Update to ACMEv2 (RFC8555) #34
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- signJwt is not using SimpleJWS, but self signs and encodes. Support for POST-as-GET with empty payload and some small refactoring according to ACMEv2 with providing the account location in the jws header if present. - Added Domain objects for wrapping responses. Corresponds to fields defined in RFC8555. - Added content-type in header in acmeClient - Added errors and resources corresponding RFC8555 - Updated register, requestChallenge (newOrder), answerChallenge - Added getChallenge given a authorizationUrl TODO: pollForChallenge, requestCertificate, pollForCertificate, revokeCertificate, unit tests and TESTING!
- Updated requestCertificate to use the locationUrl - Updated pollCertificate with POST-as-a-GET request - Updated pollCertificate. When success, use the download location URL in response to download the certificate data. - Updated pollCertificate. Link in header in ACMEv2 contains rel="index", this conflicts with the previous link check causing chain to be reached. Fixed this. - Fixed type in revoke certificate. - Updated method in AcmeResource which checks if a resource needs Jwk authorization. Removed the revoke action since this can be done using both kid as jwk header in jws. We use kid in this client. TODO: unit tests, validating implementation with IETF-8555 and review.
- Small cleanups/fixes
2597 development
- Added location in newOrder response to order object for returning - Added getOrder method in AcmeService for POST-as-a-GET the Order using the order's location URL - Added location header in order response in finalizeOrder request
|
Wow, thanks! These are a lot less changes than I expected. Will migrate my client based on this library to test it. |
…ing from payload.
Refactored a bit so we only check for uplinks, no other rel headers.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refactored the ACME library to support the ACMEv2 protocol based on the RFC8555. This release breaks implementations that rely on ACMEv1, since ACMEv2 has a different flow for requesting and retrieving a certificate.
New:
Updated:
I might have forgotten to mention one or more things that have been changed, but it is also noted inside the commits.
**This requires review and testing before it can be considered as production-ready. Please contact us if you are having questions/notes. We'd like to keep in touch for reviewing.
You can contact us at: scrumteam@xel.nl**
ps. I need some help to get the tests working with pebble in docker.