root
/
greenlock.js
mirror of https://github.com/therootcompany/greenlock.js.git
2
0
Fork 0
Code Issues 27 Releases Wiki Activity

tabs -> spaces

This commit is contained in:
AJ ONeal 2019-10-31 16:26:18 -06:00
parent 8c8d9251cd
commit fd1723782b
15 changed files with 2371 additions and 2371 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
README.md
View File

@ -50,12 +50,12 @@ TODO
// Creates an instance of greenlock with certain default values // Creates an instance of greenlock with certain default values
var gl = Greenlock.create({ var gl = Greenlock.create({
// Staging for testing environments // Staging for testing environments
staging: true, staging: true,
// This should be the contact who receives critical bug and security notifications // This should be the contact who receives critical bug and security notifications
// Optionally, you may receive other (very few) updates, such as important new features // Optionally, you may receive other (very few) updates, such as important new features
maintainerEmail: 'jon@example.com' maintainerEmail: 'jon@example.com'
}); });
``` ```
@ -73,10 +73,10 @@ var gl = Greenlock.create({
```js ```js
greenlock.manager.defaults({ greenlock.manager.defaults({
// The "Let's Encrypt Subscriber" (often the same as the maintainer) // The "Let's Encrypt Subscriber" (often the same as the maintainer)
// NOT the end customer (except where that is also the maintainer) // NOT the end customer (except where that is also the maintainer)
subscriberEmail: 'jon@example.com', subscriberEmail: 'jon@example.com',
agreeToTerms: true agreeToTerms: true
}); });
``` ```
@ -102,8 +102,8 @@ greenlock.manager.defaults({
```js ```js
gl.add({ gl.add({
subject: 'example.com', subject: 'example.com',
altnames: ['example.com', 'www.example.com', 'exampleapi.com'] altnames: ['example.com', 'www.example.com', 'exampleapi.com']
}); });
``` ```
@ -119,15 +119,15 @@ gl.add({
```js ```js
return greenlock.get({ servername }).then(function(site) { return greenlock.get({ servername }).then(function(site) {
if (!site) { if (!site) {
console.log(servername + ' was not found in any site config'); console.log(servername + ' was not found in any site config');
return; return;
} }
var privkey = site.pems.privkey; var privkey = site.pems.privkey;
var fullchain = site.pems.cert + '\n' + site.pems.chain + '\n'; var fullchain = site.pems.cert + '\n' + site.pems.chain + '\n';
console.log(privkey); console.log(privkey);
console.log(fullchain); console.log(fullchain);
}); });
``` ```
@ -141,13 +141,13 @@ This will renew only domains that have reached their `renewAt` or are within the
```js ```js
return greenlock.renew({}).then(function(results) { return greenlock.renew({}).then(function(results) {
results.forEach(function(site) { results.forEach(function(site) {
if (site.error) { if (site.error) {
console.error(site.subject, site.error); console.error(site.subject, site.error);
return; return;
} }
console.log('Renewed certificate for', site.subject, site.altnames); console.log('Renewed certificate for', site.subject, site.altnames);
}); });
}); });
``` ```
@ -163,7 +163,7 @@ return greenlock.renew({}).then(function(results) {
```js ```js
greenlock.update({ subject, renewAt: 0 }).then(function() { greenlock.update({ subject, renewAt: 0 }).then(function() {
return greenlock.renew({}); return greenlock.renew({});
}); });
``` ```

344
accounts.js
View File

@ -7,213 +7,213 @@ var E = require('./errors.js');
var pending = {}; var pending = {};
A._getOrCreate = function(gnlck, mconf, db, acme, args) { A._getOrCreate = function(gnlck, mconf, db, acme, args) {
var email = args.subscriberEmail || mconf.subscriberEmail; var email = args.subscriberEmail || mconf.subscriberEmail;
if (!email) { if (!email) {
throw E.NO_SUBSCRIBER('get account', args.subject); throw E.NO_SUBSCRIBER('get account', args.subject);
} }
// TODO send welcome message with benefit info // TODO send welcome message with benefit info
return U._validMx(email) return U._validMx(email)
.catch(function() { .catch(function() {
throw E.NO_SUBSCRIBER('get account', args.subcriberEmail); throw E.NO_SUBSCRIBER('get account', args.subcriberEmail);
}) })
.then(function() { .then(function() {
if (pending[email]) { if (pending[email]) {
return pending[email]; return pending[email];
} }
pending[email] = A._rawGetOrCreate( pending[email] = A._rawGetOrCreate(
gnlck, gnlck,
mconf, mconf,
db, db,
acme, acme,
args, args,
email email
) )
.catch(function(e) { .catch(function(e) {
delete pending[email]; delete pending[email];
throw e; throw e;
}) })
.then(function(result) { .then(function(result) {
delete pending[email]; delete pending[email];
return result; return result;
}); });
return pending[email]; return pending[email];
}); });
}; };
// What we really need out of this is the private key and the ACME "key" id // What we really need out of this is the private key and the ACME "key" id
A._rawGetOrCreate = function(gnlck, mconf, db, acme, args, email) { A._rawGetOrCreate = function(gnlck, mconf, db, acme, args, email) {
var p; var p;
if (db.check) { if (db.check) {
p = A._checkStore(gnlck, mconf, db, acme, args, email); p = A._checkStore(gnlck, mconf, db, acme, args, email);
} else { } else {
p = Promise.resolve(null); p = Promise.resolve(null);
} }
return p.then(function(fullAccount) { return p.then(function(fullAccount) {
if (!fullAccount) { if (!fullAccount) {
return A._newAccount(gnlck, mconf, db, acme, args, email, null); return A._newAccount(gnlck, mconf, db, acme, args, email, null);
} }
if (fullAccount.keypair && fullAccount.key && fullAccount.key.kid) { if (fullAccount.keypair && fullAccount.key && fullAccount.key.kid) {
return fullAccount; return fullAccount;
} }
return A._newAccount(gnlck, mconf, db, acme, args, email, fullAccount); return A._newAccount(gnlck, mconf, db, acme, args, email, fullAccount);
}); });
}; };
A._newAccount = function(gnlck, mconf, db, acme, args, email, fullAccount) { A._newAccount = function(gnlck, mconf, db, acme, args, email, fullAccount) {
var keyType = args.accountKeyType || mconf.accountKeyType; var keyType = args.accountKeyType || mconf.accountKeyType;
var query = { var query = {
subject: args.subject, subject: args.subject,
email: email, email: email,
subscriberEmail: email, subscriberEmail: email,
customerEmail: args.customerEmail, customerEmail: args.customerEmail,
account: fullAccount || {}, account: fullAccount || {},
directoryUrl: directoryUrl:
args.directoryUrl || args.directoryUrl ||
mconf.directoryUrl || mconf.directoryUrl ||
gnlck._defaults.directoryUrl gnlck._defaults.directoryUrl
}; };
return U._getOrCreateKeypair(db, args.subject, query, keyType).then( return U._getOrCreateKeypair(db, args.subject, query, keyType).then(
function(kresult) { function(kresult) {
var keypair = kresult.keypair; var keypair = kresult.keypair;
var accReg = { var accReg = {
subscriberEmail: email, subscriberEmail: email,
agreeToTerms: agreeToTerms:
args.agreeToTerms || args.agreeToTerms ||
mconf.agreeToTerms || mconf.agreeToTerms ||
gnlck._defaults.agreeToTerms, gnlck._defaults.agreeToTerms,
accountKey: keypair.privateKeyJwk || keypair.private, accountKey: keypair.privateKeyJwk || keypair.private,
debug: args.debug debug: args.debug
}; };
return acme.accounts.create(accReg).then(function(receipt) { return acme.accounts.create(accReg).then(function(receipt) {
var reg = { var reg = {
keypair: keypair, keypair: keypair,
receipt: receipt, receipt: receipt,
// shudder... not actually a KeyID... but so it is called anyway... // shudder... not actually a KeyID... but so it is called anyway...
kid: kid:
receipt && receipt &&
receipt.key && receipt.key &&
(receipt.key.kid || receipt.kid), (receipt.key.kid || receipt.kid),
email: args.email, email: args.email,
subscriberEmail: email, subscriberEmail: email,
customerEmail: args.customerEmail customerEmail: args.customerEmail
}; };
var keyP; var keyP;
if (kresult.exists) { if (kresult.exists) {
keyP = Promise.resolve(); keyP = Promise.resolve();
} else { } else {
query.keypair = keypair; query.keypair = keypair;
query.receipt = receipt; query.receipt = receipt;
/* /*
query.server = gnlck._defaults.directoryUrl.replace( query.server = gnlck._defaults.directoryUrl.replace(
/^https?:\/\//i, /^https?:\/\//i,
'' ''
); );
*/ */
keyP = db.setKeypair(query, keypair); keyP = db.setKeypair(query, keypair);
} }
return keyP return keyP
.then(function() { .then(function() {
if (!db.set) { if (!db.set) {
return Promise.resolve({ return Promise.resolve({
keypair: keypair keypair: keypair
}); });
} }
return db.set( return db.set(
{ {
// id to be set by Store // id to be set by Store
email: email, email: email,
subscriberEmail: email, subscriberEmail: email,
customerEmail: args.customerEmail, customerEmail: args.customerEmail,
agreeTos: true, agreeTos: true,
agreeToTerms: true, agreeToTerms: true,
directoryUrl: directoryUrl:
args.directoryUrl || args.directoryUrl ||
mconf.directoryUrl || mconf.directoryUrl ||
gnlck._defaults.directoryUrl gnlck._defaults.directoryUrl
/* /*
server: gnlck._defaults.directoryUrl.replace( server: gnlck._defaults.directoryUrl.replace(
/^https?:\/\//i, /^https?:\/\//i,
'' ''
) )
*/ */
}, },
reg reg
); );
}) })
.then(function(fullAccount) { .then(function(fullAccount) {
if (fullAccount && 'object' !== typeof fullAccount) { if (fullAccount && 'object' !== typeof fullAccount) {
throw new Error( throw new Error(
"accounts.set should either return 'null' or an object with an 'id' string" "accounts.set should either return 'null' or an object with an 'id' string"
); );
} }
if (!fullAccount) { if (!fullAccount) {
fullAccount = {}; fullAccount = {};
} }
fullAccount.keypair = keypair; fullAccount.keypair = keypair;
if (!fullAccount.key) { if (!fullAccount.key) {
fullAccount.key = {}; fullAccount.key = {};
} }
fullAccount.key.kid = reg.kid; fullAccount.key.kid = reg.kid;
return fullAccount; return fullAccount;
}); });
}); });
} }
); );
}; };
A._checkStore = function(gnlck, mconf, db, acme, args, email) { A._checkStore = function(gnlck, mconf, db, acme, args, email) {
if ((args.domain || args.domains) && !args.subject) { if ((args.domain || args.domains) && !args.subject) {
console.warn("use 'subject' instead of 'domain'"); console.warn("use 'subject' instead of 'domain'");
args.subject = args.domain; args.subject = args.domain;
} }
var account = args.account; var account = args.account;
if (!account) { if (!account) {
account = {}; account = {};
} }
if (args.accountKey) { if (args.accountKey) {
console.warn( console.warn(
'rather than passing accountKey, put it directly into your account key store' 'rather than passing accountKey, put it directly into your account key store'
); );
// TODO we probably don't need this // TODO we probably don't need this
return U._importKeypair(args.accountKey); return U._importKeypair(args.accountKey);
} }
if (!db.check) { if (!db.check) {
return Promise.resolve(null); return Promise.resolve(null);
} }
return db return db
.check({ .check({
//keypair: undefined, //keypair: undefined,
//receipt: undefined, //receipt: undefined,
email: email, email: email,
subscriberEmail: email, subscriberEmail: email,
customerEmail: args.customerEmail || mconf.customerEmail, customerEmail: args.customerEmail || mconf.customerEmail,
account: account, account: account,
directoryUrl: directoryUrl:
args.directoryUrl || args.directoryUrl ||
mconf.directoryUrl || mconf.directoryUrl ||
gnlck._defaults.directoryUrl gnlck._defaults.directoryUrl
}) })
.then(function(fullAccount) { .then(function(fullAccount) {
if (!fullAccount) { if (!fullAccount) {
return null; return null;
} }
return fullAccount; return fullAccount;
}); });
}; };

690
bin/certonly.js
View File

@ -4,375 +4,375 @@ var mkdirp = require('@root/mkdirp');
var cli = require('./cli.js'); var cli = require('./cli.js');
cli.parse({ cli.parse({
'directory-url': [ 'directory-url': [
false, false,
' ACME Directory Resource URL', ' ACME Directory Resource URL',
'string', 'string',
'https://acme-v02.api.letsencrypt.org/directory', 'https://acme-v02.api.letsencrypt.org/directory',
'server,acme-url' 'server,acme-url'
], ],
email: [ email: [
false, false,
' Email used for registration and recovery contact. (default: null)', ' Email used for registration and recovery contact. (default: null)',
'email' 'email'
], ],
'agree-tos': [ 'agree-tos': [
false, false,
" Agree to the Greenlock and Let's Encrypt Subscriber Agreements", " Agree to the Greenlock and Let's Encrypt Subscriber Agreements",
'boolean', 'boolean',
false false
], ],
'community-member': [ 'community-member': [
false, false,
' Submit stats to and get updates from Greenlock', ' Submit stats to and get updates from Greenlock',
'boolean', 'boolean',
false false
], ],
domains: [ domains: [
false, false,
' Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])', ' Domain names to apply. For multiple domains you can enter a comma separated list of domains as a parameter. (default: [])',
'string' 'string'
], ],
'renew-offset': [ 'renew-offset': [
false, false,
' Positive (time after issue) or negative (time before expiry) offset, such as 30d or -45d', ' Positive (time after issue) or negative (time before expiry) offset, such as 30d or -45d',
'string', 'string',
'45d' '45d'
], ],
'renew-within': [ 'renew-within': [
false, false,
' (ignored) use renew-offset instead', ' (ignored) use renew-offset instead',
'ignore', 'ignore',
undefined undefined
], ],
'cert-path': [ 'cert-path': [
false, false,
' Path to where new cert.pem is saved', ' Path to where new cert.pem is saved',
'string', 'string',
':configDir/live/:hostname/cert.pem' ':configDir/live/:hostname/cert.pem'
], ],
'fullchain-path': [ 'fullchain-path': [
false, false,
' Path to where new fullchain.pem (cert + chain) is saved', ' Path to where new fullchain.pem (cert + chain) is saved',
'string', 'string',
':configDir/live/:hostname/fullchain.pem' ':configDir/live/:hostname/fullchain.pem'
], ],
'bundle-path': [ 'bundle-path': [
false, false,
' Path to where new bundle.pem (fullchain + privkey) is saved', ' Path to where new bundle.pem (fullchain + privkey) is saved',
'string', 'string',
':configDir/live/:hostname/bundle.pem' ':configDir/live/:hostname/bundle.pem'
], ],
'chain-path': [ 'chain-path': [
false, false,
' Path to where new chain.pem is saved', ' Path to where new chain.pem is saved',
'string', 'string',
':configDir/live/:hostname/chain.pem' ':configDir/live/:hostname/chain.pem'
], ],
'privkey-path': [ 'privkey-path': [
false, false,
' Path to where privkey.pem is saved', ' Path to where privkey.pem is saved',
'string', 'string',
':configDir/live/:hostname/privkey.pem' ':configDir/live/:hostname/privkey.pem'
], ],
'config-dir': [ 'config-dir': [
false, false,
' Configuration directory.', ' Configuration directory.',
'string', 'string',
'~/letsencrypt/etc/' '~/letsencrypt/etc/'
], ],
store: [ store: [
false, false,
' The name of the storage module to use', ' The name of the storage module to use',
'string', 'string',
'greenlock-store-fs' 'greenlock-store-fs'
], ],
'store-xxxx': [ 'store-xxxx': [
false, false,
' An option for the chosen storage module, such as --store-apikey or --store-bucket', ' An option for the chosen storage module, such as --store-apikey or --store-bucket',
'bag' 'bag'
], ],
'store-json': [ 'store-json': [
false, false,
' A JSON string containing all option for the chosen store module (instead of --store-xxxx)', ' A JSON string containing all option for the chosen store module (instead of --store-xxxx)',
'json', 'json',
'{}' '{}'
], ],
challenge: [ challenge: [
false, false,
' The name of the HTTP-01, DNS-01, or TLS-ALPN-01 challenge module to use', ' The name of the HTTP-01, DNS-01, or TLS-ALPN-01 challenge module to use',
'string', 'string',
'@greenlock/acme-http-01-fs' '@greenlock/acme-http-01-fs'
], ],
'challenge-xxxx': [ 'challenge-xxxx': [
false, false,
' An option for the chosen challenge module, such as --challenge-apikey or --challenge-bucket', ' An option for the chosen challenge module, such as --challenge-apikey or --challenge-bucket',
'bag' 'bag'
], ],
'challenge-json': [ 'challenge-json': [
false, false,
' A JSON string containing all option for the chosen challenge module (instead of --challenge-xxxx)', ' A JSON string containing all option for the chosen challenge module (instead of --challenge-xxxx)',
'json', 'json',
'{}' '{}'
], ],
'skip-dry-run': [ 'skip-dry-run': [
false, false,
' Use with caution (and test with the staging url first). Creates an Order on the ACME server without a self-test.', ' Use with caution (and test with the staging url first). Creates an Order on the ACME server without a self-test.',
'boolean' 'boolean'
], ],
'skip-challenge-tests': [ 'skip-challenge-tests': [
false, false,
' Use with caution (and with the staging url first). Presents challenges to the ACME server without first testing locally.', ' Use with caution (and with the staging url first). Presents challenges to the ACME server without first testing locally.',
'boolean' 'boolean'
], ],
'http-01-port': [ 'http-01-port': [
false, false,
' Required to be 80 for live servers. Do not use. For special test environments only.', ' Required to be 80 for live servers. Do not use. For special test environments only.',
'int' 'int'
], ],
'dns-01': [false, ' Use DNS-01 challange type', 'boolean', false], 'dns-01': [false, ' Use DNS-01 challange type', 'boolean', false],
standalone: [ standalone: [
false, false,
' Obtain certs using a "standalone" webserver.', ' Obtain certs using a "standalone" webserver.',
'boolean', 'boolean',
false false
], ],
manual: [ manual: [
false, false,
' Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (uses acme-http-01-cli or acme-dns-01-cli)', ' Print the token and key to the screen and wait for you to hit enter, giving you time to copy it somewhere before continuing (uses acme-http-01-cli or acme-dns-01-cli)',
'boolean', 'boolean',
false false
], ],
debug: [false, ' show traces and logs', 'boolean', false], debug: [false, ' show traces and logs', 'boolean', false],
root: [ root: [
false, false,
' public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)', ' public_html / webroot path (may use the :hostname template such as /srv/www/:hostname)',
'string', 'string',
undefined, undefined,
'webroot-path' 'webroot-path'
], ],
// //
// backwards compat // backwards compat
// //
duplicate: [ duplicate: [
false, false,
' Allow getting a certificate that duplicates an existing one/is an early renewal', ' Allow getting a certificate that duplicates an existing one/is an early renewal',
'boolean', 'boolean',
false false
], ],
'rsa-key-size': [ 'rsa-key-size': [
false, false,
' (ignored) use server-key-type or account-key-type instead', ' (ignored) use server-key-type or account-key-type instead',
'ignore', 'ignore',
2048 2048
], ],
'server-key-path': [ 'server-key-path': [
false, false,
' Path to privkey.pem to use for certificate (default: generate new)', ' Path to privkey.pem to use for certificate (default: generate new)',
'string', 'string',
undefined, undefined,
'domain-key-path' 'domain-key-path'
], ],
'server-key-type': [ 'server-key-type': [
false, false,
" One of 'RSA' (2048), 'RSA-3084', 'RSA-4096', 'ECDSA' (P-256), or 'P-384'. For best compatibility, security, and efficiency use the default (More bits != More security)", " One of 'RSA' (2048), 'RSA-3084', 'RSA-4096', 'ECDSA' (P-256), or 'P-384'. For best compatibility, security, and efficiency use the default (More bits != More security)",
'string', 'string',
'RSA' 'RSA'
], ],
'account-key-path': [ 'account-key-path': [
false, false,
' Path to privkey.pem to use for account (default: generate new)', ' Path to privkey.pem to use for account (default: generate new)',
'string' 'string'
], ],
'account-key-type': [ 'account-key-type': [
false, false,
" One of 'ECDSA' (P-256), 'P-384', 'RSA', 'RSA-3084', or 'RSA-4096'. Stick with 'ECDSA' (P-256) unless you need 'RSA' (2048) for legacy compatibility. (More bits != More security)", " One of 'ECDSA' (P-256), 'P-384', 'RSA', 'RSA-3084', or 'RSA-4096'. Stick with 'ECDSA' (P-256) unless you need 'RSA' (2048) for legacy compatibility. (More bits != More security)",
'string', 'string',
'P-256' 'P-256'
], ],
webroot: [false, ' (ignored) for certbot compatibility', 'ignore', false], webroot: [false, ' (ignored) for certbot compatibility', 'ignore', false],
//, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-alpn-01)", 'string', 'http-01'] //, 'standalone-supported-challenges': [ false, " Supported challenges, order preferences are randomly chosen. (default: http-01,tls-alpn-01)", 'string', 'http-01']
'work-dir': [ 'work-dir': [
false, false,
' for certbot compatibility (ignored)', ' for certbot compatibility (ignored)',
'string', 'string',
'~/letsencrypt/var/lib/' '~/letsencrypt/var/lib/'
], ],
'logs-dir': [ 'logs-dir': [
false, false,
' for certbot compatibility (ignored)', ' for certbot compatibility (ignored)',
'string', 'string',
'~/letsencrypt/var/log/' '~/letsencrypt/var/log/'
], ],
'acme-version': [ 'acme-version': [
false, false,
' (ignored) ACME is now RFC 8555 and prior drafts are no longer supported', ' (ignored) ACME is now RFC 8555 and prior drafts are no longer supported',
'ignore', 'ignore',
'rfc8555' 'rfc8555'
] ]
}); });
// ignore certonly and extraneous arguments // ignore certonly and extraneous arguments
cli.main(function(_, options) { cli.main(function(_, options) {
console.info(''); console.info('');
[ [
'configDir', 'configDir',
'privkeyPath', 'privkeyPath',
'certPath', 'certPath',
'chainPath', 'chainPath',
'fullchainPath', 'fullchainPath',
'bundlePath' 'bundlePath'
].forEach(function(k) { ].forEach(function(k) {
if (options[k]) { if (options[k]) {
options.storeOpts[k] = options[k]; options.storeOpts[k] = options[k];
} }
delete options[k]; delete options[k];
}); });
if (options.workDir) { if (options.workDir) {
options.challengeOpts.workDir = options.workDir; options.challengeOpts.workDir = options.workDir;
delete options.workDir; delete options.workDir;
} }
if (options.debug) { if (options.debug) {
console.debug(options); console.debug(options);
} }
var args = {}; var args = {};
var homedir = require('os').homedir(); var homedir = require('os').homedir();
Object.keys(options).forEach(function(key) { Object.keys(options).forEach(function(key) {
var val = options[key]; var val = options[key];
if ('string' === typeof val) { if ('string' === typeof val) {
val = val.replace(/^~/, homedir); val = val.replace(/^~/, homedir);
} }
key = key.replace(/\-([a-z0-9A-Z])/g, function(c) { key = key.replace(/\-([a-z0-9A-Z])/g, function(c) {
return c[1].toUpperCase(); return c[1].toUpperCase();
}); });
args[key] = val; args[key] = val;
}); });
Object.keys(args).forEach(function(key) { Object.keys(args).forEach(function(key) {
var val = args[key]; var val = args[key];
if ('string' === typeof val) { if ('string' === typeof val) {
val = val.replace(/(\:configDir)|(\:config)/, args.configDir); val = val.replace(/(\:configDir)|(\:config)/, args.configDir);
} }
args[key] = val; args[key] = val;
}); });
if (args.domains) { if (args.domains) {
args.domains = args.domains.split(','); args.domains = args.domains.split(',');
} }
if ( if (
!(Array.isArray(args.domains) && args.domains.length) || !(Array.isArray(args.domains) && args.domains.length) ||
!args.email || !args.email ||
!args.agreeTos || !args.agreeTos ||
(!args.server && !args.directoryUrl) (!args.server && !args.directoryUrl)
) { ) {
console.error('\nUsage:\n\ngreenlock certonly --standalone \\'); console.error('\nUsage:\n\ngreenlock certonly --standalone \\');
console.error( console.error(
'\t--agree-tos --email user@example.com --domains example.com \\' '\t--agree-tos --email user@example.com --domains example.com \\'
); );
console.error('\t--config-dir ~/acme/etc \\'); console.error('\t--config-dir ~/acme/etc \\');
console.error('\nSee greenlock --help for more details\n'); console.error('\nSee greenlock --help for more details\n');
return; return;
} }
if (args.http01Port) { if (args.http01Port) {
// [@agnat]: Coerce to string. cli returns a number although we request a string. // [@agnat]: Coerce to string. cli returns a number although we request a string.
args.http01Port = '' + args.http01Port; args.http01Port = '' + args.http01Port;
args.http01Port = args.http01Port.split(',').map(function(port) { args.http01Port = args.http01Port.split(',').map(function(port) {
return parseInt(port, 10); return parseInt(port, 10);
}); });
} }
function run() { function run() {
var challenges = {}; var challenges = {};
if (/http.?01/i.test(args.challenge)) { if (/http.?01/i.test(args.challenge)) {
challenges['http-01'] = args.challengeOpts; challenges['http-01'] = args.challengeOpts;
} }
if (/dns.?01/i.test(args.challenge)) { if (/dns.?01/i.test(args.challenge)) {
challenges['dns-01'] = args.challengeOpts; challenges['dns-01'] = args.challengeOpts;
} }
if (/alpn.?01/i.test(args.challenge)) { if (/alpn.?01/i.test(args.challenge)) {
challenges['tls-alpn-01'] = args.challengeOpts; challenges['tls-alpn-01'] = args.challengeOpts;
} }
if (!Object.keys(challenges).length) { if (!Object.keys(challenges).length) {
throw new Error( throw new Error(
"Could not determine the challenge type for '" + "Could not determine the challenge type for '" +
args.challengeOpts.module + args.challengeOpts.module +
"'. Expected a name like @you/acme-xxxx-01-foo. Please name the module with http-01, dns-01, or tls-alpn-01." "'. Expected a name like @you/acme-xxxx-01-foo. Please name the module with http-01, dns-01, or tls-alpn-01."
); );
} }
args.challengeOpts.module = args.challenge; args.challengeOpts.module = args.challenge;
args.storeOpts.module = args.store; args.storeOpts.module = args.store;
console.log('\ngot to the run step'); console.log('\ngot to the run step');
require(args.challenge); require(args.challenge);
require(args.store); require(args.store);
var greenlock = require('../').create({ var greenlock = require('../').create({
maintainerEmail: args.maintainerEmail || 'coolaj86@gmail.com', maintainerEmail: args.maintainerEmail || 'coolaj86@gmail.com',
manager: './manager.js', manager: './manager.js',
configFile: '~/.config/greenlock/certs.json', configFile: '~/.config/greenlock/certs.json',
challenges: challenges, challenges: challenges,
store: args.storeOpts, store: args.storeOpts,
renewOffset: args.renewOffset || '30d', renewOffset: args.renewOffset || '30d',
renewStagger: '1d' renewStagger: '1d'
}); });
// for long-running processes // for long-running processes
if (args.renewEvery) { if (args.renewEvery) {
setInterval(function() { setInterval(function() {
greenlock.renew({ greenlock.renew({
period: args.renewEvery period: args.renewEvery
}); });
}, args.renewEvery); }, args.renewEvery);
} }
// TODO should greenlock.add simply always include greenlock.renew? // TODO should greenlock.add simply always include greenlock.renew?
// the concern is conflating error events // the concern is conflating error events
return greenlock return greenlock
.add({ .add({
subject: args.subject, subject: args.subject,
altnames: args.altnames, altnames: args.altnames,
subscriberEmail: args.subscriberEmail || args.email subscriberEmail: args.subscriberEmail || args.email
}) })
.then(function(changes) { .then(function(changes) {
console.info(changes); console.info(changes);
// renew should always // renew should always
return greenlock return greenlock
.renew({ .renew({
subject: args.subject, subject: args.subject,
force: false force: false
}) })
.then(function() {}); .then(function() {});
}); });
} }
if ('greenlock-store-fs' !== args.store) { if ('greenlock-store-fs' !== args.store) {
run(); run();
return; return;
} }
// TODO remove mkdirp and let greenlock-store-fs do this? // TODO remove mkdirp and let greenlock-store-fs do this?
mkdirp(args.storeOpts.configDir, function(err) { mkdirp(args.storeOpts.configDir, function(err) {
if (!err) { if (!err) {
run(); run();
} }
console.error( console.error(
"Could not create --config-dir '" + args.configDir + "':", "Could not create --config-dir '" + args.configDir + "':",
err.code err.code
); );
console.error("Try setting --config-dir '/tmp'"); console.error("Try setting --config-dir '/tmp'");
return; return;
}); });
}, process.argv.slice(3)); }, process.argv.slice(3));

372
bin/cli.js
View File

@ -7,228 +7,228 @@ var defaultOpts;
var bags = []; var bags = [];
CLI.parse = function(conf) { CLI.parse = function(conf) {
var opts = (defaultOpts = {}); var opts = (defaultOpts = {});
defaultConf = conf; defaultConf = conf;
Object.keys(conf).forEach(function(k) { Object.keys(conf).forEach(function(k) {
var v = conf[k]; var v = conf[k];
var aliases = v[5]; var aliases = v[5];
var bag; var bag;
var bagName; var bagName;
// the name of the argument set is now the 0th argument // the name of the argument set is now the 0th argument
v.unshift(k); v.unshift(k);
// v[0] flagname // v[0] flagname
// v[1] short flagname // v[1] short flagname
// v[2] description // v[2] description
// v[3] type // v[3] type
// v[4] default value // v[4] default value
// v[5] aliases // v[5] aliases
if ('bag' === v[3]) { if ('bag' === v[3]) {
bag = v[0]; // 'bag-option-xxxx' => '--bag-option-' bag = v[0]; // 'bag-option-xxxx' => '--bag-option-'
bag = '--' + bag.replace(/xxx.*/, ''); bag = '--' + bag.replace(/xxx.*/, '');
bags.push(bag); bags.push(bag);
bagName = toBagName(bag.replace(/^--/, '')); bagName = toBagName(bag.replace(/^--/, ''));
opts[bagName] = {}; opts[bagName] = {};
} }
if ('json' === v[3]) { if ('json' === v[3]) {
bagName = toBagName(v[0].replace(/-json$/, '')); // 'bag-option-json' => 'bagOptionOpts' bagName = toBagName(v[0].replace(/-json$/, '')); // 'bag-option-json' => 'bagOptionOpts'
opts[bagName] = {}; opts[bagName] = {};
} else if ('ignore' !== v[3] && 'undefined' !== typeof v[4]) { } else if ('ignore' !== v[3] && 'undefined' !== typeof v[4]) {
// set the default values (where 'undefined' is not an allowed value) // set the default values (where 'undefined' is not an allowed value)
opts[toCamel(k)] = v[4]; opts[toCamel(k)] = v[4];
} }
if (!aliases) { if (!aliases) {
aliases = []; aliases = [];
} else if ('string' === typeof aliases) { } else if ('string' === typeof aliases) {
aliases = aliases.split(','); aliases = aliases.split(',');
} }
aliases.forEach(function(alias) { aliases.forEach(function(alias) {
if (alias in conf) { if (alias in conf) {
throw new Error( throw new Error(
"Cannot alias '" + "Cannot alias '" +
alias + alias +
"' from '" + "' from '" +
k + k +
"': option already exists" "': option already exists"
); );
} }
conf[alias] = v; conf[alias] = v;
}); });
}); });
}; };
CLI.main = function(cb, args) { CLI.main = function(cb, args) {
var leftovers = []; var leftovers = [];
var conf = defaultConf; var conf = defaultConf;
var opts = defaultOpts; var opts = defaultOpts;
if (!opts) { if (!opts) {
throw new Error("you didn't call `CLI.parse(configuration)`"); throw new Error("you didn't call `CLI.parse(configuration)`");
} }
// TODO what's the existing API for this? // TODO what's the existing API for this?
if (!args) { if (!args) {
args = process.argv.slice(2); args = process.argv.slice(2);
} }
var flag; var flag;
var cnf; var cnf;
var typ; var typ;
function grab(bag) { function grab(bag) {
var bagName = toBagName(bag); var bagName = toBagName(bag);
if (bag !== flag.slice(0, bag.length)) { if (bag !== flag.slice(0, bag.length)) {
return false; return false;
} }
console.log(bagName, toCamel(flag.slice(bag.length))); console.log(bagName, toCamel(flag.slice(bag.length)));
opts[bagName][toCamel(flag.slice(bag.length))] = args.shift(); opts[bagName][toCamel(flag.slice(bag.length))] = args.shift();
return true; return true;
} }
while (args.length) { while (args.length) {
// take one off the top // take one off the top
flag = args.shift(); flag = args.shift();
// mind the gap // mind the gap
if ('--' === flag) { if ('--' === flag) {
leftovers = leftovers.concat(args); leftovers = leftovers.concat(args);
break; break;
} }
// help! // help!
if ( if (
'--help' === flag || '--help' === flag ||
'-h' === flag || '-h' === flag ||
'/?' === flag || '/?' === flag ||
'help' === flag 'help' === flag
) { ) {
printHelp(conf); printHelp(conf);
process.exit(1); process.exit(1);
} }
// only long names are actually used // only long names are actually used
if ('--' !== flag.slice(0, 2)) { if ('--' !== flag.slice(0, 2)) {
console.error("Unrecognized argument '" + flag + "'"); console.error("Unrecognized argument '" + flag + "'");
process.exit(1); process.exit(1);
} }
cnf = conf[flag.slice(2)]; cnf = conf[flag.slice(2)];
if (!cnf) { if (!cnf) {
// look for arbitrary flags // look for arbitrary flags
if (bags.some(grab)) { if (bags.some(grab)) {
continue; continue;
} }
// other arbitrary args are not used // other arbitrary args are not used
console.error("Unrecognized flag '" + flag + "'"); console.error("Unrecognized flag '" + flag + "'");
process.exit(1); process.exit(1);
} }
// encourage switching to non-aliased version // encourage switching to non-aliased version
if (flag !== '--' + cnf[0]) { if (flag !== '--' + cnf[0]) {
console.warn( console.warn(
"use of '" + "use of '" +
flag + flag +
"' is deprecated, use '--" + "' is deprecated, use '--" +
cnf[0] + cnf[0] +
"' instead" "' instead"
); );
} }
// look for xxx-json flags // look for xxx-json flags
if ('json' === cnf[3]) { if ('json' === cnf[3]) {
try { try {
var json = JSON.parse(args.shift()); var json = JSON.parse(args.shift());
var bagName = toBagName(cnf[0].replace(/-json$/, '')); var bagName = toBagName(cnf[0].replace(/-json$/, ''));
Object.keys(json).forEach(function(k) { Object.keys(json).forEach(function(k) {
opts[bagName][k] = json[k]; opts[bagName][k] = json[k];
}); });
} catch (e) { } catch (e) {
console.error("Could not parse option '" + flag + "' as JSON:"); console.error("Could not parse option '" + flag + "' as JSON:");
console.error(e.message); console.error(e.message);
process.exit(1); process.exit(1);
} }
continue; continue;
} }
// set booleans, otherwise grab the next arg in line // set booleans, otherwise grab the next arg in line
typ = cnf[3]; typ = cnf[3];
// TODO --no-<whatever> to negate // TODO --no-<whatever> to negate
if (Boolean === typ || 'boolean' === typ) { if (Boolean === typ || 'boolean' === typ) {
opts[toCamel(cnf[0])] = true; opts[toCamel(cnf[0])] = true;
continue; continue;
} }
opts[toCamel(cnf[0])] = args.shift(); opts[toCamel(cnf[0])] = args.shift();
continue; continue;
} }
cb(leftovers, opts); cb(leftovers, opts);
}; };
function toCamel(str) { function toCamel(str) {
return str.replace(/-([a-z0-9])/g, function(m) { return str.replace(/-([a-z0-9])/g, function(m) {
return m[1].toUpperCase(); return m[1].toUpperCase();
}); });
} }
function toBagName(bag) { function toBagName(bag) {
// trim leading and trailing '-' // trim leading and trailing '-'
bag = bag.replace(/^-+/g, '').replace(/-+$/g, ''); bag = bag.replace(/^-+/g, '').replace(/-+$/g, '');
return toCamel(bag) + 'Opts'; // '--bag-option-' => bagOptionOpts return toCamel(bag) + 'Opts'; // '--bag-option-' => bagOptionOpts
} }
function printHelp(conf) { function printHelp(conf) {
var flagLen = 0; var flagLen = 0;
var typeLen = 0; var typeLen = 0;
var defLen = 0; var defLen = 0;
Object.keys(conf).forEach(function(k) { Object.keys(conf).forEach(function(k) {
flagLen = Math.max(flagLen, conf[k][0].length); flagLen = Math.max(flagLen, conf[k][0].length);
typeLen = Math.max(typeLen, conf[k][3].length); typeLen = Math.max(typeLen, conf[k][3].length);
if ('undefined' !== typeof conf[k][4]) { if ('undefined' !== typeof conf[k][4]) {
defLen = Math.max( defLen = Math.max(
defLen, defLen,
'(Default: )'.length + String(conf[k][4]).length '(Default: )'.length + String(conf[k][4]).length
); );
} }
}); });
Object.keys(conf).forEach(function(k) { Object.keys(conf).forEach(function(k) {
var v = conf[k]; var v = conf[k];
// skip aliases // skip aliases
if (v[0] !== k) { if (v[0] !== k) {
return; return;
} }
var def = v[4]; var def = v[4];
if ('undefined' === typeof def) { if ('undefined' === typeof def) {
def = ''; def = '';
} else { } else {
def = '(default: ' + JSON.stringify(def) + ')'; def = '(default: ' + JSON.stringify(def) + ')';
} }
var msg = var msg =
' --' + ' --' +
v[0].padEnd(flagLen) + v[0].padEnd(flagLen) +
' ' + ' ' +
v[3].padStart(typeLen + 1) + v[3].padStart(typeLen + 1) +
' ' + ' ' +
(v[2] || '') + (v[2] || '') +
' ' + ' ' +
def; /*.padStart(defLen)*/ def; /*.padStart(defLen)*/
// v[0] flagname // v[0] flagname
// v[1] short flagname // v[1] short flagname
// v[2] description // v[2] description
// v[3] type // v[3] type
// v[4] default value // v[4] default value
// v[5] aliases // v[5] aliases
console.info(msg); console.info(msg);
}); });
} }

4
bin/greenlock.js
View File

@ -4,6 +4,6 @@
var args = process.argv.slice(2); var args = process.argv.slice(2);
console.log(args); console.log(args);
if ('certonly' === args[0]) { if ('certonly' === args[0]) {
require('./certonly.js'); require('./certonly.js');
return; return;
} }

490
certificates.js
View File

@ -21,298 +21,298 @@ var rawPending = {};
// Certificates // Certificates
C._getOrOrder = function(gnlck, mconf, db, acme, chs, acc, args) { C._getOrOrder = function(gnlck, mconf, db, acme, chs, acc, args) {
var email = args.subscriberEmail || mconf.subscriberEmail; var email = args.subscriberEmail || mconf.subscriberEmail;
var id = args.altnames var id = args.altnames
.slice(0) .slice(0)
.sort() .sort()
.join(' '); .join(' ');
if (pending[id]) { if (pending[id]) {
return pending[id]; return pending[id];
} }
pending[id] = C._rawGetOrOrder( pending[id] = C._rawGetOrOrder(
gnlck, gnlck,
mconf, mconf,
db, db,
acme, acme,
chs, chs,
acc, acc,
email, email,
args args
) )
.then(function(pems) { .then(function(pems) {
delete pending[id]; delete pending[id];
return pems; return pems;
}) })
.catch(function(err) { .catch(function(err) {
delete pending[id]; delete pending[id];
throw err; throw err;
}); });
return pending[id]; return pending[id];
}; };
// Certificates // Certificates
C._rawGetOrOrder = function(gnlck, mconf, db, acme, chs, acc, email, args) { C._rawGetOrOrder = function(gnlck, mconf, db, acme, chs, acc, email, args) {
return C._check(gnlck, mconf, db, args).then(function(pems) { return C._check(gnlck, mconf, db, args).then(function(pems) {
// Nice and fresh? We're done! // Nice and fresh? We're done!
if (pems) { if (pems) {
if (!C._isStale(gnlck, mconf, args, pems)) { if (!C._isStale(gnlck, mconf, args, pems)) {
// return existing unexpired (although potentially stale) certificates when available // return existing unexpired (although potentially stale) certificates when available
// there will be an additional .renewing property if the certs are being asynchronously renewed // there will be an additional .renewing property if the certs are being asynchronously renewed
//pems._type = 'current'; //pems._type = 'current';
return pems; return pems;
} }
} }
// We're either starting fresh or freshening up... // We're either starting fresh or freshening up...
var p = C._rawOrder(gnlck, mconf, db, acme, chs, acc, email, args); var p = C._rawOrder(gnlck, mconf, db, acme, chs, acc, email, args);
var evname = pems ? 'cert_renewal' : 'cert_issue'; var evname = pems ? 'cert_renewal' : 'cert_issue';
p.then(function(newPems) { p.then(function(newPems) {
// notify in the background // notify in the background
var renewAt = C._renewWithStagger(gnlck, mconf, args, newPems); var renewAt = C._renewWithStagger(gnlck, mconf, args, newPems);
gnlck._notify(evname, { gnlck._notify(evname, {
renewAt: renewAt, renewAt: renewAt,
subject: args.subject, subject: args.subject,
altnames: args.altnames altnames: args.altnames
}); });
gnlck._notify('_cert_issue', { gnlck._notify('_cert_issue', {
renewAt: renewAt, renewAt: renewAt,
subject: args.subject, subject: args.subject,
altnames: args.altnames, altnames: args.altnames,
pems: newPems pems: newPems
}); });
}).catch(function(err) { }).catch(function(err) {
if (!err.context) { if (!err.context) {
err.context = evname; err.context = evname;
} }
err.subject = args.subject; err.subject = args.subject;
err.altnames = args.altnames; err.altnames = args.altnames;
gnlck._notify('error', err); gnlck._notify('error', err);
}); });
// No choice but to hang tight and wait for it // No choice but to hang tight and wait for it
if ( if (
!pems || !pems ||
pems.renewAt < Date.now() - 24 * 60 * 60 * 1000 || pems.renewAt < Date.now() - 24 * 60 * 60 * 1000 ||
pems.expiresAt <= Date.now() + 24 * 60 * 60 * 1000 pems.expiresAt <= Date.now() + 24 * 60 * 60 * 1000
) { ) {
return p; return p;
} }
// Wait it out // Wait it out
// TODO should we call this waitForRenewal? // TODO should we call this waitForRenewal?
if (args.waitForRenewal) { if (args.waitForRenewal) {
return p; return p;
} }
// Let the certs renew in the background // Let the certs renew in the background
return pems; return pems;
}); });
}; };
// we have another promise here because it the optional renewal // we have another promise here because it the optional renewal
// may resolve in a different stack than the returned pems // may resolve in a different stack than the returned pems
C._rawOrder = function(gnlck, mconf, db, acme, chs, acc, email, args) { C._rawOrder = function(gnlck, mconf, db, acme, chs, acc, email, args) {
var id = args.altnames var id = args.altnames
.slice(0) .slice(0)
.sort() .sort()
.join(' '); .join(' ');
if (rawPending[id]) { if (rawPending[id]) {
return rawPending[id]; return rawPending[id];
} }
var keyType = args.serverKeyType || mconf.serverKeyType; var keyType = args.serverKeyType || mconf.serverKeyType;
var query = { var query = {
subject: args.subject, subject: args.subject,
certificate: args.certificate || {}, certificate: args.certificate || {},
directoryUrl: args.directoryUrl || gnlck._defaults.directoryUrl directoryUrl: args.directoryUrl || gnlck._defaults.directoryUrl
}; };
rawPending[id] = U._getOrCreateKeypair(db, args.subject, query, keyType) rawPending[id] = U._getOrCreateKeypair(db, args.subject, query, keyType)
.then(function(kresult) { .then(function(kresult) {
var serverKeypair = kresult.keypair; var serverKeypair = kresult.keypair;
var domains = args.altnames.slice(0); var domains = args.altnames.slice(0);
return CSR.csr({ return CSR.csr({
jwk: serverKeypair.privateKeyJwk || serverKeypair.private, jwk: serverKeypair.privateKeyJwk || serverKeypair.private,
domains: domains, domains: domains,
encoding: 'der' encoding: 'der'
}) })
.then(function(csrDer) { .then(function(csrDer) {
// TODO let CSR support 'urlBase64' ? // TODO let CSR support 'urlBase64' ?
return Enc.bufToUrlBase64(csrDer); return Enc.bufToUrlBase64(csrDer);
}) })
.then(function(csr) { .then(function(csr) {
function notify(ev, opts) { function notify(ev, opts) {
gnlck._notify(ev, opts); gnlck._notify(ev, opts);
} }
var certReq = { var certReq = {
debug: args.debug || gnlck._defaults.debug, debug: args.debug || gnlck._defaults.debug,
challenges: chs, challenges: chs,
account: acc, // only used if accounts.key.kid exists account: acc, // only used if accounts.key.kid exists
accountKey: accountKey:
acc.keypair.privateKeyJwk || acc.keypair.private, acc.keypair.privateKeyJwk || acc.keypair.private,
keypair: acc.keypair, // TODO keypair: acc.keypair, // TODO
csr: csr, csr: csr,
domains: domains, // because ACME.js v3 uses `domains` still, actually domains: domains, // because ACME.js v3 uses `domains` still, actually
onChallengeStatus: notify, onChallengeStatus: notify,
notify: notify // TODO notify: notify // TODO
// TODO handle this in acme-v2 // TODO handle this in acme-v2
//subject: args.subject, //subject: args.subject,
//altnames: args.altnames.slice(0), //altnames: args.altnames.slice(0),
}; };
return acme.certificates return acme.certificates
.create(certReq) .create(certReq)
.then(U._attachCertInfo); .then(U._attachCertInfo);
}) })
.then(function(pems) { .then(function(pems) {
if (kresult.exists) { if (kresult.exists) {
return pems; return pems;
} }
query.keypair = serverKeypair; query.keypair = serverKeypair;
return db.setKeypair(query, serverKeypair).then(function() { return db.setKeypair(query, serverKeypair).then(function() {
return pems; return pems;
}); });
}); });
}) })
.then(function(pems) { .then(function(pems) {
// TODO put this in the docs // TODO put this in the docs
// { cert, chain, privkey, subject, altnames, issuedAt, expiresAt } // { cert, chain, privkey, subject, altnames, issuedAt, expiresAt }
// Note: the query has been updated // Note: the query has been updated
query.pems = pems; query.pems = pems;
return db.set(query); return db.set(query);
}) })
.then(function() { .then(function() {
return C._check(gnlck, mconf, db, args); return C._check(gnlck, mconf, db, args);
}) })
.then(function(bundle) { .then(function(bundle) {
// TODO notify Manager // TODO notify Manager
delete rawPending[id]; delete rawPending[id];
return bundle; return bundle;
}) })
.catch(function(err) { .catch(function(err) {
// Todo notify manager // Todo notify manager
delete rawPending[id]; delete rawPending[id];
throw err; throw err;
}); });
return rawPending[id]; return rawPending[id];
}; };
// returns pems, if they exist // returns pems, if they exist
C._check = function(gnlck, mconf, db, args) { C._check = function(gnlck, mconf, db, args) {
var query = { var query = {
subject: args.subject, subject: args.subject,
// may contain certificate.id // may contain certificate.id
certificate: args.certificate, certificate: args.certificate,
directoryUrl: args.directoryUrl || gnlck._defaults.directoryUrl directoryUrl: args.directoryUrl || gnlck._defaults.directoryUrl
}; };
return db.check(query).then(function(pems) { return db.check(query).then(function(pems) {
if (!pems) { if (!pems) {
return null; return null;
} }
pems = U._attachCertInfo(pems); pems = U._attachCertInfo(pems);
// For eager management // For eager management
if (args.subject && !U._certHasDomain(pems, args.subject)) { if (args.subject && !U._certHasDomain(pems, args.subject)) {
// TODO report error, but continue the process as with no cert // TODO report error, but continue the process as with no cert
return null; return null;
} }
// For lazy SNI requests // For lazy SNI requests
if (args.domain && !U._certHasDomain(pems, args.domain)) { if (args.domain && !U._certHasDomain(pems, args.domain)) {
// TODO report error, but continue the process as with no cert // TODO report error, but continue the process as with no cert
return null; return null;
} }
return U._getKeypair(db, args.subject, query) return U._getKeypair(db, args.subject, query)
.then(function(keypair) { .then(function(keypair) {
return Keypairs.export({ return Keypairs.export({
jwk: keypair.privateKeyJwk || keypair.private, jwk: keypair.privateKeyJwk || keypair.private,
encoding: 'pem' encoding: 'pem'
}).then(function(pem) { }).then(function(pem) {
pems.privkey = pem; pems.privkey = pem;
return pems; return pems;
}); });
}) })
.catch(function() { .catch(function() {
// TODO report error, but continue the process as with no cert // TODO report error, but continue the process as with no cert
return null; return null;
}); });
}); });
}; };
// Certificates // Certificates
C._isStale = function(gnlck, mconf, args, pems) { C._isStale = function(gnlck, mconf, args, pems) {
if (args.duplicate) { if (args.duplicate) {
return true; return true;
} }
var renewAt = C._renewableAt(gnlck, mconf, args, pems); var renewAt = C._renewableAt(gnlck, mconf, args, pems);
if (Date.now() >= renewAt) { if (Date.now() >= renewAt) {
return true; return true;
} }
return false; return false;
}; };
C._renewWithStagger = function(gnlck, mconf, args, pems) { C._renewWithStagger = function(gnlck, mconf, args, pems) {
var renewOffset = C._renewOffset(gnlck, mconf, args, pems); var renewOffset = C._renewOffset(gnlck, mconf, args, pems);
var renewStagger; var renewStagger;
try { try {
renewStagger = U._parseDuration( renewStagger = U._parseDuration(
args.renewStagger || mconf.renewStagger || 0 args.renewStagger || mconf.renewStagger || 0
); );
} catch (e) { } catch (e) {
renewStagger = U._parseDuration( renewStagger = U._parseDuration(
args.renewStagger || mconf.renewStagger args.renewStagger || mconf.renewStagger
); );
} }
// TODO check this beforehand // TODO check this beforehand
if (!args.force && renewStagger / renewOffset >= 0.5) { if (!args.force && renewStagger / renewOffset >= 0.5) {
renewStagger = renewOffset * 0.1; renewStagger = renewOffset * 0.1;
} }
if (renewOffset > 0) { if (renewOffset > 0) {
// stagger forward, away from issued at // stagger forward, away from issued at
return Math.round( return Math.round(
pems.issuedAt + renewOffset + Math.random() * renewStagger pems.issuedAt + renewOffset + Math.random() * renewStagger
); );
} }
// stagger backward, toward issued at // stagger backward, toward issued at
return Math.round( return Math.round(
pems.expiresAt + renewOffset - Math.random() * renewStagger pems.expiresAt + renewOffset - Math.random() * renewStagger
); );
}; };
C._renewOffset = function(gnlck, mconf, args /*, pems*/) { C._renewOffset = function(gnlck, mconf, args /*, pems*/) {
var renewOffset = U._parseDuration( var renewOffset = U._parseDuration(
args.renewOffset || mconf.renewOffset || 0 args.renewOffset || mconf.renewOffset || 0
); );
var week = 1000 * 60 * 60 * 24 * 6; var week = 1000 * 60 * 60 * 24 * 6;
if (!args.force && Math.abs(renewOffset) < week) { if (!args.force && Math.abs(renewOffset) < week) {
throw new Error( throw new Error(
'developer error: `renewOffset` should always be at least a week, use `force` to not safety-check renewOffset' 'developer error: `renewOffset` should always be at least a week, use `force` to not safety-check renewOffset'
); );
} }
return renewOffset; return renewOffset;
}; };
C._renewableAt = function(gnlck, mconf, args, pems) { C._renewableAt = function(gnlck, mconf, args, pems) {
if (args.renewAt) { if (args.renewAt) {
return args.renewAt; return args.renewAt;
} }
var renewOffset = C._renewOffset(gnlck, mconf, args, pems); var renewOffset = C._renewOffset(gnlck, mconf, args, pems);
if (renewOffset > 0) { if (renewOffset > 0) {
return pems.issuedAt + renewOffset; return pems.issuedAt + renewOffset;
} }
return pems.expiresAt + renewOffset; return pems.expiresAt + renewOffset;
}; };

48
errors.js
View File

@ -3,14 +3,14 @@
var E = module.exports; var E = module.exports;
function create(code, msg) { function create(code, msg) {
E[code] = function(ctx, msg2) { E[code] = function(ctx, msg2) {
var err = new Error(msg); var err = new Error(msg);
err.code = code; err.code = code;
err.context = ctx; err.context = ctx;
if (msg2) { if (msg2) {
err.message += ': ' + msg2; err.message += ': ' + msg2;
} }
/* /*
Object.keys(extras).forEach(function(k) { Object.keys(extras).forEach(function(k) {
if ('message' === k) { if ('message' === k) {
err.message += ': ' + extras[k]; err.message += ': ' + extras[k];
@ -19,39 +19,39 @@ function create(code, msg) {
} }
}); });
*/ */
return err; return err;
}; };
} }
// TODO open issues and link to them as the error url // TODO open issues and link to them as the error url
create( create(
'NO_MAINTAINER', 'NO_MAINTAINER',
'please supply `maintainerEmail` as a contact for security and critical bug notices' 'please supply `maintainerEmail` as a contact for security and critical bug notices'
); );
create( create(
'BAD_ORDER', 'BAD_ORDER',
'altnames should be in deterministic order, with subject as the first altname' 'altnames should be in deterministic order, with subject as the first altname'
); );
create('NO_SUBJECT', 'no certificate subject given'); create('NO_SUBJECT', 'no certificate subject given');
create( create(
'NO_SUBSCRIBER', 'NO_SUBSCRIBER',
'please supply `subscriberEmail` as a contact for failed renewal and certificate revocation' 'please supply `subscriberEmail` as a contact for failed renewal and certificate revocation'
); );
create( create(
'INVALID_SUBSCRIBER', 'INVALID_SUBSCRIBER',
'`subscriberEmail` is not a valid address, please check for typos' '`subscriberEmail` is not a valid address, please check for typos'
); );
create( create(
'INVALID_HOSTNAME', 'INVALID_HOSTNAME',
'valid hostnames must be restricted to a-z0-9_.- and contain at least one "."' 'valid hostnames must be restricted to a-z0-9_.- and contain at least one "."'
); );
create( create(
'INVALID_DOMAIN', 'INVALID_DOMAIN',
'one or more domains do not exist on public DNS SOA record' 'one or more domains do not exist on public DNS SOA record'
); );
create( create(
'NOT_UNIQUE', 'NOT_UNIQUE',
'found duplicate domains, or a subdomain that overlaps a wildcard' 'found duplicate domains, or a subdomain that overlaps a wildcard'
); );
// exported for testing only // exported for testing only

1136
greenlock.js
View File

File diff suppressed because it is too large Load Diff

376
manager-underlay.js
View File

@ -6,162 +6,162 @@ var E = require('./errors.js');
var warned = {}; var warned = {};
module.exports.wrap = function(greenlock, manager) { module.exports.wrap = function(greenlock, manager) {
greenlock.manager = {}; greenlock.manager = {};
greenlock.sites = {}; greenlock.sites = {};
//greenlock.accounts = {}; //greenlock.accounts = {};
//greenlock.certs = {}; //greenlock.certs = {};
var allowed = [ var allowed = [
'accountKeyType', //: ["P-256", "RSA-2048"], 'accountKeyType', //: ["P-256", "RSA-2048"],
'serverKeyType', //: ["RSA-2048", "P-256"], 'serverKeyType', //: ["RSA-2048", "P-256"],
'store', // : { module, specific opts }, 'store', // : { module, specific opts },
'challenges', // : { "http-01", "dns-01", "tls-alpn-01" }, 'challenges', // : { "http-01", "dns-01", "tls-alpn-01" },
'subscriberEmail', 'subscriberEmail',
'agreeToTerms', 'agreeToTerms',
'agreeTos', 'agreeTos',
'customerEmail', 'customerEmail',
'renewOffset', 'renewOffset',
'renewStagger', 'renewStagger',
'module', // not allowed, just ignored 'module', // not allowed, just ignored
'manager' 'manager'
]; ];
// get / set default site settings such as // get / set default site settings such as
// subscriberEmail, store, challenges, renewOffset, renewStagger // subscriberEmail, store, challenges, renewOffset, renewStagger
greenlock.manager.defaults = function(conf) { greenlock.manager.defaults = function(conf) {
return greenlock._init().then(function() { return greenlock._init().then(function() {
if (!conf) { if (!conf) {
return manager.defaults(); return manager.defaults();
} }
if (conf.sites) { if (conf.sites) {
throw new Error('cannot set sites as global config'); throw new Error('cannot set sites as global config');
} }
if (conf.routes) { if (conf.routes) {
throw new Error('cannot set routes as global config'); throw new Error('cannot set routes as global config');
} }
// disallow keys we know to be bad // disallow keys we know to be bad
[ [
'subject', 'subject',
'deletedAt', 'deletedAt',
'altnames', 'altnames',
'lastAttemptAt', 'lastAttemptAt',
'expiresAt', 'expiresAt',
'issuedAt', 'issuedAt',
'renewAt', 'renewAt',
'sites', 'sites',
'routes' 'routes'
].some(function(k) { ].some(function(k) {
if (k in conf) { if (k in conf) {
throw new Error( throw new Error(
'`' + k + '` not allowed as a default setting' '`' + k + '` not allowed as a default setting'
); );
} }
}); });
Object.keys(conf).forEach(function(k) { Object.keys(conf).forEach(function(k) {
if (!allowed.includes(k) && !warned[k]) { if (!allowed.includes(k) && !warned[k]) {
warned[k] = true; warned[k] = true;
console.warn( console.warn(
k + k +
" isn't a known key. Please open an issue and let us know the use case." " isn't a known key. Please open an issue and let us know the use case."
); );
} }
}); });
Object.keys(conf).forEach(function(k) { Object.keys(conf).forEach(function(k) {
if (-1 !== ['module', 'manager'].indexOf(k)) { if (-1 !== ['module', 'manager'].indexOf(k)) {
return; return;
} }
if ('undefined' === typeof k) { if ('undefined' === typeof k) {
throw new Error( throw new Error(
"'" + "'" +
k + k +
"' should be set to a value, or `null`, but not left `undefined`" "' should be set to a value, or `null`, but not left `undefined`"
); );
} }
}); });
return manager.defaults(conf); return manager.defaults(conf);
}); });
}; };
greenlock.add = greenlock.manager.add = function(args) { greenlock.add = greenlock.manager.add = function(args) {
if (!args || !Array.isArray(args.altnames) || !args.altnames.length) { if (!args || !Array.isArray(args.altnames) || !args.altnames.length) {
throw new Error( throw new Error(
'you must specify `altnames` when adding a new site' 'you must specify `altnames` when adding a new site'
); );
} }
if (args.renewAt) { if (args.renewAt) {
throw new Error( throw new Error(
'you cannot specify `renewAt` when adding a new site' 'you cannot specify `renewAt` when adding a new site'
); );
} }
return greenlock.manager.set(args); return greenlock.manager.set(args);
}; };
// TODO agreeToTerms should be handled somewhere... maybe? // TODO agreeToTerms should be handled somewhere... maybe?
// Add and update remains because I said I had locked the API // Add and update remains because I said I had locked the API
greenlock.manager.set = greenlock.manager.update = function(args) { greenlock.manager.set = greenlock.manager.update = function(args) {
return greenlock._init().then(function() { return greenlock._init().then(function() {
// The goal is to make this decently easy to manage by hand without mistakes // The goal is to make this decently easy to manage by hand without mistakes
// but also reasonably easy to error check and correct // but also reasonably easy to error check and correct
// and to make deterministic auto-corrections // and to make deterministic auto-corrections
args.subject = checkSubject(args); args.subject = checkSubject(args);
//var subscriberEmail = args.subscriberEmail; //var subscriberEmail = args.subscriberEmail;
// TODO shortcut the other array checks when not necessary // TODO shortcut the other array checks when not necessary
if (Array.isArray(args.altnames)) { if (Array.isArray(args.altnames)) {
args.altnames = checkAltnames(args.subject, args); args.altnames = checkAltnames(args.subject, args);
} }
// at this point we know that subject is the first of altnames // at this point we know that subject is the first of altnames
return Promise.all( return Promise.all(
(args.altnames || []).map(function(d) { (args.altnames || []).map(function(d) {
d = d.replace('*.', ''); d = d.replace('*.', '');
return U._validDomain(d); return U._validDomain(d);
}) })
).then(function() { ).then(function() {
if (!U._uniqueNames(args.altnames || [])) { if (!U._uniqueNames(args.altnames || [])) {
throw E.NOT_UNIQUE( throw E.NOT_UNIQUE(
'add', 'add',
"'" + args.altnames.join("' '") + "'" "'" + args.altnames.join("' '") + "'"
); );
} }
// durations // durations
if (args.renewOffset) { if (args.renewOffset) {
args.renewOffset = U._parseDuration(args.renewOffset); args.renewOffset = U._parseDuration(args.renewOffset);
} }
if (args.renewStagger) { if (args.renewStagger) {
args.renewStagger = U._parseDuration(args.renewStagger); args.renewStagger = U._parseDuration(args.renewStagger);
} }
return manager.set(args).then(function(result) { return manager.set(args).then(function(result) {
greenlock.renew({}).catch(function(err) { greenlock.renew({}).catch(function(err) {
if (!err.context) { if (!err.context) {
err.contxt = 'renew'; err.contxt = 'renew';
} }
greenlock._notify('error', err); greenlock._notify('error', err);
}); });
return result; return result;
}); });
}); });
}); });
}; };
greenlock.manager.remove = function(args) { greenlock.manager.remove = function(args) {
args.subject = checkSubject(args); args.subject = checkSubject(args);
// TODO check no altnames // TODO check no altnames
return manager.remove(args); return manager.remove(args);
}; };
/* /*
{ {
subject: site.subject, subject: site.subject,
altnames: site.altnames, altnames: site.altnames,
@ -177,60 +177,60 @@ module.exports.wrap = function(greenlock, manager) {
}; };
*/ */
greenlock._find = function(args) { greenlock._find = function(args) {
var altnames = args.altnames || []; var altnames = args.altnames || [];
// servername, wildname, and altnames are all the same // servername, wildname, and altnames are all the same
['wildname', 'servername'].forEach(function(k) { ['wildname', 'servername'].forEach(function(k) {
var altname = args[k] || ''; var altname = args[k] || '';
if (altname && !altnames.includes(altname)) { if (altname && !altnames.includes(altname)) {
altnames.push(altname); altnames.push(altname);
} }
}); });
if (altnames.length) { if (altnames.length) {
args.altnames = altnames; args.altnames = altnames;
args.altnames = args.altnames.map(U._encodeName); args.altnames = args.altnames.map(U._encodeName);
args.altnames = checkAltnames(false, args); args.altnames = checkAltnames(false, args);
} }
return manager.find(args); return manager.find(args);
}; };
}; };
function checkSubject(args) { function checkSubject(args) {
if (!args || !args.subject) { if (!args || !args.subject) {
throw new Error('you must specify `subject` when configuring a site'); throw new Error('you must specify `subject` when configuring a site');
} }
/* /*
if (!args.subject) { if (!args.subject) {
throw E.NO_SUBJECT('add'); throw E.NO_SUBJECT('add');
} }
*/ */
var subject = (args.subject || '').toLowerCase(); var subject = (args.subject || '').toLowerCase();
if (subject !== args.subject) { if (subject !== args.subject) {
console.warn('`subject` must be lowercase', args.subject); console.warn('`subject` must be lowercase', args.subject);
} }
return U._encodeName(subject); return U._encodeName(subject);
} }
function checkAltnames(subject, args) { function checkAltnames(subject, args) {
// the things we have to check and get right // the things we have to check and get right
var altnames = (args.altnames || []).map(function(name) { var altnames = (args.altnames || []).map(function(name) {
return String(name || '').toLowerCase(); return String(name || '').toLowerCase();
}); });
if (subject && subject !== altnames[0]) { if (subject && subject !== altnames[0]) {
throw new Error( throw new Error(
'`subject` must be the first domain in `altnames`', '`subject` must be the first domain in `altnames`',
args.subject, args.subject,
altnames.join(' ') altnames.join(' ')
); );
} }
/* /*
if (args.subject !== args.altnames[0]) { if (args.subject !== args.altnames[0]) {
throw E.BAD_ORDER( throw E.BAD_ORDER(
'add', 'add',
@ -239,20 +239,20 @@ function checkAltnames(subject, args) {
} }
*/ */
// punycode BEFORE validation // punycode BEFORE validation
// (set, find, remove) // (set, find, remove)
args.altnames = args.altnames.map(U._encodeName); args.altnames = args.altnames.map(U._encodeName);
if ( if (
!args.altnames.every(function(d) { !args.altnames.every(function(d) {
return U._validName(d); return U._validName(d);
}) })
) { ) {
throw E.INVALID_HOSTNAME('add', "'" + args.altnames.join("' '") + "'"); throw E.INVALID_HOSTNAME('add', "'" + args.altnames.join("' '") + "'");
} }
if (altnames.join() !== args.altnames.join()) { if (altnames.join() !== args.altnames.join()) {
console.warn('all domains in `altnames` must be lowercase', altnames); console.warn('all domains in `altnames` must be lowercase', altnames);
} }
return altnames; return altnames;
} }

116
order.js
View File

@ -1,95 +1,95 @@
var accountKeypair = await Keypairs.generate({ kty: accKty }); var accountKeypair = await Keypairs.generate({ kty: accKty });
if (config.debug) { if (config.debug) {
console.info('Account Key Created'); console.info('Account Key Created');
console.info(JSON.stringify(accountKeypair, null, 2)); console.info(JSON.stringify(accountKeypair, null, 2));
console.info(); console.info();
console.info(); console.info();
} }
var account = await acme.accounts.create({ var account = await acme.accounts.create({
agreeToTerms: agree, agreeToTerms: agree,
// TODO detect jwk/pem/der? // TODO detect jwk/pem/der?
accountKeypair: { privateKeyJwk: accountKeypair.private }, accountKeypair: { privateKeyJwk: accountKeypair.private },
subscriberEmail: config.email subscriberEmail: config.email
}); });
// TODO top-level agree // TODO top-level agree
function agree(tos) { function agree(tos) {
if (config.debug) { if (config.debug) {
console.info('Agreeing to Terms of Service:'); console.info('Agreeing to Terms of Service:');
console.info(tos); console.info(tos);
console.info(); console.info();
console.info(); console.info();
} }
agreed = true; agreed = true;
return Promise.resolve(tos); return Promise.resolve(tos);
} }
if (config.debug) { if (config.debug) {
console.info('New Subscriber Account'); console.info('New Subscriber Account');
console.info(JSON.stringify(account, null, 2)); console.info(JSON.stringify(account, null, 2));
console.info(); console.info();
console.info(); console.info();
} }
if (!agreed) { if (!agreed) {
throw new Error('Failed to ask the user to agree to terms'); throw new Error('Failed to ask the user to agree to terms');
} }
var certKeypair = await Keypairs.generate({ kty: srvKty }); var certKeypair = await Keypairs.generate({ kty: srvKty });
var pem = await Keypairs.export({ var pem = await Keypairs.export({
jwk: certKeypair.private, jwk: certKeypair.private,
encoding: 'pem' encoding: 'pem'
}); });
if (config.debug) { if (config.debug) {
console.info('Server Key Created'); console.info('Server Key Created');
console.info('privkey.jwk.json'); console.info('privkey.jwk.json');
console.info(JSON.stringify(certKeypair, null, 2)); console.info(JSON.stringify(certKeypair, null, 2));
// This should be saved as `privkey.pem` // This should be saved as `privkey.pem`
console.info(); console.info();
console.info('privkey.' + srvKty.toLowerCase() + '.pem:'); console.info('privkey.' + srvKty.toLowerCase() + '.pem:');
console.info(pem); console.info(pem);
console.info(); console.info();
} }
// 'subject' should be first in list // 'subject' should be first in list
var domains = randomDomains(rnd); var domains = randomDomains(rnd);
if (config.debug) { if (config.debug) {
console.info('Get certificates for random domains:'); console.info('Get certificates for random domains:');
console.info( console.info(
domains domains
.map(function(puny) { .map(function(puny) {
var uni = punycode.toUnicode(puny); var uni = punycode.toUnicode(puny);
if (puny !== uni) { if (puny !== uni) {
return puny + ' (' + uni + ')'; return puny + ' (' + uni + ')';
} }
return puny; return puny;
}) })
.join('\n') .join('\n')
); );
console.info(); console.info();
} }
// Create CSR // Create CSR
var csrDer = await CSR.csr({ var csrDer = await CSR.csr({
jwk: certKeypair.private, jwk: certKeypair.private,
domains: domains, domains: domains,
encoding: 'der' encoding: 'der'
}); });
var csr = Enc.bufToUrlBase64(csrDer); var csr = Enc.bufToUrlBase64(csrDer);
var csrPem = PEM.packBlock({ var csrPem = PEM.packBlock({
type: 'CERTIFICATE REQUEST', type: 'CERTIFICATE REQUEST',
bytes: csrDer /* { jwk: jwk, domains: opts.domains } */ bytes: csrDer /* { jwk: jwk, domains: opts.domains } */
}); });
if (config.debug) { if (config.debug) {
console.info('Certificate Signing Request'); console.info('Certificate Signing Request');
console.info(csrPem); console.info(csrPem);
console.info(); console.info();
} }
var results = await acme.certificates.create({ var results = await acme.certificates.create({
account: account, account: account,
accountKeypair: { privateKeyJwk: accountKeypair.private }, accountKeypair: { privateKeyJwk: accountKeypair.private },
csr: csr, csr: csr,
domains: domains, domains: domains,
challenges: challenges, // must be implemented challenges: challenges, // must be implemented
customerEmail: null customerEmail: null
}); });

102
package.json
View File

@ -1,53 +1,53 @@
{ {
"name": "@root/greenlock", "name": "@root/greenlock",
"version": "3.0.17", "version": "3.0.17",
"description": "The easiest Let's Encrypt client for Node.js and Browsers", "description": "The easiest Let's Encrypt client for Node.js and Browsers",
"homepage": "https://rootprojects.org/greenlock/", "homepage": "https://rootprojects.org/greenlock/",
"main": "greenlock.js", "main": "greenlock.js",
"browser": {}, "browser": {},
"files": [ "files": [
"*.js", "*.js",
"lib", "lib",
"bin", "bin",
"dist" "dist"
], ],
"scripts": { "scripts": {
"build": "nodex bin/bundle.js", "build": "nodex bin/bundle.js",
"lint": "jshint lib bin", "lint": "jshint lib bin",
"test": "node server.js", "test": "node server.js",
"start": "node server.js" "start": "node server.js"
}, },
"repository": { "repository": {
"type": "git", "type": "git",
"url": "https://git.rootprojects.org/root/greenlock.js.git" "url": "https://git.rootprojects.org/root/greenlock.js.git"
}, },
"keywords": [ "keywords": [
"Let's Encrypt", "Let's Encrypt",
"ACME", "ACME",
"browser", "browser",
"EC", "EC",
"RSA", "RSA",
"CSR", "CSR",
"greenlock", "greenlock",
"VanillaJS", "VanillaJS",
"ZeroSSL" "ZeroSSL"
], ],
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)", "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
"license": "MPL-2.0", "license": "MPL-2.0",
"dependencies": { "dependencies": {
"@root/acme": "^3.0.8", "@root/acme": "^3.0.8",
"@root/csr": "^0.8.1", "@root/csr": "^0.8.1",
"@root/keypairs": "^0.9.0", "@root/keypairs": "^0.9.0",
"@root/mkdirp": "^1.0.0", "@root/mkdirp": "^1.0.0",
"@root/request": "^1.3.10", "@root/request": "^1.3.10",
"acme-http-01-standalone": "^3.0.5", "acme-http-01-standalone": "^3.0.5",
"cert-info": "^1.5.1", "cert-info": "^1.5.1",
"greenlock-manager-fs": "^3.0.1", "greenlock-manager-fs": "^3.0.1",
"greenlock-store-fs": "^3.2.0", "greenlock-store-fs": "^3.2.0",
"safe-replace": "^1.1.0" "safe-replace": "^1.1.0"
}, },
"devDependencies": { "devDependencies": {
"dotenv": "^8.2.0", "dotenv": "^8.2.0",
"punycode": "^1.4.1" "punycode": "^1.4.1"
} }
} }

530
plugins.js
View File

@ -10,192 +10,192 @@ var promisify = require('util').promisify;
P.PKG_DIR = __dirname; P.PKG_DIR = __dirname;
P._loadStore = function(storeConf) { P._loadStore = function(storeConf) {
return P._loadHelper(storeConf.module).then(function(plugin) { return P._loadHelper(storeConf.module).then(function(plugin) {
return P._normalizeStore(storeConf.module, plugin.create(storeConf)); return P._normalizeStore(storeConf.module, plugin.create(storeConf));
}); });
}; };
P._loadChallenge = function(chConfs, typ01) { P._loadChallenge = function(chConfs, typ01) {
return P._loadHelper(chConfs[typ01].module).then(function(plugin) { return P._loadHelper(chConfs[typ01].module).then(function(plugin) {
var ch = P._normalizeChallenge( var ch = P._normalizeChallenge(
chConfs[typ01].module, chConfs[typ01].module,
plugin.create(chConfs[typ01]) plugin.create(chConfs[typ01])
); );
ch._type = typ01; ch._type = typ01;
return ch; return ch;
}); });
}; };
P._loadHelper = function(modname) { P._loadHelper = function(modname) {
try { try {
return Promise.resolve(require(modname)); return Promise.resolve(require(modname));
} catch (e) { } catch (e) {
console.error("Could not load '%s'", modname); console.error("Could not load '%s'", modname);
console.error('Did you install it?'); console.error('Did you install it?');
console.error('\tnpm install --save %s', modname); console.error('\tnpm install --save %s', modname);
throw e; throw e;
// Fun experiment, bad idea // Fun experiment, bad idea
/* /*
return P._install(modname).then(function() { return P._install(modname).then(function() {
return require(modname); return require(modname);
}); });
*/ */
} }
}; };
P._normalizeStore = function(name, store) { P._normalizeStore = function(name, store) {
var acc = store.accounts; var acc = store.accounts;
var crt = store.certificates; var crt = store.certificates;
var warned = false; var warned = false;
function warn() { function warn() {
if (warned) { if (warned) {
return; return;
} }
warned = true; warned = true;
console.warn( console.warn(
"'" + "'" +
name + name +
"' may have incorrect function signatures, or contains deprecated use of callbacks" "' may have incorrect function signatures, or contains deprecated use of callbacks"
); );
} }
// accs // accs
if (acc.check && 2 === acc.check.length) { if (acc.check && 2 === acc.check.length) {
warn(); warn();
acc._thunk_check = acc.check; acc._thunk_check = acc.check;
acc.check = promisify(acc._thunk_check); acc.check = promisify(acc._thunk_check);
} }
if (acc.set && 3 === acc.set.length) { if (acc.set && 3 === acc.set.length) {
warn(); warn();
acc._thunk_set = acc.set; acc._thunk_set = acc.set;
acc.set = promisify(acc._thunk_set); acc.set = promisify(acc._thunk_set);
} }
if (2 === acc.checkKeypair.length) { if (2 === acc.checkKeypair.length) {
warn(); warn();
acc._thunk_checkKeypair = acc.checkKeypair; acc._thunk_checkKeypair = acc.checkKeypair;
acc.checkKeypair = promisify(acc._thunk_checkKeypair); acc.checkKeypair = promisify(acc._thunk_checkKeypair);
} }
if (3 === acc.setKeypair.length) { if (3 === acc.setKeypair.length) {
warn(); warn();
acc._thunk_setKeypair = acc.setKeypair; acc._thunk_setKeypair = acc.setKeypair;
acc.setKeypair = promisify(acc._thunk_setKeypair); acc.setKeypair = promisify(acc._thunk_setKeypair);
} }
// certs // certs
if (2 === crt.check.length) { if (2 === crt.check.length) {
warn(); warn();
crt._thunk_check = crt.check; crt._thunk_check = crt.check;
crt.check = promisify(crt._thunk_check); crt.check = promisify(crt._thunk_check);
} }
if (3 === crt.set.length) { if (3 === crt.set.length) {
warn(); warn();
crt._thunk_set = crt.set; crt._thunk_set = crt.set;
crt.set = promisify(crt._thunk_set); crt.set = promisify(crt._thunk_set);
} }
if (2 === crt.checkKeypair.length) { if (2 === crt.checkKeypair.length) {
warn(); warn();
crt._thunk_checkKeypair = crt.checkKeypair; crt._thunk_checkKeypair = crt.checkKeypair;
crt.checkKeypair = promisify(crt._thunk_checkKeypair); crt.checkKeypair = promisify(crt._thunk_checkKeypair);
} }
if (2 === crt.setKeypair.length) { if (2 === crt.setKeypair.length) {
warn(); warn();
crt._thunk_setKeypair = crt.setKeypair; crt._thunk_setKeypair = crt.setKeypair;
crt.setKeypair = promisify(crt._thunk_setKeypair); crt.setKeypair = promisify(crt._thunk_setKeypair);
} }
return store; return store;
}; };
P._normalizeChallenge = function(name, ch) { P._normalizeChallenge = function(name, ch) {
var gch = {}; var gch = {};
var warned = false; var warned = false;
function warn() { function warn() {
if (warned) { if (warned) {
return; return;
} }
warned = true; warned = true;
console.warn( console.warn(
"'" + "'" +
name + name +
"' may have incorrect function signatures, or contains deprecated use of callbacks" "' may have incorrect function signatures, or contains deprecated use of callbacks"
); );
} }
var warned2 = false; var warned2 = false;
function warn2() { function warn2() {
if (warned2) { if (warned2) {
return; return;
} }
warned2 = true; warned2 = true;
console.warn( console.warn(
"'" + "'" +
name + name +
"' did not return a Promise when called. This should be fixed by the maintainer." "' did not return a Promise when called. This should be fixed by the maintainer."
); );
} }
function wrappy(fn) { function wrappy(fn) {
return function(_params) { return function(_params) {
return Promise.resolve().then(function() { return Promise.resolve().then(function() {
var result = fn.call(ch, _params); var result = fn.call(ch, _params);
if (!result || !result.then) { if (!result || !result.then) {
warn2(); warn2();
} }
return result; return result;
}); });
}; };
} }
// init, zones, set, get, remove // init, zones, set, get, remove
if (ch.init) { if (ch.init) {
if (2 === ch.init.length) { if (2 === ch.init.length) {
warn(); warn();
ch._thunk_init = ch.init; ch._thunk_init = ch.init;
ch.init = promisify(ch._thunk_init); ch.init = promisify(ch._thunk_init);
} }
gch.init = wrappy(ch.init); gch.init = wrappy(ch.init);
} }
if (ch.zones) { if (ch.zones) {
if (2 === ch.zones.length) { if (2 === ch.zones.length) {
warn(); warn();
ch._thunk_zones = ch.zones; ch._thunk_zones = ch.zones;
ch.zones = promisify(ch._thunk_zones); ch.zones = promisify(ch._thunk_zones);
} }
gch.zones = wrappy(ch.zones); gch.zones = wrappy(ch.zones);
} }
if (2 === ch.set.length) { if (2 === ch.set.length) {
warn(); warn();
ch._thunk_set = ch.set; ch._thunk_set = ch.set;
ch.set = promisify(ch._thunk_set); ch.set = promisify(ch._thunk_set);
} }
gch.set = wrappy(ch.set); gch.set = wrappy(ch.set);
if (2 === ch.remove.length) { if (2 === ch.remove.length) {
warn(); warn();
ch._thunk_remove = ch.remove; ch._thunk_remove = ch.remove;
ch.remove = promisify(ch._thunk_remove); ch.remove = promisify(ch._thunk_remove);
} }
gch.remove = wrappy(ch.remove); gch.remove = wrappy(ch.remove);
if (ch.get) { if (ch.get) {
if (2 === ch.get.length) { if (2 === ch.get.length) {
warn(); warn();
ch._thunk_get = ch.get; ch._thunk_get = ch.get;
ch.get = promisify(ch._thunk_get); ch.get = promisify(ch._thunk_get);
} }
gch.get = wrappy(ch.get); gch.get = wrappy(ch.get);
} }
return gch; return gch;
}; };
P._loadSync = function(modname) { P._loadSync = function(modname) {
try { try {
return require(modname); return require(modname);
} catch (e) { } catch (e) {
console.error("Could not load '%s'", modname); console.error("Could not load '%s'", modname);
console.error('Did you install it?'); console.error('Did you install it?');
console.error('\tnpm install --save %s', modname); console.error('\tnpm install --save %s', modname);
throw e; throw e;
} }
/* /*
try { try {
mod = require(modname); mod = require(modname);
} catch (e) { } catch (e) {
@ -206,126 +206,126 @@ P._loadSync = function(modname) {
}; };
P._installSync = function(moduleName) { P._installSync = function(moduleName) {
var npm = 'npm'; var npm = 'npm';
var args = ['install', '--save', moduleName]; var args = ['install', '--save', moduleName];
var out = ''; var out = '';
var cmd; var cmd;
try { try {
cmd = spawnSync(npm, args, { cmd = spawnSync(npm, args, {
cwd: P.PKG_DIR, cwd: P.PKG_DIR,
windowsHide: true windowsHide: true
}); });
} catch (e) { } catch (e) {
console.error( console.error(
"Failed to start: '" + "Failed to start: '" +
npm + npm +
' ' + ' ' +
args.join(' ') + args.join(' ') +
"' in '" + "' in '" +
P.PKG_DIR + P.PKG_DIR +
"'" "'"
); );
console.error(e.message); console.error(e.message);
process.exit(1); process.exit(1);
} }
if (!cmd.status) { if (!cmd.status) {
return; return;
} }
out += cmd.stdout.toString('utf8'); out += cmd.stdout.toString('utf8');
out += cmd.stderr.toString('utf8'); out += cmd.stderr.toString('utf8');
if (out) { if (out) {
console.error(out); console.error(out);
console.error(); console.error();
console.error(); console.error();
} }
console.error( console.error(
"Failed to run: '" + "Failed to run: '" +
npm + npm +
' ' + ' ' +
args.join(' ') + args.join(' ') +
"' in '" + "' in '" +
P.PKG_DIR + P.PKG_DIR +
"'" "'"
); );
console.error( console.error(
'Try for yourself:\n\tcd ' + P.PKG_DIR + '\n\tnpm ' + args.join(' ') 'Try for yourself:\n\tcd ' + P.PKG_DIR + '\n\tnpm ' + args.join(' ')
); );
process.exit(1); process.exit(1);
}; };
P._install = function(moduleName) { P._install = function(moduleName) {
return new Promise(function(resolve) { return new Promise(function(resolve) {
if (!moduleName) { if (!moduleName) {
throw new Error('no module name given'); throw new Error('no module name given');
} }
var npm = 'npm'; var npm = 'npm';
var args = ['install', '--save', moduleName]; var args = ['install', '--save', moduleName];
var out = ''; var out = '';
var cmd = spawn(npm, args, { var cmd = spawn(npm, args, {
cwd: P.PKG_DIR, cwd: P.PKG_DIR,
windowsHide: true windowsHide: true
}); });
cmd.stdout.on('data', function(chunk) { cmd.stdout.on('data', function(chunk) {
out += chunk.toString('utf8'); out += chunk.toString('utf8');
}); });
cmd.stdout.on('data', function(chunk) { cmd.stdout.on('data', function(chunk) {
out += chunk.toString('utf8'); out += chunk.toString('utf8');
}); });
cmd.on('error', function(e) { cmd.on('error', function(e) {
console.error( console.error(
"Failed to start: '" + "Failed to start: '" +
npm + npm +
' ' + ' ' +
args.join(' ') + args.join(' ') +
"' in '" + "' in '" +
P.PKG_DIR + P.PKG_DIR +
"'" "'"
); );
console.error(e.message); console.error(e.message);
process.exit(1); process.exit(1);
}); });
cmd.on('exit', function(code) { cmd.on('exit', function(code) {
if (!code) { if (!code) {
resolve(); resolve();
return; return;
} }
if (out) { if (out) {
console.error(out); console.error(out);
console.error(); console.error();
console.error(); console.error();
} }
console.error( console.error(
"Failed to run: '" + "Failed to run: '" +
npm + npm +
' ' + ' ' +
args.join(' ') + args.join(' ') +
"' in '" + "' in '" +
P.PKG_DIR + P.PKG_DIR +
"'" "'"
); );
console.error( console.error(
'Try for yourself:\n\tcd ' + 'Try for yourself:\n\tcd ' +
P.PKG_DIR + P.PKG_DIR +
'\n\tnpm ' + '\n\tnpm ' +
args.join(' ') args.join(' ')
); );
process.exit(1); process.exit(1);
}); });
}); });
}; };
if (require.main === module) { if (require.main === module) {
P._installSync(process.argv[2]); P._installSync(process.argv[2]);
} }

76
tests/index.js
View File

@ -11,44 +11,44 @@ var challenge = JSON.parse(process.env.CHALLENGE_OPTIONS);
challenge.module = process.env.CHALLENGE_PLUGIN; challenge.module = process.env.CHALLENGE_PLUGIN;
var greenlock = Greenlock.create({ var greenlock = Greenlock.create({
packageAgent: 'Greenlock_Test/v0', packageAgent: 'Greenlock_Test/v0',
maintainerEmail: email, maintainerEmail: email,
staging: true, staging: true,
manager: require('greenlock-manager-fs').create({ manager: require('greenlock-manager-fs').create({
//configFile: '~/.config/greenlock/certs.json', //configFile: '~/.config/greenlock/certs.json',
}) })
}); });
greenlock.manager greenlock.manager
.defaults({ .defaults({
agreeToTerms: true, agreeToTerms: true,
subscriberEmail: email, subscriberEmail: email,
challenges: { challenges: {
'dns-01': challenge 'dns-01': challenge
} }
//store: args.storeOpts, //store: args.storeOpts,
//renewOffset: args.renewOffset || '30d', //renewOffset: args.renewOffset || '30d',
//renewStagger: '1d' //renewStagger: '1d'
}) })
.then(function() { .then(function() {
return greenlock return greenlock
.add({ .add({
subject: subject, subject: subject,
altnames: altnames, altnames: altnames,
subscriberEmail: email subscriberEmail: email
}) })
.then(function() { .then(function() {
return greenlock return greenlock
.get({ servername: subject }) .get({ servername: subject })
.then(function(pems) { .then(function(pems) {
if (pems && pems.privkey && pems.cert && pems.chain) { if (pems && pems.privkey && pems.cert && pems.chain) {
console.info('Success'); console.info('Success');
} }
//console.log(pems); //console.log(pems);
}); });
}); });
}) })
.catch(function(e) { .catch(function(e) {
console.error('Big bad error:', e.code); console.error('Big bad error:', e.code);
console.error(e); console.error(e);
}); });

2
user-events.js
View File

@ -3,5 +3,5 @@
var UserEvents = module.exports; var UserEvents = module.exports;
UserEvents.notify = function() { UserEvents.notify = function() {
// TODO not implemented yet // TODO not implemented yet
}; };

402
utils.js
View File

@ -11,79 +11,79 @@ var Keypairs = require('@root/keypairs');
var certParser = require('cert-info'); var certParser = require('cert-info');
U._parseDuration = function(str) { U._parseDuration = function(str) {
if ('number' === typeof str) { if ('number' === typeof str) {
return str; return str;
} }
var pattern = /^(\-?\d+(\.\d+)?)([wdhms]|ms)$/; var pattern = /^(\-?\d+(\.\d+)?)([wdhms]|ms)$/;
var matches = str.match(pattern); var matches = str.match(pattern);
if (!matches || !matches[0]) { if (!matches || !matches[0]) {
throw new Error('invalid duration string: ' + str); throw new Error('invalid duration string: ' + str);
} }
var n = parseInt(matches[1], 10); var n = parseInt(matches[1], 10);
var unit = matches[3]; var unit = matches[3];
switch (unit) { switch (unit) {
case 'w': case 'w':
n *= 7; n *= 7;
/*falls through*/ /*falls through*/
case 'd': case 'd':
n *= 24; n *= 24;
/*falls through*/ /*falls through*/
case 'h': case 'h':
n *= 60; n *= 60;
/*falls through*/ /*falls through*/
case 'm': case 'm':
n *= 60; n *= 60;
/*falls through*/ /*falls through*/
case 's': case 's':
n *= 1000; n *= 1000;
/*falls through*/ /*falls through*/
case 'ms': case 'ms':
n *= 1; // for completeness n *= 1; // for completeness
} }
return n; return n;
}; };
U._encodeName = function(str) { U._encodeName = function(str) {
return punycode.toASCII(str.toLowerCase(str)); return punycode.toASCII(str.toLowerCase(str));
}; };
U._validName = function(str) { U._validName = function(str) {
// A quick check of the 38 and two ½ valid characters // A quick check of the 38 and two ½ valid characters
// 253 char max full domain, including dots // 253 char max full domain, including dots
// 63 char max each label segment // 63 char max each label segment
// Note: * is not allowed, but it's allowable here // Note: * is not allowed, but it's allowable here
// Note: _ (underscore) is only allowed for "domain names", not "hostnames" // Note: _ (underscore) is only allowed for "domain names", not "hostnames"
// Note: - (hyphen) is not allowed as a first character (but a number is) // Note: - (hyphen) is not allowed as a first character (but a number is)
return ( return (
/^(\*\.)?[a-z0-9_\.\-]+$/.test(str) && /^(\*\.)?[a-z0-9_\.\-]+$/.test(str) &&
str.length < 254 && str.length < 254 &&
str.split('.').every(function(label) { str.split('.').every(function(label) {
return label.length > 0 && label.length < 64; return label.length > 0 && label.length < 64;
}) })
); );
}; };
U._validMx = function(email) { U._validMx = function(email) {
var host = email.split('@').slice(1)[0]; var host = email.split('@').slice(1)[0];
// try twice, just because DNS hiccups sometimes // try twice, just because DNS hiccups sometimes
// Note: we don't care if the domain exists, just that it *can* exist // Note: we don't care if the domain exists, just that it *can* exist
return resolveMx(host).catch(function() { return resolveMx(host).catch(function() {
return U._timeout(1000).then(function() { return U._timeout(1000).then(function() {
return resolveMx(host); return resolveMx(host);
}); });
}); });
}; };
// should be called after _validName // should be called after _validName
U._validDomain = function(str) { U._validDomain = function(str) {
// TODO use @root/dns (currently dns-suite) // TODO use @root/dns (currently dns-suite)
// because node's dns can't read Authority records // because node's dns can't read Authority records
return Promise.resolve(str); return Promise.resolve(str);
/* /*
// try twice, just because DNS hiccups sometimes // try twice, just because DNS hiccups sometimes
// Note: we don't care if the domain exists, just that it *can* exist // Note: we don't care if the domain exists, just that it *can* exist
return resolveSoa(str).catch(function() { return resolveSoa(str).catch(function() {
@ -98,184 +98,184 @@ U._validDomain = function(str) {
// should be called after _validName // should be called after _validName
// (which enforces *. or no *) // (which enforces *. or no *)
U._uniqueNames = function(altnames) { U._uniqueNames = function(altnames) {
var dups = {}; var dups = {};
var wilds = {}; var wilds = {};
if ( if (
altnames.some(function(w) { altnames.some(function(w) {
if ('*.' !== w.slice(0, 2)) { if ('*.' !== w.slice(0, 2)) {
return; return;
} }
if (wilds[w]) { if (wilds[w]) {
return true; return true;
} }
wilds[w] = true; wilds[w] = true;
}) })
) { ) {
return false; return false;
} }
return altnames.every(function(name) { return altnames.every(function(name) {
var w; var w;
if ('*.' !== name.slice(0, 2)) { if ('*.' !== name.slice(0, 2)) {
w = w =
'*.' + '*.' +
name name
.split('.') .split('.')
.slice(1) .slice(1)
.join('.'); .join('.');
} else { } else {
return true; return true;
} }
if (!dups[name] && !dups[w]) { if (!dups[name] && !dups[w]) {
dups[name] = true; dups[name] = true;
return true; return true;
} }
}); });
}; };
U._timeout = function(d) { U._timeout = function(d) {
return new Promise(function(resolve) { return new Promise(function(resolve) {
setTimeout(resolve, d); setTimeout(resolve, d);
}); });
}; };
U._genKeypair = function(keyType) { U._genKeypair = function(keyType) {
var keyopts; var keyopts;
var len = parseInt(keyType.replace(/.*?(\d)/, '$1') || 0, 10); var len = parseInt(keyType.replace(/.*?(\d)/, '$1') || 0, 10);
if (/RSA/.test(keyType)) { if (/RSA/.test(keyType)) {
keyopts = { keyopts = {
kty: 'RSA', kty: 'RSA',
modulusLength: len || 2048 modulusLength: len || 2048
}; };
} else if (/^(EC|P\-?\d)/i.test(keyType)) { } else if (/^(EC|P\-?\d)/i.test(keyType)) {
keyopts = { keyopts = {
kty: 'EC', kty: 'EC',
namedCurve: 'P-' + (len || 256) namedCurve: 'P-' + (len || 256)
}; };
} else { } else {
// TODO put in ./errors.js // TODO put in ./errors.js
throw new Error('invalid key type: ' + keyType); throw new Error('invalid key type: ' + keyType);
} }
return Keypairs.generate(keyopts).then(function(pair) { return Keypairs.generate(keyopts).then(function(pair) {
return U._jwkToSet(pair.private); return U._jwkToSet(pair.private);
}); });
}; };
// TODO use ACME._importKeypair ?? // TODO use ACME._importKeypair ??
U._importKeypair = function(keypair) { U._importKeypair = function(keypair) {
// this should import all formats equally well: // this should import all formats equally well:
// 'object' (JWK), 'string' (private key pem), kp.privateKeyPem, kp.privateKeyJwk // 'object' (JWK), 'string' (private key pem), kp.privateKeyPem, kp.privateKeyJwk
if (keypair.private || keypair.d) { if (keypair.private || keypair.d) {
return U._jwkToSet(keypair.private || keypair); return U._jwkToSet(keypair.private || keypair);
} }
if (keypair.privateKeyJwk) { if (keypair.privateKeyJwk) {
return U._jwkToSet(keypair.privateKeyJwk); return U._jwkToSet(keypair.privateKeyJwk);
} }
if ('string' !== typeof keypair && !keypair.privateKeyPem) { if ('string' !== typeof keypair && !keypair.privateKeyPem) {
// TODO put in errors // TODO put in errors
throw new Error('missing private key'); throw new Error('missing private key');
} }
return Keypairs.import({ pem: keypair.privateKeyPem || keypair }).then( return Keypairs.import({ pem: keypair.privateKeyPem || keypair }).then(
function(priv) { function(priv) {
if (!priv.d) { if (!priv.d) {
throw new Error('missing private key'); throw new Error('missing private key');
} }
return U._jwkToSet(priv); return U._jwkToSet(priv);
} }
); );
}; };
U._jwkToSet = function(jwk) { U._jwkToSet = function(jwk) {
var keypair = { var keypair = {
privateKeyJwk: jwk privateKeyJwk: jwk
}; };
return Promise.all([ return Promise.all([
Keypairs.export({ Keypairs.export({
jwk: jwk, jwk: jwk,
encoding: 'pem' encoding: 'pem'
}).then(function(pem) { }).then(function(pem) {
keypair.privateKeyPem = pem; keypair.privateKeyPem = pem;
}), }),
Keypairs.export({ Keypairs.export({
jwk: jwk, jwk: jwk,
encoding: 'pem', encoding: 'pem',
public: true public: true
}).then(function(pem) { }).then(function(pem) {
keypair.publicKeyPem = pem; keypair.publicKeyPem = pem;
}), }),
Keypairs.publish({ Keypairs.publish({
jwk: jwk jwk: jwk
}).then(function(pub) { }).then(function(pub) {
keypair.publicKeyJwk = pub; keypair.publicKeyJwk = pub;
}) })
]).then(function() { ]).then(function() {
return keypair; return keypair;
}); });
}; };
U._attachCertInfo = function(results) { U._attachCertInfo = function(results) {
var certInfo = certParser.info(results.cert); var certInfo = certParser.info(results.cert);
// subject, altnames, issuedAt, expiresAt // subject, altnames, issuedAt, expiresAt
Object.keys(certInfo).forEach(function(key) { Object.keys(certInfo).forEach(function(key) {
results[key] = certInfo[key]; results[key] = certInfo[key];
}); });
return results; return results;
}; };
U._certHasDomain = function(certInfo, _domain) { U._certHasDomain = function(certInfo, _domain) {
var names = (certInfo.altnames || []).slice(0); var names = (certInfo.altnames || []).slice(0);
return names.some(function(name) { return names.some(function(name) {
var domain = _domain.toLowerCase(); var domain = _domain.toLowerCase();
name = name.toLowerCase(); name = name.toLowerCase();
if ('*.' === name.substr(0, 2)) { if ('*.' === name.substr(0, 2)) {
name = name.substr(2); name = name.substr(2);
domain = domain domain = domain
.split('.') .split('.')
.slice(1) .slice(1)
.join('.'); .join('.');
} }
return name === domain; return name === domain;
}); });
}; };
// a bit heavy to be labeled 'utils'... perhaps 'common' would be better? // a bit heavy to be labeled 'utils'... perhaps 'common' would be better?
U._getOrCreateKeypair = function(db, subject, query, keyType, mustExist) { U._getOrCreateKeypair = function(db, subject, query, keyType, mustExist) {
var exists = false; var exists = false;
return db return db
.checkKeypair(query) .checkKeypair(query)
.then(function(kp) { .then(function(kp) {
if (kp) { if (kp) {
exists = true; exists = true;
return U._importKeypair(kp); return U._importKeypair(kp);
} }
if (mustExist) { if (mustExist) {
// TODO put in errors // TODO put in errors
throw new Error( throw new Error(
'required keypair not found: ' + 'required keypair not found: ' +
(subject || '') + (subject || '') +
' ' + ' ' +
JSON.stringify(query) JSON.stringify(query)
); );
} }
return U._genKeypair(keyType); return U._genKeypair(keyType);
}) })
.then(function(keypair) { .then(function(keypair) {
return { exists: exists, keypair: keypair }; return { exists: exists, keypair: keypair };
}); });
}; };
U._getKeypair = function(db, subject, query) { U._getKeypair = function(db, subject, query) {
return U._getOrCreateKeypair(db, subject, query, '', true).then(function( return U._getOrCreateKeypair(db, subject, query, '', true).then(function(
result result
) { ) {
return result.keypair; return result.keypair;
}); });
}; };