diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/AcmeClient.java b/acme4j-client/src/main/java/org/shredzone/acme4j/AcmeClient.java index de37367b..6a122903 100644 --- a/acme4j-client/src/main/java/org/shredzone/acme4j/AcmeClient.java +++ b/acme4j-client/src/main/java/org/shredzone/acme4j/AcmeClient.java @@ -135,9 +135,22 @@ public interface AcmeClient { * {@link Registration} to be used for conversation * @param csr * PKCS#10 Certificate Signing Request to be sent to the server - * @return {@link URI} the certificate can be downloaded from + * @return {@link CertificateURIs} the certificate and certificate chain can be downloaded from */ - URI requestCertificate(Registration registration, byte[] csr) throws AcmeException; + CertificateURIs requestCertificate(Registration registration, byte[] csr) throws AcmeException; + + /** + * Downloads chain for certificate. + * + * @param chainCertUri + * Certificate {@link URI} + * @return Downloaded {@link X509Certificate[]} + * + * @throws AcmeException + * if an {@link IOException} is thrown during certificate retrieval + * or the max recursion limit is exceeded + */ + X509Certificate[] downloadCertificateChain(URI chainCertUri) throws AcmeException; /** * Downloads a certificate. diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/CertificateURIs.java b/acme4j-client/src/main/java/org/shredzone/acme4j/CertificateURIs.java new file mode 100644 index 00000000..2ccd2e17 --- /dev/null +++ b/acme4j-client/src/main/java/org/shredzone/acme4j/CertificateURIs.java @@ -0,0 +1,41 @@ +package org.shredzone.acme4j; + +import java.net.URI; + +/** + * Represents the URIs returned by a certificate request + * + * @author cargy + * + */ +public class CertificateURIs { + + private final URI certUri; + private final URI chainCertUri; + + public CertificateURIs(URI certUri, URI chainCertUri) { + this.certUri = certUri; + this.chainCertUri = chainCertUri; + } + + /** + * The URI from which the client may fetch the certificate + * + * @return + * {@link URI} the certificate can be downloaded from + */ + public URI getCertUri() { + return certUri; + } + + /** + * The URI from which the client may fetch a chain of CA certificates + * + * @return + * {@link URI} the certificate chain can be downloaded from + */ + public URI getChainCertUri() { + return chainCertUri; + } + +} diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java b/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java index f4084c98..0cd7bd81 100644 --- a/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java +++ b/acme4j-client/src/main/java/org/shredzone/acme4j/impl/AbstractAcmeClient.java @@ -28,10 +28,7 @@ import java.util.Map; import org.jose4j.jwk.PublicJsonWebKey; import org.jose4j.jws.JsonWebSignature; import org.jose4j.lang.JoseException; -import org.shredzone.acme4j.AcmeClient; -import org.shredzone.acme4j.Authorization; -import org.shredzone.acme4j.Registration; -import org.shredzone.acme4j.Status; +import org.shredzone.acme4j.*; import org.shredzone.acme4j.challenge.Challenge; import org.shredzone.acme4j.connector.Connection; import org.shredzone.acme4j.connector.Resource; @@ -54,6 +51,7 @@ import org.slf4j.LoggerFactory; */ public abstract class AbstractAcmeClient implements AcmeClient { private static final Logger LOG = LoggerFactory.getLogger(AbstractAcmeClient.class); + private static final int MAX_CHAIN_LENGTH = 10; private final Session session = new Session(); @@ -410,7 +408,7 @@ public abstract class AbstractAcmeClient implements AcmeClient { } @Override - public URI requestCertificate(Registration registration, byte[] csr) throws AcmeException { + public CertificateURIs requestCertificate(Registration registration, byte[] csr) throws AcmeException { if (registration == null) { throw new NullPointerException("registration must not be null"); } @@ -433,12 +431,42 @@ public abstract class AbstractAcmeClient implements AcmeClient { // Optionally returns the certificate. Currently it is just ignored. // X509Certificate cert = conn.readCertificate(); - - return conn.getLocation(); + + return new CertificateURIs(conn.getLocation(), conn.getLink("up")); } catch (IOException ex) { throw new AcmeNetworkException(ex); } } + + @Override + public X509Certificate[] downloadCertificateChain(URI chainCertUri) throws AcmeException { + if (chainCertUri == null) { + throw new NullPointerException("certChainUri must not be null"); + } + + LOG.debug("getCertificateChain"); + + List certChain = new ArrayList<>(); + URI link = chainCertUri; + while (link != null && certChain.size() < MAX_CHAIN_LENGTH) { + try (Connection conn = createConnection()) { + int rc = conn.sendRequest(chainCertUri); + if (rc != HttpURLConnection.HTTP_OK) { + conn.throwAcmeException(); + } + + certChain.add(conn.readCertificate()); + link = conn.getLink("up"); + } catch (IOException ex) { + throw new AcmeNetworkException(ex); + } + } + + if (link != null) + throw new AcmeException("Recursion limit reached (" + MAX_CHAIN_LENGTH + "). Didn't get " + link); + + return certChain.toArray(new X509Certificate[certChain.size()]); + } @Override public X509Certificate downloadCertificate(URI certUri) throws AcmeException { diff --git a/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java b/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java index 30dfdc98..e2898891 100644 --- a/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java +++ b/acme4j-client/src/test/java/org/shredzone/acme4j/impl/AbstractAcmeClientTest.java @@ -32,6 +32,7 @@ import org.jose4j.lang.JoseException; import org.junit.Before; import org.junit.Test; import org.shredzone.acme4j.Authorization; +import org.shredzone.acme4j.CertificateURIs; import org.shredzone.acme4j.Registration; import org.shredzone.acme4j.Status; import org.shredzone.acme4j.challenge.Challenge; @@ -56,6 +57,7 @@ public class AbstractAcmeClientTest { private URI resourceUri; private URI locationUri; + private URI certChainUri; private URI agreementUri; private KeyPair accountKeyPair; private Registration testRegistration; @@ -64,6 +66,7 @@ public class AbstractAcmeClientTest { public void setup() throws IOException, URISyntaxException { resourceUri = new URI("https://example.com/acme/some-resource"); locationUri = new URI("https://example.com/acme/some-location"); + certChainUri = new URI("https://example.com/acme/some-url"); agreementUri = new URI("http://example.com/agreement.pdf"); accountKeyPair = TestUtils.createKeyPair(); testRegistration = new Registration(accountKeyPair); @@ -456,7 +459,8 @@ public class AbstractAcmeClientTest { @Test public void testRequestCertificate() throws AcmeException, IOException { Connection connection = new DummyConnection() { - @Override + + @Override public int sendSignedRequest(URI uri, ClaimBuilder claims, Session session, Registration registration) { assertThat(uri, is(resourceUri)); assertThat(claims.toString(), sameJSONAs(getJson("requestCertificateRequest"))); @@ -469,15 +473,21 @@ public class AbstractAcmeClientTest { public URI getLocation() { return locationUri; } + + @Override + public URI getLink(String relation) { + return certChainUri; + } }; TestableAbstractAcmeClient client = new TestableAbstractAcmeClient(connection); client.putTestResource(Resource.NEW_CERT, resourceUri); byte[] csr = TestUtils.getResourceAsByteArray("/csr.der"); - URI certUri = client.requestCertificate(testRegistration, csr); + CertificateURIs certUris = client.requestCertificate(testRegistration, csr); - assertThat(certUri, is(locationUri)); + assertThat(certUris.getCertUri(), is(locationUri)); + assertThat(certUris.getChainCertUri(), is(certChainUri)); } /**