npm - @certd/acme-client - Versions diffs - 0.1.10 → 0.3.0 - Mend

@certd/acme-client 0.1.10 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/src/client.js CHANGED Viewed

@@ -4,28 +4,39 @@
  * @namespace Client
  */
-const crypto = require('crypto');
-const logger = require('./util.log.js');
-const debug = logger.info;
-const Promise = require('bluebird');
+const { createHash } = require('crypto');
+const { getPemBodyAsB64u } = require('./crypto');
+const { log } = require('./logger');
 const HttpClient = require('./http');
 const AcmeApi = require('./api');
 const verify = require('./verify');
 const util = require('./util');
 const auto = require('./auto');
-const forge = require('./crypto/forge');
+/**
+ * ACME states
+ *
+ * @private
+ */
+const validStates = ['ready', 'valid'];
+const pendingStates = ['pending', 'processing'];
+const invalidStates = ['invalid'];
 /**
  * Default options
+ *
+ * @private
  */
 const defaultOpts = {
     directoryUrl: undefined,
     accountKey: undefined,
     accountUrl: null,
-    backoffAttempts: 5,
+    externalAccountBinding: {},
+    backoffAttempts: 10,
     backoffMin: 5000,
     backoffMax: 30000
 };
@@ -39,7 +50,10 @@ const defaultOpts = {
  * @param {string} opts.directoryUrl ACME directory URL
  * @param {buffer|string} opts.accountKey PEM encoded account private key
  * @param {string} [opts.accountUrl] Account URL, default: `null`
- * @param {number} [opts.backoffAttempts] Maximum number of backoff attempts, default: `5`
+ * @param {object} [opts.externalAccountBinding]
+ * @param {string} [opts.externalAccountBinding.kid] External account binding KID
+ * @param {string} [opts.externalAccountBinding.hmacKey] External account binding HMAC key
+ * @param {number} [opts.backoffAttempts] Maximum number of backoff attempts, default: `10`
  * @param {number} [opts.backoffMin] Minimum backoff attempt delay in milliseconds, default: `5000`
  * @param {number} [opts.backoffMax] Maximum backoff attempt delay in milliseconds, default: `30000`
  *
@@ -57,11 +71,23 @@ const defaultOpts = {
  *     directoryUrl: acme.directory.letsencrypt.staging,
  *     accountKey: 'Private key goes here',
  *     accountUrl: 'Optional account URL goes here',
- *     backoffAttempts: 5,
+ *     backoffAttempts: 10,
  *     backoffMin: 5000,
  *     backoffMax: 30000
  * });
  * ```
+ *
+ * @example Create ACME client with external account binding
+ * ```js
+ * const client = new acme.Client({
+ *     directoryUrl: 'https://acme-provider.example.com/directory-url',
+ *     accountKey: 'Private key goes here',
+ *     externalAccountBinding: {
+ *         kid: 'YOUR-EAB-KID',
+ *         hmacKey: 'YOUR-EAB-HMAC-KEY'
+ *     }
+ * });
+ * ```
  */
 class AcmeClient {
@@ -78,7 +104,7 @@ class AcmeClient {
             max: this.opts.backoffMax
         };
-        this.http = new HttpClient(this.opts.directoryUrl, this.opts.accountKey);
+        this.http = new HttpClient(this.opts.directoryUrl, this.opts.accountKey, this.opts.externalAccountBinding);
         this.api = new AcmeApi(this.http, this.opts.accountUrl);
     }
@@ -154,17 +180,17 @@ class AcmeClient {
             this.getAccountUrl();
             /* Account URL exists */
-            logger.info('Account URL exists, returning updateAccount()');
+            log('Account URL exists, returning updateAccount()');
             return this.updateAccount(data);
         }
         catch (e) {
             const resp = await this.api.createAccount(data);
-            // TODO 先注释，可加快速度
             /* HTTP 200: Account exists */
-            // if (resp.status === 200) {
-            //     logger.info('Account already exists (HTTP 200), returning updateAccount()');
-            //     return this.updateAccount(data);
-            // }
+            if (resp.status === 200) {
+                log('Account already exists (HTTP 200), returning updateAccount()');
+                return this.updateAccount(data);
+            }
             return resp.data;
         }
@@ -192,7 +218,7 @@ class AcmeClient {
             this.api.getAccountUrl();
         }
         catch (e) {
-            logger.info('No account URL found, returning createAccount()');
+            log('No account URL found, returning createAccount()');
             return this.createAccount(data);
         }
@@ -238,16 +264,13 @@ class AcmeClient {
         const newHttpClient = new HttpClient(this.opts.directoryUrl, newAccountKey);
         const newApiClient = new AcmeApi(newHttpClient, accountUrl);
-        /* Get new JWK */
+        /* Get old JWK */
         data.account = accountUrl;
-        data.oldKey = await this.http.getJwk();
-        /* TODO: Backward-compatibility with draft-ietf-acme-12, remove this in a later release */
-        data.newKey = await newHttpClient.getJwk();
+        data.oldKey = this.http.getJwk();
         /* Get signed request body from new client */
         const url = await newHttpClient.getResourceUrl('keyChange');
-        const body = await newHttpClient.createSignedBody(url, data);
+        const body = newHttpClient.createSignedBody(url, data);
         /* Change key using old client */
         const resp = await this.api.updateAccountKey(body);
@@ -345,9 +368,7 @@ class AcmeClient {
             csr = Buffer.from(csr);
         }
-        const body = forge.getPemBody(csr);
-        const data = { csr: util.b64escape(body) };
+        const data = { csr: getPemBodyAsB64u(csr) };
         const resp = await this.api.finalizeOrder(order.finalize, data);
         /* Add URL to response */
@@ -376,13 +397,13 @@ class AcmeClient {
      */
     async getAuthorizations(order) {
-        return Promise.map((order.authorizations || []), async (url) => {
+        return Promise.all((order.authorizations || []).map(async (url) => {
             const resp = await this.api.getAuthorization(url);
             /* Add URL to response */
             resp.data.url = url;
             return resp.data;
-        });
+        }));
     }
@@ -436,9 +457,9 @@ class AcmeClient {
      */
     async getChallengeKeyAuthorization(challenge) {
-        const jwk = await this.http.getJwk();
-        const keysum = crypto.createHash('sha256').update(JSON.stringify(jwk));
-        const thumbprint = util.b64escape(keysum.digest('base64'));
+        const jwk = this.http.getJwk();
+        const keysum = createHash('sha256').update(JSON.stringify(jwk));
+        const thumbprint = keysum.digest('base64url');
         const result = `${challenge.token}.${thumbprint}`;
         /**
@@ -455,8 +476,8 @@ class AcmeClient {
          */
         if ((challenge.type === 'dns-01') || (challenge.type === 'tls-alpn-01')) {
-            const shasum = crypto.createHash('sha256').update(result);
-            return util.b64escape(shasum.digest('base64'));
+            const shasum = createHash('sha256').update(result);
+            return shasum.digest('base64url');
         }
         throw new Error(`Unable to produce key authorization, unknown challenge type: ${challenge.type}`);
@@ -493,7 +514,7 @@ class AcmeClient {
             await verify[challenge.type](authz, challenge, keyAuthorization);
         };
-        logger.info('Waiting for ACME challenge verification', this.backoffOpts);
+        log('Waiting for ACME challenge verification', this.backoffOpts);
         return util.retry(verifyFn, this.backoffOpts);
     }
@@ -555,23 +576,23 @@ class AcmeClient {
             const resp = await this.api.apiRequest(item.url, null, [200]);
             /* Verify status */
-            logger.info(`Item has status: ${resp.data.status}`);
+            log(`Item has status: ${resp.data.status}`);
-            if (resp.data.status === 'invalid') {
+            if (invalidStates.includes(resp.data.status)) {
                 abort();
-                throw new Error(`Operation is invalid:${util.formatResponseError(resp)}`);
+                throw new Error(util.formatResponseError(resp));
             }
-            else if (resp.data.status === 'pending') {
-                throw new Error('Operation is pending');
+            else if (pendingStates.includes(resp.data.status)) {
+                throw new Error('Operation is pending or processing');
             }
-            else if (resp.data.status === 'valid') {
+            else if (validStates.includes(resp.data.status)) {
                 return resp.data;
             }
             throw new Error(`Unexpected item status: ${resp.data.status}`);
         };
-        logger.info(`Waiting for valid status from: ${item.url}`, this.backoffOpts);
+        log(`Waiting for valid status from: ${item.url}`, this.backoffOpts);
         return util.retry(verifyFn, this.backoffOpts);
     }
@@ -599,7 +620,7 @@ class AcmeClient {
      */
     async getCertificate(order, preferredChain = null) {
-        if (order.status !== 'valid') {
+        if (!validStates.includes(order.status)) {
             order = await this.waitForValidStatus(order);
         }
@@ -612,7 +633,7 @@ class AcmeClient {
         /* Handle alternate certificate chains */
         if (preferredChain && resp.headers.link) {
             const alternateLinks = util.parseLinkHeader(resp.headers.link);
-            const alternates = await Promise.map(alternateLinks, async (link) => this.api.apiRequest(link, null, [200]));
+            const alternates = await Promise.all(alternateLinks.map(async (link) => this.api.apiRequest(link, null, [200])));
             const certificates = [resp].concat(alternates).map((c) => c.data);
             return util.findCertificateChainForIssuer(certificates, preferredChain);
@@ -648,9 +669,7 @@ class AcmeClient {
      */
     async revokeCertificate(cert, data = {}) {
-        const body = forge.getPemBody(cert);
-        data.certificate = util.b64escape(body);
+        data.certificate = getPemBodyAsB64u(cert);
         const resp = await this.api.revokeCert(data);
         return resp.data;
     }
@@ -672,7 +691,7 @@ class AcmeClient {
      *
      * @example Order a certificate using auto mode
      * ```js
-     * const [certificateKey, certificateRequest] = await acme.forge.createCsr({
+     * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
      *     commonName: 'test.example.com'
      * });
      *
@@ -691,7 +710,7 @@ class AcmeClient {
      *
      * @example Order a certificate using auto mode with preferred chain
      * ```js
-     * const [certificateKey, certificateRequest] = await acme.forge.createCsr({
+     * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
      *     commonName: 'test.example.com'
      * });
      *

package/src/crypto/forge.js CHANGED Viewed

@@ -1,14 +1,17 @@
 /**
- * node-forge crypto engine
+ * Legacy node-forge crypto interface
+ *
+ * DEPRECATION WARNING: This crypto interface is deprecated and will be removed from acme-client in a future
+ * major release. Please migrate to the new `acme.crypto` interface at your earliest convenience.
  *
  * @namespace forge
  */
 const net = require('net');
-const Promise = require('bluebird');
+const { promisify } = require('util');
 const forge = require('node-forge');
-const generateKeyPair = Promise.promisify(forge.pki.rsa.generateKeyPair);
+const generateKeyPair = promisify(forge.pki.rsa.generateKeyPair);
 /**
@@ -71,8 +74,7 @@ function parseDomains(obj) {
     if (rootAltNames && rootAltNames.altNames && rootAltNames.altNames.length) {
         altNamesDict = rootAltNames.altNames;
-    }
-    else if (rootExtensions && rootExtensions.extensions && rootExtensions.extensions.length) {
+    } else if (rootExtensions && rootExtensions.extensions && rootExtensions.extensions.length) {
         const extAltNames = rootExtensions.extensions.find((e) => 'altNames' in e);
         if (extAltNames && extAltNames.altNames && extAltNames.altNames.length) {
@@ -113,11 +115,21 @@ function parseDomains(obj) {
  */
 async function createPrivateKey(size = 2048) {
-    const keyPair = await generateKeyPair({ bits: size });
-    const pemKey = forge.pki.privateKeyToPem(keyPair.privateKey);
+    const keyPair = await generateKeyPair({bits: size});
+    // const privateKey = forge.pki.privateKeyToPem(keyPair.privateKey);
+    // convert a Forge private key to an ASN.1 RSAPrivateKey
+    var rsaPrivateKey = forge.pki.privateKeyToAsn1(keyPair.privateKey);
+// wrap an RSAPrivateKey ASN.1 object in a PKCS#8 ASN.1 PrivateKeyInfo
+    var privateKeyInfo = forge.pki.wrapRsaPrivateKey(rsaPrivateKey);
+// convert a PKCS#8 ASN.1 PrivateKeyInfo to PEM
+    var pemKey = forge.pki.privateKeyInfoToPem(privateKeyInfo);
     return Buffer.from(pemKey);
 }
 exports.createPrivateKey = createPrivateKey;
@@ -133,7 +145,7 @@ exports.createPrivateKey = createPrivateKey;
  * ```
  */
-exports.createPublicKey = async function(key) {
+exports.createPublicKey = async function (key) {
     const privateKey = forge.pki.privateKeyFromPem(key);
     const publicKey = forge.pki.rsa.setPublicKey(privateKey.n, privateKey.e);
     const pemKey = forge.pki.publicKeyToPem(publicKey);
@@ -142,7 +154,7 @@ exports.createPublicKey = async function(key) {
 /**
- * Parse body of PEM encoded object form buffer or string
+ * Parse body of PEM encoded object from buffer or string
  * If multiple objects are chained, the first body will be returned
  *
  * @param {buffer|string} str PEM encoded buffer or string
@@ -179,7 +191,7 @@ exports.splitPemChain = (str) => forge.pem.decode(str).map(forge.pem.encode);
  * ```
  */
-exports.getModulus = async function(input) {
+exports.getModulus = async function (input) {
     if (!Buffer.isBuffer(input)) {
         input = Buffer.from(input);
     }
@@ -203,7 +215,7 @@ exports.getModulus = async function(input) {
  * ```
  */
-exports.getPublicExponent = async function(input) {
+exports.getPublicExponent = async function (input) {
     if (!Buffer.isBuffer(input)) {
         input = Buffer.from(input);
     }
@@ -228,7 +240,7 @@ exports.getPublicExponent = async function(input) {
  * ```
  */
-exports.readCsrDomains = async function(csr) {
+exports.readCsrDomains = async function (csr) {
     if (!Buffer.isBuffer(csr)) {
         csr = Buffer.from(csr);
     }
@@ -257,7 +269,7 @@ exports.readCsrDomains = async function(csr) {
  * ```
  */
-exports.readCertificateInfo = async function(cert) {
+exports.readCertificateInfo = async function (cert) {
     if (!Buffer.isBuffer(cert)) {
         cert = Buffer.from(cert);
     }
@@ -309,7 +321,7 @@ function createCsrSubject(subjectObj) {
     return Object.entries(subjectObj).reduce((result, [shortName, value]) => {
         if (value) {
             const valueTagClass = getCsrValueTagClass(shortName);
-            result.push({ shortName, value, valueTagClass });
+            result.push({shortName, value, valueTagClass});
         }
         return result;
@@ -329,7 +341,7 @@ function createCsrSubject(subjectObj) {
 function formatCsrAltNames(altNames) {
     return altNames.map((value) => {
         const type = net.isIP(value) ? 7 : 2;
-        return { type, value };
+        return {type, value};
     });
 }
@@ -388,11 +400,10 @@ function formatCsrAltNames(altNames) {
  * }, certificateKey);
  */
-exports.createCsr = async function(data, key = null) {
+exports.createCsr = async function (data, key = null) {
     if (!key) {
         key = await createPrivateKey(data.keySize);
-    }
-    else if (!Buffer.isBuffer(key)) {
+    } else if (!Buffer.isBuffer(key)) {
         key = Buffer.from(key);
     }
@@ -436,8 +447,8 @@ exports.createCsr = async function(data, key = null) {
         }]);
     }
-    /* Sign CSR */
-    csr.sign(privateKey);
+    /* Sign CSR using SHA-256 */
+    csr.sign(privateKey, forge.md.sha256.create());
     /* Done */
     const pemCsr = forge.pki.certificationRequestToPem(csr);