From 5982f4bcf03807afff020eb4581e1ba9a73daec1 Mon Sep 17 00:00:00 2001 From: neil Date: Fri, 28 Oct 2016 18:07:04 +0800 Subject: [PATCH 1/9] rename JWK_HEADER --- acme.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/acme.sh b/acme.sh index a09b1153..bd4da527 100755 --- a/acme.sh +++ b/acme.sh @@ -851,9 +851,9 @@ _calcjwk() { jwk='{"e": "'$e'", "kty": "RSA", "n": "'$n'"}' _debug3 jwk "$jwk" - HEADER='{"alg": "RS256", "jwk": '$jwk'}' - HEADERPLACE_PART1='{"nonce": "' - HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}' + JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}' + JWK_HEADERPLACE_PART1='{"nonce": "' + JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}' elif grep "BEGIN EC PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then _debug "EC key" EC_SIGN="1" @@ -892,15 +892,15 @@ _calcjwk() { jwk='{"kty": "EC", "crv": "'$crv'", "x": "'$x64'", "y": "'$y64'"}' _debug3 jwk "$jwk" - HEADER='{"alg": "ES256", "jwk": '$jwk'}' - HEADERPLACE_PART1='{"nonce": "' - HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}' + JWK_HEADER='{"alg": "ES256", "jwk": '$jwk'}' + JWK_HEADERPLACE_PART1='{"nonce": "' + JWK_HEADERPLACE_PART2='", "alg": "ES256", "jwk": '$jwk'}' else _err "Only RSA or EC key is supported." return 1 fi - _debug3 HEADER "$HEADER" + _debug3 JWK_HEADER "$JWK_HEADER" } _time() { @@ -1129,7 +1129,7 @@ _send_signed_request() { _debug3 nonce "$nonce" - protected="$HEADERPLACE_PART1$nonce$HEADERPLACE_PART2" + protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2" _debug3 protected "$protected" protected64="$(printf "$protected" | _base64 | _urlencode)" @@ -1138,7 +1138,7 @@ _send_signed_request() { sig=$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256" | _urlencode) _debug3 sig "$sig" - body="{\"header\": $HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" + body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}" _debug3 body "$body" From 1befee5aca2d6adb388ded34d169cdbb4a14757d Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 28 Oct 2016 20:56:18 +0800 Subject: [PATCH 2/9] fix performance --- acme.sh | 103 ++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 62 insertions(+), 41 deletions(-) diff --git a/acme.sh b/acme.sh index bd4da527..389377a1 100755 --- a/acme.sh +++ b/acme.sh @@ -833,6 +833,13 @@ _calcjwk() { _usage "Usage: _calcjwk keyfile" return 1 fi + + if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ] ; then + _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE" + return 0 + fi + + EC_SIGN="" if grep "BEGIN RSA PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then _debug "RSA key" @@ -901,6 +908,7 @@ _calcjwk() { fi _debug3 JWK_HEADER "$JWK_HEADER" + __CACHED_JWK_KEY_FILE="$keyfile" } _time() { @@ -929,35 +937,44 @@ _inithttp() { HTTP_HEADER="$(_mktemp)" _debug2 HTTP_HEADER "$HTTP_HEADER" fi - - if [ -z "$CURL" ] ; then - CURL="curl -L --silent --dump-header $HTTP_HEADER " - if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then - _CURL_DUMP="$(_mktemp)" - CURL="$CURL --trace-ascii $_CURL_DUMP " - fi - - if [ "$CA_BUNDLE" ] ; then - CURL="$CURL --cacert $CA_BUNDLE " - fi - - if [ "$HTTPS_INSECURE" ] ; then - CURL="$CURL --insecure " + + if [ "$__HTTP_INITIALIZED" ] ; then + if [ "$_ACME_CURL$_ACME_WGET" ] ; then + _debug2 "Http already initialized." + return 0 fi fi - if [ -z "$WGET" ] ; then - WGET="wget -q" + if [ -z "$_ACME_CURL" ] && _exists "curl" ; then + _ACME_CURL="curl -L --silent --dump-header $HTTP_HEADER " if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then - WGET="$WGET -d " + _CURL_DUMP="$(_mktemp)" + _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP " fi + if [ "$CA_BUNDLE" ] ; then - WGET="$WGET --ca-certificate $CA_BUNDLE " + _ACME_CURL="$_ACME_CURL --cacert $CA_BUNDLE " fi + if [ "$HTTPS_INSECURE" ] ; then - WGET="$WGET --no-check-certificate " + _ACME_CURL="$_ACME_CURL --insecure " fi fi + + if [ -z "$_ACME_WGET" ] && _exists "wget"; then + _ACME_WGET="wget -q" + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then + _ACME_WGET="$_ACME_WGET -d " + fi + if [ "$CA_BUNDLE" ] ; then + _ACME_WGET="$_ACME_WGET --ca-certificate $CA_BUNDLE " + fi + if [ "$HTTPS_INSECURE" ] ; then + _ACME_WGET="$_ACME_WGET --no-check-certificate " + fi + fi + + __HTTP_INITIALIZED=1 } @@ -978,8 +995,8 @@ _post() { _inithttp - if _exists "curl" ; then - _CURL="$CURL" + if [ "$_ACME_CURL" ] ; then + _CURL="$_ACME_CURL" _debug "_CURL" "$_CURL" if [ "$needbase64" ] ; then response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$url" | _base64)" @@ -994,19 +1011,19 @@ _post() { _err "$(cat "$_CURL_DUMP")" fi fi - elif _exists "wget" ; then - _debug "WGET" "$WGET" + elif [ "$_ACME_WGET" ] ; then + _debug "_ACME_WGET" "$_ACME_WGET" if [ "$needbase64" ] ; then if [ "$httpmethod" = "POST" ] ; then - response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)" + response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)" else - response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)" + response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER" | _base64)" fi else if [ "$httpmethod" = "POST" ] ; then - response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")" + response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$url" 2>"$HTTP_HEADER")" else - response="$($WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")" + response="$($_ACME_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$url" 2>"$HTTP_HEADER")" fi fi _ret="$?" @@ -1039,8 +1056,8 @@ _get() { _inithttp - if _exists "curl" ; then - _CURL="$CURL" + if [ "$_ACME_CURL" ] ; then + _CURL="$_ACME_CURL" if [ "$t" ] ; then _CURL="$_CURL --connect-timeout $t" fi @@ -1058,8 +1075,8 @@ _get() { _err "$(cat "$_CURL_DUMP")" fi fi - elif _exists "wget" ; then - _WGET="$WGET" + elif [ "$_ACME_WGET" ] ; then + _WGET="$_ACME_WGET" if [ "$t" ] ; then _WGET="$_WGET --timeout=$t" fi @@ -3194,19 +3211,23 @@ revoke() { data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}" uri="$API/acme/revoke-cert" - _info "Try domain key first." - if _send_signed_request $uri "$data" "" "$CERT_KEY_PATH"; then - if [ -z "$response" ] ; then - _info "Revoke success." - rm -f $CERT_PATH - return 0 - else - _err "Revoke error by domain key." - _err "$response" + if [ -f "$CERT_KEY_PATH" ] ; then + _info "Try domain key first." + if _send_signed_request $uri "$data" "" "$CERT_KEY_PATH"; then + if [ -z "$response" ] ; then + _info "Revoke success." + rm -f $CERT_PATH + return 0 + else + _err "Revoke error by domain key." + _err "$response" + fi fi + else + _info "Domain key file doesn't exists." fi - _info "Then try account key." + _info "Try account key." if _send_signed_request $uri "$data" "" "$ACCOUNT_KEY_PATH" ; then if [ -z "$response" ] ; then From 00bcbd367f6e14929b0b1a8c8d822ffe92b3e22c Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 28 Oct 2016 21:30:40 +0800 Subject: [PATCH 3/9] fix performance, use cached nonce --- acme.sh | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/acme.sh b/acme.sh index 389377a1..a6dc30c4 100755 --- a/acme.sh +++ b/acme.sh @@ -1132,18 +1132,23 @@ _send_signed_request() { payload64=$(printf "%s" "$payload" | _base64 | _urlencode) _debug3 payload64 $payload64 - nonceurl="$API/directory" - _headers="$(_get $nonceurl "onlyheader")" - - if [ "$?" != "0" ] ; then - _err "Can not connect to $nonceurl to get nonce." - return 1 + if [ -z "$_CACHED_NONCE" ] ; then + _debug2 "Get nonce." + nonceurl="$API/directory" + _headers="$(_get $nonceurl "onlyheader")" + + if [ "$?" != "0" ] ; then + _err "Can not connect to $nonceurl to get nonce." + return 1 + fi + + _debug3 _headers "$_headers" + + _CACHED_NONCE="$( echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" + else + _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE" fi - - _debug3 _headers "$_headers" - - nonce="$( echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" - + nonce="$_CACHED_NONCE" _debug3 nonce "$nonce" protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2" @@ -1160,6 +1165,7 @@ _send_signed_request() { response="$(_post "$body" $url "$needbase64")" + _CACHED_NONCE="" if [ "$?" != "0" ] ; then _err "Can not post to $url" return 1 @@ -1168,12 +1174,14 @@ _send_signed_request() { response="$( echo "$response" | _normalizeJson )" - responseHeaders="$(cat $HTTP_HEADER)" + responseHeaders="$(cat "$HTTP_HEADER")" _debug2 responseHeaders "$responseHeaders" _debug2 response "$response" code="$(grep "^HTTP" $HTTP_HEADER | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n" )" _debug code $code + + _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)" } From 8a29fbc850b49c76ad6da65a9f81344e609ef1c4 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 28 Oct 2016 22:45:19 +0800 Subject: [PATCH 4/9] do not register account if already registered --- acme.sh | 115 +++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 76 insertions(+), 39 deletions(-) diff --git a/acme.sh b/acme.sh index a6dc30c4..9b37b2e8 100755 --- a/acme.sh +++ b/acme.sh @@ -1223,60 +1223,85 @@ _setopt() { _debug2 "$(grep -n "^$__opt$__sep" $__conf)" } + +#_save_conf file key value +#save to conf +_save_conf() { + _s_c_f="$1" + _sdkey="$2" + _sdvalue="$3" + if [ "$_s_c_f" ] ; then + _setopt "$_s_c_f" "$_sdkey" "=" "'$_sdvalue'" + else + _err "config file is empty, can not save $_sdkey=$_sdvalue" + fi +} + +#_clear_conf file key +_clear_conf() { + _c_c_f="$1" + _sdkey="$2" + if [ "$_c_c_f" ] ; then + _sed_i "s/^$_sdkey.*$//" "$_c_c_f" + else + _err "config file is empty, can not clear" + fi +} + +#_read_conf file key +_read_conf() { + _r_c_f="$1" + _sdkey="$2" + if [ -f "$_r_c_f" ] ; then + ( + eval $(grep "^$_sdkey *=" "$_r_c_f") + eval "printf \"%s\" \"\$$_sdkey\"" + ) + else + _err "config file is empty, can not read $_sdkey" + fi +} + + #_savedomainconf key value #save to domain.conf _savedomainconf() { - _sdkey="$1" - _sdvalue="$2" - if [ "$DOMAIN_CONF" ] ; then - _setopt "$DOMAIN_CONF" "$_sdkey" "=" "\"$_sdvalue\"" - else - _err "DOMAIN_CONF is empty, can not save $_sdkey=$_sdvalue" - fi + _save_conf "$DOMAIN_CONF" "$1" "$2" } #_cleardomainconf key _cleardomainconf() { - _sdkey="$1" - if [ "$DOMAIN_CONF" ] ; then - _sed_i "s/^$_sdkey.*$//" "$DOMAIN_CONF" - else - _err "DOMAIN_CONF is empty, can not save $_sdkey=$value" - fi + _clear_conf "$DOMAIN_CONF" "$1" } #_readdomainconf key _readdomainconf() { - _sdkey="$1" - if [ "$DOMAIN_CONF" ] ; then - ( - eval $(grep "^$_sdkey *=" "$DOMAIN_CONF") - eval "printf \"%s\" \"\$$_sdkey\"" - ) - else - _err "DOMAIN_CONF is empty, can not read $_sdkey" - fi + _read_conf "$DOMAIN_CONF" "$1" } #_saveaccountconf key value _saveaccountconf() { - _sckey="$1" - _scvalue="$2" - if [ "$ACCOUNT_CONF_PATH" ] ; then - _setopt "$ACCOUNT_CONF_PATH" "$_sckey" "=" "'$_scvalue'" - else - _err "ACCOUNT_CONF_PATH is empty, can not save $_sckey=$_scvalue" - fi + _save_conf "$ACCOUNT_CONF_PATH" "$1" "$2" } #_clearaccountconf key _clearaccountconf() { - _scvalue="$1" - if [ "$ACCOUNT_CONF_PATH" ] ; then - _sed_i "s/^$_scvalue.*$//" "$ACCOUNT_CONF_PATH" - else - _err "ACCOUNT_CONF_PATH is empty, can not clear $_scvalue" - fi + _clear_conf "$ACCOUNT_CONF_PATH" "$1" +} + +#_savecaconf key value +_savecaconf() { + _save_conf "$CA_CONF" "$1" "$2" +} + +#_readcaconf key +_readcaconf() { + _read_conf "$CA_CONF" "$1" +} + +#_clearaccountconf key +_clearcaconf() { + _clear_conf "$CA_CONF" "$1" } # content localaddress @@ -2047,6 +2072,10 @@ registeraccount() { _regAccount } +__calcAccountKeyHash() { + cat "$ACCOUNT_KEY_PATH" | _digest sha256 +} + _regAccount() { _initpath @@ -2131,6 +2160,10 @@ _regAccount() { fi if [ "$code" = '202' ] ; then _info "Update success." + + CA_KEY_HASH="$(__calcAccountKeyHash)" + _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH" + _savecaconf CA_KEY_HASH "$CA_KEY_HASH" else _err "Update account error." return 1 @@ -2280,11 +2313,15 @@ issue() { return 1 fi - if ! _regAccount ; then - _on_issue_err - return 1 - fi + _saved_account_key_hash="$(_readcaconf "CA_KEY_HASH")" + _debug2 _saved_account_key_hash "$_saved_account_key_hash" + if [ -z "$_saved_account_key_hash" ] || [ "$_saved_account_key_hash" != "$(__calcAccountKeyHash)" ] ; then + if ! _regAccount ; then + _on_issue_err + return 1 + fi + fi if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ] ; then _info "Signing from existing CSR." From cae203be71d7ffe2cd2d37ffc328b0b941e46d50 Mon Sep 17 00:00:00 2001 From: neilpang Date: Fri, 28 Oct 2016 23:30:32 +0800 Subject: [PATCH 5/9] fix thumbprint --- acme.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/acme.sh b/acme.sh index 9b37b2e8..858a57da 100755 --- a/acme.sh +++ b/acme.sh @@ -2109,8 +2109,6 @@ _regAccount() { while true ; do _debug AGREEMENT "$AGREEMENT" - accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' ) - thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode) regjson='{"resource": "'$_reg_res'", "agreement": "'$AGREEMENT'"}' @@ -2348,8 +2346,8 @@ issue() { _savedomainconf "Le_Keylength" "$Le_Keylength" vlist="$Le_Vlist" - # verify each domain - _info "Verify each domain" + + _info "Getting domain auth token for each domain" sep='#' if [ -z "$vlist" ] ; then alldomains=$(echo "$Le_Domain,$Le_Alt" | tr ',' ' ' ) @@ -2380,7 +2378,12 @@ issue() { _on_issue_err return 1 fi - + + if [ -z "$thumbprint" ] ; then + accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' ) + thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode) + fi + entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" if [ -z "$entry" ] ; then @@ -2394,7 +2397,7 @@ issue() { uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*'| cut -d : -f 2,3 | tr -d '"' )" _debug uri $uri - + keyauthorization="$token.$thumbprint" _debug keyauthorization "$keyauthorization" From 5dbf664a6bd02e72f581bbf77412c477de49a336 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 29 Oct 2016 10:53:45 +0800 Subject: [PATCH 6/9] minor, reduce the sleep time. --- acme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acme.sh b/acme.sh index 858a57da..4b7bedff 100755 --- a/acme.sh +++ b/acme.sh @@ -1476,7 +1476,7 @@ _starttlsserver() { fi serverproc="$!" - sleep 2 + sleep 1 _debug serverproc $serverproc } @@ -2541,7 +2541,7 @@ issue() { return 1 fi serverproc="$!" - sleep 2 + sleep 1 _debug serverproc $serverproc else @@ -2641,8 +2641,8 @@ issue() { return 1 fi - _debug "sleep 5 secs to verify" - sleep 5 + _debug "sleep 2 secs to verify" + sleep 2 _debug "checking" response="$(_get $uri)" if [ "$?" != "0" ] ; then From 18256c49231bd5be7ee71f42a0e9c0640da22b30 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 29 Oct 2016 11:08:18 +0800 Subject: [PATCH 7/9] fix issue cache jwk for ecc key only --- acme.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/acme.sh b/acme.sh index 4b7bedff..04105854 100755 --- a/acme.sh +++ b/acme.sh @@ -834,15 +834,18 @@ _calcjwk() { return 1 fi - if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ] ; then - _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE" - return 0 - fi + EC_SIGN="" if grep "BEGIN RSA PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then _debug "RSA key" + + if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ] ; then + _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE" + return 0 + fi + pub_exp=$(openssl rsa -in $keyfile -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) if [ "${#pub_exp}" = "5" ] ; then pub_exp=0$pub_exp @@ -861,6 +864,7 @@ _calcjwk() { JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}' JWK_HEADERPLACE_PART1='{"nonce": "' JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}' + __CACHED_JWK_KEY_FILE="$keyfile" elif grep "BEGIN EC PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then _debug "EC key" EC_SIGN="1" @@ -908,7 +912,7 @@ _calcjwk() { fi _debug3 JWK_HEADER "$JWK_HEADER" - __CACHED_JWK_KEY_FILE="$keyfile" + } _time() { From 8c76b8bc36003b1e5488d0cd71ca9758c34a8b29 Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 29 Oct 2016 11:15:45 +0800 Subject: [PATCH 8/9] do not cache thumbprint for issues for ecc account key --- acme.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/acme.sh b/acme.sh index 04105854..19c2c1f7 100755 --- a/acme.sh +++ b/acme.sh @@ -833,10 +833,7 @@ _calcjwk() { _usage "Usage: _calcjwk keyfile" return 1 fi - - - EC_SIGN="" if grep "BEGIN RSA PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then _debug "RSA key" @@ -2383,11 +2380,10 @@ issue() { return 1 fi - if [ -z "$thumbprint" ] ; then - accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' ) - thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode) - fi - + + accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' ) + thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode) + entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" if [ -z "$entry" ] ; then From ae2db62f1cddfe96cff9c79ac74236edd69c8c2c Mon Sep 17 00:00:00 2001 From: neilpang Date: Sat, 29 Oct 2016 12:14:48 +0800 Subject: [PATCH 9/9] fix issues for ECC account key. --- acme.sh | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/acme.sh b/acme.sh index 19c2c1f7..d6fb1c47 100755 --- a/acme.sh +++ b/acme.sh @@ -833,16 +833,16 @@ _calcjwk() { _usage "Usage: _calcjwk keyfile" return 1 fi - + + if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ] ; then + _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE" + return 0 + fi + + EC_SIGN="" if grep "BEGIN RSA PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then _debug "RSA key" - - if [ "$JWK_HEADER" ] && [ "$__CACHED_JWK_KEY_FILE" = "$keyfile" ] ; then - _debug2 "Use cached jwk for file: $__CACHED_JWK_KEY_FILE" - return 0 - fi - pub_exp=$(openssl rsa -in $keyfile -noout -text | grep "^publicExponent:"| cut -d '(' -f 2 | cut -d 'x' -f 2 | cut -d ')' -f 1) if [ "${#pub_exp}" = "5" ] ; then pub_exp=0$pub_exp @@ -861,7 +861,6 @@ _calcjwk() { JWK_HEADER='{"alg": "RS256", "jwk": '$jwk'}' JWK_HEADERPLACE_PART1='{"nonce": "' JWK_HEADERPLACE_PART2='", "alg": "RS256", "jwk": '$jwk'}' - __CACHED_JWK_KEY_FILE="$keyfile" elif grep "BEGIN EC PRIVATE KEY" "$keyfile" > /dev/null 2>&1 ; then _debug "EC key" EC_SIGN="1" @@ -897,7 +896,7 @@ _calcjwk() { y64="$(printf $y | tr -d : | _h2b | _base64 | _urlencode)" _debug3 y64 "$y64" - jwk='{"kty": "EC", "crv": "'$crv'", "x": "'$x64'", "y": "'$y64'"}' + jwk='{"crv": "'$crv'", "kty": "EC", "x": "'$x64'", "y": "'$y64'"}' _debug3 jwk "$jwk" JWK_HEADER='{"alg": "ES256", "jwk": '$jwk'}' @@ -909,7 +908,7 @@ _calcjwk() { fi _debug3 JWK_HEADER "$JWK_HEADER" - + __CACHED_JWK_KEY_FILE="$keyfile" } _time() { @@ -2380,10 +2379,11 @@ issue() { return 1 fi - - accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' ) - thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode) - + if [ -z "$thumbprint" ] ; then + accountkey_json=$(printf "%s" "$jwk" | tr -d ' ' ) + thumbprint=$(printf "%s" "$accountkey_json" | _digest "sha256" | _urlencode) + fi + entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')" _debug entry "$entry" if [ -z "$entry" ] ; then