sendnrw/goacme
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Changes
Some checks failed
release-tag / release-image (push) Failing after 2m5s
Details

Browse Source
This commit is contained in:
jbergner
2025-04-29 10:31:33 +02:00
parent 9c293716cf
commit b6c39eda74
1 changed files with 543 additions and 545 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
main.go
View File

@@ -24,14 +24,12 @@ import (
"bytes"
"context"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"crypto/x509/pkix"
"database/sql"
"encoding/asn1"
"encoding/base64"
"encoding/json"
"encoding/pem"
"errors"
@@ -224,7 +222,7 @@ type ca struct {
db *mysqlStore
mu sync.RWMutex // guards ocspCache / crlCache
ocspCache []byte
//ocspCache []byte
crlCache []byte
}
@@ -586,10 +584,8 @@ func (s *server) handleFinalize(ctx context.Context, w http.ResponseWriter, r *h
return
}
// order ID is last element
orderID := path.Base(r.URL.Path)
// Parse CSR (DER) payload contains base64encoded CSR per RFC 8555 §7.4
var in struct {
CSR string `json:"csr"`
}
@@ -597,7 +593,7 @@ func (s *server) handleFinalize(ctx context.Context, w http.ResponseWriter, r *h
http.Error(w, "bad csr wrapper", 400)
return
}
csrDER, err := jose.Base64URLDecode(in.CSR)
csrDER, err := base64.RawURLEncoding.DecodeString(in.CSR)
if err != nil {
http.Error(w, "bad csr b64", 400)
return
@@ -613,8 +609,10 @@ func (s *server) handleFinalize(ctx context.Context, w http.ResponseWriter, r *h
return
}
// Build leaf cert (valid 90 days, keyusage TLSserver)
serial := big.NewInt(0).SetBytes(sha256.Sum256([]byte(uuid.New().String()))[:])
// --- FIX: sha256.Sum256 liefert ein [32]byte zuerst in Variable legen
hash := sha256.Sum256([]byte(uuid.New().String()))
serial := new(big.Int).SetBytes(hash[:])
tmpl := &x509.Certificate{
SerialNumber: serial,
Subject: csr.Subject,
@@ -640,14 +638,12 @@ func (s *server) handleFinalize(ctx context.Context, w http.ResponseWriter, r *h
return
}
// Link order → valid & cert URL
certURL := fmt.Sprintf("https://%s/acme/cert/%s", r.Host, certID)
if _, err := s.db.db.ExecContext(ctx, `UPDATE orders SET status='valid',payload=?,finalize_url=? WHERE id=?`, pay.Data, certURL, orderID); err != nil {
http.Error(w, "db", 500)
return
}
// Response must include chain (leaf + CA) in PEM order per RFC 8555 §7.4
var buf bytes.Buffer
_ = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
_ = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: s.ca.cert.Raw})
@@ -687,7 +683,9 @@ func (s *server) handleRevoke(ctx context.Context, w http.ResponseWriter, r *htt
nonce := uuid.New().String()
_ = s.db.putNonce(ctx, nonce)
s.jsonResponse(w, 200, struct{ Status string `json:"status"` }{Status: "revoked"}, nonce)
s.jsonResponse(w, 200, struct {
Status string `json:"status"`
}{Status: "revoked"}, nonce)
}
func (s *server) handleOCSP(ctx context.Context, w http.ResponseWriter, r *http.Request) {