1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
//
use std::sync::Arc;
use crate::acc::AcmeKey;
use crate::api::{ApiAccount, ApiDirectory};
use crate::persist::{Persist, PersistKey, PersistKind};
use crate::req::{req_expect_header, req_get, req_handle_error};
use crate::trans::{NoncePool, Transport};
use crate::util::read_json;
use crate::{Account, Result};
const LETSENCRYPT: &str = "https://acme-v02.api.letsencrypt.org/directory";
const LETSENCRYPT_STAGING: &str = "https://acme-staging-v02.api.letsencrypt.org/directory";
/// Enumeration of known ACME API directories.
#[derive(Debug, Clone)]
pub enum DirectoryUrl<'a> {
/// The main Let's Encrypt directory. Not appropriate for testing and dev.
LetsEncrypt,
/// The staging Let's Encrypt directory. Use for testing and dev. Doesn't issue
/// "valid" certificates. The root signing certificate is not supposed
/// to be in any trust chains.
LetsEncryptStaging,
/// Provide an arbitrary director URL to connect to.
Other(&'a str),
}
impl<'a> DirectoryUrl<'a> {
fn to_url(&self) -> &str {
match self {
DirectoryUrl::LetsEncrypt => LETSENCRYPT,
DirectoryUrl::LetsEncryptStaging => LETSENCRYPT_STAGING,
DirectoryUrl::Other(s) => s,
}
}
}
/// Entry point for accessing an ACME API.
#[derive(Clone)]
pub struct Directory<P: Persist> {
persist: P,
nonce_pool: Arc<NoncePool>,
api_directory: ApiDirectory,
}
impl<P: Persist> Directory<P> {
/// Create a directory over a persistence implementation and directory url.
pub fn from_url(persist: P, url: DirectoryUrl) -> Result<Directory<P>> {
let dir_url = url.to_url();
let res = req_handle_error(req_get(dir_url))?;
let api_directory: ApiDirectory = read_json(res)?;
let nonce_pool = Arc::new(NoncePool::new(&api_directory.newNonce));
Ok(Directory {
persist,
nonce_pool,
api_directory,
})
}
/// Access an account identified by a contact email.
///
/// If a persisted private key exists for the contact email, it will be read
/// and used for further access. This way we reuse the same ACME API account.
///
/// If one doesn't exist, it is created and the corresponding public key is
/// uploaded to the ACME API thus creating the account.
///
/// Either way the `newAccount` API endpoint is called and thereby ensures the
/// account is active and working.
///
/// This is the same as calling
/// `account_with_realm(contact_email, ["mailto: <contact_email>"]`)
pub fn account(&self, contact_email: &str) -> Result<Account<P>> {
// Contact email is the persistence realm when using this method.
let contact = vec![format!("mailto:{}", contact_email)];
self.account_with_realm(contact_email, Some(contact))
}
/// Access an account using a lower level method. The contact is optional
/// against the ACME API provider and there might be situations where you
/// either don't need it at all, or need it to be something else than
/// an email address.
///
/// The `realm` parameter is a persistence realm, i.e. a namespace in the
/// persistence where all values belonging to this Account will be stored.
///
/// If a persisted private key exists for the `realm`, it will be read
/// and used for further access. This way we reuse the same ACME API account.
///
/// If one doesn't exist, it is created and the corresponding public key is
/// uploaded to the ACME API thus creating the account.
///
/// Either way the `newAccount` API endpoint is called and thereby ensures the
/// account is active and working.
pub fn account_with_realm(
&self,
realm: &str,
contact: Option<Vec<String>>,
) -> Result<Account<P>> {
// key in persistence for acme account private key
let pem_key = PersistKey::new(realm, PersistKind::AccountPrivateKey, "acme_account");
// Get the key from a saved PEM, or from creating a new
let mut is_new = false;
let pem = self.persist().get(&pem_key)?;
let acme_key = if let Some(pem) = pem {
// we got a persisted private key. read it.
debug!("Read persisted acme account key");
AcmeKey::from_pem(&pem)?
} else {
// create a new key (and new account)
debug!("Create new acme account key");
is_new = true;
AcmeKey::new()
};
// Prepare making a call to newAccount. This is fine to do both for
// new keys and existing. For existing the spec says to return a 200
// with the Location header set to the key id (kid).
let acc = ApiAccount {
contact,
termsOfServiceAgreed: Some(true),
..Default::default()
};
let mut transport = Transport::new(&self.nonce_pool, acme_key);
let res = transport.call_jwk(&self.api_directory.newAccount, &acc)?;
let kid = req_expect_header(&res, "location")?;
debug!("Key id is: {}", kid);
let api_account: ApiAccount = read_json(res)?;
// fill in the server returned key id
transport.set_key_id(kid);
// If we did create a new key, save it back to the persistence.
if is_new {
debug!("Persist acme account key");
let pem = transport.acme_key().to_pem();
self.persist().put(&pem_key, &pem)?;
}
// The finished account
Ok(Account::new(
self.persist.clone(),
transport,
realm,
api_account,
self.api_directory.clone(),
))
}
/// Access the underlying JSON object for debugging.
pub fn api_directory(&self) -> &ApiDirectory {
&self.api_directory
}
pub(crate) fn persist(&self) -> &P {
&self.persist
}
}
#[cfg(test)]
mod test {
use super::*;
use crate::persist::*;
#[test]
fn test_create_directory() -> Result<()> {
let server = crate::test::with_directory_server();
let url = DirectoryUrl::Other(&server.dir_url);
let persist = MemoryPersist::new();
let _ = Directory::from_url(persist, url)?;
Ok(())
}
#[test]
fn test_create_acount() -> Result<()> {
let server = crate::test::with_directory_server();
let url = DirectoryUrl::Other(&server.dir_url);
let persist = MemoryPersist::new();
let dir = Directory::from_url(persist, url)?;
let _ = dir.account("foo@bar.com")?;
Ok(())
}
#[test]
fn test_persisted_acount() -> Result<()> {
let server = crate::test::with_directory_server();
let url = DirectoryUrl::Other(&server.dir_url);
let persist = MemoryPersist::new();
let dir = Directory::from_url(persist, url)?;
let acc1 = dir.account("foo@bar.com")?;
let acc2 = dir.account("foo@bar.com")?;
let acc3 = dir.account("karlfoo@bar.com")?;
assert_eq!(acc1.acme_private_key_pem(), acc2.acme_private_key_pem());
assert!(acc1.acme_private_key_pem() != acc3.acme_private_key_pem());
Ok(())
}
// #[test]
// fn test_the_whole_hog() -> Result<()> {
// std::env::set_var("RUST_LOG", "acme_lib=trace");
// let _ = env_logger::try_init();
// use crate::cert::create_p384_key;
// let url = DirectoryUrl::LetsEncryptStaging;
// let persist = FilePersist::new(".");
// let dir = Directory::from_url(persist, url)?;
// let acc = dir.account("foo@bar.com")?;
// let mut ord = acc.new_order("myspecialsite.com", &[])?;
// let ord = loop {
// if let Some(ord) = ord.confirm_validations() {
// break ord;
// }
// let auths = ord.authorizations()?;
// let chall = auths[0].dns_challenge();
// info!("Proof: {}", chall.dns_proof());
// use std::thread;
// use std::time::Duration;
// thread::sleep(Duration::from_millis(60_000));
// chall.validate(5000)?;
// ord.refresh()?;
// };
// let (pkey_pri, pkey_pub) = create_p384_key();
// let ord = ord.finalize_pkey(pkey_pri, pkey_pub, 5000)?;
// let cert = ord.download_and_save_cert()?;
// println!(
// "{}{}{}",
// cert.private_key(),
// cert.certificate(),
// cert.valid_days_left()
// );
// Ok(())
// }
}