ACME: allow specifying preferred or required profile.

This change implements [draft-ietf-acme-profiles] version 00.

[draft-ietf-acme-profiles]: https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/

Fixes: #4.

Author: bavshin-f5

README.md

@@ -15,10 +15,12 @@ The module implements following specifications:
     - Only HTTP-01 challenge type is supported
 - [RFC8737] (ACME TLS Application-Layer Protocol Negotiation (ALPN) Challenge
   Extension)
+- [draft-ietf-acme-profiles] (ACME Profiles Extension, version 00)
 
 [NGINX]: https://nginx.org/
 [RFC8555]: https://datatracker.ietf.org/doc/html/rfc8555
 [RFC8737]: https://datatracker.ietf.org/doc/html/rfc8737
+[draft-ietf-acme-profiles]: https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/
 
 ## Getting Started
 
@@ -283,6 +285,21 @@ In both cases, the key is expected to be encoded in
 
 [RFC8555#eab]: https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.4
 
+### profile
+
+**Syntax:** **`profile`** _`name`_ \[`require`]
+
+**Default:** -
+
+**Context:** acme_issuer
+
+Requests the supported [certificate profile][draft-ietf-acme-profiles]
+_`name`_ from the ACME server.
+
+The `require` parameter will cause the account registration and certificate
+renewals to fail if the ACME server does not advertise support for the
+specified profile.
+
 ### ssl_trusted_certificate
 
 **Syntax:** **`ssl_trusted_certificate`** _`file`_

src/acme.rs

@@ -23,7 +23,7 @@ use types::{AccountStatus, ProblemCategory};
 use self::account_key::{AccountKey, AccountKeyError};
 use self::types::{AuthorizationStatus, ChallengeKind, ChallengeStatus, OrderStatus};
 use crate::conf::identifier::Identifier;
-use crate::conf::issuer::Issuer;
+use crate::conf::issuer::{Issuer, Profile};
 use crate::conf::order::CertificateOrder;
 use crate::net::http::HttpClient;
 use crate::time::Time;
@@ -72,6 +72,7 @@ where
     log: NonNull<nginx_sys::ngx_log_t>,
     key: AccountKey,
     account: Option<String>,
+    profile: Option<&'a str>,
     nonce: NoncePool,
     directory: types::Directory,
     solvers: Vec<Box<dyn solvers::ChallengeSolver + Send + 'a>>,
@@ -131,6 +132,7 @@ where
             log,
             key,
             account: None,
+            profile: None,
             nonce: Default::default(),
             directory: Default::default(),
             solvers: Vec::new(),
@@ -299,6 +301,24 @@ where
             })
             .transpose()?;
 
+        self.profile = match self.issuer.profile {
+            Profile::Required(x) | Profile::Preferred(x)
+                if self.directory.meta.profiles.contains_key(x) =>
+            {
+                Some(x)
+            }
+            Profile::Preferred(x) => {
+                ngx::ngx_log_error!(
+                    nginx_sys::NGX_LOG_NOTICE,
+                    self.log.as_ptr(),
+                    "acme profile \"{x}\" is not supported by the server"
+                );
+                None
+            }
+            Profile::Required(_) => return Err(NewAccountError::Profile),
+            _ => None,
+        };
+
         let payload = types::AccountRequest {
             terms_of_service_agreed: self.issuer.accept_tos,
             contact: &self.issuer.contacts,
@@ -350,6 +370,7 @@ where
             identifiers: &identifiers,
             not_before: None,
             not_after: None,
+            profile: self.profile,
         };
 
         let payload = serde_json::to_string(&payload).map_err(RequestError::RequestFormat)?;

src/acme/error.rs

@@ -21,6 +21,9 @@ pub enum NewAccountError {
     #[error("external account key required")]
     ExternalAccount,
 
+    #[error("profile is not supported")]
+    Profile,
+
     #[error(transparent)]
     Protocol(#[from] Problem),
 
@@ -47,6 +50,7 @@ impl NewAccountError {
     pub fn is_invalid(&self) -> bool {
         match self {
             Self::ExternalAccount => true,
+            Self::Profile => true,
             Self::Protocol(err) => matches!(
                 err.category(),
                 ProblemCategory::Account | ProblemCategory::Malformed

src/acme/types.rs

@@ -10,7 +10,7 @@ use std::string::{String, ToString};
 
 use http::Uri;
 use ngx::collections::Vec;
-use serde::{Deserialize, Serialize};
+use serde::{de::IgnoredAny, Deserialize, Serialize};
 
 use crate::conf::identifier::Identifier;
 
@@ -22,6 +22,7 @@ pub struct DirectoryMetadata {
     pub website: Option<Uri>,
     pub caa_identities: Vec<String>,
     pub external_account_required: Option<bool>,
+    pub profiles: std::collections::BTreeMap<String, IgnoredAny>,
 }
 
 /// RFC8555 Section 7.1.1 Directory
@@ -118,6 +119,8 @@ pub struct OrderRequest<'a> {
     pub not_before: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub not_after: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub profile: Option<&'a str>,
 }
 
 #[derive(Clone, Debug, Deserialize, Eq, PartialEq)]
@@ -200,6 +203,7 @@ pub enum ErrorKind {
     ExternalAccountRequired,
     IncorrectResponse,
     InvalidContact,
+    InvalidProfile,
     Malformed,
     OrderNotReady,
     RateLimited,
@@ -232,6 +236,7 @@ const ERROR_KIND: &[(&str, ErrorKind)] = &[
     ),
     ("incorrectResponse", ErrorKind::IncorrectResponse),
     ("invalidContact", ErrorKind::InvalidContact),
+    ("invalidProfile", ErrorKind::InvalidProfile),
     ("malformed", ErrorKind::Malformed),
     ("orderNotReady", ErrorKind::OrderNotReady),
     ("rateLimited", ErrorKind::RateLimited),
@@ -331,6 +336,7 @@ impl Problem {
             | ErrorKind::BadSignatureAlgorithm
             | ErrorKind::ExternalAccountRequired
             | ErrorKind::InvalidContact
+            | ErrorKind::InvalidProfile
             | ErrorKind::UnsupportedContact
             | ErrorKind::UserActionRequired => ProblemCategory::Account,
 

src/conf.rs

@@ -84,7 +84,7 @@ pub static mut NGX_HTTP_ACME_COMMANDS: [ngx_command_t; 4] = [
     ngx_command_t::empty(),
 ];
 
-static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 10] = [
+static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 11] = [
     ngx_command_t {
         name: ngx_string!("uri"),
         type_: NGX_CONF_TAKE1 as ngx_uint_t,
@@ -125,6 +125,14 @@ static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 10] = [
         offset: 0,
         post: ptr::null_mut(),
     },
+    ngx_command_t {
+        name: ngx_string!("profile"),
+        type_: nginx_sys::NGX_CONF_TAKE12 as ngx_uint_t,
+        set: Some(cmd_issuer_set_profile),
+        conf: 0,
+        offset: 0,
+        post: ptr::null_mut(),
+    },
     ngx_command_t {
         name: ngx_string!("ssl_trusted_certificate"),
         type_: NGX_CONF_TAKE1 as ngx_uint_t,
@@ -496,6 +504,42 @@ extern "C" fn cmd_issuer_set_external_account_key(
     NGX_CONF_OK
 }
 
+extern "C" fn cmd_issuer_set_profile(
+    cf: *mut ngx_conf_t,
+    _cmd: *mut ngx_command_t,
+    conf: *mut c_void,
+) -> *mut c_char {
+    let cf = unsafe { cf.as_mut().expect("cf") };
+    let issuer = unsafe { conf.cast::<Issuer>().as_mut().expect("issuer conf") };
+
+    if !matches!(issuer.profile, issuer::Profile::Unset) {
+        return NGX_CONF_DUPLICATE;
+    }
+
+    // NGX_CONF_TAKE12 ensures that args contains either 2 or 3 elements
+    let args = cf.args();
+
+    // SAFETY: the value is not empty, well aligned, and the conversion result is assigned to an
+    // object in the same pool.
+    let Ok(profile) = (unsafe { conf_value_to_str(&args[1]) }) else {
+        return NGX_CONF_INVALID_VALUE;
+    };
+
+    let require = match args.get(2) {
+        Some(x) if x.as_ref() == b"require" => true,
+        Some(_) => return NGX_CONF_INVALID_VALUE,
+        None => false,
+    };
+
+    issuer.profile = if require {
+        issuer::Profile::Required(profile)
+    } else {
+        issuer::Profile::Preferred(profile)
+    };
+
+    NGX_CONF_OK
+}
+
 extern "C" fn cmd_issuer_set_uri(
     cf: *mut ngx_conf_t,
     _cmd: *mut ngx_command_t,

src/conf/issuer.rs

@@ -50,6 +50,7 @@ pub struct Issuer {
     pub challenge: Option<ChallengeKind>,
     pub contacts: Vec<&'static str, Pool>,
     pub eab_key: Option<ExternalAccountKey>,
+    pub profile: Profile,
     pub resolver: Option<NonNull<ngx_resolver_t>>,
     pub resolver_timeout: ngx_msec_t,
     pub ssl_trusted_certificate: ngx_str_t,
@@ -70,6 +71,13 @@ pub struct ExternalAccountKey {
     pub key: ngx_str_t,
 }
 
+#[derive(Debug)]
+pub enum Profile {
+    Preferred(&'static str),
+    Required(&'static str),
+    Unset,
+}
+
 #[derive(Debug, Error)]
 pub enum IssuerError {
     #[error("cannot load account key: {0}")]
@@ -102,6 +110,7 @@ impl Issuer {
             challenge: None,
             contacts: Vec::new_in(alloc.clone()),
             eab_key: None,
+            profile: Profile::Unset,
             resolver: None,
             resolver_timeout: NGX_CONF_UNSET_MSEC,
             ssl_trusted_certificate: ngx_str_t::empty(),