File Coverage

blib/lib/Net/ACME2/Challenge/tls_alpn_01.pm

Criterion	Covered	Total	%
statement	31	31	100.0
branch	1	2	50.0
condition			n/a
subroutine	7	7	100.0
pod	1	1	100.0
total	40	41	97.5

line	stmt	bran	sub	pod	time	code
1						package Net::ACME2::Challenge::tls_alpn_01;
2
3	2		2		13	use strict;
	2				5
	2				55
4	2		2		9	use warnings;
	2				4
	2				106
5
6						=encoding utf-8
7
8						=head1 NAME
9
10						Net::ACME2::Challenge::tls_alpn_01
11
12						=head1 DESCRIPTION
13
14						This module is instantiated by L and is a
15						subclass of L.
16
17						This module is EXPERIMENTAL, subject to finalization of the challenge
18						method described at L.
19
20						=cut
21
22	2		2		15	use parent qw( Net::ACME2::Challenge );
	2				6
	2				12
23
24						use constant {
25	2				166	_VALIDITY_DELTA => 2 * 86400,
26	2		2		147	};
	2				5
27
28						=head1 METHODS
29
30						=head2 I->KEY()
31
32						Returns the private key (in PEM format) that is used to sign the
33						certificates that this module generates. The key does not need to be kept
34						secret; it’s just here because TLS implementations want it.
35
36						=cut
37
38						# NB: tls-alpn-01 doesn’t set any requirement for the key that signs
39						# the certificate. prime256v1 will get us the smallest certificate in
40						# the least amount of time. There’s no need to protect the key itself.
41	2		2		13	use constant KEY => <
	2				4
	2				101
42						-----BEGIN PRIVATE KEY-----
43						MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg+ja8vtIRQUTb11MC
44						elKer3JSgd3SYqNuSpQO+wTSkLGhRANCAATM+733J/pbsQASVQm08GoqHX4B7TKS
45						jijjtiQfzx/O9Dbr982LcWk1eaiYL/s3gzy5zodiIWu82PmorYkyJzLf
46						-----END PRIVATE KEY-----
47						END
48
49						# This will depend on the key length.
50	2		2		13	use constant _SIGNATURE_ALGORITHM => 'sha256';
	2				3
	2				512
51
52						=head2 I->create_certificate( $ACME, $DOMAIN )
53
54						Returns an X.509 certificate that you can use to complete the challenge.
55
56						The certificate is given in PEM encoding; L can easily
57						convert it to DER if you prefer.
58
59						=cut
60
61						sub create_certificate {
62	1		1	1	30767	my ($self, $acme, $domain) = @_;
63
64	1	50			6	die "Need a domain!" if !$domain;
65
66	1				12	require Crypt::Perl::PK;
67	1				868	require Crypt::Perl::X509v3;
68	1				7442	require Digest::SHA;
69
70	1				8	my $priv_key = Crypt::Perl::PK::parse_key( KEY() );
71
72	1				128121	my $now = time;
73
74	1				13	my $key_authz = $acme->make_key_authorization($self);
75
76	1				20	my $key_authz_sha = Digest::SHA::sha256($key_authz);
77
78	1				6	my @name = ( [ commonName => $domain ] );
79
80	1				8	my $cert = Crypt::Perl::X509v3->new(
81						key => $priv_key->get_public_key(),
82						subject => \@name,
83						issuer => \@name,
84						not_after => $now + _VALIDITY_DELTA(),
85						not_before => $now - _VALIDITY_DELTA(),
86						extensions => [
87						[ subjectAltName => [ dNSName => $domain ] ],
88						[ 'acmeValidation-v1' => Digest::SHA::sha256($key_authz) ],
89						],
90						);
91
92	1				29151	$cert->sign( $priv_key, _SIGNATURE_ALGORITHM() );
93
94	1				6304235	return $cert->to_pem();
95						}
96
97						1;