-rw-r--r--usr.sbin/acme-client/acme-client.conf.510
-rw-r--r--usr.sbin/acme-client/extern.h5
-rw-r--r--usr.sbin/acme-client/json.c39
-rw-r--r--usr.sbin/acme-client/main.c8
-rw-r--r--usr.sbin/acme-client/netproc.c10
-rw-r--r--usr.sbin/acme-client/parse.h3
-rw-r--r--usr.sbin/acme-client/parse.y14
7 files changed, 54 insertions, 35 deletions
diff --git a/usr.sbin/acme-client/acme-client.conf.5 b/usr.sbin/acme-client/acme-client.conf.5
index 9c65db0ff1e..061fb7ac21b 100644
--- a/usr.sbin/acme-client/acme-client.conf.5
+++ b/usr.sbin/acme-client/acme-client.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acme-client.conf.5,v 1.10 2017/03/29 17:16:24 tj Exp $
+.\" $OpenBSD: acme-client.conf.5,v 1.11 2017/11/27 01:58:52 florian Exp $
.\"
.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org>
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -17,7 +17,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: March 29 2017 $
+.Dd $Mdocdate: November 27 2017 $
.Dt ACME-CLIENT.CONF 5
.Os
.Sh NAME
@@ -86,11 +86,6 @@ It is followed by a block of options enclosed in curly brackets:
Specify a
.Ar file
used to identify the user of this CA.
-.It Ic agreement url Ar url
-Specify the
-.Ar url
-of a contract under which the certificates are supplied by the certificate
-authority.
.It Ic api url Ar url
Specify the
.Ar url
@@ -100,7 +95,6 @@ under which the ACME API is reachable.
An example authority block:
.Bd -literal -offset indent
authority letsencrypt {
- agreement url https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
api url "https://acme-v01.api.letsencrypt.org/directory"
account key "/etc/ssl/private/my-acme.key"
}
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
index 18e53ddd112..dda2edde484 100644
--- a/usr.sbin/acme-client/extern.h
+++ b/usr.sbin/acme-client/extern.h
@@ -1,4 +1,4 @@
-/* $Id: extern.h,v 1.8 2017/01/21 08:54:26 florian Exp $ */
+/* $Id: extern.h,v 1.9 2017/11/27 01:58:52 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -162,6 +162,7 @@ struct capaths {
char *newcert; /* sign certificate */
char *newreg; /* new acme account */
char *revokecert; /* revoke certificate */
+ char *agreement; /* terms of service */
};
struct jsmnn;
@@ -184,7 +185,7 @@ int keyproc(int, const char *,
const char **, size_t, int);
int netproc(int, int, int, int, int, int, int, int,
struct authority_c *, const char *const *,
- size_t, const char *);
+ size_t);
/*
* Debugging functions.
diff --git a/usr.sbin/acme-client/json.c b/usr.sbin/acme-client/json.c
index e800799fbde..d985e200e8d 100644
--- a/usr.sbin/acme-client/json.c
+++ b/usr.sbin/acme-client/json.c
@@ -1,4 +1,4 @@
-/* $Id: json.c,v 1.9 2017/01/24 13:32:55 jsing Exp $ */
+/* $Id: json.c,v 1.10 2017/11/27 01:58:52 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -257,6 +257,33 @@ json_getarray(struct jsmnn *n, const char *name)
}
/*
+ * Extract subtree from the returned JSON object, making sure that it's
+ * the correct type.
+ * Returns NULL on failure.
+ */
+static struct jsmnn *
+json_getobj(struct jsmnn *n, const char *name)
+{
+ size_t i;
+
+ if (n->type != JSMN_OBJECT)
+ return NULL;
+ for (i = 0; i < n->fields; i++) {
+ if (n->d.obj[i].lhs->type != JSMN_STRING &&
+ n->d.obj[i].lhs->type != JSMN_PRIMITIVE)
+ continue;
+ else if (strcmp(name, n->d.obj[i].lhs->d.str))
+ continue;
+ break;
+ }
+ if (i == n->fields)
+ return NULL;
+ if (n->d.obj[i].rhs->type != JSMN_OBJECT)
+ return NULL;
+ return n->d.obj[i].rhs;
+}
+
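Review bot: The field lookup at the top of json_getobj (lhs type check, then strcmp against `lhs->d.str`) looks like the same loop json_getstr and json_getarray must contain, judging from their descriptions; only the rhs type test at the end differs. If that is the case, a shared `json_getfield()` returning the matching rhs node would let all three getters be one-liners and keep the lhs handling (the JSMN_PRIMITIVE case in particular) in a single place. The bodies of the sibling getters are outside this hunk, so I cannot confirm the duplication from here.
```c
/* Return the rhs node of field "name" in object n, or NULL if absent. */
static struct jsmnn *
json_getfield(struct jsmnn *n, const char *name)
{
	size_t i;

	if (n->type != JSMN_OBJECT)
		return NULL;
	for (i = 0; i < n->fields; i++) {
		if (n->d.obj[i].lhs->type != JSMN_STRING &&
		    n->d.obj[i].lhs->type != JSMN_PRIMITIVE)
			continue;
		if (strcmp(name, n->d.obj[i].lhs->d.str) == 0)
			return n->d.obj[i].rhs;
	}
	return NULL;
}

static struct jsmnn *
json_getobj(struct jsmnn *n, const char *name)
{
	struct jsmnn *rhs = json_getfield(n, name);

	return (rhs != NULL && rhs->type == JSMN_OBJECT) ? rhs : NULL;
}
```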
+/*
* Extract a single string from the returned JSON object, making sure
* that it's the correct type.
* Returns NULL on failure.
@@ -373,17 +400,24 @@ json_parse_challenge(struct jsmnn *n, struct chng *p)
int
json_parse_capaths(struct jsmnn *n, struct capaths *p)
{
+ struct jsmnn *meta;
if (n == NULL)
return 0;
+ meta = json_getobj(n, "meta");
+
+ if (meta == NULL)
+ return 0;
+
p->newauthz = json_getstr(n, "new-authz");
p->newcert = json_getstr(n, "new-cert");
p->newreg = json_getstr(n, "new-reg");
p->revokecert = json_getstr(n, "revoke-cert");
+ p->agreement = json_getstr(meta, "terms-of-service");
return p->newauthz != NULL && p->newcert != NULL &&
- p->newreg != NULL && p->revokecert != NULL;
+ p->newreg != NULL && p->revokecert != NULL && p->agreement != NULL;
}
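Review bot: json_parse_capaths now fails outright when the directory has no "meta" object or no "terms-of-service" string in it, yet the only consumer of p->agreement in this commit is the new-registration path (donewreg in netproc.c); a CA that does not advertise terms of service would now break every run, including renewals that never register. As far as I know the ACME directory's meta/terms-of-service is optional, so I would make it optional here too: `if ((meta = json_getobj(n, "meta")) != NULL) p->agreement = json_getstr(meta, "terms-of-service");` and leave the return expression as it was, letting donewreg reject a NULL agreement only when it actually needs one. If the intent really is to require it for this CA, a comment saying so next to the `meta == NULL` check would save the next reader the same question.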
/*
@@ -397,6 +431,7 @@ json_free_capaths(struct capaths *p)
free(p->newcert);
free(p->newreg);
free(p->revokecert);
+ free(p->agreement);
memset(p, 0, sizeof(struct capaths));
}
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index a6ce6190b8a..58eb0d40175 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.35 2017/05/27 08:31:08 florian Exp $ */
+/* $Id: main.c,v 1.36 2017/11/27 01:58:52 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -39,7 +39,7 @@ main(int argc, char *argv[])
char *certdir = NULL, *certfile = NULL;
char *chainfile = NULL, *fullchainfile = NULL;
char *acctkey = NULL;
- char *chngdir = NULL, *auth = NULL, *agreement = NULL;
+ char *chngdir = NULL, *auth = NULL;
char *conffile = CONF_FILE;
int key_fds[2], acct_fds[2], chng_fds[2], cert_fds[2];
int file_fds[2], dns_fds[2], rvk_fds[2];
@@ -154,7 +154,6 @@ main(int argc, char *argv[])
errx(EXIT_FAILURE, "authority %s not found", auth);
}
- agreement = authority->agreement;
acctkey = authority->account;
if (acctkey == NULL) {
@@ -259,8 +258,7 @@ main(int argc, char *argv[])
chng_fds[1], cert_fds[1],
dns_fds[1], rvk_fds[1],
(popts & ACME_OPT_NEWACCT), revocate, authority,
- (const char *const *)alts, altsz,
- agreement);
+ (const char *const *)alts, altsz);
free(alts);
exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
}
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index a4bcc542dbe..1c2f7f125c9 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/* $Id: netproc.c,v 1.13 2017/01/24 13:32:55 jsing Exp $ */
+/* $Id: netproc.c,v 1.14 2017/11/27 01:58:52 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -325,7 +325,7 @@ sreq(struct conn *c, const char *addr, const char *req)
* Returns non-zero on success.
*/
static int
-donewreg(struct conn *c, const char *agreement, const struct capaths *p)
+donewreg(struct conn *c, const struct capaths *p)
{
int rc = 0;
char *req;
@@ -333,7 +333,7 @@ donewreg(struct conn *c, const char *agreement, const struct capaths *p)
dodbg("%s: new-reg", p->newreg);
- if ((req = json_fmt_newreg(agreement)) == NULL)
+ if ((req = json_fmt_newreg(p->agreement)) == NULL)
warnx("json_fmt_newreg");
else if ((lc = sreq(c, p->newreg, req)) < 0)
warnx("%s: bad comm", p->newreg);
@@ -567,7 +567,7 @@ dofullchain(struct conn *c, const char *addr)
int
netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
int newacct, int revocate, struct authority_c *authority,
- const char *const *alts,size_t altsz, const char *agreement)
+ const char *const *alts,size_t altsz)
{
int rc = 0;
size_t i;
@@ -673,7 +673,7 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
/* If new, register with the CA server. */
- if (newacct && ! donewreg(&c, agreement, &paths))
+ if (newacct && ! donewreg(&c, &paths))
goto out;
/* Pre-authorise all domains with CA server. */
diff --git a/usr.sbin/acme-client/parse.h b/usr.sbin/acme-client/parse.h
index 4993912830a..fc5d1ae5ec1 100644
--- a/usr.sbin/acme-client/parse.h
+++ b/usr.sbin/acme-client/parse.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.h,v 1.7 2017/01/21 12:59:06 benno Exp $ */
+/* $OpenBSD: parse.h,v 1.8 2017/11/27 01:58:52 florian Exp $ */
/*
* Copyright (c) 2016 Sebastian Benoit <benno@openbsd.org>
*
@@ -30,7 +30,6 @@
struct authority_c {
TAILQ_ENTRY(authority_c) entry;
char *name;
- char *agreement;
char *api;
char *account;
};
diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y
index 13e71039d9f..7882c24527e 100644
--- a/usr.sbin/acme-client/parse.y
+++ b/usr.sbin/acme-client/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.18 2017/10/19 06:49:46 jsg Exp $ */
+/* $OpenBSD: parse.y,v 1.19 2017/11/27 01:58:52 florian Exp $ */
/*
* Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -189,14 +189,8 @@ authorityopts_l : authorityopts_l authorityoptsl nl
;
authorityoptsl : AGREEMENT URL STRING {
- char *s;
- if (auth->agreement != NULL) {
- yyerror("duplicate agreement");
- YYERROR;
- }
- if ((s = strdup($3)) == NULL)
- err(EXIT_FAILURE, "strdup");
- auth->agreement = s;
+ warnx("\"agreement url\" is deprecated.");
+ /* XXX remove after 6.3 */
}
| API URL STRING {
char *s;
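Review bot: The deprecated `AGREEMENT URL STRING` action discards `$3` without freeing it; the `api url` branch right below takes a `strdup($3)` rather than `$3` itself, which suggests STRING tokens are lexer-allocated and the other rules release them, so this branch should probably end with `free($3);` like its siblings (the tail of those rules is outside the hunk, so please verify). The warning would also be more useful if it told the operator what happens to the value: `warnx("\"agreement url\" is deprecated and ignored; the terms of service are taken from the CA's directory.");`, which matches the new json_parse_capaths behaviour in this commit.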
@@ -965,8 +959,6 @@ print_config(struct acme_conf *xconf)
TAILQ_FOREACH(a, &xconf->authority_list, entry) {
printf("authority %s {\n", a->name);
- if (a->agreement != NULL)
- printf("\tagreement url \"%s\"\n", a->agreement);
if (a->api != NULL)
printf("\tapi url \"%s\"\n", a->api);
if (a->account != NULL)