Repository: shred/acme4j
Branch: master
Commit: 0f3b7de23b3c
Files: 327
Total size: 1.2 MB
Directory structure:
gitextract_nzsxpl3o/
├── .github/
│ ├── FUNDING.yml
│ └── workflows/
│ └── ci.yml
├── .gitignore
├── .gitlab-ci.yml
├── CONTRIBUTING.md
├── LICENSE-APL.txt
├── README.md
├── acme4j-client/
│ ├── pom.xml
│ └── src/
│ ├── main/
│ │ ├── java/
│ │ │ ├── .gitignore
│ │ │ ├── module-info.java
│ │ │ └── org/
│ │ │ └── shredzone/
│ │ │ └── acme4j/
│ │ │ ├── Account.java
│ │ │ ├── AccountBuilder.java
│ │ │ ├── AcmeJsonResource.java
│ │ │ ├── AcmeResource.java
│ │ │ ├── Authorization.java
│ │ │ ├── Certificate.java
│ │ │ ├── Identifier.java
│ │ │ ├── Login.java
│ │ │ ├── Metadata.java
│ │ │ ├── Order.java
│ │ │ ├── OrderBuilder.java
│ │ │ ├── PollableResource.java
│ │ │ ├── Problem.java
│ │ │ ├── RenewalInfo.java
│ │ │ ├── RevocationReason.java
│ │ │ ├── Session.java
│ │ │ ├── Status.java
│ │ │ ├── challenge/
│ │ │ │ ├── Challenge.java
│ │ │ │ ├── Dns01Challenge.java
│ │ │ │ ├── DnsAccount01Challenge.java
│ │ │ │ ├── DnsPersist01Challenge.java
│ │ │ │ ├── Http01Challenge.java
│ │ │ │ ├── TlsAlpn01Challenge.java
│ │ │ │ ├── TokenChallenge.java
│ │ │ │ └── package-info.java
│ │ │ ├── connector/
│ │ │ │ ├── Connection.java
│ │ │ │ ├── DefaultConnection.java
│ │ │ │ ├── HttpConnector.java
│ │ │ │ ├── NetworkSettings.java
│ │ │ │ ├── NonceHolder.java
│ │ │ │ ├── RequestSigner.java
│ │ │ │ ├── Resource.java
│ │ │ │ ├── ResourceIterator.java
│ │ │ │ ├── TrimmingInputStream.java
│ │ │ │ └── package-info.java
│ │ │ ├── exception/
│ │ │ │ ├── AcmeException.java
│ │ │ │ ├── AcmeLazyLoadingException.java
│ │ │ │ ├── AcmeNetworkException.java
│ │ │ │ ├── AcmeNotSupportedException.java
│ │ │ │ ├── AcmeProtocolException.java
│ │ │ │ ├── AcmeRateLimitedException.java
│ │ │ │ ├── AcmeServerException.java
│ │ │ │ ├── AcmeUnauthorizedException.java
│ │ │ │ ├── AcmeUserActionRequiredException.java
│ │ │ │ └── package-info.java
│ │ │ ├── package-info.java
│ │ │ ├── provider/
│ │ │ │ ├── AbstractAcmeProvider.java
│ │ │ │ ├── AcmeProvider.java
│ │ │ │ ├── ChallengeProvider.java
│ │ │ │ ├── ChallengeType.java
│ │ │ │ ├── GenericAcmeProvider.java
│ │ │ │ ├── actalis/
│ │ │ │ │ ├── ActalisAcmeProvider.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── google/
│ │ │ │ │ ├── GoogleAcmeProvider.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── letsencrypt/
│ │ │ │ │ ├── LetsEncryptAcmeProvider.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── package-info.java
│ │ │ │ ├── pebble/
│ │ │ │ │ ├── PebbleAcmeProvider.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── sslcom/
│ │ │ │ │ ├── SslComAcmeProvider.java
│ │ │ │ │ └── package-info.java
│ │ │ │ └── zerossl/
│ │ │ │ ├── ZeroSSLAcmeProvider.java
│ │ │ │ └── package-info.java
│ │ │ ├── toolbox/
│ │ │ │ ├── AcmeUtils.java
│ │ │ │ ├── JSON.java
│ │ │ │ ├── JSONBuilder.java
│ │ │ │ ├── JoseUtils.java
│ │ │ │ └── package-info.java
│ │ │ └── util/
│ │ │ ├── CSRBuilder.java
│ │ │ ├── CertificateUtils.java
│ │ │ ├── KeyPairUtils.java
│ │ │ └── package-info.java
│ │ ├── resources/
│ │ │ ├── .gitignore
│ │ │ ├── META-INF/
│ │ │ │ └── services/
│ │ │ │ └── org.shredzone.acme4j.provider.AcmeProvider
│ │ │ └── org/
│ │ │ └── shredzone/
│ │ │ └── acme4j/
│ │ │ └── provider/
│ │ │ └── pebble/
│ │ │ └── pebble.minica.pem
│ │ └── resources-filtered/
│ │ └── org/
│ │ └── shredzone/
│ │ └── acme4j/
│ │ └── version.properties
│ └── test/
│ ├── java/
│ │ ├── .gitignore
│ │ └── org/
│ │ └── shredzone/
│ │ └── acme4j/
│ │ ├── AccountBuilderTest.java
│ │ ├── AccountTest.java
│ │ ├── AcmeJsonResourceTest.java
│ │ ├── AcmeResourceTest.java
│ │ ├── AuthorizationTest.java
│ │ ├── CertificateTest.java
│ │ ├── IdentifierTest.java
│ │ ├── LoginTest.java
│ │ ├── OrderBuilderTest.java
│ │ ├── OrderTest.java
│ │ ├── ProblemTest.java
│ │ ├── RenewalInfoTest.java
│ │ ├── SessionTest.java
│ │ ├── StatusTest.java
│ │ ├── challenge/
│ │ │ ├── ChallengeTest.java
│ │ │ ├── Dns01ChallengeTest.java
│ │ │ ├── DnsAccount01ChallengeTest.java
│ │ │ ├── DnsPersist01ChallengeTest.java
│ │ │ ├── Http01ChallengeTest.java
│ │ │ ├── TlsAlpn01ChallengeTest.java
│ │ │ └── TokenChallengeTest.java
│ │ ├── connector/
│ │ │ ├── DefaultConnectionTest.java
│ │ │ ├── DummyConnection.java
│ │ │ ├── HttpConnectorTest.java
│ │ │ ├── NetworkSettingsTest.java
│ │ │ ├── ResourceIteratorTest.java
│ │ │ ├── ResourceTest.java
│ │ │ ├── SessionProviderTest.java
│ │ │ └── TrimmingInputStreamTest.java
│ │ ├── exception/
│ │ │ ├── AcmeExceptionTest.java
│ │ │ ├── AcmeLazyLoadingExceptionTest.java
│ │ │ ├── AcmeNetworkExceptionTest.java
│ │ │ ├── AcmeNotSupportedExceptionTest.java
│ │ │ ├── AcmeProtocolExceptionTest.java
│ │ │ ├── AcmeRateLimitedExceptionTest.java
│ │ │ └── AcmeUserActionRequiredExceptionTest.java
│ │ ├── provider/
│ │ │ ├── AbstractAcmeProviderTest.java
│ │ │ ├── GenericAcmeProviderTest.java
│ │ │ ├── TestableConnectionProvider.java
│ │ │ ├── actalis/
│ │ │ │ └── ActalisAcmeProviderTest.java
│ │ │ ├── google/
│ │ │ │ └── GoogleAcmeProviderTest.java
│ │ │ ├── letsencrypt/
│ │ │ │ └── LetsEncryptAcmeProviderTest.java
│ │ │ ├── pebble/
│ │ │ │ └── PebbleAcmeProviderTest.java
│ │ │ ├── sslcom/
│ │ │ │ └── SslComAcmeProviderTest.java
│ │ │ └── zerossl/
│ │ │ └── ZeroSSLAcmeProviderTest.java
│ │ ├── toolbox/
│ │ │ ├── AcmeUtilsTest.java
│ │ │ ├── JSONBuilderTest.java
│ │ │ ├── JSONTest.java
│ │ │ ├── JoseUtilsTest.java
│ │ │ └── TestUtils.java
│ │ └── util/
│ │ ├── CSRBuilderTest.java
│ │ ├── CertificateUtilsTest.java
│ │ └── KeyPairUtilsTest.java
│ └── resources/
│ ├── .gitignore
│ ├── META-INF/
│ │ └── services/
│ │ └── org.shredzone.acme4j.provider.AcmeProvider
│ ├── ari-example-cert.pem
│ ├── cert.pem
│ ├── certid-cert.pem
│ ├── csr.der
│ ├── domain-private.key
│ ├── domain-public.key
│ ├── json/
│ │ ├── authorizationChallenges.json
│ │ ├── canceledOrderResponse.json
│ │ ├── datatypes.json
│ │ ├── deactivateAccountResponse.json
│ │ ├── directory.json
│ │ ├── directoryNoMeta.json
│ │ ├── dns01Challenge.json
│ │ ├── dnsAccount01Challenge.json
│ │ ├── dnsPersist01Challenge.json
│ │ ├── finalizeAutoRenewResponse.json
│ │ ├── finalizeRequest.json
│ │ ├── finalizeResponse.json
│ │ ├── genericChallenge.json
│ │ ├── httpChallenge.json
│ │ ├── httpNoTokenChallenge.json
│ │ ├── modifyAccount.json
│ │ ├── modifyAccountResponse.json
│ │ ├── newAccount.json
│ │ ├── newAccountOnlyExisting.json
│ │ ├── newAccountResponse.json
│ │ ├── newAuthorizationRequest.json
│ │ ├── newAuthorizationRequestSub.json
│ │ ├── newAuthorizationResponse.json
│ │ ├── newAuthorizationResponseSub.json
│ │ ├── problem.json
│ │ ├── renewalInfo.json
│ │ ├── replacedCertificateRequest.json
│ │ ├── requestAutoRenewOrderRequest.json
│ │ ├── requestAutoRenewOrderResponse.json
│ │ ├── requestCertificateRequest.json
│ │ ├── requestCertificateRequestWithDate.json
│ │ ├── requestOrderRequest.json
│ │ ├── requestOrderRequestSub.json
│ │ ├── requestOrderResponse.json
│ │ ├── requestOrderResponseSub.json
│ │ ├── requestProfileOrderRequest.json
│ │ ├── requestProfileOrderResponse.json
│ │ ├── requestReplacesRequest.json
│ │ ├── requestReplacesResponse.json
│ │ ├── revokeCertificateRequest.json
│ │ ├── revokeCertificateWithReasonRequest.json
│ │ ├── tlsAlpnChallenge.json
│ │ ├── triggerHttpChallenge.json
│ │ ├── triggerHttpChallengeRequest.json
│ │ ├── triggerHttpChallengeResponse.json
│ │ ├── updateAccount.json
│ │ ├── updateAccountResponse.json
│ │ ├── updateAuthorizationResponse.json
│ │ ├── updateAuthorizationWildcardResponse.json
│ │ ├── updateAutoRenewOrderResponse.json
│ │ ├── updateHttpChallengeResponse.json
│ │ └── updateOrderResponse.json
│ ├── private.key
│ ├── public.key
│ └── simplelogger.properties
├── acme4j-example/
│ ├── .gitignore
│ ├── pom.xml
│ └── src/
│ ├── main/
│ │ ├── java/
│ │ │ ├── .gitignore
│ │ │ ├── module-info.java
│ │ │ └── org/
│ │ │ └── shredzone/
│ │ │ └── acme4j/
│ │ │ └── example/
│ │ │ └── ClientTest.java
│ │ └── resources/
│ │ ├── .gitignore
│ │ └── simplelogger.properties
│ └── test/
│ ├── java/
│ │ └── .gitignore
│ └── resources/
│ └── .gitignore
├── acme4j-it/
│ ├── pom.xml
│ └── src/
│ ├── main/
│ │ ├── docker/
│ │ │ ├── challtestsrv.dockerfile
│ │ │ └── challtestsrv.sh
│ │ ├── java/
│ │ │ ├── module-info.java
│ │ │ └── org/
│ │ │ └── shredzone/
│ │ │ └── acme4j/
│ │ │ └── it/
│ │ │ ├── BammBammClient.java
│ │ │ └── package-info.java
│ │ └── resources/
│ │ └── .gitignore
│ └── test/
│ ├── java/
│ │ └── org/
│ │ └── shredzone/
│ │ └── acme4j/
│ │ └── it/
│ │ ├── ProviderIT.java
│ │ ├── SoftFail.java
│ │ ├── SoftFailExtension.java
│ │ ├── boulder/
│ │ │ └── OrderHttpIT.java
│ │ └── pebble/
│ │ ├── AccountIT.java
│ │ ├── OrderIT.java
│ │ ├── OrderWildcardIT.java
│ │ ├── PebbleITBase.java
│ │ └── SessionIT.java
│ └── resources/
│ └── simplelogger.properties
├── acme4j-smime/
│ ├── .gitattributes
│ ├── pom.xml
│ ├── src/
│ │ ├── main/
│ │ │ ├── java/
│ │ │ │ ├── .gitignore
│ │ │ │ ├── module-info.java
│ │ │ │ └── org/
│ │ │ │ └── shredzone/
│ │ │ │ └── acme4j/
│ │ │ │ └── smime/
│ │ │ │ ├── EmailIdentifier.java
│ │ │ │ ├── challenge/
│ │ │ │ │ ├── EmailReply00Challenge.java
│ │ │ │ │ ├── EmailReply00ChallengeProvider.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── csr/
│ │ │ │ │ ├── KeyUsageType.java
│ │ │ │ │ ├── SMIMECSRBuilder.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── email/
│ │ │ │ │ ├── EmailProcessor.java
│ │ │ │ │ ├── ResponseBodyGenerator.java
│ │ │ │ │ ├── ResponseGenerator.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── exception/
│ │ │ │ │ ├── AcmeInvalidMessageException.java
│ │ │ │ │ └── package-info.java
│ │ │ │ ├── package-info.java
│ │ │ │ └── wrapper/
│ │ │ │ ├── Mail.java
│ │ │ │ ├── SignedMail.java
│ │ │ │ ├── SignedMailBuilder.java
│ │ │ │ ├── SimpleMail.java
│ │ │ │ └── package-info.java
│ │ │ └── resources/
│ │ │ ├── .gitignore
│ │ │ └── META-INF/
│ │ │ └── services/
│ │ │ └── org.shredzone.acme4j.provider.ChallengeProvider
│ │ └── test/
│ │ ├── java/
│ │ │ ├── .gitignore
│ │ │ └── org/
│ │ │ └── shredzone/
│ │ │ └── acme4j/
│ │ │ └── smime/
│ │ │ ├── EmailIdentifierTest.java
│ │ │ ├── SMIMETests.java
│ │ │ ├── challenge/
│ │ │ │ └── EmailReply00ChallengeTest.java
│ │ │ ├── csr/
│ │ │ │ └── SMIMECSRBuilderTest.java
│ │ │ ├── email/
│ │ │ │ └── EmailProcessorTest.java
│ │ │ └── wrapper/
│ │ │ ├── SignedMailBuilderTest.java
│ │ │ └── SignedMailTest.java
│ │ └── resources/
│ │ ├── .gitignore
│ │ ├── 7508-fake-ca.jks
│ │ ├── 7508-valid-ca.jks
│ │ ├── email/
│ │ │ ├── challenge.eml
│ │ │ ├── invalid-cert-mismatch.eml
│ │ │ ├── invalid-nosan.eml
│ │ │ ├── invalid-protected-mail-from.eml
│ │ │ ├── invalid-protected-mail-subject.eml
│ │ │ ├── invalid-protected-mail-to.eml
│ │ │ ├── invalid-signed-mail.eml
│ │ │ ├── valid-mail-7508.eml
│ │ │ └── valid-mail.eml
│ │ ├── invalid-signer-privkey.pem
│ │ ├── invalid-signer.pem
│ │ ├── json/
│ │ │ ├── emailReplyChallenge.json
│ │ │ └── emailReplyChallengeMismatch.json
│ │ ├── key.pem
│ │ ├── valid-signer-nosan-privkey.pem
│ │ ├── valid-signer-nosan.pem
│ │ ├── valid-signer-privkey.pem
│ │ └── valid-signer.pem
│ └── tool/
│ ├── smime-generator.py
│ └── test-key-generator.sh
├── pom.xml
└── src/
└── doc/
├── docs/
│ ├── ca/
│ │ ├── actalis.md
│ │ ├── google.md
│ │ ├── index.md
│ │ ├── letsencrypt.md
│ │ ├── pebble.md
│ │ ├── sslcom.md
│ │ └── zerossl.md
│ ├── challenge/
│ │ ├── dns-01.md
│ │ ├── dns-account-01.md
│ │ ├── dns-persist-01.md
│ │ ├── email-reply-00.md
│ │ ├── http-01.md
│ │ ├── index.md
│ │ └── tls-alpn-01.md
│ ├── development/
│ │ ├── challenge.md
│ │ ├── index.md
│ │ ├── provider.md
│ │ └── testing.md
│ ├── example.md
│ ├── faq.md
│ ├── index.md
│ ├── migration.md
│ └── usage/
│ ├── account.md
│ ├── advanced.md
│ ├── connecting.md
│ ├── debugging.md
│ ├── errors.md
│ ├── exceptions.md
│ ├── index.md
│ ├── order.md
│ ├── persistence.md
│ ├── renewal.md
│ └── revocation.md
├── mkdocs.yml
└── theme/
├── breadcrumbs.html
├── css/
│ ├── font.css
│ ├── theme_custom.css
│ └── theme_pygments.css
├── footer.html
└── main.html
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/FUNDING.yml
================================================
github: shred
ko_fi: shredzone
================================================
FILE: .github/workflows/ci.yml
================================================
name: CI
on:
pull_request:
branches:
- master
push:
branches:
- master
jobs:
build:
runs-on: ubuntu-22.04
strategy:
matrix:
java: [ '17', '21' ]
steps:
- uses: actions/checkout@v2
- name: Set up JDK
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
- name: Build
run: mvn --no-transfer-progress -B -P ci verify
================================================
FILE: .gitignore
================================================
target
================================================
FILE: .gitlab-ci.yml
================================================
stages:
- build
- test
variables:
DOCKER_TLS_CERTDIR: "/certs"
DOCKER_HOST: tcp://docker:2376
DOCKER_TLS_VERIFY: "1"
DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
image: maven:3-eclipse-temurin-17
cache:
key: ${CI_COMMIT_REF_SLUG}
paths:
- /root/.m2/repository/
- acme4j-client/target/
- acme4j-example/target/
- acme4j-it/target/
- acme4j-smime/target/
- target/
build:
stage: build
script:
- apt-get update -y && apt-get install -y mkdocs
- mvn -B clean install mkdocs:build
test:
stage: test
services:
- name: docker:dind
alias: pebble, bammbamm
script:
- (cd acme4j-it; mvn -B docker:remove)
- mvn -B -P ci verify -DpebbleHost=pebble -DbammbammUrl=http://bammbamm:8055 -Ddocker.showLogs=true
================================================
FILE: CONTRIBUTING.md
================================================
# Contributing to _acme4j_
Thank you for taking your time to contribute!
## Acceptance Criteria
These criteria must be met for a successful pull request:
* Follow the [Style Guide](#style-guide).
* If you add code, remember to add [unit tests](#unit-tests) that test your code.
* All unit tests must run successfully.
* Integration tests should run successfully, unless there is a good reason (e.g. waiting for a pending change in Pebble).
* Your commits follow the [git commit](#git-commits) guide.
* You accept that your code is distributed under the terms of [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0).
* You confirm that you did not use AI based code generators like GitHub Copilot for your contribution.
## Style Guide
Our style guide bases on [Oracle's Code conventions for the Java Programming Language](http://www.oracle.com/technetwork/java/codeconventions-150003.pdf). These additional rules apply:
* Indentation is 4 spaces. Do not use tabs!
* Remove trailing spaces.
* Line length is 90 characters. You may exceed this length by a few characters if it is easier to read than a wrapped line.
* `if`, `for` and `while` statements always use blocks, even for a single statement.
* All types and methods must have a descriptive JavaDoc, except of `@Override` annotated methods. For plain getter and setter methods, `@param` and `@return` can be omitted.
## Unit Tests
More than 80% of the code is covered by unit tests, and we would like to keep it that way.
* Main functionalities must be covered by unit tests.
* Corner cases should be covered by unit tests.
* Common exception handling does not need to be tested.
* No tests are required for code that is not expected to be executed (e.g. `UnsupportedEncodingException` when handling utf-8, or the empty private default constructor of a utility class).
* Unit tests should not depend on external resources, as they might be temporarily unavailable at runtime.
There are no unit tests required for the `acme4j-example` and `acme4j-it` modules.
## git Commits
Good programming does not end with a clean source code, but should have pretty commits as well.
* Always put separate concerns into separate commits.
* If you have interim commits in your history, squash them with an interactive rebase before sending the pull request.
* Use present tense and imperative mood in commit messages ("fix bug #1234", not "fixed bug #1234").
* Always give meaningful commit messages (not just "bug fix").
* The commit message must be concise and should not exceed 50 characters. Further explanations may follow in subsequent lines, with an empty line as separator.
* Commits must compile and must not break unit tests.
* Do not commit IDE generated files and directories (like `.project` or `.idea`).
================================================
FILE: LICENSE-APL.txt
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: README.md
================================================
# ACME Java Client  
This is a Java client for the _Automatic Certificate Management Environment_ (ACME) protocol as specified in [RFC 8555](https://tools.ietf.org/html/rfc8555).
ACME is a protocol that a certificate authority (CA) and an applicant can use to automate the process of verification and certificate issuance.
This Java client helps to connect to an ACME server, and performing all necessary steps to manage certificates.
## Features
* Mature and stable code base. First release was in December 2015!
* Fully [RFC 8555](https://tools.ietf.org/html/rfc8555) compliant
* Supports the `http-01`, `dns-01`, and `tls-alpn-01` ([RFC 8737](https://tools.ietf.org/html/rfc8737)) challenges
* Supports [RFC 8738](https://tools.ietf.org/html/rfc8738) IP identifier validation
* Supports [RFC 8739](https://tools.ietf.org/html/rfc8739) short-term automatic certificate renewal (experimental)
* Supports [RFC 8823](https://tools.ietf.org/html/rfc8823) for S/MIME certificates (experimental)
* Supports [RFC 9444](https://tools.ietf.org/html/rfc9444) for subdomain validation
* Supports [RFC 9773](https://tools.ietf.org/html/rfc9773) for renewal information
* Supports [draft-ietf-acme-profiles-01](https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/) for certificate profiles (experimental)
* Supports [draft-ietf-acme-dns-account-label-02](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-account-label/) for DNS labeled with ACME account ID challenges (experimental)
* Supports [draft-ietf-acme-dns-persist-01](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/) for dns-persist-01 challenges (experimental)
* Easy to use Java API
* Requires JRE 17 or higher
* Supports [Actalis](https://www.actalis.com/), [Google Trust Services](https://pki.goog/), [Let's Encrypt](https://letsencrypt.org/), [SSL.com](https://www.ssl.com/), [ZeroSSL](https://zerossl.com/), and **all other CAs that comply with the ACME protocol (RFC 8555)**. Note that _acme4j_ is an independent project that is not supported or endorsed by any of the CAs.
* Built with maven, packages available at [Maven Central](http://search.maven.org/#search|ga|1|g%3A%22org.shredzone.acme4j%22)
* Extensive unit and integration tests
* Adheres to [Semantic Versioning](https://semver.org/)
## Dependencies
* [Bouncy Castle](https://www.bouncycastle.org/)
* [jose4j](https://bitbucket.org/b_c/jose4j/wiki/Home)
* [slf4j](http://www.slf4j.org/)
* For `acme4j-smime`: [Jakarta Mail](https://eclipse-ee4j.github.io/mail/), [Bouncy Castle](https://www.bouncycastle.org/)
## Usage
* See the [online documentation](https://shredzone.org/maven/acme4j/) about how to use _acme4j_.
* For a quick start, take a look at [the source code of an example](https://shredzone.org/maven/acme4j/example.html).
## Announcements
Follow our Mastodon feed for release notes and other acme4j related news.
* Mastodon: `@acme4j@foojay.social`
* RSS: https://foojay.social/@acme4j.rss
## Contribute
* Fork the [Source code at Codeberg](https://codeberg.org/shred/acme4j) or [GitHub](https://github.com/shred/acme4j). Feel free to send pull requests (see [Contributing](CONTRIBUTING.md) for the rules).
* Found a bug? [File a bug report!](https://codeberg.org/shred/acme4j/issues) ([GitHub](https://github.com/shred/acme4j/issues))
## License
_acme4j_ is open source software. The source code is distributed under the terms of [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0).
## Acknowledgements
* I would like to thank Brian Campbell and all the other [jose4j](https://bitbucket.org/b_c/jose4j/wiki/Home) developers. _acme4j_ would not exist without your excellent work.
* Thanks to [Daniel McCarney](https://github.com/cpu) for his help with the ACME protocol, Pebble, and Boulder.
* [Ulrich Krause](https://github.com/eknori) for his help to make _acme4j_ run on IBM Java VMs.
* I also like to thank [everyone who contributed to _acme4j_](https://codeberg.org/shred/acme4j/activity/contributors).
* The Mastodon account is hosted by [foojay.io](https://foojay.io).
================================================
FILE: acme4j-client/pom.xml
================================================
4.0.0org.shredzone.acme4jacme4j5.1.1-SNAPSHOTacme4j-clientacme4j ClientACME client for Javasrc/main/resourcessrc/main/resources-filteredtrueorg.apache.maven.pluginsmaven-surefire-pluginfalseorg.bitbucket.b_cjose4j${jose4j.version}org.bouncycastlebcprov-jdk18on${bouncycastle.version}org.bouncycastlebcpkix-jdk18on${bouncycastle.version}org.slf4jslf4j-api${slf4j.version}org.slf4jslf4j-simple${slf4j.version}testorg.bouncycastlebcpg-jdk18on${bouncycastle.version}test
================================================
FILE: acme4j-client/src/main/java/.gitignore
================================================
================================================
FILE: acme4j-client/src/main/java/module-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This is the main module of the acme4j client.
*/
module org.shredzone.acme4j {
requires static com.github.spotbugs.annotations;
requires java.net.http;
requires org.bouncycastle.pkix;
requires org.bouncycastle.provider;
requires org.jose4j;
requires org.slf4j;
exports org.shredzone.acme4j;
exports org.shredzone.acme4j.challenge;
exports org.shredzone.acme4j.connector;
exports org.shredzone.acme4j.exception;
exports org.shredzone.acme4j.provider;
exports org.shredzone.acme4j.toolbox;
exports org.shredzone.acme4j.util;
uses org.shredzone.acme4j.provider.AcmeProvider;
uses org.shredzone.acme4j.provider.ChallengeProvider;
provides org.shredzone.acme4j.provider.AcmeProvider
with org.shredzone.acme4j.provider.GenericAcmeProvider,
org.shredzone.acme4j.provider.actalis.ActalisAcmeProvider,
org.shredzone.acme4j.provider.google.GoogleAcmeProvider,
org.shredzone.acme4j.provider.letsencrypt.LetsEncryptAcmeProvider,
org.shredzone.acme4j.provider.pebble.PebbleAcmeProvider,
org.shredzone.acme4j.provider.sslcom.SslComAcmeProvider,
org.shredzone.acme4j.provider.zerossl.ZeroSSLAcmeProvider;
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Account.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import java.io.Serial;
import java.net.URI;
import java.net.URL;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.shredzone.acme4j.connector.Resource;
import org.shredzone.acme4j.connector.ResourceIterator;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.exception.AcmeServerException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSON.Value;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.shredzone.acme4j.toolbox.JoseUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* A representation of an account at the ACME server.
*/
public class Account extends AcmeJsonResource {
@Serial
private static final long serialVersionUID = 7042863483428051319L;
private static final Logger LOG = LoggerFactory.getLogger(Account.class);
private static final String KEY_TOS_AGREED = "termsOfServiceAgreed";
private static final String KEY_ORDERS = "orders";
private static final String KEY_CONTACT = "contact";
private static final String KEY_STATUS = "status";
private static final String KEY_EXTERNAL_ACCOUNT_BINDING = "externalAccountBinding";
protected Account(Login login, URL location) {
super(login, location);
}
/**
* Returns if the user agreed to the terms of service.
*
* @return {@code true} if the user agreed to the terms of service. May be
* empty if the server did not provide such an information.
*/
public Optional getTermsOfServiceAgreed() {
return getJSON().get(KEY_TOS_AGREED).map(Value::asBoolean);
}
/**
* List of registered contact addresses (emails, phone numbers etc).
*
* This list is unmodifiable. Use {@link #modify()} to change the contacts. May be
* empty, but is never {@code null}.
*/
public List getContacts() {
return getJSON().get(KEY_CONTACT)
.asArray()
.stream()
.map(Value::asURI)
.toList();
}
/**
* Returns the current status of the account.
*
* Possible values are: {@link Status#VALID}, {@link Status#DEACTIVATED},
* {@link Status#REVOKED}.
*/
public Status getStatus() {
return getJSON().get(KEY_STATUS).asStatus();
}
/**
* Returns {@code true} if the account is bound to an external non-ACME account.
*
* @since 2.8
*/
public boolean hasExternalAccountBinding() {
return getJSON().contains(KEY_EXTERNAL_ACCOUNT_BINDING);
}
/**
* Returns the key identifier of the external non-ACME account. If this account is
* not bound to an external account, the result is empty.
*
* @since 2.8
*/
public Optional getKeyIdentifier() {
return getJSON().get(KEY_EXTERNAL_ACCOUNT_BINDING)
.optional().map(Value::asObject)
.map(j -> j.get("protected")).map(Value::asEncodedObject)
.map(j -> j.get("kid")).map(Value::asString);
}
/**
* Returns an {@link Iterator} of all {@link Order} belonging to this
* {@link Account}.
*
* Using the iterator will initiate one or more requests to the ACME server.
*
* @return {@link Iterator} instance that returns {@link Order} objects in no specific
* sorting order. {@link Iterator#hasNext()} and {@link Iterator#next()} may throw
* {@link AcmeProtocolException} if a batch of authorization URIs could not be fetched
* from the server.
*/
public Iterator getOrders() {
var ordersUrl = getJSON().get(KEY_ORDERS).optional().map(Value::asURL);
if (ordersUrl.isEmpty()) {
// Let's Encrypt does not provide this field at the moment, although it's required.
// See https://github.com/letsencrypt/boulder/issues/3335
throw new AcmeNotSupportedException("getOrders()");
}
return new ResourceIterator<>(getLogin(), KEY_ORDERS, ordersUrl.get(), Login::bindOrder);
}
/**
* Creates a builder for a new {@link Order}.
*
* @return {@link OrderBuilder} object
*/
public OrderBuilder newOrder() {
return getLogin().newOrder();
}
/**
* Pre-authorizes a domain. The CA will check if it accepts the domain for
* certification, and returns the necessary challenges.
*
* Some servers may not allow pre-authorization.
*
* It is not possible to pre-authorize wildcard domains.
*
* @param domain
* Domain name to be pre-authorized. IDN names are accepted and will be ACE
* encoded automatically.
* @return {@link Authorization} object for this domain
* @throws AcmeException
* if the server does not allow pre-authorization
* @throws AcmeServerException
* if the server allows pre-authorization, but will refuse to issue a
* certificate for this domain
*/
public Authorization preAuthorizeDomain(String domain) throws AcmeException {
Objects.requireNonNull(domain, "domain");
if (domain.isEmpty()) {
throw new IllegalArgumentException("domain must not be empty");
}
return preAuthorize(Identifier.dns(domain));
}
/**
* Pre-authorizes an {@link Identifier}. The CA will check if it accepts the
* identifier for certification, and returns the necessary challenges.
*
* Some servers may not allow pre-authorization.
*
* It is not possible to pre-authorize wildcard domains.
*
* @param identifier
* {@link Identifier} to be pre-authorized.
* @return {@link Authorization} object for this identifier
* @throws AcmeException
* if the server does not allow pre-authorization
* @throws AcmeServerException
* if the server allows pre-authorization, but will refuse to issue a
* certificate for this identifier
* @since 2.3
*/
public Authorization preAuthorize(Identifier identifier) throws AcmeException {
Objects.requireNonNull(identifier, "identifier");
var newAuthzUrl = getSession().resourceUrl(Resource.NEW_AUTHZ);
if (identifier.toMap().containsKey(Identifier.KEY_SUBDOMAIN_AUTH_ALLOWED)
&& !getSession().getMetadata().isSubdomainAuthAllowed()) {
throw new AcmeNotSupportedException("subdomain-auth");
}
LOG.debug("preAuthorize {}", identifier);
try (var conn = getSession().connect()) {
var claims = new JSONBuilder();
claims.put("identifier", identifier.toMap());
conn.sendSignedRequest(newAuthzUrl, claims, getLogin());
var auth = getLogin().bindAuthorization(conn.getLocation());
auth.setJSON(conn.readJsonResponse());
return auth;
}
}
/**
* Changes the {@link KeyPair} associated with the account.
*
* After a successful call, the new key pair is already set in the associated
* {@link Login}. The old key pair can be discarded.
*
* @param newKeyPair
* new {@link KeyPair} to be used for identifying this account
*/
public void changeKey(KeyPair newKeyPair) throws AcmeException {
Objects.requireNonNull(newKeyPair, "newKeyPair");
if (Arrays.equals(getLogin().getPublicKey().getEncoded(),
newKeyPair.getPublic().getEncoded())) {
throw new IllegalArgumentException("newKeyPair must actually be a new key pair");
}
LOG.debug("key-change");
try (var conn = getSession().connect()) {
var keyChangeUrl = getSession().resourceUrl(Resource.KEY_CHANGE);
var payloadClaim = new JSONBuilder();
payloadClaim.put("account", getLocation());
payloadClaim.putKey("oldKey", getLogin().getPublicKey());
var jose = JoseUtils.createJoseRequest(keyChangeUrl, newKeyPair,
payloadClaim, null, null);
conn.sendSignedRequest(keyChangeUrl, jose, getLogin());
getLogin().setKeyPair(newKeyPair);
}
}
/**
* Permanently deactivates an account. Related certificates may still be valid after
* account deactivation, and need to be revoked separately if neccessary.
*
* A deactivated account cannot be reactivated!
*/
public void deactivate() throws AcmeException {
LOG.debug("deactivate");
try (var conn = getSession().connect()) {
var claims = new JSONBuilder();
claims.put(KEY_STATUS, "deactivated");
conn.sendSignedRequest(getLocation(), claims, getLogin());
setJSON(conn.readJsonResponse());
}
}
/**
* Modifies the account data of the account.
*
* @return {@link EditableAccount} where the account can be modified
*/
public EditableAccount modify() {
return new EditableAccount();
}
/**
* Provides editable properties of an {@link Account}.
*/
public class EditableAccount {
private final List editContacts = new ArrayList<>();
private EditableAccount() {
editContacts.addAll(Account.this.getContacts());
}
/**
* Returns the list of all contact URIs for modification. Use the {@link List}
* methods to modify the contact list.
*
* The modified list is not validated. If you change entries, you have to make
* sure that they are valid according to the RFC. It is recommended to use
* the {@code addContact()} methods below to add new contacts to the list.
*/
@SuppressFBWarnings("EI_EXPOSE_REP") // behavior is intended
public List getContacts() {
return editContacts;
}
/**
* Adds a new Contact to the account.
*
* @param contact
* Contact URI
* @return itself
*/
public EditableAccount addContact(URI contact) {
AcmeUtils.validateContact(contact);
editContacts.add(contact);
return this;
}
/**
* Adds a new Contact to the account.
*
* This is a convenience call for {@link #addContact(URI)}.
*
* @param contact
* Contact URI as string
* @return itself
*/
public EditableAccount addContact(String contact) {
addContact(URI.create(contact));
return this;
}
/**
* Adds a new Contact email to the account.
*
* This is a convenience call for {@link #addContact(String)} that doesn't
* require to prepend the email address with the "mailto" scheme.
*
* @param email
* Contact email without "mailto" scheme (e.g. test@gmail.com)
* @return itself
*/
public EditableAccount addEmail(String email) {
addContact("mailto:" + email);
return this;
}
/**
* Commits the changes and updates the account.
*/
public void commit() throws AcmeException {
LOG.debug("modify/commit");
try (var conn = getSession().connect()) {
var claims = new JSONBuilder();
if (!editContacts.isEmpty()) {
claims.put(KEY_CONTACT, editContacts);
}
conn.sendSignedRequest(getLocation(), claims, getLogin());
setJSON(conn.readJsonResponse());
}
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/AccountBuilder.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.Objects.requireNonNull;
import static org.jose4j.jws.AlgorithmIdentifiers.*;
import static org.shredzone.acme4j.toolbox.JoseUtils.macKeyAlgorithm;
import java.net.URI;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.connector.Resource;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.shredzone.acme4j.toolbox.JoseUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* A builder for registering a new account with the CA.
*
* You need to create a new key pair and set it via {@link #useKeyPair(KeyPair)}. Your
* account will be identified by the public part of that key pair, so make sure to store
* it safely! There is no automatic way to regain access to your account if the key pair
* is lost.
*
* Depending on the CA you register with, you might need to give additional information.
*
*
You might need to agree to the terms of service via
* {@link #agreeToTermsOfService()}.
*
You might need to give at least one contact URI.
*
You might need to provide a key identifier (e.g. your customer number) and
* a shared secret via {@link #withKeyIdentifier(String, SecretKey)}.
*
*
* It is not possible to modify an existing account with the {@link AccountBuilder}. To
* modify an existing account, use {@link Account#modify()} and
* {@link Account#changeKey(KeyPair)}.
*/
public class AccountBuilder {
private static final Logger LOG = LoggerFactory.getLogger(AccountBuilder.class);
private static final Set VALID_ALGORITHMS = Set.of(HMAC_SHA256, HMAC_SHA384, HMAC_SHA512);
private final List contacts = new ArrayList<>();
private @Nullable Boolean termsOfServiceAgreed;
private @Nullable Boolean onlyExisting;
private @Nullable String keyIdentifier;
private @Nullable KeyPair keyPair;
private @Nullable SecretKey macKey;
private @Nullable String macAlgorithm;
/**
* Add a contact URI to the list of contacts.
*
* A contact URI may be e.g. an email address or a phone number. It depends on the CA
* what kind of contact URIs are accepted, and how many must be provided as minimum.
*
* @param contact
* Contact URI
* @return itself
*/
public AccountBuilder addContact(URI contact) {
AcmeUtils.validateContact(contact);
contacts.add(contact);
return this;
}
/**
* Add a contact address to the list of contacts.
*
* This is a convenience call for {@link #addContact(URI)}.
*
* @param contact
* Contact URI as string
* @return itself
* @throws IllegalArgumentException
* if there is a syntax error in the URI string
*/
public AccountBuilder addContact(String contact) {
addContact(URI.create(contact));
return this;
}
/**
* Add an email address to the list of contacts.
*
* This is a convenience call for {@link #addContact(String)} that doesn't require
* to prepend the "mailto" scheme to an email address.
*
* @param email
* Contact email without "mailto" scheme (e.g. test@gmail.com)
* @return itself
* @throws IllegalArgumentException
* if there is a syntax error in the URI string
*/
public AccountBuilder addEmail(String email) {
if (email.startsWith("mailto:")) {
addContact(email);
} else {
addContact("mailto:" + email);
}
return this;
}
/**
* Documents that the user has agreed to the terms of service.
*
* If the CA requires the user to agree to the terms of service, it is your
* responsibility to present them to the user, and actively ask for their agreement. A
* link to the terms of service is provided via
* {@code session.getMetadata().getTermsOfService()}.
*
* @return itself
*/
public AccountBuilder agreeToTermsOfService() {
this.termsOfServiceAgreed = true;
return this;
}
/**
* Signals that only an existing account should be returned. The server will not
* create a new account if the key is not known.
*
* If you have lost your account's location URL, but still have your account's key
* pair, you can register your account again with the same key, and use
* {@link #onlyExisting()} to make sure that your existing account is returned. If
* your key is unknown to the server, an error is thrown once the account is to be
* created.
*
* @return itself
*/
public AccountBuilder onlyExisting() {
this.onlyExisting = true;
return this;
}
/**
* Sets the {@link KeyPair} to be used for this account.
*
* Only the public key of the pair is sent to the server for registration. acme4j will
* never send the private key part.
*
* Make sure to store your key pair safely after registration! There is no automatic
* way to regain access to your account if the key pair is lost.
*
* @param keyPair
* Account's {@link KeyPair}
* @return itself
*/
public AccountBuilder useKeyPair(KeyPair keyPair) {
this.keyPair = requireNonNull(keyPair, "keyPair");
return this;
}
/**
* Sets a Key Identifier and MAC key provided by the CA. Use this if your CA requires
* an individual account identification (e.g. your customer number) and a shared
* secret for registration. See the documentation of your CA about how to retrieve the
* key identifier and MAC key.
*
* @param kid
* Key Identifier
* @param macKey
* MAC key
* @return itself
* @see #withKeyIdentifier(String, String)
*/
public AccountBuilder withKeyIdentifier(String kid, SecretKey macKey) {
if (kid != null && kid.isEmpty()) {
throw new IllegalArgumentException("kid must not be empty");
}
this.macKey = requireNonNull(macKey, "macKey");
this.keyIdentifier = kid;
return this;
}
/**
* Sets a Key Identifier and MAC key provided by the CA. Use this if your CA requires
* an individual account identification (e.g. your customer number) and a shared
* secret for registration. See the documentation of your CA about how to retrieve the
* key identifier and MAC key.
*
* This is a convenience call of {@link #withKeyIdentifier(String, SecretKey)} that
* accepts a base64url encoded MAC key, so both parameters can be passed in as
* strings.
*
* @param kid
* Key Identifier
* @param encodedMacKey
* Base64url encoded MAC key.
* @return itself
* @see #withKeyIdentifier(String, SecretKey)
*/
public AccountBuilder withKeyIdentifier(String kid, String encodedMacKey) {
var encodedKey = AcmeUtils.base64UrlDecode(requireNonNull(encodedMacKey, "encodedMacKey"));
return withKeyIdentifier(kid, new SecretKeySpec(encodedKey, "HMAC"));
}
/**
* Sets the MAC key algorithm that is provided by the CA. To be used in combination
* with key identifier. By default, the algorithm is deduced from the size of the
* MAC key. If a different size is needed, it can be set using this method.
*
* @param macAlgorithm
* the algorithm to be set in the {@code alg} field, e.g. {@code "HS512"}.
* @return itself
* @since 3.1.0
*/
public AccountBuilder withMacAlgorithm(String macAlgorithm) {
var algorithm = requireNonNull(macAlgorithm, "macAlgorithm");
if (!VALID_ALGORITHMS.contains(algorithm)) {
throw new IllegalArgumentException("Invalid MAC algorithm: " + macAlgorithm);
}
this.macAlgorithm = algorithm;
return this;
}
/**
* Creates a new account.
*
* Use this method to finally create your account with the given parameters. Do not
* use the {@link AccountBuilder} after invoking this method.
*
* @param session
* {@link Session} to be used for registration
* @return {@link Account} referring to the new account
* @see #createLogin(Session)
*/
public Account create(Session session) throws AcmeException {
return createLogin(session).getAccount();
}
/**
* Creates a new account.
*
* This method is identical to {@link #create(Session)}, but returns a {@link Login}
* that is ready to be used.
*
* @param session
* {@link Session} to be used for registration
* @return {@link Login} referring to the new account
*/
public Login createLogin(Session session) throws AcmeException {
requireNonNull(session, "session");
if (keyPair == null) {
throw new IllegalStateException("Use AccountBuilder.useKeyPair() to set the account's key pair.");
}
LOG.debug("create");
try (var conn = session.connect()) {
var resourceUrl = session.resourceUrl(Resource.NEW_ACCOUNT);
var claims = new JSONBuilder();
if (!contacts.isEmpty()) {
claims.put("contact", contacts);
}
if (termsOfServiceAgreed != null) {
claims.put("termsOfServiceAgreed", termsOfServiceAgreed);
}
if (keyIdentifier != null && macKey != null) {
var algorithm = Optional.ofNullable(macAlgorithm)
.or(session.provider()::getProposedEabMacAlgorithm)
.orElseGet(() -> macKeyAlgorithm(macKey));
claims.put("externalAccountBinding", JoseUtils.createExternalAccountBinding(
keyIdentifier, keyPair.getPublic(), macKey, algorithm, resourceUrl));
}
if (onlyExisting != null) {
claims.put("onlyReturnExisting", onlyExisting);
}
conn.sendSignedRequest(resourceUrl, claims, session, (url, payload, nonce) ->
JoseUtils.createJoseRequest(url, keyPair, payload, nonce, null));
var login = new Login(conn.getLocation(), keyPair, session);
login.getAccount().setJSON(conn.readJsonResponse());
return login;
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/AcmeJsonResource.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2018 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import java.io.Serial;
import java.net.URL;
import java.time.Instant;
import java.util.Objects;
import java.util.Optional;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeLazyLoadingException;
import org.shredzone.acme4j.toolbox.JSON;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* An extension of {@link AcmeResource} that also contains the current state of a resource
* as JSON document. If the current state is not present, this class takes care of
* fetching it from the server if necessary.
*/
public abstract class AcmeJsonResource extends AcmeResource {
@Serial
private static final long serialVersionUID = -5060364275766082345L;
private static final Logger LOG = LoggerFactory.getLogger(AcmeJsonResource.class);
private @Nullable JSON data = null;
private @Nullable Instant retryAfter = null;
/**
* Create a new {@link AcmeJsonResource}.
*
* @param login
* {@link Login} the resource is bound with
* @param location
* Location {@link URL} of this resource
*/
protected AcmeJsonResource(Login login, URL location) {
super(login, location);
}
/**
* Returns the JSON representation of the resource data.
*
* If there is no data, {@link #fetch()} is invoked to fetch it from the server.
*
* This method can be used to read proprietary data from the resources.
*
* @return Resource data, as {@link JSON}.
* @throws AcmeLazyLoadingException
* if an {@link AcmeException} occured while fetching the current state from
* the server.
*/
public JSON getJSON() {
if (data == null) {
try {
fetch();
} catch (AcmeException ex) {
throw new AcmeLazyLoadingException(this, ex);
}
}
return Objects.requireNonNull(data);
}
/**
* Sets the JSON representation of the resource data.
*
* @param data
* New {@link JSON} data, must not be {@code null}.
*/
protected void setJSON(JSON data) {
invalidate();
this.data = Objects.requireNonNull(data, "data");
}
/**
* Checks if this resource is valid.
*
* @return {@code true} if the resource state has been loaded from the server. If
* {@code false}, {@link #getJSON()} would implicitly call {@link #fetch()}
* to fetch the current state from the server.
*/
protected boolean isValid() {
return data != null;
}
/**
* Invalidates the state of this resource. Enforces a {@link #fetch()} when
* {@link #getJSON()} is invoked.
*
* Subclasses can override this method to purge internal caches that are based on the
* JSON structure. Remember to invoke {@code super.invalidate()}!
*/
protected void invalidate() {
data = null;
retryAfter = null;
}
/**
* Updates this resource, by fetching the current resource data from the server.
*
* @return An {@link Optional} estimation when the resource status will change. If you
* are polling for the resource to complete, you should wait for the given instant
* before trying again. Empty if the server did not return a "Retry-After" header.
* @throws AcmeException
* if the resource could not be fetched.
* @since 3.2.0
*/
public Optional fetch() throws AcmeException {
var resourceType = getClass().getSimpleName();
LOG.debug("update {}", resourceType);
try (var conn = getSession().connect()) {
conn.sendSignedPostAsGetRequest(getLocation(), getLogin());
setJSON(conn.readJsonResponse());
var retryAfterOpt = conn.getRetryAfter();
retryAfterOpt.ifPresent(instant -> LOG.debug("Retry-After: {}", instant));
setRetryAfter(retryAfterOpt.orElse(null));
return retryAfterOpt;
}
}
/**
* Sets a Retry-After instant.
*
* @since 3.2.0
*/
protected void setRetryAfter(@Nullable Instant retryAfter) {
this.retryAfter = retryAfter;
}
/**
* Gets an estimation when the resource status will change. If you are polling for
* the resource to complete, you should wait for the given instant before trying
* a status refresh.
*
* This instant was sent with the Retry-After header at the last update.
*
* @return Retry-after {@link Instant}, or empty if there was no such header.
* @since 3.2.0
*/
public Optional getRetryAfter() {
return Optional.ofNullable(retryAfter);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/AcmeResource.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import java.io.Serial;
import java.io.Serializable;
import java.net.URL;
import java.util.Objects;
import edu.umd.cs.findbugs.annotations.Nullable;
/**
* This is the root class of all ACME resources (like accounts, orders, certificates).
* Every resource is identified by its location URL.
*
* This class also takes care for proper serialization and de-serialization of the
* resource. After de-serialization, the resource must be bound to a {@link Login} again,
* using {@link #rebind(Login)}.
*/
public abstract class AcmeResource implements Serializable {
@Serial
private static final long serialVersionUID = -7930580802257379731L;
private transient @Nullable Login login;
private final URL location;
/**
* Create a new {@link AcmeResource}.
*
* @param login
* {@link Login} the resource is bound with
* @param location
* Location {@link URL} of this resource
*/
protected AcmeResource(Login login, URL location) {
this.location = Objects.requireNonNull(location, "location");
rebind(login);
}
/**
* Gets the {@link Login} this resource is bound with.
*/
protected Login getLogin() {
if (login == null) {
throw new IllegalStateException("Use rebind() for binding this object to a login.");
}
return login;
}
/**
* Gets the {@link Session} this resource is bound with.
*/
protected Session getSession() {
return getLogin().getSession();
}
/**
* Rebinds this resource to a {@link Login}.
*
* Logins are not serialized, because they contain volatile session data and also a
* private key. After de-serialization of an {@link AcmeResource}, use this method to
* rebind it to a {@link Login}.
*
* @param login
* {@link Login} to bind this resource to
*/
public void rebind(Login login) {
if (this.login != null) {
throw new IllegalStateException("Resource is already bound to a login");
}
this.login = Objects.requireNonNull(login, "login");
}
/**
* Gets the resource's location.
*/
public URL getLocation() {
return location;
}
@Override
protected final void finalize() {
// CT_CONSTRUCTOR_THROW: Prevents finalizer attack
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Authorization.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.stream.Collectors.toUnmodifiableList;
import java.io.Serial;
import java.net.URL;
import java.time.Duration;
import java.time.Instant;
import java.util.EnumSet;
import java.util.List;
import java.util.Optional;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSON.Value;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Represents an authorization request at the ACME server.
*/
public class Authorization extends AcmeJsonResource implements PollableResource {
@Serial
private static final long serialVersionUID = -3116928998379417741L;
private static final Logger LOG = LoggerFactory.getLogger(Authorization.class);
protected Authorization(Login login, URL location) {
super(login, location);
}
/**
* Gets the {@link Identifier} to be authorized.
*
* For wildcard domain orders, the domain itself (without wildcard prefix) is returned
* here. To find out if this {@link Authorization} is related to a wildcard domain
* order, check the {@link #isWildcard()} method.
*
* @since 2.3
*/
public Identifier getIdentifier() {
return getJSON().get("identifier").asIdentifier();
}
/**
* Gets the authorization status.
*
* Possible values are: {@link Status#PENDING}, {@link Status#VALID},
* {@link Status#INVALID}, {@link Status#DEACTIVATED}, {@link Status#EXPIRED},
* {@link Status#REVOKED}.
*/
@Override
public Status getStatus() {
return getJSON().get("status").asStatus();
}
/**
* Gets the expiry date of the authorization, if set by the server.
*/
public Optional getExpires() {
return getJSON().get("expires")
.map(Value::asString)
.map(AcmeUtils::parseTimestamp);
}
/**
* Returns {@code true} if this {@link Authorization} is related to a wildcard domain,
* {@code false} otherwise.
*/
public boolean isWildcard() {
return getJSON().get("wildcard")
.map(Value::asBoolean)
.orElse(false);
}
/**
* Returns {@code true} if certificates for subdomains can be issued according to
* RFC9444.
*
* @since 3.3.0
*/
public boolean isSubdomainAuthAllowed() {
return getJSON().get("subdomainAuthAllowed")
.map(Value::asBoolean)
.orElse(false);
}
/**
* Gets a list of all challenges offered by the server, in no specific order.
*/
public List getChallenges() {
var login = getLogin();
return getJSON().get("challenges")
.asArray()
.stream()
.map(Value::asObject)
.map(login::createChallenge)
.collect(toUnmodifiableList());
}
/**
* Finds a {@link Challenge} of the given type. Responding to this {@link Challenge}
* is sufficient for authorization.
*
* {@link Authorization#findChallenge(Class)} should be preferred, as this variant
* is not type safe.
*
* @param type
* Challenge name (e.g. "http-01")
* @return {@link Challenge} matching that name, or empty if there is no such
* challenge, or if the challenge alone is not sufficient for authorization.
* @throws ClassCastException
* if the type does not match the expected Challenge class type
*/
@SuppressWarnings("unchecked")
public Optional findChallenge(final String type) {
return (Optional) getChallenges().stream()
.filter(ch -> type.equals(ch.getType()))
.reduce((a, b) -> {
throw new AcmeProtocolException("Found more than one challenge of type " + type);
});
}
/**
* Finds a {@link Challenge} of the given class type. Responding to this {@link
* Challenge} is sufficient for authorization.
*
* @param type
* Challenge type (e.g. "Http01Challenge.class")
* @return {@link Challenge} of that type, or empty if there is no such
* challenge, or if the challenge alone is not sufficient for authorization.
* @since 2.8
*/
public Optional findChallenge(Class type) {
return getChallenges().stream()
.filter(type::isInstance)
.map(type::cast)
.reduce((a, b) -> {
throw new AcmeProtocolException("Found more than one challenge of type " + type.getName());
});
}
/**
* Waits until the authorization is completed.
*
* It is completed if it reaches either {@link Status#VALID} or
* {@link Status#INVALID}.
*
* This method is synchronous and blocks the current thread.
*
* @param timeout
* Timeout until a terminal status must have been reached
* @return Status that was reached
* @since 3.4.0
*/
public Status waitForCompletion(Duration timeout)
throws AcmeException, InterruptedException {
return waitForStatus(EnumSet.of(Status.VALID, Status.INVALID), timeout);
}
/**
* Permanently deactivates the {@link Authorization}.
*/
public void deactivate() throws AcmeException {
LOG.debug("deactivate");
try (var conn = getSession().connect()) {
var claims = new JSONBuilder();
claims.put("status", "deactivated");
conn.sendSignedRequest(getLocation(), claims, getLogin());
setJSON(conn.readJsonResponse());
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Certificate.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.Collections.unmodifiableList;
import static java.util.Objects.requireNonNull;
import static java.util.stream.Collectors.toList;
import static java.util.stream.Collectors.toUnmodifiableList;
import static org.shredzone.acme4j.toolbox.AcmeUtils.getRenewalUniqueIdentifier;
import java.io.IOException;
import java.io.Serial;
import java.io.Writer;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.KeyPair;
import java.security.Principal;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.shredzone.acme4j.connector.Resource;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeLazyLoadingException;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.shredzone.acme4j.toolbox.JoseUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Represents an issued certificate and its certificate chain.
*
* A certificate is immutable once it is issued. For renewal, a new certificate must be
* ordered.
*/
public class Certificate extends AcmeResource {
@Serial
private static final long serialVersionUID = 7381527770159084201L;
private static final Logger LOG = LoggerFactory.getLogger(Certificate.class);
private @Nullable List certChain;
private @Nullable Collection alternates;
private transient @Nullable RenewalInfo renewalInfo = null;
private transient @Nullable List alternateCerts = null;
protected Certificate(Login login, URL certUrl) {
super(login, certUrl);
}
/**
* Downloads the certificate chain.
*
* The certificate is downloaded lazily by the other methods. Usually there is no need
* to invoke this method, unless the download is to be enforced. If the certificate
* has been downloaded already, nothing will happen.
*
* @throws AcmeException
* if the certificate could not be downloaded
*/
public void download() throws AcmeException {
if (certChain == null) {
LOG.debug("download");
try (var conn = getSession().connect()) {
conn.sendCertificateRequest(getLocation(), getLogin());
alternates = conn.getLinks("alternate");
certChain = conn.readCertificates();
}
}
}
/**
* Returns the created certificate.
*
* @return The created end-entity {@link X509Certificate} without issuer chain.
*/
public X509Certificate getCertificate() {
lazyDownload();
return requireNonNull(certChain).get(0);
}
/**
* Returns the created certificate and issuer chain.
*
* @return The created end-entity {@link X509Certificate} and issuer chain. The first
* certificate is always the end-entity certificate, followed by the
* intermediate certificates required to build a path to a trusted root.
*/
public List getCertificateChain() {
lazyDownload();
return unmodifiableList(requireNonNull(certChain));
}
/**
* Returns URLs to alternate certificate chains.
*
* @return Alternate certificate chains, or empty if there are none.
*/
public List getAlternates() {
lazyDownload();
return requireNonNull(alternates).stream().collect(toUnmodifiableList());
}
/**
* Returns alternate certificate chains, if available.
*
* @return Alternate certificate chains, or empty if there are none.
* @since 2.11
*/
public List getAlternateCertificates() {
if (alternateCerts == null) {
var login = getLogin();
alternateCerts = getAlternates().stream()
.map(login::bindCertificate)
.collect(toList());
}
return unmodifiableList(alternateCerts);
}
/**
* Checks if this certificate was issued by the given issuer name.
*
* @param issuer
* Issuer name to check against, case-sensitive
* @return {@code true} if this issuer name was found in the certificate chain as
* issuer, {@code false} otherwise.
* @since 3.0.0
*/
public boolean isIssuedBy(String issuer) {
var issuerCn = "CN=" + issuer;
return getCertificateChain().stream()
.map(X509Certificate::getIssuerX500Principal)
.map(Principal::getName)
.anyMatch(issuerCn::equals);
}
/**
* Finds a {@link Certificate} that was issued by the given issuer name.
*
* @param issuer
* Issuer name to check against, case-sensitive
* @return Certificate that was issued by that issuer, or {@code empty} if there was
* none. The returned {@link Certificate} may be this instance, or one of the
* {@link #getAlternateCertificates()} instances. If multiple certificates are issued
* by that issuer, the first one that was found is returned.
* @since 3.0.0
*/
public Optional findCertificate(String issuer) {
if (isIssuedBy(issuer)) {
return Optional.of(this);
}
return getAlternateCertificates().stream()
.filter(c -> c.isIssuedBy(issuer))
.findFirst();
}
/**
* Writes the certificate to the given writer. It is written in PEM format, with the
* end-entity cert coming first, followed by the intermediate certificates.
*
* @param out
* {@link Writer} to write to. The writer is not closed after use.
*/
public void writeCertificate(Writer out) throws IOException {
try {
for (var cert : getCertificateChain()) {
AcmeUtils.writeToPem(cert.getEncoded(), AcmeUtils.PemLabel.CERTIFICATE, out);
}
} catch (CertificateEncodingException ex) {
throw new IOException("Encoding error", ex);
}
}
/**
* Returns the location of the certificate's RenewalInfo. Empty if the CA does not
* provide this information.
*
* @since 3.0.0
*/
public Optional getRenewalInfoLocation() {
try {
return getSession().resourceUrlOptional(Resource.RENEWAL_INFO)
.map(baseUrl -> {
try {
var url = baseUrl.toExternalForm();
if (!url.endsWith("/")) {
url += '/';
}
url += getRenewalUniqueIdentifier(getCertificate());
return URI.create(url).toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException("Invalid RenewalInfo URL", ex);
}
});
} catch (AcmeException ex) {
throw new AcmeLazyLoadingException(this, ex);
}
}
/**
* Returns {@code true} if the CA provides renewal information.
*
* @since 3.0.0
*/
public boolean hasRenewalInfo() {
return getRenewalInfoLocation().isPresent();
}
/**
* Reads the RenewalInfo for this certificate.
*
* @return The {@link RenewalInfo} of this certificate.
* @throws AcmeNotSupportedException if the CA does not support renewal information.
* @since 3.0.0
*/
@SuppressFBWarnings("EI_EXPOSE_REP") // behavior is intended
public RenewalInfo getRenewalInfo() {
if (renewalInfo == null) {
renewalInfo = getRenewalInfoLocation()
.map(getLogin()::bindRenewalInfo)
.orElseThrow(() -> new AcmeNotSupportedException("renewal-info"));
}
return renewalInfo;
}
/**
* Revokes this certificate.
*/
public void revoke() throws AcmeException {
revoke(null);
}
/**
* Revokes this certificate.
*
* @param reason
* {@link RevocationReason} stating the reason of the revocation that is
* used when generating OCSP responses and CRLs. {@code null} to give no
* reason.
* @see #revoke(Login, X509Certificate, RevocationReason)
* @see #revoke(Session, KeyPair, X509Certificate, RevocationReason)
*/
public void revoke(@Nullable RevocationReason reason) throws AcmeException {
revoke(getLogin(), getCertificate(), reason);
}
/**
* Revoke a certificate.
*
* Use this method if the certificate's location is unknown, so you cannot regenerate
* a {@link Certificate} instance. This method requires a {@link Login} to your
* account and the issued certificate.
*
* @param login
* {@link Login} to the account
* @param cert
* The {@link X509Certificate} to be revoked
* @param reason
* {@link RevocationReason} stating the reason of the revocation that is used
* when generating OCSP responses and CRLs. {@code null} to give no reason.
* @see #revoke(Session, KeyPair, X509Certificate, RevocationReason)
* @since 2.6
*/
public static void revoke(Login login, X509Certificate cert, @Nullable RevocationReason reason)
throws AcmeException {
LOG.debug("revoke");
var session = login.getSession();
var resUrl = session.resourceUrl(Resource.REVOKE_CERT);
try (var conn = session.connect()) {
var claims = new JSONBuilder();
claims.putBase64("certificate", cert.getEncoded());
if (reason != null) {
claims.put("reason", reason.getReasonCode());
}
conn.sendSignedRequest(resUrl, claims, login);
} catch (CertificateEncodingException ex) {
throw new AcmeProtocolException("Invalid certificate", ex);
}
}
/**
* Revoke a certificate.
*
* Use this method if the key pair of your account was lost (so you are unable to
* login into your account), but you still have the key pair of the affected domain
* and the issued certificate.
*
* @param session
* {@link Session} connected to the ACME server
* @param domainKeyPair
* Key pair the CSR was signed with
* @param cert
* The {@link X509Certificate} to be revoked
* @param reason
* {@link RevocationReason} stating the reason of the revocation that is used
* when generating OCSP responses and CRLs. {@code null} to give no reason.
* @see #revoke(Login, X509Certificate, RevocationReason)
*/
public static void revoke(Session session, KeyPair domainKeyPair, X509Certificate cert,
@Nullable RevocationReason reason) throws AcmeException {
LOG.debug("revoke using the domain key pair");
var resUrl = session.resourceUrl(Resource.REVOKE_CERT);
try (var conn = session.connect()) {
var claims = new JSONBuilder();
claims.putBase64("certificate", cert.getEncoded());
if (reason != null) {
claims.put("reason", reason.getReasonCode());
}
conn.sendSignedRequest(resUrl, claims, session, (url, payload, nonce) ->
JoseUtils.createJoseRequest(url, domainKeyPair, payload, nonce, null));
} catch (CertificateEncodingException ex) {
throw new AcmeProtocolException("Invalid certificate", ex);
}
}
/**
* Lazily downloads the certificate. Throws a runtime {@link AcmeLazyLoadingException}
* if the download failed.
*/
private void lazyDownload() {
try {
download();
} catch (AcmeException ex) {
throw new AcmeLazyLoadingException(this, ex);
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Identifier.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2018 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.Collections.unmodifiableMap;
import static java.util.Objects.requireNonNull;
import static org.shredzone.acme4j.toolbox.AcmeUtils.toAce;
import java.io.Serial;
import java.io.Serializable;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.TreeMap;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.JSON;
/**
* Represents an identifier.
*
* The ACME protocol only defines the DNS identifier, which identifies a domain name.
* acme4j also supports IP identifiers.
*
* CAs, and other acme4j modules, may define further, proprietary identifier types.
*
* @since 2.3
*/
public class Identifier implements Serializable {
@Serial
private static final long serialVersionUID = -7777851842076362412L;
/**
* Type constant for DNS identifiers.
*/
public static final String TYPE_DNS = "dns";
/**
* Type constant for IP identifiers.
*
* @see RFC 8738
*/
public static final String TYPE_IP = "ip";
static final String KEY_TYPE = "type";
static final String KEY_VALUE = "value";
static final String KEY_ANCESTOR_DOMAIN = "ancestorDomain";
static final String KEY_SUBDOMAIN_AUTH_ALLOWED = "subdomainAuthAllowed";
private final Map content = new TreeMap<>();
/**
* Creates a new {@link Identifier}.
*
* This is a generic constructor for identifiers. Refer to the documentation of your
* CA to find out about the accepted identifier types and values.
*
* Note that for DNS identifiers, no ASCII encoding of unicode domain takes place
* here. Use {@link #dns(String)} instead.
*
* @param type
* Identifier type
* @param value
* Identifier value
*/
public Identifier(String type, String value) {
content.put(KEY_TYPE, requireNonNull(type, KEY_TYPE));
content.put(KEY_VALUE, requireNonNull(value, KEY_VALUE));
}
/**
* Creates a new {@link Identifier} from the given {@link JSON} structure.
*
* @param json
* {@link JSON} containing the identifier data
*/
public Identifier(JSON json) {
if (!json.contains(KEY_TYPE)) {
throw new AcmeProtocolException("Required key " + KEY_TYPE + " is missing");
}
if (!json.contains(KEY_VALUE)) {
throw new AcmeProtocolException("Required key " + KEY_VALUE + " is missing");
}
content.putAll(json.toMap());
}
/**
* Makes a copy of the given Identifier.
*/
private Identifier(Identifier identifier) {
content.putAll(identifier.content);
}
/**
* Creates a new DNS identifier for the given domain name.
*
* @param domain
* Domain name. Unicode domains are automatically ASCII encoded.
* @return New {@link Identifier}
*/
public static Identifier dns(String domain) {
return new Identifier(TYPE_DNS, toAce(domain));
}
/**
* Creates a new IP identifier for the given {@link InetAddress}.
*
* @param ip
* {@link InetAddress}
* @return New {@link Identifier}
*/
public static Identifier ip(InetAddress ip) {
return new Identifier(TYPE_IP, ip.getHostAddress());
}
/**
* Creates a new IP identifier for the given {@link InetAddress}.
*
* @param ip
* IP address as {@link String}
* @return New {@link Identifier}
* @since 2.7
*/
public static Identifier ip(String ip) {
try {
return ip(InetAddress.getByName(ip));
} catch (UnknownHostException ex) {
throw new IllegalArgumentException("Bad IP: " + ip, ex);
}
}
/**
* Sets an ancestor domain, as required in RFC-9444.
*
* @param domain
* The ancestor domain to be set. Unicode domains are automatically ASCII
* encoded.
* @return An {@link Identifier} that contains the ancestor domain.
* @since 3.3.0
*/
public Identifier withAncestorDomain(String domain) {
expectType(TYPE_DNS);
var result = new Identifier(this);
result.content.put(KEY_ANCESTOR_DOMAIN, toAce(domain));
return result;
}
/**
* Gives the permission to authorize subdomains of this domain, as required in
* RFC-9444.
*
* @return An {@link Identifier} that allows subdomain auths.
* @since 3.3.0
*/
public Identifier allowSubdomainAuth() {
expectType(TYPE_DNS);
var result = new Identifier(this);
result.content.put(KEY_SUBDOMAIN_AUTH_ALLOWED, true);
return result;
}
/**
* Returns the identifier type.
*/
public String getType() {
return content.get(KEY_TYPE).toString();
}
/**
* Returns the identifier value.
*/
public String getValue() {
return content.get(KEY_VALUE).toString();
}
/**
* Returns the domain name if this is a DNS identifier.
*
* @return Domain name. Unicode domains are ASCII encoded.
* @throws AcmeProtocolException
* if this is not a DNS identifier.
*/
public String getDomain() {
expectType(TYPE_DNS);
return getValue();
}
/**
* Returns the IP address if this is an IP identifier.
*
* @return {@link InetAddress}
* @throws AcmeProtocolException
* if this is not a DNS identifier.
*/
public InetAddress getIP() {
expectType(TYPE_IP);
try {
return InetAddress.getByName(getValue());
} catch (UnknownHostException ex) {
throw new AcmeProtocolException("bad ip identifier value", ex);
}
}
/**
* Returns the identifier as JSON map.
*/
public Map toMap() {
return unmodifiableMap(content);
}
/**
* Makes sure this identifier is of the given type.
*
* @param type
* Expected type
* @throws AcmeProtocolException
* if this identifier is of a different type
*/
private void expectType(String type) {
if (!type.equals(getType())) {
throw new AcmeProtocolException("expected '" + type + "' identifier, but found '" + getType() + "'");
}
}
@Override
public String toString() {
if (content.size() == 2) {
return getType() + '=' + getValue();
}
return content.toString();
}
@Override
public boolean equals(Object obj) {
if (!(obj instanceof Identifier i)) {
return false;
}
return content.equals(i.content);
}
@Override
public int hashCode() {
return content.hashCode();
}
@Override
protected final void finalize() {
// CT_CONSTRUCTOR_THROW: Prevents finalizer attack
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Login.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2018 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.Objects.requireNonNull;
import static org.shredzone.acme4j.toolbox.AcmeUtils.getRenewalUniqueIdentifier;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.connector.Resource;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeLazyLoadingException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.shredzone.acme4j.toolbox.JoseUtils;
/**
* A {@link Login} into an account.
*
* A login is bound to a {@link Session}. However, a {@link Session} can handle multiple
* logins in parallel.
*
* To create a login, you need to specify the location URI of the {@link Account}, and
* need to provide the {@link KeyPair} the account was created with. If the account's
* location URL is unknown, the account can be re-registered with the
* {@link AccountBuilder}, using {@link AccountBuilder#onlyExisting()} to make sure that
* no new account will be created. If the key pair was lost though, there is no automatic
* way to regain access to your account, and you have to contact your CA's support hotline
* for assistance.
*
* Note that {@link Login} objects are intentionally not serializable, as they contain a
* keypair and volatile data. On distributed systems, you can create a {@link Login} to
* the same account for every service instance.
*/
public class Login {
private final Session session;
private final Account account;
private KeyPair keyPair;
/**
* Creates a new {@link Login}.
*
* @param accountLocation
* Account location {@link URL}
* @param keyPair
* {@link KeyPair} of the account
* @param session
* {@link Session} to be used
*/
public Login(URL accountLocation, KeyPair keyPair, Session session) {
this.keyPair = requireNonNull(keyPair, "keyPair");
this.session = requireNonNull(session, "session");
this.account = new Account(this, requireNonNull(accountLocation, "accountLocation"));
}
/**
* Gets the {@link Session} that is used.
*/
@SuppressFBWarnings("EI_EXPOSE_REP") // behavior is intended
public Session getSession() {
return session;
}
/**
* Gets the {@link PublicKey} of the ACME account.
*
* @since 5.0.0
*/
public PublicKey getPublicKey() {
return keyPair.getPublic();
}
/**
* Gets the {@link Account} that is bound to this login.
*
* @return {@link Account} bound to the login
*/
@SuppressFBWarnings("EI_EXPOSE_REP") // behavior is intended
public Account getAccount() {
return account;
}
/**
* Creates a new instance of an existing {@link Authorization} and binds it to this
* login.
*
* @param location
* Location of the Authorization
* @return {@link Authorization} bound to the login
*/
public Authorization bindAuthorization(URL location) {
return new Authorization(this, requireNonNull(location, "location"));
}
/**
* Creates a new instance of an existing {@link Certificate} and binds it to this
* login.
*
* @param location
* Location of the Certificate
* @return {@link Certificate} bound to the login
*/
public Certificate bindCertificate(URL location) {
return new Certificate(this, requireNonNull(location, "location"));
}
/**
* Creates a new instance of an existing {@link Order} and binds it to this login.
*
* @param location
* Location URL of the order
* @return {@link Order} bound to the login
*/
public Order bindOrder(URL location) {
return new Order(this, requireNonNull(location, "location"));
}
/**
* Creates a new instance of an existing {@link RenewalInfo} and binds it to this
* login.
*
* @param location
* Location URL of the renewal info
* @return {@link RenewalInfo} bound to the login
* @since 3.0.0
*/
public RenewalInfo bindRenewalInfo(URL location) {
return new RenewalInfo(this, requireNonNull(location, "location"));
}
/**
* Creates a new instance of an existing {@link RenewalInfo} and binds it to this
* login.
*
* @param certificate
* {@link X509Certificate} to get the {@link RenewalInfo} for
* @return {@link RenewalInfo} bound to the login
* @since 3.2.0
*/
public RenewalInfo bindRenewalInfo(X509Certificate certificate) throws AcmeException {
try {
var url = getSession().resourceUrl(Resource.RENEWAL_INFO).toExternalForm();
if (!url.endsWith("/")) {
url += '/';
}
url += getRenewalUniqueIdentifier(certificate);
return bindRenewalInfo(URI.create(url).toURL());
} catch (MalformedURLException ex) {
throw new AcmeProtocolException("Invalid RenewalInfo URL", ex);
}
}
/**
* Creates a new instance of an existing {@link Challenge} and binds it to this
* login. Use this method only if the resulting challenge type is unknown.
*
* @param location
* Location URL of the challenge
* @return {@link Challenge} bound to the login
* @since 2.8
* @see #bindChallenge(URL, Class)
*/
public Challenge bindChallenge(URL location) {
try (var connect = session.connect()) {
connect.sendSignedPostAsGetRequest(location, this);
return createChallenge(connect.readJsonResponse());
} catch (AcmeException ex) {
throw new AcmeLazyLoadingException(Challenge.class, location, ex);
}
}
/**
* Creates a new instance of an existing {@link Challenge} and binds it to this
* login. Use this method if the resulting challenge type is known.
*
* @param location
* Location URL of the challenge
* @param type
* Expected challenge type
* @return Challenge bound to the login
* @throws AcmeProtocolException
* if the challenge found at the location does not match the expected
* challenge type.
* @since 2.12
*/
public C bindChallenge(URL location, Class type) {
var challenge = bindChallenge(location);
if (!type.isInstance(challenge)) {
throw new AcmeProtocolException("Challenge type " + challenge.getType()
+ " does not match requested class " + type);
}
return type.cast(challenge);
}
/**
* Creates a {@link Challenge} instance for the given challenge data.
*
* @param data
* Challenge JSON data
* @return {@link Challenge} instance
*/
public Challenge createChallenge(JSON data) {
var challenge = session.provider().createChallenge(this, data);
if (challenge == null) {
throw new AcmeProtocolException("Could not create challenge for: " + data);
}
return challenge;
}
/**
* Creates a builder for a new {@link Order}.
*
* @return {@link OrderBuilder} object
* @since 3.0.0
*/
public OrderBuilder newOrder() {
return new OrderBuilder(this);
}
/**
* Sets a different {@link KeyPair}. The new key pair is only used locally in this
* instance, but is not set on server side!
*/
protected void setKeyPair(KeyPair keyPair) {
this.keyPair = requireNonNull(keyPair, "keyPair");
}
/**
* Creates an ACME JOSE request. This method is meant for internal purposes only.
*
* @param url
* {@link URL} of the ACME call
* @param payload
* ACME JSON payload. If {@code null}, a POST-as-GET request is generated
* instead.
* @param nonce
* Nonce to be used. {@code null} if no nonce is to be used in the JOSE
* header.
* @return JSON structure of the JOSE request, ready to be sent.
* @since 5.0.0
*/
public JSONBuilder createJoseRequest(URL url, @Nullable JSONBuilder payload, @Nullable String nonce) {
return JoseUtils.createJoseRequest(url, keyPair, payload, nonce, getAccount().getLocation().toString());
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Metadata.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.stream.Collectors.toList;
import java.net.URI;
import java.net.URL;
import java.time.Duration;
import java.util.Collection;
import java.util.Optional;
import java.util.Set;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSON.Value;
/**
* A collection of metadata related to the CA provider.
*/
public class Metadata {
private final JSON meta;
/**
* Creates a new {@link Metadata} instance.
*
* @param meta
* JSON map of metadata
*/
public Metadata(JSON meta) {
this.meta = meta;
}
/**
* Returns an {@link URI} of the current terms of service, or empty if not available.
*/
public Optional getTermsOfService() {
return meta.get("termsOfService").map(Value::asURI);
}
/**
* Returns an {@link URL} of a website providing more information about the ACME
* server. Empty if not available.
*/
public Optional getWebsite() {
return meta.get("website").map(Value::asURL);
}
/**
* Returns a collection of hostnames, which the ACME server recognises as referring to
* itself for the purposes of CAA record validation. Empty if not available.
*/
public Collection getCaaIdentities() {
return meta.get("caaIdentities")
.asArray()
.stream()
.map(Value::asString)
.collect(toList());
}
/**
* Returns whether an external account is required by this CA.
*/
public boolean isExternalAccountRequired() {
return meta.get("externalAccountRequired").map(Value::asBoolean).orElse(false);
}
/**
* Returns whether the CA supports short-term auto-renewal of certificates.
*
* @since 2.3
*/
public boolean isAutoRenewalEnabled() {
return meta.get("auto-renewal").isPresent();
}
/**
* Returns the minimum acceptable value for the maximum validity of a certificate
* before auto-renewal.
*
* @since 2.3
* @throws AcmeNotSupportedException if the server does not support auto-renewal.
*/
public Duration getAutoRenewalMinLifetime() {
return meta.getFeature("auto-renewal")
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("min-lifetime")
.asDuration();
}
/**
* Returns the maximum delta between auto-renewal end date and auto-renewal start
* date.
*
* @since 2.3
* @throws AcmeNotSupportedException if the server does not support auto-renewal.
*/
public Duration getAutoRenewalMaxDuration() {
return meta.getFeature("auto-renewal")
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("max-duration")
.asDuration();
}
/**
* Returns whether the CA also allows to fetch STAR certificates via GET request.
*
* @since 2.6
* @throws AcmeNotSupportedException if the server does not support auto-renewal.
*/
public boolean isAutoRenewalGetAllowed() {
return meta.getFeature("auto-renewal").optional()
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("allow-certificate-get")
.optional()
.map(Value::asBoolean)
.orElse(false);
}
/**
* Returns whether the CA supports the profile feature.
*
* @since 3.5.0
* @draft This method is currently based on RFC draft draft-ietf-acme-profiles. It
* may be changed or removed without notice to reflect future changes to the draft.
* SemVer rules do not apply here.
*/
public boolean isProfileAllowed() {
return meta.get("profiles").isPresent();
}
/**
* Returns whether the CA supports the requested profile.
*
* Also returns {@code false} if profiles are not allowed in general.
*
* @since 3.5.0
* @draft This method is currently based on RFC draft draft-ietf-acme-profiles. It
* may be changed or removed without notice to reflect future changes to the draft.
* SemVer rules do not apply here.
*/
public boolean isProfileAllowed(String profile) {
return getProfiles().contains(profile);
}
/**
* Returns all profiles supported by the CA. May be empty if the CA does not support
* profiles.
*
* @since 3.5.0
* @draft This method is currently based on RFC draft draft-ietf-acme-profiles. It
* may be changed or removed without notice to reflect future changes to the draft.
* SemVer rules do not apply here.
*/
public Set getProfiles() {
return meta.get("profiles")
.optional()
.map(Value::asObject)
.orElseGet(JSON::empty)
.keySet();
}
/**
* Returns a description of the requested profile. This can be a human-readable string
* or a URL linking to a documentation.
*
* Empty if the profile is not allowed.
*
* @since 3.5.0
* @draft This method is currently based on RFC draft draft-ietf-acme-profiles. It
* may be changed or removed without notice to reflect future changes to the draft.
* SemVer rules do not apply here.
*/
public Optional getProfileDescription(String profile) {
return meta.get("profiles").optional()
.map(Value::asObject)
.orElseGet(JSON::empty)
.get(profile)
.optional()
.map(Value::asString);
}
/**
* Returns whether the CA supports subdomain auth according to RFC9444.
*
* @since 3.3.0
*/
public boolean isSubdomainAuthAllowed() {
return meta.get("subdomainAuthAllowed").map(Value::asBoolean).orElse(false);
}
/**
* Returns the JSON representation of the metadata. This is useful for reading
* proprietary metadata properties.
*/
public JSON getJSON() {
return meta;
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Order.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2017 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.Collections.unmodifiableList;
import static java.util.stream.Collectors.toList;
import java.io.IOException;
import java.io.Serial;
import java.net.URL;
import java.security.KeyPair;
import java.time.Duration;
import java.time.Instant;
import java.util.EnumSet;
import java.util.List;
import java.util.Optional;
import java.util.function.Consumer;
import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSON.Value;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.shredzone.acme4j.util.CSRBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* A representation of a certificate order at the CA.
*/
public class Order extends AcmeJsonResource implements PollableResource {
@Serial
private static final long serialVersionUID = 5435808648658292177L;
private static final Logger LOG = LoggerFactory.getLogger(Order.class);
private transient @Nullable Certificate certificate = null;
private transient @Nullable List authorizations = null;
protected Order(Login login, URL location) {
super(login, location);
}
/**
* Returns the current status of the order.
*
* Possible values are: {@link Status#PENDING}, {@link Status#READY},
* {@link Status#PROCESSING}, {@link Status#VALID}, {@link Status#INVALID}.
* If the server supports STAR, another possible value is {@link Status#CANCELED}.
*/
@Override
public Status getStatus() {
return getJSON().get("status").asStatus();
}
/**
* Returns a {@link Problem} document with the reason if the order has failed.
*/
public Optional getError() {
return getJSON().get("error").map(v -> v.asProblem(getLocation()));
}
/**
* Gets the expiry date of the authorization, if set by the server.
*/
public Optional getExpires() {
return getJSON().get("expires").map(Value::asInstant);
}
/**
* Gets a list of {@link Identifier} that are connected to this order.
*
* @since 2.3
*/
public List getIdentifiers() {
return getJSON().get("identifiers")
.asArray()
.stream()
.map(Value::asIdentifier)
.toList();
}
/**
* Gets the "not before" date that was used for the order.
*/
public Optional getNotBefore() {
return getJSON().get("notBefore").map(Value::asInstant);
}
/**
* Gets the "not after" date that was used for the order.
*/
public Optional getNotAfter() {
return getJSON().get("notAfter").map(Value::asInstant);
}
/**
* Gets the {@link Authorization} that are required to fulfil this order, in no
* specific order.
*/
public List getAuthorizations() {
if (authorizations == null) {
var login = getLogin();
authorizations = getJSON().get("authorizations")
.asArray()
.stream()
.map(Value::asURL)
.map(login::bindAuthorization)
.collect(toList());
}
return unmodifiableList(authorizations);
}
/**
* Gets the location {@link URL} of where to send the finalization call to.
*
* For internal purposes. Use {@link #execute(byte[])} to finalize an order.
*/
public URL getFinalizeLocation() {
return getJSON().get("finalize").asURL();
}
/**
* Gets the {@link Certificate}.
*
* @throws IllegalStateException
* if the order is not ready yet. You must finalize the order first, and wait
* for the status to become {@link Status#VALID}.
*/
@SuppressFBWarnings("EI_EXPOSE_REP") // behavior is intended
public Certificate getCertificate() {
if (certificate == null) {
certificate = getJSON().get("star-certificate")
.optional()
.or(() -> getJSON().get("certificate").optional())
.map(Value::asURL)
.map(getLogin()::bindCertificate)
.orElseThrow(() -> new IllegalStateException("Order is not completed"));
}
return certificate;
}
/**
* Returns whether this is a STAR certificate ({@code true}) or a standard certificate
* ({@code false}).
*
* @since 3.5.0
*/
public boolean isAutoRenewalCertificate() {
return getJSON().contains("star-certificate");
}
/**
* Finalizes the order.
*
* If the finalization was successful, the certificate is provided via
* {@link #getCertificate()}.
*
* Even though the ACME protocol uses the term "finalize an order", this method is
* called {@link #execute(KeyPair)} to avoid confusion with the problematic
* {@link Object#finalize()} method.
*
* @param domainKeyPair
* The {@link KeyPair} that is going to be certified. This is not
* your account's keypair!
* @see #execute(KeyPair, Consumer)
* @see #execute(PKCS10CertificationRequest)
* @see #execute(byte[])
* @see #waitUntilReady(Duration)
* @see #waitForCompletion(Duration)
* @since 3.0.0
*/
public void execute(KeyPair domainKeyPair) throws AcmeException {
execute(domainKeyPair, csrBuilder -> {});
}
/**
* Finalizes the order (see {@link #execute(KeyPair)}).
*
* This method also accepts a builderConsumer that can be used to add further details
* to the CSR (e.g. your organization). The identifiers (IPs, domain names, etc.) are
* automatically added to the CSR.
*
* @param domainKeyPair
* The {@link KeyPair} that is going to be used together with the certificate.
* This is not your account's keypair!
* @param builderConsumer
* {@link Consumer} that adds further details to the provided
* {@link CSRBuilder}.
* @see #execute(KeyPair)
* @see #execute(PKCS10CertificationRequest)
* @see #execute(byte[])
* @see #waitUntilReady(Duration)
* @see #waitForCompletion(Duration)
* @since 3.0.0
*/
public void execute(KeyPair domainKeyPair, Consumer builderConsumer) throws AcmeException {
try {
var csrBuilder = new CSRBuilder();
csrBuilder.addIdentifiers(getIdentifiers());
builderConsumer.accept(csrBuilder);
csrBuilder.sign(domainKeyPair);
execute(csrBuilder.getCSR());
} catch (IOException ex) {
throw new AcmeException("Failed to create CSR", ex);
}
}
/**
* Finalizes the order (see {@link #execute(KeyPair)}).
*
* This method receives a {@link PKCS10CertificationRequest} instance of a CSR that
* was generated externally. Use this method to gain full control over the content of
* the CSR. The CSR is not checked by acme4j, but just transported to the CA. It is
* your responsibility that it matches to the order.
*
* @param csr
* {@link PKCS10CertificationRequest} to be used for this order.
* @see #execute(KeyPair)
* @see #execute(KeyPair, Consumer)
* @see #execute(byte[])
* @see #waitUntilReady(Duration)
* @see #waitForCompletion(Duration)
* @since 3.0.0
*/
public void execute(PKCS10CertificationRequest csr) throws AcmeException {
try {
execute(csr.getEncoded());
} catch (IOException ex) {
throw new AcmeException("Invalid CSR", ex);
}
}
/**
* Finalizes the order (see {@link #execute(KeyPair)}).
*
* This method receives a byte array containing an encoded CSR that was generated
* externally. Use this method to gain full control over the content of the CSR. The
* CSR is not checked by acme4j, but just transported to the CA. It is your
* responsibility that it matches to the order.
*
* @param csr
* Binary representation of a CSR containing the parameters for the
* certificate being requested, in DER format
* @see #waitUntilReady(Duration)
* @see #waitForCompletion(Duration)
*/
public void execute(byte[] csr) throws AcmeException {
LOG.debug("finalize");
try (var conn = getSession().connect()) {
var claims = new JSONBuilder();
claims.putBase64("csr", csr);
conn.sendSignedRequest(getFinalizeLocation(), claims, getLogin());
}
invalidate();
}
/**
* Waits until the order is ready for finalization.
*
* Is is ready if it reaches {@link Status#READY}. The method will also return if the
* order already has another terminal state, which is either {@link Status#VALID} or
* {@link Status#INVALID}.
*
* This method is synchronous and blocks the current thread.
*
* @param timeout
* Timeout until a terminal status must have been reached
* @return Status that was reached
* @since 3.4.0
*/
public Status waitUntilReady(Duration timeout)
throws AcmeException, InterruptedException {
return waitForStatus(EnumSet.of(Status.READY, Status.VALID, Status.INVALID), timeout);
}
/**
* Waits until the order finalization is completed.
*
* Is is completed if it reaches either {@link Status#VALID} or
* {@link Status#INVALID}.
*
* This method is synchronous and blocks the current thread.
*
* @param timeout
* Timeout until a terminal status must have been reached
* @return Status that was reached
* @since 3.4.0
*/
public Status waitForCompletion(Duration timeout)
throws AcmeException, InterruptedException {
return waitForStatus(EnumSet.of(Status.VALID, Status.INVALID), timeout);
}
/**
* Checks if this order is auto-renewing, according to the ACME STAR specifications.
*
* @since 2.3
*/
public boolean isAutoRenewing() {
return getJSON().get("auto-renewal")
.optional()
.isPresent();
}
/**
* Returns the earliest date of validity of the first certificate issued.
*
* @since 2.3
* @throws AcmeNotSupportedException if auto-renewal is not supported
*/
public Optional getAutoRenewalStartDate() {
return getJSON().getFeature("auto-renewal")
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("start-date")
.optional()
.map(Value::asInstant);
}
/**
* Returns the latest date of validity of the last certificate issued.
*
* @since 2.3
* @throws AcmeNotSupportedException if auto-renewal is not supported
*/
public Instant getAutoRenewalEndDate() {
return getJSON().getFeature("auto-renewal")
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("end-date")
.asInstant();
}
/**
* Returns the maximum lifetime of each certificate.
*
* @since 2.3
* @throws AcmeNotSupportedException if auto-renewal is not supported
*/
public Duration getAutoRenewalLifetime() {
return getJSON().getFeature("auto-renewal")
.optional()
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("lifetime")
.asDuration();
}
/**
* Returns the pre-date period of each certificate.
*
* @since 2.7
* @throws AcmeNotSupportedException if auto-renewal is not supported
*/
public Optional getAutoRenewalLifetimeAdjust() {
return getJSON().getFeature("auto-renewal")
.optional()
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("lifetime-adjust")
.optional()
.map(Value::asDuration);
}
/**
* Returns {@code true} if STAR certificates from this order can also be fetched via
* GET requests.
*
* @since 2.6
*/
public boolean isAutoRenewalGetEnabled() {
return getJSON().getFeature("auto-renewal")
.optional()
.map(Value::asObject)
.orElseGet(JSON::empty)
.get("allow-certificate-get")
.optional()
.map(Value::asBoolean)
.orElse(false);
}
/**
* Cancels an auto-renewing order.
*
* @since 2.3
*/
public void cancelAutoRenewal() throws AcmeException {
if (!getSession().getMetadata().isAutoRenewalEnabled()) {
throw new AcmeNotSupportedException("auto-renewal");
}
LOG.debug("cancel");
try (var conn = getSession().connect()) {
var claims = new JSONBuilder();
claims.put("status", "canceled");
conn.sendSignedRequest(getLocation(), claims, getLogin());
setJSON(conn.readJsonResponse());
}
}
/**
* Returns the selected profile.
*
* @since 3.5.0
* @throws AcmeNotSupportedException if profile is not supported
*/
public String getProfile() {
return getJSON().getFeature("profile").asString();
}
@Override
protected void invalidate() {
super.invalidate();
certificate = null;
authorizations = null;
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/OrderBuilder.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2017 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.Objects.requireNonNull;
import static java.util.stream.Collectors.toList;
import static org.shredzone.acme4j.toolbox.AcmeUtils.getRenewalUniqueIdentifier;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.connector.Resource;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Start a new certificate {@link Order}.
*
* Use {@link Login#newOrder()} or {@link Account#newOrder()} to create a new
* {@link OrderBuilder} instance. Both methods are identical.
*/
public class OrderBuilder {
private static final Logger LOG = LoggerFactory.getLogger(OrderBuilder.class);
private final Login login;
private final Set identifierSet = new LinkedHashSet<>();
private @Nullable Instant notBefore;
private @Nullable Instant notAfter;
private @Nullable String replaces;
private boolean autoRenewal;
private @Nullable Instant autoRenewalStart;
private @Nullable Instant autoRenewalEnd;
private @Nullable Duration autoRenewalLifetime;
private @Nullable Duration autoRenewalLifetimeAdjust;
private boolean autoRenewalGet;
private @Nullable String profile;
/**
* Create a new {@link OrderBuilder}.
*
* @param login
* {@link Login} to bind with
*/
protected OrderBuilder(Login login) {
this.login = login;
}
/**
* Adds a domain name to the order.
*
* @param domain
* Name of a domain to be ordered. May be a wildcard domain if supported by
* the CA. IDN names are accepted and will be ACE encoded automatically.
* @return itself
*/
public OrderBuilder domain(String domain) {
return identifier(Identifier.dns(domain));
}
/**
* Adds domain names to the order.
*
* @param domains
* Collection of domain names to be ordered. May be wildcard domains if
* supported by the CA. IDN names are accepted and will be ACE encoded
* automatically.
* @return itself
*/
public OrderBuilder domains(String... domains) {
for (var domain : requireNonNull(domains, "domains")) {
domain(domain);
}
return this;
}
/**
* Adds a collection of domain names to the order.
*
* @param domains
* Collection of domain names to be ordered. May be wildcard domains if
* supported by the CA. IDN names are accepted and will be ACE encoded
* automatically.
* @return itself
*/
public OrderBuilder domains(Collection domains) {
requireNonNull(domains, "domains").forEach(this::domain);
return this;
}
/**
* Adds an {@link Identifier} to the order.
*
* @param identifier
* {@link Identifier} to be added to the order.
* @return itself
* @since 2.3
*/
public OrderBuilder identifier(Identifier identifier) {
identifierSet.add(requireNonNull(identifier, "identifier"));
return this;
}
/**
* Adds a collection of {@link Identifier} to the order.
*
* @param identifiers
* Collection of {@link Identifier} to be added to the order.
* @return itself
* @since 2.3
*/
public OrderBuilder identifiers(Collection identifiers) {
requireNonNull(identifiers, "identifiers").forEach(this::identifier);
return this;
}
/**
* Sets a "not before" date in the certificate. May be ignored by the CA.
*
* @param notBefore "not before" date
* @return itself
*/
public OrderBuilder notBefore(Instant notBefore) {
if (autoRenewal) {
throw new IllegalArgumentException("cannot combine notBefore with autoRenew");
}
this.notBefore = requireNonNull(notBefore, "notBefore");
return this;
}
/**
* Sets a "not after" date in the certificate. May be ignored by the CA.
*
* @param notAfter "not after" date
* @return itself
*/
public OrderBuilder notAfter(Instant notAfter) {
if (autoRenewal) {
throw new IllegalArgumentException("cannot combine notAfter with autoRenew");
}
this.notAfter = requireNonNull(notAfter, "notAfter");
return this;
}
/**
* Enables short-term automatic renewal of the certificate, if supported by the CA.
*
* Automatic renewals cannot be combined with {@link #notBefore(Instant)} or
* {@link #notAfter(Instant)}.
*
* @return itself
* @since 2.3
*/
public OrderBuilder autoRenewal() {
if (notBefore != null || notAfter != null) {
throw new IllegalArgumentException("cannot combine notBefore/notAfter with autoRenewal");
}
this.autoRenewal = true;
return this;
}
/**
* Sets the earliest date of validity of the first issued certificate. If not set,
* the start date is the earliest possible date.
*
* Implies {@link #autoRenewal()}.
*
* @param start
* Start date of validity
* @return itself
* @since 2.3
*/
public OrderBuilder autoRenewalStart(Instant start) {
autoRenewal();
this.autoRenewalStart = requireNonNull(start, "start");
return this;
}
/**
* Sets the latest date of validity of the last issued certificate. If not set, the
* CA's default is used.
*
* Implies {@link #autoRenewal()}.
*
* @param end
* End date of validity
* @return itself
* @see Metadata#getAutoRenewalMaxDuration()
* @since 2.3
*/
public OrderBuilder autoRenewalEnd(Instant end) {
autoRenewal();
this.autoRenewalEnd = requireNonNull(end, "end");
return this;
}
/**
* Sets the maximum validity period of each certificate. If not set, the CA's
* default is used.
*
* Implies {@link #autoRenewal()}.
*
* @param duration
* Duration of validity of each certificate
* @return itself
* @see Metadata#getAutoRenewalMinLifetime()
* @since 2.3
*/
public OrderBuilder autoRenewalLifetime(Duration duration) {
autoRenewal();
this.autoRenewalLifetime = requireNonNull(duration, "duration");
return this;
}
/**
* Sets the amount of pre-dating each certificate. If not set, the CA's
* default (0) is used.
*
* Implies {@link #autoRenewal()}.
*
* @param duration
* Duration of certificate pre-dating
* @return itself
* @since 2.7
*/
public OrderBuilder autoRenewalLifetimeAdjust(Duration duration) {
autoRenewal();
this.autoRenewalLifetimeAdjust = requireNonNull(duration, "duration");
return this;
}
/**
* Announces that the client wishes to fetch the auto-renewed certificate via GET
* request. If not used, the STAR certificate can only be fetched via POST-as-GET
* request. {@link Metadata#isAutoRenewalGetAllowed()} must return {@code true} in
* order for this option to work.
*
* This option is only needed if you plan to fetch the STAR certificate via other
* means than by using acme4j. acme4j is fetching certificates via POST-as-GET
* request.
*
* Implies {@link #autoRenewal()}.
*
* @return itself
* @since 2.6
*/
public OrderBuilder autoRenewalEnableGet() {
autoRenewal();
this.autoRenewalGet = true;
return this;
}
/**
* Notifies the CA of the desired profile of the ordered certificate.
*
* Optional, only supported if the CA supports profiles. However, in this case the
* client may include this field.
*
* @param profile
* Identifier of the desired profile
* @return itself
* @draft This method is currently based on RFC draft draft-ietf-acme-profiles. It
* may be changed or removed without notice to reflect future changes to the draft.
* SemVer rules do not apply here.
* @since 3.5.0
*/
public OrderBuilder profile(String profile) {
this.profile = Objects.requireNonNull(profile);
return this;
}
/**
* Notifies the CA that the ordered certificate will replace a previously issued
* certificate. The certificate is identified by its ARI unique identifier.
*
* Optional, only supported if the CA provides renewal information. However, in this
* case the client should include this field.
*
* @param uniqueId
* Certificate's renewal unique identifier.
* @return itself
* @since 3.2.0
*/
public OrderBuilder replaces(String uniqueId) {
this.replaces = Objects.requireNonNull(uniqueId);
return this;
}
/**
* Notifies the CA that the ordered certificate will replace a previously issued
* certificate.
*
* Optional, only supported if the CA provides renewal information. However, in this
* case the client should include this field.
*
* @param certificate
* Certificate to be replaced
* @return itself
* @since 3.2.0
*/
public OrderBuilder replaces(X509Certificate certificate) {
return replaces(getRenewalUniqueIdentifier(certificate));
}
/**
* Notifies the CA that the ordered certificate will replace a previously issued
* certificate.
*
* Optional, only supported if the CA provides renewal information. However, in this
* case the client should include this field.
*
* @param certificate
* Certificate to be replaced
* @return itself
* @since 3.2.0
*/
public OrderBuilder replaces(Certificate certificate) {
return replaces(certificate.getCertificate());
}
/**
* Sends a new order to the server, and returns an {@link Order} object.
*
* @return {@link Order} that was created
*/
public Order create() throws AcmeException {
if (identifierSet.isEmpty()) {
throw new IllegalArgumentException("At least one identifer is required");
}
var session = login.getSession();
if (autoRenewal && !session.getMetadata().isAutoRenewalEnabled()) {
throw new AcmeNotSupportedException("auto-renewal");
}
if (autoRenewalGet && !session.getMetadata().isAutoRenewalGetAllowed()) {
throw new AcmeNotSupportedException("auto-renewal-get");
}
if (replaces != null && session.resourceUrlOptional(Resource.RENEWAL_INFO).isEmpty()) {
throw new AcmeNotSupportedException("renewal-information");
}
if (profile != null && !session.getMetadata().isProfileAllowed()) {
throw new AcmeNotSupportedException("profile");
}
if (profile != null && !session.getMetadata().isProfileAllowed(profile)) {
throw new AcmeNotSupportedException("profile: " + profile);
}
var hasAncestorDomain = identifierSet.stream()
.filter(id -> Identifier.TYPE_DNS.equals(id.getType()))
.anyMatch(id -> id.toMap().containsKey(Identifier.KEY_ANCESTOR_DOMAIN));
if (hasAncestorDomain && !login.getSession().getMetadata().isSubdomainAuthAllowed()) {
throw new AcmeNotSupportedException("ancestor-domain");
}
LOG.debug("create");
try (var conn = session.connect()) {
var claims = new JSONBuilder();
claims.array("identifiers", identifierSet.stream().map(Identifier::toMap).collect(toList()));
if (notBefore != null) {
claims.put("notBefore", notBefore);
}
if (notAfter != null) {
claims.put("notAfter", notAfter);
}
if (autoRenewal) {
var arClaims = claims.object("auto-renewal");
if (autoRenewalStart != null) {
arClaims.put("start-date", autoRenewalStart);
}
if (autoRenewalStart != null) {
arClaims.put("end-date", autoRenewalEnd);
}
if (autoRenewalLifetime != null) {
arClaims.put("lifetime", autoRenewalLifetime);
}
if (autoRenewalLifetimeAdjust != null) {
arClaims.put("lifetime-adjust", autoRenewalLifetimeAdjust);
}
if (autoRenewalGet) {
arClaims.put("allow-certificate-get", autoRenewalGet);
}
}
if (replaces != null) {
claims.put("replaces", replaces);
}
if (profile != null) {
claims.put("profile", profile);
}
conn.sendSignedRequest(session.resourceUrl(Resource.NEW_ORDER), claims, login);
var order = new Order(login, conn.getLocation());
order.setJSON(conn.readJsonResponse());
return order;
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/PollableResource.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2024 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.time.Instant.now;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.shredzone.acme4j.exception.AcmeException;
/**
* Marks an ACME Resource with a pollable status.
*
* The resource provides a status, and a method for updating the internal cache to read
* the current status from the server.
*
* @since 3.4.0
*/
public interface PollableResource {
/**
* Default delay between status polls if there is no Retry-After header.
*/
Duration DEFAULT_RETRY_AFTER = Duration.ofSeconds(3L);
/**
* Returns the current status of the resource.
*/
Status getStatus();
/**
* Fetches the current status from the server.
*
* @return Retry-After time, if given by the CA, otherwise empty.
*/
Optional fetch() throws AcmeException;
/**
* Waits until a terminal status has been reached, by polling until one of the given
* status or the given timeout has been reached. This call honors the Retry-After
* header if set by the CA.
*
* This method is synchronous and blocks the current thread.
*
* If the resource is already in a terminal status, the method returns immediately.
*
* @param statusSet
* Set of {@link Status} that are accepted as terminal
* @param timeout
* Timeout until a terminal status must have been reached
* @return Status that was reached
*/
default Status waitForStatus(Set statusSet, Duration timeout)
throws AcmeException, InterruptedException {
Objects.requireNonNull(timeout, "timeout");
Objects.requireNonNull(statusSet, "statusSet");
if (statusSet.isEmpty()) {
throw new IllegalArgumentException("At least one Status is required");
}
var currentStatus = getStatus();
if (statusSet.contains(currentStatus)) {
return currentStatus;
}
var timebox = now().plus(timeout);
Instant now;
while ((now = now()).isBefore(timebox)) {
// Poll status and get the time of the next poll
var retryAfter = fetch()
.orElse(now.plus(DEFAULT_RETRY_AFTER));
currentStatus = getStatus();
if (statusSet.contains(currentStatus)) {
return currentStatus;
}
// Preemptively end the loop if the next iteration would be after timebox
if (retryAfter.isAfter(timebox)) {
break;
}
// Wait until retryAfter is reached
Thread.sleep(now.until(retryAfter, ChronoUnit.MILLIS));
}
throw new AcmeException("Timeout has been reached");
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Problem.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2017 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import java.io.Serial;
import java.io.Serializable;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.List;
import java.util.Optional;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSON.Value;
/**
* A JSON problem. It contains further, machine- and human-readable details about the
* reason of an error or failure.
*
* @see RFC 7807
*/
public class Problem implements Serializable {
@Serial
private static final long serialVersionUID = -8418248862966754214L;
private final URL baseUrl;
private final JSON problemJson;
/**
* Creates a new {@link Problem} object.
*
* @param problem
* Problem as JSON structure
* @param baseUrl
* Document's base {@link URL} to resolve relative URIs against
*/
public Problem(JSON problem, URL baseUrl) {
this.problemJson = problem;
this.baseUrl = baseUrl;
}
/**
* Returns the problem type. It is always an absolute URI.
*/
public URI getType() {
return problemJson.get("type")
.map(Value::asString)
.map(it -> {
try {
return baseUrl.toURI().resolve(it);
} catch (URISyntaxException ex) {
throw new IllegalArgumentException("Bad base URL", ex);
}
})
.orElseThrow(() -> new AcmeProtocolException("Problem without type"));
}
/**
* Returns a short, human-readable summary of the problem. The text may be localized
* if supported by the server. Empty if the server did not provide a title.
*
* @see #toString()
*/
public Optional getTitle() {
return problemJson.get("title").map(Value::asString);
}
/**
* Returns a detailed and specific human-readable explanation of the problem. The
* text may be localized if supported by the server.
*
* @see #toString()
*/
public Optional getDetail() {
return problemJson.get("detail").map(Value::asString);
}
/**
* Returns a URI that identifies the specific occurence of the problem. It is always
* an absolute URI.
*/
public Optional getInstance() {
return problemJson.get("instance")
.map(Value::asString)
.map(it -> {
try {
return baseUrl.toURI().resolve(it);
} catch (URISyntaxException ex) {
throw new IllegalArgumentException("Bad base URL", ex);
}
});
}
/**
* Returns the {@link Identifier} this problem relates to.
*
* @since 2.3
*/
public Optional getIdentifier() {
return problemJson.get("identifier")
.optional()
.map(Value::asIdentifier);
}
/**
* Returns a list of sub-problems.
*/
public List getSubProblems() {
return problemJson.get("subproblems")
.asArray()
.stream()
.map(o -> o.asProblem(baseUrl))
.toList();
}
/**
* Returns the problem as {@link JSON} object, to access other, non-standard fields.
*
* @return Problem as {@link JSON} object
*/
public JSON asJSON() {
return problemJson;
}
/**
* Returns a human-readable description of the problem, that is as specific as
* possible. The description may be localized if supported by the server.
*
* If {@link #getSubProblems()} exist, they will be appended.
*
* Technically, it returns {@link #getDetail()}. If not set, {@link #getTitle()} is
* returned instead. As a last resort, {@link #getType()} is returned.
*/
@Override
public String toString() {
var sb = new StringBuilder();
if (getDetail().isPresent()) {
sb.append(getDetail().get());
} else if (getTitle().isPresent()) {
sb.append(getTitle().get());
} else {
sb.append(getType());
}
var subproblems = getSubProblems();
if (!subproblems.isEmpty()) {
sb.append(" (");
var first = true;
for (var sub : subproblems) {
if (!first) {
sb.append(" ‒ ");
}
sb.append(sub.toString());
first = false;
}
sb.append(')');
}
return sb.toString();
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/RenewalInfo.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2023 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import java.net.URL;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Optional;
import java.util.concurrent.ThreadLocalRandom;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.connector.Connection;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.JSON.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Renewal Information of a certificate.
*
* @since 3.0.0
*/
public class RenewalInfo extends AcmeJsonResource {
private static final Logger LOG = LoggerFactory.getLogger(RenewalInfo.class);
protected RenewalInfo(Login login, URL location) {
super(login, location);
}
/**
* Returns the starting {@link Instant} of the time window the CA recommends for
* certificate renewal.
*/
public Instant getSuggestedWindowStart() {
return getJSON().get("suggestedWindow").asObject().get("start").asInstant();
}
/**
* Returns the ending {@link Instant} of the time window the CA recommends for
* certificate renewal.
*/
public Instant getSuggestedWindowEnd() {
return getJSON().get("suggestedWindow").asObject().get("end").asInstant();
}
/**
* An optional {@link URL} pointing to a page which may explain why the suggested
* renewal window is what it is.
*/
public Optional getExplanation() {
return getJSON().get("explanationURL").optional().map(Value::asURL);
}
/**
* Checks if the given {@link Instant} is before the suggested time window, so a
* certificate renewal is not required yet.
*
* @param instant
* {@link Instant} to check
* @return {@code true} if the {@link Instant} is before the time window, {@code
* false} otherwise.
*/
public boolean renewalIsNotRequired(Instant instant) {
assertValidTimeWindow();
return instant.isBefore(getSuggestedWindowStart());
}
/**
* Checks if the given {@link Instant} is within the suggested time window, and a
* certificate renewal is recommended.
*
* An {@link Instant} is deemed to be within the time window if it is equal to, or
* after {@link #getSuggestedWindowStart()}, and before {@link
* #getSuggestedWindowEnd()}.
*
* @param instant
* {@link Instant} to check
* @return {@code true} if the {@link Instant} is within the time window, {@code
* false} otherwise.
*/
public boolean renewalIsRecommended(Instant instant) {
assertValidTimeWindow();
return !instant.isBefore(getSuggestedWindowStart())
&& instant.isBefore(getSuggestedWindowEnd());
}
/**
* Checks if the given {@link Instant} is past the time window, and a certificate
* renewal is overdue.
*
* An {@link Instant} is deemed to be past the time window if it is equal to, or after
* {@link #getSuggestedWindowEnd()}.
*
* @param instant
* {@link Instant} to check
* @return {@code true} if the {@link Instant} is past the time window, {@code false}
* otherwise.
*/
public boolean renewalIsOverdue(Instant instant) {
assertValidTimeWindow();
return !instant.isBefore(getSuggestedWindowEnd());
}
/**
* Returns a proposed {@link Instant} when the certificate related to this
* {@link RenewalInfo} should be renewed.
*
* This method is useful for setting alarms for renewal cron jobs. As a parameter, the
* frequency of the cron job is set. The resulting {@link Instant} is guaranteed to be
* executed in time, considering the cron job intervals.
*
* This method uses {@link ThreadLocalRandom} for random numbers. It is sufficient for
* most cases, as only an "earliest" {@link Instant} is returned, but the actual
* renewal process also depends on cron job execution times and other factors like
* system load.
*
* The result is empty if it is impossible to renew the certificate in time, under the
* given circumstances. This is either because the time window already ended in the
* past, or because the cron job would not be executed before the ending of the time
* window. In this case, it is recommended to renew the certificate immediately.
*
* @param frequency
* Frequency of the cron job executing the certificate renewals. May be
* {@code null} if there is no cron job, and the renewal is going to be
* executed exactly at the given {@link Instant}.
* @return Random {@link Instant} when the certificate should be renewed. This instant
* might be slightly in the past. In this case, start the renewal process at the next
* possible regular moment.
*/
public Optional getRandomProposal(@Nullable TemporalAmount frequency) {
assertValidTimeWindow();
Instant start = Instant.now();
Instant suggestedStart = getSuggestedWindowStart();
if (start.isBefore(suggestedStart)) {
start = suggestedStart;
}
Instant end = getSuggestedWindowEnd();
if (frequency != null) {
end = end.minus(frequency);
}
if (!end.isAfter(start)) {
return Optional.empty();
}
return Optional.of(Instant.ofEpochMilli(ThreadLocalRandom.current().nextLong(
start.toEpochMilli(),
end.toEpochMilli())));
}
/**
* Asserts that the end of the suggested time window is after the start.
*/
private void assertValidTimeWindow() {
if (getSuggestedWindowStart().isAfter(getSuggestedWindowEnd())) {
throw new AcmeProtocolException("Received an invalid suggested window");
}
}
@Override
public Optional fetch() throws AcmeException {
LOG.debug("update RenewalInfo");
try (Connection conn = getSession().connect()) {
conn.sendRequest(getLocation(), getSession(), null);
setJSON(conn.readJsonResponse());
var retryAfterOpt = conn.getRetryAfter();
retryAfterOpt.ifPresent(instant -> LOG.debug("Retry-After: {}", instant));
setRetryAfter(retryAfterOpt.orElse(null));
return retryAfterOpt;
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/RevocationReason.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import java.util.Arrays;
/**
* An enumeration of revocation reasons.
*
* @see RFC 5280 Section
* 5.3.1
*/
public enum RevocationReason {
UNSPECIFIED(0),
KEY_COMPROMISE(1),
CA_COMPROMISE(2),
AFFILIATION_CHANGED(3),
SUPERSEDED(4),
CESSATION_OF_OPERATION(5),
CERTIFICATE_HOLD(6),
REMOVE_FROM_CRL(8),
PRIVILEGE_WITHDRAWN(9),
AA_COMPROMISE(10);
private final int reasonCode;
RevocationReason(int reasonCode) {
this.reasonCode = reasonCode;
}
/**
* Returns the reason code as defined in RFC 5280.
*/
public int getReasonCode() {
return reasonCode;
}
/**
* Returns the {@link RevocationReason} that matches the reason code.
*
* @param reasonCode
* Reason code as defined in RFC 5280
* @return Matching {@link RevocationReason}
* @throws IllegalArgumentException if the reason code is unknown or invalid
*/
public static RevocationReason code(int reasonCode) {
return Arrays.stream(values())
.filter(rr -> rr.reasonCode == reasonCode)
.findFirst()
.orElseThrow(() -> new IllegalArgumentException("Unknown revocation reason code: " + reasonCode));
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Session.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import static java.util.Objects.requireNonNull;
import java.net.URI;
import java.net.URL;
import java.net.http.HttpClient;
import java.security.KeyPair;
import java.time.ZonedDateTime;
import java.util.EnumMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.ReentrantLock;
import java.util.stream.StreamSupport;
import edu.umd.cs.findbugs.annotations.Nullable;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.shredzone.acme4j.connector.Connection;
import org.shredzone.acme4j.connector.NetworkSettings;
import org.shredzone.acme4j.connector.NonceHolder;
import org.shredzone.acme4j.connector.Resource;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.provider.AcmeProvider;
import org.shredzone.acme4j.provider.GenericAcmeProvider;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSON.Value;
/**
* A {@link Session} tracks the entire communication with a CA.
*
* To create a session instance, use its constructor. It requires the URI of the ACME
* server to connect to. This can be the location of the CA's directory (via {@code http}
* or {@code https} protocol), or a special URI (via {@code acme} protocol). See the
* documentation about valid URIs.
*
* Starting with version 4.0.0, a session instance can be shared between multiple threads.
* A session won't perform parallel HTTP connections. For high-load scenarios, it is
* recommended to use multiple sessions.
*/
public class Session {
private static final GenericAcmeProvider GENERIC_PROVIDER = new GenericAcmeProvider();
private final AtomicReference> resourceMap = new AtomicReference<>();
private final AtomicReference metadata = new AtomicReference<>();
private final AtomicReference httpClient = new AtomicReference<>();
private final ReentrantLock nonceLock = new ReentrantLock();
private final NetworkSettings networkSettings = new NetworkSettings();
private final URI serverUri;
private final AcmeProvider provider;
private @Nullable String nonce;
private @Nullable Locale locale = Locale.getDefault();
private String languageHeader = AcmeUtils.localeToLanguageHeader(Locale.getDefault());
protected @Nullable ZonedDateTime directoryLastModified;
protected @Nullable ZonedDateTime directoryExpires;
/**
* Creates a new {@link Session}.
*
* @param serverUri
* URI string of the ACME server to connect to. This is either the location of
* the CA's ACME directory (using {@code http} or {@code https} protocol), or
* a special URI (using the {@code acme} protocol).
* @throws IllegalArgumentException
* if no ACME provider was found for the server URI.
*/
public Session(String serverUri) {
this(URI.create(serverUri));
}
/**
* Creates a new {@link Session}.
*
* @param serverUri
* {@link URI} of the ACME server to connect to. This is either the location
* of the CA's ACME directory (using {@code http} or {@code https} protocol),
* or a special URI (using the {@code acme} protocol).
* @throws IllegalArgumentException
* if no ACME provider was found for the server URI.
*/
public Session(URI serverUri) {
this.serverUri = requireNonNull(serverUri, "serverUri");
if (GENERIC_PROVIDER.accepts(serverUri)) {
provider = GENERIC_PROVIDER;
return;
}
var providers = ServiceLoader.load(AcmeProvider.class);
provider = StreamSupport.stream(providers.spliterator(), false)
.filter(p -> p.accepts(serverUri))
.reduce((a, b) -> {
throw new IllegalArgumentException("Both ACME providers "
+ a.getClass().getSimpleName() + " and "
+ b.getClass().getSimpleName() + " accept "
+ serverUri + ". Please check your classpath.");
})
.orElseThrow(() -> new IllegalArgumentException("No ACME provider found for " + serverUri));
}
/**
* Creates a new {@link Session} using the given {@link AcmeProvider}.
*
* This constructor is only to be used for testing purposes.
*
* @param serverUri
* {@link URI} of the ACME server
* @param provider
* {@link AcmeProvider} to be used
* @since 2.8
*/
public Session(URI serverUri, AcmeProvider provider) {
this.serverUri = requireNonNull(serverUri, "serverUri");
this.provider = requireNonNull(provider, "provider");
if (!provider.accepts(serverUri)) {
throw new IllegalArgumentException("Provider does not accept " + serverUri);
}
}
/**
* Logs into an existing account.
*
* @param accountLocation
* Location {@link URL} of the account
* @param accountKeyPair
* Account {@link KeyPair}
* @return {@link Login} to this account
*/
public Login login(URL accountLocation, KeyPair accountKeyPair) {
return new Login(accountLocation, accountKeyPair, this);
}
/**
* Gets the ACME server {@link URI} of this session.
*/
public URI getServerUri() {
return serverUri;
}
/**
* Locks the Session for the current thread, and returns a {@link NonceHolder}.
*
* The current thread can lock the nonce multiple times. Other threads have to wait
* until the current thread unlocks the nonce.
*
* @since 4.0.0
*/
public NonceHolder lockNonce() {
nonceLock.lock();
return new NonceHolder() {
@Override
public String getNonce() {
return Session.this.nonce;
}
@Override
public void setNonce(@Nullable String nonce) {
Session.this.nonce = nonce;
}
@Override
public void close() {
nonceLock.unlock();
}
};
}
/**
* Gets the current locale of this session, or {@code null} if no special language is
* selected.
*/
@Nullable
public Locale getLocale() {
return locale;
}
/**
* Sets the locale used in this session. The locale is passed to the server as
* Accept-Language header. The server may respond with localized messages.
* The default is the system's language. If set to {@code null}, any language will be
* accepted.
*/
public void setLocale(@Nullable Locale locale) {
this.locale = locale;
this.languageHeader = AcmeUtils.localeToLanguageHeader(locale);
}
/**
* Gets an Accept-Language header value that matches the current locale. This method
* is mainly for internal use.
*
* @since 3.0.0
*/
public String getLanguageHeader() {
return languageHeader;
}
/**
* Returns the current {@link NetworkSettings}.
*
* @return {@link NetworkSettings}
* @since 2.8
*/
@SuppressFBWarnings("EI_EXPOSE_REP") // behavior is intended
public NetworkSettings networkSettings() {
return networkSettings;
}
/**
* Returns the {@link AcmeProvider} that is used for this session.
*
* @return {@link AcmeProvider}
*/
public AcmeProvider provider() {
return provider;
}
/**
* Returns a new {@link Connection} to the ACME server.
*
* @return {@link Connection}
*/
public Connection connect() {
return provider.connect(getServerUri(), networkSettings, getHttpClient());
}
/**
* Returns the shared {@link HttpClient} instance for this session. The instance is
* created lazily on first access and then cached for reuse. This allows multiple
* connections to share the same HTTP client, improving resource utilization and
* connection pooling.
*
* @return Shared {@link HttpClient} instance
* @since 4.0.0
*/
public HttpClient getHttpClient() {
var result = httpClient.get();
if (result == null) {
result = httpClient.updateAndGet(
client -> client != null
? client
: provider.createHttpClient(networkSettings)
);
}
return result;
}
/**
* Gets the {@link URL} of the given {@link Resource}. This may involve connecting to
* the server and fetching the directory. The result is cached.
*
* @param resource
* {@link Resource} to get the {@link URL} of
* @return {@link URL} of the resource
* @throws AcmeException
* if the server does not offer the {@link Resource}
*/
public URL resourceUrl(Resource resource) throws AcmeException {
return resourceUrlOptional(resource)
.orElseThrow(() -> new AcmeNotSupportedException(resource.path()));
}
/**
* Gets the {@link URL} of the given {@link Resource}. This may involve connecting to
* the server and fetching the directory. The result is cached.
*
* @param resource
* {@link Resource} to get the {@link URL} of
* @return {@link URL} of the resource, or empty if the resource is not available.
* @since 3.0.0
*/
public Optional resourceUrlOptional(Resource resource) throws AcmeException {
readDirectory();
return Optional.ofNullable(resourceMap.get()
.get(requireNonNull(resource, "resource")));
}
/**
* Gets the metadata of the provider's directory. This may involve connecting to the
* server and fetching the directory. The result is cached.
*
* @return {@link Metadata}. May contain no data, but is never {@code null}.
*/
public Metadata getMetadata() throws AcmeException {
readDirectory();
return metadata.get();
}
/**
* Returns the date when the directory has been modified the last time.
*
* @return The last modification date of the directory, or {@code null} if unknown
* (directory has not been read yet or did not provide this information).
* @since 2.10
*/
@Nullable
public ZonedDateTime getDirectoryLastModified() {
return directoryLastModified;
}
/**
* Sets the date when the directory has been modified the last time. Should only be
* invoked by {@link AcmeProvider} implementations.
*
* @param directoryLastModified
* The last modification date of the directory, or {@code null} if unknown
* (directory has not been read yet or did not provide this information).
* @since 2.10
*/
public void setDirectoryLastModified(@Nullable ZonedDateTime directoryLastModified) {
this.directoryLastModified = directoryLastModified;
}
/**
* Returns the date when the current directory records will expire. A fresh copy of
* the directory will be fetched automatically after that instant.
*
* @return The expiration date, or {@code null} if the server did not provide this
* information.
* @since 2.10
*/
@Nullable
public ZonedDateTime getDirectoryExpires() {
return directoryExpires;
}
/**
* Sets the date when the current directory will expire. Should only be invoked by
* {@link AcmeProvider} implementations.
*
* @param directoryExpires
* Expiration date, or {@code null} if the server did not provide this
* information.
* @since 2.10
*/
public void setDirectoryExpires(@Nullable ZonedDateTime directoryExpires) {
this.directoryExpires = directoryExpires;
}
/**
* Returns {@code true} if a copy of the directory is present in a local cache. It is
* not evaluated if the cached copy has expired though.
*
* @return {@code true} if a directory is available.
* @since 2.10
*/
public boolean hasDirectory() {
return resourceMap.get() != null;
}
/**
* Purges the directory cache. Makes sure that a fresh copy of the directory will be
* read from the CA on the next time the directory is accessed.
*
* @since 3.0.0
*/
public void purgeDirectoryCache() {
setDirectoryLastModified(null);
setDirectoryExpires(null);
resourceMap.set(null);
}
/**
* Reads the provider's directory, then rebuild the resource map. The resource map
* is unchanged if the {@link AcmeProvider} returns that the directory has not been
* changed on the remote side.
*/
private void readDirectory() throws AcmeException {
var directoryJson = provider().directory(this, getServerUri());
if (directoryJson == null) {
if (!hasDirectory()) {
throw new AcmeException("AcmeProvider did not provide a directory");
}
return;
}
var meta = directoryJson.get("meta");
if (meta.isPresent()) {
metadata.set(new Metadata(meta.asObject()));
} else {
metadata.set(new Metadata(JSON.empty()));
}
var map = new EnumMap(Resource.class);
for (var res : Resource.values()) {
directoryJson.get(res.path())
.map(Value::asURL)
.ifPresent(url -> map.put(res, url));
}
resourceMap.set(map);
}
@Override
protected final void finalize() {
// CT_CONSTRUCTOR_THROW: Prevents finalizer attack
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/Status.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j;
import java.util.Arrays;
import java.util.Locale;
/**
* An enumeration of status codes of challenges and authorizations.
*/
public enum Status {
/**
* The server has created the resource, and is waiting for the client to process it.
*/
PENDING,
/**
* The {@link Order} is ready to be finalized. Invoke {@link Order#execute(byte[])}.
*/
READY,
/**
* The server is processing the resource. The client should invoke
* {@link AcmeJsonResource#fetch()} and re-check the status.
*/
PROCESSING,
/**
* The resource is valid and can be used as intended.
*/
VALID,
/**
* An error or authorization/validation failure has occured. The client should check
* for error messages.
*/
INVALID,
/**
* The {@link Authorization} has been revoked by the server.
*/
REVOKED,
/**
* The {@link Account} or {@link Authorization} has been deactivated by the client.
*/
DEACTIVATED,
/**
* The {@link Authorization} is expired.
*/
EXPIRED,
/**
* An auto-renewing {@link Order} is canceled.
*
* @since 2.3
*/
CANCELED,
/**
* The server did not provide a status, or the provided status is not a specified ACME
* status.
*/
UNKNOWN;
/**
* Parses the string and returns a corresponding Status object.
*
* @param str
* String to parse
* @return {@link Status} matching the string, or {@link Status#UNKNOWN} if there was
* no match
*/
public static Status parse(String str) {
var check = str.toUpperCase(Locale.ENGLISH);
return Arrays.stream(values())
.filter(s -> s.name().equals(check))
.findFirst()
.orElse(Status.UNKNOWN);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/Challenge.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.challenge;
import java.io.Serial;
import java.time.Duration;
import java.time.Instant;
import java.util.EnumSet;
import java.util.Optional;
import org.shredzone.acme4j.AcmeJsonResource;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.PollableResource;
import org.shredzone.acme4j.Problem;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSON.Value;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* A generic challenge. It can be used as a base class for actual challenge
* implementations, but it is also used if the ACME server offers a proprietary challenge
* that is unknown to acme4j.
*
* Subclasses must override {@link Challenge#acceptable(String)} so it only accepts its
* own type. {@link Challenge#prepareResponse(JSONBuilder)} can be overridden to put all
* required data to the challenge response.
*/
public class Challenge extends AcmeJsonResource implements PollableResource {
@Serial
private static final long serialVersionUID = 2338794776848388099L;
private static final Logger LOG = LoggerFactory.getLogger(Challenge.class);
protected static final String KEY_TYPE = "type";
protected static final String KEY_URL = "url";
protected static final String KEY_STATUS = "status";
protected static final String KEY_VALIDATED = "validated";
protected static final String KEY_ERROR = "error";
/**
* Creates a new generic {@link Challenge} object.
*
* @param login
* {@link Login} the resource is bound with
* @param data
* {@link JSON} challenge data
*/
public Challenge(Login login, JSON data) {
super(login, data.get(KEY_URL).asURL());
setJSON(data);
}
/**
* Returns the challenge type by name (e.g. "http-01").
*/
public String getType() {
return getJSON().get(KEY_TYPE).asString();
}
/**
* Returns the current status of the challenge.
*
* A challenge is only completed when it reaches either status {@link Status#VALID} or
* {@link Status#INVALID}.
*/
@Override
public Status getStatus() {
return getJSON().get(KEY_STATUS).asStatus();
}
/**
* Returns the validation date, if returned by the server.
*/
public Optional getValidated() {
return getJSON().get(KEY_VALIDATED).map(Value::asInstant);
}
/**
* Returns a reason why the challenge has failed in the past, if returned by the
* server. If there are multiple errors, they can be found in
* {@link Problem#getSubProblems()}.
*/
public Optional getError() {
return getJSON().get(KEY_ERROR).map(it -> it.asProblem(getLocation()));
}
/**
* Prepares the response message for triggering the challenge. Subclasses can add
* fields to the {@link JSONBuilder} as required by the challenge. Implementations of
* subclasses should make sure that {@link #prepareResponse(JSONBuilder)} of the
* superclass is invoked.
*
* @param response
* {@link JSONBuilder} to write the response to
*/
protected void prepareResponse(JSONBuilder response) {
// Do nothing here...
}
/**
* Checks if the type is acceptable to this challenge. This generic class only checks
* if the type is not blank. Subclasses should instead check if the given type matches
* expected challenge type.
*
* @param type
* Type to check
* @return {@code true} if acceptable, {@code false} if not
*/
protected boolean acceptable(String type) {
return type != null && !type.trim().isEmpty();
}
@Override
protected void setJSON(JSON json) {
var type = json.get(KEY_TYPE).asString();
if (!acceptable(type)) {
throw new AcmeProtocolException("incompatible type " + type + " for this challenge");
}
var loc = json.get(KEY_URL).asString();
if (!loc.equals(getLocation().toString())) {
throw new AcmeProtocolException("challenge has changed its location");
}
super.setJSON(json);
}
/**
* Triggers this {@link Challenge}. The ACME server is requested to validate the
* response. Note that the validation is performed asynchronously by the ACME server.
*
* After a challenge is triggered, it changes to {@link Status#PENDING}. As soon as
* validation takes place, it changes to {@link Status#PROCESSING}. After validation
* the status changes to {@link Status#VALID} or {@link Status#INVALID}, depending on
* the outcome of the validation.
*
* If the challenge requires a resource to be set on your side (e.g. a DNS record or
* an HTTP file), it must be reachable from public before {@link #trigger()}
* is invoked, and must not be taken down until the challenge has reached
* {@link Status#VALID} or {@link Status#INVALID}.
*
* If this method is invoked a second time, the ACME server is requested to retry the
* validation. This can be useful if the client state has changed, for example after a
* firewall rule has been updated.
*
* @see #waitForCompletion(Duration)
*/
public void trigger() throws AcmeException {
LOG.debug("trigger");
try (var conn = getSession().connect()) {
var claims = new JSONBuilder();
prepareResponse(claims);
conn.sendSignedRequest(getLocation(), claims, getLogin());
setJSON(conn.readJsonResponse());
}
}
/**
* Waits until the challenge is completed.
*
* Is is completed if it reaches either {@link Status#VALID} or
* {@link Status#INVALID}.
*
* This method is synchronous and blocks the current thread.
*
* @param timeout
* Timeout until a terminal status must have been reached
* @return Status that was reached
* @since 3.4.0
*/
public Status waitForCompletion(Duration timeout)
throws AcmeException, InterruptedException {
return waitForStatus(EnumSet.of(Status.VALID, Status.INVALID), timeout);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/Dns01Challenge.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.challenge;
import static org.shredzone.acme4j.toolbox.AcmeUtils.base64UrlEncode;
import static org.shredzone.acme4j.toolbox.AcmeUtils.sha256hash;
import java.io.Serial;
import org.shredzone.acme4j.Identifier;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.toolbox.JSON;
/**
* Implements the {@value TYPE} challenge. It requires a specific DNS record for domain
* validation. See the acme4j documentation for a detailed explanation.
*/
public class Dns01Challenge extends TokenChallenge {
@Serial
private static final long serialVersionUID = 6964687027713533075L;
/**
* Challenge type name: {@value}
*/
public static final String TYPE = "dns-01";
/**
* The prefix of the domain name to be used for the DNS TXT record.
*/
public static final String RECORD_NAME_PREFIX = "_acme-challenge";
/**
* Creates a new generic {@link Dns01Challenge} object.
*
* @param login
* {@link Login} the resource is bound with
* @param data
* {@link JSON} challenge data
*/
public Dns01Challenge(Login login, JSON data) {
super(login, data);
}
/**
* Converts a domain identifier to the Resource Record name to be used for the DNS TXT
* record.
*
* @param identifier
* Domain {@link Identifier} of the domain to be validated
* @return Resource Record name (e.g. {@code _acme-challenge.www.example.org.}, note
* the trailing full stop character).
* @since 4.0.0
*/
public String getRRName(Identifier identifier) {
return getRRName(identifier.getDomain());
}
/**
* Converts a domain identifier to the Resource Record name to be used for the DNS TXT
* record.
*
* @param domain
* Domain name to be validated
* @return Resource Record name (e.g. {@code _acme-challenge.www.example.org.}, note
* the trailing full stop character).
* @since 4.0.0
*/
public String getRRName(String domain) {
return RECORD_NAME_PREFIX + '.' + domain + '.';
}
/**
* Returns the digest string to be set in the domain's {@code _acme-challenge} TXT
* record.
*/
public String getDigest() {
return base64UrlEncode(sha256hash(getAuthorization()));
}
@Override
protected boolean acceptable(String type) {
return TYPE.equals(type);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/DnsAccount01Challenge.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2025 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.challenge;
import static org.shredzone.acme4j.toolbox.AcmeUtils.*;
import java.io.Serial;
import java.net.URL;
import java.util.Arrays;
import java.util.Locale;
import org.shredzone.acme4j.Identifier;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.toolbox.JSON;
/**
* Implements the {@value TYPE} challenge. It requires a specific DNS record for domain
* validation. See the acme4j documentation for a detailed explanation.
*
* @draft This class is currently based on an RFC draft. It may be changed or removed
* without notice to reflect future changes to the draft. SemVer rules do not apply here.
* @since 4.0.0
*/
public class DnsAccount01Challenge extends TokenChallenge {
@Serial
private static final long serialVersionUID = -1098129409378900733L;
/**
* Challenge type name: {@value}
*/
public static final String TYPE = "dns-account-01";
/**
* Creates a new generic {@link DnsAccount01Challenge} object.
*
* @param login
* {@link Login} the resource is bound with
* @param data
* {@link JSON} challenge data
*/
public DnsAccount01Challenge(Login login, JSON data) {
super(login, data);
}
/**
* Converts a domain identifier to the Resource Record name to be used for the DNS TXT
* record.
*
* @param identifier
* {@link Identifier} to be validated
* @return Resource Record name (e.g.
* {@code _ujmmovf2vn55tgye._acme-challenge.example.org.}, note the trailing full stop
* character).
*/
public String getRRName(Identifier identifier) {
return getRRName(identifier.getDomain());
}
/**
* Converts a domain identifier to the Resource Record name to be used for the DNS TXT
* record.
*
* @param domain
* Domain name to be validated
* @return Resource Record name (e.g.
* {@code _ujmmovf2vn55tgye._acme-challenge.example.org.}, note the trailing full stop
* character).
*/
public String getRRName(String domain) {
return getPrefix(getLogin().getAccount().getLocation()) + '.' + domain + '.';
}
/**
* Returns the digest string to be set in the domain's TXT record.
*/
public String getDigest() {
return base64UrlEncode(sha256hash(getAuthorization()));
}
/**
* Returns the prefix of an account location.
*/
private String getPrefix(URL accountLocation) {
var urlHash = sha256hash(accountLocation.toExternalForm());
var hash = base32Encode(Arrays.copyOfRange(urlHash, 0, 10));
return "_" + hash.toLowerCase(Locale.ENGLISH)
+ "._acme-challenge";
}
@Override
protected boolean acceptable(String type) {
return TYPE.equals(type);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/DnsPersist01Challenge.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2026 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.challenge;
import static java.util.Objects.requireNonNull;
import java.io.Serial;
import java.net.URISyntaxException;
import java.net.URL;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.Identifier;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSON;
/**
* Implements the {@value TYPE} challenge. It requires a specific DNS record for domain
* validation. See the acme4j documentation for a detailed explanation.
*
* @draft This class is currently based on an RFC draft. It may be changed or removed
* without notice to reflect future changes to the draft. SemVer rules do not apply here.
* @since 5.0.0
*/
public class DnsPersist01Challenge extends Challenge {
@Serial
private static final long serialVersionUID = 7532514098897449519L;
/**
* Challenge type name: {@value}
*/
public static final String TYPE = "dns-persist-01";
protected static final String KEY_ISSUER_DOMAIN_NAMES = "issuer-domain-names";
protected static final String RECORD_NAME_PREFIX = "_validation-persist";
protected static final String KEY_ACCOUNT_URI = "accounturi";
private static final int ISSUER_SIZE_LIMIT = 10; // according to the specs
private static final int DOMAIN_LENGTH_LIMIT = 253; // according to the specs
private @Nullable List issuerDomainNames;
/**
* Creates a new generic {@link DnsPersist01Challenge} object.
*
* @param login
* {@link Login} the resource is bound with
* @param data
* {@link JSON} challenge data
*/
public DnsPersist01Challenge(Login login, JSON data) {
super(login, data);
}
/**
* Returns the list of issuer-domain-names from the CA. The list is guaranteed to
* have at least one element.
*/
public List getIssuerDomainNames() {
if (issuerDomainNames == null) {
var domainNames = getJSON().get(KEY_ISSUER_DOMAIN_NAMES).asArray().stream()
.map(JSON.Value::asString)
.map(AcmeUtils::toAce)
.toList();
if (domainNames.isEmpty()) {
// malform check is mandatory according to the specification
throw new AcmeProtocolException("issuer-domain-names missing or empty");
}
if (domainNames.size() > ISSUER_SIZE_LIMIT) {
// malform check is mandatory according to the specification
throw new AcmeProtocolException("issuer-domain-names size limit exceeded: "
+ domainNames.size() + " > " + ISSUER_SIZE_LIMIT);
}
if (domainNames.stream().anyMatch(it -> it.endsWith("."))) {
throw new AcmeProtocolException("issuer-domain-names must not have trailing dots");
}
if (!domainNames.stream().allMatch(it -> it.length() <= DOMAIN_LENGTH_LIMIT)) {
throw new AcmeProtocolException("issuer-domain-names content too long");
}
issuerDomainNames = domainNames;
}
return Collections.unmodifiableList(issuerDomainNames);
}
/**
* Converts a domain identifier to the Resource Record name to be used for the DNS TXT
* record.
*
* @param identifier
* Domain {@link Identifier} of the domain to be validated
* @return Resource Record name (e.g. {@code _validation-persist.www.example.org.},
* note the trailing full stop character).
*/
public String getRRName(Identifier identifier) {
return getRRName(identifier.getDomain());
}
/**
* Converts a domain identifier to the Resource Record name to be used for the DNS TXT
* record.
*
* @param domain
* Domain name to be validated
* @return Resource Record name (e.g. {@code _validation-persist.www.example.org.},
* note the trailing full stop character).
*/
public String getRRName(String domain) {
return RECORD_NAME_PREFIX + '.' + AcmeUtils.toAce(domain) + '.';
}
/**
* Returns a builder for the RDATA value of the DNS TXT record.
*
* @return Builder for the RDATA
*/
public Builder buildRData() {
return new Builder(getLogin(), getIssuerDomainNames());
}
/**
* Convenience call to get a standard RDATA without optional tags.
*
* @return RRDATA
*/
public String getRData() {
return buildRData().build();
}
/**
* Returns the Account URI that is expected to request the validation.
*
* @since 5.1.0
*/
public URL getAccountUrl() {
return getJSON().get(KEY_ACCOUNT_URI).asURL();
}
@Override
protected void invalidate() {
super.invalidate();
issuerDomainNames = null;
}
@Override
protected boolean acceptable(String type) {
return TYPE.equals(type);
}
@Override
protected void setJSON(JSON json) {
super.setJSON(json);
// TODO: In a future release, KEY_ACCOUNT_URI is expected to be mandatory,
// and this check will always apply!
if (getJSON().contains(KEY_ACCOUNT_URI)) {
try {
var expectedAccount = getJSON().get(KEY_ACCOUNT_URI).asURI();
var actualAccount = getLogin().getAccount().getLocation().toURI();
if (!actualAccount.equals(expectedAccount)) {
throw new AcmeProtocolException("challenge is intended for a different account: " + expectedAccount);
}
} catch (URISyntaxException ex) {
throw new IllegalStateException("Account URL is not an URI?", ex);
}
}
}
/**
* Builder for RDATA.
*
* The following default values are assumed unless overridden by one of the builder
* methods:
*
*
The first issuer domain name from the list of issuer domain names is used
*
No wildcard domain
*
No persistence limit
*
Generate quote-enclosed strings
*
*/
public static class Builder {
private final Login login;
private final List issuerDomainNames;
private String issuer;
private boolean wildcard = false;
private boolean quotes = true;
private @Nullable Instant persistUntil = null;
private Builder(Login login, List issuerDomainNames) {
this.login = login;
this.issuerDomainNames = issuerDomainNames;
this.issuer = issuerDomainNames.get(0);
}
/**
* Change the issuer domain name.
*
* @param issuer
* Issuer domain name, must be one of
* {@link DnsPersist01Challenge#getIssuerDomainNames()}.
*/
public Builder issuerDomainName(String issuer) {
requireNonNull(issuer, "issuer");
if (!issuerDomainNames.contains(issuer)) {
throw new IllegalArgumentException("Domain " + issuer + " is not in the list of issuer-domain-names");
}
this.issuer = issuer;
return this;
}
/**
* Request wildcard validation.
*/
public Builder wildcard() {
wildcard = true;
return this;
}
/**
* Instant until this RDATA is valid. The CA must not use this record after that.
*
* @param instant
* Persist until instant
*/
public Builder persistUntil(Instant instant) {
persistUntil = requireNonNull(instant, "instant");
return this;
}
/**
* Do not use quote-enclosed strings. Proper formatting of the resulting RDATA
* must be done externally!
*/
public Builder noQuotes() {
quotes = false;
return this;
}
/**
* Build the RDATA string for the DNS TXT record.
*/
public String build() {
var parts = new ArrayList();
parts.add(issuer);
parts.add("accounturi=" + login.getAccount().getLocation());
if (wildcard) {
parts.add("policy=wildcard");
}
if (persistUntil != null) {
parts.add("persistUntil=" + persistUntil.getEpochSecond());
}
if (quotes) {
// Quotes inside the parts should be escaped. However, we don't expect
// that any part contains qoutes.
return '"' + String.join(";\" \" ", parts) + '"';
} else {
return String.join("; ", parts);
}
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/Http01Challenge.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.challenge;
import java.io.Serial;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.toolbox.JSON;
/**
* Implements the {@value TYPE} challenge. For domain validation, it requires a specific
* file that can be retrieved from the domain via HTTP. See the acme4j documentation for a
* detailed explanation.
*/
public class Http01Challenge extends TokenChallenge {
@Serial
private static final long serialVersionUID = 3322211185872544605L;
/**
* Challenge type name: {@value}
*/
public static final String TYPE = "http-01";
/**
* Creates a new generic {@link Http01Challenge} object.
*
* @param login
* {@link Login} the resource is bound with
* @param data
* {@link JSON} challenge data
*/
public Http01Challenge(Login login, JSON data) {
super(login, data);
}
/**
* Returns the token to be used for this challenge.
*/
@Override
public String getToken() {
return super.getToken();
}
@Override
protected boolean acceptable(String type) {
return TYPE.equals(type);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/TlsAlpn01Challenge.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2018 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.challenge;
import static org.shredzone.acme4j.toolbox.AcmeUtils.sha256hash;
import java.io.IOException;
import java.io.Serial;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import org.shredzone.acme4j.Identifier;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.util.CertificateUtils;
/**
* Implements the {@value TYPE} challenge. It requires a specific certificate that can be
* retrieved from the domain via HTTPS request. See the acme4j documentation for a
* detailed explanation.
*
* @since 2.1
*/
public class TlsAlpn01Challenge extends TokenChallenge {
@Serial
private static final long serialVersionUID = -5590351078176091228L;
/**
* Challenge type name: {@value}
*/
public static final String TYPE = "tls-alpn-01";
/**
* OID of the {@code acmeValidation} extension.
*/
public static final String ACME_VALIDATION_OID = "1.3.6.1.5.5.7.1.31";
/**
* {@code acme-tls/1} protocol.
*/
public static final String ACME_TLS_1_PROTOCOL = "acme-tls/1";
/**
* Creates a new generic {@link TlsAlpn01Challenge} object.
*
* @param login
* {@link Login} the resource is bound with
* @param data
* {@link JSON} challenge data
*/
public TlsAlpn01Challenge(Login login, JSON data) {
super(login, data);
}
/**
* Returns the value that is to be used as {@code acmeValidation} extension in
* the test certificate.
*/
public byte[] getAcmeValidation() {
return sha256hash(getAuthorization());
}
/**
* Creates a self-signed {@link X509Certificate} for this challenge. The certificate
* is valid for 7 days.
*
* @param keypair
* A domain {@link KeyPair} to be used for the challenge
* @param id
* The {@link Identifier} that is to be validated
* @return Created certificate
* @since 3.0.0
*/
public X509Certificate createCertificate(KeyPair keypair, Identifier id) {
try {
return CertificateUtils.createTlsAlpn01Certificate(keypair, id, getAcmeValidation());
} catch (IOException ex) {
throw new IllegalArgumentException("Bad certificate parameters", ex);
}
}
@Override
protected boolean acceptable(String type) {
return TYPE.equals(type);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/TokenChallenge.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.challenge;
import static org.shredzone.acme4j.toolbox.AcmeUtils.base64UrlEncode;
import java.io.Serial;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JoseUtils;
/**
* A generic extension of {@link Challenge} that handles challenges with a {@code token}
* and {@code keyAuthorization}.
*/
public class TokenChallenge extends Challenge {
@Serial
private static final long serialVersionUID = 1634133407432681800L;
protected static final String KEY_TOKEN = "token";
/**
* Creates a new generic {@link TokenChallenge} object.
*
* @param login
* {@link Login} the resource is bound with
* @param data
* {@link JSON} challenge data
*/
public TokenChallenge(Login login, JSON data) {
super(login, data);
}
/**
* Gets the token.
*/
protected String getToken() {
var token = getJSON().get(KEY_TOKEN).asString();
if (!AcmeUtils.isValidBase64Url(token)) {
throw new AcmeProtocolException("Invalid token: " + token);
}
return token;
}
/**
* Computes the key authorization for the given token.
*
* The default is {@code token + '.' + base64url(jwkThumbprint)}. Subclasses may
* override this method if a different algorithm is used.
*
* @param token
* Token to be used
* @return Key Authorization string for that token
* @since 2.12
*/
protected String keyAuthorizationFor(String token) {
var pk = getLogin().getPublicKey();
return token + '.' + base64UrlEncode(JoseUtils.thumbprint(pk));
}
/**
* Returns the authorization string.
*
* The default uses {@link #keyAuthorizationFor(String)} to compute the key
* authorization of {@link #getToken()}. Subclasses may override this method if a
* different algorithm is used.
*/
public String getAuthorization() {
return keyAuthorizationFor(getToken());
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/challenge/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains all standard challenges, as well as base classes for challenges
* that are proprietary to a CA.
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.challenge;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/Connection.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import java.net.URL;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSONBuilder;
/**
* Connects to the ACME server and offers different methods for invoking the API.
*
* The actual way of communicating with the ACME server is intentionally left open.
* Implementations could use other means than HTTP, or could mock the communication for
* unit testing.
*/
public interface Connection extends AutoCloseable {
/**
* Resets the session nonce, by fetching a new one.
*
* @param session
* {@link Session} instance to fetch a nonce for
*/
void resetNonce(Session session) throws AcmeException;
/**
* Sends a simple GET request.
*
* If the response code was not HTTP status 200, an {@link AcmeException} matching
* the error is raised.
*
* @param url
* {@link URL} to send the request to.
* @param session
* {@link Session} instance to be used for tracking
* @param ifModifiedSince
* {@link ZonedDateTime} to be sent as "If-Modified-Since" header, or
* {@code null} if this header is not to be used
* @return HTTP status that was returned
*/
int sendRequest(URL url, Session session, @Nullable ZonedDateTime ifModifiedSince)
throws AcmeException;
/**
* Sends a signed POST-as-GET request for a certificate resource. Requires a
* {@link Login} for the session and {@link KeyPair}. The {@link Login} account
* location is sent in a "kid" protected header.
*
* If the server does not return a 200 class status code, an {@link AcmeException} is
* raised matching the error.
*
* @param url
* {@link URL} to send the request to.
* @param login
* {@link Login} instance to be used for signing and tracking.
* @return HTTP 200 class status that was returned
*/
int sendCertificateRequest(URL url, Login login) throws AcmeException;
/**
* Sends a signed POST-as-GET request. Requires a {@link Login} for the session and
* {@link KeyPair}. The {@link Login} account location is sent in a "kid" protected
* header.
*
* If the server does not return a 200 class status code, an {@link AcmeException} is
* raised matching the error.
*
* @param url
* {@link URL} to send the request to.
* @param login
* {@link Login} instance to be used for signing and tracking.
* @return HTTP 200 class status that was returned
*/
int sendSignedPostAsGetRequest(URL url, Login login) throws AcmeException;
/**
* Sends a signed POST request. Requires a {@link Login} for the session and
* {@link KeyPair}. The {@link Login} account location is sent in a "kid" protected
* header.
*
* If the server does not return a 200 class status code, an {@link AcmeException} is
* raised matching the error.
*
* @param url
* {@link URL} to send the request to.
* @param claims
* {@link JSONBuilder} containing claims.
* @param login
* {@link Login} instance to be used for signing and tracking.
* @return HTTP 200 class status that was returned
*/
int sendSignedRequest(URL url, JSONBuilder claims, Login login) throws AcmeException;
/**
* Sends a signed POST request. Only requires a {@link Session}.
*
* If the server does not return a 200 class status code, an {@link AcmeException} is
* raised matching the error.
*
* @param url
* {@link URL} to send the request to.
* @param claims
* {@link JSONBuilder} containing claims.
* @param session
* {@link Session} instance to be used for tracking.
* @param signer
* {@link RequestSigner} to sign the request with
* @return HTTP 200 class status that was returned
* @since 5.0.0
*/
int sendSignedRequest(URL url, JSONBuilder claims, Session session, RequestSigner signer)
throws AcmeException;
/**
* Reads a server response as JSON object.
*
* @return The JSON response.
*/
JSON readJsonResponse() throws AcmeException;
/**
* Reads a certificate and its chain of issuers.
*
* @return List of X.509 certificate and chain that was read.
*/
List readCertificates() throws AcmeException;
/**
* Returns the Retry-After header if present.
*
* @since 3.0.0
*/
Optional getRetryAfter();
/**
* Gets the nonce from the nonce header.
*
* @return Base64 encoded nonce, or empty if no nonce header was set
*/
Optional getNonce();
/**
* Gets a location from the {@code Location} header.
*
* Relative links are resolved against the last request's URL.
*
* @return Location {@link URL}
* @throws org.shredzone.acme4j.exception.AcmeProtocolException if the location
* header is missing
*/
URL getLocation();
/**
* Returns the content of the last-modified header, if present.
*
* @return Date in the Last-Modified header, or empty if the server did not provide
* this information.
* @since 2.10
*/
Optional getLastModified();
/**
* Returns the expiration date of the resource, if present.
*
* @return Expiration date, either from the Cache-Control or Expires header. If empty,
* the server did not provide an expiration date, or forbid caching.
* @since 2.10
*/
Optional getExpiration();
/**
* Gets one or more relation links from the header. The result is expected to be a
* URL.
*
* Relative links are resolved against the last request's URL.
*
* @param relation
* Link relation
* @return Collection of links. Empty if there was no such relation.
*/
Collection getLinks(String relation);
/**
* Closes the {@link Connection}, releasing all resources.
*/
@Override
void close();
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/DefaultConnection.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2023 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import static java.time.format.DateTimeFormatter.RFC_1123_DATE_TIME;
import static java.util.function.Predicate.not;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeParseException;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Consumer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.GZIPInputStream;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Problem;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeNetworkException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.exception.AcmeRateLimitedException;
import org.shredzone.acme4j.exception.AcmeServerException;
import org.shredzone.acme4j.exception.AcmeUnauthorizedException;
import org.shredzone.acme4j.exception.AcmeUserActionRequiredException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSON;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Default implementation of {@link Connection}. It communicates with the ACME server via
* HTTP, with a client that is provided by the given {@link HttpConnector}.
*/
public class DefaultConnection implements Connection {
private static final Logger LOG = LoggerFactory.getLogger(DefaultConnection.class);
private static final int HTTP_OK = 200;
private static final int HTTP_CREATED = 201;
private static final int HTTP_NO_CONTENT = 204;
private static final int HTTP_NOT_MODIFIED = 304;
private static final String ACCEPT_HEADER = "Accept";
private static final String ACCEPT_CHARSET_HEADER = "Accept-Charset";
private static final String ACCEPT_LANGUAGE_HEADER = "Accept-Language";
private static final String ACCEPT_ENCODING_HEADER = "Accept-Encoding";
private static final String CACHE_CONTROL_HEADER = "Cache-Control";
private static final String CONTENT_TYPE_HEADER = "Content-Type";
private static final String DATE_HEADER = "Date";
private static final String EXPIRES_HEADER = "Expires";
private static final String IF_MODIFIED_SINCE_HEADER = "If-Modified-Since";
private static final String LAST_MODIFIED_HEADER = "Last-Modified";
private static final String LINK_HEADER = "Link";
private static final String LOCATION_HEADER = "Location";
private static final String REPLAY_NONCE_HEADER = "Replay-Nonce";
private static final String RETRY_AFTER_HEADER = "Retry-After";
private static final String DEFAULT_CHARSET = "utf-8";
private static final String MIME_JSON = "application/json";
private static final String MIME_JSON_PROBLEM = "application/problem+json";
private static final String MIME_CERTIFICATE_CHAIN = "application/pem-certificate-chain";
private static final URI BAD_NONCE_ERROR = URI.create("urn:ietf:params:acme:error:badNonce");
private static final int MAX_ATTEMPTS = 10;
private static final Pattern NO_CACHE_PATTERN = Pattern.compile("(?:^|.*?,)\\s*no-(?:cache|store)\\s*(?:,.*|$)", Pattern.CASE_INSENSITIVE);
private static final Pattern MAX_AGE_PATTERN = Pattern.compile("(?:^|.*?,)\\s*max-age=(\\d+)\\s*(?:,.*|$)", Pattern.CASE_INSENSITIVE);
private static final Pattern DIGITS_ONLY_PATTERN = Pattern.compile("^\\d+$");
protected final HttpConnector httpConnector;
protected final HttpClient httpClient;
protected @Nullable HttpResponse lastResponse;
/**
* Creates a new {@link DefaultConnection}.
*
* @param httpConnector
* {@link HttpConnector} to be used for HTTP connections
*/
public DefaultConnection(HttpConnector httpConnector) {
this.httpConnector = Objects.requireNonNull(httpConnector, "httpConnector");
this.httpClient = httpConnector.getHttpClient();
}
@Override
public void resetNonce(Session session) throws AcmeException {
assertConnectionIsClosed();
try (var nonceHolder = session.lockNonce()) {
nonceHolder.setNonce(null);
var newNonceUrl = session.resourceUrl(Resource.NEW_NONCE);
LOG.debug("HEAD {}", newNonceUrl);
sendRequest(session, newNonceUrl, b ->
b.method("HEAD", HttpRequest.BodyPublishers.noBody()));
logHeaders();
var rc = getResponse().statusCode();
if (rc != HTTP_OK && rc != HTTP_NO_CONTENT) {
throw new AcmeException("Server responded with HTTP " + rc + " while trying to retrieve a nonce");
}
nonceHolder.setNonce(getNonce()
.orElseThrow(() -> new AcmeProtocolException("Server did not provide a nonce"))
);
} catch (IOException ex) {
throw new AcmeNetworkException(ex);
} finally {
close();
}
}
@Override
public int sendRequest(URL url, Session session, @Nullable ZonedDateTime ifModifiedSince)
throws AcmeException {
Objects.requireNonNull(url, "url");
Objects.requireNonNull(session, "session");
assertConnectionIsClosed();
LOG.debug("GET {}", url);
try (var nonceHolder = session.lockNonce()) {
sendRequest(session, url, builder -> {
builder.GET();
builder.header(ACCEPT_HEADER, MIME_JSON);
if (ifModifiedSince != null) {
builder.header(IF_MODIFIED_SINCE_HEADER, ifModifiedSince.format(RFC_1123_DATE_TIME));
}
});
logHeaders();
getNonce().ifPresent(nonceHolder::setNonce);
var rc = getResponse().statusCode();
if (rc != HTTP_OK && rc != HTTP_CREATED && (rc != HTTP_NOT_MODIFIED || ifModifiedSince == null)) {
throwAcmeException();
}
return rc;
} catch (IOException ex) {
throw new AcmeNetworkException(ex);
}
}
@Override
public int sendCertificateRequest(URL url, Login login) throws AcmeException {
return sendSignedRequest(url, null, login.getSession(), MIME_CERTIFICATE_CHAIN,
login::createJoseRequest);
}
@Override
public int sendSignedPostAsGetRequest(URL url, Login login) throws AcmeException {
return sendSignedRequest(url, null, login.getSession(), MIME_JSON,
login::createJoseRequest);
}
@Override
public int sendSignedRequest(URL url, JSONBuilder claims, Login login) throws AcmeException {
return sendSignedRequest(url, claims, login.getSession(), MIME_JSON,
login::createJoseRequest);
}
@Override
public int sendSignedRequest(URL url, JSONBuilder claims, Session session, RequestSigner signer)
throws AcmeException {
return sendSignedRequest(url, claims, session, MIME_JSON, signer);
}
@Override
public JSON readJsonResponse() throws AcmeException {
expectContentType(Set.of(MIME_JSON, MIME_JSON_PROBLEM));
try (var in = getResponseBody()) {
var result = JSON.parse(in);
LOG.debug("Result JSON: {}", result);
return result;
} catch (IOException ex) {
throw new AcmeNetworkException(ex);
}
}
@Override
public List readCertificates() throws AcmeException {
expectContentType(Set.of(MIME_CERTIFICATE_CHAIN));
try (var in = new TrimmingInputStream(getResponseBody())) {
var cf = CertificateFactory.getInstance("X.509");
return cf.generateCertificates(in).stream()
.map(X509Certificate.class::cast)
.toList();
} catch (IOException ex) {
throw new AcmeNetworkException(ex);
} catch (CertificateException ex) {
throw new AcmeProtocolException("Failed to read certificate", ex);
}
}
@Override
public Optional getNonce() {
var nonceHeaderOpt = getResponse().headers()
.firstValue(REPLAY_NONCE_HEADER)
.map(String::trim)
.filter(not(String::isEmpty));
if (nonceHeaderOpt.isPresent()) {
var nonceHeader = nonceHeaderOpt.get();
if (!AcmeUtils.isValidBase64Url(nonceHeader)) {
throw new AcmeProtocolException("Invalid replay nonce: " + nonceHeader);
}
LOG.debug("Replay Nonce: {}", nonceHeader);
}
return nonceHeaderOpt;
}
@Override
public URL getLocation() {
return getResponse().headers()
.firstValue(LOCATION_HEADER)
.map(l -> {
LOG.debug("Location: {}", l);
return l;
})
.map(this::resolveRelative)
.orElseThrow(() -> new AcmeProtocolException("location header is missing"));
}
@Override
public Optional getLastModified() {
return getResponse().headers()
.firstValue(LAST_MODIFIED_HEADER)
.map(lm -> {
try {
return ZonedDateTime.parse(lm, RFC_1123_DATE_TIME);
} catch (DateTimeParseException ex) {
LOG.debug("Ignored invalid Last-Modified date: {}", lm, ex);
return null;
}
});
}
@Override
public Optional getExpiration() {
var cacheControlHeader = getResponse().headers()
.firstValue(CACHE_CONTROL_HEADER)
.filter(not(h -> NO_CACHE_PATTERN.matcher(h).matches()))
.map(MAX_AGE_PATTERN::matcher)
.filter(Matcher::matches)
.map(m -> Integer.parseInt(m.group(1)))
.filter(maxAge -> maxAge != 0)
.map(maxAge -> ZonedDateTime.now(ZoneId.of("UTC")).plusSeconds(maxAge));
if (cacheControlHeader.isPresent()) {
return cacheControlHeader;
}
return getResponse().headers()
.firstValue(EXPIRES_HEADER)
.flatMap(header -> {
try {
return Optional.of(ZonedDateTime.parse(header, RFC_1123_DATE_TIME));
} catch (DateTimeParseException ex) {
LOG.debug("Ignored invalid Expires date: {}", header, ex);
return Optional.empty();
}
});
}
@Override
public Collection getLinks(String relation) {
return collectLinks(relation).stream()
.map(this::resolveRelative)
.toList();
}
@Override
public void close() {
lastResponse = null;
}
/**
* Sends a HTTP request via http client. This is the central method to be used for
* sending. It will create a {@link HttpRequest} by using the request builder,
* configure commnon headers, and then send the request via {@link HttpClient}.
*
* @param session
* {@link Session} to be used for sending
* @param url
* Target {@link URL}
* @param body
* Callback that completes the {@link HttpRequest.Builder} with the request
* body (e.g. HTTP method, request body, more headers).
*/
protected void sendRequest(Session session, URL url, Consumer body) throws IOException {
try {
var builder = httpConnector.createRequestBuilder(url)
.header(ACCEPT_CHARSET_HEADER, DEFAULT_CHARSET)
.header(ACCEPT_LANGUAGE_HEADER, session.getLanguageHeader());
if (session.networkSettings().isCompressionEnabled()) {
builder.header(ACCEPT_ENCODING_HEADER, "gzip");
}
body.accept(builder);
lastResponse = httpClient.send(builder.build(), HttpResponse.BodyHandlers.ofInputStream());
} catch (InterruptedException ex) {
throw new IOException("Request was interrupted", ex);
}
}
/**
* Sends a signed POST request.
*
* @param url
* {@link URL} to send the request to.
* @param claims
* {@link JSONBuilder} containing claims. {@code null} for POST-as-GET
* request.
* @param accept
* Accept header
* @return HTTP 200 class status that was returned
*/
protected int sendSignedRequest(URL url, @Nullable JSONBuilder claims,
Session session, String accept, RequestSigner signer)
throws AcmeException {
Objects.requireNonNull(url, "url");
Objects.requireNonNull(session, "session");
Objects.requireNonNull(accept, "accept");
Objects.requireNonNull(signer, "signer");
assertConnectionIsClosed();
var attempt = 1;
while (true) {
try {
return performRequest(url, claims, session, accept, signer);
} catch (AcmeServerException ex) {
if (!BAD_NONCE_ERROR.equals(ex.getType())) {
throw ex;
}
if (attempt == MAX_ATTEMPTS) {
throw ex;
}
LOG.info("Bad Replay Nonce, trying again (attempt {}/{})", attempt, MAX_ATTEMPTS);
attempt++;
}
}
}
/**
* Performs the POST request.
*
* @param url
* {@link URL} to send the request to.
* @param claims
* {@link JSONBuilder} containing claims. {@code null} for POST-as-GET
* request.
* @param accept
* Accept header
* @return HTTP 200 class status that was returned
*/
private int performRequest(URL url, @Nullable JSONBuilder claims, Session session,
String accept, RequestSigner signer) throws AcmeException {
try (var nonceHolder = session.lockNonce()) {
if (nonceHolder.getNonce() == null) {
resetNonce(session);
}
var jose = signer.createRequest(url, claims, nonceHolder.getNonce());
var outputData = jose.toString();
sendRequest(session, url, builder -> {
builder.POST(HttpRequest.BodyPublishers.ofString(outputData));
builder.header(ACCEPT_HEADER, accept);
builder.header(CONTENT_TYPE_HEADER, "application/jose+json");
});
logHeaders();
nonceHolder.setNonce(getNonce().orElse(null));
var rc = getResponse().statusCode();
if (rc != HTTP_OK && rc != HTTP_CREATED) {
throwAcmeException();
}
return rc;
} catch (IOException ex) {
throw new AcmeNetworkException(ex);
}
}
@Override
public Optional getRetryAfter() {
return getResponse().headers()
.firstValue(RETRY_AFTER_HEADER)
.map(this::parseRetryAfterHeader);
}
/**
* Parses the content of a Retry-After header. The header can either contain a
* relative or an absolute time.
*
* @param header
* Retry-After header
* @return Instant given in the header
* @throws AcmeProtocolException
* if the header content is invalid
*/
private Instant parseRetryAfterHeader(String header) {
// See RFC 2616 section 14.37
try {
// delta-seconds
if (DIGITS_ONLY_PATTERN.matcher(header).matches()) {
var delta = Integer.parseInt(header);
var date = getResponse().headers().firstValue(DATE_HEADER)
.map(d -> ZonedDateTime.parse(d, RFC_1123_DATE_TIME).toInstant())
.orElseGet(Instant::now);
return date.plusSeconds(delta);
}
// HTTP-date
return ZonedDateTime.parse(header, RFC_1123_DATE_TIME).toInstant();
} catch (RuntimeException ex) {
throw new AcmeProtocolException("Bad retry-after header value: " + header, ex);
}
}
/**
* Provides an {@link InputStream} of the response body. If the stream is compressed,
* it will also take care for decompression.
*/
private InputStream getResponseBody() throws IOException {
var stream = getResponse().body();
if (stream == null) {
throw new AcmeProtocolException("Unexpected empty response");
}
if (getResponse().headers().firstValue("Content-Encoding")
.filter("gzip"::equalsIgnoreCase)
.isPresent()) {
stream = new GZIPInputStream(stream);
}
return stream;
}
/**
* Throws an {@link AcmeException}. This method throws an exception that tries to
* explain the error as precisely as possible.
*/
private void throwAcmeException() throws AcmeException {
try {
if (getResponse().headers().firstValue(CONTENT_TYPE_HEADER)
.map(AcmeUtils::getContentType)
.filter(MIME_JSON_PROBLEM::equals)
.isEmpty()) {
// Generic HTTP error
throw new AcmeException("HTTP " + getResponse().statusCode());
}
var problem = new Problem(readJsonResponse(), getResponse().request().uri().toURL());
var error = AcmeUtils.stripErrorPrefix(problem.getType().toString());
if ("unauthorized".equals(error)) {
throw new AcmeUnauthorizedException(problem);
}
if ("userActionRequired".equals(error)) {
var tos = collectLinks("terms-of-service").stream()
.findFirst()
.map(this::resolveUri)
.orElse(null);
throw new AcmeUserActionRequiredException(problem, tos);
}
if ("rateLimited".equals(error)) {
var retryAfter = getRetryAfter();
var rateLimits = getLinks("help");
throw new AcmeRateLimitedException(problem, retryAfter.orElse(null), rateLimits);
}
throw new AcmeServerException(problem);
} catch (IOException ex) {
throw new AcmeNetworkException(ex);
}
}
/**
* Checks if the returned content type is in the list of expected types.
*
* @param expectedTypes
* content types that are accepted
* @throws AcmeProtocolException
* if the returned content type is different
*/
private void expectContentType(Set expectedTypes) {
var contentType = getResponse().headers()
.firstValue(CONTENT_TYPE_HEADER)
.map(AcmeUtils::getContentType)
.orElseThrow(() -> new AcmeProtocolException("No content type header found"));
if (!expectedTypes.contains(contentType)) {
throw new AcmeProtocolException("Unexpected content type: " + contentType);
}
}
/**
* Returns the response of the last request. If there is no connection currently
* open, an exception is thrown instead.
*
* Note that the response provides an {@link InputStream} that can be read only
* once.
*/
private HttpResponse getResponse() {
if (lastResponse == null) {
throw new IllegalStateException("Not connected.");
}
return lastResponse;
}
/**
* Asserts that the connection is currently closed. Throws an exception if not.
*/
private void assertConnectionIsClosed() {
if (lastResponse != null) {
throw new IllegalStateException("Previous connection is not closed.");
}
}
/**
* Log all HTTP headers in debug mode.
*/
private void logHeaders() {
if (!LOG.isDebugEnabled()) {
return;
}
getResponse().headers().map().forEach((key, headers) ->
headers.forEach(value ->
LOG.debug("HEADER {}: {}", key, value)
)
);
}
/**
* Collects links of the given relation.
*
* @param relation
* Link relation
* @return Collection of links, unconverted
*/
private Collection collectLinks(String relation) {
var p = Pattern.compile("<([^>]+)>\\s*;[^<]*?\\brel=\"?" + Pattern.quote(relation) + "\"?(?:[\\s,;]|$)");
return getResponse().headers().allValues(LINK_HEADER)
.stream()
.map(p::matcher)
.flatMap(Matcher::results)
.map(m -> m.group(1))
.peek(location -> LOG.debug("Link: {} -> {}", relation, location))
.toList();
}
/**
* Resolves a relative link against the connection's last URL.
*
* @param link
* Link to resolve. Absolute links are just converted to an URL.
* @return Absolute URL of the given link
*/
private URL resolveRelative(String link) {
try {
return resolveUri(link).toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException("Cannot resolve relative link: " + link, ex);
}
}
/**
* Resolves a relative URI against the connection's last URL.
*
* @param uri
* URI to resolve
* @return Absolute URI of the given link
*/
private URI resolveUri(String uri) {
return getResponse().request().uri().resolve(uri);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/HttpConnector.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.util.Properties;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.slf4j.LoggerFactory;
/**
* A generic HTTP connector. It creates {@link HttpRequest.Builder} that can be
* individually customized according to the user's needs.
*
* @since 3.0.0
*/
public class HttpConnector {
private static final String USER_AGENT;
private final NetworkSettings networkSettings;
private final HttpClient httpClient;
static {
var agent = new StringBuilder("acme4j");
try (var in = HttpConnector.class.getResourceAsStream("/org/shredzone/acme4j/version.properties")) {
var prop = new Properties();
prop.load(in);
agent.append('/').append(prop.getProperty("version"));
} catch (Exception ex) {
// Ignore, just don't use a version
LoggerFactory.getLogger(HttpConnector.class).warn("Could not read library version", ex);
}
agent.append(" Java/").append(System.getProperty("java.version"));
USER_AGENT = agent.toString();
}
/**
* Returns the default User-Agent to be used.
*
* @return User-Agent
*/
public static String defaultUserAgent() {
return USER_AGENT;
}
/**
* Creates a new {@link HttpConnector} that is using the given
* {@link NetworkSettings} and {@link HttpClient}.
*
* @param networkSettings Network settings to use
* @param httpClient HTTP client to use for requests
* @since 4.0.0
*/
@SuppressFBWarnings("EI_EXPOSE_REP2") // behavior is intended
public HttpConnector(NetworkSettings networkSettings, HttpClient httpClient) {
this.networkSettings = networkSettings;
this.httpClient = httpClient;
}
/**
* Creates a new {@link HttpRequest.Builder} that is preconfigured and bound to the
* given URL. Subclasses can override this method to extend the configuration, or
* create a different builder.
*
* @param url
* {@link URL} to connect to
* @return {@link HttpRequest.Builder} connected to the {@link URL}
*/
public HttpRequest.Builder createRequestBuilder(URL url) {
try {
return HttpRequest.newBuilder(url.toURI())
.header("User-Agent", USER_AGENT)
.timeout(networkSettings.getTimeout());
} catch (URISyntaxException ex) {
throw new IllegalArgumentException("Invalid URL", ex);
}
}
/**
* Returns the {@link HttpClient} instance used by this connector.
*
* @return {@link HttpClient} instance
* @since 4.0.0
*/
public HttpClient getHttpClient() {
return httpClient;
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/NetworkSettings.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2019 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import java.net.Authenticator;
import java.net.ProxySelector;
import java.net.http.HttpClient;
import java.time.Duration;
import java.util.Optional;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.slf4j.LoggerFactory;
/**
* Contains network settings to be used for network connections.
*
* @since 2.8
*/
public class NetworkSettings {
/**
* Name of the system property to control GZIP compression. Expects a boolean value.
*/
public static final String GZIP_PROPERTY_NAME = "org.shredzone.acme4j.gzip_compression";
private ProxySelector proxySelector = HttpClient.Builder.NO_PROXY;
private Duration timeout = Duration.ofSeconds(30);
private @Nullable Authenticator authenticator = null;
private boolean compression = true;
public NetworkSettings() {
try {
Optional.ofNullable(System.getProperty(GZIP_PROPERTY_NAME))
.map(Boolean::parseBoolean)
.ifPresent(val -> compression = val);
} catch (Exception ex) {
// Ignore a broken property name or a SecurityException
LoggerFactory.getLogger(NetworkSettings.class)
.warn("Could not read system property: {}", GZIP_PROPERTY_NAME, ex);
}
}
/**
* Gets the {@link ProxySelector} to be used for connections.
*
* @since 3.0.0
*/
public ProxySelector getProxySelector() {
return proxySelector;
}
/**
* Sets a {@link ProxySelector} that is to be used for all connections. If
* {@code null}, {@link HttpClient.Builder#NO_PROXY} is used, which is also the
* default.
*
* @since 3.0.0
*/
public void setProxySelector(@Nullable ProxySelector proxySelector) {
this.proxySelector = proxySelector != null ? proxySelector : HttpClient.Builder.NO_PROXY;
}
/**
* Gets the {@link Authenticator} to be used, or {@code null} if none is to be set.
*
* @since 3.0.0
*/
public @Nullable Authenticator getAuthenticator() {
return authenticator;
}
/**
* Sets an {@link Authenticator} to be used if HTTP authentication is needed (e.g.
* by a proxy). {@code null} means that no authenticator shall be set.
*
* @since 3.0.0
*/
public void setAuthenticator(@Nullable Authenticator authenticator) {
this.authenticator = authenticator;
}
/**
* Gets the current network timeout.
*/
public Duration getTimeout() {
return timeout;
}
/**
* Sets the network timeout to be used for connections. Defaults to 10 seconds.
*
* @param timeout
* Network timeout {@link Duration}
*/
public void setTimeout(Duration timeout) {
if (timeout == null || timeout.isNegative() || timeout.isZero()) {
throw new IllegalArgumentException("Timeout must be positive");
}
this.timeout = timeout;
}
/**
* Checks if HTTP compression is enabled.
*
* @since 3.0.0
*/
public boolean isCompressionEnabled() {
return compression;
}
/**
* Sets if HTTP compression is enabled. It is enabled by default, but can be
* disabled e.g. for debugging purposes.
*
* acme4j gzip compression can also be controlled via the {@value #GZIP_PROPERTY_NAME}
* system property.
*
* @since 3.0.0
*/
public void setCompressionEnabled(boolean compression) {
this.compression = compression;
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/NonceHolder.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2026 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import edu.umd.cs.findbugs.annotations.Nullable;
/**
* Keeps the current nonce for a request. Make sure that the {@link #close()} method is
* always invoked, otherwise the related {@link org.shredzone.acme4j.Session} will be
* blocked.
*
* This object is for internal use only.
*
* @since 4.0.0
*/
public interface NonceHolder extends AutoCloseable {
/**
* Gets the last base64 encoded nonce, or {@code null} if the session is new.
*/
@Nullable
String getNonce();
/**
* Sets the base64 encoded nonce received by the server.
*/
void setNonce(@Nullable String nonce);
/**
* Closes the NonceHolder. Must be invoked!
*/
void close();
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/RequestSigner.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2026 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import java.net.URL;
import java.security.KeyPair;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.toolbox.JSONBuilder;
/**
* Function for assembling and signing an ACME JOSE request.
*
* @since 5.0.0
*/
@FunctionalInterface
public interface RequestSigner {
/**
* Creates an ACME JOSE request.
*
* Implementors can use
* {@link org.shredzone.acme4j.toolbox.JoseUtils#createJoseRequest(URL, KeyPair,
* JSONBuilder, String, String)} without giving the signing {@link KeyPair} out of
* their control.
*
* @param url
* {@link URL} of the ACME call
* @param payload
* ACME JSON payload. If {@code null}, a POST-as-GET request is generated
* instead.
* @param nonce
* Nonce to be used. {@code null} if no nonce is to be used in the JOSE
* header.
* @return JSON structure of the JOSE request, ready to be sent.
* @see org.shredzone.acme4j.toolbox.JoseUtils#createJoseRequest(URL, KeyPair,
* JSONBuilder, String, String)
*/
JSONBuilder createRequest(URL url, @Nullable JSONBuilder payload, @Nullable String nonce);
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/Resource.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
/**
* Enumeration of standard resources, and their key name in the CA's directory.
*/
public enum Resource {
NEW_NONCE("newNonce"),
NEW_ACCOUNT("newAccount"),
NEW_ORDER("newOrder"),
NEW_AUTHZ("newAuthz"),
REVOKE_CERT("revokeCert"),
KEY_CHANGE("keyChange"),
RENEWAL_INFO("renewalInfo");
private final String path;
Resource(String path) {
this.path = path;
}
/**
* Returns the key name in the directory.
*
* @return key name
*/
public String path() {
return path;
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/ResourceIterator.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import static java.util.Objects.requireNonNull;
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;
import java.util.NoSuchElementException;
import java.util.function.BiFunction;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.AcmeResource;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.JSON;
/**
* An {@link Iterator} that fetches a batch of URLs from the ACME server, and generates
* {@link AcmeResource} instances.
*
* @param
* {@link AcmeResource} type to iterate over
*/
public class ResourceIterator implements Iterator {
private final Login login;
private final String field;
private final Deque urlList = new ArrayDeque<>();
private final BiFunction creator;
private boolean eol = false;
private @Nullable URL nextUrl;
/**
* Creates a new {@link ResourceIterator}.
*
* @param login
* {@link Login} to bind this iterator to
* @param field
* Field name to be used in the JSON response
* @param start
* URL of the first JSON array, may be {@code null} for an empty iterator
* @param creator
* Creator for an {@link AcmeResource} that is bound to the given
* {@link Login} and {@link URL}.
*/
public ResourceIterator(Login login, String field, @Nullable URL start, BiFunction creator) {
this.login = requireNonNull(login, "login");
this.field = requireNonNull(field, "field");
this.nextUrl = start;
this.creator = requireNonNull(creator, "creator");
}
/**
* Checks if there is another object in the result.
*
* @throws AcmeProtocolException
* if the next batch of URLs could not be fetched from the server
*/
@Override
public boolean hasNext() {
if (eol) {
return false;
}
if (urlList.isEmpty()) {
fetch();
}
if (urlList.isEmpty()) {
eol = true;
}
return !urlList.isEmpty();
}
/**
* Returns the next object of the result.
*
* @throws AcmeProtocolException
* if the next batch of URLs could not be fetched from the server
* @throws NoSuchElementException
* if there are no more entries
*/
@Override
public T next() {
if (!eol && urlList.isEmpty()) {
fetch();
}
var next = urlList.poll();
if (next == null) {
eol = true;
throw new NoSuchElementException("no more " + field);
}
return creator.apply(login, next);
}
/**
* Unsupported operation, only here to satisfy the {@link Iterator} interface.
*/
@Override
public void remove() {
throw new UnsupportedOperationException("cannot remove " + field);
}
/**
* Fetches the next batch of URLs. Handles exceptions. Does nothing if there is no
* URL of the next batch.
*/
private void fetch() {
if (nextUrl == null) {
return;
}
try {
readAndQueue();
} catch (AcmeException ex) {
throw new AcmeProtocolException("failed to read next set of " + field, ex);
}
}
/**
* Reads the next batch of URLs from the server, and fills the queue with the URLs. If
* there is a "next" header, it is used for the next batch of URLs.
*/
private void readAndQueue() throws AcmeException {
var session = login.getSession();
try (var conn = session.connect()) {
conn.sendSignedPostAsGetRequest(requireNonNull(nextUrl), login);
fillUrlList(conn.readJsonResponse());
nextUrl = conn.getLinks("next").stream().findFirst().orElse(null);
}
}
/**
* Fills the url list with the URLs found in the desired field.
*
* @param json
* JSON map to read from
*/
private void fillUrlList(JSON json) {
json.get(field).asArray().stream()
.map(JSON.Value::asURL)
.forEach(urlList::add);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/TrimmingInputStream.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2018 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.connector;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
/**
* Normalizes line separators in an InputStream. Converts all line separators to '\n'.
* Multiple line separators are compressed to a single line separator. Leading line
* separators are removed. Trailing line separators are compressed to a single separator.
*/
public class TrimmingInputStream extends InputStream {
private final BufferedInputStream in;
private boolean startOfFile = true;
/**
* Creates a new {@link TrimmingInputStream}.
*
* @param in
* {@link InputStream} to read from. Will be closed when this stream is
* closed.
*/
public TrimmingInputStream(InputStream in) {
this.in = new BufferedInputStream(in, 1024);
}
@Override
public int read() throws IOException {
var ch = in.read();
if (!isLineSeparator(ch)) {
startOfFile = false;
return ch;
}
in.mark(1);
ch = in.read();
while (isLineSeparator(ch)) {
in.mark(1);
ch = in.read();
}
if (startOfFile) {
startOfFile = false;
return ch;
} else {
in.reset();
return '\n';
}
}
@Override
public int available() throws IOException {
// Workaround for https://github.com/google/conscrypt/issues/1068. Conscrypt
// requires the stream to have at least one non-blocking byte available for
// reading, otherwise generateCertificates() will not read the stream, but
// immediately returns an empty list. This workaround pre-fills the buffer
// of the BufferedInputStream by reading 1 byte ahead.
if (in.available() == 0) {
in.mark(1);
var read = in.read();
in.reset();
if (read < 0) {
return 0;
}
}
return in.available();
}
@Override
public void close() throws IOException {
in.close();
super.close();
}
/**
* Checks if the character is a line separator.
*/
private static boolean isLineSeparator(int ch) {
return ch == '\n' || ch == '\r';
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/connector/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains internal classes for connection to the CA, and for handling the
* requests and responses.
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.connector;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.Serial;
/**
* The root class of all checked acme4j exceptions.
*/
public class AcmeException extends Exception {
@Serial
private static final long serialVersionUID = -2935088954705632025L;
/**
* Creates a generic {@link AcmeException}.
*/
public AcmeException() {
super();
}
/**
* Creates a generic {@link AcmeException}.
*
* @param msg
* Description
*/
public AcmeException(String msg) {
super(msg);
}
/**
* Creates a generic {@link AcmeException}.
*
* @param msg
* Description
* @param cause
* {@link Throwable} that caused this exception
*/
public AcmeException(String msg, Throwable cause) {
super(msg, cause);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeLazyLoadingException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import static java.util.Objects.requireNonNull;
import java.io.Serial;
import java.net.URL;
import org.shredzone.acme4j.AcmeResource;
/**
* A runtime exception that is thrown when an {@link AcmeException} occured while trying
* to lazy-load a resource from the ACME server. It contains the original cause of the
* exception and a reference to the resource that could not be lazy-loaded. It is usually
* thrown by getter methods, so the API is not polluted with checked exceptions.
*/
public class AcmeLazyLoadingException extends RuntimeException {
@Serial
private static final long serialVersionUID = 1000353433913721901L;
private final Class type;
private final URL location;
/**
* Creates a new {@link AcmeLazyLoadingException}.
*
* @param resource
* {@link AcmeResource} to be loaded
* @param cause
* {@link AcmeException} that was raised
*/
public AcmeLazyLoadingException(AcmeResource resource, AcmeException cause) {
this(requireNonNull(resource).getClass(), requireNonNull(resource).getLocation(), cause);
}
/**
* Creates a new {@link AcmeLazyLoadingException}.
*
* This constructor is used if there is no actual instance of the resource.
*
* @param type
* {@link AcmeResource} type to be loaded
* @param location
* Resource location
* @param cause
* {@link AcmeException} that was raised
* @since 2.8
*/
public AcmeLazyLoadingException(Class type, URL location, AcmeException cause) {
super(requireNonNull(type).getSimpleName() + " " + requireNonNull(location), requireNonNull(cause));
this.type = type;
this.location = location;
}
/**
* Returns the {@link AcmeResource} type of the resource that could not be loaded.
*/
public Class getType() {
return type;
}
/**
* Returns the location of the resource that could not be loaded.
*/
public URL getLocation() {
return location;
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeNetworkException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.IOException;
import java.io.Serial;
/**
* A general network error has occured while communicating with the server (e.g. network
* timeout).
*/
public class AcmeNetworkException extends AcmeException {
@Serial
private static final long serialVersionUID = 2054398693543329179L;
/**
* Create a new {@link AcmeNetworkException}.
*
* @param cause
* {@link IOException} that caused the network error
*/
public AcmeNetworkException(IOException cause) {
super("Network error", cause);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeNotSupportedException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2023 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.Serial;
/**
* A runtime exception that is thrown if the ACME server does not support a certain
* feature. It might be either because that feature is optional, or because the server
* is not fully RFC compliant.
*/
public class AcmeNotSupportedException extends AcmeProtocolException {
@Serial
private static final long serialVersionUID = 3434074002226584731L;
/**
* Creates a new {@link AcmeNotSupportedException}.
*
* @param feature
* Feature that is not supported
*/
public AcmeNotSupportedException(String feature) {
super("Server does not support " + feature);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeProtocolException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.Serial;
/**
* A runtime exception that is thrown when the response of the server is violating the
* RFC, and could not be handled or parsed for that reason. It is an indicator that the CA
* does not fully comply with the RFC, and is usually not expected to be thrown.
*/
public class AcmeProtocolException extends RuntimeException {
@Serial
private static final long serialVersionUID = 2031203835755725193L;
/**
* Creates a new {@link AcmeProtocolException}.
*
* @param msg
* Reason of the exception
*/
public AcmeProtocolException(String msg) {
super(msg);
}
/**
* Creates a new {@link AcmeProtocolException}.
*
* @param msg
* Reason of the exception
* @param cause
* Cause
*/
public AcmeProtocolException(String msg, Throwable cause) {
super(msg, cause);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeRateLimitedException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.Serial;
import java.net.URL;
import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.Optional;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.Problem;
/**
* A rate limit was exceeded. If provided by the server, it also includes the earliest
* time at which a new attempt will be accepted, and a reference to a document that
* further explains the rate limit that was exceeded.
*/
public class AcmeRateLimitedException extends AcmeServerException {
@Serial
private static final long serialVersionUID = 4150484059796413069L;
private final @Nullable Instant retryAfter;
private final Collection documents;
/**
* Creates a new {@link AcmeRateLimitedException}.
*
* @param problem
* {@link Problem} that caused the exception
* @param retryAfter
* The instant of time that the request is expected to succeed again, may be
* {@code null} if not known
* @param documents
* URLs pointing to documents about the rate limit that was hit, may be
* {@code null} if not known
*/
public AcmeRateLimitedException(Problem problem, @Nullable Instant retryAfter,
@Nullable Collection documents) {
super(problem);
this.retryAfter = retryAfter;
this.documents = documents != null ? documents : Collections.emptyList();
}
/**
* Returns the instant of time the request is expected to succeed again. Empty
* if this moment is not known.
*/
public Optional getRetryAfter() {
return Optional.ofNullable(retryAfter);
}
/**
* Collection of URLs pointing to documents about the rate limit that was hit.
* Empty if the server did not provide such URLs.
*/
public Collection getDocuments() {
return Collections.unmodifiableCollection(documents);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeServerException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.Serial;
import java.net.URI;
import java.util.Objects;
import org.shredzone.acme4j.Problem;
/**
* The ACME server returned an error. The exception contains a {@link Problem} document
* containing the exact cause of the error.
*
* For some special cases, subclasses of this exception are thrown, so they can be handled
* individually.
*/
public class AcmeServerException extends AcmeException {
@Serial
private static final long serialVersionUID = 5971622508467042792L;
private final Problem problem;
/**
* Creates a new {@link AcmeServerException}.
*
* @param problem
* {@link Problem} that caused the exception
*/
public AcmeServerException(Problem problem) {
super(Objects.requireNonNull(problem).toString());
this.problem = problem;
}
/**
* Returns the error type.
*/
public URI getType() {
return problem.getType();
}
/**
* Returns the {@link Problem} that caused the exception
*/
public Problem getProblem() {
return problem;
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeUnauthorizedException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.Serial;
import org.shredzone.acme4j.Problem;
/**
* The client is not authorized to perform the operation. The {@link Problem} document
* will give further details (e.g. "client IP is blocked").
*/
public class AcmeUnauthorizedException extends AcmeServerException {
@Serial
private static final long serialVersionUID = 9064697508262919366L;
/**
* Creates a new {@link AcmeUnauthorizedException}.
*
* @param problem
* {@link Problem} that caused the exception
*/
public AcmeUnauthorizedException(Problem problem) {
super(problem);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/AcmeUserActionRequiredException.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.exception;
import java.io.Serial;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.Optional;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.Problem;
/**
* The user is required to take manual action as indicated.
*
* Usually this exception is thrown when the terms of service have changed, and the CA
* requires an agreement to the new terms before proceeding.
*/
public class AcmeUserActionRequiredException extends AcmeServerException {
@Serial
private static final long serialVersionUID = 7719055447283858352L;
private final @Nullable URI tosUri;
/**
* Creates a new {@link AcmeUserActionRequiredException}.
*
* @param problem
* {@link Problem} that caused the exception
* @param tosUri
* {@link URI} of the terms-of-service document to accept, may be
* {@code null}
*/
public AcmeUserActionRequiredException(Problem problem, @Nullable URI tosUri) {
super(problem);
this.tosUri = tosUri;
}
/**
* Returns the {@link URI} of the terms-of-service document to accept. Empty
* if the server did not provide a link to such a document.
*/
public Optional getTermsOfServiceUri() {
return Optional.ofNullable(tosUri);
}
/**
* Returns the {@link URL} of a document that gives instructions on the actions to be
* taken by a human.
*/
public URL getInstance() {
var instance = getProblem().getInstance()
.orElseThrow(() -> new AcmeProtocolException("Instance URL required, but missing."));
try {
return instance.toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException("Bad instance URL: " + instance, ex);
}
}
@Override
public String toString() {
return getProblem().getInstance()
.map(uri -> "Please visit " + uri + " - details: " + getProblem())
.orElseGet(super::toString);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/exception/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains all exceptions that can be thrown by acme4j.
*
* {@link org.shredzone.acme4j.exception.AcmeException} is the root exception, and other
* exceptions are derived from it.
*
* Some methods that do lazy-loading of remote resources may throw a runtime
* {@link org.shredzone.acme4j.exception.AcmeLazyLoadingException} instead, so the API is
* not polluted with checked exceptions on every getter.
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.exception;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* acme4j is a Java client for the ACME protocol.
*
* See the documentation and the example for how to use this client in your own projects.
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/AbstractAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider;
import java.net.URI;
import java.net.http.HttpClient;
import java.time.ZonedDateTime;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.ServiceLoader;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.challenge.Dns01Challenge;
import org.shredzone.acme4j.challenge.DnsAccount01Challenge;
import org.shredzone.acme4j.challenge.DnsPersist01Challenge;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.challenge.TlsAlpn01Challenge;
import org.shredzone.acme4j.challenge.TokenChallenge;
import org.shredzone.acme4j.connector.Connection;
import org.shredzone.acme4j.connector.DefaultConnection;
import org.shredzone.acme4j.connector.HttpConnector;
import org.shredzone.acme4j.connector.NetworkSettings;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.toolbox.JSON;
/**
* Abstract implementation of {@link AcmeProvider}. It consists of a challenge
* registry and a standard {@link HttpConnector}.
*
* Implementing classes must implement at least {@link AcmeProvider#accepts(URI)}
* and {@link AbstractAcmeProvider#resolve(URI)}.
*/
public abstract class AbstractAcmeProvider implements AcmeProvider {
private static final int HTTP_NOT_MODIFIED = 304;
private static final Map CHALLENGES = challengeMap();
@Override
public Connection connect(URI serverUri, NetworkSettings networkSettings, HttpClient httpClient) {
return new DefaultConnection(createHttpConnector(networkSettings, httpClient));
}
@Override
public JSON directory(Session session, URI serverUri) throws AcmeException {
var expires = session.getDirectoryExpires();
if (expires != null && expires.isAfter(ZonedDateTime.now())) {
// The cached directory is still valid
return null;
}
try (var nonceHolder = session.lockNonce();
var conn = connect(serverUri, session.networkSettings(), session.getHttpClient())) {
var lastModified = session.getDirectoryLastModified();
var rc = conn.sendRequest(resolve(serverUri), session, lastModified);
if (lastModified != null && rc == HTTP_NOT_MODIFIED) {
// The server has not been modified since
return null;
}
// evaluate caching headers
session.setDirectoryLastModified(conn.getLastModified().orElse(null));
session.setDirectoryExpires(conn.getExpiration().orElse(null));
// use nonce header if there is one, saves a HEAD request...
conn.getNonce().ifPresent(nonceHolder::setNonce);
return conn.readJsonResponse();
}
}
private static Map challengeMap() {
var map = new HashMap();
map.put(Dns01Challenge.TYPE, Dns01Challenge::new);
map.put(DnsAccount01Challenge.TYPE, DnsAccount01Challenge::new);
map.put(DnsPersist01Challenge.TYPE, DnsPersist01Challenge::new);
map.put(Http01Challenge.TYPE, Http01Challenge::new);
map.put(TlsAlpn01Challenge.TYPE, TlsAlpn01Challenge::new);
for (var provider : ServiceLoader.load(ChallengeProvider.class)) {
var typeAnno = provider.getClass().getAnnotation(ChallengeType.class);
if (typeAnno == null) {
throw new IllegalStateException("ChallengeProvider "
+ provider.getClass().getName()
+ " has no @ChallengeType annotation");
}
var type = typeAnno.value();
if (type == null || type.trim().isEmpty()) {
throw new IllegalStateException("ChallengeProvider "
+ provider.getClass().getName()
+ ": type must not be null or empty");
}
if (map.containsKey(type)) {
throw new IllegalStateException("ChallengeProvider "
+ provider.getClass().getName()
+ ": there is already a provider for challenge type "
+ type);
}
map.put(type, provider);
}
return Collections.unmodifiableMap(map);
}
/**
* {@inheritDoc}
*
* This implementation handles the standard challenge types. For unknown types,
* generic {@link Challenge} or {@link TokenChallenge} instances are created.
*
* Custom provider implementations may override this method to provide challenges that
* are proprietary to the provider.
*/
@Override
public Challenge createChallenge(Login login, JSON data) {
Objects.requireNonNull(login, "login");
Objects.requireNonNull(data, "data");
var type = data.get("type").asString();
var constructor = CHALLENGES.get(type);
if (constructor != null) {
return constructor.create(login, data);
}
if (data.contains("token")) {
return new TokenChallenge(login, data);
} else {
return new Challenge(login, data);
}
}
/**
* Creates a {@link HttpConnector} with the given {@link NetworkSettings} and
* {@link HttpClient}.
*
* Subclasses may override this method to configure the {@link HttpConnector}.
*
* @param settings The network settings to use
* @param httpClient The HTTP client to use
* @return A new {@link HttpConnector} instance
* @since 4.0.0
*/
protected HttpConnector createHttpConnector(NetworkSettings settings, HttpClient httpClient) {
return new HttpConnector(settings, httpClient);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/AcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider;
import java.net.URI;
import java.net.URL;
import java.net.http.HttpClient;
import java.util.Optional;
import java.util.ServiceLoader;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.connector.Connection;
import org.shredzone.acme4j.connector.NetworkSettings;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.toolbox.JSON;
/**
* An {@link AcmeProvider} provides methods to be used for communicating with the ACME
* server. Implementations handle individual features of each ACME server.
*
* Provider implementations must be registered with Java's {@link ServiceLoader}.
*/
public interface AcmeProvider {
/**
* Checks if this provider accepts the given server URI.
*
* @param serverUri
* Server URI to test
* @return {@code true} if this provider accepts the server URI, {@code false}
* otherwise
*/
boolean accepts(URI serverUri);
/**
* Resolves the server URI and returns the matching directory URL.
*
* @param serverUri
* Server {@link URI}
* @return Resolved directory {@link URL}
* @throws IllegalArgumentException
* if the server {@link URI} is not accepted
*/
URL resolve(URI serverUri);
/**
* Creates an {@link HttpClient} instance configured with the given network settings.
*
* The default implementation creates a standard HttpClient with the network settings.
* Subclasses can override this method to create a customized HttpClient, for example
* to configure SSL context or other provider-specific requirements.
*
* @param networkSettings The network settings to use
* @return {@link HttpClient} instance
* @since 4.0.0
*/
default HttpClient createHttpClient(NetworkSettings networkSettings) {
var builder = HttpClient.newBuilder()
.followRedirects(HttpClient.Redirect.NORMAL)
.connectTimeout(networkSettings.getTimeout())
.proxy(networkSettings.getProxySelector());
if (networkSettings.getAuthenticator() != null) {
builder.authenticator(networkSettings.getAuthenticator());
}
return builder.build();
}
/**
* Creates a {@link Connection} for communication with the ACME server.
*
* @param serverUri
* Server {@link URI}
* @param networkSettings
* {@link NetworkSettings} to be used for the connection
* @param httpClient
* {@link HttpClient} to be used for HTTP requests
* @return {@link Connection} that was generated
* @since 4.0.0
*/
Connection connect(URI serverUri, NetworkSettings networkSettings, HttpClient httpClient);
/**
* Returns the provider's directory. The structure must contain resource URLs, and may
* optionally contain metadata.
*
* The default implementation resolves the server URI and fetches the directory via
* HTTP request. Subclasses may override this method, e.g. if the directory is static.
*
* @param session
* {@link Session} to be used
* @param serverUri
* Server {@link URI}
* @return Directory data, as JSON object, or {@code null} if the directory has not
* been changed since the last request.
*/
@Nullable
JSON directory(Session session, URI serverUri) throws AcmeException;
/**
* Creates a {@link Challenge} instance for the given challenge data.
*
* @param login
* {@link Login} to bind the challenge to
* @param data
* Challenge {@link JSON} data
* @return {@link Challenge} instance, or {@code null} if this provider is unable to
* generate a matching {@link Challenge} instance.
*/
@Nullable
Challenge createChallenge(Login login, JSON data);
/**
* Returns a proposal for the EAB MAC algorithm to be used. Only set if the CA
* requires External Account Binding and the MAC algorithm cannot be correctly derived
* from the MAC key. Empty otherwise.
*
* @return Proposed MAC algorithm to be used for EAB, or empty for the default
* behavior.
* @since 3.5.0
*/
default Optional getProposedEabMacAlgorithm() {
return Optional.empty();
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/ChallengeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2021 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.toolbox.JSON;
/**
* A provider that creates a Challenge from a matching JSON.
*
* @since 2.12
*/
@FunctionalInterface
public interface ChallengeProvider {
/**
* Creates a Challenge.
*
* @param login
* {@link Login} of the user's account
* @param data
* {@link JSON} of the challenge as sent by the CA
* @return Created and initialized {@link Challenge}. It must match the JSON type.
*/
Challenge create(Login login, JSON data);
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/ChallengeType.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2021 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
* Annotates the challenge type that is generated by the {@link ChallengeProvider}.
*
* @since 2.12
*/
@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
public @interface ChallengeType {
/**
* Challenge type.
*/
String value();
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/GenericAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
/**
* A generic {@link AcmeProvider}. It should be working for all ACME servers complying to
* the ACME specifications.
*
* The {@code serverUri} is either a http or https URI to the server's directory service.
*/
public class GenericAcmeProvider extends AbstractAcmeProvider {
@Override
public boolean accepts(URI serverUri) {
return "http".equals(serverUri.getScheme())
|| "https".equals(serverUri.getScheme());
}
@Override
public URL resolve(URI serverUri) {
try {
return serverUri.toURL();
} catch (MalformedURLException ex) {
throw new IllegalArgumentException("Bad generic server URI", ex);
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/actalis/ActalisAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2025 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider.actalis;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.Map;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.provider.AbstractAcmeProvider;
import org.shredzone.acme4j.provider.AcmeProvider;
import org.shredzone.acme4j.toolbox.JSON;
/**
* An {@link AcmeProvider} for Actalis.
*
* The {@code serverUri} is {@code "acme://actalis.com"} for the production server.
*
* If you want to use Actalis, always prefer to use this provider.
*
* @see Actalis S.p.A.
* @since 4.0.0
*/
public class ActalisAcmeProvider extends AbstractAcmeProvider {
private static final String PRODUCTION_DIRECTORY_URL = "https://acme-api.actalis.com/acme/directory";
@Override
public boolean accepts(URI serverUri) {
return "acme".equals(serverUri.getScheme())
&& "actalis.com".equals(serverUri.getHost());
}
@Override
public URL resolve(URI serverUri) {
var path = serverUri.getPath();
String directoryUrl;
if (path == null || path.isEmpty() || "/".equals(path)) {
directoryUrl = PRODUCTION_DIRECTORY_URL;
} else {
throw new IllegalArgumentException("Unknown URI " + serverUri);
}
try {
return URI.create(directoryUrl).toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException(directoryUrl, ex);
}
}
@Override
@SuppressWarnings("unchecked")
public JSON directory(Session session, URI serverUri) throws AcmeException {
// This is a workaround as actalis.com uses "home" instead of "website" to
// refer to its homepage in the metadata.
var superdirectory = super.directory(session, serverUri);
if (superdirectory == null) {
return null;
}
var directory = superdirectory.toMap();
var meta = directory.get("meta");
if (meta instanceof Map) {
var metaMap = ((Map) meta);
if (metaMap.containsKey("home") && !metaMap.containsKey("website")) {
metaMap.put("website", metaMap.remove("home"));
}
}
return JSON.fromMap(directory);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/actalis/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2025 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains an {@link org.shredzone.acme4j.provider.AcmeProvider} for the
* Actalis server.
*
* @see Actalis S.p.A.
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.provider.actalis;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/google/GoogleAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2024 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider.google;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.Optional;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.provider.AbstractAcmeProvider;
import org.shredzone.acme4j.provider.AcmeProvider;
/**
* An {@link AcmeProvider} for the Google Trust Services.
*
* The {@code serverUri} is {@code "acme://pki.goog"} for the production server,
* and {@code "acme://pki.goog/staging"} for the staging server.
*
* @see https://pki.goog/
* @since 3.5.0
*/
public class GoogleAcmeProvider extends AbstractAcmeProvider {
private static final String PRODUCTION_DIRECTORY_URL = "https://dv.acme-v02.api.pki.goog/directory";
private static final String STAGING_DIRECTORY_URL = "https://dv.acme-v02.test-api.pki.goog/directory";
@Override
public boolean accepts(URI serverUri) {
return "acme".equals(serverUri.getScheme())
&& "pki.goog".equals(serverUri.getHost());
}
@Override
public URL resolve(URI serverUri) {
var path = serverUri.getPath();
String directoryUrl;
if (path == null || path.isEmpty() || "/".equals(path)) {
directoryUrl = PRODUCTION_DIRECTORY_URL;
} else if ("/staging".equals(path)) {
directoryUrl = STAGING_DIRECTORY_URL;
} else {
throw new IllegalArgumentException("Unknown URI " + serverUri);
}
try {
return URI.create(directoryUrl).toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException(directoryUrl, ex);
}
}
@Override
public Optional getProposedEabMacAlgorithm() {
return Optional.of(AlgorithmIdentifiers.HMAC_SHA256);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/google/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2024 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains the {@link org.shredzone.acme4j.provider.AcmeProvider} for the
* Google Trust Services.
*
* @see https://pki.goog/
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.provider.google;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/LetsEncryptAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2015 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider.letsencrypt;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.provider.AbstractAcmeProvider;
import org.shredzone.acme4j.provider.AcmeProvider;
/**
* An {@link AcmeProvider} for Let's Encrypt.
*
* The {@code serverUri} is {@code "acme://letsencrypt.org"} for the production server,
* and {@code "acme://letsencrypt.org/staging"} for a testing server.
*
* If you want to use Let's Encrypt, always prefer to use this provider.
*
* @see Let's Encrypt
*/
public class LetsEncryptAcmeProvider extends AbstractAcmeProvider {
private static final String V02_DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory";
private static final String STAGING_DIRECTORY_URL = "https://acme-staging-v02.api.letsencrypt.org/directory";
@Override
public boolean accepts(URI serverUri) {
return "acme".equals(serverUri.getScheme())
&& "letsencrypt.org".equals(serverUri.getHost());
}
@Override
public URL resolve(URI serverUri) {
var path = serverUri.getPath();
String directoryUrl;
if (path == null || path.isEmpty() || "/".equals(path) || "/v02".equals(path)) {
directoryUrl = V02_DIRECTORY_URL;
} else if ("/staging".equals(path)) {
directoryUrl = STAGING_DIRECTORY_URL;
} else {
throw new IllegalArgumentException("Unknown URI " + serverUri);
}
try {
return URI.create(directoryUrl).toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException(directoryUrl, ex);
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/letsencrypt/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains the Let's Encrypt
* {@link org.shredzone.acme4j.provider.AcmeProvider}.
*
* @see Let's Encrypt
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.provider.letsencrypt;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* Acme Providers are the link between acme4j and the ACME server. They know how to
* connect to their server, and how to set up HTTP connections.
*
* {@link org.shredzone.acme4j.provider.AcmeProvider} is the root interface.
* {@link org.shredzone.acme4j.provider.AbstractAcmeProvider} is an abstract
* implementation of the most elementary methods. Most HTTP based providers will extend
* from {@link org.shredzone.acme4j.provider.GenericAcmeProvider} though.
*
* Provider implementations must be registered with Java's
* {@link java.util.ServiceLoader}.
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.provider;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/pebble/PebbleAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2017 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider.pebble;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.http.HttpClient;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Optional;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.shredzone.acme4j.connector.NetworkSettings;
import org.shredzone.acme4j.provider.AbstractAcmeProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* An {@link AcmeProvider} for Pebble.
*
* Pebble is a small ACME test server.
* This provider can be used to connect to an instance of a Pebble server.
*
* {@code "acme://pebble"} connects to a Pebble server running on localhost and listening
* on the standard port 14000. Using {@code "acme://pebble/other-host:12345"}, it is
* possible to connect to an external Pebble server on the given {@code other-host} and
* port. The port is optional, and if omitted, the standard port is used.
*/
public class PebbleAcmeProvider extends AbstractAcmeProvider {
private static final Logger LOG = LoggerFactory.getLogger(PebbleAcmeProvider.class);
private static final Pattern HOST_PATTERN = Pattern.compile("^/([^:/]+)(?:\\:(\\d+))?/?$");
private static final int PEBBLE_DEFAULT_PORT = 14000;
@Override
public boolean accepts(URI serverUri) {
return "acme".equals(serverUri.getScheme()) && "pebble".equals(serverUri.getHost());
}
@Override
public URL resolve(URI serverUri) {
try {
var path = serverUri.getPath();
int port = serverUri.getPort() != -1 ? serverUri.getPort() : PEBBLE_DEFAULT_PORT;
var baseUrl = URI.create("https://localhost:" + port + "/dir").toURL();
if (path != null && !path.isEmpty() && !"/".equals(path)) {
baseUrl = parsePath(path);
}
return baseUrl;
} catch (MalformedURLException ex) {
throw new IllegalArgumentException("Bad server URI " + serverUri, ex);
}
}
/**
* Parses the server URI path and returns the server's base URL.
*
* @param path
* server URI path
* @return URL of the server's base
*/
private URL parsePath(String path) throws MalformedURLException {
var m = HOST_PATTERN.matcher(path);
if (m.matches()) {
var host = m.group(1);
var port = PEBBLE_DEFAULT_PORT;
if (m.group(2) != null) {
port = Integer.parseInt(m.group(2));
}
try {
return new URI("https", null, host, port, "/dir", null, null).toURL();
} catch (URISyntaxException ex) {
throw new IllegalArgumentException("Malformed Pebble host/port: " + path);
}
} else {
throw new IllegalArgumentException("Invalid Pebble host/port: " + path);
}
}
@Override
public HttpClient createHttpClient(NetworkSettings networkSettings) {
var builder = HttpClient.newBuilder()
.followRedirects(HttpClient.Redirect.NORMAL)
.connectTimeout(networkSettings.getTimeout())
.proxy(networkSettings.getProxySelector())
.sslContext(createPebbleSSLContext());
if (networkSettings.getAuthenticator() != null) {
builder.authenticator(networkSettings.getAuthenticator());
}
return builder.build();
}
/**
* Creates a TrustManagerFactory configured with the Pebble root certificate.
*
* This method loads the Pebble root certificate from the PEM file and creates
* a TrustManagerFactory that trusts certificates signed by Pebble's CA.
*
* @return TrustManagerFactory configured for Pebble
* @throws RuntimeException if the Pebble certificate cannot be found or loaded
* @since 4.0.0
*/
protected TrustManagerFactory createPebbleTrustManagerFactory() {
try {
var keystore = readPemFile("/pebble.minica.pem")
.or(() -> readPemFile("/META-INF/pebble.minica.pem"))
.or(() -> readPemFile("/org/shredzone/acme4j/provider/pebble/pebble.minica.pem"))
.orElseThrow(() -> new RuntimeException("Could not find a Pebble root certificate"));
var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keystore);
return tmf;
} catch (KeyStoreException | NoSuchAlgorithmException ex) {
throw new RuntimeException("Could not create truststore", ex);
}
}
/**
* Creates the Pebble SSL context.
*
* Since the HTTP client is cached at the session level, this method is only called
* once per session, so no additional caching is needed.
*
* @return SSLContext configured for Pebble
*/
private SSLContext createPebbleSSLContext() {
try {
var tmf = createPebbleTrustManagerFactory();
var sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
return sslContext;
} catch (NoSuchAlgorithmException | KeyManagementException ex) {
throw new RuntimeException("Could not create SSL context", ex);
}
}
/**
* Reads a PEM file from a resource for Pebble SSL context creation.
*/
private Optional readPemFile(String resource) {
try (var in = PebbleAcmeProvider.class.getResourceAsStream(resource)) {
if (in == null) {
return Optional.empty();
}
var cf = CertificateFactory.getInstance("X.509");
var cert = cf.generateCertificate(in);
var keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(null, "acme4j".toCharArray());
keystore.setCertificateEntry("pebble", cert);
return Optional.of(keystore);
} catch (IOException | KeyStoreException | CertificateException
| NoSuchAlgorithmException ex) {
LOG.error("Failed to read PEM from resource '{}'", resource, ex);
return Optional.empty();
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/pebble/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains an {@link org.shredzone.acme4j.provider.AcmeProvider} for the
* Pebble test server.
*
* @see Pebble project page
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.provider.pebble;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/sslcom/SslComAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2024 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider.sslcom;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.Map;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.provider.AbstractAcmeProvider;
import org.shredzone.acme4j.provider.AcmeProvider;
import org.shredzone.acme4j.toolbox.JSON;
/**
* An {@link AcmeProvider} for SSL.com.
*
* The {@code serverUri} is {@code "acme://ssl.com"} for the production server,
* and {@code "acme://acme-try.ssl.com"} for a testing server.
*
* If you want to use SSL.com, always prefer to use this provider.
*
* @see SSL.com
* @since 3.2.0
*/
public class SslComAcmeProvider extends AbstractAcmeProvider {
private static final String PRODUCTION_ECC_DIRECTORY_URL = "https://acme.ssl.com/sslcom-dv-ecc";
private static final String PRODUCTION_RSA_DIRECTORY_URL = "https://acme.ssl.com/sslcom-dv-rsa";
private static final String STAGING_ECC_DIRECTORY_URL = "https://acme-try.ssl.com/sslcom-dv-ecc";
private static final String STAGING_RSA_DIRECTORY_URL = "https://acme-try.ssl.com/sslcom-dv-rsa";
@Override
public boolean accepts(URI serverUri) {
return "acme".equals(serverUri.getScheme())
&& "ssl.com".equals(serverUri.getHost());
}
@Override
public URL resolve(URI serverUri) {
var path = serverUri.getPath();
String directoryUrl;
if (path == null || path.isEmpty() || "/".equals(path) || "/ecc".equals(path)) {
directoryUrl = PRODUCTION_ECC_DIRECTORY_URL;
} else if ("/rsa".equals(path)) {
directoryUrl = PRODUCTION_RSA_DIRECTORY_URL;
} else if ("/staging".equals(path) || "/staging/ecc".equals(path)) {
directoryUrl = STAGING_ECC_DIRECTORY_URL;
} else if ("/staging/rsa".equals(path)) {
directoryUrl = STAGING_RSA_DIRECTORY_URL;
} else {
throw new IllegalArgumentException("Unknown URI " + serverUri);
}
try {
return URI.create(directoryUrl).toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException(directoryUrl, ex);
}
}
@Override
@SuppressWarnings("unchecked")
public JSON directory(Session session, URI serverUri) throws AcmeException {
// This is a workaround for a bug at SSL.com. It requires account registration
// by EAB, but the "externalAccountRequired" flag in the directory is set to
// false. This patch reads the directory and forcefully sets the flag to true.
// The entire method can be removed once it is fixed on SSL.com side.
var superdirectory = super.directory(session, serverUri);
if (superdirectory == null) {
return null;
}
var directory = superdirectory.toMap();
var meta = directory.get("meta");
if (meta instanceof Map) {
var metaMap = ((Map) meta);
metaMap.remove("externalAccountRequired");
metaMap.put("externalAccountRequired", true);
}
return JSON.fromMap(directory);
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/sslcom/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2020 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains the SSL.com
* {@link org.shredzone.acme4j.provider.AcmeProvider}.
*
* @see SSL.com
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.provider.sslcom;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/zerossl/ZeroSSLAcmeProvider.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2024 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.provider.zerossl;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.provider.AbstractAcmeProvider;
import org.shredzone.acme4j.provider.AcmeProvider;
/**
* An {@link AcmeProvider} for ZeroSSL.
*
* The {@code serverUri} is {@code "acme://zerossl.com"} for the production server.
*
* @see ZeroSSL
* @since 3.2.0
*/
public class ZeroSSLAcmeProvider extends AbstractAcmeProvider {
private static final String V02_DIRECTORY_URL = "https://acme.zerossl.com/v2/DV90";
@Override
public boolean accepts(URI serverUri) {
return "acme".equals(serverUri.getScheme())
&& "zerossl.com".equals(serverUri.getHost());
}
@Override
public URL resolve(URI serverUri) {
var path = serverUri.getPath();
String directoryUrl;
if (path == null || path.isEmpty() || "/".equals(path)) {
directoryUrl = V02_DIRECTORY_URL;
} else {
throw new IllegalArgumentException("Unknown URI " + serverUri);
}
try {
return URI.create(directoryUrl).toURL();
} catch (MalformedURLException ex) {
throw new AcmeProtocolException(directoryUrl, ex);
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/provider/zerossl/package-info.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2024 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
/**
* This package contains the ZeroSSL {@link org.shredzone.acme4j.provider.AcmeProvider}.
*
* @see ZeroSSL
*/
@ReturnValuesAreNonnullByDefault
@DefaultAnnotationForParameters(NonNull.class)
@DefaultAnnotationForFields(NonNull.class)
package org.shredzone.acme4j.provider.zerossl;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForFields;
import edu.umd.cs.findbugs.annotations.DefaultAnnotationForParameters;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.ReturnValuesAreNonnullByDefault;
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/toolbox/AcmeUtils.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.toolbox;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.io.Writer;
import java.net.IDN;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.cert.X509CertificateHolder;
import org.shredzone.acme4j.exception.AcmeProtocolException;
/**
* Contains utility methods that are frequently used for the ACME protocol.
*
* This class is internal. You may use it in your own code, but be warned that methods may
* change their signature or disappear without prior announcement.
*/
public final class AcmeUtils {
private static final char[] HEX = "0123456789abcdef".toCharArray();
private static final String ACME_ERROR_PREFIX = "urn:ietf:params:acme:error:";
private static final Pattern DATE_PATTERN = Pattern.compile(
"^(\\d{4})-(\\d{2})-(\\d{2})T"
+ "(\\d{2}):(\\d{2}):(\\d{2})"
+ "(?:\\.(\\d{1,3})\\d*)?"
+ "(Z|[+-]\\d{2}:?\\d{2})$", Pattern.CASE_INSENSITIVE);
private static final Pattern TZ_PATTERN = Pattern.compile(
"([+-])(\\d{2}):?(\\d{2})$");
private static final Pattern CONTENT_TYPE_PATTERN = Pattern.compile(
"([^;]+)(?:;.*?charset=(\"?)([a-z0-9_-]+)(\\2))?.*", Pattern.CASE_INSENSITIVE);
private static final Pattern MAIL_PATTERN = Pattern.compile("\\?|@.*,");
private static final Pattern BASE64URL_PATTERN = Pattern.compile("[0-9A-Za-z_-]*");
private static final Base64.Encoder PEM_ENCODER = Base64.getMimeEncoder(64,
"\n".getBytes(StandardCharsets.US_ASCII));
private static final Base64.Encoder URL_ENCODER = Base64.getUrlEncoder().withoutPadding();
private static final Base64.Decoder URL_DECODER = Base64.getUrlDecoder();
private static final char[] BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".toCharArray();
/**
* Enumeration of PEM labels.
*/
public enum PemLabel {
CERTIFICATE("CERTIFICATE"),
CERTIFICATE_REQUEST("CERTIFICATE REQUEST"),
PRIVATE_KEY("PRIVATE KEY"),
PUBLIC_KEY("PUBLIC KEY");
private final String label;
PemLabel(String label) {
this.label = label;
}
@Override
public String toString() {
return label;
}
}
private AcmeUtils() {
// Utility class without constructor
}
/**
* Computes a SHA-256 hash of the given string.
*
* @param z
* String to hash
* @return Hash
*/
public static byte[] sha256hash(String z) {
try {
var md = MessageDigest.getInstance("SHA-256");
md.update(z.getBytes(UTF_8));
return md.digest();
} catch (NoSuchAlgorithmException ex) {
throw new AcmeProtocolException("Could not compute hash", ex);
}
}
/**
* Hex encodes the given byte array.
*
* @param data
* byte array to hex encode
* @return Hex encoded string of the data (with lower case characters)
*/
public static String hexEncode(byte[] data) {
var result = new char[data.length * 2];
for (var ix = 0; ix < data.length; ix++) {
var val = data[ix] & 0xFF;
result[ix * 2] = HEX[val >>> 4];
result[ix * 2 + 1] = HEX[val & 0x0F];
}
return new String(result);
}
/**
* Base64 encodes the given byte array, using URL style encoding.
*
* @param data
* byte array to base64 encode
* @return base64 encoded string
*/
public static String base64UrlEncode(byte[] data) {
return URL_ENCODER.encodeToString(data);
}
/**
* Base64 decodes to a byte array, using URL style encoding.
*
* @param base64
* base64 encoded string
* @return decoded data
*/
public static byte[] base64UrlDecode(String base64) {
return URL_DECODER.decode(base64);
}
/**
* Base32 encodes a byte array.
*
* @param data Byte array to encode
* @return Base32 encoded data (includes padding)
* @since 4.0.0
*/
public static String base32Encode(byte[] data) {
var result = new StringBuilder();
var unconverted = new int[5];
var converted = new int[8];
for (var ix = 0; ix < (data.length + 4) / 5; ix++) {
var blocklen = unconverted.length;
for (var pos = 0; pos < unconverted.length; pos++) {
if ((ix * 5 + pos) < data.length) {
unconverted[pos] = data[ix * 5 + pos] & 0xFF;
} else {
unconverted[pos] = 0;
blocklen--;
}
}
converted[0] = (unconverted[0] >> 3) & 0x1F;
converted[1] = ((unconverted[0] & 0x07) << 2) | ((unconverted[1] >> 6) & 0x03);
converted[2] = (unconverted[1] >> 1) & 0x1F;
converted[3] = ((unconverted[1] & 0x01) << 4) | ((unconverted[2] >> 4) & 0x0F);
converted[4] = ((unconverted[2] & 0x0F) << 1) | ((unconverted[3] >> 7) & 0x01);
converted[5] = (unconverted[3] >> 2) & 0x1F;
converted[6] = ((unconverted[3] & 0x03) << 3) | ((unconverted[4] >> 5) & 0x07);
converted[7] = unconverted[4] & 0x1F;
var padding = switch (blocklen) {
case 1 -> 6;
case 2 -> 4;
case 3 -> 3;
case 4 -> 1;
case 5 -> 0;
default -> throw new IllegalArgumentException("blocklen " + blocklen + " out of range");
};
Arrays.stream(converted)
.limit(converted.length - padding)
.map(v -> BASE32_ALPHABET[v])
.forEach(v -> result.append((char) v));
if (padding > 0) {
result.append("=".repeat(padding));
}
}
return result.toString();
}
/**
* Validates that the given {@link String} is a valid base64url encoded value.
*
* @param base64
* {@link String} to validate
* @return {@code true}: String contains a valid base64url encoded value.
* {@code false} if the {@link String} was {@code null} or contained illegal
* characters.
* @since 2.6
*/
public static boolean isValidBase64Url(@Nullable String base64) {
return base64 != null && BASE64URL_PATTERN.matcher(base64).matches();
}
/**
* ASCII encodes a domain name.
*
* The conversion is done as described in
* RFC 3490. Additionally, all
* leading and trailing white spaces are trimmed, and the result is lowercased.
*
* It is safe to pass in ACE encoded domains, they will be returned unchanged.
*
* @param domain
* Domain name to encode
* @return Encoded domain name, white space trimmed and lower cased.
*/
public static String toAce(String domain) {
Objects.requireNonNull(domain, "domain");
return IDN.toASCII(domain.trim()).toLowerCase(Locale.ENGLISH);
}
/**
* Parses a RFC 3339 formatted date.
*
* @param str
* Date string
* @return {@link Instant} that was parsed
* @throws IllegalArgumentException
* if the date string was not RFC 3339 formatted
* @see RFC 3339
*/
public static Instant parseTimestamp(String str) {
var m = DATE_PATTERN.matcher(str);
if (!m.matches()) {
throw new IllegalArgumentException("Illegal date: " + str);
}
var year = Integer.parseInt(m.group(1));
var month = Integer.parseInt(m.group(2));
var dom = Integer.parseInt(m.group(3));
var hour = Integer.parseInt(m.group(4));
var minute = Integer.parseInt(m.group(5));
var second = Integer.parseInt(m.group(6));
var msStr = new StringBuilder();
if (m.group(7) != null) {
msStr.append(m.group(7));
}
while (msStr.length() < 3) {
msStr.append('0');
}
var ms = Integer.parseInt(msStr.toString());
var tz = m.group(8);
if ("Z".equalsIgnoreCase(tz)) {
tz = "GMT";
} else {
tz = TZ_PATTERN.matcher(tz).replaceAll("GMT$1$2:$3");
}
return ZonedDateTime.of(
year, month, dom, hour, minute, second, ms * 1_000_000,
ZoneId.of(tz)).toInstant();
}
/**
* Converts the given locale to an Accept-Language header value.
*
* @param locale
* {@link Locale} to be used in the header
* @return Value that can be used in an Accept-Language header
*/
public static String localeToLanguageHeader(@Nullable Locale locale) {
if (locale == null || "und".equals(locale.toLanguageTag())) {
return "*";
}
var langTag = locale.toLanguageTag();
var header = new StringBuilder(langTag);
if (langTag.indexOf('-') >= 0) {
header.append(',').append(locale.getLanguage()).append(";q=0.8");
}
header.append(",*;q=0.1");
return header.toString();
}
/**
* Strips the acme error prefix from the error string.
*
* For example, for "urn:ietf:params:acme:error:unauthorized", "unauthorized" is
* returned.
*
* @param type
* Error type to strip the prefix from. {@code null} is safe.
* @return Stripped error type, or {@code null} if the prefix was not found.
*/
@Nullable
public static String stripErrorPrefix(@Nullable String type) {
if (type != null && type.startsWith(ACME_ERROR_PREFIX)) {
return type.substring(ACME_ERROR_PREFIX.length());
} else {
return null;
}
}
/**
* Writes an encoded key or certificate to a file in PEM format.
*
* @param encoded
* Encoded data to write
* @param label
* {@link PemLabel} to be used
* @param out
* {@link Writer} to write to. It will not be closed after use!
*/
public static void writeToPem(byte[] encoded, PemLabel label, Writer out)
throws IOException {
out.append("-----BEGIN ").append(label.toString()).append("-----\n");
out.append(new String(PEM_ENCODER.encode(encoded), StandardCharsets.US_ASCII));
out.append("\n-----END ").append(label.toString()).append("-----\n");
}
/**
* Extracts the content type of a Content-Type header.
*
* @param header
* Content-Type header
* @return Content-Type, or {@code null} if the header was invalid or empty
* @throws AcmeProtocolException
* if the Content-Type header contains a different charset than "utf-8".
*/
@Nullable
public static String getContentType(@Nullable String header) {
if (header != null) {
var m = CONTENT_TYPE_PATTERN.matcher(header);
if (m.matches()) {
var charset = m.group(3);
if (charset != null && !"utf-8".equalsIgnoreCase(charset)) {
throw new AcmeProtocolException("Unsupported charset " + charset);
}
return m.group(1).trim().toLowerCase(Locale.ENGLISH);
}
}
return null;
}
/**
* Validates a contact {@link URI}.
*
* @param contact
* Contact {@link URI} to validate
* @throws IllegalArgumentException
* if the contact {@link URI} is not suitable for account contacts.
*/
public static void validateContact(URI contact) {
if ("mailto".equalsIgnoreCase(contact.getScheme())) {
var address = contact.toString().substring(7);
if (MAIL_PATTERN.matcher(address).find()) {
throw new IllegalArgumentException(
"multiple recipients or hfields are not allowed: " + contact);
}
}
}
/**
* Returns the certificate's unique identifier for renewal.
*
* @param certificate
* Certificate to get the unique identifier for.
* @return Unique identifier
* @throws AcmeProtocolException
* if the certificate is invalid or does not provide the necessary
* information.
*/
public static String getRenewalUniqueIdentifier(X509Certificate certificate) {
try {
var cert = new X509CertificateHolder(certificate.getEncoded());
var aki = Optional.of(cert)
.map(X509CertificateHolder::getExtensions)
.map(AuthorityKeyIdentifier::fromExtensions)
.map(AuthorityKeyIdentifier::getKeyIdentifier)
.map(AcmeUtils::base64UrlEncode)
.orElseThrow(() -> new AcmeProtocolException("Missing or invalid Authority Key Identifier"));
var sn = Optional.of(cert)
.map(X509CertificateHolder::toASN1Structure)
.map(Certificate::getSerialNumber)
.map(AcmeUtils::getRawInteger)
.map(AcmeUtils::base64UrlEncode)
.orElseThrow(() -> new AcmeProtocolException("Missing or invalid serial number"));
return aki + '.' + sn;
} catch (Exception ex) {
throw new AcmeProtocolException("Invalid certificate", ex);
}
}
/**
* Gets the raw integer array from ASN1Integer. This is done by encoding it to a byte
* array, and then skipping the INTEGER identifier. Other methods of ASN1Integer only
* deliver a parsed integer value that might have been mangled.
*
* @param integer
* ASN1Integer to convert to raw
* @return Byte array of the raw integer
*/
private static byte[] getRawInteger(ASN1Integer integer) {
try {
var encoded = integer.getEncoded();
return Arrays.copyOfRange(encoded, 2, encoded.length);
} catch (IOException ex) {
throw new UncheckedIOException(ex);
}
}
}
================================================
FILE: acme4j-client/src/main/java/org/shredzone/acme4j/toolbox/JSON.java
================================================
/*
* acme4j - Java ACME client
*
* Copyright (C) 2016 Richard "Shred" Körber
* http://acme4j.shredzone.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/
package org.shredzone.acme4j.toolbox;
import static java.nio.charset.StandardCharsets.UTF_8;
import static java.util.stream.Collectors.joining;
import static org.shredzone.acme4j.toolbox.AcmeUtils.parseTimestamp;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Serial;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import edu.umd.cs.findbugs.annotations.Nullable;
import org.jose4j.json.JsonUtil;
import org.jose4j.lang.JoseException;
import org.shredzone.acme4j.Identifier;
import org.shredzone.acme4j.Problem;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
/**
* A model containing a JSON result. The content is immutable.
*/
public final class JSON implements Serializable {
@Serial
private static final long serialVersionUID = 418332625174149030L;
private static final JSON EMPTY_JSON = new JSON(new HashMap<>());
private final String path;
private final Map data;
/**
* Creates a new {@link JSON} root object.
*
* @param data
* {@link Map} containing the parsed JSON data
*/
private JSON(Map data) {
this("", data);
}
/**
* Creates a new {@link JSON} branch object.
*
* @param path
* Path leading to this branch.
* @param data
* {@link Map} containing the parsed JSON data
*/
private JSON(String path, Map data) {
this.path = path;
this.data = data;
}
/**
* Parses JSON from an {@link InputStream}.
*
* @param in
* {@link InputStream} to read from. Will be closed after use.
* @return {@link JSON} of the read content.
*/
public static JSON parse(InputStream in) throws IOException {
try (var reader = new BufferedReader(new InputStreamReader(in, UTF_8))) {
var json = reader.lines().map(String::trim).collect(joining());
return parse(json);
}
}
/**
* Parses JSON from a String.
*
* @param json
* JSON string
* @return {@link JSON} of the read content.
*/
public static JSON parse(String json) {
try {
return new JSON(JsonUtil.parseJson(json));
} catch (JoseException ex) {
throw new AcmeProtocolException("Bad JSON: " + json, ex);
}
}
/**
* Creates a JSON object from a map.
*
* The map's content is deeply copied. Changes to the map won't reflect in the created
* JSON structure.
*
* @param data
* Map structure
* @return {@link JSON} of the map's content.
* @since 3.2.0
*/
public static JSON fromMap(Map data) {
return JSON.parse(JsonUtil.toJson(data));
}
/**
* Returns a {@link JSON} of an empty document.
*
* @return Empty {@link JSON}
*/
public static JSON empty() {
return EMPTY_JSON;
}
/**
* Returns a set of all keys of this object.
*
* @return {@link Set} of keys
*/
public Set keySet() {
return Collections.unmodifiableSet(data.keySet());
}
/**
* Checks if this object contains the given key.
*
* @param key
* Name of the key to check
* @return {@code true} if the key is present
*/
public boolean contains(String key) {
return data.containsKey(key);
}
/**
* Returns the {@link Value} of the given key.
*
* @param key
* Key to read
* @return {@link Value} of the key
*/
public Value get(String key) {
return new Value(
path.isEmpty() ? key : path + '.' + key,
data.get(key));
}
/**
* Returns the {@link Value} of the given key.
*
* @param key
* Key to read
* @return {@link Value} of the key
* @throws AcmeNotSupportedException
* if the key is not present. The key is used as feature name.
*/
public Value getFeature(String key) {
return new Value(
path.isEmpty() ? key : path + '.' + key,
data.get(key)).onFeature(key);
}
/**
* Returns the content as JSON string.
*/
@Override
public String toString() {
return JsonUtil.toJson(data);
}
/**
* Returns the content as unmodifiable Map.
*
* @since 2.8
*/
public Map toMap() {
return Collections.unmodifiableMap(data);
}
/**
* Represents a JSON array.
*/
public static final class Array implements Iterable {
private final String path;
private final List