Update Lego

vendor/github.com/xenolf/lego/acme/api/account.go

@@ -0,0 +1,69 @@
+package api
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/xenolf/lego/acme"
+)
+
+type AccountService service
+
+// New Creates a new account.
+func (a *AccountService) New(req acme.Account) (acme.ExtendedAccount, error) {
+	var account acme.Account
+	resp, err := a.core.post(a.core.GetDirectory().NewAccountURL, req, &account)
+	location := getLocation(resp)
+
+	if len(location) > 0 {
+		a.core.jws.SetKid(location)
+	}
+
+	if err != nil {
+		return acme.ExtendedAccount{Location: location}, err
+	}
+
+	return acme.ExtendedAccount{Account: account, Location: location}, nil
+}
+
+// NewEAB Creates a new account with an External Account Binding.
+func (a *AccountService) NewEAB(accMsg acme.Account, kid string, hmacEncoded string) (acme.ExtendedAccount, error) {
+	hmac, err := base64.RawURLEncoding.DecodeString(hmacEncoded)
+	if err != nil {
+		return acme.ExtendedAccount{}, fmt.Errorf("acme: could not decode hmac key: %v", err)
+	}
+
+	eabJWS, err := a.core.signEABContent(a.core.GetDirectory().NewAccountURL, kid, hmac)
+	if err != nil {
+		return acme.ExtendedAccount{}, fmt.Errorf("acme: error signing eab content: %v", err)
+	}
+	accMsg.ExternalAccountBinding = eabJWS
+
+	return a.New(accMsg)
+}
+
+// Get Retrieves an account.
+func (a *AccountService) Get(accountURL string) (acme.Account, error) {
+	if len(accountURL) == 0 {
+		return acme.Account{}, errors.New("account[get]: empty URL")
+	}
+
+	var account acme.Account
+	_, err := a.core.post(accountURL, acme.Account{}, &account)
+	if err != nil {
+		return acme.Account{}, err
+	}
+	return account, nil
+}
+
+// Deactivate Deactivates an account.
+func (a *AccountService) Deactivate(accountURL string) error {
+	if len(accountURL) == 0 {
+		return errors.New("account[deactivate]: empty URL")
+	}
+
+	req := acme.Account{Status: acme.StatusDeactivated}
+	_, err := a.core.post(accountURL, req, nil)
+	return err
+}

vendor/github.com/xenolf/lego/acme/api/api.go

@@ -0,0 +1,151 @@
+package api
+
+import (
+	"bytes"
+	"crypto"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/acme/api/internal/nonces"
+	"github.com/xenolf/lego/acme/api/internal/secure"
+	"github.com/xenolf/lego/acme/api/internal/sender"
+	"github.com/xenolf/lego/log"
+)
+
+// Core ACME/LE core API.
+type Core struct {
+	doer         *sender.Doer
+	nonceManager *nonces.Manager
+	jws          *secure.JWS
+	directory    acme.Directory
+	HTTPClient   *http.Client
+
+	common         service // Reuse a single struct instead of allocating one for each service on the heap.
+	Accounts       *AccountService
+	Authorizations *AuthorizationService
+	Certificates   *CertificateService
+	Challenges     *ChallengeService
+	Orders         *OrderService
+}
+
+// New Creates a new Core.
+func New(httpClient *http.Client, userAgent string, caDirURL, kid string, privateKey crypto.PrivateKey) (*Core, error) {
+	doer := sender.NewDoer(httpClient, userAgent)
+
+	dir, err := getDirectory(doer, caDirURL)
+	if err != nil {
+		return nil, err
+	}
+
+	nonceManager := nonces.NewManager(doer, dir.NewNonceURL)
+
+	jws := secure.NewJWS(privateKey, kid, nonceManager)
+
+	c := &Core{doer: doer, nonceManager: nonceManager, jws: jws, directory: dir}
+
+	c.common.core = c
+	c.Accounts = (*AccountService)(&c.common)
+	c.Authorizations = (*AuthorizationService)(&c.common)
+	c.Certificates = (*CertificateService)(&c.common)
+	c.Challenges = (*ChallengeService)(&c.common)
+	c.Orders = (*OrderService)(&c.common)
+
+	return c, nil
+}
+
+// post performs an HTTP POST request and parses the response body as JSON,
+// into the provided respBody object.
+func (a *Core) post(uri string, reqBody, response interface{}) (*http.Response, error) {
+	content, err := json.Marshal(reqBody)
+	if err != nil {
+		return nil, errors.New("failed to marshal message")
+	}
+
+	return a.retrievablePost(uri, content, response, 0)
+}
+
+// postAsGet performs an HTTP POST ("POST-as-GET") request.
+// https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-6.3
+func (a *Core) postAsGet(uri string, response interface{}) (*http.Response, error) {
+	return a.retrievablePost(uri, []byte{}, response, 0)
+}
+
+func (a *Core) retrievablePost(uri string, content []byte, response interface{}, retry int) (*http.Response, error) {
+	resp, err := a.signedPost(uri, content, response)
+	if err != nil {
+		// during tests, 5 retries allow to support ~50% of bad nonce.
+		if retry >= 5 {
+			log.Infof("too many retry on a nonce error, retry count: %d", retry)
+			return resp, err
+		}
+		switch err.(type) {
+		// Retry once if the nonce was invalidated
+		case *acme.NonceError:
+			log.Infof("nonce error retry: %s", err)
+			resp, err = a.retrievablePost(uri, content, response, retry+1)
+			if err != nil {
+				return resp, err
+			}
+		default:
+			return resp, err
+		}
+	}
+
+	return resp, nil
+}
+
+func (a *Core) signedPost(uri string, content []byte, response interface{}) (*http.Response, error) {
+	signedContent, err := a.jws.SignContent(uri, content)
+	if err != nil {
+		return nil, fmt.Errorf("failed to post JWS message -> failed to sign content -> %v", err)
+	}
+
+	signedBody := bytes.NewBuffer([]byte(signedContent.FullSerialize()))
+
+	resp, err := a.doer.Post(uri, signedBody, "application/jose+json", response)
+
+	// nonceErr is ignored to keep the root error.
+	nonce, nonceErr := nonces.GetFromResponse(resp)
+	if nonceErr == nil {
+		a.nonceManager.Push(nonce)
+	}
+
+	return resp, err
+}
+
+func (a *Core) signEABContent(newAccountURL, kid string, hmac []byte) ([]byte, error) {
+	eabJWS, err := a.jws.SignEABContent(newAccountURL, kid, hmac)
+	if err != nil {
+		return nil, err
+	}
+
+	return []byte(eabJWS.FullSerialize()), nil
+}
+
+// GetKeyAuthorization Gets the key authorization
+func (a *Core) GetKeyAuthorization(token string) (string, error) {
+	return a.jws.GetKeyAuthorization(token)
+}
+
+func (a *Core) GetDirectory() acme.Directory {
+	return a.directory
+}
+
+func getDirectory(do *sender.Doer, caDirURL string) (acme.Directory, error) {
+	var dir acme.Directory
+	if _, err := do.Get(caDirURL, &dir); err != nil {
+		return dir, fmt.Errorf("get directory at '%s': %v", caDirURL, err)
+	}
+
+	if dir.NewAccountURL == "" {
+		return dir, errors.New("directory missing new registration URL")
+	}
+	if dir.NewOrderURL == "" {
+		return dir, errors.New("directory missing new order URL")
+	}
+
+	return dir, nil
+}

vendor/github.com/xenolf/lego/acme/api/authorization.go

@@ -0,0 +1,34 @@
+package api
+
+import (
+	"errors"
+
+	"github.com/xenolf/lego/acme"
+)
+
+type AuthorizationService service
+
+// Get Gets an authorization.
+func (c *AuthorizationService) Get(authzURL string) (acme.Authorization, error) {
+	if len(authzURL) == 0 {
+		return acme.Authorization{}, errors.New("authorization[get]: empty URL")
+	}
+
+	var authz acme.Authorization
+	_, err := c.core.postAsGet(authzURL, &authz)
+	if err != nil {
+		return acme.Authorization{}, err
+	}
+	return authz, nil
+}
+
+// Deactivate Deactivates an authorization.
+func (c *AuthorizationService) Deactivate(authzURL string) error {
+	if len(authzURL) == 0 {
+		return errors.New("authorization[deactivate]: empty URL")
+	}
+
+	var disabledAuth acme.Authorization
+	_, err := c.core.post(authzURL, acme.Authorization{Status: acme.StatusDeactivated}, &disabledAuth)
+	return err
+}

vendor/github.com/xenolf/lego/acme/api/certificate.go

@@ -0,0 +1,99 @@
+package api
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/certcrypto"
+	"github.com/xenolf/lego/log"
+)
+
+// maxBodySize is the maximum size of body that we will read.
+const maxBodySize = 1024 * 1024
+
+type CertificateService service
+
+// Get Returns the certificate and the issuer certificate.
+// 'bundle' is only applied if the issuer is provided by the 'up' link.
+func (c *CertificateService) Get(certURL string, bundle bool) ([]byte, []byte, error) {
+	cert, up, err := c.get(certURL)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Get issuerCert from bundled response from Let's Encrypt
+	// See https://community.letsencrypt.org/t/acme-v2-no-up-link-in-response/64962
+	_, issuer := pem.Decode(cert)
+	if issuer != nil {
+		return cert, issuer, nil
+	}
+
+	issuer, err = c.getIssuerFromLink(up)
+	if err != nil {
+		// If we fail to acquire the issuer cert, return the issued certificate - do not fail.
+		log.Warnf("acme: Could not bundle issuer certificate [%s]: %v", certURL, err)
+	} else if len(issuer) > 0 {
+		// If bundle is true, we want to return a certificate bundle.
+		// To do this, we append the issuer cert to the issued cert.
+		if bundle {
+			cert = append(cert, issuer...)
+		}
+	}
+
+	return cert, issuer, nil
+}
+
+// Revoke Revokes a certificate.
+func (c *CertificateService) Revoke(req acme.RevokeCertMessage) error {
+	_, err := c.core.post(c.core.GetDirectory().RevokeCertURL, req, nil)
+	return err
+}
+
+// get Returns the certificate and the "up" link.
+func (c *CertificateService) get(certURL string) ([]byte, string, error) {
+	if len(certURL) == 0 {
+		return nil, "", errors.New("certificate[get]: empty URL")
+	}
+
+	resp, err := c.core.postAsGet(certURL, nil)
+	if err != nil {
+		return nil, "", err
+	}
+
+	cert, err := ioutil.ReadAll(http.MaxBytesReader(nil, resp.Body, maxBodySize))
+	if err != nil {
+		return nil, "", err
+	}
+
+	// The issuer certificate link may be supplied via an "up" link
+	// in the response headers of a new certificate.
+	// See https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4.2
+	up := getLink(resp.Header, "up")
+
+	return cert, up, err
+}
+
+// getIssuerFromLink requests the issuer certificate
+func (c *CertificateService) getIssuerFromLink(up string) ([]byte, error) {
+	if len(up) == 0 {
+		return nil, nil
+	}
+
+	log.Infof("acme: Requesting issuer cert from %s", up)
+
+	cert, _, err := c.get(up)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = x509.ParseCertificate(cert)
+	if err != nil {
+		return nil, err
+	}
+
+	return certcrypto.PEMEncode(certcrypto.DERCertificateBytes(cert)), nil
+}

vendor/github.com/xenolf/lego/acme/api/challenge.go

@@ -0,0 +1,45 @@
+package api
+
+import (
+	"errors"
+
+	"github.com/xenolf/lego/acme"
+)
+
+type ChallengeService service
+
+// New Creates a challenge.
+func (c *ChallengeService) New(chlgURL string) (acme.ExtendedChallenge, error) {
+	if len(chlgURL) == 0 {
+		return acme.ExtendedChallenge{}, errors.New("challenge[new]: empty URL")
+	}
+
+	// Challenge initiation is done by sending a JWS payload containing the trivial JSON object `{}`.
+	// We use an empty struct instance as the postJSON payload here to achieve this result.
+	var chlng acme.ExtendedChallenge
+	resp, err := c.core.post(chlgURL, struct{}{}, &chlng)
+	if err != nil {
+		return acme.ExtendedChallenge{}, err
+	}
+
+	chlng.AuthorizationURL = getLink(resp.Header, "up")
+	chlng.RetryAfter = getRetryAfter(resp)
+	return chlng, nil
+}
+
+// Get Gets a challenge.
+func (c *ChallengeService) Get(chlgURL string) (acme.ExtendedChallenge, error) {
+	if len(chlgURL) == 0 {
+		return acme.ExtendedChallenge{}, errors.New("challenge[get]: empty URL")
+	}
+
+	var chlng acme.ExtendedChallenge
+	resp, err := c.core.postAsGet(chlgURL, &chlng)
+	if err != nil {
+		return acme.ExtendedChallenge{}, err
+	}
+
+	chlng.AuthorizationURL = getLink(resp.Header, "up")
+	chlng.RetryAfter = getRetryAfter(resp)
+	return chlng, nil
+}

vendor/github.com/xenolf/lego/acme/api/internal/nonces/nonce_manager.go

@@ -0,0 +1,78 @@
+package nonces
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"sync"
+
+	"github.com/xenolf/lego/acme/api/internal/sender"
+)
+
+// Manager Manages nonces.
+type Manager struct {
+	do       *sender.Doer
+	nonceURL string
+	nonces   []string
+	sync.Mutex
+}
+
+// NewManager Creates a new Manager.
+func NewManager(do *sender.Doer, nonceURL string) *Manager {
+	return &Manager{
+		do:       do,
+		nonceURL: nonceURL,
+	}
+}
+
+// Pop Pops a nonce.
+func (n *Manager) Pop() (string, bool) {
+	n.Lock()
+	defer n.Unlock()
+
+	if len(n.nonces) == 0 {
+		return "", false
+	}
+
+	nonce := n.nonces[len(n.nonces)-1]
+	n.nonces = n.nonces[:len(n.nonces)-1]
+	return nonce, true
+}
+
+// Push Pushes a nonce.
+func (n *Manager) Push(nonce string) {
+	n.Lock()
+	defer n.Unlock()
+	n.nonces = append(n.nonces, nonce)
+}
+
+// Nonce implement jose.NonceSource
+func (n *Manager) Nonce() (string, error) {
+	if nonce, ok := n.Pop(); ok {
+		return nonce, nil
+	}
+	return n.getNonce()
+}
+
+func (n *Manager) getNonce() (string, error) {
+	resp, err := n.do.Head(n.nonceURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to get nonce from HTTP HEAD -> %v", err)
+	}
+
+	return GetFromResponse(resp)
+}
+
+// GetFromResponse Extracts a nonce from a HTTP response.
+func GetFromResponse(resp *http.Response) (string, error) {
+	if resp == nil {
+		return "", errors.New("nil response")
+	}
+
+	nonce := resp.Header.Get("Replay-Nonce")
+	if nonce == "" {
+		return "", fmt.Errorf("server did not respond with a proper nonce header")
+	}
+
+	return nonce, nil
+}

vendor/github.com/xenolf/lego/acme/api/internal/secure/jws.go

@@ -0,0 +1,134 @@
+package secure
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/xenolf/lego/acme/api/internal/nonces"
+	"gopkg.in/square/go-jose.v2"
+)
+
+// JWS Represents a JWS.
+type JWS struct {
+	privKey crypto.PrivateKey
+	kid     string // Key identifier
+	nonces  *nonces.Manager
+}
+
+// NewJWS Create a new JWS.
+func NewJWS(privateKey crypto.PrivateKey, kid string, nonceManager *nonces.Manager) *JWS {
+	return &JWS{
+		privKey: privateKey,
+		nonces:  nonceManager,
+		kid:     kid,
+	}
+}
+
+// SetKid Sets a key identifier.
+func (j *JWS) SetKid(kid string) {
+	j.kid = kid
+}
+
+// SignContent Signs a content with the JWS.
+func (j *JWS) SignContent(url string, content []byte) (*jose.JSONWebSignature, error) {
+	var alg jose.SignatureAlgorithm
+	switch k := j.privKey.(type) {
+	case *rsa.PrivateKey:
+		alg = jose.RS256
+	case *ecdsa.PrivateKey:
+		if k.Curve == elliptic.P256() {
+			alg = jose.ES256
+		} else if k.Curve == elliptic.P384() {
+			alg = jose.ES384
+		}
+	}
+
+	signKey := jose.SigningKey{
+		Algorithm: alg,
+		Key:       jose.JSONWebKey{Key: j.privKey, KeyID: j.kid},
+	}
+
+	options := jose.SignerOptions{
+		NonceSource: j.nonces,
+		ExtraHeaders: map[jose.HeaderKey]interface{}{
+			"url": url,
+		},
+	}
+
+	if j.kid == "" {
+		options.EmbedJWK = true
+	}
+
+	signer, err := jose.NewSigner(signKey, &options)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create jose signer -> %v", err)
+	}
+
+	signed, err := signer.Sign(content)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign content -> %v", err)
+	}
+	return signed, nil
+}
+
+// SignEABContent Signs an external account binding content with the JWS.
+func (j *JWS) SignEABContent(url, kid string, hmac []byte) (*jose.JSONWebSignature, error) {
+	jwk := jose.JSONWebKey{Key: j.privKey}
+	jwkJSON, err := jwk.Public().MarshalJSON()
+	if err != nil {
+		return nil, fmt.Errorf("acme: error encoding eab jwk key: %v", err)
+	}
+
+	signer, err := jose.NewSigner(
+		jose.SigningKey{Algorithm: jose.HS256, Key: hmac},
+		&jose.SignerOptions{
+			EmbedJWK: false,
+			ExtraHeaders: map[jose.HeaderKey]interface{}{
+				"kid": kid,
+				"url": url,
+			},
+		},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create External Account Binding jose signer -> %v", err)
+	}
+
+	signed, err := signer.Sign(jwkJSON)
+	if err != nil {
+		return nil, fmt.Errorf("failed to External Account Binding sign content -> %v", err)
+	}
+
+	return signed, nil
+}
+
+// GetKeyAuthorization Gets the key authorization for a token.
+func (j *JWS) GetKeyAuthorization(token string) (string, error) {
+	var publicKey crypto.PublicKey
+	switch k := j.privKey.(type) {
+	case *ecdsa.PrivateKey:
+		publicKey = k.Public()
+	case *rsa.PrivateKey:
+		publicKey = k.Public()
+	}
+
+	// Generate the Key Authorization for the challenge
+	jwk := &jose.JSONWebKey{Key: publicKey}
+	if jwk == nil {
+		return "", errors.New("could not generate JWK from key")
+	}
+
+	thumbBytes, err := jwk.Thumbprint(crypto.SHA256)
+	if err != nil {
+		return "", err
+	}
+
+	// unpad the base64URL
+	keyThumb := base64.RawURLEncoding.EncodeToString(thumbBytes)
+
+	return token + "." + keyThumb, nil
+}

vendor/github.com/xenolf/lego/acme/api/internal/sender/sender.go

@@ -0,0 +1,146 @@
+package sender
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"runtime"
+	"strings"
+
+	"github.com/xenolf/lego/acme"
+)
+
+type RequestOption func(*http.Request) error
+
+func contentType(ct string) RequestOption {
+	return func(req *http.Request) error {
+		req.Header.Set("Content-Type", ct)
+		return nil
+	}
+}
+
+type Doer struct {
+	httpClient *http.Client
+	userAgent  string
+}
+
+// NewDoer Creates a new Doer.
+func NewDoer(client *http.Client, userAgent string) *Doer {
+	return &Doer{
+		httpClient: client,
+		userAgent:  userAgent,
+	}
+}
+
+// Get performs a GET request with a proper User-Agent string.
+// If "response" is not provided, callers should close resp.Body when done reading from it.
+func (d *Doer) Get(url string, response interface{}) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, response)
+}
+
+// Head performs a HEAD request with a proper User-Agent string.
+// The response body (resp.Body) is already closed when this function returns.
+func (d *Doer) Head(url string) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodHead, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, nil)
+}
+
+// Post performs a POST request with a proper User-Agent string.
+// If "response" is not provided, callers should close resp.Body when done reading from it.
+func (d *Doer) Post(url string, body io.Reader, bodyType string, response interface{}) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodPost, url, body, contentType(bodyType))
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, response)
+}
+
+func (d *Doer) newRequest(method, uri string, body io.Reader, opts ...RequestOption) (*http.Request, error) {
+	req, err := http.NewRequest(method, uri, body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %v", err)
+	}
+
+	req.Header.Set("User-Agent", d.formatUserAgent())
+
+	for _, opt := range opts {
+		err = opt(req)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create request: %v", err)
+		}
+	}
+
+	return req, nil
+}
+
+func (d *Doer) do(req *http.Request, response interface{}) (*http.Response, error) {
+	resp, err := d.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = checkError(req, resp); err != nil {
+		return resp, err
+	}
+
+	if response != nil {
+		raw, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return resp, err
+		}
+
+		defer resp.Body.Close()
+
+		err = json.Unmarshal(raw, response)
+		if err != nil {
+			return resp, fmt.Errorf("failed to unmarshal %q to type %T: %v", raw, response, err)
+		}
+	}
+
+	return resp, nil
+}
+
+// formatUserAgent builds and returns the User-Agent string to use in requests.
+func (d *Doer) formatUserAgent() string {
+	ua := fmt.Sprintf("%s %s (%s; %s; %s)", d.userAgent, ourUserAgent, ourUserAgentComment, runtime.GOOS, runtime.GOARCH)
+	return strings.TrimSpace(ua)
+}
+
+func checkError(req *http.Request, resp *http.Response) error {
+	if resp.StatusCode >= http.StatusBadRequest {
+
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return fmt.Errorf("%d :: %s :: %s :: %v", resp.StatusCode, req.Method, req.URL, err)
+		}
+
+		var errorDetails *acme.ProblemDetails
+		err = json.Unmarshal(body, &errorDetails)
+		if err != nil {
+			return fmt.Errorf("%d ::%s :: %s :: %v :: %s", resp.StatusCode, req.Method, req.URL, err, string(body))
+		}
+
+		errorDetails.Method = req.Method
+		errorDetails.URL = req.URL.String()
+
+		// Check for errors we handle specifically
+		if errorDetails.HTTPStatus == http.StatusBadRequest && errorDetails.Type == acme.BadNonceErr {
+			return &acme.NonceError{ProblemDetails: errorDetails}
+		}
+
+		return errorDetails
+	}
+	return nil
+}

vendor/github.com/xenolf/lego/acme/api/internal/sender/useragent.go

@@ -0,0 +1,14 @@
+package sender
+
+// CODE GENERATED AUTOMATICALLY
+// THIS FILE MUST NOT BE EDITED BY HAND
+
+const (
+	// ourUserAgent is the User-Agent of this underlying library package.
+	ourUserAgent = "xenolf-acme/1.2.1"
+
+	// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
+	// values: detach|release
+	// NOTE: Update this with each tagged release.
+	ourUserAgentComment = "detach"
+)

vendor/github.com/xenolf/lego/acme/api/order.go

@@ -0,0 +1,65 @@
+package api
+
+import (
+	"encoding/base64"
+	"errors"
+
+	"github.com/xenolf/lego/acme"
+)
+
+type OrderService service
+
+// New Creates a new order.
+func (o *OrderService) New(domains []string) (acme.ExtendedOrder, error) {
+	var identifiers []acme.Identifier
+	for _, domain := range domains {
+		identifiers = append(identifiers, acme.Identifier{Type: "dns", Value: domain})
+	}
+
+	orderReq := acme.Order{Identifiers: identifiers}
+
+	var order acme.Order
+	resp, err := o.core.post(o.core.GetDirectory().NewOrderURL, orderReq, &order)
+	if err != nil {
+		return acme.ExtendedOrder{}, err
+	}
+
+	return acme.ExtendedOrder{
+		Location: resp.Header.Get("Location"),
+		Order:    order,
+	}, nil
+}
+
+// Get Gets an order.
+func (o *OrderService) Get(orderURL string) (acme.Order, error) {
+	if len(orderURL) == 0 {
+		return acme.Order{}, errors.New("order[get]: empty URL")
+	}
+
+	var order acme.Order
+	_, err := o.core.postAsGet(orderURL, &order)
+	if err != nil {
+		return acme.Order{}, err
+	}
+
+	return order, nil
+}
+
+// UpdateForCSR Updates an order for a CSR.
+func (o *OrderService) UpdateForCSR(orderURL string, csr []byte) (acme.Order, error) {
+	csrMsg := acme.CSRMessage{
+		Csr: base64.RawURLEncoding.EncodeToString(csr),
+	}
+
+	var order acme.Order
+	_, err := o.core.post(orderURL, csrMsg, &order)
+	if err != nil {
+		return acme.Order{}, err
+	}
+
+	if order.Status == acme.StatusInvalid {
+		return acme.Order{}, order.Error
+	}
+
+	return order, nil
+}

vendor/github.com/xenolf/lego/acme/api/service.go

@@ -0,0 +1,45 @@
+package api
+
+import (
+	"net/http"
+	"regexp"
+)
+
+type service struct {
+	core *Core
+}
+
+// getLink get a rel into the Link header
+func getLink(header http.Header, rel string) string {
+	var linkExpr = regexp.MustCompile(`<(.+?)>;\s*rel="(.+?)"`)
+
+	for _, link := range header["Link"] {
+		for _, m := range linkExpr.FindAllStringSubmatch(link, -1) {
+			if len(m) != 3 {
+				continue
+			}
+			if m[2] == rel {
+				return m[1]
+			}
+		}
+	}
+	return ""
+}
+
+// getLocation get the value of the header Location
+func getLocation(resp *http.Response) string {
+	if resp == nil {
+		return ""
+	}
+
+	return resp.Header.Get("Location")
+}
+
+// getRetryAfter get the value of the header Retry-After
+func getRetryAfter(resp *http.Response) string {
+	if resp == nil {
+		return ""
+	}
+
+	return resp.Header.Get("Retry-After")
+}