Http-01 Challenge support (#72)

Author: jklamer

Cargo.toml

@@ -33,11 +33,12 @@ axum-server = { version = "0.7", features = ["tls-rustls-no-provider"], optional
 async-web-client = { version = "0.6.2", default-features = false }
 http = "1"
 blocking = "1.4.1"
+tower-service = { version = "0.3.3",  optional=true }
 
 [dev-dependencies]
 simple_logger = "4.3.3"
 clap = { version = "3.1.18", features = ["derive"] }
-axum = "0.7"
+axum = "0.8"
 tokio = { version="1.35.1", features = ["full"] }
 tokio-stream = { version="0.1.14", features = ["net"] }
 tokio-util = { version="0.7.10", features = ["compat"] }
@@ -59,13 +60,18 @@ rustdoc-args = ["--cfg", "doc_auto_cfg"]
 default = ["aws-lc-rs", "tls12"]
 ring = ["dep:ring", "async-web-client/ring", "rcgen/ring"]
 aws-lc-rs = ["dep:aws-lc-rs", "async-web-client/aws-lc-rs", "rcgen/aws_lc_rs"]
-axum = ["dep:axum-server", "tokio"]
+axum = ["dep:axum-server", "tower"]
+tower = ["dep:tower-service", "tokio"]
 tokio = ["dep:tokio", "dep:tokio-util"]
 tls12 = ["async-web-client/tls12"]
 
 [[example]]
-name="low_level_axum"
-required-features=["axum"]
+name = "low_level_axum"
+required-features = ["axum"]
+
+[[example]]
+name = "low_level_axum_http"
+required-features = ["axum", "tower"]
 
 [[example]]
 name="high_level_warp"

examples/low_level_axum_http.rs

@@ -0,0 +1,73 @@
+use axum::extract::{Path, State};
+use axum::response::{IntoResponse, Response};
+use axum::{routing::get, Router};
+use axum_server::bind;
+use clap::Parser;
+use http::{header, HeaderValue, StatusCode};
+use rustls_acme::caches::DirCache;
+use rustls_acme::tower::TowerHttp01ChallengeService;
+use rustls_acme::UseChallenge::Http01;
+use rustls_acme::{AcmeConfig, ResolvesServerCertAcme};
+use std::net::{Ipv6Addr, SocketAddr};
+use std::os::macos::raw::stat;
+use std::path::PathBuf;
+use std::sync::Arc;
+use tokio_stream::StreamExt;
+
+#[derive(Parser, Debug)]
+struct Args {
+    /// Domains
+    #[clap(short, required = true)]
+    domains: Vec<String>,
+
+    /// Contact info
+    #[clap(short)]
+    email: Vec<String>,
+
+    /// Cache directory
+    #[clap(short, parse(from_os_str))]
+    cache: Option<PathBuf>,
+
+    /// Use Let's Encrypt production environment
+    /// (see https://letsencrypt.org/docs/staging-environment/)
+    #[clap(long)]
+    prod: bool,
+
+    #[clap(short, long, default_value = "443")]
+    port: u16,
+}
+
+#[tokio::main]
+async fn main() {
+    simple_logger::init_with_level(log::Level::Info).unwrap();
+    let args = Args::parse();
+
+    let mut state = AcmeConfig::new(args.domains)
+        .contact(args.email.iter().map(|e| format!("mailto:{}", e)))
+        .cache_option(args.cache.clone().map(DirCache::new))
+        .directory_lets_encrypt(args.prod)
+        .challenge_type(Http01)
+        .state();
+    let acceptor = state.axum_acceptor(state.default_rustls_config());
+    let tower_service: TowerHttp01ChallengeService = state.http01_challenge_tower_service();
+    let http_challenge_app = Router::new().route_service("/.well-known/acme-challenge/{challenge_token}", tower_service);
+    tokio::spawn(challenge_http_app(http_challenge_app));
+
+    tokio::spawn(async move {
+        loop {
+            match state.next().await.unwrap() {
+                Ok(ok) => log::info!("event: {:?}", ok),
+                Err(err) => log::error!("error: {:?}", err),
+            }
+        }
+    });
+
+    let app = Router::new().route("/", get(|| async { "Hello Tls!" }));
+    let addr = SocketAddr::from((Ipv6Addr::UNSPECIFIED, args.port));
+    bind(addr).acceptor(acceptor).serve(app.into_make_service()).await.unwrap();
+}
+
+async fn challenge_http_app(http_challenge_app: Router) {
+    let listener = tokio::net::TcpListener::bind((Ipv6Addr::UNSPECIFIED, 80)).await.unwrap();
+    axum::serve(listener, http_challenge_app.into_make_service()).await.unwrap();
+}

src/acme.rs

@@ -1,11 +1,9 @@
-use std::sync::Arc;
-
 use crate::any_ecdsa_type;
 use crate::crypto::error::{KeyRejected, Unspecified};
 use crate::crypto::rand::SystemRandom;
 use crate::crypto::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING};
 use crate::https_helper::{https, HttpsRequestError};
-use crate::jose::{key_authorization_sha256, sign, JoseError};
+use crate::jose::{key_authorization, key_authorization_sha256, sign, JoseError};
 use base64::prelude::*;
 use futures_rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
 use futures_rustls::rustls::{sign::CertifiedKey, ClientConfig};
@@ -14,6 +12,7 @@ use http::{Method, Response};
 use rcgen::{CustomExtension, KeyPair, PKCS_ECDSA_P256_SHA256};
 use serde::{Deserialize, Serialize};
 use serde_json::json;
+use std::sync::Arc;
 use thiserror::Error;
 
 pub const LETS_ENCRYPT_STAGING_DIRECTORY: &str = "https://acme-staging-v02.api.letsencrypt.org/directory";
@@ -130,6 +129,15 @@ impl Account {
         let certified_key = CertifiedKey::new(vec![cert.der().clone()], sk);
         Ok((challenge, certified_key))
     }
+    pub fn http_01<'a>(&self, challenges: &'a [Challenge]) -> Result<(&'a Challenge, String), AcmeError> {
+        let challenge = challenges.iter().find(|c| c.typ == ChallengeType::Http01);
+        let challenge = match challenge {
+            Some(challenge) => challenge,
+            None => return Err(AcmeError::NoHttp01Challenge),
+        };
+        let key_auth = key_authorization(&self.key_pair, &challenge.token)?;
+        Ok((challenge, key_auth))
+    }
 }
 
 #[derive(Debug, Clone, Deserialize)]
@@ -245,6 +253,8 @@ pub enum AcmeError {
     MissingHeader(&'static str),
     #[error("no tls-alpn-01 challenge found")]
     NoTlsAlpn01Challenge,
+    #[error("no http-01 challenge found")]
+    NoHttp01Challenge,
 }
 
 impl From<http::Error> for AcmeError {

src/config.rs

@@ -1,5 +1,6 @@
 use crate::acme::{LETS_ENCRYPT_PRODUCTION_DIRECTORY, LETS_ENCRYPT_STAGING_DIRECTORY};
 use crate::caches::{BoxedErrCache, CompositeCache, NoCache};
+use crate::UseChallenge::TlsAlpn01;
 use crate::{crypto_provider, AccountCache, Cache, CertCache};
 use crate::{AcmeState, Incoming};
 use core::fmt;
@@ -21,6 +22,12 @@ pub struct AcmeConfig<EC: Debug, EA: Debug = EC> {
     pub(crate) domains: Vec<String>,
     pub(crate) contact: Vec<String>,
     pub(crate) cache: Box<dyn Cache<EC = EC, EA = EA>>,
+    pub(crate) challenge_type: UseChallenge,
+}
+
+pub enum UseChallenge {
+    Http01,
+    TlsAlpn01,
 }
 
 impl AcmeConfig<Infallible, Infallible> {
@@ -78,6 +85,7 @@ impl AcmeConfig<Infallible, Infallible> {
             domains: domains.into_iter().map(|s| s.as_ref().into()).collect(),
             contact: vec![],
             cache: Box::new(NoCache::default()),
+            challenge_type: TlsAlpn01,
         }
     }
 }
@@ -132,6 +140,7 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeConfig<EC, EA> {
             domains: self.domains,
             contact: self.contact,
             cache: Box::new(cache),
+            challenge_type: self.challenge_type,
         }
     }
     pub fn cache_compose<CC: 'static + CertCache, CA: 'static + AccountCache>(self, cert_cache: CC, account_cache: CA) -> AcmeConfig<CC::EC, CA::EA> {
@@ -146,6 +155,10 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeConfig<EC, EA> {
             None => self.cache(NoCache::<C::EC, C::EA>::default()),
         }
     }
+    pub fn challenge_type(mut self, challenge_type: UseChallenge) -> Self {
+        self.challenge_type = challenge_type;
+        self
+    }
     pub fn state(self) -> AcmeState<EC, EA> {
         AcmeState::new(self)
     }

src/jose.rs

@@ -23,9 +23,13 @@ pub(crate) fn sign(key: &EcdsaKeyPair, kid: Option<&str>, nonce: String, url: &s
     Ok(serde_json::to_string(&body)?)
 }
 
-pub(crate) fn key_authorization_sha256(key: &EcdsaKeyPair, token: &str) -> Result<Digest, JoseError> {
+pub(crate) fn key_authorization(key: &EcdsaKeyPair, token: &str) -> Result<String, JoseError> {
     let jwk = Jwk::new(key);
-    let key_authorization = format!("{}.{}", token, jwk.thumb_sha256_base64()?);
+    Ok(format!("{}.{}", token, jwk.thumb_sha256_base64()?))
+}
+
+pub(crate) fn key_authorization_sha256(key: &EcdsaKeyPair, token: &str) -> Result<Digest, JoseError> {
+    let key_authorization = key_authorization(key, token)?;
     Ok(digest(&SHA256, key_authorization.as_bytes()))
 }
 

src/lib.rs

@@ -122,6 +122,8 @@ mod resolver;
 mod state;
 #[cfg(feature = "tokio")]
 pub mod tokio;
+#[cfg(feature = "tower")]
+pub mod tower;
 
 pub use futures_rustls;
 

src/resolver.rs

@@ -1,13 +1,12 @@
+use crate::is_tls_alpn_challenge;
 use futures_rustls::rustls::{
     server::{ClientHello, ResolvesServerCert},
     sign::CertifiedKey,
 };
-use std::collections::BTreeMap;
+use std::fmt::Debug;
 use std::sync::Arc;
 use std::sync::Mutex;
 
-use crate::is_tls_alpn_challenge;
-
 #[derive(Debug)]
 pub struct ResolvesServerCertAcme {
     inner: Mutex<Inner>,
@@ -16,23 +15,47 @@ pub struct ResolvesServerCertAcme {
 #[derive(Debug)]
 struct Inner {
     cert: Option<Arc<CertifiedKey>>,
-    auth_keys: BTreeMap<String, Arc<CertifiedKey>>,
+    challenge_data: Option<ChallengeData>,
+}
+
+#[derive(Debug)]
+enum ChallengeData {
+    TlsAlpn01 { sni: String, cert: Arc<CertifiedKey> },
+    Http01 { token: String, key_auth: String },
 }
 
 impl ResolvesServerCertAcme {
     pub(crate) fn new() -> Arc<Self> {
         Arc::new(Self {
             inner: Mutex::new(Inner {
                 cert: None,
-                auth_keys: Default::default(),
+                challenge_data: None,
             }),
         })
     }
     pub(crate) fn set_cert(&self, cert: Arc<CertifiedKey>) {
         self.inner.lock().unwrap().cert = Some(cert);
     }
-    pub(crate) fn set_auth_key(&self, domain: String, cert: Arc<CertifiedKey>) {
-        self.inner.lock().unwrap().auth_keys.insert(domain, cert);
+    pub(crate) fn set_tls_alpn_01_challenge_data(&self, domain: String, cert: Arc<CertifiedKey>) {
+        self.inner.lock().unwrap().challenge_data = Some(ChallengeData::TlsAlpn01 { sni: domain, cert });
+    }
+    pub(crate) fn set_http_01_challenge_data(&self, token: String, key_auth: String) {
+        self.inner.lock().unwrap().challenge_data = Some(ChallengeData::Http01 { token, key_auth })
+    }
+    pub(crate) fn clear_challenge_data(&self) {
+        self.inner.lock().unwrap().challenge_data = None;
+    }
+    pub fn get_http_01_key_auth(&self, challenge_token: &str) -> Option<String> {
+        match &self.inner.lock().unwrap().challenge_data {
+            Some(ChallengeData::Http01 { token, key_auth }) => {
+                if token == challenge_token {
+                    Some(key_auth.clone())
+                } else {
+                    None
+                }
+            }
+            _ => None,
+        }
     }
 }
 
@@ -45,11 +68,16 @@ impl ResolvesServerCert for ResolvesServerCertAcme {
                     log::debug!("client did not supply SNI");
                     None
                 }
-                Some(domain) => {
-                    let domain = domain.to_owned();
-                    let domain: String = AsRef::<str>::as_ref(&domain).into();
-                    self.inner.lock().unwrap().auth_keys.get(&domain).cloned()
-                }
+                Some(domain) => match &self.inner.lock().unwrap().challenge_data {
+                    Some(ChallengeData::TlsAlpn01 { sni, cert }) => {
+                        if sni == domain {
+                            Some(cert.clone())
+                        } else {
+                            None
+                        }
+                    }
+                    _ => None,
+                },
             }
         } else {
             self.inner.lock().unwrap().cert.clone()