package acme import ( "crypto/x509" "encoding/json" "errors" "io" "log" "net/http" "regexp" "time" ) // Provider ... type Provider struct { Directory nonces chan string http.Client } var ( errNoNonces = errors.New("out of nonces") errContentType = errors.New("unknown content type") errChallengeType = errors.New("unknown challenge") errStatus = errors.New("unexpected status") ) // Nonce implements jose nonce provider func (p Provider) Nonce() (string, error) { select { case nonce := <-p.nonces: return nonce, nil default: return "", errNoNonces } } func (p Provider) nonce(resp *http.Response) { rn := resp.Header.Get("Replay-Nonce") if rn != "" && len(p.nonces) < cap(p.nonces) { p.nonces <- rn } } // DialProvider fetches directory and initializes nonce func DialProvider(directory string) (*Provider, error) { p := &Provider{ nonces: make(chan string, 10), Client: http.Client{ Timeout: time.Duration(5 * time.Second), }, } resp, err := p.get(directory) if err != nil { return nil, err } return p, parseJson(resp, &p.Directory) } func (p *Provider) post(uri string, s Signer, v interface{}) (*http.Response, error) { signed, err := s.Sign(v, p) if err != nil { return nil, err } resp, err := p.Post(uri, "application/jose+json", signed) if err != nil { return nil, err } p.nonce(resp) if hasProblem(resp) { defer resp.Body.Close() return nil, problem(resp.Body) } return resp, nil } func (p *Provider) get(uri string) (*http.Response, error) { resp, err := p.Get(uri) if err != nil { return nil, err } p.nonce(resp) if hasProblem(resp) { defer resp.Body.Close() return nil, problem(resp.Body) } return resp, nil } type nextStep struct { Link map[string]string Location string } var linksRe = regexp.MustCompile(`^<(.*)>;rel="(.*)"`) func parseHeader(resp *http.Response) nextStep { var ns nextStep if lo, _ := resp.Location(); lo != nil { ns.Location = lo.String() } ns.Link = make(map[string]string) for _, li := range resp.Header["Link"] { re := linksRe.FindStringSubmatch(li) if len(re) == 3 { ns.Link[re[2]] = re[1] } } return ns } func parseJson(resp *http.Response, v interface{}) error { defer resp.Body.Close() if resp.Header.Get("Content-Type") != "application/json" { return errContentType } return json.NewDecoder(resp.Body).Decode(v) } func parseCert(resp *http.Response) (*x509.Certificate, error) { defer resp.Body.Close() if resp.Header.Get("Content-Type") != "application/pkix-cert" { return nil, errContentType } return readCert(resp.Body) } func hasProblem(resp *http.Response) bool { return resp.Header.Get("Content-Type") == "application/problem+json" } func problem(r io.Reader) error { var p Problem if err := json.NewDecoder(r).Decode(&p); err != nil { return err } p.Err = urnErrors[p.Type] return p } func (p *Provider) Register(s Signer, c Contacts) error { // first step: new-reg r := &Registration{ Resource: ResNewReg, Contact: c, } resp, err := p.post(p.NewReg, s, r) if err != nil && err.(Problem).Err != ErrMalformed { return err } ns := parseHeader(resp) // second step: reg, agree to tos r = &Registration{ Resource: ResReg, Agreement: ns.Link["terms-of-service"], } resp, err = p.post(ns.Location, s, r) if err != nil { return err } resp.Body.Close() return nil } func (p *Provider) solve(s Signer, ch Challenge) error { ka, err := s.KeyAuth(ch.Token) if err != nil { return err } r := &Challenge{ Resource: ResChallenge, Type: ch.Type, KeyAuthorization: ka, } resp, err := p.post(ch.URI, s, r) if err != nil { return err } ns := parseHeader(resp) err = ch.Solve(ch.Token, ka) if err != nil { return err } var done bool for !done { done, err = p.queryStatus(ns.Location) if err != nil { return err } time.Sleep(time.Second) } return nil } func (p *Provider) Authorize(s Signer, d *Desire) error { for _, domain := range d.altnames { r := &Authorization{ Resource: ResNewAuthz, Identifier: Identifier{ Type: IdentDNS, Value: domain, }, } resp, err := p.post(p.NewAuthz, s, r) if err != nil { return err } err = parseJson(resp, r) for _, ch := range d.pick(r) { if err = p.solve(s, ch); err != nil { return err } } } return nil } func (p *Provider) queryStatus(uri string) (bool, error) { log.Println("query", uri) r := &Challenge{} resp, err := p.get(uri) if err != nil { return false, err } err = parseJson(resp, r) if err != nil { return false, err } log.Println("status", r.Status) if r.Err != nil { return false, r.Err } return r.Status == StatusValid, nil } func (p *Provider) Cert(s Signer, d *Desire) error { // first step: post csr csr, err := d.newCSR() if err != nil { return err } r := &CSR{ Resource: ResNewCert, CSR: csr, } resp, err := p.post(p.NewCert, s, r) if err != nil { return err } crt, err := parseCert(resp) if err != nil { return err } d.cert = append(d.cert, crt) ns := parseHeader(resp) // second step: cet CA resp, err = p.get(ns.Link["up"]) if err != nil { return err } crt, err = parseCert(resp) if err != nil { return err } d.cert = append(d.cert, crt) return nil }