From aa779d1f1658a1244e2cba03b07ea9be3c4ee2a0 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 21 Aug 2019 18:55:48 +0200
Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)

For the  authorizations, order and certificate URLs.
See RFC 8555 sec. 7.1.

Let's Encrypt will remove support of unauthenticated GETs from the V2
API on 01 Nov 2019:

    https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
---
 debian/changelog                                   |  11 ++
 debian/gbp.conf                                    |   2 +-
 .../0002-Issue-GET-and-POST-as-GET-requests.patch  | 121 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 4 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch

(limited to 'debian')

diff --git a/debian/changelog b/debian/changelog
index d18bc4c..3366d21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lacme (0.5-1+deb10u1) buster; urgency=medium
+
+  * Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
+    ACME I-D URL.
+  * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+    authorizations, order and certificate URLs.   Let's Encrypt will remove
+    support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+    Closes: #935799.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 22 Aug 2019 00:14:42 +0200
+
 lacme (0.5-1) unstable; urgency=medium
 
   * New upstream release, adding support for v2 ACME endpoints.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 4daf79f..b100207 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian
+debian-branch = debian-buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = False
diff --git a/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
new file mode 100644
index 0000000..2f07327
--- /dev/null
+++ b/debian/patches/0002-Issue-GET-and-POST-as-GET-requests.patch
@@ -0,0 +1,121 @@
+From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
+From: Guilhem Moulin <guilhem@fripost.org>
+Date: Wed, 21 Aug 2019 17:29:19 +0200
+Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)
+
+For the  authorizations, order and certificate URLs.
+See RFC 8555 sec. 7.1.
+---
+ client            |   22 +++++++++++-----------
+ lacme-accountd.md |    2 +-
+ lacme.md          |    2 +-
+ 3 files changed, 13 insertions(+), 13 deletions(-)
+
+--- a/client
++++ b/client
+@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
+ #############################################################################
+ # JSON-encode the hash reference $h and send it to the ACME server $uri
+ # encapsulated it in a JSON Web Signature (JWS).
+-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
++# https://tools.ietf.org/html/rfc8555
+ #
+-sub acme($@) {
+-    my $uri = shift;
++sub acme($;$) {
++    my ($uri, $h) = @_;
+     die "Missing nonce\n" unless defined $NONCE;
+ 
+     # Produce the JSON Web Signature: RFC 7515 section 5
+     my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
+     defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
+-    my $payload = encode_base64url(json()->encode({ @_ }));
++    my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
+     my $protected = encode_base64url(json()->encode(\%header));
+     my $data = $protected .'.'. $payload;
+     $S->printflush($data, "\r\n");
+@@ -204,7 +204,7 @@ sub acme_resource($%) {
+         request(HEAD => $RES{newNonce});
+     }
+     my $uri = $RES{$r} // die "Unknown resource '$r'\n";
+-    acme($uri, @_);
++    acme($uri, {@_});
+ }
+ 
+ # Set the key ID (registration URI)
+@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
+ 
+     if ($r->is_success()) {
+         $KID = $r->header('Location');
+-        $r = acme($KID, %h);
++        $r = acme($KID, \%h);
+         request_json_decode($r, 1, \*STDOUT)
+             if $r->is_success() and $r->content_type() eq 'application/json';
+     }
+@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
+     my $order = request_json_decode($r);
+ 
+     foreach (@{$order->{authorizations}}) {
+-        my $authz = request_json_decode(request(GET => $_));
++        my $authz = request_json_decode(acme($_));
+         next unless $authz->{status} eq 'pending';
+ 
+         my $identifier = $authz->{identifier}->{value};
+@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
+             die "Can't open $challenge->{token}: $!";
+         }
+ 
+-        $r = acme($challenge->{url});
++        $r = acme($challenge->{url}, {});
+ 
+         # poll until the status become 'valid'
+         # XXX poll the order URL instead, to get the status of all
+@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
+               $resp = request_json_decode($r),
+               $status = $resp->{status} // 'pending',
+               $status ne 'valid';
+-              $r = request('GET' => $challenge->{url})) {
++              $r = acme($challenge->{url}, {})) {
+             if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
+                 my $msg = $problem->{status};
+                 $msg .= " " .$problem->{title}      if defined $problem->{title};
+@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
+         }
+     }
+ 
+-    $r = acme($order->{finalize}, csr => encode_base64url($csr));
++    $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
+     my $resp = request_json_decode($r);
+ 
+     my $uri = $resp->{certificate};
+@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
+ 
+     # pool until the cert is available
+     for (my $i = 0;;) {
+-        $r = request('GET' => $uri);
++        $r = acme($uri);
+         die request_status_line($r), "\n" unless $r->is_success();
+         last unless $r->code == 202; # Accepted
+         my $retry_after = $r->header('Retry-After') // 1;
+--- a/lacme-accountd.md
++++ b/lacme-accountd.md
+@@ -141,7 +141,7 @@ See also
+ 
+ [`lacme`(1)], [`ssh`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme`(1)]: lacme.1.html
+ [`signal`(7)]: http://linux.die.net/man/7/signal
+ [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
+--- a/lacme.md
++++ b/lacme.md
+@@ -412,7 +412,7 @@ See also
+ 
+ [`lacme-accountd`(1)]
+ 
+-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
++[ACME]: https://tools.ietf.org/html/rfc8555
+ [`lacme-accountd`(1)]: lacme-accountd.1.html
+ [`iptables`(8)]: http://linux.die.net/man/8/iptables
+ [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
diff --git a/debian/patches/series b/debian/patches/series
index 98a1097..ddf7cce 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Mention-the-Debian-BTS-in-the-manpages.patch
+0002-Issue-GET-and-POST-as-GET-requests.patch
-- 
cgit v1.2.3