line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Net::ACME2::HTTP; |
2
|
|
|
|
|
|
|
|
3
|
|
|
|
|
|
|
=encoding utf-8 |
4
|
|
|
|
|
|
|
|
5
|
|
|
|
|
|
|
=head1 NAME |
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
Net::ACME2::HTTP - transport logic for C. |
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
=head1 DESCRIPTION |
10
|
|
|
|
|
|
|
|
11
|
|
|
|
|
|
|
This module handles communication with an ACME server at the HTTP level. |
12
|
|
|
|
|
|
|
It wraps POSTs in JWSes (JSON Web Signatures) as needed. |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
There should be no reason to interact with this class in production. |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
=cut |
17
|
|
|
|
|
|
|
|
18
|
2
|
|
|
2
|
|
14
|
use strict; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
55
|
|
19
|
2
|
|
|
2
|
|
10
|
use warnings; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
54
|
|
20
|
|
|
|
|
|
|
|
21
|
2
|
|
|
2
|
|
709
|
use JSON (); |
|
2
|
|
|
|
|
15080
|
|
|
2
|
|
|
|
|
52
|
|
22
|
|
|
|
|
|
|
|
23
|
2
|
|
|
2
|
|
987
|
use Net::ACME2::Error (); |
|
2
|
|
|
|
|
6
|
|
|
2
|
|
|
|
|
44
|
|
24
|
2
|
|
|
2
|
|
509
|
use Net::ACME2::HTTP_Tiny (); |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
42
|
|
25
|
2
|
|
|
2
|
|
874
|
use Net::ACME2::HTTP::Response (); |
|
2
|
|
|
|
|
6
|
|
|
2
|
|
|
|
|
38
|
|
26
|
2
|
|
|
2
|
|
10
|
use Net::ACME2::X (); |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
38
|
|
27
|
|
|
|
|
|
|
|
28
|
2
|
|
|
2
|
|
10
|
use constant _CONTENT_TYPE => 'application/jose+json'; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
2237
|
|
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
#accessed from tests |
31
|
|
|
|
|
|
|
our $_NONCE_HEADER = 'replay-nonce'; |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
#Used in testing |
34
|
|
|
|
|
|
|
our $verify_SSL = 1; |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
#NB: “key” isn’t needed if we’re just doing GETs. |
37
|
|
|
|
|
|
|
sub new { |
38
|
7
|
|
|
7
|
0
|
912859
|
my ( $class, %opts ) = @_; |
39
|
|
|
|
|
|
|
|
40
|
7
|
50
|
|
|
|
37
|
die Net::ACME2::X->create('Generic', 'need “key”!') if !$opts{'key'}; |
41
|
|
|
|
|
|
|
|
42
|
7
|
|
|
|
|
113
|
my $ua = Net::ACME2::HTTP_Tiny->new( verify_SSL => $verify_SSL ); |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
my $self = bless { |
45
|
|
|
|
|
|
|
_ua => $ua, |
46
|
|
|
|
|
|
|
_acme_key => $opts{'key'}, |
47
|
7
|
|
|
|
|
38
|
_key_id => $opts{'key_id'}, |
48
|
|
|
|
|
|
|
}, $class; |
49
|
|
|
|
|
|
|
|
50
|
7
|
|
|
|
|
33
|
return bless $self, $class; |
51
|
|
|
|
|
|
|
} |
52
|
|
|
|
|
|
|
|
53
|
|
|
|
|
|
|
sub set_key_id { |
54
|
12
|
|
|
12
|
0
|
28
|
my ($self, $key_id) = @_; |
55
|
|
|
|
|
|
|
|
56
|
12
|
|
|
|
|
33
|
$self->{'_key_id'} = $key_id; |
57
|
|
|
|
|
|
|
|
58
|
12
|
|
|
|
|
21
|
return $self; |
59
|
|
|
|
|
|
|
} |
60
|
|
|
|
|
|
|
|
61
|
|
|
|
|
|
|
sub set_new_nonce_url { |
62
|
30
|
|
|
30
|
0
|
53
|
my ($self, $url) = @_; |
63
|
|
|
|
|
|
|
|
64
|
30
|
|
|
|
|
52
|
$self->{'_nonce_url'} = $url; |
65
|
|
|
|
|
|
|
|
66
|
30
|
|
|
|
|
43
|
return $self; |
67
|
|
|
|
|
|
|
} |
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
#GETs submit no data and thus are not signed. |
70
|
|
|
|
|
|
|
sub get { |
71
|
6
|
|
|
6
|
0
|
20
|
my ( $self, $url ) = @_; |
72
|
|
|
|
|
|
|
|
73
|
6
|
|
|
|
|
27
|
return $self->_request( 'GET', $url ); |
74
|
|
|
|
|
|
|
} |
75
|
|
|
|
|
|
|
|
76
|
|
|
|
|
|
|
# ACME spec 6.2: for all requests not signed using an existing account, |
77
|
|
|
|
|
|
|
# e.g., newAccount |
78
|
|
|
|
|
|
|
sub post_full_jwt { |
79
|
12
|
|
|
12
|
0
|
18
|
my $self = shift; |
80
|
|
|
|
|
|
|
|
81
|
12
|
|
|
|
|
51
|
return $self->_post( 'create_full_jws', @_ ); |
82
|
|
|
|
|
|
|
} |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
# ACME spec 6.2: for all requests signed using an existing account |
85
|
|
|
|
|
|
|
sub post_key_id { |
86
|
0
|
|
|
0
|
0
|
0
|
my $self = shift; |
87
|
|
|
|
|
|
|
|
88
|
0
|
|
|
|
|
0
|
return $self->_post( |
89
|
|
|
|
|
|
|
'create_key_id_jws', |
90
|
|
|
|
|
|
|
@_, |
91
|
|
|
|
|
|
|
); |
92
|
|
|
|
|
|
|
} |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
#POSTs are signed. |
97
|
|
|
|
|
|
|
sub _post { |
98
|
12
|
|
|
12
|
|
31
|
my ( $self, $jwt_method, $url, $data, $opts_hr ) = @_; |
99
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
# Shouldn’t be needed because the constructor requires “key”, |
101
|
|
|
|
|
|
|
# but just in case. |
102
|
12
|
50
|
|
|
|
34
|
die "Constructor needed “key” to do POST! ($url)" if !$self->{'_acme_key'}; |
103
|
|
|
|
|
|
|
|
104
|
12
|
|
|
|
|
41
|
my $jws = $self->_create_jwt( $jwt_method, $url, $data ); |
105
|
|
|
|
|
|
|
|
106
|
12
|
|
|
|
|
69
|
local $opts_hr->{'headers'}{'Content-Type'} = 'application/jose+json'; |
107
|
|
|
|
|
|
|
|
108
|
12
|
|
33
|
|
|
105
|
return $self->_request_and_set_last_nonce( |
109
|
|
|
|
|
|
|
'POST', |
110
|
|
|
|
|
|
|
$url, |
111
|
|
|
|
|
|
|
{ |
112
|
|
|
|
|
|
|
content => $jws, |
113
|
|
|
|
|
|
|
headers => { |
114
|
|
|
|
|
|
|
'content-type' => _CONTENT_TYPE, |
115
|
|
|
|
|
|
|
}, |
116
|
|
|
|
|
|
|
}, |
117
|
|
|
|
|
|
|
$opts_hr || (), |
118
|
|
|
|
|
|
|
); |
119
|
|
|
|
|
|
|
} |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
sub _ua_request { |
122
|
24
|
|
|
24
|
|
59
|
my ( $self, $type, @args ) = @_; |
123
|
|
|
|
|
|
|
|
124
|
24
|
|
|
|
|
124
|
return $self->{'_ua'}->request( $type, @args ); |
125
|
|
|
|
|
|
|
} |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
#overridden in tests |
128
|
|
|
|
|
|
|
sub _request { |
129
|
24
|
|
|
24
|
|
63
|
my ( $self, $type, @args ) = @_; |
130
|
|
|
|
|
|
|
|
131
|
24
|
|
|
|
|
35
|
my $resp; |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
#cf. eval_bug.readme |
134
|
24
|
|
|
|
|
40
|
my $eval_err = $@; |
135
|
|
|
|
|
|
|
|
136
|
24
|
|
|
|
|
37
|
eval { $resp = $self->_ua_request( $type, @args ); }; |
|
24
|
|
|
|
|
84
|
|
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
# Check ref() first to avoid potentially running overload.pm’s |
139
|
|
|
|
|
|
|
# stringification. |
140
|
24
|
50
|
33
|
|
|
138
|
if (ref($@) || $@) { |
141
|
0
|
|
|
|
|
0
|
my $exc = $@; |
142
|
|
|
|
|
|
|
|
143
|
0
|
0
|
|
|
|
0
|
if ( eval { $exc->isa('Net::ACME2::X::HTTP::Protocol') } ) { |
|
0
|
|
|
|
|
0
|
|
144
|
0
|
|
|
|
|
0
|
my $_nonce_header_lc = $_NONCE_HEADER; |
145
|
0
|
|
|
|
|
0
|
$_nonce_header_lc =~ tr; |
146
|
|
|
|
|
|
|
|
147
|
0
|
|
|
|
|
0
|
my $nonce = $exc->get('headers')->{$_nonce_header_lc}; |
148
|
0
|
0
|
|
|
|
0
|
$self->{'_last_nonce'} = $nonce if $nonce; |
149
|
|
|
|
|
|
|
|
150
|
|
|
|
|
|
|
#If the exception is able to be made into a Net::ACME2::Error, |
151
|
|
|
|
|
|
|
#then do so to get a nicer error message. |
152
|
0
|
|
|
|
|
0
|
my $acme_error = eval { |
153
|
|
|
|
|
|
|
Net::ACME2::Error->new( |
154
|
0
|
|
|
|
|
0
|
%{ JSON::decode_json( $exc->get('content') ) }, |
|
0
|
|
|
|
|
0
|
|
155
|
|
|
|
|
|
|
); |
156
|
|
|
|
|
|
|
}; |
157
|
|
|
|
|
|
|
|
158
|
0
|
0
|
|
|
|
0
|
if ($acme_error) { |
159
|
0
|
|
|
|
|
0
|
die Net::ACME2::X->create( |
160
|
|
|
|
|
|
|
'ACME', |
161
|
|
|
|
|
|
|
{ |
162
|
|
|
|
|
|
|
http => $exc, |
163
|
|
|
|
|
|
|
acme => $acme_error, |
164
|
|
|
|
|
|
|
}, |
165
|
|
|
|
|
|
|
); |
166
|
|
|
|
|
|
|
} |
167
|
|
|
|
|
|
|
} |
168
|
|
|
|
|
|
|
|
169
|
0
|
|
|
|
|
0
|
$@ = $exc; |
170
|
0
|
|
|
|
|
0
|
die; |
171
|
|
|
|
|
|
|
} |
172
|
|
|
|
|
|
|
|
173
|
24
|
|
|
|
|
45
|
$@ = $eval_err; |
174
|
|
|
|
|
|
|
|
175
|
24
|
|
|
|
|
99
|
return Net::ACME2::HTTP::Response->new($resp); |
176
|
|
|
|
|
|
|
} |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
sub _request_and_set_last_nonce { |
179
|
18
|
|
|
18
|
|
52
|
my ( $self, $type, $url, @args ) = @_; |
180
|
|
|
|
|
|
|
|
181
|
18
|
|
|
|
|
61
|
my $resp = $self->_request( $type, $url, @args ); |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
#NB: ACME’s replay protection works thus: |
184
|
|
|
|
|
|
|
# - each server response includes a nonce |
185
|
|
|
|
|
|
|
# - each request must include ONE of the nonces that have been sent |
186
|
|
|
|
|
|
|
# - once used, a nonce can’t be reused |
187
|
|
|
|
|
|
|
# |
188
|
|
|
|
|
|
|
#This is subtly different from what was originally in mind (i.e., that |
189
|
|
|
|
|
|
|
#each request must use the most recently sent nonce). It implies that GETs |
190
|
|
|
|
|
|
|
#do not need to send nonces, though each GET will *receive* a nonce that |
191
|
|
|
|
|
|
|
#may be used. |
192
|
18
|
50
|
|
|
|
871
|
$self->{'_last_nonce'} = $resp->header($_NONCE_HEADER) or do { |
193
|
0
|
|
|
|
|
0
|
die Net::ACME2::X->create('Generic', "Received no $_NONCE_HEADER from $url!"); |
194
|
|
|
|
|
|
|
}; |
195
|
|
|
|
|
|
|
|
196
|
18
|
|
|
|
|
362
|
return $resp; |
197
|
|
|
|
|
|
|
} |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
sub _get_first_nonce { |
200
|
6
|
|
|
6
|
|
13
|
my ($self) = @_; |
201
|
|
|
|
|
|
|
|
202
|
6
|
50
|
|
|
|
21
|
my $url = $self->{'_nonce_url'} or do { |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
# Shouldn’t happen unless there’s an errant refactor. |
205
|
0
|
|
|
|
|
0
|
die Net::ACME2::X->create('Set newNonce URL first!'); |
206
|
|
|
|
|
|
|
}; |
207
|
|
|
|
|
|
|
|
208
|
6
|
|
|
|
|
22
|
$self->_request_and_set_last_nonce( 'HEAD', $url ); |
209
|
|
|
|
|
|
|
|
210
|
6
|
|
|
|
|
53
|
return; |
211
|
|
|
|
|
|
|
} |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
sub _create_jwt { |
214
|
12
|
|
|
12
|
|
38
|
my ( $self, $jwt_method, $url, $data ) = @_; |
215
|
|
|
|
|
|
|
|
216
|
12
|
100
|
|
|
|
54
|
$self->_get_first_nonce() if !$self->{'_last_nonce'}; |
217
|
|
|
|
|
|
|
|
218
|
12
|
|
66
|
|
|
42
|
$self->{'_jwt_maker'} ||= do { |
219
|
6
|
|
|
|
|
8
|
my $class; |
220
|
|
|
|
|
|
|
|
221
|
6
|
100
|
|
|
|
99
|
if ($self->{'_acme_key'}->isa('Crypt::Perl::RSA::PrivateKey')) { |
|
|
50
|
|
|
|
|
|
222
|
2
|
|
|
|
|
4
|
$class = 'Net::ACME2::JWTMaker::RSA'; |
223
|
|
|
|
|
|
|
} |
224
|
|
|
|
|
|
|
elsif ($self->{'_acme_key'}->isa('Crypt::Perl::ECDSA::PrivateKey')) { |
225
|
4
|
|
|
|
|
8
|
$class = 'Net::ACME2::JWTMaker::ECC'; |
226
|
|
|
|
|
|
|
} |
227
|
|
|
|
|
|
|
else { |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
# As of this writing, Crypt::Perl only does RSA and ECDSA keys. |
230
|
|
|
|
|
|
|
# If we get here, it’s possible that Crypt::Perl now supports |
231
|
|
|
|
|
|
|
# an additional key type that this library doesn’t recognize. |
232
|
0
|
|
|
|
|
0
|
die Net::ACME2::X->create('Generic', "Unrecognized key type: $self->{'_acme_key'}"); |
233
|
|
|
|
|
|
|
} |
234
|
|
|
|
|
|
|
|
235
|
6
|
100
|
|
|
|
59
|
if (!$class->can('new')) { |
236
|
2
|
|
|
|
|
20
|
require Module::Load; |
237
|
2
|
|
|
|
|
13
|
Module::Load::load($class); |
238
|
|
|
|
|
|
|
} |
239
|
|
|
|
|
|
|
|
240
|
|
|
|
|
|
|
$class->new( |
241
|
6
|
|
|
|
|
63
|
key => $self->{'_acme_key'}, |
242
|
|
|
|
|
|
|
); |
243
|
|
|
|
|
|
|
}; |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
return $self->{'_jwt_maker'}->$jwt_method( |
246
|
|
|
|
|
|
|
key_id => $self->{'_key_id'}, |
247
|
|
|
|
|
|
|
payload => $data, |
248
|
|
|
|
|
|
|
extra_headers => { |
249
|
12
|
|
|
|
|
97
|
nonce => $self->{'_last_nonce'}, |
250
|
|
|
|
|
|
|
url => $url, |
251
|
|
|
|
|
|
|
}, |
252
|
|
|
|
|
|
|
); |
253
|
|
|
|
|
|
|
} |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
1; |