npm - @certd/acme-client - Versions diffs - 1.20.14 → 1.20.16 - Mend

@certd/acme-client 1.20.14 → 1.20.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/src/crypto/index.js CHANGED Viewed

@@ -22,7 +22,6 @@ const subjectAltNameOID = '2.5.29.17';
 /* id-pe-acmeIdentifier - https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
 const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
 /**
  * Determine key type and info by attempting to derive public key
  *
@@ -35,7 +34,7 @@ function getKeyInfo(keyPem) {
     const result = {
         isRSA: false,
         isECDSA: false,
-        publicKey: crypto.createPublicKey(keyPem)
+        publicKey: crypto.createPublicKey(keyPem),
     };
     if (result.publicKey.asymmetricKeyType === 'rsa') {
@@ -51,7 +50,6 @@ function getKeyInfo(keyPem) {
     return result;
 }
 /**
  * Generate a private RSA key
  *
@@ -74,8 +72,8 @@ async function createPrivateRsaKey(modulusLength = 2048) {
         modulusLength,
         privateKeyEncoding: {
             type: 'pkcs8',
-            format: 'pem'
-        }
+            format: 'pem',
+        },
     });
     return Buffer.from(pair.privateKey);
@@ -83,7 +81,6 @@ async function createPrivateRsaKey(modulusLength = 2048) {
 exports.createPrivateRsaKey = createPrivateRsaKey;
 /**
  * Alias of `createPrivateRsaKey()`
  *
@@ -92,7 +89,6 @@ exports.createPrivateRsaKey = createPrivateRsaKey;
 exports.createPrivateKey = createPrivateRsaKey;
 /**
  * Generate a private ECDSA key
  *
@@ -115,14 +111,13 @@ exports.createPrivateEcdsaKey = async (namedCurve = 'P-256') => {
         namedCurve,
         privateKeyEncoding: {
             type: 'pkcs8',
-            format: 'pem'
-        }
+            format: 'pem',
+        },
     });
     return Buffer.from(pair.privateKey);
 };
 /**
  * Get a public key derived from a RSA or ECDSA key
  *
@@ -140,13 +135,12 @@ exports.getPublicKey = (keyPem) => {
     const publicKey = info.publicKey.export({
         type: info.isECDSA ? 'spki' : 'pkcs1',
-        format: 'pem'
+        format: 'pem',
     });
     return Buffer.from(publicKey);
 };
 /**
  * Get a JSON Web Key derived from a RSA or ECDSA key
  *
@@ -163,7 +157,7 @@ exports.getPublicKey = (keyPem) => {
 function getJwk(keyPem) {
     const jwk = crypto.createPublicKey(keyPem).export({
-        format: 'jwk'
+        format: 'jwk',
     });
     /* Sort keys */
@@ -175,7 +169,6 @@ function getJwk(keyPem) {
 exports.getJwk = getJwk;
 /**
  * Produce CryptoKeyPair and signing algorithm from a PEM encoded private key
  *
@@ -191,7 +184,7 @@ async function getWebCryptoKeyPair(keyPem) {
     /* Signing algorithm */
     const sigalg = {
         name: 'RSASSA-PKCS1-v1_5',
-        hash: { name: 'SHA-256' }
+        hash: { name: 'SHA-256' },
     };
     if (info.isECDSA) {
@@ -215,7 +208,6 @@ async function getWebCryptoKeyPair(keyPem) {
     return [{ privateKey, publicKey }, sigalg];
 }
 /**
  * Split chain of PEM encoded objects from string into array
  *
@@ -235,7 +227,6 @@ function splitPemChain(chainPem) {
 exports.splitPemChain = splitPemChain;
 /**
  * Parse body of PEM encoded object and return a Base64URL string
  * If multiple objects are chained, the first body will be returned
@@ -256,7 +247,6 @@ exports.getPemBodyAsB64u = (pem) => {
     return Buffer.from(dec).toString('base64url');
 };
 /**
  * Parse domains from a certificate or CSR
  *
@@ -277,11 +267,10 @@ function parseDomains(input) {
     return {
         commonName,
-        altNames
+        altNames,
     };
 }
 /**
  * Read domains from a Certificate Signing Request
  *
@@ -307,7 +296,6 @@ exports.readCsrDomains = (csrPem) => {
     return parseDomains(csr);
 };
 /**
  * Read information from a certificate
  * If multiple certificates are chained, the first will be read
@@ -338,15 +326,14 @@ exports.readCertificateInfo = (certPem) => {
     return {
         issuer: {
-            commonName: cert.issuerName.getField('CN').pop() || null
+            commonName: cert.issuerName.getField('CN').pop() || null,
         },
         domains: parseDomains(cert),
         notBefore: cert.notBefore,
-        notAfter: cert.notAfter
+        notAfter: cert.notAfter,
     };
 };
 /**
  * Determine ASN.1 character string type for CSR subject field name
  *
@@ -369,7 +356,6 @@ function getCsrAsn1CharStringType(field) {
     }
 }
 /**
  * Create array of subject fields for a Certificate Signing Request
  *
@@ -391,7 +377,6 @@ function createCsrSubject(input) {
     }, []);
 }
 /**
  * Create x509 subject alternate name extension
  *
@@ -409,7 +394,6 @@ function createSubjectAltNameExtension(altNames) {
     }));
 }
 /**
  * Create a Certificate Signing Request
  *
@@ -429,29 +413,30 @@ function createSubjectAltNameExtension(altNames) {
  * @example Create a Certificate Signing Request
  * ```js
  * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
- *     commonName: 'test.example.com'
+ *     altNames: ['test.example.com'],
  * });
  * ```
  *
  * @example Certificate Signing Request with both common and alternative names
+ * > *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
  * ```js
  * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
  *     keySize: 4096,
  *     commonName: 'test.example.com',
- *     altNames: ['foo.example.com', 'bar.example.com']
+ *     altNames: ['foo.example.com', 'bar.example.com'],
  * });
  * ```
  *
  * @example Certificate Signing Request with additional information
  * ```js
  * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
- *     commonName: 'test.example.com',
+ *     altNames: ['test.example.com'],
  *     country: 'US',
  *     state: 'California',
  *     locality: 'Los Angeles',
  *     organization: 'The Company Inc.',
  *     organizationUnit: 'IT Department',
- *     emailAddress: 'contact@example.com'
+ *     emailAddress: 'contact@example.com',
  * });
  * ```
  *
@@ -460,8 +445,9 @@ function createSubjectAltNameExtension(altNames) {
  * const certificateKey = await acme.crypto.createPrivateEcdsaKey();
  *
  * const [, certificateRequest] = await acme.crypto.createCsr({
- *     commonName: 'test.example.com'
+ *     altNames: ['test.example.com'],
  * }, certificateKey);
+ * ```
  */
 exports.createCsr = async (data, keyPem = null) => {
@@ -489,7 +475,7 @@ exports.createCsr = async (data, keyPem = null) => {
         new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment), // eslint-disable-line no-bitwise
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
-        createSubjectAltNameExtension(data.altNames)
+        createSubjectAltNameExtension(data.altNames),
     ];
     /* Create CSR */
@@ -504,8 +490,8 @@ exports.createCsr = async (data, keyPem = null) => {
             L: data.locality,
             O: data.organization,
             OU: data.organizationUnit,
-            E: data.emailAddress
-        })
+            E: data.emailAddress,
+        }),
     });
     /* Done */
@@ -513,7 +499,6 @@ exports.createCsr = async (data, keyPem = null) => {
     return [keyPem, Buffer.from(pem)];
 };
 /**
  * Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
  *
@@ -533,6 +518,7 @@ exports.createCsr = async (data, keyPem = null) => {
  * ```js
  * const alpnKey = await acme.crypto.createPrivateEcdsaKey();
  * const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
+ * ```
  */
 exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) => {
@@ -564,7 +550,7 @@ exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) =
         await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
-        createSubjectAltNameExtension([commonName])
+        createSubjectAltNameExtension([commonName]),
     ];
     /* ALPN extension */
@@ -581,8 +567,8 @@ exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) =
         notBefore: now,
         notAfter: now,
         name: createCsrSubject({
-            CN: commonName
-        })
+            CN: commonName,
+        }),
     });
     /* Done */
@@ -590,7 +576,6 @@ exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) =
     return [keyPem, Buffer.from(pem)];
 };
 /**
  * Validate that a ALPN certificate contains the expected key authorization
  *

package/src/http.js CHANGED Viewed

@@ -40,7 +40,6 @@ class HttpClient {
         this.jwk = null;
     }
     /**
      * HTTP request
      *
@@ -70,7 +69,6 @@ class HttpClient {
         return resp;
     }
     /**
      * Ensure provider directory exists
      *
@@ -95,7 +93,6 @@ class HttpClient {
         }
     }
     /**
      * Get JSON Web Key
      *
@@ -110,7 +107,6 @@ class HttpClient {
         return this.jwk;
     }
     /**
      * Get nonce from directory API endpoint
      *
@@ -130,7 +126,6 @@ class HttpClient {
         return resp.headers['replay-nonce'];
     }
     /**
      * Get URL for a directory resource
      *
@@ -148,7 +143,6 @@ class HttpClient {
         return this.directory[resource];
     }
     /**
      * Get directory meta field
      *
@@ -166,7 +160,6 @@ class HttpClient {
         return null;
     }
     /**
      * Prepare HTTP request body for signature
      *
@@ -199,11 +192,10 @@ class HttpClient {
         /* Body */
         return {
             payload: payload ? Buffer.from(JSON.stringify(payload)).toString('base64url') : '',
-            protected: Buffer.from(JSON.stringify(header)).toString('base64url')
+            protected: Buffer.from(JSON.stringify(header)).toString('base64url'),
         };
     }
     /**
      * Create JWS HTTP request body using HMAC
      *
@@ -226,7 +218,6 @@ class HttpClient {
         return result;
     }
     /**
      * Create JWS HTTP request body using RSA or ECC
      *
@@ -267,13 +258,12 @@ class HttpClient {
         result.signature = signer.sign({
             key: this.accountKey,
             padding: RSA_PKCS1_PADDING,
-            dsaEncoding: 'ieee-p1363'
+            dsaEncoding: 'ieee-p1363',
         }, 'base64url');
         return result;
     }
     /**
      * Signed HTTP request
      *
@@ -309,7 +299,7 @@ class HttpClient {
         const data = this.createSignedBody(url, payload, { nonce, kid });
         const resp = await this.request(url, 'post', { data });
-        /* Retry on bad nonce - https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-10#section-6.4 */
+        /* Retry on bad nonce - https://datatracker.ietf.org/doc/html/rfc8555#section-6.5 */
         if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
             nonce = resp.headers['replay-nonce'] || null;
             attempts += 1;
@@ -323,6 +313,5 @@ class HttpClient {
     }
 }
 /* Export client */
 module.exports = HttpClient;

package/src/index.js CHANGED Viewed

@@ -4,7 +4,6 @@
 exports.Client = require('./client');
 /**
  * Directory URLs
  */
@@ -12,18 +11,17 @@ exports.Client = require('./client');
 exports.directory = {
     buypass: {
         staging: 'https://api.test4.buypass.no/acme/directory',
-        production: 'https://api.buypass.com/acme/directory'
+        production: 'https://api.buypass.com/acme/directory',
     },
     letsencrypt: {
         staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
-        production: 'https://acme-v02.api.letsencrypt.org/directory'
+        production: 'https://acme-v02.api.letsencrypt.org/directory',
     },
     zerossl: {
-        production: 'https://acme.zerossl.com/v2/DV90'
-    }
+        production: 'https://acme.zerossl.com/v2/DV90',
+    },
 };
 /**
  * Crypto
  */
@@ -31,14 +29,12 @@ exports.directory = {
 exports.crypto = require('./crypto');
 exports.forge = require('./crypto/forge');
 /**
  * Axios
  */
 exports.axios = require('./axios');
 /**
  * Logger
  */

package/src/logger.js CHANGED Viewed

@@ -6,7 +6,6 @@ const debug = require('debug')('acme-client');
 let logger = () => {};
 /**
  * Set logger function
  *
@@ -17,11 +16,10 @@ exports.setLogger = (fn) => {
     logger = fn;
 };
 /**
  * Log message
  *
- * @param {string} Message
+ * @param {string} msg Message
  */
 exports.log = (msg) => {

package/src/util.js CHANGED Viewed

@@ -7,7 +7,6 @@ const dns = require('dns').promises;
 const { readCertificateInfo, splitPemChain } = require('./crypto');
 const { log } = require('./logger');
 /**
  * Exponential backoff
  *
@@ -26,7 +25,6 @@ class Backoff {
         this.attempts = 0;
     }
     /**
      * Get backoff duration
      *
@@ -40,7 +38,6 @@ class Backoff {
     }
 }
 /**
  * Retry promise
  *
@@ -70,7 +67,6 @@ async function retryPromise(fn, attempts, backoff) {
     }
 }
 /**
  * Retry promise
  *
@@ -87,7 +83,6 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
     return retryPromise(fn, attempts, backoff);
 }
 /**
  * Parse URLs from link header
  *
@@ -107,7 +102,6 @@ function parseLinkHeader(header, rel = 'alternate') {
     return results.filter((r) => r);
 }
 /**
  * Find certificate chain with preferred issuer common name
  *  - If issuer is found in multiple chains, the closest to root wins
@@ -157,7 +151,6 @@ function findCertificateChainForIssuer(chains, issuer) {
     return chains[0];
 }
 /**
  * Find and format error in response object
  *
@@ -178,7 +171,6 @@ function formatResponseError(resp) {
     return result.replace(/\n/g, '');
 }
 /**
  * Resolve root domain name by looking for SOA record
  *
@@ -204,7 +196,6 @@ async function resolveDomainBySoaRecord(recordName) {
     }
 }
 /**
  * Get DNS resolver using domains authoritative NS records
  *
@@ -245,7 +236,6 @@ async function getAuthoritativeDnsResolver(recordName) {
     return resolver;
 }
 /**
  * Attempt to retrieve TLS ALPN certificate from peer
  *
@@ -267,7 +257,7 @@ async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
             port,
             servername: host,
             rejectUnauthorized: false,
-            ALPNProtocols: ['acme-tls/1']
+            ALPNProtocols: ['acme-tls/1'],
         });
         socket.setTimeout(timeout);
@@ -299,7 +289,6 @@ async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
     });
 }
 /**
  * Export utils
  */
@@ -310,5 +299,5 @@ module.exports = {
     findCertificateChainForIssuer,
     formatResponseError,
     getAuthoritativeDnsResolver,
-    retrieveTlsAlpnCertificate
+    retrieveTlsAlpnCertificate,
 };

package/src/verify.js CHANGED Viewed

@@ -9,7 +9,6 @@ const axios = require('./axios');
 const util = require('./util');
 const { isAlpnCertificateAuthorizationValid } = require('./crypto');
 /**
  * Verify ACME HTTP challenge
  *
@@ -43,7 +42,6 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
     return true;
 }
 /**
  * Walk DNS until TXT records are found
  */
@@ -81,7 +79,6 @@ async function walkDnsChallengeRecord(recordName, resolver = dns) {
     throw new Error(`No TXT records found for name: ${recordName}`);
 }
 /**
  * Verify ACME DNS challenge
  *
@@ -121,7 +118,6 @@ async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '
     return true;
 }
 /**
  * Verify ACME TLS ALPN challenge
  *
@@ -149,7 +145,6 @@ async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
     return true;
 }
 /**
  * Export API
  */
@@ -157,5 +152,5 @@ async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
 module.exports = {
     'http-01': verifyHttpChallenge,
     'dns-01': verifyDnsChallenge,
-    'tls-alpn-01': verifyTlsAlpnChallenge
+    'tls-alpn-01': verifyTlsAlpnChallenge,
 };

package/src/wait.js ADDED Viewed

@@ -0,0 +1,9 @@
+async function wait(ms) {
+    return new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
+module.exports = {
+    wait
+};

package/types/index.d.ts CHANGED Viewed

@@ -15,7 +15,6 @@ export type PublicKeyString = string;
 export type CertificateString = string;
 export type CsrString = string;
 /**
  * Augmented ACME interfaces
  */
@@ -28,7 +27,6 @@ export interface Authorization extends rfc8555.Authorization {
     url: string;
 }
 /**
  * Client
  */
@@ -80,7 +78,6 @@ export class Client {
     auto(opts: ClientAutoOptions): Promise<string>;
 }
 /**
  * Directory URLs
  */
@@ -99,7 +96,6 @@ export const directory: {
     }
 };
 /**
  * Crypto
  */
@@ -177,14 +173,12 @@ export interface CryptoLegacyInterface {
 export const forge: CryptoLegacyInterface;
 /**
  * Axios
  */
 export const axios: AxiosInstance;
 /**
  * Logger
  */

package/types/index.test-d.ts CHANGED Viewed

@@ -4,7 +4,6 @@
 import * as acme from 'acme-client';
 (async () => {
     /* Client */
     const accountKey = await acme.crypto.createPrivateKey();

package/types/rfc8555.d.ts CHANGED Viewed

@@ -27,7 +27,6 @@ export interface AccountUpdateRequest {
     termsOfServiceAgreed?: boolean;
 }
 /**
  * Order
  *
@@ -53,7 +52,6 @@ export interface OrderCreateRequest {
     notAfter?: string;
 }
 /**
  * Authorization
  *
@@ -73,7 +71,6 @@ export interface Identifier {
     value: string;
 }
 /**
  * Challenge
  *
@@ -102,7 +99,6 @@ export interface DnsChallenge extends ChallengeAbstract {
 export type Challenge = HttpChallenge | DnsChallenge;
 /**
  * Certificate
  *