1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
#!/usr/bin/ruby
require 'net/http'
require 'json'
require 'base64'
require 'jwt'
def request_directory( uri: )
http = Net::HTTP.new( uri.hostname, uri.port )
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.set_debug_output($stdout)
http.get( uri.path ).body
end
def request_nonce( uri: )
http = Net::HTTP.new( uri.hostname, uri.port )
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.set_debug_output($stdout)
res = http.head( uri.path )
res['Replay-Nonce']
end
def request_newAccount( uri:, data: )
http = Net::HTTP.new( uri.hostname, uri.port )
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.set_debug_output($stdout)
headers = { 'Content-Type': 'application/jose+json' }
http.post( uri.path, data, headers )
end
ecdsa_key = OpenSSL::PKey::EC.generate('prime256v1')
params = optional_parameters = { kid: 'foobar', use: 'sig', alg: 'ES256' }
jwk_key = JWT::JWK.new( ecdsa_key, params )
puts "private jwk_key"
puts jwk_key.export( include_private: true )
puts "public jwk_key"
puts jwk_key.export
# acme_directory_uri = URI('https://acme-staging-v02.api.letsencrypt.org/directory')
acme_directory_uri = URI('https://localhost:14000/dir')
acme_directory_uri.freeze
# acme_directory_json = Net::HTTP.get(acme_directory_uri)
acme_directory_json = request_directory( uri: acme_directory_uri )
acme_directory = JSON.parse(acme_directory_json)
p acme_directory
newAccount_uri = URI( acme_directory['newAccount'] )
newNonce_uri = URI( acme_directory['newNonce'] )
nonce = request_nonce( :uri => newNonce_uri )
puts "nonce"
puts nonce
stub_account_for_new_account = {
contact: [
"mailto:sysadmin@henk.geekmail.org"
],
termsOfServiceAgreed: true,
onlyReturnExisting: true
}
stub_account_for_new_account_json = JSON.generate(stub_account_for_new_account)
puts "stub_account_for_new_account_json"
puts stub_account_for_new_account_json
stub_account_for_new_account_base64 = Base64.urlsafe_encode64(stub_account_for_new_account_json, padding: false)
protected_request_header = {
alg: 'ES256',
nonce: nonce,
url: newAccount_uri,
jwk: jwk_key.export
}
protected_request_header_json = JSON.generate( protected_request_header )
puts "protected_request_header_json"
pp protected_request_header_json
protected_request_header_base64 = Base64.urlsafe_encode64( protected_request_header_json, padding: false )
newAccount_header_with_payload = JSON.generate(
{
:protected => protected_request_header_base64,
:payload => stub_account_for_new_account_base64,
}
)
puts "newAccount_header_with_payload"
puts newAccount_header_with_payload
# #signing_key requires jwt somewhat newer than in debian stable (2.5.0)
# stub_account_for_new_account_signature = JWT::Algos::Ecdsa.sign( 'ES256', newAccount_header_with_payload, jwk_key.signing_key )
# stub_account_for_new_account_signature = ecdsa_key.sign( nil, newAccount_header_with_payload )
stub_account_for_new_account_signature = JWT.encode( newAccount_header_with_payload, jwk_key.signing_key, 'ES256', protected_request_header ).split('.')[-1]
stub_account_for_new_account_signature_base64 = Base64.urlsafe_encode64( stub_account_for_new_account_signature, padding: false )
puts "stub_account_for_new_account_signature_base64"
puts stub_account_for_new_account_signature
puts stub_account_for_new_account_signature_base64
puts stub_account_for_new_account_signature.class
newAccount_request_body = {
:protected => protected_request_header_base64,
:payload => stub_account_for_new_account_base64,
:signature => stub_account_for_new_account_signature
}
newAccount_request_body_json = JSON.generate( newAccount_request_body )
puts "newAccount_request_body_json"
puts newAccount_request_body_json
puts request_newAccount( :uri => newAccount_uri, :data => newAccount_request_body_json )
# puts request_newAccount( :uri => newAccount_uri, :data => stub_account_for_new_account_signature )
|