From d5d7aed46cc34dfbba521dc216f6f75a4309de10 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 21 Jan 2019 02:07:22 +0100
Subject: client: poll order URL instead of each authz URL successively.

We were blocking on https://github.com/letsencrypt/boulder/issues/3530 .
---
 client | 100 ++++++++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 61 insertions(+), 39 deletions(-)

(limited to 'client')

diff --git a/client b/client
index 838b184..9ce52a0 100755
--- a/client
+++ b/client
@@ -142,6 +142,22 @@ sub request_status_line($) {
     return $msg;
 }
 
+# The request's Retry-After header (RFC 7231 sec. 7.1.3), converted to
+# waiting time in seconds.
+sub request_retry_after($) {
+    my $r = shift;
+    my $v = $r->header('Retry-After');
+    if (defined $v and $v !~ /\A\d+\z/) {
+        require 'Date/Parse.pm';
+        $v = Date::Parse::str2time($v);
+        if (defined $v) {
+            $v = $v - time;
+            undef $v if $v <= 0;
+        }
+    }
+    return $v;
+}
+
 # Parse and return the request's decoded content as JSON; or print the
 # Status Line and fail if the request failed.
 # If $dump is set, also pretty-print the decoded content.
@@ -262,6 +278,7 @@ elsif ($COMMAND eq 'newOrder') {
     my @identifiers = map {{ type => 'dns', value => $_ }} @ARGV;
     my $r = acme_resource('newOrder', identifiers => \@identifiers);
     my $order = request_json_decode($r);
+    my $orderurl = $r->header('Location');
 
     foreach (@{$order->{authorizations}}) {
         my $authz = request_json_decode(request(GET => $_));
@@ -287,52 +304,57 @@ elsif ($COMMAND eq 'newOrder') {
         } else {
             die "Can't open $challenge->{token}: $!";
         }
-
-        $r = acme($challenge->{url});
-
-        # poll until the status become 'valid'
-        # XXX poll the order URL instead, to get the status of all
-        # challenges at once
-        # https://github.com/letsencrypt/boulder/issues/3530
-        for ( my $i = 0, my $resp, my $status;
-              $resp = request_json_decode($r),
-              $status = $resp->{status} // 'pending',
-              $status ne 'valid';
-              $r = request('GET' => $challenge->{url})) {
-            if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
-                my $msg = $problem->{status};
-                $msg .= " " .$problem->{title}      if defined $problem->{title};
-                $msg .= " (".$problem->{detail}.")" if defined $problem->{detail};
-                die $msg, "\n";
-            }
-            die "Error: Invalid challenge for $identifier (status: ".$status.")\n"
-                if $status ne 'pending';
-
-            my $sleep = 1;
-            if (defined (my $retry_after = $r->header('Retry-After'))) {
-                print STDERR "Retrying after $retry_after seconds...\n";
-                $sleep = $retry_after;
-            }
-
-            $i += $sleep;
-            die "Timeout exceeded while waiting for challenges to pass ($identifier)\n"
-                if $timeout > 0 and $i >= $timeout;
-            sleep $sleep;
-        }
+        my $r = acme($challenge->{url});
+        request_json_decode($r);
     }
 
-    $r = acme($order->{finalize}, csr => encode_base64url($csr));
-    my $resp = request_json_decode($r);
+    # poll the order URL (to get the status of all challenges at once)
+    # until the status become 'valid'
+    my $orderstr = join(', ', map {uc($_->{type}) .":". $_->{value}} @identifiers);
+    my $certuri;
+    for (my $i = 0;;) {
+        my $r = request('GET' => $orderurl);
+        my $resp = request_json_decode($r);
+        if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
+            my $msg = $problem->{status};
+            $msg .= " " .$problem->{title}      if defined $problem->{title};
+            $msg .= " (".$problem->{detail}.")" if defined $problem->{detail};
+            die $msg, "\n";
+        }
+        my $status = $resp->{status};
+        if (!defined $status or $status eq "invalid") {
+            die "Error: Invalid order $orderstr\n";
+        }
+        elsif ($status eq "ready") {
+            my $r = acme($order->{finalize}, csr => encode_base64url($csr));
+            my $resp = request_json_decode($r);
+            $certuri = $resp->{certificate};
+            last;
+        }
+        elsif ($status eq "valid") {
+            $certuri = $resp->{certificate} //
+                die "Error: Missing \"certificate\" field in \"valid\" order\n";
+            last;
+        }
+        elsif ($status ne "pending" and $status ne "processing") {
+            warn "Unknown order status: $status\n";
+        }
 
-    my $uri = $resp->{certificate};
-    print STDERR "Certificate URI: $uri\n";
+        my $retry_after = request_retry_after($r) // 1;
+        print STDERR "Retrying after $retry_after seconds...\n";
+        $i += $retry_after;
+        die "Timeout exceeded while waiting for challenges to pass ($orderstr)\n"
+            if $timeout > 0 and $i >= $timeout;
+        sleep $retry_after;
+    }
 
-    # pool until the cert is available
+    # poll until the cert is available
+    print STDERR "Certificate URI: $certuri\n";
     for (my $i = 0;;) {
-        $r = request('GET' => $uri);
+        $r = request('GET' => $certuri);
         die request_status_line($r), "\n" unless $r->is_success();
         last unless $r->code == 202; # Accepted
-        my $retry_after = $r->header('Retry-After') // 1;
+        my $retry_after = request_retry_after($r) // 1;
         print STDERR "Retrying after $retry_after seconds...\n";
         $i += $retry_after;
         die "Timeout exceeded while waiting for certificate\n" if $timeout > 0 and $i >= $timeout;
-- 
cgit v1.2.3


From 57ddc5ca505adeb3e44542335b01a6f0e8887ddc Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 21 Jan 2019 02:13:06 +0100
Subject: lacme, client: new dependency Date::Parse.

---
 client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'client')

diff --git a/client b/client
index 9ce52a0..c152e30 100755
--- a/client
+++ b/client
@@ -50,6 +50,7 @@ use Fcntl qw/O_CREAT O_EXCL O_WRONLY/;
 use Digest::SHA qw/sha256 sha256_hex/;
 use MIME::Base64 qw/encode_base64 encode_base64url/;
 
+use Date::Parse ();
 use LWP::UserAgent ();
 use Types::Serialiser ();
 use JSON ();
@@ -148,7 +149,6 @@ sub request_retry_after($) {
     my $r = shift;
     my $v = $r->header('Retry-After');
     if (defined $v and $v !~ /\A\d+\z/) {
-        require 'Date/Parse.pm';
         $v = Date::Parse::str2time($v);
         if (defined $v) {
             $v = $v - time;
-- 
cgit v1.2.3


From a3978219bab85e650d963276823cb142ecde6a21 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 21 Aug 2019 17:19:59 +0200
Subject: Link to RFC 8555 instead of the ACME I-D URL.

---
 client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'client')

diff --git a/client b/client
index c152e30..9dbcc3f 100755
--- a/client
+++ b/client
@@ -181,7 +181,7 @@ sub request_json_decode($;$$) {
 #############################################################################
 # JSON-encode the hash reference $h and send it to the ACME server $uri
 # encapsulated it in a JSON Web Signature (JWS).
-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
+# https://tools.ietf.org/html/rfc8555
 #
 sub acme($@) {
     my $uri = shift;
-- 
cgit v1.2.3


From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 21 Aug 2019 17:29:19 +0200
Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)

For the  authorizations, order and certificate URLs.
See RFC 8555 sec. 7.1.
---
 client | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

(limited to 'client')

diff --git a/client b/client
index 9dbcc3f..b567516 100755
--- a/client
+++ b/client
@@ -183,14 +183,14 @@ sub request_json_decode($;$$) {
 # encapsulated it in a JSON Web Signature (JWS).
 # https://tools.ietf.org/html/rfc8555
 #
-sub acme($@) {
-    my $uri = shift;
+sub acme($;$) {
+    my ($uri, $h) = @_;
     die "Missing nonce\n" unless defined $NONCE;
 
     # Produce the JSON Web Signature: RFC 7515 section 5
     my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
     defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
-    my $payload = encode_base64url(json()->encode({ @_ }));
+    my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
     my $protected = encode_base64url(json()->encode(\%header));
     my $data = $protected .'.'. $payload;
     $S->printflush($data, "\r\n");
@@ -220,7 +220,7 @@ sub acme_resource($%) {
         request(HEAD => $RES{newNonce});
     }
     my $uri = $RES{$r} // die "Unknown resource '$r'\n";
-    acme($uri, @_);
+    acme($uri, {@_});
 }
 
 # Set the key ID (registration URI)
@@ -253,7 +253,7 @@ if ($COMMAND eq 'account') {
 
     if ($r->is_success()) {
         $KID = $r->header('Location');
-        $r = acme($KID, %h);
+        $r = acme($KID, \%h);
         request_json_decode($r, 1, \*STDOUT)
             if $r->is_success() and $r->content_type() eq 'application/json';
     }
@@ -281,7 +281,7 @@ elsif ($COMMAND eq 'newOrder') {
     my $orderurl = $r->header('Location');
 
     foreach (@{$order->{authorizations}}) {
-        my $authz = request_json_decode(request(GET => $_));
+        my $authz = request_json_decode(acme($_));
         next unless $authz->{status} eq 'pending';
 
         my $identifier = $authz->{identifier}->{value};
@@ -304,7 +304,7 @@ elsif ($COMMAND eq 'newOrder') {
         } else {
             die "Can't open $challenge->{token}: $!";
         }
-        my $r = acme($challenge->{url});
+        my $r = acme($challenge->{url}, {});
         request_json_decode($r);
     }
 
@@ -313,7 +313,7 @@ elsif ($COMMAND eq 'newOrder') {
     my $orderstr = join(', ', map {uc($_->{type}) .":". $_->{value}} @identifiers);
     my $certuri;
     for (my $i = 0;;) {
-        my $r = request('GET' => $orderurl);
+        my $r = acme($orderurl);
         my $resp = request_json_decode($r);
         if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
             my $msg = $problem->{status};
@@ -326,7 +326,7 @@ elsif ($COMMAND eq 'newOrder') {
             die "Error: Invalid order $orderstr\n";
         }
         elsif ($status eq "ready") {
-            my $r = acme($order->{finalize}, csr => encode_base64url($csr));
+            my $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
             my $resp = request_json_decode($r);
             $certuri = $resp->{certificate};
             last;
@@ -351,7 +351,7 @@ elsif ($COMMAND eq 'newOrder') {
     # poll until the cert is available
     print STDERR "Certificate URI: $certuri\n";
     for (my $i = 0;;) {
-        $r = request('GET' => $certuri);
+        $r = acme($certuri);
         die request_status_line($r), "\n" unless $r->is_success();
         last unless $r->code == 202; # Accepted
         my $retry_after = request_retry_after($r) // 1;
-- 
cgit v1.2.3


From 8a2d319476dbcd7840893616b1399658ddd71b27 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 21 Aug 2019 17:57:15 +0200
Subject: lacme: new option 'account --deactivate'

For client-initiated account deactivation.  See RFC 8555 sec. 7.3.6.
---
 client | 1 +
 1 file changed, 1 insertion(+)

(limited to 'client')

diff --git a/client b/client
index b567516..2eebbf0 100755
--- a/client
+++ b/client
@@ -244,6 +244,7 @@ if ($COMMAND eq 'account') {
     my %h = ( contact => \@ARGV ) if @ARGV;
     $h{onlyReturnExisting}   = Types::Serialiser::true unless $flags & 0x01;
     $h{termsOfServiceAgreed} = Types::Serialiser::true if     $flags & 0x02;
+    $h{status}               = "deactivated"           if     $flags & 0x04;
 
     print STDERR "Requesting new registration ".(@ARGV ? ("for ".join(', ', @ARGV)) : "")."\n"
         if $flags & 0x01;
-- 
cgit v1.2.3