line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Net::ACME2; |
2
|
|
|
|
|
|
|
|
3
|
2
|
|
|
2
|
|
327
|
use strict; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
50
|
|
4
|
2
|
|
|
2
|
|
10
|
use warnings; |
|
2
|
|
|
|
|
2
|
|
|
2
|
|
|
|
|
57
|
|
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
=encoding utf-8 |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
=head1 NAME |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
Net::ACME2 - L-standard ACME (Let’s Encrypt) client |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
X X X |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
=head1 SYNOPSIS |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
package SomeCA::ACME; |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
use parent qw( Net::ACME2 ); |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
use constant { |
21
|
|
|
|
|
|
|
HOST => 'acme.someca.net', |
22
|
|
|
|
|
|
|
DIRECTORY_PATH => '/acme-directory', |
23
|
|
|
|
|
|
|
}; |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
package main; |
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
my $acme = SomeCA::ACME->new( |
28
|
|
|
|
|
|
|
key => $account_key_pem_or_der, |
29
|
|
|
|
|
|
|
key_id => undef, |
30
|
|
|
|
|
|
|
); |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
#for a new account |
33
|
|
|
|
|
|
|
{ |
34
|
|
|
|
|
|
|
my $terms_url = $acme->get_terms_of_service(); |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
$acme->create_new_account( |
37
|
|
|
|
|
|
|
termsOfServiceAgreed => 1, |
38
|
|
|
|
|
|
|
); |
39
|
|
|
|
|
|
|
} |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
#Save $acme->key_id() somewhere so you can use it again. |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
my $order = $acme->create_new_order( |
44
|
|
|
|
|
|
|
identifiers => [ |
45
|
|
|
|
|
|
|
{ type => 'dns', value => '*.example.com' }, |
46
|
|
|
|
|
|
|
], |
47
|
|
|
|
|
|
|
); |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
my $authz = $acme->get_authorization( ($order->authorizations())[0] ); |
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
my @challenges = $authz->challenges(); |
52
|
|
|
|
|
|
|
|
53
|
|
|
|
|
|
|
# ... Pick a challenge, and satisfy it. |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
$acme->accept_challenge($challenge); |
56
|
|
|
|
|
|
|
|
57
|
|
|
|
|
|
|
sleep 1 while 'valid' ne $acme->poll_authorization($authz); |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
# ... Make a key and CSR for *.example.com |
60
|
|
|
|
|
|
|
|
61
|
|
|
|
|
|
|
$acme->finalize_order($order, $csr_pem_or_der); |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
while ($order->status() ne 'valid') { |
64
|
|
|
|
|
|
|
sleep 1; |
65
|
|
|
|
|
|
|
$acme->poll_order($order); |
66
|
|
|
|
|
|
|
} |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
my $certificate_url = $order->certificate(); |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
# ... Download your certificate! :) |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
See F in the distribution for a more fleshed-out example. |
73
|
|
|
|
|
|
|
|
74
|
|
|
|
|
|
|
To use L, see |
75
|
|
|
|
|
|
|
L. |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
=head1 DESCRIPTION |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
This library implements client logic for the L-standard ACME |
80
|
|
|
|
|
|
|
(Automated Certificate Management Environment) protocol. As of this |
81
|
|
|
|
|
|
|
writing, that protocol remains in development; the latest draft will |
82
|
|
|
|
|
|
|
be available from L. |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
Net::ACME2 derives from L, which implements the |
85
|
|
|
|
|
|
|
(significantly different) earlier draft of that protocol as initially |
86
|
|
|
|
|
|
|
deployed by L. |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
Net::ACME2 is pure Perl, and all of its dependencies are either pure Perl |
89
|
|
|
|
|
|
|
or core modules. |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
=head1 STATUS |
92
|
|
|
|
|
|
|
|
93
|
|
|
|
|
|
|
This is an alpha-grade implementation. While the underlying protocol |
94
|
|
|
|
|
|
|
is L, |
95
|
|
|
|
|
|
|
it’s still not finalized; consequently, this distribution remains |
96
|
|
|
|
|
|
|
subject to change. |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
=head1 FEATURES |
99
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
=over |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
=item * This is a pure-Perl solution, all of whose dependencies are either |
103
|
|
|
|
|
|
|
core modules or pure-Perl themselves. Net::ACME2 will run anywhere that Perl |
104
|
|
|
|
|
|
|
runs. :) |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
=item * Support for both ECDSA and RSA encrytion. |
107
|
|
|
|
|
|
|
|
108
|
|
|
|
|
|
|
=item * Comprehensive error handling with typed, L-based exceptions. |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
=back |
111
|
|
|
|
|
|
|
|
112
|
|
|
|
|
|
|
=head1 ERROR HANDLING |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
All thrown exceptions are instances of L. |
115
|
|
|
|
|
|
|
Specific error classes aren’t yet defined. |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
=cut |
118
|
|
|
|
|
|
|
|
119
|
2
|
|
|
2
|
|
293
|
use Crypt::Format (); |
|
2
|
|
|
|
|
365
|
|
|
2
|
|
|
|
|
24
|
|
120
|
2
|
|
|
2
|
|
331
|
use Crypt::Perl::PK (); |
|
2
|
|
|
|
|
3936
|
|
|
2
|
|
|
|
|
30
|
|
121
|
2
|
|
|
2
|
|
352
|
use MIME::Base64 (); |
|
2
|
|
|
|
|
557
|
|
|
2
|
|
|
|
|
27
|
|
122
|
|
|
|
|
|
|
|
123
|
2
|
|
|
2
|
|
637
|
use Net::ACME2::HTTP (); |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
31
|
|
124
|
2
|
|
|
2
|
|
638
|
use Net::ACME2::Order (); |
|
2
|
|
|
|
|
3
|
|
|
2
|
|
|
|
|
30
|
|
125
|
2
|
|
|
2
|
|
585
|
use Net::ACME2::Authorization (); |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
56
|
|
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
our $VERSION = '0.2-TRIAL4'; |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
use constant { |
130
|
2
|
|
|
|
|
89
|
JWS_FORMAT => undef, |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
_JWK_THUMBPRINT_DIGEST => 'sha256', |
133
|
2
|
|
|
2
|
|
9
|
}; |
|
2
|
|
|
|
|
4
|
|
134
|
|
|
|
|
|
|
|
135
|
|
|
|
|
|
|
# accessed from test |
136
|
2
|
|
|
|
|
71
|
use constant newAccount_booleans => qw( |
137
|
|
|
|
|
|
|
termsOfServiceAgreed |
138
|
|
|
|
|
|
|
onlyReturnExisting |
139
|
2
|
|
|
2
|
|
8
|
); |
|
2
|
|
|
|
|
4
|
|
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
# the list of methods that need a “jwk” in their JWS Protected Header |
142
|
|
|
|
|
|
|
# (cf. section 6.2 of the spec) |
143
|
2
|
|
|
|
|
2232
|
use constant FULL_JWT_METHODS => qw( |
144
|
|
|
|
|
|
|
newAccount |
145
|
|
|
|
|
|
|
revokeCert |
146
|
2
|
|
|
2
|
|
8
|
); |
|
2
|
|
|
|
|
2
|
|
147
|
|
|
|
|
|
|
|
148
|
|
|
|
|
|
|
=head1 METHODS |
149
|
|
|
|
|
|
|
|
150
|
|
|
|
|
|
|
=head2 I->new( %OPTS ) |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
Instantiates an ACME2 object, which you’ll use for all |
153
|
|
|
|
|
|
|
interactions with the ACME server. %OPTS is: |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
=over |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=item * C - Required. The private key to associate with the ACME2 |
158
|
|
|
|
|
|
|
user. Anything that C can parse is acceptable. |
159
|
|
|
|
|
|
|
|
160
|
|
|
|
|
|
|
=item * C - Optional. As returned by C. |
161
|
|
|
|
|
|
|
Saves a round-trip to the ACME2 server, so you should give this |
162
|
|
|
|
|
|
|
if you have it. |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
=item * C - Optional. A hash reference to use as the |
165
|
|
|
|
|
|
|
directory contents. Saves a round-trip to the ACME2 server, but there’s |
166
|
|
|
|
|
|
|
no built-in logic to determine when the cache goes invalid. Caveat |
167
|
|
|
|
|
|
|
emptor. |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
=back |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
=cut |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
sub new { |
174
|
2
|
|
|
2
|
1
|
195
|
my ( $class, %opts ) = @_; |
175
|
|
|
|
|
|
|
|
176
|
2
|
50
|
|
|
|
8
|
_die_generic('Need “key”!') if !$opts{'key'}; |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
my $self = { |
179
|
|
|
|
|
|
|
_host => $class->HOST(), |
180
|
|
|
|
|
|
|
_key => $opts{'key'}, |
181
|
|
|
|
|
|
|
_key_id => $opts{'key_id'}, |
182
|
2
|
|
|
|
|
12
|
_directory => $opts{'directory'}, |
183
|
|
|
|
|
|
|
}; |
184
|
|
|
|
|
|
|
|
185
|
2
|
|
|
|
|
4
|
bless $self, $class; |
186
|
|
|
|
|
|
|
|
187
|
2
|
|
|
|
|
10
|
$self->_set_ua(); |
188
|
|
|
|
|
|
|
|
189
|
2
|
|
|
|
|
8
|
return $self; |
190
|
|
|
|
|
|
|
} |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
=head2 I->key_id() |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
Returns the object’s cached key ID, either as given at instantiation |
195
|
|
|
|
|
|
|
or as fetched in C. |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
=cut |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
sub key_id { |
200
|
2
|
|
|
2
|
1
|
1239
|
my ($self) = @_; |
201
|
|
|
|
|
|
|
|
202
|
2
|
|
|
|
|
8
|
return $self->{'_key_id'}; |
203
|
|
|
|
|
|
|
} |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
=head2 I->get_terms_of_service() |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
Callable as either an instance method or a class method. |
208
|
|
|
|
|
|
|
Returns the URL for the terms of service. |
209
|
|
|
|
|
|
|
|
210
|
|
|
|
|
|
|
B For L you can |
211
|
|
|
|
|
|
|
unofficially resolve against |
212
|
|
|
|
|
|
|
L to see the terms |
213
|
|
|
|
|
|
|
of service. |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
=cut |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
sub get_terms_of_service { |
218
|
1
|
|
|
1
|
1
|
494
|
my ($self) = @_; |
219
|
|
|
|
|
|
|
|
220
|
|
|
|
|
|
|
#We want to be able to call this as a class method. |
221
|
1
|
50
|
|
|
|
4
|
if (!ref $self) { |
222
|
0
|
|
|
|
|
0
|
$self = $self->new(); |
223
|
|
|
|
|
|
|
} |
224
|
|
|
|
|
|
|
|
225
|
1
|
|
|
|
|
6
|
my $dir = $self->_get_directory(); |
226
|
|
|
|
|
|
|
|
227
|
|
|
|
|
|
|
# Exceptions here indicate an ACME violation and should be |
228
|
|
|
|
|
|
|
# practically nonexistent. |
229
|
1
|
50
|
|
|
|
5
|
my $url = $dir->{'meta'} or _die_generic('No “meta” in directory!'); |
230
|
1
|
50
|
|
|
|
4
|
$url = $url->{'termsOfService'} or _die_generic('No “termsOfService” in directory metadata!'); |
231
|
|
|
|
|
|
|
|
232
|
1
|
|
|
|
|
4
|
return $url; |
233
|
|
|
|
|
|
|
} |
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
=head2 I->create_new_account( %OPTS ) |
236
|
|
|
|
|
|
|
|
237
|
|
|
|
|
|
|
Creates a new account using the ACME2 object’s key and the passed |
238
|
|
|
|
|
|
|
%OPTS, which are as described in the ACME2 spec (cf. C). |
239
|
|
|
|
|
|
|
Boolean values may be given as simple Perl booleans. |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
Returns 1 if the account is newly created |
242
|
|
|
|
|
|
|
or 0 if the account already existed. |
243
|
|
|
|
|
|
|
|
244
|
|
|
|
|
|
|
=cut |
245
|
|
|
|
|
|
|
|
246
|
|
|
|
|
|
|
sub create_new_account { |
247
|
2
|
|
|
2
|
1
|
683
|
my ($self, %opts) = @_; |
248
|
|
|
|
|
|
|
|
249
|
2
|
|
|
|
|
7
|
for my $name (newAccount_booleans()) { |
250
|
4
|
100
|
|
|
|
51
|
next if !exists $opts{$name}; |
251
|
1
|
|
33
|
|
|
6
|
($opts{$name} &&= JSON::true()) ||= JSON::false(); |
|
|
|
33
|
|
|
|
|
252
|
|
|
|
|
|
|
} |
253
|
|
|
|
|
|
|
|
254
|
2
|
|
|
|
|
9
|
my $resp = $self->_post( |
255
|
|
|
|
|
|
|
'newAccount', |
256
|
|
|
|
|
|
|
\%opts, |
257
|
|
|
|
|
|
|
); |
258
|
|
|
|
|
|
|
|
259
|
2
|
|
|
|
|
6
|
$self->{'_key_id'} = $resp->header('location'); |
260
|
|
|
|
|
|
|
|
261
|
2
|
|
|
|
|
21
|
$self->{'_ua'}->set_key_id( $self->{'_key_id'} ); |
262
|
|
|
|
|
|
|
|
263
|
2
|
100
|
|
|
|
34
|
return 0 if $resp->status() == 200; |
264
|
|
|
|
|
|
|
|
265
|
1
|
50
|
|
|
|
17
|
$resp->die_because_unexpected() if $resp->status() != 201; |
266
|
|
|
|
|
|
|
|
267
|
1
|
|
|
|
|
8
|
my $struct = $resp->content_struct(); |
268
|
|
|
|
|
|
|
|
269
|
1
|
50
|
|
|
|
14
|
if ($struct) { |
270
|
1
|
|
|
|
|
2
|
for my $name (newAccount_booleans()) { |
271
|
2
|
100
|
|
|
|
17
|
next if !exists $struct->{$name}; |
272
|
1
|
50
|
|
|
|
6
|
$struct->{$name} = $struct->{$name} ? 1 : 0; |
273
|
|
|
|
|
|
|
} |
274
|
|
|
|
|
|
|
} |
275
|
|
|
|
|
|
|
|
276
|
1
|
|
|
|
|
4
|
return 1; |
277
|
|
|
|
|
|
|
} |
278
|
|
|
|
|
|
|
|
279
|
|
|
|
|
|
|
#sub update_account { |
280
|
|
|
|
|
|
|
# my ($self, %opts) = @_; |
281
|
|
|
|
|
|
|
# |
282
|
|
|
|
|
|
|
# $self->_require_key_id(\%opts); |
283
|
|
|
|
|
|
|
# |
284
|
|
|
|
|
|
|
# my $set = $self->_post_url( |
285
|
|
|
|
|
|
|
# $opts{'kid'}, |
286
|
|
|
|
|
|
|
# \%opts, |
287
|
|
|
|
|
|
|
# ); |
288
|
|
|
|
|
|
|
# |
289
|
|
|
|
|
|
|
# return $set; |
290
|
|
|
|
|
|
|
#} |
291
|
|
|
|
|
|
|
|
292
|
|
|
|
|
|
|
=head2 I->create_new_order( %OPTS ) |
293
|
|
|
|
|
|
|
|
294
|
|
|
|
|
|
|
Returns a L object. %OPTS is as described in the |
295
|
|
|
|
|
|
|
ACME spec (cf. C). Boolean values may be given as simple |
296
|
|
|
|
|
|
|
Perl booleans. |
297
|
|
|
|
|
|
|
|
298
|
|
|
|
|
|
|
=cut |
299
|
|
|
|
|
|
|
|
300
|
|
|
|
|
|
|
sub create_new_order { |
301
|
0
|
|
|
0
|
1
|
0
|
my ($self, %opts) = @_; |
302
|
|
|
|
|
|
|
|
303
|
0
|
|
|
|
|
0
|
$self->_require_key_id(\%opts); |
304
|
|
|
|
|
|
|
|
305
|
0
|
|
|
|
|
0
|
my $resp = $self->_post( 'newOrder', \%opts ); |
306
|
|
|
|
|
|
|
|
307
|
0
|
0
|
|
|
|
0
|
$resp->die_because_unexpected() if $resp->status() != 201; |
308
|
|
|
|
|
|
|
|
309
|
|
|
|
|
|
|
return Net::ACME2::Order->new( |
310
|
|
|
|
|
|
|
id => $resp->header('location'), |
311
|
0
|
|
|
|
|
0
|
%{ $resp->content_struct() }, |
|
0
|
|
|
|
|
0
|
|
312
|
|
|
|
|
|
|
); |
313
|
|
|
|
|
|
|
} |
314
|
|
|
|
|
|
|
|
315
|
|
|
|
|
|
|
=head2 I->get_authorization( URL ) |
316
|
|
|
|
|
|
|
|
317
|
|
|
|
|
|
|
Fetches the authorization’s information based on the given URL |
318
|
|
|
|
|
|
|
and returns a L object. |
319
|
|
|
|
|
|
|
|
320
|
|
|
|
|
|
|
The URL is as given by L’s C method. |
321
|
|
|
|
|
|
|
|
322
|
|
|
|
|
|
|
=cut |
323
|
|
|
|
|
|
|
|
324
|
|
|
|
|
|
|
sub get_authorization { |
325
|
0
|
|
|
0
|
1
|
0
|
my ($self, $id) = @_; |
326
|
|
|
|
|
|
|
|
327
|
0
|
|
|
|
|
0
|
my $resp = $self->{'_ua'}->get($id); |
328
|
|
|
|
|
|
|
|
329
|
|
|
|
|
|
|
return Net::ACME2::Authorization->new( |
330
|
|
|
|
|
|
|
id => $id, |
331
|
0
|
|
|
|
|
0
|
%{ $resp->content_struct() }, |
|
0
|
|
|
|
|
0
|
|
332
|
|
|
|
|
|
|
); |
333
|
|
|
|
|
|
|
} |
334
|
|
|
|
|
|
|
|
335
|
|
|
|
|
|
|
#Server may not support! (Pebble doesn’t, and LE won’t?) |
336
|
|
|
|
|
|
|
#sub create_new_authorization { |
337
|
|
|
|
|
|
|
# my ($self, $type, $value) = @_; |
338
|
|
|
|
|
|
|
# |
339
|
|
|
|
|
|
|
# my %opts = ( |
340
|
|
|
|
|
|
|
# identifier => { type => $type, value => $value }, |
341
|
|
|
|
|
|
|
# ); |
342
|
|
|
|
|
|
|
# |
343
|
|
|
|
|
|
|
# $self->_require_key_id(\%opts); |
344
|
|
|
|
|
|
|
# |
345
|
|
|
|
|
|
|
# return $self->_post( 'newAuthz', \%opts ); |
346
|
|
|
|
|
|
|
#} |
347
|
|
|
|
|
|
|
|
348
|
|
|
|
|
|
|
#TODO: separate distribution? |
349
|
|
|
|
|
|
|
#sub __unix2iso { |
350
|
|
|
|
|
|
|
# my ($unix) = @_; |
351
|
|
|
|
|
|
|
# |
352
|
|
|
|
|
|
|
# my (@smhdmy) = gmtime $unix; |
353
|
|
|
|
|
|
|
# $smhdmy[5] += 1900; |
354
|
|
|
|
|
|
|
# $smhdmy[4]++; |
355
|
|
|
|
|
|
|
# |
356
|
|
|
|
|
|
|
# return join( q<>, |
357
|
|
|
|
|
|
|
# join( '-', @smhdmy[ 5, 4, 3 ] ), |
358
|
|
|
|
|
|
|
# 'T', |
359
|
|
|
|
|
|
|
# join( ':', @smhdmy[ 2, 1, 0 ] ), |
360
|
|
|
|
|
|
|
# 'Z', |
361
|
|
|
|
|
|
|
# ); |
362
|
|
|
|
|
|
|
#} |
363
|
|
|
|
|
|
|
|
364
|
|
|
|
|
|
|
=head2 I->make_key_authorization( CHALLENGE ) |
365
|
|
|
|
|
|
|
|
366
|
|
|
|
|
|
|
Accepts an instance of L (probably a subclass |
367
|
|
|
|
|
|
|
thereof) and returns |
368
|
|
|
|
|
|
|
a key authorization string suitable for handling the given CHALLENGE. |
369
|
|
|
|
|
|
|
See F in the distribution for example usage. |
370
|
|
|
|
|
|
|
|
371
|
|
|
|
|
|
|
If you’re using HTTP authorization and are on the same server as the |
372
|
|
|
|
|
|
|
domains’ document roots, then look at the handler logic in |
373
|
|
|
|
|
|
|
L for a potentially simpler way to |
374
|
|
|
|
|
|
|
handle HTTP challenges. |
375
|
|
|
|
|
|
|
|
376
|
|
|
|
|
|
|
=cut |
377
|
|
|
|
|
|
|
|
378
|
|
|
|
|
|
|
sub make_key_authorization { |
379
|
2
|
|
|
2
|
1
|
10
|
my ($self, $challenge_obj) = @_; |
380
|
|
|
|
|
|
|
|
381
|
2
|
50
|
|
|
|
7
|
_die_generic('Need a challenge object!') if !$challenge_obj; |
382
|
|
|
|
|
|
|
|
383
|
2
|
|
|
|
|
18
|
return $challenge_obj->token() . '.' . $self->_key_thumbprint(); |
384
|
|
|
|
|
|
|
} |
385
|
|
|
|
|
|
|
|
386
|
|
|
|
|
|
|
=head2 I->accept_challenge( CHALLENGE ) |
387
|
|
|
|
|
|
|
|
388
|
|
|
|
|
|
|
Signal to the ACME server that the CHALLENGE is ready. |
389
|
|
|
|
|
|
|
|
390
|
|
|
|
|
|
|
=cut |
391
|
|
|
|
|
|
|
|
392
|
|
|
|
|
|
|
sub accept_challenge { |
393
|
0
|
|
|
0
|
1
|
0
|
my ($self, $challenge_obj) = @_; |
394
|
|
|
|
|
|
|
|
395
|
0
|
|
|
|
|
0
|
my $post = $self->_post_url( |
396
|
|
|
|
|
|
|
$challenge_obj->url(), |
397
|
|
|
|
|
|
|
{ |
398
|
|
|
|
|
|
|
keyAuthorization => $self->make_key_authorization($challenge_obj), |
399
|
|
|
|
|
|
|
}, |
400
|
|
|
|
|
|
|
); |
401
|
|
|
|
|
|
|
|
402
|
0
|
|
|
|
|
0
|
return; |
403
|
|
|
|
|
|
|
} |
404
|
|
|
|
|
|
|
|
405
|
|
|
|
|
|
|
=head2 $status = I->poll_authorization( AUTHORIZATION ) |
406
|
|
|
|
|
|
|
|
407
|
|
|
|
|
|
|
Accepts a L instance and polls the |
408
|
|
|
|
|
|
|
ACME server for that authorization’s status. The AUTHORIZATION |
409
|
|
|
|
|
|
|
object is then updated with the results of the poll. |
410
|
|
|
|
|
|
|
|
411
|
|
|
|
|
|
|
As a courtesy, this returns the object’s new C. |
412
|
|
|
|
|
|
|
|
413
|
|
|
|
|
|
|
=cut |
414
|
|
|
|
|
|
|
|
415
|
|
|
|
|
|
|
#This has to handle updates to the authz and challenge objects |
416
|
|
|
|
|
|
|
*poll_authorization = *_poll_order_or_authz; |
417
|
|
|
|
|
|
|
|
418
|
|
|
|
|
|
|
=head2 $status = I->finalize_order( ORDER, CSR ) |
419
|
|
|
|
|
|
|
|
420
|
|
|
|
|
|
|
Finalizes an order and updates the ORDER object with the returned |
421
|
|
|
|
|
|
|
status. The CSR may be in either DER or PEM format. |
422
|
|
|
|
|
|
|
|
423
|
|
|
|
|
|
|
As a courtesy, this returns the ORDER’s C. If this does |
424
|
|
|
|
|
|
|
not equal C, then you should probably C |
425
|
|
|
|
|
|
|
until it does. |
426
|
|
|
|
|
|
|
|
427
|
|
|
|
|
|
|
=cut |
428
|
|
|
|
|
|
|
|
429
|
|
|
|
|
|
|
sub finalize_order { |
430
|
0
|
|
|
0
|
1
|
0
|
my ($self, $order_obj, $csr) = @_; |
431
|
|
|
|
|
|
|
|
432
|
0
|
|
|
|
|
0
|
my $csr_der; |
433
|
0
|
0
|
|
|
|
0
|
if (index($csr, '-----') == 0) { |
434
|
0
|
|
|
|
|
0
|
$csr_der = Crypt::Format::pem2der($csr); |
435
|
|
|
|
|
|
|
} |
436
|
|
|
|
|
|
|
else { |
437
|
0
|
|
|
|
|
0
|
$csr_der = $csr; |
438
|
|
|
|
|
|
|
} |
439
|
|
|
|
|
|
|
|
440
|
0
|
|
|
|
|
0
|
$csr = MIME::Base64::encode_base64url($csr_der); |
441
|
|
|
|
|
|
|
|
442
|
0
|
|
|
|
|
0
|
my $post = $self->_post_url( |
443
|
|
|
|
|
|
|
$order_obj->finalize(), |
444
|
|
|
|
|
|
|
{ |
445
|
|
|
|
|
|
|
csr => $csr, |
446
|
|
|
|
|
|
|
}, |
447
|
|
|
|
|
|
|
); |
448
|
|
|
|
|
|
|
|
449
|
0
|
|
|
|
|
0
|
my $content = $post->content_struct(); |
450
|
|
|
|
|
|
|
|
451
|
0
|
|
|
|
|
0
|
$order_obj->update($content); |
452
|
|
|
|
|
|
|
|
453
|
0
|
|
|
|
|
0
|
return $order_obj->status(); |
454
|
|
|
|
|
|
|
} |
455
|
|
|
|
|
|
|
|
456
|
|
|
|
|
|
|
=head2 I->poll_order( ORDER ) |
457
|
|
|
|
|
|
|
|
458
|
|
|
|
|
|
|
Like C but handles a |
459
|
|
|
|
|
|
|
L object instead. |
460
|
|
|
|
|
|
|
|
461
|
|
|
|
|
|
|
=cut |
462
|
|
|
|
|
|
|
|
463
|
|
|
|
|
|
|
*poll_order = *_poll_order_or_authz; |
464
|
|
|
|
|
|
|
|
465
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
466
|
|
|
|
|
|
|
|
467
|
|
|
|
|
|
|
sub _key_thumbprint { |
468
|
2
|
|
|
2
|
|
5
|
my ($self) = @_; |
469
|
|
|
|
|
|
|
|
470
|
2
|
|
66
|
|
|
13
|
return $self->{'_key_thumbprint'} ||= $self->_key_obj()->get_jwk_thumbprint( _JWK_THUMBPRINT_DIGEST() ); |
471
|
|
|
|
|
|
|
} |
472
|
|
|
|
|
|
|
|
473
|
|
|
|
|
|
|
sub _get_directory { |
474
|
5
|
|
|
5
|
|
8
|
my ($self) = @_; |
475
|
|
|
|
|
|
|
|
476
|
5
|
|
66
|
|
|
19
|
$self->{'_directory'} ||= do { |
477
|
1
|
|
|
|
|
5
|
my $dir_path = $self->DIRECTORY_PATH(); |
478
|
1
|
|
|
|
|
7
|
$self->{'_ua'}->get("https://$self->{'_host'}$dir_path")->content_struct(); |
479
|
|
|
|
|
|
|
}; |
480
|
|
|
|
|
|
|
|
481
|
5
|
50
|
|
|
|
26
|
my $new_nonce_url = $self->{'_directory'}{'newNonce'} or do { |
482
|
0
|
|
|
|
|
0
|
_die_generic('Directory is missing “newNonce”.'); |
483
|
|
|
|
|
|
|
}; |
484
|
|
|
|
|
|
|
|
485
|
5
|
|
|
|
|
28
|
$self->{'_ua'}->set_new_nonce_url( $new_nonce_url ); |
486
|
|
|
|
|
|
|
|
487
|
5
|
|
|
|
|
9
|
return $self->{'_directory'}; |
488
|
|
|
|
|
|
|
} |
489
|
|
|
|
|
|
|
|
490
|
|
|
|
|
|
|
sub _require_key_id { |
491
|
0
|
|
|
0
|
|
0
|
my ($self, $opts_hr) = @_; |
492
|
|
|
|
|
|
|
|
493
|
0
|
0
|
|
|
|
0
|
$opts_hr->{'_key_id'} = $self->{'_key_id'} or do { |
494
|
0
|
|
|
|
|
0
|
_die_generic('No key ID has been set. Either pass “key_id” to new(), or create_new_account().'); |
495
|
|
|
|
|
|
|
}; |
496
|
|
|
|
|
|
|
|
497
|
|
|
|
|
|
|
return |
498
|
0
|
|
|
|
|
0
|
} |
499
|
|
|
|
|
|
|
|
500
|
|
|
|
|
|
|
sub _poll_order_or_authz { |
501
|
0
|
|
|
0
|
|
0
|
my ($self, $order_or_authz_obj) = @_; |
502
|
|
|
|
|
|
|
|
503
|
0
|
|
|
|
|
0
|
my $get = $self->{'_ua'}->get( $order_or_authz_obj->id() ); |
504
|
|
|
|
|
|
|
|
505
|
0
|
|
|
|
|
0
|
my $content = $get->content_struct(); |
506
|
|
|
|
|
|
|
|
507
|
0
|
|
|
|
|
0
|
$order_or_authz_obj->update($content); |
508
|
|
|
|
|
|
|
|
509
|
0
|
|
|
|
|
0
|
return $order_or_authz_obj->status(); |
510
|
|
|
|
|
|
|
} |
511
|
|
|
|
|
|
|
|
512
|
|
|
|
|
|
|
sub _key_obj { |
513
|
3
|
|
|
3
|
|
8
|
my ($self) = @_; |
514
|
|
|
|
|
|
|
|
515
|
3
|
|
66
|
|
|
30
|
return $self->{'_key_obj'} ||= Crypt::Perl::PK::parse_key($self->{'_key'}); |
516
|
|
|
|
|
|
|
} |
517
|
|
|
|
|
|
|
|
518
|
|
|
|
|
|
|
sub _set_ua { |
519
|
2
|
|
|
2
|
|
5
|
my ($self) = @_; |
520
|
|
|
|
|
|
|
|
521
|
|
|
|
|
|
|
$self->{'_ua'} = Net::ACME2::HTTP->new( |
522
|
|
|
|
|
|
|
key => $self->_key_obj(), |
523
|
2
|
|
|
|
|
8
|
key_id => $self->{'_key_id'}, |
524
|
|
|
|
|
|
|
jws_format => $self->JWS_FORMAT(), |
525
|
|
|
|
|
|
|
); |
526
|
|
|
|
|
|
|
|
527
|
2
|
|
|
|
|
6
|
return; |
528
|
|
|
|
|
|
|
} |
529
|
|
|
|
|
|
|
|
530
|
|
|
|
|
|
|
our $_POST_METHOD; |
531
|
|
|
|
|
|
|
|
532
|
|
|
|
|
|
|
sub _post { |
533
|
2
|
|
|
2
|
|
7
|
my ( $self, $link_name, $data ) = @_; |
534
|
|
|
|
|
|
|
|
535
|
2
|
|
|
|
|
2
|
my $post_method; |
536
|
2
|
50
|
|
|
|
5
|
$post_method = 'post_full_jwt' if grep { $link_name eq $_ } FULL_JWT_METHODS(); |
|
4
|
|
|
|
|
12
|
|
537
|
|
|
|
|
|
|
|
538
|
|
|
|
|
|
|
# Since the $link_name will come from elsewhere in this module |
539
|
|
|
|
|
|
|
# there really shouldn’t be an error here, but just in case. |
540
|
2
|
50
|
|
|
|
5
|
my $url = $self->_get_directory()->{$link_name} or _die_generic("Unknown link name: “$link_name”"); |
541
|
|
|
|
|
|
|
|
542
|
2
|
|
|
|
|
8
|
return $self->_post_url( $url, $data, $post_method ); |
543
|
|
|
|
|
|
|
} |
544
|
|
|
|
|
|
|
|
545
|
|
|
|
|
|
|
sub _post_url { |
546
|
2
|
|
|
2
|
|
4
|
my ( $self, $url, $data, $opt_post_method ) = @_; |
547
|
|
|
|
|
|
|
|
548
|
|
|
|
|
|
|
#Do this in case we haven’t initialized the directory yet. |
549
|
|
|
|
|
|
|
#Initializing the directory is necessary to get a nonce. |
550
|
2
|
|
|
|
|
4
|
$self->_get_directory(); |
551
|
|
|
|
|
|
|
|
552
|
2
|
|
50
|
|
|
4
|
my $post_method = $opt_post_method || 'post_key_id'; |
553
|
|
|
|
|
|
|
|
554
|
2
|
|
|
|
|
7
|
return $self->{'_ua'}->$post_method( $url, $data ); |
555
|
|
|
|
|
|
|
} |
556
|
|
|
|
|
|
|
|
557
|
|
|
|
|
|
|
sub _die_generic { |
558
|
0
|
|
|
0
|
|
|
die Net::ACME2::X->create('Generic', @_); |
559
|
|
|
|
|
|
|
} |
560
|
|
|
|
|
|
|
|
561
|
|
|
|
|
|
|
1; |
562
|
|
|
|
|
|
|
|
563
|
|
|
|
|
|
|
=head1 TODO |
564
|
|
|
|
|
|
|
|
565
|
|
|
|
|
|
|
=over |
566
|
|
|
|
|
|
|
|
567
|
|
|
|
|
|
|
=item * Add pre-authorization support if there is ever a production |
568
|
|
|
|
|
|
|
use for it. |
569
|
|
|
|
|
|
|
|
570
|
|
|
|
|
|
|
=item * Expose the Retry-After header via the module API. |
571
|
|
|
|
|
|
|
|
572
|
|
|
|
|
|
|
=item * Add (more) tests. |
573
|
|
|
|
|
|
|
|
574
|
|
|
|
|
|
|
=back |
575
|
|
|
|
|
|
|
|
576
|
|
|
|
|
|
|
=head1 SEE ALSO |
577
|
|
|
|
|
|
|
|
578
|
|
|
|
|
|
|
L provides pure-Perl cryptography for this library. See the |
579
|
|
|
|
|
|
|
present library distribution’s F directory for sample usage |
580
|
|
|
|
|
|
|
to generate keys and CSRs. |
581
|
|
|
|
|
|
|
|
582
|
|
|
|
|
|
|
=cut |