Documentation
¶
Overview ¶
Package client provides a low-level ACME v2 client.
Index ¶
- type B64CSR
- type Client
- func (c *Client) ActiveAccountID() string
- func (c *Client) AuthzByIdentifier(order *resources.Order, identifier string) (*resources.Authorization, error)
- func (c *Client) CSR(commonName string, names []string, keyID string) (B64CSR, PEMCSR, error)
- func (c *Client) CreateAccount(acct *resources.Account) error
- func (c *Client) CreateOrder(order *resources.Order) error
- func (c *Client) Directory() (map[string]interface{}, error)
- func (c *Client) GetEndpointURL(name string) (string, bool)
- func (c *Client) GetURL(url string) (*net.NetResponse, error)
- func (c *Client) Nonce() (string, error)
- func (c *Client) OrderByIndex(index int) (*resources.Order, error)
- func (c *Client) PostAsGetURL(url string) (*net.NetResponse, error)
- func (c *Client) PostURL(url string, body []byte) (*net.NetResponse, error)
- func (c *Client) Printf(format string, vals ...interface{})
- func (c *Client) RefreshNonce() error
- func (c *Client) Rollover(newKey crypto.Signer) error
- func (c *Client) Sign(url string, data []byte, opts *SigningOptions) (*SignResult, error)
- func (c *Client) UpdateAuthz(authz *resources.Authorization) error
- func (c *Client) UpdateChallenge(chall *resources.Challenge) error
- func (c *Client) UpdateDirectory() error
- func (c *Client) UpdateOrder(order *resources.Order) error
- type ClientConfig
- type OutputOptions
- type PEMCSR
- type SignResult
- type SigningOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type B64CSR ¶
type B64CSR string
B64CSR is the Base64URLSafe encoding of an x509 Certificate Signing Request (CSR)
type Client ¶
type Client struct {
// A parsed *url.URL pointer for the ACME server's directory URL.
DirectoryURL *url.URL
// A pointer to the Account object that is considered currently active for
// signing JWS for ACME requests.
ActiveAccount *resources.Account
// A map of key identifiers to Signers. These keys are used for signing
// operations that shouldn't use an Account's associated key.
Keys map[string]crypto.Signer
// A slice of Account object pointers. The ActiveAccount is selected from this
// list of available accounts.
Accounts []*resources.Account
// Options controlling the Client's output.
Output OutputOptions
// Use POST-as-GET requests instead of GET
PostAsGet bool
// contains filtered or unexported fields
}
Client allows interaction with an ACME server. A client may have many Accounts, each associated with a keypair and corresponding server-side Account resource. Each client uses the ActiveAccount to authenticate requests to the ACME server. In addition to Accounts a client maintains a map of Keys holding private keys that can be used for signing CSRs when finalizing orders. Internally the Client uses the https://godoc.org/cpu/acmeshell/net package to perform HTTP requests to the ACME server.
The Client's DirectoryURL field is a parsed *url.URL for the ACME server's directory. The client configures itself with the correct URLs for ACME operations using the directory resource accessed at this URL. See https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.7.1.1
The Client's ActiveAccount field is a pointer to an Account that should be used for authenticating ACME requests with JSON Web Signatures (JWS). Switching the ActiveAccount between entries from the Accounts array allows performing complex multi-user tests (e.g. verifying access control restrictions on resources) with an ACME server.
The Client's Keys field is a map of crypto.Signer's that can be used for signing operations that should not use the ActiveAccount's keypair. One example of this being helpful is for certificate signing requests (CSRs) used during order finalization which SHOULD NOT be the account keypair (see https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.11.1). Each signer is indexed in the Keys map by a string key identifier which will often be a human readable name (e.g. "example-key", "cpu-throwaway"). The key identifier for the Keys entry has no relation to ACME JWS key identifiers.
The Client's Accounts field is a slice of Account object pointers. These are the available Accounts that have been registered by the client with the ACME server, or loaded from a previous session.
func NewClient ¶
func NewClient(config ClientConfig) (*Client, error)
NewClient creates a Client instance from the given ClientConfig. If the config is not valid or if another error occurs it will be returned along with a nil Client.
TODO(@cpu): This function is way too long/messy. Refactor ASAP!
func (*Client) ActiveAccountID ¶
ActiveAccountID returns the ID of the ActiveAccount. If the ActiveAccount is nil, an empty string is returned. If the ActiveAccount has not yet been created with the ACME server an empty string is returned.
func (*Client) AuthzByIdentifier ¶
func (*Client) CSR ¶
CSR produces a CertificateSigningRequest for the provided commonName and SAN names. The keyID will be used to look up a client Keys entry to sign the CSR. The CSR will use the public component of this key as the CSR public key. If no commonName is provided the first of the names will be used. CSR returns the PEM encoding of the CSR as well as the Base64URL encoding of the CSR.
func (*Client) CreateAccount ¶
CreateAccount creates the given Account resource with the ACME server. The Account is updated with the ID returned in the server's response's Location header if the operation is successful, otherwise an error is returned.
Important: This function always unconditionally agrees to the server's terms of service (e.g. it sends "termsOfServiceAgreed:"true" in all account creation requests). This is one of MANY reasons why you should not be using ACME Shell for anything except development and testing!
For more information on account creation see https://tools.ietf.org/html/rfc8555#section-7.3
func (*Client) CreateOrder ¶
CreateOrder creates the given Order resource with the ACME server. If the operation is successful, the order is mutated in place with the response from the server's reply. Otherwise a non-nil error is returned.
For more information on Order creation see "Applying for Certificate Issuance" in RFC 8555: https://tools.ietf.org/html/rfc8555#section-7.4
func (*Client) Directory ¶
Directory fetches the ACME Directory resource from the ACME server and returns it deserialized as a map.
func (*Client) GetEndpointURL ¶
GetEndpintURL gets a URL for a specific ACME endpoint URL by first fetching the ACME server's directory and then checking that directory resource for the a key with the given name. If the key is found its value is returned along with a true bool. If the key is not found an empty string is returned with a false bool.
func (*Client) Nonce ¶
Nonce satisfies the JWS "NonceSource" interface by using a nonce stored by the client from previous responses. That nonce value will be returned after first getting a replacement nonce to store from the ACME server's NewNonce endpoint. This ensures a constant supply of fresh nonces by always fetching a replacement at the same time we use the old nonce.
func (*Client) PostAsGetURL ¶
func (c *Client) PostAsGetURL(url string) (*net.NetResponse, error)
func (*Client) RefreshNonce ¶
RefreshNonce fetches a new nonce from the ACME server's NewNonce endpoint and stores it in the client's memory to be used in subsequent Nonce calls.
func (*Client) Sign ¶
func (c *Client) Sign(url string, data []byte, opts *SigningOptions) (*SignResult, error)
Sign produces a SignResult by Signing the provided data (with a protected URL header) according to the SigningOptions provided. If no Signer is specified in the SigningOptions then the ActiveAccount's Signer is used. If the SigningOptions specify not to embed a JWK but do not specify a Key ID to use then the ActiveAccount's ID is used as the JWS Key ID. If the SigningOptions do not specify an explicit NonceSource the Client is used as the NonceSource.
func (*Client) UpdateAuthz ¶
func (c *Client) UpdateAuthz(authz *resources.Authorization) error
UpdateAuthz refreshes a given Authz by fetching its ID URL from the ACME server. If this is successful the Authz is updated in place. Otherwise an error is returned.
Calling UpdateAuthz is required to refresh an Authz's Status field to synchronize the resource with the server-side representation.
func (*Client) UpdateChallenge ¶
UpdateChallenge refreshes a given Challenge by fetching its URL from the ACME server. If this is successful the Challenge is updated in place. Otherwise an error is returned.
func (*Client) UpdateDirectory ¶
UpdateDirectory updates the Client's cached directory used when referencing the endpoints for updating nonces, creating accounts, and creating orders.
TODO(@cpu): I don't think it makes sense for both Directory and UpdateDirectory to be exported/defined on the client.
func (*Client) UpdateOrder ¶
UpdateOrder refreshes a given Order by fetching its ID URL from the ACME server. If this is successful the Order is mutated in place. Otherwise a nil Order and a non-nil error are returned.
Calling UpdateOrder is required to refresh an Order's Status field to synchronize the resource with the server-side representation.
type ClientConfig ¶
type ClientConfig struct {
// A fully qualified URL for the ACME server's directory resource. Must
// include an HTTP/HTTPS protocol prefix.
DirectoryURL string
// An optional file path to one or more PEM encoded CA certificates to be used
// as trust roots for HTTPS requests to the ACME server.
CACert string
// An optional email address to use if AutoRegister is true and an Account is
// created with the ACME server. It should not have a protocol prefix,
// acmeshell will automatically add a "mailto://" prefix. This field only
// supports one email address.
ContactEmail string
// An optional file path to a previously saved ACME Shell account. It will be
// loaded and used as the ActiveAccount. If provided this field takes
// precedence over AutoRegister and will prevent an account from being
// auto-registered even if AutoRegister is true.
AccountPath string
// If AutoRegister is true NewClient will automatically create a new Account
// with the ACME server and use it as the ActiveAccount. If ContactEmail is
// specified it will be used as the new ACME account's Contact mailto address.
AutoRegister bool
// If POSTAsGET is true then GET requests to Orders, Authorizations,
// Challenges and Certificates will be made as POST-as-GET requests. Using false
// is suggested when interacting with legacy pre RFC 8555 ACME servers. It
// will cause most requests to fail with modern RFC 8555 compatible servers.
POSTAsGET bool
// Initial OutputOptions settings
InitialOutput OutputOptions
}
ClientConfig contains configuration options provided to NewClient when creating a Client instance.
The DirectoryURL field is a string containing the URL for the ACME server's directory endpoint. This field is mandatory and must not be empty. It should be a fully qualified URL with a HTTP/HTTPS protocol prefix ("http://" or "https://"). See https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.7.1.1 for more information about the ACME directory resource.
The CACert field is an optional string containing a file path to a file containing one or more PEM encoded CA certificate that should be used as trust roots for HTTPS requests to the ACME server. If empty the default system roots are used. For example, if you are using Pebble as the ACME server, it should be the file path to the "test/certs/pebble.minica.pem" file from the Pebble source directory. If you are using a public ACME server with a trusted HTTPS certificate you should provide the path to a file containing the combination of all of the PEM encoded system trusted root CA certificates. Often this is something like "/etc/ssl/certs.pem".
The ContactEmail field is a string expected to contain a single email address or to be empty. It will be used as a "mailto://" contact address when auto-registering an ACME account. Because this field is only referenced during auto-registering an Account it is only used when AutoRegister is true. You can not include multiple email addresses in the ContactEmail field. For more complex account creation set AutoRegister to false and use the "newAccount" shell command.
The AccountPath field is a string expected to contain a file path for a previously saved Account, or to be empty. If the AccountPath field is populated NewClient will not auto-register an account (even when AutoRegister is true) and will instead load the Account serialized in the provided filepath. It will be the ActiveAccount once loaded.
type OutputOptions ¶
type OutputOptions struct {
// Print all HTTP requests made to the ACME server.
PrintRequests bool
// Print all HTTP responses from the ACME server.
PrintResponses bool
// Print all the input to JWS produced.
PrintSignedData bool
// Print the JSON serialization of all JWS produced.
PrintJWS bool
// Print HEAD requests to newNonce and the updated Replay-Nonce value.
PrintNonceUpdates bool
}
OutputOptions holds runtime output settings for a client.
type PEMCSR ¶
type PEMCSR string
PEMCSR is the PEM encoding of an x509 Certificate Signing Request (CSR)
type SignResult ¶
type SignResult struct {
// The url argument given to Sign.
InputURL string
// The data argument given to sign.
InputData []byte
// The JWS produced by signing the given data.
JWS *jose.JSONWebSignature
// The JWS in serialized form.
SerializedJWS []byte
}
SignResult holds the input and output from a Sign operation.
type SigningOptions ¶
type SigningOptions struct {
// If true, embed the Account's public key as a JWK in the signed JWS instead
// of using a KeyID header. This is useful for endpoints like NewAccount.
// Setting EmbedKey to true is mutually exclusive with a non-empty KeyID.
EmbedKey bool
// If not-empty, a KeyID value to use for the JWS Key ID header to identify the ACME
// account. If empty the Account's ID field will be used. Providing a KeyID is
// mutually exclusive with setting EmbedKey to true.
KeyID string
// A Signer to use to sign the JWS. The associated public key
// will be computed and used for the embedded JWK if EmbedKey is true.
Signer crypto.Signer
// NonceSource is a jose.NonceSource implementation that provides the
// Replay-Nonce header value for the produced JWS. Often this will be a Client
// instance.
NonceSource jose.NonceSource
}
SigningOptions allows specifying signature related options when calling an Account's Sign function.
Source Files