@abtnode/certificate-manager 1.6.7 → 1.6.8

package/index.js

@@ -0,0 +1,5 @@
+const createRoutes = require('./routes');
+
+module.exports = {
+  createRoutes,
+};

package/libs/acme-manager.js

@@ -0,0 +1,211 @@
+const { EventEmitter } = require('events');
+const fs = require('fs');
+const path = require('path');
+const { Certificate } = require('@fidm/x509');
+const moment = require('moment');
+
+const pkg = require('../package.json');
+const AcmeWrapper = require('./acme-wrapper');
+const { CERT_STATUS, CERT_SOURCE } = require('./constant');
+const createQueue = require('./queue');
+const { md5 } = require('./util');
+const logger = require('./logger');
+const states = require('../states');
+
+const http01 = require('./http-01').create({});
+
+const DEFAULT_AGENT_NAME = 'blocklet-server';
+
+const DEFAULT_RENEWAL_OFFSET_IN_DAY = 30;
+
+class Manager extends EventEmitter {
+  constructor({ dataDir, maintainerEmail, staging = false, renewalOffsetInDay = DEFAULT_RENEWAL_OFFSET_IN_DAY }) {
+    super();
+    logger.info('initialize manager in data dir:', { dataDir });
+    this.acme = new AcmeWrapper({
+      packageAgent: `${DEFAULT_AGENT_NAME}/${pkg.version}`,
+      staging,
+      maintainerEmail,
+    });
+
+    this.maintainerEmail = maintainerEmail;
+    this.renewalOffsetInDay = renewalOffsetInDay;
+    this.dataDir = dataDir;
+    this.queue = createQueue({
+      name: 'create-cert-queue',
+      dataDir,
+      onJob: async ({ domain }) => {
+        const data = await states.certificate.findOne({ domain });
+        if (data) {
+          await this._createOrRenewCert({
+            domain: data.domain,
+            subscriberEmail: this.subscriberEmail,
+            challenges: { 'http-01': http01 },
+          });
+        }
+      },
+      options: {
+        maxRetries: 5,
+        retryDelay: 60 * 1000,
+        maxTimeout: 60 * 1000 * 5, // throw timeout error after 5 minutes
+        id: (job) => (job ? md5(`${job.domain}-${job.challenge}`) : ''),
+      },
+    });
+  }
+
+  getJobSchedular() {
+    return {
+      name: 'check-renewal-cert-job',
+      time: process.env.NODE_ENV === 'development' ? '0 * * * * *' : '0 */5 * * * *', // every 5 minutes
+      fn: this.checkRenewalCerts.bind(this),
+    };
+  }
+
+  async add(domain) {
+    if (!domain) {
+      throw new Error('domain is required when add domain');
+    }
+
+    const result = await states.certificate.insert({
+      domain,
+      source: CERT_SOURCE.letsEncrypt,
+      status: CERT_STATUS.waiting,
+    });
+
+    this.queue.push({ domain });
+    return result;
+  }
+
+  getCertState(domain) {
+    const certDir = path.join(this.acme.certDir, domain);
+    if (fs.existsSync(certDir)) {
+      return true;
+    }
+
+    return true;
+  }
+
+  readCert(domain) {
+    const certDir = path.join(this.acme.certDir, domain);
+    if (!fs.existsSync(certDir)) {
+      return null;
+    }
+
+    const chain = fs.readFileSync(path.join(certDir, 'fullchain.pem')).toString();
+    const privkey = fs.readFileSync(path.join(certDir, 'privkey.pem')).toString();
+
+    return {
+      domain,
+      chain,
+      privkey,
+    };
+  }
+
+  async _createOrRenewCert({ domain, subscriberEmail, force = false, challenges }) {
+    try {
+      if (!domain) {
+        throw new Error('domain is required when create certificate');
+      }
+
+      const cert = await states.certificate.findOne({ domain });
+      if (!cert) {
+        logger.warn(`create certificate failed: the cert ${domain} does not exist`);
+        return;
+      }
+
+      let status = CERT_STATUS.creating;
+
+      if (cert.certificate) {
+        const info = Certificate.fromPEM(cert.fullchain);
+        const days = moment(info.validTo).diff(moment(), 'days');
+
+        if (force === false && days > this.renewalOffsetInDay) {
+          logger.info(`no need to renewal ${cert.domain}, the certificate will expires more than ${days} days`);
+          return;
+        }
+
+        status = CERT_STATUS.renewaling;
+      }
+
+      await states.certificate.updateStatus(cert.domain, status);
+      await this.acme.create({
+        subject: cert.domain,
+        subscriberEmail,
+        challenges,
+      });
+    } catch (error) {
+      logger.error(`create certificate for ${domain} job failed`, error);
+      throw error;
+    }
+  }
+
+  async checkRenewalCerts() {
+    logger.info('run generate certificate job');
+    const certs = await states.certificate.find({
+      $or: [
+        {
+          source: CERT_SOURCE.letsEncrypt,
+          status: { $in: [CERT_STATUS.waiting, CERT_STATUS.error] },
+        },
+        {
+          source: CERT_SOURCE.letsEncrypt,
+          status: CERT_STATUS.generated,
+          validTo: { $lte: moment().add(this.renewalOffsetInDay, 'days') },
+        },
+      ],
+    });
+
+    if (certs.length > 0) {
+      certs.forEach(({ domain }) => this.queue.push({ domain }));
+    }
+  }
+}
+
+let instance = null;
+
+Manager.getInstance = async ({ maintainerEmail, baseDataDir }) => {
+  if (instance) {
+    return instance;
+  }
+
+  const dataDir = path.join(baseDataDir, '.data');
+
+  instance = new Manager({
+    packageRoot: baseDataDir,
+    dataDir,
+    maintainerEmail,
+    staging: typeof process.env.STAGING === 'undefined' ? process.env.NODE_ENV !== 'production' : !!process.env.STAGING,
+  });
+
+  await instance.acme.init();
+
+  instance.acme.on('cert.issued', async (data) => {
+    await states.certificate.update(
+      { domain: data.subject },
+      {
+        $set: {
+          status: CERT_STATUS.generated,
+          certificate: data.fullchain,
+          privateKey: data.privkey,
+        },
+      }
+    );
+
+    const cert = await states.certificate.findOne({ domain: data.subject });
+    instance.emit('cert.issued', { id: cert.id, domain: cert.domain });
+  });
+
+  instance.acme.on('cert.error', async (data) => {
+    if (data.domain) {
+      await states.certificate.updateStatus(data.domain, CERT_STATUS.error);
+    }
+
+    instance.emit('cert.error', data);
+  });
+
+  return instance;
+};
+
+Manager.initInstance = Manager.getInstance;
+
+module.exports = Manager;

package/libs/acme-wrapper.js

@@ -0,0 +1,129 @@
+const { EventEmitter } = require('events');
+const ACME = require('@root/acme');
+const Keypairs = require('@root/keypairs');
+const CSR = require('@root/csr');
+const PEM = require('@root/pem');
+const punycode = require('punycode/');
+const states = require('../states');
+const logger = require('./logger');
+
+const DIRECTORY_URL = 'https://acme-v02.api.letsencrypt.org/directory';
+const DIRECTORY_URL_STAGING = 'https://acme-staging-v02.api.letsencrypt.org/directory';
+
+class AcmeWrapper extends EventEmitter {
+  constructor({ maintainerEmail, packageAgent, staging = false }) {
+    super();
+
+    this.acme = ACME.create({
+      maintainerEmail,
+      packageAgent,
+      // events list:
+      // 1. error
+      // 2. warning
+      // 3. certificate_order
+      // 4. challenge_select
+      // 5. challenge_status
+      notify: (event, details) => {
+        if (event === 'error') {
+          logger.error('issue with error:', details);
+          this.emit('cert.error', { error: details });
+          return;
+        }
+
+        if (event === 'warning') {
+          logger.warn('issue with warning', { details });
+          this.emit('cert.warning', { details });
+          return;
+        }
+
+        if (['challenge_status', 'cert_issue'].includes(event)) {
+          logger.info(`notify ${event} details:`, details);
+        }
+
+        this.emit('cert.event:', event);
+      },
+    });
+
+    this.staging = staging;
+    this.directoryUrl = this.staging === true ? DIRECTORY_URL_STAGING : DIRECTORY_URL;
+    this.maintainerEmail = maintainerEmail;
+
+    logger.info('directory url', { url: this.directoryUrl });
+  }
+
+  async init() {
+    await this.acme.init(this.directoryUrl);
+  }
+
+  async create({ subject, subscriberEmail, agreeToTerms = true, challenges }) {
+    const domains = [subject].map((name) => punycode.toASCII(name));
+
+    const encoding = 'der';
+    const typ = 'CERTIFICATE REQUEST';
+
+    const serverKeypair = await Keypairs.generate({ kty: 'RSA', format: 'jwk' });
+    const serverKey = serverKeypair.private;
+    const serverPem = await Keypairs.export({ jwk: serverKey, encoding: 'pem' });
+
+    const csrDer = await CSR.csr({ jwk: serverKey, domains, encoding });
+    const csr = PEM.packBlock({ type: typ, bytes: csrDer });
+    logger.info(`validating domain authorization for ${domains.join(' ')}`);
+
+    const dbAccount = await this._createAccount(subscriberEmail, agreeToTerms);
+    const accountKey = dbAccount.private_key;
+
+    try {
+      const pems = await this.acme.certificates.create({
+        account: dbAccount.account,
+        accountKey,
+        csr,
+        domains,
+        challenges,
+      });
+
+      const fullchain = `${pems.cert}\n${pems.chain}\n`;
+
+      logger.info('certificates generated!');
+
+      this.emit('cert.issued', {
+        subject,
+        privkey: serverPem,
+        cert: pems.cert,
+        chain: pems.chain,
+        fullchain,
+        challenges,
+      });
+    } catch (error) {
+      logger.error('create certificate error', { domain: subject, error });
+      this.emit('cert.error', { domain: subject, error_message: error.message });
+    }
+  }
+
+  async _createAccount(subscriberEmail, agreeToTerms) {
+    const dbAccount = await states.account.findOne({ directoryUrl: this.directoryUrl });
+    if (dbAccount) {
+      return dbAccount;
+    }
+
+    // TODO: kty 可以是 RSA? 和 EC 有什么区别？
+    const accountKeypair = await Keypairs.generate({ kty: 'EC', format: 'jwk' });
+    const accountKey = accountKeypair.private;
+
+    const account = await this.acme.accounts.create({
+      subscriberEmail,
+      agreeToTerms,
+      accountKey,
+    });
+
+    await states.account.update(
+      { directoryUrl: this.directoryUrl },
+      { directoryUrl: this.directoryUrl, private_key: accountKey, account, maintainer_email: this.maintainerEmail },
+      { upsert: true }
+    );
+
+    logger.info('account was created', { directoryUrl: this.directoryUrl, maintainerEmail: this.maintainerEmail });
+    return states.account.findOne({ directoryUrl: this.directoryUrl });
+  }
+}
+
+module.exports = AcmeWrapper;

package/libs/constant.js

@@ -0,0 +1,13 @@
+module.exports = Object.freeze({
+  CERT_STATUS: {
+    waiting: 'waiting',
+    creating: 'creating',
+    generated: 'generated',
+    renewaling: 'renewaling',
+    error: 'error',
+  },
+  CERT_SOURCE: {
+    letsEncrypt: 'lets_encrypt',
+    upload: 'upload',
+  },
+});

package/libs/http-01.js

@@ -0,0 +1,62 @@
+/**
+ * base on: https://www.npmjs.com/package/acme-http-01-standalone
+ */
+
+const states = require('../states');
+const logger = require('./logger');
+
+const _memdb = {};
+
+const create = () => {
+  return {
+    init() {
+      return Promise.resolve(null);
+    },
+
+    set(data) {
+      return Promise.resolve().then(async () => {
+        const ch = data.challenge;
+        const key = ch.token;
+        logger.info('set key:', { key });
+        await states.httpChallenge.update({ key }, { key, value: ch.keyAuthorization }, { upsert: true });
+        logger.info('setted key:', { key });
+
+        return null;
+      });
+    },
+
+    get(data) {
+      return Promise.resolve().then(async () => {
+        const ch = data.challenge;
+        const key = ch.token;
+        logger.info('get key', { key });
+
+        const challengeResult = await states.httpChallenge.findOne({ key });
+        if (challengeResult) {
+          logger.info('got key', { key });
+          return { keyAuthorization: challengeResult.value };
+        }
+
+        logger.info('key not found', { key });
+        return null;
+      });
+    },
+
+    remove(data) {
+      return Promise.resolve().then(async () => {
+        const ch = data.challenge;
+        const key = ch.token;
+        logger.info('remove key', { key });
+        await states.httpChallenge.remove({ key });
+        logger.info('removed key', { key });
+
+        return null;
+      });
+    },
+  };
+};
+
+module.exports = {
+  create,
+  db: _memdb,
+};

package/libs/logger.js

@@ -0,0 +1 @@
+module.exports = require('@abtnode/logger')(require('../package.json').name);

package/libs/queue.js

@@ -0,0 +1,12 @@
+const path = require('path');
+const createQueue = require('@abtnode/queue');
+
+module.exports = ({ name, dataDir, onJob, options = {} }) => {
+  const queue = createQueue({
+    file: path.join(dataDir, `${name}.db`),
+    onJob,
+    options,
+  });
+
+  return queue;
+};

package/libs/util.js

@@ -0,0 +1,90 @@
+const crypto = require('crypto');
+const fs = require('fs');
+const get = require('lodash.get');
+const { Certificate, PrivateKey } = require('@fidm/x509');
+
+const md5 = (str) => crypto.createHash('md5').update(str).digest('hex');
+
+const ensureDir = (dir) => {
+  if (fs.existsSync(dir)) {
+    return dir;
+  }
+
+  fs.mkdirSync(dir, { recursive: true });
+  return dir;
+};
+const getFingerprint = (data, alg) => {
+  const shasum = crypto.createHash(alg);
+  // eslint-disable-next-line newline-per-chained-call
+  return shasum.update(data).digest('hex').match(/.{2}/g).join(':').toUpperCase();
+};
+
+const validateCertificate = (cert, domain) => {
+  const certificate = Certificate.fromPEM(cert.certificate);
+  const privateKey = PrivateKey.fromPEM(cert.privateKey);
+
+  const data = Buffer.allocUnsafe(100);
+  const signature = privateKey.sign(data, 'sha512');
+  if (!certificate.publicKey.verify(data, signature, 'sha512')) {
+    throw new Error('Invalid certificate: signature verify failed');
+  }
+
+  const certDomain = get(certificate, 'subject.commonName', '');
+  if (domain && domain !== certDomain) {
+    throw new Error('Invalid certificate: domain does not match');
+  }
+
+  const validFrom = get(certificate, 'validFrom', '');
+  if (!validFrom || new Date(validFrom).getTime() > Date.now()) {
+    throw new Error('Invalid certificate: not in valid period');
+  }
+  const validTo = get(certificate, 'validTo', '');
+  if (!validTo || new Date(validTo).getTime() < Date.now()) {
+    throw new Error('Invalid certificate: not in valid period');
+  }
+
+  return certificate;
+};
+
+const getCertInfo = (certificate) => {
+  const info = Certificate.fromPEM(certificate);
+
+  const domain = info.subject.commonName.valueOf();
+  const validFrom = info.validFrom.valueOf();
+  const validTo = info.validTo.valueOf();
+  const issuer = {
+    countryName: info.issuer.countryName.valueOf(),
+    organizationName: info.issuer.organizationName.valueOf(),
+    commonName: info.issuer.commonName.valueOf(),
+  };
+
+  return {
+    domain,
+    validFrom,
+    validTo,
+    issuer,
+    serialNumber: info.serialNumber,
+    sans: info.dnsNames,
+    validityPeriod: info.validTo - info.validFrom,
+    fingerprintAlg: 'SHA256',
+    fingerprint: getFingerprint(info.raw, 'sha256'),
+  };
+};
+
+const attachCertInfo = (certificates = []) => {
+  if (!certificates) {
+    return null;
+  }
+
+  if (Array.isArray(certificates)) {
+    return certificates.map((cert) => {
+      const info = cert.certificate ? getCertInfo(cert.certificate) : {};
+      return { ...cert, ...info };
+    });
+  }
+
+  const info = certificates.certificate ? getCertInfo(certificates.certificate) : {};
+  return { ...certificates, ...info };
+};
+
+module.exports = { md5, ensureDir, getFingerprint, validateCertificate, attachCertInfo };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/certificate-manager",
-  "version": "1.6.7",
+  "version": "1.6.8",
   "description": "Manage ABT Node SSL certificates",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -9,12 +9,14 @@
   "publishConfig": {
     "access": "public"
   },
-  "directories": {
-    "lib": "lib",
-    "test": "__tests__"
-  },
   "files": [
-    "lib"
+    "libs",
+    "routes",
+    "sdk",
+    "states",
+    "validators",
+    "index.js",
+    "README.md"
   ],
   "repository": {
     "type": "git",
@@ -29,10 +31,10 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/cron": "1.6.7",
-    "@abtnode/db": "1.6.7",
-    "@abtnode/logger": "1.6.7",
-    "@abtnode/queue": "1.6.7",
+    "@abtnode/cron": "1.6.8",
+    "@abtnode/db": "1.6.8",
+    "@abtnode/logger": "1.6.8",
+    "@abtnode/queue": "1.6.8",
     "@fidm/x509": "^1.2.1",
     "@greenlock/manager": "^3.1.0",
     "@nedb/core": "^1.1.0",
@@ -52,5 +54,5 @@
     "punycode": "^2.1.1",
     "ursa-optional": "^0.10.2"
   },
-  "gitHead": "d681c03a398e3c7d4dbc878db93b2ab778dded81"
+  "gitHead": "f97ec3a44250e034ff4b5e3f088c1417f448a7bb"
 }

package/routes/index.js

@@ -0,0 +1,15 @@
+const express = require('express');
+const wellKnownRouter = require('./well-known');
+const states = require('../states');
+
+const router = express.Router();
+
+const createRoutes = (dataDir) => {
+  states.init(dataDir);
+
+  router.use(wellKnownRouter);
+
+  return router;
+};
+
+module.exports = createRoutes;

package/routes/well-known.js

@@ -0,0 +1,17 @@
+const express = require('express');
+const logger = require('../libs/logger');
+const states = require('../states');
+
+const router = express.Router();
+
+router.get('/.well-known/acme-challenge/:token', async (req, res) => {
+  const challenge = await states.httpChallenge.findOne({ key: req.params.token });
+  logger.debug('acme challenge', { token: req.params.token, challenge });
+  if (!challenge) {
+    return res.status(404).send();
+  }
+
+  return res.send(challenge.value);
+});
+
+module.exports = router;

package/sdk/manager.js

@@ -0,0 +1,180 @@
+const EventEmitter = require('events');
+const { Certificate } = require('@fidm/x509');
+const get = require('lodash.get');
+const Cron = require('@abtnode/cron');
+
+const AcmeManager = require('../libs/acme-manager');
+const { CERT_SOURCE, CERT_STATUS } = require('../libs/constant');
+const states = require('../states');
+const { validateAdd, validateUpdate, validateUpsertByDomain } = require('../validators/cert');
+const logger = require('../libs/logger');
+const { validateCertificate } = require('../libs/util');
+
+const DAY_IN_MS = 24 * 60 * 60 * 1000;
+const CERTIFICATE_EXPIRES_WARNING_OFFSET = 7 * DAY_IN_MS;
+
+class Manager extends EventEmitter {
+  constructor({ daysBeforeExpireToRenewal, maintainerEmail, dataDir }) {
+    super();
+    if (!dataDir) {
+      throw new Error('dataDir is required');
+    }
+
+    this.daysBeforeExpireToRenewal = daysBeforeExpireToRenewal;
+    this.maintainerEmail = maintainerEmail;
+    this.acmeManager = null;
+    this.dataDir = dataDir;
+
+    states.init(dataDir);
+  }
+
+  async start() {
+    const acmeManager = await AcmeManager.initInstance({
+      maintainerEmail: this.maintainerEmail,
+      daysBeforeExpireToRenewal: this.daysBeforeExpireToRenewal,
+      baseDataDir: this.dataDir,
+    });
+    this.acmeManager = acmeManager;
+
+    acmeManager.on('cert.issued', (...args) => {
+      this.emit('cert.issued', ...args);
+    });
+    acmeManager.on('cert.error', (...args) => this.emit('cert.error', ...args));
+
+    Cron.init({
+      context: {},
+      jobs: [
+        acmeManager.getJobSchedular(),
+        {
+          name: 'check-expired-certificates',
+          time: '0 0 9 * * *', // check on 09:00 every day
+          fn: this.checkCertificatesExpiration.bind(this),
+          options: { runOnInit: true },
+        },
+      ],
+    });
+  }
+
+  async checkCertificatesExpiration() {
+    try {
+      logger.info('check expired certificates');
+      const now = Date.now();
+
+      const certificates = await this.getAllNormal();
+      for (let i = 0; i < certificates.length; i++) {
+        const cert = certificates[i];
+        const alreadyExpired = now >= cert.validTo;
+        const aboutToExpire = cert.validTo - now > 0 && cert.validTo - now < CERTIFICATE_EXPIRES_WARNING_OFFSET;
+
+        const expireInDays = Math.ceil((cert.validTo - now) / DAY_IN_MS);
+        const data = { id: cert.id, domain: cert.domain, expireInDays, validTo: cert.validTo };
+
+        if (alreadyExpired) {
+          this.emit('cert.expired', data);
+        } else if (aboutToExpire) {
+          this.emit('cert.about_to_expire', data);
+        }
+      }
+    } catch (error) {
+      logger.error('check expired certificates failed', { error });
+    }
+  }
+
+  async getAll() {
+    return states.certificate.find({});
+  }
+
+  getAllNormal() {
+    return states.certificate.find({
+      $or: [
+        { status: CERT_STATUS.generated },
+        {
+          source: CERT_SOURCE.upload,
+        },
+      ],
+    });
+  }
+
+  getByDomain(domain) {
+    return states.certificate.findOne({ domain });
+  }
+
+  async add(data) {
+    await validateAdd(data);
+
+    validateCertificate(data);
+
+    const existed = await states.certificate.findOne({ name: data.name });
+    if (existed) {
+      throw new Error(`The name ${data.name} already exists!`);
+    }
+
+    if (!data.source) {
+      data.source = CERT_SOURCE.upload;
+    }
+
+    const info = Certificate.fromPEM(data.certificate);
+    data.domain = get(info, 'subject.commonName', '');
+
+    const result = await states.certificate.insert(data);
+    return result;
+  }
+
+  /**
+   * 生成域名，certificate-manager 会自动生成并更新该证书
+   * @param {string} domain
+   * @returns
+   */
+  async issue(domain) {
+    if (!domain) {
+      throw new Error('domain is required');
+    }
+
+    const existed = await states.certificate.findOne({ domain });
+    if (existed) {
+      throw new Error(`The name ${domain} already exists!`);
+    }
+
+    return this.acmeManager.add(domain);
+  }
+
+  async upsertByDomain(data) {
+    await validateUpsertByDomain(data);
+
+    if (!data.source) {
+      data.source = CERT_SOURCE.upload;
+    }
+
+    return states.certificate.update({ domain: data.domain }, data, { upsert: true });
+  }
+
+  async update(id, data) {
+    await validateUpdate(data);
+
+    const existed = await states.certificate.findOne({ _id: id });
+    if (!existed) {
+      throw new Error(`The name ${data.name} does not exists`);
+    }
+
+    if (existed.source !== CERT_SOURCE.upload) {
+      throw new Error('Can not update non-upload certificate');
+    }
+
+    return states.certificate.update({ _id: id }, { $set: data });
+  }
+
+  async remove(id) {
+    const existed = await states.certificate.findOne({ _id: id });
+    if (!existed) {
+      throw new Error(`The certificate ${id} does not exists!`);
+    }
+
+    return states.certificate.remove({ _id: id });
+  }
+
+  addWithoutValidations(data) {
+    return states.certificate.insert(data);
+  }
+}
+
+module.exports = Manager;

package/states/account.js

@@ -0,0 +1,9 @@
+const BaseSate = require('./base');
+
+class Account extends BaseSate {
+  constructor(dataDir) {
+    super(dataDir, { filename: 'account.db' });
+  }
+}
+
+module.exports = Account;

package/states/base.js

@@ -0,0 +1,15 @@
+const DB = require('@abtnode/db');
+
+module.exports = class BaseDB extends DB {
+  async find(...args) {
+    const dbEntity = await super.find(...args);
+
+    return DB.renameIdFiledName(dbEntity);
+  }
+
+  async findOne(...args) {
+    const dbEntity = await super.findOne(...args);
+
+    return DB.renameIdFiledName(dbEntity);
+  }
+};

package/states/certificate.js

@@ -0,0 +1,29 @@
+const { CERT_STATUS } = require('../libs/constant');
+const BaseSate = require('./base');
+const { attachCertInfo } = require('../libs/util');
+
+class Certificate extends BaseSate {
+  constructor(dataDir) {
+    super(dataDir, { filename: 'certificate.db' });
+  }
+
+  async updateStatus(domain, status) {
+    if (!Object.values(CERT_STATUS).includes(status)) {
+      throw new Error('invalid domain status');
+    }
+
+    return super.update({ domain }, { $set: { status } });
+  }
+
+  async find(...args) {
+    const result = await super.find(...args);
+    return attachCertInfo(result);
+  }
+
+  async findOne(...args) {
+    const result = await super.findOne(...args);
+    return attachCertInfo(result);
+  }
+}
+
+module.exports = Certificate;

package/states/http-challenge.js

@@ -0,0 +1,9 @@
+const BaseSate = require('./base');
+
+class HttpChallenge extends BaseSate {
+  constructor(dataDir) {
+    super(dataDir, { filename: 'http-challenge.db' });
+  }
+}
+
+module.exports = HttpChallenge;

package/states/index.js

@@ -0,0 +1,26 @@
+const path = require('path');
+const fs = require('fs');
+const stateFactory = require('@abtnode/db/lib/factory');
+
+const Account = require('./account');
+const Certificate = require('./certificate');
+const HttpChallenge = require('./http-challenge');
+
+const init = (dataDir) => {
+  const dbDir = path.join(dataDir, 'db');
+  if (!fs.existsSync(dbDir)) {
+    fs.mkdirSync(dbDir, { recursive: true });
+  }
+
+  const account = new Account(dbDir);
+  const certificate = new Certificate(dbDir);
+  const httpChallenge = new HttpChallenge(dbDir);
+
+  return {
+    account,
+    certificate,
+    httpChallenge,
+  };
+};
+
+module.exports = stateFactory(init);

package/validators/cert.js

@@ -0,0 +1,31 @@
+const Joi = require('joi');
+
+const nameSchema = Joi.string().trim().max(64);
+const publicSchema = Joi.bool().default(false);
+
+const addSchema = Joi.object({
+  name: nameSchema,
+  certificate: Joi.string().required(),
+  privateKey: Joi.string().required(),
+  public: publicSchema,
+});
+
+const updateSchema = Joi.object({
+  name: nameSchema.required(),
+  public: publicSchema,
+});
+
+const upsertByDomainSchema = Joi.object({
+  name: nameSchema,
+  domain: Joi.string().required(),
+  certificate: Joi.string().required(),
+  privateKey: Joi.string().required(),
+  public: publicSchema,
+  isProtected: Joi.boolean(),
+});
+
+module.exports = {
+  validateAdd: (entity) => addSchema.validateAsync(entity),
+  validateUpdate: (entity) => updateSchema.validateAsync(entity),
+  validateUpsertByDomain: (entity) => upsertByDomainSchema.validateAsync(entity),
+};