ACME: alternative chains support.

Author: bavshin-f5

Cargo.lock

@@ -18,6 +18,7 @@ http-body = "1.0.1"
 http-body-util = "0.1.3"
 http-serde = "2.1.1"
 hyper = { version = "1.6.0", features = ["client", "http1"] }
+iri-string = "0.7"
 libc = "0.2.174"
 nginx-sys = "0.5.0"
 ngx = { version = "0.5.0", features = ["async", "serde", "std"] }

Cargo.toml

@@ -237,6 +237,24 @@ Accepted values:
 The generated account keys are preserved across reloads,
 but will be lost on restart unless [state_path](#state_path) is configured.
 
+### chain
+
+**Syntax:** **`chain`** `issuer`=_`name`_
+
+**Default:** -
+
+**Context:** acme_issuer
+
+_This directive appeared in version 0.3.0._
+
+Specifies the preferred certificate chain.
+
+If the ACME issuer offers multiple certificate chains,
+prefer the chain with the topmost certificate issued from the
+Subject Common Name _`name`_.
+
+If no matches, the default chain will be used.
+
 ### challenge
 
 **Syntax:** **`challenge`** _`type`_
@@ -298,6 +316,8 @@ In both cases, the key is expected to be encoded in
 
 **Context:** acme_issuer
 
+_This directive appeared in version 0.3.0._
+
 Requests the supported [certificate profile][draft-ietf-acme-profiles]
 _`name`_ from the ACME server.
 

README.md

@@ -11,25 +11,26 @@ use std::string::{String, ToString};
 
 use bytes::Bytes;
 use error::{NewAccountError, NewCertificateError, RequestError};
-use http::Uri;
+use http::{Response, Uri};
 use ngx::allocator::{Allocator, Box};
 use ngx::async_::sleep;
 use ngx::collections::Vec;
 use ngx::ngx_log_debug;
 use openssl::pkey::{PKey, PKeyRef, Private};
-use openssl::x509::{self, extension as x509_ext, X509Req};
+use openssl::x509::{self, extension as x509_ext, X509Req, X509};
 use types::{AccountStatus, ProblemCategory};
 
 use self::account_key::{AccountKey, AccountKeyError};
 use self::types::{AuthorizationStatus, ChallengeKind, ChallengeStatus, OrderStatus};
 use crate::conf::identifier::Identifier;
-use crate::conf::issuer::{Issuer, Profile};
+use crate::conf::issuer::{CertificateChainMatcher, Issuer, Profile};
 use crate::conf::order::CertificateOrder;
 use crate::net::http::HttpClient;
 use crate::time::Time;
 
 pub mod account_key;
 pub mod error;
+pub mod headers;
 pub mod solvers;
 pub mod types;
 
@@ -49,7 +50,8 @@ pub enum NewAccountOutput<'a> {
 }
 
 pub struct NewCertificateOutput {
-    pub chain: Bytes,
+    pub bytes: Bytes,
+    pub x509: std::vec::Vec<X509>,
     pub pkey: PKey<Private>,
 }
 
@@ -246,7 +248,7 @@ where
                     if let Some(val) = res
                         .headers()
                         .get(http::header::RETRY_AFTER)
-                        .and_then(parse_retry_after)
+                        .and_then(headers::parse_retry_after)
                         .filter(|x| x > &MAX_SERVER_RETRY_INTERVAL)
                     {
                         return Err(RequestError::RateLimited(val));
@@ -461,11 +463,69 @@ where
 
         let certificate = order
             .certificate
-            .ok_or(NewCertificateError::CertificateUrl)?;
+            .ok_or(NewCertificateError::MissingCertificate)?;
 
-        let chain = self.post(&certificate, b"").await?.into_body();
+        let res = self.post(&certificate, b"").await?;
 
-        Ok(NewCertificateOutput { chain, pkey })
+        if let Some(ref matcher) = self.issuer.chain {
+            let (bytes, x509) = self
+                .find_preferred_chain(&certificate, res, matcher)
+                .await?;
+            Ok(NewCertificateOutput { bytes, x509, pkey })
+        } else {
+            let bytes = res.into_body();
+            let x509 =
+                X509::stack_from_pem(&bytes).map_err(NewCertificateError::InvalidCertificate)?;
+            if x509.is_empty() {
+                return Err(NewCertificateError::MissingCertificate);
+            }
+
+            Ok(NewCertificateOutput { bytes, x509, pkey })
+        }
+    }
+
+    async fn find_preferred_chain(
+        &self,
+        base: &Uri,
+        cert: Response<Bytes>,
+        matcher: &CertificateChainMatcher,
+    ) -> Result<(Bytes, std::vec::Vec<X509>), NewCertificateError> {
+        let default =
+            X509::stack_from_pem(cert.body()).map_err(NewCertificateError::InvalidCertificate)?;
+
+        if !matcher.test(&default) {
+            if let Ok(base) = iri_string::types::UriAbsoluteString::try_from(base.to_string()) {
+                let alternates = cert
+                    .headers()
+                    .get_all(http::header::LINK)
+                    .into_iter()
+                    .filter_map(headers::parse_link)
+                    .flatten()
+                    .filter(|x| x.is_rel("alternate"));
+
+                for link in alternates {
+                    let uri = link.target.resolve_against(&base).to_string();
+                    let Ok(uri) = Uri::try_from(uri) else {
+                        continue;
+                    };
+
+                    let res = self.post(&uri, b"").await?;
+                    let bytes = res.into_body();
+
+                    let stack = X509::stack_from_pem(&bytes)
+                        .map_err(NewCertificateError::InvalidCertificate)?;
+                    if matcher.test(&stack) {
+                        return Ok((bytes, stack));
+                    }
+                }
+            }
+        }
+
+        if default.is_empty() {
+            return Err(NewCertificateError::MissingCertificate);
+        }
+
+        Ok((cert.into_body(), default))
     }
 
     async fn do_authorization(
@@ -586,7 +646,7 @@ async fn wait_for_retry<B>(
     let retry_after = res
         .headers()
         .get(http::header::RETRY_AFTER)
-        .and_then(parse_retry_after)
+        .and_then(headers::parse_retry_after)
         .unwrap_or(interval)
         .min(MAX_SERVER_RETRY_INTERVAL);
 
@@ -616,15 +676,3 @@ where
 {
     serde_json::from_slice(bytes).map_err(RequestError::ResponseFormat)
 }
-
-fn parse_retry_after(val: &http::HeaderValue) -> Option<Duration> {
-    let val = val.to_str().ok()?;
-
-    // Retry-After: <http-date>
-    if let Ok(time) = Time::parse(val) {
-        return Some(time - Time::now());
-    }
-
-    // Retry-After: <delay-seconds>
-    val.parse().map(Duration::from_secs).ok()
-}

src/acme.rs

@@ -62,15 +62,18 @@ pub enum NewCertificateError {
     #[error("unexpected authorization status {0:?}")]
     AuthorizationStatus(super::types::AuthorizationStatus),
 
-    #[error("no certificate in the validated order")]
-    CertificateUrl,
-
     #[error("unexpected challenge status {0:?}")]
     ChallengeStatus(super::types::ChallengeStatus),
 
     #[error("csr generation failed ({0})")]
     Csr(openssl::error::ErrorStack),
 
+    #[error("PEM_read_bio_X509() failed: {0}")]
+    InvalidCertificate(openssl::error::ErrorStack),
+
+    #[error("no certificate in the completed order")]
+    MissingCertificate,
+
     #[error("no supported challenges")]
     NoSupportedChallenges,