From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 21 Aug 2019 17:29:19 +0200
Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1.
---
 Changelog | 2 ++
 client | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/Changelog b/Changelog
index 948b3f4..0f74a85 100644
--- a/Changelog
+++ b/Changelog
@@ -8,6 +8,8 @@ lacme (0.6) UNRELEASED
 drop compatibility symlinks once Bullseye is released.
 - Link to RFC 8555 instead of the ACME I-D URL.
+ - Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+ authorizations, order and certificate URLs.
 -- Guilhem Moulin Mon, 21 Jan 2019 02:07:58 +0100
diff --git a/client b/client
index 9dbcc3f..b567516 100755
--- a/client
+++ b/client
@@ -183,14 +183,14 @@ sub request_json_decode($;$$) {
 # encapsulated it in a JSON Web Signature (JWS).
 # https://tools.ietf.org/html/rfc8555
 #
-sub acme($@) {
- my $uri = shift;
+sub acme($;$) {
+ my ($uri, $h) = @_;
 die "Missing nonce\n" unless defined $NONCE;
 # Produce the JSON Web Signature: RFC 7515 section 5
 my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
 defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
- my $payload = encode_base64url(json()->encode({ @_ }));
+ my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
 my $protected = encode_base64url(json()->encode(\%header));
 my $data = $protected .'.'. $payload;
 $S->printflush($data, "\r\n");
@@ -220,7 +220,7 @@ sub acme_resource($%) {
 request(HEAD => $RES{newNonce});
 }
 my $uri = $RES{$r} // die "Unknown resource '$r'\n";
- acme($uri, @_);
+ acme($uri, {@_});
 }
 # Set the key ID (registration URI)
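Review bot: The new calling convention of `acme` — an undefined second argument means POST-as-GET with an empty payload, a hashref means a JSON body, and `{}` is a POST carrying an empty object — is only implicit in the `defined $h ? ... : ""` line, while the header comment above the sub still only says the payload is encapsulated in a JWS. One line in that comment would keep the two empty forms from being confused later: `# $h: undef for a POST-as-GET (RFC 8555 sec. 6.3, empty payload); a hashref (possibly {}) for a JSON payload`. Note also that the `($;$)` prototype evaluates the second argument in scalar context, so a call elsewhere that still passed a flat `%h` would be accepted at compile time and reach `json()->encode` with a plain scalar; every call site in this commit passes a reference, but I cannot see whether other callers exist. The body of `acme` continues past the end of the hunk.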
@@ -253,7 +253,7 @@ if ($COMMAND eq 'account') {
 if ($r->is_success()) {
 $KID = $r->header('Location');
- $r = acme($KID, %h);
+ $r = acme($KID, \%h);
 request_json_decode($r, 1, \*STDOUT) if $r->is_success() and $r->content_type() eq 'application/json';
 }
@@ -281,7 +281,7 @@ elsif ($COMMAND eq 'newOrder') {
 my $orderurl = $r->header('Location');
 foreach (@{$order->{authorizations}}) {
- my $authz = request_json_decode(request(GET => $_));
+ my $authz = request_json_decode(acme($_));
 next unless $authz->{status} eq 'pending';
 my $identifier = $authz->{identifier}->{value};
@@ -304,7 +304,7 @@ elsif ($COMMAND eq 'newOrder') {
 } else {
 die "Can't open $challenge->{token}: $!";
 }
- my $r = acme($challenge->{url});
+ my $r = acme($challenge->{url}, {});
 request_json_decode($r);
 }
@@ -313,7 +313,7 @@ elsif ($COMMAND eq 'newOrder') {
 my $orderstr = join(', ', map {uc($_->{type}) .":". $_->{value}} @identifiers);
 my $certuri;
 for (my $i = 0;;) {
- my $r = request('GET' => $orderurl);
+ my $r = acme($orderurl);
 my $resp = request_json_decode($r);
 if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
 my $msg = $problem->{status};
@@ -326,7 +326,7 @@ elsif ($COMMAND eq 'newOrder') {
 die "Error: Invalid order $orderstr\n";
 }
 elsif ($status eq "ready") {
- my $r = acme($order->{finalize}, csr => encode_base64url($csr));
+ my $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
 my $resp = request_json_decode($r);
 $certuri = $resp->{certificate};
 last;
@@ -351,7 +351,7 @@ elsif ($COMMAND eq 'newOrder') {
 # poll until the cert is available
 print STDERR "Certificate URI: $certuri\n";
 for (my $i = 0;;) {
- $r = request('GET' => $certuri);
+ $r = acme($certuri);
 die request_status_line($r), "\n" unless $r->is_success();
 last unless $r->code == 202; # Accepted
 my $retry_after = request_retry_after($r) // 1;
-- 
cgit v1.2.3
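Review bot: The loop over `$order->{authorizations}` at `@@ -281,7` keeps the bare `$_` as its loop variable and now routes it through `acme($_)` and `request_json_decode`, two sub calls that could clobber `$_` before the rest of the body runs; a named variable makes the authorization URL visible at the call and removes that risk, e.g. `foreach my $authz_url (@{$order->{authorizations}}) {` and `my $authz = request_json_decode(acme($authz_url));`. The enclosing `elsif ($COMMAND eq 'newOrder')` block starts and ends outside the hunk.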
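Review bot: `acme($challenge->{url}, {})` at `@@ -304,7` deliberately sends `{}` rather than the `undef` the sibling calls use for POST-as-GET, because RFC 8555 sec. 7.5.1 has the client respond to a challenge with an empty JSON object; that distinction is easy to lose in a later cleanup, so a comment on the line would help: `# RFC 8555 sec. 7.5.1: an empty JSON object, not a POST-as-GET`. The enclosing block starts and ends outside the hunk.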
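Review bot: Replacing `request('GET' => $orderurl)` with `acme($orderurl)` at `@@ -313,7` makes every polling iteration consume a nonce and rely on `$NONCE` being replenished from each reply, since `acme` dies with "Missing nonce" when it is undefined and nothing in this loop refreshes it the way `acme_resource` does with `request(HEAD => $RES{newNonce})`. RFC 8555 sec. 6.5 also lets the server reject a stale nonce with a `badNonce` problem document, which this loop would presumably surface as a failure rather than retrying with the nonce from that reply; whether `acme` handles either case is outside the hunk, so it is worth confirming. The same applies to the certificate polling loop at `@@ -351,7`. Both loops start and end outside their hunks.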