Cleanup interface of acme_common

src/acme_client.ml

@@ -10,10 +10,8 @@ let ( let* ) = Result.bind
 let guard p err = if p then Ok () else Error err
 
 let key_authorization key token =
-  (* XXX. This get_ok is fine because it can only fail when using  
-     a kty oct which never happens in letsencrypt *)
-  let thumbprint = Jose.Jwk.get_thumbprint `SHA256 key |> Result.get_ok in
-  Printf.sprintf "%s.%s" token (Cstruct.to_string thumbprint |> B64u.urlencode)
+  let thumbprint = Jwk.thumbprint key in
+  Printf.sprintf "%s.%s" token thumbprint
 
 type t = {
   account_key : Jose.Jwk.priv Jose.Jwk.t;

src/acme_common.ml

@@ -96,11 +96,6 @@ let maybe f = function
 module Jwk = struct
   type 'a key = 'a Jose.Jwk.t
 
-  let encode = Jose.Jwk.to_pub_json
-
-  let decode data =
-    Jose.Jwk.of_pub_json_string data
-
   (* XXX. This get_ok is fine because it can only fail when using  
      a kty oct which never happens in letsencrypt *)
   let thumbprint pub_key =
@@ -111,39 +106,23 @@ module Jwk = struct
 end
 
 module Jws = struct
-  type header = Jose.Header.t
+  let encode_acme ?kid_url ~data ?nonce url priv =
+    let kid = Option.map Uri.to_string kid_url in
+    let url = "url", `String (Uri.to_string url) in
 
-  let encode ?(protected = []) ~data ?nonce priv =
-    let extra = Option.map (fun nonce -> [ "nonce", `String nonce]) nonce
-    |> Option.value ~default:[]
-    |> List.append protected
+    let extra = match nonce with
+    | Some nonce -> [ "nonce", `String nonce; url ]
+    | None -> [ url ]
+    in
+    let header = 
+      let header' = Jose.Header.make_header ~extra ~jwk_header:(Option.is_none kid) priv in
+      { header' with kid }
     in
-    let header = Jose.Header.make_header ~extra ~jwk_header:(List.mem_assoc "jwk" protected) priv in
     (* XXX. This get_ok is fine because it can only fail when using  
        a kty oct which never happens in letsencrypt *)
     Jose.Jws.sign ~header ~payload:data priv
     |> Result.get_ok
     |> Jose.Jws.to_string ~serialization:`Flattened
-
-  let encode_acme ?kid_url ~data ?nonce url priv =
-    let kid_or_jwk =
-      match kid_url with
-      | None -> "jwk", Jwk.encode (Jose.Jwk.pub_of_priv priv)
-      | Some url -> "kid", `String (Uri.to_string url)
-    in
-    let url = "url", `String (Uri.to_string url) in
-    let protected = [ kid_or_jwk ; url ] in
-    encode ~protected ~data ?nonce priv
-
-  let decode ?pub data =
-    let* jws = Jose.Jws.of_string data in
-    let* pub =
-      match pub, jws.header.jwk with
-      | Some pub, _ -> Ok pub
-      | None, Some pub -> Ok pub
-      | None, None -> Error (`Msg "no public key found")
-    in
-    Result.map (fun (jws : Jose.Jws.t) -> jws.header, jws.payload) @@ Jose.Jws.validate ~jwk:pub jws
 end
 
 let uri s = Ok (Uri.of_string s)

src/acme_common.mli

@@ -19,34 +19,14 @@ module Jwk : sig
 
   val thumbprint : 'a key -> string
   (** [thumbprint key] produces the JWK thumbprint of [key]. *)
-
-  val encode : 'a key -> json
-
-  val decode : string -> (Jose.Jwk.public key, 
-  [>  `Json_parse_failed of string
-    | `Msg of string
-    | `Unsupported_kty ]) result
 end
 
 module Jws : sig
   (** [Jws]: Json Web Signatures.
-
       Jws is an implementation of the Json Web Signature Standard (RFC7515).
-      Currently, encoding and decoding operations only support the RS256
-      algorithm; specifically the encoding operation is a bit rusty, and probably
-      its interface will change in the future.  *)
-
-  (** type [header] records information about the header. *)
-  type header = Jose.Header.t
-
+  *)
   val encode_acme : ?kid_url:Uri.t -> data:string -> ?nonce:string -> Uri.t ->
     Jose.Jwk.priv Jose.Jwk.t -> string
-
-  val encode : ?protected:(string * json) list -> data:string ->
-    ?nonce:string -> Jose.Jwk.priv Jose.Jwk.t -> string
-
-  val decode : ?pub:(Jose.Jwk.public Jose.Jwk.t) -> string ->
-    (header * string, [> `Invalid_signature | `Msg of string | `Not_json | `Not_supported ]) result
 end
 
 module Directory : sig