1 //! ACME Account management and creation. The [`Account`] type also contains most of the ACME API
2 //! entry point helpers.
4 use std
::collections
::HashMap
;
5 use std
::convert
::TryFrom
;
7 use openssl
::pkey
::{PKey, Private}
;
8 use serde
::{Deserialize, Serialize}
;
11 use crate::authorization
::{Authorization, GetAuthorization}
;
13 use crate::directory
::Directory
;
15 use crate::key
::PublicKey
;
16 use crate::order
::{NewOrder, Order, OrderData}
;
17 use crate::request
::Request
;
22 /// This contains the location URL, the account data and the private key for an account.
23 /// This can directly be serialized via serde to persist the account.
25 /// In order to register a new account with an ACME provider, see the [`Account::creator`] method.
26 #[derive(Deserialize, Serialize)]
27 #[serde(rename_all = "camelCase")]
29 /// Account location URL.
32 /// Acme account data.
33 pub data
: AccountData
,
35 /// base64url encoded PEM formatted private key.
36 pub private_key
: String
,
40 /// Rebuild an account from its components.
41 pub fn from_parts(location
: String
, private_key
: String
, data
: AccountData
) -> Self {
49 /// Builds an [`AccountCreator`]. This handles creation of the private key and account data as
50 /// well as handling the response sent by the server for the registration request.
51 pub fn creator() -> AccountCreator
{
52 AccountCreator
::default()
55 /// Place a new order. This will build a [`NewOrder`] representing an in flight order creation
58 /// The returned `NewOrder`'s `request` option is *guaranteed* to be `Some(Request)`.
62 directory
: &Directory
,
64 ) -> Result
<NewOrder
, Error
> {
65 let key
= PKey
::private_key_from_pem(self.private_key
.as_bytes())?
;
67 if order
.identifiers
.is_empty() {
68 return Err(Error
::EmptyOrder
);
71 let url
= directory
.new_order_url();
72 let body
= serde_json
::to_string(&Jws
::new(
74 Some(self.location
.clone()),
80 let request
= Request
{
83 content_type
: crate::request
::JSON_CONTENT_TYPE
,
85 expected
: crate::request
::CREATED
,
88 Ok(NewOrder
::new(request
))
91 /// Prepare a "POST-as-GET" request to fetch data. Low level helper.
92 pub fn get_request(&self, url
: &str, nonce
: &str) -> Result
<Request
, Error
> {
93 let key
= PKey
::private_key_from_pem(self.private_key
.as_bytes())?
;
94 let body
= serde_json
::to_string(&Jws
::new_full(
96 Some(self.location
.clone()),
105 content_type
: crate::request
::JSON_CONTENT_TYPE
,
111 /// Prepare a JSON POST request. Low level helper.
112 pub fn post_request
<T
: Serialize
>(
117 ) -> Result
<Request
, Error
> {
118 let key
= PKey
::private_key_from_pem(self.private_key
.as_bytes())?
;
119 let body
= serde_json
::to_string(&Jws
::new(
121 Some(self.location
.clone()),
130 content_type
: crate::request
::JSON_CONTENT_TYPE
,
136 /// Prepare a JSON POST request.
137 fn post_request_raw_payload(
142 ) -> Result
<Request
, Error
> {
143 let key
= PKey
::private_key_from_pem(self.private_key
.as_bytes())?
;
144 let body
= serde_json
::to_string(&Jws
::new_full(
146 Some(self.location
.clone()),
155 content_type
: crate::request
::JSON_CONTENT_TYPE
,
161 /// Get the "key authorization" for a token.
162 pub fn key_authorization(&self, token
: &str) -> Result
<String
, Error
> {
163 let key
= PKey
::private_key_from_pem(self.private_key
.as_bytes())?
;
164 let thumbprint
= PublicKey
::try_from(&*key
)?
.thumbprint()?
;
165 Ok(format
!("{}.{}", token
, thumbprint
))
168 /// Get the TXT field value for a dns-01 token. This is the base64url encoded sha256 digest of
169 /// the key authorization value.
170 pub fn dns_01_txt_value(&self, token
: &str) -> Result
<String
, Error
> {
171 let key_authorization
= self.key_authorization(token
)?
;
172 let digest
= openssl
::sha
::sha256(key_authorization
.as_bytes());
173 Ok(b64u
::encode(&digest
))
176 /// Prepare a request to update account data.
178 /// This is a rather low level interface. You should know what you're doing.
179 pub fn update_account_request
<T
: Serialize
>(
183 ) -> Result
<Request
, Error
> {
184 self.post_request(&self.location
, nonce
, data
)
187 /// Prepare a request to deactivate this account.
188 pub fn deactivate_account_request
<T
: Serialize
>(&self, nonce
: &str) -> Result
<Request
, Error
> {
189 self.post_request_raw_payload(
192 r
#"{"status":"deactivated"}"#.to_string(),
196 /// Prepare a request to query an Authorization for an Order.
198 /// Returns `Ok(None)` if `auth_index` is out of out of range. You can query the number of
199 /// authorizations from via [`Order::authorization_len`] or by manually inspecting its
200 /// `.data.authorization` vector.
201 pub fn get_authorization(
206 ) -> Result
<Option
<GetAuthorization
>, Error
> {
207 match order
.authorization(auth_index
) {
209 Some(url
) => Ok(Some(GetAuthorization
::new(self.get_request(url
, nonce
)?
))),
213 /// Prepare a request to validate a Challenge from an Authorization.
215 /// Returns `Ok(None)` if `challenge_index` is out of out of range. The challenge count is
216 /// available by inspecting the [`Authorization::challenges`] vector.
218 /// This returns a raw `Request` since validation takes some time and the `Authorization`
219 /// object has to be re-queried and its `status` inspected.
220 pub fn validate_challenge(
222 authorization
: &Authorization
,
223 challenge_index
: usize,
225 ) -> Result
<Option
<Request
>, Error
> {
226 match authorization
.challenges
.get(challenge_index
) {
228 Some(challenge
) => self
229 .post_request_raw_payload(&challenge
.url
, nonce
, "{}".to_string())
234 /// Prepare a request to revoke a certificate.
236 /// The certificate can be either PEM or DER formatted.
238 /// Note that this uses the account's key for authorization.
240 /// Revocation using a certificate's private key is not yet implemented.
241 pub fn revoke_certificate(
245 ) -> Result
<CertificateRevocation
, Error
> {
246 let cert
= if certificate
.starts_with(b
"-----BEGIN CERTIFICATE-----") {
247 b64u
::encode(&openssl
::x509
::X509
::from_pem(certificate
)?
.to_der()?
)
249 b64u
::encode(certificate
)
252 let data
= match reason
{
253 Some(reason
) => serde_json
::json
!({ "certificate": cert, "reason": reason }
),
254 None
=> serde_json
::json
!({ "certificate": cert }
),
257 Ok(CertificateRevocation
{
264 /// Certificate revocation involves converting the certificate to base64url encoded DER and then
265 /// embedding it in a json structure. Since we also need a nonce and possibly retry the request if
266 /// a `BadNonce` error happens, this caches the converted data for efficiency.
267 pub struct CertificateRevocation
<'a
> {
268 account
: &'a Account
,
272 impl CertificateRevocation
<'_
> {
273 /// Create the revocation request using the specified nonce for the given directory.
274 pub fn request(&self, directory
: &Directory
, nonce
: &str) -> Result
<Request
, Error
> {
276 .post_request(&directory
.data
.revoke_cert
, nonce
, &self.data
)
280 /// Status of an ACME account.
281 #[derive(Clone, Copy, Eq, PartialEq, Deserialize, Serialize)]
282 #[serde(rename_all = "camelCase")]
283 pub enum AccountStatus
{
284 /// This is not part of the ACME API, but a temporary marker for us until the ACME provider
285 /// tells us the account's real status.
286 #[serde(rename = "<invalid>")]
289 /// Means the account is valid and can be used.
292 /// The account has been deactivated by its user and cannot be used anymore.
295 /// The account has been revoked by the server and cannot be used anymore.
306 fn is_new(&self) -> bool
{
307 *self == AccountStatus
::New
311 /// ACME Account data. This is the part of the account returned from and possibly sent to the ACME
312 /// provider. Some fields may be uptdated by the user via a request to the account location, others
313 /// may not be changed.
314 #[derive(Clone, Deserialize, Serialize)]
315 #[serde(rename_all = "camelCase")]
316 pub struct AccountData
{
317 /// The current account status.
319 skip_serializing_if
= "AccountStatus::is_new",
320 default = "AccountStatus::new"
322 pub status
: AccountStatus
,
324 /// URLs to currently pending orders.
325 #[serde(skip_serializing_if = "Option::is_none")]
326 pub orders
: Option
<String
>,
328 /// The acccount's contact info.
330 /// This usually contains a `"mailto:<email address>"` entry but may also contain some other
331 /// data if the server accepts it.
332 #[serde(skip_serializing_if = "Vec::is_empty", default)]
333 pub contact
: Vec
<String
>,
335 /// Indicated whether the user agreed to the ACME provider's terms of service.
336 #[serde(skip_serializing_if = "Option::is_none")]
337 pub terms_of_service_agreed
: Option
<bool
>,
339 /// External account information. This is currently not directly supported in any way and only
340 /// stored to completeness.
341 #[serde(skip_serializing_if = "Option::is_none")]
342 pub external_account_binding
: Option
<Value
>,
344 /// This is only used by the client when querying an account.
345 #[serde(default = "default_true", skip_serializing_if = "is_false")]
346 pub only_return_existing
: bool
,
348 /// Stores unknown fields if there are any.
349 #[serde(flatten, default, skip_serializing_if = "HashMap::is_empty")]
350 pub extra
: HashMap
<String
, Value
>,
354 fn default_true() -> bool
{
359 fn is_false(b
: &bool
) -> bool
{
363 /// Helper to create an account.
365 /// This is used to generate a private key and set the contact info for the account. Afterwards the
366 /// creation request can be created via the [`request`](AccountCreator::request()) method, giving
367 /// it a nonce and a directory. This can be repeated, if necessary, like when the nonce fails.
369 /// When the server sends a succesful response, it should be passed to the
370 /// [`response`](AccountCreator::response()) method to finish the creation of an [`Account`] which
371 /// can then be persisted.
373 #[must_use = "when creating an account you must pass the response to AccountCreator::response()!"]
374 pub struct AccountCreator
{
375 contact
: Vec
<String
>,
376 terms_of_service_agreed
: bool
,
377 key
: Option
<PKey
<Private
>>,
380 impl AccountCreator
{
381 /// Replace the contact infor with the provided ACME compatible data.
382 pub fn set_contacts(mut self, contact
: Vec
<String
>) -> Self {
383 self.contact
= contact
;
387 /// Append a contact string.
388 pub fn contact(mut self, contact
: String
) -> Self {
389 self.contact
.push(contact
);
393 /// Append an email address to the contact list.
394 pub fn email(self, email
: String
) -> Self {
395 self.contact(format
!("mailto:{}", email
))
398 /// Change whether the account agrees to the terms of service. Use the directory's or client's
399 /// `terms_of_service_url()` method to present the user with the Terms of Service.
400 pub fn agree_to_tos(mut self, agree
: bool
) -> Self {
401 self.terms_of_service_agreed
= agree
;
405 /// Generate a new RSA key of the specified key size.
406 pub fn generate_rsa_key(self, bits
: u32) -> Result
<Self, Error
> {
407 let key
= openssl
::rsa
::Rsa
::generate(bits
)?
;
408 Ok(self.with_key(PKey
::from_rsa(key
)?
))
411 /// Generate a new P-256 EC key.
412 pub fn generate_ec_key(self) -> Result
<Self, Error
> {
413 let key
= openssl
::ec
::EcKey
::generate(
414 openssl
::ec
::EcGroup
::from_curve_name(openssl
::nid
::Nid
::X9_62_PRIME256V1
)?
.as_ref(),
416 Ok(self.with_key(PKey
::from_ec_key(key
)?
))
419 /// Use an existing key. Note that only RSA and EC keys using the `P-256` curve are currently
420 /// supported, however, this will not be checked at this point.
421 pub fn with_key(mut self, key
: PKey
<Private
>) -> Self {
422 self.key
= Some(key
);
426 /// Prepare a HTTP request to create this account.
428 /// Changes to the user data made after this will have no effect on the account generated with
429 /// the resulting request.
430 /// Changing the private key between using the request and passing the response to
431 /// [`response`](AccountCreator::response()) will render the account unusable!
432 pub fn request(&self, directory
: &Directory
, nonce
: &str) -> Result
<Request
, Error
> {
433 let key
= self.key
.as_deref().ok_or(Error
::MissingKey
)?
;
435 let data
= AccountData
{
437 status
: AccountStatus
::New
,
438 contact
: self.contact
.clone(),
439 terms_of_service_agreed
: if self.terms_of_service_agreed
{
444 external_account_binding
: None
,
445 only_return_existing
: false,
446 extra
: HashMap
::new(),
449 let url
= directory
.new_account_url();
450 let body
= serde_json
::to_string(&Jws
::new(
461 content_type
: crate::request
::JSON_CONTENT_TYPE
,
463 expected
: crate::request
::CREATED
,
467 /// After issuing the request from [`request()`](AccountCreator::request()), the response's
468 /// `Location` header and body must be passed to this for verification and to create an account
469 /// which is to be persisted!
470 pub fn response(self, location_header
: String
, response_body
: &[u8]) -> Result
<Account
, Error
> {
471 let private_key
= self
473 .ok_or(Error
::MissingKey
)?
474 .private_key_to_pem_pkcs8()?
;
475 let private_key
= String
::from_utf8(private_key
).map_err(|_
| {
476 Error
::Custom("PEM key contained illegal non-utf-8 characters".to_string())
480 location
: location_header
,
481 data
: serde_json
::from_slice(response_body
)
482 .map_err(|err
| Error
::BadAccountData(err
.to_string()))?
,