authorHendrik Jäger <gitcommit@henk.geekmail.org>2024-01-25 22:20:27 +0100
committerHendrik Jäger <gitcommit@henk.geekmail.org>2024-01-25 22:20:27 +0100
commit07d6038215ee603fdc9e6a715c51d7b59be5188e (patch)
tree35e11f3f36b21cdfd403631fc661fa27e2c8a315
parent757f7ba8827cd8f3cb19c0166fe2a95a66837e72 (diff)
try json-jwt insteadattempt/implement_acme
-rw-r--r--macir.rb127
1 files changed, 88 insertions, 39 deletions
diff --git a/macir.rb b/macir.rb
index b312052..1575f87 100644
--- a/macir.rb
+++ b/macir.rb
@@ -3,14 +3,14 @@
require 'net/http'
require 'json'
require 'base64'
-require 'jwt'
+require 'json/jwt'
def request_directory( uri: )
http = Net::HTTP.new( uri.hostname, uri.port )
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
- http.set_debug_output($stdout)
+ # http.set_debug_output($stdout)
http.get( uri.path ).body
end
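Review bot: `http.verify_mode = OpenSSL::SSL::VERIFY_NONE`, two lines above the commented-out debug output, disables certificate validation for the directory fetch, so the newAccount and newNonce endpoints this script later trusts are read from an unauthenticated TLS peer; the same line sits in request_nonce in the next hunk. Net::HTTP already verifies the peer once `use_ssl` is true, so the line can simply be deleted, or made explicit with `http.verify_mode = OpenSSL::SSL::VERIFY_PEER`. Commenting out `set_debug_output` instead of removing it leaves dead code in both helpers; if the wire trace is still wanted, gate it on a flag rather than toggling a comment.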
@@ -18,7 +18,7 @@ def request_nonce( uri: )
http = Net::HTTP.new( uri.hostname, uri.port )
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
- http.set_debug_output($stdout)
+ # http.set_debug_output($stdout)
res = http.head( uri.path )
res['Replay-Nonce']
end
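Review bot: `res['Replay-Nonce']` on the last line returns nil when the HEAD response carries no such header, and that nil is later copied into the protected header as `nonce` without a check, so a missing nonce only surfaces as a rejected signed request. Fail at the source instead: `res['Replay-Nonce'] or raise "no Replay-Nonce header in response from #{uri}"`. The `def request_nonce( uri: )` line is outside the hunk; only its body is shown here.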
@@ -34,13 +34,39 @@ end
-ecdsa_key = OpenSSL::PKey::EC.generate('prime256v1')
-params = optional_parameters = { kid: 'foobar', use: 'sig', alg: 'ES256' }
-jwk_key = JWT::JWK.new( ecdsa_key, params )
-puts "private jwk_key"
-puts jwk_key.export( include_private: true )
-puts "public jwk_key"
-puts jwk_key.export
+private_key = OpenSSL::PKey::EC.generate('prime256v1')
+puts "private_key"
+puts private_key
+puts ""
+
+public_key = private_key.public_key
+puts "public_key"
+puts public_key
+puts ""
+
+jwk_key = JSON::JWK.new(private_key)
+puts "jwk_key"
+puts jwk_key
+puts ""
+
+# jwk_public = JSON::JWK.new(public_key)
+# puts "public_key"
+# puts jwk_public
+# puts ""
+
+jwk_normalized = jwk_key.normalize
+puts "jwk_normalized"
+puts jwk_normalized
+puts ""
+
+# p JSON::JWK.new(public_key)
+# params = optional_parameters = { kid: 'foobar', use: 'sig', alg: 'ES256' }
+
+# jwk_key = JWT::JWK.new( ecdsa_key, params )
+# puts "private jwk_key"
+# puts jwk_key.export( include_private: true )
+# puts "public jwk_key"
+# puts jwk_key.export
# acme_directory_uri = URI('https://acme-staging-v02.api.letsencrypt.org/directory')
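Review bot: `puts private_key` and `puts jwk_key` write the freshly generated account private key to stdout (the PEM on the first, and on the second a JWK built from the private key, which presumably carries the private `d` member), so the credential that authorizes every later ACME request ends up wherever the script's output is captured. Print only the public half, `puts public_key` and `puts jwk_normalized`, which is all the protected header uses anyway. The key is also regenerated on every run and never written anywhere, so each run acts as a different ACME account; persisting it with restrictive permissions, e.g. `File.write(KEY_PATH, private_key.to_pem, perm: 0o600)` where KEY_PATH is a location of your choosing, is needed before the account can be reused. The commented-out remnants of the earlier jwt-gem attempt could be dropped rather than carried along.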
@@ -50,7 +76,9 @@ acme_directory_uri.freeze
# acme_directory_json = Net::HTTP.get(acme_directory_uri)
acme_directory_json = request_directory( uri: acme_directory_uri )
acme_directory = JSON.parse(acme_directory_json)
-p acme_directory
+puts "acme_directory"
+puts acme_directory
+puts ""
newAccount_uri = URI( acme_directory['newAccount'] )
newNonce_uri = URI( acme_directory['newNonce'] )
@@ -59,6 +87,7 @@ newNonce_uri = URI( acme_directory['newNonce'] )
nonce = request_nonce( :uri => newNonce_uri )
puts "nonce"
puts nonce
+puts ""
stub_account_for_new_account = {
@@ -66,12 +95,13 @@ stub_account_for_new_account = {
"mailto:sysadmin@henk.geekmail.org"
],
termsOfServiceAgreed: true,
- onlyReturnExisting: true
+ onlyReturnExisting: true,
}
stub_account_for_new_account_json = JSON.generate(stub_account_for_new_account)
-puts "stub_account_for_new_account_json"
-puts stub_account_for_new_account_json
+# puts "stub_account_for_new_account_json"
+# puts stub_account_for_new_account_json
+# puts ""
stub_account_for_new_account_base64 = Base64.urlsafe_encode64(stub_account_for_new_account_json, padding: false)
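Review bot: `onlyReturnExisting: true` asks the server to look up an account already bound to the signing key, but the key is generated fresh at the top of the script on every run, so this request can only ever fail with an accountDoesNotExist error; either drop the flag to actually create the account, or sign with a persisted key. The `stub_account_for_new_account_base64` assignment on the last line appears to have no remaining consumer now that the request is assembled through JSON::JWT, since its former uses are commented out in the following hunk; if so, remove it rather than leave an unused base64 copy of the payload around.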
@@ -79,45 +109,64 @@ protected_request_header = {
alg: 'ES256',
nonce: nonce,
url: newAccount_uri,
- jwk: jwk_key.export
+ jwk: jwk_normalized
}
protected_request_header_json = JSON.generate( protected_request_header )
puts "protected_request_header_json"
-pp protected_request_header_json
+puts protected_request_header_json
+puts ""
protected_request_header_base64 = Base64.urlsafe_encode64( protected_request_header_json, padding: false )
-newAccount_header_with_payload = JSON.generate(
- {
- :protected => protected_request_header_base64,
- :payload => stub_account_for_new_account_base64,
- }
-)
+newAccount_header_with_payload = JSON::JWT.new( stub_account_for_new_account)
+newAccount_header_with_payload.header[:alg] = 'ES256'
+newAccount_header_with_payload.header[:nonce] = nonce
+newAccount_header_with_payload.header[:url] = newAccount_uri
+newAccount_header_with_payload.header[:jwk] = jwk_normalized
+
+p newAccount_header_with_payload.header
+
puts "newAccount_header_with_payload"
puts newAccount_header_with_payload
+puts newAccount_header_with_payload.as_json( syntax: :flattened )
+puts ""
+
+# newAccount_header_with_payload.kid = 'default_key'
# #signing_key requires jwt somewhat newer than in debian stable (2.5.0)
# stub_account_for_new_account_signature = JWT::Algos::Ecdsa.sign( 'ES256', newAccount_header_with_payload, jwk_key.signing_key )
# stub_account_for_new_account_signature = ecdsa_key.sign( nil, newAccount_header_with_payload )
-stub_account_for_new_account_signature = JWT.encode( newAccount_header_with_payload, jwk_key.signing_key, 'ES256', protected_request_header ).split('.')[-1]
-stub_account_for_new_account_signature_base64 = Base64.urlsafe_encode64( stub_account_for_new_account_signature, padding: false )
-puts "stub_account_for_new_account_signature_base64"
+# stub_account_for_new_account_signature = JWT.encode( newAccount_header_with_payload, jwk_key.signing_key, 'ES256', protected_request_header ).split('.')[-1]
+stub_account_for_new_account_signature = newAccount_header_with_payload.sign( jwk_key )
+# stub_account_for_new_account_signature_base64 = Base64.urlsafe_encode64( stub_account_for_new_account_signature, padding: false )
+puts "stub_account_for_new_account_signature"
puts stub_account_for_new_account_signature
-puts stub_account_for_new_account_signature_base64
+# puts stub_account_for_new_account_signature_base64
+puts "stub_account_for_new_account_signature_class"
puts stub_account_for_new_account_signature.class
+puts ""
-
-newAccount_request_body = {
- :protected => protected_request_header_base64,
- :payload => stub_account_for_new_account_base64,
- :signature => stub_account_for_new_account_signature
-}
-
-
-newAccount_request_body_json = JSON.generate( newAccount_request_body )
-puts "newAccount_request_body_json"
-puts newAccount_request_body_json
-
-puts request_newAccount( :uri => newAccount_uri, :data => newAccount_request_body_json )
+puts "stub_account_for_new_account_signature"
+puts stub_account_for_new_account_signature
+puts "stub_account_for_new_account_signature.as_json flattened"
+puts stub_account_for_new_account_signature.as_json( syntax: :flattened )
+# puts stub_account_for_new_account_signature_base64
+puts "stub_account_for_new_account_signature.class"
+puts stub_account_for_new_account_signature.class
+puts ""
+
+# newAccount_request_body = {
+# :protected => protected_request_header_base64,
+# :payload => stub_account_for_new_account_base64,
+# :signature => stub_account_for_new_account_signature
+# }
+#
+#
+# newAccount_request_body_json = JSON.generate( newAccount_request_body )
+# puts "newAccount_request_body_json"
+# puts newAccount_request_body_json
+# puts ""
+
+puts request_newAccount( :uri => newAccount_uri, :data => stub_account_for_new_account_signature.as_json( syntax: :flattened ) )
# puts request_newAccount( :uri => newAccount_uri, :data => stub_account_for_new_account_signature )