@certd/acme-client 0.2.0 → 0.3.1

package/src/client.js

@@ -4,28 +4,39 @@
  * @namespace Client
  */
 
-const crypto = require('crypto');
-const logger = require('./util.log.js');
-
-const debug = logger.info;
-const Promise = require('bluebird');
+const { createHash } = require('crypto');
+const { getPemBodyAsB64u } = require('./crypto');
+const { log } = require('./logger');
 const HttpClient = require('./http');
 const AcmeApi = require('./api');
 const verify = require('./verify');
 const util = require('./util');
 const auto = require('./auto');
-const forge = require('./crypto/forge');
+
+
+/**
+ * ACME states
+ *
+ * @private
+ */
+
+const validStates = ['ready', 'valid'];
+const pendingStates = ['pending', 'processing'];
+const invalidStates = ['invalid'];
 
 
 /**
  * Default options
+ *
+ * @private
  */
 
 const defaultOpts = {
     directoryUrl: undefined,
     accountKey: undefined,
     accountUrl: null,
-    backoffAttempts: 5,
+    externalAccountBinding: {},
+    backoffAttempts: 10,
     backoffMin: 5000,
     backoffMax: 30000
 };
@@ -39,7 +50,10 @@ const defaultOpts = {
  * @param {string} opts.directoryUrl ACME directory URL
  * @param {buffer|string} opts.accountKey PEM encoded account private key
  * @param {string} [opts.accountUrl] Account URL, default: `null`
- * @param {number} [opts.backoffAttempts] Maximum number of backoff attempts, default: `5`
+ * @param {object} [opts.externalAccountBinding]
+ * @param {string} [opts.externalAccountBinding.kid] External account binding KID
+ * @param {string} [opts.externalAccountBinding.hmacKey] External account binding HMAC key
+ * @param {number} [opts.backoffAttempts] Maximum number of backoff attempts, default: `10`
  * @param {number} [opts.backoffMin] Minimum backoff attempt delay in milliseconds, default: `5000`
  * @param {number} [opts.backoffMax] Maximum backoff attempt delay in milliseconds, default: `30000`
  *
@@ -57,11 +71,23 @@ const defaultOpts = {
  *     directoryUrl: acme.directory.letsencrypt.staging,
  *     accountKey: 'Private key goes here',
  *     accountUrl: 'Optional account URL goes here',
- *     backoffAttempts: 5,
+ *     backoffAttempts: 10,
  *     backoffMin: 5000,
  *     backoffMax: 30000
  * });
  * ```
+ *
+ * @example Create ACME client with external account binding
+ * ```js
+ * const client = new acme.Client({
+ *     directoryUrl: 'https://acme-provider.example.com/directory-url',
+ *     accountKey: 'Private key goes here',
+ *     externalAccountBinding: {
+ *         kid: 'YOUR-EAB-KID',
+ *         hmacKey: 'YOUR-EAB-HMAC-KEY'
+ *     }
+ * });
+ * ```
  */
 
 class AcmeClient {
@@ -78,7 +104,7 @@ class AcmeClient {
             max: this.opts.backoffMax
         };
 
-        this.http = new HttpClient(this.opts.directoryUrl, this.opts.accountKey);
+        this.http = new HttpClient(this.opts.directoryUrl, this.opts.accountKey, this.opts.externalAccountBinding);
         this.api = new AcmeApi(this.http, this.opts.accountUrl);
     }
 
@@ -154,17 +180,17 @@ class AcmeClient {
             this.getAccountUrl();
 
             /* Account URL exists */
-            logger.info('Account URL exists, returning updateAccount()');
+            log('Account URL exists, returning updateAccount()');
             return this.updateAccount(data);
         }
         catch (e) {
             const resp = await this.api.createAccount(data);
-            // TODO 先注释，可加快速度
+
             /* HTTP 200: Account exists */
-            // if (resp.status === 200) {
-            //     logger.info('Account already exists (HTTP 200), returning updateAccount()');
-            //     return this.updateAccount(data);
-            // }
+            if (resp.status === 200) {
+                log('Account already exists (HTTP 200), returning updateAccount()');
+                return this.updateAccount(data);
+            }
 
             return resp.data;
         }
@@ -192,7 +218,7 @@ class AcmeClient {
             this.api.getAccountUrl();
         }
         catch (e) {
-            logger.info('No account URL found, returning createAccount()');
+            log('No account URL found, returning createAccount()');
             return this.createAccount(data);
         }
 
@@ -238,16 +264,13 @@ class AcmeClient {
         const newHttpClient = new HttpClient(this.opts.directoryUrl, newAccountKey);
         const newApiClient = new AcmeApi(newHttpClient, accountUrl);
 
-        /* Get new JWK */
+        /* Get old JWK */
         data.account = accountUrl;
-        data.oldKey = await this.http.getJwk();
-
-        /* TODO: Backward-compatibility with draft-ietf-acme-12, remove this in a later release */
-        data.newKey = await newHttpClient.getJwk();
+        data.oldKey = this.http.getJwk();
 
         /* Get signed request body from new client */
         const url = await newHttpClient.getResourceUrl('keyChange');
-        const body = await newHttpClient.createSignedBody(url, data);
+        const body = newHttpClient.createSignedBody(url, data);
 
         /* Change key using old client */
         const resp = await this.api.updateAccountKey(body);
@@ -345,9 +368,7 @@ class AcmeClient {
             csr = Buffer.from(csr);
         }
 
-        const body = forge.getPemBody(csr);
-        const data = { csr: util.b64escape(body) };
-
+        const data = { csr: getPemBodyAsB64u(csr) };
         const resp = await this.api.finalizeOrder(order.finalize, data);
 
         /* Add URL to response */
@@ -376,13 +397,13 @@ class AcmeClient {
      */
 
     async getAuthorizations(order) {
-        return Promise.map((order.authorizations || []), async (url) => {
+        return Promise.all((order.authorizations || []).map(async (url) => {
             const resp = await this.api.getAuthorization(url);
 
             /* Add URL to response */
             resp.data.url = url;
             return resp.data;
-        });
+        }));
     }
 
 
@@ -436,9 +457,9 @@ class AcmeClient {
      */
 
     async getChallengeKeyAuthorization(challenge) {
-        const jwk = await this.http.getJwk();
-        const keysum = crypto.createHash('sha256').update(JSON.stringify(jwk));
-        const thumbprint = util.b64escape(keysum.digest('base64'));
+        const jwk = this.http.getJwk();
+        const keysum = createHash('sha256').update(JSON.stringify(jwk));
+        const thumbprint = keysum.digest('base64url');
         const result = `${challenge.token}.${thumbprint}`;
 
         /**
@@ -455,8 +476,8 @@ class AcmeClient {
          */
 
         if ((challenge.type === 'dns-01') || (challenge.type === 'tls-alpn-01')) {
-            const shasum = crypto.createHash('sha256').update(result);
-            return util.b64escape(shasum.digest('base64'));
+            const shasum = createHash('sha256').update(result);
+            return shasum.digest('base64url');
         }
 
         throw new Error(`Unable to produce key authorization, unknown challenge type: ${challenge.type}`);
@@ -493,7 +514,7 @@ class AcmeClient {
             await verify[challenge.type](authz, challenge, keyAuthorization);
         };
 
-        logger.info('Waiting for ACME challenge verification', this.backoffOpts);
+        log('Waiting for ACME challenge verification', this.backoffOpts);
         return util.retry(verifyFn, this.backoffOpts);
     }
 
@@ -555,23 +576,23 @@ class AcmeClient {
             const resp = await this.api.apiRequest(item.url, null, [200]);
 
             /* Verify status */
-            logger.info(`Item has status: ${resp.data.status}`);
+            log(`Item has status: ${resp.data.status}`);
 
-            if (resp.data.status === 'invalid') {
+            if (invalidStates.includes(resp.data.status)) {
                 abort();
-                throw new Error(`Operation is invalid:${util.formatResponseError(resp)}`);
+                throw new Error(util.formatResponseError(resp));
             }
-            else if (resp.data.status === 'pending') {
-                throw new Error('Operation is pending');
+            else if (pendingStates.includes(resp.data.status)) {
+                throw new Error('Operation is pending or processing');
             }
-            else if (resp.data.status === 'valid') {
+            else if (validStates.includes(resp.data.status)) {
                 return resp.data;
             }
 
             throw new Error(`Unexpected item status: ${resp.data.status}`);
         };
 
-        logger.info(`Waiting for valid status from: ${item.url}`, this.backoffOpts);
+        log(`Waiting for valid status from: ${item.url}`, this.backoffOpts);
         return util.retry(verifyFn, this.backoffOpts);
     }
 
@@ -599,7 +620,7 @@ class AcmeClient {
      */
 
     async getCertificate(order, preferredChain = null) {
-        if (order.status !== 'valid') {
+        if (!validStates.includes(order.status)) {
             order = await this.waitForValidStatus(order);
         }
 
@@ -612,7 +633,7 @@ class AcmeClient {
         /* Handle alternate certificate chains */
         if (preferredChain && resp.headers.link) {
             const alternateLinks = util.parseLinkHeader(resp.headers.link);
-            const alternates = await Promise.map(alternateLinks, async (link) => this.api.apiRequest(link, null, [200]));
+            const alternates = await Promise.all(alternateLinks.map(async (link) => this.api.apiRequest(link, null, [200])));
             const certificates = [resp].concat(alternates).map((c) => c.data);
 
             return util.findCertificateChainForIssuer(certificates, preferredChain);
@@ -648,9 +669,7 @@ class AcmeClient {
      */
 
     async revokeCertificate(cert, data = {}) {
-        const body = forge.getPemBody(cert);
-        data.certificate = util.b64escape(body);
-
+        data.certificate = getPemBodyAsB64u(cert);
         const resp = await this.api.revokeCert(data);
         return resp.data;
     }
@@ -672,7 +691,7 @@ class AcmeClient {
      *
      * @example Order a certificate using auto mode
      * ```js
-     * const [certificateKey, certificateRequest] = await acme.forge.createCsr({
+     * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
      *     commonName: 'test.example.com'
      * });
      *
@@ -691,7 +710,7 @@ class AcmeClient {
      *
      * @example Order a certificate using auto mode with preferred chain
      * ```js
-     * const [certificateKey, certificateRequest] = await acme.forge.createCsr({
+     * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
      *     commonName: 'test.example.com'
      * });
      *

package/src/crypto/forge.js

@@ -1,14 +1,17 @@
 /**
- * node-forge crypto engine
+ * Legacy node-forge crypto interface
+ *
+ * DEPRECATION WARNING: This crypto interface is deprecated and will be removed from acme-client in a future
+ * major release. Please migrate to the new `acme.crypto` interface at your earliest convenience.
  *
  * @namespace forge
  */
 
 const net = require('net');
-const Promise = require('bluebird');
+const { promisify } = require('util');
 const forge = require('node-forge');
 
-const generateKeyPair = Promise.promisify(forge.pki.rsa.generateKeyPair);
+const generateKeyPair = promisify(forge.pki.rsa.generateKeyPair);
 
 
 /**
@@ -123,7 +126,6 @@ async function createPrivateKey(size = 2048) {
 
 // convert a PKCS#8 ASN.1 PrivateKeyInfo to PEM
     var pemKey = forge.pki.privateKeyInfoToPem(privateKeyInfo);
-    console.log('privatekey ', pemKey)
     return Buffer.from(pemKey);
 }
 
@@ -152,7 +154,7 @@ exports.createPublicKey = async function (key) {
 
 
 /**
- * Parse body of PEM encoded object form buffer or string
+ * Parse body of PEM encoded object from buffer or string
  * If multiple objects are chained, the first body will be returned
  *
  * @param {buffer|string} str PEM encoded buffer or string
@@ -445,8 +447,8 @@ exports.createCsr = async function (data, key = null) {
         }]);
     }
 
-    /* Sign CSR */
-    csr.sign(privateKey);
+    /* Sign CSR using SHA-256 */
+    csr.sign(privateKey, forge.md.sha256.create());
 
     /* Done */
     const pemCsr = forge.pki.certificationRequestToPem(csr);