niki/vendor/golang.org/x/crypto/acme/acme.go

// Copyright 2015 The Go Authors. All rights reserved.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Package acme provides an implementation of the

// Automatic Certificate Management Environment (ACME) spec,

// most famously used by Let's Encrypt.

//

// The initial implementation of this package was based on an early version

// of the spec. The current implementation supports only the modern

// RFC 8555 but some of the old API surface remains for compatibility.

// While code using the old API will still compile, it will return an error.

// Note the deprecation comments to update your code.

//

// See https://tools.ietf.org/html/rfc8555 for the spec.

//

// Most common scenarios will want to use autocert subdirectory instead,

// which provides automatic access to certificates from Let's Encrypt

// and any other ACME-based CA.

package acme

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"sync"
	"time"
)

const (

	// LetsEncryptURL is the Directory endpoint of Let's Encrypt CA.

	LetsEncryptURL = "https://acme-v02.api.letsencrypt.org/directory"

	// ALPNProto is the ALPN protocol name used by a CA server when validating

	// tls-alpn-01 challenges.

	//

	// Package users must ensure their servers can negotiate the ACME ALPN in

	// order for tls-alpn-01 challenge verifications to succeed.

	// See the crypto/tls package's Config.NextProtos field.

	ALPNProto = "acme-tls/1"
)

// idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge.

// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1

var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

const (
	maxChainLen = 5 // max depth and breadth of a certificate chain

	maxCertSize = 1 << 20 // max size of a certificate, in DER bytes

	// Used for decoding certs from application/pem-certificate-chain response,

	// the default when in RFC mode.

	maxCertChainSize = maxCertSize * maxChainLen

	// Max number of collected nonces kept in memory.

	// Expect usual peak of 1 or 2.

	maxNonces = 100
)

// Client is an ACME client.

//

// The only required field is Key. An example of creating a client with a new key

// is as follows:

//

//	key, err := rsa.GenerateKey(rand.Reader, 2048)

//	if err != nil {

//		log.Fatal(err)

//	}

//	client := &Client{Key: key}

type Client struct {

	// Key is the account key used to register with a CA and sign requests.

	// Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey.

	//

	// The following algorithms are supported:

	// RS256, ES256, ES384 and ES512.

	// See RFC 7518 for more details about the algorithms.

	Key crypto.Signer

	// HTTPClient optionally specifies an HTTP client to use

	// instead of http.DefaultClient.

	HTTPClient *http.Client

	// DirectoryURL points to the CA directory endpoint.

	// If empty, LetsEncryptURL is used.

	// Mutating this value after a successful call of Client's Discover method

	// will have no effect.

	DirectoryURL string

	// RetryBackoff computes the duration after which the nth retry of a failed request

	// should occur. The value of n for the first call on failure is 1.

	// The values of r and resp are the request and response of the last failed attempt.

	// If the returned value is negative or zero, no more retries are done and an error

	// is returned to the caller of the original method.

	//

	// Requests which result in a 4xx client error are not retried,

	// except for 400 Bad Request due to "bad nonce" errors and 429 Too Many Requests.

	//

	// If RetryBackoff is nil, a truncated exponential backoff algorithm

	// with the ceiling of 10 seconds is used, where each subsequent retry n

	// is done after either ("Retry-After" + jitter) or (2^n seconds + jitter),

	// preferring the former if "Retry-After" header is found in the resp.

	// The jitter is a random value up to 1 second.

	RetryBackoff func(n int, r *http.Request, resp *http.Response) time.Duration

	// UserAgent is prepended to the User-Agent header sent to the ACME server,

	// which by default is this package's name and version.

	//

	// Reusable libraries and tools in particular should set this value to be

	// identifiable by the server, in case they are causing issues.

	UserAgent string

	cacheMu sync.Mutex

	dir *Directory // cached result of Client's Discover method

	// KID is the key identifier provided by the CA. If not provided it will be

	// retrieved from the CA by making a call to the registration endpoint.

	KID KeyID

	noncesMu sync.Mutex

	nonces map[string]struct{} // nonces collected from previous responses

}

// accountKID returns a key ID associated with c.Key, the account identity

// provided by the CA during RFC based registration.

// It assumes c.Discover has already been called.

//

// accountKID requires at most one network roundtrip.

// It caches only successful result.

//

// When in pre-RFC mode or when c.getRegRFC responds with an error, accountKID

// returns noKeyID.

func (c *Client) accountKID(ctx context.Context) KeyID {

	c.cacheMu.Lock()

	defer c.cacheMu.Unlock()

	if c.KID != noKeyID {

		return c.KID

	}

	a, err := c.getRegRFC(ctx)

	if err != nil {

		return noKeyID

	}

	c.KID = KeyID(a.URI)

	return c.KID

}

var errPreRFC = errors.New("acme: server does not support the RFC 8555 version of ACME")

// Discover performs ACME server discovery using c.DirectoryURL.

//

// It caches successful result. So, subsequent calls will not result in

// a network round-trip. This also means mutating c.DirectoryURL after successful call

// of this method will have no effect.

func (c *Client) Discover(ctx context.Context) (Directory, error) {

	c.cacheMu.Lock()

	defer c.cacheMu.Unlock()

	if c.dir != nil {

		return *c.dir, nil

	}

	res, err := c.get(ctx, c.directoryURL(), wantStatus(http.StatusOK))

	if err != nil {

		return Directory{}, err

	}

	defer res.Body.Close()

	c.addNonce(res.Header)

	var v struct {
		Reg string `json:"newAccount"`

		Authz string `json:"newAuthz"`

		Order string `json:"newOrder"`

		Revoke string `json:"revokeCert"`

		Nonce string `json:"newNonce"`

		KeyChange string `json:"keyChange"`

		Meta struct {
			Terms string `json:"termsOfService"`

			Website string `json:"website"`

			CAA []string `json:"caaIdentities"`

			ExternalAcct bool `json:"externalAccountRequired"`
		}
	}

	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {

		return Directory{}, err

	}

	if v.Order == "" {

		return Directory{}, errPreRFC

	}

	c.dir = &Directory{

		RegURL: v.Reg,

		AuthzURL: v.Authz,

		OrderURL: v.Order,

		RevokeURL: v.Revoke,

		NonceURL: v.Nonce,

		KeyChangeURL: v.KeyChange,

		Terms: v.Meta.Terms,

		Website: v.Meta.Website,

		CAA: v.Meta.CAA,

		ExternalAccountRequired: v.Meta.ExternalAcct,
	}

	return *c.dir, nil

}

func (c *Client) directoryURL() string {

	if c.DirectoryURL != "" {

		return c.DirectoryURL

	}

	return LetsEncryptURL

}

// CreateCert was part of the old version of ACME. It is incompatible with RFC 8555.

//

// Deprecated: this was for the pre-RFC 8555 version of ACME. Callers should use CreateOrderCert.

func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, bundle bool) (der [][]byte, certURL string, err error) {

	return nil, "", errPreRFC

}

// FetchCert retrieves already issued certificate from the given url, in DER format.

// It retries the request until the certificate is successfully retrieved,

// context is cancelled by the caller or an error response is received.

//

// If the bundle argument is true, the returned value also contains the CA (issuer)

// certificate chain.

//

// FetchCert returns an error if the CA's response or chain was unreasonably large.

// Callers are encouraged to parse the returned value to ensure the certificate is valid

// and has expected features.

func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	return c.fetchCertRFC(ctx, url, bundle)

}

// RevokeCert revokes a previously issued certificate cert, provided in DER format.

//

// The key argument, used to sign the request, must be authorized

// to revoke the certificate. It's up to the CA to decide which keys are authorized.

// For instance, the key pair of the certificate may be authorized.

// If the key is nil, c.Key is used instead.

func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error {

	if _, err := c.Discover(ctx); err != nil {

		return err

	}

	return c.revokeCertRFC(ctx, key, cert, reason)

}

// AcceptTOS always returns true to indicate the acceptance of a CA's Terms of Service

// during account registration. See Register method of Client for more details.

func AcceptTOS(tosURL string) bool { return true }

// Register creates a new account with the CA using c.Key.

// It returns the registered account. The account acct is not modified.

//

// The registration may require the caller to agree to the CA's Terms of Service (TOS).

// If so, and the account has not indicated the acceptance of the terms (see Account for details),

// Register calls prompt with a TOS URL provided by the CA. Prompt should report

// whether the caller agrees to the terms. To always accept the terms, the caller can use AcceptTOS.

//

// When interfacing with an RFC-compliant CA, non-RFC 8555 fields of acct are ignored

// and prompt is called if Directory's Terms field is non-zero.

// Also see Error's Instance field for when a CA requires already registered accounts to agree

// to an updated Terms of Service.

func (c *Client) Register(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) {

	if c.Key == nil {

		return nil, errors.New("acme: client.Key must be set to Register")

	}

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	return c.registerRFC(ctx, acct, prompt)

}

// GetReg retrieves an existing account associated with c.Key.

//

// The url argument is a legacy artifact of the pre-RFC 8555 API

// and is ignored.

func (c *Client) GetReg(ctx context.Context, url string) (*Account, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	return c.getRegRFC(ctx)

}

// UpdateReg updates an existing registration.

// It returns an updated account copy. The provided account is not modified.

//

// The account's URI is ignored and the account URL associated with

// c.Key is used instead.

func (c *Client) UpdateReg(ctx context.Context, acct *Account) (*Account, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	return c.updateRegRFC(ctx, acct)

}

// AccountKeyRollover attempts to transition a client's account key to a new key.

// On success client's Key is updated which is not concurrency safe.

// On failure an error will be returned.

// The new key is already registered with the ACME provider if the following is true:

//   - error is of type acme.Error

//   - StatusCode should be 409 (Conflict)

//   - Location header will have the KID of the associated account

//

// More about account key rollover can be found at

// https://tools.ietf.org/html/rfc8555#section-7.3.5.

func (c *Client) AccountKeyRollover(ctx context.Context, newKey crypto.Signer) error {

	return c.accountKeyRollover(ctx, newKey)

}

// Authorize performs the initial step in the pre-authorization flow,

// as opposed to order-based flow.

// The caller will then need to choose from and perform a set of returned

// challenges using c.Accept in order to successfully complete authorization.

//

// Once complete, the caller can use AuthorizeOrder which the CA

// should provision with the already satisfied authorization.

// For pre-RFC CAs, the caller can proceed directly to requesting a certificate

// using CreateCert method.

//

// If an authorization has been previously granted, the CA may return

// a valid authorization which has its Status field set to StatusValid.

//

// More about pre-authorization can be found at

// https://tools.ietf.org/html/rfc8555#section-7.4.1.

func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) {

	return c.authorize(ctx, "dns", domain)

}

// AuthorizeIP is the same as Authorize but requests IP address authorization.

// Clients which successfully obtain such authorization may request to issue

// a certificate for IP addresses.

//

// See the ACME spec extension for more details about IP address identifiers:

// https://tools.ietf.org/html/draft-ietf-acme-ip.

func (c *Client) AuthorizeIP(ctx context.Context, ipaddr string) (*Authorization, error) {

	return c.authorize(ctx, "ip", ipaddr)

}

func (c *Client) authorize(ctx context.Context, typ, val string) (*Authorization, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	type authzID struct {
		Type string `json:"type"`

		Value string `json:"value"`
	}

	req := struct {
		Resource string `json:"resource"`

		Identifier authzID `json:"identifier"`
	}{

		Resource: "new-authz",

		Identifier: authzID{Type: typ, Value: val},
	}

	res, err := c.post(ctx, nil, c.dir.AuthzURL, req, wantStatus(http.StatusCreated))

	if err != nil {

		return nil, err

	}

	defer res.Body.Close()

	var v wireAuthz

	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {

		return nil, fmt.Errorf("acme: invalid response: %v", err)

	}

	if v.Status != StatusPending && v.Status != StatusValid {

		return nil, fmt.Errorf("acme: unexpected status: %s", v.Status)

	}

	return v.authorization(res.Header.Get("Location")), nil

}

// GetAuthorization retrieves an authorization identified by the given URL.

//

// If a caller needs to poll an authorization until its status is final,

// see the WaitAuthorization method.

func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))

	if err != nil {

		return nil, err

	}

	defer res.Body.Close()

	var v wireAuthz

	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {

		return nil, fmt.Errorf("acme: invalid response: %v", err)

	}

	return v.authorization(url), nil

}

// RevokeAuthorization relinquishes an existing authorization identified

// by the given URL.

// The url argument is an Authorization.URI value.

//

// If successful, the caller will be required to obtain a new authorization

// using the Authorize or AuthorizeOrder methods before being able to request

// a new certificate for the domain associated with the authorization.

//

// It does not revoke existing certificates.

func (c *Client) RevokeAuthorization(ctx context.Context, url string) error {

	if _, err := c.Discover(ctx); err != nil {

		return err

	}

	req := struct {
		Resource string `json:"resource"`

		Status string `json:"status"`

		Delete bool `json:"delete"`
	}{

		Resource: "authz",

		Status: "deactivated",

		Delete: true,
	}

	res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))

	if err != nil {

		return err

	}

	defer res.Body.Close()

	return nil

}

// WaitAuthorization polls an authorization at the given URL

// until it is in one of the final states, StatusValid or StatusInvalid,

// the ACME CA responded with a 4xx error code, or the context is done.

//

// It returns a non-nil Authorization only if its Status is StatusValid.

// In all other cases WaitAuthorization returns an error.

// If the Status is StatusInvalid, the returned error is of type *AuthorizationError.

func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	for {

		res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted))

		if err != nil {

			return nil, err

		}

		var raw wireAuthz

		err = json.NewDecoder(res.Body).Decode(&raw)

		res.Body.Close()

		switch {

		case err != nil:

			// Skip and retry.

		case raw.Status == StatusValid:

			return raw.authorization(url), nil

		case raw.Status == StatusInvalid:

			return nil, raw.error(url)

		}

		// Exponential backoff is implemented in c.get above.

		// This is just to prevent continuously hitting the CA

		// while waiting for a final authorization status.

		d := retryAfter(res.Header.Get("Retry-After"))

		if d == 0 {

			// Given that the fastest challenges TLS-SNI and HTTP-01

			// require a CA to make at least 1 network round trip

			// and most likely persist a challenge state,

			// this default delay seems reasonable.

			d = time.Second

		}

		t := time.NewTimer(d)

		select {

		case <-ctx.Done():

			t.Stop()

			return nil, ctx.Err()

		case <-t.C:

			// Retry.

		}

	}

}

// GetChallenge retrieves the current status of an challenge.

//

// A client typically polls a challenge status using this method.

func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted))

	if err != nil {

		return nil, err

	}

	defer res.Body.Close()

	v := wireChallenge{URI: url}

	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {

		return nil, fmt.Errorf("acme: invalid response: %v", err)

	}

	return v.challenge(), nil

}

// Accept informs the server that the client accepts one of its challenges

// previously obtained with c.Authorize.

//

// The server will then perform the validation asynchronously.

func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error) {

	if _, err := c.Discover(ctx); err != nil {

		return nil, err

	}

	res, err := c.post(ctx, nil, chal.URI, json.RawMessage("{}"), wantStatus(

		http.StatusOK, // according to the spec

		http.StatusAccepted, // Let's Encrypt: see https://goo.gl/WsJ7VT (acme-divergences.md)

	))

	if err != nil {

		return nil, err

	}

	defer res.Body.Close()

	var v wireChallenge

	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {

		return nil, fmt.Errorf("acme: invalid response: %v", err)

	}

	return v.challenge(), nil

}

// DNS01ChallengeRecord returns a DNS record value for a dns-01 challenge response.

// A TXT record containing the returned value must be provisioned under

// "_acme-challenge" name of the domain being validated.

//

// The token argument is a Challenge.Token value.

func (c *Client) DNS01ChallengeRecord(token string) (string, error) {

	ka, err := keyAuth(c.Key.Public(), token)

	if err != nil {

		return "", err

	}

	b := sha256.Sum256([]byte(ka))

	return base64.RawURLEncoding.EncodeToString(b[:]), nil

}

// HTTP01ChallengeResponse returns the response for an http-01 challenge.

// Servers should respond with the value to HTTP requests at the URL path

// provided by HTTP01ChallengePath to validate the challenge and prove control

// over a domain name.

//

// The token argument is a Challenge.Token value.

func (c *Client) HTTP01ChallengeResponse(token string) (string, error) {

	return keyAuth(c.Key.Public(), token)

}

// HTTP01ChallengePath returns the URL path at which the response for an http-01 challenge

// should be provided by the servers.

// The response value can be obtained with HTTP01ChallengeResponse.

//

// The token argument is a Challenge.Token value.

func (c *Client) HTTP01ChallengePath(token string) string {

	return "/.well-known/acme-challenge/" + token

}

// TLSSNI01ChallengeCert creates a certificate for TLS-SNI-01 challenge response.

//

// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec.

func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {

	ka, err := keyAuth(c.Key.Public(), token)

	if err != nil {

		return tls.Certificate{}, "", err

	}

	b := sha256.Sum256([]byte(ka))

	h := hex.EncodeToString(b[:])

	name = fmt.Sprintf("%s.%s.acme.invalid", h[:32], h[32:])

	cert, err = tlsChallengeCert([]string{name}, opt)

	if err != nil {

		return tls.Certificate{}, "", err

	}

	return cert, name, nil

}

// TLSSNI02ChallengeCert creates a certificate for TLS-SNI-02 challenge response.

//

// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec.

func (c *Client) TLSSNI02ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {

	b := sha256.Sum256([]byte(token))

	h := hex.EncodeToString(b[:])

	sanA := fmt.Sprintf("%s.%s.token.acme.invalid", h[:32], h[32:])

	ka, err := keyAuth(c.Key.Public(), token)

	if err != nil {

		return tls.Certificate{}, "", err

	}

	b = sha256.Sum256([]byte(ka))

	h = hex.EncodeToString(b[:])

	sanB := fmt.Sprintf("%s.%s.ka.acme.invalid", h[:32], h[32:])

	cert, err = tlsChallengeCert([]string{sanA, sanB}, opt)

	if err != nil {

		return tls.Certificate{}, "", err

	}

	return cert, sanA, nil

}

// TLSALPN01ChallengeCert creates a certificate for TLS-ALPN-01 challenge response.

// Servers can present the certificate to validate the challenge and prove control

// over a domain name. For more details on TLS-ALPN-01 see

// https://tools.ietf.org/html/draft-shoemaker-acme-tls-alpn-00#section-3

//

// The token argument is a Challenge.Token value.

// If a WithKey option is provided, its private part signs the returned cert,

// and the public part is used to specify the signee.

// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve.

//

// The returned certificate is valid for the next 24 hours and must be presented only when

// the server name in the TLS ClientHello matches the domain, and the special acme-tls/1 ALPN protocol

// has been specified.

func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption) (cert tls.Certificate, err error) {

	ka, err := keyAuth(c.Key.Public(), token)

	if err != nil {

		return tls.Certificate{}, err

	}

	shasum := sha256.Sum256([]byte(ka))

	extValue, err := asn1.Marshal(shasum[:])

	if err != nil {

		return tls.Certificate{}, err

	}

	acmeExtension := pkix.Extension{

		Id: idPeACMEIdentifier,

		Critical: true,

		Value: extValue,
	}

	tmpl := defaultTLSChallengeCertTemplate()

	var newOpt []CertOption

	for _, o := range opt {

		switch o := o.(type) {

		case *certOptTemplate:

			t := *(*x509.Certificate)(o) // shallow copy is ok

			tmpl = &t

		default:

			newOpt = append(newOpt, o)

		}

	}

	tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, acmeExtension)

	newOpt = append(newOpt, WithTemplate(tmpl))

	return tlsChallengeCert([]string{domain}, newOpt)

}

// popNonce returns a nonce value previously stored with c.addNonce

// or fetches a fresh one from c.dir.NonceURL.

// If NonceURL is empty, it first tries c.directoryURL() and, failing that,

// the provided url.

func (c *Client) popNonce(ctx context.Context, url string) (string, error) {

	c.noncesMu.Lock()

	defer c.noncesMu.Unlock()

	if len(c.nonces) == 0 {

		if c.dir != nil && c.dir.NonceURL != "" {

			return c.fetchNonce(ctx, c.dir.NonceURL)

		}

		dirURL := c.directoryURL()

		v, err := c.fetchNonce(ctx, dirURL)

		if err != nil && url != dirURL {

			v, err = c.fetchNonce(ctx, url)

		}

		return v, err

	}

	var nonce string

	for nonce = range c.nonces {

		delete(c.nonces, nonce)

		break

	}

	return nonce, nil

}

// clearNonces clears any stored nonces

func (c *Client) clearNonces() {

	c.noncesMu.Lock()

	defer c.noncesMu.Unlock()

	c.nonces = make(map[string]struct{})

}

// addNonce stores a nonce value found in h (if any) for future use.

func (c *Client) addNonce(h http.Header) {

	v := nonceFromHeader(h)

	if v == "" {

		return

	}

	c.noncesMu.Lock()

	defer c.noncesMu.Unlock()

	if len(c.nonces) >= maxNonces {

		return

	}

	if c.nonces == nil {

		c.nonces = make(map[string]struct{})

	}

	c.nonces[v] = struct{}{}

}

func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) {

	r, err := http.NewRequest("HEAD", url, nil)

	if err != nil {

		return "", err

	}

	resp, err := c.doNoRetry(ctx, r)

	if err != nil {

		return "", err

	}

	defer resp.Body.Close()

	nonce := nonceFromHeader(resp.Header)

	if nonce == "" {

		if resp.StatusCode > 299 {

			return "", responseError(resp)

		}

		return "", errors.New("acme: nonce not found")

	}

	return nonce, nil

}

func nonceFromHeader(h http.Header) string {

	return h.Get("Replay-Nonce")

}

// linkHeader returns URI-Reference values of all Link headers

// with relation-type rel.

// See https://tools.ietf.org/html/rfc5988#section-5 for details.

func linkHeader(h http.Header, rel string) []string {

	var links []string

	for _, v := range h["Link"] {

		parts := strings.Split(v, ";")

		for _, p := range parts {

			p = strings.TrimSpace(p)

			if !strings.HasPrefix(p, "rel=") {

				continue

			}

			if v := strings.Trim(p[4:], `"`); v == rel {

				links = append(links, strings.Trim(parts[0], "<>"))

			}

		}

	}

	return links

}

// keyAuth generates a key authorization string for a given token.

func keyAuth(pub crypto.PublicKey, token string) (string, error) {

	th, err := JWKThumbprint(pub)

	if err != nil {

		return "", err

	}

	return fmt.Sprintf("%s.%s", token, th), nil

}

// defaultTLSChallengeCertTemplate is a template used to create challenge certs for TLS challenges.

func defaultTLSChallengeCertTemplate() *x509.Certificate {

	return &x509.Certificate{

		SerialNumber: big.NewInt(1),

		NotBefore: time.Now(),

		NotAfter: time.Now().Add(24 * time.Hour),

		BasicConstraintsValid: true,

		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,

		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}

}

// tlsChallengeCert creates a temporary certificate for TLS-SNI challenges

// with the given SANs and auto-generated public/private key pair.

// The Subject Common Name is set to the first SAN to aid debugging.

// To create a cert with a custom key pair, specify WithKey option.

func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) {

	var key crypto.Signer

	tmpl := defaultTLSChallengeCertTemplate()

	for _, o := range opt {

		switch o := o.(type) {

		case *certOptKey:

			if key != nil {

				return tls.Certificate{}, errors.New("acme: duplicate key option")

			}

			key = o.key

		case *certOptTemplate:

			t := *(*x509.Certificate)(o) // shallow copy is ok

			tmpl = &t

		default:

			// package's fault, if we let this happen:

			panic(fmt.Sprintf("unsupported option type %T", o))

		}

	}

	if key == nil {

		var err error

		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {

			return tls.Certificate{}, err

		}

	}

	tmpl.DNSNames = san

	if len(san) > 0 {

		tmpl.Subject.CommonName = san[0]

	}

	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)

	if err != nil {

		return tls.Certificate{}, err

	}

	return tls.Certificate{

		Certificate: [][]byte{der},

		PrivateKey: key,
	}, nil

}

// encodePEM returns b encoded as PEM with block of type typ.

func encodePEM(typ string, b []byte) []byte {

	pb := &pem.Block{Type: typ, Bytes: b}

	return pem.EncodeToMemory(pb)

}

// timeNow is time.Now, except in tests which can mess with it.

var timeNow = time.Now