Merge pull request #714 from mritd/master

feat(server): add ZeroSSL EAB
apernet · Sep 30, 2023 · 922edce · 922edce
2 parents 8faaf3b + 3951826
commit 922edce
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/app/cmd/server.go b/app/cmd/server.go
@@ -3,7 +3,9 @@ package cmd
 import (
 	"context"
 	"crypto/tls"
+	"encoding/json"
 	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"net/http/httputil"
@@ -13,6 +15,7 @@ import (
 	"time"
 
 	"github.com/caddyserver/certmagic"
+	"github.com/mholt/acmez/acme"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"go.uber.org/zap"
@@ -264,6 +267,11 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 			cmIssuer.CA = certmagic.LetsEncryptProductionCA
 		case "zerossl", "zero":
 			cmIssuer.CA = certmagic.ZeroSSLProductionCA
+			eab, err := genZeroSSLEAB(c.ACME.Email)
+			if err != nil {
+				return configError{Field: "acme.ca", Err: err}
+			}
+			cmIssuer.ExternalAccount = eab
 		default:
 			return configError{Field: "acme.ca", Err: errors.New("unknown CA")}
 		}
@@ -288,6 +296,48 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
 	return nil
 }
 
+func genZeroSSLEAB(email string) (*acme.EAB, error) {
+	req, err := http.NewRequest(
+		http.MethodPost,
+		"https://api.zerossl.com/acme/eab-credentials-email",
+		strings.NewReader(url.Values{"email": []string{email}}.Encode()),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to creare ZeroSSL EAB request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("User-Agent", certmagic.UserAgent)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to send ZeroSSL EAB request: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	var result struct {
+		Success bool `json:"success"`
+		Error   struct {
+			Code int    `json:"code"`
+			Type string `json:"type"`
+		} `json:"error"`
+		EABKID     string `json:"eab_kid"`
+		EABHMACKey string `json:"eab_hmac_key"`
+	}
+	if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return nil, fmt.Errorf("failed decoding ZeroSSL EAB API response: %w", err)
+	}
+	if result.Error.Code != 0 {
+		return nil, fmt.Errorf("failed getting ZeroSSL EAB credentials: HTTP %d: %s (code %d)", resp.StatusCode, result.Error.Type, result.Error.Code)
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("failed getting EAB credentials: HTTP %d", resp.StatusCode)
+	}
+
+	return &acme.EAB{
+		KeyID:  result.EABKID,
+		MACKey: result.EABHMACKey,
+	}, nil
+}
+
 func (c *serverConfig) fillQUICConfig(hyConfig *server.Config) error {
 	hyConfig.QUICConfig = server.QUICConfig{
 		InitialStreamReceiveWindow:     c.QUIC.InitStreamReceiveWindow,

diff --git a/app/go.mod b/app/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/apernet/hysteria/extras v0.0.0-00010101000000-000000000000
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/mdp/qrterminal/v3 v3.1.1
+	github.com/mholt/acmez v1.0.4
 	github.com/oschwald/geoip2-golang v1.9.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.15.0
@@ -29,7 +30,6 @@ require (
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mholt/acmez v1.0.4 // indirect
 	github.com/miekg/dns v1.1.55 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect