line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Protocol::ACME; |
2
|
|
|
|
|
|
|
|
3
|
6
|
|
|
6
|
|
195485
|
use 5.007003; |
|
6
|
|
|
|
|
13
|
|
4
|
6
|
|
|
6
|
|
18
|
use strict; |
|
6
|
|
|
|
|
7
|
|
|
6
|
|
|
|
|
101
|
|
5
|
6
|
|
|
6
|
|
18
|
use warnings; |
|
6
|
|
|
|
|
5
|
|
|
6
|
|
|
|
|
513
|
|
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
our $VERSION = '1.01'; |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
=head1 NAME |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
Protocol::ACME - Interface to the Let's Encrypt ACME API |
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
=head1 VERSION |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
Version 1.01 |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
=head1 SYNOPSIS |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
use Protocol::ACME; |
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
my @names = qw( www.example.com cloud.example.com ); |
23
|
|
|
|
|
|
|
|
24
|
|
|
|
|
|
|
my $challenges = { |
25
|
|
|
|
|
|
|
'www.example.com' => Protocol::ACME::Challenge::SimpleSSH->new( |
26
|
|
|
|
|
|
|
{ ssh_host => "host1", www_root => "~/www" } |
27
|
|
|
|
|
|
|
), |
28
|
|
|
|
|
|
|
'cloud.example.com' => Protocol::ACME::Challenge::SimpleSSH->new( |
29
|
|
|
|
|
|
|
{ ssh_host => "home2", www_root => "/opt/local/www/htdocs" } |
30
|
|
|
|
|
|
|
) |
31
|
|
|
|
|
|
|
}; |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
eval |
34
|
|
|
|
|
|
|
{ |
35
|
|
|
|
|
|
|
my $acme = Protocol::ACME->new( host => $host, |
36
|
|
|
|
|
|
|
account_key => $account_key_pem_or_der, |
37
|
|
|
|
|
|
|
); |
38
|
|
|
|
|
|
|
|
39
|
|
|
|
|
|
|
$acme->directory(); |
40
|
|
|
|
|
|
|
$acme->register(); |
41
|
|
|
|
|
|
|
$acme->accept_tos(); |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
for my $domain ( @names ) |
44
|
|
|
|
|
|
|
{ |
45
|
|
|
|
|
|
|
$acme->authz( $domain ); |
46
|
|
|
|
|
|
|
$acme->handle_challenge( $challenges->{$domain} ); |
47
|
|
|
|
|
|
|
$acme->check_challenge(); |
48
|
|
|
|
|
|
|
$acme->cleanup_challenge( $challenges->{$domain} ); |
49
|
|
|
|
|
|
|
} |
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
my $cert = $acme->sign( $csr_file ); |
52
|
|
|
|
|
|
|
}; |
53
|
|
|
|
|
|
|
if ( $@ ) |
54
|
|
|
|
|
|
|
{ |
55
|
|
|
|
|
|
|
die if !UNIVERSAL::isa($@, 'Protocol::ACME::Exception'); |
56
|
|
|
|
|
|
|
die "Error occurred: Status: $@->{status}, |
57
|
|
|
|
|
|
|
Detail: $@->{detail}, |
58
|
|
|
|
|
|
|
Type: $@->{type}\n"; |
59
|
|
|
|
|
|
|
} |
60
|
|
|
|
|
|
|
else |
61
|
|
|
|
|
|
|
{ |
62
|
|
|
|
|
|
|
# do something appropriate with the DER encoded cert |
63
|
|
|
|
|
|
|
print "Success\n"; |
64
|
|
|
|
|
|
|
} |
65
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
=head1 DESCRIPTION |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
The C is a class implementing an interface for the |
69
|
|
|
|
|
|
|
Let's Encrypt ACME API. |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
The class handles the protocol details behind provisioning a Let's |
72
|
|
|
|
|
|
|
Encrypt certificate. |
73
|
|
|
|
|
|
|
|
74
|
|
|
|
|
|
|
=head1 CONSTRUCTOR METHODS |
75
|
|
|
|
|
|
|
|
76
|
|
|
|
|
|
|
The following constructor methods are available: |
77
|
|
|
|
|
|
|
|
78
|
|
|
|
|
|
|
=over 4 |
79
|
|
|
|
|
|
|
|
80
|
|
|
|
|
|
|
=item $acme = Protcol::ACME->new( %options ) |
81
|
|
|
|
|
|
|
|
82
|
|
|
|
|
|
|
This method constructs a new C object and returns it. |
83
|
|
|
|
|
|
|
Key/value pair arguments may be provided to set up the initial state. |
84
|
|
|
|
|
|
|
The may be passed in as a hash or a hashref. The following options |
85
|
|
|
|
|
|
|
correspond to attribute methods described below. Items marked with |
86
|
|
|
|
|
|
|
a * are required. |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
KEY DEFAULT |
89
|
|
|
|
|
|
|
----------- -------------------- |
90
|
|
|
|
|
|
|
*host undef |
91
|
|
|
|
|
|
|
account_key undef |
92
|
|
|
|
|
|
|
openssl undef |
93
|
|
|
|
|
|
|
ua HTTP::Tiny->new() |
94
|
|
|
|
|
|
|
loglevel error |
95
|
|
|
|
|
|
|
debug 0 |
96
|
|
|
|
|
|
|
mailto undef |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
B: The API end point to connect to. This will generally be acme-staging.api.letsencrypt.org |
99
|
|
|
|
|
|
|
or acme-v01.api.letsencrypt.org |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
B: The account private key in a scalar ref or filename. See C<$self->account_key> |
102
|
|
|
|
|
|
|
for details on this arguemtn. |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
B: The path to openssl. If this option is used a local version of the openssl binary will |
105
|
|
|
|
|
|
|
be used for crypto operations rather than C. |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
B: An HTTP::Tiny object customized as you see fit |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
B: Set the loglevel to one of the C values. |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
B: If set to non-zero this is a shortcut for C debug> |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
B: This should be the email address that you want associated with your account. This is used |
114
|
|
|
|
|
|
|
my Let's Encrypt for expiration notification. |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
=back |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
=head2 METHODS |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
=over |
121
|
|
|
|
|
|
|
|
122
|
|
|
|
|
|
|
=item account_key( $key_filename ) |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
=item account_key( \$buffer ) |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
=item account_key( \%explicit_args ) |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
C will load a the private account key if it was not already loaded |
130
|
|
|
|
|
|
|
when the C object was constructed. There are three ways to call this: |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
If the arg is a B it is assumed to be the filename of the |
133
|
|
|
|
|
|
|
key. C will throw an error if there are problems reading the file. |
134
|
|
|
|
|
|
|
|
135
|
|
|
|
|
|
|
If the arg is a B reference it is assumed to be a buffer that |
136
|
|
|
|
|
|
|
contains the KEY. |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
If the arg is a B reference it contains named arguments. The arguments |
139
|
|
|
|
|
|
|
are: |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
KEY DEFAUL DESC |
142
|
|
|
|
|
|
|
----------- ----------- ------------------- |
143
|
|
|
|
|
|
|
filename undef The key Filename |
144
|
|
|
|
|
|
|
buffer undef Buffer containing the key |
145
|
|
|
|
|
|
|
format undef Explicitly state the format ( DER | PEM ) |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
If both C and C are set the C argument will be ignored. |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
If the format is not explcitly set C will look at the key and |
150
|
|
|
|
|
|
|
try and determine what the format it. |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
|
153
|
|
|
|
|
|
|
=item load_key_from_disk( $key_path ) |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
B |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
Load a key from disk. Currently the key needs to be unencrypted. |
158
|
|
|
|
|
|
|
Callbacks for handling password protected keys are still to come. |
159
|
|
|
|
|
|
|
|
160
|
|
|
|
|
|
|
=item directory() |
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
Loads the directory from the ACME host. This call must be made first |
163
|
|
|
|
|
|
|
before any other calls to the API in order the bootstrap the API |
164
|
|
|
|
|
|
|
resource list. |
165
|
|
|
|
|
|
|
|
166
|
|
|
|
|
|
|
=item register( %args ) |
167
|
|
|
|
|
|
|
|
168
|
|
|
|
|
|
|
Call the new-reg resource and create an account associated with the |
169
|
|
|
|
|
|
|
loaded account key. If that key has already been registered this method |
170
|
|
|
|
|
|
|
will gracefully and silently handle that. |
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
Arguments that can be passed in: |
173
|
|
|
|
|
|
|
|
174
|
|
|
|
|
|
|
KEY DEFAULT |
175
|
|
|
|
|
|
|
----------- -------------------- |
176
|
|
|
|
|
|
|
mailto undef |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
B: See C for a desciption. This will override the value passed to new |
179
|
|
|
|
|
|
|
if any. |
180
|
|
|
|
|
|
|
|
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
=item accept_tos() |
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
In order to use the Let's Encrypt service, the account needs to accept |
185
|
|
|
|
|
|
|
the Terms of Service. This is provided in a link header in response |
186
|
|
|
|
|
|
|
to the new-reg ( or reg ) resource call. If the TOS have already been |
187
|
|
|
|
|
|
|
accepted as indicated by the reg structure returned by the API this |
188
|
|
|
|
|
|
|
call will be a noop. |
189
|
|
|
|
|
|
|
|
190
|
|
|
|
|
|
|
=item authz( $domain ) |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
C needs to be called for each domain ( called identifiers in |
193
|
|
|
|
|
|
|
ACME speak ) in the certificate. This included the domain in the subject |
194
|
|
|
|
|
|
|
as well as the Subject Alternate Name (SAN) fields. Each call to |
195
|
|
|
|
|
|
|
C will result in a challenge being issued from Let's Encrypt. |
196
|
|
|
|
|
|
|
These challenges need to be handled individually. |
197
|
|
|
|
|
|
|
|
198
|
|
|
|
|
|
|
=item handle_challenge( $challenge_object ) |
199
|
|
|
|
|
|
|
|
200
|
|
|
|
|
|
|
C is called for each challenge issued by C. |
201
|
|
|
|
|
|
|
The challenge object must be a subclass of C |
202
|
|
|
|
|
|
|
which implements a 'handle' method. This objects handle method |
203
|
|
|
|
|
|
|
will be passed three arguments and is expected to fulfill the |
204
|
|
|
|
|
|
|
preconditions for the chosen challenge. The three areguments |
205
|
|
|
|
|
|
|
are: |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
fingerprint: the sha256 hex digest of the account key |
208
|
|
|
|
|
|
|
token: the challenge token |
209
|
|
|
|
|
|
|
url: the url returned by the challenge |
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
Fully describing how to handle every challenge type of out of the |
212
|
|
|
|
|
|
|
scope of this documentation ( at least for now ). Two challenge |
213
|
|
|
|
|
|
|
classes have been included for reference: |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
C is initialized with the |
216
|
|
|
|
|
|
|
ssh host name and the www root for the web server for the http-01 |
217
|
|
|
|
|
|
|
challenge. It will ssh to the host and create the file in |
218
|
|
|
|
|
|
|
the correct location for challenge fulfillment. |
219
|
|
|
|
|
|
|
|
220
|
|
|
|
|
|
|
C is initialized with just the |
221
|
|
|
|
|
|
|
www root for the web server for the http-01 challenge. It will |
222
|
|
|
|
|
|
|
simply create the challenge file in the correct place on the local |
223
|
|
|
|
|
|
|
filesystem. |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
C is intended to be run in an |
226
|
|
|
|
|
|
|
interactive manner and will stop and prompt the user with the relevant |
227
|
|
|
|
|
|
|
information so they can fulfill the challenge manually. |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
but below is an example for handling the simpleHTTP ( http-01 ) |
230
|
|
|
|
|
|
|
challenge. |
231
|
|
|
|
|
|
|
|
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
=item check_challenge() |
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
Called after C. This will poll the challenge status |
236
|
|
|
|
|
|
|
resource and will return when the state changes from 'pending'. |
237
|
|
|
|
|
|
|
|
238
|
|
|
|
|
|
|
=item cleanup_challenge() |
239
|
|
|
|
|
|
|
|
240
|
|
|
|
|
|
|
Called after C to remove the challenge files. |
241
|
|
|
|
|
|
|
|
242
|
|
|
|
|
|
|
=item $cert = sign( $csr_filename ) |
243
|
|
|
|
|
|
|
|
244
|
|
|
|
|
|
|
=item $cert = sign( \$buffer ) |
245
|
|
|
|
|
|
|
|
246
|
|
|
|
|
|
|
=item $cert = sign( \%explicit_args ) |
247
|
|
|
|
|
|
|
|
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
Call C after the challenge for each domain ( itentifier ) has |
250
|
|
|
|
|
|
|
been fulfilled. There are three ways to call this: |
251
|
|
|
|
|
|
|
|
252
|
|
|
|
|
|
|
If the arg is a B it is assumed to be the filename of the |
253
|
|
|
|
|
|
|
CSR. C will throw an error if there are problems reading the file. |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
If the arg is a B reference it is assumed to be a buffer that |
256
|
|
|
|
|
|
|
contains the CSR. |
257
|
|
|
|
|
|
|
|
258
|
|
|
|
|
|
|
If the arg is a B reference it contains named arguments. The arguments |
259
|
|
|
|
|
|
|
are: |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
KEY DEFAUL DESC |
262
|
|
|
|
|
|
|
----------- ----------- ------------------- |
263
|
|
|
|
|
|
|
filename undef The CSR Filename |
264
|
|
|
|
|
|
|
buffer undef Buffer containing the CSR |
265
|
|
|
|
|
|
|
format undef Explicitly state the format ( DER | PEM ) |
266
|
|
|
|
|
|
|
|
267
|
|
|
|
|
|
|
If both C and C are set the C argument will be ignored. |
268
|
|
|
|
|
|
|
|
269
|
|
|
|
|
|
|
If the format is not explcitly set Protocol::ACME will look at the CSR and |
270
|
|
|
|
|
|
|
try and determine what the format it. |
271
|
|
|
|
|
|
|
|
272
|
|
|
|
|
|
|
On success C will return the DER encoded signed certificate. |
273
|
|
|
|
|
|
|
|
274
|
|
|
|
|
|
|
=item $cert_chain = chain() |
275
|
|
|
|
|
|
|
|
276
|
|
|
|
|
|
|
After C has been called and a cert successfully created, C will |
277
|
|
|
|
|
|
|
fetch and return the DER encoded certificate issuer. |
278
|
|
|
|
|
|
|
|
279
|
|
|
|
|
|
|
=item revoke( $certfile ) |
280
|
|
|
|
|
|
|
|
281
|
|
|
|
|
|
|
Call C to revoke an already issued certificate. C<$certfile> |
282
|
|
|
|
|
|
|
must point the a DER encoded form of the certificate. |
283
|
|
|
|
|
|
|
|
284
|
|
|
|
|
|
|
=item recovery_key() |
285
|
|
|
|
|
|
|
|
286
|
|
|
|
|
|
|
LE does not yet support recovery keys. This method will die when |
287
|
|
|
|
|
|
|
called. |
288
|
|
|
|
|
|
|
|
289
|
|
|
|
|
|
|
|
290
|
|
|
|
|
|
|
=back |
291
|
|
|
|
|
|
|
|
292
|
|
|
|
|
|
|
=cut |
293
|
|
|
|
|
|
|
|
294
|
|
|
|
|
|
|
package Protocol::ACME; |
295
|
|
|
|
|
|
|
|
296
|
6
|
|
|
6
|
|
24
|
use strict; |
|
6
|
|
|
|
|
6
|
|
|
6
|
|
|
|
|
86
|
|
297
|
6
|
|
|
6
|
|
14
|
use warnings; |
|
6
|
|
|
|
|
5
|
|
|
6
|
|
|
|
|
112
|
|
298
|
|
|
|
|
|
|
|
299
|
6
|
|
|
6
|
|
1875
|
use Protocol::ACME::Exception; |
|
6
|
|
|
|
|
35
|
|
|
6
|
|
|
|
|
113
|
|
300
|
6
|
|
|
6
|
|
1908
|
use Protocol::ACME::Utils; |
|
6
|
|
|
|
|
10
|
|
|
6
|
|
|
|
|
113
|
|
301
|
|
|
|
|
|
|
|
302
|
6
|
|
|
6
|
|
1877
|
use Crypt::Format; |
|
6
|
|
|
|
|
1791
|
|
|
6
|
|
|
|
|
115
|
|
303
|
6
|
|
|
6
|
|
1779
|
use Crypt::RSA::Parse (); |
|
6
|
|
|
|
|
162178
|
|
|
6
|
|
|
|
|
127
|
|
304
|
|
|
|
|
|
|
|
305
|
6
|
|
|
6
|
|
2298
|
use MIME::Base64 qw( encode_base64url decode_base64url decode_base64 encode_base64 ); |
|
6
|
|
|
|
|
2842
|
|
|
6
|
|
|
|
|
349
|
|
306
|
|
|
|
|
|
|
|
307
|
6
|
|
|
6
|
|
3406
|
use HTTP::Tiny; |
|
6
|
|
|
|
|
157108
|
|
|
6
|
|
|
|
|
190
|
|
308
|
6
|
|
|
6
|
|
3381
|
use JSON; |
|
6
|
|
|
|
|
47255
|
|
|
6
|
|
|
|
|
20
|
|
309
|
6
|
|
|
6
|
|
3193
|
use Digest::SHA qw( sha256 ); |
|
6
|
|
|
|
|
13406
|
|
|
6
|
|
|
|
|
339
|
|
310
|
6
|
|
|
6
|
|
29
|
use Carp; |
|
6
|
|
|
|
|
10
|
|
|
6
|
|
|
|
|
15231
|
|
311
|
|
|
|
|
|
|
|
312
|
|
|
|
|
|
|
|
313
|
|
|
|
|
|
|
my $USERAGENT = "Protocol::ACME v$VERSION"; |
314
|
|
|
|
|
|
|
my $NONCE_HEADER = "replay-nonce"; |
315
|
|
|
|
|
|
|
|
316
|
|
|
|
|
|
|
sub new |
317
|
|
|
|
|
|
|
{ |
318
|
6
|
|
|
6
|
1
|
160949
|
my $class = shift; |
319
|
6
|
|
|
|
|
11
|
my $self = {}; |
320
|
6
|
|
|
|
|
8
|
bless $self, $class; |
321
|
6
|
|
|
|
|
18
|
$self->_init( @_ ); |
322
|
6
|
|
|
|
|
46
|
return $self; |
323
|
|
|
|
|
|
|
} |
324
|
|
|
|
|
|
|
|
325
|
|
|
|
|
|
|
sub _init |
326
|
|
|
|
|
|
|
{ |
327
|
6
|
|
|
6
|
|
8
|
my $self = shift; |
328
|
|
|
|
|
|
|
|
329
|
6
|
|
|
|
|
7
|
my $args; |
330
|
|
|
|
|
|
|
|
331
|
6
|
50
|
|
|
|
18
|
if ( ref $_[0] eq "HASH" ) |
332
|
|
|
|
|
|
|
{ |
333
|
0
|
|
|
|
|
0
|
$args = $_[0]; |
334
|
|
|
|
|
|
|
} |
335
|
|
|
|
|
|
|
else |
336
|
|
|
|
|
|
|
{ |
337
|
6
|
|
|
|
|
25
|
%$args = @_; |
338
|
|
|
|
|
|
|
} |
339
|
|
|
|
|
|
|
|
340
|
|
|
|
|
|
|
# TODO: There are more elegant and well baked ways to take care of the |
341
|
|
|
|
|
|
|
# parameter handling that I am doing here |
342
|
6
|
50
|
|
|
|
39
|
$self->{host} = $args->{host} if exists $args->{host}; |
343
|
6
|
50
|
|
|
|
17
|
$self->{ua} = $args->{ua} if exists $args->{ua}; |
344
|
6
|
100
|
|
|
|
27
|
$self->{openssl} = $args->{openssl} if exists $args->{openssl}; |
345
|
6
|
100
|
|
|
|
17
|
$self->{debug} = $args->{debug} if exists $args->{debug}; |
346
|
6
|
100
|
|
|
|
15
|
$self->{loglevel} = exists $args->{loglevel} ? $args->{loglevel} : "error"; |
347
|
6
|
50
|
|
|
|
13
|
$self->{contact}->{mailto} = $args->{mailto} if exists $args->{mailto}; |
348
|
|
|
|
|
|
|
|
349
|
6
|
100
|
|
|
|
53
|
if ( $self->{debug} ) |
350
|
|
|
|
|
|
|
{ |
351
|
2
|
|
|
|
|
4
|
$self->{loglevel} = "debug"; |
352
|
|
|
|
|
|
|
} |
353
|
|
|
|
|
|
|
|
354
|
6
|
50
|
|
|
|
15
|
if ( ! exists $self->{ua} ) |
355
|
|
|
|
|
|
|
{ |
356
|
6
|
|
|
|
|
50
|
$self->{ua} = HTTP::Tiny->new( agent => $USERAGENT, verify_SSL => 1 ); |
357
|
|
|
|
|
|
|
} |
358
|
|
|
|
|
|
|
|
359
|
6
|
50
|
|
|
|
374
|
if ( ! exists $self->{host} ) |
360
|
|
|
|
|
|
|
{ |
361
|
0
|
|
|
|
|
0
|
_throw( detail => "host parameter is required for Protocol::ACME::new" ); |
362
|
|
|
|
|
|
|
} |
363
|
|
|
|
|
|
|
|
364
|
|
|
|
|
|
|
$self->{log} = $args->{'logger'} || do |
365
|
6
|
|
33
|
|
|
18
|
{ |
366
|
|
|
|
|
|
|
require Log::Any::Adapter; |
367
|
|
|
|
|
|
|
Log::Any::Adapter->set('+Protocol::ACME::Logger', log_level => $self->{loglevel}); |
368
|
|
|
|
|
|
|
Log::Any->get_logger; |
369
|
|
|
|
|
|
|
}; |
370
|
|
|
|
|
|
|
|
371
|
6
|
100
|
|
|
|
6918
|
if ( exists $args->{account_key} ) |
372
|
|
|
|
|
|
|
{ |
373
|
4
|
|
|
|
|
16
|
$self->account_key( $args->{account_key} ); |
374
|
|
|
|
|
|
|
} |
375
|
|
|
|
|
|
|
|
376
|
6
|
|
|
|
|
35
|
$self->{links}->{directory} = "https://" . $self->{host} . '/directory'; |
377
|
|
|
|
|
|
|
|
378
|
6
|
|
|
|
|
23
|
$self->{nonce} = undef; |
379
|
|
|
|
|
|
|
|
380
|
|
|
|
|
|
|
|
381
|
|
|
|
|
|
|
} |
382
|
|
|
|
|
|
|
|
383
|
|
|
|
|
|
|
sub _throw |
384
|
|
|
|
|
|
|
{ |
385
|
2
|
|
|
2
|
|
4
|
my (@args) = @_; |
386
|
2
|
50
|
|
|
|
7
|
if ( scalar(@_) == 1 ) |
387
|
|
|
|
|
|
|
{ |
388
|
2
|
|
|
|
|
6
|
@args = ( detail => $_[0] ); |
389
|
|
|
|
|
|
|
} |
390
|
2
|
|
|
|
|
16
|
croak ( Protocol::ACME::Exception->new( { @args } ) ); |
391
|
|
|
|
|
|
|
} |
392
|
|
|
|
|
|
|
|
393
|
|
|
|
|
|
|
sub load_key |
394
|
|
|
|
|
|
|
{ |
395
|
0
|
|
|
0
|
0
|
0
|
my ($self, $keystring) = @_; |
396
|
0
|
|
|
|
|
0
|
return $self->account_key( \$keystring ); |
397
|
|
|
|
|
|
|
} |
398
|
|
|
|
|
|
|
|
399
|
|
|
|
|
|
|
sub load_key_from_disk |
400
|
|
|
|
|
|
|
{ |
401
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
402
|
0
|
|
|
|
|
0
|
my $path = shift; |
403
|
|
|
|
|
|
|
|
404
|
0
|
|
|
|
|
0
|
return $self->account_key($path); |
405
|
|
|
|
|
|
|
} |
406
|
|
|
|
|
|
|
|
407
|
|
|
|
|
|
|
sub account_key |
408
|
|
|
|
|
|
|
{ |
409
|
28
|
|
|
28
|
1
|
3093138
|
my $self = shift; |
410
|
28
|
|
|
|
|
44
|
my $key = shift; |
411
|
|
|
|
|
|
|
|
412
|
28
|
|
|
|
|
114
|
my %args = ( filename => undef, |
413
|
|
|
|
|
|
|
buffer => undef, |
414
|
|
|
|
|
|
|
format => undef ); |
415
|
|
|
|
|
|
|
|
416
|
28
|
100
|
|
|
|
121
|
if ( ! ref $key ) |
|
|
100
|
|
|
|
|
|
417
|
|
|
|
|
|
|
{ |
418
|
4
|
|
|
|
|
10
|
$args{filename} = $key; |
419
|
|
|
|
|
|
|
|
420
|
4
|
50
|
|
|
|
141
|
if ( ! -f $key ) |
421
|
|
|
|
|
|
|
{ |
422
|
0
|
|
|
|
|
0
|
_throw( "account_key file $key does not exist" ); |
423
|
|
|
|
|
|
|
} |
424
|
|
|
|
|
|
|
} |
425
|
|
|
|
|
|
|
elsif( ref $key eq "SCALAR" ) |
426
|
|
|
|
|
|
|
{ |
427
|
8
|
|
|
|
|
20
|
$args{buffer} = $$key; |
428
|
|
|
|
|
|
|
} |
429
|
|
|
|
|
|
|
else |
430
|
|
|
|
|
|
|
{ |
431
|
16
|
|
|
|
|
56
|
@args{ keys %$key } = values %$key; |
432
|
|
|
|
|
|
|
} |
433
|
|
|
|
|
|
|
|
434
|
28
|
100
|
|
|
|
85
|
if ( $args{filename} ) |
435
|
|
|
|
|
|
|
{ |
436
|
8
|
|
|
|
|
31
|
$args{buffer} = _slurp( $args{filename} ); |
437
|
8
|
50
|
|
|
|
27
|
if ( ! $args{buffer} ) |
438
|
|
|
|
|
|
|
{ |
439
|
0
|
|
|
|
|
0
|
_throw( "Could not load the account key from file $args{filename}: $!" ); |
440
|
|
|
|
|
|
|
} |
441
|
|
|
|
|
|
|
} |
442
|
|
|
|
|
|
|
|
443
|
28
|
50
|
|
|
|
62
|
if ( ! $args{buffer} ) |
444
|
|
|
|
|
|
|
{ |
445
|
0
|
|
|
|
|
0
|
_throw( "Either an account key buffer or filename must be passed into account_key" ); |
446
|
|
|
|
|
|
|
} |
447
|
|
|
|
|
|
|
|
448
|
28
|
100
|
|
|
|
60
|
if ( ! $args{format} ) |
449
|
|
|
|
|
|
|
{ |
450
|
20
|
100
|
|
|
|
80
|
$args{format} = Protocol::ACME::Utils::looks_like_pem( $args{buffer} ) ? "PEM" : "DER"; |
451
|
|
|
|
|
|
|
} |
452
|
|
|
|
|
|
|
|
453
|
28
|
|
|
|
|
44
|
my $keystring = $args{buffer}; |
454
|
|
|
|
|
|
|
# TODO: This should detect/handle PKCS8-formatted private keys as well. |
455
|
28
|
100
|
|
|
|
67
|
if ( $args{format} eq "DER" ) |
456
|
|
|
|
|
|
|
{ |
457
|
12
|
|
|
|
|
49
|
$keystring = Crypt::Format::der2pem( $keystring, "RSA PRIVATE KEY" ); |
458
|
|
|
|
|
|
|
} |
459
|
|
|
|
|
|
|
|
460
|
28
|
100
|
|
|
|
514
|
if ( exists $self->{openssl} ) |
461
|
|
|
|
|
|
|
{ |
462
|
15
|
|
|
|
|
1752
|
require Protocol::ACME::Key; |
463
|
|
|
|
|
|
|
$key = Protocol::ACME::Key->new( keystring => $keystring, |
464
|
15
|
|
|
|
|
127
|
openssl => $self->{openssl} ); |
465
|
|
|
|
|
|
|
} |
466
|
|
|
|
|
|
|
else |
467
|
|
|
|
|
|
|
{ |
468
|
|
|
|
|
|
|
eval |
469
|
13
|
|
|
|
|
21
|
{ |
470
|
13
|
|
|
|
|
108
|
require Crypt::OpenSSL::RSA; |
471
|
13
|
|
|
|
|
51
|
require Crypt::OpenSSL::Bignum; |
472
|
|
|
|
|
|
|
}; |
473
|
13
|
50
|
|
|
|
33
|
if ( $@ ) |
474
|
|
|
|
|
|
|
{ |
475
|
0
|
|
|
|
|
0
|
die "Invoked usage requires Crypt::OpenSSL::RSA and Crypt::OpenSSL::Bignum. " . |
476
|
|
|
|
|
|
|
"To avoid these dependencies use the openssl parameter when creating the " . |
477
|
|
|
|
|
|
|
"Protocol::ACME object. This will use a native openssl binary instead."; |
478
|
|
|
|
|
|
|
} |
479
|
|
|
|
|
|
|
|
480
|
|
|
|
|
|
|
eval |
481
|
13
|
|
|
|
|
15
|
{ |
482
|
13
|
|
|
|
|
968
|
$key = Crypt::OpenSSL::RSA->new_private_key($keystring); |
483
|
|
|
|
|
|
|
}; |
484
|
13
|
100
|
|
|
|
35
|
if ( $@ ) |
485
|
|
|
|
|
|
|
{ |
486
|
2
|
|
|
|
|
8
|
_throw( "Error creating a key structure from the account key" ); |
487
|
|
|
|
|
|
|
} |
488
|
|
|
|
|
|
|
} |
489
|
|
|
|
|
|
|
|
490
|
25
|
50
|
|
|
|
109
|
if ( ! $key ) |
491
|
|
|
|
|
|
|
{ |
492
|
0
|
|
|
|
|
0
|
_throw( "Could not load account key into key structure" ); |
493
|
|
|
|
|
|
|
} |
494
|
|
|
|
|
|
|
|
495
|
25
|
|
|
|
|
78
|
$key->use_sha256_hash(); |
496
|
|
|
|
|
|
|
|
497
|
25
|
|
|
|
|
63
|
$self->{key}->{key} = $key; |
498
|
|
|
|
|
|
|
|
499
|
25
|
|
|
|
|
542
|
my ( $n_b64, $e_b64 ) = map { encode_base64url(_bigint_to_binary($_)) } $key->get_key_parameters(); |
|
116
|
|
|
|
|
1751
|
|
500
|
25
|
|
|
|
|
242
|
$self->{key}->{n} = $n_b64; |
501
|
25
|
|
|
|
|
48
|
$self->{key}->{e} = $e_b64; |
502
|
|
|
|
|
|
|
|
503
|
25
|
|
|
|
|
152
|
$self->{log}->debug( "Private key loaded" ); |
504
|
|
|
|
|
|
|
|
505
|
|
|
|
|
|
|
} |
506
|
|
|
|
|
|
|
|
507
|
|
|
|
|
|
|
|
508
|
|
|
|
|
|
|
|
509
|
|
|
|
|
|
|
|
510
|
|
|
|
|
|
|
sub directory |
511
|
|
|
|
|
|
|
{ |
512
|
4
|
|
|
4
|
1
|
2185
|
my $self = shift; |
513
|
|
|
|
|
|
|
|
514
|
4
|
|
|
|
|
25
|
my $resp = $self->_request_get( $self->{links}->{directory} ); |
515
|
|
|
|
|
|
|
|
516
|
|
|
|
|
|
|
|
517
|
|
|
|
|
|
|
|
518
|
4
|
50
|
|
|
|
17
|
if ( $resp->{status} != 200 ) |
519
|
|
|
|
|
|
|
{ |
520
|
0
|
|
|
|
|
0
|
_throw( detail => "Failed to fetch the directory for $self->{host}", resp => $resp ); |
521
|
|
|
|
|
|
|
} |
522
|
|
|
|
|
|
|
|
523
|
4
|
|
|
|
|
9
|
my $data = _decode_json( $resp->{content} ); |
524
|
|
|
|
|
|
|
|
525
|
4
|
|
|
|
|
24
|
@{$self->{links}}{keys %$data} = values %$data; |
|
4
|
|
|
|
|
16
|
|
526
|
|
|
|
|
|
|
|
527
|
|
|
|
|
|
|
|
528
|
4
|
|
|
|
|
41
|
$self->{log}->debug( "Let's Encrypt Directories loaded." ); |
529
|
|
|
|
|
|
|
} |
530
|
|
|
|
|
|
|
|
531
|
|
|
|
|
|
|
# |
532
|
|
|
|
|
|
|
# Register the account or load the reg url for an existing account ( new-reg or reg ) |
533
|
|
|
|
|
|
|
# |
534
|
|
|
|
|
|
|
sub register |
535
|
|
|
|
|
|
|
{ |
536
|
4
|
|
|
4
|
1
|
1394
|
my $self = shift; |
537
|
4
|
|
|
|
|
8
|
my %args = @_; |
538
|
|
|
|
|
|
|
|
539
|
4
|
|
|
|
|
8
|
my $obj = {}; |
540
|
4
|
|
|
|
|
8
|
$obj->{resource} = 'new-reg'; |
541
|
|
|
|
|
|
|
|
542
|
4
|
50
|
|
|
|
29
|
if ( exists $args{mailto} ) |
|
|
50
|
|
|
|
|
|
543
|
|
|
|
|
|
|
{ |
544
|
0
|
|
|
|
|
0
|
push @{$obj->{contact}}, "mailto:$args{mailto}"; |
|
0
|
|
|
|
|
0
|
|
545
|
|
|
|
|
|
|
} |
546
|
|
|
|
|
|
|
elsif ( exists $self->{contact}->{mailto} ) |
547
|
|
|
|
|
|
|
{ |
548
|
0
|
|
|
|
|
0
|
push @{$obj->{contact}}, "mailto:$self->{contact}->{mailto}"; |
|
0
|
|
|
|
|
0
|
|
549
|
|
|
|
|
|
|
} |
550
|
|
|
|
|
|
|
|
551
|
4
|
|
|
|
|
41
|
my $msg = _encode_json( $obj ); |
552
|
|
|
|
|
|
|
|
553
|
4
|
|
|
|
|
42
|
my $json = $self->_create_jws( $msg ); |
554
|
|
|
|
|
|
|
|
555
|
3
|
|
|
|
|
30
|
$self->{log}->debug( "Sending registration message" ); |
556
|
|
|
|
|
|
|
|
557
|
3
|
|
|
|
|
22
|
my $resp = $self->_request_post( $self->{links}->{'new-reg'}, $json ); |
558
|
|
|
|
|
|
|
|
559
|
3
|
50
|
|
|
|
30
|
if ( $resp->{status} == 409 ) |
|
|
0
|
|
|
|
|
|
560
|
|
|
|
|
|
|
{ |
561
|
3
|
|
|
|
|
21
|
$self->{links}->{'reg'} = $resp->{headers}->{'location'}; |
562
|
|
|
|
|
|
|
|
563
|
3
|
|
|
|
|
30
|
$self->{log}->debug( "Known key used" ); |
564
|
3
|
|
|
|
|
15
|
$self->{log}->debug( "Refetching with location URL" ); |
565
|
|
|
|
|
|
|
|
566
|
3
|
|
|
|
|
21
|
my $json = $self->_create_jws( _encode_json( { "resource" => 'reg' } ) ); |
567
|
|
|
|
|
|
|
|
568
|
2
|
|
|
|
|
26
|
$resp = $self->_request_post( $self->{links}->{'reg'}, $json ); |
569
|
|
|
|
|
|
|
|
570
|
2
|
50
|
|
|
|
32
|
if ( $resp->{status} == 202 ) |
571
|
|
|
|
|
|
|
{ |
572
|
2
|
|
|
|
|
13
|
my $links = _link_to_hash( $resp->{headers}->{'link'} ); |
573
|
|
|
|
|
|
|
|
574
|
2
|
|
|
|
|
10
|
@{$self->{links}}{keys %$links} = values %$links; |
|
2
|
|
|
|
|
17
|
|
575
|
|
|
|
|
|
|
} |
576
|
|
|
|
|
|
|
else |
577
|
|
|
|
|
|
|
{ |
578
|
0
|
|
|
|
|
0
|
_throw( %{ $self->{content} } ); |
|
0
|
|
|
|
|
0
|
|
579
|
|
|
|
|
|
|
} |
580
|
|
|
|
|
|
|
} |
581
|
|
|
|
|
|
|
elsif ( $resp->{status} == 201 ) |
582
|
|
|
|
|
|
|
{ |
583
|
0
|
|
|
|
|
0
|
my $links = _link_to_hash( $resp->{headers}->{'link'} ); |
584
|
|
|
|
|
|
|
|
585
|
0
|
|
|
|
|
0
|
@{$self->{links}}{keys %$links} = values %$links; |
|
0
|
|
|
|
|
0
|
|
586
|
|
|
|
|
|
|
|
587
|
0
|
|
|
|
|
0
|
$self->{links}->{'reg'} = $resp->{headers}->{'location'}; |
588
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "New key used" ); |
589
|
|
|
|
|
|
|
} |
590
|
|
|
|
|
|
|
else |
591
|
|
|
|
|
|
|
{ |
592
|
0
|
|
|
|
|
0
|
_throw( %{ $self->{content} } ); |
|
0
|
|
|
|
|
0
|
|
593
|
|
|
|
|
|
|
} |
594
|
|
|
|
|
|
|
|
595
|
|
|
|
|
|
|
|
596
|
2
|
|
|
|
|
37
|
$self->{reg} = $self->{content}; |
597
|
|
|
|
|
|
|
} |
598
|
|
|
|
|
|
|
|
599
|
|
|
|
|
|
|
sub recovery_key |
600
|
|
|
|
|
|
|
{ |
601
|
|
|
|
|
|
|
# LE does not yet support the key recovery resource |
602
|
|
|
|
|
|
|
# the below can be considered debug code |
603
|
|
|
|
|
|
|
|
604
|
0
|
|
|
0
|
1
|
0
|
die "Let's Encrypt does not yet support key recovery"; |
605
|
|
|
|
|
|
|
|
606
|
0
|
|
|
|
|
0
|
my $self = shift; |
607
|
|
|
|
|
|
|
|
608
|
0
|
|
|
|
|
0
|
my $keyfile = shift; |
609
|
|
|
|
|
|
|
|
610
|
|
|
|
|
|
|
|
611
|
0
|
|
|
|
|
0
|
my $pem = _slurp( $keyfile ); |
612
|
0
|
0
|
|
|
|
0
|
_throw( "recovery_key: $keyfile: $!" ) if ! $pem; |
613
|
|
|
|
|
|
|
|
614
|
0
|
|
|
|
|
0
|
my $url = "https://acme-staging.api.letsencrypt.org/acme/reg/101834"; |
615
|
|
|
|
|
|
|
|
616
|
0
|
|
|
|
|
0
|
my $der = Crypt::Format::pem2der( $pem ); |
617
|
|
|
|
|
|
|
|
618
|
0
|
|
|
|
|
0
|
my $pub = Crypt::PK::ECC->new( \$der ); |
619
|
|
|
|
|
|
|
|
620
|
0
|
|
|
|
|
0
|
my $public_json_text = $pub->export_key_jwk('public'); |
621
|
|
|
|
|
|
|
|
622
|
0
|
|
|
|
|
0
|
my $hash = $pub->export_key_jwk( 'public', 1 ); |
623
|
|
|
|
|
|
|
|
624
|
|
|
|
|
|
|
my $msg = { "resource" => "reg", |
625
|
|
|
|
|
|
|
"recoveryToken" => { |
626
|
|
|
|
|
|
|
"client" => { "kty" => "EC", |
627
|
|
|
|
|
|
|
"crv" => "P-256", |
628
|
|
|
|
|
|
|
"x" => $hash->{x}, |
629
|
|
|
|
|
|
|
"y" => $hash->{y} |
630
|
|
|
|
|
|
|
} |
631
|
|
|
|
|
|
|
} |
632
|
0
|
|
|
|
|
0
|
}; |
633
|
|
|
|
|
|
|
|
634
|
0
|
|
|
|
|
0
|
my $json = $self->_create_jws( _encode_json($msg) ); |
635
|
|
|
|
|
|
|
|
636
|
0
|
|
|
|
|
0
|
my $resp = $self->_request_post( $url, $json ); |
637
|
|
|
|
|
|
|
|
638
|
|
|
|
|
|
|
# TODO: This is not complete |
639
|
|
|
|
|
|
|
} |
640
|
|
|
|
|
|
|
|
641
|
|
|
|
|
|
|
sub accept_tos |
642
|
|
|
|
|
|
|
{ |
643
|
2
|
|
|
2
|
1
|
1112
|
my $self = shift; |
644
|
|
|
|
|
|
|
|
645
|
2
|
50
|
|
|
|
11
|
if ( exists $self->{reg}->{agreement} ) |
646
|
|
|
|
|
|
|
{ |
647
|
2
|
|
|
|
|
20
|
$self->{log}->debug( "TOS already accepted. Skipping" ); |
648
|
2
|
|
|
|
|
10
|
return; |
649
|
|
|
|
|
|
|
} |
650
|
|
|
|
|
|
|
|
651
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Accepting TOS" ); |
652
|
|
|
|
|
|
|
# TODO: check for existance of terms-of-service link |
653
|
|
|
|
|
|
|
# TODO: assert on reg url being present |
654
|
|
|
|
|
|
|
|
655
|
|
|
|
|
|
|
my $msg = _encode_json( { "resource" => "reg", |
656
|
|
|
|
|
|
|
"agreement" => $self->{links}->{'terms-of-service'}, |
657
|
|
|
|
|
|
|
"key" => { "e" => $self->{key}->{e}, |
658
|
|
|
|
|
|
|
"kty" => "RSA", |
659
|
0
|
|
|
|
|
0
|
"n" => $self->{key}->{n} } } ); |
660
|
|
|
|
|
|
|
|
661
|
|
|
|
|
|
|
|
662
|
0
|
|
|
|
|
0
|
my $json = $self->_create_jws( $msg ); |
663
|
|
|
|
|
|
|
|
664
|
0
|
|
|
|
|
0
|
my $resp = $self->_request_post( $self->{links}->{'reg'}, $json ); |
665
|
|
|
|
|
|
|
|
666
|
0
|
0
|
|
|
|
0
|
if ( $resp->{status} == 202 ) |
667
|
|
|
|
|
|
|
{ |
668
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Accepted TOS" ); |
669
|
|
|
|
|
|
|
} |
670
|
|
|
|
|
|
|
else |
671
|
|
|
|
|
|
|
{ |
672
|
0
|
|
|
|
|
0
|
_throw( %{ $self->{content} } ); |
|
0
|
|
|
|
|
0
|
|
673
|
|
|
|
|
|
|
} |
674
|
|
|
|
|
|
|
} |
675
|
|
|
|
|
|
|
|
676
|
|
|
|
|
|
|
sub revoke |
677
|
|
|
|
|
|
|
{ |
678
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
679
|
0
|
|
|
|
|
0
|
my $certfile = shift; |
680
|
|
|
|
|
|
|
|
681
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Revoking Cert" ); |
682
|
|
|
|
|
|
|
|
683
|
0
|
|
|
|
|
0
|
my $cert = _slurp( $certfile ); |
684
|
|
|
|
|
|
|
|
685
|
0
|
0
|
|
|
|
0
|
if ( ! $cert ) |
686
|
|
|
|
|
|
|
{ |
687
|
0
|
|
|
|
|
0
|
_throw("revoke: Could not load cert from $certfile: $!"); |
688
|
|
|
|
|
|
|
} |
689
|
|
|
|
|
|
|
|
690
|
|
|
|
|
|
|
|
691
|
0
|
|
|
|
|
0
|
my $msg = _encode_json( { "resource" => "revoke-cert", |
692
|
|
|
|
|
|
|
"certificate" => encode_base64url( $cert ) } ); |
693
|
|
|
|
|
|
|
|
694
|
|
|
|
|
|
|
|
695
|
0
|
|
|
|
|
0
|
my $json = $self->_create_jws( $msg ); |
696
|
|
|
|
|
|
|
|
697
|
0
|
|
|
|
|
0
|
my $resp = $self->_request_post( $self->{links}->{'revoke-cert'}, $json ); |
698
|
|
|
|
|
|
|
|
699
|
0
|
0
|
|
|
|
0
|
if ( $resp->{status} != 200 ) |
700
|
|
|
|
|
|
|
{ |
701
|
0
|
|
|
|
|
0
|
_throw( %{ $self->{content} } ); |
|
0
|
|
|
|
|
0
|
|
702
|
|
|
|
|
|
|
} |
703
|
|
|
|
|
|
|
|
704
|
|
|
|
|
|
|
} |
705
|
|
|
|
|
|
|
|
706
|
|
|
|
|
|
|
sub authz |
707
|
|
|
|
|
|
|
{ |
708
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
709
|
0
|
|
|
|
|
0
|
my $domain = shift; |
710
|
|
|
|
|
|
|
|
711
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Sending authz message for $domain" ); |
712
|
|
|
|
|
|
|
# TODO: check for 'next' URL and that is it authz |
713
|
|
|
|
|
|
|
|
714
|
0
|
|
|
|
|
0
|
my $msg = _encode_json( { "identifier" => { "type" => "dns", "value" => $domain }, |
715
|
|
|
|
|
|
|
"resource" => "new-authz" } ); |
716
|
|
|
|
|
|
|
|
717
|
0
|
|
|
|
|
0
|
my $json = $self->_create_jws( $msg ); |
718
|
|
|
|
|
|
|
|
719
|
0
|
|
|
|
|
0
|
my $resp = $self->_request_post( $self->{links}->{next}, $json ); |
720
|
|
|
|
|
|
|
|
721
|
0
|
0
|
|
|
|
0
|
if ( $resp->{status} == 201 ) |
722
|
|
|
|
|
|
|
{ |
723
|
0
|
|
|
|
|
0
|
$self->{challenges} = $self->{content}->{challenges}; |
724
|
|
|
|
|
|
|
} |
725
|
|
|
|
|
|
|
else |
726
|
|
|
|
|
|
|
{ |
727
|
0
|
|
|
|
|
0
|
_throw( %{ $self->{content} } ); |
|
0
|
|
|
|
|
0
|
|
728
|
|
|
|
|
|
|
} |
729
|
|
|
|
|
|
|
} |
730
|
|
|
|
|
|
|
|
731
|
|
|
|
|
|
|
sub handle_challenge |
732
|
|
|
|
|
|
|
{ |
733
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
734
|
0
|
|
|
|
|
0
|
my $challenge = shift; |
735
|
0
|
|
|
|
|
0
|
my @args = @_; |
736
|
|
|
|
|
|
|
|
737
|
0
|
|
|
|
|
0
|
my $key = $self->{key}; |
738
|
|
|
|
|
|
|
|
739
|
0
|
|
|
|
|
0
|
my $jwk = _encode_json( { "e" => $key->{e}, "kty" => "RSA", "n" => $key->{n} } ); |
740
|
0
|
|
|
|
|
0
|
my $token; |
741
|
|
|
|
|
|
|
my $challenge_url; |
742
|
|
|
|
|
|
|
|
743
|
|
|
|
|
|
|
# TODO: this is feeling hardcoded and messy - and fragile |
744
|
|
|
|
|
|
|
# how do we handle other auth challenges? |
745
|
|
|
|
|
|
|
# This is hardcoded for http-01 |
746
|
0
|
|
|
|
|
0
|
for ( @{$self->{challenges}} ) |
|
0
|
|
|
|
|
0
|
|
747
|
|
|
|
|
|
|
{ |
748
|
0
|
0
|
|
|
|
0
|
if ( $_->{type} eq "http-01" ) |
749
|
|
|
|
|
|
|
{ |
750
|
0
|
|
|
|
|
0
|
$token = $_->{token}; |
751
|
0
|
|
|
|
|
0
|
$challenge_url = $_->{uri}; |
752
|
|
|
|
|
|
|
} |
753
|
|
|
|
|
|
|
} |
754
|
|
|
|
|
|
|
|
755
|
|
|
|
|
|
|
|
756
|
0
|
|
|
|
|
0
|
my $fingerprint = encode_base64url( sha256( $jwk ) ); |
757
|
|
|
|
|
|
|
|
758
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Handing challenge for token: $token.$fingerprint" ); |
759
|
|
|
|
|
|
|
|
760
|
0
|
|
|
|
|
0
|
my $ret = $challenge->handle( $token, $fingerprint, @args ); |
761
|
|
|
|
|
|
|
|
762
|
0
|
0
|
|
|
|
0
|
if ( $ret == 0 ) |
763
|
|
|
|
|
|
|
{ |
764
|
0
|
|
|
|
|
0
|
$self->{fingerprint} = $fingerprint; |
765
|
0
|
|
|
|
|
0
|
$self->{token} = $token; |
766
|
0
|
|
|
|
|
0
|
$self->{links}->{challenge} = $challenge_url; |
767
|
|
|
|
|
|
|
} |
768
|
|
|
|
|
|
|
else |
769
|
|
|
|
|
|
|
{ |
770
|
0
|
|
|
|
|
0
|
_throw( status => 0, detail => "Error in handling challenge: $ret", type => "challenge_exec" ); |
771
|
|
|
|
|
|
|
} |
772
|
|
|
|
|
|
|
} |
773
|
|
|
|
|
|
|
|
774
|
|
|
|
|
|
|
|
775
|
|
|
|
|
|
|
sub check_challenge |
776
|
|
|
|
|
|
|
{ |
777
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
778
|
|
|
|
|
|
|
|
779
|
0
|
|
|
|
|
0
|
my $msg = _encode_json( { "resource" => "challenge", "keyAuthorization" => $self->{token} . '.' . $self->{fingerprint} } ); |
780
|
|
|
|
|
|
|
|
781
|
0
|
|
|
|
|
0
|
my $json = $self->_create_jws( $msg ); |
782
|
|
|
|
|
|
|
|
783
|
|
|
|
|
|
|
|
784
|
0
|
|
|
|
|
0
|
my $resp = $self->_request_post( $self->{links}->{challenge}, $json ); |
785
|
|
|
|
|
|
|
|
786
|
0
|
|
|
|
|
0
|
my $status_url = $self->{content}->{uri}; |
787
|
|
|
|
|
|
|
|
788
|
|
|
|
|
|
|
# TODO: check for failure of challenge check |
789
|
|
|
|
|
|
|
# TODO: check for other HTTP failures |
790
|
|
|
|
|
|
|
|
791
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Polling for challenge fulfillment" ); |
792
|
0
|
|
|
|
|
0
|
while( 1 ) |
793
|
|
|
|
|
|
|
{ |
794
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Status: $self->{content}->{status}" ); |
795
|
0
|
0
|
|
|
|
0
|
if ( $self->{content}->{status} eq "pending" ) |
|
|
0
|
|
|
|
|
|
796
|
|
|
|
|
|
|
{ |
797
|
0
|
|
|
|
|
0
|
sleep(2); |
798
|
0
|
|
|
|
|
0
|
$resp = $self->_request_get( $status_url ); |
799
|
|
|
|
|
|
|
} |
800
|
|
|
|
|
|
|
elsif ( $self->{content}{status} eq "invalid" ) |
801
|
|
|
|
|
|
|
{ |
802
|
0
|
|
|
|
|
0
|
_throw(%{ $self->{content} }); |
|
0
|
|
|
|
|
0
|
|
803
|
|
|
|
|
|
|
} |
804
|
|
|
|
|
|
|
else |
805
|
|
|
|
|
|
|
{ |
806
|
0
|
|
|
|
|
0
|
last; |
807
|
|
|
|
|
|
|
} |
808
|
|
|
|
|
|
|
} |
809
|
|
|
|
|
|
|
} |
810
|
|
|
|
|
|
|
|
811
|
|
|
|
|
|
|
sub cleanup_challenge |
812
|
|
|
|
|
|
|
{ |
813
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
814
|
0
|
|
|
|
|
0
|
my $challenge = shift; |
815
|
0
|
|
|
|
|
0
|
return $challenge->cleanup(); |
816
|
|
|
|
|
|
|
} |
817
|
|
|
|
|
|
|
|
818
|
|
|
|
|
|
|
sub sign |
819
|
|
|
|
|
|
|
{ |
820
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
821
|
0
|
|
|
|
|
0
|
my $csr = shift; |
822
|
|
|
|
|
|
|
|
823
|
0
|
|
|
|
|
0
|
$self->{log}->debug( "Signing" ); |
824
|
|
|
|
|
|
|
|
825
|
0
|
|
|
|
|
0
|
my %args = ( filename => undef, |
826
|
|
|
|
|
|
|
buffer => undef, |
827
|
|
|
|
|
|
|
format => undef ); |
828
|
|
|
|
|
|
|
|
829
|
0
|
0
|
|
|
|
0
|
if ( ! ref $csr ) |
|
|
0
|
|
|
|
|
|
830
|
|
|
|
|
|
|
{ |
831
|
0
|
|
|
|
|
0
|
$args{filename} = $csr; |
832
|
|
|
|
|
|
|
} |
833
|
|
|
|
|
|
|
elsif( ref $csr eq "SCALAR" ) |
834
|
|
|
|
|
|
|
{ |
835
|
0
|
|
|
|
|
0
|
$args{buffer} = $$csr; |
836
|
|
|
|
|
|
|
} |
837
|
|
|
|
|
|
|
else |
838
|
|
|
|
|
|
|
{ |
839
|
0
|
|
|
|
|
0
|
@args{keys %$csr} = values %$csr; |
840
|
|
|
|
|
|
|
} |
841
|
|
|
|
|
|
|
|
842
|
0
|
0
|
|
|
|
0
|
if ( $args{filename} ) |
843
|
|
|
|
|
|
|
{ |
844
|
0
|
|
|
|
|
0
|
$args{buffer} = _slurp( $args{filename} ); |
845
|
0
|
0
|
|
|
|
0
|
if ( ! $args{buffer} ) |
846
|
|
|
|
|
|
|
{ |
847
|
0
|
|
|
|
|
0
|
_throw( "Could not load CSR from file $args{filename}" ); |
848
|
|
|
|
|
|
|
} |
849
|
|
|
|
|
|
|
} |
850
|
|
|
|
|
|
|
|
851
|
0
|
0
|
|
|
|
0
|
if ( ! $args{buffer} ) |
852
|
|
|
|
|
|
|
{ |
853
|
0
|
|
|
|
|
0
|
_throw( "Either a buffer or filename must be passed to sign" ); |
854
|
|
|
|
|
|
|
} |
855
|
|
|
|
|
|
|
|
856
|
0
|
0
|
|
|
|
0
|
if ( ! $args{format} ) |
857
|
|
|
|
|
|
|
{ |
858
|
0
|
0
|
|
|
|
0
|
$args{format} = Protocol::ACME::Utils::looks_like_pem( $args{buffer} ) ? "PEM" : "DER"; |
859
|
|
|
|
|
|
|
} |
860
|
|
|
|
|
|
|
|
861
|
0
|
0
|
|
|
|
0
|
my $der = $args{format} eq "DER" ? $args{buffer} : Crypt::Format::pem2der( $args{buffer} ); |
862
|
|
|
|
|
|
|
|
863
|
0
|
|
|
|
|
0
|
my $msg = _encode_json( { "resource" => "new-cert", "csr" => encode_base64url( $der ) } ); |
864
|
|
|
|
|
|
|
|
865
|
0
|
|
|
|
|
0
|
my $json = $self->_create_jws( $msg ); |
866
|
|
|
|
|
|
|
|
867
|
0
|
|
|
|
|
0
|
my $resp = $self->_request_post( $self->{links}->{'new-cert'}, $json, 1 ); |
868
|
|
|
|
|
|
|
|
869
|
0
|
0
|
|
|
|
0
|
if ( $resp->{status} != 201 ) |
870
|
|
|
|
|
|
|
{ |
871
|
0
|
|
|
|
|
0
|
_throw( %{_decode_json($resp->{content}) } ); |
|
0
|
|
|
|
|
0
|
|
872
|
|
|
|
|
|
|
} |
873
|
|
|
|
|
|
|
|
874
|
0
|
|
|
|
|
0
|
my $links = _link_to_hash( $resp->{headers}->{'link'} ); |
875
|
|
|
|
|
|
|
|
876
|
0
|
0
|
|
|
|
0
|
$self->{links}->{chain} = $links->{up} if exists $links->{up}; |
877
|
0
|
0
|
|
|
|
0
|
$self->{links}->{cert} = $resp->{headers}->{location} if exists $resp->{headers}->{location}; |
878
|
|
|
|
|
|
|
|
879
|
0
|
|
|
|
|
0
|
$self->{cert} = $resp->{content}; |
880
|
|
|
|
|
|
|
|
881
|
0
|
|
|
|
|
0
|
return $self->{cert}; |
882
|
|
|
|
|
|
|
} |
883
|
|
|
|
|
|
|
|
884
|
|
|
|
|
|
|
sub chain |
885
|
|
|
|
|
|
|
{ |
886
|
0
|
|
|
0
|
1
|
0
|
my $self = shift; |
887
|
|
|
|
|
|
|
|
888
|
0
|
0
|
|
|
|
0
|
if ( ! exists $self->{links}->{chain} ) |
889
|
|
|
|
|
|
|
{ |
890
|
0
|
|
|
|
|
0
|
_throw( "URL for the cert chain missing. Has sign() been called yet?" ); |
891
|
|
|
|
|
|
|
} |
892
|
|
|
|
|
|
|
|
893
|
0
|
|
|
|
|
0
|
my $resp = $self->_request_get( $self->{links}->{chain}, 1 ); |
894
|
|
|
|
|
|
|
|
895
|
0
|
0
|
|
|
|
0
|
if ( $resp->{status} != 200 ) |
896
|
|
|
|
|
|
|
{ |
897
|
|
|
|
|
|
|
_throw( detail => "Error received fetching the certificate chain", |
898
|
0
|
|
|
|
|
0
|
status => $resp->{status} ); |
899
|
|
|
|
|
|
|
} |
900
|
|
|
|
|
|
|
|
901
|
0
|
|
|
|
|
0
|
$self->{chain} = $resp->{content}; |
902
|
|
|
|
|
|
|
|
903
|
0
|
|
|
|
|
0
|
return $self->{chain}; |
904
|
|
|
|
|
|
|
} |
905
|
|
|
|
|
|
|
|
906
|
|
|
|
|
|
|
############################################################# |
907
|
|
|
|
|
|
|
### "Private" functions |
908
|
|
|
|
|
|
|
|
909
|
|
|
|
|
|
|
sub _request_get |
910
|
|
|
|
|
|
|
{ |
911
|
4
|
|
|
4
|
|
4
|
my $self = shift; |
912
|
4
|
|
|
|
|
8
|
my $url = shift; |
913
|
4
|
|
50
|
|
|
35
|
my $nodecode = shift || 0; |
914
|
|
|
|
|
|
|
|
915
|
4
|
|
|
|
|
122
|
my $resp = $self->{ua}->get( $url ); |
916
|
|
|
|
|
|
|
|
917
|
4
|
|
|
|
|
1772980
|
$self->{nonce} = $resp->{headers}->{$NONCE_HEADER}; |
918
|
4
|
|
|
|
|
109
|
$self->{json} = $resp->{content}; |
919
|
|
|
|
|
|
|
|
920
|
|
|
|
|
|
|
#Exception here should be fatal. |
921
|
4
|
|
|
|
|
8
|
$self->{content} = undef; |
922
|
4
|
50
|
|
|
|
35
|
$self->{content} = _decode_json( $resp->{content} ) unless $nodecode; |
923
|
|
|
|
|
|
|
|
924
|
4
|
|
|
|
|
11
|
$self->{response} = $resp; |
925
|
|
|
|
|
|
|
|
926
|
4
|
|
|
|
|
12
|
return $resp; |
927
|
|
|
|
|
|
|
} |
928
|
|
|
|
|
|
|
|
929
|
|
|
|
|
|
|
sub _request_post |
930
|
|
|
|
|
|
|
{ |
931
|
5
|
|
|
5
|
|
10
|
my $self = shift; |
932
|
5
|
|
|
|
|
9
|
my $url = shift; |
933
|
5
|
|
|
|
|
6
|
my $content = shift; |
934
|
5
|
|
50
|
|
|
39
|
my $nodecode = shift || 0; |
935
|
|
|
|
|
|
|
|
936
|
5
|
|
|
|
|
246
|
my $resp = $self->{ua}->post( $url, { content => $content } ); |
937
|
|
|
|
|
|
|
|
938
|
5
|
|
|
|
|
1191759
|
$self->{nonce} = $resp->{headers}->{$NONCE_HEADER}; |
939
|
|
|
|
|
|
|
|
940
|
5
|
|
|
|
|
17
|
$self->{json} = $resp->{content}; |
941
|
|
|
|
|
|
|
|
942
|
|
|
|
|
|
|
#Let exception from decode_json() propagate: |
943
|
|
|
|
|
|
|
#if we failed to decode the JSON, that’s a show-stopper. |
944
|
5
|
|
|
|
|
13
|
$self->{content} = undef; |
945
|
5
|
50
|
|
|
|
67
|
$self->{content} = _decode_json( $resp->{content} ) unless $nodecode; |
946
|
|
|
|
|
|
|
|
947
|
5
|
|
|
|
|
14
|
$self->{response} = $resp; |
948
|
|
|
|
|
|
|
|
949
|
5
|
|
|
|
|
44
|
return $resp; |
950
|
|
|
|
|
|
|
} |
951
|
|
|
|
|
|
|
|
952
|
|
|
|
|
|
|
sub _create_jws |
953
|
|
|
|
|
|
|
{ |
954
|
7
|
|
|
7
|
|
10
|
my $self = shift; |
955
|
|
|
|
|
|
|
|
956
|
7
|
|
|
|
|
12
|
my $msg = shift; |
957
|
7
|
|
|
|
|
30
|
return _create_jws_internal( $self->{key}, $msg, $self->{nonce} ); |
958
|
|
|
|
|
|
|
} |
959
|
|
|
|
|
|
|
|
960
|
|
|
|
|
|
|
|
961
|
|
|
|
|
|
|
############################################################# |
962
|
|
|
|
|
|
|
### Helper functions - not class methods |
963
|
|
|
|
|
|
|
|
964
|
|
|
|
|
|
|
sub _slurp |
965
|
|
|
|
|
|
|
{ |
966
|
8
|
|
|
8
|
|
10
|
my $filename = shift; |
967
|
|
|
|
|
|
|
|
968
|
8
|
50
|
|
|
|
445
|
open my $fh, '<', $filename or return undef; |
969
|
|
|
|
|
|
|
|
970
|
8
|
50
|
|
|
|
115
|
sysread( $fh, my $content, -s $fh ) or return undef; |
971
|
|
|
|
|
|
|
|
972
|
8
|
|
|
|
|
261
|
return $content; |
973
|
|
|
|
|
|
|
} |
974
|
|
|
|
|
|
|
|
975
|
|
|
|
|
|
|
|
976
|
|
|
|
|
|
|
sub _link_to_hash |
977
|
|
|
|
|
|
|
{ |
978
|
2
|
|
|
2
|
|
5
|
my $arrayref = shift; |
979
|
2
|
|
|
|
|
5
|
my $links; |
980
|
|
|
|
|
|
|
|
981
|
2
|
50
|
|
|
|
13
|
return {} unless $arrayref; |
982
|
|
|
|
|
|
|
|
983
|
2
|
50
|
|
|
|
8
|
if ( ! ref $arrayref ) |
984
|
|
|
|
|
|
|
{ |
985
|
0
|
|
|
|
|
0
|
$arrayref = [ $arrayref ]; |
986
|
|
|
|
|
|
|
} |
987
|
|
|
|
|
|
|
|
988
|
2
|
|
|
|
|
7
|
for my $link ( @$arrayref ) |
989
|
|
|
|
|
|
|
{ |
990
|
4
|
|
|
|
|
17
|
my ( $value, $key ) = split( ';', $link ); |
991
|
4
|
|
|
|
|
21
|
my ($url) = $value =~ /<([^>]*)>/; |
992
|
4
|
|
|
|
|
15
|
my ($rel) = $key =~ /rel=\"([^"]*)"/; |
993
|
|
|
|
|
|
|
|
994
|
4
|
50
|
33
|
|
|
24
|
if ( $url && $rel ) |
995
|
|
|
|
|
|
|
{ |
996
|
4
|
|
|
|
|
13
|
$links->{$rel} = $url; |
997
|
|
|
|
|
|
|
} |
998
|
|
|
|
|
|
|
else |
999
|
|
|
|
|
|
|
{ |
1000
|
|
|
|
|
|
|
# TODO: Something wonderful |
1001
|
|
|
|
|
|
|
} |
1002
|
|
|
|
|
|
|
} |
1003
|
|
|
|
|
|
|
|
1004
|
2
|
|
|
|
|
7
|
return $links; |
1005
|
|
|
|
|
|
|
} |
1006
|
|
|
|
|
|
|
|
1007
|
|
|
|
|
|
|
sub _bigint_to_binary { |
1008
|
116
|
|
|
116
|
|
108
|
my ( $bigint ) = @_; |
1009
|
|
|
|
|
|
|
|
1010
|
|
|
|
|
|
|
# TODO: Inelegant hack to deal with different Bignum implementations |
1011
|
116
|
|
|
|
|
84
|
my $hex; |
1012
|
116
|
100
|
|
|
|
306
|
if ( UNIVERSAL::isa( $bigint, "Math::BigInt" ) ) |
1013
|
|
|
|
|
|
|
{ |
1014
|
28
|
|
|
|
|
94
|
$hex = substr( $bigint->as_hex(), 2 ); |
1015
|
|
|
|
|
|
|
#Prefix a 0 as needed to get an even number of digits. |
1016
|
28
|
100
|
|
|
|
158271
|
if (length($hex) % 2) { |
1017
|
14
|
|
|
|
|
35
|
substr( $hex, 0, 0, 0 ); |
1018
|
|
|
|
|
|
|
} |
1019
|
|
|
|
|
|
|
|
1020
|
28
|
|
|
|
|
192
|
return pack 'H*', $hex; |
1021
|
|
|
|
|
|
|
} |
1022
|
|
|
|
|
|
|
else |
1023
|
|
|
|
|
|
|
{ |
1024
|
88
|
|
|
|
|
272
|
$bigint->to_bin(); |
1025
|
|
|
|
|
|
|
} |
1026
|
|
|
|
|
|
|
|
1027
|
|
|
|
|
|
|
} |
1028
|
|
|
|
|
|
|
|
1029
|
|
|
|
|
|
|
sub _create_jws_internal |
1030
|
|
|
|
|
|
|
{ |
1031
|
7
|
|
|
7
|
|
10
|
my $key = shift; |
1032
|
7
|
|
|
|
|
11
|
my $msg = shift; |
1033
|
7
|
|
|
|
|
9
|
my $nonce = shift; |
1034
|
|
|
|
|
|
|
|
1035
|
7
|
|
|
|
|
23
|
my $protected_header = '{"nonce": "' . $nonce . '"}'; |
1036
|
|
|
|
|
|
|
|
1037
|
7
|
|
|
|
|
40
|
my $sig = encode_base64url( $key->{key}->sign( encode_base64url($protected_header) . "." . encode_base64url($msg) ) ); |
1038
|
|
|
|
|
|
|
|
1039
|
|
|
|
|
|
|
my $jws = { header => { alg => "RS256", jwk => { "e" => $key->{e}, "kty" => "RSA", "n" => $key->{n} } }, |
1040
|
5
|
|
|
|
|
5379
|
protected => encode_base64url( $protected_header ), |
1041
|
|
|
|
|
|
|
payload => encode_base64url( $msg ), |
1042
|
|
|
|
|
|
|
signature => $sig }; |
1043
|
|
|
|
|
|
|
|
1044
|
5
|
|
|
|
|
84
|
my $json = _encode_json( $jws ); |
1045
|
|
|
|
|
|
|
|
1046
|
5
|
|
|
|
|
53
|
return $json; |
1047
|
|
|
|
|
|
|
|
1048
|
|
|
|
|
|
|
} |
1049
|
|
|
|
|
|
|
|
1050
|
|
|
|
|
|
|
sub _decode_json |
1051
|
|
|
|
|
|
|
{ |
1052
|
13
|
|
|
13
|
|
25
|
my $ref = shift; |
1053
|
|
|
|
|
|
|
|
1054
|
13
|
|
|
|
|
22
|
my $json = ""; |
1055
|
|
|
|
|
|
|
|
1056
|
|
|
|
|
|
|
eval |
1057
|
13
|
|
|
|
|
16
|
{ |
1058
|
13
|
|
|
|
|
356
|
$json = JSON->new->allow_nonref->decode($ref); |
1059
|
|
|
|
|
|
|
}; |
1060
|
|
|
|
|
|
|
|
1061
|
13
|
|
|
|
|
66
|
return $json; |
1062
|
|
|
|
|
|
|
} |
1063
|
|
|
|
|
|
|
|
1064
|
|
|
|
|
|
|
sub _encode_json |
1065
|
|
|
|
|
|
|
{ |
1066
|
12
|
|
|
12
|
|
20
|
my $ref = shift; |
1067
|
|
|
|
|
|
|
# my $json = JSON->new(); |
1068
|
|
|
|
|
|
|
# $json->canonical(); |
1069
|
|
|
|
|
|
|
# return $json->encode($ref); |
1070
|
12
|
|
|
|
|
359
|
return JSON->new->canonical->encode($ref); |
1071
|
|
|
|
|
|
|
} |
1072
|
|
|
|
|
|
|
|
1073
|
|
|
|
|
|
|
|
1074
|
|
|
|
|
|
|
=head1 AUTHOR |
1075
|
|
|
|
|
|
|
|
1076
|
|
|
|
|
|
|
Stephen Ludin, C<< >> |
1077
|
|
|
|
|
|
|
|
1078
|
|
|
|
|
|
|
=head1 BUGS |
1079
|
|
|
|
|
|
|
|
1080
|
|
|
|
|
|
|
Please report any bugs or feature requests to C, or through |
1081
|
|
|
|
|
|
|
the web interface at L. I will be notified, and then you'll |
1082
|
|
|
|
|
|
|
automatically be notified of progress on your bug as I make changes. |
1083
|
|
|
|
|
|
|
|
1084
|
|
|
|
|
|
|
=head1 REPOSITORY |
1085
|
|
|
|
|
|
|
|
1086
|
|
|
|
|
|
|
https://github.com/sludin/Protocol-ACME |
1087
|
|
|
|
|
|
|
|
1088
|
|
|
|
|
|
|
|
1089
|
|
|
|
|
|
|
=head1 SUPPORT |
1090
|
|
|
|
|
|
|
|
1091
|
|
|
|
|
|
|
You can find documentation for this module with the perldoc command. |
1092
|
|
|
|
|
|
|
|
1093
|
|
|
|
|
|
|
perldoc Protocol::ACME |
1094
|
|
|
|
|
|
|
|
1095
|
|
|
|
|
|
|
|
1096
|
|
|
|
|
|
|
You can also look for information at: |
1097
|
|
|
|
|
|
|
|
1098
|
|
|
|
|
|
|
=over 4 |
1099
|
|
|
|
|
|
|
|
1100
|
|
|
|
|
|
|
=item * RT: CPAN's request tracker (report bugs here) |
1101
|
|
|
|
|
|
|
|
1102
|
|
|
|
|
|
|
L |
1103
|
|
|
|
|
|
|
|
1104
|
|
|
|
|
|
|
=item * AnnoCPAN: Annotated CPAN documentation |
1105
|
|
|
|
|
|
|
|
1106
|
|
|
|
|
|
|
L |
1107
|
|
|
|
|
|
|
|
1108
|
|
|
|
|
|
|
=item * CPAN Ratings |
1109
|
|
|
|
|
|
|
|
1110
|
|
|
|
|
|
|
L |
1111
|
|
|
|
|
|
|
|
1112
|
|
|
|
|
|
|
=item * Search CPAN |
1113
|
|
|
|
|
|
|
|
1114
|
|
|
|
|
|
|
L |
1115
|
|
|
|
|
|
|
|
1116
|
|
|
|
|
|
|
=back |
1117
|
|
|
|
|
|
|
|
1118
|
|
|
|
|
|
|
|
1119
|
|
|
|
|
|
|
=head1 CONTRIBUTORS |
1120
|
|
|
|
|
|
|
|
1121
|
|
|
|
|
|
|
Felipe Gasper, C<< >> |
1122
|
|
|
|
|
|
|
|
1123
|
|
|
|
|
|
|
=head1 ACKNOWLEDGEMENTS |
1124
|
|
|
|
|
|
|
|
1125
|
|
|
|
|
|
|
|
1126
|
|
|
|
|
|
|
|
1127
|
|
|
|
|
|
|
=head1 LICENSE AND COPYRIGHT |
1128
|
|
|
|
|
|
|
|
1129
|
|
|
|
|
|
|
Copyright 2015 Stephen Ludin. |
1130
|
|
|
|
|
|
|
|
1131
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify it |
1132
|
|
|
|
|
|
|
under the terms of the the Artistic License (2.0). You may obtain a |
1133
|
|
|
|
|
|
|
copy of the full license at: |
1134
|
|
|
|
|
|
|
|
1135
|
|
|
|
|
|
|
L |
1136
|
|
|
|
|
|
|
|
1137
|
|
|
|
|
|
|
Any use, modification, and distribution of the Standard or Modified |
1138
|
|
|
|
|
|
|
Version 1.01 |
1139
|
|
|
|
|
|
|
distributing the Package, you accept this license. Do not use, modify, |
1140
|
|
|
|
|
|
|
or distribute the Package, if you do not accept this license. |
1141
|
|
|
|
|
|
|
|
1142
|
|
|
|
|
|
|
If your Modified Version has been derived from a Modified Version made |
1143
|
|
|
|
|
|
|
by someone other than you, you are nevertheless required to ensure that |
1144
|
|
|
|
|
|
|
your Modified Version complies with the requirements of this license. |
1145
|
|
|
|
|
|
|
|
1146
|
|
|
|
|
|
|
This license does not grant you the right to use any trademark, service |
1147
|
|
|
|
|
|
|
mark, tradename, or logo of the Copyright Holder. |
1148
|
|
|
|
|
|
|
|
1149
|
|
|
|
|
|
|
This license includes the non-exclusive, worldwide, free-of-charge |
1150
|
|
|
|
|
|
|
patent license to make, have made, use, offer to sell, sell, import and |
1151
|
|
|
|
|
|
|
otherwise transfer the Package with respect to any patent claims |
1152
|
|
|
|
|
|
|
licensable by the Copyright Holder that are necessarily infringed by the |
1153
|
|
|
|
|
|
|
Package. If you institute patent litigation (including a cross-claim or |
1154
|
|
|
|
|
|
|
counterclaim) against any party alleging that the Package constitutes |
1155
|
|
|
|
|
|
|
direct or contributory patent infringement, then this Artistic License |
1156
|
|
|
|
|
|
|
to you shall terminate on the date that such litigation is filed. |
1157
|
|
|
|
|
|
|
|
1158
|
|
|
|
|
|
|
Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER |
1159
|
|
|
|
|
|
|
AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. |
1160
|
|
|
|
|
|
|
THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR |
1161
|
|
|
|
|
|
|
PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY |
1162
|
|
|
|
|
|
|
YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR |
1163
|
|
|
|
|
|
|
CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR |
1164
|
|
|
|
|
|
|
CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, |
1165
|
|
|
|
|
|
|
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
1166
|
|
|
|
|
|
|
|
1167
|
|
|
|
|
|
|
|
1168
|
|
|
|
|
|
|
=cut |
1169
|
|
|
|
|
|
|
|
1170
|
|
|
|
|
|
|
1; # End of Protocol::ACME |