package acme import ( "crypto/x509" "encoding/json" "errors" "log" "net/http" "regexp" "time" ) // Provider ... type Provider struct { Directory nonces chan string http.Client http.Transport } var ( errNoNonces = errors.New("out of nonces") errContentType = errors.New("unknown content type") errChalType = errors.New("unknown challenge") errStatus = errors.New("unexpected status") ) const ( mimeJson = "application/json" mimeJose = "application/jose+json" mimeProblem = "application/problem+json" mimePkix = "application/pkix-cert" ) // RoundTrip implements RoundTipper func (p Provider) RoundTrip(req *http.Request) (*http.Response, error) { resp, err := p.Transport.RoundTrip(req) if err != nil { return nil, err } if nonce := resp.Header.Get("Replay-Nonce"); nonce != "" { if len(p.nonces) == cap(p.nonces) { <-p.nonces // drop oldest } p.nonces <- nonce } return resp, nil } // Nonce implements jose nonce provider func (p Provider) Nonce() (string, error) { select { case nonce := <-p.nonces: return nonce, nil case <-time.After(5 * time.Second): return "", errNoNonces } } // DialProvider fetches directory and initializes nonce func DialProvider(directory string) (*Provider, error) { p := &Provider{nonces: make(chan string, 100)} p.Client = http.Client{ Transport: p, Timeout: time.Duration(5 * time.Second), } resp, err := p.Get(directory) if err != nil { return nil, err } return p, parseJson(resp, &p.Directory) } func (p *Provider) post(uri string, s Signer, v interface{}) (*http.Response, error) { msg, err := json.Marshal(v) if err != nil { return nil, err } signed, err := s.Sign(msg, p) if err != nil { return nil, err } return p.Post(uri, mimeJose, signed) } type nextStep struct { Link map[string]string Location string } var linksRe = regexp.MustCompile(`^<(.*)>;rel="(.*)"`) func parseHeader(resp *http.Response) nextStep { var ns nextStep if lo, _ := resp.Location(); lo != nil { ns.Location = lo.String() } ns.Link = make(map[string]string) for _, li := range resp.Header["Link"] { re := linksRe.FindStringSubmatch(li) if len(re) == 3 { ns.Link[re[2]] = re[1] } } return ns } func parseJson(resp *http.Response, v interface{}) error { defer resp.Body.Close() switch resp.Header.Get("Content-Type") { case mimeJson: return json.NewDecoder(resp.Body).Decode(v) case mimeProblem: return problem(resp.Body) default: return errContentType } } func parseCert(resp *http.Response) (*x509.Certificate, error) { defer resp.Body.Close() switch resp.Header.Get("Content-Type") { case mimePkix: return readCert(resp.Body) case mimeProblem: return nil, problem(resp.Body) default: return nil, errContentType } } func (p *Provider) Register(s Signer, c Contacts) error { // first step: new-reg req := &Registration{ Resource: ResNewReg, Contact: c, } resp, err := p.post(p.NewReg, s, req) if err != nil { return err } ns := parseHeader(resp) // second step: reg, agree to tos req = &Registration{ Resource: ResReg, Agreement: ns.Link["terms-of-service"], } resp, err = p.post(ns.Location, s, req) if err != nil { return err } resp.Body.Close() return nil } func (p *Provider) solve(s Signer, ch Challenge, sol Solver) error { ka, err := s.KeyAuth(ch.Token) if err != nil { return err } err = sol.Solve(ch.Token, ka) if err != nil { return err } defer sol.Solved() // update challenge ch.Resource = ResChallenge ch.KeyAuthorization = ka resp, err := p.post(ch.URI, s, ch) if err != nil { return err } ns := parseHeader(resp) if err := p.pollStatus(ns.Location); err != nil { return err } return nil } func (p *Provider) authz(s Signer, domain string, sol map[ChalType]Solver) error { // first step: pocke req := &Authorization{ Resource: ResNewAuthz, Identifier: Identifier{ Type: IdentDNS, Value: domain, }, } resp, err := p.post(p.NewAuthz, s, req) if err != nil { return err } err = parseJson(resp, req) if err != nil { return err } // second step: choose and start solver for _, ch := range req.Supported(sol) { if err = p.solve(s, ch, sol[ch.Type]); err != nil { return err } } return nil } func (p *Provider) Authorize(s Signer, d *Desire) error { for _, domain := range d.altnames { if err := p.authz(s, domain, d.solver); err != nil { return err } } return nil } func (p *Provider) pollStatus(uri string) error { t := time.NewTicker(time.Second) defer t.Stop() for range t.C { resp, err := p.Get(uri) if err != nil { return err } req := new(Challenge) err = parseJson(resp, req) if err != nil { return err } if req.Err != nil { return req.Err } log.Println("status", req.Status) if req.Status == StatusValid { return nil } } return nil } func (p *Provider) Bundle(s Signer, d *Desire) error { // first step: post csr csr, err := d.CSR() if err != nil { return err } req := &CSR{ Resource: ResNewCert, CSR: csr, } resp, err := p.post(p.NewCert, s, req) if err != nil { return err } crt, err := parseCert(resp) if err != nil { return err } d.cert = append(d.cert, crt) ns := parseHeader(resp) // second step: cet CA resp, err = p.Get(ns.Link["up"]) if err != nil { return err } crt, err = parseCert(resp) if err != nil { return err } d.cert = append(d.cert, crt) return nil }