// Copyright 2015 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Package acme provides an implementation of the // Automatic Certificate Management Environment (ACME) spec, // most famously used by Let's Encrypt. // // The initial implementation of this package was based on an early version // of the spec. The current implementation supports only the modern // RFC 8555 but some of the old API surface remains for compatibility. // While code using the old API will still compile, it will return an error. // Note the deprecation comments to update your code. // // See https://tools.ietf.org/html/rfc8555 for the spec. // // Most common scenarios will want to use autocert subdirectory instead, // which provides automatic access to certificates from Let's Encrypt // and any other ACME-based CA. package acme import ( "context" "crypto" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/sha256" "crypto/tls" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" "encoding/base64" "encoding/hex" "encoding/json" "encoding/pem" "errors" "fmt" "math/big" "net/http" "strings" "sync" "time" ) const ( // LetsEncryptURL is the Directory endpoint of Let's Encrypt CA. LetsEncryptURL = "https://acme-v02.api.letsencrypt.org/directory" // ALPNProto is the ALPN protocol name used by a CA server when validating // tls-alpn-01 challenges. // // Package users must ensure their servers can negotiate the ACME ALPN in // order for tls-alpn-01 challenge verifications to succeed. // See the crypto/tls package's Config.NextProtos field. ALPNProto = "acme-tls/1" ) // idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge. // https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1 var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} const ( maxChainLen = 5 // max depth and breadth of a certificate chain maxCertSize = 1 << 20 // max size of a certificate, in DER bytes // Used for decoding certs from application/pem-certificate-chain response, // the default when in RFC mode. maxCertChainSize = maxCertSize * maxChainLen // Max number of collected nonces kept in memory. // Expect usual peak of 1 or 2. maxNonces = 100 ) // Client is an ACME client. // // The only required field is Key. An example of creating a client with a new key // is as follows: // // key, err := rsa.GenerateKey(rand.Reader, 2048) // if err != nil { // log.Fatal(err) // } // client := &Client{Key: key} type Client struct { // Key is the account key used to register with a CA and sign requests. // Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey. // // The following algorithms are supported: // RS256, ES256, ES384 and ES512. // See RFC 7518 for more details about the algorithms. Key crypto.Signer // HTTPClient optionally specifies an HTTP client to use // instead of http.DefaultClient. HTTPClient *http.Client // DirectoryURL points to the CA directory endpoint. // If empty, LetsEncryptURL is used. // Mutating this value after a successful call of Client's Discover method // will have no effect. DirectoryURL string // RetryBackoff computes the duration after which the nth retry of a failed request // should occur. The value of n for the first call on failure is 1. // The values of r and resp are the request and response of the last failed attempt. // If the returned value is negative or zero, no more retries are done and an error // is returned to the caller of the original method. // // Requests which result in a 4xx client error are not retried, // except for 400 Bad Request due to "bad nonce" errors and 429 Too Many Requests. // // If RetryBackoff is nil, a truncated exponential backoff algorithm // with the ceiling of 10 seconds is used, where each subsequent retry n // is done after either ("Retry-After" + jitter) or (2^n seconds + jitter), // preferring the former if "Retry-After" header is found in the resp. // The jitter is a random value up to 1 second. RetryBackoff func(n int, r *http.Request, resp *http.Response) time.Duration // UserAgent is prepended to the User-Agent header sent to the ACME server, // which by default is this package's name and version. // // Reusable libraries and tools in particular should set this value to be // identifiable by the server, in case they are causing issues. UserAgent string cacheMu sync.Mutex dir *Directory // cached result of Client's Discover method // KID is the key identifier provided by the CA. If not provided it will be // retrieved from the CA by making a call to the registration endpoint. KID KeyID noncesMu sync.Mutex nonces map[string]struct{} // nonces collected from previous responses } // accountKID returns a key ID associated with c.Key, the account identity // provided by the CA during RFC based registration. // It assumes c.Discover has already been called. // // accountKID requires at most one network roundtrip. // It caches only successful result. // // When in pre-RFC mode or when c.getRegRFC responds with an error, accountKID // returns noKeyID. func (c *Client) accountKID(ctx context.Context) KeyID { c.cacheMu.Lock() defer c.cacheMu.Unlock() if c.KID != noKeyID { return c.KID } a, err := c.getRegRFC(ctx) if err != nil { return noKeyID } c.KID = KeyID(a.URI) return c.KID } var errPreRFC = errors.New("acme: server does not support the RFC 8555 version of ACME") // Discover performs ACME server discovery using c.DirectoryURL. // // It caches successful result. So, subsequent calls will not result in // a network round-trip. This also means mutating c.DirectoryURL after successful call // of this method will have no effect. func (c *Client) Discover(ctx context.Context) (Directory, error) { c.cacheMu.Lock() defer c.cacheMu.Unlock() if c.dir != nil { return *c.dir, nil } res, err := c.get(ctx, c.directoryURL(), wantStatus(http.StatusOK)) if err != nil { return Directory{}, err } defer res.Body.Close() c.addNonce(res.Header) var v struct { Reg string `json:"newAccount"` Authz string `json:"newAuthz"` Order string `json:"newOrder"` Revoke string `json:"revokeCert"` Nonce string `json:"newNonce"` KeyChange string `json:"keyChange"` RenewalInfo string `json:"renewalInfo"` Meta struct { Terms string `json:"termsOfService"` Website string `json:"website"` CAA []string `json:"caaIdentities"` ExternalAcct bool `json:"externalAccountRequired"` } } if err := json.NewDecoder(res.Body).Decode(&v); err != nil { return Directory{}, err } if v.Order == "" { return Directory{}, errPreRFC } c.dir = &Directory{ RegURL: v.Reg, AuthzURL: v.Authz, OrderURL: v.Order, RevokeURL: v.Revoke, NonceURL: v.Nonce, KeyChangeURL: v.KeyChange, RenewalInfoURL: v.RenewalInfo, Terms: v.Meta.Terms, Website: v.Meta.Website, CAA: v.Meta.CAA, ExternalAccountRequired: v.Meta.ExternalAcct, } return *c.dir, nil } func (c *Client) directoryURL() string { if c.DirectoryURL != "" { return c.DirectoryURL } return LetsEncryptURL } // CreateCert was part of the old version of ACME. It is incompatible with RFC 8555. // // Deprecated: this was for the pre-RFC 8555 version of ACME. Callers should use CreateOrderCert. func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, bundle bool) (der [][]byte, certURL string, err error) { return nil, "", errPreRFC } // FetchCert retrieves already issued certificate from the given url, in DER format. // It retries the request until the certificate is successfully retrieved, // context is cancelled by the caller or an error response is received. // // If the bundle argument is true, the returned value also contains the CA (issuer) // certificate chain. // // FetchCert returns an error if the CA's response or chain was unreasonably large. // Callers are encouraged to parse the returned value to ensure the certificate is valid // and has expected features. func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } return c.fetchCertRFC(ctx, url, bundle) } // RevokeCert revokes a previously issued certificate cert, provided in DER format. // // The key argument, used to sign the request, must be authorized // to revoke the certificate. It's up to the CA to decide which keys are authorized. // For instance, the key pair of the certificate may be authorized. // If the key is nil, c.Key is used instead. func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error { if _, err := c.Discover(ctx); err != nil { return err } return c.revokeCertRFC(ctx, key, cert, reason) } // FetchRenewalInfo retrieves the RenewalInfo from Directory.RenewalInfoURL. func (c *Client) FetchRenewalInfo(ctx context.Context, leaf []byte) (*RenewalInfo, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } parsedLeaf, err := x509.ParseCertificate(leaf) if err != nil { return nil, fmt.Errorf("parsing leaf certificate: %w", err) } renewalURL, err := c.getRenewalURL(parsedLeaf) if err != nil { return nil, fmt.Errorf("generating renewal info URL: %w", err) } res, err := c.get(ctx, renewalURL, wantStatus(http.StatusOK)) if err != nil { return nil, fmt.Errorf("fetching renewal info: %w", err) } defer res.Body.Close() var info RenewalInfo if err := json.NewDecoder(res.Body).Decode(&info); err != nil { return nil, fmt.Errorf("parsing renewal info response: %w", err) } return &info, nil } func (c *Client) getRenewalURL(cert *x509.Certificate) (string, error) { // See https://www.ietf.org/archive/id/draft-ietf-acme-ari-04.html#name-the-renewalinfo-resource // for how the request URL is built. url := c.dir.RenewalInfoURL if !strings.HasSuffix(url, "/") { url += "/" } aki := base64.RawURLEncoding.EncodeToString(cert.AuthorityKeyId) serial := base64.RawURLEncoding.EncodeToString(cert.SerialNumber.Bytes()) return fmt.Sprintf("%s%s.%s", url, aki, serial), nil } // AcceptTOS always returns true to indicate the acceptance of a CA's Terms of Service // during account registration. See Register method of Client for more details. func AcceptTOS(tosURL string) bool { return true } // Register creates a new account with the CA using c.Key. // It returns the registered account. The account acct is not modified. // // The registration may require the caller to agree to the CA's Terms of Service (TOS). // If so, and the account has not indicated the acceptance of the terms (see Account for details), // Register calls prompt with a TOS URL provided by the CA. Prompt should report // whether the caller agrees to the terms. To always accept the terms, the caller can use AcceptTOS. // // When interfacing with an RFC-compliant CA, non-RFC 8555 fields of acct are ignored // and prompt is called if Directory's Terms field is non-zero. // Also see Error's Instance field for when a CA requires already registered accounts to agree // to an updated Terms of Service. func (c *Client) Register(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) { if c.Key == nil { return nil, errors.New("acme: client.Key must be set to Register") } if _, err := c.Discover(ctx); err != nil { return nil, err } return c.registerRFC(ctx, acct, prompt) } // GetReg retrieves an existing account associated with c.Key. // // The url argument is a legacy artifact of the pre-RFC 8555 API // and is ignored. func (c *Client) GetReg(ctx context.Context, url string) (*Account, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } return c.getRegRFC(ctx) } // UpdateReg updates an existing registration. // It returns an updated account copy. The provided account is not modified. // // The account's URI is ignored and the account URL associated with // c.Key is used instead. func (c *Client) UpdateReg(ctx context.Context, acct *Account) (*Account, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } return c.updateRegRFC(ctx, acct) } // AccountKeyRollover attempts to transition a client's account key to a new key. // On success client's Key is updated which is not concurrency safe. // On failure an error will be returned. // The new key is already registered with the ACME provider if the following is true: // - error is of type acme.Error // - StatusCode should be 409 (Conflict) // - Location header will have the KID of the associated account // // More about account key rollover can be found at // https://tools.ietf.org/html/rfc8555#section-7.3.5. func (c *Client) AccountKeyRollover(ctx context.Context, newKey crypto.Signer) error { return c.accountKeyRollover(ctx, newKey) } // Authorize performs the initial step in the pre-authorization flow, // as opposed to order-based flow. // The caller will then need to choose from and perform a set of returned // challenges using c.Accept in order to successfully complete authorization. // // Once complete, the caller can use AuthorizeOrder which the CA // should provision with the already satisfied authorization. // For pre-RFC CAs, the caller can proceed directly to requesting a certificate // using CreateCert method. // // If an authorization has been previously granted, the CA may return // a valid authorization which has its Status field set to StatusValid. // // More about pre-authorization can be found at // https://tools.ietf.org/html/rfc8555#section-7.4.1. func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) { return c.authorize(ctx, "dns", domain) } // AuthorizeIP is the same as Authorize but requests IP address authorization. // Clients which successfully obtain such authorization may request to issue // a certificate for IP addresses. // // See the ACME spec extension for more details about IP address identifiers: // https://tools.ietf.org/html/draft-ietf-acme-ip. func (c *Client) AuthorizeIP(ctx context.Context, ipaddr string) (*Authorization, error) { return c.authorize(ctx, "ip", ipaddr) } func (c *Client) authorize(ctx context.Context, typ, val string) (*Authorization, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } type authzID struct { Type string `json:"type"` Value string `json:"value"` } req := struct { Resource string `json:"resource"` Identifier authzID `json:"identifier"` }{ Resource: "new-authz", Identifier: authzID{Type: typ, Value: val}, } res, err := c.post(ctx, nil, c.dir.AuthzURL, req, wantStatus(http.StatusCreated)) if err != nil { return nil, err } defer res.Body.Close() var v wireAuthz if err := json.NewDecoder(res.Body).Decode(&v); err != nil { return nil, fmt.Errorf("acme: invalid response: %v", err) } if v.Status != StatusPending && v.Status != StatusValid { return nil, fmt.Errorf("acme: unexpected status: %s", v.Status) } return v.authorization(res.Header.Get("Location")), nil } // GetAuthorization retrieves an authorization identified by the given URL. // // If a caller needs to poll an authorization until its status is final, // see the WaitAuthorization method. func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK)) if err != nil { return nil, err } defer res.Body.Close() var v wireAuthz if err := json.NewDecoder(res.Body).Decode(&v); err != nil { return nil, fmt.Errorf("acme: invalid response: %v", err) } return v.authorization(url), nil } // RevokeAuthorization relinquishes an existing authorization identified // by the given URL. // The url argument is an Authorization.URI value. // // If successful, the caller will be required to obtain a new authorization // using the Authorize or AuthorizeOrder methods before being able to request // a new certificate for the domain associated with the authorization. // // It does not revoke existing certificates. func (c *Client) RevokeAuthorization(ctx context.Context, url string) error { if _, err := c.Discover(ctx); err != nil { return err } req := struct { Resource string `json:"resource"` Status string `json:"status"` Delete bool `json:"delete"` }{ Resource: "authz", Status: "deactivated", Delete: true, } res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK)) if err != nil { return err } defer res.Body.Close() return nil } // WaitAuthorization polls an authorization at the given URL // until it is in one of the final states, StatusValid or StatusInvalid, // the ACME CA responded with a 4xx error code, or the context is done. // // It returns a non-nil Authorization only if its Status is StatusValid. // In all other cases WaitAuthorization returns an error. // If the Status is StatusInvalid, the returned error is of type *AuthorizationError. func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } for { res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted)) if err != nil { return nil, err } var raw wireAuthz err = json.NewDecoder(res.Body).Decode(&raw) res.Body.Close() switch { case err != nil: // Skip and retry. case raw.Status == StatusValid: return raw.authorization(url), nil case raw.Status == StatusInvalid: return nil, raw.error(url) } // Exponential backoff is implemented in c.get above. // This is just to prevent continuously hitting the CA // while waiting for a final authorization status. d := retryAfter(res.Header.Get("Retry-After")) if d == 0 { // Given that the fastest challenges TLS-SNI and HTTP-01 // require a CA to make at least 1 network round trip // and most likely persist a challenge state, // this default delay seems reasonable. d = time.Second } t := time.NewTimer(d) select { case <-ctx.Done(): t.Stop() return nil, ctx.Err() case <-t.C: // Retry. } } } // GetChallenge retrieves the current status of an challenge. // // A client typically polls a challenge status using this method. func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted)) if err != nil { return nil, err } defer res.Body.Close() v := wireChallenge{URI: url} if err := json.NewDecoder(res.Body).Decode(&v); err != nil { return nil, fmt.Errorf("acme: invalid response: %v", err) } return v.challenge(), nil } // Accept informs the server that the client accepts one of its challenges // previously obtained with c.Authorize. // // The server will then perform the validation asynchronously. func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error) { if _, err := c.Discover(ctx); err != nil { return nil, err } res, err := c.post(ctx, nil, chal.URI, json.RawMessage("{}"), wantStatus( http.StatusOK, // according to the spec http.StatusAccepted, // Let's Encrypt: see https://goo.gl/WsJ7VT (acme-divergences.md) )) if err != nil { return nil, err } defer res.Body.Close() var v wireChallenge if err := json.NewDecoder(res.Body).Decode(&v); err != nil { return nil, fmt.Errorf("acme: invalid response: %v", err) } return v.challenge(), nil } // DNS01ChallengeRecord returns a DNS record value for a dns-01 challenge response. // A TXT record containing the returned value must be provisioned under // "_acme-challenge" name of the domain being validated. // // The token argument is a Challenge.Token value. func (c *Client) DNS01ChallengeRecord(token string) (string, error) { ka, err := keyAuth(c.Key.Public(), token) if err != nil { return "", err } b := sha256.Sum256([]byte(ka)) return base64.RawURLEncoding.EncodeToString(b[:]), nil } // HTTP01ChallengeResponse returns the response for an http-01 challenge. // Servers should respond with the value to HTTP requests at the URL path // provided by HTTP01ChallengePath to validate the challenge and prove control // over a domain name. // // The token argument is a Challenge.Token value. func (c *Client) HTTP01ChallengeResponse(token string) (string, error) { return keyAuth(c.Key.Public(), token) } // HTTP01ChallengePath returns the URL path at which the response for an http-01 challenge // should be provided by the servers. // The response value can be obtained with HTTP01ChallengeResponse. // // The token argument is a Challenge.Token value. func (c *Client) HTTP01ChallengePath(token string) string { return "/.well-known/acme-challenge/" + token } // TLSSNI01ChallengeCert creates a certificate for TLS-SNI-01 challenge response. // // Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec. func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) { ka, err := keyAuth(c.Key.Public(), token) if err != nil { return tls.Certificate{}, "", err } b := sha256.Sum256([]byte(ka)) h := hex.EncodeToString(b[:]) name = fmt.Sprintf("%s.%s.acme.invalid", h[:32], h[32:]) cert, err = tlsChallengeCert([]string{name}, opt) if err != nil { return tls.Certificate{}, "", err } return cert, name, nil } // TLSSNI02ChallengeCert creates a certificate for TLS-SNI-02 challenge response. // // Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec. func (c *Client) TLSSNI02ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) { b := sha256.Sum256([]byte(token)) h := hex.EncodeToString(b[:]) sanA := fmt.Sprintf("%s.%s.token.acme.invalid", h[:32], h[32:]) ka, err := keyAuth(c.Key.Public(), token) if err != nil { return tls.Certificate{}, "", err } b = sha256.Sum256([]byte(ka)) h = hex.EncodeToString(b[:]) sanB := fmt.Sprintf("%s.%s.ka.acme.invalid", h[:32], h[32:]) cert, err = tlsChallengeCert([]string{sanA, sanB}, opt) if err != nil { return tls.Certificate{}, "", err } return cert, sanA, nil } // TLSALPN01ChallengeCert creates a certificate for TLS-ALPN-01 challenge response. // Servers can present the certificate to validate the challenge and prove control // over a domain name. For more details on TLS-ALPN-01 see // https://tools.ietf.org/html/draft-shoemaker-acme-tls-alpn-00#section-3 // // The token argument is a Challenge.Token value. // If a WithKey option is provided, its private part signs the returned cert, // and the public part is used to specify the signee. // If no WithKey option is provided, a new ECDSA key is generated using P-256 curve. // // The returned certificate is valid for the next 24 hours and must be presented only when // the server name in the TLS ClientHello matches the domain, and the special acme-tls/1 ALPN protocol // has been specified. func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption) (cert tls.Certificate, err error) { ka, err := keyAuth(c.Key.Public(), token) if err != nil { return tls.Certificate{}, err } shasum := sha256.Sum256([]byte(ka)) extValue, err := asn1.Marshal(shasum[:]) if err != nil { return tls.Certificate{}, err } acmeExtension := pkix.Extension{ Id: idPeACMEIdentifier, Critical: true, Value: extValue, } tmpl := defaultTLSChallengeCertTemplate() var newOpt []CertOption for _, o := range opt { switch o := o.(type) { case *certOptTemplate: t := *(*x509.Certificate)(o) // shallow copy is ok tmpl = &t default: newOpt = append(newOpt, o) } } tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, acmeExtension) newOpt = append(newOpt, WithTemplate(tmpl)) return tlsChallengeCert([]string{domain}, newOpt) } // popNonce returns a nonce value previously stored with c.addNonce // or fetches a fresh one from c.dir.NonceURL. // If NonceURL is empty, it first tries c.directoryURL() and, failing that, // the provided url. func (c *Client) popNonce(ctx context.Context, url string) (string, error) { c.noncesMu.Lock() defer c.noncesMu.Unlock() if len(c.nonces) == 0 { if c.dir != nil && c.dir.NonceURL != "" { return c.fetchNonce(ctx, c.dir.NonceURL) } dirURL := c.directoryURL() v, err := c.fetchNonce(ctx, dirURL) if err != nil && url != dirURL { v, err = c.fetchNonce(ctx, url) } return v, err } var nonce string for nonce = range c.nonces { delete(c.nonces, nonce) break } return nonce, nil } // clearNonces clears any stored nonces func (c *Client) clearNonces() { c.noncesMu.Lock() defer c.noncesMu.Unlock() c.nonces = make(map[string]struct{}) } // addNonce stores a nonce value found in h (if any) for future use. func (c *Client) addNonce(h http.Header) { v := nonceFromHeader(h) if v == "" { return } c.noncesMu.Lock() defer c.noncesMu.Unlock() if len(c.nonces) >= maxNonces { return } if c.nonces == nil { c.nonces = make(map[string]struct{}) } c.nonces[v] = struct{}{} } func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) { r, err := http.NewRequest("HEAD", url, nil) if err != nil { return "", err } resp, err := c.doNoRetry(ctx, r) if err != nil { return "", err } defer resp.Body.Close() nonce := nonceFromHeader(resp.Header) if nonce == "" { if resp.StatusCode > 299 { return "", responseError(resp) } return "", errors.New("acme: nonce not found") } return nonce, nil } func nonceFromHeader(h http.Header) string { return h.Get("Replay-Nonce") } // linkHeader returns URI-Reference values of all Link headers // with relation-type rel. // See https://tools.ietf.org/html/rfc5988#section-5 for details. func linkHeader(h http.Header, rel string) []string { var links []string for _, v := range h["Link"] { parts := strings.Split(v, ";") for _, p := range parts { p = strings.TrimSpace(p) if !strings.HasPrefix(p, "rel=") { continue } if v := strings.Trim(p[4:], `"`); v == rel { links = append(links, strings.Trim(parts[0], "<>")) } } } return links } // keyAuth generates a key authorization string for a given token. func keyAuth(pub crypto.PublicKey, token string) (string, error) { th, err := JWKThumbprint(pub) if err != nil { return "", err } return fmt.Sprintf("%s.%s", token, th), nil } // defaultTLSChallengeCertTemplate is a template used to create challenge certs for TLS challenges. func defaultTLSChallengeCertTemplate() *x509.Certificate { return &x509.Certificate{ SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, } } // tlsChallengeCert creates a temporary certificate for TLS-SNI challenges // with the given SANs and auto-generated public/private key pair. // The Subject Common Name is set to the first SAN to aid debugging. // To create a cert with a custom key pair, specify WithKey option. func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) { var key crypto.Signer tmpl := defaultTLSChallengeCertTemplate() for _, o := range opt { switch o := o.(type) { case *certOptKey: if key != nil { return tls.Certificate{}, errors.New("acme: duplicate key option") } key = o.key case *certOptTemplate: t := *(*x509.Certificate)(o) // shallow copy is ok tmpl = &t default: // package's fault, if we let this happen: panic(fmt.Sprintf("unsupported option type %T", o)) } } if key == nil { var err error if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { return tls.Certificate{}, err } } tmpl.DNSNames = san if len(san) > 0 { tmpl.Subject.CommonName = san[0] } der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) if err != nil { return tls.Certificate{}, err } return tls.Certificate{ Certificate: [][]byte{der}, PrivateKey: key, }, nil } // encodePEM returns b encoded as PEM with block of type typ. func encodePEM(typ string, b []byte) []byte { pb := &pem.Block{Type: typ, Bytes: b} return pem.EncodeToMemory(pb) } // timeNow is time.Now, except in tests which can mess with it. var timeNow = time.Now