enc.hexToBuf(request) + ).then(function(sig) { + return CSR._toDer({ request: request, signature: sig, kty: jwk.kty }); + }); + }; -CSR._toDer = function encode(opts) { - var sty; - if (/^EC/i.test(opts.kty)) { - // 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256) - sty = ASN1('30', ASN1('06', '2a8648ce3d040302')); - } else { - // 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1) - sty = ASN1('30', ASN1('06', '2a864886f70d01010b'), ASN1('05')); - } - return ASN1('30' - // The Full CSR Request Body - , opts.request - // The Signature Type - , sty - // The Signature - , ASN1.BitStr(Enc.bufToHex(opts.signature)) - ); -}; + CSR._toDer = function encode(opts) { + var sty; + if (/^EC/i.test(opts.kty)) { + // 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256) + sty = ASN1("30", ASN1("06", "2a8648ce3d040302")); + } else { + // 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1) + sty = ASN1("30", ASN1("06", "2a864886f70d01010b"), ASN1("05")); + } + return ASN1( + "30", + // The Full CSR Request Body + opts.request, + // The Signature Type + sty, + // The Signature + ASN1.BitStr(Enc.bufToHex(opts.signature)) + ); + }; -X509.packCsr = function (asn1pubkey, domains) { - return ASN1('30' - // Version (0) - , ASN1.UInt('00') + X509.packCsr = function(asn1pubkey, domains) { + return ASN1( + "30", + // Version (0) + ASN1.UInt("00"), - // 2.5.4.3 commonName (X.520 DN component) - , ASN1('30', ASN1('31', ASN1('30', ASN1('06', '550403'), ASN1('0c', Enc.utf8ToHex(domains[0]))))) + // 2.5.4.3 commonName (X.520 DN component) + ASN1( + "30", + ASN1( + "31", + ASN1( + "30", + ASN1("06", "550403"), + ASN1("0c", Enc.utf8ToHex(domains[0])) + ) + ) + ), - // Public Key (RSA or EC) - , asn1pubkey + // Public Key (RSA or EC) + asn1pubkey, - // Request Body - , ASN1('a0' - , ASN1('30' - // 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF) - , ASN1('06', '2a864886f70d01090e') - , ASN1('31' - , ASN1('30' - , ASN1('30' - // 2.5.29.17 subjectAltName (X.509 extension) - , ASN1('06', '551d11') - , ASN1('04' - , ASN1('30', domains.map(function (d) { - return ASN1('82', Enc.utf8ToHex(d)); - }).join('')))))))) - ); -}; + // Request Body + ASN1( + "a0", + ASN1( + "30", + // 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF) + ASN1("06", "2a864886f70d01090e"), + ASN1( + "31", + ASN1( + "30", + ASN1( + "30", + // 2.5.29.17 subjectAltName (X.509 extension) + ASN1("06", "551d11"), + ASN1( + "04", + ASN1( + "30", + domains + .map(function(d) { + return ASN1("82", Enc.utf8ToHex(d)); + }) + .join("") + ) + ) + ) + ) + ) + ) + ) + ); + }; -// TODO finish this later -// we want to parse the domains, the public key, and verify the signature -CSR._info = function (der) { - // standard base64 PEM - if ('string' === typeof der && '-' === der[0]) { - der = PEM.parseBlock(der).bytes; - } - // jose urlBase64 not-PEM - if ('string' === typeof der) { - der = Enc.base64ToBuf(der); - } - // not supporting binary-encoded bas64 - var c = ASN1.parse(der); - var kty; - // A cert has 3 parts: cert, signature meta, signature - if (c.children.length !== 3) { - throw new Error("doesn't look like a certificate request: expected 3 parts of header"); - } - var sig = c.children[2]; - if (sig.children.length) { - // ASN1/X509 EC - sig = sig.children[0]; - sig = ASN1('30', ASN1.UInt(Enc.bufToHex(sig.children[0].value)), ASN1.UInt(Enc.bufToHex(sig.children[1].value))); - sig = Enc.hexToBuf(sig); - kty = 'EC'; - } else { - // Raw RSA Sig - sig = sig.value; - kty = 'RSA'; - } - //c.children[1]; // signature type - var req = c.children[0]; - // TODO utf8 - if (4 !== req.children.length) { - throw new Error("doesn't look like a certificate request: expected 4 parts to request"); - } - // 0 null - // 1 commonName / subject - var sub = Enc.bufToBin(req.children[1].children[0].children[0].children[1].value); - // 3 public key (type, key) - //console.log('oid', Enc.bufToHex(req.children[2].children[0].children[0].value)); - var pub; - // TODO reuse ASN1 parser for these? - if ('EC' === kty) { - // throw away compression byte - pub = req.children[2].children[1].value.slice(1); - pub = { kty: kty, x: pub.slice(0, 32), y: pub.slice(32) }; - while (0 === pub.x[0]) { pub.x = pub.x.slice(1); } - while (0 === pub.y[0]) { pub.y = pub.y.slice(1); } - if ((pub.x.length || pub.x.byteLength) > 48) { - pub.crv = 'P-521'; - } else if ((pub.x.length || pub.x.byteLength) > 32) { - pub.crv = 'P-384'; - } else { - pub.crv = 'P-256'; - } - pub.x = Enc.bufToUrlBase64(pub.x); - pub.y = Enc.bufToUrlBase64(pub.y); - } else { - pub = req.children[2].children[1].children[0]; - pub = { kty: kty, n: pub.children[0].value, e: pub.children[1].value }; - while (0 === pub.n[0]) { pub.n = pub.n.slice(1); } - while (0 === pub.e[0]) { pub.e = pub.e.slice(1); } - pub.n = Enc.bufToUrlBase64(pub.n); - pub.e = Enc.bufToUrlBase64(pub.e); - } - // 4 extensions - var domains = req.children[3].children.filter(function (seq) { - // 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF) - if ('2a864886f70d01090e' === Enc.bufToHex(seq.children[0].value)) { - return true; - } - }).map(function (seq) { - return seq.children[1].children[0].children.filter(function (seq2) { - // subjectAltName (X.509 extension) - if ('551d11' === Enc.bufToHex(seq2.children[0].value)) { - return true; - } - }).map(function (seq2) { - return seq2.children[1].children[0].children.map(function (name) { - // TODO utf8 - return Enc.bufToBin(name.value); - }); - })[0]; - })[0]; + // TODO finish this later + // we want to parse the domains, the public key, and verify the signature + CSR._info = function(der) { + // standard base64 PEM + if ("string" === typeof der && "-" === der[0]) { + der = PEM.parseBlock(der).bytes; + } + // jose urlBase64 not-PEM + if ("string" === typeof der) { + der = Enc.base64ToBuf(der); + } + // not supporting binary-encoded bas64 + var c = ASN1.parse(der); + var kty; + // A cert has 3 parts: cert, signature meta, signature + if (c.children.length !== 3) { + throw new Error( + "doesn't look like a certificate request: expected 3 parts of header" + ); + } + var sig = c.children[2]; + if (sig.children.length) { + // ASN1/X509 EC + sig = sig.children[0]; + sig = ASN1( + "30", + ASN1.UInt(Enc.bufToHex(sig.children[0].value)), + ASN1.UInt(Enc.bufToHex(sig.children[1].value)) + ); + sig = Enc.hexToBuf(sig); + kty = "EC"; + } else { + // Raw RSA Sig + sig = sig.value; + kty = "RSA"; + } + //c.children[1]; // signature type + var req = c.children[0]; + // TODO utf8 + if (4 !== req.children.length) { + throw new Error( + "doesn't look like a certificate request: expected 4 parts to request" + ); + } + // 0 null + // 1 commonName / subject + var sub = Enc.bufToBin( + req.children[1].children[0].children[0].children[1].value + ); + // 3 public key (type, key) + //console.log('oid', Enc.bufToHex(req.children[2].children[0].children[0].value)); + var pub; + // TODO reuse ASN1 parser for these? + if ("EC" === kty) { + // throw away compression byte + pub = req.children[2].children[1].value.slice(1); + pub = { kty: kty, x: pub.slice(0, 32), y: pub.slice(32) }; + while (0 === pub.x[0]) { + pub.x = pub.x.slice(1); + } + while (0 === pub.y[0]) { + pub.y = pub.y.slice(1); + } + if ((pub.x.length || pub.x.byteLength) > 48) { + pub.crv = "P-521"; + } else if ((pub.x.length || pub.x.byteLength) > 32) { + pub.crv = "P-384"; + } else { + pub.crv = "P-256"; + } + pub.x = Enc.bufToUrlBase64(pub.x); + pub.y = Enc.bufToUrlBase64(pub.y); + } else { + pub = req.children[2].children[1].children[0]; + pub = { kty: kty, n: pub.children[0].value, e: pub.children[1].value }; + while (0 === pub.n[0]) { + pub.n = pub.n.slice(1); + } + while (0 === pub.e[0]) { + pub.e = pub.e.slice(1); + } + pub.n = Enc.bufToUrlBase64(pub.n); + pub.e = Enc.bufToUrlBase64(pub.e); + } + // 4 extensions + var domains = req.children[3].children + .filter(function(seq) { + // 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF) + if ("2a864886f70d01090e" === Enc.bufToHex(seq.children[0].value)) { + return true; + } + }) + .map(function(seq) { + return seq.children[1].children[0].children + .filter(function(seq2) { + // subjectAltName (X.509 extension) + if ("551d11" === Enc.bufToHex(seq2.children[0].value)) { + return true; + } + }) + .map(function(seq2) { + return seq2.children[1].children[0].children.map(function(name) { + // TODO utf8 + return Enc.bufToBin(name.value); + }); + })[0]; + })[0]; - return { - subject: sub - , altnames: domains - , jwk: pub - , signature: sig - }; -}; + return { + subject: sub, + altnames: domains, + jwk: pub, + signature: sig + }; + }; -X509.packCsrRsaPublicKey = function (jwk) { - // Sequence the key - var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); - var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); - var asn1pub = ASN1('30', n, e); + X509.packCsrRsaPublicKey = function(jwk) { + // Sequence the key + var n = ASN1.UInt(Enc.base64ToHex(jwk.n)); + var e = ASN1.UInt(Enc.base64ToHex(jwk.e)); + var asn1pub = ASN1("30", n, e); - // Add the CSR pub key header - return ASN1('30', ASN1('30', ASN1('06', '2a864886f70d010101'), ASN1('05')), ASN1.BitStr(asn1pub)); -}; + // Add the CSR pub key header + return ASN1( + "30", + ASN1("30", ASN1("06", "2a864886f70d010101"), ASN1("05")), + ASN1.BitStr(asn1pub) + ); + }; -X509.packCsrEcPublicKey = function (jwk) { - var ecOid = X509._oids[jwk.crv]; - if (!ecOid) { - throw new Error("Unsupported namedCurve '" + jwk.crv + "'. Supported types are " + Object.keys(X509._oids)); - } - var cmp = '04'; // 04 == x+y, 02 == x-only - var hxy = ''; - // Placeholder. I'm not even sure if compression should be supported. - if (!jwk.y) { cmp = '02'; } - hxy += Enc.base64ToHex(jwk.x); - if (jwk.y) { hxy += Enc.base64ToHex(jwk.y); } + X509.packCsrEcPublicKey = function(jwk) { + var ecOid = X509._oids[jwk.crv]; + if (!ecOid) { + throw new Error( + "Unsupported namedCurve '" + + jwk.crv + + "'. Supported types are " + + Object.keys(X509._oids) + ); + } + var cmp = "04"; // 04 == x+y, 02 == x-only + var hxy = ""; + // Placeholder. I'm not even sure if compression should be supported. + if (!jwk.y) { + cmp = "02"; + } + hxy += Enc.base64ToHex(jwk.x); + if (jwk.y) { + hxy += Enc.base64ToHex(jwk.y); + } - // 1.2.840.10045.2.1 ecPublicKey - return ASN1('30', ASN1('30', ASN1('06', '2a8648ce3d0201'), ASN1('06', ecOid)), ASN1.BitStr(cmp + hxy)); -}; -X509._oids = { - // 1.2.840.10045.3.1.7 prime256v1 - // (ANSI X9.62 named elliptic curve) (06 08 - 2A 86 48 CE 3D 03 01 07) - 'P-256': '2a8648ce3d030107' - // 1.3.132.0.34 P-384 (06 05 - 2B 81 04 00 22) - // (SEC 2 recommended EC domain secp256r1) -, 'P-384': '2b81040022' - // requires more logic and isn't a recommended standard - // 1.3.132.0.35 P-521 (06 05 - 2B 81 04 00 23) - // (SEC 2 alternate P-521) -//, 'P-521': '2B 81 04 00 23' -}; + // 1.2.840.10045.2.1 ecPublicKey + return ASN1( + "30", + ASN1("30", ASN1("06", "2a8648ce3d0201"), ASN1("06", ecOid)), + ASN1.BitStr(cmp + hxy) + ); + }; + X509._oids = { + // 1.2.840.10045.3.1.7 prime256v1 + // (ANSI X9.62 named elliptic curve) (06 08 - 2A 86 48 CE 3D 03 01 07) + "P-256": "2a8648ce3d030107", + // 1.3.132.0.34 P-384 (06 05 - 2B 81 04 00 22) + // (SEC 2 recommended EC domain secp256r1) + "P-384": "2b81040022" + // requires more logic and isn't a recommended standard + // 1.3.132.0.35 P-521 (06 05 - 2B 81 04 00 23) + // (SEC 2 alternate P-521) + //, 'P-521': '2B 81 04 00 23' + }; -// don't replace the full parseBlock, if it exists -PEM.parseBlock = PEM.parseBlock || function (str) { - var der = str.split(/\n/).filter(function (line) { - return !/-----/.test(line); - }).join(''); - return { bytes: Enc.base64ToBuf(der) }; -}; - -}('undefined' === typeof window ? module.exports : window)); + // don't replace the full parseBlock, if it exists + PEM.parseBlock = + PEM.parseBlock || + function(str) { + var der = str + .split(/\n/) + .filter(function(line) { + return !/-----/.test(line); + }) + .join(""); + return { bytes: Enc.base64ToBuf(der) }; + }; +})("undefined" === typeof window ? module.exports : window); // Copyright 2018-present AJ ONeal. All rights reserved /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -(function (exports) { -'use strict'; -/* globals Promise */ +(function(exports) { + "use strict"; + /* globals Promise */ -var ACME = exports.ACME = {}; -//var Keypairs = exports.Keypairs || {}; -//var CSR = exports.CSR; -var Enc = exports.Enc || {}; -var Crypto = exports.Crypto || {}; + var ACME = (exports.ACME = {}); + //var Keypairs = exports.Keypairs || {}; + //var CSR = exports.CSR; + var Enc = exports.Enc || {}; + var Crypto = exports.Crypto || {}; -ACME.formatPemChain = function formatPemChain(str) { - return str.trim().replace(/[\r\n]+/g, '\n').replace(/\-\n\-/g, '-\n\n-') + '\n'; -}; -ACME.splitPemChain = function splitPemChain(str) { - return str.trim().split(/[\r\n]{2,}/g).map(function (str) { - return str + '\n'; - }); -}; + ACME.formatPemChain = function formatPemChain(str) { + return ( + str + .trim() + .replace(/[\r\n]+/g, "\n") + .replace(/\-\n\-/g, "-\n\n-") + "\n" + ); + }; + ACME.splitPemChain = function splitPemChain(str) { + return str + .trim() + .split(/[\r\n]{2,}/g) + .map(function(str) { + return str + "\n"; + }); + }; + // http-01: GET https://example.org/.well-known/acme-challenge/{{token}} => {{keyAuth}} + // dns-01: TXT _acme-challenge.example.org. => "{{urlSafeBase64(sha256(keyAuth))}}" + ACME.challengePrefixes = { + "http-01": "/.well-known/acme-challenge", + "dns-01": "_acme-challenge" + }; + ACME.challengeTests = { + "http-01": function(me, auth) { + return me.http01(auth).then(function(keyAuth) { + var err; -// http-01: GET https://example.org/.well-known/acme-challenge/{{token}} => {{keyAuth}} -// dns-01: TXT _acme-challenge.example.org. => "{{urlSafeBase64(sha256(keyAuth))}}" -ACME.challengePrefixes = { - 'http-01': '/.well-known/acme-challenge' -, 'dns-01': '_acme-challenge' -}; -ACME.challengeTests = { - 'http-01': function (me, auth) { - return me.http01(auth).then(function (keyAuth) { - var err; + // TODO limit the number of bytes that are allowed to be downloaded + if (auth.keyAuthorization === (keyAuth || "").trim()) { + return true; + } - // TODO limit the number of bytes that are allowed to be downloaded - if (auth.keyAuthorization === (keyAuth||'').trim()) { - return true; - } + err = new Error( + "Error: Failed HTTP-01 Pre-Flight / Dry Run.\n" + + "curl '" + + auth.challengeUrl + + "'\n" + + "Expected: '" + + auth.keyAuthorization + + "'\n" + + "Got: '" + + keyAuth + + "'\n" + + "See https://git.coolaj86.com/coolaj86/acme-v2.js/issues/4" + ); + err.code = "E_FAIL_DRY_CHALLENGE"; + return Promise.reject(err); + }); + }, + "dns-01": function(me, auth) { + // remove leading *. on wildcard domains + return me.dns01(auth).then(function(ans) { + var err; - err = new Error( - "Error: Failed HTTP-01 Pre-Flight / Dry Run.\n" - + "curl '" + auth.challengeUrl + "'\n" - + "Expected: '" + auth.keyAuthorization + "'\n" - + "Got: '" + keyAuth + "'\n" - + "See https://git.coolaj86.com/coolaj86/acme-v2.js/issues/4" - ); - err.code = 'E_FAIL_DRY_CHALLENGE'; - return Promise.reject(err); - }); - } -, 'dns-01': function (me, auth) { - // remove leading *. on wildcard domains - return me.dns01(auth).then(function (ans) { - var err; + if ( + ans.answer.some(function(txt) { + return auth.dnsAuthorization === txt.data[0]; + }) + ) { + return true; + } - if (ans.answer.some(function (txt) { - return auth.dnsAuthorization === txt.data[0]; - })) { - return true; - } + err = new Error( + "Error: Failed DNS-01 Pre-Flight Dry Run.\n" + + "dig TXT '" + + auth.dnsHost + + "' does not return '" + + auth.dnsAuthorization + + "'\n" + + "See https://git.coolaj86.com/coolaj86/acme-v2.js/issues/4" + ); + err.code = "E_FAIL_DRY_CHALLENGE"; + return Promise.reject(err); + }); + } + }; - err = new Error( - "Error: Failed DNS-01 Pre-Flight Dry Run.\n" - + "dig TXT '" + auth.dnsHost + "' does not return '" + auth.dnsAuthorization + "'\n" - + "See https://git.coolaj86.com/coolaj86/acme-v2.js/issues/4" - ); - err.code = 'E_FAIL_DRY_CHALLENGE'; - return Promise.reject(err); - }); - } -}; - -ACME._directory = function (me) { - // GET-as-GET ok - return ACME._request(me, { method: 'GET', url: me.directoryUrl }); -}; -ACME._getNonce = function (me) { - // GET-as-GET, HEAD-as-HEAD ok - var nonce; - while (true) { - nonce = me._nonces.shift(); - if (!nonce) { break; } - if (Date.now() - nonce.createdAt > (15 * 60 * 1000)) { - nonce = null; - } else { - break; - } - } - if (nonce) { return Promise.resolve(nonce.nonce); } - // GET-as-GET ok - return ACME._request(me, { method: 'HEAD', url: me._directoryUrls.newNonce }).then(function (resp) { - return resp.headers['replay-nonce']; - }); -}; -ACME._setNonce = function (me, nonce) { - me._nonces.unshift({ nonce: nonce, createdAt: Date.now() }); -}; -// ACME RFC Section 7.3 Account Creation -/* + ACME._directory = function(me) { + // GET-as-GET ok + return ACME._request(me, { method: "GET", url: me.directoryUrl }); + }; + ACME._getNonce = function(me) { + // GET-as-GET, HEAD-as-HEAD ok + var nonce; + while (true) { + nonce = me._nonces.shift(); + if (!nonce) { + break; + } + if (Date.now() - nonce.createdAt > 15 * 60 * 1000) { + nonce = null; + } else { + break; + } + } + if (nonce) { + return Promise.resolve(nonce.nonce); + } + // GET-as-GET ok + return ACME._request(me, { + method: "HEAD", + url: me._directoryUrls.newNonce + }).then(function(resp) { + return resp.headers["replay-nonce"]; + }); + }; + ACME._setNonce = function(me, nonce) { + me._nonces.unshift({ nonce: nonce, createdAt: Date.now() }); + }; + // ACME RFC Section 7.3 Account Creation + /* { "protected": base64url({ "alg": "ES256", @@ -1828,93 +2200,104 @@ ACME._setNonce = function (me, nonce) { "signature": "RZPOnYoPs1PhjszF...-nh6X1qtOFPB519I" } */ -ACME._registerAccount = function (me, options) { - //#console.debug('[acme-v2] accounts.create'); + ACME._registerAccount = function(me, options) { + //#console.debug('[acme-v2] accounts.create'); - function agree(tosUrl) { - var err; - if (me._tos !== tosUrl) { - err = new Error("You must agree to the ToS at '" + me._tos + "'"); - err.code = "E_AGREE_TOS"; - throw err; - } + function agree(tosUrl) { + var err; + if (me._tos !== tosUrl) { + err = new Error("You must agree to the ToS at '" + me._tos + "'"); + err.code = "E_AGREE_TOS"; + throw err; + } - return ACME._importKeypair(me, options.accountKey || options.accountKeypair).then(function (pair) { - var contact; - if (options.contact) { - contact = options.contact.slice(0); - } else if (options.email) { - contact = [ 'mailto:' + options.email ]; - } - var body = { - termsOfServiceAgreed: tosUrl === me._tos - , onlyReturnExisting: false - , contact: contact - }; - var pExt; - if (options.externalAccount) { - pExt = me.Keypairs.signJws({ - // TODO is HMAC the standard, or is this arbitrary? - secret: options.externalAccount.secret - , protected: { - alg: options.externalAccount.alg || "HS256" - , kid: options.externalAccount.id - , url: me._directoryUrls.newAccount - } - , payload: Enc.binToBuf(JSON.stringify(pair.public)) - }).then(function (jws) { - body.externalAccountBinding = jws; - return body; - }); - } else { - pExt = Promise.resolve(body); - } - return pExt.then(function (body) { - var payload = JSON.stringify(body); - return ACME._jwsRequest(me, { - options: options - , url: me._directoryUrls.newAccount - , protected: { kid: false, jwk: pair.public } - , payload: Enc.binToBuf(payload) - }).then(function (resp) { - var account = resp.body; + return ACME._importKeypair( + me, + options.accountKey || options.accountKeypair + ).then(function(pair) { + var contact; + if (options.contact) { + contact = options.contact.slice(0); + } else if (options.email) { + contact = ["mailto:" + options.email]; + } + var body = { + termsOfServiceAgreed: tosUrl === me._tos, + onlyReturnExisting: false, + contact: contact + }; + var pExt; + if (options.externalAccount) { + pExt = me.Keypairs.signJws({ + // TODO is HMAC the standard, or is this arbitrary? + secret: options.externalAccount.secret, + protected: { + alg: options.externalAccount.alg || "HS256", + kid: options.externalAccount.id, + url: me._directoryUrls.newAccount + }, + payload: Enc.binToBuf(JSON.stringify(pair.public)) + }).then(function(jws) { + body.externalAccountBinding = jws; + return body; + }); + } else { + pExt = Promise.resolve(body); + } + return pExt.then(function(body) { + var payload = JSON.stringify(body); + return ACME._jwsRequest(me, { + options: options, + url: me._directoryUrls.newAccount, + protected: { kid: false, jwk: pair.public }, + payload: Enc.binToBuf(payload) + }).then(function(resp) { + var account = resp.body; - if (2 !== Math.floor(resp.statusCode / 100)) { - throw new Error('account error: ' + JSON.stringify(resp.body)); - } + if (2 !== Math.floor(resp.statusCode / 100)) { + throw new Error("account error: " + JSON.stringify(resp.body)); + } - var location = resp.headers.location; - // the account id url - options._kid = location; - //#console.debug('[DEBUG] new account location:'); - //#console.debug(location); - //#console.debug(resp); + var location = resp.headers.location; + // the account id url + options._kid = location; + //#console.debug('[DEBUG] new account location:'); + //#console.debug(location); + //#console.debug(resp); - /* + /* { contact: ["mailto:jon@example.com"], orders: "https://some-url", status: 'valid' } */ - if (!account) { account = { _emptyResponse: true }; } - // https://git.coolaj86.com/coolaj86/acme-v2.js/issues/8 - if (!account.key) { account.key = {}; } - account.key.kid = options._kid; - return account; - }); - }); - }); - } + if (!account) { + account = { _emptyResponse: true }; + } + // https://git.coolaj86.com/coolaj86/acme-v2.js/issues/8 + if (!account.key) { + account.key = {}; + } + account.key.kid = options._kid; + return account; + }); + }); + }); + } - return Promise.resolve().then(function () { - if (true === options.agreeToTerms) { - options.agreeToTerms = function (tos) { return tos; }; - } - return options.agreeToTerms(me._tos); - }).then(agree); -}; -/* + return Promise.resolve() + .then(function() { + if (true === options.agreeToTerms) { + options.agreeToTerms = function(tos) { + return tos; + }; + } + return options.agreeToTerms(me._tos); + }) + .then(agree); + }; + /* POST /acme/new-order HTTP/1.1 Host: example.com Content-Type: application/jose+json @@ -1934,200 +2317,229 @@ ACME._registerAccount = function (me, options) { "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g" } */ -ACME._getChallenges = function (me, options, authUrl) { - //#console.debug('\n[DEBUG] getChallenges\n'); - return ACME._jwsRequest(me, { - options: options - , protected: { kid: options._kid } - , payload: '' - , url: authUrl - }).then(function (resp) { - // Pre-emptive rather than lazy for interfaces that need to show the challenges to the user first - return ACME._computeAuths(me, options, resp.body, false).then(function (auths) { - resp.body._rawChallenges = resp.body.challenges; - resp.body.challenges = auths; - return resp.body; - }); - }); -}; -ACME._wait = function wait(ms) { - return new Promise(function (resolve) { - setTimeout(resolve, (ms || 1100)); - }); -}; + ACME._getChallenges = function(me, options, authUrl) { + //#console.debug('\n[DEBUG] getChallenges\n'); + return ACME._jwsRequest(me, { + options: options, + protected: { kid: options._kid }, + payload: "", + url: authUrl + }).then(function(resp) { + // Pre-emptive rather than lazy for interfaces that need to show the challenges to the user first + return ACME._computeAuths(me, options, resp.body, false).then(function( + auths + ) { + resp.body._rawChallenges = resp.body.challenges; + resp.body.challenges = auths; + return resp.body; + }); + }); + }; + ACME._wait = function wait(ms) { + return new Promise(function(resolve) { + setTimeout(resolve, ms || 1100); + }); + }; -ACME._testChallengeOptions = function () { - var chToken = ACME._prnd(16); - return [ - { - "type": "http-01", - "status": "pending", - "url": "https://acme-staging-v02.example.com/0", - "token": "test-" + chToken + "-0" - } - , { - "type": "dns-01", - "status": "pending", - "url": "https://acme-staging-v02.example.com/1", - "token": "test-" + chToken + "-1", - "_wildcard": true - } - , { - "type": "tls-alpn-01", - "status": "pending", - "url": "https://acme-staging-v02.example.com/3", - "token": "test-" + chToken + "-3" - } - ]; -}; -ACME._testChallenges = function (me, reals) { - //#console.log('[DEBUG] testChallenges'); - if (me.skipDryRun || me.skipChallengeTest) { - return Promise.resolve(); - } + ACME._testChallengeOptions = function() { + var chToken = ACME._prnd(16); + return [ + { + type: "http-01", + status: "pending", + url: "https://acme-staging-v02.example.com/0", + token: "test-" + chToken + "-0" + }, + { + type: "dns-01", + status: "pending", + url: "https://acme-staging-v02.example.com/1", + token: "test-" + chToken + "-1", + _wildcard: true + }, + { + type: "tls-alpn-01", + status: "pending", + url: "https://acme-staging-v02.example.com/3", + token: "test-" + chToken + "-3" + } + ]; + }; + ACME._testChallenges = function(me, reals) { + //#console.log('[DEBUG] testChallenges'); + if (me.skipDryRun || me.skipChallengeTest) { + return Promise.resolve(); + } - var nopts = {}; - Object.keys(reals).forEach(function (key) { - nopts[key] = reals[key]; - }); - nopts.order = {}; + var nopts = {}; + Object.keys(reals).forEach(function(key) { + nopts[key] = reals[key]; + }); + nopts.order = {}; - return Promise.all(nopts.domains.map(function (name) { - var challenges = ACME._testChallengeOptions(); - var wild = '*.' === name.slice(0, 2); - if (wild) { - challenges = challenges.filter(function (ch) { return ch._wildcard; }); - } - var resp = { - body: { - identifier: { type: 'dns' , value: name.replace('*.', '') } - , challenges: challenges - , expires: new Date(Date.now() + (60 * 1000)).toISOString() - , wildcard: name.includes('*.') || undefined - } - }; - // The dry-run comes first in the spirit of "fail fast" - // (and protecting against challenge failure rate limits) - var dryrun = true; - return ACME._computeAuths(me, nopts, resp.body, dryrun).then(function (auths) { - resp.body.challenges = auths; - }); - })).then(function (claims) { - nopts.order.claims = claims; - nopts.setChallengeWait = 0; + return Promise.all( + nopts.domains.map(function(name) { + var challenges = ACME._testChallengeOptions(); + var wild = "*." === name.slice(0, 2); + if (wild) { + challenges = challenges.filter(function(ch) { + return ch._wildcard; + }); + } + var resp = { + body: { + identifier: { type: "dns", value: name.replace("*.", "") }, + challenges: challenges, + expires: new Date(Date.now() + 60 * 1000).toISOString(), + wildcard: name.includes("*.") || undefined + } + }; + // The dry-run comes first in the spirit of "fail fast" + // (and protecting against challenge failure rate limits) + var dryrun = true; + return ACME._computeAuths(me, nopts, resp.body, dryrun).then(function( + auths + ) { + resp.body.challenges = auths; + }); + }) + ).then(function(claims) { + nopts.order.claims = claims; + nopts.setChallengeWait = 0; - return ACME._setChallengesAll(me, nopts).then(function (valids) { - return Promise.all(valids.map(function (auth) { - ACME._removeChallenge(me, nopts, auth); - })); - }); - }); -}; -ACME._chooseType = function(options, auths) { - // For each of the challenge types that we support - var auth; - var challengeTypes = Object.keys(options.challenges || ACME._challengesMap); - // ordered from most to least preferred - challengeTypes = (options.challengePriority||[ 'tls-alpn-01', 'http-01', 'dns-01' ]).filter(function (chType) { - return challengeTypes.includes(chType); - }); + return ACME._setChallengesAll(me, nopts).then(function(valids) { + return Promise.all( + valids.map(function(auth) { + ACME._removeChallenge(me, nopts, auth); + }) + ); + }); + }); + }; + ACME._chooseType = function(options, auths) { + // For each of the challenge types that we support + var auth; + var challengeTypes = Object.keys(options.challenges || ACME._challengesMap); + // ordered from most to least preferred + challengeTypes = ( + options.challengePriority || ["tls-alpn-01", "http-01", "dns-01"] + ).filter(function(chType) { + return challengeTypes.includes(chType); + }); - challengeTypes.some(function (chType) { - // And for each of the challenge types that are allowed - return auths.some(function (ch) { - // Check to see if there are any matches - if (ch.type === chType) { - auth = ch; - return true; - } - }); - }); + challengeTypes.some(function(chType) { + // And for each of the challenge types that are allowed + return auths.some(function(ch) { + // Check to see if there are any matches + if (ch.type === chType) { + auth = ch; + return true; + } + }); + }); - return auth; -}; -ACME._challengesMap = {'http-01':0,'dns-01':0,'tls-alpn-01':0}; -ACME._computeAuths = function (me, options, request, dryrun) { - //#console.log('[DEBUG] computeAuths'); - // we don't poison the dns cache with our dummy request - var dnsPrefix = ACME.challengePrefixes['dns-01']; - if (dryrun) { - dnsPrefix = dnsPrefix.replace('acme-challenge', 'greenlock-dryrun-' + ACME._prnd(4)); - } - var challengeTypes = Object.keys(options.challenges || ACME._challengesMap); + return auth; + }; + ACME._challengesMap = { "http-01": 0, "dns-01": 0, "tls-alpn-01": 0 }; + ACME._computeAuths = function(me, options, request, dryrun) { + //#console.log('[DEBUG] computeAuths'); + // we don't poison the dns cache with our dummy request + var dnsPrefix = ACME.challengePrefixes["dns-01"]; + if (dryrun) { + dnsPrefix = dnsPrefix.replace( + "acme-challenge", + "greenlock-dryrun-" + ACME._prnd(4) + ); + } + var challengeTypes = Object.keys(options.challenges || ACME._challengesMap); - return ACME._importKeypair(me, options.accountKey || options.accountKeypair).then(function (pair) { - return me.Keypairs.thumbprint({ jwk: pair.public }).then(function (thumb) { - return Promise.all(request.challenges.map(function (challenge) { - // Don't do extra work for challenges that we can't satisfy - if (!challengeTypes.includes(challenge.type)) { - return null; - } + return ACME._importKeypair( + me, + options.accountKey || options.accountKeypair + ).then(function(pair) { + return me.Keypairs.thumbprint({ jwk: pair.public }).then(function(thumb) { + return Promise.all( + request.challenges.map(function(challenge) { + // Don't do extra work for challenges that we can't satisfy + if (!challengeTypes.includes(challenge.type)) { + return null; + } - var auth = {}; + var auth = {}; - // straight copy from the new order response - // { identifier, status, expires, challenges, wildcard } - Object.keys(request).forEach(function (key) { - auth[key] = request[key]; - }); + // straight copy from the new order response + // { identifier, status, expires, challenges, wildcard } + Object.keys(request).forEach(function(key) { + auth[key] = request[key]; + }); - // copy from the challenge we've chosen - // { type, status, url, token } - // (note the duplicate status overwrites the one above, but they should be the same) - Object.keys(challenge).forEach(function (key) { - // don't confused devs with the id url - auth[key] = challenge[key]; - }); + // copy from the challenge we've chosen + // { type, status, url, token } + // (note the duplicate status overwrites the one above, but they should be the same) + Object.keys(challenge).forEach(function(key) { + // don't confused devs with the id url + auth[key] = challenge[key]; + }); - // batteries-included helpers - auth.hostname = auth.identifier.value; - // because I'm not 100% clear if the wildcard identifier does or doesn't have the leading *. in all cases - auth.altname = ACME._untame(auth.identifier.value, auth.wildcard); + // batteries-included helpers + auth.hostname = auth.identifier.value; + // because I'm not 100% clear if the wildcard identifier does or doesn't have the leading *. in all cases + auth.altname = ACME._untame(auth.identifier.value, auth.wildcard); - auth.thumbprint = thumb; - // keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) - auth.keyAuthorization = challenge.token + '.' + auth.thumbprint; + auth.thumbprint = thumb; + // keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey)) + auth.keyAuthorization = challenge.token + "." + auth.thumbprint; - if ('http-01' === auth.type) { - // conflicts with ACME challenge id url is already in use, so we call this challengeUrl instead - // TODO auth.http01Url ? - auth.challengeUrl = 'http://' + auth.identifier.value + ACME.challengePrefixes['http-01'] + '/' + auth.token; - return auth; - } + if ("http-01" === auth.type) { + // conflicts with ACME challenge id url is already in use, so we call this challengeUrl instead + // TODO auth.http01Url ? + auth.challengeUrl = + "http://" + + auth.identifier.value + + ACME.challengePrefixes["http-01"] + + "/" + + auth.token; + return auth; + } - if ('dns-01' !== auth.type) { - return auth; - } + if ("dns-01" !== auth.type) { + return auth; + } - return Crypto._sha('sha256', auth.keyAuthorization).then(function (hash) { - auth.dnsHost = dnsPrefix + '.' + auth.hostname.replace('*.', ''); - auth.dnsAuthorization = hash; - auth.keyAuthorizationDigest = hash; - return auth; - }); - })).then(function (auths) { - return auths.filter(Boolean); - }); - }); - }); -}; + return Crypto._sha("sha256", auth.keyAuthorization).then(function( + hash + ) { + auth.dnsHost = dnsPrefix + "." + auth.hostname.replace("*.", ""); + auth.dnsAuthorization = hash; + auth.keyAuthorizationDigest = hash; + return auth; + }); + }) + ).then(function(auths) { + return auths.filter(Boolean); + }); + }); + }); + }; -ACME._untame = function (name, wild) { - if (wild) { name = '*.' + name.replace('*.', ''); } - return name; -}; + ACME._untame = function(name, wild) { + if (wild) { + name = "*." + name.replace("*.", ""); + } + return name; + }; -// https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-7.5.1 -ACME._postChallenge = function (me, options, auth) { - var RETRY_INTERVAL = me.retryInterval || 5000; - var DEAUTH_INTERVAL = me.deauthWait || 10 * 1000; - var MAX_POLL = me.retryPoll || 8; - var MAX_PEND = me.retryPending || 4; - var count = 0; + // https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-7.5.1 + ACME._postChallenge = function(me, options, auth) { + var RETRY_INTERVAL = me.retryInterval || 5000; + var DEAUTH_INTERVAL = me.deauthWait || 10 * 1000; + var MAX_POLL = me.retryPoll || 8; + var MAX_PEND = me.retryPending || 4; + var count = 0; - var altname = ACME._untame(auth.identifier.value, auth.wildcard); + var altname = ACME._untame(auth.identifier.value, auth.wildcard); - /* + /* POST /acme/authz/1234 HTTP/1.1 Host: example.com Content-Type: application/jose+json @@ -2145,753 +2557,932 @@ ACME._postChallenge = function (me, options, auth) { "signature": "srX9Ji7Le9bjszhu...WTFdtujObzMtZcx4" } */ - function deactivate() { - //#console.debug('[acme-v2.js] deactivate:'); - return ACME._jwsRequest(me, { - options: options - , url: auth.url - , protected: { kid: options._kid } - , payload: Enc.binToBuf(JSON.stringify({ "status": "deactivated" })) - }).then(function (/*#resp*/) { - //#console.debug('deactivate challenge: resp.body:'); - //#console.debug(resp.body); - return ACME._wait(DEAUTH_INTERVAL); - }); - } + function deactivate() { + //#console.debug('[acme-v2.js] deactivate:'); + return ACME._jwsRequest(me, { + options: options, + url: auth.url, + protected: { kid: options._kid }, + payload: Enc.binToBuf(JSON.stringify({ status: "deactivated" })) + }).then(function(/*#resp*/) { + //#console.debug('deactivate challenge: resp.body:'); + //#console.debug(resp.body); + return ACME._wait(DEAUTH_INTERVAL); + }); + } - function pollStatus() { - if (count >= MAX_POLL) { - var err = new Error( - "[acme-v2] stuck in bad pending/processing state for '" + altname + "'" - ); - err.detail = "Too many attempts to validate challenge."; - return Promise.reject(); - } + function pollStatus() { + if (count >= MAX_POLL) { + var err = new Error( + "[acme-v2] stuck in bad pending/processing state for '" + + altname + + "'" + ); + err.detail = "Too many attempts to validate challenge."; + return Promise.reject(); + } - count += 1; + count += 1; - //#console.debug('\n[DEBUG] statusChallenge\n'); - // POST-as-GET - return ACME._jwsRequest(me, { - options: options - , url: auth.url - , protected: { kid: options._kid } - , payload: Enc.binToBuf('') - }).then(checkResult).catch(transformError); - } + //#console.debug('\n[DEBUG] statusChallenge\n'); + // POST-as-GET + return ACME._jwsRequest(me, { + options: options, + url: auth.url, + protected: { kid: options._kid }, + payload: Enc.binToBuf("") + }) + .then(checkResult) + .catch(transformError); + } - function checkResult(resp) { - if (options.onChallengeStatus) { - try { - options.onChallengeStatus({ - altname: altname, type: auth.type, status: resp.body.status, wildcard: auth.wildcard - }); - } catch(e) { - console.warn('options.onChallengeStatus Error:'); - console.warn(e); - } - } + function checkResult(resp) { + if (options.onChallengeStatus) { + try { + options.onChallengeStatus({ + altname: altname, + type: auth.type, + status: resp.body.status, + wildcard: auth.wildcard + }); + } catch (e) { + console.warn("options.onChallengeStatus Error:"); + console.warn(e); + } + } - if ('processing' === resp.body.status) { - //#console.debug('poll: again'); - return ACME._wait(RETRY_INTERVAL).then(pollStatus); - } + if ("processing" === resp.body.status) { + //#console.debug('poll: again'); + return ACME._wait(RETRY_INTERVAL).then(pollStatus); + } - // This state should never occur - if ('pending' === resp.body.status) { - if (count >= MAX_PEND) { - return ACME._wait(RETRY_INTERVAL).then(deactivate).then(respondToChallenge); - } - //#console.debug('poll: again'); - return ACME._wait(RETRY_INTERVAL).then(pollStatus); - } + // This state should never occur + if ("pending" === resp.body.status) { + if (count >= MAX_PEND) { + return ACME._wait(RETRY_INTERVAL) + .then(deactivate) + .then(respondToChallenge); + } + //#console.debug('poll: again'); + return ACME._wait(RETRY_INTERVAL).then(pollStatus); + } - if ('valid' === resp.body.status) { - //#console.debug('poll: valid'); + if ("valid" === resp.body.status) { + //#console.debug('poll: valid'); - try { - ACME._removeChallenge(me, options, auth); - } catch(e) {} - return resp.body; - } + try { + ACME._removeChallenge(me, options, auth); + } catch (e) {} + return resp.body; + } - var code = 'E_ACME_UNKNOWN'; - var err = new Error("[acme-v2] " + auth.altname + " (" + code + "): " + JSON.stringify(resp.body, null, 2)); - err.code = code; + var code = "E_ACME_UNKNOWN"; + var err = new Error( + "[acme-v2] " + + auth.altname + + " (" + + code + + "): " + + JSON.stringify(resp.body, null, 2) + ); + err.code = code; - return Promise.reject(err); - } + return Promise.reject(err); + } - function transformError(e) { - var err = e; - if (err.urn) { - err = new Error("[acme-v2] " + auth.altname + " status:" + e.status + " " + e.detail); - err.auth = auth; - err.altname = auth.altname; - err.type = auth.type; - err.code = ('invalid' === e.status) ? 'E_ACME_CHALLENGE' : 'E_ACME_UNKNOWN'; - } + function transformError(e) { + var err = e; + if (err.urn) { + err = new Error( + "[acme-v2] " + auth.altname + " status:" + e.status + " " + e.detail + ); + err.auth = auth; + err.altname = auth.altname; + err.type = auth.type; + err.code = + "invalid" === e.status ? "E_ACME_CHALLENGE" : "E_ACME_UNKNOWN"; + } - throw err; - } + throw err; + } - function respondToChallenge() { - //#console.debug('[acme-v2.js] responding to accept challenge:'); - // POST-as-POST (empty JSON object) - return ACME._jwsRequest(me, { - options: options - , url: auth.url - , protected: { kid: options._kid } - , payload: Enc.binToBuf(JSON.stringify({})) - }).then(checkResult).catch(transformError); - } + function respondToChallenge() { + //#console.debug('[acme-v2.js] responding to accept challenge:'); + // POST-as-POST (empty JSON object) + return ACME._jwsRequest(me, { + options: options, + url: auth.url, + protected: { kid: options._kid }, + payload: Enc.binToBuf(JSON.stringify({})) + }) + .then(checkResult) + .catch(transformError); + } - return respondToChallenge(); -}; + return respondToChallenge(); + }; -// options = { domains, claims, challenges, challengePriority } -ACME._setChallengesAll = function (me, options) { - //#console.log("[DEBUG] setChallengesAll"); - var claims = options.order.claims.slice(0); - var valids = []; - var auths = []; - // TODO: Do we still need this delay? Or shall we leave it to plugins to account for themselves? - var DELAY = options.setChallengeWait || me.setChallengeWait || 500; + // options = { domains, claims, challenges, challengePriority } + ACME._setChallengesAll = function(me, options) { + //#console.log("[DEBUG] setChallengesAll"); + var claims = options.order.claims.slice(0); + var valids = []; + var auths = []; + // TODO: Do we still need this delay? Or shall we leave it to plugins to account for themselves? + var DELAY = options.setChallengeWait || me.setChallengeWait || 500; - // Set any challenges, excpting ones that have already been validated - function setNext() { - var claim = claims.shift(); - if (!claim) { return Promise.resolve(); } + // Set any challenges, excpting ones that have already been validated + function setNext() { + var claim = claims.shift(); + if (!claim) { + return Promise.resolve(); + } - return Promise.resolve().then(function () { - // For any challenges that are already valid, - // add to the list and skip any checks. - if (claim.challenges.some(function (ch) { - if ('valid' === ch.status) { - valids.push(ch); - return true; - } - })) { - return; - } + return Promise.resolve() + .then(function() { + // For any challenges that are already valid, + // add to the list and skip any checks. + if ( + claim.challenges.some(function(ch) { + if ("valid" === ch.status) { + valids.push(ch); + return true; + } + }) + ) { + return; + } - // Get the list of challenge types we can validate. - // Then order that list by preference - // Select the first matching offered challenge type - var usable = Object.keys(options.challenges || ACME._challengesMap); - var selected = (options.challengePriority||[ 'tls-alpn-01', 'http-01', 'dns-01' ]).map(function (chType) { - if (!usable.includes(chType)) { return; } - return claim.challenges.filter(function (ch) { - return ch.type === chType; - })[0]; - }).filter(Boolean)[0]; - var ch; + // Get the list of challenge types we can validate. + // Then order that list by preference + // Select the first matching offered challenge type + var usable = Object.keys(options.challenges || ACME._challengesMap); + var selected = ( + options.challengePriority || ["tls-alpn-01", "http-01", "dns-01"] + ) + .map(function(chType) { + if (!usable.includes(chType)) { + return; + } + return claim.challenges.filter(function(ch) { + return ch.type === chType; + })[0]; + }) + .filter(Boolean)[0]; + var ch; - // Bail with a descriptive message if no usable challenge could be selected - if (!selected) { - var enabled = usable.join(', ') || 'none'; - var suitable = claim.challenges.map(function (r) { return r.type; }).join(', ') || 'none'; - throw new Error( - "None of the challenge types that you've enabled ( " + enabled + " )" - + " are suitable for validating the domain you've selected (" + claim.altname + ")." - + " You must enable one of ( " + suitable + " )." - ); - } - auths.push(selected); + // Bail with a descriptive message if no usable challenge could be selected + if (!selected) { + var enabled = usable.join(", ") || "none"; + var suitable = + claim.challenges + .map(function(r) { + return r.type; + }) + .join(", ") || "none"; + throw new Error( + "None of the challenge types that you've enabled ( " + + enabled + + " )" + + " are suitable for validating the domain you've selected (" + + claim.altname + + ")." + + " You must enable one of ( " + + suitable + + " )." + ); + } + auths.push(selected); - // Give the nameservers a moment to propagate - if ('dns-01' === selected.type) { - DELAY = 1.5 * 1000; - } + // Give the nameservers a moment to propagate + if ("dns-01" === selected.type) { + DELAY = 1.5 * 1000; + } - if (false === options.challenges) { return; } - ch = options.challenges[selected.type] || {}; - if (!ch.set) { - throw new Error("no handler for setting challenge"); - } - return ch.set(selected); - }).then(setNext); - } + if (false === options.challenges) { + return; + } + ch = options.challenges[selected.type] || {}; + if (!ch.set) { + throw new Error("no handler for setting challenge"); + } + return ch.set(selected); + }) + .then(setNext); + } - function checkNext() { - var auth = auths.shift(); - if (!auth) { return Promise.resolve(valids); } + function checkNext() { + var auth = auths.shift(); + if (!auth) { + return Promise.resolve(valids); + } - // These are not as much "valids" as they are "not invalids" - if (!me._canUse[auth.type] || me.skipChallengeTest) { - valids.push(auth); - return checkNext(); - } + // These are not as much "valids" as they are "not invalids" + if (!me._canUse[auth.type] || me.skipChallengeTest) { + valids.push(auth); + return checkNext(); + } - return ACME.challengeTests[auth.type](me, auth).then(function () { - valids.push(auth); - }).then(checkNext); - } + return ACME.challengeTests[auth.type](me, auth) + .then(function() { + valids.push(auth); + }) + .then(checkNext); + } - // The reason we set every challenge in a batch first before checking any - // is so that we don't poison our own DNS cache with misses. - return setNext().then(function () { - //#console.debug('\n[DEBUG] waitChallengeDelay %s\n', DELAY); - return ACME._wait(DELAY); - }).then(checkNext); -}; -ACME._finalizeOrder = function (me, options) { - return ACME._getAccountKid(me, options).then(function () { - if (!options.challenges && !options.challengePriority) { - throw new Error("You must set either challenges or challengePrority"); - } - return ACME._setChallengesAll(me, options).then(function (valids) { - // options._kid added - //#console.debug('finalizeOrder:'); - var order = options.order; - var validatedDomains = options.order.identifiers.map(function (ident) { - return ident.value; - }); + // The reason we set every challenge in a batch first before checking any + // is so that we don't poison our own DNS cache with misses. + return setNext() + .then(function() { + //#console.debug('\n[DEBUG] waitChallengeDelay %s\n', DELAY); + return ACME._wait(DELAY); + }) + .then(checkNext); + }; + ACME._finalizeOrder = function(me, options) { + return ACME._getAccountKid(me, options).then(function() { + if (!options.challenges && !options.challengePriority) { + throw new Error("You must set either challenges or challengePrority"); + } + return ACME._setChallengesAll(me, options).then(function(valids) { + // options._kid added + //#console.debug('finalizeOrder:'); + var order = options.order; + var validatedDomains = options.order.identifiers.map(function(ident) { + return ident.value; + }); - // Actually sets the challenge via ACME - function challengeNext() { - var auth = valids.shift(); - if (!auth) { return Promise.resolve(); } - return ACME._postChallenge(me, options, auth).then(challengeNext); - } - return challengeNext().then(function () { - //#console.debug("[getCertificate] next.then"); - //#console.log('DEBUG order:'); - //#console.log(options.order); - return options.order.identifiers.map(function (ident) { - return ident.value; - }); - }).then(function () { - return ACME._getCsrWeb64(me, options, validatedDomains).then(function (csr) { - var body = { csr: csr }; - var payload = JSON.stringify(body); + // Actually sets the challenge via ACME + function challengeNext() { + var auth = valids.shift(); + if (!auth) { + return Promise.resolve(); + } + return ACME._postChallenge(me, options, auth).then(challengeNext); + } + return challengeNext() + .then(function() { + //#console.debug("[getCertificate] next.then"); + //#console.log('DEBUG order:'); + //#console.log(options.order); + return options.order.identifiers.map(function(ident) { + return ident.value; + }); + }) + .then(function() { + return ACME._getCsrWeb64(me, options, validatedDomains) + .then(function(csr) { + var body = { csr: csr }; + var payload = JSON.stringify(body); - function pollCert() { - //#console.debug('[acme-v2.js] pollCert:'); - return ACME._jwsRequest(me, { - options: options - , url: options.order.finalizeUrl - , protected: { kid: options._kid } - , payload: Enc.binToBuf(payload) - }).then(function (resp) { - //#console.debug('order finalized: resp.body:'); - //#console.debug(resp.body); + function pollCert() { + //#console.debug('[acme-v2.js] pollCert:'); + return ACME._jwsRequest(me, { + options: options, + url: options.order.finalizeUrl, + protected: { kid: options._kid }, + payload: Enc.binToBuf(payload) + }).then(function(resp) { + //#console.debug('order finalized: resp.body:'); + //#console.debug(resp.body); - // https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.1.3 - // Possible values are: "pending" => ("invalid" || "ready") => "processing" => "valid" - if ('valid' === resp.body.status) { - options._expires = resp.body.expires; - options._certificate = resp.body.certificate; + // https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.1.3 + // Possible values are: "pending" => ("invalid" || "ready") => "processing" => "valid" + if ("valid" === resp.body.status) { + options._expires = resp.body.expires; + options._certificate = resp.body.certificate; - return resp.body; // return order - } + return resp.body; // return order + } - if ('processing' === resp.body.status) { - return ACME._wait().then(pollCert); - } + if ("processing" === resp.body.status) { + return ACME._wait().then(pollCert); + } - //#console.debug("Error: bad status:\n" + JSON.stringify(resp.body, null, 2)); + //#console.debug("Error: bad status:\n" + JSON.stringify(resp.body, null, 2)); - if ('pending' === resp.body.status) { - return Promise.reject(new Error( - "Did not finalize order: status 'pending'." - + " Best guess: You have not accepted at least one challenge for each domain:\n" - + "Requested: '" + options.domains.join(', ') + "'\n" - + "Validated: '" + validatedDomains.join(', ') + "'\n" - + JSON.stringify(resp.body, null, 2) - )); - } + if ("pending" === resp.body.status) { + return Promise.reject( + new Error( + "Did not finalize order: status 'pending'." + + " Best guess: You have not accepted at least one challenge for each domain:\n" + + "Requested: '" + + options.domains.join(", ") + + "'\n" + + "Validated: '" + + validatedDomains.join(", ") + + "'\n" + + JSON.stringify(resp.body, null, 2) + ) + ); + } - if ('invalid' === resp.body.status) { - return Promise.reject(new Error( - "Did not finalize order: status 'invalid'." - + " Best guess: One or more of the domain challenges could not be verified" - + " (or the order was canceled).\n" - + "Requested: '" + options.domains.join(', ') + "'\n" - + "Validated: '" + validatedDomains.join(', ') + "'\n" - + JSON.stringify(resp.body, null, 2) - )); - } + if ("invalid" === resp.body.status) { + return Promise.reject( + new Error( + "Did not finalize order: status 'invalid'." + + " Best guess: One or more of the domain challenges could not be verified" + + " (or the order was canceled).\n" + + "Requested: '" + + options.domains.join(", ") + + "'\n" + + "Validated: '" + + validatedDomains.join(", ") + + "'\n" + + JSON.stringify(resp.body, null, 2) + ) + ); + } - if ('ready' === resp.body.status) { - return Promise.reject(new Error( - "Did not finalize order: status 'ready'." - + " Hmmm... this state shouldn't be possible here. That was the last state." - + " This one should at least be 'processing'.\n" - + "Requested: '" + options.domains.join(', ') + "'\n" - + "Validated: '" + validatedDomains.join(', ') + "'\n" - + JSON.stringify(resp.body, null, 2) + "\n\n" - + "Please open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js" - )); - } + if ("ready" === resp.body.status) { + return Promise.reject( + new Error( + "Did not finalize order: status 'ready'." + + " Hmmm... this state shouldn't be possible here. That was the last state." + + " This one should at least be 'processing'.\n" + + "Requested: '" + + options.domains.join(", ") + + "'\n" + + "Validated: '" + + validatedDomains.join(", ") + + "'\n" + + JSON.stringify(resp.body, null, 2) + + "\n\n" + + "Please open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js" + ) + ); + } - return Promise.reject(new Error( - "Didn't finalize order: Unhandled status '" + resp.body.status + "'." - + " This is not one of the known statuses...\n" - + "Requested: '" + options.domains.join(', ') + "'\n" - + "Validated: '" + validatedDomains.join(', ') + "'\n" - + JSON.stringify(resp.body, null, 2) + "\n\n" - + "Please open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js" - )); - }); - } + return Promise.reject( + new Error( + "Didn't finalize order: Unhandled status '" + + resp.body.status + + "'." + + " This is not one of the known statuses...\n" + + "Requested: '" + + options.domains.join(", ") + + "'\n" + + "Validated: '" + + validatedDomains.join(", ") + + "'\n" + + JSON.stringify(resp.body, null, 2) + + "\n\n" + + "Please open an issue at https://git.coolaj86.com/coolaj86/acme-v2.js" + ) + ); + }); + } - return pollCert(); - }).then(function () { - //#console.debug('acme-v2: order was finalized'); - // POST-as-GET - return ACME._jwsRequest(me, { - options: options - , url: options._certificate - , protected: { kid: options._kid } - , payload: Enc.binToBuf('') - }).then(function (resp) { - //#console.debug('acme-v2: csr submitted and cert received:'); - // https://github.com/certbot/certbot/issues/5721 - var certsarr = ACME.splitPemChain(ACME.formatPemChain((resp.body||''))); - // cert, chain, fullchain, privkey, /*TODO, subject, altnames, issuedAt, expiresAt */ - // TODO CSR.info - var certs = { - expires: order.expires - , identifiers: order.identifiers - , cert: certsarr.shift() - , chain: certsarr.join('\n') - }; - //#console.debug(certs); - return certs; - }); - }); - }); - }); - }); -}; -ACME._createOrder = function (me, options) { - return ACME._getAccountKid(me, options).then(function () { - // options._kid added - var body = { - // raw wildcard syntax MUST be used here - identifiers: options.domains.sort(function (a, b) { - // the first in the list will be the subject of the certificate, I believe (and hope) - if (!options.subject) { return 0; } - if (options.subject === a) { return -1; } - if (options.subject === b) { return 1; } - return 0; - }).map(function (hostname) { - return { type: "dns", value: hostname }; - }) - //, "notBefore": "2016-01-01T00:00:00Z" - //, "notAfter": "2016-01-08T00:00:00Z" - }; + return pollCert(); + }) + .then(function() { + //#console.debug('acme-v2: order was finalized'); + // POST-as-GET + return ACME._jwsRequest(me, { + options: options, + url: options._certificate, + protected: { kid: options._kid }, + payload: Enc.binToBuf("") + }).then(function(resp) { + //#console.debug('acme-v2: csr submitted and cert received:'); + // https://github.com/certbot/certbot/issues/5721 + var certsarr = ACME.splitPemChain( + ACME.formatPemChain(resp.body || "") + ); + // cert, chain, fullchain, privkey, /*TODO, subject, altnames, issuedAt, expiresAt */ + // TODO CSR.info + var certs = { + expires: order.expires, + identifiers: order.identifiers, + cert: certsarr.shift(), + chain: certsarr.join("\n") + }; + //#console.debug(certs); + return certs; + }); + }); + }); + }); + }); + }; + ACME._createOrder = function(me, options) { + return ACME._getAccountKid(me, options).then(function() { + // options._kid added + var body = { + // raw wildcard syntax MUST be used here + identifiers: options.domains + .sort(function(a, b) { + // the first in the list will be the subject of the certificate, I believe (and hope) + if (!options.subject) { + return 0; + } + if (options.subject === a) { + return -1; + } + if (options.subject === b) { + return 1; + } + return 0; + }) + .map(function(hostname) { + return { type: "dns", value: hostname }; + }) + //, "notBefore": "2016-01-01T00:00:00Z" + //, "notAfter": "2016-01-08T00:00:00Z" + }; - var payload = JSON.stringify(body); - //#console.debug('\n[DEBUG] newOrder\n'); - return ACME._jwsRequest(me, { - options: options - , url: me._directoryUrls.newOrder - , protected: { kid: options._kid } - , payload: Enc.binToBuf(payload) - }).then(function (resp) { - var order = { - orderUrl: resp.headers.location - , finalizeUrl: resp.body.finalize - , authorizations: resp.body.authorizations - , identifiers: body.identifiers - , _response: resp.body - }; - //#console.debug('[ordered]', location); // the account id url - //#console.debug(resp); + var payload = JSON.stringify(body); + //#console.debug('\n[DEBUG] newOrder\n'); + return ACME._jwsRequest(me, { + options: options, + url: me._directoryUrls.newOrder, + protected: { kid: options._kid }, + payload: Enc.binToBuf(payload) + }) + .then(function(resp) { + var order = { + orderUrl: resp.headers.location, + finalizeUrl: resp.body.finalize, + authorizations: resp.body.authorizations, + identifiers: body.identifiers, + _response: resp.body + }; + //#console.debug('[ordered]', location); // the account id url + //#console.debug(resp); - if (!order.authorizations) { - return Promise.reject(new Error( - "[acme-v2.js] authorizations were not fetched for '" + options.domains.join() + "':\n" - + JSON.stringify(resp.body) - )); - } + if (!order.authorizations) { + return Promise.reject( + new Error( + "[acme-v2.js] authorizations were not fetched for '" + + options.domains.join() + + "':\n" + + JSON.stringify(resp.body) + ) + ); + } - return order; - }).then(function (order) { - var claims = []; - //#console.debug("[acme-v2] POST newOrder has authorizations"); - var challengeAuths = order.authorizations.slice(0); + return order; + }) + .then(function(order) { + var claims = []; + //#console.debug("[acme-v2] POST newOrder has authorizations"); + var challengeAuths = order.authorizations.slice(0); - function getNext() { - var authUrl = challengeAuths.shift(); - if (!authUrl) { return claims; } + function getNext() { + var authUrl = challengeAuths.shift(); + if (!authUrl) { + return claims; + } - return ACME._getChallenges(me, options, authUrl).then(function (claim) { - // var domain = options.domains[i]; // claim.identifier.value - claims.push(claim); - return getNext(); - }); - } + return ACME._getChallenges(me, options, authUrl).then(function( + claim + ) { + // var domain = options.domains[i]; // claim.identifier.value + claims.push(claim); + return getNext(); + }); + } - return getNext().then(function () { - order.claims = claims; - options.order = order; - return order; - }); - }); - }); -}; -ACME._getAccountKid = function (me, options) { - // It's just fine if there's no account, we'll go get the key id we need via the existing key - options._kid = options._kid || options.accountKid - || (options.account && (options.account.kid - || (options.account.key && options.account.key.kid))); - if (options._kid) { - return Promise.resolve(options._kid); - } + return getNext().then(function() { + order.claims = claims; + options.order = order; + return order; + }); + }); + }); + }; + ACME._getAccountKid = function(me, options) { + // It's just fine if there's no account, we'll go get the key id we need via the existing key + options._kid = + options._kid || + options.accountKid || + (options.account && + (options.account.kid || + (options.account.key && options.account.key.kid))); + if (options._kid) { + return Promise.resolve(options._kid); + } - //return Promise.reject(new Error("must include KeyID")); - // This is an idempotent request. It'll return the same account for the same public key. - return ACME._registerAccount(me, options).then(function (account) { - options._kid = account.key.kid; - // start back from the top - return options._kid; - }); -}; + //return Promise.reject(new Error("must include KeyID")); + // This is an idempotent request. It'll return the same account for the same public key. + return ACME._registerAccount(me, options).then(function(account) { + options._kid = account.key.kid; + // start back from the top + return options._kid; + }); + }; -// -// Helper Methods -// -ACME._getCertificate = function (me, options) { - //#console.debug('[acme-v2] DEBUG get cert 1'); + // + // Helper Methods + // + ACME._getCertificate = function(me, options) { + //#console.debug('[acme-v2] DEBUG get cert 1'); - if (options.csr) { - // TODO validate csr signature - options._csr = me.CSR._info(options.csr); - options.domains = options._csr.altnames; - if (options._csr.subject !== options.domains[0]) { - return Promise.reject(new Error("certificate subject (commonName) does not match first altname (SAN)")); - } - } - if (!(options.domains && options.domains.length)) { - return Promise.reject(new Error("options.domains must be a list of string domain names," - + " with the first being the subject of the certificate (or options.subject must specified).")); - } - if (!options.challenges) { - return Promise.reject(new Error("You must specify challenge handlers.")); - } + if (options.csr) { + // TODO validate csr signature + options._csr = me.CSR._info(options.csr); + options.domains = options._csr.altnames; + if (options._csr.subject !== options.domains[0]) { + return Promise.reject( + new Error( + "certificate subject (commonName) does not match first altname (SAN)" + ) + ); + } + } + if (!(options.domains && options.domains.length)) { + return Promise.reject( + new Error( + "options.domains must be a list of string domain names," + + " with the first being the subject of the certificate (or options.subject must specified)." + ) + ); + } + if (!options.challenges) { + return Promise.reject(new Error("You must specify challenge handlers.")); + } - // Do a little dry-run / self-test - return ACME._testChallenges(me, options).then(function () { - //#console.debug('[acme-v2] certificates.create'); - return ACME._createOrder(me, options).then(function (/*order*/) { - // options.order = order; - return ACME._finalizeOrder(me, options); - }); - }); -}; -ACME._getCsrWeb64 = function (me, options, validatedDomains) { - var csr; - if (options.csr) { - csr = options.csr; - // if der, convert to base64 - if ('string' !== typeof csr) { csr = Enc.bufToUrlBase64(csr); } - // nix PEM headers, if any - if ('-' === csr[0]) { csr = csr.split(/\n+/).slice(1, -1).join(''); } - csr = Enc.base64ToUrlBase64(csr.trim().replace(/\s+/g, '')); - return Promise.resolve(csr); - } + // Do a little dry-run / self-test + return ACME._testChallenges(me, options).then(function() { + //#console.debug('[acme-v2] certificates.create'); + return ACME._createOrder(me, options).then(function(/*order*/) { + // options.order = order; + return ACME._finalizeOrder(me, options); + }); + }); + }; + ACME._getCsrWeb64 = function(me, options, validatedDomains) { + var csr; + if (options.csr) { + csr = options.csr; + // if der, convert to base64 + if ("string" !== typeof csr) { + csr = Enc.bufToUrlBase64(csr); + } + // nix PEM headers, if any + if ("-" === csr[0]) { + csr = csr + .split(/\n+/) + .slice(1, -1) + .join(""); + } + csr = Enc.base64ToUrlBase64(csr.trim().replace(/\s+/g, "")); + return Promise.resolve(csr); + } - return ACME._importKeypair(me, options.serverKey || options.serverKeypair || options.domainKeypair).then(function (pair) { - return me.CSR({ jwk: pair.private, domains: validatedDomains, encoding: 'der' }).then(function (der) { - return Enc.bufToUrlBase64(der); - }); - }); -}; + return ACME._importKeypair( + me, + options.serverKey || options.serverKeypair || options.domainKeypair + ).then(function(pair) { + return me + .CSR({ jwk: pair.private, domains: validatedDomains, encoding: "der" }) + .then(function(der) { + return Enc.bufToUrlBase64(der); + }); + }); + }; -ACME.create = function create(me) { - if (!me) { me = {}; } - // me.debug = true; - me.challengePrefixes = ACME.challengePrefixes; - me.Keypairs = me.Keypairs || exports.Keypairs || require('keypairs').Keypairs; - me.CSR = me.CSR || exports.CSR || require('CSR').CSR; - me._nonces = []; - me._canUse = {}; - if (!me._baseUrl) { - me._baseUrl = ""; - } - //me.Keypairs = me.Keypairs || require('keypairs'); - //me.request = me.request || require('@root/request'); - if (!me.dns01) { - me.dns01 = function (auth) { - return ACME._dns01(me, auth); - }; - } - // backwards compat - if (!me.dig) { me.dig = me.dns01; } - if (!me.http01) { - me.http01 = function (auth) { - return ACME._http01(me, auth); - }; - } + ACME.create = function create(me) { + if (!me) { + me = {}; + } + // me.debug = true; + me.challengePrefixes = ACME.challengePrefixes; + me.Keypairs = + me.Keypairs || exports.Keypairs || require("keypairs").Keypairs; + me.CSR = me.CSR || exports.CSR || require("CSR").CSR; + me._nonces = []; + me._canUse = {}; + if (!me._baseUrl) { + me._baseUrl = ""; + } + //me.Keypairs = me.Keypairs || require('keypairs'); + //me.request = me.request || require('@root/request'); + if (!me.dns01) { + me.dns01 = function(auth) { + return ACME._dns01(me, auth); + }; + } + // backwards compat + if (!me.dig) { + me.dig = me.dns01; + } + if (!me.http01) { + me.http01 = function(auth) { + return ACME._http01(me, auth); + }; + } - if ('function' !== typeof me.request) { - me.request = ACME._defaultRequest; - } + if ("function" !== typeof me.request) { + me.request = ACME._defaultRequest; + } - me.init = function (opts) { - function fin(dir) { - me._directoryUrls = dir; - me._tos = dir.meta.termsOfService; - return dir; - } - if (opts && opts.meta && opts.termsOfService) { - return Promise.resolve(fin(opts)); - } - if (!me.directoryUrl) { me.directoryUrl = opts; } - if ('string' !== typeof me.directoryUrl) { - throw new Error("you must supply either the ACME directory url as a string or an object of the ACME urls"); - } - var p = Promise.resolve(); - if (!me.skipChallengeTest) { - // Not ACME - p = me.request({ url: me._baseUrl + "/api/_acme_api_/" }).then(function (resp) { - if (resp.body.success) { - me._canCheck['http-01'] = true; - me._canCheck['dns-01'] = true; - } - }).catch(function () { - // ignore - }); - } - return p.then(function () { - return ACME._directory(me).then(function (resp) { - return fin(resp.body); - }); - }); - }; - me.accounts = { - create: function (options) { - return ACME._registerAccount(me, options); - } - }; - me.orders = { - // create + get challlenges - request: function (options) { - return ACME._createOrder(me, options); - } - // set challenges, check challenges, finalize order, return order - , complete: function (options) { - return ACME._finalizeOrder(me, options); - } - }; - me.certificates = { - create: function (options) { - return ACME._getCertificate(me, options); - } - }; - return me; -}; + me.init = function(opts) { + function fin(dir) { + me._directoryUrls = dir; + me._tos = dir.meta.termsOfService; + return dir; + } + if (opts && opts.meta && opts.termsOfService) { + return Promise.resolve(fin(opts)); + } + if (!me.directoryUrl) { + me.directoryUrl = opts; + } + if ("string" !== typeof me.directoryUrl) { + throw new Error( + "you must supply either the ACME directory url as a string or an object of the ACME urls" + ); + } + var p = Promise.resolve(); + if (!me.skipChallengeTest) { + // Not ACME + p = me + .request({ url: me._baseUrl + "/api/_acme_api_/" }) + .then(function(resp) { + if (resp.body.success) { + me._canCheck["http-01"] = true; + me._canCheck["dns-01"] = true; + } + }) + .catch(function() { + // ignore + }); + } + return p.then(function() { + return ACME._directory(me).then(function(resp) { + return fin(resp.body); + }); + }); + }; + me.accounts = { + create: function(options) { + return ACME._registerAccount(me, options); + } + }; + me.orders = { + // create + get challlenges + request: function(options) { + return ACME._createOrder(me, options); + }, + // set challenges, check challenges, finalize order, return order + complete: function(options) { + return ACME._finalizeOrder(me, options); + } + }; + me.certificates = { + create: function(options) { + return ACME._getCertificate(me, options); + } + }; + return me; + }; -// Handle nonce, signing, and request altogether -ACME._jwsRequest = function (me, bigopts) { - return ACME._getNonce(me).then(function (nonce) { - bigopts.protected.nonce = nonce; - bigopts.protected.url = bigopts.url; - // protected.alg: added by Keypairs.signJws - if (!bigopts.protected.jwk) { - // protected.kid must be overwritten due to ACME's interpretation of the spec - if (!bigopts.protected.kid) { bigopts.protected.kid = bigopts.options._kid; } - } - return me.Keypairs.signJws( - { jwk: bigopts.accountKey || bigopts.options.accountKeypair.privateKeyJwk - , protected: bigopts.protected - , payload: bigopts.payload - } - ).then(function (jws) { - //#console.debug('[acme-v2] ' + bigopts.url + ':'); - //#console.debug(jws); - return ACME._request(me, { url: bigopts.url, json: jws }); - }).catch(function (e) { - if (/badNonce$/.test(e.urn)) { - // retry badNonces - var retryable = (bigopts._retries >= 2); - if (!retryable) { - bigopts._retries = (bigopts._retries || 0) + 1; - return ACME._jwsRequest(me, bigopts); - } - } - throw e; - }); - }); -}; -// Handle some ACME-specific defaults -ACME._request = function (me, opts) { - if (!opts.headers) { opts.headers = {}; } - if (opts.json && true !== opts.json) { - opts.headers['Content-Type'] = 'application/jose+json'; - opts.body = JSON.stringify(opts.json); - if (!opts.method) { opts.method = 'POST'; } - } - return me.request(opts).then(function (resp) { - if (resp.toJSON) { resp = resp.toJSON(); } - if (resp.headers['replay-nonce']) { - ACME._setNonce(me, resp.headers['replay-nonce']); - } + // Handle nonce, signing, and request altogether + ACME._jwsRequest = function(me, bigopts) { + return ACME._getNonce(me).then(function(nonce) { + bigopts.protected.nonce = nonce; + bigopts.protected.url = bigopts.url; + // protected.alg: added by Keypairs.signJws + if (!bigopts.protected.jwk) { + // protected.kid must be overwritten due to ACME's interpretation of the spec + if (!bigopts.protected.kid) { + bigopts.protected.kid = bigopts.options._kid; + } + } + return me.Keypairs.signJws({ + jwk: bigopts.accountKey || bigopts.options.accountKeypair.privateKeyJwk, + protected: bigopts.protected, + payload: bigopts.payload + }) + .then(function(jws) { + //#console.debug('[acme-v2] ' + bigopts.url + ':'); + //#console.debug(jws); + return ACME._request(me, { url: bigopts.url, json: jws }); + }) + .catch(function(e) { + if (/badNonce$/.test(e.urn)) { + // retry badNonces + var retryable = bigopts._retries >= 2; + if (!retryable) { + bigopts._retries = (bigopts._retries || 0) + 1; + return ACME._jwsRequest(me, bigopts); + } + } + throw e; + }); + }); + }; + // Handle some ACME-specific defaults + ACME._request = function(me, opts) { + if (!opts.headers) { + opts.headers = {}; + } + if (opts.json && true !== opts.json) { + opts.headers["Content-Type"] = "application/jose+json"; + opts.body = JSON.stringify(opts.json); + if (!opts.method) { + opts.method = "POST"; + } + } + return me.request(opts).then(function(resp) { + if (resp.toJSON) { + resp = resp.toJSON(); + } + if (resp.headers["replay-nonce"]) { + ACME._setNonce(me, resp.headers["replay-nonce"]); + } - var e; - var err; - if (resp.body) { - err = resp.body.error; - e = new Error(""); - if (400 === resp.body.status) { - err = { type: resp.body.type, detail: resp.body.detail }; - } - if (err) { - e.status = resp.body.status; - e.code = 'E_ACME'; - if (e.status) { - e.message = "[" + e.status + "] "; - } - e.detail = err.detail; - e.message += (err.detail || JSON.stringify(err)); - e.urn = err.type; - e.uri = resp.body.url; - e._rawError = err; - e._rawBody = resp.body; - throw e; - } - } + var e; + var err; + if (resp.body) { + err = resp.body.error; + e = new Error(""); + if (400 === resp.body.status) { + err = { type: resp.body.type, detail: resp.body.detail }; + } + if (err) { + e.status = resp.body.status; + e.code = "E_ACME"; + if (e.status) { + e.message = "[" + e.status + "] "; + } + e.detail = err.detail; + e.message += err.detail || JSON.stringify(err); + e.urn = err.type; + e.uri = resp.body.url; + e._rawError = err; + e._rawBody = resp.body; + throw e; + } + } - return resp; - }); -}; -// A very generic, swappable request lib -ACME._defaultRequest = function (opts) { - // Note: normally we'd have to supply a User-Agent string, but not here in a browser - if (!opts.headers) { opts.headers = {}; } - if (opts.json) { - opts.headers.Accept = 'application/json'; - if (true !== opts.json) { opts.body = JSON.stringify(opts.json); } - } - if (!opts.method) { - opts.method = 'GET'; - if (opts.body) { opts.method = 'POST'; } - } - opts.cors = true; - return window.fetch(opts.url, opts).then(function (resp) { - var headers = {}; - var result = { statusCode: resp.status, headers: headers, toJSON: function () { return this; } }; - Array.from(resp.headers.entries()).forEach(function (h) { headers[h[0]] = h[1]; }); - if (!headers['content-type']) { - return result; - } - if (/json/.test(headers['content-type'])) { - return resp.json().then(function (json) { - result.body = json; - return result; - }); - } - return resp.text().then(function (txt) { - result.body = txt; - return result; - }); - }); -}; + return resp; + }); + }; + // A very generic, swappable request lib + ACME._defaultRequest = function(opts) { + // Note: normally we'd have to supply a User-Agent string, but not here in a browser + if (!opts.headers) { + opts.headers = {}; + } + if (opts.json) { + opts.headers.Accept = "application/json"; + if (true !== opts.json) { + opts.body = JSON.stringify(opts.json); + } + } + if (!opts.method) { + opts.method = "GET"; + if (opts.body) { + opts.method = "POST"; + } + } + opts.cors = true; + return window.fetch(opts.url, opts).then(function(resp) { + var headers = {}; + var result = { + statusCode: resp.status, + headers: headers, + toJSON: function() { + return this; + } + }; + Array.from(resp.headers.entries()).forEach(function(h) { + headers[h[0]] = h[1]; + }); + if (!headers["content-type"]) { + return result; + } + if (/json/.test(headers["content-type"])) { + return resp.json().then(function(json) { + result.body = json; + return result; + }); + } + return resp.text().then(function(txt) { + result.body = txt; + return result; + }); + }); + }; -ACME._importKeypair = function (me, kp) { - var jwk = kp.privateKeyJwk || kp.kty && kp; - var p; - if (jwk) { - // nix the browser jwk extras - jwk.key_ops = undefined; - jwk.ext = undefined; - p = Promise.resolve({ private: jwk, public: me.Keypairs.neuter({ jwk: jwk }) }); - } else { - p = me.Keypairs.import({ pem: kp.privateKeyPem }); - } - return p.then(function (pair) { - kp.privateKeyJwk = pair.private; - kp.publicKeyJwk = pair.public; - if (pair.public.kid) { - pair = JSON.parse(JSON.stringify(pair)); - delete pair.public.kid; - delete pair.private.kid; - } - return pair; - }); -}; + ACME._importKeypair = function(me, kp) { + var jwk = kp.privateKeyJwk || (kp.kty && kp); + var p; + if (jwk) { + // nix the browser jwk extras + jwk.key_ops = undefined; + jwk.ext = undefined; + p = Promise.resolve({ + private: jwk, + public: me.Keypairs.neuter({ jwk: jwk }) + }); + } else { + p = me.Keypairs.import({ pem: kp.privateKeyPem }); + } + return p.then(function(pair) { + kp.privateKeyJwk = pair.private; + kp.publicKeyJwk = pair.public; + if (pair.public.kid) { + pair = JSON.parse(JSON.stringify(pair)); + delete pair.public.kid; + delete pair.private.kid; + } + return pair; + }); + }; -ACME._toWebsafeBase64 = function (b64) { - return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g,""); -}; + ACME._toWebsafeBase64 = function(b64) { + return b64 + .replace(/\+/g, "-") + .replace(/\//g, "_") + .replace(/=/g, ""); + }; -// In v8 this is crypto random, but we're just using it for pseudorandom -ACME._prnd = function (n) { - var rnd = ''; - while (rnd.length / 2 < n) { - var num = Math.random().toString().substr(2); - if (num.length % 2) { - num = '0' + num; - } - var pairs = num.match(/(..?)/g); - rnd += pairs.map(ACME._toHex).join(''); - } - return rnd.substr(0, n*2); -}; -ACME._toHex = function (pair) { - return parseInt(pair, 10).toString(16); -}; -ACME._dns01 = function (me, auth) { - // Not ACME - return new me.request({ url: me._baseUrl + "/api/dns/" + auth.dnsHost + "?type=TXT" }).then(function (resp) { - var err; - if (!resp.body || !Array.isArray(resp.body.answer)) { - err = new Error("failed to get DNS response"); - console.error(err); - throw err; - } - if (!resp.body.answer.length) { - err = new Error("failed to get DNS answer record in response"); - console.error(err); - throw err; - } - return { - answer: resp.body.answer.map(function (ans) { - return { data: ans.data, ttl: ans.ttl }; - }) - }; - }); -}; -ACME._http01 = function (me, auth) { - var url = encodeURIComponent(auth.challengeUrl); - // Not ACME - return new me.request({ url: me._baseUrl + "/api/http?url=" + url }).then(function (resp) { - return resp.body; - }); -}; -ACME._removeChallenge = function (me, options, auth) { - return Promise.resolve().then(function () { - if (!options.challenges) { return; } - var ch = options.challenges[auth.type]; - ch.remove(auth).catch(function (e) { - console.warn("challenge.remove error:"); - console.warn(e); - }); - }); -}; + // In v8 this is crypto random, but we're just using it for pseudorandom + ACME._prnd = function(n) { + var rnd = ""; + while (rnd.length / 2 < n) { + var num = Math.random() + .toString() + .substr(2); + if (num.length % 2) { + num = "0" + num; + } + var pairs = num.match(/(..?)/g); + rnd += pairs.map(ACME._toHex).join(""); + } + return rnd.substr(0, n * 2); + }; + ACME._toHex = function(pair) { + return parseInt(pair, 10).toString(16); + }; + ACME._dns01 = function(me, auth) { + // Not ACME + return new me.request({ + url: me._baseUrl + "/api/dns/" + auth.dnsHost + "?type=TXT" + }).then(function(resp) { + var err; + if (!resp.body || !Array.isArray(resp.body.answer)) { + err = new Error("failed to get DNS response"); + console.error(err); + throw err; + } + if (!resp.body.answer.length) { + err = new Error("failed to get DNS answer record in response"); + console.error(err); + throw err; + } + return { + answer: resp.body.answer.map(function(ans) { + return { data: ans.data, ttl: ans.ttl }; + }) + }; + }); + }; + ACME._http01 = function(me, auth) { + var url = encodeURIComponent(auth.challengeUrl); + // Not ACME + return new me.request({ url: me._baseUrl + "/api/http?url=" + url }).then( + function(resp) { + return resp.body; + } + ); + }; + ACME._removeChallenge = function(me, options, auth) { + return Promise.resolve().then(function() { + if (!options.challenges) { + return; + } + var ch = options.challenges[auth.type]; + ch.remove(auth).catch(function(e) { + console.warn("challenge.remove error:"); + console.warn(e); + }); + }); + }; -Enc.bufToUrlBase64 = function (u8) { - return Enc.bufToBase64(u8) - .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); -}; -Enc.bufToBase64 = function (u8) { - var bin = ''; - u8.forEach(function (i) { - bin += String.fromCharCode(i); - }); - return btoa(bin); -}; + Enc.bufToUrlBase64 = function(u8) { + return Enc.bufToBase64(u8) + .replace(/\+/g, "-") + .replace(/\//g, "_") + .replace(/=/g, ""); + }; + Enc.bufToBase64 = function(u8) { + var bin = ""; + u8.forEach(function(i) { + bin += String.fromCharCode(i); + }); + return btoa(bin); + }; -Crypto._sha = function (sha, str) { - var encoder = new TextEncoder(); - var data = encoder.encode(str); - sha = 'SHA-' + sha.replace(/^sha-?/i, ''); - return window.crypto.subtle.digest(sha, data).then(function (hash) { - return Enc.bufToUrlBase64(new Uint8Array(hash)); - }); -}; - -}('undefined' === typeof window ? module.exports : window)); + Crypto._sha = function(sha, str) { + var encoder = new TextEncoder(); + var data = encoder.encode(str); + sha = "SHA-" + sha.replace(/^sha-?/i, ""); + return window.crypto.subtle.digest(sha, data).then(function(hash) { + return Enc.bufToUrlBase64(new Uint8Array(hash)); + }); + }; +})("undefined" === typeof window ? module.exports : window); diff --git a/app/js/greenlock.js b/app/js/greenlock.js index 6466c13..c1fd567 100644 --- a/app/js/greenlock.js +++ b/app/js/greenlock.js @@ -1,504 +1,607 @@ -(function () { -'use strict'; +(function() { + "use strict"; - /*global URLSearchParams,Headers*/ - var PromiseA = window.Promise; - var VERSION = '2'; - // ACME recommends ECDSA P-256, but RSA 2048 is still required by some old servers (like what replicated.io uses ) - // ECDSA P-384, P-521, and RSA 3072, 4096 are NOT recommend standards (and not properly supported) - var BROWSER_SUPPORTS_RSA = false; - var ECDSA_OPTS = { kty: 'EC', namedCurve: 'P-256' }; - var RSA_OPTS = { kty: 'RSA', modulusLength: 2048 }; - var Promise = window.Promise; - var Keypairs = window.Keypairs; - var ACME = window.ACME; - var CSR = window.CSR; - var $qs = function (s) { return window.document.querySelector(s); }; - var $qsa = function (s) { return window.document.querySelectorAll(s); }; - var acme; - var info = {}; - var steps = {}; - var i = 1; - var apiUrl = 'https://acme-{{env}}.api.letsencrypt.org/directory'; + /*global URLSearchParams,Headers*/ + var PromiseA = window.Promise; + var VERSION = "2"; + // ACME recommends ECDSA P-256, but RSA 2048 is still required by some old servers (like what replicated.io uses ) + // ECDSA P-384, P-521, and RSA 3072, 4096 are NOT recommend standards (and not properly supported) + var BROWSER_SUPPORTS_RSA = false; + var ECDSA_OPTS = { kty: "EC", namedCurve: "P-256" }; + var RSA_OPTS = { kty: "RSA", modulusLength: 2048 }; + var Promise = window.Promise; + var Keypairs = window.Keypairs; + var ACME = window.ACME; + var CSR = window.CSR; + var $qs = function(s) { + return window.document.querySelector(s); + }; + var $qsa = function(s) { + return window.document.querySelectorAll(s); + }; + var acme; + var info = {}; + var steps = {}; + var i = 1; + var apiUrl = "https://acme-{{env}}.api.letsencrypt.org/directory"; - // fix previous browsers - var isCurrent = (localStorage.getItem('version') === VERSION); - if (!isCurrent) { - localStorage.clear(); - localStorage.setItem('version', VERSION); - } - localStorage.setItem('version', VERSION); + // fix previous browsers + var isCurrent = localStorage.getItem("version") === VERSION; + if (!isCurrent) { + localStorage.clear(); + localStorage.setItem("version", VERSION); + } + localStorage.setItem("version", VERSION); - function updateApiType() { - /*jshint validthis: true */ - var input = this || Array.prototype.filter.call( - $qsa('.js-acme-api-type'), function ($el) { return $el.checked; } - )[0]; - //#console.log('ACME api type radio:', input.value); - $qs('.js-acme-directory-url').value = apiUrl.replace(/{{env}}/g, input.value); - } + function updateApiType() { + /*jshint validthis: true */ + var input = + this || + Array.prototype.filter.call($qsa(".js-acme-api-type"), function($el) { + return $el.checked; + })[0]; + //#console.log('ACME api type radio:', input.value); + $qs(".js-acme-directory-url").value = apiUrl.replace( + /{{env}}/g, + input.value + ); + } - function hideForms() { - $qsa('.js-acme-form').forEach(function (el) { - el.hidden = true; - }); - } + function hideForms() { + $qsa(".js-acme-form").forEach(function(el) { + el.hidden = true; + }); + } - function updateProgress(currentStep) { - var progressSteps = $qs("#js-progress-bar").children; - var j; - for (j = 0; j < progressSteps.length; j += 1) { - if (j < currentStep) { - progressSteps[j].classList.add("js-progress-step-complete"); - progressSteps[j].classList.remove("js-progress-step-started"); - } else if (j === currentStep) { - progressSteps[j].classList.remove("js-progress-step-complete"); - progressSteps[j].classList.add("js-progress-step-started"); - } else { - progressSteps[j].classList.remove("js-progress-step-complete"); - progressSteps[j].classList.remove("js-progress-step-started"); - } - } - } + function updateProgress(currentStep) { + var progressSteps = $qs("#js-progress-bar").children; + var j; + for (j = 0; j < progressSteps.length; j += 1) { + if (j < currentStep) { + progressSteps[j].classList.add("js-progress-step-complete"); + progressSteps[j].classList.remove("js-progress-step-started"); + } else if (j === currentStep) { + progressSteps[j].classList.remove("js-progress-step-complete"); + progressSteps[j].classList.add("js-progress-step-started"); + } else { + progressSteps[j].classList.remove("js-progress-step-complete"); + progressSteps[j].classList.remove("js-progress-step-started"); + } + } + } - function newAlert(str) { - return new Promise(function () { - setTimeout(function () { - window.alert(str); - if (window.confirm("Start over?")) { - document.location.href = document.location.href.replace(/\/app.*/, '/'); - } - }, 10); - }); - } + function newAlert(str) { + return new Promise(function() { + setTimeout(function() { + window.alert(str); + if (window.confirm("Start over?")) { + document.location.href = document.location.href.replace( + /\/app.*/, + "/" + ); + } + }, 10); + }); + } - function submitForm(ev) { - var j = i; - i += 1; + function submitForm(ev) { + var j = i; + i += 1; - return PromiseA.resolve().then(function () { - return steps[j].submit(ev); - }).catch(function (err) { - var ourfault = true; - console.error(err); - if (/failed to fetch/i.test(err.message)) { - return newAlert("Network connection failure."); - } + return PromiseA.resolve() + .then(function() { + return steps[j].submit(ev); + }) + .catch(function(err) { + var ourfault = true; + console.error(err); + if (/failed to fetch/i.test(err.message)) { + return newAlert("Network connection failure."); + } - if ('E_ACME_CHALLENGE' === err.code) { - if ('dns-01' === err.type) { - ourfault = false; - return newAlert("It looks like the DNS record you set for " - + err.altname + " was incorrect or did not propagate. " - + "The error message was '" + err.message + "'"); - } else if ('http-01' === err.type) { - ourfault = false; - return newAlert("It looks like the file you uploaded for " - + err.altname + " was incorrect or could not be downloaded. " - + "The error message was '" + err.message + "'"); - } - } + if ("E_ACME_CHALLENGE" === err.code) { + if ("dns-01" === err.type) { + ourfault = false; + return newAlert( + "It looks like the DNS record you set for " + + err.altname + + " was incorrect or did not propagate. " + + "The error message was '" + + err.message + + "'" + ); + } else if ("http-01" === err.type) { + ourfault = false; + return newAlert( + "It looks like the file you uploaded for " + + err.altname + + " was incorrect or could not be downloaded. " + + "The error message was '" + + err.message + + "'" + ); + } + } - if (ourfault) { - err.auth = undefined; - window.alert("Something went wrong. It's probably our fault, not yours." - + " Please email aj@rootprojects.org to let him know. The error message is: \n" - + JSON.stringify(err, null, 2)); - return new Promise(function () {}); - } - }); - } + if (ourfault) { + err.auth = undefined; + window.alert( + "Something went wrong. It's probably our fault, not yours." + + " Please email aj@rootprojects.org to let him know. The error message is: \n" + + JSON.stringify(err, null, 2) + ); + return new Promise(function() {}); + } + }); + } - function testKeypairSupport() { - return Keypairs.generate(RSA_OPTS).then(function () { - console.info("[crypto] RSA is supported"); - BROWSER_SUPPORTS_RSA = true; - }).catch(function () { - console.warn("[crypto] RSA is NOT supported"); - return Keypairs.generate(ECDSA_OPTS).then(function () { - console.info('[crypto] ECDSA is supported'); - }).catch(function (e) { - console.warn("[crypto] EC is NOT supported"); - throw e; - }); - }); - } + function testKeypairSupport() { + return Keypairs.generate(RSA_OPTS) + .then(function() { + console.info("[crypto] RSA is supported"); + BROWSER_SUPPORTS_RSA = true; + }) + .catch(function() { + console.warn("[crypto] RSA is NOT supported"); + return Keypairs.generate(ECDSA_OPTS) + .then(function() { + console.info("[crypto] ECDSA is supported"); + }) + .catch(function(e) { + console.warn("[crypto] EC is NOT supported"); + throw e; + }); + }); + } - function getServerKeypair() { - var sortedAltnames = info.identifiers.map(function (ident) { return ident.value; }).sort().join(','); - var serverJwk = JSON.parse(localStorage.getItem('server:' + sortedAltnames) || 'null'); - if (serverJwk) { - return PromiseA.resolve(serverJwk); - } + function getServerKeypair() { + var sortedAltnames = info.identifiers + .map(function(ident) { + return ident.value; + }) + .sort() + .join(","); + var serverJwk = JSON.parse( + localStorage.getItem("server:" + sortedAltnames) || "null" + ); + if (serverJwk) { + return PromiseA.resolve(serverJwk); + } - var keypairOpts; - // TODO allow for user preference - if (BROWSER_SUPPORTS_RSA) { - keypairOpts = RSA_OPTS; - } else { - keypairOpts = ECDSA_OPTS; - } + var keypairOpts; + // TODO allow for user preference + if (BROWSER_SUPPORTS_RSA) { + keypairOpts = RSA_OPTS; + } else { + keypairOpts = ECDSA_OPTS; + } - return Keypairs.generate(RSA_OPTS).catch(function (err) { - console.error("[Error] Keypairs.generate(" + JSON.stringify(RSA_OPTS) + "):"); - throw err; - }).then(function (pair) { - localStorage.setItem('server:'+sortedAltnames, JSON.stringify(pair.private)); - return pair.private; - }); - } + return Keypairs.generate(RSA_OPTS) + .catch(function(err) { + console.error( + "[Error] Keypairs.generate(" + JSON.stringify(RSA_OPTS) + "):" + ); + throw err; + }) + .then(function(pair) { + localStorage.setItem( + "server:" + sortedAltnames, + JSON.stringify(pair.private) + ); + return pair.private; + }); + } - function getAccountKeypair(email) { - var json = localStorage.getItem('account:'+email); - if (json) { - return Promise.resolve(JSON.parse(json)); - } + function getAccountKeypair(email) { + var json = localStorage.getItem("account:" + email); + if (json) { + return Promise.resolve(JSON.parse(json)); + } - return Keypairs.generate(ECDSA_OPTS).catch(function (err) { - console.warn("[Error] Keypairs.generate(" + JSON.stringify(ECDSA_OPTS) + "):\n", err); - return Keypairs.generate(RSA_OPTS).catch(function (err) { - console.error("[Error] Keypairs.generate(" + JSON.stringify(RSA_OPTS) + "):"); - throw err; - }); - }).then(function (pair) { - localStorage.setItem('account:'+email, JSON.stringify(pair.private)); - return pair.private; - }); - } + return Keypairs.generate(ECDSA_OPTS) + .catch(function(err) { + console.warn( + "[Error] Keypairs.generate(" + JSON.stringify(ECDSA_OPTS) + "):\n", + err + ); + return Keypairs.generate(RSA_OPTS).catch(function(err) { + console.error( + "[Error] Keypairs.generate(" + JSON.stringify(RSA_OPTS) + "):" + ); + throw err; + }); + }) + .then(function(pair) { + localStorage.setItem("account:" + email, JSON.stringify(pair.private)); + return pair.private; + }); + } - function updateChallengeType() { - /*jshint validthis: true*/ - var input = this || Array.prototype.filter.call( - $qsa('.js-acme-challenge-type'), function ($el) { return $el.checked; } - )[0]; - $qs('.js-acme-verification-wildcard').hidden = true; - $qs('.js-acme-verification-http-01').hidden = true; - $qs('.js-acme-verification-dns-01').hidden = true; - if (info.challenges.wildcard) { - $qs('.js-acme-verification-wildcard').hidden = false; - } - if (info.challenges[input.value]) { - $qs('.js-acme-verification-' + input.value).hidden = false; - } - } + function updateChallengeType() { + /*jshint validthis: true*/ + var input = + this || + Array.prototype.filter.call($qsa(".js-acme-challenge-type"), function( + $el + ) { + return $el.checked; + })[0]; + $qs(".js-acme-verification-wildcard").hidden = true; + $qs(".js-acme-verification-http-01").hidden = true; + $qs(".js-acme-verification-dns-01").hidden = true; + if (info.challenges.wildcard) { + $qs(".js-acme-verification-wildcard").hidden = false; + } + if (info.challenges[input.value]) { + $qs(".js-acme-verification-" + input.value).hidden = false; + } + } - function saveContact(email, domains) { - // to be used for good, not evil - return window.fetch('https://api.rootprojects.org/api/rootprojects.org/public/community', { - method: 'POST' - , cors: true - , headers: new Headers({ 'Content-Type': 'application/json' }) - , body: JSON.stringify({ - address: email - , project: 'greenlock-domains@rootprojects.org' - , timezone: new Intl.DateTimeFormat().resolvedOptions().timeZone - , domain: domains.join(',') - }) - }).catch(function (err) { - console.error(err); - }); - } + function saveContact(email, domains) { + // to be used for good, not evil + return window + .fetch( + "https://api.rootprojects.org/api/rootprojects.org/public/community", + { + method: "POST", + cors: true, + headers: new Headers({ "Content-Type": "application/json" }), + body: JSON.stringify({ + address: email, + project: "greenlock-domains@rootprojects.org", + timezone: new Intl.DateTimeFormat().resolvedOptions().timeZone, + domain: domains.join(",") + }) + } + ) + .catch(function(err) { + console.error(err); + }); + } - steps[1] = function () { - console.info("\n1. Show domains form"); - updateProgress(0); - hideForms(); - $qs('.js-acme-form-domains').hidden = false; - }; - steps[1].submit = function () { - console.info("[submit] 1. Process domains, create ACME client", info.domains); - info.domains = $qs('.js-acme-domains').value - .replace(/https?:\/\//g, ' ').replace(/[,+]/g, ' ').trim().split(/\s+/g); - console.info("[domains]", info.domains.join(' ')); + steps[1] = function() { + console.info("\n1. Show domains form"); + updateProgress(0); + hideForms(); + $qs(".js-acme-form-domains").hidden = false; + }; + steps[1].submit = function() { + console.info( + "[submit] 1. Process domains, create ACME client", + info.domains + ); + info.domains = $qs(".js-acme-domains") + .value.replace(/https?:\/\//g, " ") + .replace(/[,+]/g, " ") + .trim() + .split(/\s+/g); + console.info("[domains]", info.domains.join(" ")); - info.identifiers = info.domains.map(function (hostname) { - return { type: 'dns', value: hostname.toLowerCase().trim() }; - }); - info.identifiers.sort(function (a, b) { - if (a === b) { return 0; } - if (a < b) { return 1; } - if (a > b) { return -1; } - }); + info.identifiers = info.domains.map(function(hostname) { + return { type: "dns", value: hostname.toLowerCase().trim() }; + }); + info.identifiers.sort(function(a, b) { + if (a === b) { + return 0; + } + if (a < b) { + return 1; + } + if (a > b) { + return -1; + } + }); - var acmeDirectoryUrl = $qs('.js-acme-directory-url').value; - acme = ACME.create({ Keypairs: Keypairs, CSR: CSR }); - return acme.init(acmeDirectoryUrl).then(function (directory) { - $qs('.js-acme-tos-url').href = directory.meta.termsOfService; - return steps[i](); - }); - }; + var acmeDirectoryUrl = $qs(".js-acme-directory-url").value; + acme = ACME.create({ Keypairs: Keypairs, CSR: CSR }); + return acme.init(acmeDirectoryUrl).then(function(directory) { + $qs(".js-acme-tos-url").href = directory.meta.termsOfService; + return steps[i](); + }); + }; - steps[2] = function () { - console.info("\n2. Show account (email, ToS) form"); + steps[2] = function() { + console.info("\n2. Show account (email, ToS) form"); - updateProgress(0); - hideForms(); - $qs('.js-acme-form-account').hidden = false; - }; - steps[2].submit = function () { - console.info("[submit] 2. Create ACME account (get Key ID)"); + updateProgress(0); + hideForms(); + $qs(".js-acme-form-account").hidden = false; + }; + steps[2].submit = function() { + console.info("[submit] 2. Create ACME account (get Key ID)"); - var email = $qs('.js-acme-account-email').value.toLowerCase().trim(); - info.email = email; - info.contact = [ 'mailto:' + email ]; - info.agree = $qs('.js-acme-account-tos').checked; - //info.greenlockAgree = $qs('.js-gl-tos').checked; + var email = $qs(".js-acme-account-email") + .value.toLowerCase() + .trim(); + info.email = email; + info.contact = ["mailto:" + email]; + info.agree = $qs(".js-acme-account-tos").checked; + //info.greenlockAgree = $qs('.js-gl-tos').checked; - // TODO ping with version and account creation - setTimeout(saveContact, 100, email, info.domains); + // TODO ping with version and account creation + setTimeout(saveContact, 100, email, info.domains); - $qs('.js-account-next').disabled = true; + $qs(".js-account-next").disabled = true; - return info.cryptoCheck.then(function () { - return getAccountKeypair(email).then(function (jwk) { - // TODO save account id rather than always retrieving it? - console.info("[accounts] upsert for", email); - return acme.accounts.create({ - email: email - , agreeToTerms: info.agree && true - , accountKeypair: { privateKeyJwk: jwk } - }).then(function (account) { - console.info("[accounts] result:", account); - info.account = account; - info.privateJwk = jwk; - info.email = email; - }).catch(function (err) { - console.error("[accounts] failed to upsert account:"); - console.error(err); - return newAlert(err.message || JSON.stringify(err, null, 2)); - }); - }); - }).then(function () { - var jwk = info.privateJwk; - var account = info.account; + return info.cryptoCheck + .then(function() { + return getAccountKeypair(email).then(function(jwk) { + // TODO save account id rather than always retrieving it? + console.info("[accounts] upsert for", email); + return acme.accounts + .create({ + email: email, + agreeToTerms: info.agree && true, + accountKeypair: { privateKeyJwk: jwk } + }) + .then(function(account) { + console.info("[accounts] result:", account); + info.account = account; + info.privateJwk = jwk; + info.email = email; + }) + .catch(function(err) { + console.error("[accounts] failed to upsert account:"); + console.error(err); + return newAlert(err.message || JSON.stringify(err, null, 2)); + }); + }); + }) + .then(function() { + var jwk = info.privateJwk; + var account = info.account; - console.info("[orders] requesting"); - return acme.orders.request({ - account: account - , accountKeypair: { privateKeyJwk: jwk } - , domains: info.domains - }).then(function (order) { - info.order = order; - console.info("[orders] created ", order); + console.info("[orders] requesting"); + return acme.orders + .request({ + account: account, + accountKeypair: { privateKeyJwk: jwk }, + domains: info.domains + }) + .then(function(order) { + info.order = order; + console.info("[orders] created ", order); - var claims = order.claims; + var claims = order.claims; - var obj = { 'dns-01': [], 'http-01': [], 'wildcard': [] }; - info.challenges = obj; + var obj = { "dns-01": [], "http-01": [], wildcard: [] }; + info.challenges = obj; - var $httpList = $qs('.js-acme-http'); - var $dnsList = $qs('.js-acme-dns'); - var $wildList = $qs('.js-acme-wildcard'); - var httpTpl = $httpList.innerHTML; - var dnsTpl = $dnsList.innerHTML; - var wildTpl = $wildList.innerHTML; - $httpList.innerHTML = ''; - $dnsList.innerHTML = ''; - $wildList.innerHTML = ''; + var $httpList = $qs(".js-acme-http"); + var $dnsList = $qs(".js-acme-dns"); + var $wildList = $qs(".js-acme-wildcard"); + var httpTpl = $httpList.innerHTML; + var dnsTpl = $dnsList.innerHTML; + var wildTpl = $wildList.innerHTML; + $httpList.innerHTML = ""; + $dnsList.innerHTML = ""; + $wildList.innerHTML = ""; - claims.forEach(function (claim) { - //#console.log("claims[i]", claim); - var hostname = claim.identifier.value; - claim.challenges.forEach(function (c) { - var auth = c; - var data = { - type: c.type - , hostname: hostname - , url: c.url - , token: c.token - , httpPath: auth.challengeUrl - , httpAuth: auth.keyAuthorization - , dnsType: 'TXT' - , dnsHost: auth.dnsHost - , dnsAnswer: auth.keyAuthorizationDigest - }; - //#console.log("claims[i].challenge", data); + claims.forEach(function(claim) { + //#console.log("claims[i]", claim); + var hostname = claim.identifier.value; + claim.challenges.forEach(function(c) { + var auth = c; + var data = { + type: c.type, + hostname: hostname, + url: c.url, + token: c.token, + httpPath: auth.challengeUrl, + httpAuth: auth.keyAuthorization, + dnsType: "TXT", + dnsHost: auth.dnsHost, + dnsAnswer: auth.keyAuthorizationDigest + }; + //#console.log("claims[i].challenge", data); - var $tpl = document.createElement("div"); - if (claim.wildcard) { - obj.wildcard.push(data); - $tpl.innerHTML = wildTpl; - $tpl.querySelector(".js-acme-ver-txt-host").innerHTML = data.dnsHost; - $tpl.querySelector(".js-acme-ver-txt-value").innerHTML = data.dnsAnswer; - $wildList.appendChild($tpl); - } else if(obj[data.type]) { + var $tpl = document.createElement("div"); + if (claim.wildcard) { + obj.wildcard.push(data); + $tpl.innerHTML = wildTpl; + $tpl.querySelector(".js-acme-ver-txt-host").innerHTML = + data.dnsHost; + $tpl.querySelector(".js-acme-ver-txt-value").innerHTML = + data.dnsAnswer; + $wildList.appendChild($tpl); + } else if (obj[data.type]) { + obj[data.type].push(data); - obj[data.type].push(data); + if ("dns-01" === data.type) { + $tpl.innerHTML = dnsTpl; + $tpl.querySelector(".js-acme-ver-txt-host").innerHTML = + data.dnsHost; + $tpl.querySelector(".js-acme-ver-txt-value").innerHTML = + data.dnsAnswer; + $dnsList.appendChild($tpl); + } else if ("http-01" === data.type) { + $tpl.innerHTML = httpTpl; + $tpl.querySelector( + ".js-acme-ver-file-location" + ).innerHTML = data.httpPath.split("/").slice(-1); + $tpl.querySelector(".js-acme-ver-content").innerHTML = + data.httpAuth; + $tpl.querySelector(".js-acme-ver-uri").innerHTML = + data.httpPath; + $tpl.querySelector(".js-download-verify-link").href = + "data:text/octet-stream;base64," + + window.btoa(data.httpAuth); + $tpl.querySelector( + ".js-download-verify-link" + ).download = data.httpPath.split("/").slice(-1); + $httpList.appendChild($tpl); + } + } + }); + }); - if ('dns-01' === data.type) { - $tpl.innerHTML = dnsTpl; - $tpl.querySelector(".js-acme-ver-txt-host").innerHTML = data.dnsHost; - $tpl.querySelector(".js-acme-ver-txt-value").innerHTML = data.dnsAnswer; - $dnsList.appendChild($tpl); - } else if ('http-01' === data.type) { - $tpl.innerHTML = httpTpl; - $tpl.querySelector(".js-acme-ver-file-location").innerHTML = data.httpPath.split("/").slice(-1); - $tpl.querySelector(".js-acme-ver-content").innerHTML = data.httpAuth; - $tpl.querySelector(".js-acme-ver-uri").innerHTML = data.httpPath; - $tpl.querySelector(".js-download-verify-link").href = - "data:text/octet-stream;base64," + window.btoa(data.httpAuth); - $tpl.querySelector(".js-download-verify-link").download = data.httpPath.split("/").slice(-1); - $httpList.appendChild($tpl); - } - } - }); - }); + // hide wildcard if no wildcard + // hide http-01 and dns-01 if only wildcard + if (!obj.wildcard.length) { + $qs(".js-acme-wildcard-challenges").hidden = true; + } + if (!obj["http-01"].length) { + $qs(".js-acme-challenges").hidden = true; + } - // hide wildcard if no wildcard - // hide http-01 and dns-01 if only wildcard - if (!obj.wildcard.length) { - $qs('.js-acme-wildcard-challenges').hidden = true; - } - if (!obj['http-01'].length) { - $qs('.js-acme-challenges').hidden = true; - } + console.info("[housekeeping] challenges", info.challenges); - console.info("[housekeeping] challenges", info.challenges); + updateChallengeType(); + return steps[i](); + }) + .catch(function(err) { + if (err.detail || err.urn) { + console.error("(Probably) User Error:"); + console.error(err); + return newAlert( + "There was an error, probably with your email or domain:\n" + + err.message + ); + } + throw err; + }); + }) + .catch(function(err) { + console.error("Step '' Error:"); + console.error(err, err.stack); + return newAlert( + "An error happened (but it's not your fault)." + + " Email aj@rootprojects.org to let him know that 'order and get challenges' failed." + ); + }); + }; - updateChallengeType(); - return steps[i](); - }).catch(function (err) { - if (err.detail || err.urn) { - console.error("(Probably) User Error:"); - console.error(err); - return newAlert("There was an error, probably with your email or domain:\n" + err.message); - } - throw err; - }); - }).catch(function (err) { - console.error('Step \'\' Error:'); - console.error(err, err.stack); - return newAlert("An error happened (but it's not your fault)." - + " Email aj@rootprojects.org to let him know that 'order and get challenges' failed."); - }); - }; + steps[3] = function() { + console.info("\n3. Present challenge options"); + updateProgress(1); + hideForms(); + $qs(".js-acme-form-challenges").hidden = false; + }; + steps[3].submit = function() { + console.info("[submit] 3. Fulfill challenges, fetch certificate"); - steps[3] = function () { - console.info("\n3. Present challenge options"); - updateProgress(1); - hideForms(); - $qs('.js-acme-form-challenges').hidden = false; - }; - steps[3].submit = function () { - console.info("[submit] 3. Fulfill challenges, fetch certificate"); + var challengePriority = ["dns-01"]; + if ("http-01" === $qs(".js-acme-challenge-type:checked").value) { + challengePriority.unshift("http-01"); + } + console.info("[challenge] selected ", challengePriority[0]); - var challengePriority = [ 'dns-01' ]; - if ('http-01' === $qs('.js-acme-challenge-type:checked').value) { - challengePriority.unshift('http-01'); - } - console.info("[challenge] selected ", challengePriority[0]); + // for now just show the next page immediately (its a spinner) + steps[i](); - // for now just show the next page immediately (its a spinner) - steps[i](); + return getAccountKeypair(info.email).then(function(jwk) { + // TODO put a test challenge in the list + // info.order.claims.push(...) + // TODO warn about wait-time if DNS + return getServerKeypair().then(function(serverJwk) { + return acme.orders + .complete({ + account: info.account, + accountKeypair: { privateKeyJwk: jwk }, + order: info.order, + domains: info.domains, + domainKeypair: { privateKeyJwk: serverJwk }, + challengePriority: challengePriority, + challenges: false, + onChallengeStatus: function(details) { + $qs(".js-challenge-responses").hidden = false; + $qs(".js-challenge-response-type").innerText = details.type; + $qs(".js-challenge-response-status").innerText = details.status; + $qs(".js-challenge-response-altname").innerText = details.altname; + } + }) + .then(function(certs) { + return Keypairs.export({ jwk: serverJwk }).then(function(keyPem) { + console.info("WINNING!"); + console.info(certs); + $qs("#js-fullchain").innerHTML = [ + certs.cert.trim() + "\n", + certs.chain + "\n" + ].join("\n"); + $qs("#js-download-fullchain-link").href = + "data:text/octet-stream;base64," + window.btoa(certs); - return getAccountKeypair(info.email).then(function (jwk) { - // TODO put a test challenge in the list - // info.order.claims.push(...) - // TODO warn about wait-time if DNS - return getServerKeypair().then(function (serverJwk) { - return acme.orders.complete({ - account: info.account - , accountKeypair: { privateKeyJwk: jwk } - , order: info.order - , domains: info.domains - , domainKeypair: { privateKeyJwk: serverJwk } - , challengePriority: challengePriority - , challenges: false - , onChallengeStatus: function (details) { - $qs('.js-challenge-responses').hidden = false; - $qs('.js-challenge-response-type').innerText = details.type; - $qs('.js-challenge-response-status').innerText = details.status; - $qs('.js-challenge-response-altname').innerText = details.altname; - } - }).then(function (certs) { - return Keypairs.export({ jwk: serverJwk }).then(function (keyPem) { - console.info('WINNING!'); - console.info(certs); - $qs('#js-fullchain').innerHTML = [ - certs.cert.trim() + "\n" - , certs.chain + "\n" - ].join("\n"); - $qs("#js-download-fullchain-link").href = - "data:text/octet-stream;base64," + window.btoa(certs); + $qs("#js-privkey").innerHTML = keyPem; + $qs("#js-download-privkey-link").href = + "data:text/octet-stream;base64," + window.btoa(keyPem); + return submitForm(); + }); + }); + }); + }); + }; - $qs('#js-privkey').innerHTML = keyPem; - $qs("#js-download-privkey-link").href = - "data:text/octet-stream;base64," + window.btoa(keyPem); - return submitForm(); - }); - }); - }); - }); - }; + // spinner + steps[4] = function() { + console.info("\n4. Show loading spinner"); + updateProgress(1); + hideForms(); + $qs(".js-acme-form-poll").hidden = false; + }; + steps[4].submit = function() { + console.info("[submit] 4. Order complete"); - // spinner - steps[4] = function () { - console.info('\n4. Show loading spinner'); - updateProgress(1); - hideForms(); - $qs('.js-acme-form-poll').hidden = false; - }; - steps[4].submit = function () { - console.info('[submit] 4. Order complete'); + return steps[i](); + }; - return steps[i](); - }; + steps[5] = function() { + console.info("\n5. Present certificates (yay!)"); + updateProgress(2); + hideForms(); + $qs(".js-acme-form-download").hidden = false; + }; - steps[5] = function () { - console.info('\n5. Present certificates (yay!)'); - updateProgress(2); - hideForms(); - $qs('.js-acme-form-download').hidden = false; - }; + function init() { + $qsa(".js-acme-api-type").forEach(function($el) { + $el.addEventListener("change", updateApiType); + }); + updateApiType(); - function init() { - $qsa('.js-acme-api-type').forEach(function ($el) { - $el.addEventListener('change', updateApiType); - }); - updateApiType(); + $qsa(".js-acme-form").forEach(function($el) { + $el.addEventListener("submit", function(ev) { + ev.preventDefault(); + return submitForm(ev); + }); + }); - $qsa('.js-acme-form').forEach(function ($el) { - $el.addEventListener('submit', function (ev) { - ev.preventDefault(); - return submitForm(ev); - }); - }); + $qsa(".js-acme-challenge-type").forEach(function($el) { + $el.addEventListener("change", updateChallengeType); + }); - $qsa('.js-acme-challenge-type').forEach(function ($el) { - $el.addEventListener('change', updateChallengeType); - }); + var params = new URLSearchParams(window.location.search); + var apiType = params.get("acme-api-type") || "staging-v02"; + if (params.has("acme-domains")) { + $qs(".js-acme-domains").value = params.get("acme-domains"); + $qsa(".js-acme-api-type").forEach(function(ele) { + if (ele.value === apiType) { + ele.checked = true; + } + }); - var params = new URLSearchParams(window.location.search); - var apiType = params.get('acme-api-type') || "staging-v02"; - if (params.has('acme-domains')) { - $qs('.js-acme-domains').value = params.get('acme-domains'); + updateApiType(); + steps[2](); + return submitForm(); + } else { + steps[1](); + } + } - $qsa('.js-acme-api-type').forEach(function(ele) { - if(ele.value === apiType) { - ele.checked = true; - } - }); + init(); + $qs("body").hidden = false; - updateApiType(); - steps[2](); - return submitForm(); - } else { - steps[1](); - } - } - - init(); - $qs('body').hidden = false; - - // in the background - info.cryptoCheck = testKeypairSupport().then(function () { - console.info("[crypto] self-check: passed"); - }).catch(function (err) { - console.error('[crypto] could not use either RSA nor EC.'); - console.error(err); - window.alert("Generating secure certificates requires a browser with cryptography support." - + "Please consider a recent version of Chrome, Firefox, or Safari."); - throw err; - }); -}()); + // in the background + info.cryptoCheck = testKeypairSupport() + .then(function() { + console.info("[crypto] self-check: passed"); + }) + .catch(function(err) { + console.error("[crypto] could not use either RSA nor EC."); + console.error(err); + window.alert( + "Generating secure certificates requires a browser with cryptography support." + + "Please consider a recent version of Chrome, Firefox, or Safari." + ); + throw err; + }); +})(); diff --git a/app/styles/main.css b/app/styles/main.css index d735684..4b0fe2c 100644 --- a/app/styles/main.css +++ b/app/styles/main.css @@ -1,263 +1,270 @@ body { - font-size: 18px; - font-family: Source Sans Pro, sans-serif; - margin: 0; - line-height: 1.33; - color: #1a1a1a; + font-size: 18px; + font-family: Source Sans Pro, sans-serif; + margin: 0; + line-height: 1.33; + color: #1a1a1a; } h1 { - text-align: center; - font-size: 1.77777778em; + text-align: center; + font-size: 1.77777778em; } a { - color: #1a1a1a; + color: #1a1a1a; } -input[type=email], input[type=text] { - font-size: 1em; - padding: 0.444444444em 0.888889em; - width: 100%; - border: solid 1px #d9d9d9; - border-radius: 2px; +input[type="email"], +input[type="text"] { + font-size: 1em; + padding: 0.444444444em 0.888889em; + width: 100%; + border: solid 1px #d9d9d9; + border-radius: 2px; } pre { - margin: 0; - font-family: Source Code Pro, monospace; + margin: 0; + font-family: Source Code Pro, monospace; } .column-row { - width: 22.222222em; + width: 22.222222em; } .column-container { - display: flex; - flex-direction: column; - align-items: center; + display: flex; + flex-direction: column; + align-items: center; } .progress-bar { - height: 0; - border: solid 1px #5bc17f; - background-color: #5bc17f; - display: flex; - justify-content: space-between; - align-items: center; - width: 22em; - margin: 1.388888889em auto; + height: 0; + border: solid 1px #5bc17f; + background-color: #5bc17f; + display: flex; + justify-content: space-between; + align-items: center; + width: 22em; + margin: 1.388888889em auto; } .greenlock-logo-badge > img { - width: 100%; + width: 100%; } .greenlock-logo-badge { - display: inline-block; - border: solid 1px #d9d9d9; - border-radius: 500px; - width: 5.333333333em; - height: 5.333333333em; - margin-top: 4.277777778em; + display: inline-block; + border: solid 1px #d9d9d9; + border-radius: 500px; + width: 5.333333333em; + height: 5.333333333em; + margin-top: 4.277777778em; } .header-row { - text-align: center; + text-align: center; } .progress-bar-step { - position: relative; - margin: -0.722222222em -0.166666667em; - display: inline-block; - background-color: white; - /* border-radius: 100%; */ - padding: 0 0.111111em; + position: relative; + margin: -0.722222222em -0.166666667em; + display: inline-block; + background-color: white; + /* border-radius: 100%; */ + padding: 0 0.111111em; } .progress-bar-step > .circle { - content: ""; - display: inline-block; - border: solid 0.111111111em #5bc17f; - width: 0.888888889em; - height: 0.888888889em; - border-radius: 100%; - background: white; + content: ""; + display: inline-block; + border: solid 0.111111111em #5bc17f; + width: 0.888888889em; + height: 0.888888889em; + border-radius: 100%; + background: white; } .progress-step-label { - text-align: center; - position: absolute; - left: 50%; - =: block font-size: ; - top: 139%; - font-size: 0.722222222em; - white-space: nowrap; + text-align: center; + position: absolute; + left: 50%; + top: 139%; + font-size: 0.722222222em; + white-space: nowrap; } .progress-step-label > div { - position: relative; - right: 50%; + position: relative; + right: 50%; } .greenlock-name { - color: #808080; + color: #808080; } .file-preview { - background: #f7f7f7; - position: relative; - font-size: 0.833333333em; - padding: 1.6em 2.9333em 1.6em 1.6em; + background: #f7f7f7; + position: relative; + font-size: 0.833333333em; + padding: 1.6em 2.9333em 1.6em 1.6em; } -.js-progress-step-complete > .circle, .js-progress-step-started > .circle { - background-color: #5bc17f; +.js-progress-step-complete > .circle, +.js-progress-step-started > .circle { + background-color: #5bc17f; } .progress-bar-step.js-progress-step-complete svg { - fill: white; - /* stroke: none; */ - display: initial; + fill: white; + /* stroke: none; */ + display: initial; } .checkbox-array { - display: flex; - flex-direction: column; - padding: 1em 0; + display: flex; + flex-direction: column; + padding: 1em 0; } -.checkbox-array input[type=checkbox] { - opacity: 0; - position: absolute; +.checkbox-array input[type="checkbox"] { + opacity: 0; + position: absolute; } -.checkbox-array input[type=checkbox] ~ .icon-checked-box { - display: none; +.checkbox-array input[type="checkbox"] ~ .icon-checked-box { + display: none; } -.checkbox-array input[type=checkbox] ~ .icon-unchecked-box { - display: initial; +.checkbox-array input[type="checkbox"] ~ .icon-unchecked-box { + display: initial; } -.checkbox-array input[type=checkbox]:checked ~ .icon-checked-box { - display: initial; +.checkbox-array input[type="checkbox"]:checked ~ .icon-checked-box { + display: initial; } -.checkbox-array input[type=checkbox]:checked ~ .icon-unchecked-box { - display: none; +.checkbox-array input[type="checkbox"]:checked ~ .icon-unchecked-box { + display: none; } -.checkbox-array .icon-checked-box, .checkbox-array .icon-unchecked-box { - width: 1.333333333em; - fill: #5bc17f; - margin-right: 0.666666667em; +.checkbox-array .icon-checked-box, +.checkbox-array .icon-unchecked-box { + width: 1.333333333em; + fill: #5bc17f; + margin-right: 0.666666667em; } .checkbox-array label { - display: flex; - height: 1.333333333em; - font-size: 0.833333333em; - margin: 0.4em 0; + display: flex; + height: 1.333333333em; + font-size: 0.833333333em; + margin: 0.4em 0; } -.checkbox-array input[type=checkbox]:focus ~ .icon-checked-box, .checkbox-array input[type=checkbox]:focus ~ .icon-unchecked-box { - background: #5bc17f52; +.checkbox-array input[type="checkbox"]:focus ~ .icon-checked-box, +.checkbox-array input[type="checkbox"]:focus ~ .icon-unchecked-box { + background: #5bc17f52; } .email-usage { - color: #666666; - font-size: 0.833333333em; - margin: 2em 0; + color: #666666; + font-size: 0.833333333em; + margin: 2em 0; } .button-next { - width: 100%; - background-color: #5bc17f; - border: none; - font-size: 1em; - color: white; - padding: 0.44444em; - margin: 1em 0; + width: 100%; + background-color: #5bc17f; + border: none; + font-size: 1em; + color: white; + padding: 0.44444em; + margin: 1em 0; } .tabbed-selector label { - width: 50%; - padding: 0.5em 0; + width: 50%; + padding: 0.5em 0; } .tabbed-selector { - display: flex; - font-weight: bold; - text-align: center; + display: flex; + font-weight: bold; + text-align: center; } -.tabbed-selector input[type=radio] { - display: none; +.tabbed-selector input[type="radio"] { + display: none; } .download-file svg { - fill: #5bc17f; - width: 1.333333333em; + fill: #5bc17f; + width: 1.333333333em; } .download-file a { - color: #5bc17f; + color: #5bc17f; } .mdicon { - position: relative; - top: 0.4em; + position: relative; + top: 0.4em; } .http-verification-info { - padding-right: 6.933333333em; + padding-right: 6.933333333em; } .paper-fold { - position: absolute; - width: 2em; - height: 2em; - border-left: solid #d9d9d9 1px; - border-bottom: solid #d9d9d9 1px; - right: 0; - top: 0; - background: linear-gradient(45deg, #f7f7f7 0%,#f7f7f7 50%,#ffffff 50%,#ffffff 100%); + position: absolute; + width: 2em; + height: 2em; + border-left: solid #d9d9d9 1px; + border-bottom: solid #d9d9d9 1px; + right: 0; + top: 0; + background: linear-gradient( + 45deg, + #f7f7f7 0%, + #f7f7f7 50%, + #ffffff 50%, + #ffffff 100% + ); } .file-ver-info-header { - color: #808080; + color: #808080; } .http-verification-info hr { - border: none; - border-bottom: solid 1px #d9d9d9; + border: none; + border-bottom: solid 1px #d9d9d9; } .acme-ver-uri { - word-break: break-all; - margin: auto; + word-break: break-all; + margin: auto; } .acme-ver-dns-label { - margin: 1.777777778em 0 0.444444444em 0; - border-bottom: solid 1px #d9d9d9; - font-weight: bold; - padding-bottom: 0.166666667em; + margin: 1.777777778em 0 0.444444444em 0; + border-bottom: solid 1px #d9d9d9; + font-weight: bold; + padding-bottom: 0.166666667em; } .tabbed-selector input[type="radio"]:checked ~ div { - border: solid 1px #5bc17f; - background-color: #5bc17f; + border: solid 1px #5bc17f; + background-color: #5bc17f; } .file-preview pre { - white-space: pre-line; - word-break: break-all; + white-space: pre-line; + word-break: break-all; } - .cert-download-container { - margin: 0 -31%; + margin: 0 -31%; } - diff --git a/index.html b/index.html index 940ba2c..034ee05 100644 --- a/index.html +++ b/index.html @@ -1,99 +1,171 @@ - - Greenlock™ - - - - - - - - - - - - -
+ + Greenlock™ + + + + + + + + + + + + +
+
+ Greenlock logo +
+
+

Get the green lock for your website

+
+
+
+ Greenlock will process the CSR in the browser and request the + certificates directly from letsencrypt.org. Please enable Javascript + before continuing. +
+
+
+ Secure | + https:// +
+ +
+ Domain, subdomain, or wildcard domain +
-
- -
-
-

Get the green lock for your website

-
-
-
- Greenlock will process the CSR in the browser and request the certificates directly from letsencrypt.org. - Please enable Javascript before continuing. -
- -
- Secure | https:// -
- -
Domain, subdomain, or wildcard domain
- -
- - - -
- API Compatibility: Let's Encrypt v2 / ACME draft 15 -
-
- A Root Project - | View Source (git) - | Terms of Service - | Privacy Policy -
-
- -
-
-
-

Why you need HTTPS

- SSL Certificates are required for secure login, accepting payments, and for browsers like Google Chrome to stop showing security warnings to your users. -
-
- - + - - - + -
- + gtag("config", "UA-118745161-2"); + +
+ diff --git a/js/app.js b/js/app.js index c4e2cb4..d792b3b 100644 --- a/js/app.js +++ b/js/app.js @@ -1,32 +1,39 @@ -(function () { -'use strict'; +(function() { + "use strict"; - var $qs = function (s) { return window.document.querySelector(s); }; + var $qs = function(s) { + return window.document.querySelector(s); + }; - $qs('.js-javascript-warning').hidden = true; + $qs(".js-javascript-warning").hidden = true; - var apiUrl = 'https://acme-{{env}}.api.letsencrypt.org/directory'; + var apiUrl = "https://acme-{{env}}.api.letsencrypt.org/directory"; - function updateApiType() { - var formData = new FormData($qs("#js-acme-form")); + function updateApiType() { + var formData = new FormData($qs("#js-acme-form")); - console.log('ACME api type radio:'); + console.log("ACME api type radio:"); - var value = formData.get("acme-api-type"); - $qs('#js-acme-api-url').value = apiUrl.replace(/{{env}}/g, value); - } + var value = formData.get("acme-api-type"); + $qs("#js-acme-api-url").value = apiUrl.replace(/{{env}}/g, value); + } - $qs('#js-acme-form').addEventListener('change', updateApiType); - //$qs('#js-acme-form').addEventListener('submit', prettyRedirect); + $qs("#js-acme-form").addEventListener("change", updateApiType); + //$qs('#js-acme-form').addEventListener('submit', prettyRedirect); - updateApiType(); - try { - document.fonts.load().then(function() { - $qs('body').classList.add("js-app-ready"); - }).catch(function(e) { - $qs('body').classList.add("js-app-ready"); - }); - } catch(e) { - setTimeout(function() {$qs('body').classList.add("js-app-ready");}, 200); - } -}()); + updateApiType(); + try { + document.fonts + .load() + .then(function() { + $qs("body").classList.add("js-app-ready"); + }) + .catch(function(e) { + $qs("body").classList.add("js-app-ready"); + }); + } catch (e) { + setTimeout(function() { + $qs("body").classList.add("js-app-ready"); + }, 200); + } +})(); diff --git a/legal.html b/legal.html index 1998036..06a321c 100644 --- a/legal.html +++ b/legal.html @@ -1,201 +1,315 @@ -

Greetings!

+ + + + Root Legal + + +

Greetings!

-

I, AJ ONeal, am not a big fan of legalize, but I am a fan of communicating -clearly. I hope that this accomplish both defining some legal boundaries as well -as communicating in a friendly and clear way, at least to the degree that suits -our needs for the current stage of our products and services. +

+ I, AJ ONeal, am not a big fan of legalize, but I am a fan of communicating + clearly. I hope that this accomplish both defining some legal boundaries + as well as communicating in a friendly and clear way, at least to the + degree that suits our needs for the current stage of our products and + services. +

-

This is important because it is our intent to create sustainable open source -projects, which means that we do want to create brand value, grow community, -and, eventually, be able to work full time on creating more great software and services. +

+ This is important because it is our intent to create sustainable open + source projects, which means that we do want to create brand value, grow + community, and, eventually, be able to work full time on creating more + great software and services. +

-

If you'd like to contact me, especially if you feel that I (or we) have made -a mistake in how we operate, please do so: +

+ If you'd like to contact me, especially if you feel that I (or we) have + made a mistake in how we operate, please do so: +

- + -

Contents

-

Here's what I've worked through so far: +

Contents

+

Here's what I've worked through so far:

- + -

Greenlock Domains™

+

Greenlock Domains™

-

Greenlock Domains is a service provided by -AJ, Brian, - John, & Josh -(collectively Root) -for automated TLS, SSL, and HTTPS. +

+ Greenlock Domains is a service provided by + AJ, Brian, + John, & Josh + (collectively Root) for automated + TLS, SSL, and HTTPS. +

- -

Greenlock Domains is an important product / service combo to us -because it's a huge milestone on the path to a more decentralized web. -We believe in ownership and control and we're -building a Home Server -because we envision a world in which everyone is empowered to make -the choice of whether to rent or own their stuff. +

+ Greenlock Domains is an important product / service combo to us because + it's a huge milestone on the path to a more decentralized web. We believe + in + ownership and control and we're building a + Home Server because we envision a + world in which everyone is empowered to make the choice of whether to rent + or own their stuff. +

-

If we don't do this, well, with the way the cloud is headed, -renting may be the only option in the future. +

+ If we don't do this, well, with the way the cloud is headed, renting may + be the only option in the future. +

-

We need Root because we want ownership. +

We need Root because we want ownership.

-

If at any time you feel that any of our messaging or practices -are in conflict with our mission or these values, please let us know. +

+ If at any time you feel that any of our messaging or practices are in + conflict with our mission or these values, please let us know. +

-

Licensing

+

Licensing

-

Each of our products comes with its own LICENSE file and the license(s) -may alse be in some sort of manifest file (such as package.json). +

+ Each of our products comes with its own LICENSE file and the license(s) + may alse be in some sort of manifest file (such as package.json). +

-

We typically use the MIT and Apache-2.0 licenses for libraries that we -actively want others to copy, modify, use and redistribute. +

+ We typically use the MIT and Apache-2.0 licenses for libraries that we + actively want others to copy, modify, use and redistribute. +

-

We typically use ISC and MPL-2.0 with products for which we're a little more -concerned about branding or about which we have particularly strong opinions. +

+ We typically use ISC and MPL-2.0 with products for which we're a little + more concerned about branding or about which we have particularly strong + opinions. +

-

Although we do keep some of our software proprietary and we do use trademarks, -because we believe in empowerment and choice we do our best to provide usable -self-service forms of our products and services for personal use. +

+ Although we do keep some of our software proprietary and we do use + trademarks, because we believe in empowerment and choice we do our best to + provide usable self-service forms of our products and services for + personal use. +

-

If at any time you feel that our Licensing is in conflict with our mission or values, -please let us know. +

+ If at any time you feel that our Licensing is in conflict with our mission + or values, please let us know. +

-

Terms of Service

+

Terms of Service

-

We want to make the world a better place. -Everyone has a different definition of what "a better place" means, -so the purpose of our terms is to rule out some things that -we think makes the world (and particularly our world) a worse place: +

+ We want to make the world a better place. Everyone has a different + definition of what "a better place" means, so the purpose of our terms is + to rule out some things that we think makes the world (and particularly + our world) a worse place: +

-

You agree that you will use the Greenlock™ service, code, libraries, -documentation, etc (provided by us) -primarily for securing network connections for yourself, your customers, -on your and your customer's devices on internets, intranets, and... other nets. +

+ You agree that you will use the Greenlock™ service, code, libraries, + documentation, etc (provided by us) primarily for + securing network connections for yourself, your customers, on your and + your customer's devices on internets, intranets, and... other nets. +

-

You agree that you will take reasonable measures to keep up-to-date with security -releases. +

+ You agree that you will take reasonable measures to keep up-to-date with + security releases. +

-

You agree to not use our products or services in a way that would cause unusual -or undue burden on our servers or services, our partners servers or services, or our -customers servers or services, or in a way that harms or misrepresents the reputation -or brand value (including causing brand confusion) of the aforementioned parties -(or really anybody). +

+ You agree to not use our products or services in a way that would cause + unusual or undue burden on our servers or services, our partners servers + or services, or our customers servers or services, or in a way that harms + or misrepresents the reputation or brand value (including causing brand + confusion) of the aforementioned parties (or really anybody). +

-

This is not to say that you can't publicly have a negative opinion, but don't -bite the hand that feeds and don't be vicious or misrepresentative. +

+ This is not to say that you can't publicly have a negative opinion, but + don't bite the hand that feeds and don't be vicious or misrepresentative. +

-

If you have a use case that may be in violation of these terms (particularly -the part about undue burden), but you feel contributes to making the world a better -place, we're here to help (assuming it also aligns with our values). -Although it may not be appropriate to use our services, but perhaps we can help -you with a solution based on our no-cost, low-cost or open source products. +

+ If you have a use case that may be in violation of these terms + (particularly the part about undue burden), but you feel contributes to + making the world a better place, we're here to help (assuming it also + aligns with our values). Although it may not be appropriate to use our + services, but perhaps we can help you with a solution based on our + no-cost, low-cost or open source products. +

-

If at any time you feel that our Terms of Service are in conflict with our -mission or values, please let us know. +

+ If at any time you feel that our Terms of Service are in conflict with our + mission or values, please let us know. +

-

Trademark

+

Trademark

-

"Greenlock" and the "green G lock" mark are Trademarks of -AJ ONeal. +

+ "Greenlock" and the "green G lock" mark are Trademarks of + AJ ONeal. +

-

We'll be coming out with a brand guide as to how you should use -the marks. In the meantime: don't change the proportions, colors -(excepting the case of greyscale and black and white). +

+ We'll be coming out with a brand guide as to how you should use the marks. + In the meantime: don't change the proportions, colors (excepting the case + of greyscale and black and white). +

-

It is appropriate to use the trademark in a way that promotes the -brand with proper attribution, linking to the official project repositories, etc. +

+ It is appropriate to use the trademark in a way that promotes the brand + with proper attribution, linking to the official project repositories, + etc. +

-

It is appropriate use the name greenlock in a plugin for Greenlock™, -as long as it is clear that it is a community contribution. +

+ It is appropriate use the name greenlock in a plugin for Greenlock™, + as long as it is clear that it is a community contribution. +

-

If you create a "hard" fork of our code or any products or services, -you should give your fork its own name, and not use ours. -That sound, we gladly welcome your suggestiosn and pull requests. +

+ If you create a "hard" fork of our code or any products or services, you + should give your fork its own name, and not use ours. That sound, we + gladly welcome your suggestiosn and pull requests. +

-

If you mirror our code you should make it clear that it is a mirror -and link to the official repository. -in association with usand the disclose that you use Greenlock +

+ If you mirror our code you should make it clear that it is a mirror and + link to the official repository. in association with usand the disclose + that you use Greenlock +

-

If at any time you feel that our Trademark policies are in conflict with our -values, please let us know. +

+ If at any time you feel that our Trademark policies are in conflict with + our values, please let us know. +

-

Privacy Policy

+

Privacy Policy

-

What we collect and (more importantly) Why: +

What we collect and (more importantly) Why:

-

Name: -

In the cases that we collect your name, it's because we want to know how to address you. -All four of us want to be personable if and when we reach out. +

Name:

+

+ In the cases that we collect your name, it's because we want to know how + to address you. All four of us want to be personable if and when we reach + out. +

-

Email: -

There are three main purposes for which we may use your email address: +

Email:

+

+ There are three main purposes for which we may use your email address: +

-

1. A one-time outreach to ask if you were able to do what you intended to do. -We want to make a great product. Although open source projects traditionally have -a reactive approach to communication (i.e. you file a bug and wait for a response), -we believe that creating sustainable open source requires a proactive approach. +

+ 1. A one-time outreach to ask if you were able to do what you intended to + do. We want to make a great product. Although open source projects + traditionally have a reactive approach to communication (i.e. you + file a bug and wait for a response), we believe that creating sustainable + open source requires a proactive approach. +

-

2. Security and legal notifications. It's important that we have a way to contact you -if we've made a mistake or discover a mistake that needs to be addressed. This -may include vulnerabilities as well as mandatory upgrades (such as when a -significant change to the Let's Encrypt API is made). Making sure that our products -work and are secure aligns with our values and contributes to our brand identity. +

+ 2. Security and legal notifications. It's important that we have a way to + contact you if we've made a mistake or discover a mistake that needs to be + addressed. This may include vulnerabilities as well as mandatory upgrades + (such as when a significant change to the Let's Encrypt API is made). + Making sure that our products work and are secure aligns with our values + and contributes to our brand identity. +

-

3. Opt-in updates. Many of you want to know when we have significant feature updates -or when we have something that we believe is really valuable to share. We've created an -opt-in avenue for that. And you can always opt-out as well. +

+ 3. Opt-in updates. Many of you want to know when we have significant + feature updates or when we have something that we believe is really + valuable to share. We've created an opt-in avenue for that. And you can + always opt-out as well. +

-

Telemetry: -

We believe that the current open source model needs improvement - it often -relies heavily on large centralized platforms which aggregate a lot of user -information for the platform without appropriately targeting the relationship -between authors and users of projcts (i.e. npm, github, etc). We believe that -making open source sustainable means a greater focus on empowering authors -and users. We've learned from other projects (Caddy, Heroku, and others) which -use telemetry as part of a proactive approach to open source and we believe that -it can be a great avenue for us to be proactive as well. +

Telemetry:

+

+ We believe that the current open source model needs improvement - it often + relies heavily on large centralized platforms which aggregate a lot of + user information for the platform without appropriately targeting the + relationship between authors and users of projcts (i.e. npm, github, etc). + We believe that making open source sustainable means a greater focus on + empowering authors and users. We've learned from other projects (Caddy, + Heroku, and others) which use telemetry as part of a proactive approach to + open source and we believe that it can be a great avenue for us to be + proactive as well. +

-

We may use telemetry about operating system, browser, node version, code version, -and other system-level information to better understand how we can serve our users (you) -and proactively solve problems that we might not otherwise hear about. For example, if -we see many page visits in a certain browser (or installs with a new version of node), -but few successful registrations, we know that something is wrong. +

+ We may use telemetry about operating system, browser, node version, code + version, and other system-level information to better understand how we + can serve our users (you) and proactively solve problems that we might not + otherwise hear about. For example, if we see many page visits in a certain + browser (or installs with a new version of node), but few successful + registrations, we know that something is wrong. +

-

Other: -

We also use Google Analytics on our web sites for basic functionality. -Other than that, nothing else comes to mind right now. -As we consider what we will do in the future, it will be measured against our mission and values. -We never want to come across as spammy or forceful. We want to do things that help us build -our brand, acknowledge our customers; things that are proactive, and that -promote sustainable source. +

Other:

+

+ We also use Google Analytics on our web sites for basic functionality. + Other than that, nothing else comes to mind right now. As we consider what + we will do in the future, it will be measured against our mission and + values. We never want to come across as spammy or forceful. We want to do + things that help us build our brand, acknowledge our customers; things + that are proactive, and that promote sustainable source. +

-

If at any time you feel that our Privacy policy is in conflict with our mission or values, -please let us know. +

+ If at any time you feel that our Privacy policy is in conflict with our + mission or values, please let us know. +

-
-
-

Copyright 2018 AJ ONeal +
+
+

Copyright 2018 AJ ONeal

+ + diff --git a/styles/main.css b/styles/main.css index 43dda6b..7ba1fb9 100644 --- a/styles/main.css +++ b/styles/main.css @@ -1,115 +1,114 @@ .column-row { - display: flex; - flex-direction: column; - text-align: center; - align-items: center; + display: flex; + flex-direction: column; + text-align: center; + align-items: center; } body { - position: relative; - margin-top: 5.777777778em; - min-height: 36em; - font-size: 18px; - font-family: 'Source Sans Pro', sans-serif; - font-stretch: normal; - line-height: 1.33; - letter-spacing: -0.4px; - color: #1a1a1a; - opacity: 0; + position: relative; + margin-top: 5.777777778em; + min-height: 36em; + font-size: 18px; + font-family: "Source Sans Pro", sans-serif; + font-stretch: normal; + line-height: 1.33; + letter-spacing: -0.4px; + color: #1a1a1a; + opacity: 0; } h1 { - font-size: 2.666666667em; - max-width: 8em; - text-align: center; + font-size: 2.666666667em; + max-width: 8em; + text-align: center; } input { - font-size: 1em; - padding: 0.444444444em; - border: solid #d9d9d9 1px; - border-radius: 2px; - font-family: inherit; + font-size: 1em; + padding: 0.444444444em; + border: solid #d9d9d9 1px; + border-radius: 2px; + font-family: inherit; } button { - padding: 0.444444444em 1.2em; - font-size: 1em; - background-color: #5bc17f; - border: solid 1px #5bc17f; - border-radius: 2px; - font-weight: normal; - font-stretch: normal; - letter-spacing: -0.4px; - font-family: inherit; - text-align: center; - color: white; - height: 40px; - line-height: 1.13; + padding: 0.444444444em 1.2em; + font-size: 1em; + background-color: #5bc17f; + border: solid 1px #5bc17f; + border-radius: 2px; + font-weight: normal; + font-stretch: normal; + letter-spacing: -0.4px; + font-family: inherit; + text-align: center; + color: white; + height: 40px; + line-height: 1.13; } .acme-advanced-fields { - position: absolute; - bottom: 0; - padding: 1em; - text-align: center; + position: absolute; + bottom: 0; + padding: 1em; + text-align: center; } .domain-subtext { - font-size: 0.833333333em; - color: #666; - text-align: center; - margin: 0.5em; + font-size: 0.833333333em; + color: #666; + text-align: center; + margin: 0.5em; } input#acme-domains:before { - content: "Secure | https://"; + content: "Secure | https://"; } .domain-psuedo-input { - display: inline-block; - margin-right: .6666667em; - border: solid #d9d9d9 1px; - border-radius: 2px; - padding: 0.44444444em; - color: #d9d9d9; + display: inline-block; + margin-right: 0.6666667em; + border: solid #d9d9d9 1px; + border-radius: 2px; + padding: 0.44444444em; + color: #d9d9d9; } input#acme-domains { - border: none; - padding: 0; - padding-right: 0; - width: 17.2222222em; - color: #222; + border: none; + padding: 0; + padding-right: 0; + width: 17.2222222em; + color: #222; } input#acme-domains:focus { - outline: none; + outline: none; } span.secure-green { - color: #5bc17f; + color: #5bc17f; } .why-you-need { - width: 26.555556em; + width: 26.555556em; } body.js-app-ready { - transition: opacity 0.2s; - opacity: 1; + transition: opacity 0.2s; + opacity: 1; } .acme-advanced-fields > * { - margin: 0 0.5em; + margin: 0 0.5em; } .js-javascript-warning { - border: solid 1px red; - background-color: #ffc0cb40; - border-radius: 2px; - margin: 0.6em; - padding: 0.5em 1em; - width: 30em; - } - \ No newline at end of file + border: solid 1px red; + background-color: #ffc0cb40; + border-radius: 2px; + margin: 0.6em; + padding: 0.5em 1em; + width: 30em; +}