Commit b20c4369 authored by Adrien Dorsaz's avatar Adrien Dorsaz

account rollover: modularize jws header creation

parent 141a8dff
......@@ -20,6 +20,24 @@ def account_rollover(accountkeypath, new_accountkeypath, acme_directory, log=LOG
raise IOError("OpenSSL Error: {0}".format(err))
return out
# helper function to get jws_header from account key path
def _jws_header(accountkeypath):
accountkey = _openssl("rsa", ["-in", accountkeypath, "-noout", "-text"])
pub_hex, pub_exp = re.search(
r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)",
accountkey.decode("utf8"), re.MULTILINE | re.DOTALL).groups()
pub_exp = "{0:x}".format(int(pub_exp))
pub_exp = "0{0}".format(pub_exp) if len(pub_exp) % 2 else pub_exp
jws_header = {
"alg": "RS256",
"jwk": {
"e": _b64(binascii.unhexlify(pub_exp.encode("utf-8"))),
"kty": "RSA",
"n": _b64(binascii.unhexlify(re.sub(r"(\s|:)", "", pub_hex).encode("utf-8"))),
},
}
return jws_header
# helper function to sign request with specified key
def _sign_request(accountkeypath, jwsheader, payload):
nonlocal jws_nonce
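Review bot: `_jws_header` calls `.groups()` directly on the `re.search(...)` result, so an account key whose `openssl rsa -text` output does not match the pattern (a non-RSA key, or a differently formatted `modulus:`/`publicExponent:` block) dies with an opaque AttributeError rather than a message naming the key file. Bind the match first and fail explicitly: `m = re.search(r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)", accountkey.decode("utf8"), re.MULTILINE | re.DOTALL)` / `if m is None: raise ValueError("Unable to parse RSA public key from {0}".format(accountkeypath))` / `pub_hex, pub_exp = m.groups()`. The helper also deserves a docstring stating that it returns an RS256 JWS header carrying the public JWK (`e`, `kty`, `n`) of the key at `accountkeypath`, since both call sites in the later hunk rely on that shape. The enclosing `account_rollover` function starts outside this hunk.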
......@@ -33,7 +51,6 @@ def account_rollover(accountkeypath, new_accountkeypath, acme_directory, log=LOG
"header": jwsheader, "protected": protected64,
"payload": payload64, "signature": _b64(signature),
}
log.info("Signed JWS: {0}".format(signedjws))
return signedjws
# helper function make signed requests
......@@ -48,36 +65,10 @@ def account_rollover(accountkeypath, new_accountkeypath, acme_directory, log=LOG
return resp.getcode(), resp.read(), resp.getheaders()
log.info("Parsing current account key...")
accountkey = _openssl("rsa", ["-in", accountkeypath, "-noout", "-text"])
pub_hex, pub_exp = re.search(
r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)",
accountkey.decode("utf8"), re.MULTILINE | re.DOTALL).groups()
pub_exp = "{0:x}".format(int(pub_exp))
pub_exp = "0{0}".format(pub_exp) if len(pub_exp) % 2 else pub_exp
jws_header = {
"alg": "RS256",
"jwk": {
"e": _b64(binascii.unhexlify(pub_exp.encode("utf-8"))),
"kty": "RSA",
"n": _b64(binascii.unhexlify(re.sub(r"(\s|:)", "", pub_hex).encode("utf-8"))),
},
}
cur_jws_header = _jws_header(accountkeypath)
log.info("Parsing new account key...")
newaccountkey = _openssl("rsa", ["-in", new_accountkeypath, "-noout", "-text"])
newpub_hex, newpub_exp = re.search(
r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)",
newaccountkey.decode("utf8"), re.MULTILINE | re.DOTALL).groups()
newpub_exp = "{0:x}".format(int(newpub_exp))
newpub_exp = "0{0}".format(newpub_exp) if len(newpub_exp) % 2 else newpub_exp
new_jws_header = {
"alg": "RS256",
"jwk": {
"e": _b64(binascii.unhexlify(newpub_exp.encode("utf-8"))),
"kty": "RSA",
"n": _b64(binascii.unhexlify(re.sub(r"(\s|:)", "", newpub_hex).encode("utf-8"))),
},
}
new_jws_header = _jws_header(new_accountkeypath)
# get ACME server configuration from the directory
directory = urlopen(acme_directory)
......@@ -85,7 +76,7 @@ def account_rollover(accountkeypath, new_accountkeypath, acme_directory, log=LOG
jws_nonce = None
log.info("Register account to get account URL.")
code, result, headers = _send_signed_request(accountkeypath, jws_header, acme_config["new-reg"], {
code, result, headers = _send_signed_request(accountkeypath, cur_jws_header, acme_config["new-reg"], {
"resource": "new-reg"
})
......@@ -93,13 +84,13 @@ def account_rollover(accountkeypath, new_accountkeypath, acme_directory, log=LOG
raise ValueError("Error getting account URL: {0} {1}".format(code,result))
account_url = dict(headers).get("Location")
log.info("Rolls over account key...")
outer_payload = _sign_request(new_accountkeypath, new_jws_header, {
"url": acme_config["key-change"],
"url": acme_config["key-change"], # currently needed by boulder implementation in inner payload
"account": account_url,
"newKey": new_jws_header["jwk"]})
outer_payload["resource"] = "key-change"
log.info("Rolls over account key...")
code, result, headers = _send_signed_request(accountkeypath, jws_header, acme_config["key-change"], outer_payload)
outer_payload["resource"] = "key-change" # currently needed by boulder implementation
code, result, headers = _send_signed_request(accountkeypath, cur_jws_header, acme_config["key-change"], outer_payload)
if code != 200:
raise ValueError("Error rolling over account key: {0} {1}".format(code, result))
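Review bot: The two new comments `# currently needed by boulder implementation in inner payload` and `# currently needed by boulder implementation` describe a server-specific workaround but give a maintainer no way to know when it can be removed. Turn them into tracked TODOs that name what the workaround depends on, e.g. `# TODO: "url" in the inner payload and "resource" in the outer payload are Boulder requirements at the time of writing; re-check against the targeted ACME draft before removing`. The enclosing `account_rollover` function continues outside this hunk.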