npm - @certd/acme-client - Versions diffs - 1.39.12 → 1.39.13 - Mend

@certd/acme-client 1.39.12 → 1.39.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/dist/api.d.ts +151 -0
package/{src → dist}/api.js +2 -38
package/dist/auto.d.ts +9 -0
package/{src → dist}/auto.js +45 -79
package/dist/axios.d.ts +8 -0
package/{src → dist}/axios.js +3 -31
package/dist/client.d.ts +396 -0
package/{src → dist}/client.js +16 -108
package/dist/crypto/forge.d.ts +174 -0
package/{src → dist}/crypto/forge.js +7 -63
package/dist/crypto/index.d.ts +215 -0
package/{src → dist}/crypto/index.js +2 -87
package/dist/error.d.ts +3 -0
package/{src → dist}/error.js +1 -3
package/dist/http.d.ts +135 -0
package/{src → dist}/http.js +3 -65
package/dist/index.d.ts +58 -0
package/dist/index.js +90 -0
package/dist/logger.d.ts +15 -0
package/{src → dist}/logger.js +4 -9
package/dist/rfc8555.d.ts +106 -0
package/dist/rfc8555.js +25 -0
package/dist/types.d.ts +117 -0
package/dist/types.js +1 -0
package/dist/util.d.ts +85 -0
package/{src → dist}/util.js +11 -78
package/dist/verify.d.ts +14 -0
package/{src → dist}/verify.js +46 -78
package/dist/wait.d.ts +1 -0
package/{src → dist}/wait.js +1 -0
package/package.json +18 -12
package/types/index.d.ts +14 -5
package/types/index.test-d.ts +10 -3
package/src/index.js +0 -106
package/src/logs/app.log +0 -0

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,117 @@
+import type * as rfc8555 from "./rfc8555.js";
+import type { Challenge } from "./rfc8555.js";
+export type * from "./rfc8555.js";
+export type PrivateKeyBuffer = Buffer;
+export type PublicKeyBuffer = Buffer;
+export type CertificateBuffer = Buffer;
+export type CsrBuffer = Buffer;
+export type PrivateKeyString = string;
+export type PublicKeyString = string;
+export type CertificateString = string;
+export type CsrString = string;
+export interface Order extends rfc8555.Order {
+    url: string;
+}
+export interface Authorization extends rfc8555.Authorization {
+    url: string;
+}
+export type UrlMapping = {
+    enabled: boolean;
+    mappings: Record<string, string>;
+};
+export interface ClientExternalAccountBindingOptions {
+    kid: string;
+    hmacKey: string;
+}
+export interface ClientOptions {
+    sslProvider: string;
+    directoryUrl: string;
+    accountKey: PrivateKeyBuffer | PrivateKeyString;
+    accountUrl?: string;
+    externalAccountBinding?: ClientExternalAccountBindingOptions;
+    backoffAttempts?: number;
+    backoffMin?: number;
+    backoffMax?: number;
+    urlMapping?: UrlMapping;
+    signal?: AbortSignal;
+    logger?: any;
+}
+export interface ClientAutoOptions {
+    csr: CsrBuffer | CsrString;
+    challengeCreateFn: (authz: Authorization, keyAuthorization: (challenge: Challenge) => Promise<string>) => Promise<{
+        recordReq?: any;
+        recordRes?: any;
+        dnsProvider?: any;
+        challenge: Challenge;
+        keyAuthorization: string;
+    }>;
+    challengeRemoveFn: (authz: Authorization, challenge: Challenge, keyAuthorization: string, recordReq: any, recordRes: any, dnsProvider: any, httpUploader: any) => Promise<any>;
+    email?: string;
+    termsOfServiceAgreed?: boolean;
+    skipChallengeVerification?: boolean;
+    challengePriority?: string[];
+    preferredChain?: string;
+    signal?: AbortSignal;
+    profile?: string;
+    waitDnsDiffuseTime?: number;
+}
+export interface CertificateDomains {
+    commonName: string;
+    altNames: string[];
+}
+export interface CertificateIssuer {
+    commonName: string;
+}
+export interface CertificateInfo {
+    issuer: CertificateIssuer;
+    domains: CertificateDomains;
+    notAfter: Date;
+    notBefore: Date;
+}
+export interface CsrOptions {
+    keySize?: number;
+    commonName?: string;
+    altNames?: string[];
+    country?: string;
+    state?: string;
+    locality?: string;
+    organization?: string;
+    organizationUnit?: string;
+    emailAddress?: string;
+}
+export interface RsaPublicJwk {
+    e: string;
+    kty: string;
+    n: string;
+}
+export interface EcdsaPublicJwk {
+    crv: string;
+    kty: string;
+    x: string;
+    y: string;
+}
+export interface CryptoInterface {
+    createPrivateKey(keySize?: number, encodingType?: string): Promise<PrivateKeyBuffer>;
+    createPrivateRsaKey(keySize?: number, encodingType?: string): Promise<PrivateKeyBuffer>;
+    createPrivateEcdsaKey(namedCurve?: "P-256" | "P-384" | "P-521", encodingType?: string): Promise<PrivateKeyBuffer>;
+    getPublicKey(keyPem: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString): PublicKeyBuffer;
+    getJwk(keyPem: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString): RsaPublicJwk | EcdsaPublicJwk;
+    splitPemChain(chainPem: CertificateBuffer | CertificateString): string[];
+    getPemBodyAsB64u(pem: CertificateBuffer | CertificateString): string;
+    readCsrDomains(csrPem: CsrBuffer | CsrString): CertificateDomains;
+    readCertificateInfo(certPem: CertificateBuffer | CertificateString): CertificateInfo;
+    createCsr(data: CsrOptions, keyPem?: PrivateKeyBuffer | PrivateKeyString, encodingType?: string): Promise<[PrivateKeyBuffer, CsrBuffer]>;
+    createAlpnCertificate(authz: Authorization, keyAuthorization: string, keyPem?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CertificateBuffer]>;
+    isAlpnCertificateAuthorizationValid(certPem: CertificateBuffer | CertificateString, keyAuthorization: string): boolean;
+}
+export interface CryptoLegacyInterface {
+    createPrivateKey(size?: number): Promise<PrivateKeyBuffer>;
+    createPublicKey(key: PrivateKeyBuffer | PrivateKeyString): Promise<PublicKeyBuffer>;
+    getPemBody(str: string): string;
+    splitPemChain(str: string): string[];
+    getModulus(input: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString | CertificateBuffer | CertificateString | CsrBuffer | CsrString): Promise<Buffer>;
+    getPublicExponent(input: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString | CertificateBuffer | CertificateString | CsrBuffer | CsrString): Promise<Buffer>;
+    readCsrDomains(csr: CsrBuffer | CsrString): Promise<CertificateDomains>;
+    readCertificateInfo(cert: CertificateBuffer | CertificateString): Promise<CertificateInfo>;
+    createCsr(data: CsrOptions, key?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CsrBuffer]>;
+}

package/dist/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/util.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * Utility methods
+ */
+import dnsSdk from 'dns';
+/**
+ * Retry promise
+ *
+ * @param {function} fn Function returning promise that should be retried
+ * @param {object} [backoffOpts] Backoff options
+ * @param {number} [backoffOpts.attempts] Maximum number of attempts, default: `5`
+ * @param {number} [backoffOpts.min] Minimum attempt delay in milliseconds, default: `5000`
+ * @param {number} [backoffOpts.max] Maximum attempt delay in milliseconds, default: `30000`
+ * @returns {Promise}
+ */
+declare function retry(fn: any, { attempts, min, max }?: {
+    attempts?: number;
+    min?: number;
+    max?: number;
+}, logger?: (...msg: any[]) => void): Promise<any>;
+/**
+ * Parse URLs from Link header
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link
+ *
+ * @param {string} header Header contents
+ * @param {string} rel Link relation, default: `alternate`
+ * @returns {string[]} Array of URLs
+ */
+declare function parseLinkHeader(header: any, rel?: string): any;
+/**
+ * Parse date or duration from Retry-After header
+ *
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
+ *
+ * @param {string} header Header contents
+ * @returns {number} Retry duration in seconds
+ */
+declare function parseRetryAfterHeader(header: any): number;
+/**
+ * Find certificate chain with preferred issuer common name
+ *  - If issuer is found in multiple chains, the closest to root wins
+ *  - If issuer can not be located, the first chain will be returned
+ *
+ * @param {string[]} certificates Array of PEM encoded certificate chains
+ * @param {string} issuer Preferred certificate issuer
+ * @returns {string} PEM encoded certificate chain
+ */
+declare function findCertificateChainForIssuer(chains: any, issuer: any): any;
+/**
+ * Find and format error in response object
+ *
+ * @param {object} resp HTTP response
+ * @returns {string} Error message
+ */
+declare function formatResponseError(resp: any): any;
+/**
+ * Resolve root domain name by looking for SOA record
+ *
+ * @param {string} recordName DNS record name
+ * @returns {Promise<string>} Root domain name
+ */
+declare function resolveDomainBySoaRecord(recordName: any, logger?: (...msg: any[]) => void): Promise<any>;
+/**
+ * Get DNS resolver using domains authoritative NS records
+ *
+ * @param {string} recordName DNS record name
+ * @returns {Promise<dns.Resolver>} DNS resolver
+ */
+declare function getAuthoritativeDnsResolver(recordName: any, logger?: (...msg: any[]) => void): Promise<dnsSdk.promises.Resolver>;
+/**
+ * Attempt to retrieve TLS ALPN certificate from peer
+ *
+ * https://nodejs.org/api/tls.html#tlsconnectoptions-callback
+ *
+ * @param {string} host Host the TLS client should connect to
+ * @param {number} port Port the client should connect to
+ * @param {string} servername Server name for the SNI (Server Name Indication)
+ * @returns {Promise<string>} PEM encoded certificate
+ */
+declare function retrieveTlsAlpnCertificate(host: any, port: any, timeout?: number): Promise<unknown>;
+/**
+ * Export utils
+ */
+export { retry, parseLinkHeader, parseRetryAfterHeader, findCertificateChainForIssuer, formatResponseError, getAuthoritativeDnsResolver, retrieveTlsAlpnCertificate, resolveDomainBySoaRecord };

package/{src → dist}/util.js RENAMED Viewed

@@ -1,12 +1,11 @@
+// @ts-nocheck
 /**
  * Utility methods
  */
 import tls from 'tls';
 import dnsSdk from 'dns';
-import { readCertificateInfo, splitPemChain }from './crypto/index.js'
-import { log } from './logger.js'
+import { readCertificateInfo, splitPemChain } from './crypto/index.js';
+import { log } from './logger.js';
 const dns = dnsSdk.promises;
 /**
  * Exponential backoff
@@ -18,27 +17,23 @@ const dns = dnsSdk.promises;
  * @param {number} [opts.min] Minimum backoff duration in ms
  * @param {number} [opts.max] Maximum backoff duration in ms
  */
 class Backoff {
     constructor({ min = 100, max = 10000 } = {}) {
         this.min = min;
         this.max = max;
         this.attempts = 0;
     }
     /**
      * Get backoff duration
      *
      * @returns {number} Backoff duration in ms
      */
     duration() {
         const ms = this.min * (2 ** this.attempts);
         this.attempts += 1;
         return Math.min(ms, this.max);
     }
 }
 /**
  * Retry promise
  *
@@ -47,37 +42,32 @@ class Backoff {
  * @param {Backoff} backoff Backoff instance
  * @returns {Promise}
  */
 async function retryPromise(fn, attempts, backoff, logger = log) {
     let aborted = false;
     let abortedFromUser = false;
     try {
-        const setAbort = (fromUser = false) => { aborted = true; abortedFromUser = fromUser; }
+        const setAbort = (fromUser = false) => { aborted = true; abortedFromUser = fromUser; };
         const data = await fn(setAbort);
         return data;
     }
     catch (e) {
-        if (aborted){
-            if (abortedFromUser){
+        if (aborted) {
+            if (abortedFromUser) {
                 logger(`用户取消重试`);
             }
             throw e;
         }
-        if ( ((backoff.attempts + 1) >= attempts)) {
+        if (((backoff.attempts + 1) >= attempts)) {
             logger(`重试次数超过${attempts}次`);
             throw e;
         }
         logger(`Promise rejected: ${e.message}`);
         const duration = backoff.duration();
         logger(`Promise rejected attempt #${backoff.attempts}, ${duration}ms 后重试: ${e.message}`);
         await new Promise((resolve) => { setTimeout(resolve, duration); });
         return retryPromise(fn, attempts, backoff, logger);
     }
 }
 /**
  * Retry promise
  *
@@ -88,12 +78,10 @@ async function retryPromise(fn, attempts, backoff, logger = log) {
  * @param {number} [backoffOpts.max] Maximum attempt delay in milliseconds, default: `30000`
  * @returns {Promise}
  */
 function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}, logger = log) {
     const backoff = new Backoff({ min, max });
     return retryPromise(fn, attempts, backoff, logger);
 }
 /**
  * Parse URLs from Link header
  *
@@ -104,18 +92,14 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}, logger = log)
  * @param {string} rel Link relation, default: `alternate`
  * @returns {string[]} Array of URLs
  */
 function parseLinkHeader(header, rel = 'alternate') {
     const relRe = new RegExp(`\\s*rel\\s*=\\s*"?${rel}"?`, 'i');
     const results = (header || '').split(/,\s*</).map((link) => {
         const [, linkUrl, linkParts] = link.match(/<?([^>]*)>;(.*)/) || [];
         return (linkUrl && linkParts && linkParts.match(relRe)) ? linkUrl : null;
     });
     return results.filter((r) => r);
 }
 /**
  * Parse date or duration from Retry-After header
  *
@@ -124,29 +108,23 @@ function parseLinkHeader(header, rel = 'alternate') {
  * @param {string} header Header contents
  * @returns {number} Retry duration in seconds
  */
 function parseRetryAfterHeader(header) {
     const sec = parseInt(header, 10);
     const date = new Date(header);
     /* Seconds into the future */
     if (Number.isSafeInteger(sec) && (sec > 0)) {
         return sec;
     }
     /* Future date string */
     if (date instanceof Date && !Number.isNaN(date)) {
         const now = new Date();
         const diff = Math.ceil((date.getTime() - now.getTime()) / 1000);
         if (diff > 0) {
             return diff;
         }
     }
     return 0;
 }
 /**
  * Find certificate chain with preferred issuer common name
  *  - If issuer is found in multiple chains, the closest to root wins
@@ -156,23 +134,19 @@ function parseRetryAfterHeader(header) {
  * @param {string} issuer Preferred certificate issuer
  * @returns {string} PEM encoded certificate chain
  */
 function findCertificateChainForIssuer(chains, issuer) {
     log(`Attempting to find match for issuer="${issuer}" in ${chains.length} certificate chains`);
     let bestMatch = null;
     let bestDistance = null;
     chains.forEach((chain) => {
         /* Look up all issuers */
         const certs = splitPemChain(chain);
         const infoCollection = certs.map((c) => readCertificateInfo(c));
         const issuerCollection = infoCollection.map((i) => i.issuer.commonName);
         /* Found issuer match, get distance from root - lower is better */
         if (issuerCollection.includes(issuer)) {
             const distance = (issuerCollection.length - issuerCollection.indexOf(issuer));
             log(`Found matching chain for preferred issuer="${issuer}" distance=${distance} issuers=${JSON.stringify(issuerCollection)}`);
             /* Chain wins, use it */
             if (!bestDistance || (distance < bestDistance)) {
                 log(`Issuer is closer to root than previous match, using it (${distance} < ${bestDistance || 'undefined'})`);
@@ -185,27 +159,22 @@ function findCertificateChainForIssuer(chains, issuer) {
             log(`Unable to match certificate for preferred issuer="${issuer}", issuers=${JSON.stringify(issuerCollection)}`);
         }
     });
     /* Return found match */
     if (bestMatch) {
         return bestMatch;
     }
     /* No chains matched, return default */
     log(`Found no match in ${chains.length} certificate chains for preferred issuer="${issuer}", returning default certificate chain`);
     return chains[0];
 }
 /**
  * Find and format error in response object
  *
  * @param {object} resp HTTP response
  * @returns {string} Error message
  */
 function formatResponseError(resp) {
     let result;
     if (resp.data) {
         if (resp.data.error) {
             result = resp.data.error.detail || resp.data.error;
@@ -214,17 +183,14 @@ function formatResponseError(resp) {
             result = resp.data.detail || JSON.stringify(resp.data);
         }
     }
     return (result || '').replace(/\n/g, '');
 }
 /**
  * Resolve root domain name by looking for SOA record
  *
  * @param {string} recordName DNS record name
  * @returns {Promise<string>} Root domain name
  */
 async function resolveDomainBySoaRecord(recordName, logger = log) {
     try {
         await dns.resolveSoa(recordName);
@@ -234,41 +200,33 @@ async function resolveDomainBySoaRecord(recordName, logger = log) {
     catch (e) {
         logger(`找不到${recordName}的SOA记录,继续往主域名查找`);
         const parentRecordName = recordName.split('.').slice(1).join('.');
         if (!parentRecordName.includes('.')) {
             throw new Error('SOA record查找失败');
         }
-        return resolveDomainBySoaRecord(parentRecordName,logger);
+        return resolveDomainBySoaRecord(parentRecordName, logger);
     }
 }
 /**
  * Get DNS resolver using domains authoritative NS records
  *
  * @param {string} recordName DNS record name
  * @returns {Promise<dns.Resolver>} DNS resolver
  */
 async function getAuthoritativeDnsResolver(recordName, logger = log) {
     logger(`获取域名${recordName}的权威NS服务器: `);
-    const resolver = new dns.Resolver({timeout: 2000,tries: 2});
+    const resolver = new dns.Resolver({ timeout: 2000, tries: 2 });
     try {
         /* Resolve root domain by SOA */
-        const domain = await resolveDomainBySoaRecord(recordName,logger);
+        const domain = await resolveDomainBySoaRecord(recordName, logger);
         /* Resolve authoritative NS addresses */
         logger(`获取到权威NS服务器name: ${domain}`);
         const nsRecords = await dns.resolveNs(domain);
         logger(`域名权威NS服务器：${nsRecords}`);
         const nsAddrArray = await Promise.all(nsRecords.map(async (r) => dns.resolve4(r)));
         const nsAddresses = [].concat(...nsAddrArray).filter((a) => a);
         if (!nsAddresses.length) {
             throw new Error(`Unable to locate any valid authoritative NS addresses for domain（获取权威服务器IP失败）: ${domain}`);
         }
         /* Authoritative NS success */
         logger(`Found ${nsAddresses.length} authoritative NS addresses for domain: ${domain}`);
         resolver.setServers(nsAddresses);
@@ -276,14 +234,11 @@ async function getAuthoritativeDnsResolver(recordName, logger = log) {
     catch (e) {
         logger(`Authoritative NS lookup error（获取权威NS服务器地址失败）: ${e.message}`);
     }
     /* Return resolver */
     const addresses = resolver.getServers();
     logger(`DNS resolver addresses（域名的权威NS服务器地址）: ${addresses.join(', ')}`);
     return resolver;
 }
 /**
  * Attempt to retrieve TLS ALPN certificate from peer
  *
@@ -294,11 +249,9 @@ async function getAuthoritativeDnsResolver(recordName, logger = log) {
  * @param {string} servername Server name for the SNI (Server Name Indication)
  * @returns {Promise<string>} PEM encoded certificate
  */
 async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
     return new Promise((resolve, reject) => {
         let result;
         /* TLS connection */
         const socket = tls.connect({
             host,
@@ -307,50 +260,30 @@ async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
             rejectUnauthorized: false,
             ALPNProtocols: ['acme-tls/1'],
         });
         socket.setTimeout(timeout);
         socket.setEncoding('utf-8');
         /* Grab certificate once connected and close */
         socket.on('secureConnect', () => {
             result = socket.getPeerX509Certificate();
             socket.end();
         });
         /* Errors */
         socket.on('error', (err) => {
             reject(err);
         });
         socket.on('timeout', () => {
             socket.destroy(new Error('TLS ALPN certificate lookup request timed out'));
         });
         /* Done, return cert as PEM if found */
         socket.on('end', () => {
             if (result) {
                 return resolve(result.toString());
             }
             return reject(new Error('TLS ALPN lookup failed to retrieve certificate'));
         });
     });
 }
 /**
  * Export utils
  */
-export {
-    retry,
-    parseLinkHeader,
-    parseRetryAfterHeader,
-    findCertificateChainForIssuer,
-    formatResponseError,
-    getAuthoritativeDnsResolver,
-    retrieveTlsAlpnCertificate,
-    resolveDomainBySoaRecord
-};
+export { retry, parseLinkHeader, parseRetryAfterHeader, findCertificateChainForIssuer, formatResponseError, getAuthoritativeDnsResolver, retrieveTlsAlpnCertificate, resolveDomainBySoaRecord };

package/dist/verify.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * ACME challenge verification
+ */
+import dnsSdk from "dns";
+export declare function setWalkFromAuthoritative(value?: boolean): void;
+export declare function createChallengeFn(opts?: {}): {
+    challenges: {
+        'http-01': (authz: any, challenge: any, keyAuthorization: any, suffix?: string) => Promise<boolean>;
+        'dns-01': (authz: any, challenge: any, keyAuthorization: any, prefix?: string) => Promise<boolean>;
+        'tls-alpn-01': (authz: any, challenge: any, keyAuthorization: any) => Promise<boolean>;
+    };
+    walkTxtRecord: (recordName: any, deep?: number) => Promise<any[]>;
+    walkDnsChallengeRecord: (recordName: any, resolver?: typeof dnsSdk.promises, deep?: number) => Promise<any[]>;
+};