npm - @certd/acme-client - Versions diffs - 0.2.0 → 0.3.0 - Mend

@certd/acme-client 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/src/verify.js CHANGED Viewed

@@ -2,12 +2,10 @@
  * ACME challenge verification
  */
-const Promise = require('bluebird');
-const dns = Promise.promisifyAll(require('dns'));
-const logger = require('./util.log.js');
-const debug = logger.info;
+const dns = require('dns').promises;
+const { log } = require('./logger');
 const axios = require('./axios');
+const util = require('./util');
 /**
@@ -26,21 +24,59 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
     const httpPort = axios.defaults.acmeSettings.httpChallengePort || 80;
     const challengeUrl = `http://${authz.identifier.value}:${httpPort}${suffix}`;
-    logger.info(`Sending HTTP query to ${authz.identifier.value}, suffix: ${suffix}, port: ${httpPort}`);
+    log(`Sending HTTP query to ${authz.identifier.value}, suffix: ${suffix}, port: ${httpPort}`);
     const resp = await axios.get(challengeUrl);
     const data = (resp.data || '').replace(/\s+$/, '');
-    logger.info(`Query successful, HTTP status code: ${resp.status}`);
+    log(`Query successful, HTTP status code: ${resp.status}`);
     if (!data || (data !== keyAuthorization)) {
         throw new Error(`Authorization not found in HTTP response from ${authz.identifier.value}`);
     }
-    logger.info(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
+    log(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
     return true;
 }
+/**
+ * Walk DNS until TXT records are found
+ */
+async function walkDnsChallengeRecord(recordName, resolver = dns) {
+    /* Resolve CNAME record first */
+    try {
+        log(`Checking name for CNAME records: ${recordName}`);
+        const cnameRecords = await resolver.resolveCname(recordName);
+        if (cnameRecords.length) {
+            log(`CNAME record found at ${recordName}, new challenge record name: ${cnameRecords[0]}`);
+            return walkDnsChallengeRecord(cnameRecords[0]);
+        }
+    }
+    catch (e) {
+        log(`No CNAME records found for name: ${recordName}`);
+    }
+    /* Resolve TXT records */
+    try {
+        log(`Checking name for TXT records: ${recordName}`);
+        const txtRecords = await resolver.resolveTxt(recordName);
+        if (txtRecords.length) {
+            log(`Found ${txtRecords.length} TXT records at ${recordName}`);
+            return [].concat(...txtRecords);
+        }
+    }
+    catch (e) {
+        log(`No TXT records found for name: ${recordName}`);
+    }
+    /* Found nothing */
+    throw new Error(`No TXT records found for name: ${recordName}`);
+}
 /**
  * Verify ACME DNS challenge
  *
@@ -54,34 +90,29 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
  */
 async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '_acme-challenge.') {
-    logger.info(`Resolving DNS TXT records for ${authz.identifier.value}, prefix: ${prefix}`);
-    let challengeRecord = `${prefix}${authz.identifier.value}`;
+    let recordValues = [];
+    const recordName = `${prefix}${authz.identifier.value}`;
+    log(`Resolving DNS TXT from record: ${recordName}`);
     try {
-        /* Attempt CNAME record first */
-        logger.info(`Checking CNAME for record ${challengeRecord}`);
-        const cnameRecords = await dns.resolveCnameAsync(challengeRecord);
-        if (cnameRecords.length) {
-            logger.info(`CNAME found at ${challengeRecord}, new challenge record: ${cnameRecords[0]}`);
-            challengeRecord = cnameRecords[0];
-        }
+        /* Default DNS resolver first */
+        log('Attempting to resolve TXT with default DNS resolver first');
+        recordValues = await walkDnsChallengeRecord(recordName);
     }
     catch (e) {
-        logger.info(`No CNAME found for record ${challengeRecord}`);
+        /* Authoritative DNS resolver */
+        log(`Error using default resolver, attempting to resolve TXT with authoritative NS: ${e.message}`);
+        const authoritativeResolver = await util.getAuthoritativeDnsResolver(recordName);
+        recordValues = await walkDnsChallengeRecord(recordName, authoritativeResolver);
     }
-    /* Read TXT record */
-    const result = await dns.resolveTxtAsync(challengeRecord);
-    const records = [].concat(...result);
-    logger.info(`Query successful, found ${records.length} DNS TXT records`);
+    log(`DNS query finished successfully, found ${recordValues.length} TXT records`);
-    if (records.indexOf(keyAuthorization) === -1) {
-        throw new Error(`Authorization not found in DNS TXT records for ${authz.identifier.value}`);
+    if (!recordValues.length || !recordValues.includes(keyAuthorization)) {
+        throw new Error(`Authorization not found in DNS TXT record: ${recordName}`);
     }
-    logger.info(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
+    log(`Key authorization match for ${challenge.type}/${recordName}, ACME challenge verified`);
     return true;
 }

package/types/index.d.ts CHANGED Viewed

@@ -37,11 +37,17 @@ export interface ClientOptions {
     directoryUrl: string;
     accountKey: PrivateKeyBuffer | PrivateKeyString;
     accountUrl?: string;
+    externalAccountBinding?: ClientExternalAccountBindingOptions;
     backoffAttempts?: number;
     backoffMin?: number;
     backoffMax?: number;
 }
+export interface ClientExternalAccountBindingOptions {
+    kid: string;
+    hmacKey: string;
+}
 export interface ClientAutoOptions {
     csr: CsrBuffer | CsrString;
     challengeCreateFn: (authz: Authorization, challenge: rfc8555.Challenge, keyAuthorization: string) => Promise<any>;
@@ -69,7 +75,7 @@ export class Client {
     verifyChallenge(authz: Authorization, challenge: rfc8555.Challenge): Promise<boolean>;
     completeChallenge(challenge: rfc8555.Challenge): Promise<rfc8555.Challenge>;
     waitForValidStatus<T = Order | Authorization | rfc8555.Challenge>(item: T): Promise<T>;
-    getCertificate(order: Order, preferredChain?: string | null): Promise<string>;
+    getCertificate(order: Order, preferredChain?: string): Promise<string>;
     revokeCertificate(cert: CertificateBuffer | CertificateString, data?: rfc8555.CertificateRevocationRequest): Promise<void>;
     auto(opts: ClientAutoOptions): Promise<string>;
 }
@@ -80,9 +86,16 @@ export class Client {
  */
 export const directory: {
+    buypass: {
+        staging: string,
+        production: string
+    },
     letsencrypt: {
         staging: string,
         production: string
+    },
+    zerossl: {
+        production: string
     }
 };
@@ -119,7 +132,36 @@ export interface CsrOptions {
     emailAddress?: string;
 }
+export interface RsaPublicJwk {
+    e: string;
+    kty: string;
+    n: string;
+}
+export interface EcdsaPublicJwk {
+    crv: string;
+    kty: string;
+    x: string;
+    y: string;
+}
 export interface CryptoInterface {
+    createPrivateKey(keySize?: number): Promise<PrivateKeyBuffer>;
+    createPrivateRsaKey(keySize?: number): Promise<PrivateKeyBuffer>;
+    createPrivateEcdsaKey(namedCurve?: 'P-256' | 'P-384' | 'P-521'): Promise<PrivateKeyBuffer>;
+    getPublicKey(keyPem: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString): PublicKeyBuffer;
+    getJwk(keyPem: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString): RsaPublicJwk | EcdsaPublicJwk;
+    splitPemChain(chainPem: CertificateBuffer | CertificateString): string[];
+    getPemBodyAsB64u(pem: CertificateBuffer | CertificateString): string;
+    readCsrDomains(csrPem: CsrBuffer | CsrString): CertificateDomains;
+    readCertificateInfo(certPem: CertificateBuffer | CertificateString): CertificateInfo;
+    createCsr(data: CsrOptions, keyPem?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CsrBuffer]>;
+}
+export const crypto: CryptoInterface;
+/* TODO: LEGACY */
+export interface CryptoLegacyInterface {
     createPrivateKey(size?: number): Promise<PrivateKeyBuffer>;
     createPublicKey(key: PrivateKeyBuffer | PrivateKeyString): Promise<PublicKeyBuffer>;
     getPemBody(str: string): string;
@@ -131,7 +173,7 @@ export interface CryptoInterface {
     createCsr(data: CsrOptions, key?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CsrBuffer]>;
 }
-export const forge: CryptoInterface;
+export const forge: CryptoLegacyInterface;
 /**
@@ -139,3 +181,10 @@ export const forge: CryptoInterface;
  */
 export const axios: AxiosInstance;
+/**
+ * Logger
+ */
+export function setLogger(fn: (msg: string) => void): void;

package/types/test.ts CHANGED Viewed

@@ -7,7 +7,7 @@ import * as acme from 'acme-client';
 (async () => {
     /* Client */
-    const accountKey = await acme.forge.createPrivateKey();
+    const accountKey = await acme.crypto.createPrivateKey();
     const client = new acme.Client({
         accountKey,
@@ -41,7 +41,7 @@ import * as acme from 'acme-client';
     await client.waitForValidStatus(challenge);
     /* Finalize */
-    const [certKey, certCsr] = await acme.forge.createCsr({
+    const [certKey, certCsr] = await acme.crypto.createCsr({
         commonName: 'example.com',
         altNames: ['example.com', '*.example.com']
     });

package/CHANGELOG.md DELETED Viewed

@@ -1,152 +0,0 @@
-# Changelog
-## v4.1.2 (2020-11-16)
-* `fixed` Bug when encoding PEM payloads, potentially causing malformed requests
-## v4.1.1 (2020-11-13)
-* `fixed` Missing TypeScript definitions
-## v4.1.0 (2020-11-12)
-* `added` Option `preferredChain` added to `client.getCertificate()` and `client.auto()` to indicate which certificate chain is preferred if a CA offers multiple
-    * Related: [https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516](https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516)
-* `added` Method `client.getOrder()` to refresh order from CA
-* `fixed` Upgrade `axios@0.21.0`
-* `fixed` Error when attempting to revoke a certificate chain
-* `fixed` Missing URL augmentation in `client.finalizeOrder()` and `client.deactivateAuthorization()`
-* `fixed` Add certificate issuer to response from `forge.readCertificateInfo()`
-## v4.0.2 (2020-10-09)
-* `fixed` Explicitly set default `axios` HTTP adapter - [axios/axios#1180](https://github.com/axios/axios/issues/1180)
-## v4.0.1 (2020-09-15)
-* `fixed` Upgrade `node-forge@0.10.0` - [CVE-2020-7720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720)
-## v4.0.0 (2020-05-29)
-* `fixed` Incorrect TypeScript `CertificateInfo` definitions
-* `fixed` Allow trailing whitespace character in `http-01` challenge response
-* `breaking` Remove support for Node v8
-* `breaking` Remove deprecated `openssl` crypto module
-## v3.3.1 (2020-01-07)
-* `fixed` Improvements to TypeScript definitions
-## v3.3.0 (2019-12-19)
-* `added` TypeScript definitions
-* `fixed` Allow missing ACME directory meta field - [RFC 8555 Section 7.1.1](https://tools.ietf.org/html/rfc8555#section-7.1.1)
-## v3.2.1 (2019-11-14)
-* `added` New option `skipChallengeVerification` added to `client.auto()` to bypass internal challenge verification
-## v3.2.0 (2019-08-26)
-* `added` More extensive testing using [letsencrypt/pebble](https://github.com/letsencrypt/pebble)
-* `changed` When creating a CSR, `commonName` no longer defaults to `'localhost'`
-    * This change is not considered breaking since `commonName: 'localhost'` will result in an error when ordering a certificate
-* `fixed` Retry signed API requests on `urn:ietf:params:acme:error:badNonce` - [RFC 8555 Section 6.5](https://tools.ietf.org/html/rfc8555#section-6.5)
-* `fixed` Minor bugs related to `POST-as-GET` when calling `updateAccount()`
-* `fixed` Ensure subject common name is present in SAN when creating a CSR - [CAB v1.2.3 Section 9.2.2](https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf)
-* `fixed` Send empty JSON body when responding to challenges - [RFC 8555 Section 7.5.1](https://tools.ietf.org/html/rfc8555#section-7.5.1)
-## v2.3.1 (2019-08-26)
-* `backport` Minor bugs related to `POST-as-GET` when calling `client.updateAccount()`
-* `backport` Send empty JSON body when responding to challenges
-## v3.1.0 (2019-08-21)
-* `added` UTF-8 support when generating a CSR subject using forge - [RFC 5280](https://tools.ietf.org/html/rfc5280)
-* `fixed` Implemented `POST-as-GET` for all ACME API requests - [RFC 8555 Section 6.3](https://tools.ietf.org/html/rfc8555#section-6.3)
-## v2.3.0 (2019-08-21)
-* `backport` Implemented `POST-as-GET` for all ACME API requests
-## v3.0.0 (2019-07-13)
-* `added` Expose `axios` instance to allow manipulating HTTP client defaults
-* `breaking` Remove support for Node v4 and v6
-* `breaking` Remove Babel transpilation
-## v2.2.3 (2019-01-25)
-* `added` DNS CNAME detection when verifying `dns-01` challenges
-## v2.2.2 (2019-01-07)
-* `added` Support for `tls-alpn-01` challenge key authorization
-## v2.2.1 (2019-01-04)
-* `fixed` Handle and throw errors from OpenSSL process
-## v2.2.0 (2018-11-06)
-* `added` New [node-forge](https://www.npmjs.com/package/node-forge) crypto engine, removes OpenSSL CLI dependency
-* `added` Support native `crypto.generateKeyPair()` API when generating key pairs
-## v2.1.0 (2018-10-21)
-* `added` Ability to set and get current account URL
-* `fixed` Replace HTTP client `request` with `axios`
-* `fixed` Auto-mode no longer tries to create account when account URL exists
-## v2.0.1 (2018-08-17)
-* `fixed` Key rollover in compliance with [draft-ietf-acme-13](https://tools.ietf.org/html/draft-ietf-acme-acme-13)
-## v2.0.0 (2018-04-02)
-* `breaking` ACMEv2
-* `breaking` API changes
-* `breaking` Rewrite to ES6
-* `breaking` Promises instead of callbacks
-## v1.0.0 (2017-10-20)
-* API stable
-## v0.2.1 (2017-09-27)
-* `fixed` Bug causing invalid anti-replay nonce
-## v0.2.0 (2017-09-21)
-* `breaking` OpenSSL method `readCsrDomains` and `readCertificateInfo` now return domains as an object
-* `fixed` Added and fixed some tests
-## v0.1.0 (2017-09-14)
-* `acme-client` released

package/src/util.log.js DELETED Viewed

@@ -1,8 +0,0 @@
-const log4js = require('log4js');
-log4js.configure({
-    appenders: { std: { type: 'stdout' } },
-    categories: { default: { appenders: ['std'], level: 'info' } }
-});
-const logger = log4js.getLogger('certd');
-module.exports = logger;