ACME-PS.psm1
|
<# abstract #> class KeyExport { KeyExport () { if ($this.GetType() -eq [KeyExport]) { throw [System.InvalidOperationException]::new("Class must be inherited"); } } <# abstract #> [string] TypeName() { throw [System.NotImplementedException]::new(); } } class RSAKeyExport : KeyExport { hidden [string] $TypeName = "RSAKeyExport"; [int] $HashSize; [byte[]] $Modulus; [byte[]] $Exponent; [byte[]] $P; [byte[]] $Q; [byte[]] $DP; [byte[]] $DQ; [byte[]] $InverseQ; [byte[]] $D; } class ECDsaKeyExport : KeyExport { hidden [string] $TypeName = "ECDsaKeyExport"; [int] $HashSize; [byte[]] $D; [byte[]] $X; [byte[]] $Y; } <# abstract #> class KeyBase { [ValidateSet(256,384,512)] [int] hidden $HashSize; [System.Security.Cryptography.HashAlgorithmName] hidden $HashName; KeyBase([int] $hashSize) { if ($this.GetType() -eq [KeyBase]) { throw [System.InvalidOperationException]::new("Class must be inherited"); } $this.HashSize = $hashSize; switch ($hashSize) { 256 { $this.HashName = "SHA256"; } 384 { $this.HashName = "SHA384"; } 512 { $this.HashName = "SHA512"; } default { throw [System.ArgumentOutOfRangeException]::new("Cannot set hash size"); } } } <# abstract #> [KeyExport] ExportKey() { throw [System.NotImplementedException]::new(); } } class Certificate { static [byte[]] ExportPfx([byte[]] $acmeCertificate, [System.Security.Cryptography.AsymmetricAlgorithm] $algorithm, [securestring] $password) { $certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($acmeCertificate); if($algorithm -is [System.Security.Cryptography.RSA]) { $certifiate = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::CopyWithPrivateKey($certificate, $algorithm); } elseif($algorithm -is [System.Security.Cryptography.ECDsa]) { $certifiate = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::CopyWithPrivateKey($certificate, $algorithm); } else { throw [System.InvalidOperationException]::new("Cannot use $($algorithm.GetType().Name) to export pfx."); } if($password) { return $certifiate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password); } else { return $certifiate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx); } } static [byte[]] GenerateCsr([string[]] $dnsNames, [System.Security.Cryptography.AsymmetricAlgorithm] $algorithm, [System.Security.Cryptography.HashAlgorithmName] $hashName) { if(-not $dnsNames) { throw [System.ArgumentException]::new("You need to provide at least one DNSName", "dnsNames"); } $sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new(); foreach ($dnsName in $dnsNames) { $sanBuilder.AddDnsName($dnsNames); } $distinguishedName = [X500DistinguishedName]::new("CN=$($dnsNames[0])"); [System.Security.Cryptography.X509Certificates.CertificateRequest]$certRequest = $null; if($algorithm -is [System.Security.Cryptography.RSA]) { $certRequest = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new( $distinguishedName, $algorithm, $hashName, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1); } elseif($algorithm -is [System.Security.Cryptography.ECDsa]) { $certRequest = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new( $distinguishedName, $algorithm, $hashName); } else { throw [System.InvalidOperationException]::new("Cannot use $($algorithm.GetType().Name) to create CSR."); } $certRequest.CertificateExtensions.Add($sanBuilder.Build()); return $certRequest.CreateSigningRequest(); } } <# abstract #> class RSAKeyBase : KeyBase { hidden [System.Security.Cryptography.RSA] $RSA; RSAKeyBase([int] $hashSize, [int] $keySize) : base($hashSize) { if ($this.GetType() -eq [RSAKeyBase]) { throw [System.InvalidOperationException]::new("Class must be inherited"); } $this.RSA = [System.Security.Cryptography.RSA]::Create($keySize); } RSAKeyBase([int] $hashSize, [System.Security.Cryptography.RSAParameters] $keyParameters) :base($hashSize) { if ($this.GetType() -eq [RSAKeyBase]) { throw [System.InvalidOperationException]::new("Class must be inherited"); } $this.RSA = [System.Security.Cryptography.RSA]::Create($keyParameters); } [object] ExportKey() { $rsaParams = $this.RSA.ExportParameters($true); $keyExport = [RSAKeyExport]::new(); $keyExport.D = $rsaParams.D; $keyExport.DP = $rsaParams.DP; $keyExport.DQ = $rsaParams.DQ; $keyExport.Exponent = $rsaParams.Exponent; $keyExport.InverseQ = $rsaParams.InverseQ; $keyExport.Modulus = $rsaParams.Modulus; $keyExport.P = $rsaParams.P; $keyExport.Q = $rsaParams.Q; $keyExport.HashSize = $this.HashSize; return $keyExport; } } class RSAAccountKey : RSAKeyBase, IAccountKey { RSAAccountKey([int] $hashSize, [int] $keySize) : base($hashSize, $keySize) { } RSAAccountKey([int] $hashSize, [System.Security.Cryptography.RSAParameters] $keyParameters) : base($hashSize, $keyParameters) { } [string] JwsAlgorithmName() { return "RS$($this.HashSize)" } [System.Collections.Specialized.OrderedDictionary] ExportPublicJwk() { $keyParams = $this.RSA.ExportParameters($false); <# As per RFC 7638 Section 3, these are the *required* elements of the JWK and are sorted in lexicographic order to produce a canonical form #> $publicJwk = [ordered]@{ "e" = ConvertTo-UrlBase64 -InputBytes $keyParams.Exponent; "kty" = "RSA"; # https://tools.ietf.org/html/rfc7518#section-6.3 "n" = ConvertTo-UrlBase64 -InputBytes $keyParams.Modulus; } return $publicJwk; } [byte[]] Sign([byte[]] $inputBytes) { return $this.RSA.SignData($inputBytes, $this.HashName, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1); } [byte[]] Sign([string] $inputString) { return $this.Sign([System.Text.Encoding]::UTF8.GetBytes($inputString)); } static [IAccountKey] Create([RSAKeyExport] $keyExport) { $keyParameters = [System.Security.Cryptography.RSAParameters]::new(); $keyParameters.D = $keyExport.D; $keyParameters.DP = $keyExport.DP; $keyParameters.DQ = $keyExport.DQ; $keyParameters.Exponent = $keyExport.Exponent; $keyParameters.InverseQ = $keyExport.InverseQ; $keyParameters.Modulus = $keyExport.Modulus; $keyParameters.P = $keyExport.P; $keyParameters.Q = $keyExport.Q; return [RSAAccountKey]::new($keyExport.HashSize, $keyParameters); } } class RSACertificateKey : RSAAccountKey, ICertificateKey { RSACertificateKey([int] $hashSize, [int] $keySize) : base($hashSize, $keySize) { } RSACertificateKey([int] $hashSize, [System.Security.Cryptography.RSAParameters] $keyParameters) : base($hashSize, $keyParameters) { } [byte[]] ExportPfx([byte[]] $acmeCertificate, [SecureString] $password) { return [Certificate]::ExportPfx($acmeCertificate, $this.RSA, $password); } [byte[]] GenerateCsr([string[]] $dnsNames) { return [Certificate]::GenerateCsr($dnsNames, $this.RSA, $this.HashName); } static [ICertificateKey] Create([RSAKeyExport] $keyExport) { $keyParameters = [System.Security.Cryptography.RSAParameters]::new(); $keyParameters.D = $keyExport.D; $keyParameters.DP = $keyExport.DP; $keyParameters.DQ = $keyExport.DQ; $keyParameters.Exponent = $keyExport.Exponent; $keyParameters.InverseQ = $keyExport.InverseQ; $keyParameters.Modulus = $keyExport.Modulus; $keyParameters.P = $keyExport.P; $keyParameters.Q = $keyExport.Q; return [RSACertificateKey]::new($keyExport.HashSize, $keyParameters); } } <# abstract #> class ECDsaKeyBase : KeyBase { hidden [System.Security.Cryptography.ECDsa] $ECDsa; hidden [string] $CurveName ECDsaKeyBase([int] $hashSize) : base($hashSize) { if ($this.GetType() -eq [ECDsaKeyBase]) { throw [System.InvalidOperationException]::new("Class must be inherited"); } $this.CurveName = "P-$hashSize"; $curve = [ECDsaKeyBase]::GetCurve($hashSize); $this.ECDsa = [System.Security.Cryptography.ECDsa]::Create($curve); } ECDsaKeyBase([int] $hashSize,[System.Security.Cryptography.ECParameters] $keyParameters) :base($hashSize) { if ($this.GetType() -eq [ECDsaKeyBase]) { throw [System.InvalidOperationException]::new("Class must be inherited"); } $this.CurveName = "P-$hashSize"; $this.ECDsa = [System.Security.Cryptography.ECDsa]::Create($keyParameters); } static [System.Security.Cryptography.ECCurve] GetCurve($hashSize) { switch ($hashSize) { 256 { return [System.Security.Cryptography.ECCurve+NamedCurves]::nistP256; } 384 { return [System.Security.Cryptography.ECCurve+NamedCurves]::nistP384; } 512 { return [System.Security.Cryptography.ECCurve+NamedCurves]::nistP521; } Default { throw [System.ArgumentOutOfRangeException]::new("Cannot use hash size to create curve."); } } return $null; } [object] ExportKey() { $ecParams = $this.ECDsa.ExportParameters($true); $keyExport = [ECDsaKeyExport]::new(); $keyExport.D = $ecParams.D; $keyExport.X = $ecParams.Q.X; $keyExport.Y = $ecParams.Q.Y; $keyExport.HashSize = $this.HashSize; return $keyExport; } } class ECDsaAccountKey : ECDsaKeyBase, IAccountKey { ECDsaAccountKey([int] $hashSize) : base($hashSize) { } ECDsaAccountKey([int] $hashSize, [System.Security.Cryptography.ECParameters] $keyParameters) : base($hashSize, $keyParameters) { } [string] JwsAlgorithmName() { return "ES$($this.HashSize)" } [System.Collections.Specialized.OrderedDictionary] ExportPublicJwk() { $keyParams = $this.ECDsa.ExportParameters($false); <# As per RFC 7638 Section 3, these are the *required* elements of the JWK and are sorted in lexicographic order to produce a canonical form #> $publicJwk = [ordered]@{ "crv" = $this.CurveName; "kty" = "EC"; # https://tools.ietf.org/html/rfc7518#section-6.2 "x" = ConvertTo-UrlBase64 -InputBytes $keyParams.Q.X; "y" = ConvertTo-UrlBase64 -InputBytes $keyParams.Q.Y; } return $publicJwk; } [byte[]] Sign([byte[]] $inputBytes) { return $this.ECDsa.SignData($inputBytes, $this.HashName); } [byte[]] Sign([string] $inputString) { return $this.Sign([System.Text.Encoding]::UTF8.GetBytes($inputString)); } static [IAccountKey] Create([ECDsaKeyExport] $keyExport) { $keyParameters = [System.Security.Cryptography.ECParameters]::new(); $keyParameters.Curve = [ECDsaKeyBase]::GetCurve($keyExport.HashSize); $keyParameters.D = $keyExport.D; $keyParameters.Q.X = $keyExport.QX; $keyParameters.Q.Y = $keyExport.QY; return [ECDsaAccountKey]::new($keyExport.HashSize, $keyParameters); } } class ECDsaCertificateKey : ECDsaAccountKey, ICertificateKey { ECDsaCertificateKey([int] $hashSize) : base($hashSize) { } ECDsaCertificateKey([int] $hashSize, [System.Security.Cryptography.ECParameters] $keyParameters) : base($hashSize, $keyParameters) { } [byte[]] ExportPfx([byte[]] $acmeCertificate, [SecureString] $password) { return [Certificate]::ExportPfx($acmeCertificate, $this.ECDsa, $password); } [byte[]] GenerateCsr([string[]] $dnsNames) { return [Certificate]::GenerateCsr($dnsNames, $this.ECDsa, $this.HashName); } static [ICertificateKey] Create([ECDsaKeyExport] $keyExport) { $keyParameters = [System.Security.Cryptography.ECParameters]::new(); $keyParameters.Curve = [ECDsaKeyBase]::GetCurve($keyExport.HashSize); $keyParameters.D = $keyExport.D; $keyParameters.Q.X = $keyExport.QX; $keyParameters.Q.Y = $keyExport.QY; return [ECDsaCertificateKey]::new($keyExport.HashSize, $keyParameters); } } class KeyAuthorization { static hidden [byte[]] ComputeThumbprint([IAccountKey] $accountKey, [System.Security.Cryptography.HashAlgorithm] $hashAlgorithm) { $jwkJson = $accountKey.ExportPublicJwk() | ConvertTo-Json -Compress; $jwkBytes = [System.Text.Encoding]::UTF8.GetBytes($jwkJson); $jwkHash = $hashAlgorithm.ComputeHash($jwkBytes); return $jwkHash; } static [string] Compute([IAccountKey] $accountKey, [string] $token) { $sha256 = [System.Security.Cryptography.SHA256]::Create(); try { $thumbprintBytes = [KeyAuthorization]::ComputeThumbprint($accountKey, $sha256); $thumbprint = ConvertTo-UrlBase64 -InputBytes $thumbprintBytes; return "$token.$thumbprint"; } finally { $sha256.Dispose(); } } static [string] ComputeDigest([IAccountKey] $accountKey, [string] $token) { $sha256 = [System.Security.Cryptography.SHA256]::Create(); try { $thumbprintBytes = [KeyAuthorization]::ComputeThumbprint($accountKey, $sha256); $thumbprint = ConvertTo-UrlBase64 -InputBytes $thumbprintBytes; $keyAuthZBytes = [System.Text.Encoding]::UTF8.GetBytes("$token.$thumbprint"); $digest = $sha256.ComputeHash($keyAuthZBytes); return ConvertTo-UrlBase64 -InputBytes $digest; } finally { $sha256.Dispose(); } } } class Creator { [Type] $TargetType; [Type] $KeyType; [Func[[KeyExport], [KeyBase]]] $Create; Creator([Type] $targetType, [Type] $keyType, [Func[[KeyExport], [KeyBase]]] $creatorFunction) { $this.TargetType = $targetType; $this.KeyType = $keyType; $this.Create = $creatorFunction; } } class KeyFactory { static [System.Collections.ArrayList] $Factories = @( [Creator]::new("IAccountKey", "RSAKeyExport", { param($k) return [RSAAccountKey]::Create($k) }), [Creator]::new("ICertificateKey", "RSAKeyExport", { param($k) return [RSACertificateKey]::Create($k) }), [Creator]::new("IAccountKey", "ECDsaKeyExport", { param($k) return [ECDsaAccountKey]::Create($k) }), [Creator]::new("ICertificateKey", "ECDsaKeyExport", { param($k) return [ECDsaCertificateKey]::Create($k) }) ); hidden static [KeyBase] Create([Type] $targetType, [KeyExport] $keyParameters) { $keyType = $keyParameters.GetType(); $factory = [KeyFactory]::Factories | Where-Object { $_.TargetType -eq $targetType -and $_.KeyType -eq $keyType } | Select-Object -First 1 if ($null -eq $factory) { throw [InvalidOperationException]::new("Unknown KeyParameters-Type."); } return $factory.Create.Invoke($keyParameters); } static [IAccountKey] CreateAccountKey([KeyExport] $keyParameters) { return [KeyFactory]::Create("IAccountKey", $keyParameters); } static [ICertificateKey] CreateCertificateKey([KeyExport] $keyParameters) { return [KeyFactory]::Create("ICertificateKey", $keyParameters); } } class AcmeHttpResponse { AcmeHttpResponse() {} AcmeHttpResponse([System.Net.Http.HttpResponseMessage] $responseMessage, [string] $stringContent) { $this.RequestUri = $responseMessage.RequestMessage.RequestUri; $this.StatusCode = $responseMessage.StatusCode; $this.IsError = $this.StatusCode -ge 400; if($stringContent) { $this.Content = $stringContent | ConvertFrom-Json; } $this.Headers = @{}; foreach($h in $responseMessage.Headers) { $this.Headers.Add($h.Key, $h.Value); if($h.Key -eq "Replay-Nonce") { $this.NextNonce = $h.Value[0]; } } } [string] $RequestUri; [int] $StatusCode; [bool] $IsError; [PSCustomObject] $Content; [hashtable] $Headers; [string] $NextNonce; } class AcmeDirectory { AcmeDirectory([PSCustomObject] $obj) { $this.ResourceUrl = $obj.ResourceUrl $this.NewAccount = $obj.NewAccount; $this.NewAuthz = $obj.NewAuthz; $this.NewNonce = $obj.NewNonce; $this.NewOrder = $obj.NewOrder; $this.KeyChange = $obj.KeyChange; $this.RevokeCert = $obj.RevokeCert; $this.Meta = [AcmeDirectoryMeta]::new($obj.Meta); } [string] $ResourceUrl; [string] $NewAccount; [string] $NewAuthz; [string] $NewNonce; [string] $NewOrder; [string] $KeyChange; [string] $RevokeCert; [AcmeDirectoryMeta] $Meta; } class AcmeDirectoryMeta { AcmeDirectoryMeta([PSCustomObject] $obj) { $this.CaaIdentites = $obj.CaaIdentities; $this.TermsOfService = $obj.TermsOfService; $this.Website = $obj.Website; } [string[]] $CaaIdentites; [string] $TermsOfService; [string] $Website; } class AcmeAccount { AcmeAccount() {} AcmeAccount([AcmeHttpResponse] $httpResponse, [string] $KeyId) { $this.KeyId = $KeyId; $this.Status = $httpResponse.Content.Status; $this.Id = $httpResponse.Content.Id; $this.Contact = $httpResponse.Content.Contact; $this.InitialIp = $httpResponse.Content.InitialIp; $this.CreatedAt = $httpResponse.Content.CreatedAt; $this.OrderListUrl = $httpResponse.Content.Orders; $this.ResourceUrl = $KeyId; } [string] $ResourceUrl; [string] $KeyId; [string] $Status; [string] $Id; [string[]] $Contact; [string] $InitialIp; [string] $CreatedAt; [string] $OrderListUrl; } class AcmeIdentifier { AcmeIdentifier([string] $type, [string] $value) { $this.Type = $type; $this.Value = $value; } AcmeIdentifier([PsCustomObject] $obj) { $this.type = $obj.type; $this.value = $obj.Value; } [string] $type; [string] $value; [string] ToString() { return "$($this.Type.ToLower()):$($this.Value.ToLower())"; } } class AcmeChallenge { AcmeChallenge([PSCustomObject] $obj, [AcmeIdentifier] $identifier) { $this.Type = $obj.type; $this.Url = $obj.url; $this.Token = $obj.token; $this.Identifier = $identifier; } [string] $Type; [string] $Url; [string] $Token; [AcmeIdentifier] $Identifier; [PSCustomObject] $Data; } class AcmeOrder { AcmeOrder([PsCustomObject] $obj) { $this.Status = $obj.Status; $this.Expires = $obj.Expires; $this.NotBefore = $obj.NotBefore; $this.NotAfter = $obj.NotAfter; $this.Identifiers = $obj.Identifiers | ForEach-Object { [AcmeIdentifier]::new($_) }; $this.AuthorizationUrls = $obj.AuthorizationUrls; $this.FinalizeUrl = $obj.FinalizeUrl; $this.CertificateUrl = $obj.CertificateUrl; $this.ResourceUrl = $obj.ResourceUrl; } AcmeOrder([AcmeHttpResponse] $httpResponse) { $this.UpdateOrder($httpResponse) } [void] UpdateOrder([AcmeHttpResponse] $httpResponse) { $this.Status = $httpResponse.Content.Status; $this.Expires = $httpResponse.Content.Expires; $this.NotBefore = $httpResponse.Content.NotBefore; $this.NotAfter = $httpResponse.Content.NotAfter; $this.Identifiers = $httpResponse.Content.Identifiers | ForEach-Object { [AcmeIdentifier]::new($_) }; $this.AuthorizationUrls = $httpResponse.Content.Authorizations; $this.FinalizeUrl = $httpResponse.Content.Finalize; $this.CertificateUrl = $httpResponse.Content.Certificate; if($httpResponse.Headers.Location) { $this.ResourceUrl = $httpResponse.Headers.Location[0]; } else { $this.ResourceUrl = $httpResponse.RequestUri; } } [string] $ResourceUrl; [string] $Status; [string] $Expires; [Nullable[System.DateTimeOffset]] $NotBefore; [Nullable[System.DateTimeOffset]] $NotAfter; [AcmeIdentifier[]] $Identifiers; [string[]] $AuthorizationUrls; [string] $FinalizeUrl; [string] $CertificateUrl; } class AcmeAuthorization { AcmeAuthorization([AcmeHttpResponse] $httpResponse) { $this.status = $httpResponse.Content.status; $this.expires = $httpResponse.Content.expires; $this.identifier = [AcmeIdentifier]::new($httpResponse.Content.identifier); $this.challenges = @($httpResponse.Content.challenges | ForEach-Object { [AcmeChallenge]::new($_, $this.identifier) }); $this.wildcard = $httpResponse.Content.wildcard; $this.ResourceUrl = $httpResponse.RequestUri; } [string] $ResourceUrl; [string] $Status; [System.DateTimeOffset] $Expires; [AcmeIdentifier] $Identifier; [AcmeChallenge[]] $Challenges; [bool] $Wildcard; } class AcmeState { [ValidateNotNull()] hidden [AcmeDirectory] $ServiceDirectory; [ValidateNotNull()] hidden [string] $Nonce; [ValidateNotNull()] hidden [IAccountKey] $AccountKey; [ValidateNotNull()] hidden [AcmeAccount] $Account; hidden [string] $SavePath; hidden [bool] $AutoSave; hidden [bool] $IsInitializing; hidden [AcmeStatePaths] $Filenames; AcmeState() { $this.Filenames = [AcmeStatePaths]::new(""); } AcmeState([string] $savePath, [bool]$autoSave) { $this.Filenames = [AcmeStatePaths]::new($savePath); if(-not (Test-Path $savePath)) { New-Item $savePath -ItemType Directory -Force; } $this.AutoSave = $autoSave; $this.SavePath = Resolve-Path $savePath; } [AcmeDirectory] GetServiceDirectory() { return $this.ServiceDirectory; } [string] GetNonce() { return $this.Nonce; } [IAccountKey] GetAccountKey() { return $this.AccountKey; } [AcmeAccount] GetAccount() { return $this.Account; } [void] Set([AcmeDirectory] $serviceDirectory) { $this.ServiceDirectory = $serviceDirectory; if($this.AutoSave) { $directoryPath = $this.Filenames.ServiceDirectory; Write-Debug "Storing the service directory to $directoryPath"; $this.ServiceDirectory | Export-AcmeObject $directoryPath -Force; } } [void] SetNonce([string] $nonce) { $this.Nonce = $nonce; if($this.AutoSave) { $noncePath = $this.Filenames.Nonce; Set-Content $noncePath -Value $nonce -NoNewLine; } } [void] Set([IAccountKey] $accountKey) { $this.AccountKey = $accountKey; if($this.AutoSave) { $accountKeyPath = $this.Filenames.AccountKey; $this.AccountKey | Export-AccountKey $accountKeyPath -Force; } elseif(-not $this.IsInitializing) { Write-Warning "The account key will not be exported." Write-Information "Make sure you save the account key or you might loose access to your ACME account."; } } [void] Set([AcmeAccount] $account) { $this.Account = $account; if($this.AutoSave) { $accountPath = $this.Filenames.Account; $this.Account | Export-AcmeObject $accountPath; } } hidden [void] LoadFromPath() { $this.IsInitializing = $true; $this.AutoSave = $false; $directoryPath = $this.Filenames.ServiceDirectory; $noncePath = $this.Filenames.Nonce; $accountKeyPath = $this.Filenames.AccountKey; $accountPath = $this.Filenames.Account; if(Test-Path $directoryPath) { Get-ServiceDirectory $this -Path $directoryPath } else { Write-Verbose "Could not find saved service directory at $directoryPath"; } if(Test-Path $noncePath) { $importedNonce = Get-Content $noncePath -Raw if($importedNonce) { $this.SetNonce($importedNonce); } else { New-Nonce $this; } } else { Write-Verbose "Could not find saved nonce at $noncePath"; } if(Test-Path $accountKeyPath) { Import-AccountKey $this -Path $accountKeyPath } else { Write-Verbose "Could not find saved account key at $accountKeyPath"; } if(Test-Path $accountPath) { $importedAccount = Import-AcmeObject -Path $accountPath -TypeName "AcmeAccount" $this.Set($importedAccount); } else { Write-Verbose "Could not find saved account at $accountPath"; } $this.AutoSave = $true; $this.IsInitializing = $false } hidden [string] GetOrderHash([AcmeOrder] $order) { $orderIdentifiers = $order.Identifiers | Foreach-Object { $_.ToString() } | Sort-Object; $identifier = [string]::Join('|', $orderIdentifiers); $sha256 = [System.Security.Cryptography.SHA256]::Create(); try { $identifierBytes = [System.Text.Encoding]::UTF8.GetBytes($identifier); $identifierHash = $sha256.ComputeHash($identifierBytes); $result = ConvertTo-UrlBase64 -InputBytes $identifierHash; return $result; } finally { $sha256.Dispose(); } } hidden [string] GetOrderFileName([string] $orderHash) { $fileName = $this.Filenames.Order.Replace("[hash]", $orderHash); return $fileName; } hidden [AcmeOrder] LoadOrder([string] $orderHash) { $orderFile = $this.GetOrderFileName($orderHash); if(Test-Path $orderFile) { $order = Import-AcmeObject -Path $orderFile -TypeName "AcmeOrder"; return $order; } return $null; } [void] AddOrder([AcmeOrder] $order) { $this.SetOrder($order); } [void] SetOrder([AcmeOrder] $order) { if($this.AutoSave) { $orderHash = $this.GetOrderHash($order); $orderFileName = $this.GetOrderFileName($orderHash); if(-not (Test-Path $order)) { $orderListFile = $this.Filenames.OrderList; foreach ($id in $order.Identifiers) { if(-not (Test-Path $orderListFile)) { New-Item $orderListFile -Force; } "$($id.ToString())=$orderHash" | Add-Content $orderListFile; } } $order | Export-AcmeObject $orderFileName -Force; } else { Write-Warning "If AutoSaving is off, this method does nothing." } } [void] RemoveOrder([AcmeOrder] $order) { if($this.AutoSave) { $orderHash = $this.GetOrderHash($order); $orderFileName = $this.GetOrderFileName($orderHash); if(Test-Path $orderFileName) { Remove-Item $orderFileName; } $orderListFile = $this.Filenames.OrderList; Set-Content -Path $orderListFile -Value (Get-Content -Path $orderListFile | Select-String -Pattern "=$orderHash" -NotMatch -SimpleMatch) } else { Write-Warning "If AutoSaving is off, this method does nothing." } } [AcmeOrder] FindOrder([string[]] $dnsNames) { $orderListFile = $this.Filenames.OrderList; $first = $true; $lastMatch = $null; foreach($dnsName in $dnsNames) { $match = Select-String -Path $orderListFile -Pattern "$dnsName=" -SimpleMatch | Select-Object -Last 1 if($first) { $lastMatch = $match; } if($match -ne $lastMatch) { return $null; } $lastMatch = $match; } $orderHash = ($lastMatch -split "=", 2)[1]; return $this.LoadOrder($orderHash); } [bool] Validate() { return $null -ne $this.ServiceDirectory -and $null -ne $this.Nonce -and $null -ne $this.AccountKey -and $null -ne $this.Account; } [bool] Validate([string] $field) { if($field -eq "ServiceDirectory") { return $null -ne $this.ServiceDirectory; } if($field -eq "Nonce") { return $null -ne $this.ServiceDirectory -and $null -ne $this.Nonce; } if($field -eq "AccountKey") { return $null -ne $this.ServiceDirectory -and $null -ne $this.Nonce -and $null -ne $this.AccountKey; } if($field -eq "Account") { return $this.Validate(); } return false; } static [AcmeState] FromPath([string] $Path) { $state = [AcmeState]::new($Path, $false); $state.LoadFromPath(); return $state; } } class AcmeStatePaths { [string] $ServiceDirectory; [string] $Nonce; [string] $AccountKey; [string] $Account; [string] $OrderList; [string] $Order; AcmeStatePaths([string] $basePath) { $this.ServiceDirectory = "$basePath/ServiceDirectory.xml"; $this.Nonce = "$basePath/NextNonce.txt"; $this.AccountKey = "$basePath/AccountKey.xml"; $this.Account = "$basePath/Account.xml"; $this.OrderList = "$basePath/Orders/OrderList.txt" $this.Order = "$basePath/Orders/Order-[hash].xml"; } } function ConvertTo-OriginalType { param( [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true)] $inputObject, [Parameter(Mandatory=$true, Position=1, ValueFromPipelineByPropertyName=$true)] [ValidateNotNull()] [string] $TypeName ) process { $result = $inputObject -as ([type]$TypeName); if(-not $result) { Write-Error "Could not convert inputObject to $TypeName"; } Write-Verbose "Converted input object to type $TypeName"; return $result; } } function ConvertTo-UrlBase64 { param( [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ParameterSetName="FromString")] [ValidateNotNullOrEmpty()] [string] $InputText, [Parameter(Mandatory = $true, ParameterSetName="FromByteArray")] [ValidateNotNullOrEmpty()] [byte[]] $InputBytes ) if($PSCmdlet.ParameterSetName -eq "FromString") { $InputBytes = [System.Text.Encoding]::UTF8.GetBytes($InputText); } $encoded = [System.Convert]::ToBase64String($InputBytes); $encoded = $encoded.TrimEnd('='); $encoded = $encoded.Replace('+', '-'); $encoded = $encoded.Replace('/', '_'); return $encoded; } function Export-AcmeObject { param( [Parameter(Mandatory=$true, Position = 0)] [ValidateNotNullOrEmpty()] [string] $Path, [Parameter(Mandatory=$true, ValueFromPipeline = $true)] [ValidateNotNull()] $InputObject, [Parameter()] [switch] $Force ) process { $ErrorActionPreference = 'Stop' if((Test-Path $Path) -and -not $Force) { Write-Error "$Path already exists." } Write-Debug "Exporting $($InputObject.GetType()) to $Path" if($Path -like "*.json") { Write-Verbose "Exporting object to JSON file $Path" $InputObject | ConvertTo-Json | Out-File -FilePath $Path -Encoding utf8 -Force:$Force; } else { Write-Verbose "Exporting object to CLIXML file $Path" Export-Clixml $Path -InputObject $InputObject -Force:$Force; } } } function Import-AcmeObject { param( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [ValidateScript({Test-Path $_})] [string] $Path, [Parameter()] [string] $TypeName ) process { $ErrorActionPreference = 'Stop' if($Path -like "*.json") { Write-Verbose "Importing object from JSON file $Path" $imported = Get-Content $Path -Raw | ConvertFrom-Json; } else { Write-Verbose "Importing object from CLIXML file $Path" $imported = Import-Clixml $Path; } if($TypeName) { $result = $imported | ConvertTo-OriginalType -TypeName $TypeName } else { $result = $imported | ConvertTo-OriginalType } return $result; } } function Invoke-ACMEWebRequest { <# #> [CmdletBinding()] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [Alias("Url")] [uri] $Uri, [Parameter(Position = 1)] [ValidateNotNull()] [string] $JsonBody, [Parameter(Mandatory = $true)] [ValidateSet("GET", "POST", "HEAD")] [string] $Method ) $httpRequest = [System.Net.Http.HttpRequestMessage]::new($Method, $Uri); Write-Verbose "Sending HttpRequest ($Method) to $Uri"; if($Method -in @("POST", "PUT")) { $httpRequest.Content = [System.Net.Http.StringContent]::new($JsonBody, [System.Text.Encoding]::UTF8); $httpRequest.Content.Headers.ContentType = "application/jose+json"; Write-Debug "The content of the request is $JsonBody"; } #TODO: This should possibly swapped out to be something singleton-ish. $httpClient = [System.Net.Http.HttpClient]::new(); $httpResponse = $httpClient.SendAsync($httpRequest).GetAwaiter().GetResult(); $response = $httpResponse.Content.ReadAsStringAsync().GetAwaiter().GetResult(); if($httpResponse.Content.Headers.ContentType -eq "application/problem+json") { Write-Error "Server returned Problem: $response" } if($httpRequest.StatusCode -lt 500) { $result = [AcmeHttpResponse]::new($httpResponse, $response); return $result; } Write-Error "Unexpected response from server: $($httpResponse.StatusCode), with content:`n$response" return $response; } function Invoke-SignedWebRequest { [CmdletBinding()] [OutputType("AcmeHttpResponse")] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNullOrEmpty()] [string] $Url, [Parameter(Mandatory = $true, Position = 1)] [AcmeState] $State, [Parameter(Mandatory = $true, Position = 2)] [ValidateNotNull()] [object] $Payload, [Parameter()] [switch] $SupressKeyId ) process { $accountKey = $State.GetAccountKey(); $account = $State.GetAccount(); $keyId = $(if($account -and -not $SupressKeyId) { $account.KeyId }); $nonce = $State.GetNonce(); $requestBody = New-SignedMessage -Url $Url -SigningKey $accountKey -KeyId $keyId -Nonce $nonce -Payload $Payload $response = Invoke-AcmeWebRequest $Url $requestBody -Method POST -ErrorAction 'Continue' if($null -ne $response -and $response.NextNonce) { $State.SetNonce($response.NextNonce); } if($response.IsError) { throw $response; } return $response; } } function New-SignedMessage { [CmdletBinding(SupportsShouldProcess=$false)] [Diagnostics.CodeAnalysis.SuppressMessageAttribute( "PSUseShouldProcessForStateChangingFunctions", "", Scope="Function", Target="*")] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNullOrEmpty()] [string] $Url, [Parameter(Mandatory = $true, Position = 1)] [ISigningKey] $SigningKey, [Parameter(Position = 2)] [string] $KeyId, [Parameter(Position = 3)] [string] $Nonce, [Parameter(Mandatory = $true, Position = 4)] [ValidateNotNull()] [object] $Payload ) $headers = @{}; $headers.Add("alg", $SigningKey.JwsAlgorithmName()); $headers.Add("url", $Url); if($Nonce) { Write-Debug "Nonce $Nonce will be used"; $headers.Add("nonce", $Nonce); } if($KeyId) { Write-Debug "KeyId $KeyId will be used"; $headers.Add("kid", $KeyId); } if(-not ($KeyId)) { Write-Debug "No KeyId present, addind JWK."; $headers.Add("jwk", $SigningKey.ExportPublicJwk()); } if($Payload -is [string]) { Write-Debug "Payload was string, using without Conversion." $messagePayload = $Payload; } else { Write-Debug "Payload was object, converting to Json"; $messagePayload = $Payload | ConvertTo-Json -Compress; } $jsonHeaders = $headers | ConvertTo-Json -Compress Write-Debug "Payload is now: $messagePayload"; Write-Debug "Headers are: $jsonHeaders" $signedPayload = @{}; $signedPayload.add("header", $null); $signedPayload.add("protected", ($jsonHeaders | ConvertTo-UrlBase64)); $signedPayload.add("payload", ($messagePayload | ConvertTo-UrlBase64)); $signedPayload.add("signature", (ConvertTo-UrlBase64 -InputBytes $SigningKey.Sign("$($signedPayload.Protected).$($signedPayload.Payload)"))); $result = $signedPayload | ConvertTo-Json; Write-Debug "Created signed message`n: $result"; return $result; } function Get-Account { <# #> [CmdletBinding(DefaultParameterSetName = "FindAccount")] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate("AccountKey")})] [AcmeState] $State, [Parameter()] [switch] $PassThru, [Parameter(Mandatory = $true, Position = 1, ParameterSetName="GetAccount")] [ValidateNotNull()] [uri] $AccountUrl, [Parameter(Mandatory = $true, Position = 2, ParameterSetName="GetAccount")] [ValidateNotNullOrEmpty()] [string] $KeyId ) if($PSCmdlet.ParameterSetName -eq "FindAccount") { $requestUrl = $State.GetServiceDirectory().NewAccount; $payload = @{"onlyReturnExisting" = $true}; $response = Invoke-SignedWebRequest $requestUrl $State $payload if($response.StatusCode -eq 200) { $KeyId = $response.Headers["Location"][0]; $AccountUrl = $KeyId; } else { Write-Error "JWK seems not to be registered for an account." return $null; } } $response = Invoke-SignedWebRequest $AccountUrl $State @{} $result = [AcmeAccount]::new($response, $KeyId); if($AutomaticAccountHandling) { Enable-AccountHandling -Account $result; } return $result; } function New-Account { <# .SYNOPSIS Registers your account key with a new ACME-Account. .DESCRIPTION Registers the given account key with an ACME service to retreive an account that enables you to communicate with the ACME service. .PARAMETER State The account will be written into the provided state instance. .PARAMETER PassThru If set, the account will be returned to the pipeline. .PARAMETER AcceptTOS If you set this, you accepted the Terms-of-service. .PARAMETER ExistingAccountIsError If set, the script will throw an error, if the key has already been registered. If not set, the script will try to fetch the account associated with the account key. .PARAMETER EmailAddresses Contact adresses for certificate expiration mails and similar. .EXAMPLE PS> New-Account -AcceptTOS -EmailAddresses "mail@example.com" -AutomaticAccountHandling .EXAMPLE PS> New-Account $myServiceDirectory $myAccountKey $myNonce -AcceptTos -EmailAddresses @(...) -ExistingAccountIsError #> [CmdletBinding(SupportsShouldProcess=$true)] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate("AccountKey")})] [AcmeState] $State, [Parameter()] [switch] $PassThru, [Switch] $AcceptTOS, [Switch] $ExistingAccountIsError, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [string[]] $EmailAddresses ) $Contacts = @($EmailAddresses | ForEach-Object { if($_.StartsWith("mailto:")) { $_ } else { "mailto:$_" } }); $payload = @{ "TermsOfServiceAgreed"=$AcceptTOS.IsPresent; "Contact"=$Contacts; } $url = $State.GetServiceDirectory().NewAccount; if($PSCmdlet.ShouldProcess("New-Account", "Sending account registration to ACME Server $Url")) { $response = Invoke-SignedWebRequest $url $State $payload -SupressKeyId -ErrorAction 'Stop' if($response.StatusCode -eq 200) { if(-not $ExistingAccountIsError) { Write-Warning "JWK had already been registered for an account - trying to fetch account." $keyId = $response.Headers["Location"][0]; return Get-Account -AccountUrl $keyId -KeyId $keyId -State $State -PassThru:$PassThru } else { Write-Error "JWK had already been registiered for an account." } } $account = [AcmeAccount]::new($response, $response.Headers["Location"][0]); $State.Set($account); if($PassThru) { return $result; } } } function Set-Account { [CmdletBinding(SupportsShouldProcess=$true)] param( [Parameter(Mandatory = $true)] [ValidateNotNull()] [ValidateScript({$_.Validate()})] [AcmeState] $State, [Parameter()] [switch] $PassThru, [Parameter(Mandatory = $true, ParameterSetName="NewAccountKey")] [IAccountKey] $NewAccountKey ) $innerPayload = @{ "account" = $State.GetAccount().KeyId; "oldKey" = $State.GetAccountKey().ExportPuplicKey() }; $payload = New-SignedMessage -Url $Url -SigningKey $NewAccountKey -Payload $innerPayload; if($PSCmdlet.ShouldProcess("Account", "Set new AccountKey and store it into state")) { Invoke-SignedWebRequest $Url -$State $payload -ErrorAction 'Stop'; $State.Set($NewAccountKey); return Get-Account -Url $TargetAccount.ResourceUrl -State $State -KeyId $Account.KeyId } } function Export-AccountKey { <# .SYNOPSIS Stores an account key to the given path. .DESCRIPTION Stores an account key to the given path. If the path already exists an error will be thrown and the key will not be saved. .PARAMETER Path The path where the key should be exported to. Uses json if path ends with .json. Will use clixml in other cases. .PARAMETER AccountKey The account key that will be exported to the Path. If AutomaticAccountKeyHandling is enabled it will export the registered account key. .EXAMPLE PS> Export-AccountKey -Path "C:\myExportPath.xml" -AccountKey $myAccountKey #> [CmdletBinding()] param( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [string] $Path, [Parameter(ValueFromPipeline=$true)] [ValidateNotNull()] [IAccountKey] $AccountKey, [Parameter()] [switch] $Force ) process { $ErrorActionPreference = 'Stop'; $AccountKey.ExportKey() | Export-AcmeObject $Path -Force:$Force } } function Import-AccountKey { <# .SYNOPSIS Imports an exported account key. .DESCRIPTION Imports an account key that has been exported with Export-AccountKey. If requested, the key is registered for automatic key handling. .PARAMETER Path The path where the key has been exported to. .PARAMETER State The account key will be written into the provided state instance. .PARAMETER PassThru If set, the account key will be returned to the pipeline. #> param( # Specifies a path to one or more locations. [Parameter(Mandatory=$true, Position=1)] [ValidateNotNullOrEmpty()] [string] $Path, [Parameter(Position = 0)] [ValidateNotNull()] [AcmeState] $State, [Parameter()] [switch] $PassThru ) process { $ErrorActionPreference = 'Stop' $imported = Import-AcmeObject $Path $accountKey = [KeyFactory]::CreateAccountKey($imported); if($State) { $State.Set($accountKey); } if($PassThru -or -not $State) { return $accountKey; } } } function New-AccountKey { <# .SYNOPSIS Creates a new account key, that can will used to sign ACME operations. Provide a path where to save the key, since being able to restore it is crucial. .DESCRIPTION Creates and stores a new account key, that can be used for ACME operations. The key will first be created, than exported and imported again to make sure, it has been saved. You can skip the export by providing the SkipExport switch. .PARAMETER RSA Used to select RSA key type. (default) .PARAMETER RSAHashSize The hash size used for the RSA algorithm. .PARAMETER RSAKeySize The key size of the RSA algorithm. .PARAMETER ECDsa Used to select ECDsa key type. .PARAMETER ECDsaHashSize The hash size used for the ECDsa algorithm. .PARAMETER Path The path where the keys will be stored. .PARAMETER SkipExport Allows you to skip exporting the account key. Use with care. .PARAMETER State The account key will be written into the provided state instance. .PARAMETER PassThru If set, the account key will be returned to the pipeline. .EXAMPLE PS> New-AccountKey -Path C:\myKeyExport.xml .EXAMPLE PS> New-AccountKey -Path C:\myKeyExport.json -RSA -HashSize 512 .EXAMPLE PS> New-AccountKey -ECDsa -HashSize 384 -SkipExport #> [CmdletBinding(DefaultParameterSetName="RSA", SupportsShouldProcess=$true)] [OutputType("IAccountKey")] param( [Parameter(ParameterSetName="RSA")] [switch] $RSA, [Parameter(ParameterSetName="RSA")] [ValidateSet(256, 384, 512)] [int] $RSAHashSize = 256, [Parameter(ParameterSetName="RSA")] [ValidateSet(2048)] [int] $RSAKeySize = 2048, [Parameter(ParameterSetName="ECDsa")] [switch] $ECDsa, [Parameter(ParameterSetName="ECDsa")] [ValidateSet(256, 384, 512)] [int] $ECDsaHashSize = 256, [Parameter(Position = 0)] [ValidateNotNull()] [AcmeState] $State, [Parameter()] [switch] $PassThru ) if($PSCmdlet.ParameterSetName -eq "ECDsa") { $accountKey = [IAccountKey]([ECDsaAccountKey]::new($ECDsaHashSize)); Write-Verbose "Created new ECDsa account key with hash size $ECDsaHashSize"; } else { $accountKey = [IAccountKey]([RSAAccountKey]::new($RSAHashSize, $RSAKeySize)); Write-Verbose "Created new RSA account key with hash size $RSAHashSize and key size $RSAKeySize"; } if($State -and $PSCmdlet.ShouldProcess("AccountKey", "Add created account key to state.")) { $State.Set($accountKey); } if($PassThru -or -not $State) { return $accountKey; } } function Get-Authorization { <# .SYNOPSIS Fetches authorizations from acme service. .DESCIPTION Fetches all authorizations for an order or an single authorizatin by its resource url. .PARAMETER Order The order, whoose authorizations will be fetched .PARAMETER Url The authorization resource url to fetch the data. .EXAMPLE PS> Get-Authorization $myOrder .EXAMPLE PS> Get-Authorization https://acme.server/authz/1243 #> [CmdletBinding()] param( [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, ParameterSetName = "FromOrder")] [ValidateNotNull()] [AcmeOrder] $Order, [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "FromUrl")] [ValidateNotNullOrEmpty()] [uri] $Url ) process { switch ($PSCmdlet.ParameterSetName) { "FromOrder" { $Order.AuthorizationUrls | ForEach-Object { Get-Authorization -Url $_ } } Default { $response = Invoke-AcmeWebRequest $Url -Method GET; return [AcmeAuthorization]::new($response); } } } } function Export-Certificate { <# .SYNOPSIS Exports an issued certificate as pfx with private and public key. .DESCRIPTION Exports an issued certificate by downloading it from the acme service and combining it with the private key. .PARAMETER Order The order which contains the issued certificate. .PARAMETER CertificateKey The key which was used to create the orders CSR. .PARAMETER Path The path where the key will be saved. .PARAMETER Password The password used to secure the certificate. #> param( [Parameter(Mandatory = $true)] [ValidateNotNull()] [AcmeOrder] $Order, [Parameter(Mandatory = $true)] [ValidateNotNull()] [ICertificateKey] $CertificateKey, [Parameter(Mandatory = $true)] [ValidateNotNull()] [string] $Path, [Parameter()] [SecureString] $Passsword, [Parameter()] [switch] $Force ) $ErrorActionPreference = 'Stop' if(Test-Path $Path) { if($Force) { Clear-Content $Path; } else { Write-Error "$Path did already exist." } } $response = Invoke-WebRequest $Order.CertificateUrl -UseBasicParsing; $certicate = [byte[]]$response.Content; $CertificateKey.ExportPfx($certicate, $Passsword) | Set-Content $Path -Encoding byte } function Export-CertificateKey { <# .SYNOPSIS Stores an certificate key to the given path. .DESCRIPTION Stores an certificate key to the given path. If the path already exists an error will be thrown and the key will not be saved. .PARAMETER Path The path where the key should be exported to. Uses json if path ends with .json. Will use clixml in other cases. .PARAMETER CertificateKey The certificate key that will be exported to the Path. If AutomaticCertificateKeyHandling is enabled it will export the registered certificate key. .EXAMPLE PS> Export-CertificateKey -Path "C:\myExportPath.xml" -CertificateKey $myCertificateKey #> [CmdletBinding()] param( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [string] $Path, [Parameter(ValueFromPipeline=$true)] [ValidateNotNull()] [ICertificateKey] $CertificateKey ) process { if(Test-Path $Path) { Write-Error "$Path already exists. This method will not override existing files" } if($Path -like "*.json") { $CertificateKey.ExportKey() | ConvertTo-Json -Compress | Out-File $Path -Encoding utf8 Write-Verbose "Exported certificate key as JSON to $Path"; } else { $CertificateKey.ExportKey() | Export-Clixml -Path $Path Write-Verbose "Exported certificate key as CLIXML to $Path"; } } } function Import-CertificateKey { <# .SYNOPSIS Imports an exported certificate key. .DESCRIPTION Imports an certificate key that has been exported with Export-CertificateKey. If requested, the key is registered for automatic key handling. .PARAMETER Path The path where the key has been exported to. #> param( # Specifies a path to one or more locations. [Parameter(Mandatory=$true, Position=0)] [ValidateNotNullOrEmpty()] [string] $Path ) $ErrorActionPreference = 'Stop' if($Path -like "*.json") { $imported = Get-Content $Path -Raw | ConvertFrom-Json | ConvertTo-OriginalType; } else { $imported = Import-Clixml $Path | ConvertTo-OriginalType } $certificateKey = [KeyFactory]::CreateCertificateKey($imported); return $certificateKey; } function New-CertificateKey { <# .SYNOPSIS Creates a new certificate key, that can will used to sign ACME operations. Provide a path where to save the key, since being able to restore it is crucial. .DESCRIPTION Creates and stores a new certificate key, that can be used for ACME operations. The key will first be created, than exported and imported again to make sure, it has been saved. You can skip the export by providing the SkipExport switch. .PARAMETER RSA Used to select RSA key type. (default) .PARAMETER RSAHashSize The hash size used for the RSA algorithm. .PARAMETER RSAKeySize The key size of the RSA algorithm. .PARAMETER ECDsa Used to select ECDsa key type. .PARAMETER ECDsaHashSize The hash size used for the ECDsa algorithm. .PARAMETER Path The path where the keys will be stored. .EXAMPLE PS> New-CertificateKey -Path C:\myKeyExport.xml -AutomaticCertificateKeyHandling .EXAMPLE PS> New-CertificateKey -Path C:\myKeyExport.json -RSA -HashSize 512 .EXAMPLE PS> New-CertificateKey -ECDsa -HashSize 384 -SkipExport #> [CmdletBinding(DefaultParameterSetName="RSA", SupportsShouldProcess=$true)] [OutputType("ICertificateKey")] param( [Parameter(ParameterSetName="RSA")] [switch] $RSA, [Parameter(ParameterSetName="RSA")] [ValidateSet(256, 384, 512)] [int] $RSAHashSize = 256, [Parameter(ParameterSetName="RSA")] [ValidateSet(2048)] [int] $RSAKeySize = 2048, [Parameter(ParameterSetName="ECDsa")] [switch] $ECDsa, [Parameter(ParameterSetName="ECDsa")] [ValidateSet(256, 384, 512)] [int] $ECDsaHashSize = 256, [Parameter()] [string] $Path, [Parameter()] [switch] $SkipKeyExport ) if(-not $SkipKeyExport) { if(-not $Path) { Write-Error "Path was null or empty. Provide a path for the key to be exported or specify SkipKeyExport"; return; } } if($PSCmdlet.ParameterSetName -eq "ECDsa") { $certificateKey = [ICertificateKey]([ECDsaCertifiaceKey]::new($ECDsaHashSize)); Write-Verbose "Created new ECDsa certificate key with hash size $ECDsaHashSize"; } else { $certificateKey = [ICertificateKey]([RSACertificateKey]::new($RSAHashSize, $RSAKeySize)); Write-Verbose "Created new RSA certificate key with hash size $RSAHashSize and key size $RSAKeySize"; } if($SkipKeyExport) { Write-Warning "The certificate key will not be exported. Make sure you save the certificate key!."; return $certificateKey; } if($PSCmdlet.ShouldProcess("CertificateKey", "Store created key to $Path and reload it from there")) { Export-CertificateKey -CertificateKey $certificateKey -Path $Path -ErrorAction 'Stop' | Out-Null return Import-CertificateKey -Path $Path -ErrorAction 'Stop' } } function Complete-Challenge { <# .PARAMETER State State instance containing service directory, account key, account and nonce. #> [CmdletBinding(SupportsShouldProcess=$true)] param( [Parameter(Mandatory = $true, Position = 1, ValueFromPipeline = $true)] [ValidateNotNull()] [AcmeChallenge] $Challenge, [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate()})] [AcmeState] $State ) process { $payload = @{}; if($PSCmdlet.ShouldProcess("Challenge", "Complete challenge by submitting completion to ACME service")) { $response = Invoke-SignedWebRequest $Challenge.Url $State $payload; return [AcmeChallenge]::new($response, $Challenge.Identifier); } } } function Get-Challenge { [CmdletBinding()] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate()})] [AcmeState] $State, [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 1)] [ValidateNotNull()] [AcmeAuthorization] $Authorization, [Parameter(Mandatory = $true, Position = 2)] [string] $Type ) process { $challange = $Authorization.Challenges | Where-Object { $_.Type -eq $Type } | Select-Object -First 1 if(-not $challange.Data) { $challange | Initialize-Challenge $State } return $challange; } } function Initialize-Challenge { [CmdletBinding()] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate()})] [AcmeState] $State, [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 1, ParameterSetName="ByAuthorization")] [ValidateNotNull()] [AcmeAuthorization] $Authorization, [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 1, ParameterSetName="ByChallenge")] [ValidateNotNull()] [AcmeChallenge] $Challenge, [Parameter()] [switch] $PassThru ) process { if($PSCmdlet.ParameterSetName -eq "ByAuthorization") { return ($Authorization.challenges | Initialize-Challenge $State -PassThru:$PassThru); } $accountKey = $State.GetAccountKey(); switch($Challenge.Type) { "http-01" { $fileName = $Challenge.Token; $relativePath = "/.well-known/acme-challenge/$fileName" $fqdn = "$($Challenge.Identifier.Value)$relativePath" $content = [KeyAuthorization]::Compute($AccountKey, $Challenge.Token); $Challenge.Data = [PSCustomObject]@{ "Type" = $Challenge.Type; "Token" = $Challenge.Token; "Filename" = $fileName; "RelativeUrl" = $relativePath; "AbsoluteUrl" = $fqdn; "Content" = $content; } } "dns-01" { $txtRecordName = "_acme-challenge.$($Challenge.Identifier.Value)"; $content = [KeyAuthorization]::ComputeDigest($AccountKey, $Challenge.Token); $Challenge.Data = [PSCustomObject]@{ "Type" = "dns-01"; "Token" = $Challenge.Token; "TxtRecordName" = $txtRecordName; "Content" = $content; } } "tls-alpn-01" { $content = [KeyAuthorization]::Compute($AccountKey, $Challenge.Token); $Challenge.Data = [PSCustomObject]@{ "Type" = $Challenge.Type; "Token" = $Challenge.Token; "SubjectAlternativeName" = $Challenge.Identifier.Value; "AcmeValidation-v1" = $content; } } Default { Write-Error "Cannot show how to resolve challange of unknown type $($Challenge.Type)" } } if($PassThru) { return $Challenge; } } } function New-Nonce { <# .SYNOPSIS Gets a new nonce. .DESCRIPTION Issues a web request to receive a new nonce from the service directory .PARAMETER State The nonce will be written into the provided state instance. .PARAMETER PassThru If set, the nonce will be returned to the pipeline. .EXAMPLE PS> New-Nonce -Uri "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce" #> [CmdletBinding(SupportsShouldProcess=$true)] [OutputType("string")] param( [Parameter(Mandatory = $true)] [ValidateNotNull()] [ValidateScript({$_.Validate("ServiceDirectory")})] [AcmeState] $State, [Parameter()] [switch] $PassThru ) $Url = $State.GetServiceDirectory().NewNonce; $response = Invoke-AcmeWebRequest $Url -Method Head $nonce = $response.NextNonce; if(-not $nonce) { throw "Could not retreive new nonce"; } if($PSCmdlet.ShouldProcess("Nonce", "Store new nonce into state")) { $State.SetNonce($nonce); } if($PassThru) { return $nonce; } } function Complete-Order { <# .SYNOPSIS Finalizes an acme order .DESCRIPTION Finalizes the acme order by submitting a CSR to the acme service. .PARAMETER State State instance containing service directory, account key, account and nonce. .PARAMETER Order The order to be finalized. .PARAMETER CertificateKey The certificate key to be used to create a CSR. .EXAMPLE PS> Complete-Order -Order $myOrder -CertificateKey $myCertKey #> [CmdletBinding(SupportsShouldProcess=$true)] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate()})] [AcmeState] $State, [Parameter(Mandatory = $true)] [ValidateNotNull()] [AcmeOrder] $Order, [Parameter(Mandatory = $true)] [ValidateNotNull()] [ICertificateKey] $CertificateKey, [Parameter()] [switch] $PassThru ) process { $ErrorActionPreference = 'Stop'; $dnsNames = $Order.Identifiers | ForEach-Object { $_.Value } $csr = $CertificateKey.GenerateCsr($dnsNames); $payload = @{ "csr"= (ConvertTo-UrlBase64 -InputBytes $csr) } $requestUrl = $Order.FinalizeUrl; if($PSCmdlet.ShouldProcess("Order", "Finalizing order at ACME service by submitting CSR")) { $response = Invoke-SignedWebRequest $requestUrl $State $payload; $Order.UpdateOrder($response); } if($PassThru) { return $Order; } } } function Get-Order { <# .SYNOPSIS Fetches an order from acme service .DESCRIPTION Uses the given url to fetch an existing order object from the acme service. .PARAMETER Url The resource url of the order to be fetched. #> [CmdletBinding()] [OutputType("AcmeOrder")] param( [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "FromUrl")] [ValidateNotNullOrEmpty()] [uri] $Url ) $response = Invoke-AcmeWebRequest $Url -Method GET; return [AcmeOrder]::new($response); } function New-Identifier { <# .SYNOPSIS Creates a new identifier. .DESCRIPTION Creates a new identifier needed for orders and authorizations .PARAMETER Type The identifier type .PARAMETER Value The value of the identifer, e.g. the FQDN. .EXAMPLE PS> New-Identifier www.example.com #> [CmdletBinding(SupportsShouldProcess=$false)] [Diagnostics.CodeAnalysis.SuppressMessageAttribute( "PSUseShouldProcessForStateChangingFunctions", "", Scope="Function", Target="*")] param( [Parameter(Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true)] [ValidateNotNullOrEmpty()] [string] $Value, [Parameter(Position = 1, ValueFromPipelineByPropertyName = $true)] [ValidateNotNullOrEmpty()] [string] $Type = "dns" ) process { return [AcmeIdentifier]::new($Type, $Value); } } function New-Order { <# .SYNOPSIS Creates a new order object. .DESCRIPTION Creates a new order object to be used for signing a new certificate including all submitted identifiers. .PARAMETER State State instance containing service directory, account key, account and nonce. .PARAMETER Identifiers The list of identifiers, which will be covered by the certificates subject alternative names. .PARAMETER NotBefore Earliest date the certificate should be considered valid. .PARAMETER NotAfter Latest date the certificate should be considered valid. .EXAMPLE PS> New-Order -Directory $myDirectory -AccountKey $myAccountKey -KeyId $myKid -Nonce $myNonce -Identifiers $myIdentifiers .EXAMPLE PS> New-Order -Identifiers (New-Identifier "dns" "www.test.com") #> [CmdletBinding(SupportsShouldProcess=$true)] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate()})] [AcmeState] $State, [Parameter(Mandatory = $true)] [AcmeIdentifier[]] $Identifiers, [Parameter()] [System.DateTimeOffset] $NotBefore, [Parameter()] [System.DateTimeOffset] $NotAfter ) $payload = @{ "identifiers" = @($Identifiers | Select-Object @{N="type";E={$_.Type}}, @{N="value";E={$_.Value}}) }; if($NotBefore -and $NotAfter) { $payload.Add("notBefore", $NotBefore.ToString("o")); $payload.Add("notAfter", $NotAfter.ToString("o")); } $requestUrl = $State.GetServiceDirectory().NewOrder; if($PSCmdlet.ShouldProcess("Order", "Create new order with ACME Service")) { $response = Invoke-SignedWebRequest $requestUrl $State $payload; $order = [AcmeOrder]::new($response); $state.AddOrder($order); return $order; } } function Update-Order { <# .SYNOPSIS Updates an order from acme service .DESCRIPTION Updates the given order instance by querying the acme service. The result will be used to update the order stored in the state object .PARAMETER State State instance containing service directory, account key, account and nonce. .PARAMETER Order The order to be updated. .PARAMETER PassThru If present, the updated order will be written to the output. #> [CmdletBinding(SupportsShouldProcess=$true)] [OutputType("AcmeOrder")] param( [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [ValidateScript({$_.Validate()})] [AcmeState] $State, [Parameter(Mandatory = $true, Position = 1, ValueFromPipeline = $true)] [ValidateNotNullOrEmpty()] [AcmeOrder] $Order, [Parameter()] [switch] $PassThru ) if($PSCmdlet.ShouldProcess("Order", "Get updated order form ACME service and store it to state")) { $response = Invoke-AcmeWebRequest $Order.ResourceUrl -Method GET; $Order.UpdateOrder($response); $State.SetOrder($Order); if($PassThru) { return $Order; } } } function Get-ServiceDirectory { <# .SYNOPSIS Fetches the ServiceDirectory from an ACME Servers. .DESCRIPTION This will issue a web request to either the url or to a well-known ACME server to fetch the service directory. Alternatively the directory can be loaded from a path, when it has been stored with Export-CliXML or as Json. .PARAMETER EndpointName The Name of an Well-Known ACME-Endpoint. .PARAMETER DirectoryUrl Url of an ACME Directory. .PARAMETER Path Path to load the Directory from. The given file needs to be .json or .xml (CLI-Xml) .PARAMETER State If present, the service directory will be written into the provided state instance. .PARAMETER PassThru If set, the service directory will be returned to the pipeline. .EXAMPLE PS> Get-ServiceDirectory $myState .EXAMPLE PS> Get-ServiceDirectory "LetsEncrypt" $myState -PassThru .EXAMPLE PS> Get-ServiceDirectory -DirectoryUrl "https://acme-staging-v02.api.letsencrypt.org" $myState #> [CmdletBinding(DefaultParameterSetName="FromName")] [OutputType("ACMEDirectory")] param( [Parameter(Position=1, ParameterSetName="FromName")] [string] $ServiceName = "LetsEncrypt-Staging", [Parameter(Mandatory=$true, ParameterSetName="FromUrl")] [Uri] $DirectoryUrl, [Parameter(Mandatory=$true, ParameterSetName="FromPath")] [ValidateNotNullOrEmpty()] [string] $Path, [Parameter(Mandatory = $true, Position = 0)] [ValidateNotNull()] [AcmeState] $State, [Parameter()] [switch] $PassThru ) begin { $KnownEndpoints = @{ "LetsEncrypt-Staging"="https://acme-staging-v02.api.letsencrypt.org"; "LetsEncrypt"="https://acme-v02.api.letsencrypt.org" } } process { $ErrorActionPreference = 'Stop'; if($PSCmdlet.ParameterSetName -in @("FromName", "FormUrl")) { if($PSCmdlet.ParameterSetName -eq "FromName") { $acmeBaseUrl = $KnownEndpoints[$ServiceName]; if($null -eq $acmeBaseUrl) { $knownNames = $KnownEndpoints.Keys -join ", " throw "The ACME-Service-Name $ServiceName is not known. Known names are $knownNames." } $serviceDirectoryUrl = "$acmeBaseUrl/directory" } elseif ($PSCmdlet.ParameterSetName -eq "FromUrl") { $serviceDirectoryUrl = $DirectoryUrl } $response = Invoke-WebRequest $serviceDirectoryUrl; $result = [AcmeDirectory]::new(($response.Content | ConvertFrom-Json)); $result.ResourceUrl = $serviceDirectoryUrl; } if($PSCmdlet.ParameterSetName -eq "FromPath") { if($Path -like "*.json") { $result = [ACMEDirectory](Get-Content $Path | ConvertFrom-Json) } else { $result = [AcmeDirectory](Import-Clixml $Path) } } $State.Set($result); if($PassThru) { return $result; } } } function Get-TermsOfService { <# .SYNOPSIS Show the ACME service TOS .DESCRIPTION Show the ACME service TOS .PARAMETER Directory The directory to read the TOS from. #> [CmdletBinding()] param( [Parameter(Mandatory=$true)] [AcmeState] $State ) process { Start-Process $State.GetServiceDirectory().Meta.TermsOfService; } } function Get-State { <# .SYNOPSIS Initializes state from saved date. .DESCRIPTION Initializes state from saved data. Use this if you already have an exported account key and an account. .PARAMETER Path Path to an exported service directory .EXAMPLE PS> Initialize-AutomaticHandlers C:\myServiceDirectory.xml C:\myKey.json #> [CmdletBinding()] param( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [string] $Path ) $ErrorActionPreference = 'Stop'; Write-Verbose "Loading ACME-PS state from $Path"; $state = [AcmeState]::FromPath($Path); return $state; } function New-State { <# .SYNOPSIS Initializes a new state object. .DESCRIPTION Initializes a new state object, that will be used by other functions to access the service directory, nonce, account and account key. .PARAMETER Path Directory where the state will be persisted. .EXAMPLE PS> New-State #> [CmdletBinding(SupportsShouldProcess=$true)] param( [Parameter()] [string] $Path ) process { if(-not $Path) { Write-Warning "You did not provide a persistency path. State will not be saved automatically." return [AcmeState]::new() } else { if($PSCmdlet.ShouldProcess("State", "Create new state and save it to $Path")) { return [AcmeState]::new($Path, $true); } } } } # SIG # Begin signature block # MIITfQYJKoZIhvcNAQcCoIITbjCCE2oCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU8h5lgkDzGrKagoGYWhP5Y6b8 # zUugghCnMIIFEjCCA/qgAwIBAgIJAOML1fivJdmBMA0GCSqGSIb3DQEBCwUAMIGC # MQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2UgU2Vy # dmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjElMCMG # A1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMjAeFw0xNjAyMjIxMzM4 # MjJaFw0zMTAyMjIyMzU5NTlaMIGVMQswCQYDVQQGEwJERTFFMEMGA1UEChM8VmVy # ZWluIHp1ciBGb2VyZGVydW5nIGVpbmVzIERldXRzY2hlbiBGb3JzY2h1bmdzbmV0 # emVzIGUuIFYuMRAwDgYDVQQLEwdERk4tUEtJMS0wKwYDVQQDEyRERk4tVmVyZWlu # IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IB # DwAwggEKAoIBAQDLYNf/ZqFBzdL6h5eKc6uZTepnOVqhYIBHFU6MlbLlz87TV0uN # zvhWbBVVdgfqRv3IA0VjPnDUq1SAsSOcvjcoqQn/BV0YD8SYmTezIPZmeBeHwp0O # zEoy5xadrg6NKXkHACBU3BVfSpbXeLY008F0tZ3pv8B3Teq9WQfgWi9sPKUA3DW9 # ZQ2PfzJt8lpqS2IB7qw4NFlFNkkF2njKam1bwIFrEczSPKiL+HEayjvigN0WtGd6 # izbqTpEpPbNRXK2oDL6dNOPRDReDdcQ5HrCUCxLx1WmOJfS4PSu/wI7DHjulv1UQ # qyquF5deM87I8/QJB+MChjFGawHFEAwRx1npAgMBAAGjggF0MIIBcDAOBgNVHQ8B # Af8EBAMCAQYwHQYDVR0OBBYEFJPj2DIm2tXxSqWRSuDqS+KiDM/hMB8GA1UdIwQY # MBaAFL9ZIDYAeaCgImuM1fJh0rgsy4JKMBIGA1UdEwEB/wQIMAYBAf8CAQIwMwYD # VR0gBCwwKjAPBg0rBgEEAYGtIYIsAQEEMA0GCysGAQQBga0hgiweMAgGBmeBDAEC # AjBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL3Js # L1RlbGVTZWNfR2xvYmFsUm9vdF9DbGFzc18yLmNybDCBhgYIKwYBBQUHAQEEejB4 # MCwGCCsGAQUFBzABhiBodHRwOi8vb2NzcDAzMzYudGVsZXNlYy5kZS9vY3NwcjBI # BggrBgEFBQcwAoY8aHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9jcnQvVGVsZVNl # Y19HbG9iYWxSb290X0NsYXNzXzIuY2VyMA0GCSqGSIb3DQEBCwUAA4IBAQCHC/8+ # AptlyFYt1juamItxT9q6Kaoh+UYu9bKkD64ROHk4sw50unZdnugYgpZi20wz6N35 # at8yvSxMR2BVf+d0a7Qsg9h5a7a3TVALZge17bOXrerufzDmmf0i4nJNPoRb7vnP # mep/11I5LqyYAER+aTu/de7QCzsazeX3DyJsR4T2pUeg/dAaNH2t0j13s+70103/ # w+jlkk9ZPpBHEEqwhVjAb3/4ru0IQp4e1N8ULk2PvJ6Uw+ft9hj4PEnnJqinNtgs # 3iLNi4LY2XjiVRKjO4dEthEL1QxSr2mMDwbf0KJTi1eYe8/9ByT0/L3D/UqSApcb # 8re2z2WKGqK1chk5MIIFrDCCBJSgAwIBAgIHG2O60B4sPTANBgkqhkiG9w0BAQsF # ADCBlTELMAkGA1UEBhMCREUxRTBDBgNVBAoTPFZlcmVpbiB6dXIgRm9lcmRlcnVu # ZyBlaW5lcyBEZXV0c2NoZW4gRm9yc2NodW5nc25ldHplcyBlLiBWLjEQMA4GA1UE # CxMHREZOLVBLSTEtMCsGA1UEAxMkREZOLVZlcmVpbiBDZXJ0aWZpY2F0aW9uIEF1 # dGhvcml0eSAyMB4XDTE2MDUyNDExMzg0MFoXDTMxMDIyMjIzNTk1OVowgY0xCzAJ # BgNVBAYTAkRFMUUwQwYDVQQKDDxWZXJlaW4genVyIEZvZXJkZXJ1bmcgZWluZXMg # RGV1dHNjaGVuIEZvcnNjaHVuZ3NuZXR6ZXMgZS4gVi4xEDAOBgNVBAsMB0RGTi1Q # S0kxJTAjBgNVBAMMHERGTi1WZXJlaW4gR2xvYmFsIElzc3VpbmcgQ0EwggEiMA0G # CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdO3kcR94fhsvGadcQnjnX2aIw23Ic # BX8pX0to8a0Z1kzhaxuxC3+hq+B7i4vYLc5uiDoQ7lflHn8EUTbrunBtY6C+li5A # 4dGDTGY9HGRp5ZukrXKuaDlRh3nMF9OuL11jcUs5eutCp5eQaQW/kP+kQHC9A+e/ # nhiIH5+ZiE0OR41IX2WZENLZKkntwbktHZ8SyxXTP38eVC86rpNXp354ytVK4hrl # 7UF9U1/Isyr1ijCs7RcFJD+2oAsH/U0amgNSoDac3iSHZeTn+seWcyQUzdDoG2ie # GFmudn730Qp4PIdLsDfPU8o6OBDzy0dtjGQ9PFpFSrrKgHy48+enTEzNAgMBAAGj # ggIFMIICATASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjApBgNV # HSAEIjAgMA0GCysGAQQBga0hgiweMA8GDSsGAQQBga0hgiwBAQQwHQYDVR0OBBYE # FGs6mIv58lOJ2uCtsjIeCR/oqjt0MB8GA1UdIwQYMBaAFJPj2DIm2tXxSqWRSuDq # S+KiDM/hMIGPBgNVHR8EgYcwgYQwQKA+oDyGOmh0dHA6Ly9jZHAxLnBjYS5kZm4u # ZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9jYWNybC5jcmwwQKA+oDyGOmh0 # dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NybC9j # YWNybC5jcmwwgd0GCCsGAQUFBwEBBIHQMIHNMDMGCCsGAQUFBzABhidodHRwOi8v # b2NzcC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSgYIKwYBBQUHMAKGPmh0 # dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZ2xvYmFsLXJvb3QtZzItY2EvcHViL2NhY2Vy # dC9jYWNlcnQuY3J0MEoGCCsGAQUFBzAChj5odHRwOi8vY2RwMi5wY2EuZGZuLmRl # L2dsb2JhbC1yb290LWcyLWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNydDANBgkqhkiG # 9w0BAQsFAAOCAQEAgXhFpE6kfw5V8Amxaj54zGg1qRzzlZ4/8/jfazh3iSyNta0+ # x/KUzaAGrrrMqLGtMwi2JIZiNkx4blDw1W5gjU9SMUOXRnXwYuRuZlHBQjFnUOVJ # 5zkey5/KhkjeCBT/FUsrZpugOJ8Azv2n69F/Vy3ITF/cEBGXPpYEAlyEqCk5bJT8 # EJIGe57u2Ea0G7UDDDjZ3LCpP3EGC7IDBzPCjUhjJSU8entXbveKBTjvuKCuL/Tb # B9VbhBjBqbhLzmyQGoLkuT36d/HSHzMCv1PndvncJiVBby+mG/qkE5D6fH7ZC2Bd # 7L/KQaBh+xFJKdioLXUV2EoY6hbvVTQiGhONBjCCBd0wggTFoAMCAQICDB+/A6ha # DPjjhUCllTANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCREUxRTBDBgNVBAoM # PFZlcmVpbiB6dXIgRm9lcmRlcnVuZyBlaW5lcyBEZXV0c2NoZW4gRm9yc2NodW5n # c25ldHplcyBlLiBWLjEQMA4GA1UECwwHREZOLVBLSTElMCMGA1UEAwwcREZOLVZl # cmVpbiBHbG9iYWwgSXNzdWluZyBDQTAeFw0xODA5MTcxMDQ3MDNaFw0yMTA5MTYx # MDQ3MDNaMIGAMQswCQYDVQQGEwJERTEYMBYGA1UECAwPUmhlaW5sYW5kLVBmYWx6 # MQ4wDAYDVQQHDAVNYWluejEuMCwGA1UECgwlSm9oYW5uZXMgR3V0ZW5iZXJnLVVu # aXZlcnNpdGFldCBNYWluejEXMBUGA1UEAwwOVGhvbWFzIEdsYXR6ZXIwggEiMA0G # CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT5Cmh9WscXfM0blOLwaofBH1EbBOr # ms//nxhM/eyCx8ySoXabPOkFi5PILnXut0760GlIdWaw9IF71AP/R+2X8oG1rCw7 # Ixxc95+LqfFwHbVPg1A378GSCjuq9eInMy9lV4k3X/M/M9qlPu6IlRIbxHGD6WyB # LG+RAHdPjyZps44k3lIL7hIv8dmoTjEOpqtYMz6+aSgiQK65bZS/e4XtT8A+YFEA # bZHOXAlBPjR/Ju3peINVnjBPkQmAn+yZc8M5Hk7Tn2lHXcmijSU7PDkKtlufWHng # GEF5QWe+1baHmGcP+XPTuqSd1HESZ7NhZ8LoNbDYjMDY/zUOqMmNbkxfAgMBAAGj # ggJGMIICQjBABgNVHSAEOTA3MA8GDSsGAQQBga0hgiwBAQQwEQYPKwYBBAGBrSGC # LAEBBAMIMBEGDysGAQQBga0hgiwCAQQDCDAJBgNVHRMEAjAAMA4GA1UdDwEB/wQE # AwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQURyrNzV08EeIUCx9E # rmaaoPVwywowHwYDVR0jBBgwFoAUazqYi/nyU4na4K2yMh4JH+iqO3QwIAYDVR0R # BBkwF4EVZ2xhdHplcnRAdW5pLW1haW56LmRlMIGNBgNVHR8EgYUwgYIwP6A9oDuG # OWh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLWNhLWdsb2JhbC1nMi9wdWIvY3Js # L2NhY3JsLmNybDA/oD2gO4Y5aHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tY2Et # Z2xvYmFsLWcyL3B1Yi9jcmwvY2FjcmwuY3JsMIHbBggrBgEFBQcBAQSBzjCByzAz # BggrBgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9P # Q1NQMEkGCCsGAQUFBzAChj1odHRwOi8vY2RwMS5wY2EuZGZuLmRlL2Rmbi1jYS1n # bG9iYWwtZzIvcHViL2NhY2VydC9jYWNlcnQuY3J0MEkGCCsGAQUFBzAChj1odHRw # Oi8vY2RwMi5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NhY2VydC9j # YWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQBdYk5Jgp0gBDglwDZxm670zvqY # l3/rDP8XMBwuJ21yMk7BUQDbrqrsMJNhJFQrKp3hjzRtic5f7hP+qR50oE6kCqRB # V9Vxs4uxy65M8bVDzMDjAstPc36G90a7C1orMa88SBgskghw0WpQUeJlGbnrJTuB # LX+/UGMMnSSuyJRnZKi//BZc5Uz5MNSy0KV0EgSlXpjPxdSnMEsXrSjunzGbUz9c # RmV+fi9JX7iLRiyX1vz72iOmY5oS4omb+j9gwimGvw+NlBwRE5945U5594R8bdaO # cCEb26409/4M47o9NSZMNjShIdvTQO+VQYK8GIiwRZ6twtAEocNnbIPorhi5MYIC # QDCCAjwCAQEwgZ4wgY0xCzAJBgNVBAYTAkRFMUUwQwYDVQQKDDxWZXJlaW4genVy # IEZvZXJkZXJ1bmcgZWluZXMgRGV1dHNjaGVuIEZvcnNjaHVuZ3NuZXR6ZXMgZS4g # Vi4xEDAOBgNVBAsMB0RGTi1QS0kxJTAjBgNVBAMMHERGTi1WZXJlaW4gR2xvYmFs # IElzc3VpbmcgQ0ECDB+/A6haDPjjhUCllTAJBgUrDgMCGgUAoHgwGAYKKwYBBAGC # NwIBDDEKMAigAoAAoQKAADAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAjBgkqhkiG9w0BCQQxFgQUlHTBFWDm # URszxDA2ZbOJaZb6fIIwDQYJKoZIhvcNAQEBBQAEggEANNaXSHgE5lumRfJ2Tjga # cHRV98cwVt6tvygBvpfoj5/+YkZZQjwyN08s3rqoLTydDU9wlaiSlE9BT0hOucvK # yK8RvqkfF2+LYLUpjWo0vpRf8Ql6z0i+2BG3J9JFnsqX2Fn7vvLZNIwI4Rs90WfJ # t/UWmRyvZ2ofFxle5kOghs5xSTgIyyN/yrq8ZZejAMGxOonIWstxFOM80UtawPbw # 2vmcpLAZXUe8AQWZLey7TshwprsdF1onfqf4eN8AEgZ4N9dgGh4sNashQc0I4J9A # unQ09hy7kqW2tX8/WSXxSkKYW5kGbqOc0iNiW0dtYzWpbrtzD5flScyj2ThWWASV # cA== # SIG # End signature block |