@certd/acme-client 1.39.12 → 1.39.13

package/{src → dist}/http.js

@@ -1,3 +1,4 @@
+// @ts-nocheck
 /**
  * ACME HTTP client
  */
@@ -6,7 +7,6 @@ const { RSA_PKCS1_PADDING } = constants;
 import axios from './axios.js';
 import { log } from './logger.js';
 import { getJwk } from './crypto/index.js';
-
 /**
  * ACME HTTP client
  *
@@ -17,16 +17,13 @@ import { getJwk } from './crypto/index.js';
  * @param {string} [opts.externalAccountBinding.kid] External account binding KID
  * @param {string} [opts.externalAccountBinding.hmacKey] External account binding HMAC key
  */
-
 class HttpClient {
-    constructor(directoryUrl, accountKey, externalAccountBinding = {}, urlMapping = {}, logger, cacheNonce= false) {
+    constructor(directoryUrl, accountKey, externalAccountBinding = {}, urlMapping = {}, logger, cacheNonce = false) {
         this.directoryUrl = directoryUrl;
         this.accountKey = accountKey;
         this.externalAccountBinding = externalAccountBinding;
-
         this.maxBadNonceRetries = 5;
         this.jwk = null;
-
         this.directoryCache = null;
         this.directoryMaxAge = 86400;
         this.directoryTimestamp = 0;
@@ -35,14 +32,13 @@ class HttpClient {
         this.nonces = [];
         this.cacheNonce = cacheNonce;
     }
-
     pushNonce(nonce) {
         if (!this.cacheNonce || !nonce) {
             return;
         }
         this.nonces.push({
             nonce,
-            expires: Date.now() + 30*1000,
+            expires: Date.now() + 30 * 1000,
         });
     }
     popNonce() {
@@ -60,7 +56,6 @@ class HttpClient {
             return item.nonce;
         }
     }
-
     /**
      * HTTP request
      *
@@ -69,7 +64,6 @@ class HttpClient {
      * @param {object} [opts] Request options
      * @returns {Promise<object>} HTTP response
      */
-
     async request(url, method, opts = {}) {
         if (this.urlMapping && this.urlMapping.enabled && this.urlMapping.mappings) {
             // eslint-disable-next-line no-restricted-syntax
@@ -85,29 +79,22 @@ class HttpClient {
         opts.url = url;
         opts.method = method;
         opts.validateStatus = null;
-
         /* Headers */
         if (typeof opts.headers === 'undefined') {
             opts.headers = {};
         }
-
         opts.headers['Content-Type'] = 'application/jose+json';
-
         /* Request */
         this.log(`HTTP request: ${method} ${url}`);
         const resp = await axios.request(opts);
-
         this.log(`RESP ${resp.status} ${method} ${url}`);
-
         const nonce = resp.headers['replay-nonce'];
         if (nonce) {
             //如果有nonce
             this.pushNonce(nonce);
         }
-
         return resp;
     }
-
     /**
      * Get ACME provider directory
      *
@@ -115,44 +102,34 @@ class HttpClient {
      *
      * @returns {Promise<object>} ACME directory contents
      */
-
     async getDirectory() {
         const now = Math.floor(Date.now() / 1000);
         const age = (now - this.directoryTimestamp);
-
         if (!this.directoryCache || (age > this.directoryMaxAge)) {
             this.log(`Refreshing ACME directory, age: ${age}`);
             const resp = await this.request(this.directoryUrl, 'get');
-
             if (resp.status >= 400) {
                 throw new Error(`Attempting to read ACME directory returned error ${resp.status}: ${this.directoryUrl}`);
             }
-
             if (!resp.data) {
                 throw new Error('Attempting to read ACME directory returned no data');
             }
-
             this.directoryCache = resp.data;
             this.directoryTimestamp = now;
         }
-
         return this.directoryCache;
     }
-
     /**
      * Get JSON Web Key
      *
      * @returns {object} JSON Web Key
      */
-
     getJwk() {
         if (!this.jwk) {
             this.jwk = getJwk(this.accountKey);
         }
-
         return this.jwk;
     }
-
     /**
      * Get nonce from directory API endpoint
      *
@@ -160,63 +137,48 @@ class HttpClient {
      *
      * @returns {Promise<string>} Nonce
      */
-
     async getNonce() {
-
         //尝试从队列中pop一个nonce
         const nonce = this.popNonce();
         if (nonce) {
             return nonce;
         }
-
         const url = await this.getResourceUrl('newNonce');
         const resp = await this.request(url, 'head');
-
         if (!resp.headers['replay-nonce']) {
             throw new Error('Failed to get nonce from ACME provider');
         }
-
         if (this.cacheNonce) {
             return this.popNonce();
         }
         return resp.headers['replay-nonce'];
-       
     }
-
     /**
      * Get URL for a directory resource
      *
      * @param {string} resource API resource name
      * @returns {Promise<string>} URL
      */
-
     async getResourceUrl(resource) {
         const dir = await this.getDirectory();
-
         if (!dir[resource]) {
             throw new Error(`Unable to locate API resource URL in ACME directory: "${resource}"，获取ACME接口地址信息失败，可能网络不稳定或该证书颁发机构服务器崩溃，目录地址：${this.directoryUrl}，请测试地址是否可以正常访问并显示json格式的URL地址列表`);
         }
-
         return dir[resource];
     }
-
     /**
      * Get directory meta field
      *
      * @param {string} field Meta field name
      * @returns {Promise<string|null>} Meta field value
      */
-
     async getMetaField(field) {
         const dir = await this.getDirectory();
-
         if (('meta' in dir) && (field in dir.meta)) {
             return dir.meta[field];
         }
-
         return null;
     }
-
     /**
      * Prepare HTTP request body for signature
      *
@@ -228,16 +190,13 @@ class HttpClient {
      * @param {string} [opts.kid] JWS KID
      * @returns {object} Signed HTTP request body
      */
-
     prepareSignedBody(alg, url, payload = null, { nonce = null, kid = null } = {}) {
         const header = { alg, url };
-
         /* Nonce */
         if (nonce) {
             this.log(`Using nonce: ${nonce}`);
             header.nonce = nonce;
         }
-
         /* KID or JWK */
         if (kid) {
             header.kid = kid;
@@ -245,14 +204,12 @@ class HttpClient {
         else {
             header.jwk = this.getJwk();
         }
-
         /* Body */
         return {
             payload: payload ? Buffer.from(JSON.stringify(payload)).toString('base64url') : '',
             protected: Buffer.from(JSON.stringify(header)).toString('base64url'),
         };
     }
-
     /**
      * Create JWS HTTP request body using HMAC
      *
@@ -264,17 +221,13 @@ class HttpClient {
      * @param {string} [opts.kid] JWS KID
      * @returns {object} Signed HMAC request body
      */
-
     createSignedHmacBody(hmacKey, url, payload = null, { nonce = null, kid = null } = {}) {
         const result = this.prepareSignedBody('HS256', url, payload, { nonce, kid });
-
         /* Signature */
         const signer = createHmac('SHA256', Buffer.from(hmacKey, 'base64')).update(`${result.protected}.${result.payload}`, 'utf8');
         result.signature = signer.digest().toString('base64url');
-
         return result;
     }
-
     /**
      * Create JWS HTTP request body using RSA or ECC
      *
@@ -287,16 +240,13 @@ class HttpClient {
      * @param {string} [opts.kid] JWS KID
      * @returns {object} JWS request body
      */
-
     createSignedBody(url, payload = null, { nonce = null, kid = null } = {}) {
         const jwk = this.getJwk();
         let headerAlg = 'RS256';
         let signerAlg = 'SHA256';
-
         /* https://datatracker.ietf.org/doc/html/rfc7518#section-3.1 */
         if (jwk.crv && (jwk.kty === 'EC')) {
             headerAlg = 'ES256';
-
             if (jwk.crv === 'P-384') {
                 headerAlg = 'ES384';
                 signerAlg = 'SHA384';
@@ -306,21 +256,17 @@ class HttpClient {
                 signerAlg = 'SHA512';
             }
         }
-
         /* Prepare body and signer */
         const result = this.prepareSignedBody(headerAlg, url, payload, { nonce, kid });
         const signer = createSign(signerAlg).update(`${result.protected}.${result.payload}`, 'utf8');
-
         /* Signature - https://stackoverflow.com/questions/39554165 */
         result.signature = signer.sign({
             key: this.accountKey,
             padding: RSA_PKCS1_PADDING,
             dsaEncoding: 'ieee-p1363',
         }, 'base64url');
-
         return result;
     }
-
     /**
      * Signed HTTP request
      *
@@ -335,40 +281,32 @@ class HttpClient {
      * @param {number} [attempts] Request attempt counter
      * @returns {Promise<object>} HTTP response
      */
-
     async signedRequest(url, payload, { kid = null, nonce = null, includeExternalAccountBinding = false } = {}, attempts = 0) {
         if (!nonce) {
             nonce = await this.getNonce();
         }
-
         /* External account binding */
         if (includeExternalAccountBinding && this.externalAccountBinding) {
             if (this.externalAccountBinding.kid && this.externalAccountBinding.hmacKey) {
                 const jwk = this.getJwk();
                 const eabKid = this.externalAccountBinding.kid;
                 const eabHmacKey = this.externalAccountBinding.hmacKey;
-
                 payload.externalAccountBinding = this.createSignedHmacBody(eabHmacKey, url, jwk, { kid: eabKid });
             }
         }
-
         /* Sign body and send request */
         const data = this.createSignedBody(url, payload, { nonce, kid });
         const resp = await this.request(url, 'post', { data });
-
         /* Retry on bad nonce - https://datatracker.ietf.org/doc/html/rfc8555#section-6.5 */
         if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
             nonce = resp.headers['replay-nonce'] || null;
             attempts += 1;
-
             this.log(`Caught invalid nonce error, retrying (${attempts}/${this.maxBadNonceRetries}) signed request to: ${url}`);
             return this.signedRequest(url, payload, { kid, nonce, includeExternalAccountBinding }, attempts);
         }
-
         /* Return response */
         return resp;
     }
 }
-
 /* Export client */
 export default HttpClient;

package/dist/index.d.ts

@@ -0,0 +1,58 @@
+/**
+ * acme-client
+ */
+export { default as Client } from './client.js';
+export type * from './types.js';
+/**
+ * Directory URLs
+ */
+export declare const directory: {
+    buypass: {
+        staging: string;
+        production: string;
+    };
+    google: {
+        staging: string;
+        production: string;
+    };
+    letsencrypt: {
+        staging: string;
+        production: string;
+    };
+    letsencrypt_staging: {
+        production: string;
+    };
+    zerossl: {
+        staging: string;
+        production: string;
+    };
+    sslcom: {
+        staging: string;
+        production: string;
+        ec: string;
+    };
+    litessl: {
+        staging: string;
+        production: string;
+    };
+};
+export declare function getDirectoryUrl(opts: any): any;
+export declare function getAllSslProviderDomains(): string[];
+export declare function getSslProviderReverseProxies(): {};
+export declare function setSslProviderReverseProxies(reverseProxies: any): void;
+/**
+ * Crypto
+ */
+export * as crypto from './crypto/index.js';
+export * as forge from './crypto/forge.js';
+/**
+ * Axios
+ */
+export * from './axios.js';
+/**
+ * Logger
+ */
+export * from './logger.js';
+export * from './verify.js';
+export * from './error.js';
+export * from './util.js';

package/dist/index.js

@@ -0,0 +1,90 @@
+// @ts-nocheck
+/**
+ * acme-client
+ */
+export { default as Client } from './client.js';
+/**
+ * Directory URLs
+ */
+export const directory = {
+    buypass: {
+        staging: 'https://api.test4.buypass.no/acme/directory',
+        production: 'https://api.buypass.com/acme/directory',
+    },
+    google: {
+        staging: 'https://dv.acme-v02.test-api.pki.goog/directory',
+        production: 'https://dv.acme-v02.api.pki.goog/directory',
+    },
+    letsencrypt: {
+        staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+        production: 'https://acme-v02.api.letsencrypt.org/directory',
+    },
+    letsencrypt_staging: {
+        production: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+    },
+    zerossl: {
+        staging: 'https://acme.zerossl.com/v2/DV90',
+        production: 'https://acme.zerossl.com/v2/DV90',
+    },
+    sslcom: {
+        staging: 'https://acme.ssl.com/sslcom-dv-rsa',
+        production: 'https://acme.ssl.com/sslcom-dv-rsa',
+        ec: 'https://acme.ssl.com/sslcom-dv-ecc',
+    },
+    litessl: {
+        staging: 'https://acme.litessl.com/acme/v2/directory',
+        production: 'https://acme.litessl.com/acme/v2/directory',
+    },
+};
+export function getDirectoryUrl(opts) {
+    const { sslProvider, pkType } = opts;
+    const list = directory[sslProvider];
+    if (!list) {
+        throw new Error(`sslProvider ${sslProvider} not found`);
+    }
+    let pkTypePrefix = pkType || 'rsa';
+    if (pkType) {
+        pkTypePrefix = pkType.toLowerCase().split("_")[0];
+    }
+    if (pkTypePrefix && list[pkTypePrefix]) {
+        return list[pkTypePrefix];
+    }
+    return list.production;
+}
+export function getAllSslProviderDomains() {
+    const list = Object.values(directory).map((item) => {
+        let url = item.production.replace('https://', '');
+        url = url.substring(0, url.indexOf('/'));
+        return url;
+    });
+    return list;
+}
+let sslProviderReverseProxies = {};
+function initSslProviderReverseProxies() {
+    for (const sslProvider of getAllSslProviderDomains()) {
+        sslProviderReverseProxies[sslProvider] = "";
+    }
+}
+initSslProviderReverseProxies();
+export function getSslProviderReverseProxies() {
+    return sslProviderReverseProxies;
+}
+export function setSslProviderReverseProxies(reverseProxies) {
+    Object.assign(sslProviderReverseProxies, reverseProxies);
+}
+/**
+ * Crypto
+ */
+export * as crypto from './crypto/index.js';
+export * as forge from './crypto/forge.js';
+/**
+ * Axios
+ */
+export * from './axios.js';
+/**
+ * Logger
+ */
+export * from './logger.js';
+export * from './verify.js';
+export * from './error.js';
+export * from './util.js';

package/dist/logger.d.ts

@@ -0,0 +1,15 @@
+/**
+ * ACME logger
+ */
+/**
+ * Set logger function
+ *
+ * @param {function} fn Logger function
+ */
+export declare const setLogger: (fn: any) => void;
+/**
+ * Log message
+ *
+ * @param {string} msg Message
+ */
+export declare const log: (...msg: any[]) => void;

package/{src → dist}/logger.js

@@ -1,29 +1,24 @@
+// @ts-nocheck
 /**
  * ACME logger
  */
-
-import debugg from 'debug'
+import debugg from 'debug';
 const debug = debugg('acme-client');
-
-let logger = () => {};
-
+let logger = () => { };
 /**
  * Set logger function
  *
  * @param {function} fn Logger function
  */
-
 export const setLogger = (fn) => {
     logger = fn;
 };
-
 /**
  * Log message
  *
  * @param {string} msg Message
  */
-
-export const  log = (...msg) => {
+export const log = (...msg) => {
     debug(...msg);
     logger(...msg);
 };

package/dist/rfc8555.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Account
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.2
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
+ */
+export interface Account {
+    status: "valid" | "deactivated" | "revoked";
+    orders: string;
+    contact?: string[];
+    termsOfServiceAgreed?: boolean;
+    externalAccountBinding?: object;
+}
+export interface AccountCreateRequest {
+    contact?: string[];
+    termsOfServiceAgreed?: boolean;
+    onlyReturnExisting?: boolean;
+    externalAccountBinding?: object;
+}
+export interface AccountUpdateRequest {
+    status?: string;
+    contact?: string[];
+    termsOfServiceAgreed?: boolean;
+}
+/**
+ * Order
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4
+ */
+export interface Order {
+    status: "pending" | "ready" | "processing" | "valid" | "invalid";
+    identifiers: Identifier[];
+    authorizations: string[];
+    finalize: string;
+    expires?: string;
+    notBefore?: string;
+    notAfter?: string;
+    error?: object;
+    certificate?: string;
+}
+export interface OrderCreateRequest {
+    identifiers: Identifier[];
+    notBefore?: string;
+    notAfter?: string;
+}
+/**
+ * Authorization
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.4
+ */
+export interface Authorization {
+    identifier: Identifier;
+    status: "pending" | "valid" | "invalid" | "deactivated" | "expired" | "revoked";
+    challenges: Challenge[];
+    expires?: string;
+    wildcard?: boolean;
+}
+export interface Identifier {
+    type: string;
+    value: string;
+}
+/**
+ * Challenge
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-8.4
+ */
+export interface ChallengeAbstract {
+    type: string;
+    url: string;
+    status: "pending" | "processing" | "valid" | "invalid";
+    validated?: string;
+    error?: object;
+}
+export interface HttpChallenge extends ChallengeAbstract {
+    type: "http-01";
+    token: string;
+}
+export interface DnsChallenge extends ChallengeAbstract {
+    type: "dns-01";
+    token: string;
+}
+export type Challenge = HttpChallenge | DnsChallenge;
+/**
+ * Certificate
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
+ */
+export declare enum CertificateRevocationReason {
+    Unspecified = 0,
+    KeyCompromise = 1,
+    CACompromise = 2,
+    AffiliationChanged = 3,
+    Superseded = 4,
+    CessationOfOperation = 5,
+    CertificateHold = 6,
+    RemoveFromCRL = 8,
+    PrivilegeWithdrawn = 9,
+    AACompromise = 10
+}
+export interface CertificateRevocationRequest {
+    reason?: CertificateRevocationReason;
+}

package/dist/rfc8555.js

@@ -0,0 +1,25 @@
+/**
+ * Account
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.2
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.2
+ */
+/**
+ * Certificate
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.6
+ */
+export var CertificateRevocationReason;
+(function (CertificateRevocationReason) {
+    CertificateRevocationReason[CertificateRevocationReason["Unspecified"] = 0] = "Unspecified";
+    CertificateRevocationReason[CertificateRevocationReason["KeyCompromise"] = 1] = "KeyCompromise";
+    CertificateRevocationReason[CertificateRevocationReason["CACompromise"] = 2] = "CACompromise";
+    CertificateRevocationReason[CertificateRevocationReason["AffiliationChanged"] = 3] = "AffiliationChanged";
+    CertificateRevocationReason[CertificateRevocationReason["Superseded"] = 4] = "Superseded";
+    CertificateRevocationReason[CertificateRevocationReason["CessationOfOperation"] = 5] = "CessationOfOperation";
+    CertificateRevocationReason[CertificateRevocationReason["CertificateHold"] = 6] = "CertificateHold";
+    CertificateRevocationReason[CertificateRevocationReason["RemoveFromCRL"] = 8] = "RemoveFromCRL";
+    CertificateRevocationReason[CertificateRevocationReason["PrivilegeWithdrawn"] = 9] = "PrivilegeWithdrawn";
+    CertificateRevocationReason[CertificateRevocationReason["AACompromise"] = 10] = "AACompromise";
+})(CertificateRevocationReason || (CertificateRevocationReason = {}));