From 904cf09788c5572869f7b8f3a6a1ee431af8de1a Mon Sep 17 00:00:00 2001 From: PhilKunz Date: Tue, 1 Nov 2016 18:27:57 +0100 Subject: [PATCH] first version --- .gitignore | 4 + .gitlab-ci.yml | 59 ++ LICENSE | 20 + dist/index.d.ts | 1 + dist/index.js | 6 + dist/smartacme.classes.acmeclient.d.ts | 195 ++++++ dist/smartacme.classes.acmeclient.js | 903 ++++++++++++++++++++++++ dist/smartacme.classes.jwebclient.d.ts | 61 ++ dist/smartacme.classes.jwebclient.js | 283 ++++++++ dist/smartacme.classes.smartacme.d.ts | 5 + dist/smartacme.classes.smartacme.js | 9 + dist/smartacme.plugins.d.ts | 3 + dist/smartacme.plugins.js | 5 + package.json | 38 + test/test.d.ts | 1 + test/test.js | 7 + test/test.ts | 10 + ts/index.ts | 1 + ts/smartacme.classes.acmeclient.ts | 923 +++++++++++++++++++++++++ ts/smartacme.classes.jwebclient.ts | 294 ++++++++ ts/smartacme.classes.smartacme.ts | 9 + ts/smartacme.plugins.ts | 6 + tslint.json | 3 + 23 files changed, 2846 insertions(+) create mode 100644 .gitignore create mode 100644 .gitlab-ci.yml create mode 100644 LICENSE create mode 100644 dist/index.d.ts create mode 100644 dist/index.js create mode 100644 dist/smartacme.classes.acmeclient.d.ts create mode 100644 dist/smartacme.classes.acmeclient.js create mode 100644 dist/smartacme.classes.jwebclient.d.ts create mode 100644 dist/smartacme.classes.jwebclient.js create mode 100644 dist/smartacme.classes.smartacme.d.ts create mode 100644 dist/smartacme.classes.smartacme.js create mode 100644 dist/smartacme.plugins.d.ts create mode 100644 dist/smartacme.plugins.js create mode 100644 package.json create mode 100644 test/test.d.ts create mode 100644 test/test.js create mode 100644 test/test.ts create mode 100644 ts/index.ts create mode 100644 ts/smartacme.classes.acmeclient.ts create mode 100644 ts/smartacme.classes.jwebclient.ts create mode 100644 ts/smartacme.classes.smartacme.ts create mode 100644 ts/smartacme.plugins.ts create mode 100644 tslint.json 
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3f93687 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +node_modules/ +coverage/ +public/ +pages/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..05f1805 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,59 @@ +image: hosttoday/ht-docker-node:npmts + +stages: +- test +- release +- trigger +- pages + +testLEGACY: + stage: test + script: + - npmci test legacy + tags: + - docker + allow_failure: true + +testLTS: + stage: test + script: + - npmci test lts + tags: + - docker + +testSTABLE: + stage: test + script: + - npmci test stable + tags: + - docker + +release: + stage: release + script: + - npmci publish + only: + - tags + tags: + - docker + +trigger: + stage: trigger + script: + - npmci trigger + only: + - tags + tags: + - docker + +pages: + image: hosttoday/ht-docker-node:npmpage + stage: pages + script: + - npmci command npmpage --host gitlab + only: + - tags + artifacts: + expire_in: 1 week + paths: + - public \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..86a2642 --- /dev/null +++ b/LICENSE 
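Review bot: The `release` job runs `npmci publish` inside an image pulled by a mutable tag (`image: hosttoday/ht-docker-node:npmts`, and `:npmpage` for `pages`), so whatever that tag resolves to on the day of the run executes with the publish credentials the job presumably holds; pin the images by digest, e.g. `image: hosttoday/ht-docker-node@sha256:<digest>`, or at minimum an immutable version tag. `release` and `trigger` are gated only by `only: - tags`, which any contributor able to push a tag can satisfy; if the forge supports it, restrict them to protected tags so publishing a new package version requires the protected-ref permission set rather than plain push access. Both points apply to the `.gitlab-ci.yml` hunk only; the `.gitignore` hunk sharing this line needs nothing.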
@@ -0,0 +1,20 @@ +Copyright (C) 2016, Lossless GmbH +Copyright (C) 2016, Martin Springwald + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/dist/index.d.ts b/dist/index.d.ts new file mode 100644 index 0000000..7c69782 --- /dev/null +++ b/dist/index.d.ts @@ -0,0 +1 @@ +export * from './smartacme.classes.smartacme'; diff --git a/dist/index.js b/dist/index.js new file mode 100644 index 0000000..112a28c --- /dev/null +++ b/dist/index.js @@ -0,0 +1,6 @@ +"use strict"; +function __export(m) { + for (var p in m) if (!exports.hasOwnProperty(p)) exports[p] = m[p]; +} +__export(require("./smartacme.classes.smartacme")); +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi90cy9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7O0FBQUEsbURBQTZDIn0= \ No newline at end of file 
diff --git a/dist/smartacme.classes.acmeclient.d.ts b/dist/smartacme.classes.acmeclient.d.ts new file mode 100644 index 0000000..973cc01 --- /dev/null +++ b/dist/smartacme.classes.acmeclient.d.ts 
@@ -0,0 +1,195 @@ +/** + * @class AcmeClient + * @constructor + * @description ACME protocol implementation from client perspective + * @param {string} directory_url - Address of directory + * @param {module:JWebClient~JWebClient} jWebClient - Reference to JSON-Web-Client + */ +export declare class AcmeClient { + clientProfilePubKey: any; + days_valid: number; + defaultRsaKeySize: number; + directory: any; + directoryUrl: string; + emailDefaultPrefix: string; + emailOverride: string; + jWebClient: any; + regLink: string; + tosLink: string; + webroot: string; + well_known_path: string; + withInteraction: boolean; + constructor(directoryUrlArg: any); + /** + * getDirectory + * @description retrieve directory entries (directory url must be set prior to execution) + * @param {function} callback - first argument will be the answer object + */ + getDirectory(callback: any): void; + /** + * newRegistration + * @description try to register (directory lookup must have occured prior to execution) + * @param {Object} payload + * @param {function} callback - first argument will be the answer object + */ + newRegistration(payload: any, callback: any): void; + /** + * getRegistration + * @description get information about registration + * @param {string} uri - will be exposed when trying to register + * @param {Object} payload - update information + * @param {function} callback - first argument will be the answer object + */ + getRegistration(uri: any, payload: any, callback: any): void; + /** + * authorizeDomain + * @description authorize domain using challenge-response-method + * @param {string} domain + * @param {function} callback - first argument will be the answer object + */ + authorizeDomain(domain: any, callback: any): void; + /** + * acceptChallenge + * @description tell server which challenge will be accepted + * @param {Object} challenge + * @param {function} callback - first argument will be the answer object + */ + acceptChallenge(challenge: any, callback: any): 
void; + /** + * pollUntilValid + * @description periodically (with exponential back-off) check status of challenge + * @param {string} uri + * @param {function} callback - first argument will be the answer object + * @param {number} retry - factor of delay + */ + pollUntilValid(uri: any, callback: any, retry?: number): void; + /** + * pollUntilIssued + * @description periodically (with exponential back-off) check status of CSR + * @param {string} uri + * @param {function} callback - first argument will be the answer object + * @param {number} retry - factor of delay + */ + pollUntilIssued(uri: any, callback: any, retry?: number): void; + /** + * requestSigning + * @description send CSR + * @param {string} domain - expected to be already sanitized + * @param {function} callback - first argument will be the answer object + */ + requestSigning(domain: any, callback: any): void; + /** + * getProfile + * @description retrieve profile of user (will make directory lookup and registration check) + * @param {function} callback - first argument will be the answer object + */ + getProfile(callback: any): void; + /** + * createAccount + * @description create new account (assumes directory lookup has already occured) + * @param {string} email + * @param {function} callback - first argument will be the registration URI + */ + createAccount(email: any, callback: any): void; + /** + * agreeTos + * @description agree with terms of service (update agreement status in profile) + * @param {string} tosLink + * @param {function} callback - first argument will be the answer object + */ + agreeTos(tosLink: any, callback: any): void; + /** + * Entry-Point: Request certificate + * @param {string} domain + * @param {string} organization + * @param {string} country + * @param {function} callback + */ + requestCertificate(domain: any, organization: any, country: any, callback: any): void; + /** + * External: Create key pair + * @param {number} bit - key strength, expected to be already 
sanitized + * @param {string} c - country code, expected to be already sanitized + * @param {string} o - organization, expected to be already sanitized + * @param {string} cn - common name (domain name), expected to be already sanitized + * @param {string} e - email address, expected to be already sanitized + * @param {function} callback + */ + createKeyPair(bit: any, c: any, o: any, cn: any, e: any, callback: any): void; + /** + * Helper: Empty callback + */ + emptyCallback(): void; + /** + * Helper: Make safe file name or path from string + * @param {string} name + * @param {boolean} withPath - optional, default false + * @return {string} + */ + makeSafeFileName(name: any, withPath?: boolean): any; + /** + * Helper: Prepare challenge + * @param {string} domain + * @param {Object} challenge + * @param {function} callback + */ + prepareChallenge(domain: any, challenge: any, callback: any): void; + /** + * Helper: Extract TOS Link, e.g. from "<http://...>;rel="terms-of-service" + * @param {string} linkStr + * @return {string} + */ + getTosLink(linkStr: any): string; + /** + * Helper: Select challenge by type + * @param {Object} ans + * @param {string} challenge_type + * @return {Object} + */ + selectChallenge(ans: any, challengeType: string): any; + /** + * Helper: Extract first found email from profile (without mailto prefix) + * @param {Object} profile + * @return {string} + */ + extractEmail(profile: any): string; + /** + * Make ACME-Request: Domain-Authorization Request - Object: resource, identifier + * @param {string} domain + * @return {{resource: string, identifier: Object}} + */ + makeDomainAuthorizationRequest(domain: any): { + 'resource': string; + 'identifier': { + 'type': string; + 'value': any; + }; + }; + /** + * Make ACME-Object: Key-Authorization (encoded) - String: Challenge-Token . 
Encoded-Account-Key-Hash + * @param {Object} challenge + * @return {string} + */ + makeKeyAuthorization(challenge: any): string; + /** + * Make ACME-Request: Challenge-Response - Object: resource, keyAuthorization + * @param {Object} challenge + * @return {{resource: string, keyAuthorization: string}} + */ + makeChallengeResponse(challenge: any): { + 'resource': string; + 'keyAuthorization': string; + }; + /** + * Make ACME-Request: CSR - Object: resource, csr, notBefore, notAfter + * @param {string} csr + * @param {number} days_valid + * @return {{resource: string, csr: string, notBefore: string, notAfter: string}} + */ + makeCertRequest(csr: any, DAYS_VALID: number): { + 'resource': string; + 'csr': string; + 'notBefore': string; + 'notAfter': string; + }; +} diff --git a/dist/smartacme.classes.acmeclient.js b/dist/smartacme.classes.acmeclient.js new file mode 100644 index 0000000..f2e2ddf --- /dev/null +++ b/dist/smartacme.classes.acmeclient.js 
@@ -0,0 +1,903 @@ +"use strict"; +const base64url = require("base64url"); +const child_process = require("child_process"); +const crypto = require("crypto"); +const fs = require("fs"); +const readline = require("readline"); +const smartacme_classes_jwebclient_1 = require("./smartacme.classes.jwebclient"); +/** + * json_to_utf8buffer + * @private + * @description convert JSON to Buffer using UTF-8 encoding + * @param {Object} obj + * @return {Buffer} + * @throws Exception if object cannot be stringified or contains cycle + */ +let json_to_utf8buffer = function (obj) { + return new Buffer(JSON.stringify(obj), 'utf8'); +}; +/** + * @class AcmeClient + * @constructor + * @description ACME protocol implementation from client perspective + * @param {string} directory_url - Address of directory + * @param {module:JWebClient~JWebClient} jWebClient - Reference to JSON-Web-Client + */ +class AcmeClient { + constructor(directoryUrlArg) { + /** + * @member {Object} module:AcmeClient~AcmeClient#clientProfilePubKey + * @desc Cached public key obtained from profile + */ + this.clientProfilePubKey = {}; + /** + * @member {number} module:AcmeClient~AcmeClient#days_valid + * @desc Validity period in days + * @default 1 + */ + this.days_valid = 1; + /** + * @member {number} module:AcmeClient~AcmeClient#defaultRsaKeySize + * @desc Key strength in bits + * @default 4096 + */ + this.defaultRsaKeySize = 4096; + /** + * @member {Object} module:AcmeClient~AcmeClient#directory + * @desc Hash map of REST URIs + */ + this.directory = {}; + /** + * @member {string} module:AcmeClient~AcmeClient#directory_url + * @desc Address of directory + */ + this.directoryUrl = directoryUrlArg; + /** + * @member {string} module:AcmeClient~AcmeClient#emailDefaultPrefix + * @desc Prefix of email address if constructed from domain name + * @default "hostmaster" + */ + this.emailDefaultPrefix = 'hostmaster'; // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#emailOverride + * @desc Email 
address to use + */ + this.emailOverride = null; // {string} + /** + * @member {module:JWebClient~JWebClient} module:AcmeClient~AcmeClient#jWebClient + * @desc Reference to JSON-Web-Client + */ + this.jWebClient = new smartacme_classes_jwebclient_1.JWebClient(); // {JWebClient} + /** + * @member {string} module:AcmeClient~AcmeClient#regLink + * @desc Cached registration URI + */ + this.regLink = null; // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#tosLink + * @desc Cached terms of service URI + */ + this.tosLink = null; // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#webroot + * @desc Path to server web root (or path to store challenge data) + * @default "." + */ + this.webroot = '.'; // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#well_known_path + * @desc Directory structure for challenge data + * @default "/.well-known/acme-challenge/" + */ + this.well_known_path = '/.well-known/acme-challenge/'; // {string} + /** + * @member {boolean} module:AcmeClient~AcmeClient#withInteraction + * @desc Determines if interaction of user is required + * @default true + */ + this.withInteraction = true; // {boolean} + } + // ***************************************************************************** + // REQUEST-Section + // ***************************************************************************** + /** + * getDirectory + * @description retrieve directory entries (directory url must be set prior to execution) + * @param {function} callback - first argument will be the answer object + */ + getDirectory(callback) { + this.jWebClient.get(this.directoryUrl, callback, callback); + // dereference + callback = null; + } + /** + * newRegistration + * @description try to register (directory lookup must have occured prior to execution) + * @param {Object} payload + * @param {function} callback - first argument will be the answer object + */ + newRegistration(payload, callback) { + if (!(payload instanceof Object)) { + 
payload = {}; // ensure payload is object + } + payload.resource = 'new-reg'; + this.jWebClient.post(this.directory['new-reg'], payload, callback, callback); + // dereference + callback = null; + payload = null; + } + /** + * getRegistration + * @description get information about registration + * @param {string} uri - will be exposed when trying to register + * @param {Object} payload - update information + * @param {function} callback - first argument will be the answer object + */ + getRegistration(uri, payload, callback) { + /*jshint -W069 */ + let ctx = this; + if (!(payload instanceof Object)) { + payload = {}; // ensure payload is object + } + payload['resource'] = 'reg'; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + this.jWebClient.post(uri, payload, function (ans, res) { + if (ans instanceof Object) { + ctx.clientProfilePubKey = ans.key; // cache or reset returned public key + if ((res instanceof Object) && (res['headers'] instanceof Object)) { + let linkStr = res.headers['link']; + if (typeof linkStr === 'string') { + let tosLink = ctx.getTosLink(linkStr); + if (typeof tosLink === 'string') { + ctx.tosLink = tosLink; // cache TOS link + } + else { + ctx.tosLink = null; // reset TOS link + } + } + else { + ctx.tosLink = null; // reset TOS link + } + } + else { + ctx.tosLink = null; // reset TOS link + } + callback(ans, res); + } + else { + callback(false); + } + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + }); + // dereference + payload = null; + } + /** + * authorizeDomain + * @description authorize domain using challenge-response-method + * @param {string} domain + * @param {function} callback - first argument will be the answer object + */ + authorizeDomain(domain, callback) { + /*jshint -W069 */ + let ctx = this; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + this.getProfile(function (profile) { 
+ if (!(profile instanceof Object)) { + callback(false); // no profile returned + // dereference + callback = null; + ctx = null; + } + else { + ctx.jWebClient.post(ctx.directory['new-authz'], ctx.makeDomainAuthorizationRequest(domain), function (ans, res) { + if ((res instanceof Object) && (res['statusCode'] === 403)) { + ctx.agreeTos(ctx.tosLink, function (ans_, res_) { + if ((res_ instanceof Object) + && (res_['statusCode'] >= 200) + && (res_['statusCode'] <= 400)) { + ctx.authorizeDomain(domain, callback); // try authorization again + } + else { + callback(false); // agreement failed + } + // dereference + ans = null; + ans_ = null; + callback = null; + ctx = null; + profile = null; + res = null; + res_ = null; + }); + } + else { + if ((res instanceof Object) + && (res['headers'] instanceof Object) + && (typeof res.headers['location'] === 'string') + && (ans instanceof Object)) { + let poll_uri = res.headers['location']; // status URI for polling + let challenge = ctx.selectChallenge(ans, 'http-01'); // select simple http challenge + if (challenge instanceof Object) { + ctx.prepareChallenge(domain, challenge, function () { + // reset + ans = null; + res = null; + // accept challenge + ctx.acceptChallenge(challenge, function (ans, res) { + if ((res instanceof Object) + && (res['statusCode'] < 400) // server confirms challenge acceptance + ) { + ctx.pollUntilValid(poll_uri, callback); // poll status until server states success + } + else { + callback(false); // server did not confirm challenge acceptance + } + // dereference + ans = null; + callback = null; + challenge = null; + ctx = null; + profile = null; + res = null; + }); + }); + } + else { + callback(false); // desired challenge is not in list + // dereference + ans = null; + callback = null; + ctx = null; + profile = null; + res = null; + } + } + else { + callback(false); // server did not respond with status URI + // dereference + ans = null; + callback = null; + ctx = null; + profile = null; + res = 
null; + } + } + }); + } + }); + } + /** + * acceptChallenge + * @description tell server which challenge will be accepted + * @param {Object} challenge + * @param {function} callback - first argument will be the answer object + */ + acceptChallenge(challenge, callback) { + /*jshint -W069 */ + if (!(challenge instanceof Object)) { + challenge = {}; // ensure challenge is object + } + this.jWebClient.post(challenge['uri'], this.makeChallengeResponse(challenge), callback); + // dereference + callback = null; + challenge = null; + } + /** + * pollUntilValid + * @description periodically (with exponential back-off) check status of challenge + * @param {string} uri + * @param {function} callback - first argument will be the answer object + * @param {number} retry - factor of delay + */ + pollUntilValid(uri, callback, retry = 1) { + /*jshint -W069 */ + let ctx = this; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + if (retry > 128) { + callback(false); // stop if retry value exceeds maximum + } + else { + this.jWebClient.get(uri, function (ans, res) { + if (!(ans instanceof Object)) { + callback(false); // invalid answer + // dereference + callback = null; + ctx = null; + res = null; + } + else { + if (ans['status'] === 'pending') { + setTimeout(function () { + ctx.pollUntilValid(uri, callback, retry * 2); // retry + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + }, retry * 500); + } + else { + callback(ans, res); // challenge complete + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + } + } + }); + } + } + /** + * pollUntilIssued + * @description periodically (with exponential back-off) check status of CSR + * @param {string} uri + * @param {function} callback - first argument will be the answer object + * @param {number} retry - factor of delay + */ + pollUntilIssued(uri, callback, retry = 1) { + /*jshint -W069 */ + let ctx = this; + if (typeof 
callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + if (retry > 128) { + callback(false); // stop if retry value exceeds maximum + } + else { + this.jWebClient.get(uri, function (ans, res) { + if ((ans instanceof Buffer) && (ans.length > 0)) { + callback(ans); // certificate was returned with answer + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + } + else { + if ((res instanceof Object) && (res['statusCode'] < 400)) { + setTimeout(function () { + ctx.pollUntilIssued(uri, callback, retry * 2); // retry + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + }, retry * 500); + } + else { + callback(false); // CSR complete + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + } + } + }); + } + } + /** + * requestSigning + * @description send CSR + * @param {string} domain - expected to be already sanitized + * @param {function} callback - first argument will be the answer object + */ + requestSigning(domain, callback) { + /*jshint -W069 */ + let ctx = this; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + fs.readFile(domain + '.csr', function (err, csr) { + if (err instanceof Object) { + if (ctx.jWebClient.verbose) { + console.error('Error : File system error', err['code'], 'while reading key from file'); + } + callback(false); + // dereference + callback = null; + csr = null; + ctx = null; + err = null; + } + else { + ctx.jWebClient.post(ctx.directory['new-cert'], ctx.makeCertRequest(csr, ctx.days_valid), function (ans, res) { + if ((ans instanceof Buffer) && (ans.length > 0)) { + callback(ans); // certificate was returned with answer + // dereference + ans = null; + callback = null; + csr = null; + ctx = null; + err = null; + res = null; + } + else { + if (res instanceof Object) { + if ((res['statusCode'] < 400) && !ans) { + let headers = res['headers']; + if (!(headers instanceof 
Object)) { + headers = {}; // ensure headers is object + } + ctx.pollUntilIssued(headers['location'], callback); // poll provided status URI + // dereference + headers = null; + } + else { + callback((res['statusCode'] < 400) ? ans : false); // answer may be provided as string or object + } + } + else { + callback(false); // invalid response + } + // dereference + ans = null; + callback = null; + csr = null; + ctx = null; + err = null; + res = null; + } + }); + } + }); + } + /** + * getProfile + * @description retrieve profile of user (will make directory lookup and registration check) + * @param {function} callback - first argument will be the answer object + */ + getProfile(callback) { + /*jshint -W069 */ + let ctx = this; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + this.getDirectory(function (dir) { + if (!(dir instanceof Object)) { + callback(false); // server did not respond with directory + // dereference + callback = null; + ctx = null; + } + else { + ctx.directory = dir; // cache directory + ctx.newRegistration(null, function (ans, res) { + if ((res instanceof Object) + && (res['headers'] instanceof Object) + && (typeof res.headers['location'] === 'string')) { + ctx.regLink = res.headers['location']; + ctx.getRegistration(ctx.regLink, null, callback); // get registration info from link + } + else { + callback(false); // registration failed + } + // dereference + ans = null; + callback = null; + ctx = null; + dir = null; + res = null; + }); + } + }); + } + /** + * createAccount + * @description create new account (assumes directory lookup has already occured) + * @param {string} email + * @param {function} callback - first argument will be the registration URI + */ + createAccount(email, callback) { + /*jshint -W069 */ + let ctx = this; + if (typeof email === 'string') { + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + 
ctx.newRegistration({ + contact: [ + 'mailto:' + email + ] + }, function (ans, res) { + if ((res instanceof Object) + && (res['statusCode'] === 201) + && (res['headers'] instanceof Object) + && (typeof res.headers['location'] === 'string')) { + ctx.regLink = res.headers['location']; + callback(ctx.regLink); // registration URI + } + else { + callback(false); // registration failed + } + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + }); + } + else { + callback(false); // no email address provided + // dereference + callback = null; + ctx = null; + } + } + /** + * agreeTos + * @description agree with terms of service (update agreement status in profile) + * @param {string} tosLink + * @param {function} callback - first argument will be the answer object + */ + agreeTos(tosLink, callback) { + this.getRegistration(this.regLink, { + 'Agreement': tosLink // terms of service URI + }, callback); + // dereference + callback = null; + } + /** + * Entry-Point: Request certificate + * @param {string} domain + * @param {string} organization + * @param {string} country + * @param {function} callback + */ + requestCertificate(domain, organization, country, callback) { + /*jshint -W069 */ + let ctx = this; + if (typeof domain !== 'string') { + domain = ''; // ensure domain is string + } + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + this.getProfile(function (profile) { + let email = ctx.extractEmail(profile); // try to determine email address from profile + if (typeof ctx.emailOverride === 'string') { + email = ctx.emailOverride; // override email address if set + } + else if (typeof email !== 'string') { + email = ctx.emailDefaultPrefix + '@' + domain; // or set default + } + let bit = ctx.defaultRsaKeySize; + // sanitize + bit = Number(bit); + country = ctx.makeSafeFileName(country); + domain = ctx.makeSafeFileName(domain); + email = ctx.makeSafeFileName(email); + organization = 
ctx.makeSafeFileName(organization); + // create key pair + ctx.createKeyPair(bit, country, organization, domain, email, function (e) { + if (!e) { + ctx.requestSigning(domain, function (cert) { + if ((cert instanceof Buffer) || (typeof cert === 'string')) { + fs.writeFile(domain + '.der', cert, function (err) { + if (err instanceof Object) { + if (ctx.jWebClient.verbose) { + console.error('Error : File system error', err['code'], 'while writing certificate to file'); + } + callback(false); + } + else { + callback(true); // CSR complete and certificate written to file system + } + // dereference + callback = null; + cert = null; + ctx = null; + e = null; + err = null; + profile = null; + }); + } + else { + callback(false); // invalid certificate data + // dereference + callback = null; + cert = null; + ctx = null; + e = null; + profile = null; + } + }); + } + else { + callback(false); // could not create key pair + // dereference + callback = null; + ctx = null; + e = null; + profile = null; + } + }); + }); + } + /** + * External: Create key pair + * @param {number} bit - key strength, expected to be already sanitized + * @param {string} c - country code, expected to be already sanitized + * @param {string} o - organization, expected to be already sanitized + * @param {string} cn - common name (domain name), expected to be already sanitized + * @param {string} e - email address, expected to be already sanitized + * @param {function} callback + */ + createKeyPair(bit, c, o, cn, e, callback) { + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + let openssl = `openssl req -new -nodes -newkey rsa:${bit} -sha256 -subj "/C=${c}/O=${o}/CN=${cn}/emailAddress=${e}" -keyout \"${cn}.key\" -outform der -out \"${cn}.csr\"`; + console.error('Action : Creating key pair'); + if (this.jWebClient.verbose) { + console.error('Running:', openssl); + } + child_process.exec(openssl, function (e) { + if (!e) { + 
console.error('Result : done'); + } + else { + console.error('Result : failed'); + } + callback(e); + // dereference + callback = null; + e = null; + }); + } + /** + * Helper: Empty callback + */ + emptyCallback() { + // nop + } + /** + * Helper: Make safe file name or path from string + * @param {string} name + * @param {boolean} withPath - optional, default false + * @return {string} + */ + makeSafeFileName(name, withPath = false) { + if (typeof name !== 'string') { + name = ''; + } + // respects file name restrictions for ntfs and ext2 + let regex_file = '[<>:\"/\\\\\\|\\?\\*\\u0000-\\u001f\\u007f\\u0080-\\u009f]'; + let regex_path = '[<>:\"\\\\\\|\\?\\*\\u0000-\\u001f\\u007f\\u0080-\\u009f]'; + return name.replace(new RegExp(withPath ? regex_path : regex_file, 'g'), function (charToReplace) { + if (typeof charToReplace === 'string') { + return '%' + charToReplace.charCodeAt(0).toString(16).toLocaleUpperCase(); + } + return '%00'; + }); + } + /** + * Helper: Prepare challenge + * @param {string} domain + * @param {Object} challenge + * @param {function} callback + */ + prepareChallenge(domain, challenge, callback) { + /*jshint -W069, unused:false*/ + let ctx = this; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + if (challenge instanceof Object) { + if (challenge['type'] === 'http-01') { + let path = this.webroot + this.well_known_path + challenge['token']; // webroot and well_known_path are expected to be already sanitized + fs.writeFile(path, this.makeKeyAuthorization(challenge), function (err) { + if (err instanceof Object) { + if (ctx.jWebClient.verbose) { + console.error('Error : File system error', err['code'], 'while writing challenge data to file'); + } + callback(); + // dereference + callback = null; + challenge = null; + ctx = null; + err = null; + } + else { + // let uri = "http://" + domain + this.well_known_path + challenge["token"] + let rl = readline.createInterface(process.stdin, 
process.stdout); + if (ctx.withInteraction) { + rl.question('Press enter to proceed', function (answer) { + rl.close(); + callback(); + // dereference + callback = null; + challenge = null; + ctx = null; + rl = null; + }); + } + else { + rl.close(); + callback(); // skip interaction prompt if desired + // dereference + callback = null; + challenge = null; + ctx = null; + rl = null; + } + } + }); + } + else { + console.error('Error : Challenge not supported'); + callback(); + // dereference + callback = null; + challenge = null; + ctx = null; + } + } + else { + console.error('Error : Invalid challenge response'); + callback(); + // dereference + callback = null; + challenge = null; + ctx = null; + } + } + /** + * Helper: Extract TOS Link, e.g. from "<http://...>;rel="terms-of-service" + * @param {string} linkStr + * @return {string} + */ + getTosLink(linkStr) { + let match = /(<)([^>]+)(>;rel="terms-of-service")/g.exec(linkStr); + if ((match instanceof Array) && (match.length > 2)) { + let result = match[2]; + // dereference + match = null; + return result; + } + // dereference + match = null; + return void 0; + } + /** + * Helper: Select challenge by type + * @param {Object} ans + * @param {string} challenge_type + * @return {Object} + */ + selectChallenge(ans, challengeType) { + /*jshint -W069 */ + if ((ans instanceof Object) && (ans['challenges'] instanceof Array)) { + return ans.challenges.filter(function (entry) { + let type = entry['type']; + // dereference + entry = null; + if (type === challengeType) { + return true; + } + return false; + }).pop(); + } // return first match or undefined + // dereference + ans = null; + return void 0; // challenges not available or in expected format + } + /** + * Helper: Extract first found email from profile (without mailto prefix) + * @param {Object} profile + * @return {string} + */ + extractEmail(profile) { + /*jshint -W069 */ + if (!(profile instanceof Object) || !(profile['contact'] instanceof Array)) { + // 
dereference + profile = null; + return void 0; // invalid profile + } + let prefix = 'mailto:'; + let email = profile.contact.filter(function (entry) { + if (typeof entry !== 'string') { + return false; + } + else { + return !entry.indexOf(prefix); // check for mail prefix + } + }).pop(); + // dereference + profile = null; + if (typeof email !== 'string') { + return void 0; + } // return default + return email.substr(prefix.length); // only return email address without protocol prefix + } + /** + * Make ACME-Request: Domain-Authorization Request - Object: resource, identifier + * @param {string} domain + * @return {{resource: string, identifier: Object}} + */ + makeDomainAuthorizationRequest(domain) { + return { + 'resource': 'new-authz', + 'identifier': { + 'type': 'dns', + 'value': domain + } + }; + } + /** + * Make ACME-Object: Key-Authorization (encoded) - String: Challenge-Token . Encoded-Account-Key-Hash + * @param {Object} challenge + * @return {string} + */ + makeKeyAuthorization(challenge) { + /*jshint -W069 */ + if (challenge instanceof Object) { + if (this.clientProfilePubKey instanceof Object) { + let jwk = json_to_utf8buffer({ + e: this.clientProfilePubKey['e'], + kty: this.clientProfilePubKey['kty'], + n: this.clientProfilePubKey['n'] + }); + let hash = crypto.createHash('sha256').update(jwk.toString('utf8'), 'utf8').digest(); + let ACCOUNT_KEY = base64url.default.encode(hash); // create base64 encoded hash of account key + let token = challenge['token']; + // dereference + challenge = null; + jwk = null; + return token + '.' 
+ ACCOUNT_KEY; + } + } + else { + return ''; // return default (for writing to file) + } + } + /** + * Make ACME-Request: Challenge-Response - Object: resource, keyAuthorization + * @param {Object} challenge + * @return {{resource: string, keyAuthorization: string}} + */ + makeChallengeResponse(challenge) { + return { + 'resource': 'challenge', + 'keyAuthorization': this.makeKeyAuthorization(challenge) + }; + } + /** + * Make ACME-Request: CSR - Object: resource, csr, notBefore, notAfter + * @param {string} csr + * @param {number} days_valid + * @return {{resource: string, csr: string, notBefore: string, notAfter: string}} + */ + makeCertRequest(csr, DAYS_VALID) { + if (typeof csr !== 'string' && !(csr instanceof Buffer)) { + csr = ''; // default string for CSR + } + if ((typeof DAYS_VALID !== 'number') || (isNaN(DAYS_VALID)) || (DAYS_VALID === 0)) { + DAYS_VALID = 1; // default validity duration (1 day) + } + let DOMAIN_CSR_DER = base64url.default.encode(csr); // create base64 encoded CSR + let CURRENT_DATE = (new Date()).toISOString(); // set start date to current date + // set end date to current date + days_valid + let NOTAFTER_DATE = (new Date((+new Date()) + 1000 * 60 * 60 * 24 * Math.abs(DAYS_VALID))).toISOString(); + return { + 'resource': 'new-cert', + 'csr': DOMAIN_CSR_DER, + 'notBefore': CURRENT_DATE, + 'notAfter': NOTAFTER_DATE + }; + } +} +exports.AcmeClient = AcmeClient; +//# 
sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic21hcnRhY21lLmNsYXNzZXMuYWNtZWNsaWVudC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3RzL3NtYXJ0YWNtZS5jbGFzc2VzLmFjbWVjbGllbnQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUNBLHVDQUFzQztBQUN0QywrQ0FBOEM7QUFDOUMsaUNBQWdDO0FBQ2hDLHlCQUF3QjtBQUN4QixxQ0FBb0M7QUFDcEMsaUZBQTJEO0FBRTNEOzs7Ozs7O0dBT0c7QUFDSCxJQUFJLGtCQUFrQixHQUFHLFVBQVUsR0FBRztJQUNsQyxNQUFNLENBQUMsSUFBSSxNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsRUFBRSxNQUFNLENBQUMsQ0FBQTtBQUNsRCxDQUFDLENBQUE7QUFFRDs7Ozs7O0dBTUc7QUFDSDtJQWNJLFlBQVksZUFBZTtRQUN2Qjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsbUJBQW1CLEdBQUcsRUFBRSxDQUFBO1FBQzdCOzs7O1dBSUc7UUFDSCxJQUFJLENBQUMsVUFBVSxHQUFHLENBQUMsQ0FBQTtRQUNuQjs7OztXQUlHO1FBQ0gsSUFBSSxDQUFDLGlCQUFpQixHQUFHLElBQUksQ0FBQTtRQUM3Qjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsU0FBUyxHQUFHLEVBQUUsQ0FBQTtRQUNuQjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsWUFBWSxHQUFHLGVBQWUsQ0FBQTtRQUNuQzs7OztXQUlHO1FBQ0gsSUFBSSxDQUFDLGtCQUFrQixHQUFHLFlBQVksQ0FBQSxDQUFDLFdBQVc7UUFDbEQ7OztXQUdHO1FBQ0gsSUFBSSxDQUFDLGFBQWEsR0FBRyxJQUFJLENBQUEsQ0FBQyxXQUFXO1FBQ3JDOzs7V0FHRztRQUNILElBQUksQ0FBQyxVQUFVLEdBQUcsSUFBSSx5Q0FBVSxFQUFFLENBQUEsQ0FBQyxlQUFlO1FBQ2xEOzs7V0FHRztRQUNILElBQUksQ0FBQyxPQUFPLEdBQUcsSUFBSSxDQUFBLENBQUMsV0FBVztRQUMvQjs7O1dBR0c7UUFDSCxJQUFJLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQSxDQUFDLFdBQVc7UUFDL0I7Ozs7V0FJRztRQUNILElBQUksQ0FBQyxPQUFPLEdBQUcsR0FBRyxDQUFBLENBQUMsV0FBVztRQUM5Qjs7OztXQUlHO1FBQ0gsSUFBSSxDQUFDLGVBQWUsR0FBRyw4QkFBOEIsQ0FBQSxDQUFDLFdBQVc7UUFDakU7Ozs7V0FJRztRQUNILElBQUksQ0FBQyxlQUFlLEdBQUcsSUFBSSxDQUFBLENBQUMsWUFBWTtJQUM1QyxDQUFDO0lBRUQsZ0ZBQWdGO0lBQ2hGLGtCQUFrQjtJQUNsQixnRkFBZ0Y7SUFFaEY7Ozs7T0FJRztJQUNILFlBQVksQ0FBQyxRQUFRO1FBQ2pCLElBQUksQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsUUFBUSxFQUFFLFFBQVEsQ0FBQyxDQUFBO1FBQzFELGNBQWM7UUFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO0lBQ25CLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNILGVBQWUsQ0FBQyxPQUFPLEVBQUUsUUFBUTtRQUM3QixFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsT0FBTyxZQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUMvQixPQUFPLE
dBQUcsRUFBRSxDQUFBLENBQUMsMkJBQTJCO1FBQzVDLENBQUM7UUFDRCxPQUFPLENBQUMsUUFBUSxHQUFHLFNBQVMsQ0FBQTtRQUM1QixJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxFQUFFLE9BQU8sRUFBRSxRQUFRLEVBQUUsUUFBUSxDQUFDLENBQUE7UUFDNUUsY0FBYztRQUNkLFFBQVEsR0FBRyxJQUFJLENBQUE7UUFDZixPQUFPLEdBQUcsSUFBSSxDQUFBO0lBQ2xCLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxlQUFlLENBQUMsR0FBRyxFQUFFLE9BQU8sRUFBRSxRQUFRO1FBQ2xDLGlCQUFpQjtRQUNqQixJQUFJLEdBQUcsR0FBRyxJQUFJLENBQUE7UUFDZCxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsT0FBTyxZQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUMvQixPQUFPLEdBQUcsRUFBRSxDQUFBLENBQUMsMkJBQTJCO1FBQzVDLENBQUM7UUFDRCxPQUFPLENBQUMsVUFBVSxDQUFDLEdBQUcsS0FBSyxDQUFBO1FBQzNCLEVBQUUsQ0FBQyxDQUFDLE9BQU8sUUFBUSxLQUFLLFVBQVUsQ0FBQyxDQUFDLENBQUM7WUFDakMsUUFBUSxHQUFHLElBQUksQ0FBQyxhQUFhLENBQUEsQ0FBQyw4QkFBOEI7UUFDaEUsQ0FBQztRQUNELElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxPQUFPLEVBQUUsVUFBVSxHQUFHLEVBQUUsR0FBRztZQUNqRCxFQUFFLENBQUMsQ0FBQyxHQUFHLFlBQVksTUFBTSxDQUFDLENBQUMsQ0FBQztnQkFDeEIsR0FBRyxDQUFDLG1CQUFtQixHQUFHLEdBQUcsQ0FBQyxHQUFHLENBQUEsQ0FBQyxxQ0FBcUM7Z0JBQ3ZFLEVBQUUsQ0FBQyxDQUFDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLFNBQVMsQ0FBQyxZQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQztvQkFDaEUsSUFBSSxPQUFPLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQTtvQkFDakMsRUFBRSxDQUFDLENBQUMsT0FBTyxPQUFPLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQzt3QkFDOUIsSUFBSSxPQUFPLEdBQUcsR0FBRyxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQTt3QkFDckMsRUFBRSxDQUFDLENBQUMsT0FBTyxPQUFPLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQzs0QkFDOUIsR0FBRyxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUEsQ0FBQyxpQkFBaUI7d0JBQzNDLENBQUM7d0JBQUMsSUFBSSxDQUFDLENBQUM7NEJBQ0osR0FBRyxDQUFDLE9BQU8sR0FBRyxJQUFJLENBQUEsQ0FBQyxpQkFBaUI7d0JBQ3hDLENBQUM7b0JBQ0wsQ0FBQztvQkFBQyxJQUFJLENBQUMsQ0FBQzt3QkFDSixHQUFHLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQSxDQUFDLGlCQUFpQjtvQkFDeEMsQ0FBQztnQkFDTCxDQUFDO2dCQUFDLElBQUksQ0FBQyxDQUFDO29CQUNKLEdBQUcsQ0FBQyxPQUFPLEdBQUcsSUFBSSxDQUFBLENBQUMsaUJBQWlCO2dCQUN4QyxDQUFDO2dCQUNELFFBQVEsQ0FBQyxHQUFHLEVBQUUsR0FBRyxDQU
FDLENBQUE7WUFDdEIsQ0FBQztZQUFDLElBQUksQ0FBQyxDQUFDO2dCQUNKLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQTtZQUNuQixDQUFDO1lBQ0QsY0FBYztZQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7WUFDVixRQUFRLEdBQUcsSUFBSSxDQUFBO1lBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTtZQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7UUFDZCxDQUFDLENBQUMsQ0FBQTtRQUNGLGNBQWM7UUFDZCxPQUFPLEdBQUcsSUFBSSxDQUFBO0lBQ2xCLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNILGVBQWUsQ0FBQyxNQUFNLEVBQUUsUUFBUTtRQUM1QixpQkFBaUI7UUFDakIsSUFBSSxHQUFHLEdBQUcsSUFBSSxDQUFBO1FBQ2QsRUFBRSxDQUFDLENBQUMsT0FBTyxRQUFRLEtBQUssVUFBVSxDQUFDLENBQUMsQ0FBQztZQUNqQyxRQUFRLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQSxDQUFDLDhCQUE4QjtRQUNoRSxDQUFDO1FBQ0QsSUFBSSxDQUFDLFVBQVUsQ0FBQyxVQUFVLE9BQU87WUFDN0IsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQy9CLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQSxDQUFDLHNCQUFzQjtnQkFDdEMsY0FBYztnQkFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO2dCQUNmLEdBQUcsR0FBRyxJQUFJLENBQUE7WUFDZCxDQUFDO1lBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ0osR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLFNBQVMsQ0FBQyxXQUFXLENBQUMsRUFBRSxHQUFHLENBQUMsOEJBQThCLENBQUMsTUFBTSxDQUFDLEVBQUUsVUFBVSxHQUFHLEVBQUUsR0FBRztvQkFDMUcsRUFBRSxDQUFDLENBQUMsQ0FBQyxHQUFHLFlBQVksTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLEtBQUssR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDO3dCQUN6RCxHQUFHLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsVUFBVSxJQUFJLEVBQUUsSUFBSTs0QkFDMUMsRUFBRSxDQUFDLENBQ0MsQ0FBQyxJQUFJLFlBQVksTUFBTSxDQUFDO21DQUNyQixDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsSUFBSSxHQUFHLENBQUM7bUNBQzNCLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxJQUFJLEdBQUcsQ0FDakMsQ0FBQyxDQUFDLENBQUM7Z0NBQ0MsR0FBRyxDQUFDLGVBQWUsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUEsQ0FBRSwwQkFBMEI7NEJBQ3JFLENBQUM7NEJBQUMsSUFBSSxDQUFDLENBQUM7Z0NBQ0osUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBLENBQUMsbUJBQW1COzRCQUN2QyxDQUFDOzRCQUNELGNBQWM7NEJBQ2QsR0FBRyxHQUFHLElBQUksQ0FBQTs0QkFDVixJQUFJLEdBQUcsSUFBSSxDQUFBOzRCQUNYLFFBQVEsR0FBRyxJQUFJLENBQUE7NEJBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTs0QkFDVixPQUFPLEdBQUcsSUFBSSxDQUFBOzRCQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7NEJBQ1YsSUFBSSxHQUFHLElBQUksQ0FBQT
t3QkFDZixDQUFDLENBQUMsQ0FBQTtvQkFDTixDQUFDO29CQUFDLElBQUksQ0FBQyxDQUFDO3dCQUNKLEVBQUUsQ0FBQyxDQUNDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQzsrQkFDcEIsQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLFlBQVksTUFBTSxDQUFDOytCQUNsQyxDQUFDLE9BQU8sR0FBRyxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsS0FBSyxRQUFRLENBQUM7K0JBQzdDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FDN0IsQ0FBQyxDQUFDLENBQUM7NEJBQ0MsSUFBSSxRQUFRLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsQ0FBQSxDQUFDLHlCQUF5Qjs0QkFDaEUsSUFBSSxTQUFTLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBQyxHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUEsQ0FBQywrQkFBK0I7NEJBQ25GLEVBQUUsQ0FBQyxDQUFDLFNBQVMsWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDO2dDQUM5QixHQUFHLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxFQUFFLFNBQVMsRUFBRTtvQ0FDcEMsUUFBUTtvQ0FDUixHQUFHLEdBQUcsSUFBSSxDQUFBO29DQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7b0NBQ1YsbUJBQW1CO29DQUNuQixHQUFHLENBQUMsZUFBZSxDQUFDLFNBQVMsRUFBRSxVQUFVLEdBQUcsRUFBRSxHQUFHO3dDQUM3QyxFQUFFLENBQUMsQ0FDQyxDQUFDLEdBQUcsWUFBWSxNQUFNLENBQUM7K0NBQ3BCLENBQUMsR0FBRyxDQUFDLFlBQVksQ0FBQyxHQUFHLEdBQUcsQ0FBQyxDQUFDLHVDQUF1Qzt3Q0FDeEUsQ0FBQyxDQUFDLENBQUM7NENBQ0MsR0FBRyxDQUFDLGNBQWMsQ0FBQyxRQUFRLEVBQUUsUUFBUSxDQUFDLENBQUEsQ0FBQywwQ0FBMEM7d0NBQ3JGLENBQUM7d0NBQUMsSUFBSSxDQUFDLENBQUM7NENBQ0osUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBLENBQUMsOENBQThDO3dDQUNsRSxDQUFDO3dDQUNELGNBQWM7d0NBQ2QsR0FBRyxHQUFHLElBQUksQ0FBQTt3Q0FDVixRQUFRLEdBQUcsSUFBSSxDQUFBO3dDQUNmLFNBQVMsR0FBRyxJQUFJLENBQUE7d0NBQ2hCLEdBQUcsR0FBRyxJQUFJLENBQUE7d0NBQ1YsT0FBTyxHQUFHLElBQUksQ0FBQTt3Q0FDZCxHQUFHLEdBQUcsSUFBSSxDQUFBO29DQUNkLENBQUMsQ0FBQyxDQUFBO2dDQUNOLENBQUMsQ0FBQyxDQUFBOzRCQUNOLENBQUM7NEJBQUMsSUFBSSxDQUFDLENBQUM7Z0NBQ0osUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBLENBQUMsbUNBQW1DO2dDQUNuRCxjQUFjO2dDQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7Z0NBQ1YsUUFBUSxHQUFHLElBQUksQ0FBQTtnQ0FDZixHQUFHLEdBQUcsSUFBSSxDQUFBO2dDQUNWLE9BQU8sR0FBRyxJQUFJLENBQUE7Z0NBQ2QsR0FBRyxHQUFHLElBQUksQ0FBQTs0QkFDZCxDQUFDO3dCQUNMLENBQUM7d0JBQUMsSUFBSSxDQUFDLENBQUM7NEJBQ0osUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBLENBQUMseUNBQXlDOzRCQUN6RCxjQUFjOzRCQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7NEJBQ1YsUUFBUSxHQUFHLElBQUksQ0FBQTs0QkFDZi
xHQUFHLEdBQUcsSUFBSSxDQUFBOzRCQUNWLE9BQU8sR0FBRyxJQUFJLENBQUE7NEJBQ2QsR0FBRyxHQUFHLElBQUksQ0FBQTt3QkFDZCxDQUFDO29CQUNMLENBQUM7Z0JBQ0wsQ0FBQyxDQUFDLENBQUE7WUFDTixDQUFDO1FBQ0wsQ0FBQyxDQUFDLENBQUE7SUFDTixDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSCxlQUFlLENBQUMsU0FBUyxFQUFFLFFBQVE7UUFDL0IsaUJBQWlCO1FBQ2pCLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTLFlBQVksTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ2pDLFNBQVMsR0FBRyxFQUFFLENBQUEsQ0FBQyw2QkFBNkI7UUFDaEQsQ0FBQztRQUNELElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxLQUFLLENBQUMsRUFBRSxJQUFJLENBQUMscUJBQXFCLENBQUMsU0FBUyxDQUFDLEVBQUUsUUFBUSxDQUFDLENBQUE7UUFDdkYsY0FBYztRQUNkLFFBQVEsR0FBRyxJQUFJLENBQUE7UUFDZixTQUFTLEdBQUcsSUFBSSxDQUFBO0lBQ3BCLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxjQUFjLENBQUMsR0FBRyxFQUFFLFFBQVEsRUFBRSxLQUFLLEdBQUcsQ0FBQztRQUNuQyxpQkFBaUI7UUFDakIsSUFBSSxHQUFHLEdBQUcsSUFBSSxDQUFBO1FBQ2QsRUFBRSxDQUFDLENBQUMsT0FBTyxRQUFRLEtBQUssVUFBVSxDQUFDLENBQUMsQ0FBQztZQUNqQyxRQUFRLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQSxDQUFDLDhCQUE4QjtRQUNoRSxDQUFDO1FBQ0QsRUFBRSxDQUFDLENBQUMsS0FBSyxHQUFHLEdBQUcsQ0FBQyxDQUFDLENBQUM7WUFDZCxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUEsQ0FBQyxzQ0FBc0M7UUFDMUQsQ0FBQztRQUFDLElBQUksQ0FBQyxDQUFDO1lBQ0osSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsR0FBRyxFQUFFLFVBQVUsR0FBRyxFQUFFLEdBQUc7Z0JBQ3ZDLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLFlBQVksTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDO29CQUMzQixRQUFRLENBQUMsS0FBSyxDQUFDLENBQUEsQ0FBQyxpQkFBaUI7b0JBQ2pDLGNBQWM7b0JBQ2QsUUFBUSxHQUFHLElBQUksQ0FBQTtvQkFDZixHQUFHLEdBQUcsSUFBSSxDQUFBO29CQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7Z0JBQ2QsQ0FBQztnQkFBQyxJQUFJLENBQUMsQ0FBQztvQkFDSixFQUFFLENBQUMsQ0FBQyxHQUFHLENBQUMsUUFBUSxDQUFDLEtBQUssU0FBUyxDQUFDLENBQUMsQ0FBQzt3QkFDOUIsVUFBVSxDQUFDOzRCQUNQLEdBQUcsQ0FBQyxjQUFjLENBQUMsR0FBRyxFQUFFLFFBQVEsRUFBRSxLQUFLLEdBQUcsQ0FBQyxDQUFDLENBQUEsQ0FBQyxRQUFROzRCQUNyRCxjQUFjOzRCQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7NEJBQ1YsUUFBUSxHQUFHLElBQUksQ0FBQTs0QkFDZixHQUFHLEdBQUcsSUFBSSxDQUFBOzRCQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7d0JBQ2QsQ0FBQyxFQUFFLEtBQUssR0FBRyxHQUFHLENBQUMsQ0FBQTtvQkFDbkIsQ0FBQztvQkFBQyxJQUFJLE
NBQUMsQ0FBQzt3QkFDSixRQUFRLENBQUMsR0FBRyxFQUFFLEdBQUcsQ0FBQyxDQUFBLENBQUMscUJBQXFCO3dCQUN4QyxjQUFjO3dCQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7d0JBQ1YsUUFBUSxHQUFHLElBQUksQ0FBQTt3QkFDZixHQUFHLEdBQUcsSUFBSSxDQUFBO3dCQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7b0JBQ2QsQ0FBQztnQkFDTCxDQUFDO1lBQ0wsQ0FBQyxDQUFDLENBQUE7UUFDTixDQUFDO0lBQ0wsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILGVBQWUsQ0FBQyxHQUFHLEVBQUUsUUFBUSxFQUFFLEtBQUssR0FBRyxDQUFDO1FBQ3BDLGlCQUFpQjtRQUNqQixJQUFJLEdBQUcsR0FBRyxJQUFJLENBQUE7UUFDZCxFQUFFLENBQUMsQ0FBQyxPQUFPLFFBQVEsS0FBSyxVQUFVLENBQUMsQ0FBQyxDQUFDO1lBQ2pDLFFBQVEsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFBLENBQUMsOEJBQThCO1FBQ2hFLENBQUM7UUFDRCxFQUFFLENBQUMsQ0FBQyxLQUFLLEdBQUcsR0FBRyxDQUFDLENBQUMsQ0FBQztZQUNkLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQSxDQUFDLHNDQUFzQztRQUMxRCxDQUFDO1FBQUMsSUFBSSxDQUFDLENBQUM7WUFDSixJQUFJLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxHQUFHLEVBQUUsVUFBVSxHQUFHLEVBQUUsR0FBRztnQkFDdkMsRUFBRSxDQUFDLENBQUMsQ0FBQyxHQUFHLFlBQVksTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztvQkFDOUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFBLENBQUMsdUNBQXVDO29CQUNyRCxjQUFjO29CQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7b0JBQ1YsUUFBUSxHQUFHLElBQUksQ0FBQTtvQkFDZixHQUFHLEdBQUcsSUFBSSxDQUFBO29CQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7Z0JBQ2QsQ0FBQztnQkFBQyxJQUFJLENBQUMsQ0FBQztvQkFDSixFQUFFLENBQUMsQ0FBQyxDQUFDLEdBQUcsWUFBWSxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxZQUFZLENBQUMsR0FBRyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7d0JBQ3ZELFVBQVUsQ0FBQzs0QkFDUCxHQUFHLENBQUMsZUFBZSxDQUFDLEdBQUcsRUFBRSxRQUFRLEVBQUUsS0FBSyxHQUFHLENBQUMsQ0FBQyxDQUFBLENBQUMsUUFBUTs0QkFDdEQsY0FBYzs0QkFDZCxHQUFHLEdBQUcsSUFBSSxDQUFBOzRCQUNWLFFBQVEsR0FBRyxJQUFJLENBQUE7NEJBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTs0QkFDVixHQUFHLEdBQUcsSUFBSSxDQUFBO3dCQUNkLENBQUMsRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLENBQUE7b0JBQ25CLENBQUM7b0JBQUMsSUFBSSxDQUFDLENBQUM7d0JBQ0osUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBLENBQUMsZUFBZTt3QkFDL0IsY0FBYzt3QkFDZCxHQUFHLEdBQUcsSUFBSSxDQUFBO3dCQUNWLFFBQVEsR0FBRyxJQUFJLENBQUE7d0JBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTt3QkFDVixHQUFHLEdBQUcsSUFBSSxDQUFBO29CQU
NkLENBQUM7Z0JBQ0wsQ0FBQztZQUNMLENBQUMsQ0FBQyxDQUFBO1FBQ04sQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNILGNBQWMsQ0FBQyxNQUFNLEVBQUUsUUFBUTtRQUMzQixpQkFBaUI7UUFDakIsSUFBSSxHQUFHLEdBQUcsSUFBSSxDQUFBO1FBQ2QsRUFBRSxDQUFDLENBQUMsT0FBTyxRQUFRLEtBQUssVUFBVSxDQUFDLENBQUMsQ0FBQztZQUNqQyxRQUFRLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQSxDQUFDLDhCQUE4QjtRQUNoRSxDQUFDO1FBQ0QsRUFBRSxDQUFDLFFBQVEsQ0FBQyxNQUFNLEdBQUcsTUFBTSxFQUFFLFVBQVUsR0FBRyxFQUFFLEdBQUc7WUFDM0MsRUFBRSxDQUFDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUM7Z0JBQ3hCLEVBQUUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztvQkFDekIsT0FBTyxDQUFDLEtBQUssQ0FBQyw0QkFBNEIsRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEVBQUUsNkJBQTZCLENBQUMsQ0FBQTtnQkFDM0YsQ0FBQztnQkFDRCxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUE7Z0JBQ2YsY0FBYztnQkFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO2dCQUNmLEdBQUcsR0FBRyxJQUFJLENBQUE7Z0JBQ1YsR0FBRyxHQUFHLElBQUksQ0FBQTtnQkFDVixHQUFHLEdBQUcsSUFBSSxDQUFBO1lBQ2QsQ0FBQztZQUFDLElBQUksQ0FBQyxDQUFDO2dCQUNKLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLEVBQUUsR0FBRyxDQUFDLGVBQWUsQ0FBQyxHQUFHLEVBQUUsR0FBRyxDQUFDLFVBQVUsQ0FBQyxFQUFFLFVBQVUsR0FBRyxFQUFFLEdBQUc7b0JBQ3ZHLEVBQUUsQ0FBQyxDQUFDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7d0JBQzlDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQSxDQUFDLHVDQUF1Qzt3QkFDckQsY0FBYzt3QkFDZCxHQUFHLEdBQUcsSUFBSSxDQUFBO3dCQUNWLFFBQVEsR0FBRyxJQUFJLENBQUE7d0JBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTt3QkFDVixHQUFHLEdBQUcsSUFBSSxDQUFBO3dCQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7d0JBQ1YsR0FBRyxHQUFHLElBQUksQ0FBQTtvQkFDZCxDQUFDO29CQUFDLElBQUksQ0FBQyxDQUFDO3dCQUNKLEVBQUUsQ0FBQyxDQUFDLEdBQUcsWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDOzRCQUN4QixFQUFFLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxZQUFZLENBQUMsR0FBRyxHQUFHLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7Z0NBQ3BDLElBQUksT0FBTyxHQUFHLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQTtnQ0FDNUIsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7b0NBQy9CLE9BQU8sR0FBRyxFQUFFLENBQUEsQ0FBRSwyQkFBMkI7Z0NBQz
dDLENBQUM7Z0NBQ0QsR0FBRyxDQUFDLGVBQWUsQ0FBQyxPQUFPLENBQUMsVUFBVSxDQUFDLEVBQUUsUUFBUSxDQUFDLENBQUEsQ0FBQywyQkFBMkI7Z0NBQzlFLGNBQWM7Z0NBQ2QsT0FBTyxHQUFHLElBQUksQ0FBQTs0QkFDbEIsQ0FBQzs0QkFBQyxJQUFJLENBQUMsQ0FBQztnQ0FDSixRQUFRLENBQUMsQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLEdBQUcsR0FBRyxDQUFDLEdBQUcsR0FBRyxHQUFHLEtBQUssQ0FBQyxDQUFBLENBQUMsNkNBQTZDOzRCQUNuRyxDQUFDO3dCQUNMLENBQUM7d0JBQUMsSUFBSSxDQUFDLENBQUM7NEJBQ0osUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBLENBQUMsbUJBQW1CO3dCQUN2QyxDQUFDO3dCQUNELGNBQWM7d0JBQ2QsR0FBRyxHQUFHLElBQUksQ0FBQTt3QkFDVixRQUFRLEdBQUcsSUFBSSxDQUFBO3dCQUNmLEdBQUcsR0FBRyxJQUFJLENBQUE7d0JBQ1YsR0FBRyxHQUFHLElBQUksQ0FBQTt3QkFDVixHQUFHLEdBQUcsSUFBSSxDQUFBO3dCQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7b0JBQ2QsQ0FBQztnQkFDTCxDQUFDLENBQUMsQ0FBQTtZQUNOLENBQUM7UUFDTCxDQUFDLENBQUMsQ0FBQTtJQUNOLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsVUFBVSxDQUFDLFFBQVE7UUFDZixpQkFBaUI7UUFDakIsSUFBSSxHQUFHLEdBQUcsSUFBSSxDQUFBO1FBQ2QsRUFBRSxDQUFDLENBQUMsT0FBTyxRQUFRLEtBQUssVUFBVSxDQUFDLENBQUMsQ0FBQztZQUNqQyxRQUFRLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQSxDQUFDLDhCQUE4QjtRQUNoRSxDQUFDO1FBQ0QsSUFBSSxDQUFDLFlBQVksQ0FBQyxVQUFVLEdBQUc7WUFDM0IsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLEdBQUcsWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQzNCLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQSxDQUFDLHdDQUF3QztnQkFDeEQsY0FBYztnQkFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO2dCQUNmLEdBQUcsR0FBRyxJQUFJLENBQUE7WUFDZCxDQUFDO1lBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ0osR0FBRyxDQUFDLFNBQVMsR0FBRyxHQUFHLENBQUEsQ0FBQyxrQkFBa0I7Z0JBQ3RDLEdBQUcsQ0FBQyxlQUFlLENBQUMsSUFBSSxFQUFFLFVBQVUsR0FBRyxFQUFFLEdBQUc7b0JBQ3hDLEVBQUUsQ0FBQyxDQUNDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQzsyQkFDcEIsQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLFlBQVksTUFBTSxDQUFDOzJCQUNsQyxDQUFDLE9BQU8sR0FBRyxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsS0FBSyxRQUFRLENBQ25ELENBQUMsQ0FBQyxDQUFDO3dCQUNDLEdBQUcsQ0FBQyxPQUFPLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsQ0FBQTt3QkFDckMsR0FBRyxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLElBQUksRUFBRSxRQUFRLENBQUMsQ0FBQSxDQUFDLGtDQUFrQztvQkFDdkYsQ0FBQztvQkFBQyxJQUFJLENBQUMsQ0FBQzt3QkFDSixRQUFRLENBQUMsS0FBSyxDQU
FDLENBQUEsQ0FBQyxzQkFBc0I7b0JBQzFDLENBQUM7b0JBQ0QsY0FBYztvQkFDZCxHQUFHLEdBQUcsSUFBSSxDQUFBO29CQUNWLFFBQVEsR0FBRyxJQUFJLENBQUE7b0JBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTtvQkFDVixHQUFHLEdBQUcsSUFBSSxDQUFBO29CQUNWLEdBQUcsR0FBRyxJQUFJLENBQUE7Z0JBQ2QsQ0FBQyxDQUFDLENBQUE7WUFDTixDQUFDO1FBQ0wsQ0FBQyxDQUFDLENBQUE7SUFDTixDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSCxhQUFhLENBQUMsS0FBSyxFQUFFLFFBQVE7UUFDekIsaUJBQWlCO1FBQ2pCLElBQUksR0FBRyxHQUFHLElBQUksQ0FBQTtRQUNkLEVBQUUsQ0FBQyxDQUFDLE9BQU8sS0FBSyxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUM7WUFDNUIsRUFBRSxDQUFDLENBQUMsT0FBTyxRQUFRLEtBQUssVUFBVSxDQUFDLENBQUMsQ0FBQztnQkFDakMsUUFBUSxHQUFHLElBQUksQ0FBQyxhQUFhLENBQUEsQ0FBQyw4QkFBOEI7WUFDaEUsQ0FBQztZQUNELEdBQUcsQ0FBQyxlQUFlLENBQ2Y7Z0JBQ0ksT0FBTyxFQUFFO29CQUNMLFNBQVMsR0FBRyxLQUFLO2lCQUNwQjthQUNKLEVBQ0QsVUFBVSxHQUFHLEVBQUUsR0FBRztnQkFDZCxFQUFFLENBQUMsQ0FDQyxDQUFDLEdBQUcsWUFBWSxNQUFNLENBQUM7dUJBQ3BCLENBQUMsR0FBRyxDQUFDLFlBQVksQ0FBQyxLQUFLLEdBQUcsQ0FBQzt1QkFDM0IsQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLFlBQVksTUFBTSxDQUFDO3VCQUNsQyxDQUFDLE9BQU8sR0FBRyxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsS0FBSyxRQUFRLENBQ25ELENBQUMsQ0FBQyxDQUFDO29CQUNDLEdBQUcsQ0FBQyxPQUFPLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsQ0FBQTtvQkFDckMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQSxDQUFDLG1CQUFtQjtnQkFDN0MsQ0FBQztnQkFBQyxJQUFJLENBQUMsQ0FBQztvQkFDSixRQUFRLENBQUMsS0FBSyxDQUFDLENBQUEsQ0FBQyxzQkFBc0I7Z0JBQzFDLENBQUM7Z0JBQ0QsY0FBYztnQkFDZCxHQUFHLEdBQUcsSUFBSSxDQUFBO2dCQUNWLFFBQVEsR0FBRyxJQUFJLENBQUE7Z0JBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTtnQkFDVixHQUFHLEdBQUcsSUFBSSxDQUFBO1lBQ2QsQ0FBQyxDQUFDLENBQUE7UUFDVixDQUFDO1FBQUMsSUFBSSxDQUFDLENBQUM7WUFDSixRQUFRLENBQUMsS0FBSyxDQUFDLENBQUEsQ0FBQyw0QkFBNEI7WUFDNUMsY0FBYztZQUNkLFFBQVEsR0FBRyxJQUFJLENBQUE7WUFDZixHQUFHLEdBQUcsSUFBSSxDQUFBO1FBQ2QsQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNILFFBQVEsQ0FBQyxPQUFPLEVBQUUsUUFBUTtRQUN0QixJQUFJLENBQUMsZUFBZSxDQUFDLElBQUksQ0FBQyxPQUFPLEVBQUU7WUFDL0IsV0FBVyxFQUFFLE9BQU8sQ0FBQyx1QkFBdUI7U0FDL0MsRUFBRSxRQUFRLENBQUMsQ0FBQTtRQUNaLGNBQWM7UUFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO0lBQ25CLENBQUM7SUFFRD
s7Ozs7O09BTUc7SUFDSCxrQkFBa0IsQ0FBQyxNQUFNLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxRQUFRO1FBQ3RELGlCQUFpQjtRQUNqQixJQUFJLEdBQUcsR0FBRyxJQUFJLENBQUE7UUFDZCxFQUFFLENBQUMsQ0FBQyxPQUFPLE1BQU0sS0FBSyxRQUFRLENBQUMsQ0FBQyxDQUFDO1lBQzdCLE1BQU0sR0FBRyxFQUFFLENBQUEsQ0FBQywwQkFBMEI7UUFDMUMsQ0FBQztRQUNELEVBQUUsQ0FBQyxDQUFDLE9BQU8sUUFBUSxLQUFLLFVBQVUsQ0FBQyxDQUFDLENBQUM7WUFDakMsUUFBUSxHQUFHLElBQUksQ0FBQyxhQUFhLENBQUEsQ0FBQyw4QkFBOEI7UUFDaEUsQ0FBQztRQUNELElBQUksQ0FBQyxVQUFVLENBQUMsVUFBVSxPQUFPO1lBQzdCLElBQUksS0FBSyxHQUFHLEdBQUcsQ0FBQyxZQUFZLENBQUMsT0FBTyxDQUFDLENBQUEsQ0FBQyw4Q0FBOEM7WUFDcEYsRUFBRSxDQUFDLENBQUMsT0FBTyxHQUFHLENBQUMsYUFBYSxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUM7Z0JBQ3hDLEtBQUssR0FBRyxHQUFHLENBQUMsYUFBYSxDQUFBLENBQUUsZ0NBQWdDO1lBQy9ELENBQUM7WUFBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUMsT0FBTyxLQUFLLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQztnQkFDbkMsS0FBSyxHQUFHLEdBQUcsQ0FBQyxrQkFBa0IsR0FBRyxHQUFHLEdBQUcsTUFBTSxDQUFBLENBQUUsaUJBQWlCO1lBQ3BFLENBQUM7WUFDRCxJQUFJLEdBQUcsR0FBRyxHQUFHLENBQUMsaUJBQWlCLENBQUE7WUFDL0IsV0FBVztZQUNYLEdBQUcsR0FBRyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUE7WUFDakIsT0FBTyxHQUFHLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsQ0FBQTtZQUN2QyxNQUFNLEdBQUcsR0FBRyxDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxDQUFBO1lBQ3JDLEtBQUssR0FBRyxHQUFHLENBQUMsZ0JBQWdCLENBQUMsS0FBSyxDQUFDLENBQUE7WUFDbkMsWUFBWSxHQUFHLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxZQUFZLENBQUMsQ0FBQTtZQUNqRCxrQkFBa0I7WUFDbEIsR0FBRyxDQUFDLGFBQWEsQ0FBQyxHQUFHLEVBQUUsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsS0FBSyxFQUFFLFVBQVUsQ0FBQztnQkFDcEUsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO29CQUNMLEdBQUcsQ0FBQyxjQUFjLENBQUMsTUFBTSxFQUFFLFVBQVUsSUFBSTt3QkFDckMsRUFBRSxDQUFDLENBQUMsQ0FBQyxJQUFJLFlBQVksTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLElBQUksS0FBSyxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQUM7NEJBQ3pELEVBQUUsQ0FBQyxTQUFTLENBQUMsTUFBTSxHQUFHLE1BQU0sRUFBRSxJQUFJLEVBQUUsVUFBVSxHQUFHO2dDQUM3QyxFQUFFLENBQUMsQ0FBQyxHQUFHLFlBQVksTUFBTSxDQUFDLENBQUMsQ0FBQztvQ0FDeEIsRUFBRSxDQUFDLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDO3dDQUN6QixPQUFPLENBQUMsS0FBSyxDQU
FDLDRCQUE0QixFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxtQ0FBbUMsQ0FBQyxDQUFBO29DQUNqRyxDQUFDO29DQUNELFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQTtnQ0FDbkIsQ0FBQztnQ0FBQyxJQUFJLENBQUMsQ0FBQztvQ0FDSixRQUFRLENBQUMsSUFBSSxDQUFDLENBQUEsQ0FBRSxzREFBc0Q7Z0NBQzFFLENBQUM7Z0NBQ0QsY0FBYztnQ0FDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO2dDQUNmLElBQUksR0FBRyxJQUFJLENBQUE7Z0NBQ1gsR0FBRyxHQUFHLElBQUksQ0FBQTtnQ0FDVixDQUFDLEdBQUcsSUFBSSxDQUFBO2dDQUNSLEdBQUcsR0FBRyxJQUFJLENBQUE7Z0NBQ1YsT0FBTyxHQUFHLElBQUksQ0FBQTs0QkFDbEIsQ0FBQyxDQUFDLENBQUE7d0JBQ04sQ0FBQzt3QkFBQyxJQUFJLENBQUMsQ0FBQzs0QkFDSixRQUFRLENBQUMsS0FBSyxDQUFDLENBQUEsQ0FBQywyQkFBMkI7NEJBQzNDLGNBQWM7NEJBQ2QsUUFBUSxHQUFHLElBQUksQ0FBQTs0QkFDZixJQUFJLEdBQUcsSUFBSSxDQUFBOzRCQUNYLEdBQUcsR0FBRyxJQUFJLENBQUE7NEJBQ1YsQ0FBQyxHQUFHLElBQUksQ0FBQTs0QkFDUixPQUFPLEdBQUcsSUFBSSxDQUFBO3dCQUNsQixDQUFDO29CQUNMLENBQUMsQ0FBQyxDQUFBO2dCQUNOLENBQUM7Z0JBQUMsSUFBSSxDQUFDLENBQUM7b0JBQ0osUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBLENBQUMsNEJBQTRCO29CQUM1QyxjQUFjO29CQUNkLFFBQVEsR0FBRyxJQUFJLENBQUE7b0JBQ2YsR0FBRyxHQUFHLElBQUksQ0FBQTtvQkFDVixDQUFDLEdBQUcsSUFBSSxDQUFBO29CQUNSLE9BQU8sR0FBRyxJQUFJLENBQUE7Z0JBQ2xCLENBQUM7WUFDTCxDQUFDLENBQUMsQ0FBQTtRQUNOLENBQUMsQ0FBQyxDQUFBO0lBQ04sQ0FBQztJQUVEOzs7Ozs7OztPQVFHO0lBQ0gsYUFBYSxDQUFDLEdBQUcsRUFBRSxDQUFDLEVBQUUsQ0FBQyxFQUFFLEVBQUUsRUFBRSxDQUFDLEVBQUUsUUFBUTtRQUNwQyxFQUFFLENBQUMsQ0FBQyxPQUFPLFFBQVEsS0FBSyxVQUFVLENBQUMsQ0FBQyxDQUFDO1lBQ2pDLFFBQVEsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFBLENBQUMsOEJBQThCO1FBQ2hFLENBQUM7UUFDRCxJQUFJLE9BQU8sR0FBRyx1Q0FBdUMsR0FBRyxzQkFBc0IsQ0FBQyxNQUFNLENBQUMsT0FBTyxFQUFFLGlCQUFpQixDQUFDLGVBQWUsRUFBRSw4QkFBOEIsRUFBRSxRQUFRLENBQUE7UUFDMUssT0FBTyxDQUFDLEtBQUssQ0FBQyw0QkFBNEIsQ0FBQyxDQUFBO1FBQzNDLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztZQUMxQixPQUFPLENBQUMsS0FBSyxDQUFDLFVBQVUsRUFBRSxPQUFPLENBQUMsQ0FBQTtRQUN0QyxDQUFDO1FBQ0QsYUFBYSxDQUFDLElBQUksQ0FBQyxPQUFPLEVBQUUsVUFBVSxDQUFDO1lBQ25DLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFDTCxPQUFPLENBQUMsS0FBSyxDQUFDLGVBQWUsQ0FBQyxDQUFBO1lBQ2xDLENBQUM7WU
FBQyxJQUFJLENBQUMsQ0FBQztnQkFDSixPQUFPLENBQUMsS0FBSyxDQUFDLGlCQUFpQixDQUFDLENBQUE7WUFDcEMsQ0FBQztZQUNELFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQTtZQUNYLGNBQWM7WUFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO1lBQ2YsQ0FBQyxHQUFHLElBQUksQ0FBQTtRQUNaLENBQUMsQ0FDQSxDQUFBO0lBQ0wsQ0FBQztJQUVEOztPQUVHO0lBQ0gsYUFBYTtRQUNULE1BQU07SUFDVixDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSCxnQkFBZ0IsQ0FBQyxJQUFJLEVBQUUsUUFBUSxHQUFHLEtBQUs7UUFDbkMsRUFBRSxDQUFDLENBQUMsT0FBTyxJQUFJLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQztZQUMzQixJQUFJLEdBQUcsRUFBRSxDQUFBO1FBQ2IsQ0FBQztRQUNELG9EQUFvRDtRQUNwRCxJQUFJLFVBQVUsR0FBRyw0REFBNEQsQ0FBQTtRQUM3RSxJQUFJLFVBQVUsR0FBRywyREFBMkQsQ0FBQTtRQUM1RSxNQUFNLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLE1BQU0sQ0FBQyxRQUFRLEdBQUcsVUFBVSxHQUFHLFVBQVUsRUFBRSxHQUFHLENBQUMsRUFBRSxVQUFVLGFBQWE7WUFDNUYsRUFBRSxDQUFDLENBQUMsT0FBTyxhQUFhLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQztnQkFDcEMsTUFBTSxDQUFDLEdBQUcsR0FBRyxhQUFhLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQyxpQkFBaUIsRUFBRSxDQUFBO1lBQzdFLENBQUM7WUFDRCxNQUFNLENBQUMsS0FBSyxDQUFBO1FBQ2hCLENBQUMsQ0FBQyxDQUFBO0lBQ04sQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0gsZ0JBQWdCLENBQUMsTUFBTSxFQUFFLFNBQVMsRUFBRSxRQUFRO1FBQ3hDLDhCQUE4QjtRQUM5QixJQUFJLEdBQUcsR0FBRyxJQUFJLENBQUE7UUFDZCxFQUFFLENBQUMsQ0FBQyxPQUFPLFFBQVEsS0FBSyxVQUFVLENBQUMsQ0FBQyxDQUFDO1lBQ2pDLFFBQVEsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFBLENBQUMsOEJBQThCO1FBQ2hFLENBQUM7UUFDRCxFQUFFLENBQUMsQ0FBQyxTQUFTLFlBQVksTUFBTSxDQUFDLENBQUMsQ0FBQztZQUM5QixFQUFFLENBQUMsQ0FBQyxTQUFTLENBQUMsTUFBTSxDQUFDLEtBQUssU0FBUyxDQUFDLENBQUMsQ0FBQztnQkFDbEMsSUFBSSxJQUFJLEdBQUcsSUFBSSxDQUFDLE9BQU8sR0FBRyxJQUFJLENBQUMsZUFBZSxHQUFHLFNBQVMsQ0FBQyxPQUFPLENBQUMsQ0FBQSxDQUFDLG1FQUFtRTtnQkFDdkksRUFBRSxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLFNBQVMsQ0FBQyxFQUFFLFVBQVUsR0FBRztvQkFDbEUsRUFBRSxDQUFDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUM7d0JBQ3hCLEVBQUUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQzs0QkFDekIsT0FBTyxDQUFDLEtBQUssQ0FDVCw0QkFBNEIsRUFDNUIsR0FBRyxDQUFDLE1BQU0sQ0FBQyxFQUFFLHNDQUFzQyxDQUN0RCxDQU
FBO3dCQUNMLENBQUM7d0JBQ0QsUUFBUSxFQUFFLENBQUE7d0JBQ1YsY0FBYzt3QkFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO3dCQUNmLFNBQVMsR0FBRyxJQUFJLENBQUE7d0JBQ2hCLEdBQUcsR0FBRyxJQUFJLENBQUE7d0JBQ1YsR0FBRyxHQUFHLElBQUksQ0FBQTtvQkFDZCxDQUFDO29CQUFDLElBQUksQ0FBQyxDQUFDO3dCQUNKLDJFQUEyRTt3QkFDM0UsSUFBSSxFQUFFLEdBQUcsUUFBUSxDQUFDLGVBQWUsQ0FBQyxPQUFPLENBQUMsS0FBSyxFQUFFLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQTt3QkFDaEUsRUFBRSxDQUFDLENBQUMsR0FBRyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUM7NEJBQ3RCLEVBQUUsQ0FBQyxRQUFRLENBQUMsd0JBQXdCLEVBQUUsVUFBVSxNQUFNO2dDQUNsRCxFQUFFLENBQUMsS0FBSyxFQUFFLENBQUE7Z0NBQ1YsUUFBUSxFQUFFLENBQUE7Z0NBQ1YsY0FBYztnQ0FDZCxRQUFRLEdBQUcsSUFBSSxDQUFBO2dDQUNmLFNBQVMsR0FBRyxJQUFJLENBQUE7Z0NBQ2hCLEdBQUcsR0FBRyxJQUFJLENBQUE7Z0NBQ1YsRUFBRSxHQUFHLElBQUksQ0FBQTs0QkFDYixDQUFDLENBQUMsQ0FBQTt3QkFDTixDQUFDO3dCQUFDLElBQUksQ0FBQyxDQUFDOzRCQUNKLEVBQUUsQ0FBQyxLQUFLLEVBQUUsQ0FBQTs0QkFDVixRQUFRLEVBQUUsQ0FBQSxDQUFDLHFDQUFxQzs0QkFDaEQsY0FBYzs0QkFDZCxRQUFRLEdBQUcsSUFBSSxDQUFBOzRCQUNmLFNBQVMsR0FBRyxJQUFJLENBQUE7NEJBQ2hCLEdBQUcsR0FBRyxJQUFJLENBQUE7NEJBQ1YsRUFBRSxHQUFHLElBQUksQ0FBQTt3QkFDYixDQUFDO29CQUNMLENBQUM7Z0JBQ0wsQ0FBQyxDQUFDLENBQUE7WUFDTixDQUFDO1lBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ0osT0FBTyxDQUFDLEtBQUssQ0FBQyxrQ0FBa0MsQ0FBQyxDQUFBO2dCQUNqRCxRQUFRLEVBQUUsQ0FBQTtnQkFDVixjQUFjO2dCQUNkLFFBQVEsR0FBRyxJQUFJLENBQUE7Z0JBQ2YsU0FBUyxHQUFHLElBQUksQ0FBQTtnQkFDaEIsR0FBRyxHQUFHLElBQUksQ0FBQTtZQUNkLENBQUM7UUFDTCxDQUFDO1FBQUMsSUFBSSxDQUFDLENBQUM7WUFDSixPQUFPLENBQUMsS0FBSyxDQUFDLHFDQUFxQyxDQUFDLENBQUE7WUFDcEQsUUFBUSxFQUFFLENBQUE7WUFDVixjQUFjO1lBQ2QsUUFBUSxHQUFHLElBQUksQ0FBQTtZQUNmLFNBQVMsR0FBRyxJQUFJLENBQUE7WUFDaEIsR0FBRyxHQUFHLElBQUksQ0FBQTtRQUNkLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILFVBQVUsQ0FBQyxPQUFPO1FBQ2QsSUFBSSxLQUFLLEdBQUcsdUNBQXVDLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFBO1FBQ2pFLEVBQUUsQ0FBQyxDQUFDLENBQUMsS0FBSyxZQUFZLEtBQUssQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFDakQsSUFBSSxNQUFNLEdBQUcsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFBO1lBQ3JCLGNBQWM7WUFDZCxLQUFLLEdBQUcsSUFBSSxDQUFBO1lBQ1
osTUFBTSxDQUFDLE1BQU0sQ0FBQTtRQUNqQixDQUFDO1FBQ0QsY0FBYztRQUNkLEtBQUssR0FBRyxJQUFJLENBQUE7UUFDWixNQUFNLENBQUMsS0FBSyxDQUFDLENBQUE7SUFDakIsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0gsZUFBZSxDQUFDLEdBQUcsRUFBRSxhQUFxQjtRQUN0QyxpQkFBaUI7UUFDakIsRUFBRSxDQUFDLENBQUMsQ0FBQyxHQUFHLFlBQVksTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLFlBQVksS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ2xFLE1BQU0sQ0FBQyxHQUFHLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxVQUFVLEtBQUs7Z0JBQ3hDLElBQUksSUFBSSxHQUFHLEtBQUssQ0FBQyxNQUFNLENBQUMsQ0FBQTtnQkFDeEIsY0FBYztnQkFDZCxLQUFLLEdBQUcsSUFBSSxDQUFBO2dCQUNaLEVBQUUsQ0FBQyxDQUFDLElBQUksS0FBSyxhQUFhLENBQUMsQ0FBQyxDQUFDO29CQUN6QixNQUFNLENBQUMsSUFBSSxDQUFBO2dCQUNmLENBQUM7Z0JBQ0QsTUFBTSxDQUFDLEtBQUssQ0FBQTtZQUNoQixDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQTtRQUNaLENBQUMsQ0FBQyxrQ0FBa0M7UUFDcEMsY0FBYztRQUNkLEdBQUcsR0FBRyxJQUFJLENBQUE7UUFDVixNQUFNLENBQUMsS0FBSyxDQUFDLENBQUEsQ0FBQyxpREFBaUQ7SUFDbkUsQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxZQUFZLENBQUMsT0FBTztRQUNoQixpQkFBaUI7UUFDakIsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sWUFBWSxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxZQUFZLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUN6RSxjQUFjO1lBQ2QsT0FBTyxHQUFHLElBQUksQ0FBQTtZQUNkLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQSxDQUFDLGtCQUFrQjtRQUNwQyxDQUFDO1FBQ0QsSUFBSSxNQUFNLEdBQUcsU0FBUyxDQUFBO1FBQ3RCLElBQUksS0FBSyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLFVBQVUsS0FBSztZQUM5QyxFQUFFLENBQUMsQ0FBQyxPQUFPLEtBQUssS0FBSyxRQUFRLENBQUMsQ0FBQyxDQUFDO2dCQUM1QixNQUFNLENBQUMsS0FBSyxDQUFBO1lBQ2hCLENBQUM7WUFBQyxJQUFJLENBQUMsQ0FBQztnQkFDSixNQUFNLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFBLENBQUMsd0JBQXdCO1lBQzFELENBQUM7UUFDTCxDQUFDLENBQ0EsQ0FBQyxHQUFHLEVBQUUsQ0FBQTtRQUNQLGNBQWM7UUFDZCxPQUFPLEdBQUcsSUFBSSxDQUFBO1FBQ2QsRUFBRSxDQUFDLENBQUMsT0FBTyxLQUFLLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQztZQUM1QixNQUFNLENBQUMsS0FBSyxDQUFDLENBQUE7UUFDakIsQ0FBQyxDQUFDLGlCQUFpQjtRQUNuQixNQUFNLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUEsQ0FBQyxvREFBb0Q7SUFDM0YsQ0FBQztJQUVEOzs7O09BSUc7SUFDSCw4QkFBOEIsQ0
FBQyxNQUFNO1FBQ2pDLE1BQU0sQ0FBQztZQUNILFVBQVUsRUFBRSxXQUFXO1lBQ3ZCLFlBQVksRUFBRTtnQkFDVixNQUFNLEVBQUUsS0FBSztnQkFDYixPQUFPLEVBQUUsTUFBTTthQUNsQjtTQUNKLENBQUE7SUFDTCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILG9CQUFvQixDQUFDLFNBQVM7UUFDMUIsaUJBQWlCO1FBQ2pCLEVBQUUsQ0FBQyxDQUFDLFNBQVMsWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDO1lBQzlCLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxtQkFBbUIsWUFBWSxNQUFNLENBQUMsQ0FBQyxDQUFDO2dCQUM3QyxJQUFJLEdBQUcsR0FBRyxrQkFBa0IsQ0FBQztvQkFDekIsQ0FBQyxFQUFFLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxHQUFHLENBQUM7b0JBQ2hDLEdBQUcsRUFBRSxJQUFJLENBQUMsbUJBQW1CLENBQUMsS0FBSyxDQUFDO29CQUNwQyxDQUFDLEVBQUUsSUFBSSxDQUFDLG1CQUFtQixDQUFDLEdBQUcsQ0FBQztpQkFDbkMsQ0FDQSxDQUFBO2dCQUNELElBQUksSUFBSSxHQUFHLE1BQU0sQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLEVBQUUsTUFBTSxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUE7Z0JBQ3BGLElBQUksV0FBVyxHQUFHLFNBQVMsQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFBLENBQUMsNENBQTRDO2dCQUM3RixJQUFJLEtBQUssR0FBRyxTQUFTLENBQUMsT0FBTyxDQUFDLENBQUE7Z0JBQzlCLGNBQWM7Z0JBQ2QsU0FBUyxHQUFHLElBQUksQ0FBQTtnQkFDaEIsR0FBRyxHQUFHLElBQUksQ0FBQTtnQkFDVixNQUFNLENBQUMsS0FBSyxHQUFHLEdBQUcsR0FBRyxXQUFXLENBQUE7WUFDcEMsQ0FBQztRQUNMLENBQUM7UUFBQyxJQUFJLENBQUMsQ0FBQztZQUNKLE1BQU0sQ0FBQyxFQUFFLENBQUEsQ0FBQyx1Q0FBdUM7UUFDckQsQ0FBQztJQUNMLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gscUJBQXFCLENBQUMsU0FBUztRQUMzQixNQUFNLENBQUM7WUFDSCxVQUFVLEVBQUUsV0FBVztZQUN2QixrQkFBa0IsRUFBRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsU0FBUyxDQUFDO1NBQzNELENBQUE7SUFDTCxDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSCxlQUFlLENBQUMsR0FBRyxFQUFFLFVBQWtCO1FBQ25DLEVBQUUsQ0FBQyxDQUFDLE9BQU8sR0FBRyxLQUFLLFFBQVEsSUFBSSxDQUFDLENBQUMsR0FBRyxZQUFZLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUN0RCxHQUFHLEdBQUcsRUFBRSxDQUFBLENBQUMseUJBQXlCO1FBQ3RDLENBQUM7UUFDRCxFQUFFLENBQUMsQ0FBQyxDQUFDLE9BQU8sVUFBVSxLQUFLLFFBQVEsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxDQUFDLElBQUksQ0FBQyxVQUFVLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ2hGLFVBQVUsR0FBRyxDQUFDLENBQUEsQ0FBQyxvQ0FBb0M7UUFDdkQsQ0FBQztRQUNELElBQUksY0FBYyxHQUFHLFNBQVMsQ0FBQyxPQUFPLENBQU
MsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFBLENBQUMsNEJBQTRCO1FBQy9FLElBQUksWUFBWSxHQUFHLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQyxDQUFDLFdBQVcsRUFBRSxDQUFBLENBQUMsaUNBQWlDO1FBRS9FLDRDQUE0QztRQUM1QyxJQUFJLGFBQWEsR0FBRyxDQUFDLElBQUksSUFBSSxDQUFDLENBQUMsQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDLEdBQUcsSUFBSSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFdBQVcsRUFBRSxDQUFBO1FBQ3hHLE1BQU0sQ0FBQztZQUNILFVBQVUsRUFBRSxVQUFVO1lBQ3RCLEtBQUssRUFBRSxjQUFjO1lBQ3JCLFdBQVcsRUFBRSxZQUFZO1lBQ3pCLFVBQVUsRUFBRSxhQUFhO1NBQzVCLENBQUE7SUFDTCxDQUFDO0NBQ0o7QUEvM0JELGdDQSszQkMifQ== \ No newline at end of file diff --git a/dist/smartacme.classes.jwebclient.d.ts b/dist/smartacme.classes.jwebclient.d.ts new file mode 100644 index 0000000..ad0360a --- /dev/null +++ b/dist/smartacme.classes.jwebclient.d.ts 
@@ -0,0 +1,61 @@ +/** + * @class JWebClient + * @constructor + * @description Implementation of HTTPS-based JSON-Web-Client + */ +export declare class JWebClient { + key_pair: any; + last_nonce: string; + verbose: boolean; + constructor(); + /** + * createJWT + * @description create JSON-Web-Token signed object + * @param {string|undefined} nonce + * @param {Object|string|number|boolean} payload + * @param {string} alg + * @param {Object|string} key + * @param {Object} jwk + * @return {string} + */ + createJWT(nonce: any, payload: any, alg: any, key: any, jwk: any): string; + /** + * request + * @description make GET or POST request over HTTPS and use JOSE as payload type + * @param {string} query + * @param {string} payload + * @param {function} callback + * @param {function} errorCallback + */ + request(query: any, payload: any, callback: any, errorCallback: any): void; + /** + * get + * @description make GET request + * @param {string} uri + * @param {function} callback + * @param {function} errorCallback + */ + get(uri: any, callback: any, errorCallback: any): void; + /** + * post + * @description make POST request + * @param {string} uri + * @param {Object|string|number|boolean} payload + * @param {function} callback + * @param {function} errorCallback + */ + post(uri: any, payload: any, callback: any, errorCallback: any): void; + /** + * evaluateStatus + * @description check if status is expected and log errors + * @param {string} uri + * @param {Object|string|number|boolean} payload + * @param {Object|string} ans + * @param {Object} res + */ + evaluateStatus(uri: any, payload: any, ans: any, res: any): void; + /** + * Helper: Empty callback + */ + emptyCallback(): void; +} diff --git a/dist/smartacme.classes.jwebclient.js b/dist/smartacme.classes.jwebclient.js new file mode 100644 index 0000000..fb5d757 --- /dev/null +++ b/dist/smartacme.classes.jwebclient.js 
@@ -0,0 +1,283 @@ +"use strict"; +const base64url = require("base64url"); +const https = require("https"); +let jwa = require('jwa'); +const url = require("url"); +/** + * json_to_utf8base64url + * @private + * @description convert JSON to base64-url encoded string using UTF-8 encoding + * @param {Object} obj + * @return {string} + * @throws Exception if object cannot be stringified or contains cycle + */ +let json_to_utf8base64url = function (obj) { + return base64url.default.encode(new Buffer(JSON.stringify(obj), 'utf8')); +}; +/** + * @class JWebClient + * @constructor + * @description Implementation of HTTPS-based JSON-Web-Client + */ +class JWebClient { + constructor() { + /** + * @member {Object} module:JWebClient~JWebClient#key_pair + * @desc User account key pair + */ + this.key_pair = null; // {Object} + /** + * @member {string} module:JWebClient~JWebClient#last_nonce + * @desc Cached nonce returned with last request + */ + this.last_nonce = null; // {string} + /** + * @member {boolean} module:JWebClient~JWebClient#verbose + * @desc Determines verbose mode + */ + this.verbose = false; // {boolean} + } + /** + * createJWT + * @description create JSON-Web-Token signed object + * @param {string|undefined} nonce + * @param {Object|string|number|boolean} payload + * @param {string} alg + * @param {Object|string} key + * @param {Object} jwk + * @return {string} + */ + createJWT(nonce, payload, alg, key, jwk) { + /*jshint -W069 */ + // prepare key + if (key instanceof Object) { + key = base64url.default.toBuffer(key['k']); + } + // prepare header + let header = { + typ: 'JWT', + alg: alg, + jwk: jwk, + nonce: null + }; + if (nonce !== void 0) { + header.nonce = nonce; + } + // concatenate header and payload + let input = [ + json_to_utf8base64url(header), + json_to_utf8base64url(payload) + ].join('.'); + // sign input + let hmac = jwa(alg); + let sig = hmac.sign(input, key); + // concatenate input and signature + let output = [ + input, + sig + ].join('.'); + // 
dereference + header = null; + hmac = null; + input = null; + jwk = null; + key = null; + payload = null; + // output + return output; + } + /** + * request + * @description make GET or POST request over HTTPS and use JOSE as payload type + * @param {string} query + * @param {string} payload + * @param {function} callback + * @param {function} errorCallback + */ + request(query, payload, callback, errorCallback) { + /*jshint -W069 */ + if (typeof query !== 'string') { + query = ''; // ensure query is string + } + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + if (typeof errorCallback !== 'function') { + errorCallback = this.emptyCallback; // ensure callback is function + } + // prepare options + let uri = url.parse(query); + let options = { + hostname: uri.hostname, + port: parseInt(uri.port, 10), + path: uri.path, + method: null, + headers: {} + }; + if (typeof payload === 'string') { + options.method = 'POST'; + options.headers = { + 'Content-Type': 'application/jose', + 'Content-Length': payload.length + }; + } + else { + options.method = 'GET'; + } + // prepare request + let req = https.request(options, function (res) { + // receive data + let data = []; + res.on('data', function (block) { + if (block instanceof Buffer) { + data.push(block); + } + }); + res.on('end', function () { + let buf = Buffer.concat(data); + let isJSON = ((res instanceof Object) + && (res['headers'] instanceof Object) + && (typeof res.headers['content-type'] === 'string') + && (res.headers['content-type'].indexOf('json') > -1)); + if (isJSON && buf.length > 0) { + try { + // convert to JSON + let json = JSON.parse(buf.toString('utf8')); + callback(json, res); + } + catch (e) { + // error (if empty or invalid JSON) + errorCallback(void 0, e); + } + } + else { + callback(buf, res); + } + }); + }).on('error', function (e) { + console.error('Error occured', e); + // error + errorCallback(void 0, e); + }); + // write POST body if 
payload was specified + if (typeof payload === 'string') { + req.write(payload); + } + // make request + req.end(); + } + /** + * get + * @description make GET request + * @param {string} uri + * @param {function} callback + * @param {function} errorCallback + */ + get(uri, callback, errorCallback) { + /*jshint -W069 */ + let ctx = this; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + this.request(uri, void 0, function (ans, res) { + ctx.evaluateStatus(uri, null, ans, res); + // save replay nonce for later requests + if ((res instanceof Object) && (res['headers'] instanceof Object)) { + ctx.last_nonce = res.headers['replay-nonce']; + } + callback(ans, res); + // dereference + ans = null; + callback = null; + ctx = null; + res = null; + }, errorCallback); + // dereference + errorCallback = null; + } + /** + * post + * @description make POST request + * @param {string} uri + * @param {Object|string|number|boolean} payload + * @param {function} callback + * @param {function} errorCallback + */ + post(uri, payload, callback, errorCallback) { + /*jshint -W069 */ + let ctx = this; + if (typeof callback !== 'function') { + callback = this.emptyCallback; // ensure callback is function + } + let key_pair = this.key_pair; + if (!(key_pair instanceof Object)) { + key_pair = {}; // ensure key pair is object + } + let jwt = this.createJWT(this.last_nonce, payload, 'RS256', key_pair['private_pem'], key_pair['public_jwk']); + this.request(uri, jwt, (ans, res) => { + ctx.evaluateStatus(uri, payload, ans, res); + // save replay nonce for later requests + if ((res instanceof Object) && (res['headers'] instanceof Object)) { + ctx.last_nonce = res.headers['replay-nonce']; + } + callback(ans, res); + // dereference + ans = null; + callback = null; + ctx = null; + key_pair = null; + payload = null; + res = null; + }, errorCallback); + // dereference + errorCallback = null; + } + /** + * evaluateStatus + * @description check 
if status is expected and log errors + * @param {string} uri + * @param {Object|string|number|boolean} payload + * @param {Object|string} ans + * @param {Object} res + */ + evaluateStatus(uri, payload, ans, res) { + /*jshint -W069 */ + if (this.verbose) { + if ((payload instanceof Object) + || (typeof payload === 'string') + || (typeof payload === 'number') + || (typeof payload === 'boolean')) { + console.error('Send :', payload); // what has been sent + } + } + let uri_parsed = url.parse(uri); + if (res['statusCode'] >= 100 && res['statusCode'] < 400) { + console.error('HTTP :', res['statusCode'], uri_parsed.path); // response code if successful + } + if (res['statusCode'] >= 400 && res['statusCode'] < 500) { + console.error('HTTP :', res['statusCode'], uri_parsed.path); // response code if error + if (ans instanceof Object) { + if (typeof ans['detail'] === 'string') { + console.error('Message:', ans.detail.split(' :: ').pop()); // error message if any + } + } + } + if (this.verbose) { + console.error('Receive:', res['headers']); // received headers + console.error('Receive:', ans); // received data + } + // dereference + ans = null; + payload = null; + res = null; + uri_parsed = null; + } + /** + * Helper: Empty callback + */ + emptyCallback() { + // nop + } +} +exports.JWebClient = JWebClient; +//# sourceMappingURL=data:application/json;base64,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 \ No newline at end of file diff --git a/dist/smartacme.classes.smartacme.d.ts b/dist/smartacme.classes.smartacme.d.ts new file mode 100644 index 0000000..57d2931 --- /dev/null +++ b/dist/smartacme.classes.smartacme.d.ts @@ -0,0 +1,5 @@ +import * as acmeclient from './smartacme.classes.acmeclient'; +export declare class SmartAcme { + acmeClient: acmeclient.AcmeClient; + constructor(directoryUrlArg?: string); +} diff --git a/dist/smartacme.classes.smartacme.js b/dist/smartacme.classes.smartacme.js new file mode 100644 index 0000000..e6f9cbd --- /dev/null 
+++ b/dist/smartacme.classes.smartacme.js @@ -0,0 +1,9 @@ +"use strict"; +const acmeclient = require("./smartacme.classes.acmeclient"); +class SmartAcme { + constructor(directoryUrlArg = 'https://acme-staging.api.letsencrypt.org/directory') { + this.acmeClient = new acmeclient.AcmeClient(directoryUrlArg); + } +} +exports.SmartAcme = SmartAcme; +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic21hcnRhY21lLmNsYXNzZXMuc21hcnRhY21lLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvc21hcnRhY21lLmNsYXNzZXMuc21hcnRhY21lLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUFDQSw2REFBNEQ7QUFFNUQ7SUFFSSxZQUFZLGtCQUEwQixvREFBb0Q7UUFDdEYsSUFBSSxDQUFDLFVBQVUsR0FBRyxJQUFJLFVBQVUsQ0FBQyxVQUFVLENBQUMsZUFBZSxDQUFDLENBQUE7SUFDaEUsQ0FBQztDQUNKO0FBTEQsOEJBS0MifQ== \ No newline at end of file diff --git a/dist/smartacme.plugins.d.ts b/dist/smartacme.plugins.d.ts new file mode 100644 index 0000000..8a7180f --- /dev/null +++ b/dist/smartacme.plugins.d.ts @@ -0,0 +1,3 @@ +import 'typings-global'; +import * as path from 'path'; +export { path }; diff --git a/dist/smartacme.plugins.js b/dist/smartacme.plugins.js new file mode 100644 index 0000000..1e65bb2 --- /dev/null +++ b/dist/smartacme.plugins.js @@ -0,0 +1,5 @@ +"use strict"; +require("typings-global"); +const path = require("path"); +exports.path = path; +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic21hcnRhY21lLnBsdWdpbnMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi90cy9zbWFydGFjbWUucGx1Z2lucy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiO0FBQUEsMEJBQXVCO0FBQ3ZCLDZCQUE0QjtBQUd4QixvQkFBSSJ9 \ No newline at end of file diff --git a/package.json b/package.json new file mode 100644 index 0000000..1427f7a --- /dev/null +++ b/package.json 
@@ -0,0 +1,38 @@
+{
+ "name": "smartacme",
+ "version": "1.0.0",
+ "description": "acme implementation in TypeScript",
+ "main": "dist/index.js",
+ "typings": "dist/index.d.ts",
+ "scripts": {
+ "test": "(npmts --nodocs)"
+ },
+ "repository": {
+ "type": "git",
+ "url": "git+ssh://git@gitlab.com/pushrocks/smartacme.git"
+ },
+ "keywords": [
+ "TypeScript",
+ "acme",
+ "letsencrypt"
+ ],
+ "author": "Lossless GmbH",
+ "license": "MIT",
+ "bugs": {
+ "url": "https://gitlab.com/pushrocks/smartacme/issues"
+ },
+ "homepage": "https://gitlab.com/pushrocks/smartacme#README",
+ "dependencies": {
+ "@types/base64url": "^2.0.3",
+ "base64url": "^2.0.0",
+ "jwa": "^1.1.3",
+ "rsa-pem-to-jwk": "^1.1.3",
+ "smartstring": "^2.0.19",
+ "typings-global": "^1.0.14"
+ },
+ "devDependencies": {
+ "@types/should": "^8.1.30",
+ "should": "^11.1.1",
+ "typings-test": "^1.0.3"
+ }
+}
diff --git a/test/test.d.ts b/test/test.d.ts
new file mode 100644
index 0000000..2fd432a
--- /dev/null
+++ b/test/test.d.ts
@@ -0,0 +1 @@
+import 'typings-test';
diff --git a/test/test.js b/test/test.js
new file mode 100644
index 0000000..9fb4b88
--- /dev/null
+++ b/test/test.js
@@ -0,0 +1,7 @@ +"use strict"; +require("typings-test"); +describe('smartacme', function () { + let testAcme; + it('should create a valid instance'); +}); +//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidGVzdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbInRlc3QudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBLHdCQUFxQjtBQU1yQixRQUFRLENBQUMsV0FBVyxFQUFFO0lBQ2xCLElBQUksUUFBNkIsQ0FBQTtJQUNqQyxFQUFFLENBQUMsZ0NBQWdDLENBQUMsQ0FBQTtBQUN4QyxDQUFDLENBQUMsQ0FBQSJ9 \ No newline at end of file
diff --git a/test/test.ts b/test/test.ts
new file mode 100644
index 0000000..f7fa067
--- /dev/null
+++ b/test/test.ts
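Review bot: `"dependencies"` declares every runtime package with a caret range (`"jwa": "^1.1.3"`, `"base64url": "^2.0.0"`, …) and no lockfile or shrinkwrap accompanies the manifest in this patch, so each install of the published module resolves whatever minor or patch versions exist at that moment. For a client whose purpose is to sign ACME requests with an account private key (`jwa` performs the RS256 signing in the compiled `JWebClient.post` above), an unreviewed bump of a signing or encoding dependency is a supply-chain exposure; I'd commit an `npm-shrinkwrap.json` so published installs are reproducible, or at minimum pin exact versions such as `"jwa": "1.1.3"` and review bumps deliberately. Separately, `rsa-pem-to-jwk` and `smartstring` are declared but I don't see either imported in the sources visible here (`smartacme.plugins.ts` only re-exports `path`); if the rest of `acmeclient.ts` doesn't use them, drop them rather than ship unused code.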
@@ -0,0 +1,10 @@
+import 'typings-test'
+import * as should from 'should'
+
+// import the module to test
+import * as smartacme from '../dist/index'
+
+describe('smartacme', function(){
+ let testAcme: smartacme.smartacme
+ it('should create a valid instance')
+})
diff --git a/ts/index.ts b/ts/index.ts
new file mode 100644
index 0000000..debfb71
--- /dev/null
+++ b/ts/index.ts
@@ -0,0 +1 @@
+export * from './smartacme.classes.smartacme'
diff --git a/ts/smartacme.classes.acmeclient.ts b/ts/smartacme.classes.acmeclient.ts
new file mode 100644
index 0000000..ce2df76
--- /dev/null
+++ b/ts/smartacme.classes.acmeclient.ts
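Review bot: The annotation `let testAcme: smartacme.smartacme` names a type the module does not export — `ts/index.ts` re-exports `./smartacme.classes.smartacme`, whose declaration file above exports `SmartAcme` — and `it('should create a valid instance')` has no body, so the suite is pending and `npmts --nodocs` exercises nothing. Since `new SmartAcme()` only constructs an `AcmeClient`, which in turn only initialises fields and a `JWebClient` (no network call happens until a request method is invoked), the case can be made real without touching the staging directory: `let testAcme: smartacme.SmartAcme` and `it('should create a valid instance', function () { testAcme = new smartacme.SmartAcme(); should(testAcme.acmeClient).be.ok() })`. That also gives the otherwise unused `should` import a purpose.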
@@ -0,0 +1,923 @@ +import * as plugins from './smartacme.plugins' +import * as base64url from 'base64url' +import * as child_process from 'child_process' +import * as crypto from 'crypto' +import * as fs from 'fs' +import * as readline from 'readline' +import { JWebClient } from './smartacme.classes.jwebclient' + +/** + * json_to_utf8buffer + * @private + * @description convert JSON to Buffer using UTF-8 encoding + * @param {Object} obj + * @return {Buffer} + * @throws Exception if object cannot be stringified or contains cycle + */ +let json_to_utf8buffer = function (obj) { + return new Buffer(JSON.stringify(obj), 'utf8') +} + +/** + * @class AcmeClient + * @constructor + * @description ACME protocol implementation from client perspective + * @param {string} directory_url - Address of directory + * @param {module:JWebClient~JWebClient} jWebClient - Reference to JSON-Web-Client + */ +export class AcmeClient { + clientProfilePubKey: any + days_valid: number + defaultRsaKeySize: number + directory: any + directoryUrl: string + emailDefaultPrefix: string + emailOverride: string + jWebClient: any + regLink: string + tosLink: string + webroot: string + well_known_path: string + withInteraction: boolean + constructor(directoryUrlArg) { + /** + * @member {Object} module:AcmeClient~AcmeClient#clientProfilePubKey + * @desc Cached public key obtained from profile + */ + this.clientProfilePubKey = {} + /** + * @member {number} module:AcmeClient~AcmeClient#days_valid + * @desc Validity period in days + * @default 1 + */ + this.days_valid = 1 + /** + * @member {number} module:AcmeClient~AcmeClient#defaultRsaKeySize + * @desc Key strength in bits + * @default 4096 + */ + this.defaultRsaKeySize = 4096 + /** + * @member {Object} module:AcmeClient~AcmeClient#directory + * @desc Hash map of REST URIs + */ + this.directory = {} + /** + * @member {string} module:AcmeClient~AcmeClient#directory_url + * @desc Address of directory + */ + this.directoryUrl = directoryUrlArg + /** + * 
@member {string} module:AcmeClient~AcmeClient#emailDefaultPrefix + * @desc Prefix of email address if constructed from domain name + * @default "hostmaster" + */ + this.emailDefaultPrefix = 'hostmaster' // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#emailOverride + * @desc Email address to use + */ + this.emailOverride = null // {string} + /** + * @member {module:JWebClient~JWebClient} module:AcmeClient~AcmeClient#jWebClient + * @desc Reference to JSON-Web-Client + */ + this.jWebClient = new JWebClient() // {JWebClient} + /** + * @member {string} module:AcmeClient~AcmeClient#regLink + * @desc Cached registration URI + */ + this.regLink = null // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#tosLink + * @desc Cached terms of service URI + */ + this.tosLink = null // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#webroot + * @desc Path to server web root (or path to store challenge data) + * @default "." + */ + this.webroot = '.' // {string} + /** + * @member {string} module:AcmeClient~AcmeClient#well_known_path + * @desc Directory structure for challenge data + * @default "/.well-known/acme-challenge/" + */ + this.well_known_path = '/.well-known/acme-challenge/' // {string} + /** + * @member {boolean} module:AcmeClient~AcmeClient#withInteraction + * @desc Determines if interaction of user is required + * @default true + */ + this.withInteraction = true // {boolean} + } + + // ***************************************************************************** + // REQUEST-Section + // ***************************************************************************** + + /** + * getDirectory + * @description retrieve directory entries (directory url must be set prior to execution) + * @param {function} callback - first argument will be the answer object + */ + getDirectory(callback) { + this.jWebClient.get(this.directoryUrl, callback, callback) + // dereference + callback = null + } + + /** + * newRegistration + * 
@description try to register (directory lookup must have occured prior to execution) + * @param {Object} payload + * @param {function} callback - first argument will be the answer object + */ + newRegistration(payload, callback) { + if (!(payload instanceof Object)) { + payload = {} // ensure payload is object + } + payload.resource = 'new-reg' + this.jWebClient.post(this.directory['new-reg'], payload, callback, callback) + // dereference + callback = null + payload = null + } + + /** + * getRegistration + * @description get information about registration + * @param {string} uri - will be exposed when trying to register + * @param {Object} payload - update information + * @param {function} callback - first argument will be the answer object + */ + getRegistration(uri, payload, callback) { + /*jshint -W069 */ + let ctx = this + if (!(payload instanceof Object)) { + payload = {} // ensure payload is object + } + payload['resource'] = 'reg' + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + this.jWebClient.post(uri, payload, function (ans, res) { + if (ans instanceof Object) { + ctx.clientProfilePubKey = ans.key // cache or reset returned public key + if ((res instanceof Object) && (res['headers'] instanceof Object)) { + let linkStr = res.headers['link'] + if (typeof linkStr === 'string') { + let tosLink = ctx.getTosLink(linkStr) + if (typeof tosLink === 'string') { + ctx.tosLink = tosLink // cache TOS link + } else { + ctx.tosLink = null // reset TOS link + } + } else { + ctx.tosLink = null // reset TOS link + } + } else { + ctx.tosLink = null // reset TOS link + } + callback(ans, res) + } else { + callback(false) + } + // dereference + ans = null + callback = null + ctx = null + res = null + }) + // dereference + payload = null + } + + /** + * authorizeDomain + * @description authorize domain using challenge-response-method + * @param {string} domain + * @param {function} callback - first argument will be the 
answer object + */ + authorizeDomain(domain, callback) { + /*jshint -W069 */ + let ctx = this + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + this.getProfile(function (profile) { + if (!(profile instanceof Object)) { + callback(false) // no profile returned + // dereference + callback = null + ctx = null + } else { + ctx.jWebClient.post(ctx.directory['new-authz'], ctx.makeDomainAuthorizationRequest(domain), function (ans, res) { + if ((res instanceof Object) && (res['statusCode'] === 403)) { // if unauthorized + ctx.agreeTos(ctx.tosLink, function (ans_, res_) { // agree to TOS + if ( // if TOS were agreed successfully + (res_ instanceof Object) + && (res_['statusCode'] >= 200) + && (res_['statusCode'] <= 400) + ) { + ctx.authorizeDomain(domain, callback) // try authorization again + } else { + callback(false) // agreement failed + } + // dereference + ans = null + ans_ = null + callback = null + ctx = null + profile = null + res = null + res_ = null + }) + } else { + if ( + (res instanceof Object) + && (res['headers'] instanceof Object) + && (typeof res.headers['location'] === 'string') + && (ans instanceof Object) + ) { + let poll_uri = res.headers['location'] // status URI for polling + let challenge = ctx.selectChallenge(ans, 'http-01') // select simple http challenge + if (challenge instanceof Object) { // desired challenge is in list + ctx.prepareChallenge(domain, challenge, function () { // prepare all objects and files for challenge + // reset + ans = null + res = null + // accept challenge + ctx.acceptChallenge(challenge, function (ans, res) { + if ( + (res instanceof Object) + && (res['statusCode'] < 400) // server confirms challenge acceptance + ) { + ctx.pollUntilValid(poll_uri, callback) // poll status until server states success + } else { + callback(false) // server did not confirm challenge acceptance + } + // dereference + ans = null + callback = null + challenge = null + ctx = null + 
profile = null + res = null + }) + }) + } else { + callback(false) // desired challenge is not in list + // dereference + ans = null + callback = null + ctx = null + profile = null + res = null + } + } else { + callback(false) // server did not respond with status URI + // dereference + ans = null + callback = null + ctx = null + profile = null + res = null + } + } + }) + } + }) + } + + /** + * acceptChallenge + * @description tell server which challenge will be accepted + * @param {Object} challenge + * @param {function} callback - first argument will be the answer object + */ + acceptChallenge(challenge, callback) { + /*jshint -W069 */ + if (!(challenge instanceof Object)) { + challenge = {} // ensure challenge is object + } + this.jWebClient.post(challenge['uri'], this.makeChallengeResponse(challenge), callback) + // dereference + callback = null + challenge = null + } + + /** + * pollUntilValid + * @description periodically (with exponential back-off) check status of challenge + * @param {string} uri + * @param {function} callback - first argument will be the answer object + * @param {number} retry - factor of delay + */ + pollUntilValid(uri, callback, retry = 1) { + /*jshint -W069 */ + let ctx = this + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + if (retry > 128) { + callback(false) // stop if retry value exceeds maximum + } else { + this.jWebClient.get(uri, function (ans, res) { + if (!(ans instanceof Object)) { + callback(false) // invalid answer + // dereference + callback = null + ctx = null + res = null + } else { + if (ans['status'] === 'pending') { // still pending + setTimeout(function () { + ctx.pollUntilValid(uri, callback, retry * 2) // retry + // dereference + ans = null + callback = null + ctx = null + res = null + }, retry * 500) + } else { + callback(ans, res) // challenge complete + // dereference + ans = null + callback = null + ctx = null + res = null + } + } + }) + } + } + + /** + 
* pollUntilIssued + * @description periodically (with exponential back-off) check status of CSR + * @param {string} uri + * @param {function} callback - first argument will be the answer object + * @param {number} retry - factor of delay + */ + pollUntilIssued(uri, callback, retry = 1) { + /*jshint -W069 */ + let ctx = this + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + if (retry > 128) { + callback(false) // stop if retry value exceeds maximum + } else { + this.jWebClient.get(uri, function (ans, res) { + if ((ans instanceof Buffer) && (ans.length > 0)) { + callback(ans) // certificate was returned with answer + // dereference + ans = null + callback = null + ctx = null + res = null + } else { + if ((res instanceof Object) && (res['statusCode'] < 400)) { // still pending + setTimeout(function () { + ctx.pollUntilIssued(uri, callback, retry * 2) // retry + // dereference + ans = null + callback = null + ctx = null + res = null + }, retry * 500) + } else { + callback(false) // CSR complete + // dereference + ans = null + callback = null + ctx = null + res = null + } + } + }) + } + } + + /** + * requestSigning + * @description send CSR + * @param {string} domain - expected to be already sanitized + * @param {function} callback - first argument will be the answer object + */ + requestSigning(domain, callback) { + /*jshint -W069 */ + let ctx = this + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + fs.readFile(domain + '.csr', function (err, csr) { + if (err instanceof Object) { // file system error + if (ctx.jWebClient.verbose) { + console.error('Error : File system error', err['code'], 'while reading key from file') + } + callback(false) + // dereference + callback = null + csr = null + ctx = null + err = null + } else { + ctx.jWebClient.post(ctx.directory['new-cert'], ctx.makeCertRequest(csr, ctx.days_valid), function (ans, res) { + if ((ans 
instanceof Buffer) && (ans.length > 0)) { // answer is buffer + callback(ans) // certificate was returned with answer + // dereference + ans = null + callback = null + csr = null + ctx = null + err = null + res = null + } else { + if (res instanceof Object) { + if ((res['statusCode'] < 400) && !ans) { // success response, but no answer was provided + let headers = res['headers'] + if (!(headers instanceof Object)) { + headers = {} // ensure headers is object + } + ctx.pollUntilIssued(headers['location'], callback) // poll provided status URI + // dereference + headers = null + } else { + callback((res['statusCode'] < 400) ? ans : false) // answer may be provided as string or object + } + } else { + callback(false) // invalid response + } + // dereference + ans = null + callback = null + csr = null + ctx = null + err = null + res = null + } + }) + } + }) + } + + /** + * getProfile + * @description retrieve profile of user (will make directory lookup and registration check) + * @param {function} callback - first argument will be the answer object + */ + getProfile(callback) { + /*jshint -W069 */ + let ctx = this + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + this.getDirectory(function (dir) { + if (!(dir instanceof Object)) { + callback(false) // server did not respond with directory + // dereference + callback = null + ctx = null + } else { + ctx.directory = dir // cache directory + ctx.newRegistration(null, function (ans, res) { // try new registration to get registration link + if ( + (res instanceof Object) + && (res['headers'] instanceof Object) + && (typeof res.headers['location'] === 'string') + ) { + ctx.regLink = res.headers['location'] + ctx.getRegistration(ctx.regLink, null, callback) // get registration info from link + } else { + callback(false) // registration failed + } + // dereference + ans = null + callback = null + ctx = null + dir = null + res = null + }) + } + }) + } + + /** + * 
createAccount + * @description create new account (assumes directory lookup has already occured) + * @param {string} email + * @param {function} callback - first argument will be the registration URI + */ + createAccount(email, callback) { + /*jshint -W069 */ + let ctx = this + if (typeof email === 'string') { + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + ctx.newRegistration( + { + contact: [ + 'mailto:' + email + ] + }, + function (ans, res) { + if ( + (res instanceof Object) + && (res['statusCode'] === 201) + && (res['headers'] instanceof Object) + && (typeof res.headers['location'] === 'string') + ) { + ctx.regLink = res.headers['location'] + callback(ctx.regLink) // registration URI + } else { + callback(false) // registration failed + } + // dereference + ans = null + callback = null + ctx = null + res = null + }) + } else { + callback(false) // no email address provided + // dereference + callback = null + ctx = null + } + } + + /** + * agreeTos + * @description agree with terms of service (update agreement status in profile) + * @param {string} tosLink + * @param {function} callback - first argument will be the answer object + */ + agreeTos(tosLink, callback) { + this.getRegistration(this.regLink, { + 'Agreement': tosLink // terms of service URI + }, callback) + // dereference + callback = null + } + + /** + * Entry-Point: Request certificate + * @param {string} domain + * @param {string} organization + * @param {string} country + * @param {function} callback + */ + requestCertificate(domain, organization, country, callback) { + /*jshint -W069 */ + let ctx = this + if (typeof domain !== 'string') { + domain = '' // ensure domain is string + } + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + this.getProfile(function (profile) { + let email = ctx.extractEmail(profile) // try to determine email address from profile + if (typeof 
ctx.emailOverride === 'string') { + email = ctx.emailOverride // override email address if set + } else if (typeof email !== 'string') { + email = ctx.emailDefaultPrefix + '@' + domain // or set default + } + let bit = ctx.defaultRsaKeySize + // sanitize + bit = Number(bit) + country = ctx.makeSafeFileName(country) + domain = ctx.makeSafeFileName(domain) + email = ctx.makeSafeFileName(email) + organization = ctx.makeSafeFileName(organization) + // create key pair + ctx.createKeyPair(bit, country, organization, domain, email, function (e) { // create key pair + if (!e) { + ctx.requestSigning(domain, function (cert) { // send CSR + if ((cert instanceof Buffer) || (typeof cert === 'string')) { // valid certificate data + fs.writeFile(domain + '.der', cert, function (err) { // sanitize domain name for file path + if (err instanceof Object) { // file system error + if (ctx.jWebClient.verbose) { + console.error('Error : File system error', err['code'], 'while writing certificate to file') + } + callback(false) + } else { + callback(true) // CSR complete and certificate written to file system + } + // dereference + callback = null + cert = null + ctx = null + e = null + err = null + profile = null + }) + } else { + callback(false) // invalid certificate data + // dereference + callback = null + cert = null + ctx = null + e = null + profile = null + } + }) + } else { + callback(false) // could not create key pair + // dereference + callback = null + ctx = null + e = null + profile = null + } + }) + }) + } + + /** + * External: Create key pair + * @param {number} bit - key strength, expected to be already sanitized + * @param {string} c - country code, expected to be already sanitized + * @param {string} o - organization, expected to be already sanitized + * @param {string} cn - common name (domain name), expected to be already sanitized + * @param {string} e - email address, expected to be already sanitized + * @param {function} callback + */ + createKeyPair(bit, c, o, cn, 
e, callback) { + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + let openssl = `openssl req -new -nodes -newkey rsa:${bit} -sha256 -subj "/C=${c}/O=${o}/CN=${cn}/emailAddress=${e}" -keyout \"${cn}.key\" -outform der -out \"${cn}.csr\"` + console.error('Action : Creating key pair') + if (this.jWebClient.verbose) { + console.error('Running:', openssl) + } + child_process.exec(openssl, function (e) { + if (!e) { + console.error('Result : done') + } else { + console.error('Result : failed') + } + callback(e) + // dereference + callback = null + e = null + } + ) + } + + /** + * Helper: Empty callback + */ + emptyCallback() { + // nop + } + + /** + * Helper: Make safe file name or path from string + * @param {string} name + * @param {boolean} withPath - optional, default false + * @return {string} + */ + makeSafeFileName(name, withPath = false) { + if (typeof name !== 'string') { + name = '' + } + // respects file name restrictions for ntfs and ext2 + let regex_file = '[<>:\"/\\\\\\|\\?\\*\\u0000-\\u001f\\u007f\\u0080-\\u009f]' + let regex_path = '[<>:\"\\\\\\|\\?\\*\\u0000-\\u001f\\u007f\\u0080-\\u009f]' + return name.replace(new RegExp(withPath ? 
regex_path : regex_file, 'g'), function (charToReplace) { + if (typeof charToReplace === 'string') { + return '%' + charToReplace.charCodeAt(0).toString(16).toLocaleUpperCase() + } + return '%00' + }) + } + + /** + * Helper: Prepare challenge + * @param {string} domain + * @param {Object} challenge + * @param {function} callback + */ + prepareChallenge(domain, challenge, callback) { + /*jshint -W069, unused:false*/ + let ctx = this + if (typeof callback !== 'function') { + callback = this.emptyCallback // ensure callback is function + } + if (challenge instanceof Object) { + if (challenge['type'] === 'http-01') { // simple http challenge + let path = this.webroot + this.well_known_path + challenge['token'] // webroot and well_known_path are expected to be already sanitized + fs.writeFile(path, this.makeKeyAuthorization(challenge), function (err) { // create challenge file + if (err instanceof Object) { // file system error + if (ctx.jWebClient.verbose) { + console.error( + 'Error : File system error', + err['code'], 'while writing challenge data to file' + ) + } + callback() + // dereference + callback = null + challenge = null + ctx = null + err = null + } else { + // let uri = "http://" + domain + this.well_known_path + challenge["token"] + let rl = readline.createInterface(process.stdin, process.stdout) + if (ctx.withInteraction) { + rl.question('Press enter to proceed', function (answer) { // wait for user to proceed + rl.close() + callback() + // dereference + callback = null + challenge = null + ctx = null + rl = null + }) + } else { + rl.close() + callback() // skip interaction prompt if desired + // dereference + callback = null + challenge = null + ctx = null + rl = null + } + } + }) + } else { // no supported challenge + console.error('Error : Challenge not supported') + callback() + // dereference + callback = null + challenge = null + ctx = null + } + } else { // invalid challenge response + console.error('Error : Invalid challenge response') + 
callback() + // dereference + callback = null + challenge = null + ctx = null + } + } + + /** + * Helper: Extract TOS Link, e.g. from "<http://...>;rel="terms-of-service" + * @param {string} linkStr + * @return {string} + */ + getTosLink(linkStr) { + let match = /(<)([^>]+)(>;rel="terms-of-service")/g.exec(linkStr) + if ((match instanceof Array) && (match.length > 2)) { + let result = match[2] + // dereference + match = null + return result + } + // dereference + match = null + return void 0 + } + + /** + * Helper: Select challenge by type + * @param {Object} ans + * @param {string} challenge_type + * @return {Object} + */ + selectChallenge(ans, challengeType: string) { + /*jshint -W069 */ + if ((ans instanceof Object) && (ans['challenges'] instanceof Array)) { + return ans.challenges.filter(function (entry) { + let type = entry['type'] + // dereference + entry = null + if (type === challengeType) { // check for type match + return true + } + return false + }).pop() + } // return first match or undefined + // dereference + ans = null + return void 0 // challenges not available or in expected format + } + + /** + * Helper: Extract first found email from profile (without mailto prefix) + * @param {Object} profile + * @return {string} + */ + extractEmail(profile) { + /*jshint -W069 */ + if (!(profile instanceof Object) || !(profile['contact'] instanceof Array)) { + // dereference + profile = null + return void 0 // invalid profile + } + let prefix = 'mailto:' + let email = profile.contact.filter(function (entry) { + if (typeof entry !== 'string') { + return false + } else { + return !entry.indexOf(prefix) // check for mail prefix + } + } + ).pop() + // dereference + profile = null + if (typeof email !== 'string') { + return void 0 + } // return default + return email.substr(prefix.length) // only return email address without protocol prefix + } + + /** + * Make ACME-Request: Domain-Authorization Request - Object: resource, identifier + * @param {string} domain + * 
@return {{resource: string, identifier: Object}} + */ + makeDomainAuthorizationRequest(domain) { + return { + 'resource': 'new-authz', + 'identifier': { + 'type': 'dns', + 'value': domain + } + } + } + + /** + * Make ACME-Object: Key-Authorization (encoded) - String: Challenge-Token . Encoded-Account-Key-Hash + * @param {Object} challenge + * @return {string} + */ + makeKeyAuthorization(challenge) { + /*jshint -W069 */ + if (challenge instanceof Object) { + if (this.clientProfilePubKey instanceof Object) { + let jwk = json_to_utf8buffer({ + e: this.clientProfilePubKey['e'], + kty: this.clientProfilePubKey['kty'], + n: this.clientProfilePubKey['n'] + } + ) + let hash = crypto.createHash('sha256').update(jwk.toString('utf8'), 'utf8').digest() + let ACCOUNT_KEY = base64url.default.encode(hash) // create base64 encoded hash of account key + let token = challenge['token'] + // dereference + challenge = null + jwk = null + return token + '.' + ACCOUNT_KEY + } + } else { + return '' // return default (for writing to file) + } + } + + /** + * Make ACME-Request: Challenge-Response - Object: resource, keyAuthorization + * @param {Object} challenge + * @return {{resource: string, keyAuthorization: string}} + */ + makeChallengeResponse(challenge) { + return { + 'resource': 'challenge', + 'keyAuthorization': this.makeKeyAuthorization(challenge) + } + } + + /** + * Make ACME-Request: CSR - Object: resource, csr, notBefore, notAfter + * @param {string} csr + * @param {number} days_valid + * @return {{resource: string, csr: string, notBefore: string, notAfter: string}} + */ + makeCertRequest(csr, DAYS_VALID: number) { + if (typeof csr !== 'string' && !(csr instanceof Buffer)) { + csr = '' // default string for CSR + } + if ((typeof DAYS_VALID !== 'number') || (isNaN(DAYS_VALID)) || (DAYS_VALID === 0)) { + DAYS_VALID = 1 // default validity duration (1 day) + } + let DOMAIN_CSR_DER = base64url.default.encode(csr) // create base64 encoded CSR + let CURRENT_DATE = (new 
Date()).toISOString() // set start date to current date + + // set end date to current date + days_valid + let NOTAFTER_DATE = (new Date((+new Date()) + 1000 * 60 * 60 * 24 * Math.abs(DAYS_VALID))).toISOString() + return { + 'resource': 'new-cert', + 'csr': DOMAIN_CSR_DER, + 'notBefore': CURRENT_DATE, + 'notAfter': NOTAFTER_DATE + } + } +} diff --git a/ts/smartacme.classes.jwebclient.ts b/ts/smartacme.classes.jwebclient.ts new file mode 100644 index 0000000..2465c76 --- /dev/null +++ b/ts/smartacme.classes.jwebclient.ts 
@@ -0,0 +1,294 @@
+import * as plugins from './smartacme.plugins'
+import * as base64url from 'base64url'
+import * as https from 'https'
+let jwa = require('jwa')
+import * as url from 'url'
+
+/**
+ * json_to_utf8base64url
+ * @private
+ * @description convert JSON to base64-url encoded string using UTF-8 encoding
+ * @param {Object} obj
+ * @return {string}
+ * @throws Exception if object cannot be stringified or contains cycle
+ */
+let json_to_utf8base64url = function (obj) {
+ return base64url.default.encode(new Buffer(JSON.stringify(obj), 'utf8'))
+}
+
+/**
+ * @class JWebClient
+ * @constructor
+ * @description Implementation of HTTPS-based JSON-Web-Client
+ */
+export class JWebClient {
+ key_pair: any
+ last_nonce: string
+ verbose: boolean
+ constructor() {
+ /**
+ * @member {Object} module:JWebClient~JWebClient#key_pair
+ * @desc User account key pair
+ */
+ this.key_pair = null // {Object}
+ /**
+ * @member {string} module:JWebClient~JWebClient#last_nonce
+ * @desc Cached nonce returned with last request
+ */
+ this.last_nonce = null // {string}
+ /**
+ * @member {boolean} module:JWebClient~JWebClient#verbose
+ * @desc Determines verbose mode
+ */
+ this.verbose = false // {boolean}
+ }
+
+ /**
+ * createJWT
+ * @description create JSON-Web-Token signed object
+ * @param {string|undefined} nonce
+ * @param {Object|string|number|boolean} payload
+ * @param {string} alg
+ * @param {Object|string} key
+ * @param {Object} jwk
+ * @return {string}
+ */
+ createJWT(nonce, payload, alg, key, jwk) {
+ /*jshint -W069 */
+ // prepare key
+ if (key instanceof Object) {
+ key = base64url.default.toBuffer(key['k'])
+ }
+ // prepare header
+ let header = {
+ typ: 'JWT',
+ alg: alg,
+ jwk: jwk,
+ nonce: null
+ }
+
+ if (nonce !== void 0) {
+ header.nonce = nonce
+ }
+ // concatenate header and payload
+ let input = [
+ json_to_utf8base64url(header),
+ json_to_utf8base64url(payload)
+ ].join('.')
+ // sign input
+ let hmac = jwa(alg)
+ let sig = hmac.sign(input, key)
+ // concatenate input and signature
+ let output = [
+ input,
+ sig
+ ].join('.')
+ // dereference
+ header = null
+ hmac = null
+ input = null
+ jwk = null
+ key = null
+ payload = null
+ // output
+ return output
+ }
+
+ /**
+ * request
+ * @description make GET or POST request over HTTPS and use JOSE as payload type
+ * @param {string} query
+ * @param {string} payload
+ * @param {function} callback
+ * @param {function} errorCallback
+ */
+ request(query, payload, callback, errorCallback) {
+ /*jshint -W069 */
+ if (typeof query !== 'string') {
+ query = '' // ensure query is string
+ }
+ if (typeof callback !== 'function') {
+ callback = this.emptyCallback // ensure callback is function
+ }
+ if (typeof errorCallback !== 'function') {
+ errorCallback = this.emptyCallback // ensure callback is function
+ }
+ // prepare options
+ let uri = url.parse(query)
+ let options = {
+ hostname: uri.hostname,
+ port: parseInt(uri.port, 10),
+ path: uri.path,
+ method: null,
+ headers: {}
+ }
+ if (typeof payload === 'string') {
+ options.method = 'POST'
+ options.headers = {
+ 'Content-Type': 'application/jose',
+ 'Content-Length': payload.length
+ }
+ } else {
+ options.method = 'GET'
+ }
+ // prepare request
+ let req = https.request(options, function (res) {
+ // receive data
+ let data = []
+ res.on('data', function (block) {
+ if (block instanceof Buffer) {
+ data.push(block)
+ }
+ })
+ res.on('end', function () {
+ let buf = Buffer.concat(data)
+ let isJSON = (
+ (res instanceof Object)
+ && (res['headers'] instanceof Object)
+ && (typeof res.headers['content-type'] === 'string')
+ && (res.headers['content-type'].indexOf('json') > -1)
+ )
+ if (isJSON && buf.length > 0) {
+ try {
+ // convert to JSON
+ let json = JSON.parse(buf.toString('utf8'))
+ callback(json, res)
+ } catch (e) {
+ // error (if empty or invalid JSON)
+ errorCallback(void 0, e)
+ }
+ } else {
+ callback(buf, res)
+ }
+ })
+ }).on('error', function (e) {
+ console.error('Error occured', e)
+ // error
+ errorCallback(void 0, e)
+ })
+ // write POST body if payload was specified
+ if (typeof payload === 'string') {
+ req.write(payload)
+ }
+ // make request
+ req.end()
+ }
+
+ /**
+ * get
+ * @description make GET request
+ * @param {string} uri
+ * @param {function} callback
+ * @param {function} errorCallback
+ */
+ get(uri, callback, errorCallback) {
+ /*jshint -W069 */
+ let ctx = this
+ if (typeof callback !== 'function') {
+ callback = this.emptyCallback // ensure callback is function
+ }
+ this.request(uri, void 0, function (ans, res) {
+ ctx.evaluateStatus(uri, null, ans, res)
+ // save replay nonce for later requests
+ if ((res instanceof Object) && (res['headers'] instanceof Object)) {
+ ctx.last_nonce = res.headers['replay-nonce']
+ }
+ callback(ans, res)
+ // dereference
+ ans = null
+ callback = null
+ ctx = null
+ res = null
+ }, errorCallback)
+ // dereference
+ errorCallback = null
+ }
+
+ /**
+ * post
+ * @description make POST request
+ * @param {string} uri
+ * @param {Object|string|number|boolean} payload
+ * @param {function} callback
+ * @param {function} errorCallback
+ */
+ post(uri, payload, callback, errorCallback) {
+ /*jshint -W069 */
+ let ctx = this
+ if (typeof callback !== 'function') {
+ callback = this.emptyCallback // ensure callback is function
+ }
+ let key_pair = this.key_pair
+ if (!(key_pair instanceof Object)) {
+ key_pair = {} // ensure key pair is object
+ }
+ let jwt = this.createJWT(this.last_nonce, payload, 'RS256', key_pair['private_pem'], key_pair['public_jwk'])
+ this.request(uri, jwt, (ans, res) => {
+ ctx.evaluateStatus(uri, payload, ans, res)
+ // save replay nonce for later requests
+ if ((res instanceof Object) && (res['headers'] instanceof Object)) {
+ ctx.last_nonce = res.headers['replay-nonce']
+ }
+ callback(ans, res)
+ // dereference
+ ans = null
+ callback = null
+ ctx = null
+ key_pair = null
+ payload = null
+ res = null
+ }, errorCallback)
+ // dereference
+ errorCallback = null
+ }
+
+ /**
+ * evaluateStatus
+ * @description check if status is expected and log errors
+ * @param {string} uri
+ * @param {Object|string|number|boolean} payload
+ * @param {Object|string} ans
+ * @param {Object} res
+ */
+ evaluateStatus(uri, payload, ans, res) {
+ /*jshint -W069 */
+ if (this.verbose) {
+ if (
+ (payload instanceof Object)
+ || (typeof payload === 'string')
+ || (typeof payload === 'number')
+ || (typeof payload === 'boolean')
+ ) {
+ console.error('Send :', payload) // what has been sent
+ }
+ }
+ let uri_parsed = url.parse(uri)
+ if (res['statusCode'] >= 100 && res['statusCode'] < 400) {
+ console.error('HTTP :', res['statusCode'], uri_parsed.path) // response code if successful
+ }
+ if (res['statusCode'] >= 400 && res['statusCode'] < 500) {
+ console.error('HTTP :', res['statusCode'], uri_parsed.path) // response code if error
+ if (ans instanceof Object) {
+ if (typeof ans['detail'] === 'string') {
+ console.error('Message:', ans.detail.split(' :: ').pop()) // error message if any
+ }
+ }
+ }
+ if (this.verbose) {
+ console.error('Receive:', res['headers']) // received headers
+ console.error('Receive:', ans) // received data
+ }
+ // dereference
+ ans = null
+ payload = null
+ res = null
+ uri_parsed = null
+ }
+
+ /**
+ * Helper: Empty callback
+ */
+ emptyCallback() {
+ // nop
+ }
+}
diff --git a/ts/smartacme.classes.smartacme.ts b/ts/smartacme.classes.smartacme.ts
new file mode 100644
index 0000000..569f42a
--- /dev/null
+++ b/ts/smartacme.classes.smartacme.ts
@@ -0,0 +1,9 @@
+import * as plugins from './smartacme.plugins'
+import * as acmeclient from './smartacme.classes.acmeclient'
+
+export class SmartAcme {
+ acmeClient: acmeclient.AcmeClient
+ constructor(directoryUrlArg: string = 'https://acme-staging.api.letsencrypt.org/directory') {
+ this.acmeClient = new acmeclient.AcmeClient(directoryUrlArg)
+ }
+}
diff --git a/ts/smartacme.plugins.ts b/ts/smartacme.plugins.ts
new file mode 100644
index 0000000..3eccc7e
--- /dev/null
+++ b/ts/smartacme.plugins.ts
@@ -0,0 +1,6 @@
+import 'typings-global'
+import * as path from 'path'
+
+export {
+ path
+}
diff --git a/tslint.json b/tslint.json
new file mode 100644
index 0000000..45052ad
--- /dev/null
+++ b/tslint.json
@@ -0,0 +1,3 @@
+{
+ "extends": "tslint-config-standard"
+}
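Review bot: In request(), `'Content-Length': payload.length` is the string's UTF-16 code-unit count rather than its byte length, so a payload containing non-ASCII characters would be sent with a wrong Content-Length; `'Content-Length': Buffer.byteLength(payload, 'utf8')` is the correct value. This is latent today because post() only ever sends a base64url-encoded JWS, but request() accepts any string. Separately, post() substitutes `key_pair = {}` when no account key is configured, so createJWT() passes `undefined` as the key to `hmac.sign()`; jwa presumably rejects that, and the exception then escapes post() synchronously instead of reaching errorCallback, so checking `typeof key_pair['private_pem'] === 'string'` before building the JWT and routing the failure to errorCallback would keep all failures on one path. The https request also sets no timeout, so a stalled server leaves both callbacks pending indefinitely; a `req.setTimeout(...)` handler that aborts the request would bound that.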
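Review bot: The SmartAcme constructor defaults `directoryUrlArg` to the Let's Encrypt staging directory without saying so, and certificates issued by the staging environment are not trusted by browsers, so a caller who omits the argument gets a client that works end to end but produces unusable certificates. A TSDoc line on the constructor such as `@param directoryUrlArg ACME directory URL; defaults to the Let's Encrypt staging endpoint, whose certificates are not publicly trusted` would make the default explicit. The `plugins` import in this file is unused and can be dropped.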