ol.clave.acme.challenge

Helpers for working with ACME challenges and authorizations.

key-authorization

(key-authorization challenge account-key)

Return the key authorization for challenge and account-key.

challenge may be a map with ::ol.clave.specs/token or a raw token string.


dns01-key-authorization

(dns01-key-authorization key-authorization)
(dns01-key-authorization challenge account-key)

Return the DNS-01 key authorization digest.

When called with a challenge map and account-key, computes the key authorization first.

| arity | description |
|---------------------------|----------------------------------------------|
| [key-authorization] | digest the provided key authorization string |
| [challenge account-key] | compute key authorization then digest |


http01-resource-path

(http01-resource-path challenge)

Return the HTTP-01 resource path for challenge or token.


dns01-txt-name

(dns01-txt-name domain-or-authorization)

Return the DNS-01 TXT record name for domain or authorization.


wildcard?

(wildcard? authorization)

Return true when the authorization declares a wildcard identifier.


identifier

(identifier authorization)

Return the identifier value from an authorization map.


identifier-domain

(identifier-domain authorization)

Return the identifier domain with any wildcard prefix removed.


token

(token challenge)

Return the challenge token string.


find-by-type

(find-by-type authorization type)

Return the first challenge in authorization matching type.


acme-tls-1-protocol

ALPN protocol identifier for TLS-ALPN-01 challenges.

Use this value to detect ACME challenge handshakes in your TLS server’s ALPN negotiation callback. See RFC 8737 Section 6.2.


tlsalpn01-challenge-cert

(tlsalpn01-challenge-cert identifier key-authorization)
(tlsalpn01-challenge-cert authorization challenge account-key)

Build a TLS-ALPN-01 challenge certificate.

This function has two arities:

Low-level arity [identifier key-authorization]:
- identifier - Map with :type ("dns" or "ip") and :value
- key-authorization - The computed key authorization string

Convenience arity [authorization challenge account-key]:
- authorization - Authorization map with ::acme/identifier
- challenge - Challenge map with ::acme/token
- account-key - Account keypair for computing key authorization

Returns a map with:

| key | description |
|--------------------|---------------------------------------------|
| :certificate-der | DER-encoded certificate bytes |
| :certificate-pem | PEM-encoded certificate string |
| :private-key-der | DER-encoded private key bytes (PKCS#8) |
| :private-key-pem | PEM-encoded private key string (PKCS#8) |
| :x509 | Parsed java.security.cert.X509Certificate |
| :keypair | The generated java.security.KeyPair |
| :identifier-type | The identifier type from input |
| :identifier-value | The identifier value from input |

The certificate contains:
- Subject and Issuer: CN=ACME challenge
- SubjectAltName with the identifier (DNS name or IP address)
- Critical acmeValidationV1 extension (OID 1.3.6.1.5.5.7.1.31) containing the SHA-256 digest of the key authorization

;; Low-level usage with pre-computed key authorization
(tlsalpn01-challenge-cert {:type "dns" :value "example.com"}
                          "token.thumbprint")

;; Convenience usage with authorization and challenge maps
(tlsalpn01-challenge-cert authorization challenge account-key)

See RFC 8737 for TLS-ALPN-01 challenge specification.
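The values that key-authorization, dns01-key-authorization, dns01-txt-name, http01-resource-path and the acmeValidationV1 digest of tlsalpn01-challenge-cert produce are all defined by RFC 8555 and RFC 8737. The following Python is an added example, not part of ol.clave, that reimplements those derivations from the RFCs so the relationship between them can be checked independently (the account key is supplied as a JWK rather than a keypair object; the JWK coordinates and token are constructed sample values).

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    serialized as canonical JSON (sorted keys, no whitespace)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' base64url(thumbprint(account key)), RFC 8555 section 8.1."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_key_authorization(key_auth: str) -> str:
    """TXT record value for DNS-01: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def dns01_txt_name(domain: str) -> str:
    """_acme-challenge.<domain>; a wildcard '*.' prefix is dropped first."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def http01_resource_path(token: str) -> str:
    """Path the ACME server fetches over HTTP for HTTP-01."""
    return "/.well-known/acme-challenge/" + token


def tlsalpn01_validation_digest(key_auth: str) -> bytes:
    """Raw SHA-256 of the key authorization: the payload of the critical
    acmeValidationV1 extension (OID 1.3.6.1.5.5.7.1.31) in the TLS-ALPN-01 cert."""
    return hashlib.sha256(key_auth.encode("ascii")).digest()


# Constructed sample data: not a real account key or a CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
              "kid": "acct-1"}  # extra members are ignored by the thumbprint
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```

Note that the DNS-01 TXT value and the TLS-ALPN-01 extension payload are the same SHA-256 digest, differing only in encoding.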