Factored out Network.ACME library

author: Andrew Cady <d@jerkface.net> 2016-01-22 11:36:37 -0500
committer: Andrew Cady <d@jerkface.net> 2016-01-22 18:19:25 -0500
commit: 15d6572b9fa0ff6b0105eaa26583f496b18f78b4 (patch)
tree: 2a60a040495c9c8080bae50e6dd871a42446ad6b /src
parent: 3581adc163fd0b41485d822944efe6cdd4607aed (diff)
1 files changed, 198 insertions, 0 deletions
diff --git a/src/Network/ACME.hs b/src/Network/ACME.hs
new file mode 100644
index 0000000..f8135e6
--- /dev/null
+++ b/src/Network/ACME.hs
@@ -0,0 +1,198 @@
+{-# LANGUAGE FlexibleContexts      #-}
+{-# LANGUAGE MultiParamTypeClasses #-}
+{-# LANGUAGE OverloadedStrings     #-}
+{-# LANGUAGE RecordWildCards       #-}
+{-# LANGUAGE ScopedTypeVariables   #-}
+module Network.ACME (
+    Keys(..),
+    thumbprint,
+    JWK(..),
+    toStrict,
+    csr,
+    challenge,
+    registration,
+    authz,
+    signPayload,
+    ) where
+import           Control.Lens               hiding ((.=))
+import           Control.Monad
+import           Control.Monad.RWS.Strict
+import           Crypto.Number.Serialize    (i2osp)
+import           Data.Aeson                 (ToJSON (..), Value, encode, object,
+                                             (.=))
+import           Data.Aeson.Lens            hiding (key)
+import qualified Data.Aeson.Lens            as JSON
+import           Data.ByteString            (ByteString)
+import qualified Data.ByteString            as B
+import qualified Data.ByteString.Base64.URL as Base64
+import qualified Data.ByteString.Char8      as BC
+import qualified Data.ByteString.Lazy       as LB
+import qualified Data.ByteString.Lazy.Char8 as LC
+import           Data.Coerce
+import           Data.Digest.Pure.SHA       (bytestringDigest, sha256)
+import           Data.Maybe
+import           Data.String                (fromString)
+import qualified Data.Text                  as T
+import           Data.Text.Encoding         (decodeUtf8, encodeUtf8)
+import           Data.Time.Clock.POSIX      (getPOSIXTime)
+import           Network.Wreq               (Response, checkStatus, defaults,
+                                             responseBody, responseHeader,
+                                             responseStatus, statusCode,
+                                             statusMessage)
+import qualified Network.Wreq               as W
+import qualified Network.Wreq.Session       as WS
+import           OpenSSL
+import           OpenSSL.EVP.Digest
+import           OpenSSL.EVP.PKey
+import           OpenSSL.EVP.Sign
+import           OpenSSL.PEM
+import           OpenSSL.RSA
+import           OpenSSL.X509.Request
+data Keys = Keys SomeKeyPair RSAPubKey
+--------------------------------------------------------------------------------
+-- | Sign return a payload with a nonce-protected header.
+signPayload :: Keys -> String -> ByteString -> IO LC.ByteString
+signPayload (Keys priv pub) nonce_ payload = withOpenSSL $ do
+  let protected = b64 (header pub nonce_)
+  Just dig <- getDigestByName "SHA256"
+  sig <- b64 <$> signBS dig priv (B.concat [protected, ".", payload])
+  return $ encode (Request (header' pub) protected payload sig)
+--------------------------------------------------------------------------------
+-- | Base64URL encoding of Integer with padding '=' removed.
+b64i :: Integer -> ByteString
+b64i = b64 . i2osp
+b64 :: ByteString -> ByteString
+b64 = B.takeWhile (/= 61) . Base64.encode
+toStrict :: LB.ByteString -> ByteString
+toStrict = B.concat . LB.toChunks
+header' :: RSAKey k => k -> Header
+header' key = Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) Nothing
+header :: RSAKey k => k -> String -> ByteString
+header key nonce = (toStrict . encode)
+                     (Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) (Just nonce))
+-- | Registration payload to sign with user key.
+registration :: String -> String -> ByteString
+registration emailAddr terms = (b64 . toStrict . encode) (Reg emailAddr terms)
+-- | Challenge request payload to sign with user key.
+authz :: String -> ByteString
+authz = b64. toStrict . encode . Authz
+-- | Challenge response payload to sign with user key.
+challenge :: ByteString -> ByteString
+challenge = b64 . toStrict . encode . Challenge . BC.unpack
+-- | CSR request payload to sign with user key.
+csr :: ByteString -> ByteString
+csr = b64 . toStrict . encode . CSR . b64
+thumbprint :: JWK -> ByteString
+thumbprint = b64 . toStrict . bytestringDigest . sha256 . encodeOrdered
+-- | There is an `encodePretty'` in `aeson-pretty`, but do it by hand here.
+encodeOrdered :: JWK -> LB.ByteString
+encodeOrdered JWK{..} = LC.pack $
+  "{\"e\":\"" ++ hE' ++ "\",\"kty\":\"" ++ hKty ++ "\",\"n\":\"" ++ hN' ++ "\"}"
+  where
+  hE' = BC.unpack (b64i hE)
+  hN' = BC.unpack (b64i hN)
+--------------------------------------------------------------------------------
+data Header = Header
+  { hAlg   :: String
+  , hJwk   :: JWK
+  , hNonce :: Maybe String
+  }
+  deriving Show
+data JWK = JWK
+  { hE   :: Integer
+  , hKty :: String
+  , hN   :: Integer
+  }
+  deriving Show
+instance ToJSON Header where
+  toJSON Header{..} = object $
+    [ "alg" .= hAlg
+    , "jwk" .= toJSON hJwk
+    ] ++ maybeToList (("nonce" .=) <$> hNonce)
+instance ToJSON JWK where
+  toJSON JWK{..} = object
+    [ "e" .= decodeUtf8 (b64i hE)
+    , "kty" .= hKty
+    , "n" .= decodeUtf8 (b64i hN)
+    ]
+data Reg = Reg
+  { rMail      :: String
+  , rAgreement :: String
+  }
+  deriving Show
+instance ToJSON Reg where
+  toJSON Reg{..} = object
+    [ "resource" .= ("new-reg" :: String)
+    , "contact" .= ["mailto:" ++ rMail]
+    , "agreement" .= rAgreement
+    ]
+data Request = Request
+  { rHeader    :: Header
+  , rProtected :: ByteString
+  , rPayload   :: ByteString
+  , rSignature :: ByteString
+  }
+  deriving Show
+instance ToJSON Request where
+  toJSON Request{..} = object
+    [ "header" .= toJSON rHeader
+    , "protected" .= decodeUtf8 rProtected
+    , "payload" .= decodeUtf8 rPayload
+    , "signature" .= decodeUtf8 rSignature
+    ]
+data Authz = Authz
+  { aDomain :: String
+  }
+instance ToJSON Authz where
+  toJSON Authz{..} = object
+    [ "resource" .= ("new-authz" :: String)
+    , "identifier" .= object
+      [ "type" .= ("dns" :: String)
+      , "value" .= aDomain
+      ]
+    ]
+data Challenge = Challenge
+  { cKeyAuth :: String
+  }
+instance ToJSON Challenge where
+  toJSON Challenge{..} = object
+    [ "resource" .= ("challenge" :: String)
+    , "keyAuthorization" .= cKeyAuth
+    ]
+data CSR = CSR ByteString
+  deriving Show
+instance ToJSON CSR where
+  toJSON (CSR s) = object
+    [ "resource" .= ("new-cert" :: String)
+    , "csr" .= decodeUtf8 s
+    ]
author	Andrew Cady <d@jerkface.net>	2016-01-22 11:36:37 -0500
committer	Andrew Cady <d@jerkface.net>	2016-01-22 18:19:25 -0500
commit	15d6572b9fa0ff6b0105eaa26583f496b18f78b4 (patch)
tree	2a60a040495c9c8080bae50e6dd871a42446ad6b /src
parent	3581adc163fd0b41485d822944efe6cdd4607aed (diff)

diff --git a/src/Network/ACME.hs b/src/Network/ACME.hs new file mode 100644 index 0000000..f8135e6 --- /dev/null +++ b/src/Network/ACME.hs
@@ -0,0 +1,198 @@
	1	{-# LANGUAGE FlexibleContexts #-}
	2	{-# LANGUAGE MultiParamTypeClasses #-}
	3	{-# LANGUAGE OverloadedStrings #-}
	4	{-# LANGUAGE RecordWildCards #-}
	5	{-# LANGUAGE ScopedTypeVariables #-}
	6
	7	module Network.ACME (
	8	Keys(..),
	9	thumbprint,
	10	JWK(..),
	11	toStrict,
	12	csr,
	13	challenge,
	14	registration,
	15	authz,
	16	signPayload,
	17	) where
	18
	19	import Control.Lens hiding ((.=))
	20	import Control.Monad
	21	import Control.Monad.RWS.Strict
	22	import Crypto.Number.Serialize (i2osp)
	23	import Data.Aeson (ToJSON (..), Value, encode, object,
	24	(.=))
	25	import Data.Aeson.Lens hiding (key)
	26	import qualified Data.Aeson.Lens as JSON
	27	import Data.ByteString (ByteString)
	28	import qualified Data.ByteString as B
	29	import qualified Data.ByteString.Base64.URL as Base64
	30	import qualified Data.ByteString.Char8 as BC
	31	import qualified Data.ByteString.Lazy as LB
	32	import qualified Data.ByteString.Lazy.Char8 as LC
	33	import Data.Coerce
	34	import Data.Digest.Pure.SHA (bytestringDigest, sha256)
	35	import Data.Maybe
	36	import Data.String (fromString)
	37	import qualified Data.Text as T
	38	import Data.Text.Encoding (decodeUtf8, encodeUtf8)
	39	import Data.Time.Clock.POSIX (getPOSIXTime)
	40	import Network.Wreq (Response, checkStatus, defaults,
	41	responseBody, responseHeader,
	42	responseStatus, statusCode,
	43	statusMessage)
	44	import qualified Network.Wreq as W
	45	import qualified Network.Wreq.Session as WS
	46	import OpenSSL
	47	import OpenSSL.EVP.Digest
	48	import OpenSSL.EVP.PKey
	49	import OpenSSL.EVP.Sign
	50	import OpenSSL.PEM
	51	import OpenSSL.RSA
	52	import OpenSSL.X509.Request
	53
	54	data Keys = Keys SomeKeyPair RSAPubKey
	55
	56	--------------------------------------------------------------------------------
	57	-- \| Sign return a payload with a nonce-protected header.
	58	signPayload :: Keys -> String -> ByteString -> IO LC.ByteString
	59	signPayload (Keys priv pub) nonce_ payload = withOpenSSL $ do
	60	let protected = b64 (header pub nonce_)
	61	Just dig <- getDigestByName "SHA256"
	62	sig <- b64 <$> signBS dig priv (B.concat [protected, ".", payload])
	63	return $ encode (Request (header' pub) protected payload sig)
	64
	65	--------------------------------------------------------------------------------
	66	-- \| Base64URL encoding of Integer with padding '=' removed.
	67	b64i :: Integer -> ByteString
	68	b64i = b64 . i2osp
	69
	70	b64 :: ByteString -> ByteString
	71	b64 = B.takeWhile (/= 61) . Base64.encode
	72
	73	toStrict :: LB.ByteString -> ByteString
	74	toStrict = B.concat . LB.toChunks
	75
	76	header' :: RSAKey k => k -> Header
	77	header' key = Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) Nothing
	78
	79	header :: RSAKey k => k -> String -> ByteString
	80	header key nonce = (toStrict . encode)
	81	(Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) (Just nonce))
	82
	83	-- \| Registration payload to sign with user key.
	84	registration :: String -> String -> ByteString
	85	registration emailAddr terms = (b64 . toStrict . encode) (Reg emailAddr terms)
	86
	87	-- \| Challenge request payload to sign with user key.
	88	authz :: String -> ByteString
	89	authz = b64. toStrict . encode . Authz
	90
	91	-- \| Challenge response payload to sign with user key.
	92	challenge :: ByteString -> ByteString
	93	challenge = b64 . toStrict . encode . Challenge . BC.unpack
	94
	95	-- \| CSR request payload to sign with user key.
	96	csr :: ByteString -> ByteString
	97	csr = b64 . toStrict . encode . CSR . b64
	98
	99	thumbprint :: JWK -> ByteString
	100	thumbprint = b64 . toStrict . bytestringDigest . sha256 . encodeOrdered
	101
	102	-- \| There is an `encodePretty'` in `aeson-pretty`, but do it by hand here.
	103	encodeOrdered :: JWK -> LB.ByteString
	104	encodeOrdered JWK{..} = LC.pack $
	105	"{\"e\":\"" ++ hE' ++ "\",\"kty\":\"" ++ hKty ++ "\",\"n\":\"" ++ hN' ++ "\"}"
	106	where
	107	hE' = BC.unpack (b64i hE)
	108	hN' = BC.unpack (b64i hN)
	109
	110
	111	--------------------------------------------------------------------------------
	112	data Header = Header
	113	{ hAlg :: String
	114	, hJwk :: JWK
	115	, hNonce :: Maybe String
	116	}
	117	deriving Show
	118
	119	data JWK = JWK
	120	{ hE :: Integer
	121	, hKty :: String
	122	, hN :: Integer
	123	}
	124	deriving Show
	125
	126	instance ToJSON Header where
	127	toJSON Header{..} = object $
	128	[ "alg" .= hAlg
	129	, "jwk" .= toJSON hJwk
	130	] ++ maybeToList (("nonce" .=) <$> hNonce)
	131
	132	instance ToJSON JWK where
	133	toJSON JWK{..} = object
	134	[ "e" .= decodeUtf8 (b64i hE)
	135	, "kty" .= hKty
	136	, "n" .= decodeUtf8 (b64i hN)
	137	]
	138
	139	data Reg = Reg
	140	{ rMail :: String
	141	, rAgreement :: String
	142	}
	143	deriving Show
	144
	145	instance ToJSON Reg where
	146	toJSON Reg{..} = object
	147	[ "resource" .= ("new-reg" :: String)
	148	, "contact" .= ["mailto:" ++ rMail]
	149	, "agreement" .= rAgreement
	150	]
	151
	152	data Request = Request
	153	{ rHeader :: Header
	154	, rProtected :: ByteString
	155	, rPayload :: ByteString
	156	, rSignature :: ByteString
	157	}
	158	deriving Show
	159
	160	instance ToJSON Request where
	161	toJSON Request{..} = object
	162	[ "header" .= toJSON rHeader
	163	, "protected" .= decodeUtf8 rProtected
	164	, "payload" .= decodeUtf8 rPayload
	165	, "signature" .= decodeUtf8 rSignature
	166	]
	167
	168	data Authz = Authz
	169	{ aDomain :: String
	170	}
	171
	172	instance ToJSON Authz where
	173	toJSON Authz{..} = object
	174	[ "resource" .= ("new-authz" :: String)
	175	, "identifier" .= object
	176	[ "type" .= ("dns" :: String)
	177	, "value" .= aDomain
	178	]
	179	]
	180
	181	data Challenge = Challenge
	182	{ cKeyAuth :: String
	183	}
	184
	185	instance ToJSON Challenge where
	186	toJSON Challenge{..} = object
	187	[ "resource" .= ("challenge" :: String)
	188	, "keyAuthorization" .= cKeyAuth
	189	]
	190
	191	data CSR = CSR ByteString
	192	deriving Show
	193
	194	instance ToJSON CSR where
	195	toJSON (CSR s) = object
	196	[ "resource" .= ("new-cert" :: String)
	197	, "csr" .= decodeUtf8 s
	198	]