line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Net::ACME2; |
2
|
|
|
|
|
|
|
|
3
|
2
|
|
|
2
|
|
328
|
use strict; |
|
2
|
|
|
|
|
2
|
|
|
2
|
|
|
|
|
40
|
|
4
|
2
|
|
|
2
|
|
7
|
use warnings; |
|
2
|
|
|
|
|
2
|
|
|
2
|
|
|
|
|
56
|
|
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
=encoding utf-8 |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
=head1 NAME |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
Net::ACME2 - L-standard ACME (Let’s Encrypt) client |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
X X X |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
=head1 SYNOPSIS |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
package SomeCA::ACME; |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
use parent qw( Net::ACME2 ); |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
use constant { |
21
|
|
|
|
|
|
|
HOST => 'acme.someca.net', |
22
|
|
|
|
|
|
|
DIRECTORY_PATH => '/acme-directory', |
23
|
|
|
|
|
|
|
}; |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
package main; |
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
my $acme = SomeCA::ACME->new( |
28
|
|
|
|
|
|
|
key => $account_key_pem_or_der, |
29
|
|
|
|
|
|
|
key_id => undef, |
30
|
|
|
|
|
|
|
); |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
#for a new account |
33
|
|
|
|
|
|
|
{ |
34
|
|
|
|
|
|
|
my $terms_url = $acme->get_terms_of_service(); |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
$acme->create_new_account( |
37
|
|
|
|
|
|
|
termsOfServiceAgreed => 1, |
38
|
|
|
|
|
|
|
); |
39
|
|
|
|
|
|
|
} |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
#Save $acme->key_id() somewhere so you can use it again. |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
my $order = $acme->create_new_order( |
44
|
|
|
|
|
|
|
identifiers => [ |
45
|
|
|
|
|
|
|
{ type => 'dns', value => '*.example.com' }, |
46
|
|
|
|
|
|
|
], |
47
|
|
|
|
|
|
|
); |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
my $authz = $acme->get_authorization( ($order->authorizations())[0] ); |
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
my @challenges = $authz->challenges(); |
52
|
|
|
|
|
|
|
|
53
|
|
|
|
|
|
|
# ... Pick a challenge, and satisfy it. |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
$acme->accept_challenge($challenge); |
56
|
|
|
|
|
|
|
|
57
|
|
|
|
|
|
|
sleep 1 while 'valid' ne $acme->poll_authorization($authz); |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
# ... Make a key and CSR for *.example.com |
60
|
|
|
|
|
|
|
|
61
|
|
|
|
|
|
|
$acme->finalize_order($order, $csr_pem_or_der); |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
while ($order->status() ne 'valid') { |
64
|
|
|
|
|
|
|
sleep 1; |
65
|
|
|
|
|
|
|
$acme->poll_order($order); |
66
|
|
|
|
|
|
|
} |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
my $certificate_url = $order->certificate(); |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
# ... Download your certificate! :) |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
See F in the distribution for more fleshed-out examples. |
73
|
|
|
|
|
|
|
|
74
|
|
|
|
|
|
|
To use L, see |
75
|
|
|
|
|
|
|
L. |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
=head1 DESCRIPTION |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
This library implements client logic for the L-standard ACME |
80
|
|
|
|
|
|
|
(Automated Certificate Management Environment) protocol. As of this |
81
|
|
|
|
|
|
|
writing, that protocol remains in development; the latest draft will |
82
|
|
|
|
|
|
|
be available from L. |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
Net::ACME2 derives from L, which implements the |
85
|
|
|
|
|
|
|
(significantly different) earlier draft of that protocol as initially |
86
|
|
|
|
|
|
|
deployed by L. |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
=head1 STATUS |
89
|
|
|
|
|
|
|
|
90
|
|
|
|
|
|
|
This is a beta-grade implementation. While the underlying protocol |
91
|
|
|
|
|
|
|
is L, |
92
|
|
|
|
|
|
|
it’s still not finalized; consequently, this distribution remains |
93
|
|
|
|
|
|
|
subject to change. It is expected that any further breaking changes |
94
|
|
|
|
|
|
|
will be small, but you still B check the changelog before upgrading! |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
=head1 FEATURES |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
=over |
99
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
=item * Support for both ECDSA and RSA encrytion. |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
=item * Support for http-01, dns-01, and tls-alpn-01 challenges. |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
=item * Comprehensive error handling with typed, L-based exceptions. |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
=item * This is a pure-Perl solution. Most of its dependencies are |
107
|
|
|
|
|
|
|
either core modules or pure Perl themselves. XS is necessary to |
108
|
|
|
|
|
|
|
communicate with the ACME server via TLS; however, most Perl installations |
109
|
|
|
|
|
|
|
already include the necessary logic (i.e., L) for TLS. |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
In short, Net::ACME2 will run anywhere that Perl can speak TLS, which is |
112
|
|
|
|
|
|
|
I everywhere that Perl runs. |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
=back |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
=head1 ERROR HANDLING |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
All thrown exceptions are instances of L. |
119
|
|
|
|
|
|
|
Specific error classes aren’t yet defined. |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
=head1 SPEED |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
If you notice speed problems, check to see if your L |
124
|
|
|
|
|
|
|
installation can be made faster. |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
=cut |
127
|
|
|
|
|
|
|
|
128
|
2
|
|
|
2
|
|
6
|
use Crypt::Format; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
30
|
|
129
|
2
|
|
|
2
|
|
329
|
use Crypt::Perl::PK; |
|
2
|
|
|
|
|
3811
|
|
|
2
|
|
|
|
|
40
|
|
130
|
2
|
|
|
2
|
|
357
|
use MIME::Base64 (); |
|
2
|
|
|
|
|
573
|
|
|
2
|
|
|
|
|
51
|
|
131
|
|
|
|
|
|
|
|
132
|
2
|
|
|
2
|
|
667
|
use Net::ACME2::HTTP; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
44
|
|
133
|
2
|
|
|
2
|
|
626
|
use Net::ACME2::Order; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
40
|
|
134
|
2
|
|
|
2
|
|
609
|
use Net::ACME2::Authorization; |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
63
|
|
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
our $VERSION = '0.21-TRIAL2'; |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
use constant { |
139
|
2
|
|
|
|
|
77
|
_JWK_THUMBPRINT_DIGEST => 'sha256', |
140
|
2
|
|
|
2
|
|
9
|
}; |
|
2
|
|
|
|
|
3
|
|
141
|
|
|
|
|
|
|
|
142
|
|
|
|
|
|
|
# accessed from test |
143
|
2
|
|
|
|
|
71
|
use constant newAccount_booleans => qw( |
144
|
|
|
|
|
|
|
termsOfServiceAgreed |
145
|
|
|
|
|
|
|
onlyReturnExisting |
146
|
2
|
|
|
2
|
|
7
|
); |
|
2
|
|
|
|
|
2
|
|
147
|
|
|
|
|
|
|
|
148
|
|
|
|
|
|
|
# the list of methods that need a “jwk” in their JWS Protected Header |
149
|
|
|
|
|
|
|
# (cf. section 6.2 of the spec) |
150
|
2
|
|
|
|
|
2097
|
use constant FULL_JWT_METHODS => qw( |
151
|
|
|
|
|
|
|
newAccount |
152
|
|
|
|
|
|
|
revokeCert |
153
|
2
|
|
|
2
|
|
6
|
); |
|
2
|
|
|
|
|
4
|
|
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
=head1 METHODS |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=head2 I->new( %OPTS ) |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
Instantiates an ACME2 object, which you’ll use for all |
160
|
|
|
|
|
|
|
interactions with the ACME server. %OPTS is: |
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
=over |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
=item * C - Required. The private key to associate with the ACME2 |
165
|
|
|
|
|
|
|
user. Anything that C can parse is acceptable. |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
=item * C - Optional. As returned by C. |
168
|
|
|
|
|
|
|
Saves a round-trip to the ACME2 server, so you should give this |
169
|
|
|
|
|
|
|
if you have it. |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
=item * C - Optional. A hash reference to use as the |
172
|
|
|
|
|
|
|
directory contents. Saves a round-trip to the ACME2 server, but there’s |
173
|
|
|
|
|
|
|
no built-in logic to determine when the cache goes invalid. Caveat |
174
|
|
|
|
|
|
|
emptor. |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
=back |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
=cut |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
sub new { |
181
|
7
|
|
|
7
|
1
|
6304
|
my ( $class, %opts ) = @_; |
182
|
|
|
|
|
|
|
|
183
|
7
|
50
|
|
|
|
26
|
_die_generic('Need “key”!') if !$opts{'key'}; |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
my $self = { |
186
|
|
|
|
|
|
|
_host => $class->HOST(), |
187
|
|
|
|
|
|
|
_key => $opts{'key'}, |
188
|
|
|
|
|
|
|
_key_id => $opts{'key_id'}, |
189
|
7
|
|
|
|
|
44
|
_directory => $opts{'directory'}, |
190
|
|
|
|
|
|
|
}; |
191
|
|
|
|
|
|
|
|
192
|
7
|
|
|
|
|
16
|
bless $self, $class; |
193
|
|
|
|
|
|
|
|
194
|
7
|
|
|
|
|
27
|
$self->_set_ua(); |
195
|
|
|
|
|
|
|
|
196
|
7
|
|
|
|
|
38
|
return $self; |
197
|
|
|
|
|
|
|
} |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
=head2 $id = I->key_id() |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
Returns the object’s cached key ID, either as given at instantiation |
202
|
|
|
|
|
|
|
or as fetched in C. |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
=cut |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
sub key_id { |
207
|
12
|
|
|
12
|
1
|
8814
|
my ($self) = @_; |
208
|
|
|
|
|
|
|
|
209
|
12
|
|
|
|
|
40
|
return $self->{'_key_id'}; |
210
|
|
|
|
|
|
|
} |
211
|
|
|
|
|
|
|
|
212
|
|
|
|
|
|
|
=head2 $url = I->get_terms_of_service() |
213
|
|
|
|
|
|
|
|
214
|
|
|
|
|
|
|
Returns the URL for the terms of service. |
215
|
|
|
|
|
|
|
|
216
|
|
|
|
|
|
|
B For L you can |
217
|
|
|
|
|
|
|
unofficially resolve against |
218
|
|
|
|
|
|
|
L to see the terms |
219
|
|
|
|
|
|
|
of service. |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
=cut |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
sub get_terms_of_service { |
224
|
6
|
|
|
6
|
1
|
3179
|
my ($self) = @_; |
225
|
|
|
|
|
|
|
|
226
|
|
|
|
|
|
|
#We want to be able to call this as a class method. |
227
|
6
|
50
|
|
|
|
25
|
if (!ref $self) { |
228
|
0
|
|
|
|
|
0
|
$self = $self->new(); |
229
|
|
|
|
|
|
|
} |
230
|
|
|
|
|
|
|
|
231
|
6
|
|
|
|
|
23
|
my $dir = $self->_get_directory(); |
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
# Exceptions here indicate an ACME violation and should be |
234
|
|
|
|
|
|
|
# practically nonexistent. |
235
|
6
|
50
|
|
|
|
19
|
my $url = $dir->{'meta'} or _die_generic('No “meta” in directory!'); |
236
|
6
|
50
|
|
|
|
17
|
$url = $url->{'termsOfService'} or _die_generic('No “termsOfService” in directory metadata!'); |
237
|
|
|
|
|
|
|
|
238
|
6
|
|
|
|
|
14
|
return $url; |
239
|
|
|
|
|
|
|
} |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
=head2 $created_yn = I->create_new_account( %OPTS ) |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
Creates a new account using the ACME2 object’s key and the passed |
244
|
|
|
|
|
|
|
%OPTS, which are as described in the ACME2 spec (cf. C). |
245
|
|
|
|
|
|
|
Boolean values may be given as simple Perl booleans. |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
Returns 1 if the account is newly created |
248
|
|
|
|
|
|
|
or 0 if the account already existed. |
249
|
|
|
|
|
|
|
|
250
|
|
|
|
|
|
|
=cut |
251
|
|
|
|
|
|
|
|
252
|
|
|
|
|
|
|
sub create_new_account { |
253
|
12
|
|
|
12
|
1
|
4377
|
my ($self, %opts) = @_; |
254
|
|
|
|
|
|
|
|
255
|
12
|
|
|
|
|
44
|
for my $name (newAccount_booleans()) { |
256
|
24
|
100
|
|
|
|
183
|
next if !exists $opts{$name}; |
257
|
6
|
|
33
|
|
|
44
|
($opts{$name} &&= JSON::true()) ||= JSON::false(); |
|
|
|
33
|
|
|
|
|
258
|
|
|
|
|
|
|
} |
259
|
|
|
|
|
|
|
|
260
|
12
|
|
|
|
|
44
|
my $resp = $self->_post( |
261
|
|
|
|
|
|
|
'newAccount', |
262
|
|
|
|
|
|
|
\%opts, |
263
|
|
|
|
|
|
|
); |
264
|
|
|
|
|
|
|
|
265
|
12
|
|
|
|
|
56
|
$self->{'_key_id'} = $resp->header('location'); |
266
|
|
|
|
|
|
|
|
267
|
12
|
|
|
|
|
120
|
$self->{'_ua'}->set_key_id( $self->{'_key_id'} ); |
268
|
|
|
|
|
|
|
|
269
|
12
|
100
|
|
|
|
194
|
return 0 if $resp->status() == 200; |
270
|
|
|
|
|
|
|
|
271
|
6
|
50
|
|
|
|
92
|
$resp->die_because_unexpected() if $resp->status() != 201; |
272
|
|
|
|
|
|
|
|
273
|
6
|
|
|
|
|
55
|
my $struct = $resp->content_struct(); |
274
|
|
|
|
|
|
|
|
275
|
6
|
50
|
|
|
|
69
|
if ($struct) { |
276
|
6
|
|
|
|
|
18
|
for my $name (newAccount_booleans()) { |
277
|
12
|
100
|
|
|
|
83
|
next if !exists $struct->{$name}; |
278
|
6
|
|
50
|
|
|
35
|
($struct->{$name} &&= 1) ||= 0; |
|
|
|
50
|
|
|
|
|
279
|
|
|
|
|
|
|
} |
280
|
|
|
|
|
|
|
} |
281
|
|
|
|
|
|
|
|
282
|
6
|
|
|
|
|
18
|
return 1; |
283
|
|
|
|
|
|
|
} |
284
|
|
|
|
|
|
|
|
285
|
|
|
|
|
|
|
#sub update_account { |
286
|
|
|
|
|
|
|
# my ($self, %opts) = @_; |
287
|
|
|
|
|
|
|
# |
288
|
|
|
|
|
|
|
# $self->_require_key_id(\%opts); |
289
|
|
|
|
|
|
|
# |
290
|
|
|
|
|
|
|
# my $set = $self->_post_url( |
291
|
|
|
|
|
|
|
# $opts{'kid'}, |
292
|
|
|
|
|
|
|
# \%opts, |
293
|
|
|
|
|
|
|
# ); |
294
|
|
|
|
|
|
|
# |
295
|
|
|
|
|
|
|
# return $set; |
296
|
|
|
|
|
|
|
#} |
297
|
|
|
|
|
|
|
|
298
|
|
|
|
|
|
|
=head2 $order = I->create_new_order( %OPTS ) |
299
|
|
|
|
|
|
|
|
300
|
|
|
|
|
|
|
Returns a L object. %OPTS is as described in the |
301
|
|
|
|
|
|
|
ACME spec (cf. C). Boolean values may be given as simple |
302
|
|
|
|
|
|
|
Perl booleans. |
303
|
|
|
|
|
|
|
|
304
|
|
|
|
|
|
|
=cut |
305
|
|
|
|
|
|
|
|
306
|
|
|
|
|
|
|
sub create_new_order { |
307
|
0
|
|
|
0
|
1
|
0
|
my ($self, %opts) = @_; |
308
|
|
|
|
|
|
|
|
309
|
0
|
|
|
|
|
0
|
$self->_require_key_id(\%opts); |
310
|
|
|
|
|
|
|
|
311
|
0
|
|
|
|
|
0
|
my $resp = $self->_post( 'newOrder', \%opts ); |
312
|
|
|
|
|
|
|
|
313
|
0
|
0
|
|
|
|
0
|
$resp->die_because_unexpected() if $resp->status() != 201; |
314
|
|
|
|
|
|
|
|
315
|
|
|
|
|
|
|
return Net::ACME2::Order->new( |
316
|
|
|
|
|
|
|
id => $resp->header('location'), |
317
|
0
|
|
|
|
|
0
|
%{ $resp->content_struct() }, |
|
0
|
|
|
|
|
0
|
|
318
|
|
|
|
|
|
|
); |
319
|
|
|
|
|
|
|
} |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
=head2 $authz = I->get_authorization( $URL ) |
322
|
|
|
|
|
|
|
|
323
|
|
|
|
|
|
|
Fetches the authorization’s information based on the given $URL |
324
|
|
|
|
|
|
|
and returns a L object. |
325
|
|
|
|
|
|
|
|
326
|
|
|
|
|
|
|
The URL is as given by L’s C method. |
327
|
|
|
|
|
|
|
|
328
|
|
|
|
|
|
|
=cut |
329
|
|
|
|
|
|
|
|
330
|
|
|
|
|
|
|
sub get_authorization { |
331
|
0
|
|
|
0
|
1
|
0
|
my ($self, $id) = @_; |
332
|
|
|
|
|
|
|
|
333
|
0
|
|
|
|
|
0
|
my $resp = $self->{'_ua'}->get($id); |
334
|
|
|
|
|
|
|
|
335
|
|
|
|
|
|
|
return Net::ACME2::Authorization->new( |
336
|
|
|
|
|
|
|
id => $id, |
337
|
0
|
|
|
|
|
0
|
%{ $resp->content_struct() }, |
|
0
|
|
|
|
|
0
|
|
338
|
|
|
|
|
|
|
); |
339
|
|
|
|
|
|
|
} |
340
|
|
|
|
|
|
|
|
341
|
|
|
|
|
|
|
#Server may not support! (Pebble doesn’t, and LE won’t?) |
342
|
|
|
|
|
|
|
#sub create_new_authorization { |
343
|
|
|
|
|
|
|
# my ($self, $type, $value) = @_; |
344
|
|
|
|
|
|
|
# |
345
|
|
|
|
|
|
|
# my %opts = ( |
346
|
|
|
|
|
|
|
# identifier => { type => $type, value => $value }, |
347
|
|
|
|
|
|
|
# ); |
348
|
|
|
|
|
|
|
# |
349
|
|
|
|
|
|
|
# $self->_require_key_id(\%opts); |
350
|
|
|
|
|
|
|
# |
351
|
|
|
|
|
|
|
# return $self->_post( 'newAuthz', \%opts ); |
352
|
|
|
|
|
|
|
#} |
353
|
|
|
|
|
|
|
|
354
|
|
|
|
|
|
|
#TODO: separate distribution? |
355
|
|
|
|
|
|
|
#sub __unix2iso { |
356
|
|
|
|
|
|
|
# my ($unix) = @_; |
357
|
|
|
|
|
|
|
# |
358
|
|
|
|
|
|
|
# my (@smhdmy) = gmtime $unix; |
359
|
|
|
|
|
|
|
# $smhdmy[5] += 1900; |
360
|
|
|
|
|
|
|
# $smhdmy[4]++; |
361
|
|
|
|
|
|
|
# |
362
|
|
|
|
|
|
|
# return join( q<>, |
363
|
|
|
|
|
|
|
# join( '-', @smhdmy[ 5, 4, 3 ] ), |
364
|
|
|
|
|
|
|
# 'T', |
365
|
|
|
|
|
|
|
# join( ':', @smhdmy[ 2, 1, 0 ] ), |
366
|
|
|
|
|
|
|
# 'Z', |
367
|
|
|
|
|
|
|
# ); |
368
|
|
|
|
|
|
|
#} |
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
=head2 $str = I->make_key_authorization( $CHALLENGE ) |
371
|
|
|
|
|
|
|
|
372
|
|
|
|
|
|
|
Accepts an instance of L (probably a subclass |
373
|
|
|
|
|
|
|
thereof) and returns |
374
|
|
|
|
|
|
|
a key authorization string suitable for handling the given $CHALLENGE. |
375
|
|
|
|
|
|
|
See F in the distribution for example usage. |
376
|
|
|
|
|
|
|
|
377
|
|
|
|
|
|
|
If you’re using HTTP authorization and are on the same server as the |
378
|
|
|
|
|
|
|
domains’ document roots, then look at the handler logic in |
379
|
|
|
|
|
|
|
L for a potentially simpler way to |
380
|
|
|
|
|
|
|
handle HTTP challenges. |
381
|
|
|
|
|
|
|
|
382
|
|
|
|
|
|
|
=cut |
383
|
|
|
|
|
|
|
|
384
|
|
|
|
|
|
|
sub make_key_authorization { |
385
|
2
|
|
|
2
|
1
|
13
|
my ($self, $challenge_obj) = @_; |
386
|
|
|
|
|
|
|
|
387
|
2
|
50
|
|
|
|
8
|
_die_generic('Need a challenge object!') if !$challenge_obj; |
388
|
|
|
|
|
|
|
|
389
|
2
|
|
|
|
|
17
|
return $challenge_obj->token() . '.' . $self->_key_thumbprint(); |
390
|
|
|
|
|
|
|
} |
391
|
|
|
|
|
|
|
|
392
|
|
|
|
|
|
|
=head2 I->accept_challenge( CHALLENGE ) |
393
|
|
|
|
|
|
|
|
394
|
|
|
|
|
|
|
Signal to the ACME server that the CHALLENGE is ready. |
395
|
|
|
|
|
|
|
|
396
|
|
|
|
|
|
|
=cut |
397
|
|
|
|
|
|
|
|
398
|
|
|
|
|
|
|
sub accept_challenge { |
399
|
0
|
|
|
0
|
1
|
0
|
my ($self, $challenge_obj) = @_; |
400
|
|
|
|
|
|
|
|
401
|
0
|
|
|
|
|
0
|
$self->_post_url( |
402
|
|
|
|
|
|
|
$challenge_obj->url(), |
403
|
|
|
|
|
|
|
{ |
404
|
|
|
|
|
|
|
keyAuthorization => $self->make_key_authorization($challenge_obj), |
405
|
|
|
|
|
|
|
}, |
406
|
|
|
|
|
|
|
); |
407
|
|
|
|
|
|
|
|
408
|
0
|
|
|
|
|
0
|
return; |
409
|
|
|
|
|
|
|
} |
410
|
|
|
|
|
|
|
|
411
|
|
|
|
|
|
|
=head2 $status = I->poll_authorization( $AUTHORIZATION ) |
412
|
|
|
|
|
|
|
|
413
|
|
|
|
|
|
|
Accepts a L instance and polls the |
414
|
|
|
|
|
|
|
ACME server for that authorization’s status. The AUTHORIZATION |
415
|
|
|
|
|
|
|
object is then updated with the results of the poll. |
416
|
|
|
|
|
|
|
|
417
|
|
|
|
|
|
|
As a courtesy, this returns the object’s new C. |
418
|
|
|
|
|
|
|
|
419
|
|
|
|
|
|
|
=cut |
420
|
|
|
|
|
|
|
|
421
|
|
|
|
|
|
|
#This has to handle updates to the authz and challenge objects |
422
|
|
|
|
|
|
|
*poll_authorization = *_poll_order_or_authz; |
423
|
|
|
|
|
|
|
|
424
|
|
|
|
|
|
|
=head2 $status = I->finalize_order( $ORDER, $CSR ) |
425
|
|
|
|
|
|
|
|
426
|
|
|
|
|
|
|
Finalizes an order and updates the $ORDER object with the returned |
427
|
|
|
|
|
|
|
status. $CSR may be in either DER or PEM format. |
428
|
|
|
|
|
|
|
|
429
|
|
|
|
|
|
|
As a courtesy, this returns the $ORDER’s C. If this does |
430
|
|
|
|
|
|
|
not equal C, then you should probably C |
431
|
|
|
|
|
|
|
until it does. |
432
|
|
|
|
|
|
|
|
433
|
|
|
|
|
|
|
=cut |
434
|
|
|
|
|
|
|
|
435
|
|
|
|
|
|
|
sub finalize_order { |
436
|
0
|
|
|
0
|
1
|
0
|
my ($self, $order_obj, $csr) = @_; |
437
|
|
|
|
|
|
|
|
438
|
0
|
|
|
|
|
0
|
my $csr_der; |
439
|
0
|
0
|
|
|
|
0
|
if (index($csr, '-----') == 0) { |
440
|
0
|
|
|
|
|
0
|
$csr_der = Crypt::Format::pem2der($csr); |
441
|
|
|
|
|
|
|
} |
442
|
|
|
|
|
|
|
else { |
443
|
0
|
|
|
|
|
0
|
$csr_der = $csr; |
444
|
|
|
|
|
|
|
} |
445
|
|
|
|
|
|
|
|
446
|
0
|
|
|
|
|
0
|
$csr = MIME::Base64::encode_base64url($csr_der); |
447
|
|
|
|
|
|
|
|
448
|
0
|
|
|
|
|
0
|
my $post = $self->_post_url( |
449
|
|
|
|
|
|
|
$order_obj->finalize(), |
450
|
|
|
|
|
|
|
{ |
451
|
|
|
|
|
|
|
csr => $csr, |
452
|
|
|
|
|
|
|
}, |
453
|
|
|
|
|
|
|
); |
454
|
|
|
|
|
|
|
|
455
|
0
|
|
|
|
|
0
|
my $content = $post->content_struct(); |
456
|
|
|
|
|
|
|
|
457
|
0
|
|
|
|
|
0
|
$order_obj->update($content); |
458
|
|
|
|
|
|
|
|
459
|
0
|
|
|
|
|
0
|
return $order_obj->status(); |
460
|
|
|
|
|
|
|
} |
461
|
|
|
|
|
|
|
|
462
|
|
|
|
|
|
|
=head2 $status = I->poll_order( $ORDER ) |
463
|
|
|
|
|
|
|
|
464
|
|
|
|
|
|
|
Like C but handles a |
465
|
|
|
|
|
|
|
L object instead. |
466
|
|
|
|
|
|
|
|
467
|
|
|
|
|
|
|
=cut |
468
|
|
|
|
|
|
|
|
469
|
|
|
|
|
|
|
*poll_order = *_poll_order_or_authz; |
470
|
|
|
|
|
|
|
|
471
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
472
|
|
|
|
|
|
|
|
473
|
|
|
|
|
|
|
sub _key_thumbprint { |
474
|
2
|
|
|
2
|
|
5
|
my ($self) = @_; |
475
|
|
|
|
|
|
|
|
476
|
2
|
|
66
|
|
|
17
|
return $self->{'_key_thumbprint'} ||= $self->_key_obj()->get_jwk_thumbprint( _JWK_THUMBPRINT_DIGEST() ); |
477
|
|
|
|
|
|
|
} |
478
|
|
|
|
|
|
|
|
479
|
|
|
|
|
|
|
sub _get_directory { |
480
|
30
|
|
|
30
|
|
40
|
my ($self) = @_; |
481
|
|
|
|
|
|
|
|
482
|
30
|
|
66
|
|
|
82
|
$self->{'_directory'} ||= do { |
483
|
6
|
|
|
|
|
21
|
my $dir_path = $self->DIRECTORY_PATH(); |
484
|
6
|
|
|
|
|
100
|
$self->{'_ua'}->get("https://$self->{'_host'}$dir_path")->content_struct(); |
485
|
|
|
|
|
|
|
}; |
486
|
|
|
|
|
|
|
|
487
|
30
|
50
|
|
|
|
131
|
my $new_nonce_url = $self->{'_directory'}{'newNonce'} or do { |
488
|
0
|
|
|
|
|
0
|
_die_generic('Directory is missing “newNonce”.'); |
489
|
|
|
|
|
|
|
}; |
490
|
|
|
|
|
|
|
|
491
|
30
|
|
|
|
|
161
|
$self->{'_ua'}->set_new_nonce_url( $new_nonce_url ); |
492
|
|
|
|
|
|
|
|
493
|
30
|
|
|
|
|
80
|
return $self->{'_directory'}; |
494
|
|
|
|
|
|
|
} |
495
|
|
|
|
|
|
|
|
496
|
|
|
|
|
|
|
sub _require_key_id { |
497
|
0
|
|
|
0
|
|
0
|
my ($self, $opts_hr) = @_; |
498
|
|
|
|
|
|
|
|
499
|
0
|
0
|
|
|
|
0
|
$opts_hr->{'_key_id'} = $self->{'_key_id'} or do { |
500
|
0
|
|
|
|
|
0
|
_die_generic('No key ID has been set. Either pass “key_id” to new(), or create_new_account().'); |
501
|
|
|
|
|
|
|
}; |
502
|
|
|
|
|
|
|
|
503
|
|
|
|
|
|
|
return |
504
|
0
|
|
|
|
|
0
|
} |
505
|
|
|
|
|
|
|
|
506
|
|
|
|
|
|
|
sub _poll_order_or_authz { |
507
|
0
|
|
|
0
|
|
0
|
my ($self, $order_or_authz_obj) = @_; |
508
|
|
|
|
|
|
|
|
509
|
0
|
|
|
|
|
0
|
my $get = $self->{'_ua'}->get( $order_or_authz_obj->id() ); |
510
|
|
|
|
|
|
|
|
511
|
0
|
|
|
|
|
0
|
my $content = $get->content_struct(); |
512
|
|
|
|
|
|
|
|
513
|
0
|
|
|
|
|
0
|
$order_or_authz_obj->update($content); |
514
|
|
|
|
|
|
|
|
515
|
0
|
|
|
|
|
0
|
return $order_or_authz_obj->status(); |
516
|
|
|
|
|
|
|
} |
517
|
|
|
|
|
|
|
|
518
|
|
|
|
|
|
|
sub _key_obj { |
519
|
8
|
|
|
8
|
|
21
|
my ($self) = @_; |
520
|
|
|
|
|
|
|
|
521
|
8
|
|
66
|
|
|
73
|
return $self->{'_key_obj'} ||= Crypt::Perl::PK::parse_key($self->{'_key'}); |
522
|
|
|
|
|
|
|
} |
523
|
|
|
|
|
|
|
|
524
|
|
|
|
|
|
|
sub _set_ua { |
525
|
7
|
|
|
7
|
|
16
|
my ($self) = @_; |
526
|
|
|
|
|
|
|
|
527
|
|
|
|
|
|
|
$self->{'_ua'} = Net::ACME2::HTTP->new( |
528
|
|
|
|
|
|
|
key => $self->_key_obj(), |
529
|
7
|
|
|
|
|
27
|
key_id => $self->{'_key_id'}, |
530
|
|
|
|
|
|
|
); |
531
|
|
|
|
|
|
|
|
532
|
7
|
|
|
|
|
19
|
return; |
533
|
|
|
|
|
|
|
} |
534
|
|
|
|
|
|
|
|
535
|
|
|
|
|
|
|
our $_POST_METHOD; |
536
|
|
|
|
|
|
|
|
537
|
|
|
|
|
|
|
sub _post { |
538
|
12
|
|
|
12
|
|
29
|
my ( $self, $link_name, $data ) = @_; |
539
|
|
|
|
|
|
|
|
540
|
12
|
|
|
|
|
21
|
my $post_method; |
541
|
12
|
50
|
|
|
|
30
|
$post_method = 'post_full_jwt' if grep { $link_name eq $_ } FULL_JWT_METHODS(); |
|
24
|
|
|
|
|
63
|
|
542
|
|
|
|
|
|
|
|
543
|
|
|
|
|
|
|
# Since the $link_name will come from elsewhere in this module |
544
|
|
|
|
|
|
|
# there really shouldn’t be an error here, but just in case. |
545
|
12
|
50
|
|
|
|
40
|
my $url = $self->_get_directory()->{$link_name} or _die_generic("Unknown link name: “$link_name”"); |
546
|
|
|
|
|
|
|
|
547
|
12
|
|
|
|
|
46
|
return $self->_post_url( $url, $data, $post_method ); |
548
|
|
|
|
|
|
|
} |
549
|
|
|
|
|
|
|
|
550
|
|
|
|
|
|
|
sub _post_url { |
551
|
12
|
|
|
12
|
|
28
|
my ( $self, $url, $data, $opt_post_method ) = @_; |
552
|
|
|
|
|
|
|
|
553
|
|
|
|
|
|
|
#Do this in case we haven’t initialized the directory yet. |
554
|
|
|
|
|
|
|
#Initializing the directory is necessary to get a nonce. |
555
|
12
|
|
|
|
|
29
|
$self->_get_directory(); |
556
|
|
|
|
|
|
|
|
557
|
12
|
|
50
|
|
|
28
|
my $post_method = $opt_post_method || 'post_key_id'; |
558
|
|
|
|
|
|
|
|
559
|
12
|
|
|
|
|
41
|
return $self->{'_ua'}->$post_method( $url, $data ); |
560
|
|
|
|
|
|
|
} |
561
|
|
|
|
|
|
|
|
562
|
|
|
|
|
|
|
sub _die_generic { |
563
|
0
|
|
|
0
|
|
|
die Net::ACME2::X->create('Generic', @_); |
564
|
|
|
|
|
|
|
} |
565
|
|
|
|
|
|
|
|
566
|
|
|
|
|
|
|
1; |
567
|
|
|
|
|
|
|
|
568
|
|
|
|
|
|
|
=head1 TODO |
569
|
|
|
|
|
|
|
|
570
|
|
|
|
|
|
|
=over |
571
|
|
|
|
|
|
|
|
572
|
|
|
|
|
|
|
=item * Add pre-authorization support if there is ever a production |
573
|
|
|
|
|
|
|
use for it. |
574
|
|
|
|
|
|
|
|
575
|
|
|
|
|
|
|
=item * Expose the Retry-After header via the module API. |
576
|
|
|
|
|
|
|
|
577
|
|
|
|
|
|
|
=item * Add (more) tests. |
578
|
|
|
|
|
|
|
|
579
|
|
|
|
|
|
|
=back |
580
|
|
|
|
|
|
|
|
581
|
|
|
|
|
|
|
=head1 SEE ALSO |
582
|
|
|
|
|
|
|
|
583
|
|
|
|
|
|
|
L provides pure-Perl cryptography for this library. See the |
584
|
|
|
|
|
|
|
present library distribution’s F directory for sample usage |
585
|
|
|
|
|
|
|
to generate keys and CSRs. |
586
|
|
|
|
|
|
|
|
587
|
|
|
|
|
|
|
=cut |