对比本项目与 RFC 8555 出入的地方

composer.json

@@ -1,5 +1,5 @@
 {
-    "name": "acmephp/acmephp",
+    "name": "trustocean/acmephp",
     "description": "Let's Encrypt client written in PHP",
     "type": "project",
     "license": "MIT",

src/Cli/Command/AuthorizeCommand.php

@@ -19,12 +19,21 @@
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
+use AcmePhp\Cli\Command\Helper\KeyOptionCommandTrait;
+use AcmePhp\Ssl\CertificateRequest;
 
 /**
  * @author Titouan Galopin <galopintitouan@gmail.com>
  */
 class AuthorizeCommand extends AbstractCommand
 {
+    use KeyOptionCommandTrait;
+
+    /**
+     * @var RepositoryInterface
+     */
+    private $repository;
+
     /**
      * {@inheritdoc}
      */
@@ -34,6 +43,14 @@ protected function configure()
             ->setDefinition([
                 new InputOption('solver', 's', InputOption::VALUE_REQUIRED, 'The type of challenge solver to use (available: http, dns, route53)', 'http'),
                 new InputArgument('domains', InputArgument::IS_ARRAY | InputArgument::REQUIRED, 'List of domains to ask an authorization for'),
+                new InputOption('country', null, InputOption::VALUE_REQUIRED, 'Your country two-letters code (field "C" of the distinguished name, for instance: "US")'),
+                new InputOption('province', null, InputOption::VALUE_REQUIRED, 'Your country province (field "ST" of the distinguished name, for instance: "California")'),
+                new InputOption('locality', null, InputOption::VALUE_REQUIRED, 'Your locality (field "L" of the distinguished name, for instance: "Mountain View")'),
+                new InputOption('organization', null, InputOption::VALUE_REQUIRED, 'Your organization/company (field "O" of the distinguished name, for instance: "Acme PHP")'),
+                new InputOption('unit', null, InputOption::VALUE_REQUIRED, 'Your unit/department in your organization (field "OU" of the distinguished name, for instance: "Sales")'),
+                new InputOption('email', null, InputOption::VALUE_REQUIRED, 'Your e-mail address (field "E" of the distinguished name)'),
+                new InputOption('alternative-name', 'a', InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, 'Alternative domains for this certificate'),
+                new InputOption('key-type', 'k', InputOption::VALUE_REQUIRED, 'The type of private key used to sign certificates (one of RSA, EC)', 'RSA'),
             ])
             ->setDescription('Ask the ACME server for an authorization token to check you are the owner of a domain')
             ->setHelp(<<<'EOF'
@@ -56,8 +73,11 @@ protected function configure()
      */
     protected function execute(InputInterface $input, OutputInterface $output)
     {
+        $this->repository = $this->getRepository();
+
         $client = $this->getClient();
         $domains = $input->getArgument('domains');
+        $keyType = $input->getOption('key-type');
 
         $solverName = strtolower($input->getOption('solver'));
 
@@ -68,8 +88,37 @@ protected function execute(InputInterface $input, OutputInterface $output)
         $solver = $solverLocator->get($solverName);
         $this->debug('Solver found', ['name' => $solverName]);
 
+        $alternativeNames = $domains;
+        $domain = $alternativeNames[0];
+        sort($alternativeNames);
+
+        $introduction = <<<'EOF'
+
+There is currently no certificate for domain %s in the Acme PHP storage. As it is the
+first time you request a certificate for this domain, some configuration is required.
+
+<info>Generating domain key pair...</info>
+EOF;
+
+        $this->info(sprintf($introduction, $domain));
+
+        /* @var KeyPair $domainKeyPair */
+        $domainKeyPair = $this->getContainer()->get('ssl.key_pair_generator')->generateKeyPair(
+            $this->createKeyOption($keyType)
+        );
+        $this->repository->storeDomainKeyPair($domain, $domainKeyPair);
+
+        $this->debug('Domain key pair generated and stored', [
+            'domain' => $domain,
+            'public_key' => $domainKeyPair->getPublicKey()->getPEM(),
+        ]);
+        $distinguishedName = $this->getOrCreateDistinguishedName($domain, $alternativeNames);
+        $this->notice('Distinguished name informations have been stored locally for this domain (they won\'t be asked on renewal).');
+        $this->notice(sprintf('Loading the order related to the domains %s ...', implode(', ', $domains)));
+        $csr = new CertificateRequest($distinguishedName, $domainKeyPair);
+
         $this->notice(sprintf('Requesting an authorization token for domains %s ...', implode(', ', $domains)));
-        $order = $client->requestOrder($domains);
+        $order = $client->requestOrder($domains, $csr);
         $this->notice('The authorization tokens was successfully fetched!');
         $authorizationChallengesToSolve = [];
         foreach ($order->getAuthorizationsChallenges() as $domainKey => $authorizationChallenges) {

src/Cli/Command/Helper/KeyOptionCommandTrait.php

@@ -13,6 +13,7 @@
 
 use AcmePhp\Ssl\Generator\EcKey\EcKeyOption;
 use AcmePhp\Ssl\Generator\RsaKey\RsaKeyOption;
+use AcmePhp\Ssl\DistinguishedName;
 
 /**
  * @author Jérémy Derussé <jeremy@derusse.com>
@@ -30,4 +31,61 @@ private function createKeyOption($keyType)
                 throw new \InvalidArgumentException(sprintf('The keyType "%s" is not valid. Supported types are: RSA, EC', strtoupper($keyType)));
         }
     }
+
+
+    /**
+     * Retrieve the stored distinguishedName or create a new one if needed.
+     *
+     * @param string $domain
+     * @param array  $alternativeNames
+     *
+     * @return DistinguishedName
+     */
+    private function getOrCreateDistinguishedName($domain, array $alternativeNames)
+    {
+        if ($this->repository->hasDomainDistinguishedName($domain)) {
+            $original = $this->repository->loadDomainDistinguishedName($domain);
+
+            $distinguishedName = new DistinguishedName(
+                $domain,
+                $this->input->getOption('country') ?: $original->getCountryName(),
+                $this->input->getOption('province') ?: $original->getStateOrProvinceName(),
+                $this->input->getOption('locality') ?: $original->getLocalityName(),
+                $this->input->getOption('organization') ?: $original->getOrganizationName(),
+                $this->input->getOption('unit') ?: $original->getOrganizationalUnitName(),
+                $this->input->getOption('email') ?: $original->getEmailAddress(),
+                $alternativeNames
+            );
+        } else {
+            // Ask DistinguishedName
+            $distinguishedName = new DistinguishedName(
+                $domain,
+                $this->input->getOption('country'),
+                $this->input->getOption('province'),
+                $this->input->getOption('locality'),
+                $this->input->getOption('organization'),
+                $this->input->getOption('unit'),
+                $this->input->getOption('email'),
+                $alternativeNames
+            );
+
+            /** @var DistinguishedNameHelper $helper */
+            $helper = $this->getHelper('distinguished_name');
+
+            if (!$helper->isReadyForRequest($distinguishedName)) {
+                $this->info("\n\nSome informations about you or your company are required for the certificate:\n");
+
+                $distinguishedName = $helper->ask(
+                    $this->getHelper('question'),
+                    $this->input,
+                    $this->output,
+                    $distinguishedName
+                );
+            }
+        }
+
+        $this->repository->storeDomainDistinguishedName($domain, $distinguishedName);
+
+        return $distinguishedName;
+    }
 }

src/Cli/Command/RequestCommand.php

@@ -342,60 +342,4 @@ private function executeRenewal($domain, array $alternativeNames)
             throw $e;
         }
     }
-
-    /**
-     * Retrieve the stored distinguishedName or create a new one if needed.
-     *
-     * @param string $domain
-     * @param array  $alternativeNames
-     *
-     * @return DistinguishedName
-     */
-    private function getOrCreateDistinguishedName($domain, array $alternativeNames)
-    {
-        if ($this->repository->hasDomainDistinguishedName($domain)) {
-            $original = $this->repository->loadDomainDistinguishedName($domain);
-
-            $distinguishedName = new DistinguishedName(
-                $domain,
-                $this->input->getOption('country') ?: $original->getCountryName(),
-                $this->input->getOption('province') ?: $original->getStateOrProvinceName(),
-                $this->input->getOption('locality') ?: $original->getLocalityName(),
-                $this->input->getOption('organization') ?: $original->getOrganizationName(),
-                $this->input->getOption('unit') ?: $original->getOrganizationalUnitName(),
-                $this->input->getOption('email') ?: $original->getEmailAddress(),
-                $alternativeNames
-            );
-        } else {
-            // Ask DistinguishedName
-            $distinguishedName = new DistinguishedName(
-                $domain,
-                $this->input->getOption('country'),
-                $this->input->getOption('province'),
-                $this->input->getOption('locality'),
-                $this->input->getOption('organization'),
-                $this->input->getOption('unit'),
-                $this->input->getOption('email'),
-                $alternativeNames
-            );
-
-            /** @var DistinguishedNameHelper $helper */
-            $helper = $this->getHelper('distinguished_name');
-
-            if (!$helper->isReadyForRequest($distinguishedName)) {
-                $this->info("\n\nSome informations about you or your company are required for the certificate:\n");
-
-                $distinguishedName = $helper->ask(
-                    $this->getHelper('question'),
-                    $this->input,
-                    $this->output,
-                    $distinguishedName
-                );
-            }
-        }
-
-        $this->repository->storeDomainDistinguishedName($domain, $distinguishedName);
-
-        return $distinguishedName;
-    }
 }

src/Cli/Command/RunCommand.php

@@ -96,7 +96,7 @@ protected function execute(InputInterface $input, OutputInterface $output)
                     $certificate
                 );
             } else {
-                $order = $this->challengeDomains($domainConfig);
+                $order = $this->challengeDomains($domainConfig, $keyOption);
                 $response = $this->requestCertificate($order, $domainConfig, $keyOption);
             }
 
@@ -228,7 +228,7 @@ private function requestCertificate(CertificateOrder $order, $domainConfig, KeyO
         return $response;
     }
 
-    private function challengeDomains(array $domainConfig)
+    private function challengeDomains(array $domainConfig, KeyOption $keyOption)
     {
         $solverConfig = $domainConfig['solver'];
         $domain = $domainConfig['domain'];
@@ -246,8 +246,36 @@ private function challengeDomains(array $domainConfig)
         $client = $this->getClient();
         $domains = array_unique(array_merge([$domain], $domainConfig['subject_alternative_names']));
 
+
+        $domain = $domainConfig['domain'];
+        $this->output->writeln(sprintf('<comment>Requesting certificate for domain %s...</comment>', $domain));
+
+        $repository = $this->getRepository();
+        $client = $this->getClient();
+        $distinguishedName = new DistinguishedName(
+            $domainConfig['domain'],
+            $domainConfig['distinguished_name']['country'],
+            $domainConfig['distinguished_name']['state'],
+            $domainConfig['distinguished_name']['locality'],
+            $domainConfig['distinguished_name']['organization_name'],
+            $domainConfig['distinguished_name']['organization_unit_name'],
+            $domainConfig['distinguished_name']['email_address'],
+            $domainConfig['subject_alternative_names']
+        );
+
+        if ($repository->hasDomainKeyPair($domain)) {
+            $domainKeyPair = $repository->loadDomainKeyPair($domain);
+        } else {
+            $domainKeyPair = $this->getContainer()->get('ssl.key_pair_generator')->generateKeyPair($keyOption);
+            $repository->storeDomainKeyPair($domain, $domainKeyPair);
+        }
+
+        $repository->storeDomainDistinguishedName($domain, $distinguishedName);
+
+        $csr = new CertificateRequest($distinguishedName, $domainKeyPair);
+
         $this->output->writeln('<comment>Requesting certificate order...</comment>');
-        $order = $client->requestOrder($domains);
+        $order = $client->requestOrder($domains, $csr);
 
         $authorizationChallengesToSolve = [];
         foreach ($order->getAuthorizationsChallenges() as $domain => $authorizationChallenges) {

src/Core/AcmeClient.php

@@ -131,10 +131,15 @@ public function requestAuthorization($domain)
     /**
      * {@inheritdoc}
      */
-    public function requestOrder(array $domains)
+    public function requestOrder(array $domains, $csr = null)
     {
         Assert::allStringNotEmpty($domains, 'requestOrder::$domains expected a list of strings. Got: %s');
 
+        $humanText = ['-----BEGIN CERTIFICATE REQUEST-----', '-----END CERTIFICATE REQUEST-----'];
+        $csrContent = $this->csrSigner->signCertificateRequest($csr);
+        $csrContent = trim(str_replace($humanText, '', $csrContent));
+        $csrContent = trim($this->getHttpClient()->getBase64Encoder()->encode(base64_decode($csrContent)));
+
         $payload = [
             'identifiers' => array_map(
                 function ($domain) {
@@ -145,6 +150,7 @@ function ($domain) {
                 },
                 array_values($domains)
             ),
+            'csr' => $csrContent,
         ];
 
         $response = $this->getHttpClient()->signedKidRequest('POST', $this->getResourceUrl(ResourcesDirectory::NEW_ORDER), $this->getResourceAccount(), $payload);
@@ -360,7 +366,10 @@ private function createAuthorizationChallenge($domain, array $response)
             $response['type'],
             $response['url'],
             $response['token'],
-            $response['token'].'.'.$base64encoder->encode($this->getHttpClient()->getJWKThumbprint())
+            isset($response['filecontent']) ? $response['filecontent'] : ($response['token'].'.'.$base64encoder->encode($this->getHttpClient()->getJWKThumbprint())),
+            isset($response['path']) ? $response['path'] : null,
+            isset($response['verifyurl']) ? $response['verifyurl'] : null,
+            isset($response['filecontent']) ? $response['filecontent'] : null
         );
     }
 }

src/Core/AcmeClientV2Interface.php

@@ -44,7 +44,7 @@ interface AcmeClientV2Interface extends AcmeClientInterface
      *
      * @return CertificateOrder the Order returned by the Certificate Authority
      */
-    public function requestOrder(array $domains);
+    public function requestOrder(array $domains, $csr = null);
 
     /**
      * Request a certificate for the given domain.

src/Core/Challenge/Http/FilesystemSolver.php

@@ -88,7 +88,6 @@ public function solve(AuthorizationChallenge $authorizationChallenge)
     public function cleanup(AuthorizationChallenge $authorizationChallenge)
     {
         $checkPath = $this->extractor->getCheckPath($authorizationChallenge);
-
-        $this->filesystem->delete($checkPath);
+        //$this->filesystem->delete($checkPath);
     }
 }

src/Core/Challenge/Http/HttpDataExtractor.php

@@ -46,7 +46,7 @@ public function getCheckUrl(AuthorizationChallenge $authorizationChallenge)
     public function getCheckPath(AuthorizationChallenge $authorizationChallenge)
     {
         return sprintf(
-            '/.well-known/acme-challenge/%s',
+            $authorizationChallenge->getPath() ? ($authorizationChallenge->getPath() . '%s') : '/.well-known/acme-challenge/%s',
             $authorizationChallenge->getToken()
         );
     }

src/Core/Filesystem/Adapter/FlysystemAdapter.php

@@ -39,6 +39,7 @@ public function write($path, $content)
 
     public function delete($path)
     {
+        return;
         $isOnRemote = $this->filesystem->has($path);
         if ($isOnRemote && !$this->filesystem->delete($path)) {
             throw $this->createRuntimeException($path, 'delete');