3.1.1

Merge pull request #1 from sam-lord/master
Bug fix: Polling status using POST-as-GET wherever possible
2024-11-16 17:29:00 +00:00 · 2021-05-24 11:05:49 +01:00 · 2021-05-24 11:01:15 +01:00 · 2021-04-08 14:19:33 +01:00 · 2020-07-28 16:03:07 -06:00 · 2020-07-28 16:02:45 -06:00
26 changed files with 351 additions and 360 deletions
--- a/account.js
+++ b/account.js
@ -11,7 +11,7 @@ A._getAccountKid = function(me, options) {
 	// It's just fine if there's no account, we'll go get the key id we need via the existing key
 	var kid =
 		options.kid ||
-		(options.account && (options.account.key && options.account.key.kid));
+		(options.account && options.account.key && options.account.key.kid);
 	if (kid) {
 		return Promise.resolve(kid);
--- a/acme.js
+++ b/acme.js
@ -756,12 +756,8 @@ ACME._postChallenge = function(me, options, kid, auth) {
 			altname: altname
 		});
-		if ('processing' === resp.body.status) {
+		// State can be pending while waiting ACME server to transition to
-			//#console.debug('poll: again', auth.url);
+		// processing
 			return ACME._wait(RETRY_INTERVAL).then(pollStatus);
 		}
 		// This state should never occur
 		if ('pending' === resp.body.status) {
 			if (count >= MAX_PEND) {
 				return ACME._wait(RETRY_INTERVAL)
@ -769,7 +765,12 @@ ACME._postChallenge = function(me, options, kid, auth) {
 					.then(respondToChallenge);
 			}
 			//#console.debug('poll: again', auth.url);
-			return ACME._wait(RETRY_INTERVAL).then(respondToChallenge);
+			return ACME._wait(RETRY_INTERVAL).then(pollStatus);
 		}
 		if ('processing' === resp.body.status) {
 			//#console.debug('poll: again', auth.url);
 			return ACME._wait(RETRY_INTERVAL).then(pollStatus);
 		}
 		// REMOVE DNS records as soon as the state is non-processing
@ -1012,14 +1013,7 @@ ACME._pollOrderStatus = function(me, options, kid, order, verifieds) {
 	var body = { csr: csr64 };
 	var payload = JSON.stringify(body);
-	function pollCert() {
+	function processResponse(resp) {
 		//#console.debug('[ACME.js] pollCert:', order._finalizeUrl);
 		return U._jwsRequest(me, {
 			accountKey: options.accountKey,
 			url: order._finalizeUrl,
 			protected: { kid: kid },
 			payload: Enc.strToBuf(payload)
 		}).then(function(resp) {
 		ACME._notify(me, options, 'certificate_status', {
 			subject: options.domains[0],
 			status: resp.body.status
@ -1035,7 +1029,7 @@ ACME._pollOrderStatus = function(me, options, kid, order, verifieds) {
 		}
 		if ('processing' === resp.body.status) {
-				return ACME._wait().then(pollCert);
+			return ACME._wait().then(pollStatus);
 		}
 		if (me.debug) {
@ -1075,10 +1069,28 @@ ACME._pollOrderStatus = function(me, options, kid, order, verifieds) {
 		return Promise.reject(
 			E.UNHANDLED_ORDER_STATUS(options, verifieds, resp)
 		);
 		});
 	}
-	return pollCert();
+	function pollStatus() {
 		return U._jwsRequest(me, {
 			accountKey: options.accountKey,
 			url: order._orderUrl,
 			protected: { kid: kid },
 			payload: Enc.binToBuf('')
 		}).then(processResponse);
 	}
 	function finalizeOrder() {
 		//#console.debug('[ACME.js] pollCert:', order._finalizeUrl);
 		return U._jwsRequest(me, {
 			accountKey: options.accountKey,
 			url: order._finalizeUrl,
 			protected: { kid: kid },
 			payload: Enc.strToBuf(payload)
 		}).then(processResponse);
 	}
 	return finalizeOrder();
 };
 ACME._redeemCert = function (me, options, kid, voucher) {
@ -1236,14 +1248,8 @@ ACME._prepRequest = function(me, options) {
 		options.domains = options.domains || _csr.altnames;
 		_csr.altnames = _csr.altnames || [];
 		if (
-			options.domains
+			options.domains.slice(0).sort().join(' ') !==
-				.slice(0)
+			_csr.altnames.slice(0).sort().join(' ')
 				.sort()
 				.join(' ') !==
 			_csr.altnames
 				.slice(0)
 				.sort()
 				.join(' ')
 		) {
 			return Promise.reject(
 				new Error('certificate altnames do not match requested domains')
@ -1347,10 +1353,7 @@ ACME._csrToUrlBase64 = function(csr) {
 	// TODO use PEM.parseBlock()
 	// nix PEM headers, if any
 	if ('-' === csr[0]) {
-		csr = csr
+		csr = csr.split(/\n+/).slice(1, -1).join('');
 			.split(/\n+/)
 			.slice(1, -1)
 			.join('');
 	}
 	return Enc.base64ToUrlBase64(csr.trim().replace(/\s+/g, ''));
 };
@ -1359,9 +1362,7 @@ ACME._csrToUrlBase64 = function(csr) {
 ACME._prnd = function (n) {
 	var rnd = '';
 	while (rnd.length / 2 < n) {
-		var i = Math.random()
+		var i = Math.random().toString().substr(2);
 			.toString()
 			.substr(2);
 		var h = parseInt(i, 10).toString(16);
 		if (h.length % 2) {
 			h = '0' + h;
--- a/lib/node/sha2.js
+++ b/lib/node/sha2.js
@ -9,9 +9,6 @@ sha2.sum = function(alg, str) {
 		var sha = 'sha' + String(alg).replace(/^sha-?/i, '');
 		// utf8 is the default for strings
 		var buf = Buffer.from(str);
-		return crypto
+		return crypto.createHash(sha).update(buf).digest();
 			.createHash(sha)
 			.update(buf)
 			.digest();
 	});
 };
--- a/package-lock.json
+++ b/package-lock.json
@ -1,6 +1,6 @@
 {
 	"name": "@root/acme",
-	"version": "3.0.10",
+	"version": "3.1.1",
 	"lockfileVersion": 1,
 	"requires": true,
 	"dependencies": {
@ -28,9 +28,9 @@
 			"integrity": "sha512-OaEub02ufoU038gy6bsNHQOjIn8nUjGiLcaRmJ40IUykneJkIW5fxDqKxQx48cszuNflYldsJLPPXCrGfHs8yQ=="
 		},
 		"@root/keypairs": {
-			"version": "0.9.0",
+			"version": "0.10.0",
-			"resolved": "https://registry.npmjs.org/@root/keypairs/-/keypairs-0.9.0.tgz",
+			"resolved": "https://registry.npmjs.org/@root/keypairs/-/keypairs-0.10.0.tgz",
-			"integrity": "sha512-NXE2L9Gv7r3iC4kB/gTPZE1vO9Ox/p14zDzAJ5cGpTpytbWOlWF7QoHSJbtVX4H7mRG/Hp7HR3jWdWdb2xaaXg==",
+			"integrity": "sha512-t8VocY46Mtb0NTsxzyLLf5tsgfw0BXLYVADAyiRdEdqHcvPFGJdjkXNtHVQuSV/FMaC65iTOHVP4E6X8iT3Ikg==",
 			"requires": {
 				"@root/encoding": "^1.0.1",
 				"@root/pem": "^1.0.4",
@ -43,9 +43,9 @@
 			"integrity": "sha512-rEUDiUsHtild8GfIjFE9wXtcVxeS+ehCJQBwbQQ3IVfORKHK93CFnRtkr69R75lZFjcmKYVc+AXDB+AeRFOULA=="
 		},
 		"@root/request": {
-			"version": "1.3.11",
+			"version": "1.6.1",
-			"resolved": "https://registry.npmjs.org/@root/request/-/request-1.3.11.tgz",
+			"resolved": "https://registry.npmjs.org/@root/request/-/request-1.6.1.tgz",
-			"integrity": "sha512-3a4Eeghcjsfe6zh7EJ+ni1l8OK9Fz2wL1OjP4UCa0YdvtH39kdXB9RGWuzyNv7dZi0+Ffkc83KfH0WbPMiuJFw=="
+			"integrity": "sha512-8wrWyeBLRp7T8J36GkT3RODJ6zYmL0/maWlAUD5LOXT28D3TDquUepyYDKYANNA3Gc8R5ZCgf+AXvSTYpJEWwQ=="
 		},
 		"@root/x509": {
 			"version": "0.7.2",
@ -152,9 +152,9 @@
 			"dev": true
 		},
 		"glob": {
-			"version": "7.1.5",
+			"version": "7.1.6",
-			"resolved": "https://registry.npmjs.org/glob/-/glob-7.1.5.tgz",
+			"resolved": "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz",
-			"integrity": "sha512-J9dlskqUXK1OeTOYBEn5s8aMukWMwWfs+rPTn/jn50Ux4MNXVhubL1wu/j2t+H4NVI+cXEcCaYellqaPVGXNqQ==",
+			"integrity": "sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==",
 			"dev": true,
 			"requires": {
 				"fs.realpath": "^1.0.0",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "@root/acme",
-	"version": "3.0.10",
+	"version": "3.1.1",
 	"description": "Free SSL certificates for Node.js and Browsers. Issued via Let's Encrypt",
 	"homepage": "https://rootprojects.org/acme/",
 	"main": "acme.js",
@ -44,9 +44,9 @@
 	"dependencies": {
 		"@root/csr": "^0.8.1",
 		"@root/encoding": "^1.0.1",
-		"@root/keypairs": "^0.9.0",
+		"@root/keypairs": "^0.10.0",
 		"@root/pem": "^1.0.4",
-		"@root/request": "^1.3.11",
+		"@root/request": "^1.6.1",
 		"@root/x509": "^0.7.2"
 	},
 	"devDependencies": {
--- a/tests/issue-certificates.js
+++ b/tests/issue-certificates.js
@ -247,12 +247,7 @@ module.exports = function() {
 	function random() {
 		return (
-			parseInt(
+			parseInt(Math.random().toString().slice(2, 99), 10)
 				Math.random()
 					.toString()
 					.slice(2, 99),
 				10
 			)
 				.toString(16)
 				.slice(0, 4) + '例'
 		);
--- a/tests/maintainer.js
+++ b/tests/maintainer.js
@ -33,10 +33,7 @@ native
 				var now = Date.now();
 				var nonce = '20';
-				var needle = crypto
+				var needle = crypto.randomBytes(3).toString('hex').slice(0, 5);
 					.randomBytes(3)
 					.toString('hex')
 					.slice(0, 5);
 				native
 					._hashcash({
 						alg: 'SHA-256',
--- a/utils.js
+++ b/utils.js
@ -11,12 +11,13 @@ U._jwsRequest = function(me, bigopts) {
 		bigopts.protected.nonce = nonce;
 		bigopts.protected.url = bigopts.url;
 		// protected.alg: added by Keypairs.signJws
-		if (!bigopts.protected.jwk) {
+		if (bigopts.protected.jwk) {
-			// protected.kid must be overwritten due to ACME's interpretation of the spec
+			bigopts.protected.kid = false;
-			if (!('kid' in bigopts.protected)) {
+		} else if (!('kid' in bigopts.protected)) {
 			// protected.kid must be provided according to ACME's interpretation of the spec
 			// (using the provided URL rather than the Key's Thumbprint as Key ID)
 			bigopts.protected.kid = bigopts.kid;
 		}
 		}
 		// this will shasum the thumbprint the 2nd time
 		return Keypairs.signJws({
Author	SHA1	Message	Date
Sam Lord	45fd6962f2	3.1.1	2021-05-24 11:05:49 +01:00
Sam Lord	829d34f60a	Merge pull request #1 from sam-lord/master Bug fix: Polling status using POST-as-GET wherever possible	2021-05-24 11:01:15 +01:00
Sam Lord	0aa939a227	Bug fix: Polling status using POST-as-GET wherever possible Avoid repeating finalize POST request and challenge POST requests by using POST-as-GET requests instead. Allows for testing with Pebble, and more correctly follows the spec.	2021-04-08 14:19:33 +01:00
AJ ONeal	bef931f28f	3.1.0	2020-07-28 16:03:07 -06:00
AJ ONeal	eb432571ca	Bugfix jwk / kid mutually exclusive See https://git.rootprojects.org/root/greenlock-express.js/issues/38	2020-07-28 16:02:45 -06:00
AJ ONeal	29a47e8fa4	make Prettier v2	2020-07-28 15:53:50 -06:00