wire_e2e_identity/acquisition/
oidc_challenge.rs

1use rusty_jwt_tools::{jwk_thumbprint::JwkThumbprint, prelude::Pem};
2use x509_cert::Certificate;
3
4use super::{Result, X509CredentialAcquisition, states};
5use crate::{
6    acme::{RustyAcme, RustyAcmeError},
7    pki_env::hooks::{HttpHeader, HttpMethod},
8};
9
10impl X509CredentialAcquisition<states::DpopChallengeCompleted> {
11    /// Complete the OIDC challenge and get the certificate chain.
12    ///
13    /// Returns (signing keypair in PEM format, certificate chain).
14    /// The first certificate in the chain is the end-entity certificate,
15    /// i.e. the one certifying the public portion of the signing keypair.
16    pub async fn complete_oidc_challenge(self) -> Result<(Pem, Vec<Certificate>)> {
17        let hooks = self.pki_env.hooks();
18
19        // Complete the OIDC challenge.
20        let oidc_challenge_token = &self.data.oidc_challenge.token;
21        let thumbprint = JwkThumbprint::generate(&self.acme_jwk, self.config.hash_alg)?.kid;
22        let key_auth = format!("{oidc_challenge_token}.{thumbprint}");
23
24        let url = &self.data.oidc_challenge.url;
25        let id_token = hooks
26            .authenticate(self.config.idp_url.clone(), key_auth, url.to_string())
27            .await?;
28
29        let oidc_challenge_request = RustyAcme::oidc_chall_request(
30            id_token,
31            &self.data.oidc_challenge,
32            &self.data.acme_account,
33            self.config.sign_alg,
34            &self.acme_kp,
35            self.data.nonce.clone(),
36        )?;
37        let (nonce, response) = self.acme_request(url, &oidc_challenge_request).await?;
38        let _ = RustyAcme::new_chall_response(response)?;
39
40        // Finalize the order. This generates a CSR (Certificate Signing Request) and
41        // sends it to the ACME server.
42        let finalize_request = RustyAcme::finalize_req(
43            &self.data.order,
44            &self.data.acme_account,
45            self.config.sign_alg,
46            &self.acme_kp,
47            &self.sign_kp,
48            nonce,
49        )?;
50        let (nonce, response) = self.acme_request(&self.data.order.finalize, &finalize_request).await?;
51        let finalize = RustyAcme::finalize_response(response)?;
52
53        // Get the certificate chain.
54        //
55        // See [RFC 8555 Section 7.4.2](https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2).
56        let certificate_request = RustyAcme::certificate_req(
57            &finalize,
58            &self.data.acme_account,
59            self.config.sign_alg,
60            &self.acme_kp,
61            nonce,
62        )?;
63        let headers = vec![HttpHeader {
64            name: "content-type".into(),
65            value: "application/jose+json".into(),
66        }];
67        let body = serde_json::to_string(&certificate_request)?.into();
68        let response = hooks
69            .http_request(HttpMethod::Post, finalize.certificate.to_string(), headers, body)
70            .await?;
71        let response = String::from_utf8(response.body).map_err(|e| RustyAcmeError::from(e.utf8_error()))?;
72        let certificates = RustyAcme::certificate_response(response, self.data.order)?;
73
74        super::checks::verify_cert_chain(&self.config, &self.pki_env, &certificates).await?;
75
76        Ok((self.sign_kp, certificates))
77    }
78}