line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Net::ACME2; |
2
|
|
|
|
|
|
|
|
3
|
3
|
|
|
3
|
|
374
|
use strict; |
|
3
|
|
|
|
|
5
|
|
|
3
|
|
|
|
|
79
|
|
4
|
3
|
|
|
3
|
|
12
|
use warnings; |
|
3
|
|
|
|
|
4
|
|
|
3
|
|
|
|
|
113
|
|
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
=encoding utf-8 |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
=head1 NAME |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
Net::ACME2 - Client logic for the ACME (Let's Encrypt) protocol |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
X X X |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
=head1 SYNOPSIS |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
package SomeCA::ACME; |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
use parent qw( Net::ACME2 ); |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
use constant { |
21
|
|
|
|
|
|
|
DIRECTORY_PATH => '/acme-directory', |
22
|
|
|
|
|
|
|
}; |
23
|
|
|
|
|
|
|
|
24
|
|
|
|
|
|
|
# %opts are the parameters given to new(). |
25
|
|
|
|
|
|
|
sub HOST { |
26
|
|
|
|
|
|
|
my ($class, %opts) = @_; |
27
|
|
|
|
|
|
|
|
28
|
|
|
|
|
|
|
# You can make this depend on the %opts if you want. |
29
|
|
|
|
|
|
|
return 'acme.someca.net'; |
30
|
|
|
|
|
|
|
} |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
package main; |
33
|
|
|
|
|
|
|
|
34
|
|
|
|
|
|
|
my $acme = SomeCA::ACME->new( |
35
|
|
|
|
|
|
|
key => $account_key_pem_or_der, |
36
|
|
|
|
|
|
|
key_id => undef, |
37
|
|
|
|
|
|
|
); |
38
|
|
|
|
|
|
|
|
39
|
|
|
|
|
|
|
#for a new account |
40
|
|
|
|
|
|
|
{ |
41
|
|
|
|
|
|
|
my $terms_url = $acme->get_terms_of_service(); |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
$acme->create_account( |
44
|
|
|
|
|
|
|
termsOfServiceAgreed => 1, |
45
|
|
|
|
|
|
|
); |
46
|
|
|
|
|
|
|
} |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
#Save $acme->key_id() somewhere so you can use it again. |
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
my $order = $acme->create_order( |
51
|
|
|
|
|
|
|
identifiers => [ |
52
|
|
|
|
|
|
|
{ type => 'dns', value => '*.example.com' }, |
53
|
|
|
|
|
|
|
], |
54
|
|
|
|
|
|
|
); |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
my $authz = $acme->get_authorization( ($order->authorizations())[0] ); |
57
|
|
|
|
|
|
|
|
58
|
|
|
|
|
|
|
my @challenges = $authz->challenges(); |
59
|
|
|
|
|
|
|
|
60
|
|
|
|
|
|
|
# ... Pick a challenge, and satisfy it. |
61
|
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
$acme->accept_challenge($challenge); |
63
|
|
|
|
|
|
|
|
64
|
|
|
|
|
|
|
sleep 1 while 'valid' ne $acme->poll_authorization($authz); |
65
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
# ... Make a key and CSR for *.example.com |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
$acme->finalize_order($order, $csr_pem_or_der); |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
while ($order->status() ne 'valid') { |
71
|
|
|
|
|
|
|
sleep 1; |
72
|
|
|
|
|
|
|
$acme->poll_order($order); |
73
|
|
|
|
|
|
|
} |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
# ... and now fetch the certificate chain: |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
my $pem_chain = $acme->get_certificate_chain($order); |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
See F in the distribution for more fleshed-out examples. |
80
|
|
|
|
|
|
|
|
81
|
|
|
|
|
|
|
To use L, see |
82
|
|
|
|
|
|
|
L. |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
=head1 DESCRIPTION |
85
|
|
|
|
|
|
|
|
86
|
|
|
|
|
|
|
This library implements client logic for the |
87
|
|
|
|
|
|
|
ACME (Automated Certificate Management Environment) protocol, as |
88
|
|
|
|
|
|
|
standardized in L |
89
|
|
|
|
|
|
|
and popularized by L. |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
=head1 STATUS |
92
|
|
|
|
|
|
|
|
93
|
|
|
|
|
|
|
This is a production-grade implementation. While breaking changes at this |
94
|
|
|
|
|
|
|
point are unlikely, please always check the changelog before upgrading to |
95
|
|
|
|
|
|
|
a new version of this module. |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
=head1 FEATURES |
98
|
|
|
|
|
|
|
|
99
|
|
|
|
|
|
|
=over |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
=item * Support for both ECDSA and RSA encrytion. |
102
|
|
|
|
|
|
|
|
103
|
|
|
|
|
|
|
=item * Support for http-01, dns-01, and L challenges. |
104
|
|
|
|
|
|
|
|
105
|
|
|
|
|
|
|
=item * Comprehensive error handling with typed, L-based exceptions. |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
=item * L errors.|https://tools.ietf.org/html/rfc8555#section-6.5> |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
=item * This is a pure-Perl solution. Most of its dependencies are |
110
|
|
|
|
|
|
|
either core modules or pure Perl themselves. XS is necessary to |
111
|
|
|
|
|
|
|
communicate with the ACME server via TLS; however, most Perl installations |
112
|
|
|
|
|
|
|
already include the necessary logic (i.e., L) for TLS. |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
In short, Net::ACME2 will run anywhere that Perl can speak TLS, which is |
115
|
|
|
|
|
|
|
I everywhere that Perl runs. |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
=back |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
=head1 ERROR HANDLING |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
All thrown exceptions are instances of L. |
122
|
|
|
|
|
|
|
Specific error classes aren’t yet defined. |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
=head1 CRYPTOGRAPHY & SPEED |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
L provides all cryptographic operations that this library |
127
|
|
|
|
|
|
|
needs using pure Perl. While this satisfies this module’s intent to be |
128
|
|
|
|
|
|
|
as pure-Perl as possible, there are a couple of significant drawbacks |
129
|
|
|
|
|
|
|
to this approach: firstly, it’s slower than XS-based code, and secondly, |
130
|
|
|
|
|
|
|
it loses the security benefits of the vetting that more widely-used |
131
|
|
|
|
|
|
|
cryptography libraries receive. |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
To address these problems, Net::ACME2 will, after parsing a key, look |
134
|
|
|
|
|
|
|
for and prefer the following XS-based libraries for cryptography instead: |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
=over |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
=item * L (based on L) |
139
|
|
|
|
|
|
|
|
140
|
|
|
|
|
|
|
=item * L (based on L) |
141
|
|
|
|
|
|
|
|
142
|
|
|
|
|
|
|
=back |
143
|
|
|
|
|
|
|
|
144
|
|
|
|
|
|
|
If the above are unavailable to you, then you may be able to speed up |
145
|
|
|
|
|
|
|
your L installation; see that module’s documentation |
146
|
|
|
|
|
|
|
for more details. |
147
|
|
|
|
|
|
|
|
148
|
|
|
|
|
|
|
=cut |
149
|
|
|
|
|
|
|
|
150
|
3
|
|
|
3
|
|
14
|
use Crypt::Format; |
|
3
|
|
|
|
|
4
|
|
|
3
|
|
|
|
|
65
|
|
151
|
3
|
|
|
3
|
|
392
|
use MIME::Base64 (); |
|
3
|
|
|
|
|
528
|
|
|
3
|
|
|
|
|
52
|
|
152
|
|
|
|
|
|
|
|
153
|
3
|
|
|
3
|
|
1140
|
use Net::ACME2::AccountKey; |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
168
|
|
154
|
|
|
|
|
|
|
|
155
|
3
|
|
|
3
|
|
1249
|
use Net::ACME2::HTTP; |
|
3
|
|
|
|
|
8
|
|
|
3
|
|
|
|
|
96
|
|
156
|
3
|
|
|
3
|
|
1118
|
use Net::ACME2::Order; |
|
3
|
|
|
|
|
7
|
|
|
3
|
|
|
|
|
78
|
|
157
|
3
|
|
|
3
|
|
1100
|
use Net::ACME2::Authorization; |
|
3
|
|
|
|
|
9
|
|
|
3
|
|
|
|
|
120
|
|
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
our $VERSION = '0.34'; |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
use constant { |
162
|
3
|
|
|
|
|
165
|
_HTTP_OK => 200, |
163
|
|
|
|
|
|
|
_HTTP_CREATED => 201, |
164
|
3
|
|
|
3
|
|
17
|
}; |
|
3
|
|
|
|
|
4
|
|
165
|
|
|
|
|
|
|
|
166
|
|
|
|
|
|
|
# accessed from test |
167
|
3
|
|
|
|
|
129
|
use constant newAccount_booleans => qw( |
168
|
|
|
|
|
|
|
termsOfServiceAgreed |
169
|
|
|
|
|
|
|
onlyReturnExisting |
170
|
3
|
|
|
3
|
|
16
|
); |
|
3
|
|
|
|
|
5
|
|
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
# the list of methods that need a “jwk” in their JWS Protected Header |
173
|
|
|
|
|
|
|
# (cf. section 6.2 of the spec) |
174
|
3
|
|
|
|
|
4242
|
use constant FULL_JWT_METHODS => qw( |
175
|
|
|
|
|
|
|
newAccount |
176
|
|
|
|
|
|
|
revokeCert |
177
|
3
|
|
|
3
|
|
14
|
); |
|
3
|
|
|
|
|
5
|
|
178
|
|
|
|
|
|
|
|
179
|
|
|
|
|
|
|
=head1 METHODS |
180
|
|
|
|
|
|
|
|
181
|
|
|
|
|
|
|
=head2 I->new( %OPTS ) |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
Instantiates an ACME2 object, which you’ll use for all |
184
|
|
|
|
|
|
|
interactions with the ACME server. %OPTS is: |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
=over |
187
|
|
|
|
|
|
|
|
188
|
|
|
|
|
|
|
=item * C - Required. The private key to associate with the ACME2 |
189
|
|
|
|
|
|
|
user. Anything that C can parse is acceptable. |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
=item * C - Optional. As returned by C. |
192
|
|
|
|
|
|
|
Saves a round-trip to the ACME2 server, so you should give this |
193
|
|
|
|
|
|
|
if you have it. |
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
=item * C - Optional. A hash reference to use as the |
196
|
|
|
|
|
|
|
directory contents. Saves a round-trip to the ACME2 server, but there’s |
197
|
|
|
|
|
|
|
no built-in logic to determine when the cache goes invalid. Caveat |
198
|
|
|
|
|
|
|
emptor. |
199
|
|
|
|
|
|
|
|
200
|
|
|
|
|
|
|
=back |
201
|
|
|
|
|
|
|
|
202
|
|
|
|
|
|
|
=cut |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
sub new { |
205
|
13
|
|
|
13
|
1
|
15162
|
my ( $class, %opts ) = @_; |
206
|
|
|
|
|
|
|
|
207
|
13
|
50
|
|
|
|
58
|
_die_generic('Need “key”!') if !$opts{'key'}; |
208
|
|
|
|
|
|
|
|
209
|
13
|
|
|
|
|
65
|
return $class->_new_without_key_check(%opts); |
210
|
|
|
|
|
|
|
} |
211
|
|
|
|
|
|
|
|
212
|
|
|
|
|
|
|
sub _new_without_key_check { |
213
|
19
|
|
|
19
|
|
60
|
my ( $class, %opts ) = @_; |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
my $self = { |
216
|
|
|
|
|
|
|
_host => $class->HOST(%opts), |
217
|
|
|
|
|
|
|
_key => $opts{'key'}, |
218
|
|
|
|
|
|
|
_key_id => $opts{'key_id'}, |
219
|
19
|
|
|
|
|
123
|
_directory => $opts{'directory'}, |
220
|
|
|
|
|
|
|
}; |
221
|
|
|
|
|
|
|
|
222
|
19
|
|
|
|
|
50
|
bless $self, $class; |
223
|
|
|
|
|
|
|
|
224
|
19
|
|
|
|
|
74
|
$self->_set_http(); |
225
|
|
|
|
|
|
|
|
226
|
19
|
|
|
|
|
74
|
return $self; |
227
|
|
|
|
|
|
|
} |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
230
|
|
|
|
|
|
|
|
231
|
|
|
|
|
|
|
=head2 $id = I->key_id() |
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
Returns the object’s cached key ID, either as given at instantiation |
234
|
|
|
|
|
|
|
or as fetched in C. |
235
|
|
|
|
|
|
|
|
236
|
|
|
|
|
|
|
=cut |
237
|
|
|
|
|
|
|
|
238
|
|
|
|
|
|
|
sub key_id { |
239
|
24
|
|
|
24
|
1
|
22770
|
my ($self) = @_; |
240
|
|
|
|
|
|
|
|
241
|
24
|
|
|
|
|
84
|
return $self->{'_key_id'}; |
242
|
|
|
|
|
|
|
} |
243
|
|
|
|
|
|
|
|
244
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
245
|
|
|
|
|
|
|
|
246
|
|
|
|
|
|
|
=head2 I->http_timeout( [$NEW] ) |
247
|
|
|
|
|
|
|
|
248
|
|
|
|
|
|
|
A passthrough interface to the underlying L object’s |
249
|
|
|
|
|
|
|
C method. |
250
|
|
|
|
|
|
|
|
251
|
|
|
|
|
|
|
=cut |
252
|
|
|
|
|
|
|
|
253
|
|
|
|
|
|
|
sub http_timeout { |
254
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
255
|
|
|
|
|
|
|
|
256
|
0
|
|
|
|
|
0
|
return $self->{'_http'}->timeout(@_); |
257
|
|
|
|
|
|
|
} |
258
|
|
|
|
|
|
|
|
259
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
=head2 $url = I->get_terms_of_service() |
262
|
|
|
|
|
|
|
|
263
|
|
|
|
|
|
|
Returns the URL for the terms of service. Callable as either |
264
|
|
|
|
|
|
|
a class method or an instance method. |
265
|
|
|
|
|
|
|
|
266
|
|
|
|
|
|
|
=cut |
267
|
|
|
|
|
|
|
|
268
|
|
|
|
|
|
|
sub get_terms_of_service { |
269
|
18
|
|
|
18
|
1
|
11969
|
my ($self) = @_; |
270
|
|
|
|
|
|
|
|
271
|
|
|
|
|
|
|
# We want to be able to call this as a class method. |
272
|
18
|
100
|
|
|
|
60
|
if (!ref $self) { |
273
|
6
|
|
|
|
|
21
|
$self = $self->_new_without_key_check(); |
274
|
|
|
|
|
|
|
} |
275
|
|
|
|
|
|
|
|
276
|
18
|
|
|
|
|
61
|
my $dir = $self->_get_directory(); |
277
|
|
|
|
|
|
|
|
278
|
|
|
|
|
|
|
# Exceptions here indicate an ACME violation and should be |
279
|
|
|
|
|
|
|
# practically nonexistent. |
280
|
18
|
50
|
|
|
|
47
|
my $url = $dir->{'meta'} or _die_generic('No “meta” in directory!'); |
281
|
18
|
50
|
|
|
|
51
|
$url = $url->{'termsOfService'} or _die_generic('No “termsOfService” in directory metadata!'); |
282
|
|
|
|
|
|
|
|
283
|
18
|
|
|
|
|
86
|
return $url; |
284
|
|
|
|
|
|
|
} |
285
|
|
|
|
|
|
|
|
286
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
287
|
|
|
|
|
|
|
|
288
|
|
|
|
|
|
|
=head2 $created_yn = I->create_account( %OPTS ) |
289
|
|
|
|
|
|
|
|
290
|
|
|
|
|
|
|
Creates an account using the ACME2 object’s key and the passed |
291
|
|
|
|
|
|
|
%OPTS, which are as described in the ACME2 spec (cf. C). |
292
|
|
|
|
|
|
|
Boolean values may be given as simple Perl booleans. |
293
|
|
|
|
|
|
|
|
294
|
|
|
|
|
|
|
Returns 1 if the account is newly created |
295
|
|
|
|
|
|
|
or 0 if the account already existed. |
296
|
|
|
|
|
|
|
|
297
|
|
|
|
|
|
|
NB: C is an alias for this method. |
298
|
|
|
|
|
|
|
|
299
|
|
|
|
|
|
|
=cut |
300
|
|
|
|
|
|
|
|
301
|
|
|
|
|
|
|
sub create_account { |
302
|
24
|
|
|
24
|
1
|
10822
|
my ($self, %opts) = @_; |
303
|
|
|
|
|
|
|
|
304
|
24
|
|
|
|
|
85
|
for my $name (newAccount_booleans()) { |
305
|
48
|
100
|
|
|
|
401
|
next if !exists $opts{$name}; |
306
|
12
|
|
33
|
|
|
81
|
($opts{$name} &&= JSON::true()) ||= JSON::false(); |
|
|
|
33
|
|
|
|
|
307
|
|
|
|
|
|
|
} |
308
|
|
|
|
|
|
|
|
309
|
24
|
|
|
|
|
93
|
my $resp = $self->_post( |
310
|
|
|
|
|
|
|
'newAccount', |
311
|
|
|
|
|
|
|
\%opts, |
312
|
|
|
|
|
|
|
); |
313
|
|
|
|
|
|
|
|
314
|
24
|
|
|
|
|
90
|
$self->{'_key_id'} = $resp->header('location'); |
315
|
|
|
|
|
|
|
|
316
|
24
|
|
|
|
|
299
|
$self->{'_http'}->set_key_id( $self->{'_key_id'} ); |
317
|
|
|
|
|
|
|
|
318
|
24
|
100
|
|
|
|
473
|
return 0 if $resp->status() == _HTTP_OK; |
319
|
|
|
|
|
|
|
|
320
|
12
|
50
|
|
|
|
229
|
$resp->die_because_unexpected() if $resp->status() != _HTTP_CREATED; |
321
|
|
|
|
|
|
|
|
322
|
12
|
|
|
|
|
110
|
my $struct = $resp->content_struct(); |
323
|
|
|
|
|
|
|
|
324
|
12
|
50
|
|
|
|
155
|
if ($struct) { |
325
|
12
|
|
|
|
|
39
|
for my $name (newAccount_booleans()) { |
326
|
24
|
100
|
|
|
|
199
|
next if !exists $struct->{$name}; |
327
|
12
|
|
50
|
|
|
69
|
($struct->{$name} &&= 1) ||= 0; |
|
|
|
50
|
|
|
|
|
328
|
|
|
|
|
|
|
} |
329
|
|
|
|
|
|
|
} |
330
|
|
|
|
|
|
|
|
331
|
12
|
|
|
|
|
48
|
return 1; |
332
|
|
|
|
|
|
|
} |
333
|
|
|
|
|
|
|
|
334
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
335
|
|
|
|
|
|
|
|
336
|
|
|
|
|
|
|
=head2 $order = I->create_order( %OPTS ) |
337
|
|
|
|
|
|
|
|
338
|
|
|
|
|
|
|
Returns a L object. %OPTS is as described in the |
339
|
|
|
|
|
|
|
ACME spec (cf. C). Boolean values may be given as simple |
340
|
|
|
|
|
|
|
Perl booleans. |
341
|
|
|
|
|
|
|
|
342
|
|
|
|
|
|
|
NB: C is an alias for this method. |
343
|
|
|
|
|
|
|
|
344
|
|
|
|
|
|
|
=cut |
345
|
|
|
|
|
|
|
|
346
|
|
|
|
|
|
|
sub create_order { |
347
|
0
|
|
|
0
|
1
|
0
|
my ($self, %opts) = @_; |
348
|
|
|
|
|
|
|
|
349
|
0
|
|
|
|
|
0
|
$self->_require_key_id(\%opts); |
350
|
|
|
|
|
|
|
|
351
|
0
|
|
|
|
|
0
|
my $resp = $self->_post( 'newOrder', \%opts ); |
352
|
|
|
|
|
|
|
|
353
|
0
|
0
|
|
|
|
0
|
$resp->die_because_unexpected() if $resp->status() != _HTTP_CREATED; |
354
|
|
|
|
|
|
|
|
355
|
|
|
|
|
|
|
return Net::ACME2::Order->new( |
356
|
|
|
|
|
|
|
id => $resp->header('location'), |
357
|
0
|
|
|
|
|
0
|
%{ $resp->content_struct() }, |
|
0
|
|
|
|
|
0
|
|
358
|
|
|
|
|
|
|
); |
359
|
|
|
|
|
|
|
} |
360
|
|
|
|
|
|
|
|
361
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
362
|
|
|
|
|
|
|
|
363
|
|
|
|
|
|
|
=head2 $authz = I->get_authorization( $URL ) |
364
|
|
|
|
|
|
|
|
365
|
|
|
|
|
|
|
Fetches the authorization’s information based on the given $URL |
366
|
|
|
|
|
|
|
and returns a L object. |
367
|
|
|
|
|
|
|
|
368
|
|
|
|
|
|
|
The URL is as given by L’s C method. |
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
=cut |
371
|
|
|
|
|
|
|
|
372
|
|
|
|
|
|
|
sub get_authorization { |
373
|
0
|
|
|
0
|
1
|
0
|
my ($self, $id) = @_; |
374
|
|
|
|
|
|
|
|
375
|
0
|
|
|
|
|
0
|
my $resp = $self->_post_as_get($id); |
376
|
|
|
|
|
|
|
|
377
|
|
|
|
|
|
|
return Net::ACME2::Authorization->new( |
378
|
|
|
|
|
|
|
id => $id, |
379
|
0
|
|
|
|
|
0
|
%{ $resp->content_struct() }, |
|
0
|
|
|
|
|
0
|
|
380
|
|
|
|
|
|
|
); |
381
|
|
|
|
|
|
|
} |
382
|
|
|
|
|
|
|
|
383
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
384
|
|
|
|
|
|
|
|
385
|
|
|
|
|
|
|
=head2 $str = I->make_key_authorization( $CHALLENGE ) |
386
|
|
|
|
|
|
|
|
387
|
|
|
|
|
|
|
Accepts an instance of L (probably a subclass |
388
|
|
|
|
|
|
|
thereof) and returns |
389
|
|
|
|
|
|
|
a key authorization string suitable for handling the given $CHALLENGE. |
390
|
|
|
|
|
|
|
See F in the distribution for example usage. |
391
|
|
|
|
|
|
|
|
392
|
|
|
|
|
|
|
If you’re using HTTP authorization and are on the same server as the |
393
|
|
|
|
|
|
|
domains’ document roots, then look at the handler logic in |
394
|
|
|
|
|
|
|
L for a potentially simpler way to |
395
|
|
|
|
|
|
|
handle HTTP challenges. |
396
|
|
|
|
|
|
|
|
397
|
|
|
|
|
|
|
=cut |
398
|
|
|
|
|
|
|
|
399
|
|
|
|
|
|
|
sub make_key_authorization { |
400
|
2
|
|
|
2
|
1
|
15
|
my ($self, $challenge_obj) = @_; |
401
|
|
|
|
|
|
|
|
402
|
2
|
50
|
|
|
|
10
|
_die_generic('Need a challenge object!') if !$challenge_obj; |
403
|
|
|
|
|
|
|
|
404
|
2
|
|
|
|
|
34
|
return $challenge_obj->token() . '.' . $self->_key_thumbprint(); |
405
|
|
|
|
|
|
|
} |
406
|
|
|
|
|
|
|
|
407
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
408
|
|
|
|
|
|
|
|
409
|
|
|
|
|
|
|
=head2 I->accept_challenge( $CHALLENGE ) |
410
|
|
|
|
|
|
|
|
411
|
|
|
|
|
|
|
Signal to the ACME server that the CHALLENGE is ready. |
412
|
|
|
|
|
|
|
|
413
|
|
|
|
|
|
|
=cut |
414
|
|
|
|
|
|
|
|
415
|
|
|
|
|
|
|
sub accept_challenge { |
416
|
0
|
|
|
0
|
1
|
0
|
my ($self, $challenge_obj) = @_; |
417
|
|
|
|
|
|
|
|
418
|
0
|
|
|
|
|
0
|
$self->_post_url( |
419
|
|
|
|
|
|
|
$challenge_obj->url(), |
420
|
|
|
|
|
|
|
{ |
421
|
|
|
|
|
|
|
keyAuthorization => $self->make_key_authorization($challenge_obj), |
422
|
|
|
|
|
|
|
}, |
423
|
|
|
|
|
|
|
); |
424
|
|
|
|
|
|
|
|
425
|
0
|
|
|
|
|
0
|
return; |
426
|
|
|
|
|
|
|
} |
427
|
|
|
|
|
|
|
|
428
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
429
|
|
|
|
|
|
|
|
430
|
|
|
|
|
|
|
=head2 $status = I->poll_authorization( $AUTHORIZATION ) |
431
|
|
|
|
|
|
|
|
432
|
|
|
|
|
|
|
Accepts a L instance and polls the |
433
|
|
|
|
|
|
|
ACME server for that authorization’s status. The $AUTHORIZATION |
434
|
|
|
|
|
|
|
object is then updated with the results of the poll. |
435
|
|
|
|
|
|
|
|
436
|
|
|
|
|
|
|
As a courtesy, this returns the $AUTHORIZATION’s new C. |
437
|
|
|
|
|
|
|
|
438
|
|
|
|
|
|
|
=cut |
439
|
|
|
|
|
|
|
|
440
|
|
|
|
|
|
|
#This has to handle updates to the authz and challenge objects |
441
|
|
|
|
|
|
|
*poll_authorization = *_poll_order_or_authz; |
442
|
|
|
|
|
|
|
|
443
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
444
|
|
|
|
|
|
|
|
445
|
|
|
|
|
|
|
=head2 $status = I->finalize_order( $ORDER, $CSR ) |
446
|
|
|
|
|
|
|
|
447
|
|
|
|
|
|
|
Finalizes an order and updates the $ORDER object with the returned |
448
|
|
|
|
|
|
|
status. $CSR may be in either DER or PEM format. |
449
|
|
|
|
|
|
|
|
450
|
|
|
|
|
|
|
As a courtesy, this returns the $ORDER’s C. If this does |
451
|
|
|
|
|
|
|
not equal C, then you should probably C |
452
|
|
|
|
|
|
|
until it does. |
453
|
|
|
|
|
|
|
|
454
|
|
|
|
|
|
|
=cut |
455
|
|
|
|
|
|
|
|
456
|
|
|
|
|
|
|
sub finalize_order { |
457
|
0
|
|
|
0
|
1
|
0
|
my ($self, $order_obj, $csr) = @_; |
458
|
|
|
|
|
|
|
|
459
|
0
|
|
|
|
|
0
|
my $csr_der; |
460
|
0
|
0
|
|
|
|
0
|
if (index($csr, '-----') == 0) { |
461
|
0
|
|
|
|
|
0
|
$csr_der = Crypt::Format::pem2der($csr); |
462
|
|
|
|
|
|
|
} |
463
|
|
|
|
|
|
|
else { |
464
|
0
|
|
|
|
|
0
|
$csr_der = $csr; |
465
|
|
|
|
|
|
|
} |
466
|
|
|
|
|
|
|
|
467
|
0
|
|
|
|
|
0
|
$csr = MIME::Base64::encode_base64url($csr_der); |
468
|
|
|
|
|
|
|
|
469
|
0
|
|
|
|
|
0
|
my $post = $self->_post_url( |
470
|
|
|
|
|
|
|
$order_obj->finalize(), |
471
|
|
|
|
|
|
|
{ |
472
|
|
|
|
|
|
|
csr => $csr, |
473
|
|
|
|
|
|
|
}, |
474
|
|
|
|
|
|
|
); |
475
|
|
|
|
|
|
|
|
476
|
0
|
|
|
|
|
0
|
my $content = $post->content_struct(); |
477
|
|
|
|
|
|
|
|
478
|
0
|
|
|
|
|
0
|
$order_obj->update($content); |
479
|
|
|
|
|
|
|
|
480
|
0
|
|
|
|
|
0
|
return $order_obj->status(); |
481
|
|
|
|
|
|
|
} |
482
|
|
|
|
|
|
|
|
483
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
484
|
|
|
|
|
|
|
|
485
|
|
|
|
|
|
|
=head2 $status = I->poll_order( $ORDER ) |
486
|
|
|
|
|
|
|
|
487
|
|
|
|
|
|
|
Like C but handles a |
488
|
|
|
|
|
|
|
L object instead. |
489
|
|
|
|
|
|
|
|
490
|
|
|
|
|
|
|
=cut |
491
|
|
|
|
|
|
|
|
492
|
|
|
|
|
|
|
*poll_order = *_poll_order_or_authz; |
493
|
|
|
|
|
|
|
|
494
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
495
|
|
|
|
|
|
|
|
496
|
|
|
|
|
|
|
=head2 $cert = I->get_certificate_chain( $ORDER ) |
497
|
|
|
|
|
|
|
|
498
|
|
|
|
|
|
|
Fetches the $ORDER’s certificate chain and returns |
499
|
|
|
|
|
|
|
it in the format implied by the |
500
|
|
|
|
|
|
|
C MIME type. See the ACME |
501
|
|
|
|
|
|
|
protocol specification for details about this format. |
502
|
|
|
|
|
|
|
|
503
|
|
|
|
|
|
|
=cut |
504
|
|
|
|
|
|
|
|
505
|
|
|
|
|
|
|
sub get_certificate_chain { |
506
|
0
|
|
|
0
|
1
|
0
|
my ($self, $order) = @_; |
507
|
|
|
|
|
|
|
|
508
|
0
|
|
|
|
|
0
|
return $self->_post_as_get( $order->certificate() )->content(); |
509
|
|
|
|
|
|
|
} |
510
|
|
|
|
|
|
|
|
511
|
|
|
|
|
|
|
#---------------------------------------------------------------------- |
512
|
|
|
|
|
|
|
|
513
|
|
|
|
|
|
|
sub _key_thumbprint { |
514
|
2
|
|
|
2
|
|
5
|
my ($self) = @_; |
515
|
|
|
|
|
|
|
|
516
|
2
|
|
66
|
|
|
14
|
return $self->{'_key_thumbprint'} ||= $self->_key_obj()->get_jwk_thumbprint(); |
517
|
|
|
|
|
|
|
} |
518
|
|
|
|
|
|
|
|
519
|
|
|
|
|
|
|
sub _get_directory { |
520
|
66
|
|
|
66
|
|
104
|
my ($self) = @_; |
521
|
|
|
|
|
|
|
|
522
|
66
|
|
66
|
|
|
158
|
$self->{'_directory'} ||= do { |
523
|
18
|
|
|
|
|
54
|
my $dir_path = $self->DIRECTORY_PATH(); |
524
|
18
|
|
|
|
|
86
|
$self->{'_http'}->get("https://$self->{'_host'}$dir_path")->content_struct(); |
525
|
|
|
|
|
|
|
}; |
526
|
|
|
|
|
|
|
|
527
|
66
|
50
|
|
|
|
378
|
my $new_nonce_url = $self->{'_directory'}{'newNonce'} or do { |
528
|
0
|
|
|
|
|
0
|
_die_generic('Directory is missing “newNonce”.'); |
529
|
|
|
|
|
|
|
}; |
530
|
|
|
|
|
|
|
|
531
|
66
|
|
|
|
|
410
|
$self->{'_http'}->set_new_nonce_url( $new_nonce_url ); |
532
|
|
|
|
|
|
|
|
533
|
66
|
|
|
|
|
129
|
return $self->{'_directory'}; |
534
|
|
|
|
|
|
|
} |
535
|
|
|
|
|
|
|
|
536
|
|
|
|
|
|
|
sub _require_key_id { |
537
|
0
|
|
|
0
|
|
0
|
my ($self, $opts_hr) = @_; |
538
|
|
|
|
|
|
|
|
539
|
0
|
0
|
|
|
|
0
|
$opts_hr->{'_key_id'} = $self->{'_key_id'} or do { |
540
|
0
|
|
|
|
|
0
|
_die_generic('No key ID has been set. Either pass “key_id” to new(), or create_account().'); |
541
|
|
|
|
|
|
|
}; |
542
|
|
|
|
|
|
|
|
543
|
|
|
|
|
|
|
return |
544
|
0
|
|
|
|
|
0
|
} |
545
|
|
|
|
|
|
|
|
546
|
|
|
|
|
|
|
sub _poll_order_or_authz { |
547
|
0
|
|
|
0
|
|
0
|
my ($self, $order_or_authz_obj) = @_; |
548
|
|
|
|
|
|
|
|
549
|
0
|
|
|
|
|
0
|
my $get = $self->_post_as_get( $order_or_authz_obj->id() ); |
550
|
|
|
|
|
|
|
|
551
|
0
|
|
|
|
|
0
|
my $content = $get->content_struct(); |
552
|
|
|
|
|
|
|
|
553
|
0
|
|
|
|
|
0
|
$order_or_authz_obj->update($content); |
554
|
|
|
|
|
|
|
|
555
|
0
|
|
|
|
|
0
|
return $order_or_authz_obj->status(); |
556
|
|
|
|
|
|
|
} |
557
|
|
|
|
|
|
|
|
558
|
|
|
|
|
|
|
sub _key_obj { |
559
|
14
|
|
|
14
|
|
27
|
my ($self) = @_; |
560
|
|
|
|
|
|
|
|
561
|
14
|
|
66
|
|
|
119
|
return $self->{'_key_obj'} ||= Net::ACME2::AccountKey->new($self->{'_key'}); |
562
|
|
|
|
|
|
|
} |
563
|
|
|
|
|
|
|
|
564
|
|
|
|
|
|
|
sub _set_http { |
565
|
19
|
|
|
19
|
|
41
|
my ($self) = @_; |
566
|
|
|
|
|
|
|
|
567
|
|
|
|
|
|
|
$self->{'_http'} = Net::ACME2::HTTP->new( |
568
|
|
|
|
|
|
|
key => $self->{'_key'} && $self->_key_obj(), |
569
|
19
|
|
66
|
|
|
116
|
key_id => $self->{'_key_id'}, |
570
|
|
|
|
|
|
|
); |
571
|
|
|
|
|
|
|
|
572
|
19
|
|
|
|
|
39
|
return; |
573
|
|
|
|
|
|
|
} |
574
|
|
|
|
|
|
|
|
575
|
|
|
|
|
|
|
our $_POST_METHOD; |
576
|
|
|
|
|
|
|
|
577
|
|
|
|
|
|
|
sub _post { |
578
|
24
|
|
|
24
|
|
67
|
my ( $self, $link_name, $data ) = @_; |
579
|
|
|
|
|
|
|
|
580
|
24
|
|
|
|
|
39
|
my $post_method; |
581
|
24
|
50
|
|
|
|
62
|
$post_method = 'post_full_jwt' if grep { $link_name eq $_ } FULL_JWT_METHODS(); |
|
48
|
|
|
|
|
152
|
|
582
|
|
|
|
|
|
|
|
583
|
|
|
|
|
|
|
# Since the $link_name will come from elsewhere in this module |
584
|
|
|
|
|
|
|
# there really shouldn’t be an error here, but just in case. |
585
|
24
|
50
|
|
|
|
82
|
my $url = $self->_get_directory()->{$link_name} or _die_generic("Unknown link name: “$link_name”"); |
586
|
|
|
|
|
|
|
|
587
|
24
|
|
|
|
|
88
|
return $self->_post_url( $url, $data, $post_method ); |
588
|
|
|
|
|
|
|
} |
589
|
|
|
|
|
|
|
|
590
|
|
|
|
|
|
|
sub _post_as_get { |
591
|
0
|
|
|
0
|
|
0
|
my ( $self, $url ) = @_; |
592
|
|
|
|
|
|
|
|
593
|
0
|
|
|
|
|
0
|
return $self->_post_url( $url, q<> ); |
594
|
|
|
|
|
|
|
} |
595
|
|
|
|
|
|
|
|
596
|
|
|
|
|
|
|
sub _post_url { |
597
|
24
|
|
|
24
|
|
61
|
my ( $self, $url, $data, $opt_post_method ) = @_; |
598
|
|
|
|
|
|
|
|
599
|
|
|
|
|
|
|
#Do this in case we haven’t initialized the directory yet. |
600
|
|
|
|
|
|
|
#Initializing the directory is necessary to get a nonce. |
601
|
24
|
|
|
|
|
50
|
$self->_get_directory(); |
602
|
|
|
|
|
|
|
|
603
|
24
|
|
50
|
|
|
63
|
my $post_method = $opt_post_method || 'post_key_id'; |
604
|
|
|
|
|
|
|
|
605
|
24
|
|
|
|
|
87
|
return $self->{'_http'}->$post_method( $url, $data ); |
606
|
|
|
|
|
|
|
} |
607
|
|
|
|
|
|
|
|
608
|
|
|
|
|
|
|
sub _die_generic { |
609
|
0
|
|
|
0
|
|
|
die Net::ACME2::X->create('Generic', @_); |
610
|
|
|
|
|
|
|
} |
611
|
|
|
|
|
|
|
|
612
|
|
|
|
|
|
|
#legacy aliases |
613
|
|
|
|
|
|
|
*create_new_account = *create_account; |
614
|
|
|
|
|
|
|
*create_new_order = *create_order; |
615
|
|
|
|
|
|
|
|
616
|
|
|
|
|
|
|
1; |
617
|
|
|
|
|
|
|
|
618
|
|
|
|
|
|
|
=head1 TODO |
619
|
|
|
|
|
|
|
|
620
|
|
|
|
|
|
|
=over |
621
|
|
|
|
|
|
|
|
622
|
|
|
|
|
|
|
=item * Add pre-authorization support if there is ever a production |
623
|
|
|
|
|
|
|
use for it. |
624
|
|
|
|
|
|
|
|
625
|
|
|
|
|
|
|
=item * Expose the Retry-After header via the module API. |
626
|
|
|
|
|
|
|
|
627
|
|
|
|
|
|
|
=item * There is currently no way to fetch an order or challenge’s |
628
|
|
|
|
|
|
|
properties via URL. Prior to ACME’s adoption of “POST-as-GET” this was |
629
|
|
|
|
|
|
|
doable via a plain GET to the URL, but that’s no longer possible. |
630
|
|
|
|
|
|
|
If there’s a need, I’ll consider adding such logic to Net::ACME2. |
631
|
|
|
|
|
|
|
(It’s trivial to add; I’d just like to keep things as |
632
|
|
|
|
|
|
|
simple as possible.) |
633
|
|
|
|
|
|
|
|
634
|
|
|
|
|
|
|
=item * Add (more) tests. |
635
|
|
|
|
|
|
|
|
636
|
|
|
|
|
|
|
=back |
637
|
|
|
|
|
|
|
|
638
|
|
|
|
|
|
|
=head1 SEE ALSO |
639
|
|
|
|
|
|
|
|
640
|
|
|
|
|
|
|
L is another ACME client library. |
641
|
|
|
|
|
|
|
|
642
|
|
|
|
|
|
|
L provides this library’s default cryptography backend. |
643
|
|
|
|
|
|
|
See this distribution’s F directory for sample usage |
644
|
|
|
|
|
|
|
to generate keys and CSRs. |
645
|
|
|
|
|
|
|
|
646
|
|
|
|
|
|
|
L implements client logic for the variant of this |
647
|
|
|
|
|
|
|
protocol that Let’s Encrypt first deployed. |
648
|
|
|
|
|
|
|
|
649
|
|
|
|
|
|
|
=cut |