@certd/acme-client 1.20.2 → 1.20.6

package/src/verify.js

@@ -3,15 +3,17 @@
  */
 
 const dns = require('dns').promises;
+const https = require('https');
 const { log } = require('./logger');
 const axios = require('./axios');
 const util = require('./util');
+const { isAlpnCertificateAuthorizationValid } = require('./crypto');
 
 
 /**
  * Verify ACME HTTP challenge
  *
- * https://tools.ietf.org/html/rfc8555#section-8.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.3
  *
  * @param {object} authz Identifier authorization
  * @param {object} challenge Authorization challenge
@@ -24,8 +26,11 @@ async function verifyHttpChallenge(authz, challenge, keyAuthorization, suffix =
     const httpPort = axios.defaults.acmeSettings.httpChallengePort || 80;
     const challengeUrl = `http://${authz.identifier.value}:${httpPort}${suffix}`;
 
+    /* May redirect to HTTPS with invalid/self-signed cert - https://letsencrypt.org/docs/challenge-types/#http-01-challenge */
+    const httpsAgent = new https.Agent({ rejectUnauthorized: false });
+
     log(`Sending HTTP query to ${authz.identifier.value}, suffix: ${suffix}, port: ${httpPort}`);
-    const resp = await axios.get(challengeUrl);
+    const resp = await axios.get(challengeUrl, { httpsAgent });
     const data = (resp.data || '').replace(/\s+$/, '');
 
     log(`Query successful, HTTP status code: ${resp.status}`);
@@ -80,7 +85,7 @@ async function walkDnsChallengeRecord(recordName, resolver = dns) {
 /**
  * Verify ACME DNS challenge
  *
- * https://tools.ietf.org/html/rfc8555#section-8.4
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.4
  *
  * @param {object} authz Identifier authorization
  * @param {object} challenge Authorization challenge
@@ -117,11 +122,40 @@ async function verifyDnsChallenge(authz, challenge, keyAuthorization, prefix = '
 }
 
 
+/**
+ * Verify ACME TLS ALPN challenge
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8737
+ *
+ * @param {object} authz Identifier authorization
+ * @param {object} challenge Authorization challenge
+ * @param {string} keyAuthorization Challenge key authorization
+ * @returns {Promise<boolean>}
+ */
+
+async function verifyTlsAlpnChallenge(authz, challenge, keyAuthorization) {
+    const tlsAlpnPort = axios.defaults.acmeSettings.tlsAlpnChallengePort || 443;
+    const host = authz.identifier.value;
+    log(`Establishing TLS connection with host: ${host}:${tlsAlpnPort}`);
+
+    const certificate = await util.retrieveTlsAlpnCertificate(host, tlsAlpnPort);
+    log('Certificate received from server successfully, matching key authorization in ALPN');
+
+    if (!isAlpnCertificateAuthorizationValid(certificate, keyAuthorization)) {
+        throw new Error(`Authorization not found in certificate from ${authz.identifier.value}`);
+    }
+
+    log(`Key authorization match for ${challenge.type}/${authz.identifier.value}, ACME challenge verified`);
+    return true;
+}
+
+
 /**
  * Export API
  */
 
 module.exports = {
     'http-01': verifyHttpChallenge,
-    'dns-01': verifyDnsChallenge
+    'dns-01': verifyDnsChallenge,
+    'tls-alpn-01': verifyTlsAlpnChallenge
 };

package/types/index.d.ts

@@ -156,6 +156,8 @@ export interface CryptoInterface {
     readCsrDomains(csrPem: CsrBuffer | CsrString): CertificateDomains;
     readCertificateInfo(certPem: CertificateBuffer | CertificateString): CertificateInfo;
     createCsr(data: CsrOptions, keyPem?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CsrBuffer]>;
+    createAlpnCertificate(authz: Authorization, keyAuthorization: string, keyPem?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CertificateBuffer]>;
+    isAlpnCertificateAuthorizationValid(certPem: CertificateBuffer | CertificateString, keyAuthorization: string): boolean;
 }
 
 export const crypto: CryptoInterface;

package/types/rfc8555.d.ts

@@ -1,9 +1,9 @@
 /**
  * Account
  *
- * https://tools.ietf.org/html/rfc8555#section-7.1.2
- * https://tools.ietf.org/html/rfc8555#section-7.3
- * https://tools.ietf.org/html/rfc8555#section-7.3.2
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.2
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
  */
 
 export interface Account {
@@ -31,8 +31,8 @@ export interface AccountUpdateRequest {
 /**
  * Order
  *
- * https://tools.ietf.org/html/rfc8555#section-7.1.3
- * https://tools.ietf.org/html/rfc8555#section-7.4
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
  */
 
 export interface Order {
@@ -57,7 +57,7 @@ export interface OrderCreateRequest {
 /**
  * Authorization
  *
- * https://tools.ietf.org/html/rfc8555#section-7.1.4
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.4
  */
 
 export interface Authorization {
@@ -77,9 +77,9 @@ export interface Identifier {
 /**
  * Challenge
  *
- * https://tools.ietf.org/html/rfc8555#section-8
- * https://tools.ietf.org/html/rfc8555#section-8.3
- * https://tools.ietf.org/html/rfc8555#section-8.4
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.4
  */
 
 export interface ChallengeAbstract {
@@ -106,7 +106,7 @@ export type Challenge = HttpChallenge | DnsChallenge;
 /**
  * Certificate
  *
- * https://tools.ietf.org/html/rfc8555#section-7.6
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
  */
 
 export enum CertificateRevocationReason {

package/types/tsconfig.json

@@ -1,11 +0,0 @@
-{
-    "compilerOptions": {
-        "module": "commonjs",
-        "lib": ["es6"],
-        "strict": true,
-        "noEmit": true,
-        "esModuleInterop": true,
-        "baseUrl": ".",
-        "paths": { "acme-client": ["."] }
-    }
-}

package/types/tslint.json

@@ -1,6 +0,0 @@
-{
-    "extends": "dtslint/dtslint.json",
-    "rules": {
-        "no-consecutive-blank-lines": [true, 2]
-    }
-}