Merge pull request #874 from urbit/acme-retry

adds robustness to :acme app

lib/jose.hoon

@@ -202,7 +202,8 @@
     ::
     ++  sign
       |=  [protect=cord payload=cord]
-      =/  sig=@ud  (~(sign rs256 k) (rap 3 ~[protect '.' payload]))
+      =/  msg=@t   (rap 3 ~[protect '.' payload])
+      =/  sig=@ud  (~(sign rs256 k) (met 3 msg) msg)
       =/  len=@ud  (met 3 n.pub.k)
       (en-base64url len (rev 3 len sig))
     --

lib/pkcs.hoon

@@ -26,12 +26,12 @@
   ::    Padded, DER encoded sha-256 hash (EMSA-PKCS1-v1_5).
   ::
   ++  emsa
-    |=  m=@
+    |=  m=byts
     =/  emlen  (met 3 n.pub.k)
     =/  pec=spec:asn1
       :~  %seq
           [%seq [%obj sha-256:obj:asn1] [%nul ~] ~]
-          [%oct 32 (shax m)]
+          [%oct 32 (shay wid.m dat.m)]
       ==
     ::  note: this asn.1 digest is rendered raw here, as we require
     ::  big-endian bytes, and the product of +en:der is little-endian
@@ -48,14 +48,14 @@
   ::    An RSA signature is the primitive decryption of the message hash.
   ::
   ++  sign
-    |=(m=@ (de:rsa (emsa m) k))
+    |=(m=byts (de:rsa (emsa m) k))
   ::  +verify:rs256: verify signature
   ::
   ::    RSA signature verification confirms that the primitive encryption
   ::    of the signature matches the message hash.
   ::
   ++  verify
-    |=  [s=@ m=@]
+    |=  [s=@ m=byts]
     =((emsa m) (en:rsa s k))
   --
 ::  |pem: generic PEM implementation (rfc7468)
@@ -334,7 +334,7 @@
               ::
               :+  %bit
                 (met 0 n.pub.key)
-              (swp 3 (~(sign rs256 key) +:(en:^der dat)))
+              (swp 3 (~(sign rs256 key) (en:^der dat)))
           ==
       ::  +info:en:spec:pkcs10: certificate request info
       ::

tests/app/acme.hoon

@@ -0,0 +1,46 @@
+/+  *test
+::
+/=  app  /:  /===/app/acme
+             /!noun/
+::
+|%
+::  tests that acme preps without moves
+::
+++  test-prep
+  =^  moves  app  (~(prep app *bowl:gall *acme:app) ~)
+  %+  expect-eq
+      !>  *(list move:app)
+      !>  moves
+::  tests that acme inits on first order
+::
+++  test-first-order
+  =/  dom=(set turf)  (sy /org/urbit/zod ~)
+  =^  moves  app  (~(poke-acme-order app *bowl:gall *acme:app) dom)
+  ;:  weld
+    %+  expect-eq
+        !>  ~[[ost.bow.app [%wait /acme/directory +(now.bow.app)]]]
+        !>  moves
+  ::
+    %+  expect-eq
+        !>  [~ dom]
+        !>  pen.app
+  ::
+    %+  expect-eq
+        !>  &
+        !>  !=(*key:rsa:app key.act.app)
+  ::
+    %+  expect-eq
+        !>  &
+        !>  !=(*key:rsa:app cey.app)
+  ==
+::  tests that acme requests service directory on %wake
+::
+++  test-first-order-wake
+  =^  moves  app  (~(wake app *bowl:gall *acme:app) /acme/directory ~)
+  =/  url
+    =-  (need (de-purl:html -))
+    'https://acme-staging-v02.api.letsencrypt.org/directory'
+  %+  expect-eq
+      !>  ~[[ost.bow.app [%hiss /acme/directory/~zod [~ ~] %httr %hiss url %get ~ ~]]]
+      !>  moves
+--

tests/lib/jose.hoon

@@ -128,7 +128,7 @@
   ::
     %+  expect-eq
       !>  exp-ws
-      !>  (en-base64url (en:octn (~(sign rs256 k) inp-ws)))
+      !>  (en-base64url (en:octn (~(sign rs256 k) (met 3 inp-ws) inp-ws)))
   ==
 ::
 ++  test-jws-2

tests/lib/pkcs.hoon

@@ -301,23 +301,23 @@
         'Q8EDWlbDcbjrheZgw6QotIr3wW99fYfMA22ussdXMPXxlMkNa7ReXPlfjigPvF+0shrm'
         '/g=='
     ==
-  =/  sig=@ux  (~(sign rs256 k2) inp2)
+  =/  sig=@ux  (~(sign rs256 k2) (met 3 inp2) inp2)
   ;:  weld
     %+  expect-eq
       !>  exp1
-      !>  (~(sign rs256 k1) inp1)
+      !>  (~(sign rs256 k1) (met 3 inp1) inp1)
   ::
     %+  expect-eq
       !>  &
-      !>  (~(verify rs256 k1) exp1 inp1)
+      !>  (~(verify rs256 k1) exp1 (met 3 inp1) inp1)
   ::
     %+  expect-eq
       !>  emsa1
-      !>  `@ux`(~(emsa rs256 k1) inp1)
+      !>  `@ux`(~(emsa rs256 k1) (met 3 inp1) inp1)
   ::
     %+  expect-eq
       !>  &
-      !>  (~(verify rs256 k2) sig inp2)
+      !>  (~(verify rs256 k2) sig (met 3 inp2) inp2)
   ::
     %+  expect-eq
       !>  exp2