2016-11-01 17:27:57 +00:00
|
|
|
"use strict";
|
2016-11-01 19:16:43 +00:00
|
|
|
const plugins = require("./smartacme.plugins");
|
2016-11-03 17:57:42 +00:00
|
|
|
const q = require("q");
|
2016-11-01 17:27:57 +00:00
|
|
|
const crypto = require("crypto");
|
|
|
|
const fs = require("fs");
|
|
|
|
const readline = require("readline");
|
|
|
|
const smartacme_classes_jwebclient_1 = require("./smartacme.classes.jwebclient");
|
|
|
|
/**
|
|
|
|
* json_to_utf8buffer
|
|
|
|
* @private
|
|
|
|
* @description convert JSON to Buffer using UTF-8 encoding
|
|
|
|
* @param {Object} obj
|
|
|
|
* @return {Buffer}
|
|
|
|
* @throws Exception if object cannot be stringified or contains cycle
|
|
|
|
*/
|
2016-11-01 19:16:43 +00:00
|
|
|
let json_to_utf8buffer = (obj) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
return new Buffer(JSON.stringify(obj), 'utf8');
|
|
|
|
};
|
|
|
|
/**
|
|
|
|
* @class AcmeClient
|
|
|
|
* @constructor
|
|
|
|
* @description ACME protocol implementation from client perspective
|
|
|
|
* @param {string} directory_url - Address of directory
|
|
|
|
* @param {module:JWebClient~JWebClient} jWebClient - Reference to JSON-Web-Client
|
|
|
|
*/
|
|
|
|
class AcmeClient {
|
|
|
|
constructor(directoryUrlArg) {
|
|
|
|
/**
|
|
|
|
* @member {Object} module:AcmeClient~AcmeClient#clientProfilePubKey
|
|
|
|
* @desc Cached public key obtained from profile
|
|
|
|
*/
|
|
|
|
this.clientProfilePubKey = {};
|
|
|
|
/**
|
|
|
|
* @member {number} module:AcmeClient~AcmeClient#days_valid
|
|
|
|
* @desc Validity period in days
|
|
|
|
* @default 1
|
|
|
|
*/
|
2016-11-03 17:57:42 +00:00
|
|
|
this.daysValid = 1;
|
2016-11-01 17:27:57 +00:00
|
|
|
/**
|
|
|
|
* @member {number} module:AcmeClient~AcmeClient#defaultRsaKeySize
|
|
|
|
* @desc Key strength in bits
|
|
|
|
* @default 4096
|
|
|
|
*/
|
|
|
|
this.defaultRsaKeySize = 4096;
|
|
|
|
/**
|
|
|
|
* @member {Object} module:AcmeClient~AcmeClient#directory
|
|
|
|
* @desc Hash map of REST URIs
|
|
|
|
*/
|
|
|
|
this.directory = {};
|
|
|
|
/**
|
|
|
|
* @member {string} module:AcmeClient~AcmeClient#directory_url
|
|
|
|
* @desc Address of directory
|
|
|
|
*/
|
|
|
|
this.directoryUrl = directoryUrlArg;
|
|
|
|
/**
|
|
|
|
* @member {string} module:AcmeClient~AcmeClient#emailDefaultPrefix
|
|
|
|
* @desc Prefix of email address if constructed from domain name
|
|
|
|
* @default "hostmaster"
|
|
|
|
*/
|
|
|
|
this.emailDefaultPrefix = 'hostmaster'; // {string}
|
|
|
|
/**
|
|
|
|
* @member {string} module:AcmeClient~AcmeClient#emailOverride
|
|
|
|
* @desc Email address to use
|
|
|
|
*/
|
|
|
|
this.emailOverride = null; // {string}
|
|
|
|
/**
|
|
|
|
* @member {module:JWebClient~JWebClient} module:AcmeClient~AcmeClient#jWebClient
|
|
|
|
* @desc Reference to JSON-Web-Client
|
|
|
|
*/
|
|
|
|
this.jWebClient = new smartacme_classes_jwebclient_1.JWebClient(); // {JWebClient}
|
|
|
|
/**
|
|
|
|
* @member {string} module:AcmeClient~AcmeClient#regLink
|
|
|
|
* @desc Cached registration URI
|
|
|
|
*/
|
|
|
|
this.regLink = null; // {string}
|
|
|
|
/**
|
|
|
|
* @member {string} module:AcmeClient~AcmeClient#tosLink
|
|
|
|
* @desc Cached terms of service URI
|
|
|
|
*/
|
|
|
|
this.tosLink = null; // {string}
|
|
|
|
/**
|
|
|
|
* @member {string} module:AcmeClient~AcmeClient#webroot
|
|
|
|
* @desc Path to server web root (or path to store challenge data)
|
|
|
|
* @default "."
|
|
|
|
*/
|
|
|
|
this.webroot = '.'; // {string}
|
|
|
|
/**
|
|
|
|
* @member {string} module:AcmeClient~AcmeClient#well_known_path
|
|
|
|
* @desc Directory structure for challenge data
|
|
|
|
* @default "/.well-known/acme-challenge/"
|
|
|
|
*/
|
2016-11-03 17:57:42 +00:00
|
|
|
this.wellKnownPath = '/.well-known/acme-challenge/'; // {string}
|
2016-11-01 17:27:57 +00:00
|
|
|
/**
|
|
|
|
* @member {boolean} module:AcmeClient~AcmeClient#withInteraction
|
|
|
|
* @desc Determines if interaction of user is required
|
|
|
|
* @default true
|
|
|
|
*/
|
|
|
|
this.withInteraction = true; // {boolean}
|
|
|
|
}
|
|
|
|
// *****************************************************************************
|
|
|
|
// REQUEST-Section
|
|
|
|
// *****************************************************************************
|
|
|
|
/**
|
|
|
|
* getDirectory
|
|
|
|
* @description retrieve directory entries (directory url must be set prior to execution)
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
2016-11-03 17:57:42 +00:00
|
|
|
getDirectory() {
|
|
|
|
let done = q.defer();
|
|
|
|
this.jWebClient.get(this.directoryUrl)
|
|
|
|
.then((reqResArg) => {
|
|
|
|
done.resolve(reqResArg);
|
|
|
|
});
|
|
|
|
return done.promise;
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* newRegistration
|
|
|
|
* @description try to register (directory lookup must have occured prior to execution)
|
|
|
|
* @param {Object} payload
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
|
|
|
newRegistration(payload, callback) {
|
|
|
|
if (!(payload instanceof Object)) {
|
|
|
|
payload = {}; // ensure payload is object
|
|
|
|
}
|
|
|
|
payload.resource = 'new-reg';
|
|
|
|
this.jWebClient.post(this.directory['new-reg'], payload, callback, callback);
|
|
|
|
// dereference
|
|
|
|
callback = null;
|
|
|
|
payload = null;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* getRegistration
|
|
|
|
* @description get information about registration
|
|
|
|
* @param {string} uri - will be exposed when trying to register
|
|
|
|
* @param {Object} payload - update information
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
2016-11-03 17:57:42 +00:00
|
|
|
getRegistration(uri, payload) {
|
|
|
|
let done = q.defer();
|
2016-11-01 17:27:57 +00:00
|
|
|
payload['resource'] = 'reg';
|
2016-11-01 19:16:43 +00:00
|
|
|
this.jWebClient.post(uri, payload, (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (ans instanceof Object) {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.clientProfilePubKey = ans.key; // cache or reset returned public key
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((res instanceof Object) && (res['headers'] instanceof Object)) {
|
|
|
|
let linkStr = res.headers['link'];
|
|
|
|
if (typeof linkStr === 'string') {
|
2016-11-01 19:16:43 +00:00
|
|
|
let tosLink = this.getTosLink(linkStr);
|
2016-11-01 17:27:57 +00:00
|
|
|
if (typeof tosLink === 'string') {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.tosLink = tosLink; // cache TOS link
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.tosLink = null; // reset TOS link
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.tosLink = null; // reset TOS link
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.tosLink = null; // reset TOS link
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
2016-11-03 17:57:42 +00:00
|
|
|
done.resolve({ ans: ans, res: res });
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
2016-11-03 17:57:42 +00:00
|
|
|
done.reject(new Error('some error'));
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
});
|
2016-11-03 17:57:42 +00:00
|
|
|
return done.promise;
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* authorizeDomain
|
|
|
|
* @description authorize domain using challenge-response-method
|
|
|
|
* @param {string} domain
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
|
|
|
authorizeDomain(domain, callback) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (typeof callback !== 'function') {
|
|
|
|
callback = this.emptyCallback; // ensure callback is function
|
|
|
|
}
|
2016-11-03 17:57:42 +00:00
|
|
|
this.getProfile()
|
|
|
|
.then(profile => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (!(profile instanceof Object)) {
|
|
|
|
callback(false); // no profile returned
|
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.jWebClient.post(this.directory['new-authz'], this.makeDomainAuthorizationRequest(domain), (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((res instanceof Object) && (res['statusCode'] === 403)) {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.agreeTos(this.tosLink, (ans_, res_) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((res_ instanceof Object)
|
|
|
|
&& (res_['statusCode'] >= 200)
|
|
|
|
&& (res_['statusCode'] <= 400)) {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.authorizeDomain(domain, callback); // try authorization again
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // agreement failed
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
if ((res instanceof Object)
|
|
|
|
&& (res['headers'] instanceof Object)
|
|
|
|
&& (typeof res.headers['location'] === 'string')
|
|
|
|
&& (ans instanceof Object)) {
|
|
|
|
let poll_uri = res.headers['location']; // status URI for polling
|
2016-11-01 19:16:43 +00:00
|
|
|
let challenge = this.selectChallenge(ans, 'http-01'); // select simple http challenge
|
2016-11-01 17:27:57 +00:00
|
|
|
if (challenge instanceof Object) {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.prepareChallenge(domain, challenge, () => {
|
2016-11-01 17:27:57 +00:00
|
|
|
// reset
|
|
|
|
ans = null;
|
|
|
|
res = null;
|
|
|
|
// accept challenge
|
2016-11-01 19:16:43 +00:00
|
|
|
this.acceptChallenge(challenge, (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((res instanceof Object)
|
|
|
|
&& (res['statusCode'] < 400) // server confirms challenge acceptance
|
|
|
|
) {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.pollUntilValid(poll_uri, callback); // poll status until server states success
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // server did not confirm challenge acceptance
|
|
|
|
}
|
|
|
|
});
|
|
|
|
});
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // desired challenge is not in list
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // server did not respond with status URI
|
|
|
|
}
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* acceptChallenge
|
|
|
|
* @description tell server which challenge will be accepted
|
|
|
|
* @param {Object} challenge
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
|
|
|
acceptChallenge(challenge, callback) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (!(challenge instanceof Object)) {
|
|
|
|
challenge = {}; // ensure challenge is object
|
|
|
|
}
|
|
|
|
this.jWebClient.post(challenge['uri'], this.makeChallengeResponse(challenge), callback);
|
|
|
|
// dereference
|
|
|
|
callback = null;
|
|
|
|
challenge = null;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* pollUntilValid
|
|
|
|
* @description periodically (with exponential back-off) check status of challenge
|
|
|
|
* @param {string} uri
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
* @param {number} retry - factor of delay
|
|
|
|
*/
|
|
|
|
pollUntilValid(uri, callback, retry = 1) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (typeof callback !== 'function') {
|
|
|
|
callback = this.emptyCallback; // ensure callback is function
|
|
|
|
}
|
|
|
|
if (retry > 128) {
|
|
|
|
callback(false); // stop if retry value exceeds maximum
|
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.jWebClient.get(uri, (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (!(ans instanceof Object)) {
|
|
|
|
callback(false); // invalid answer
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
if (ans['status'] === 'pending') {
|
2016-11-01 19:16:43 +00:00
|
|
|
setTimeout(() => {
|
|
|
|
this.pollUntilValid(uri, callback, retry * 2); // retry
|
2016-11-01 17:27:57 +00:00
|
|
|
}, retry * 500);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(ans, res); // challenge complete
|
|
|
|
}
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* pollUntilIssued
|
|
|
|
* @description periodically (with exponential back-off) check status of CSR
|
|
|
|
* @param {string} uri
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
* @param {number} retry - factor of delay
|
|
|
|
*/
|
|
|
|
pollUntilIssued(uri, callback, retry = 1) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (typeof callback !== 'function') {
|
|
|
|
callback = this.emptyCallback; // ensure callback is function
|
|
|
|
}
|
|
|
|
if (retry > 128) {
|
|
|
|
callback(false); // stop if retry value exceeds maximum
|
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.jWebClient.get(uri, (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((ans instanceof Buffer) && (ans.length > 0)) {
|
|
|
|
callback(ans); // certificate was returned with answer
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
if ((res instanceof Object) && (res['statusCode'] < 400)) {
|
2016-11-01 19:16:43 +00:00
|
|
|
setTimeout(() => {
|
|
|
|
this.pollUntilIssued(uri, callback, retry * 2); // retry
|
2016-11-01 17:27:57 +00:00
|
|
|
}, retry * 500);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // CSR complete
|
|
|
|
}
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* requestSigning
|
|
|
|
* @description send CSR
|
|
|
|
* @param {string} domain - expected to be already sanitized
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
|
|
|
requestSigning(domain, callback) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (typeof callback !== 'function') {
|
|
|
|
callback = this.emptyCallback; // ensure callback is function
|
|
|
|
}
|
2016-11-01 19:16:43 +00:00
|
|
|
fs.readFile(domain + '.csr', (err, csrBuffer) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (err instanceof Object) {
|
2016-11-01 19:16:43 +00:00
|
|
|
if (this.jWebClient.verbose) {
|
2016-11-01 17:27:57 +00:00
|
|
|
console.error('Error : File system error', err['code'], 'while reading key from file');
|
|
|
|
}
|
|
|
|
callback(false);
|
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
let csr = csrBuffer.toString();
|
2016-11-03 17:57:42 +00:00
|
|
|
this.jWebClient.post(this.directory['new-cert'], this.makeCertRequest(csr, this.daysValid), (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((ans instanceof Buffer) && (ans.length > 0)) {
|
|
|
|
callback(ans); // certificate was returned with answer
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
if (res instanceof Object) {
|
|
|
|
if ((res['statusCode'] < 400) && !ans) {
|
|
|
|
let headers = res['headers'];
|
|
|
|
if (!(headers instanceof Object)) {
|
|
|
|
headers = {}; // ensure headers is object
|
|
|
|
}
|
2016-11-01 19:16:43 +00:00
|
|
|
this.pollUntilIssued(headers['location'], callback); // poll provided status URI
|
2016-11-01 17:27:57 +00:00
|
|
|
// dereference
|
|
|
|
headers = null;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback((res['statusCode'] < 400) ? ans : false); // answer may be provided as string or object
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // invalid response
|
|
|
|
}
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
/**
|
2016-11-03 17:57:42 +00:00
|
|
|
* retrieves profile of user (will make directory lookup and registration check)
|
2016-11-01 17:27:57 +00:00
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
2016-11-03 17:57:42 +00:00
|
|
|
getProfile() {
|
|
|
|
let done = q.defer();
|
|
|
|
this.getDirectory()
|
|
|
|
.then((dir) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (!(dir instanceof Object)) {
|
2016-11-03 17:57:42 +00:00
|
|
|
done.reject(new Error('server did not respond with directory'));
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.directory = dir; // cache directory
|
|
|
|
this.newRegistration(null, (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((res instanceof Object)
|
|
|
|
&& (res['headers'] instanceof Object)
|
|
|
|
&& (typeof res.headers['location'] === 'string')) {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.regLink = res.headers['location'];
|
2016-11-03 17:57:42 +00:00
|
|
|
this.getRegistration(this.regLink, null)
|
|
|
|
.then((reqResArg) => {
|
|
|
|
done.resolve();
|
|
|
|
}); // get registration info from link
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
2016-11-03 17:57:42 +00:00
|
|
|
done.reject(new Error('registration failed'));
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
});
|
2016-11-03 17:57:42 +00:00
|
|
|
return done.promise;
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* createAccount
|
|
|
|
* @description create new account (assumes directory lookup has already occured)
|
|
|
|
* @param {string} email
|
|
|
|
* @param {function} callback - first argument will be the registration URI
|
|
|
|
*/
|
|
|
|
createAccount(email, callback) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (typeof email === 'string') {
|
|
|
|
if (typeof callback !== 'function') {
|
|
|
|
callback = this.emptyCallback; // ensure callback is function
|
|
|
|
}
|
2016-11-01 19:16:43 +00:00
|
|
|
this.newRegistration({
|
2016-11-01 17:27:57 +00:00
|
|
|
contact: [
|
|
|
|
'mailto:' + email
|
|
|
|
]
|
2016-11-01 19:16:43 +00:00
|
|
|
}, (ans, res) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if ((res instanceof Object)
|
|
|
|
&& (res['statusCode'] === 201)
|
|
|
|
&& (res['headers'] instanceof Object)
|
|
|
|
&& (typeof res.headers['location'] === 'string')) {
|
2016-11-01 19:16:43 +00:00
|
|
|
this.regLink = res.headers['location'];
|
|
|
|
callback(this.regLink); // registration URI
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // registration failed
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
callback(false); // no email address provided
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* agreeTos
|
|
|
|
* @description agree with terms of service (update agreement status in profile)
|
|
|
|
* @param {string} tosLink
|
|
|
|
* @param {function} callback - first argument will be the answer object
|
|
|
|
*/
|
|
|
|
agreeTos(tosLink, callback) {
|
2016-11-03 17:57:42 +00:00
|
|
|
let done = q.defer();
|
2016-11-01 17:27:57 +00:00
|
|
|
this.getRegistration(this.regLink, {
|
|
|
|
'Agreement': tosLink // terms of service URI
|
2016-11-03 17:57:42 +00:00
|
|
|
}).then(() => { done.resolve(); });
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Entry-Point: Request certificate
|
|
|
|
* @param {string} domain
|
|
|
|
* @param {string} organization
|
|
|
|
* @param {string} country
|
|
|
|
* @param {function} callback
|
2016-11-03 17:57:42 +00:00
|
|
|
* @returns Promise
|
2016-11-01 17:27:57 +00:00
|
|
|
*/
|
2016-11-03 17:57:42 +00:00
|
|
|
requestCertificate(domain, organization, country) {
|
|
|
|
let done = q.defer();
|
|
|
|
this.getProfile()
|
|
|
|
.then((profile) => {
|
2016-11-01 19:16:43 +00:00
|
|
|
let email = this.extractEmail(profile); // try to determine email address from profile
|
|
|
|
let bit = this.defaultRsaKeySize;
|
2016-11-01 17:27:57 +00:00
|
|
|
// sanitize
|
|
|
|
bit = Number(bit);
|
2016-11-01 19:16:43 +00:00
|
|
|
country = this.makeSafeFileName(country);
|
|
|
|
domain = this.makeSafeFileName(domain);
|
|
|
|
email = this.makeSafeFileName(email);
|
|
|
|
organization = this.makeSafeFileName(organization);
|
2016-11-01 17:27:57 +00:00
|
|
|
// create key pair
|
2016-11-03 17:57:42 +00:00
|
|
|
this.createKeyPair(bit, country, organization, domain, email)
|
|
|
|
.then(() => {
|
|
|
|
this.requestSigning(domain, (cert) => {
|
|
|
|
if ((cert instanceof Buffer) || (typeof cert === 'string')) {
|
|
|
|
fs.writeFile(domain + '.der', cert, (err) => {
|
|
|
|
if (err instanceof Object) {
|
|
|
|
if (this.jWebClient.verbose) {
|
|
|
|
console.error('Error : File system error', err['code'], 'while writing certificate to file');
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
2016-11-03 17:57:42 +00:00
|
|
|
done.reject(err);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
done.resolve(); // CSR complete and certificate written to file system
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
done.reject('invalid certificate data');
|
|
|
|
}
|
|
|
|
});
|
2016-11-01 17:27:57 +00:00
|
|
|
});
|
|
|
|
});
|
2016-11-03 17:57:42 +00:00
|
|
|
return done.promise;
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* External: Create key pair
|
|
|
|
* @param {number} bit - key strength, expected to be already sanitized
|
|
|
|
* @param {string} c - country code, expected to be already sanitized
|
|
|
|
* @param {string} o - organization, expected to be already sanitized
|
|
|
|
* @param {string} cn - common name (domain name), expected to be already sanitized
|
|
|
|
* @param {string} e - email address, expected to be already sanitized
|
|
|
|
* @param {function} callback
|
|
|
|
*/
|
2016-11-03 17:57:42 +00:00
|
|
|
createKeyPair(bit, c, o, cn, e) {
|
|
|
|
let done = q.defer();
|
2016-11-01 17:27:57 +00:00
|
|
|
let openssl = `openssl req -new -nodes -newkey rsa:${bit} -sha256 -subj "/C=${c}/O=${o}/CN=${cn}/emailAddress=${e}" -keyout \"${cn}.key\" -outform der -out \"${cn}.csr\"`;
|
|
|
|
console.error('Action : Creating key pair');
|
|
|
|
if (this.jWebClient.verbose) {
|
|
|
|
console.error('Running:', openssl);
|
|
|
|
}
|
2016-11-03 17:57:42 +00:00
|
|
|
plugins.shelljs.exec(openssl, (codeArg, stdOutArg, stdErrorArg) => {
|
|
|
|
if (!stdErrorArg) {
|
|
|
|
done.resolve();
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
else {
|
2016-11-03 17:57:42 +00:00
|
|
|
done.reject(stdErrorArg);
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
});
|
2016-11-03 17:57:42 +00:00
|
|
|
return done.promise;
|
2016-11-01 17:27:57 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Helper: Empty callback
|
|
|
|
*/
|
|
|
|
emptyCallback() {
|
|
|
|
// nop
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Helper: Make safe file name or path from string
|
|
|
|
* @param {string} name
|
|
|
|
* @param {boolean} withPath - optional, default false
|
|
|
|
* @return {string}
|
|
|
|
*/
|
|
|
|
makeSafeFileName(name, withPath = false) {
|
|
|
|
if (typeof name !== 'string') {
|
|
|
|
name = '';
|
|
|
|
}
|
|
|
|
// respects file name restrictions for ntfs and ext2
|
2016-11-03 17:57:42 +00:00
|
|
|
let regexFile = '[<>:\"/\\\\\\|\\?\\*\\u0000-\\u001f\\u007f\\u0080-\\u009f]';
|
|
|
|
let regexPath = '[<>:\"\\\\\\|\\?\\*\\u0000-\\u001f\\u007f\\u0080-\\u009f]';
|
|
|
|
return name.replace(new RegExp(withPath ? regexPath : regexFile, 'g'), (charToReplace) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (typeof charToReplace === 'string') {
|
|
|
|
return '%' + charToReplace.charCodeAt(0).toString(16).toLocaleUpperCase();
|
|
|
|
}
|
|
|
|
return '%00';
|
|
|
|
});
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Helper: Prepare challenge
|
|
|
|
* @param {string} domain
|
|
|
|
* @param {Object} challenge
|
|
|
|
* @param {function} callback
|
|
|
|
*/
|
|
|
|
prepareChallenge(domain, challenge, callback) {
|
|
|
|
/*jshint -W069, unused:false*/
|
|
|
|
if (typeof callback !== 'function') {
|
|
|
|
callback = this.emptyCallback; // ensure callback is function
|
|
|
|
}
|
|
|
|
if (challenge instanceof Object) {
|
|
|
|
if (challenge['type'] === 'http-01') {
|
2016-11-03 17:57:42 +00:00
|
|
|
let path = this.webroot + this.wellKnownPath + challenge['token']; // webroot and well_known_path are expected to be already sanitized
|
2016-11-01 19:16:43 +00:00
|
|
|
fs.writeFile(path, this.makeKeyAuthorization(challenge), (err) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (err instanceof Object) {
|
2016-11-01 19:16:43 +00:00
|
|
|
if (this.jWebClient.verbose) {
|
2016-11-01 17:27:57 +00:00
|
|
|
console.error('Error : File system error', err['code'], 'while writing challenge data to file');
|
|
|
|
}
|
|
|
|
callback();
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
// let uri = "http://" + domain + this.well_known_path + challenge["token"]
|
|
|
|
let rl = readline.createInterface(process.stdin, process.stdout);
|
2016-11-01 19:16:43 +00:00
|
|
|
if (this.withInteraction) {
|
|
|
|
rl.question('Press enter to proceed', (answer) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
rl.close();
|
|
|
|
callback();
|
|
|
|
});
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
rl.close();
|
|
|
|
callback(); // skip interaction prompt if desired
|
|
|
|
}
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
console.error('Error : Challenge not supported');
|
|
|
|
callback();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
console.error('Error : Invalid challenge response');
|
|
|
|
callback();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Helper: Extract TOS Link, e.g. from "<http://...>;rel="terms-of-service"
|
|
|
|
* @param {string} linkStr
|
|
|
|
* @return {string}
|
|
|
|
*/
|
|
|
|
getTosLink(linkStr) {
|
|
|
|
let match = /(<)([^>]+)(>;rel="terms-of-service")/g.exec(linkStr);
|
|
|
|
if ((match instanceof Array) && (match.length > 2)) {
|
|
|
|
let result = match[2];
|
|
|
|
// dereference
|
|
|
|
match = null;
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Helper: Select challenge by type
|
|
|
|
* @param {Object} ans
|
|
|
|
* @param {string} challenge_type
|
|
|
|
* @return {Object}
|
|
|
|
*/
|
|
|
|
selectChallenge(ans, challengeType) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if ((ans instanceof Object) && (ans['challenges'] instanceof Array)) {
|
2016-11-01 19:16:43 +00:00
|
|
|
return ans.challenges.filter((entry) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
let type = entry['type'];
|
|
|
|
// dereference
|
|
|
|
entry = null;
|
|
|
|
if (type === challengeType) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}).pop();
|
|
|
|
} // return first match or undefined
|
|
|
|
// dereference
|
|
|
|
ans = null;
|
|
|
|
return void 0; // challenges not available or in expected format
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Helper: Extract first found email from profile (without mailto prefix)
|
|
|
|
* @param {Object} profile
|
|
|
|
* @return {string}
|
|
|
|
*/
|
|
|
|
extractEmail(profile) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (!(profile instanceof Object) || !(profile['contact'] instanceof Array)) {
|
|
|
|
// dereference
|
|
|
|
profile = null;
|
|
|
|
return void 0; // invalid profile
|
|
|
|
}
|
|
|
|
let prefix = 'mailto:';
|
2016-11-01 19:16:43 +00:00
|
|
|
let email = profile.contact.filter((entry) => {
|
2016-11-01 17:27:57 +00:00
|
|
|
if (typeof entry !== 'string') {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
return !entry.indexOf(prefix); // check for mail prefix
|
|
|
|
}
|
|
|
|
}).pop();
|
|
|
|
// dereference
|
|
|
|
profile = null;
|
|
|
|
if (typeof email !== 'string') {
|
|
|
|
return void 0;
|
|
|
|
} // return default
|
|
|
|
return email.substr(prefix.length); // only return email address without protocol prefix
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Make ACME-Request: Domain-Authorization Request - Object: resource, identifier
|
|
|
|
* @param {string} domain
|
|
|
|
* @return {{resource: string, identifier: Object}}
|
|
|
|
*/
|
|
|
|
makeDomainAuthorizationRequest(domain) {
|
|
|
|
return {
|
|
|
|
'resource': 'new-authz',
|
|
|
|
'identifier': {
|
|
|
|
'type': 'dns',
|
|
|
|
'value': domain
|
|
|
|
}
|
|
|
|
};
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Make ACME-Object: Key-Authorization (encoded) - String: Challenge-Token . Encoded-Account-Key-Hash
|
|
|
|
* @param {Object} challenge
|
|
|
|
* @return {string}
|
|
|
|
*/
|
|
|
|
makeKeyAuthorization(challenge) {
|
|
|
|
/*jshint -W069 */
|
|
|
|
if (challenge instanceof Object) {
|
|
|
|
if (this.clientProfilePubKey instanceof Object) {
|
|
|
|
let jwk = json_to_utf8buffer({
|
|
|
|
e: this.clientProfilePubKey['e'],
|
|
|
|
kty: this.clientProfilePubKey['kty'],
|
|
|
|
n: this.clientProfilePubKey['n']
|
|
|
|
});
|
|
|
|
let hash = crypto.createHash('sha256').update(jwk.toString('utf8'), 'utf8').digest();
|
2016-11-01 19:16:43 +00:00
|
|
|
// create base64 encoded hash of account key
|
|
|
|
let ACCOUNT_KEY = plugins.smartstring.base64.encodeUri(hash.toString());
|
2016-11-01 17:27:57 +00:00
|
|
|
let token = challenge['token'];
|
|
|
|
return token + '.' + ACCOUNT_KEY;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
return ''; // return default (for writing to file)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Make ACME-Request: Challenge-Response - Object: resource, keyAuthorization
|
|
|
|
* @param {Object} challenge
|
|
|
|
* @return {{resource: string, keyAuthorization: string}}
|
|
|
|
*/
|
|
|
|
makeChallengeResponse(challenge) {
|
|
|
|
return {
|
|
|
|
'resource': 'challenge',
|
|
|
|
'keyAuthorization': this.makeKeyAuthorization(challenge)
|
|
|
|
};
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Make ACME-Request: CSR - Object: resource, csr, notBefore, notAfter
|
|
|
|
* @param {string} csr
|
|
|
|
* @param {number} days_valid
|
|
|
|
* @return {{resource: string, csr: string, notBefore: string, notAfter: string}}
|
|
|
|
*/
|
|
|
|
makeCertRequest(csr, DAYS_VALID) {
|
|
|
|
if (typeof csr !== 'string' && !(csr instanceof Buffer)) {
|
|
|
|
csr = ''; // default string for CSR
|
|
|
|
}
|
|
|
|
if ((typeof DAYS_VALID !== 'number') || (isNaN(DAYS_VALID)) || (DAYS_VALID === 0)) {
|
|
|
|
DAYS_VALID = 1; // default validity duration (1 day)
|
|
|
|
}
|
2016-11-01 19:16:43 +00:00
|
|
|
let DOMAIN_CSR_DER = plugins.smartstring.base64.encodeUri(csr); // create base64 encoded CSR
|
2016-11-01 17:27:57 +00:00
|
|
|
let CURRENT_DATE = (new Date()).toISOString(); // set start date to current date
|
|
|
|
// set end date to current date + days_valid
|
|
|
|
let NOTAFTER_DATE = (new Date((+new Date()) + 1000 * 60 * 60 * 24 * Math.abs(DAYS_VALID))).toISOString();
|
|
|
|
return {
|
|
|
|
'resource': 'new-cert',
|
|
|
|
'csr': DOMAIN_CSR_DER,
|
|
|
|
'notBefore': CURRENT_DATE,
|
|
|
|
'notAfter': NOTAFTER_DATE
|
|
|
|
};
|
|
|
|
}
|
|
|
|
}
|
|
|
|
exports.AcmeClient = AcmeClient;
|
2016-11-03 17:57:42 +00:00
|
|
|
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic21hcnRhY21lLmNsYXNzZXMuYWNtZWNsaWVudC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3RzL3NtYXJ0YWNtZS5jbGFzc2VzLmFjbWVjbGllbnQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBLCtDQUE4QztBQUM5Qyx1QkFBc0I7QUFFdEIsaUNBQWdDO0FBQ2hDLHlCQUF3QjtBQUN4QixxQ0FBb0M7QUFDcEMsaUZBQTJEO0FBRzNEOzs7Ozs7O0dBT0c7QUFDSCxJQUFJLGtCQUFrQixHQUFHLENBQUMsR0FBRztJQUN6QixNQUFNLENBQUMsSUFBSSxNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsRUFBRSxNQUFNLENBQUMsQ0FBQTtBQUNsRCxDQUFDLENBQUE7QUFFRDs7Ozs7O0dBTUc7QUFDSDtJQWNJLFlBQVksZUFBZTtRQUN2Qjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsbUJBQW1CLEdBQUcsRUFBRSxDQUFBO1FBQzdCOzs7O1dBSUc7UUFDSCxJQUFJLENBQUMsU0FBUyxHQUFHLENBQUMsQ0FBQTtRQUNsQjs7OztXQUlHO1FBQ0gsSUFBSSxDQUFDLGlCQUFpQixHQUFHLElBQUksQ0FBQTtRQUM3Qjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsU0FBUyxHQUFHLEVBQUUsQ0FBQTtRQUNuQjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsWUFBWSxHQUFHLGVBQWUsQ0FBQTtRQUNuQzs7OztXQUlHO1FBQ0gsSUFBSSxDQUFDLGtCQUFrQixHQUFHLFlBQVksQ0FBQSxDQUFDLFdBQVc7UUFDbEQ7OztXQUdHO1FBQ0gsSUFBSSxDQUFDLGFBQWEsR0FBRyxJQUFJLENBQUEsQ0FBQyxXQUFXO1FBQ3JDOzs7V0FHRztRQUNILElBQUksQ0FBQyxVQUFVLEdBQUcsSUFBSSx5Q0FBVSxFQUFFLENBQUEsQ0FBQyxlQUFlO1FBQ2xEOzs7V0FHRztRQUNILElBQUksQ0FBQyxPQUFPLEdBQUcsSUFBSSxDQUFBLENBQUMsV0FBVztRQUMvQjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQSxDQUFDLFdBQVc7UUFDL0I7Ozs7V0FJRztRQUNILElBQUksQ0FBQyxPQUFPLEdBQUcsR0FBRyxDQUFBLENBQUMsV0FBVztRQUM5Qjs7OztXQUlHO1FBQ0gsSUFBSSxDQUFDLGFBQWEsR0FBRyw4QkFBOEIsQ0FBQSxDQUFDLFdBQVc7UUFDL0Q7Ozs7V0FJRztRQUNILElBQUksQ0FBQyxlQUFlLEdBQUcsSUFBSSxDQUFBLENBQUMsWUFBWTtJQUM1QyxDQUFDO0lBRUQsZ0ZBQWdGO0lBQ2hGLGtCQUFrQjtJQUNsQixnRkFBZ0Y7SUFFaEY7Ozs7T0FJRztJQUNILFlBQVk7UUFDUixJQUFJLElBQUksR0FBRyxDQUFDLENBQUMsS0FBSyxFQUFjLENBQUE7UUFDaEMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQzthQUNqQyxJQUFJLENBQUMsQ0FBQyxTQUFxQjtZQUN4QixJQUFJLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxDQUFBO1FBQzNCLENBQUMsQ0FBQyxDQUFBO1FBQ04sTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUE7SUFDdkIsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0gsZUFBZSxDQUFDLE9BQU8sRUFBRSxRQUFRO1FBQzdCLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxPQUFPLFlBQVksTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQy9CLE9BQU8sR0FBRyxFQUFFLENBQUEsQ0FBQywyQkFBMkI7UUFDNUMsQ0FBQztRQUNELE9BQU8sQ0FBQyxRQUFRLEdBQUcsU0FBUyxDQUFBO1FBQzVCLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLEVBQUUsT0FBTyxFQUFFLFFBQVEsRUFBRSxRQUFRLENBQUMsQ0FBQTtRQUM1RSxjQUFjO1FBQ2QsUUFBUSxHQUFHLElBQUksQ0FBQTtRQUNmLE9BQU8sR0FBRyxJQUFJLENBQUE7SUFDbEIsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILGVBQWUsQ0FBQyxHQUFHLEVBQUUsT0FBTztRQUN4QixJQUFJLElBQUksR0FBRyxDQUFDLENBQUMsS0FBSyxFQUFjLENBQUE7UUFDaEMsT0FBTyxDQUFDLFVBQVUsQ0FBQyxHQUFHLEtBQUssQ0FBQTtRQUMzQixJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsT0FBTyxFQUFFLENBQUMsR0FBRyxFQUFFLEdBQUc7WUFDeEMsRUFBRSxDQUFDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUM7Z0JBQ3hCLElBQUksQ0FBQyxtQkFBbUIsR0FBRyxHQUFHLENBQUMsR0FBRyxDQUFBLENBQUMscUNBQXFDO2dCQUN4RSxFQUFFLENBQUMsQ0FBQyxDQUFDLEdBQUcsWUFBWSxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxTQUFTLENBQUMsWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7b0JBQ2hFLElBQUksT0FBTyxHQUFHLEdBQUcsQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLENBQUE7b0JBQ2pDLEVBQUUsQ0FBQyxDQUFDLE9BQU8sT0FBTyxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUM7d0JBQzlCLElBQUksT0FBTyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUE7d0JBQ3RDLEVBQUUsQ0FBQyxDQUFDLE9BQU8sT0FBTyxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUM7NEJBQzlCLElBQUksQ0FBQyxPQUFPLEdBQUcsT0FBTyxDQUFBLENBQUMsaUJBQWlCO3dCQUM1QyxDQUFDO3dCQUFDLElBQUksQ0FBQyxDQUFDOzRCQUNKLElBQUksQ0FBQyxPQUFPLEdBQUcsSUFBSSxDQUFBLENBQUMsaUJBQWlCO3dCQUN6QyxDQUFDO29CQUNMLENBQUM7b0JBQUMsSUFBSSxDQUFDLENBQUM7d0JBQ0osSUFBSSxDQUFDLE9BQU8sR0FBRyxJQUFJLENBQUEsQ0FBQyxpQkFBaUI7b0JBQ3pDLENBQUM7Z0JBQ0wsQ0FBQztnQkFBQyxJQUFJLENBQUMsQ0FBQztvQkFDSixJQUFJLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQSxDQUFDLGlCQUFpQjtnQkFDekMsQ0FBQztnQkFDRCxJQUFJLENBQUMsT0FBTyxDQUFDLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUMsQ0FBQTtZQUN4QyxDQUFDO1lBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ0osSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLEtBQUssQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFBO1lBQ3hDLENBQUM7UUFDTCxDQUFDLENBQUMsQ0FBQTtRQUNGLE1BQU0sQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFBO
|