1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
|
{-# LANGUAGE FlexibleContexts #-}
{-# LANGUAGE MultiParamTypeClasses #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE ScopedTypeVariables #-}
{-# LANGUAGE ViewPatterns #-}
--------------------------------------------------------------------------------
-- | Get a certificate from Let's Encrypt using the ACME protocol.
--
-- https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md
module Network.ACME where
import Control.Arrow
import Control.Error
import Control.Lens hiding (each, (.=))
import Control.Monad
import Control.Monad.RWS.Strict
import Control.Monad.Trans.Resource hiding (register)
import Data.Aeson (Value)
import Data.Aeson.Lens hiding (key)
import qualified Data.Aeson.Lens as JSON
import Data.ByteString (ByteString)
import qualified Data.ByteString.Char8 as BC
import qualified Data.ByteString.Lazy as LB
import qualified Data.ByteString.Lazy.Char8 as LC
import Data.Coerce
import Data.List
import Data.String (fromString)
import qualified Data.Text as T
import Data.Text.Encoding (decodeUtf8, encodeUtf8)
import Data.Time.Clock.POSIX (getPOSIXTime)
import Network.ACME.Encoding
import Network.Connection
import Network.HTTP.Conduit (Manager, mkManagerSettings,
newManager)
import Network.URI
import Network.Wreq (Response, checkResponse, defaults,
responseBody, responseHeader,
responseStatus, statusCode,
statusMessage)
import qualified Network.Wreq as W
import qualified Network.Wreq.Session as WS
import OpenSSL
import OpenSSL.EVP.Digest
import OpenSSL.EVP.PKey
import OpenSSL.EVP.Sign hiding (sign)
import OpenSSL.PEM
import OpenSSL.RSA
import OpenSSL.X509 (X509, readDerX509)
import OpenSSL.X509.Request
import System.Directory
import Text.Domain.Validate hiding (validate)
import Text.Email.Validate
-- The `certify` function
certify :: URI -> Keys -> Maybe (URI, EmailAddress) -> Keys -> [(DomainName, HttpProvisioner)] -> IO (Either String X509)
certify directoryUrl keys reg domainKeys domains = do
certReq <- genReq domainKeys $ map fst domains
let provision = dispatchProvisioner domains
(mapM readDerX509 =<<) $ runACME directoryUrl keys $ do
forM_ reg $ uncurry register >=> statusReport
let performChallenge domain (ChallengeRequest nextUri token thumbtoken) = do
liftResourceT $ provision domain token thumbtoken
notifyChallenge nextUri thumbtoken >>= statusReport >>= ncErrorReport
cr dom = challengeRequest dom >>= statusReport >>= extractCR >>= performChallenge dom
do
challengeResultLinks <- forM (map fst domains) cr
runExceptT $ do
ExceptT $ pollResults challengeResultLinks <&> left ("certificate receipt was not attempted because a challenge failed: " ++)
ExceptT $ retrieveCert certReq >>= statusReport <&> checkCertResponse
pollResults :: [Response LC.ByteString] -> ACME (Either String ())
pollResults [] = return $ Right ()
pollResults (link:links) = do
-- TODO: use "Retry-After" header if present
let Just uri = link ^? responseBody . JSON.key "uri" . _String
r <- liftIO $ W.get (T.unpack uri) >>= statusReport
let status = r ^. responseBody . JSON.key "status" . _String
case status of
"pending" -> pollResults $ links ++ [r]
"valid" -> pollResults links
"invalid" -> return . Left $ r ^. responseBody . JSON.key "error" . to extractAcmeError
_ -> return . Left $ "unexpected response from ACME server: " ++ show r
-- Provisioner callback
type DispatchHttpProvisioner = DomainName -> ByteString -> ByteString -> ResIO ()
fileProvisioner :: WritableDir -> DispatchHttpProvisioner
fileProvisioner challengeDir _ = provisionViaFile challengeDir
type HttpProvisioner = ByteString -> ByteString -> ResIO ()
dispatchProvisioner :: [(DomainName, HttpProvisioner)] -> DispatchHttpProvisioner
dispatchProvisioner xs = dispatch (`lookup` xs)
where
dispatch :: (DomainName -> Maybe HttpProvisioner) -> DispatchHttpProvisioner
dispatch dispatchFunc (dispatchFunc -> Just provision) = provision
dispatch _ dom = const . const . liftIO $ fail errmsg
where errmsg = "No means specified to provision files over HTTP for domain: " ++ show dom
provisionViaFile :: WritableDir -> HttpProvisioner
provisionViaFile dir tok thumbtoken = do
void $ allocate (return f) removeFile
liftIO $ BC.writeFile f thumbtoken
where
f = (coerce dir </>) (T.unpack $ decodeUtf8 tok)
newtype WritableDir = WritableDir String
ensureWritableDir :: FilePath -> String -> IO WritableDir
ensureWritableDir file name = do
(writable <$> getPermissions file) >>= flip unless (e name)
return $ WritableDir file
where e n = error $ "Error: " ++ n ++ " is not writable"
canProvision :: DomainName -> HttpProvisioner -> IO Bool
canProvision domain provision = do
token <- (".test." ++) . show <$> getPOSIXTime
clientManager <- noSSLVerifyManager
let opts = defaults & W.manager .~ Right clientManager
r <- runResourceT $ do
provision (fromString token) (fromString token)
liftIO $ W.getWith opts $ show $ acmeChallengeURI domain (fromString token)
return $ r ^. responseBody == fromString token
-- From http://stackoverflow.com/questions/21310690/
-- disable-ssl-tls-certificate-validation-in-network-http-conduit/21310691#21310691
noSSLVerifyManager :: IO Manager
noSSLVerifyManager = newManager $ mkManagerSettings tlsSettings Nothing
where
tlsSettings = TLSSettingsSimple
{ settingDisableCertificateValidation = True
, settingDisableSession = False
, settingUseServerName = True
}
canProvisionDir :: WritableDir -> DomainName -> IO Bool
canProvisionDir challengeDir domain = canProvision domain (provisionViaFile challengeDir)
-- The ACME monad
data Directory = Directory {
_newCert :: String,
_newAuthz :: String,
_revokeCert :: String,
_newReg :: String
}
newtype Nonce = Nonce String
data Env = Env { getDir :: Directory, getKeys :: Keys, getSession :: WS.Session }
type ACME = RWST Env () Nonce ResIO
runACME :: URI -> Keys -> ACME a -> IO a
runACME url keys f = do
sess <- WS.newSession
Just (dir, nonce) <- getDirectory sess (show url)
runResourceT $ fst <$> evalRWST f (Env dir keys sess) nonce
post :: (MonadReader Env m, MonadState Nonce m, MonadIO m) => String -> LC.ByteString -> m (Response LC.ByteString)
post url payload = do
sess <- asks getSession
r <- liftIO $ WS.postWith noStatusCheck sess url payload
put $ r ^?! responseHeader "Replay-Nonce" . to (Nonce . T.unpack . decodeUtf8)
return r
where
noStatusCheck = defaults & checkResponse .~ Just nullChecker
nullChecker _ _ = return ()
sendPayload :: (MonadIO m, MonadState Nonce m, MonadReader Env m) => (Directory -> String) -> ByteString -> m (Response LC.ByteString)
sendPayload reqType payload = do
keys <- asks getKeys
dir <- asks getDir
nonce <- gets coerce
signed <- liftIO $ signPayload keys nonce payload
post (reqType dir) signed
signPayload :: Keys -> String -> ByteString -> IO LC.ByteString
signPayload (Keys priv pub) = signPayload' sign pub
where
sign x = do
Just dig <- getDigestByName "SHA256"
signBS dig priv x
-- Generating ACME requests
getDirectory :: WS.Session -> String -> IO (Maybe (Directory, Nonce))
getDirectory sess url = do
r <- WS.get sess url
let nonce = r ^? responseHeader "Replay-Nonce" . to (Nonce . T.unpack . decodeUtf8)
k x = r ^? responseBody . JSON.key x . _String . to T.unpack
return $ (,) <$> (Directory <$> k "new-cert" <*> k "new-authz" <*> k "revoke-cert" <*> k "new-reg") <*> nonce
retrieveCert :: (MonadReader Env m, MonadState Nonce m, MonadIO m) => CSR -> m (Response LC.ByteString)
retrieveCert input = sendPayload _newCert (csr $ csrData input)
notifyChallenge :: (MonadReader Env m, MonadState Nonce m, MonadIO m) => String -> ByteString -> m (Response LC.ByteString)
notifyChallenge uri thumbtoken = sendPayload (const uri) (challenge thumbtoken)
register :: URI -> EmailAddress -> ACME (Response LC.ByteString)
register terms email = sendPayload _newReg (registration email (show terms))
challengeRequest :: (MonadIO m, MonadState Nonce m, MonadReader Env m) => DomainName -> m (Response LC.ByteString)
challengeRequest = sendPayload _newAuthz . authz . domainToString
-- Handling ACME responses
data ChallengeRequest = ChallengeRequest { crUri :: String, crToken :: ByteString, crThumbToken :: ByteString }
extractCR :: MonadReader Env m => Response LC.ByteString -> m ChallengeRequest
extractCR r = do
Keys _ pub <- asks getKeys
let httpChallenge :: (Value -> Const (Endo s) Value) -> Response LC.ByteString -> Const (Endo s) (Response LC.ByteString)
httpChallenge = responseBody .
JSON.key "challenges" .
to universe .
traverse .
(filtered . has $ ix "type" . only "http-01")
token = r ^?! httpChallenge . JSON.key "token" . _String . to encodeUtf8
nextU = r ^?! httpChallenge . JSON.key "uri" . _String . to T.unpack
thumb = thumbprint (JWK (rsaE pub) "RSA" (rsaN pub))
thumbtoken = toStrict (LB.fromChunks [token, ".", thumb])
return $ ChallengeRequest nextU token thumbtoken
ncErrorReport :: (Show body, AsValue body, MonadIO m) => Response body -> m (Response body)
ncErrorReport r = do
when (Just "pending" /= r ^? responseBody . JSON.key "status" . _String) $ liftIO $ do
putStrLn "Unexpected response to challenge-response request:"
print r
return r
extractAcmeError :: forall s. AsValue s => s -> String
extractAcmeError r = summary ++ " ---- " ++ details
where
(Just summary, Just details) = (k "type", k "detail")
k x = r ^? JSON.key x . _String . to T.unpack
checkCertResponse :: Response LC.ByteString -> Either String LC.ByteString
checkCertResponse r =
if isSuccess $ r ^. responseStatus . statusCode
then Right $ r ^. responseBody
else Left $ r ^. responseBody . to extractAcmeError
where
isSuccess n = n >= 200 && n < 300
statusLine :: Response body -> String
statusLine r = x ++ " " ++ y
where
x = r ^. responseStatus . statusCode . to show
y = r ^. responseStatus . statusMessage . to (T.unpack . decodeUtf8)
statusReport :: MonadIO m => Response body -> m (Response body)
statusReport r = do
liftIO $ putStrLn $ statusLine r
return r
-- OpenSSL operations
data CSR = CSR { csrData :: ByteString }
genReq :: Keys -> [DomainName] -> IO CSR
genReq _ [] = error "genReq called with zero domains"
genReq (Keys priv pub) domains@(domain:_) = withOpenSSL $ do
Just dig <- getDigestByName "SHA256"
req <- newX509Req
setSubjectName req [("CN", domainToString domain)]
setVersion req 0
setPublicKey req pub
void $ addExtensions req [(nidSubjectAltName, intercalate ", " (map (("DNS:" ++) . domainToString) domains))]
signX509Req req priv (Just dig)
CSR . toStrict <$> writeX509ReqDER req
where
nidSubjectAltName = 85
data Keys = Keys RSAKeyPair RSAPubKey
readKeys :: String -> IO (Maybe Keys)
readKeys privKeyData = do
priv <- toKeyPair <$> readPrivateKey privKeyData PwTTY
pub <- mapM rsaCopyPublic priv
return $ Keys <$> priv <*> pub
-- General utility
(</>) :: String -> String -> String
a </> b = a ++ "/" ++ b
infixr 5 </>
domainToString :: DomainName -> String
domainToString = T.unpack . decodeUtf8 . Text.Domain.Validate.toByteString
acmeChallengeURI :: DomainName -> BC.ByteString -> URI
acmeChallengeURI dom tok = URI "http:" dom' tok' "" ""
where
dom' = Just $ URIAuth "" (domainToString dom) ""
tok' = "/.well-known/acme-challenge" </> BC.unpack tok
|
