[proxmox.git] / src / account.rs

//! ACME Account management and creation. The [`Account`] type also contains most of the ACME API
//! entry point helpers.

use std::collections::HashMap;
use std::convert::TryFrom;

use openssl::pkey::{PKey, Private};
use serde::{Deserialize, Serialize};
use serde_json::Value;

use crate::authorization::{Authorization, GetAuthorization};
use crate::b64u;
use crate::directory::Directory;
use crate::eab::ExternalAccountBinding;
use crate::jws::Jws;
use crate::key::{Jwk, PublicKey};
use crate::order::{NewOrder, Order, OrderData};
use crate::request::Request;
use crate::Error;

/// An ACME Account.
///
/// This contains the location URL, the account data and the private key for an account.
/// This can directly be serialized via serde to persist the account.
///
/// In order to register a new account with an ACME provider, see the [`Account::creator`] method.
#[derive(Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Account {
    /// Account location URL.
    pub location: String,

    /// Acme account data.
    pub data: AccountData,

    /// base64url encoded PEM formatted private key.
    pub private_key: String,
}

impl Account {
    /// Rebuild an account from its components.
    pub fn from_parts(location: String, private_key: String, data: AccountData) -> Self {
        Self {
            location,
            data,
            private_key,
        }
    }

    /// Builds an [`AccountCreator`]. This handles creation of the private key and account data as
    /// well as handling the response sent by the server for the registration request.
    pub fn creator() -> AccountCreator {
        AccountCreator::default()
    }

    /// Place a new order. This will build a [`NewOrder`] representing an in flight order creation
    /// request.
    ///
    /// The returned `NewOrder`'s `request` option is *guaranteed* to be `Some(Request)`.
    pub fn new_order(
        &self,
        order: &OrderData,
        directory: &Directory,
        nonce: &str,
    ) -> Result<NewOrder, Error> {
        let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;

        if order.identifiers.is_empty() {
            return Err(Error::EmptyOrder);
        }

        let url = directory.new_order_url();
        let body = serde_json::to_string(&Jws::new(
            &key,
            Some(self.location.clone()),
            url.to_owned(),
            nonce.to_owned(),
            order,
        )?)?;

        let request = Request {
            url: url.to_owned(),
            method: "POST",
            content_type: crate::request::JSON_CONTENT_TYPE,
            body,
            expected: crate::request::CREATED,
        };

        Ok(NewOrder::new(request))
    }

    /// Prepare a "POST-as-GET" request to fetch data. Low level helper.
    pub fn get_request(&self, url: &str, nonce: &str) -> Result<Request, Error> {
        let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
        let body = serde_json::to_string(&Jws::new_full(
            &key,
            Some(self.location.clone()),
            url.to_owned(),
            nonce.to_owned(),
            String::new(),
        )?)?;

        Ok(Request {
            url: url.to_owned(),
            method: "POST",
            content_type: crate::request::JSON_CONTENT_TYPE,
            body,
            expected: 200,
        })
    }

    /// Prepare a JSON POST request. Low level helper.
    pub fn post_request<T: Serialize>(
        &self,
        url: &str,
        nonce: &str,
        data: &T,
    ) -> Result<Request, Error> {
        let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
        let body = serde_json::to_string(&Jws::new(
            &key,
            Some(self.location.clone()),
            url.to_owned(),
            nonce.to_owned(),
            data,
        )?)?;

        Ok(Request {
            url: url.to_owned(),
            method: "POST",
            content_type: crate::request::JSON_CONTENT_TYPE,
            body,
            expected: 200,
        })
    }

    /// Prepare a JSON POST request.
    fn post_request_raw_payload(
        &self,
        url: &str,
        nonce: &str,
        payload: String,
    ) -> Result<Request, Error> {
        let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
        let body = serde_json::to_string(&Jws::new_full(
            &key,
            Some(self.location.clone()),
            url.to_owned(),
            nonce.to_owned(),
            payload,
        )?)?;

        Ok(Request {
            url: url.to_owned(),
            method: "POST",
            content_type: crate::request::JSON_CONTENT_TYPE,
            body,
            expected: 200,
        })
    }

    /// Get the "key authorization" for a token.
    pub fn key_authorization(&self, token: &str) -> Result<String, Error> {
        let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
        let thumbprint = PublicKey::try_from(&*key)?.thumbprint()?;
        Ok(format!("{}.{}", token, thumbprint))
    }

    /// Get the TXT field value for a dns-01 token. This is the base64url encoded sha256 digest of
    /// the key authorization value.
    pub fn dns_01_txt_value(&self, token: &str) -> Result<String, Error> {
        let key_authorization = self.key_authorization(token)?;
        let digest = openssl::sha::sha256(key_authorization.as_bytes());
        Ok(b64u::encode(&digest))
    }

    /// Prepare a request to update account data.
    ///
    /// This is a rather low level interface. You should know what you're doing.
    pub fn update_account_request<T: Serialize>(
        &self,
        nonce: &str,
        data: &T,
    ) -> Result<Request, Error> {
        self.post_request(&self.location, nonce, data)
    }

    /// Prepare a request to deactivate this account.
    pub fn deactivate_account_request<T: Serialize>(&self, nonce: &str) -> Result<Request, Error> {
        self.post_request_raw_payload(
            &self.location,
            nonce,
            r#"{"status":"deactivated"}"#.to_string(),
        )
    }

    /// Prepare a request to query an Authorization for an Order.
    ///
    /// Returns `Ok(None)` if `auth_index` is out of out of range. You can query the number of
    /// authorizations from via [`Order::authorization_len`] or by manually inspecting its
    /// `.data.authorization` vector.
    pub fn get_authorization(
        &self,
        order: &Order,
        auth_index: usize,
        nonce: &str,
    ) -> Result<Option<GetAuthorization>, Error> {
        match order.authorization(auth_index) {
            None => Ok(None),
            Some(url) => Ok(Some(GetAuthorization::new(self.get_request(url, nonce)?))),
        }
    }

    /// Prepare a request to validate a Challenge from an Authorization.
    ///
    /// Returns `Ok(None)` if `challenge_index` is out of out of range. The challenge count is
    /// available by inspecting the [`Authorization::challenges`] vector.
    ///
    /// This returns a raw `Request` since validation takes some time and the `Authorization`
    /// object has to be re-queried and its `status` inspected.
    pub fn validate_challenge(
        &self,
        authorization: &Authorization,
        challenge_index: usize,
        nonce: &str,
    ) -> Result<Option<Request>, Error> {
        match authorization.challenges.get(challenge_index) {
            None => Ok(None),
            Some(challenge) => self
                .post_request_raw_payload(&challenge.url, nonce, "{}".to_string())
                .map(Some),
        }
    }

    /// Prepare a request to revoke a certificate.
    ///
    /// The certificate can be either PEM or DER formatted.
    ///
    /// Note that this uses the account's key for authorization.
    ///
    /// Revocation using a certificate's private key is not yet implemented.
    pub fn revoke_certificate(
        &self,
        certificate: &[u8],
        reason: Option<u32>,
    ) -> Result<CertificateRevocation, Error> {
        let cert = if certificate.starts_with(b"-----BEGIN CERTIFICATE-----") {
            b64u::encode(&openssl::x509::X509::from_pem(certificate)?.to_der()?)
        } else {
            b64u::encode(certificate)
        };

        let data = match reason {
            Some(reason) => serde_json::json!({ "certificate": cert, "reason": reason }),
            None => serde_json::json!({ "certificate": cert }),
        };

        Ok(CertificateRevocation {
            account: self,
            data,
        })
    }
}

/// Certificate revocation involves converting the certificate to base64url encoded DER and then
/// embedding it in a json structure. Since we also need a nonce and possibly retry the request if
/// a `BadNonce` error happens, this caches the converted data for efficiency.
pub struct CertificateRevocation<'a> {
    account: &'a Account,
    data: Value,
}

impl CertificateRevocation<'_> {
    /// Create the revocation request using the specified nonce for the given directory.
    pub fn request(&self, directory: &Directory, nonce: &str) -> Result<Request, Error> {
        self.account
            .post_request(&directory.data.revoke_cert, nonce, &self.data)
    }
}

/// Status of an ACME account.
#[derive(Clone, Copy, Eq, PartialEq, Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
pub enum AccountStatus {
    /// This is not part of the ACME API, but a temporary marker for us until the ACME provider
    /// tells us the account's real status.
    #[serde(rename = "<invalid>")]
    New,

    /// Means the account is valid and can be used.
    Valid,

    /// The account has been deactivated by its user and cannot be used anymore.
    Deactivated,

    /// The account has been revoked by the server and cannot be used anymore.
    Revoked,
}

impl AccountStatus {
    #[inline]
    fn new() -> Self {
        AccountStatus::New
    }

    #[inline]
    fn is_new(&self) -> bool {
        *self == AccountStatus::New
    }
}

/// ACME Account data. This is the part of the account returned from and possibly sent to the ACME
/// provider. Some fields may be uptdated by the user via a request to the account location, others
/// may not be changed.
#[derive(Clone, Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct AccountData {
    /// The current account status.
    #[serde(
        skip_serializing_if = "AccountStatus::is_new",
        default = "AccountStatus::new"
    )]
    pub status: AccountStatus,

    /// URLs to currently pending orders.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub orders: Option<String>,

    /// The acccount's contact info.
    ///
    /// This usually contains a `"mailto:<email address>"` entry but may also contain some other
    /// data if the server accepts it.
    #[serde(skip_serializing_if = "Vec::is_empty", default)]
    pub contact: Vec<String>,

    /// Indicated whether the user agreed to the ACME provider's terms of service.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub terms_of_service_agreed: Option<bool>,

    /// External account information.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub external_account_binding: Option<ExternalAccountBinding>,

    /// This is only used by the client when querying an account.
    #[serde(default = "default_true", skip_serializing_if = "is_false")]
    pub only_return_existing: bool,

    /// Stores unknown fields if there are any.
    #[serde(flatten, default, skip_serializing_if = "HashMap::is_empty")]
    pub extra: HashMap<String, Value>,
}

#[inline]
fn default_true() -> bool {
    true
}

#[inline]
fn is_false(b: &bool) -> bool {
    !*b
}

/// Helper to create an account.
///
/// This is used to generate a private key and set the contact info for the account. Afterwards the
/// creation request can be created via the [`request`](AccountCreator::request()) method, giving
/// it a nonce and a directory.  This can be repeated, if necessary, like when the nonce fails.
///
/// When the server sends a succesful response, it should be passed to the
/// [`response`](AccountCreator::response()) method to finish the creation of an [`Account`] which
/// can then be persisted.
#[derive(Default)]
#[must_use = "when creating an account you must pass the response to AccountCreator::response()!"]
pub struct AccountCreator {
    contact: Vec<String>,
    terms_of_service_agreed: bool,
    key: Option<PKey<Private>>,
    eab_credentials: Option<(String, PKey<Private>)>,
}

impl AccountCreator {
    /// Replace the contact infor with the provided ACME compatible data.
    pub fn set_contacts(mut self, contact: Vec<String>) -> Self {
        self.contact = contact;
        self
    }

    /// Append a contact string.
    pub fn contact(mut self, contact: String) -> Self {
        self.contact.push(contact);
        self
    }

    /// Append an email address to the contact list.
    pub fn email(self, email: String) -> Self {
        self.contact(format!("mailto:{}", email))
    }

    /// Change whether the account agrees to the terms of service. Use the directory's or client's
    /// `terms_of_service_url()` method to present the user with the Terms of Service.
    pub fn agree_to_tos(mut self, agree: bool) -> Self {
        self.terms_of_service_agreed = agree;
        self
    }

    /// Set the EAB credentials for the account registration
    pub fn set_eab_credentials(mut self, kid: String, hmac_key: String) -> Result<Self, Error> {
        let hmac_key = PKey::hmac(&base64::decode(hmac_key)?)?;
        self.eab_credentials = Some((kid, hmac_key));
        Ok(self)
    }

    /// Generate a new RSA key of the specified key size.
    pub fn generate_rsa_key(self, bits: u32) -> Result<Self, Error> {
        let key = openssl::rsa::Rsa::generate(bits)?;
        Ok(self.with_key(PKey::from_rsa(key)?))
    }

    /// Generate a new P-256 EC key.
    pub fn generate_ec_key(self) -> Result<Self, Error> {
        let key = openssl::ec::EcKey::generate(
            openssl::ec::EcGroup::from_curve_name(openssl::nid::Nid::X9_62_PRIME256V1)?.as_ref(),
        )?;
        Ok(self.with_key(PKey::from_ec_key(key)?))
    }

    /// Use an existing key. Note that only RSA and EC keys using the `P-256` curve are currently
    /// supported, however, this will not be checked at this point.
    pub fn with_key(mut self, key: PKey<Private>) -> Self {
        self.key = Some(key);
        self
    }

    /// Prepare a HTTP request to create this account.
    ///
    /// Changes to the user data made after this will have no effect on the account generated with
    /// the resulting request.
    /// Changing the private key between using the request and passing the response to
    /// [`response`](AccountCreator::response()) will render the account unusable!
    pub fn request(&self, directory: &Directory, nonce: &str) -> Result<Request, Error> {
        let key = self.key.as_deref().ok_or(Error::MissingKey)?;
        let url = directory.new_account_url();

        let external_account_binding = self
            .eab_credentials
            .as_ref()
            .map(|cred| {
                ExternalAccountBinding::new(&cred.0, &cred.1, Jwk::try_from(key)?, url.to_string())
            })
            .transpose()?;

        let data = AccountData {
            orders: None,
            status: AccountStatus::New,
            contact: self.contact.clone(),
            terms_of_service_agreed: if self.terms_of_service_agreed {
                Some(true)
            } else {
                None
            },
            external_account_binding,
            only_return_existing: false,
            extra: HashMap::new(),
        };

        let body = serde_json::to_string(&Jws::new(
            key,
            None,
            url.to_owned(),
            nonce.to_owned(),
            &data,
        )?)?;

        Ok(Request {
            url: url.to_owned(),
            method: "POST",
            content_type: crate::request::JSON_CONTENT_TYPE,
            body,
            expected: crate::request::CREATED,
        })
    }

    /// After issuing the request from [`request()`](AccountCreator::request()), the response's
    /// `Location` header and body must be passed to this for verification and to create an account
    /// which is to be persisted!
    pub fn response(self, location_header: String, response_body: &[u8]) -> Result<Account, Error> {
        let private_key = self
            .key
            .ok_or(Error::MissingKey)?
            .private_key_to_pem_pkcs8()?;
        let private_key = String::from_utf8(private_key).map_err(|_| {
            Error::Custom("PEM key contained illegal non-utf-8 characters".to_string())
        })?;

        Ok(Account {
            location: location_header,
            data: serde_json::from_slice(response_body)
                .map_err(|err| Error::BadAccountData(err.to_string()))?,
            private_key,
        })
    }
}
Commit	Line	Data
47af324d WB	1	//! ACME Account management and creation. The [`Account`] type also contains most of the ACME API
	2	//! entry point helpers.
	3
5aee14ac	4	use std::collections::HashMap;
aa230682 WB	5	use std::convert::TryFrom;
	6
	7	use openssl::pkey::{PKey, Private};
	8	use serde::{Deserialize, Serialize};
	9	use serde_json::Value;
	10
afc59f6d	11	use crate::authorization::{Authorization, GetAuthorization};
aa230682 WB	12	use crate::b64u;
aa230682 WB	13	use crate::directory::Directory;
88f7e190	14	use crate::eab::ExternalAccountBinding;
aa230682	15	use crate::jws::Jws;
88f7e190	16	use crate::key::{Jwk, PublicKey};
afc59f6d	17	use crate::order::{NewOrder, Order, OrderData};
aa230682 WB	18	use crate::request::Request;
	19	use crate::Error;
	20
47af324d WB	21	/// An ACME Account.
	22	///
	23	/// This contains the location URL, the account data and the private key for an account.
	24	/// This can directly be serialized via serde to persist the account.
	25	///
	26	/// In order to register a new account with an ACME provider, see the [`Account::creator`] method.
aa230682 WB	27	#[derive(Deserialize, Serialize)]
	28	#[serde(rename_all = "camelCase")]
	29	pub struct Account {
	30	/// Account location URL.
	31	pub location: String,
	32
	33	/// Acme account data.
	34	pub data: AccountData,
	35
	36	/// base64url encoded PEM formatted private key.
	37	pub private_key: String,
	38	}
	39
	40	impl Account {
47af324d	41	/// Rebuild an account from its components.
aa230682 WB	42	pub fn from_parts(location: String, private_key: String, data: AccountData) -> Self {
	43	Self {
	44	location,
aa230682	45	data,
1d1f80f5	46	private_key,
aa230682 WB	47	}
	48	}
	49
47af324d WB	50	/// Builds an [`AccountCreator`]. This handles creation of the private key and account data as
47af324d WB	51	/// well as handling the response sent by the server for the registration request.
aa230682 WB	52	pub fn creator() -> AccountCreator {
	53	AccountCreator::default()
	54	}
	55
47af324d WB	56	/// Place a new order. This will build a [`NewOrder`] representing an in flight order creation
	57	/// request.
	58	///
aa230682 WB	59	/// The returned `NewOrder`'s `request` option is guaranteed to be `Some(Request)`.
	60	pub fn new_order(
	61	&self,
	62	order: &OrderData,
	63	directory: &Directory,
	64	nonce: &str,
	65	) -> Result<NewOrder, Error> {
	66	let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
	67
	68	if order.identifiers.is_empty() {
	69	return Err(Error::EmptyOrder);
	70	}
	71
	72	let url = directory.new_order_url();
	73	let body = serde_json::to_string(&Jws::new(
	74	&key,
	75	Some(self.location.clone()),
	76	url.to_owned(),
	77	nonce.to_owned(),
	78	order,
	79	)?)?;
	80
	81	let request = Request {
	82	url: url.to_owned(),
	83	method: "POST",
	84	content_type: crate::request::JSON_CONTENT_TYPE,
	85	body,
	86	expected: crate::request::CREATED,
	87	};
	88
	89	Ok(NewOrder::new(request))
	90	}
	91
47af324d	92	/// Prepare a "POST-as-GET" request to fetch data. Low level helper.
aa230682 WB	93	pub fn get_request(&self, url: &str, nonce: &str) -> Result<Request, Error> {
	94	let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
	95	let body = serde_json::to_string(&Jws::new_full(
	96	&key,
	97	Some(self.location.clone()),
	98	url.to_owned(),
	99	nonce.to_owned(),
	100	String::new(),
	101	)?)?;
	102
	103	Ok(Request {
	104	url: url.to_owned(),
	105	method: "POST",
	106	content_type: crate::request::JSON_CONTENT_TYPE,
	107	body,
	108	expected: 200,
	109	})
	110	}
	111
47af324d	112	/// Prepare a JSON POST request. Low level helper.
aa230682 WB	113	pub fn post_request<T: Serialize>(
	114	&self,
	115	url: &str,
	116	nonce: &str,
	117	data: &T,
	118	) -> Result<Request, Error> {
	119	let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
	120	let body = serde_json::to_string(&Jws::new(
	121	&key,
	122	Some(self.location.clone()),
	123	url.to_owned(),
	124	nonce.to_owned(),
	125	data,
	126	)?)?;
	127
	128	Ok(Request {
	129	url: url.to_owned(),
	130	method: "POST",
	131	content_type: crate::request::JSON_CONTENT_TYPE,
	132	body,
	133	expected: 200,
	134	})
	135	}
	136
afc59f6d WB	137	/// Prepare a JSON POST request.
	138	fn post_request_raw_payload(
	139	&self,
	140	url: &str,
	141	nonce: &str,
	142	payload: String,
	143	) -> Result<Request, Error> {
	144	let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
	145	let body = serde_json::to_string(&Jws::new_full(
	146	&key,
	147	Some(self.location.clone()),
	148	url.to_owned(),
	149	nonce.to_owned(),
	150	payload,
	151	)?)?;
	152
	153	Ok(Request {
	154	url: url.to_owned(),
	155	method: "POST",
	156	content_type: crate::request::JSON_CONTENT_TYPE,
	157	body,
	158	expected: 200,
	159	})
	160	}
	161
aa230682 WB	162	/// Get the "key authorization" for a token.
	163	pub fn key_authorization(&self, token: &str) -> Result<String, Error> {
	164	let key = PKey::private_key_from_pem(self.private_key.as_bytes())?;
	165	let thumbprint = PublicKey::try_from(&*key)?.thumbprint()?;
	166	Ok(format!("{}.{}", token, thumbprint))
	167	}
	168
	169	/// Get the TXT field value for a dns-01 token. This is the base64url encoded sha256 digest of
	170	/// the key authorization value.
	171	pub fn dns_01_txt_value(&self, token: &str) -> Result<String, Error> {
	172	let key_authorization = self.key_authorization(token)?;
	173	let digest = openssl::sha::sha256(key_authorization.as_bytes());
	174	Ok(b64u::encode(&digest))
	175	}
afc59f6d WB	176
	177	/// Prepare a request to update account data.
	178	///
	179	/// This is a rather low level interface. You should know what you're doing.
	180	pub fn update_account_request<T: Serialize>(
	181	&self,
	182	nonce: &str,
	183	data: &T,
	184	) -> Result<Request, Error> {
	185	self.post_request(&self.location, nonce, data)
	186	}
	187
	188	/// Prepare a request to deactivate this account.
afc59f6d WB	189	pub fn deactivate_account_request<T: Serialize>(&self, nonce: &str) -> Result<Request, Error> {
	190	self.post_request_raw_payload(
	191	&self.location,
	192	nonce,
	193	r#"{"status":"deactivated"}"#.to_string(),
	194	)
	195	}
	196
	197	/// Prepare a request to query an Authorization for an Order.
	198	///
	199	/// Returns `Ok(None)` if `auth_index` is out of out of range. You can query the number of
	200	/// authorizations from via [`Order::authorization_len`] or by manually inspecting its
	201	/// `.data.authorization` vector.
	202	pub fn get_authorization(
	203	&self,
	204	order: &Order,
	205	auth_index: usize,
	206	nonce: &str,
	207	) -> Result<Option<GetAuthorization>, Error> {
	208	match order.authorization(auth_index) {
	209	None => Ok(None),
	210	Some(url) => Ok(Some(GetAuthorization::new(self.get_request(url, nonce)?))),
	211	}
	212	}
	213
	214	/// Prepare a request to validate a Challenge from an Authorization.
	215	///
7bd0bfe1 WB	216	/// Returns `Ok(None)` if `challenge_index` is out of out of range. The challenge count is
7bd0bfe1 WB	217	/// available by inspecting the [`Authorization::challenges`] vector.
afc59f6d WB	218	///
	219	/// This returns a raw `Request` since validation takes some time and the `Authorization`
	220	/// object has to be re-queried and its `status` inspected.
	221	pub fn validate_challenge(
	222	&self,
	223	authorization: &Authorization,
	224	challenge_index: usize,
	225	nonce: &str,
	226	) -> Result<Option<Request>, Error> {
	227	match authorization.challenges.get(challenge_index) {
	228	None => Ok(None),
	229	Some(challenge) => self
	230	.post_request_raw_payload(&challenge.url, nonce, "{}".to_string())
	231	.map(Some),
	232	}
	233	}
558f51a1 WB	234
	235	/// Prepare a request to revoke a certificate.
	236	///
	237	/// The certificate can be either PEM or DER formatted.
	238	///
	239	/// Note that this uses the account's key for authorization.
	240	///
	241	/// Revocation using a certificate's private key is not yet implemented.
	242	pub fn revoke_certificate(
	243	&self,
	244	certificate: &[u8],
	245	reason: Option<u32>,
	246	) -> Result<CertificateRevocation, Error> {
	247	let cert = if certificate.starts_with(b"-----BEGIN CERTIFICATE-----") {
	248	b64u::encode(&openssl::x509::X509::from_pem(certificate)?.to_der()?)
	249	} else {
	250	b64u::encode(certificate)
	251	};
	252
	253	let data = match reason {
	254	Some(reason) => serde_json::json!({ "certificate": cert, "reason": reason }),
	255	None => serde_json::json!({ "certificate": cert }),
	256	};
	257
	258	Ok(CertificateRevocation {
	259	account: self,
	260	data,
	261	})
	262	}
	263	}
	264
	265	/// Certificate revocation involves converting the certificate to base64url encoded DER and then
	266	/// embedding it in a json structure. Since we also need a nonce and possibly retry the request if
	267	/// a `BadNonce` error happens, this caches the converted data for efficiency.
	268	pub struct CertificateRevocation<'a> {
	269	account: &'a Account,
	270	data: Value,
	271	}
	272
	273	impl CertificateRevocation<'_> {
47af324d	274	/// Create the revocation request using the specified nonce for the given directory.
558f51a1	275	pub fn request(&self, directory: &Directory, nonce: &str) -> Result<Request, Error> {
f406e6fb WB	276	self.account
f406e6fb WB	277	.post_request(&directory.data.revoke_cert, nonce, &self.data)
558f51a1	278	}
aa230682 WB	279	}
aa230682 WB	280
47af324d	281	/// Status of an ACME account.
aa230682 WB	282	#[derive(Clone, Copy, Eq, PartialEq, Deserialize, Serialize)]
	283	#[serde(rename_all = "camelCase")]
	284	pub enum AccountStatus {
47af324d WB	285	/// This is not part of the ACME API, but a temporary marker for us until the ACME provider
47af324d WB	286	/// tells us the account's real status.
aa230682 WB	287	#[serde(rename = "<invalid>")]
aa230682 WB	288	New,
47af324d WB	289
47af324d WB	290	/// Means the account is valid and can be used.
aa230682	291	Valid,
47af324d WB	292
47af324d WB	293	/// The account has been deactivated by its user and cannot be used anymore.
aa230682	294	Deactivated,
47af324d WB	295
47af324d WB	296	/// The account has been revoked by the server and cannot be used anymore.
aa230682 WB	297	Revoked,
	298	}
	299
	300	impl AccountStatus {
	301	#[inline]
	302	fn new() -> Self {
	303	AccountStatus::New
	304	}
	305
	306	#[inline]
	307	fn is_new(&self) -> bool {
	308	*self == AccountStatus::New
	309	}
	310	}
	311
47af324d WB	312	/// ACME Account data. This is the part of the account returned from and possibly sent to the ACME
	313	/// provider. Some fields may be uptdated by the user via a request to the account location, others
	314	/// may not be changed.
aa230682 WB	315	#[derive(Clone, Deserialize, Serialize)]
	316	#[serde(rename_all = "camelCase")]
	317	pub struct AccountData {
47af324d	318	/// The current account status.
aa230682 WB	319	#[serde(
	320	skip_serializing_if = "AccountStatus::is_new",
	321	default = "AccountStatus::new"
	322	)]
cbfeb58c	323	pub status: AccountStatus,
aa230682	324
47af324d	325	/// URLs to currently pending orders.
aa230682	326	#[serde(skip_serializing_if = "Option::is_none")]
cbfeb58c	327	pub orders: Option<String>,
aa230682	328
47af324d WB	329	/// The acccount's contact info.
	330	///
	331	/// This usually contains a `"mailto:<email address>"` entry but may also contain some other
	332	/// data if the server accepts it.
aa230682	333	#[serde(skip_serializing_if = "Vec::is_empty", default)]
cbfeb58c	334	pub contact: Vec<String>,
aa230682	335
47af324d	336	/// Indicated whether the user agreed to the ACME provider's terms of service.
aa230682	337	#[serde(skip_serializing_if = "Option::is_none")]
cbfeb58c	338	pub terms_of_service_agreed: Option<bool>,
aa230682	339
88f7e190	340	/// External account information.
aa230682	341	#[serde(skip_serializing_if = "Option::is_none")]
88f7e190	342	pub external_account_binding: Option<ExternalAccountBinding>,
aa230682	343
47af324d	344	/// This is only used by the client when querying an account.
aa230682	345	#[serde(default = "default_true", skip_serializing_if = "is_false")]
cbfeb58c	346	pub only_return_existing: bool,
5aee14ac	347
47af324d	348	/// Stores unknown fields if there are any.
5aee14ac WB	349	#[serde(flatten, default, skip_serializing_if = "HashMap::is_empty")]
5aee14ac WB	350	pub extra: HashMap<String, Value>,
aa230682 WB	351	}
	352
	353	#[inline]
	354	fn default_true() -> bool {
	355	true
	356	}
	357
	358	#[inline]
	359	fn is_false(b: &bool) -> bool {
	360	!*b
	361	}
	362
47af324d WB	363	/// Helper to create an account.
	364	///
	365	/// This is used to generate a private key and set the contact info for the account. Afterwards the
7bd0bfe1 WB	366	/// creation request can be created via the [`request`](AccountCreator::request()) method, giving
7bd0bfe1 WB	367	/// it a nonce and a directory. This can be repeated, if necessary, like when the nonce fails.
47af324d	368	///
7bd0bfe1 WB	369	/// When the server sends a succesful response, it should be passed to the
	370	/// [`response`](AccountCreator::response()) method to finish the creation of an [`Account`] which
	371	/// can then be persisted.
aa230682 WB	372	#[derive(Default)]
	373	#[must_use = "when creating an account you must pass the response to AccountCreator::response()!"]
	374	pub struct AccountCreator {
	375	contact: Vec<String>,
	376	terms_of_service_agreed: bool,
	377	key: Option<PKey<Private>>,
88f7e190	378	eab_credentials: Option<(String, PKey<Private>)>,
aa230682 WB	379	}
	380
	381	impl AccountCreator {
	382	/// Replace the contact infor with the provided ACME compatible data.
	383	pub fn set_contacts(mut self, contact: Vec<String>) -> Self {
	384	self.contact = contact;
	385	self
	386	}
	387
	388	/// Append a contact string.
	389	pub fn contact(mut self, contact: String) -> Self {
	390	self.contact.push(contact);
	391	self
	392	}
	393
	394	/// Append an email address to the contact list.
	395	pub fn email(self, email: String) -> Self {
	396	self.contact(format!("mailto:{}", email))
	397	}
	398
	399	/// Change whether the account agrees to the terms of service. Use the directory's or client's
	400	/// `terms_of_service_url()` method to present the user with the Terms of Service.
	401	pub fn agree_to_tos(mut self, agree: bool) -> Self {
	402	self.terms_of_service_agreed = agree;
	403	self
	404	}
	405
88f7e190 FG	406	/// Set the EAB credentials for the account registration
	407	pub fn set_eab_credentials(mut self, kid: String, hmac_key: String) -> Result<Self, Error> {
	408	let hmac_key = PKey::hmac(&base64::decode(hmac_key)?)?;
	409	self.eab_credentials = Some((kid, hmac_key));
	410	Ok(self)
	411	}
	412
aa230682 WB	413	/// Generate a new RSA key of the specified key size.
	414	pub fn generate_rsa_key(self, bits: u32) -> Result<Self, Error> {
	415	let key = openssl::rsa::Rsa::generate(bits)?;
	416	Ok(self.with_key(PKey::from_rsa(key)?))
	417	}
	418
	419	/// Generate a new P-256 EC key.
	420	pub fn generate_ec_key(self) -> Result<Self, Error> {
	421	let key = openssl::ec::EcKey::generate(
	422	openssl::ec::EcGroup::from_curve_name(openssl::nid::Nid::X9_62_PRIME256V1)?.as_ref(),
	423	)?;
	424	Ok(self.with_key(PKey::from_ec_key(key)?))
	425	}
	426
	427	/// Use an existing key. Note that only RSA and EC keys using the `P-256` curve are currently
	428	/// supported, however, this will not be checked at this point.
	429	pub fn with_key(mut self, key: PKey<Private>) -> Self {
	430	self.key = Some(key);
	431	self
	432	}
	433
	434	/// Prepare a HTTP request to create this account.
	435	///
	436	/// Changes to the user data made after this will have no effect on the account generated with
	437	/// the resulting request.
	438	/// Changing the private key between using the request and passing the response to
7bd0bfe1	439	/// [`response`](AccountCreator::response()) will render the account unusable!
aa230682	440	pub fn request(&self, directory: &Directory, nonce: &str) -> Result<Request, Error> {
95381262	441	let key = self.key.as_deref().ok_or(Error::MissingKey)?;
88f7e190 FG	442	let url = directory.new_account_url();
	443
	444	let external_account_binding = self
	445	.eab_credentials
	446	.as_ref()
	447	.map(\|cred\| {
	448	ExternalAccountBinding::new(&cred.0, &cred.1, Jwk::try_from(key)?, url.to_string())
	449	})
	450	.transpose()?;
aa230682 WB	451
	452	let data = AccountData {
	453	orders: None,
	454	status: AccountStatus::New,
	455	contact: self.contact.clone(),
	456	terms_of_service_agreed: if self.terms_of_service_agreed {
	457	Some(true)
	458	} else {
	459	None
	460	},
88f7e190	461	external_account_binding,
aa230682	462	only_return_existing: false,
5aee14ac	463	extra: HashMap::new(),
aa230682 WB	464	};
aa230682 WB	465
aa230682 WB	466	let body = serde_json::to_string(&Jws::new(
	467	key,
	468	None,
	469	url.to_owned(),
	470	nonce.to_owned(),
	471	&data,
	472	)?)?;
	473
	474	Ok(Request {
	475	url: url.to_owned(),
	476	method: "POST",
	477	content_type: crate::request::JSON_CONTENT_TYPE,
	478	body,
	479	expected: crate::request::CREATED,
	480	})
	481	}
	482
7bd0bfe1 WB	483	/// After issuing the request from [`request()`](AccountCreator::request()), the response's
	484	/// `Location` header and body must be passed to this for verification and to create an account
	485	/// which is to be persisted!
aa230682 WB	486	pub fn response(self, location_header: String, response_body: &[u8]) -> Result<Account, Error> {
	487	let private_key = self
	488	.key
	489	.ok_or(Error::MissingKey)?
	490	.private_key_to_pem_pkcs8()?;
	491	let private_key = String::from_utf8(private_key).map_err(\|_\| {
95381262	492	Error::Custom("PEM key contained illegal non-utf-8 characters".to_string())
aa230682 WB	493	})?;
	494
	495	Ok(Account {
	496	location: location_header,
	497	data: serde_json::from_slice(response_body)
	498	.map_err(\|err\| Error::BadAccountData(err.to_string()))?,
	499	private_key,
	500	})
	501	}
	502	}