|
@@ -1530,62 +1530,75 @@ _send_signed_request() {
|
|
|
payload64=$(printf "%s" "$payload" | _base64 | _url_replace)
|
|
|
_debug3 payload64 "$payload64"
|
|
|
|
|
|
- if [ -z "$_CACHED_NONCE" ]; then
|
|
|
- _debug2 "Get nonce."
|
|
|
- nonceurl="$API/directory"
|
|
|
- _headers="$(_get "$nonceurl" "onlyheader")"
|
|
|
+ MAX_REQUEST_RETRY_TIMES=5
|
|
|
+ _request_retry_times=0
|
|
|
+ while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
|
|
|
+ _debug3 _request_retry_times "$_request_retry_times"
|
|
|
+ if [ -z "$_CACHED_NONCE" ]; then
|
|
|
+ _debug2 "Get nonce."
|
|
|
+ nonceurl="$API/directory"
|
|
|
+ _headers="$(_get "$nonceurl" "onlyheader")"
|
|
|
|
|
|
- if [ "$?" != "0" ]; then
|
|
|
- _err "Can not connect to $nonceurl to get nonce."
|
|
|
- return 1
|
|
|
- fi
|
|
|
+ if [ "$?" != "0" ]; then
|
|
|
+ _err "Can not connect to $nonceurl to get nonce."
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
|
|
|
- _debug2 _headers "$_headers"
|
|
|
+ _debug2 _headers "$_headers"
|
|
|
|
|
|
- _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
|
|
|
- _debug2 _CACHED_NONCE "$_CACHED_NONCE"
|
|
|
- else
|
|
|
- _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
|
|
|
- fi
|
|
|
- nonce="$_CACHED_NONCE"
|
|
|
- _debug2 nonce "$nonce"
|
|
|
+ _CACHED_NONCE="$(echo "$_headers" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
|
|
|
+ _debug2 _CACHED_NONCE "$_CACHED_NONCE"
|
|
|
+ else
|
|
|
+ _debug2 "Use _CACHED_NONCE" "$_CACHED_NONCE"
|
|
|
+ fi
|
|
|
+ nonce="$_CACHED_NONCE"
|
|
|
+ _debug2 nonce "$nonce"
|
|
|
|
|
|
- protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
|
|
|
- _debug3 protected "$protected"
|
|
|
+ protected="$JWK_HEADERPLACE_PART1$nonce$JWK_HEADERPLACE_PART2"
|
|
|
+ _debug3 protected "$protected"
|
|
|
|
|
|
- protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
|
|
|
- _debug3 protected64 "$protected64"
|
|
|
+ protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
|
|
|
+ _debug3 protected64 "$protected64"
|
|
|
|
|
|
- if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
|
|
|
- _err "Sign request failed."
|
|
|
- return 1
|
|
|
- fi
|
|
|
- _debug3 _sig_t "$_sig_t"
|
|
|
+ if ! _sig_t="$(printf "%s" "$protected64.$payload64" | _sign "$keyfile" "sha256")"; then
|
|
|
+ _err "Sign request failed."
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
+ _debug3 _sig_t "$_sig_t"
|
|
|
|
|
|
- sig="$(printf "%s" "$_sig_t" | _url_replace)"
|
|
|
- _debug3 sig "$sig"
|
|
|
+ sig="$(printf "%s" "$_sig_t" | _url_replace)"
|
|
|
+ _debug3 sig "$sig"
|
|
|
|
|
|
- body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
|
|
|
- _debug3 body "$body"
|
|
|
+ body="{\"header\": $JWK_HEADER, \"protected\": \"$protected64\", \"payload\": \"$payload64\", \"signature\": \"$sig\"}"
|
|
|
+ _debug3 body "$body"
|
|
|
|
|
|
- response="$(_post "$body" "$url" "$needbase64")"
|
|
|
- _CACHED_NONCE=""
|
|
|
- if [ "$?" != "0" ]; then
|
|
|
- _err "Can not post to $url"
|
|
|
- return 1
|
|
|
- fi
|
|
|
- _debug2 original "$response"
|
|
|
+ response="$(_post "$body" "$url" "$needbase64")"
|
|
|
+ _CACHED_NONCE=""
|
|
|
+
|
|
|
+ if [ "$?" != "0" ]; then
|
|
|
+ _err "Can not post to $url"
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
+ _debug2 original "$response"
|
|
|
+ response="$(echo "$response" | _normalizeJson)"
|
|
|
|
|
|
- response="$(echo "$response" | _normalizeJson)"
|
|
|
+ responseHeaders="$(<"$HTTP_HEADER")"
|
|
|
|
|
|
- responseHeaders="$(cat "$HTTP_HEADER")"
|
|
|
+ _debug2 responseHeaders "$responseHeaders"
|
|
|
+ _debug2 response "$response"
|
|
|
+ code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
|
|
|
+ _debug code "$code"
|
|
|
|
|
|
- _debug2 responseHeaders "$responseHeaders"
|
|
|
- _debug2 response "$response"
|
|
|
- code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
|
|
|
- _debug code "$code"
|
|
|
+ _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
|
|
|
|
|
|
- _CACHED_NONCE="$(echo "$responseHeaders" | grep "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
|
|
|
+ if _contains "$response" "JWS has invalid anti-replay nonce"; then
|
|
|
+ _info "It seems the CA server is busy now, let's wait and retry."
|
|
|
+ _request_retry_times=$(_math "$_request_retry_times" + 1)
|
|
|
+ _sleep 5
|
|
|
+ continue
|
|
|
+ fi
|
|
|
+ break
|
|
|
+ done
|
|
|
|
|
|
}
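Review bot: The new `responseHeaders="$(<"$HTTP_HEADER")"` is a bash-only form; if this script runs under a POSIX `sh` such as dash (the `_head_n`/`_tail_n` wrappers suggest portability is a goal), `$(<file)` expands to nothing, so `responseHeaders` is empty, the `_CACHED_NONCE` extracted from it two lines later is always empty, and every request silently falls back to a fresh `/directory` round trip — keep the removed `responseHeaders="$(cat "$HTTP_HEADER")"`. The `[ "$?" != "0" ]` check after `_post` still tests the exit status of the `_CACHED_NONCE=""` assignment rather than of `_post`, so a failed POST is never reported; `if ! response="$(_post "$body" "$url" "$needbase64")"; then` with `_CACHED_NONCE=""` kept as the first statement inside and after the branch matches the pattern already used for `_sign` above. Retrying only on a bad nonce is the right scope, since re-posting a signed request on any other error would duplicate it, but matching the human-readable detail text is fragile; matching the ACME error type (`badNonce`, `urn:ietf:params:acme:error:badNonce` in RFC 8555) in the response is more robust. When all `MAX_REQUEST_RETRY_TIMES` attempts are exhausted the loop falls through with no diagnostic and the caller only sees the last error body, so an `_err` after `done` would make that case visible. The enclosing `_send_signed_request` begins before this hunk.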
|
|
|
|