@certd/acme-client 0.2.0 → 0.3.1

package/src/http.js

@@ -2,13 +2,10 @@
  * ACME HTTP client
  */
 
-const crypto = require('crypto');
-const logger = require('./util.log.js');
-
-const debug = logger.info;
+const { createHmac, createSign, constants: { RSA_PKCS1_PADDING } } = require('crypto');
+const { getJwk } = require('./crypto');
+const { log } = require('./logger');
 const axios = require('./axios');
-const util = require('./util');
-const forge = require('./crypto/forge');
 
 
 /**
@@ -17,12 +14,16 @@ const forge = require('./crypto/forge');
  * @class
  * @param {string} directoryUrl ACME directory URL
  * @param {buffer} accountKey PEM encoded account private key
+ * @param {object} [opts.externalAccountBinding]
+ * @param {string} [opts.externalAccountBinding.kid] External account binding KID
+ * @param {string} [opts.externalAccountBinding.hmacKey] External account binding HMAC key
  */
 
 class HttpClient {
-    constructor(directoryUrl, accountKey) {
+    constructor(directoryUrl, accountKey, externalAccountBinding = {}) {
         this.directoryUrl = directoryUrl;
         this.accountKey = accountKey;
+        this.externalAccountBinding = externalAccountBinding;
 
         this.maxBadNonceRetries = 5;
         this.directory = null;
@@ -52,10 +53,10 @@ class HttpClient {
         opts.headers['Content-Type'] = 'application/jose+json';
 
         /* Request */
-        logger.info(`HTTP request: ${method} ${url}`);
+        log(`HTTP request: ${method} ${url}`);
         const resp = await axios.request(opts);
 
-        logger.info(`RESP ${resp.status} ${method} ${url}`);
+        log(`RESP ${resp.status} ${method} ${url}`);
         return resp;
     }
 
@@ -71,6 +72,15 @@ class HttpClient {
     async getDirectory() {
         if (!this.directory) {
             const resp = await this.request(this.directoryUrl, 'get');
+
+            if (resp.status >= 400) {
+                throw new Error(`Attempting to read ACME directory returned error ${resp.status}: ${this.directoryUrl}`);
+            }
+
+            if (!resp.data) {
+                throw new Error('Attempting to read ACME directory returned no data');
+            }
+
             this.directory = resp.data;
         }
     }
@@ -79,23 +89,14 @@ class HttpClient {
     /**
      * Get JSON Web Key
      *
-     * @returns {Promise<object>} {e, kty, n}
+     * @returns {object} JSON Web Key
      */
 
-    async getJwk() {
-        if (this.jwk) {
-            return this.jwk;
+    getJwk() {
+        if (!this.jwk) {
+            this.jwk = getJwk(this.accountKey);
         }
 
-        const exponent = await forge.getPublicExponent(this.accountKey);
-        const modulus = await forge.getModulus(this.accountKey);
-
-        this.jwk = {
-            e: util.b64encode(exponent),
-            kty: 'RSA',
-            n: util.b64encode(modulus)
-        };
-
         return this.jwk;
     }
 
@@ -131,7 +132,7 @@ class HttpClient {
         await this.getDirectory();
 
         if (!this.directory[resource]) {
-            throw new Error(`Could not resolve URL for API resource: "${resource}"`);
+            throw new Error(`Unable to locate API resource URL in ACME directory: "${resource}"`);
         }
 
         return this.directory[resource];
@@ -157,24 +158,23 @@ class HttpClient {
 
 
     /**
-     * Create signed HTTP request body
+     * Prepare HTTP request body for signature
      *
+     * @param {string} alg JWS algorithm
      * @param {string} url Request URL
-     * @param {object} payload Request payload
-     * @param {string} [nonce] Request nonce
-     * @param {string} [kid] Request KID
-     * @returns {Promise<object>} Signed HTTP request body
+     * @param {object} [payload] Request payload
+     * @param {object} [opts]
+     * @param {string} [opts.nonce] JWS anti-replay nonce
+     * @param {string} [opts.kid] JWS KID
+     * @returns {object} Signed HTTP request body
      */
 
-    async createSignedBody(url, payload = null, nonce = null, kid = null) {
-        /* JWS header */
-        const header = {
-            url,
-            alg: 'RS256'
-        };
+    prepareSignedBody(alg, url, payload = null, { nonce = null, kid = null } = {}) {
+        const header = { alg, url };
 
+        /* Nonce */
         if (nonce) {
-            logger.info(`Using nonce: ${nonce}`);
+            log(`Using nonce: ${nonce}`);
             header.nonce = nonce;
         }
 
@@ -183,18 +183,82 @@ class HttpClient {
             header.kid = kid;
         }
         else {
-            header.jwk = await this.getJwk();
+            header.jwk = this.getJwk();
         }
 
-        /* Request payload */
-        const result = {
-            payload: payload ? util.b64encode(JSON.stringify(payload)) : '',
-            protected: util.b64encode(JSON.stringify(header))
+        /* Body */
+        return {
+            payload: payload ? Buffer.from(JSON.stringify(payload)).toString('base64url') : '',
+            protected: Buffer.from(JSON.stringify(header)).toString('base64url')
         };
+    }
+
+
+    /**
+     * Create JWS HTTP request body using HMAC
+     *
+     * @param {string} hmacKey HMAC key
+     * @param {string} url Request URL
+     * @param {object} [payload] Request payload
+     * @param {object} [opts]
+     * @param {string} [opts.nonce] JWS anti-replay nonce
+     * @param {string} [opts.kid] JWS KID
+     * @returns {object} Signed HMAC request body
+     */
+
+    createSignedHmacBody(hmacKey, url, payload = null, { nonce = null, kid = null } = {}) {
+        const result = this.prepareSignedBody('HS256', url, payload, { nonce, kid });
 
         /* Signature */
-        const signer = crypto.createSign('RSA-SHA256').update(`${result.protected}.${result.payload}`, 'utf8');
-        result.signature = util.b64escape(signer.sign(this.accountKey, 'base64'));
+        const signer = createHmac('SHA256', Buffer.from(hmacKey, 'base64')).update(`${result.protected}.${result.payload}`, 'utf8');
+        result.signature = signer.digest().toString('base64url');
+
+        return result;
+    }
+
+
+    /**
+     * Create JWS HTTP request body using RSA or ECC
+     *
+     * https://datatracker.ietf.org/doc/html/rfc7515
+     *
+     * @param {string} url Request URL
+     * @param {object} [payload] Request payload
+     * @param {object} [opts]
+     * @param {string} [opts.nonce] JWS nonce
+     * @param {string} [opts.kid] JWS KID
+     * @returns {object} JWS request body
+     */
+
+    createSignedBody(url, payload = null, { nonce = null, kid = null } = {}) {
+        const jwk = this.getJwk();
+        let headerAlg = 'RS256';
+        let signerAlg = 'SHA256';
+
+        /* https://datatracker.ietf.org/doc/html/rfc7518#section-3.1 */
+        if (jwk.crv && (jwk.kty === 'EC')) {
+            headerAlg = 'ES256';
+
+            if (jwk.crv === 'P-384') {
+                headerAlg = 'ES384';
+                signerAlg = 'SHA384';
+            }
+            else if (jwk.crv === 'P-521') {
+                headerAlg = 'ES512';
+                signerAlg = 'SHA512';
+            }
+        }
+
+        /* Prepare body and signer */
+        const result = this.prepareSignedBody(headerAlg, url, payload, { nonce, kid });
+        const signer = createSign(signerAlg).update(`${result.protected}.${result.payload}`, 'utf8');
+
+        /* Signature - https://stackoverflow.com/questions/39554165 */
+        result.signature = signer.sign({
+            key: this.accountKey,
+            padding: RSA_PKCS1_PADDING,
+            dsaEncoding: 'ieee-p1363'
+        }, 'base64url');
 
         return result;
     }
@@ -207,28 +271,41 @@ class HttpClient {
      *
      * @param {string} url Request URL
      * @param {object} payload Request payload
-     * @param {string} [kid] Request KID
-     * @param {string} [nonce] Request anti-replay nonce
+     * @param {object} [opts]
+     * @param {string} [opts.kid] JWS KID
+     * @param {string} [opts.nonce] JWS anti-replay nonce
+     * @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request
      * @param {number} [attempts] Request attempt counter
      * @returns {Promise<object>} HTTP response
      */
 
-    async signedRequest(url, payload, kid = null, nonce = null, attempts = 0) {
+    async signedRequest(url, payload, { kid = null, nonce = null, includeExternalAccountBinding = false } = {}, attempts = 0) {
         if (!nonce) {
             nonce = await this.getNonce();
         }
 
+        /* External account binding */
+        if (includeExternalAccountBinding && this.externalAccountBinding) {
+            if (this.externalAccountBinding.kid && this.externalAccountBinding.hmacKey) {
+                const jwk = this.getJwk();
+                const eabKid = this.externalAccountBinding.kid;
+                const eabHmacKey = this.externalAccountBinding.hmacKey;
+
+                payload.externalAccountBinding = this.createSignedHmacBody(eabHmacKey, url, jwk, { kid: eabKid });
+            }
+        }
+
         /* Sign body and send request */
-        const data = await this.createSignedBody(url, payload, nonce, kid);
+        const data = this.createSignedBody(url, payload, { nonce, kid });
         const resp = await this.request(url, 'post', { data });
 
         /* Retry on bad nonce - https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-6.4 */
         if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
-            const newNonce = resp.headers['replay-nonce'] || null;
+            nonce = resp.headers['replay-nonce'] || null;
             attempts += 1;
 
-            logger.info(`Caught invalid nonce error, retrying (${attempts}/${this.maxBadNonceRetries}) signed request to: ${url}`);
-            return this.signedRequest(url, payload, kid, newNonce, attempts);
+            log(`Caught invalid nonce error, retrying (${attempts}/${this.maxBadNonceRetries}) signed request to: ${url}`);
+            return this.signedRequest(url, payload, { kid, nonce, includeExternalAccountBinding }, attempts);
         }
 
         /* Return response */

package/src/index.js

@@ -10,9 +10,16 @@ exports.Client = require('./client');
  */
 
 exports.directory = {
+    buypass: {
+        staging: 'https://api.test4.buypass.no/acme/directory',
+        production: 'https://api.buypass.com/acme/directory'
+    },
     letsencrypt: {
         staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
         production: 'https://acme-v02.api.letsencrypt.org/directory'
+    },
+    zerossl: {
+        production: 'https://acme.zerossl.com/v2/DV90'
     }
 };
 
@@ -21,6 +28,7 @@ exports.directory = {
  * Crypto
  */
 
+exports.crypto = require('./crypto');
 exports.forge = require('./crypto/forge');
 
 
@@ -29,3 +37,10 @@ exports.forge = require('./crypto/forge');
  */
 
 exports.axios = require('./axios');
+
+
+/**
+ * Logger
+ */
+
+exports.setLogger = require('./logger').setLogger;

package/src/logger.js

@@ -0,0 +1,30 @@
+/**
+ * ACME logger
+ */
+
+const debug = require('debug')('acme-client');
+
+let logger = () => {};
+
+
+/**
+ * Set logger function
+ *
+ * @param {function} fn Logger function
+ */
+
+exports.setLogger = (fn) => {
+    logger = fn;
+};
+
+
+/**
+ * Log message
+ *
+ * @param {string} Message
+ */
+
+exports.log = (msg) => {
+    debug(msg);
+    logger(msg);
+};

package/src/util.js

@@ -2,12 +2,42 @@
  * Utility methods
  */
 
-const Promise = require('bluebird');
-const Backoff = require('backo2');
-const logger = require('./util.log.js');
+const dns = require('dns').promises;
+const { readCertificateInfo, splitPemChain } = require('./crypto');
+const { log } = require('./logger');
 
-const debug = logger.info;
-const forge = require('./crypto/forge');
+
+/**
+ * Exponential backoff
+ *
+ * https://github.com/mokesmokes/backo
+ *
+ * @class
+ * @param {object} [opts]
+ * @param {number} [opts.min] Minimum backoff duration in ms
+ * @param {number} [opts.max] Maximum backoff duration in ms
+ */
+
+class Backoff {
+    constructor({ min = 100, max = 10000 } = {}) {
+        this.min = min;
+        this.max = max;
+        this.attempts = 0;
+    }
+
+
+    /**
+     * Get backoff duration
+     *
+     * @returns {number} Backoff duration in ms
+     */
+
+    duration() {
+        const ms = this.min * (2 ** this.attempts);
+        this.attempts += 1;
+        return Math.min(ms, this.max);
+    }
+}
 
 
 /**
@@ -28,14 +58,13 @@ async function retryPromise(fn, attempts, backoff) {
     }
     catch (e) {
         if (aborted || ((backoff.attempts + 1) >= attempts)) {
-            logger.error(e);
             throw e;
         }
 
         const duration = backoff.duration();
-        logger.info(`Promise rejected attempt #${backoff.attempts}, retrying in ${duration}ms: ${e.message}`);
+        log(`Promise rejected attempt #${backoff.attempts}, retrying in ${duration}ms: ${e.message}`);
 
-        await Promise.delay(duration);
+        await new Promise((resolve) => { setTimeout(resolve, duration); });
         return retryPromise(fn, attempts, backoff);
     }
 }
@@ -58,33 +87,6 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
 }
 
 
-/**
- * Escape base64 encoded string
- *
- * @param {string} str Base64 encoded string
- * @returns {string} Escaped string
- */
-
-function b64escape(str) {
-    return str.replace(/\+/g, '-')
-        .replace(/\//g, '_')
-        .replace(/=/g, '');
-}
-
-
-/**
- * Base64 encode and escape buffer or string
- *
- * @param {buffer|string} str Buffer or string to be encoded
- * @returns {string} Escaped base64 encoded string
- */
-
-function b64encode(str) {
-    const buf = Buffer.isBuffer(str) ? str : Buffer.from(str);
-    return b64escape(buf.toString('base64'));
-}
-
-
 /**
  * Parse URLs from link header
  *
@@ -106,38 +108,52 @@ function parseLinkHeader(header, rel = 'alternate') {
 
 
 /**
- * Find certificate chain with preferred issuer
- * If issuer can not be located, the first certificate will be returned
+ * Find certificate chain with preferred issuer common name
+ *  - If issuer is found in multiple chains, the closest to root wins
+ *  - If issuer can not be located, the first chain will be returned
  *
  * @param {array} certificates Array of PEM encoded certificate chains
  * @param {string} issuer Preferred certificate issuer
- * @returns {Promise<string>} PEM encoded certificate chain
+ * @returns {string} PEM encoded certificate chain
  */
 
-async function findCertificateChainForIssuer(chains, issuer) {
-    try {
-        return await Promise.any(chains.map(async (chain) => {
-            /* Look up all issuers */
-            const certs = forge.splitPemChain(chain);
-            const infoCollection = await Promise.map(certs, forge.readCertificateInfo);
-            const issuerCollection = infoCollection.map((i) => i.issuer.commonName);
-
-            /* Found match, return it */
-            if (issuerCollection.includes(issuer)) {
-                logger.info(`Found matching certificate for preferred issuer="${issuer}", issuers=${JSON.stringify(issuerCollection)}`);
-                return chain;
+function findCertificateChainForIssuer(chains, issuer) {
+    log(`Attempting to find match for issuer="${issuer}" in ${chains.length} certificate chains`);
+    let bestMatch = null;
+    let bestDistance = null;
+
+    chains.forEach((chain) => {
+        /* Look up all issuers */
+        const certs = splitPemChain(chain);
+        const infoCollection = certs.map((c) => readCertificateInfo(c));
+        const issuerCollection = infoCollection.map((i) => i.issuer.commonName);
+
+        /* Found issuer match, get distance from root - lower is better */
+        if (issuerCollection.includes(issuer)) {
+            const distance = (issuerCollection.length - issuerCollection.indexOf(issuer));
+            log(`Found matching chain for preferred issuer="${issuer}" distance=${distance} issuers=${JSON.stringify(issuerCollection)}`);
+
+            /* Chain wins, use it */
+            if (!bestDistance || (distance < bestDistance)) {
+                log(`Issuer is closer to root than previous match, using it (${distance} < ${bestDistance || 'undefined'})`);
+                bestMatch = chain;
+                bestDistance = distance;
             }
+        }
+        else {
+            /* No match */
+            log(`Unable to match certificate for preferred issuer="${issuer}", issuers=${JSON.stringify(issuerCollection)}`);
+        }
+    });
 
-            /* No match, throw error */
-            logger.info(`Unable to match certificate for preferred issuer="${issuer}", issuers=${JSON.stringify(issuerCollection)}`);
-            throw new Error('Certificate issuer mismatch');
-        }));
-    }
-    catch (e) {
-        /* No certificates matched, return default */
-        logger.info(`Found no match in ${chains.length} certificate chains for preferred issuer="${issuer}", returning default certificate chain`);
-        return chains[0];
+    /* Return found match */
+    if (bestMatch) {
+        return bestMatch;
     }
+
+    /* No chains matched, return default */
+    log(`Found no match in ${chains.length} certificate chains for preferred issuer="${issuer}", returning default certificate chain`);
+    return chains[0];
 }
 
 
@@ -162,12 +178,81 @@ function formatResponseError(resp) {
 }
 
 
-/* Export utils */
+/**
+ * Resolve root domain name by looking for SOA record
+ *
+ * @param {string} recordName DNS record name
+ * @returns {Promise<string>} Root domain name
+ */
+
+async function resolveDomainBySoaRecord(recordName) {
+    try {
+        await dns.resolveSoa(recordName);
+        log(`Found SOA record, considering domain to be: ${recordName}`);
+        return recordName;
+    }
+    catch (e) {
+        log(`Unable to locate SOA record for name: ${recordName}`);
+        const parentRecordName = recordName.split('.').slice(1).join('.');
+
+        if (!parentRecordName.includes('.')) {
+            throw new Error('Unable to resolve domain by SOA record');
+        }
+
+        return resolveDomainBySoaRecord(parentRecordName);
+    }
+}
+
+
+/**
+ * Get DNS resolver using domains authoritative NS records
+ *
+ * @param {string} recordName DNS record name
+ * @returns {Promise<dns.Resolver>} DNS resolver
+ */
+
+async function getAuthoritativeDnsResolver(recordName) {
+    log(`Locating authoritative NS records for name: ${recordName}`);
+    const resolver = new dns.Resolver();
+
+    try {
+        /* Resolve root domain by SOA */
+        const domain = await resolveDomainBySoaRecord(recordName);
+
+        /* Resolve authoritative NS addresses */
+        log(`Looking up authoritative NS records for domain: ${domain}`);
+        const nsRecords = await dns.resolveNs(domain);
+        const nsAddrArray = await Promise.all(nsRecords.map(async (r) => dns.resolve4(r)));
+        const nsAddresses = [].concat(...nsAddrArray).filter((a) => a);
+
+        if (!nsAddresses.length) {
+            throw new Error(`Unable to locate any valid authoritative NS addresses for domain: ${domain}`);
+        }
+
+        /* Authoritative NS success */
+        log(`Found ${nsAddresses.length} authoritative NS addresses for domain: ${domain}`);
+        resolver.setServers(nsAddresses);
+    }
+    catch (e) {
+        log(`Authoritative NS lookup error: ${e.message}`);
+    }
+
+    /* Return resolver */
+    const addresses = resolver.getServers();
+    log(`DNS resolver addresses: ${addresses.join(', ')}`);
+
+    return resolver;
+}
+
+
+/**
+ * Export utils
+ */
+
 module.exports = {
     retry,
-    b64escape,
-    b64encode,
     parseLinkHeader,
     findCertificateChainForIssuer,
-    formatResponseError
+    formatResponseError,
+    getAuthoritativeDnsResolver
 };