le-acme-core.js/lib/get-certificate.js

421 lines
12 KiB
JavaScript

/*!
* letiny
* Copyright(c) 2015 Anatol Sommer <anatol@anatol.at>
* Some code used from https://github.com/letsencrypt/boulder/tree/master/test/js
* MPL 2.0
*/
'use strict';
function _toStandardBase64(str) {
var b64 = str.replace(/-/g, "+").replace(/_/g, "/").replace(/=/g, "");
switch (b64.length % 4) {
case 2: b64 += "=="; break;
case 3: b64 += "="; break;
}
return b64;
}
module.exports.create = function (deps) {
var request=deps.request;
var Acme = deps.Acme;
var RSA = deps.RSA;
// getCertificate // returns "pems", meaning "certs"
function getCert(options, cb) {
function bodyToError(res, body) {
var err;
if (!body) {
err = new Error("[Error] letiny-core: no request body");
err.code = "E_NO_RESPONSE_BODY";
throw err;
}
if ('{' === body[0] || '{' === String.fromCharCode(body[0])) {
try {
body = JSON.parse(body.toString('utf8'));
} catch(e) {
err = new Error("[Error] letiny-core: body could not be parsed");
err.code = "E_BODY_PARSE";
err.description = body;
throw err;
}
}
if (Math.floor(res.statusCode / 100) !== 2) {
err = new Error("[Error] letiny-core: not 200 ok");
err.code = "E_STATUS_CODE";
err.type = body.type;
err.description = body;
err.detail = body.detail;
console.error("TODO: modules which depend on this module should expose this error properly but since some of them don't, I expose it here directly:");
console.error(err.stack);
console.error(body);
throw err;
}
if (body.type && body.detail) {
err = new Error("[Error] letiny-core: " + body.detail);
err.code = body.type;
err.type = body.type;
err.description = body.detail;
err.detail = body.detail;
throw err;
}
return body;
}
function nextDomain() {
if (state.domains.length > 0) {
getChallenges(state.domains.shift());
return;
} else {
getCertificate();
}
}
function getChallenges(domain) {
state.domain = domain;
state.acme.post(state.newAuthzUrl, {
resource: 'new-authz',
identifier: {
type: 'dns',
value: state.domain,
}
}, function (err, res, body) {
if (!err && res.body) {
try {
body = bodyToError(res, body);
} catch(e) {
err = e;
}
}
getReadyToValidate(err, res, body);
});
}
function getReadyToValidate(err, res, body) {
var links;
var authz;
var httpChallenges;
var challenge;
var thumbprint;
var keyAuthorization;
function challengeDone(err) {
if (err) {
console.error('[letiny-core] setChallenge Error:');
console.error(err && err.stack || err);
ensureValidation(err, null, null, function () {
options.removeChallenge(state.domain, challenge.token, function () {
// ignore
});
});
return;
}
state.acme.post(state.responseUrl, {
resource: 'challenge',
keyAuthorization: keyAuthorization
}, function(err, res, body) {
if (!err && res.body) {
try {
body = bodyToError(res, body);
} catch(e) {
err = e;
}
}
ensureValidation(err, res, body, function unlink() {
options.removeChallenge(state.domain, challenge.token, function () {
// ignore
});
});
});
}
if (err) {
return handleErr(err);
}
if (Math.floor(res.statusCode/100)!==2) {
return handleErr(null, 'Authorization request failed ('+res.statusCode+')');
}
links = Acme.parseLink(res.headers.link);
if (!links || !('next' in links)) {
return handleErr(err, 'Server didn\'t provide information to proceed (2)');
}
state.authorizationUrl = res.headers.location;
state.newCertUrl = links.next;
authz = body;
httpChallenges = authz.challenges.filter(function(x) {
return x.type === options.challengeType;
});
if (httpChallenges.length === 0) {
return handleErr(null, 'Server didn\'t offer any challenge we can handle.');
}
challenge = httpChallenges[0];
thumbprint = RSA.thumbprint(state.accountKeypair);
keyAuthorization = challenge.token + '.' + thumbprint;
state.responseUrl = challenge.uri;
options.setChallenge(state.domain, challenge.token, keyAuthorization, challengeDone);
}
function ensureValidation(err, res, body, unlink) {
var authz, challengesState;
if (err || Math.floor(res.statusCode/100)!==2) {
unlink();
return handleErr(err, 'Authorization status request failed ('
+ (res && res.statusCode || err.code || err.message || err) + ')');
}
authz=body;
if (authz.status==='pending') {
setTimeout(function() {
request({
method: 'GET'
, url: state.authorizationUrl
}, function(err, res, body) {
if (!err && res.body) {
try {
body = bodyToError(res, body);
} catch(e) {
err = e;
}
}
ensureValidation(err, res, body, unlink);
});
}, 1000);
} else if (authz.status==='valid') {
log('Validating domain ... done');
state.validatedDomains.push(state.domain);
state.validAuthorizationUrls.push(state.authorizationUrl);
unlink();
nextDomain();
} else if (authz.status==='invalid') {
unlink();
challengesState = (authz.challenges || []).map(function (challenge) {
var result = ' - ' + challenge.uri + ' [' + challenge.status + ']';
if (challenge.error) {
result += '\n ' + challenge.error.detail;
}
return result;
}).join('\n');
return handleErr(null,
'The CA was unable to validate the file you provisioned. '
+ (authz.detail ? 'Details: ' + authz.detail : '')
+ (challengesState ? '\n' + challengesState : ''), body);
} else {
unlink();
return handleErr(null, 'CA returned an authorization in an unexpected state' + authz.detail, authz);
}
}
function getCertificate() {
var csr=RSA.generateCsrWeb64(state.certKeypair, state.validatedDomains);
log('Requesting certificate...');
state.acme.post(state.newCertUrl, {
resource:'new-cert',
csr:csr,
authorizations:state.validAuthorizationUrls
}, function (err, res, body ) {
if (!err && res.body) {
try {
body = bodyToError(res, body);
} catch(e) {
err = e;
}
}
downloadCertificate(err, res, body);
});
}
function downloadCertificate(err, res, body) {
var links, certUrl;
if (err) {
handleErr(err, 'Certificate request failed');
return;
}
if (Math.floor(res.statusCode/100)!==2) {
err = new Error("invalid status code: " + res.statusCode);
err.code = "E_STATUS_CODE";
err.description = body;
handleErr(err);
return;
}
links=Acme.parseLink(res.headers.link);
if (!links || !('up' in links)) {
return handleErr(err, 'Failed to fetch issuer certificate');
}
log('Requesting certificate: done');
state.certificate=body;
certUrl=res.headers.location;
request({
method: 'GET'
, url: certUrl
, encoding: null
}, function(err, res, body) {
if (!err) {
try {
body = bodyToError(res, body);
} catch(e) {
err = e;
}
}
if (err) {
return handleErr(err, 'Failed to fetch cert from '+certUrl);
}
if (res.statusCode!==200) {
return handleErr(err, 'Failed to fetch cert from '+certUrl, res.body.toString());
}
if (body.toString()!==state.certificate.toString()) {
return handleErr(null, 'Cert at '+certUrl+' did not match returned cert');
}
log('Successfully verified cert at '+certUrl);
log('Requesting issuer certificate...');
request({
method: 'GET'
, url: links.up
, encoding: null
}, function(err, res, body) {
if (!err) {
try {
body = bodyToError(res, body);
} catch(e) {
err = e;
}
}
if (err || res.statusCode!==200) {
return handleErr(err, 'Failed to fetch issuer certificate');
}
state.caCertPem=certBufferToPem(body);
log('Requesting issuer certificate: done');
done();
});
});
}
function done() {
var certPem;
var privkeyPem;
try {
certPem = certBufferToPem(state.certificate);
} catch(e) {
console.error(e.stack);
//cb(new Error("Could not write output files. Please check permissions!"));
handleErr(e, 'Could not write output files. Please check permissions!');
return;
}
privkeyPem = RSA.exportPrivatePem(state.certKeypair);
cb(null, {
cert: certPem
// TODO privkey isn't necessary
, privkey: privkeyPem
, chain: state.caCertPem
// TODO nix key, ca
, key: privkeyPem
, ca: state.caCertPem
});
}
function handleErr(err, text, info) {
log(text, err, info);
cb(err || new Error(text));
}
var NOOP = function () {};
var log = options.debug ? console.log : NOOP;
var state={
validatedDomains:[]
, validAuthorizationUrls:[]
, newAuthzUrl: options.newAuthzUrl
, newCertUrl: options.newCertUrl
};
if (!options.challengeType) {
options.challengeType = 'http-01';
}
if (-1 === [ 'http-01', 'tls-sni-01', 'dns-01' ].indexOf(options.challengeType)) {
return handleErr(new Error("options.challengeType '" + options.challengeType + "' is not yet supported"));
}
if (!options.newAuthzUrl) {
return handleErr(new Error("options.newAuthzUrl must be the authorization url"));
}
if (!options.newCertUrl) {
return handleErr(new Error("options.newCertUrl must be the new certificate url"));
}
if (!options.accountKeypair) {
if (!options.accountPrivateKeyPem) {
return handleErr(new Error("options.accountKeypair must be an object with `privateKeyPem` and/or `privateKeyJwk`"));
}
console.warn("'accountPrivateKeyPem' is deprecated. Use options.accountKeypair.privateKeyPem instead.");
options.accountKeypair = RSA.import({ privateKeyPem: options.accountPrivateKeyPem });
}
if (!options.domainKeypair) {
if (!options.domainPrivateKeyPem) {
return handleErr(new Error("options.domainKeypair must be an object with `privateKeyPem` and/or `privateKeyJwk`"));
}
console.warn("'domainPrivateKeyPem' is deprecated. Use options.domainKeypair.privateKeyPem instead.");
options.domainKeypair = RSA.import({ privateKeyPem: options.domainPrivateKeyPem });
}
if (!options.setChallenge) {
return handleErr(new Error("options.setChallenge must be function(hostname, challengeKey, tokenValue, done) {}"));
}
if (!options.removeChallenge) {
return handleErr(new Error("options.removeChallenge must be function(hostname, challengeKey, done) {}"));
}
if (!(options.domains && options.domains.length)) {
return handleErr(new Error("options.domains must be an array of domains such as ['example.com', 'www.example.com']"));
}
state.domains = options.domains.slice(0); // copy array
try {
state.accountKeypair = options.accountKeypair;
state.certKeypair = options.domainKeypair;
state.acme = new Acme(state.accountKeypair);
} catch(err) {
return handleErr(err, 'Failed to parse privateKey');
}
nextDomain();
}
function certBufferToPem(cert) {
cert=_toStandardBase64(cert.toString('base64'));
cert=cert.match(/.{1,64}/g).join('\n');
return '-----BEGIN CERTIFICATE-----\n'+cert+'\n-----END CERTIFICATE-----';
}
return getCert;
};