1 files changed, 2 insertions, 144 deletions
diff --git a/acme.hs b/acme.hs
index 5ea5eeb..8257390 100644
--- a/acme.hs
+++ b/acme.hs
@@ -49,6 +49,8 @@ import           Options.Applicative        hiding (header)
 import qualified Options.Applicative        as Opt
 import           System.Directory
+import Network.ACME
 stagingDirectoryUrl, liveDirectoryUrl :: String
 liveDirectoryUrl = "https://acme-v01.api.letsencrypt.org/directory"
 stagingDirectoryUrl = "https://acme-staging.api.letsencrypt.org/directory"
@@ -118,7 +120,6 @@ genReq domainKeyFile domain = withOpenSSL $ do
  signX509Req req priv (Just dig)
  writeX509ReqDER req
-data Keys = Keys SomeKeyPair RSAPubKey
 readKeys :: String -> IO Keys
 readKeys privKeyFile = do
  priv <- readFile privKeyFile >>= flip readPrivateKey PwTTY
@@ -288,146 +289,3 @@ post url payload = do
    noStatusCheck = defaults & checkStatus .~ Just nullChecker
    nullChecker _ _ _ = Nothing
--------------------------------------------------------------------------------
-- | Sign return a payload with a nonce-protected header.
-signPayload :: Keys -> String -> ByteString -> IO LC.ByteString
-signPayload (Keys priv pub) nonce_ payload = withOpenSSL $ do
-  let protected = b64 (header pub nonce_)
-  Just dig <- getDigestByName "SHA256"
-  sig <- b64 <$> signBS dig priv (B.concat [protected, ".", payload])
-  return $ encode (Request (header' pub) protected payload sig)
--------------------------------------------------------------------------------
-- | Base64URL encoding of Integer with padding '=' removed.
-b64i :: Integer -> ByteString
-b64i = b64 . i2osp
-b64 :: ByteString -> ByteString
-b64 = B.takeWhile (/= 61) . Base64.encode
-toStrict :: LB.ByteString -> ByteString
-toStrict = B.concat . LB.toChunks
-header' :: RSAKey k => k -> Header
-header' key = Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) Nothing
-header :: RSAKey k => k -> String -> ByteString
-header key nonce = (toStrict . encode)
-                     (Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) (Just nonce))
-- | Registration payload to sign with user key.
-registration :: String -> String -> ByteString
-registration emailAddr terms = (b64 . toStrict . encode) (Reg emailAddr terms)
-- | Challenge request payload to sign with user key.
-authz :: String -> ByteString
-authz = b64. toStrict . encode . Authz
-- | Challenge response payload to sign with user key.
-challenge :: ByteString -> ByteString
-challenge = b64 . toStrict . encode . Challenge . BC.unpack
-- | CSR request payload to sign with user key.
-csr :: ByteString -> ByteString
-csr = b64 . toStrict . encode . CSR . b64
-thumbprint :: JWK -> ByteString
-thumbprint = b64 . toStrict . bytestringDigest . sha256 . encodeOrdered
-- | There is an `encodePretty'` in `aeson-pretty`, but do it by hand here.
-encodeOrdered :: JWK -> LB.ByteString
-encodeOrdered JWK{..} = LC.pack $
-  "{\"e\":\"" ++ hE' ++ "\",\"kty\":\"" ++ hKty ++ "\",\"n\":\"" ++ hN' ++ "\"}"
-  where
-  hE' = BC.unpack (b64i hE)
-  hN' = BC.unpack (b64i hN)
--------------------------------------------------------------------------------
-data Header = Header
-  { hAlg   :: String
-  , hJwk   :: JWK
-  , hNonce :: Maybe String
-  }
-  deriving Show
-data JWK = JWK
-  { hE   :: Integer
-  , hKty :: String
-  , hN   :: Integer
-  }
-  deriving Show
-instance ToJSON Header where
-  toJSON Header{..} = object $
-    [ "alg" .= hAlg
-    , "jwk" .= toJSON hJwk
-    ] ++ maybeToList (("nonce" .=) <$> hNonce)
-instance ToJSON JWK where
-  toJSON JWK{..} = object
-    [ "e" .= decodeUtf8 (b64i hE)
-    , "kty" .= hKty
-    , "n" .= decodeUtf8 (b64i hN)
-    ]
-data Reg = Reg
-  { rMail      :: String
-  , rAgreement :: String
-  }
-  deriving Show
-instance ToJSON Reg where
-  toJSON Reg{..} = object
-    [ "resource" .= ("new-reg" :: String)
-    , "contact" .= ["mailto:" ++ rMail]
-    , "agreement" .= rAgreement
-    ]
-data Request = Request
-  { rHeader    :: Header
-  , rProtected :: ByteString
-  , rPayload   :: ByteString
-  , rSignature :: ByteString
-  }
-  deriving Show
-instance ToJSON Request where
-  toJSON Request{..} = object
-    [ "header" .= toJSON rHeader
-    , "protected" .= decodeUtf8 rProtected
-    , "payload" .= decodeUtf8 rPayload
-    , "signature" .= decodeUtf8 rSignature
-    ]
-data Authz = Authz
-  { aDomain :: String
-  }
-instance ToJSON Authz where
-  toJSON Authz{..} = object
-    [ "resource" .= ("new-authz" :: String)
-    , "identifier" .= object
-      [ "type" .= ("dns" :: String)
-      , "value" .= aDomain
-      ]
-    ]
-data Challenge = Challenge
-  { cKeyAuth :: String
-  }
-instance ToJSON Challenge where
-  toJSON Challenge{..} = object
-    [ "resource" .= ("challenge" :: String)
-    , "keyAuthorization" .= cKeyAuth
-    ]
-data CSR = CSR ByteString
-  deriving Show
-instance ToJSON CSR where
-  toJSON (CSR s) = object
-    [ "resource" .= ("new-cert" :: String)
-    , "csr" .= decodeUtf8 s
-    ]

diff --git a/acme.hs b/acme.hs index 5ea5eeb..8257390 100644 --- a/acme.hs +++ b/acme.hs
@@ -49,6 +49,8 @@ import Options.Applicative hiding (header)
49	import qualified Options.Applicative as Opt	49	import qualified Options.Applicative as Opt
50	import System.Directory	50	import System.Directory
51		51
		52	import Network.ACME
		53
52	stagingDirectoryUrl, liveDirectoryUrl :: String	54	stagingDirectoryUrl, liveDirectoryUrl :: String
53	liveDirectoryUrl = "https://acme-v01.api.letsencrypt.org/directory"	55	liveDirectoryUrl = "https://acme-v01.api.letsencrypt.org/directory"
54	stagingDirectoryUrl = "https://acme-staging.api.letsencrypt.org/directory"	56	stagingDirectoryUrl = "https://acme-staging.api.letsencrypt.org/directory"
@@ -118,7 +120,6 @@ genReq domainKeyFile domain = withOpenSSL $ do
118	signX509Req req priv (Just dig)	120	signX509Req req priv (Just dig)
119	writeX509ReqDER req	121	writeX509ReqDER req
120		122
121	data Keys = Keys SomeKeyPair RSAPubKey
122	readKeys :: String -> IO Keys	123	readKeys :: String -> IO Keys
123	readKeys privKeyFile = do	124	readKeys privKeyFile = do
124	priv <- readFile privKeyFile >>= flip readPrivateKey PwTTY	125	priv <- readFile privKeyFile >>= flip readPrivateKey PwTTY
@@ -288,146 +289,3 @@ post url payload = do
288	noStatusCheck = defaults & checkStatus .~ Just nullChecker	289	noStatusCheck = defaults & checkStatus .~ Just nullChecker
289	nullChecker _ _ _ = Nothing	290	nullChecker _ _ _ = Nothing
290		291
291	--------------------------------------------------------------------------------
292	-- \| Sign return a payload with a nonce-protected header.
293	signPayload :: Keys -> String -> ByteString -> IO LC.ByteString
294	signPayload (Keys priv pub) nonce_ payload = withOpenSSL $ do
295	let protected = b64 (header pub nonce_)
296	Just dig <- getDigestByName "SHA256"
297	sig <- b64 <$> signBS dig priv (B.concat [protected, ".", payload])
298	return $ encode (Request (header' pub) protected payload sig)
299
300	--------------------------------------------------------------------------------
301	-- \| Base64URL encoding of Integer with padding '=' removed.
302	b64i :: Integer -> ByteString
303	b64i = b64 . i2osp
304
305	b64 :: ByteString -> ByteString
306	b64 = B.takeWhile (/= 61) . Base64.encode
307
308	toStrict :: LB.ByteString -> ByteString
309	toStrict = B.concat . LB.toChunks
310
311	header' :: RSAKey k => k -> Header
312	header' key = Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) Nothing
313
314	header :: RSAKey k => k -> String -> ByteString
315	header key nonce = (toStrict . encode)
316	(Header "RS256" (JWK (rsaE key) "RSA" (rsaN key)) (Just nonce))
317
318	-- \| Registration payload to sign with user key.
319	registration :: String -> String -> ByteString
320	registration emailAddr terms = (b64 . toStrict . encode) (Reg emailAddr terms)
321
322	-- \| Challenge request payload to sign with user key.
323	authz :: String -> ByteString
324	authz = b64. toStrict . encode . Authz
325
326	-- \| Challenge response payload to sign with user key.
327	challenge :: ByteString -> ByteString
328	challenge = b64 . toStrict . encode . Challenge . BC.unpack
329
330	-- \| CSR request payload to sign with user key.
331	csr :: ByteString -> ByteString
332	csr = b64 . toStrict . encode . CSR . b64
333
334	thumbprint :: JWK -> ByteString
335	thumbprint = b64 . toStrict . bytestringDigest . sha256 . encodeOrdered
336
337	-- \| There is an `encodePretty'` in `aeson-pretty`, but do it by hand here.
338	encodeOrdered :: JWK -> LB.ByteString
339	encodeOrdered JWK{..} = LC.pack $
340	"{\"e\":\"" ++ hE' ++ "\",\"kty\":\"" ++ hKty ++ "\",\"n\":\"" ++ hN' ++ "\"}"
341	where
342	hE' = BC.unpack (b64i hE)
343	hN' = BC.unpack (b64i hN)
344
345
346	--------------------------------------------------------------------------------
347	data Header = Header
348	{ hAlg :: String
349	, hJwk :: JWK
350	, hNonce :: Maybe String
351	}
352	deriving Show
353
354	data JWK = JWK
355	{ hE :: Integer
356	, hKty :: String
357	, hN :: Integer
358	}
359	deriving Show
360
361	instance ToJSON Header where
362	toJSON Header{..} = object $
363	[ "alg" .= hAlg
364	, "jwk" .= toJSON hJwk
365	] ++ maybeToList (("nonce" .=) <$> hNonce)
366
367	instance ToJSON JWK where
368	toJSON JWK{..} = object
369	[ "e" .= decodeUtf8 (b64i hE)
370	, "kty" .= hKty
371	, "n" .= decodeUtf8 (b64i hN)
372	]
373
374	data Reg = Reg
375	{ rMail :: String
376	, rAgreement :: String
377	}
378	deriving Show
379
380	instance ToJSON Reg where
381	toJSON Reg{..} = object
382	[ "resource" .= ("new-reg" :: String)
383	, "contact" .= ["mailto:" ++ rMail]
384	, "agreement" .= rAgreement
385	]
386
387	data Request = Request
388	{ rHeader :: Header
389	, rProtected :: ByteString
390	, rPayload :: ByteString
391	, rSignature :: ByteString
392	}
393	deriving Show
394
395	instance ToJSON Request where
396	toJSON Request{..} = object
397	[ "header" .= toJSON rHeader
398	, "protected" .= decodeUtf8 rProtected
399	, "payload" .= decodeUtf8 rPayload
400	, "signature" .= decodeUtf8 rSignature
401	]
402
403	data Authz = Authz
404	{ aDomain :: String
405	}
406
407	instance ToJSON Authz where
408	toJSON Authz{..} = object
409	[ "resource" .= ("new-authz" :: String)
410	, "identifier" .= object
411	[ "type" .= ("dns" :: String)
412	, "value" .= aDomain
413	]
414	]
415
416	data Challenge = Challenge
417	{ cKeyAuth :: String
418	}
419
420	instance ToJSON Challenge where
421	toJSON Challenge{..} = object
422	[ "resource" .= ("challenge" :: String)
423	, "keyAuthorization" .= cKeyAuth
424	]
425
426	data CSR = CSR ByteString
427	deriving Show
428
429	instance ToJSON CSR where
430	toJSON (CSR s) = object
431	[ "resource" .= ("new-cert" :: String)
432	, "csr" .= decodeUtf8 s
433	]