ACME v2 - Deprecation of unauthenticated resource GETs

fbett · Oct 27, 2018 · a03379d · a03379d
1 parent 0787aa9
commit a03379d
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 18 deletions.
diff --git a/composer.json b/composer.json
@@ -2,7 +2,7 @@
   "name": "fbett/le_acme2",
   "description": "Letsencrypt PHP ACME v2 client",
   "homepage": "https://github.com/fbett/le-acme2-php",
-  "version": "1.1.4",
+  "version": "1.1.5",
   "license": "MIT",
   "authors": [
     {

diff --git a/src/LE_ACME2/Authorizer/AbstractAuthorizer.php b/src/LE_ACME2/Authorizer/AbstractAuthorizer.php
@@ -47,7 +47,7 @@ protected function _fetchAuthorizationResponses() {
 
         foreach($directoryNewOrderResponse->getAuthorizations() as $authorization) {
 
-            $request = new Request\Authorization\Get($authorization);
+            $request = new Request\Authorization\Get($this->_account, $authorization);
             $this->_authorizationResponses[] = $request->getResponse();
         }
     }

diff --git a/src/LE_ACME2/Order.php b/src/LE_ACME2/Order.php
@@ -215,7 +215,7 @@ public function finalize() {
 
         if($directoryNewOrderResponse->getStatus() == Response\Order\AbstractDirectoryNewOrder::STATUS_VALID) {
 
-            $request = new Request\Order\GetCertificate($directoryNewOrderResponse);
+            $request = new Request\Order\GetCertificate($this->_account, $directoryNewOrderResponse);
             $response = $request->getResponse();
 
             $certificate = $response->getCertificate();

diff --git a/src/LE_ACME2/Request/Authorization/Get.php b/src/LE_ACME2/Request/Authorization/Get.php
@@ -2,17 +2,22 @@
 
 namespace LE_ACME2\Request\Authorization;
 
+use LE_ACME2\Account;
 use LE_ACME2\Connector\Connector;
+use LE_ACME2\Connector\Storage;
 use LE_ACME2\Request\AbstractRequest;
 
-use LE_ACME2\Response as Response;
+use LE_ACME2\Response;
+use LE_ACME2\Utilities;
 
 class Get extends AbstractRequest {
 
+    protected $_account;
     protected $_authorizationURL;
 
-    public function __construct($authorizationURL) {
+    public function __construct(Account $account, $authorizationURL) {
 
+        $this->_account = $account;
         $this->_authorizationURL = $authorizationURL;
     }
 
@@ -24,10 +29,20 @@ public function __construct($authorizationURL) {
     public function getResponse() {
 
         $connector = Connector::getInstance();
+        $storage = Storage::getInstance();
+
+        $kid = Utilities\RequestSigner::KID(
+            null,
+            $storage->getDirectoryNewAccountResponse($this->_account)->getLocation(),
+            $this->_authorizationURL,
+            $storage->getNewNonceResponse()->getNonce(),
+            $this->_account->getKeyDirectoryPath()
+        );
 
         $result = $connector->request(
-            Connector::METHOD_GET,
-            $this->_authorizationURL
+            Connector::METHOD_POST,
+            $this->_authorizationURL,
+            $kid
         );
 
         return new Response\Authorization\Get($result);

diff --git a/src/LE_ACME2/Request/Order/Get.php b/src/LE_ACME2/Request/Order/Get.php
@@ -5,7 +5,8 @@
 use LE_ACME2\Connector\Storage;
 use LE_ACME2\Order;
 use LE_ACME2\Request\AbstractRequest;
-use LE_ACME2\Response as Response;
+use LE_ACME2\Response;
+use LE_ACME2\Utilities;
 
 use LE_ACME2\Account;
 use LE_ACME2\Connector\Connector;
@@ -31,9 +32,18 @@ public function getResponse()
         $connector = Connector::getInstance();
         $storage = Storage::getInstance();
 
+        $kid = Utilities\RequestSigner::KID(
+            null,
+            $storage->getDirectoryNewAccountResponse($this->_account)->getLocation(),
+            $storage->getDirectoryNewOrderResponse($this->_account, $this->_order)->getLocation(),
+            $storage->getNewNonceResponse()->getNonce(),
+            $this->_account->getKeyDirectoryPath()
+        );
+
         $result = $connector->request(
-            Connector::METHOD_GET,
-            $storage->getDirectoryNewOrderResponse($this->_account, $this->_order)->getLocation()
+            Connector::METHOD_POST,
+            $storage->getDirectoryNewOrderResponse($this->_account, $this->_order)->getLocation(),
+            $kid
         );
 
         return new Response\Order\Get($result, $storage->getDirectoryNewOrderResponse($this->_account, $this->_order)->getLocation());

diff --git a/src/LE_ACME2/Request/Order/GetCertificate.php b/src/LE_ACME2/Request/Order/GetCertificate.php
@@ -2,17 +2,22 @@
 
 namespace LE_ACME2\Request\Order;
 
+use LE_ACME2\Account;
 use LE_ACME2\Connector\Connector;
-use LE_ACME2\Response as Response;
+use LE_ACME2\Connector\Storage;
+use LE_ACME2\Response;
+use LE_ACME2\Utilities;
 
 use LE_ACME2\Request\AbstractRequest;
 
 class GetCertificate extends AbstractRequest {
 
+    protected $_account;
     protected $_directoryNewOrderResponse;
 
-    public function __construct(Response\Order\AbstractDirectoryNewOrder $directoryNewOrderResponse) {
+    public function __construct(Account $account, Response\Order\AbstractDirectoryNewOrder $directoryNewOrderResponse) {
 
+        $this->_account = $account;
         $this->_directoryNewOrderResponse = $directoryNewOrderResponse;
     }
 
@@ -24,11 +29,22 @@ public function __construct(Response\Order\AbstractDirectoryNewOrder $directoryN
     public function getResponse()
     {
         $connector = Connector::getInstance();
+        $storage = Storage::getInstance();
+
+        $kid = Utilities\RequestSigner::KID(
+            null,
+            $storage->getDirectoryNewAccountResponse($this->_account)->getLocation(),
+            $this->_directoryNewOrderResponse->getCertificate(),
+            $storage->getNewNonceResponse()->getNonce(),
+            $this->_account->getKeyDirectoryPath()
+        );
 
         $result = $connector->request(
-            Connector::METHOD_GET,
-            $this->_directoryNewOrderResponse->getCertificate()
+            Connector::METHOD_POST,
+            $this->_directoryNewOrderResponse->getCertificate(),
+            $kid
         );
+
         return new Response\Order\GetCertificate($result);
     }
 

diff --git a/src/LE_ACME2/Utilities/RequestSigner.php b/src/LE_ACME2/Utilities/RequestSigner.php
@@ -15,7 +15,7 @@ class RequestSigner {
      *
      * @return array	Returns an array containing the signature.
      */
-    public static function JWK($payload, $url, $nonce, $privateKeyDir, $privateKeyFile = 'private.pem') {
+    public static function JWK(array $payload, $url, $nonce, $privateKeyDir, $privateKeyFile = 'private.pem') {
 
         Logger::getInstance()->add(Logger::LEVEL_DEBUG, 'JWK sign request for ' . $url, $payload);
 
@@ -59,7 +59,7 @@ public static function JWK($payload, $url, $nonce, $privateKeyDir, $privateKeyFi
      *
      * @return string	Returns a JSON encoded string containing the signature.
      */
-    public static function JWKString($payload, $url, $nonce, $privateKeyDir, $privateKeyFile = 'private.pem') {
+    public static function JWKString(array $payload, $url, $nonce, $privateKeyDir, $privateKeyFile = 'private.pem') {
 
         $jwk = self::JWK($payload, $url, $nonce, $privateKeyDir, $privateKeyFile);
         return json_encode($jwk);
@@ -77,7 +77,7 @@ public static function JWKString($payload, $url, $nonce, $privateKeyDir, $privat
      *
      * @return string	Returns a JSON encoded string containing the signature.
      */
-    public static function KID($payload, $kid, $url, $nonce, $privateKeyDir, $privateKeyFile = 'private.pem') {
+    public static function KID(array $payload = null, $kid, $url, $nonce, $privateKeyDir, $privateKeyFile = 'private.pem') {
 
         Logger::getInstance()->add(Logger::LEVEL_DEBUG, 'KID sign request for ' . $url, $payload);
 
@@ -93,7 +93,9 @@ public static function KID($payload, $kid, $url, $nonce, $privateKeyDir, $privat
 
         Logger::getInstance()->add(Logger::LEVEL_DEBUG, 'KID: ready to sign request for: ' . $url, $protected);
 
-        $payload64 = Base64::UrlSafeEncode(str_replace('\\/', '/', json_encode($payload)));
+        $payload = $payload === null ? "" : str_replace('\\/', '/', json_encode($payload));
+
+        $payload64 = Base64::UrlSafeEncode($payload);
         $protected64 = Base64::UrlSafeEncode(json_encode($protected));
 
         openssl_sign($protected64.'.'.$payload64, $signed, $privateKey, "SHA256");