From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 21 Aug 2019 17:29:19 +0200
Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)

For the authorizations, order and certificate URLs.
See RFC 8555 sec. 7.1.
---
 client            |   22 +++++++++++-----------
 lacme-accountd.md |    2 +-
 lacme.md          |    2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

--- a/client
+++ b/client
@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
 #############################################################################
 # JSON-encode the hash reference $h and send it to the ACME server $uri
 # encapsulated it in a JSON Web Signature (JWS).
-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
+# https://tools.ietf.org/html/rfc8555
 #
-sub acme($@) {
-    my $uri = shift;
+sub acme($;$) {
+    my ($uri, $h) = @_;
     die "Missing nonce\n" unless defined $NONCE;
 
     # Produce the JSON Web Signature: RFC 7515 section 5
     my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
     defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
-    my $payload = encode_base64url(json()->encode({ @_ }));
+    my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
     my $protected = encode_base64url(json()->encode(\%header));
     my $data = $protected .'.'. $payload;
     $S->printflush($data, "\r\n");
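Review bot: The header comment above the signature still says acme() JSON-encodes "the hash reference $h" and sends it, but the new `($;$)` signature also accepts an undefined $h, which on line 157 produces an empty payload (a POST-as-GET, RFC 8555 sec. 6.3) rather than the `{}` that an empty hash reference encodes to; the two are not interchangeable, since `{}` is the challenge-response body of sec. 7.5.1 and "" is a read-only fetch. That distinction is what every later call site in this commit relies on, so it belongs in the comment, e.g. `# If $h is undef the payload is empty (POST-as-GET, RFC 8555 sec. 6.3); pass {} to send an empty JSON object.` The prototype only imposes scalar context on the second argument and does not check that $h is a hash reference, so a caller passing a plain list would silently send only its first element. The body of acme() continues past this hunk.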
@@ -204,7 +204,7 @@ sub acme_resource($%) {
         request(HEAD => $RES{newNonce});
     }
     my $uri = $RES{$r} // die "Unknown resource '$r'\n";
-    acme($uri, @_);
+    acme($uri, {@_});
 }
 
 # Set the key ID (registration URI)
@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
 
     if ($r->is_success()) {
         $KID = $r->header('Location');
-        $r = acme($KID, %h);
+        $r = acme($KID, \%h);
         request_json_decode($r, 1, \*STDOUT)
             if $r->is_success() and $r->content_type() eq 'application/json';
     }
@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
     my $order = request_json_decode($r);
 
     foreach (@{$order->{authorizations}}) {
-        my $authz = request_json_decode(request(GET => $_));
+        my $authz = request_json_decode(acme($_));
         next unless $authz->{status} eq 'pending';
 
         my $identifier = $authz->{identifier}->{value};
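Review bot: The new call on line 184 hands the loop's `$_` to acme(), so the authorization URL now crosses a subroutine call as a global alias to an element of `$order->{authorizations}`; foreach does localize `$_`, but a `while (<$fh>)` or any assignment to `$_` inside acme() would overwrite both the loop variable and that array element (acme()'s body is outside this hunk, so I could not rule that out). Naming the variable removes the dependency: `foreach my $authz_uri (@{$order->{authorizations}}) {` and `my $authz = request_json_decode(acme($authz_uri));`. The enclosing elsif block starts and ends outside this hunk.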
@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
             die "Can't open $challenge->{token}: $!";
         }
 
-        $r = acme($challenge->{url});
+        $r = acme($challenge->{url}, {});
 
         # poll until the status become 'valid'
         # XXX poll the order URL instead, to get the status of all
@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
               $resp = request_json_decode($r),
               $status = $resp->{status} // 'pending',
               $status ne 'valid';
-              $r = request('GET' => $challenge->{url})) {
+              $r = acme($challenge->{url}, {})) {
             if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
                 my $msg = $problem->{status};
                 $msg .= " " .$problem->{title}      if defined $problem->{title};
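Review bot: The poll on line 202 re-sends the challenge-response body `{}` to the challenge URL on every iteration, whereas the commit's stated intent is to poll with POST-as-GET, which the certificate loop in this same commit does with a payload-less `acme($uri)`. RFC 8555 sec. 7.5.1 treats the `{}` POST as the one-time response that starts validation and uses POST-as-GET for subsequent status checks, so re-posting `{}` to a challenge that is no longer pending is at best redundant and, depending on the server, may be rejected as a malformed or out-of-order challenge response. Suggest `$r = acme($challenge->{url})) {` for the poll, keeping the `{}` only for the initial response on line 193 (which belongs to the preceding hunk). The enclosing for loop starts outside this hunk.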
@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
         }
     }
 
-    $r = acme($order->{finalize}, csr => encode_base64url($csr));
+    $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
     my $resp = request_json_decode($r);
 
     my $uri = $resp->{certificate};
@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
 
     # pool until the cert is available
     for (my $i = 0;;) {
-        $r = request('GET' => $uri);
+        $r = acme($uri);
         die request_status_line($r), "\n" unless $r->is_success();
         last unless $r->code == 202; # Accepted
         my $retry_after = $r->header('Retry-After') // 1;
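Review bot: Switching the certificate poll on line 220 to acme() means every iteration now consumes an anti-replay nonce, and acme() dies with "Missing nonce" when $NONCE is undefined (line 151), so this loop depends on acme() refreshing $NONCE from each response's Replay-Nonce header; acme()'s body is outside this hunk, so I could not confirm that, and a `badNonce` error (RFC 8555 sec. 6.5) is not retried here, which a loop issuing many signed requests is the most likely place to hit. Separately, the `Retry-After` value read on line 223 may be an HTTP-date rather than delta-seconds (RFC 7231 sec. 7.1.3); if it presumably feeds sleep unchanged further down (outside the hunk), a date string would be coerced to 0 with a warning and the loop would spin. A guard such as `$retry_after = 1 unless $retry_after =~ m{\A\d+\z};` or a comment `# Retry-After may be an HTTP-date (RFC 7231 sec. 7.1.3); only delta-seconds are handled` would make the assumption explicit. The enclosing for loop continues outside this hunk.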
--- a/lacme-accountd.md
+++ b/lacme-accountd.md
@@ -141,7 +141,7 @@ See also
 
 [`lacme`(1)], [`ssh`(1)]
 
-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
+[ACME]: https://tools.ietf.org/html/rfc8555
 [`lacme`(1)]: lacme.1.html
 [`signal`(7)]: http://linux.die.net/man/7/signal
 [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
--- a/lacme.md
+++ b/lacme.md
@@ -412,7 +412,7 @@ See also
 
 [`lacme-accountd`(1)]
 
-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
+[ACME]: https://tools.ietf.org/html/rfc8555
 [`lacme-accountd`(1)]: lacme-accountd.1.html
 [`iptables`(8)]: http://linux.die.net/man/8/iptables
 [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html