acmeRFC8555Servlet.h

/*NB_REVISION*/
 
/*NB_COPYRIGHT*/
 
#ifndef _NB_ACME_H
#define _NB_ACME_H
 
#include <predef.h>
#include <ip.h>
#include <nettypes.h>
 
 
#include <base64.h>
#include <json_lexer.h>
#include <nbtime.h>
#include <nbstring.h>
#include <diagnostics.h>
#include <webclient/http_funcs.h>
 
#include <crypto/wolfssl/wolfcrypt/ecc.h>
#include <crypto/wolfssl/wolfcrypt/random.h>
#include <crypto/wolfssl/wolfcrypt/sha256.h>
#include <crypto/wolfssl/wolfcrypt/hash.h>
#include <crypto/wolfssl/wolfcrypt/asn_public.h>
#include <crypto/wolfssl/wolfcrypt/wolfmath.h>        
#include <crypto/certgen.h>
#include <servlets.h>
 
const int ACME_ERR_NONE=0;
const int ACME_ERR_HAL_SAVE_FAIL=-10;
const int ACME_ERR_CSR_ERR=-11;
const int ACME_ERR_FAIL_READ_EXPIRY=-12;
const int ACME_ERR_STORED_CERT_INVALID=-14;
const int ACME_FAILED_GET_DIR=-15;
const int ACME_FAILED_GET_NONCE=-16;
const int ACME_FAILED_GET_NONCE_DIR=-17;
const int ACME_FAILED_GET_ACCOUNT=-18;
const int ACME_ERR_GET_CSR_FAIL=-19;
const int ACME_ERR_ORDER_FAIL=-20;
const int ACME_ERR_MALLOC_FAIL=-21;
const int ACME_ERR_SELF_FAIL=-22; 
const int ACME_ERR_DNS_FAIL=-23; 
const int ACME_ERR_TRANSACT_FAIL=-24;
 
 
 
//Forward declartions.
class AcmeDataSet;
class AcmeServletObject;
 
 
//Class to hanle header processing as ACME needs both headers and body processed.
class AcmeServletBuffer : public ParsedJsonDataSet 
{
AcmeDataSet * pAcme;
    virtual void ProcessHeader(const char * hdr);
public:
    AcmeServletBuffer(AcmeDataSet * pOwner) {pAcme=pOwner;}
 
};
 
class AcmeAuthItem  : public HtmlPageHandler
{
    typedef enum {
            eAuthStart,   
            eAuthCreated,   
            eAuthRetrieved,   
            eAuthActivated,   
            eAuthValid,
            eAuthPending,   
            eAuthInvalid
    } eAcmeAuthState_t;
 
 
public:
AcmeServletBuffer AuthBuffer;
NBString AuthItem;//The URL from the  Order list 
NBString AuthActivation; //The URL for activation and status
NBString AuthToken;//The Token to return
NBString AuthPath;//The Path
NBString AuthName;//The DNS name were doing all this for
NBString UseThumb;
AcmeServletObject &  Owner;
int m_Index;
int m_Query_Num;
int m_Retry;
eAcmeAuthState_t m_State;
 
//HtmlPageHandler callback used to serve up the response page
//Possible this might change from is one to has one...
virtual int ProcessRaw(int sock, HTTP_Request &pd);
 
AcmeAuthItem(AcmeServletObject & owner,AcmeDataSet * pData);
void InitNew(const NBString & src, int index);
~AcmeAuthItem();
void SendForState();
bool ProcessForState();
bool ProcessForTimeout();
const char * GetStateCC();
void clear();
void SetTimeoutSecs(int secs);
inline bool valid() {return (m_State==eAuthValid); }; 
 
};
 
 
 
 
struct AcmeDataSet
{
AcmeServletBuffer DirListing;  //Holds the rood directoory listing of services.
AcmeServletBuffer OrderResult; //Holds the order in process.
AcmeServletBuffer TransactionResult; //Temp holds the transactions...
 
 
NBString nonce;
NBString jwk;
NBString kid;
NBString FinalizeUrl;
NBString RetryAfter;
NBString Location;
NBString OrderUrl;
AcmeAuthItem AuthItem;
bool bDiag;
uint8_t CertBigBuffer[16384]; 
SimpleBufferObject sbo{CertBigBuffer,16384}; 
 
WC_RNG rng;
 
//Helper function Used to scan incomming headers for things of interest.
bool ScanHeaderAndSet(const char * pTarget, NBString & setv,const char * hdr);
 
//Called for every header in incomming transactions.
void ProcessHeader(const char * hdr);
 
AcmeDataSet(AcmeServletObject & owner):DirListing(this),OrderResult(this),TransactionResult(this),AuthItem(owner,this)
{
}
~AcmeDataSet();
};
 
 
class AcmeServletObject : public DiagItemClass, public WebClientServlet
{
 
    typedef enum {
        eWaitStart,   
        eGetDirs,
        eFirstNonce,
        eDoAccount,
        eDoOrder,
        eDoAuthItemDo,      
        eDoOrderFinalize,
        eDoOrderStatus,     
        eDoGetCert, 
        eDoneSleeping,
        eErrorWaitForRetry,
        eRestart
    } eAcmeServletState_t;
 
const char * m_AcmeServerUrl;
 
 
ecc_key  AccountKey;
ecc_key  ServerKey;
uint32_t keysize;
 
//Used by SSL to get keys etc...
puint8_t m_pServerKey;
puint8_t m_pServerCert;
 
 
//State variables
 
time_t m_issued;     //When does cert expire
time_t m_expiry;     //When does cert expire
time_t m_retrydate;  //When shoudl we renew?
NBString m_CertIssuer; //Name of entity who signed cert.
NBString m_LastAction;
 
 
AcmeDataSet  * pAcmeSet;
 
eAcmeServletState_t m_pvt_State;
int m_Retry_Order;
int m_Retry_Status;
int m_Retry_Transaction;
uint32_t m_StatusFlags;
 
 
//The erorr state of the world.
NBString err_str;
int err_code;
 
//Active status of the world
NBString status_str;
 
 
private:
 
//Access the things we need to generate responses...
    NBString GetJwk(); //Java web key
    NBString GetThumb(); //Thumb print of account key
    bool GetCSR(NBString & s); //Generate a Certificate signing request
 
 
    void FillInReq(Cert & req);//Fillin names and details on a cert request
 
 
//Global pointer so we can get the one and only object for SSL key handeling
 
 
void RetryOrder();
 
void SendForState(eAcmeServletState_t state);
void ProcessForState(eAcmeServletState_t state);
void ProcessForTimeout(eAcmeServletState_t state);
 
 
 
PoolPtr PrepTransaction(const NBString & url, const char* payload="", bool bJwk=false);
void StartTransaction(AcmeServletBuffer & buf,const char * dir_entry, const char* payload="", bool bJwk=false);
void StartTransactionUrl(AcmeServletBuffer & buf,const NBString & url, const char* payload="", bool bJwk=false);
 
 
//Save current active keys to storage
bool SaveKeysToStorage();
 
//Make and save to storage a selfsigned cert...
bool MakeSaveSelfSignedCert();
 
//Read the server cert and set the issue and expiry date
//Setup cert on SSL.
void UseCurrentCert();
 
//DigItemClass virtual for showing state of the world on diag item.
virtual void ServeContent(int fd);
 
//WebClientServlet and Root servlet virtual func
virtual int AddToSelectSet(fd_set &rd_set, fd_set &wr_set, fd_set &er_set);
 
//WebClientServlet  virtual function.
virtual void ActionComplete(eWebClientAction_t action); 
 
 
bool LoadKeys();
bool MakeKeys();
void CheckCert();
 
protected:
inline bool FlagIsSet(uint32_t flag){ return ((m_StatusFlags&flag)==flag); };
inline bool FlagIsClear(uint32_t flag){return ((m_StatusFlags&flag)==0); };
inline void SetFlag(uint32_t flag) {m_StatusFlags|=flag;};
inline void ClearFlag(uint32_t flag){m_StatusFlags &=(~flag); };
 
inline eAcmeServletState_t GetState() {return m_pvt_State;};
inline void SetState(eAcmeServletState_t s){m_pvt_State=s;}
 
 
bool bDiag;
 
 
 
 
public:
 
void Delete_Everything_Restart();
 
 
void SetDiag(bool v){bDiag=v; if(pAcmeSet) pAcmeSet->bDiag=v;}
 
// Access functions:
 
NBString GetGlobalStateString();
 
NBString GetStateString();
const char * GetStateCC();
 
//Get the current DNSName the servlet is using.
//NBString GetNames() {return (NBString)m_DnsName; };
 
 
 
AcmeServletObject(const char * pUrlDir):
DiagItemClass("ACMEClient"),
m_AcmeServerUrl(pUrlDir),
pAcmeSet(0),
m_pvt_State(eWaitStart),
m_Retry_Order(0),
m_Retry_Status(0),
m_Retry_Transaction(0),
m_StatusFlags(0),
bDiag(false)
{
};
 
 
friend AcmeAuthItem;
friend CertGenData *GetDataForCertGen();
 
 
 
 
 
 
};
 
 
class LetsEncryptAcmeServletObject : public AcmeServletObject
{
 
public:
 
LetsEncryptAcmeServletObject(const bool useStaging=false):
AcmeServletObject(
    (useStaging ? "https://acme-staging-v02.api.letsencrypt.org/directory" : "https://acme-v02.api.letsencrypt.org/directory")
){};
 
};
 
 
class BuyPassAcmeServletObject : public AcmeServletObject
{
 
public:
 
BuyPassAcmeServletObject():
AcmeServletObject(
    "https://api.buypass.com/acme/directory"
){};
 
};
 
#endif