prs/prs.server/Engines/Certificate/CertificateEngine.cs

using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using System.Timers;
using ACMESharp.Authorizations;
using ACMESharp.Protocol;
using ACMESharp.Protocol.Resources;
using GenHTTP.Api.Content;
using GenHTTP.Api.Infrastructure;
using GenHTTP.Api.Protocol;
using GenHTTP.Engine;
using GenHTTP.Modules.IO;
using GenHTTP.Modules.Practices;
using InABox.Core;
using Newtonsoft.Json;
using Timer = System.Timers.Timer;

namespace PRSServer
{
    public class CertificateHandler : IHandler
    {
        private static readonly string AcmeHttp01PathPrefix =
            Http01ChallengeValidationDetails.HttpPathPrefix.Trim('/');

        public CertificateHandler(IHandler parent)
        {
            Parent = parent;
        }

        public IDictionary<string, Http01ChallengeValidationDetails> Http01Responses { get; set; }
            = new Dictionary<string, Http01ChallengeValidationDetails>();

        public IHandler Parent { get; init; }

        public ValueTask<IResponse?> HandleAsync(IRequest request)
        {
            var fullPath = request.Target.Path.ToString().Trim('/');

            Logger.Send(LogType.Information, "", "Running ACME Challenge Request Handler");

            IResponseBuilder response;
            if (Http01Responses.TryGetValue(fullPath, out var httpDetails))
            {
                Logger.Send(LogType.Information, "",
                    string.Format("Found match on [{0}] with response [{1}]", fullPath, httpDetails.HttpResourceValue));

                response = request.Respond()
                    .Type(new FlexibleContentType(httpDetails.HttpResourceContentType))
                    .Content(Resource.FromString(httpDetails.HttpResourceValue).Build());
            }
            else
            {
                Logger.Send(LogType.Information, "", string.Format("NO MATCH FOUND ON [{0}]", fullPath));
                response = request.Respond()
                    .Status(ResponseStatus.NotFound)
                    .Content(Resource.FromString("No matching ACME response path").Build());
            }

            return new ValueTask<IResponse?>(response.Build());
        }

        public ValueTask PrepareAsync()
        {
            return new ValueTask();
        }

        public IEnumerable<ContentElement> GetContent(IRequest request)
        {
            return Enumerable.Empty<ContentElement>();
        }

        public bool AddChallengeHandling(IChallengeValidationDetails chlngDetails)
        {
            if (chlngDetails is not Http01ChallengeValidationDetails httpDetails)
            {
                Logger.Send(LogType.Information, "", "Unable to handle non-Http01 Challenge details");
                return false;
            }

            var fullPath = httpDetails.HttpResourcePath.Trim('/');
            Logger.Send(LogType.Information, "", string.Format("Handling Challenges with HTTP full path of [{0}]", fullPath));
            Http01Responses[fullPath] = httpDetails;
            return true;
        }
    }

    public class CertificateHandlerBuilder : IHandlerBuilder<CertificateHandlerBuilder>
    {
        private readonly List<IConcernBuilder> _Concerns = new();

        public CertificateHandlerBuilder(CertificateEngine engine)
        {
            Engine = engine;
        }

        private CertificateEngine Engine { get; }

        public CertificateHandlerBuilder Add(IConcernBuilder concern)
        {
            _Concerns.Add(concern);
            return this;
        }

        public IHandler Build(IHandler parent)
        {
            return Concerns.Chain(parent, _Concerns, p =>
            {
                Engine.Handler = new CertificateHandler(p);
                return Engine.Handler;
            });
        }
    }

    public class CertificateEngine : Engine<CertificateEngineProperties>
    {
        private readonly DateTime _scheduleTime;

        public CertificateHandler? Handler;

        private IServerHost? host;

        private static string ChallengeType = AcmeState.Http01ChallengeType;

        static CertificateEngine()
        {
            CertificateFolder = Path.Combine(
                Path.GetDirectoryName(Assembly.GetEntryAssembly()?.Location ?? string.Empty) ?? string.Empty,
                "certs"
            );
        }

        private static T? Load<T>(string path)
        {
            if (!File.Exists(path))
                return default;

            if (typeof(T) == typeof(Stream)) return (T)(object)new FileStream(path, FileMode.Open);

            if (typeof(T) == typeof(byte[])) return (T)(object)File.ReadAllBytes(path);

            return JsonConvert.DeserializeObject<T>(File.ReadAllText(path)) ?? default;
        }

        protected static void Save<T>(string path, T value)
        {
            if (typeof(Stream).IsAssignableFrom(typeof(T)))
            {
                var rs = (Stream)(object)value;
                using (var ws = new FileStream(path, FileMode.Create))
                {
                    rs.CopyTo(ws);
                }
            }
            else if (typeof(T) == typeof(byte[]))
            {
                var ba = (byte[])(object)value;
                File.WriteAllBytes(path, ba);
            }
            else
            {
                File.WriteAllText(path,
                    JsonConvert.SerializeObject(value, Formatting.Indented));
            }
        }

        public void DeleteFile(string filename)
        {
            try
            {
                File.Delete(filename);
            }
            catch (Exception) { }
        }

        public void RefreshCertificateFile(CancellationToken cancellationToken)
        {
            Logger.Send(LogType.Information, "", "Updating HTTPS certificate...");

            if (!Directory.Exists(CertificateFolder))
            {
                Logger.Send(LogType.Information, "", "Creating certificate folder...");
                Directory.CreateDirectory(CertificateFolder);
            }

            DeleteFile(OrderFile);
            DeleteFile(CertificateFile);
            //DeleteFile(AuthorizationsFile);

            ServiceDirectory = Load<ServiceDirectory>(ServiceDirectoryFile);
            Account = Load<AccountDetails>(AccountFile);
            AccountKey = Load<ExamplesAccountKey>(AccountKeyFile);
            Order = Load<OrderDetails>(OrderFile);
            Authorizations = Load<Dictionary<string, Authorization>>(AuthorizationsFile);
            var certRaw = Load<byte[]>(CertificateFile);
            if (certRaw?.Length > 0)
                Certificate = new X509Certificate2(certRaw);

            DnsNames = Properties.DomainNames.Split(',');
            AccountContactEmails = Properties.AccountContactEmails.Split(',');

            Logger.Send(LogType.Information, "", "Initializing HTTP Handler");

            host = Host.Create()
                .Handler(new CertificateHandlerBuilder(this))
                .Defaults()
                .Port(80)
                .Start();

            // We delay for 5 seconds just to give other parts of
            // the service (like request handling) to get in place
            Task.Delay(5 * 1000, cancellationToken);
            if (DoTheWork())
            {
                Logger.Send(LogType.Information, "", "HTTPS Refresh Complete!");
            }
            else
            {
                Logger.Send(LogType.Information, "", "HTTPS Refresh Failed");
            }
            host.Stop();
        }

        private bool DoTheWork()
        {
            try
            {
                Logger.Send(LogType.Information, "", "** DOING WORKING *****************************************");
                Logger.Send(LogType.Information, "", $"DNS Names:  {Properties.DomainNames}");

                var acmeUrl = new Uri(Properties.CaUrl);
                using var acme = new AcmeProtocolClient(acmeUrl, usePostAsGet: true);

                var task = DoTheWorkAsync(acme);
                task.Wait();
                return task.Result;
            }
            catch(Exception e)
            {
                Logger.Send(LogType.Error, "", CoreUtils.FormatException(e));
                return false;
            }
        }

        private async Task ClearAuthorizations(AcmeProtocolClient acme)
        {
            if(Authorizations != null)
            {
                foreach (var (url, authorization) in Authorizations)
                {
                    if (authorization.Status != AcmeState.ValidStatus)
                    {
                        try
                        {
                            await acme.DeactivateAuthorizationAsync(url);
                        }
                        catch(Exception e)
                        {
                            Logger.Send(LogType.Error, "", $"Could not deactivate authorization: {CoreUtils.FormatException(e)}");
                        }
                    }
                }
                Authorizations.Clear();
                Save(AuthorizationsFile, Authorizations);
            }
            else
            {
                Authorizations = new Dictionary<string, Authorization>();
            }
        }

        private async Task<bool> DoTheWorkAsync(AcmeProtocolClient acme)
        {
            ServiceDirectory = await acme.GetDirectoryAsync();
            Save(ServiceDirectoryFile, ServiceDirectory);
            acme.Directory = ServiceDirectory;

            Save(TermsOfServiceFile, await acme.GetTermsOfServiceAsync());

            // This line basically has to be called before all ACME things.
            await acme.GetNonceAsync();

            ClearAuthorizations(acme).Wait();

            if (!await ResolveAccount(acme))
                return false;

            if (!await ResolveOrder(acme))
                return false;

            if (!await ResolveChallenges(acme))
                return false;

            if (!await ResolveAuthorizations(acme))
                return false;

            if (!await ResolveCertificate(acme))
                return false;

            return true;
        }

        private async Task<bool> ResolveAccount(AcmeProtocolClient acme)
        {
            // TODO:  All this ASSUMES a fixed key type/size for now
            if (Account == null || AccountKey == null)
            {
                var contacts = AccountContactEmails.Where(x => !string.IsNullOrEmpty(x)).Select(x => $"mailto:{x}");
                Logger.Send(LogType.Information, "", "Creating ACME Account");
                Account = await acme.CreateAccountAsync(
                    contacts,
                    Properties.AcceptTermsOfService);
                AccountKey = new ExamplesAccountKey
                {
                    KeyType = acme.Signer.JwsAlg,
                    KeyExport = acme.Signer.Export()
                };
                Save(AccountFile, Account);
                Save(AccountKeyFile, AccountKey);
                acme.Account = Account;
            }
            else
            {
                acme.Account = Account;
                acme.Signer.Import(AccountKey.KeyExport);
            }

            return true;
        }

        private async Task<bool> ResolveOrder(AcmeProtocolClient acme)
        {
            var now = DateTime.Now;
            if (!string.IsNullOrEmpty(Order?.OrderUrl))
            {
                Logger.Send(LogType.Information, "", "Existing Order found; refreshing");
                Order = await acme.GetOrderDetailsAsync(Order.OrderUrl, Order);
            }

            if (Order?.Payload?.Error != null)
            {
                Logger.Send(LogType.Information, "", "Existing Order reported an Error:");
                Logger.Send(LogType.Information, "", JsonConvert.SerializeObject(Order.Payload.Error));
                Logger.Send(LogType.Information, "", "Resetting existing order");
                Order = null;
            }

            if (AcmeState.InvalidStatus == Order?.Payload.Status)
            {
                Logger.Send(LogType.Information, "", "Existing Order is INVALID; resetting");
                Order = null;
            }

            if (!DateTime.TryParse(Order?.Payload?.Expires, out var orderExpires)
                || orderExpires < now)
            {
                Logger.Send(LogType.Information, "", "Existing Order is EXPIRED; resetting");
                Order = null;
            }

            if (DateTime.TryParse(Order?.Payload?.NotAfter, out var orderNotAfter)
                && orderNotAfter < now)
            {
                Logger.Send(LogType.Information, "", "Existing Order is OUT-OF-DATE; resetting");
                Order = null;
            }

            if (Order?.Payload == null)
            {
                Logger.Send(LogType.Information, "", "Creating NEW Order");
                Order = await acme.CreateOrderAsync(DnsNames);
            }

            Save(OrderFile, Order);
            return true;
        }

        private async Task<bool> ResolveChallenges(AcmeProtocolClient acme)
        {
            if (AcmeState.PendingStatus == Order?.Payload?.Status)
            {
                Logger.Send(LogType.Information, "", "Order is pending, resolving Authorizations");
                if (Authorizations == null)
                    Authorizations = new Dictionary<string, Authorization>();
                foreach (var authzUrl in Order.Payload.Authorizations)
                {
                    var authz = await acme.GetAuthorizationDetailsAsync(authzUrl);
                    Authorizations[authzUrl] = authz;

                    if (AcmeState.PendingStatus == authz.Status)
                        foreach (var chlng in authz.Challenges)
                            if (string.IsNullOrEmpty(ChallengeType) || ChallengeType == chlng.Type)
                            {
                                var chlngValidation = AuthorizationDecoder.DecodeChallengeValidation(
                                    authz, chlng.Type, acme.Signer);
                                if (Handler.AddChallengeHandling(chlngValidation))
                                {
                                    Logger.Send(LogType.Information, "", "Challenge Handler has handled challenge:");
                                    Logger.Send(LogType.Information, "", JsonConvert.SerializeObject(chlngValidation, Formatting.Indented));
                                    var chlngUpdated = await acme.AnswerChallengeAsync(chlng.Url);
                                    if (chlngUpdated.Error != null)
                                    {
                                        Logger.Send(LogType.Error, "", "Submitting Challenge Answer reported an error:");
                                        Logger.Send(LogType.Error, "", JsonConvert.SerializeObject(chlngUpdated.Error));
                                    }
                                }

                                Logger.Send(LogType.Information, "", "Refreshing Authorization status");
                                authz = await acme.GetAuthorizationDetailsAsync(authzUrl);
                                if (AcmeState.PendingStatus != authz.Status)
                                    break;
                            }
                }

                Save(AuthorizationsFile, Authorizations);

                Logger.Send(LogType.Information, "", "Refreshing Order status");
                Order = await acme.GetOrderDetailsAsync(Order.OrderUrl, Order);
                Save(OrderFile, Order);
            }

            return true;
        }

        private async Task<bool> ResolveAuthorizations(AcmeProtocolClient acme)
        {
            if (AcmeState.InvalidStatus == Order?.Payload?.Status)
            {
                Logger.Send(LogType.Information, "", "Current Order is INVALID; aborting");
                return false;
            }

            if (AcmeState.ValidStatus == Order?.Payload?.Status)
            {
                Logger.Send(LogType.Information, "", "Current Order is already VALID; skipping");
                return true;
            }

            var now = DateTime.Now;
            do
            {
                if (Authorizations == null)
                    Authorizations = new Dictionary<string, Authorization>();
                // Wait for all Authorizations to be valid or any one to go invalid
                var validCount = 0;
                var invalidCount = 0;
                foreach (var authz in Authorizations)
                    switch (authz.Value.Status)
                    {
                        case AcmeState.ValidStatus:
                            ++validCount;
                            break;
                        case AcmeState.InvalidStatus:
                            ++invalidCount;
                            break;
                    }

                if (validCount == Authorizations.Count)
                {
                    Logger.Send(LogType.Information, "", string.Format("All Authorizations ({0}) are valid", validCount));
                    break;
                }

                if (invalidCount > 0)
                {
                    Logger.Send(LogType.Error, "", string.Format("Found {0} invalid Authorization(s); ABORTING", invalidCount));
                    return false;
                }

                Logger.Send(LogType.Information, "", string.Format("Found {0} Authorization(s) NOT YET valid", Authorizations.Count - validCount));

                if (now.AddSeconds(Properties.WaitForAuthorizations) < DateTime.Now)
                {
                    Logger.Send(LogType.Error, "", "Timed out waiting for Authorizations; ABORTING");
                    return false;
                }

                // We wait in 5s increments
                await Task.Delay(5000);
                foreach (var authzUrl in Order.Payload.Authorizations)
                    // Update all the Authorizations still pending
                    if (AcmeState.PendingStatus == Authorizations[authzUrl].Status)
                        Authorizations[authzUrl] = await acme.GetAuthorizationDetailsAsync(authzUrl);
            } while (true);

            Save(AuthorizationsFile, Authorizations);

            return true;
        }

        private async Task<bool> ResolveCertificate(AcmeProtocolClient acme)
        {
            if (Certificate != null)
            {
                Logger.Send(LogType.Information, "", "Certificate is already resolved");
                return true;
            }

            CertPrivateKey? key = null;
            Logger.Send(LogType.Information, "", "Refreshing Order status");
            Order = await acme.GetOrderDetailsAsync(Order.OrderUrl, Order);
            Save(OrderFile, Order);

            if (AcmeState.PendingStatus == Order.Payload.Status || AcmeState.ReadyStatus == Order.Payload.Status)
            {
                Logger.Send(LogType.Information, "", "Generating CSR");
                byte[] csr;
                switch (Properties.CertificateKeyAlgor)
                {
                    case "rsa":
                        key = CertHelper.GenerateRsaPrivateKey(
                            Properties.CertificateKeySize ?? CertificateEngineProperties.DefaultRsaKeySize);
                        csr = CertHelper.GenerateRsaCsr(DnsNames, key);
                        break;
                    case "ec":
                        key = CertHelper.GenerateEcPrivateKey(
                            Properties.CertificateKeySize ?? CertificateEngineProperties.DefaultEcKeySize);
                        csr = CertHelper.GenerateEcCsr(DnsNames, key);
                        break;
                    default:
                        throw new Exception("Unknown Certificate Key Algorithm: "
                                            + Properties.CertificateKeyAlgor);
                }

                using (var keyPem = new MemoryStream())
                {
                    CertHelper.ExportPrivateKey(key, EncodingFormat.PEM, keyPem);
                    keyPem.Position = 0L;
                    Save(CertificateKeysFile, keyPem);
                }

                Save(CertificateRequestFile, csr);

                Logger.Send(LogType.Information, "", "Finalizing Order");
                Order = await acme.FinalizeOrderAsync(Order.Payload.Finalize, csr);
                Save(OrderFile, Order);
            }

            if (string.IsNullOrEmpty(Order.Payload.Certificate))
            {
                Logger.Send(LogType.Information, "", "Order Certificate is NOT READY YET");
                var now = DateTime.Now;
                do
                {
                    Logger.Send(LogType.Information, "", "Waiting...");
                    // We wait in 5s increments
                    await Task.Delay(5000);

                    Order = await acme.GetOrderDetailsAsync(Order.OrderUrl, Order);
                    Save(OrderFile, Order);

                    if (!string.IsNullOrEmpty(Order.Payload.Certificate))
                        break;

                    if (DateTime.Now < now.AddSeconds(Properties.WaitForCertificate))
                    {
                        Logger.Send(LogType.Information, "", "Timed Out!");
                        return false;
                    }
                } while (true);
            }

            if (AcmeState.ValidStatus != Order.Payload.Status)
            {
                Logger.Send(LogType.Information, "", "Order is NOT VALID");
                return false;
            }

            Logger.Send(LogType.Information, "", "Retreiving Certificate");
            var certBytes = await acme.GetOrderCertificateAsync(Order);
            Save(CertificateChainFile, certBytes);

            if (key == null)
            {
                Logger.Send(LogType.Information, "", "Loading private key");
                key = CertHelper.ImportPrivateKey(EncodingFormat.PEM, Load<Stream>(CertificateKeysFile));
            }

            using (var crtStream = new MemoryStream(certBytes))
            using (var pfxStream = new MemoryStream())
            {
                Logger.Send(LogType.Information, "", "Reading in Certificate chain (PEM)");
                var cert = CertHelper.ImportCertificate(EncodingFormat.PEM, crtStream);
                Logger.Send(LogType.Information, "", "Writing out Certificate archive (PKCS12)");
                CertHelper.ExportArchive(key, new[] { cert }, ArchiveFormat.PKCS12, pfxStream);
                pfxStream.Position = 0L;
                Save(CertificateFile, pfxStream);
            }

            Logger.Send(LogType.Information, "", "Loading PKCS12 archive as active certificate");
            Certificate = new X509Certificate2(Load<byte[]>(CertificateFile));

            return true;
        }

        private void CheckForRefresh()
        {
            Logger.Send(LogType.Information, "", "Checking for refresh...");
            if (!Directory.Exists(CertificateFolder))
            {
                Logger.Send(LogType.Information, "", "Creating certificate folder...");
                Directory.CreateDirectory(CertificateFolder);
            }

            var certRaw = Load<byte[]>(CertificateFile);
            if (certRaw?.Length > 0)
            {
                Certificate = new X509Certificate2(certRaw);
            }
            if(Certificate == null)
            {
                RefreshCertificateFile(CancellationToken.None);
                return;
            }
            DateTime now = DateTime.Now;
            TimeSpan startDiff = now - Certificate.NotBefore;
            TimeSpan endDiff = Certificate.NotAfter - now;

            // If the certificate will expire in less than 30 days or if the certificate is not yet valid
            if (startDiff < TimeSpan.Zero || endDiff < TimeSpan.FromDays(30))
            {
                RefreshCertificateFile(CancellationToken.None);
                return;
            }
            var names = GetDnsNames(Certificate).ToHashSet();
            var requiredNames = Properties.DomainNames.Split(',');
            if(requiredNames.Any(x => !names.Contains(x)))
            {
                RefreshCertificateFile(CancellationToken.None);
                return;
            }

            Logger.Send(LogType.Information, "", "Refresh not required!");
        }

        public override void Run()
        {
            System.Threading.Timer timer = new System.Threading.Timer(
                (o) => { CheckForRefresh(); },
                null,
                3000,
                1000 * 60 * 60 * 24
            );
            Thread.Sleep(Timeout.Infinite);
        }

        public override void Stop()
        {
            host?.Stop();
        }

        public static IEnumerable<string> DnsAlternateNames(X509Certificate2 certificate)
        {
            // Adapted from https://stackoverflow.com/questions/16698307/how-do-you-parse-the-subject-alternate-names-from-an-x509certificate2/59382929#59382929

            // OID for SubjectAlternativeName X509 extension.
            const string SAN_OID = "2.5.29.17";

            var extension = certificate.Extensions[SAN_OID];
            if (extension is null) yield break;

            // Tag value "2" is defined by:
            //
            //    dNSName                         [2]     IA5String,
            //
            // in: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
            var dnsNameTag = new Asn1Tag(TagClass.ContextSpecific, tagValue: 2, isConstructed: false);

            var asnReader = new AsnReader(extension.RawData, AsnEncodingRules.BER);
            var sequenceReader = asnReader.ReadSequence(Asn1Tag.Sequence);

            while (sequenceReader.HasData)
            {
                var tag = sequenceReader.PeekTag();
                if(tag != dnsNameTag)
                {
                    sequenceReader.ReadEncodedValue();
                    continue;
                }

                var dnsName = sequenceReader.ReadCharacterString(UniversalTagNumber.IA5String, dnsNameTag);
                yield return dnsName;
            }
        }

        public static IEnumerable<string> GetDnsNames(X509Certificate2 certificate)
        {
            yield return certificate.GetNameInfo(X509NameType.DnsName, false);
            foreach (var name in DnsAlternateNames(certificate))
                yield return name;
        }

        #region File Names

        public static string CertificateFolder { get; }

        private string ServiceDirectoryFile => Path.Combine(CertificateFolder, "00-ServiceDirectory.json");
        private string TermsOfServiceFile => Path.Combine(CertificateFolder, "05-TermsOfService");
        private string AccountFile => Path.Combine(CertificateFolder, "10-Account.json");
        private string AccountKeyFile => Path.Combine(CertificateFolder, "15-AccountKey.json");
        private string OrderFile => Path.Combine(CertificateFolder, "50-Order.json");
        private string AuthorizationsFile => Path.Combine(CertificateFolder, "52-Authorizations.json");
        private string CertificateKeysFile => Path.Combine(CertificateFolder, "70-CertificateKeys.pem");
        private string CertificateRequestFile => Path.Combine(CertificateFolder, "72-CertificateRequest.der");
        private string CertificateChainFile => Path.Combine(CertificateFolder, "74-CertificateChain.pem");
        public static string CertificateFile => Path.Combine(CertificateFolder, "80-Certificate.pfx");

        #endregion

        #region Extra State Properties

        private ServiceDirectory? ServiceDirectory;
        private AccountDetails? Account;
        private ExamplesAccountKey? AccountKey;
        private OrderDetails? Order;
        private Dictionary<string, Authorization>? Authorizations;
        private X509Certificate2? Certificate;
        private IEnumerable<string> DnsNames;
        private IEnumerable<string> AccountContactEmails;

        #endregion
    }
}