Started using ACME
This commit is contained in:
parent
deb44806ce
commit
e05c7230a6
3 changed files with 392 additions and 0 deletions
41
pom.xml
41
pom.xml
|
@ -31,6 +31,31 @@
|
||||||
<target>1.8</target>
|
<target>1.8</target>
|
||||||
</configuration>
|
</configuration>
|
||||||
</plugin>
|
</plugin>
|
||||||
|
<plugin>
|
||||||
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
|
<artifactId>maven-shade-plugin</artifactId>
|
||||||
|
<version>2.4.2</version>
|
||||||
|
<executions>
|
||||||
|
<execution>
|
||||||
|
<phase>package</phase>
|
||||||
|
<goals>
|
||||||
|
<goal>shade</goal>
|
||||||
|
</goals>
|
||||||
|
<configuration>
|
||||||
|
<artifactSet>
|
||||||
|
<includes>
|
||||||
|
<include>org.shredzone.acme4j:acme4j-client</include>
|
||||||
|
</includes>
|
||||||
|
</artifactSet>
|
||||||
|
<pluginExecution>
|
||||||
|
<action>
|
||||||
|
<execute />
|
||||||
|
</action>
|
||||||
|
</pluginExecution>
|
||||||
|
</configuration>
|
||||||
|
</execution>
|
||||||
|
</executions>
|
||||||
|
</plugin>
|
||||||
</plugins>
|
</plugins>
|
||||||
</build>
|
</build>
|
||||||
<properties>
|
<properties>
|
||||||
|
@ -87,5 +112,21 @@
|
||||||
<artifactId>ButtonCore</artifactId>
|
<artifactId>ButtonCore</artifactId>
|
||||||
<version>master-SNAPSHOT</version>
|
<version>master-SNAPSHOT</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.shredzone.acme4j</groupId>
|
||||||
|
<artifactId>acme4j-client</artifactId>
|
||||||
|
<version>0.10</version>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.shredzone.acme4j</groupId>
|
||||||
|
<artifactId>acme4j-utils</artifactId>
|
||||||
|
<version>0.10</version>
|
||||||
|
</dependency>
|
||||||
|
<!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on -->
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.bouncycastle</groupId>
|
||||||
|
<artifactId>bcprov-jdk15on</artifactId>
|
||||||
|
<version>1.57</version>
|
||||||
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</project>
|
</project>
|
||||||
|
|
331
src/buttondevteam/website/AcmeClient.java
Normal file
331
src/buttondevteam/website/AcmeClient.java
Normal file
|
@ -0,0 +1,331 @@
|
||||||
|
/*
|
||||||
|
* acme4j - Java ACME client
|
||||||
|
*
|
||||||
|
* Copyright (C) 2015 Richard "Shred" Körber
|
||||||
|
* http://acme4j.shredzone.org
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
*/ //Modified
|
||||||
|
package buttondevteam.website;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileReader;
|
||||||
|
import java.io.FileWriter;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.Writer;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.security.KeyPair;
|
||||||
|
import java.security.Security;
|
||||||
|
import java.security.cert.X509Certificate;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Collection;
|
||||||
|
|
||||||
|
import javax.swing.JOptionPane;
|
||||||
|
|
||||||
|
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||||
|
import org.shredzone.acme4j.*;
|
||||||
|
import org.shredzone.acme4j.challenge.Challenge;
|
||||||
|
import org.shredzone.acme4j.challenge.Http01Challenge;
|
||||||
|
import org.shredzone.acme4j.exception.AcmeConflictException;
|
||||||
|
import org.shredzone.acme4j.exception.AcmeException;
|
||||||
|
import org.shredzone.acme4j.util.CSRBuilder;
|
||||||
|
import org.shredzone.acme4j.util.CertificateUtils;
|
||||||
|
import org.shredzone.acme4j.util.KeyPairUtils;
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
import buttondevteam.lib.TBMCCoreAPI;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A simple client test tool.
|
||||||
|
* <p>
|
||||||
|
* Pass the names of the domains as parameters.
|
||||||
|
*/
|
||||||
|
public class AcmeClient {
|
||||||
|
// File name of the User Key Pair
|
||||||
|
private static final File USER_KEY_FILE = new File("user.key");
|
||||||
|
|
||||||
|
// File name of the Domain Key Pair
|
||||||
|
private static final File DOMAIN_KEY_FILE = new File("domain.key");
|
||||||
|
|
||||||
|
// File name of the CSR
|
||||||
|
private static final File DOMAIN_CSR_FILE = new File("domain.csr");
|
||||||
|
|
||||||
|
// File name of the signed certificate
|
||||||
|
private static final File DOMAIN_CHAIN_FILE = new File("domain-chain.crt");
|
||||||
|
|
||||||
|
// RSA key size of generated key pairs
|
||||||
|
private static final int KEY_SIZE = 2048;
|
||||||
|
|
||||||
|
private static final Logger LOG = LoggerFactory.getLogger(AcmeClient.class);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generates a certificate for the given domains. Also takes care for the registration process.
|
||||||
|
*
|
||||||
|
* @param domains
|
||||||
|
* Domains to get a common certificate for
|
||||||
|
*/
|
||||||
|
public void fetchCertificate(Collection<String> domains) throws IOException, AcmeException {
|
||||||
|
// Load the user key file. If there is no key file, create a new one.
|
||||||
|
// Keep this key pair in a safe place! In a production environment, you will not be
|
||||||
|
// able to access your account again if you should lose the key pair.
|
||||||
|
KeyPair userKeyPair = loadOrCreateKeyPair(USER_KEY_FILE);
|
||||||
|
|
||||||
|
// Create a session for Let's Encrypt.
|
||||||
|
// Use "acme://letsencrypt.org" for production server
|
||||||
|
Session session = new Session("acme://letsencrypt.org" + (TBMCCoreAPI.IsTestServer() ? "/staging" : ""),
|
||||||
|
userKeyPair);
|
||||||
|
|
||||||
|
// Get the Registration to the account.
|
||||||
|
// If there is no account yet, create a new one.
|
||||||
|
Registration reg = findOrRegisterAccount(session);
|
||||||
|
|
||||||
|
// Separately authorize every requested domain.
|
||||||
|
for (String domain : domains) {
|
||||||
|
authorize(reg, domain);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Load or create a key pair for the domains. This should not be the userKeyPair!
|
||||||
|
KeyPair domainKeyPair = loadOrCreateKeyPair(DOMAIN_KEY_FILE);
|
||||||
|
|
||||||
|
// Generate a CSR for all of the domains, and sign it with the domain key pair.
|
||||||
|
CSRBuilder csrb = new CSRBuilder();
|
||||||
|
csrb.addDomains(domains);
|
||||||
|
csrb.sign(domainKeyPair);
|
||||||
|
|
||||||
|
// Write the CSR to a file, for later use.
|
||||||
|
try (Writer out = new FileWriter(DOMAIN_CSR_FILE)) {
|
||||||
|
csrb.write(out);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now request a signed certificate.
|
||||||
|
Certificate certificate = reg.requestCertificate(csrb.getEncoded());
|
||||||
|
|
||||||
|
LOG.info("Success! The certificate for domains " + domains + " has been generated!");
|
||||||
|
LOG.info("Certificate URI: " + certificate.getLocation());
|
||||||
|
|
||||||
|
// Download the leaf certificate and certificate chain.
|
||||||
|
X509Certificate cert = certificate.download();
|
||||||
|
X509Certificate[] chain = certificate.downloadChain();
|
||||||
|
|
||||||
|
// Write a combined file containing the certificate and chain.
|
||||||
|
try (FileWriter fw = new FileWriter(DOMAIN_CHAIN_FILE)) {
|
||||||
|
CertificateUtils.writeX509CertificateChain(fw, cert, chain);
|
||||||
|
}
|
||||||
|
|
||||||
|
// That's all! Configure your web server to use the DOMAIN_KEY_FILE and
|
||||||
|
// DOMAIN_CHAIN_FILE for the requested domans.
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Loads a key pair from specified file. If the file does not exist, a new key pair is generated and saved.
|
||||||
|
*
|
||||||
|
* @return {@link KeyPair}.
|
||||||
|
*/
|
||||||
|
private KeyPair loadOrCreateKeyPair(File file) throws IOException {
|
||||||
|
if (file.exists()) {
|
||||||
|
try (FileReader fr = new FileReader(file)) {
|
||||||
|
return KeyPairUtils.readKeyPair(fr);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
KeyPair domainKeyPair = KeyPairUtils.createKeyPair(KEY_SIZE);
|
||||||
|
try (FileWriter fw = new FileWriter(file)) {
|
||||||
|
KeyPairUtils.writeKeyPair(domainKeyPair, fw);
|
||||||
|
}
|
||||||
|
return domainKeyPair;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Finds your {@link Registration} at the ACME server. It will be found by your user's public key. If your key is not known to the server yet, a new registration will be created.
|
||||||
|
* <p>
|
||||||
|
* This is a simple way of finding your {@link Registration}. A better way is to get the URI of your new registration with {@link Registration#getLocation()} and store it somewhere. If you need to
|
||||||
|
* get access to your account later, reconnect to it via {@link Registration#bind(Session, URI)} by using the stored location.
|
||||||
|
*
|
||||||
|
* @param session
|
||||||
|
* {@link Session} to bind with
|
||||||
|
* @return {@link Registration} connected to your account
|
||||||
|
*/
|
||||||
|
private Registration findOrRegisterAccount(Session session) throws AcmeException {
|
||||||
|
Registration reg;
|
||||||
|
|
||||||
|
try {
|
||||||
|
// Try to create a new Registration.
|
||||||
|
reg = new RegistrationBuilder().create(session);
|
||||||
|
LOG.info("Registered a new user, URI: " + reg.getLocation());
|
||||||
|
|
||||||
|
// This is a new account. Let the user accept the Terms of Service.
|
||||||
|
// We won't be able to authorize domains until the ToS is accepted.
|
||||||
|
URI agreement = reg.getAgreement();
|
||||||
|
LOG.info("Terms of Service: " + agreement);
|
||||||
|
acceptAgreement(reg, agreement);
|
||||||
|
|
||||||
|
} catch (AcmeConflictException ex) {
|
||||||
|
// The Key Pair is already registered. getLocation() contains the
|
||||||
|
// URL of the existing registration's location. Bind it to the session.
|
||||||
|
reg = Registration.bind(session, ex.getLocation());
|
||||||
|
LOG.info("Account does already exist, URI: " + reg.getLocation(), ex);
|
||||||
|
}
|
||||||
|
|
||||||
|
return reg;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Authorize a domain. It will be associated with your account, so you will be able to retrieve a signed certificate for the domain later.
|
||||||
|
* <p>
|
||||||
|
* You need separate authorizations for subdomains (e.g. "www" subdomain). Wildcard certificates are not currently supported.
|
||||||
|
*
|
||||||
|
* @param reg
|
||||||
|
* {@link Registration} of your account
|
||||||
|
* @param domain
|
||||||
|
* Name of the domain to authorize
|
||||||
|
*/
|
||||||
|
private void authorize(Registration reg, String domain) throws AcmeException {
|
||||||
|
// Authorize the domain.
|
||||||
|
Authorization auth = reg.authorizeDomain(domain);
|
||||||
|
LOG.info("Authorization for domain " + domain);
|
||||||
|
|
||||||
|
// Find the desired challenge and prepare it.
|
||||||
|
Challenge challenge = httpChallenge(auth, domain);
|
||||||
|
|
||||||
|
if (challenge == null) {
|
||||||
|
throw new AcmeException("No challenge found");
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the challenge is already verified, there's no need to execute it again.
|
||||||
|
if (challenge.getStatus() == Status.VALID) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now trigger the challenge.
|
||||||
|
challenge.trigger();
|
||||||
|
|
||||||
|
// Poll for the challenge to complete.
|
||||||
|
try {
|
||||||
|
int attempts = 10;
|
||||||
|
while (challenge.getStatus() != Status.VALID && attempts-- > 0) {
|
||||||
|
// Did the authorization fail?
|
||||||
|
if (challenge.getStatus() == Status.INVALID) {
|
||||||
|
throw new AcmeException("Challenge failed... Giving up.");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wait for a few seconds
|
||||||
|
Thread.sleep(3000L);
|
||||||
|
|
||||||
|
// Then update the status
|
||||||
|
challenge.update();
|
||||||
|
}
|
||||||
|
} catch (InterruptedException ex) {
|
||||||
|
LOG.error("interrupted", ex);
|
||||||
|
Thread.currentThread().interrupt();
|
||||||
|
}
|
||||||
|
|
||||||
|
// All reattempts are used up and there is still no valid authorization?
|
||||||
|
if (challenge.getStatus() != Status.VALID) {
|
||||||
|
throw new AcmeException("Failed to pass the challenge for domain " + domain + ", ... Giving up.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prepares a HTTP challenge.
|
||||||
|
* <p>
|
||||||
|
* The verification of this challenge expects a file with a certain content to be reachable at a given path under the domain to be tested.
|
||||||
|
* <p>
|
||||||
|
* This example outputs instructions that need to be executed manually. In a production environment, you would rather generate this file automatically, or maybe use a servlet that returns
|
||||||
|
* {@link Http01Challenge#getAuthorization()}.
|
||||||
|
*
|
||||||
|
* @param auth
|
||||||
|
* {@link Authorization} to find the challenge in
|
||||||
|
* @param domain
|
||||||
|
* Domain name to be authorized
|
||||||
|
* @return {@link Challenge} to verify
|
||||||
|
*/
|
||||||
|
public Challenge httpChallenge(Authorization auth, String domain) throws AcmeException {
|
||||||
|
// Find a single http-01 challenge
|
||||||
|
Http01Challenge challenge = auth.findChallenge(Http01Challenge.TYPE);
|
||||||
|
if (challenge == null) {
|
||||||
|
throw new AcmeException("Found no " + Http01Challenge.TYPE + " challenge, don't know what to do...");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Output the challenge, wait for acknowledge...
|
||||||
|
LOG.info("Please create a file in your web server's base directory.");
|
||||||
|
LOG.info("It must be reachable at: http://" + domain + "/.well-known/acme-challenge/" + challenge.getToken());
|
||||||
|
LOG.info("File name: " + challenge.getToken());
|
||||||
|
LOG.info("Content: " + challenge.getAuthorization());
|
||||||
|
LOG.info("The file must not contain any leading or trailing whitespaces or line breaks!");
|
||||||
|
LOG.info("If you're ready, dismiss the dialog...");
|
||||||
|
|
||||||
|
StringBuilder message = new StringBuilder();
|
||||||
|
message.append("Please create a file in your web server's base directory.\n\n");
|
||||||
|
message.append("http://").append(domain).append("/.well-known/acme-challenge/").append(challenge.getToken())
|
||||||
|
.append("\n\n");
|
||||||
|
message.append("Content:\n\n");
|
||||||
|
message.append(challenge.getAuthorization());
|
||||||
|
acceptChallenge(message.toString());
|
||||||
|
|
||||||
|
return challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Presents the instructions for preparing the challenge validation, and waits for dismissal. If the user cancelled the dialog, an exception is thrown.
|
||||||
|
*
|
||||||
|
* @param message
|
||||||
|
* Instructions to be shown in the dialog
|
||||||
|
*/
|
||||||
|
public void acceptChallenge(String message) throws AcmeException {
|
||||||
|
int option = JOptionPane.showConfirmDialog(null, message, "Prepare Challenge", JOptionPane.OK_CANCEL_OPTION);
|
||||||
|
if (option == JOptionPane.CANCEL_OPTION) {
|
||||||
|
throw new AcmeException("User cancelled the challenge");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Presents the user a link to the Terms of Service, and asks for confirmation. If the user denies confirmation, an exception is thrown.
|
||||||
|
*
|
||||||
|
* @param reg
|
||||||
|
* {@link Registration} User's registration
|
||||||
|
* @param agreement
|
||||||
|
* {@link URI} of the Terms of Service
|
||||||
|
*/
|
||||||
|
public void acceptAgreement(Registration reg, URI agreement) throws AcmeException {
|
||||||
|
int option = JOptionPane.showConfirmDialog(null, "Do you accept the Terms of Service?\n\n" + agreement,
|
||||||
|
"Accept ToS", JOptionPane.YES_NO_OPTION);
|
||||||
|
if (option == JOptionPane.NO_OPTION) {
|
||||||
|
throw new AcmeException("User did not accept Terms of Service");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Motify the Registration and accept the agreement
|
||||||
|
reg.modify().setAgreement(agreement).commit();
|
||||||
|
LOG.info("Updated user's ToS");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Invokes this example.
|
||||||
|
*
|
||||||
|
* @param args
|
||||||
|
* Domains to get a certificate for
|
||||||
|
*/
|
||||||
|
public static void main(String... args) {
|
||||||
|
if (args.length == 0) {
|
||||||
|
System.err.println("Usage: ClientTest <domain>...");
|
||||||
|
System.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
LOG.info("Starting up...");
|
||||||
|
|
||||||
|
Security.addProvider(new BouncyCastleProvider());
|
||||||
|
|
||||||
|
Collection<String> domains = Arrays.asList(args);
|
||||||
|
try {
|
||||||
|
AcmeClient ct = new AcmeClient();
|
||||||
|
ct.fetchCertificate(domains);
|
||||||
|
} catch (Exception ex) {
|
||||||
|
LOG.error("Failed to get a certificate for domains " + domains, ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
20
src/buttondevteam/website/page/AcmeChallengePage.java
Normal file
20
src/buttondevteam/website/page/AcmeChallengePage.java
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
package buttondevteam.website.page;
|
||||||
|
|
||||||
|
import com.sun.net.httpserver.HttpExchange;
|
||||||
|
|
||||||
|
import buttondevteam.website.io.Response;
|
||||||
|
|
||||||
|
public class AcmeChallengePage extends Page {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String GetName() {
|
||||||
|
return ".well-known/acme-challenge";
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Response handlePage(HttpExchange exchange) {
|
||||||
|
// TODO Auto-generated method stub
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in a new issue