fixup! ACME: certificate issue and renewal implementation.

Author: bavshin-f5

src/acme.rs

@@ -12,7 +12,7 @@ use ngx::async_::sleep;
 use ngx::collections::Vec;
 use ngx::ngx_log_debug;
 use openssl::pkey::{PKey, PKeyRef, Private};
-use openssl::x509::{self, extension as x509_ext, X509Req, X509};
+use openssl::x509::{self, extension as x509_ext, X509Req};
 
 use self::account_key::AccountKey;
 use self::types::{AuthorizationStatus, ChallengeKind, ChallengeStatus, OrderStatus};
@@ -31,7 +31,6 @@ static REPLAY_NONCE: http::HeaderName = http::HeaderName::from_static("replay-no
 
 pub struct NewCertificateOutput {
     pub chain: Bytes,
-    pub x509: Vec<X509>,
     pub pkey: PKey<Private>,
 }
 
@@ -85,7 +84,13 @@ where
     Http: HttpClient,
 {
     pub fn new(http: Http, issuer: &'a Issuer, log: NonNull<nginx_sys::ngx_log_t>) -> Result<Self> {
-        let key = AccountKey::new(issuer.pkey.as_ref().expect("account key"))?;
+        let key = AccountKey::try_from(
+            issuer
+                .pkey
+                .as_ref()
+                .expect("checked during configuration load")
+                .as_ref(),
+        )?;
 
         Ok(Self {
             issuer,
@@ -367,10 +372,7 @@ where
 
         let chain = self.post(&certificate, b"").await?.into_body();
 
-        // FIXME: avoid reallocation from std::vec::Vec.
-        let x509 = Vec::from_iter(X509::stack_from_pem(&chain)?);
-
-        Ok(NewCertificateOutput { chain, x509, pkey })
+        Ok(NewCertificateOutput { chain, pkey })
     }
 
     async fn do_authorization(

src/acme/account_key.rs

@@ -28,21 +28,6 @@ enum AccountKeyInner {
 }
 
 impl AccountKey {
-    pub fn new(key: &PKeyRef<Private>) -> Result<Self, AccountKeyError> {
-        let inner = match key.id() {
-            Id::EC => key.try_into().map(AccountKeyInner::ShaWithEcdsa),
-            Id::RSA => key.try_into().map(AccountKeyInner::ShaWithRsa),
-            id => Err(NewKeyError::Algorithm(id)),
-        }?;
-
-        let thumbprint = match inner {
-            AccountKeyInner::ShaWithEcdsa(ref key) => key.thumbprint(),
-            AccountKeyInner::ShaWithRsa(ref key) => key.thumbprint(),
-        }?;
-
-        Ok(Self { inner, thumbprint })
-    }
-
     pub fn thumbprint(&self) -> &[u8] {
         self.thumbprint.as_bytes()
     }
@@ -77,3 +62,22 @@ impl Serialize for AccountKey {
         }
     }
 }
+
+impl TryFrom<&PKeyRef<Private>> for AccountKey {
+    type Error = AccountKeyError;
+
+    fn try_from(value: &PKeyRef<Private>) -> Result<Self, Self::Error> {
+        let inner = match value.id() {
+            Id::EC => value.try_into().map(AccountKeyInner::ShaWithEcdsa),
+            Id::RSA => value.try_into().map(AccountKeyInner::ShaWithRsa),
+            id => Err(NewKeyError::Algorithm(id)),
+        }?;
+
+        let thumbprint = match inner {
+            AccountKeyInner::ShaWithEcdsa(ref key) => key.thumbprint(),
+            AccountKeyInner::ShaWithRsa(ref key) => key.thumbprint(),
+        }?;
+
+        Ok(Self { inner, thumbprint })
+    }
+}

src/conf/order.rs

@@ -54,7 +54,7 @@ where
         std::format!("{name}-{hash:x}", hash = hasher.finish())
     }
 
-    pub fn borrow<NewA>(&self, alloc: NewA) -> CertificateOrder<&str, NewA>
+    pub fn to_str_order<NewA>(&self, alloc: NewA) -> CertificateOrder<&str, NewA>
     where
         NewA: Allocator + Clone,
         S: AsRef<[u8]>,

src/lib.rs

@@ -1,7 +1,6 @@
 #![no_std]
 extern crate std;
 
-use core::ops::Deref;
 use core::time::Duration;
 use core::{cmp, ptr};
 
@@ -14,6 +13,7 @@ use ngx::core::Status;
 use ngx::http::{HttpModule, HttpModuleMainConf, HttpModuleServerConf};
 use ngx::log::ngx_cycle_log;
 use ngx::{ngx_log_debug, ngx_log_error};
+use openssl::x509::X509;
 use time::TimeRange;
 use zeroize::Zeroizing;
 
@@ -256,15 +256,17 @@ async fn ngx_http_acme_update_certificates_for_issuer(
         let alloc = crate::util::OwnedPool::new(nginx_sys::NGX_DEFAULT_POOL_SIZE as _, log)
             .map_err(|_| AllocError)?;
 
-        let borrowed_order = order.borrow(alloc.deref());
-        let res = client.new_certificate(&borrowed_order).await;
+        // Acme client wants &str and we already validated that the identifiers are valid UTF-8.
+        let str_order = order.to_str_order(&*alloc);
+        let res = client.new_certificate(&str_order).await;
 
         let cert_next = match res {
             Ok(ref val) => {
                 let pkey = Zeroizing::new(val.pkey.private_key_to_pem_pkcs8()?);
+                let x509 = X509::from_pem(&val.chain)?;
 
-                let valid = TimeRange::from_x509(&val.x509[0])
-                    .unwrap_or(TimeRange::new(Time::now(), Time::now()));
+                let valid =
+                    TimeRange::from_x509(&x509).unwrap_or(TimeRange::new(Time::now(), Time::now()));
 
                 let next = match cert.write().set(&val.chain, &pkey, valid) {
                     Ok(x) => x,