greenlock.js/backends/ursa.js

'use strict';

var PromiseA = require('bluebird');
var path = require('path');
var fs = PromiseA.promisifyAll(require('fs'));
var cutils = PromiseA.promisifyAll(require('../lib/crypto-utils-ursa'));
//var futils = require('letsencrypt-forge/lib/crypto-utils');
var requestAsync = PromiseA.promisify(require('request'));
var lef = PromiseA.promisifyAll(require('letsencrypt-forge'));
var knownUrls = ['new-authz', 'new-cert', 'new-reg', 'revoke-cert'];

var ipc = {}; // in-process cache

//function noop() {}
function getAcmeUrls(args) {
  var now = Date.now();

  // TODO check response header on request for cache time
  if ((now - ipc.acmeUrlsUpdatedAt) < 10 * 60 * 1000) {
    return PromiseA.resolve(ipc.acmeUrls);
  }

  return requestAsync({
    url: args.server
  }).then(function (resp) {
    var data = resp.body;

    if ('string' === typeof data) {
      try {
        data = JSON.parse(data);
      } catch(e) {
        return PromiseA.reject(e);
      }
    }

    if (4 !== Object.keys(data).length) {
      console.warn("This Let's Encrypt / ACME server has been updated with urls that this client doesn't understand");
      console.warn(data);
    }
    if (!knownUrls.every(function (url) {
      return data[url];
    })) {
      console.warn("This Let's Encrypt / ACME server is missing urls that this client may need.");
      console.warn(data);
    }

    ipc.acmeUrlsUpdatedAt = Date.now();
    ipc.acmeUrls = {
      newAuthz: data['new-authz']
    , newCert: data['new-cert']
    , newReg: data['new-reg']
    , revokeCert: data['revoke-cert']
    };

    return ipc.acmeUrls;
  });
}

function createAccount(args, handlers) {
  var mkdirpAsync = PromiseA.promisify(require('mkdirp'));
  var os = require("os");
  var localname = os.hostname();

  // TODO support ECDSA
  // arg.rsaBitLength args.rsaExponent
  return cutils.generateRsaKeypairAsync(args.rsaBitLength, args.rsaExponent).then(function (pems) {
    /* pems = { privateKeyPem, privateKeyJwk, publicKeyPem, publicKeyMd5 } */

    return lef.registerNewAccountAsync({
      email: args.email
    , newReg: args._acmeUrls.newReg
    , debug: args.debug || handlers.debug
    , agreeToTerms: function (tosUrl, agree) {
        // args.email = email; // already there
        args.tosUrl = tosUrl;
        handlers.agreeToTerms(args, agree);
      }
    , accountPrivateKeyPem: pems.privateKeyPem
    }).then(function (body) {
      if (body instanceof Buffer) {
        body = body.toString('utf8');
      }
      if ('string' === typeof body) {
        try {
          body = JSON.parse(body);
        } catch(e) {
          // ignore
        }
      }

      var accountDir = path.join(args.accountsDir, pems.publicKeyMd5);

      return mkdirpAsync(accountDir).then(function () {

        var isoDate = new Date().toISOString();
        var accountMeta = {
          creation_host: localname
        , creation_dt: isoDate
        };

        // meta.json {"creation_host": "ns1.redirect-www.org", "creation_dt": "2015-12-11T04:14:38Z"}
        // private_key.json { "e", "d", "n", "q", "p", "kty", "qi", "dp", "dq" }
        // regr.json:
        /*
        { body:
        { contact: [ 'mailto:coolaj86@gmail.com' ],
         agreement: 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf',
         key: { e: 'AQAB', kty: 'RSA', n: '...' } },
          uri: 'https://acme-v01.api.letsencrypt.org/acme/reg/71272',
          new_authzr_uri: 'https://acme-v01.api.letsencrypt.org/acme/new-authz',
          terms_of_service: 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf' }
         */
        return PromiseA.all([
          fs.writeFileAsync(path.join(accountDir, 'meta.json'), JSON.stringify(accountMeta), 'utf8')
        , fs.writeFileAsync(path.join(accountDir, 'private_key.json'), JSON.stringify(pems.privateKeyJwk), 'utf8')
        , fs.writeFileAsync(path.join(accountDir, 'regr.json'), JSON.stringify({ body: body }), 'utf8')
        ]).then(function () {
          return pems;
        });
      });
    });
  });
}

function getAccount(accountId, args, handlers) {
  var accountDir = path.join(args.accountsDir, accountId);
  var files = {};
  var configs = ['meta.json', 'private_key.json', 'regr.json'];

  return PromiseA.all(configs.map(function (filename) {
    var keyname = filename.slice(0, -5);

    return fs.readFileAsync(path.join(accountDir, filename), 'utf8').then(function (text) {
      var data;

      try {
        data = JSON.parse(text);
      } catch(e) {
        files[keyname] = { error: e };
        return;
      }

      files[keyname] = data;
    }, function (err) {
      files[keyname] = { error: err };
    });
  })).then(function () {

    if (!Object.keys(files).every(function (key) {
      return !files[key].error;
    })) {
      console.warn("Account '" + accountId + "' was currupt. No big deal (I think?). Creating a new one...");
      return createAccount(args, handlers);
    }

    return cutils.parseAccountPrivateKeyAsync(files.private_key).then(function (keypair) {
      files.accountId = accountId;                  // md5sum(publicKeyPem)
      files.publicKeyMd5 = accountId;               // md5sum(publicKeyPem)
      files.publicKeyPem = keypair.publicKeyPem;    // ascii PEM: ----BEGIN...
      files.privateKeyPem = keypair.privateKeyPem;  // ascii PEM: ----BEGIN...
      files.privateKeyJson = keypair.private_key;   // json { n: ..., e: ..., iq: ..., etc }

      return files;
    });
  });
}

function getAccountByEmail(args) {
  // If we read 10,000 account directories looking for
  // just one email address, that could get crazy.
  // We should have a folder per email and list
  // each account as a file in the folder
  // TODO
  return PromiseA.resolve(null);
}

module.exports.create = function (defaults, handlers) {
  var LE = require('../');
  var pyconf = PromiseA.promisifyAll(require('pyconf'));

  defaults.server = defaults.server || LE.liveServer;

  var wrapped = {
    registerAsync: function (args) {
      args.server = args.server || defaults.server || LE.liveServer; // https://acme-v01.api.letsencrypt.org/directory
      var acmeHostname = require('url').parse(args.server).hostname;
      var configDir = args.configDir || defaults.configDir || LE.configDir;
      args.renewalDir = args.renewalDir || path.join(configDir, 'renewal', args.domains[0] + '.conf');
      args.accountsDir = args.accountsDir || path.join(configDir, 'accounts', acmeHostname, 'directory');

      return pyconf.readFileAsync(args.renewalDir).then(function (renewal) {
        return renewal.account;
      }, function (err) {
        if ("EENOENT" === err.code) {
          return getAccountByEmail(args, handlers);
        }

        return PromiseA.reject(err);
      }).then(function (accountId) {
        // Note: the ACME urls are always fetched fresh on purpose
        return getAcmeUrls(args).then(function (urls) {
          args._acmeUrls = urls;

          if (accountId) {
            return getAccount(accountId, args, handlers);
          } else {
            return createAccount(args, handlers);
          }
        });
      }).then(function (account) {
      /*
        , domains: Array.isArray(args.domains) || (args.domains||'').split(',')
        , webroot: args.webrootPath
        , accountPrivateKeyPem: obj.privateKeyPem
        , setChallenge: function (domain, key, value, done) {
            args.domains = [domain];
            handlers.setChallenge(args, key, value, done);
          }
        , removeChallenge: function (domain, key, done) {
            args.domains = [domain];
            handlers.removeChallenge(args, key, done);
          }
      */
        console.log(account);
        throw new Error("IMPLEMENTATION NOT COMPLETE");
      });
/*
      return fs.readdirAsync(accountsDir, function (nodes) {
        return PromiseA.all(nodes.map(function (node) {
          var reMd5 = /[a-f0-9]{32}/i;
          if (reMd5.test(node)) {
          }
        }));
      });
*/
    }
  , fetchAsync: function (args) {
      var hostname = args.domains[0];
      var crtpath = defaults.configDir + defaults.fullchainTpl.replace(/:hostname/, hostname);
      var privpath = defaults.configDir + defaults.privkeyTpl.replace(/:hostname/, hostname);

      return PromiseA.all([
        fs.readFileAsync(privpath, 'ascii')
      , fs.readFileAsync(crtpath, 'ascii')
        // stat the file, not the link
      , fs.statAsync(crtpath)
      ]).then(function (arr) {
        return {
          key: arr[0]  // privkey.pem
        , cert: arr[1] // fullchain.pem
          // TODO parse centificate for lifetime / expiresAt
        , issuedAt: arr[2].mtime.valueOf()
        };
      }, function () {
        return null;
      });
    }
  };

  return wrapped;
};
begin ursa 2015-12-15 11:37:39 +00:00			`'use strict';`

			`var PromiseA = require('bluebird');`
			`var path = require('path');`
			`var fs = PromiseA.promisifyAll(require('fs'));`
updates 2015-12-15 12:01:05 +00:00			`var cutils = PromiseA.promisifyAll(require('../lib/crypto-utils-ursa'));`
begin ursa 2015-12-15 11:37:39 +00:00			`//var futils = require('letsencrypt-forge/lib/crypto-utils');`
			`var requestAsync = PromiseA.promisify(require('request'));`
			`var lef = PromiseA.promisifyAll(require('letsencrypt-forge'));`
			`var knownUrls = ['new-authz', 'new-cert', 'new-reg', 'revoke-cert'];`

			`var ipc = {}; // in-process cache`

			`//function noop() {}`
			`function getAcmeUrls(args) {`
			`var now = Date.now();`

			`// TODO check response header on request for cache time`
			`if ((now - ipc.acmeUrlsUpdatedAt) < 10 * 60 * 1000) {`
			`return PromiseA.resolve(ipc.acmeUrls);`
			`}`

			`return requestAsync({`
			`url: args.server`
more working 2015-12-15 13:11:19 +00:00			`}).then(function (resp) {`
			`var data = resp.body;`

			`if ('string' === typeof data) {`
			`try {`
			`data = JSON.parse(data);`
			`} catch(e) {`
			`return PromiseA.reject(e);`
			`}`
			`}`

begin ursa 2015-12-15 11:37:39 +00:00			`if (4 !== Object.keys(data).length) {`
			`console.warn("This Let's Encrypt / ACME server has been updated with urls that this client doesn't understand");`
more working 2015-12-15 13:11:19 +00:00			`console.warn(data);`
begin ursa 2015-12-15 11:37:39 +00:00			`}`
			`if (!knownUrls.every(function (url) {`
			`return data[url];`
			`})) {`
			`console.warn("This Let's Encrypt / ACME server is missing urls that this client may need.");`
more working 2015-12-15 13:11:19 +00:00			`console.warn(data);`
begin ursa 2015-12-15 11:37:39 +00:00			`}`

			`ipc.acmeUrlsUpdatedAt = Date.now();`
			`ipc.acmeUrls = {`
			`newAuthz: data['new-authz']`
			`, newCert: data['new-cert']`
			`, newReg: data['new-reg']`
			`, revokeCert: data['revoke-cert']`
			`};`

			`return ipc.acmeUrls;`
			`});`
			`}`

			`function createAccount(args, handlers) {`
			`var mkdirpAsync = PromiseA.promisify(require('mkdirp'));`
			`var os = require("os");`
			`var localname = os.hostname();`

			`// TODO support ECDSA`
			`// arg.rsaBitLength args.rsaExponent`
updates 2015-12-15 12:45:36 +00:00			`return cutils.generateRsaKeypairAsync(args.rsaBitLength, args.rsaExponent).then(function (pems) {`
			`/* pems = { privateKeyPem, privateKeyJwk, publicKeyPem, publicKeyMd5 } */`
begin ursa 2015-12-15 11:37:39 +00:00
			`return lef.registerNewAccountAsync({`
			`email: args.email`
more working 2015-12-15 13:11:19 +00:00			`, newReg: args._acmeUrls.newReg`
begin ursa 2015-12-15 11:37:39 +00:00			`, debug: args.debug \|\| handlers.debug`
			`, agreeToTerms: function (tosUrl, agree) {`
updates 2015-12-15 12:45:36 +00:00			`// args.email = email; // already there`
begin ursa 2015-12-15 11:37:39 +00:00			`args.tosUrl = tosUrl;`
			`handlers.agreeToTerms(args, agree);`
			`}`
updates 2015-12-15 12:45:36 +00:00			`, accountPrivateKeyPem: pems.privateKeyPem`
begin ursa 2015-12-15 11:37:39 +00:00			`}).then(function (body) {`
one step closer 2015-12-15 13:21:26 +00:00			`if (body instanceof Buffer) {`
			`body = body.toString('utf8');`
			`}`
begin ursa 2015-12-15 11:37:39 +00:00			`if ('string' === typeof body) {`
			`try {`
			`body = JSON.parse(body);`
			`} catch(e) {`
			`// ignore`
			`}`
			`}`
updates 2015-12-15 12:45:36 +00:00
one step closer 2015-12-15 13:21:26 +00:00			`var accountDir = path.join(args.accountsDir, pems.publicKeyMd5);`

			`return mkdirpAsync(accountDir).then(function () {`
updates 2015-12-15 12:45:36 +00:00
			`var isoDate = new Date().toISOString();`
			`var accountMeta = {`
			`creation_host: localname`
			`, creation_dt: isoDate`
			`};`

begin ursa 2015-12-15 11:37:39 +00:00			`// meta.json {"creation_host": "ns1.redirect-www.org", "creation_dt": "2015-12-11T04:14:38Z"}`
			`// private_key.json { "e", "d", "n", "q", "p", "kty", "qi", "dp", "dq" }`
updates 2015-12-15 12:45:36 +00:00			`// regr.json:`
begin ursa 2015-12-15 11:37:39 +00:00			`/*`
			`{ body:`
			`{ contact: [ 'mailto:coolaj86@gmail.com' ],`
			`agreement: 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf',`
updates 2015-12-15 12:45:36 +00:00			`key: { e: 'AQAB', kty: 'RSA', n: '...' } },`
begin ursa 2015-12-15 11:37:39 +00:00			`uri: 'https://acme-v01.api.letsencrypt.org/acme/reg/71272',`
			`new_authzr_uri: 'https://acme-v01.api.letsencrypt.org/acme/new-authz',`
			`terms_of_service: 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf' }`
			`*/`
			`return PromiseA.all([`
updates 2015-12-15 12:45:36 +00:00			`fs.writeFileAsync(path.join(accountDir, 'meta.json'), JSON.stringify(accountMeta), 'utf8')`
			`, fs.writeFileAsync(path.join(accountDir, 'private_key.json'), JSON.stringify(pems.privateKeyJwk), 'utf8')`
begin ursa 2015-12-15 11:37:39 +00:00			`, fs.writeFileAsync(path.join(accountDir, 'regr.json'), JSON.stringify({ body: body }), 'utf8')`
updates 2015-12-15 12:45:36 +00:00			`]).then(function () {`
			`return pems;`
			`});`
begin ursa 2015-12-15 11:37:39 +00:00			`});`
			`});`
			`});`
			`}`

updates 2015-12-15 12:45:36 +00:00			`function getAccount(accountId, args, handlers) {`
begin ursa 2015-12-15 11:37:39 +00:00			`var accountDir = path.join(args.accountsDir, accountId);`
			`var files = {};`
			`var configs = ['meta.json', 'private_key.json', 'regr.json'];`

			`return PromiseA.all(configs.map(function (filename) {`
			`var keyname = filename.slice(0, -5);`

			`return fs.readFileAsync(path.join(accountDir, filename), 'utf8').then(function (text) {`
			`var data;`

			`try {`
			`data = JSON.parse(text);`
			`} catch(e) {`
			`files[keyname] = { error: e };`
			`return;`
			`}`

			`files[keyname] = data;`
			`}, function (err) {`
updates 2015-12-15 12:45:36 +00:00			`files[keyname] = { error: err };`
begin ursa 2015-12-15 11:37:39 +00:00			`});`
			`})).then(function () {`

			`if (!Object.keys(files).every(function (key) {`
			`return !files[key].error;`
			`})) {`
			`console.warn("Account '" + accountId + "' was currupt. No big deal (I think?). Creating a new one...");`
updates 2015-12-15 12:45:36 +00:00			`return createAccount(args, handlers);`
begin ursa 2015-12-15 11:37:39 +00:00			`}`

			`return cutils.parseAccountPrivateKeyAsync(files.private_key).then(function (keypair) {`
			`files.accountId = accountId; // md5sum(publicKeyPem)`
updates 2015-12-15 12:45:36 +00:00			`files.publicKeyMd5 = accountId; // md5sum(publicKeyPem)`
begin ursa 2015-12-15 11:37:39 +00:00			`files.publicKeyPem = keypair.publicKeyPem; // ascii PEM: ----BEGIN...`
			`files.privateKeyPem = keypair.privateKeyPem; // ascii PEM: ----BEGIN...`
			`files.privateKeyJson = keypair.private_key; // json { n: ..., e: ..., iq: ..., etc }`

			`return files;`
			`});`
			`});`
			`}`

			`function getAccountByEmail(args) {`
			`// If we read 10,000 account directories looking for`
			`// just one email address, that could get crazy.`
			`// We should have a folder per email and list`
			`// each account as a file in the folder`
			`// TODO`
			`return PromiseA.resolve(null);`
			`}`

updates 2015-12-15 12:45:36 +00:00			`module.exports.create = function (defaults, handlers) {`
can register new accounts 2015-12-15 12:12:15 +00:00			`var LE = require('../');`
begin ursa 2015-12-15 11:37:39 +00:00			`var pyconf = PromiseA.promisifyAll(require('pyconf'));`

			`defaults.server = defaults.server \|\| LE.liveServer;`

			`var wrapped = {`
			`registerAsync: function (args) {`
			`args.server = args.server \|\| defaults.server \|\| LE.liveServer; // https://acme-v01.api.letsencrypt.org/directory`
can register new accounts 2015-12-15 12:12:15 +00:00			`var acmeHostname = require('url').parse(args.server).hostname;`
begin ursa 2015-12-15 11:37:39 +00:00			`var configDir = args.configDir \|\| defaults.configDir \|\| LE.configDir;`
can register new accounts 2015-12-15 12:12:15 +00:00			`args.renewalDir = args.renewalDir \|\| path.join(configDir, 'renewal', args.domains[0] + '.conf');`
			`args.accountsDir = args.accountsDir \|\| path.join(configDir, 'accounts', acmeHostname, 'directory');`
begin ursa 2015-12-15 11:37:39 +00:00
more working 2015-12-15 13:11:19 +00:00			`return pyconf.readFileAsync(args.renewalDir).then(function (renewal) {`
begin ursa 2015-12-15 11:37:39 +00:00			`return renewal.account;`
			`}, function (err) {`
			`if ("EENOENT" === err.code) {`
updates 2015-12-15 12:45:36 +00:00			`return getAccountByEmail(args, handlers);`
begin ursa 2015-12-15 11:37:39 +00:00			`}`

can register new accounts 2015-12-15 12:12:15 +00:00			`return PromiseA.reject(err);`
begin ursa 2015-12-15 11:37:39 +00:00			`}).then(function (accountId) {`
			`// Note: the ACME urls are always fetched fresh on purpose`
			`return getAcmeUrls(args).then(function (urls) {`
			`args._acmeUrls = urls;`

			`if (accountId) {`
updates 2015-12-15 12:45:36 +00:00			`return getAccount(accountId, args, handlers);`
begin ursa 2015-12-15 11:37:39 +00:00			`} else {`
more working 2015-12-15 13:11:19 +00:00			`return createAccount(args, handlers);`
begin ursa 2015-12-15 11:37:39 +00:00			`}`
			`});`
			`}).then(function (account) {`
updates 2015-12-15 12:45:36 +00:00			`/*`
			`, domains: Array.isArray(args.domains) \|\| (args.domains\|\|'').split(',')`
			`, webroot: args.webrootPath`
			`, accountPrivateKeyPem: obj.privateKeyPem`
			`, setChallenge: function (domain, key, value, done) {`
			`args.domains = [domain];`
			`handlers.setChallenge(args, key, value, done);`
			`}`
			`, removeChallenge: function (domain, key, done) {`
			`args.domains = [domain];`
			`handlers.removeChallenge(args, key, done);`
			`}`
			`*/`
can register new accounts 2015-12-15 12:12:15 +00:00			`console.log(account);`
begin ursa 2015-12-15 11:37:39 +00:00			`throw new Error("IMPLEMENTATION NOT COMPLETE");`
			`});`
			`/*`
			`return fs.readdirAsync(accountsDir, function (nodes) {`
			`return PromiseA.all(nodes.map(function (node) {`
			`var reMd5 = /[a-f0-9]{32}/i;`
			`if (reMd5.test(node)) {`
			`}`
			`}));`
			`});`
			`*/`
			`}`
			`, fetchAsync: function (args) {`
			`var hostname = args.domains[0];`
			`var crtpath = defaults.configDir + defaults.fullchainTpl.replace(/:hostname/, hostname);`
			`var privpath = defaults.configDir + defaults.privkeyTpl.replace(/:hostname/, hostname);`

			`return PromiseA.all([`
			`fs.readFileAsync(privpath, 'ascii')`
			`, fs.readFileAsync(crtpath, 'ascii')`
			`// stat the file, not the link`
			`, fs.statAsync(crtpath)`
			`]).then(function (arr) {`
			`return {`
			`key: arr[0] // privkey.pem`
			`, cert: arr[1] // fullchain.pem`
			`// TODO parse centificate for lifetime / expiresAt`
			`, issuedAt: arr[2].mtime.valueOf()`
			`};`
			`}, function () {`
			`return null;`
			`});`
			`}`
			`};`

			`return wrapped;`
			`};`