Http-01 Challenge Framework support

src/acme.rs

@@ -1,5 +1,5 @@
 use std::sync::Arc;
-
+use aws_lc_rs::digest::Digest;
 use crate::any_ecdsa_type;
 use crate::crypto::error::{KeyRejected, Unspecified};
 use crate::crypto::rand::SystemRandom;
@@ -130,6 +130,15 @@ impl Account {
         let certified_key = CertifiedKey::new(vec![cert.der().clone()], sk);
         Ok((challenge, certified_key))
     }
+    pub fn http_01<'a>(&self, challenges: &'a [Challenge]) -> Result<(&'a Challenge, Digest), AcmeError> {
+        let challenge = challenges.iter().find(|c| c.typ == ChallengeType::Http01);
+        let challenge = match challenge {
+            Some(challenge) => challenge,
+            None => return Err(AcmeError::NoHttp01Challenge),
+        };
+        let key_auth = key_authorization_sha256(&self.key_pair, &challenge.token)?;
+        Ok((challenge, key_auth))
+    }
 }
 
 #[derive(Debug, Clone, Deserialize)]
@@ -245,6 +254,8 @@ pub enum AcmeError {
     MissingHeader(&'static str),
     #[error("no tls-alpn-01 challenge found")]
     NoTlsAlpn01Challenge,
+    #[error("no http-01 challenge found")]
+    NoHttp01Challenge,
 }
 
 impl From<http::Error> for AcmeError {

src/config.rs

@@ -1,5 +1,6 @@
 use crate::acme::{LETS_ENCRYPT_PRODUCTION_DIRECTORY, LETS_ENCRYPT_STAGING_DIRECTORY};
 use crate::caches::{BoxedErrCache, CompositeCache, NoCache};
+use crate::UseChallenge::TlsAlpn01;
 use crate::{crypto_provider, AccountCache, Cache, CertCache};
 use crate::{AcmeState, Incoming};
 use core::fmt;
@@ -21,8 +22,11 @@ pub struct AcmeConfig<EC: Debug, EA: Debug = EC> {
     pub(crate) domains: Vec<String>,
     pub(crate) contact: Vec<String>,
     pub(crate) cache: Box<dyn Cache<EC = EC, EA = EA>>,
+    pub(crate) challenge_type: UseChallenge
 }
 
+pub enum UseChallenge { Http01, TlsAlpn01 }
+
 impl AcmeConfig<Infallible, Infallible> {
     /// Creates a new [AcmeConfig] instance.
     ///
@@ -78,6 +82,7 @@ impl AcmeConfig<Infallible, Infallible> {
             domains: domains.into_iter().map(|s| s.as_ref().into()).collect(),
             contact: vec![],
             cache: Box::new(NoCache::default()),
+            challenge_type: TlsAlpn01
         }
     }
 }
@@ -132,6 +137,7 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeConfig<EC, EA> {
             domains: self.domains,
             contact: self.contact,
             cache: Box::new(cache),
+            challenge_type: self.challenge_type,
         }
     }
     pub fn cache_compose<CC: 'static + CertCache, CA: 'static + AccountCache>(self, cert_cache: CC, account_cache: CA) -> AcmeConfig<CC::EC, CA::EA> {
@@ -146,6 +152,10 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeConfig<EC, EA> {
             None => self.cache(NoCache::<C::EC, C::EA>::default()),
         }
     }
+    pub fn challenge_type(mut self, challenge_type: UseChallenge) -> Self {
+        self.challenge_type = challenge_type;
+        self
+    }
     pub fn state(self) -> AcmeState<EC, EA> {
         AcmeState::new(self)
     }

src/resolver.rs

@@ -3,9 +3,9 @@ use futures_rustls::rustls::{
     sign::CertifiedKey,
 };
 use std::collections::BTreeMap;
+use std::fmt::Debug;
 use std::sync::Arc;
 use std::sync::Mutex;
-
 use crate::is_tls_alpn_challenge;
 
 #[derive(Debug)]
@@ -17,6 +17,7 @@ pub struct ResolvesServerCertAcme {
 struct Inner {
     cert: Option<Arc<CertifiedKey>>,
     auth_keys: BTreeMap<String, Arc<CertifiedKey>>,
+    key_auths: BTreeMap<String, Arc<Vec<u8>>>,
 }
 
 impl ResolvesServerCertAcme {
@@ -25,6 +26,8 @@ impl ResolvesServerCertAcme {
             inner: Mutex::new(Inner {
                 cert: None,
                 auth_keys: Default::default(),
+                // Reasonably high key auth cache defaults. Avoid Infinite accumulation
+                key_auths: Default::default(),
             }),
         })
     }
@@ -34,6 +37,15 @@ impl ResolvesServerCertAcme {
     pub(crate) fn set_auth_key(&self, domain: String, cert: Arc<CertifiedKey>) {
         self.inner.lock().unwrap().auth_keys.insert(domain, cert);
     }
+    pub(crate) fn set_key_auth(&self, token: String, key_auth: Arc<Vec<u8>>) {
+        self.inner.lock().unwrap().key_auths.insert(token, key_auth);
+    }
+    pub (crate) fn clear_key_auth(&self, token: &String) {
+        self.inner.lock().unwrap().key_auths.remove(token);
+    }
+    pub fn get_key_auth(&self, token: &String) -> Option<Arc<Vec<u8>>> {
+        self.inner.lock().unwrap().key_auths.get(token).cloned()
+    }
 }
 
 impl ResolvesServerCert for ResolvesServerCertAcme {

src/state.rs

@@ -1,6 +1,6 @@
 use crate::acceptor::AcmeAcceptor;
 use crate::acme::{Account, AcmeError, Auth, AuthStatus, Directory, Identifier, Order, OrderStatus, ACME_TLS_ALPN_NAME};
-use crate::{any_ecdsa_type, crypto_provider, AcmeConfig, Incoming, ResolvesServerCertAcme};
+use crate::{any_ecdsa_type, crypto_provider, AcmeConfig, Incoming, ResolvesServerCertAcme, UseChallenge};
 use async_io::Timer;
 use chrono::{DateTime, TimeZone, Utc};
 use core::fmt;
@@ -292,17 +292,35 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
     }
     async fn authorize(config: &AcmeConfig<EC, EA>, resolver: &ResolvesServerCertAcme, account: &Account, url: &String) -> Result<(), OrderError> {
         let auth = account.auth(&config.client_config, url).await?;
-        let (domain, challenge_url) = match auth.status {
+        let (domain, challenge_url, token) = match auth.status {
             AuthStatus::Pending => {
                 let Identifier::Dns(domain) = auth.identifier;
                 log::info!("trigger challenge for {}", &domain);
-                let (challenge, auth_key) = account.tls_alpn_01(&auth.challenges, domain.clone())?;
-                resolver.set_auth_key(domain.clone(), Arc::new(auth_key));
+                let challenge = match config.challenge_type {
+                    UseChallenge::Http01 => {
+                        let (challenge, key_auth) = account.http_01(&auth.challenges)?;
+                        resolver.set_key_auth(challenge.token.clone(), Arc::new(Vec::from(key_auth.as_ref())));
+                        challenge
+                    }
+                    UseChallenge::TlsAlpn01 => {
+                        let (challenge, auth_key) = account.tls_alpn_01(&auth.challenges, domain.clone())?;
+                        resolver.set_auth_key(domain.clone(), Arc::new(auth_key));
+                        challenge
+                    }
+                };
                 account.challenge(&config.client_config, &challenge.url).await?;
-                (domain, challenge.url.clone())
+                (domain, challenge.url.clone(), challenge.token.clone())
+            }
+            AuthStatus::Valid => {
+                //clear all tokens from challenges when auth is valid
+                auth.challenges.iter().map(|c| &c.token).for_each(|t| resolver.clear_key_auth(t));
+                return Ok(());
             }
-            AuthStatus::Valid => return Ok(()),
-            _ => return Err(OrderError::BadAuth(auth)),
+            _ => {
+                // clear all tokens from challenges when auth is invalid
+                auth.challenges.iter().map(|c| &c.token).for_each(|t| resolver.clear_key_auth(t));
+                return Err(OrderError::BadAuth(auth))
+            },
         };
         for i in 0u64..5 {
             Timer::after(Duration::from_secs(1u64 << i)).await;
@@ -312,8 +330,16 @@ impl<EC: 'static + Debug, EA: 'static + Debug> AcmeState<EC, EA> {
                     log::info!("authorization for {} still pending", &domain);
                     account.challenge(&config.client_config, &challenge_url).await?
                 }
-                AuthStatus::Valid => return Ok(()),
-                _ => return Err(OrderError::BadAuth(auth)),
+                AuthStatus::Valid => {
+                    // clear token from chosen challenge when auth validated
+                    resolver.clear_key_auth(&token);
+                    return Ok(())
+                },
+                _ => {
+                    // clear token from chosen challenge when auth invalidated
+                    resolver.clear_key_auth(&token);
+                    return Err(OrderError::BadAuth(auth))
+                },
             }
         }
         Err(OrderError::TooManyAttemptsAuth(domain))