acme.go

package acmeserver

import (
	"bytes"
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"path/filepath"
	"strings"
	"sync"

	"golang.org/x/crypto/acme"
)

// ACME handles the certificate creation/renewal workflow using acme
// http-01 challenges. It serves validation tokens under the
// /.well-known/acme-challenge path when used as an HTTP handler.
type ACME struct {
	email          string
	accountKeyPath string
	client         *acme.Client

	mx         sync.Mutex
	httpTokens map[string][]byte
}

// NewACME returns a new ACME object with the provided config.
func NewACME(config *Config) (*ACME, error) {
	if config.Email == "" {
		return nil, errors.New("configuration parameter 'email' is unset")
	}

	return &ACME{
		email:          config.Email,
		accountKeyPath: filepath.Join(config.Dir, "account.key"),
		httpTokens:     make(map[string][]byte),
	}, nil
}

func (a *ACME) accountKey(ctx context.Context) (crypto.Signer, error) {
	if key, err := parsePrivateKeyFromFile(a.accountKeyPath); err == nil {
		return key, err
	}

	log.Printf("generating new account key")
	eckey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err = encodeECDSAKey(&buf, eckey); err != nil {
		return nil, err
	}
	if err = ioutil.WriteFile(a.accountKeyPath, buf.Bytes(), 0600); err != nil {
		return nil, err
	}

	return eckey, err
}

func (a *ACME) acmeClient(ctx context.Context) (*acme.Client, error) {
	if a.client != nil {
		return a.client, nil
	}

	client := &acme.Client{
		DirectoryURL: acme.LetsEncryptURL,
	}
	key, err := a.accountKey(ctx)
	if err != nil {
		return nil, err
	}
	client.Key = key
	ac := &acme.Account{
		Contact: []string{"mailto:" + a.email},
	}
	_, err = client.Register(ctx, ac, func(_ string) bool { return true })
	if ae, ok := err.(*acme.Error); err == nil || ok && ae.StatusCode == http.StatusConflict {
		a.client = client
		err = nil
	}
	return a.client, err
}

// GetCertificate returns a certificate chain (and the parsed leaf
// cert), given a private key and a list of domains. The first domain
// will be the subject CN, the others will be added as subjectAltNames.
func (a *ACME) GetCertificate(ctx context.Context, key crypto.Signer, domains []string) (der [][]byte, leaf *x509.Certificate, err error) {
	client, err := a.acmeClient(ctx)
	if err != nil {
		return nil, nil, err
	}

	if err = a.verifyAll(ctx, client, domains); err != nil {
		return nil, nil, err
	}

	csr, err := certRequest(key, domains)
	if err != nil {
		return nil, nil, err
	}
	der, _, err = client.CreateCert(ctx, csr, 0, true)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = validCert(domains, der, key)
	if err != nil {
		return nil, nil, err
	}
	return der, leaf, nil
}

func (a *ACME) verifyAll(ctx context.Context, client *acme.Client, domains []string) error {
	for _, domain := range domains {
		if err := a.verify(ctx, client, domain); err != nil {
			return err
		}
	}
	return nil
}

func (a *ACME) verify(ctx context.Context, client *acme.Client, domain string) error {
	authz, err := client.Authorize(ctx, domain)
	if err != nil {
		return err
	}

	switch authz.Status {
	case acme.StatusValid:
		return nil // already authorized
	case acme.StatusInvalid:
		return fmt.Errorf("invalid authorization %q", authz.URI)
	}

	chal := pickChallenge("http-01", authz.Challenges)
	if chal == nil {
		return fmt.Errorf("unable to authorize %q", domain)
	}
	cleanup, err := a.fulfill(ctx, client, chal)
	if err != nil {
		return err
	}
	defer cleanup()

	if _, err = client.Accept(ctx, chal); err != nil {
		return err
	}
	_, err = client.WaitAuthorization(ctx, authz.URI)
	return err
}

func (a *ACME) fulfill(ctx context.Context, client *acme.Client, chal *acme.Challenge) (cleanup func(), err error) {
	if chal.Type != "http-01" {
		return nil, errors.New("unsupported challenge type")
	}

	resp, err := client.HTTP01ChallengeResponse(chal.Token)
	if err != nil {
		return nil, err
	}
	p := client.HTTP01ChallengePath(chal.Token)
	a.putHTTPToken(ctx, p, resp)
	return func() { go a.deleteHTTPToken(p) }, nil
}

func (a *ACME) httpToken(ctx context.Context, tokenPath string) ([]byte, error) {
	a.mx.Lock()
	defer a.mx.Unlock()

	if v, ok := a.httpTokens[tokenPath]; ok {
		return v, nil
	}
	return nil, errors.New("token not found")
}

func (a *ACME) putHTTPToken(ctx context.Context, tokenPath, val string) {
	a.mx.Lock()
	a.httpTokens[tokenPath] = []byte(val)
	a.mx.Unlock()
}

func (a *ACME) deleteHTTPToken(tokenPath string) {
	a.mx.Lock()
	delete(a.httpTokens, tokenPath)
	a.mx.Unlock()
}

func (a *ACME) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge/") {
		http.NotFound(w, r)
		return
	}

	a.mx.Lock()
	defer a.mx.Unlock()

	data, err := a.httpToken(r.Context(), r.URL.Path)
	if err != nil {
		http.Error(w, err.Error(), http.StatusNotFound)
		return
	}

	w.Write(data)
}