ACMEv2 POST-as-GET support

©! I, Hugo Landau <[email protected]>, hereby licence these changes under the
©! licence with SHA256 hash
©! fd80a26fbb3f644af1fa994134446702932968519797227e07a1368dea80f0bc.

Author: hlandau

cli/main.go

@@ -10,8 +10,6 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/hlandau/acmeapi"
-	"github.com/hlandau/acmeapi/acmeutils"
 	"github.com/hlandau/acmetool/hooks"
 	"github.com/hlandau/acmetool/interaction"
 	"github.com/hlandau/acmetool/redirector"
@@ -21,6 +19,8 @@ import (
 	"github.com/hlandau/dexlogconfig"
 	"github.com/hlandau/xlog"
 	"gopkg.in/alecthomas/kingpin.v2"
+	"gopkg.in/hlandau/acmeapi.v2"
+	"gopkg.in/hlandau/acmeapi.v2/acmeutils"
 	"gopkg.in/hlandau/easyconfig.v1/adaptflag"
 	"gopkg.in/hlandau/service.v2"
 	"gopkg.in/square/go-jose.v1"

cli/main_ig_test.go

@@ -4,11 +4,11 @@ package cli
 
 import (
 	"fmt"
-	//"github.com/hlandau/acmeapi"
-	"github.com/hlandau/acmeapi/pebbletest"
+	//"gopkg.in/hlandau/acmeapi.v2"
 	"github.com/hlandau/acmetool/interaction"
 	"github.com/hlandau/acmetool/responder"
 	"github.com/hlandau/acmetool/storageops"
+	"gopkg.in/hlandau/acmeapi.v2/pebbletest"
 	"io/ioutil"
 	"path/filepath"
 	"strings"

cli/quickstart.go

@@ -4,12 +4,12 @@ import (
 	"bytes"
 	"crypto/rand"
 	"fmt"
-	"github.com/hlandau/acmeapi"
-	"github.com/hlandau/acmeapi/acmeendpoints"
 	"github.com/hlandau/acmetool/hooks"
 	"github.com/hlandau/acmetool/interaction"
 	"github.com/hlandau/acmetool/storage"
 	"github.com/hlandau/acmetool/storageops"
+	"gopkg.in/hlandau/acmeapi.v2"
+	"gopkg.in/hlandau/acmeapi.v2/acmeendpoints"
 	"gopkg.in/hlandau/svcutils.v1/exepath"
 	"gopkg.in/hlandau/svcutils.v1/passwd"
 	"io/ioutil"

responder/dns.go

@@ -4,7 +4,7 @@ import (
 	"crypto"
 	"encoding/json"
 	"fmt"
-	"github.com/hlandau/acmeapi/acmeutils"
+	"gopkg.in/hlandau/acmeapi.v2/acmeutils"
 )
 
 type DNSChallengeInfo struct {

responder/http.go

@@ -6,10 +6,10 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"github.com/hlandau/acmeapi/acmeutils"
 	"github.com/hlandau/acmetool/responder/reshttp"
 	denet "github.com/hlandau/goutils/net"
 	deos "github.com/hlandau/goutils/os"
+	"gopkg.in/hlandau/acmeapi.v2/acmeutils"
 	"io/ioutil"
 	"net"
 	"net/http"

solver/order.go

@@ -3,11 +3,11 @@ package solver
 import (
 	"context"
 	"fmt"
-	"github.com/hlandau/acmeapi"
 	"github.com/hlandau/acmetool/responder"
 	"github.com/hlandau/acmetool/util"
 	denet "github.com/hlandau/goutils/net"
 	"github.com/hlandau/xlog"
+	"gopkg.in/hlandau/acmeapi.v2"
 	"sync"
 	"time"
 )
@@ -100,7 +100,7 @@ func orderProcess(ctx context.Context, rc *acmeapi.RealmClient, acct *acmeapi.Ac
 		}
 
 		// Get a fresh picture of the order status. orderAuthorizeAll doesn't refresh it.
-		err = rc.LoadOrder(ctx, order)
+		err = rc.LoadOrder(ctx, acct, order)
 		if err != nil {
 			return true, err
 		}

solver/preference.go

@@ -1,7 +1,7 @@
 package solver
 
 import (
-	"github.com/hlandau/acmeapi"
+	"gopkg.in/hlandau/acmeapi.v2"
 	"sort"
 )
 

solver/register.go

@@ -2,9 +2,9 @@ package solver
 
 import (
 	"fmt"
-	"github.com/hlandau/acmeapi"
 	"github.com/hlandau/acmetool/interaction"
 	"golang.org/x/net/context"
+	"gopkg.in/hlandau/acmeapi.v2"
 	"net/mail"
 )
 

storage/abs.go

@@ -44,7 +44,7 @@ type Store interface {
 
 	ImportKey(privateKey crypto.PrivateKey) (*Key, error)                              // Imports the key if it isn't already imported.
 	ImportAccount(directoryURL string, privateKey crypto.PrivateKey) (*Account, error) // Imports an account key if it isn't already imported.
-	ImportCertificate(url string) (*Certificate, error)                                // Imports a certificate if it isn't already imported.
+	ImportCertificate(acct *Account, url string) (*Certificate, error)                 // Imports a certificate if it isn't already imported.
 
 	SetPreferredCertificateForHostname(hostname string, c *Certificate) error
 

storage/storage-fdb.go

@@ -6,11 +6,11 @@ import (
 	"crypto"
 	"crypto/x509"
 	"fmt"
-	"github.com/hlandau/acmeapi"
-	"github.com/hlandau/acmeapi/acmeutils"
 	"github.com/hlandau/acmetool/fdb"
 	"github.com/hlandau/acmetool/util"
 	"github.com/hlandau/xlog"
+	"gopkg.in/hlandau/acmeapi.v2"
+	"gopkg.in/hlandau/acmeapi.v2/acmeutils"
 	"gopkg.in/yaml.v2"
 	"io"
 	"io/ioutil"
@@ -491,6 +491,18 @@ func (s *fdbStore) validateCert(certID string, c *fdb.Collection) error {
 		crt.Cached = true
 	}
 
+	acctLink, err := c.ReadLink("account")
+	if err == nil {
+		if !strings.HasPrefix(acctLink.Target, "accounts/") {
+			return fmt.Errorf("malformed certificate account symlink: %q %q", certID, acctLink.Target)
+		}
+
+		crt.Account = s.AccountByID(acctLink.Target[9:])
+		if crt.Account == nil {
+			log.Warnf("certificate directory %#v contains account reference %#v but no such account was found", certID, acctLink.Target)
+		}
+	}
+
 	s.certs[certID] = crt
 
 	return nil
@@ -775,20 +787,27 @@ func (s *fdbStore) ImportKey(privateKey crypto.PrivateKey) (*Key, error) {
 // Given a certificate URL, imports the certificate into the store. The
 // certificate will be retrieved on the next reconcile. If a certificate with
 // that URL already exists, this is a no-op and returns nil.
-func (s *fdbStore) ImportCertificate(url string) (*Certificate, error) {
+func (s *fdbStore) ImportCertificate(acct *Account, url string) (*Certificate, error) {
 	certID := determineCertificateID(url)
 	c, ok := s.certs[certID]
 	if ok {
 		return c, nil
 	}
 
-	err := fdb.WriteBytes(s.db.Collection("certs/"+certID), "url", []byte(url))
+	coll := s.db.Collection("certs/" + certID)
+	err := coll.WriteLink("account", fdb.Link{"accounts/" + acct.ID()})
+	if err != nil {
+		return nil, err
+	}
+
+	err = fdb.WriteBytes(coll, "url", []byte(url))
 	if err != nil {
 		return nil, err
 	}
 
 	c = &Certificate{
-		URL: url,
+		URL:     url,
+		Account: acct,
 	}
 
 	s.certs[certID] = c

storage/types.go

@@ -6,8 +6,8 @@ import (
 	"crypto/rsa"
 	"encoding/base32"
 	"fmt"
-	"github.com/hlandau/acmeapi"
 	"github.com/satori/go.uuid"
+	"gopkg.in/hlandau/acmeapi.v2"
 	"strings"
 )
 
@@ -250,6 +250,11 @@ type Certificate struct {
 	// N (for now). Whether this certificate has been revoked.
 	Revoked bool
 
+	// N. Now required due to need to support POST-as-GET. The account under
+	// which the certificate was requested. nil if this is unknown due to being a
+	// legacy certificate directory.
+	Account *Account
+
 	// D. Certificate data retrieved from URL, plus chained certificates.
 	// The end certificate comes first, the root last, etc.
 	Certificates [][]byte

storage/util.go

@@ -9,7 +9,7 @@ import (
 	"crypto/x509"
 	"encoding/base32"
 	"fmt"
-	"github.com/hlandau/acmeapi/acmeutils"
+	"gopkg.in/hlandau/acmeapi.v2/acmeutils"
 	"io"
 	"math/big"
 	"net/url"

storageops/reconcile.go

@@ -9,15 +9,15 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"fmt"
-	"github.com/hlandau/acmeapi"
-	"github.com/hlandau/acmeapi/acmeendpoints"
 	"github.com/hlandau/acmetool/hooks"
 	"github.com/hlandau/acmetool/responder"
 	"github.com/hlandau/acmetool/solver"
 	"github.com/hlandau/acmetool/storage"
 	"github.com/hlandau/acmetool/util"
 	"github.com/hlandau/xlog"
 	"github.com/jmhodges/clock"
+	"gopkg.in/hlandau/acmeapi.v2"
+	"gopkg.in/hlandau/acmeapi.v2/acmeendpoints"
 	"net/http"
 	"path/filepath"
 	"sort"
@@ -458,7 +458,7 @@ func (r *reconcile) requestCertificateForTarget(t *storage.Target) error {
 		return err
 	}
 
-	c, err := r.store.ImportCertificate(order.URL)
+	c, err := r.store.ImportCertificate(acct, order.URL)
 	if err != nil {
 		log.Errore(err, "could not import certificate")
 		return err
@@ -590,14 +590,26 @@ func (r *reconcile) generateOrGetKey(trk *storage.TargetRequestKey) (crypto.Priv
 func (r *reconcile) downloadCertificateAdaptive(c *storage.Certificate) error {
 	log.Debugf("downloading certificate %v", c)
 
-	cl, err := r.getGenericClient()
+	if c.Account == nil {
+		return fmt.Errorf("cannot download certificate because it is unknown which account requested it: %v", c)
+	}
+
+	cl, err := r.getClientForDirectoryURL(c.Account.DirectoryURL)
 	if err != nil {
 		return err
 	}
 
+	acctAPI := c.Account.ToAPI()
+	if acctAPI.URL == "" {
+		err = cl.LocateAccount(context.TODO(), acctAPI)
+		if err != nil {
+			return err
+		}
+	}
+
 	order := &acmeapi.Order{}
 	cert := &acmeapi.Certificate{}
-	isCert, err := cl.LoadOrderOrCertificate(context.TODO(), c.URL, order, cert)
+	isCert, err := cl.LoadOrderOrCertificate(context.TODO(), c.URL, acctAPI, order, cert)
 	if err != nil {
 		return err
 	}
@@ -621,7 +633,7 @@ func (r *reconcile) downloadCertificateAdaptive(c *storage.Certificate) error {
 				return err
 			}
 
-			err = cl.WaitLoadOrder(context.TODO(), order)
+			err = cl.WaitLoadOrder(context.TODO(), acctAPI, order)
 			if err != nil {
 				return err
 			}
@@ -640,7 +652,7 @@ func (r *reconcile) downloadCertificateAdaptive(c *storage.Certificate) error {
 			URL: order.CertificateURL,
 		}
 
-		err = cl.LoadCertificate(context.TODO(), cert)
+		err = cl.LoadCertificate(context.TODO(), acctAPI, cert)
 		if err != nil {
 			return err
 		}