package acme import ( "crypto/x509" "encoding/json" "errors" "io" "log" "net/http" "regexp" "time" ) // Provider ... type Provider struct { Directory nonces chan string http.Client } var ( errNoNonces = errors.New("out of nonces") errContentType = errors.New("unknown content type") errChallengeType = errors.New("unknown challenge") errStatus = errors.New("unexpected status") ) // Nonce implements jose nonce provider func (p Provider) Nonce() (string, error) { select { case nonce := <-p.nonces: return nonce, nil default: return "", errNoNonces } } // NewProvider fetches directory and initializes nonce func NewProvider(directory string) (*Provider, error) { p := &Provider{ nonces: make(chan string, 100), Client: http.Client{ Timeout: time.Duration(5 * time.Second), }, } return p, p.getJson(directory, &p.Directory) } func (p *Provider) post(uri string, s Signer, v interface{}) (*http.Response, error) { signed, err := s.Sign(v, p) if err != nil { return nil, err } return p.Post(uri, "application/jose+json", signed) } func (p *Provider) postJson(uri string, s Signer, v interface{}) (nextStep, error) { log.Println("post json", uri) resp, err := p.post(uri, s, v) if err != nil { return nextStep{}, err } return p.parseJson(resp, v) } func (p *Provider) postCert(uri string, s Signer, v interface{}) (*x509.Certificate, nextStep, error) { log.Println("post cert", uri) resp, err := p.post(uri, s, v) if err != nil { return nil, nextStep{}, err } log.Println("post len", resp.ContentLength) return p.parseCert(resp) } func (p *Provider) getJson(uri string, v interface{}) error { resp, err := p.Get(uri) if err != nil { return err } _, err = p.parseJson(resp, v) return err } func (p *Provider) getCert(uri string) (*x509.Certificate, error) { resp, err := p.Get(uri) if err != nil { return nil, err } log.Println("get len", resp.ContentLength) crt, _, err := p.parseCert(resp) return crt, err } type nextStep struct { Link map[string]string Location string } var linksRe = regexp.MustCompile(`^<(.*)>;rel="(.*)"`) func (p *Provider) parseHeader(resp *http.Response) nextStep { var ns nextStep if lo, _ := resp.Location(); lo != nil { ns.Location = lo.String() } ns.Link = make(map[string]string) for _, li := range resp.Header["Link"] { re := linksRe.FindStringSubmatch(li) if len(re) == 3 { ns.Link[re[2]] = re[1] } } if rn := resp.Header.Get("Replay-Nonce"); rn != "" { p.nonces <- rn } return ns } func (p *Provider) parseJson(resp *http.Response, v interface{}) (nextStep, error) { ns := p.parseHeader(resp) defer resp.Body.Close() switch resp.Header.Get("Content-Type") { case "application/problem+json": return ns, problem(resp.Body) case "application/json": return ns, json.NewDecoder(resp.Body).Decode(v) default: return ns, errContentType } } func (p *Provider) parseCert(resp *http.Response) (*x509.Certificate, nextStep, error) { ns := p.parseHeader(resp) defer resp.Body.Close() switch resp.Header.Get("Content-Type") { case "application/problem+json": return nil, ns, problem(resp.Body) case "application/pkix-cert": c, err := readCert(resp.Body) return c, ns, err default: return nil, ns, errContentType } } func problem(r io.Reader) error { var p Problem if err := json.NewDecoder(r).Decode(&p); err != nil { return err } p.Err = urnErrors[p.Type] return p } func (p *Provider) newReg(uri string, s Signer, c Contacts) (nextStep, error) { r := &Registration{ Resource: ResNewReg, Contact: c, } return p.postJson(uri, s, r) } func (p *Provider) agree(uri string, s Signer, tos string) (nextStep, error) { r := &Registration{ Resource: ResReg, Agreement: tos, } return p.postJson(uri, s, r) } func (p *Provider) Register(s Signer, c Contacts) error { ns, err := p.newReg(p.NewReg, s, c) if err != nil && err.(Problem).Err != ErrMalformed { return err } _, err = p.agree(ns.Location, s, ns.Link["terms-of-service"]) return err } func (p *Provider) solve(s Signer, ch Challenge) error { ka, err := s.KeyAuth(ch.Token) if err != nil { return err } r := &Challenge{ Resource: ResChallenge, Type: ch.Type, KeyAuthorization: ka, } ns, err := p.postJson(ch.URI, s, r) if err != nil { return err } err = ch.Solve(ch.Token, ka) if err != nil { return err } var done bool for !done { done, err = p.queryStatus(ns.Location) if err != nil { return err } time.Sleep(time.Second) } return nil } func (p *Provider) Authorize(s Signer, d *Desire) error { for _, domain := range d.altnames { r := &Authorization{ Resource: ResNewAuthz, Identifier: NewIdent(domain), } _, err := p.postJson(p.NewAuthz, s, r) if err != nil { return err } for _, ch := range d.pick(r) { if err = p.solve(s, ch); err != nil { return err } } } return nil } func (p *Provider) queryStatus(url string) (bool, error) { log.Println("query", url) r := &Challenge{} err := p.getJson(url, r) if err != nil { return false, err } log.Println("status", r.Status) if r.Err != nil { return false, r.Err } return r.Status == StatusValid, nil } func (p *Provider) newCert(uri string, s Signer, d *Desire) (*x509.Certificate, nextStep, error) { csr, err := d.newCSR() if err != nil { return nil, nextStep{}, err } r := &CSR{ Resource: ResNewCert, CSR: csr, } return p.postCert(uri, s, r) } func (p *Provider) Cert(s Signer, d *Desire) error { crt, ns, err := p.newCert(p.NewCert, s, d) if err != nil { return err } d.cert = append(d.cert, crt) // TODO Get cert on empty response crt, err = p.getCert(ns.Link["up"]) if err != nil { return err } d.cert = append(d.cert, crt) return nil }