[INC-263] Fallback to SHA-256

.eslintrc

@@ -77,7 +77,7 @@
         "eqeqeq": "error",
         "grouped-accessor-pairs": "warn",
         "guard-for-in": "warn",
-        "max-classes-per-file": ["error", 1],
+        "max-classes-per-file": "off",
         "max-lines-per-function": "off",
         "no-alert": "error",
         "no-caller": "error",
@@ -359,7 +359,7 @@
         "lodash/chain-style": ["error", "as-needed"],
         "lodash/chaining": ["error", "always", 3],
         "lodash/consistent-compose": ["error", "flow"],
-        "lodash/identity-shorthand": ["error", "always"],
+        "lodash/identity-shorthand": "off",
         "lodash/import-scope": "off",
         "lodash/matches-prop-shorthand": ["error", "always"],
         "lodash/matches-shorthand": ["error", "always", 3],

index.js

@@ -0,0 +1,4 @@
+const LetsEncryptManager = require('./lib/LetsEncryptManager');
+
+module.exports = LetsEncryptManager;
+

lib/AccountsManager.js

@@ -0,0 +1,107 @@
+const _ = require('lodash'),
+    async = require('async'),
+
+    { generateKey, formatKey, jwkToKey } = require('./util/crypto'),
+    { AcmeError } = require('./util/errors');
+
+class AccountsManager {
+    constructor (manager) {
+        this.manager = manager;
+    }
+
+    _register (key, email, tos, done) {
+        let payload = {
+                termsOfServiceAgreed: tos,
+                contact: [
+                    `mailto:${email}`
+                ]
+            },
+            protectedHeader = {
+                jwk: key.toJWK(false)
+            };
+
+        this.manager.requester.signedRequest({
+            resourceName: 'newAccount',
+            key: key,
+            payload: payload,
+            method: 'POST',
+            protectedHeader: protectedHeader
+        },
+        (err, result) => {
+            if (err) { return done(err); }
+
+            if (_.get(result, 'data.status') !== 'valid') {
+                return done(new AcmeError('Error creating new account', result));
+            }
+
+            let account = {
+                id: result.location,
+                meta: _.pick(result.data, ['contact', 'initialIp', 'createdAt', 'status'])
+            };
+
+            return done(null, { account: account, nonce: result.nonce });
+        });
+    }
+
+    registerAccount (email, tos, done) {
+        async.auto({
+            key: (next) => {
+                next(null, generateKey());
+            },
+            register: ['key', (results, next) => {
+                this._register(results.key, email, tos, next);
+            }],
+            storeKeypair: ['register', (results, next) => {
+                let opts = { email },
+                    keypair = formatKey(results.key);
+
+                this.manager.store.accounts.setKeypair(opts, keypair, next);
+            }],
+            store: ['storeKeypair', (results, next) => {
+                let opts = { email },
+                    formattedKey = formatKey(results.key),
+                    accountId = _.get(results.register, 'account.id'),
+                    registration = {
+                        keypair: formattedKey,
+                        receipt: {
+                            accountId: accountId,
+                            meta: _.get(results.register, 'account.meta', {})
+                        }
+                    };
+
+                this.manager.store.accounts.set(opts, registration, (err) => {
+                    if (err) { return next(err); }
+
+                    return next(null, { keypair: formattedKey, accountId: accountId });
+                });
+            }]
+        },
+        (err, results) => {
+            if (err) { return done(err); }
+
+            return done(null, {
+                key: results.key,
+                id: _.get(results.register, 'account.id')
+            });
+        });
+    }
+
+
+    getAccount (email, tos, done) {
+        this.manager.store.accounts.check({ email }, (err, data) => {
+            if (err) { return done(err); }
+
+            if (data && data.keypair) {
+                return done(null, {
+                    key: jwkToKey(data.keypair.privateKeyJwk),
+                    id: _.get(data, 'receipt.accountId')
+                });
+            }
+
+            this.registerAccount(email, tos, done);
+        });
+    }
+}
+
+module.exports = AccountsManager;
+

lib/CertificateManager.js

@@ -0,0 +1,155 @@
+const _ = require('lodash'),
+    async = require('async'),
+    moment = require('moment'),
+    { pki } = require('node-forge'),
+
+    Order = require('./Order'),
+    { generateKey, formatKey, generateCSR } = require('./util/crypto'),
+    { LCMError } = require('./util/errors');
+
+class CertificateManager {
+    constructor (manager) {
+        this.manager = manager;
+    }
+
+    static getCertificateExpiry (certificate) {
+        let pem = pki.certificateFromPem(certificate);
+
+        return moment.utc(pem.validity.notAfter);
+    }
+
+    static certificateRequiresRenewal (certificate, validityThreshold) {
+        let expiry = CertificateManager.getCertificateExpiry(certificate);
+
+        return expiry.diff(moment.utc(), 'd') < validityThreshold;
+    }
+
+    static formatDownloadedCertificate (downloadedCertificate) {
+        let regex = /^-+BEGIN CERTIFICATE[\s\S]+-+END CERTIFICATE-+[\n\r]{1}/,
+            certificate,
+            chain,
+            match;
+
+        downloadedCertificate = downloadedCertificate.trim();
+        match = downloadedCertificate.match(regex);
+
+        certificate = match.slice()[0];
+        chain = downloadedCertificate.substring(certificate.length + 1);
+
+        return {
+            certificate: certificate.trim(),
+            chain: chain.trim()
+        };
+    }
+
+    get (domain, email, tnc, done) {
+        this.manager.store.certificates.check({ domains: [domain] }, (err, certificate) => {
+            if (err) { return done(err); }
+
+            if (!certificate) {
+                return this.register(domain, email, tnc, (err, issuedCertificate) => {
+                    if (err) { return done(err); }
+
+                    return done(null, issuedCertificate, {
+                        issued: true,
+                        renewed: false
+                    });
+                });
+            }
+
+            let renew;
+
+            try {
+                renew = CertificateManager.certificateRequiresRenewal(certificate.cert, 30);
+            }
+            catch (certificateParseError) {
+                return done(new LCMError('Error parsing certificate', {
+                    domain
+                }));
+            }
+
+            if (renew) {
+                return this.register(domain, email, tnc, (err, renewedCertificate) => {
+                    if (err) { return done(err); }
+
+                    return done(null, renewedCertificate, {
+                        issued: true,
+                        renewed: true
+                    });
+                });
+            }
+
+            return done(null, _.pick(certificate, ['cert', 'chain', 'privkey']), { issued: false, renewed: false });
+        });
+    }
+
+    _getKeypair (domain, email, done) {
+        this.manager.store.certificates.checkKeypair({ domains: [domain] }, (err, keypair) => {
+            if (err) { return done(err); }
+
+            if (keypair) { return done(null, keypair); }
+
+            let generatedKeypair = formatKey(generateKey());
+
+            this.manager.store.certificates.setKeypair({
+                domains: [domain],
+                email: email
+            }, generatedKeypair,
+            (keypairStoreErr) => {
+                if (keypairStoreErr) { return done(err); }
+
+                return done(null, generatedKeypair);
+            });
+        });
+    }
+
+    register (domain, email, tos, done) {
+        async.auto({
+            keypair: (next) => {
+                this._getKeypair(domain, email, next);
+            },
+            account: (next) => {
+                this.manager.accountsManager.getAccount(email, tos, next);
+            },
+            csr: ['keypair', (results, next) => {
+                let { privateKeyPem, publicKeyPem } = results.keypair;
+
+                return next(null, generateCSR(privateKeyPem, publicKeyPem, domain));
+            }],
+            order: ['csr', 'account', (results, next) => {
+                let order = new Order(results.account, domain, results.csr, this.manager.requester, {
+                    type: this.manager.challengeType,
+                    manager: this.manager.challengeManager
+                });
+
+                order.procure((err, downloadedCertificate) => {
+                    if (err) { return next(err); }
+
+                    return next(null, CertificateManager.formatDownloadedCertificate(downloadedCertificate));
+                });
+            }],
+            store: ['order', (results, next) => {
+                this.manager.store.certificates.set({
+                    pems: {
+                        cert: results.order.certificate,
+                        chain: results.order.chain,
+                        privkey: results.keypair.privateKeyPem
+                    },
+                    domains: [domain],
+                    email: email
+                }, next);
+            }]
+        },
+        (err, results) => {
+            if (err) { return done(err); }
+
+            let { chain, certificate: cert } = results.order,
+                { privateKeyPem: privkey } = results.keypair;
+
+            return done(null, { chain, cert, privkey });
+        });
+    }
+}
+
+module.exports = CertificateManager;
+

lib/LetsEncryptManager.js

@@ -0,0 +1,102 @@
+const _ = require('lodash'),
+    { isEmail, isFQDN } = require('validator'),
+
+    AccountsManager = require('./AccountsManager'),
+    CertificateManager = require('./CertificateManager'),
+
+    Requester = require('./util/requester'),
+    { LCMError } = require('./util/errors'),
+
+    LE_ENVIRONMENTS = {
+        staging: {
+            directoryUrl: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+        },
+        production: {
+            directoryUrl: 'https://acme-v02.api.letsencrypt.org/directory'
+        }
+    },
+
+    DEFAULT_ENVIRONMENT = 'staging';
+
+class LetsEncryptManager {
+    constructor (options) {
+        this.environment = _.get(LE_ENVIRONMENTS, options.environment, LE_ENVIRONMENTS[DEFAULT_ENVIRONMENT]);
+        this.directoryUrl = options.directoryUrl || this.environment.directoryUrl;
+
+        this.requester = new Requester({ directoryUrl: this.directoryUrl });
+
+        this.challengeType = options.challengeType || 'http-01';
+
+        this.accountsManager = new AccountsManager(this);
+        this.certificateManager = new CertificateManager(this);
+
+        this.store = options.store.create();
+        this.challengeManager = options.challenges[this.challengeType].create();
+    }
+
+    register (domain, email, tnc, done) {
+        if (!isFQDN(domain)) {
+            return done(new LCMError('Invalid domain', {
+                domain
+            }));
+        }
+
+        if (!isEmail(email)) {
+            return done(new LCMError('Invalid email', {
+                email
+            }));
+        }
+
+        if (tnc !== true) {
+            return done(new LCMError('Terms not accepted'));
+        }
+
+        this.certificateManager.get(domain, email, tnc, done);
+    }
+
+    middleware () {
+        const PREFIX = '/.well-known/acme-challenge/',
+            ChallengeManager = this.challengeManager;
+
+        return function (req, res, next) {
+            if (!req.url.startsWith(PREFIX)) {
+                return next();
+            }
+
+            let split = req.url.split('/'),
+                token = split.pop(),
+                hostname = req.hostname;
+
+            // if the url ends with a /
+            // unlikely, but still
+            if (!token) { token = split.pop(); }
+
+            // token not found, let the service deal with the request
+            if (!token) { return next(); }
+
+            ChallengeManager.get({}, hostname, token, (err, challenge) => {
+                if (err) {
+                    res.set('content-type', 'text/plain; charset=utf8');
+                    res.status(500);
+
+                    return res.send('Something went wrong');
+                }
+
+                if (!challenge) {
+                    res.set('content-type', 'text/plain; charset=utf8');
+                    res.status(404);
+
+                    return res.send('Not found');
+                }
+
+                res.set('content-type', 'application/octet-stream');
+                res.status(200);
+
+                return res.send(challenge);
+            });
+        };
+    }
+}
+
+module.exports = LetsEncryptManager;
+