acme-client 2.0.0 → 2.0.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ccaa8fb7fadbae1a6d93f99ad319ca95261994cbec494ab885028aae2f894a6a
-  data.tar.gz: 224d05d0f66cb37ffcbcf1bf05f649e0278dc097518b927dcc4a2e635ba29357
+  metadata.gz: 88c2953c9fcfd9a7f7825b4c69b2cf0ff86befb504914e6f78b03f6fdaab052b
+  data.tar.gz: bddedcd46dc0b2d1224a7d409916668aa31bfad3c6576a0d09376257c654f434
 SHA512:
-  metadata.gz: c461b3d255fc35d3b21411632ff4f26700fd0969547f8a7a93879c719e2383f58badfc0278bc45df4780b293094af3b2d560494ac3f00076dae23affbe697682
-  data.tar.gz: 477869ea08075d8e9d70afa80f4576f6a0ffb936bfb70244b0bf6f8d34d2da593d76acf6231d266fd920eeb0fbf4045e4605869c77f9b06377487cbb4902c014
+  metadata.gz: 999d2d254b29f3fdefe3af90333091c5a034d5aa3b3c3274bfe1c7787fe9c14723bf288ba0d7e4dce5fa3aad3352ecd0ef49bd60c93f4b51ab7e5d51017a9a1e
+  data.tar.gz: 0d16f423760bd8f714ce94de1767201dd8c842ae3fca2ec8d93c7364ea15c61f24f9c66c4175e2d7091cf263467caeb4a5e049f996c92173d64269ba5c11629b

data/CHANGELOG.md

@@ -1,3 +1,94 @@
+## `2.0.18`
+
+* Fix an issue public key encoding. `OpenSSL::BN` cause keys with leading zero to fail.
+
+## `2.0.17`
+
+* Fix bug where depending on call order `jws` get generated with the wrong `kid`
+
+## `2.0.16`
+
+* Refactor Directory
+* Fix an issue where the client would crash when ACME provider return nonce for directory endpoint
+
+## `2.0.15`
+
+* Also pass connection_options to Faraday for Client#get_nonce
+
+
+## `2.0.14`
+
+* Fix Faraday HTTP exceptions leaking out, always raise `Acme::Client::Error` instead
+
+## `2.0.13`
+
+* Add support for External Account Binding
+
+## `2.0.12`
+
+* Update test matrix to current Ruby versions (2.7 to 3.2)
+* Support for Faraday retry 2.x
+
+## `2.0.11`
+
+* Add support for error code `AlreadyRevoked` and `BadPublicKey`
+
+## `2.0.10`
+
+* Support for Faraday 1.0 / 2.0
+
+## `2.0.9`
+
+* Support for Ruby 3.0 and Faraday 0.17.x
+* Raise when directory is rate limited
+
+## `2.0.8`
+
+* Add support for the keyChange endpoint
+
+https://tools.ietf.org/html/rfc8555#section-7.3.5
+
+
+## `2.0.7`
+
+* Add support for alternate certificate chain
+* Change `Link` headers parsing to return array of value. This add support multiple entries at the same `rel`
+
+## `2.0.6`
+
+* Allow Faraday up to `< 2.0`
+
+## `2.0.5`
+
+* Use post-as-get
+* Remove deprecated keyAuthorization
+
+## `2.0.4`
+
+* Add an option to retry bad nonce errors
+
+## `2.0.3`
+
+* Do not try to set the body on GET request
+
+## `2.0.2`
+
+* Fix constant lookup on InvalidDirectory
+* Forward connection options when fetching nonce
+* Fix splats without parenthesis warning
+
+## `2.0.1`
+
+* Properly require URI
+
+## `2.0.0`
+
+* Release of the `ACMEv2` branch
+
+## `1.0.0`
+
+* Development for `ACMEv1` moved into `1.0.x`
+
 ## `0.6.3`
 
 * Handle Faraday::ConnectionFailed errors as Timeout error.

data/Gemfile

@@ -1,12 +1,12 @@
 source 'https://rubygems.org'
+
 gemspec
 
+if faraday_version = ENV['FARADAY_VERSION']
+  gem 'faraday', faraday_version
+end
+
 group :development, :test do
   gem 'pry'
-  gem 'rubocop', '~> 0.49.0'
   gem 'ruby-prof', require: false
-
-  if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('2.2.2')
-    gem 'activesupport', '~> 4.2.6'
-  end
 end

data/README.md

@@ -1,15 +1,11 @@
 # Acme::Client
 
-[![Build Status](https://travis-ci.org/unixcharles/acme-client.svg?branch=master)](https://travis-ci.org/unixcharles/acme-client)
-
-`acme-client` is a client implementation of the [ACMEv2](https://github.com/ietf-wg-acme/acme) protocol in Ruby.
+`acme-client` is a client implementation of the ACME / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
 
 You can find the ACME reference implementations of the [server](https://github.com/letsencrypt/boulder) in Go and the [client](https://github.com/certbot/certbot) in Python.
 
 ACME is part of the [Letsencrypt](https://letsencrypt.org/) project, which goal is to provide free SSL/TLS certificates with automation of the acquiring and renewal process.
 
-You can find ACMEv1 compatible client in the [acme-v1](https://github.com/unixcharles/acme-client/tree/acme-v1) branch.
-
 ## Installation
 
 Via RubyGems:
@@ -23,17 +19,26 @@ gem 'acme-client'
 ```
 
 ## Usage
-* [Setting up a client](#setting-up-a-client)
-* [Account management](#account-management)
-* [Obtaining a certificate](#obtaining-a-certificate)
-  * [Ordering a certificate](#ordering-a-certificate)
-  * [Completing an HTTP challenge](#preparing-for-http-challenge)
-  * [Completing an DNS challenge](#preparing-for-dns-challenge)
-  * [Requesting a challenge verification](#requesting-a-challenge-verification)
-  * [Downloading a certificate](#downloading-a-certificate)
-* [Extra](#extra)
-  * [Certificate revokation](#certificate-revokation)
-  * [Certificate renewal](#certificate-renewal)
+- [Acme::Client](#acmeclient)
+  - [Installation](#installation)
+  - [Usage](#usage)
+  - [Setting up a client](#setting-up-a-client)
+  - [Account management](#account-management)
+  - [Obtaining a certificate](#obtaining-a-certificate)
+    - [Ordering a certificate](#ordering-a-certificate)
+    - [Preparing for HTTP challenge](#preparing-for-http-challenge)
+    - [Preparing for DNS challenge](#preparing-for-dns-challenge)
+    - [Requesting a challenge verification](#requesting-a-challenge-verification)
+    - [Downloading a certificate](#downloading-a-certificate)
+    - [Ordering an alternative certificate](#ordering-an-alternative-certificate)
+  - [Extra](#extra)
+    - [Certificate revokation](#certificate-revokation)
+    - [Certificate renewal](#certificate-renewal)
+  - [Not implemented](#not-implemented)
+  - [Requirements](#requirements)
+  - [Development](#development)
+  - [Pull request?](#pull-request)
+  - [License](#license)
 
 ## Setting up a client
 
@@ -41,7 +46,7 @@ The client is initialized with a private key and the directory of your ACME prov
 
 LetsEncrypt's `directory` is `https://acme-v02.api.letsencrypt.org/directory`.
 
-They also have a staging enpoind at `https://acme-staging-v02.api.letsencrypt.org/directory`.
+They also have a staging endpoint at `https://acme-staging-v02.api.letsencrypt.org/directory`.
 
 `acme-ruby` expects `OpenSSL::PKey::RSA` or `OpenSSL::PKey::EC`
 
@@ -89,6 +94,25 @@ account = client.new_account(contact: 'mailto:info@example.com', terms_of_servic
 account.kid # => <kid string>
 ```
 
+If you already have an existing account (for example one created in ACME v1) please note that unless the `kid` is provided at initialization, the client will lazy load the `kid` by doing a `POST` to `newAccount` whenever the `kid` is required. Therefore, you can easily get your `kid` for an existing account and (if needed) store it for reuse:
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
+
+# kid is not set, therefore a call to newAccount is made to lazy-initialize the kid
+client.kid
+=> "https://acme-staging-v02.api.letsencrypt.org/acme/acct/000000"
+```
+
+## External Account Binding support
+
+You can use External Account Binding by providing a `external_account_binding` with a `kid` and `hmac_key`.
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme.zerossl.com/v2/DV90')
+account = client.new_account(contact: 'mailto:info@example.com', terms_of_service_agreed: true, external_account_binding: { kid: "your kid", hmac_key: "your hmac key"})
+```
+
 ## Obtaining a certificate
 ### Ordering a certificate
 
@@ -96,7 +120,7 @@ To order a new certificate, the client must provide a list of identifiers.
 
 The returned order will contain a list of `Authorization` that need to be completed in other to finalize the order, generally one per identifier.
 
-Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one the challenges.
+Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one of the challenges.
 
 You can access the challenge you wish to complete using the `#dns` or `#http` method.
 
@@ -151,7 +175,7 @@ challenge.request_validation
 
 The validation is performed asynchronously and can take some time to be performed by the server.
 
-You can poll until its status change.
+You can poll until its status changes.
 
 ```ruby
 while challenge.status == 'pending'
@@ -165,17 +189,36 @@ challenge.status # => 'valid'
 
 Once all required authorizations have been validated through challenges, the order can be finalized using a CSR ([Certificate Signing Request](https://en.wikipedia.org/wiki/Certificate_signing_request)).
 
-A CSR can be slightly tricky to generate using OpenSSL from Ruby standard library. `acme-client` provide a utility class `CertificateRequest` to help with that.
+A CSR can be slightly tricky to generate using OpenSSL from Ruby standard library. `acme-client` provide a utility class `CertificateRequest` to help with that. You'll need to use a different private key for the certificate request than the one you use for your `Acme::Client` account.
 
 Certificate generation happens asynchronously. You may need to poll.
 
 ```ruby
-csr = Acme::Client::CertificateRequest.new(private_key: private_key, subject: { common_name: 'example.com' })
+csr = Acme::Client::CertificateRequest.new(private_key: a_different_private_key, subject: { common_name: 'example.com' })
 order.finalize(csr: csr)
-sleep(1) while order.status == 'processing'
+while order.status == 'processing'
+  sleep(1)
+  order.reload
+end
 order.certificate # => PEM-formatted certificate
 ```
 
+### Ordering an alternative certificate
+
+The provider may provide alternate certificate with different certificate chain. You can specify the required chain and the client will automatically download alternate certificate and match the chain by name.
+
+```ruby
+begin
+  order.certificate(force_chain: 'DST Root CA X3')
+rescue Acme::Client::Error::ForcedChainNotFound
+  order.certificate
+end
+```
+
+Note: if the specified forced chain doesn't match an existing alternative certificate the method will raise an `Acme::Client::Error::ForcedChainNotFound` error.
+
+Learn more about the original Github issue for this client [here](https://github.com/unixcharles/acme-client/issues/186), information from Let's Encrypt [here](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html), and cross-signing [here](https://letsencrypt.org/certificates/#cross-signing).
+
 ## Extra
 
 ### Certificate revokation
@@ -188,16 +231,22 @@ client.revoke(certificate: certificate)
 
 ### Certificate renewal
 
-The is no renewal process, just create a new order.
+There is no renewal process, just create a new order.
+
 
+### Account Key Roll-over
 
-## Not implemented
+To change the key used for an account you can call `#account_key_change` with the new private key or jwk.
 
-- Account Key Roll-over.
+```ruby
+require 'openssl'
+new_private_key = OpenSSL::PKey::RSA.new(4096)
+client.account_key_change(new_private_key: new_private_key)
+```
 
 ## Requirements
 
-Ruby >= 2.1
+Ruby >= 3.0
 
 ## Development
 
@@ -214,4 +263,3 @@ Yes.
 ## License
 
 [MIT License](http://opensource.org/licenses/MIT)
-

data/Rakefile

@@ -3,7 +3,4 @@ require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
-require 'rubocop/rake_task'
-RuboCop::RakeTask.new
-
-task default: [:spec, :rubocop]
+task default: [:spec]

data/acme-client.gemspec

@@ -11,16 +11,17 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'http://github.com/unixcharles/acme-client'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) || f.start_with?('.') }
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.1.0'
+  spec.required_ruby_version = '>= 2.3.0'
 
-  spec.add_development_dependency 'bundler', '~> 1.6', '>= 1.6.9'
-  spec.add_development_dependency 'rake', '~> 10.0'
-  spec.add_development_dependency 'rspec', '~> 3.3', '>= 3.3.0'
-  spec.add_development_dependency 'vcr', '~> 2.9', '>= 2.9.3'
-  spec.add_development_dependency 'webmock', '~> 1.21', '>= 1.21.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'rspec', '~> 3.9'
+  spec.add_development_dependency 'vcr', '~> 2.9'
+  spec.add_development_dependency 'webmock', '~> 3.8'
+  spec.add_development_dependency 'webrick', '~> 1.7'
 
-  spec.add_runtime_dependency 'faraday', '~> 0.9', '>= 0.9.1'
+  spec.add_runtime_dependency 'faraday', '>= 1.0', '< 3.0.0'
+  spec.add_runtime_dependency 'faraday-retry', '>= 1.0', '< 3.0.0'
 end

data/bin/generate_keystash

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'acme-client'
+
+require File.join(File.dirname(__FILE__), '../spec/support/ssl_helper')
+
+
+SSLHelper::KEYSTASH.generate_keystash!(size: 200)

data/bin/release

@@ -13,6 +13,7 @@ def `(command)
   end
 end
 
+`git add CHANGELOG.md`
 `git add lib/acme/client/version.rb`
 `git commit -m "bump to #{version}"`
 `git pull --rebase origin master`

data/lib/acme/client/chain_identifier.rb

@@ -0,0 +1,27 @@
+class Acme::Client
+  class ChainIdentifier
+    def initialize(pem_certificate_chain)
+      @pem_certificate_chain = pem_certificate_chain
+    end
+
+    def match_name?(name)
+      issuers.any? do |issuer|
+        issuer.include?(name)
+      end
+    end
+
+    private
+
+    def issuers
+      x509_certificates.map(&:issuer).map(&:to_s)
+    end
+
+    def x509_certificates
+      @x509_certificates ||= splitted_pem_certificates.map { |pem| OpenSSL::X509::Certificate.new(pem) }
+    end
+
+    def splitted_pem_certificates
+      @pem_certificate_chain.each_line.slice_after(/END CERTIFICATE/).map(&:join)
+    end
+  end
+end

data/lib/acme/client/error.rb

@@ -7,10 +7,13 @@ class Acme::Client::Error < StandardError
   class UnsupportedChallengeType < ClientError; end
   class NotFound < ClientError; end
   class CertificateNotReady < ClientError; end
+  class ForcedChainNotFound < ClientError; end
 
   class ServerError < Acme::Client::Error; end
+  class AlreadyRevoked < ServerError; end
   class BadCSR < ServerError; end
   class BadNonce < ServerError; end
+  class BadPublicKey < ServerError; end
   class BadSignatureAlgorithm < ServerError; end
   class InvalidContact < ServerError; end
   class UnsupportedContact < ServerError; end
@@ -31,8 +34,10 @@ class Acme::Client::Error < StandardError
   class IncorrectResponse < ServerError; end
 
   ACME_ERRORS = {
+    'urn:ietf:params:acme:error:alreadyRevoked' => AlreadyRevoked,
     'urn:ietf:params:acme:error:badCSR' => BadCSR,
     'urn:ietf:params:acme:error:badNonce' => BadNonce,
+    'urn:ietf:params:acme:error:badPublicKey' => BadPublicKey,
     'urn:ietf:params:acme:error:badSignatureAlgorithm' => BadSignatureAlgorithm,
     'urn:ietf:params:acme:error:invalidContact' => InvalidContact,
     'urn:ietf:params:acme:error:unsupportedContact' => UnsupportedContact,

data/lib/acme/client/http_client.rb

@@ -0,0 +1,162 @@
+# frozen_string_literal: true
+
+module Acme::Client::HTTPClient
+  # Creates and returns a new HTTP client, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  options [Hash]
+  # @return [Faraday::Connection]
+  def self.new_connection(url:, options: {})
+    Faraday.new(url, options) do |configuration|
+      configuration.use Acme::Client::HTTPClient::ErrorMiddleware
+
+      yield(configuration) if block_given?
+
+      configuration.headers[:user_agent] = Acme::Client::USER_AGENT
+      configuration.adapter Faraday.default_adapter
+    end
+  end
+
+  # Creates and returns a new HTTP client designed for the Acme-protocol, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  client [Acme::Client]
+  # @param  mode [Symbol]
+  # @param  options [Hash]
+  # @param  bad_nonce_retry [Integer]
+  # @return [Faraday::Connection]
+  def self.new_acme_connection(url:, client:, mode:, options: {}, bad_nonce_retry: 0)
+    new_connection(url: url, options: options) do |configuration|
+      if bad_nonce_retry > 0
+        configuration.request(:retry,
+          max: bad_nonce_retry,
+          methods: Faraday::Connection::METHODS,
+          exceptions: [Acme::Client::Error::BadNonce])
+      end
+
+      configuration.use Acme::Client::HTTPClient::AcmeMiddleware, client: client, mode: mode
+
+      yield(configuration) if block_given?
+    end
+  end
+
+  # ErrorMiddleware ensures the HTTP Client would not raise exceptions outside the Acme namespace.
+  #
+  # Exceptions are rescued and re-packaged as Acme exceptions.
+  class ErrorMiddleware < Faraday::Middleware
+    # Implements the Rack-alike Faraday::Middleware interface.
+    def call(env)
+      @app.call(env)
+    rescue Faraday::TimeoutError, Faraday::ConnectionFailed
+      raise Acme::Client::Error::Timeout
+    end
+  end
+
+  # AcmeMiddleware implements the Acme-protocol requirements for JWK requests.
+  class AcmeMiddleware < Faraday::Middleware
+    attr_reader :env, :response, :client
+
+    CONTENT_TYPE = 'application/jose+json'
+
+    def initialize(app, options)
+      super(app)
+      @client = options.fetch(:client)
+      @mode = options.fetch(:mode)
+    end
+
+    def call(env)
+      @env = env
+      @env[:request_headers]['Content-Type'] = CONTENT_TYPE
+
+      if @env.method != :get
+        @env.body = client.jwk.jws(header: jws_header, payload: env.body)
+      end
+
+      @app.call(env).on_complete { |response_env| on_complete(response_env) }
+    end
+
+    def on_complete(env)
+      @env = env
+
+      raise_on_not_found!
+      store_nonce
+      env.body = decode_body
+      env.response_headers['Link'] = decode_link_headers
+
+      return if env.success?
+
+      raise_on_error!
+    end
+
+    private
+
+    def jws_header
+      headers = { nonce: pop_nonce, url: env.url.to_s }
+      headers[:kid] = client.kid if @mode == :kid
+      headers
+    end
+
+    def raise_on_not_found!
+      raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
+    end
+
+    def raise_on_error!
+      raise error_class, error_message
+    end
+
+    def error_message
+      if env.body.is_a? Hash
+        env.body['detail']
+      else
+        "Error message: #{env.body}"
+      end
+    end
+
+    def error_class
+      Acme::Client::Error::ACME_ERRORS.fetch(error_name, Acme::Client::Error)
+    end
+
+    def error_name
+      return unless env.body.is_a?(Hash)
+      return unless env.body.key?('type')
+      env.body['type']
+    end
+
+    def decode_body
+      content_type = env.response_headers['Content-Type'].to_s
+
+      if content_type.start_with?('application/json', 'application/problem+json')
+        JSON.load(env.body)
+      else
+        env.body
+      end
+    end
+
+    def decode_link_headers
+      return unless env.response_headers.key?('Link')
+      link_header = env.response_headers['Link']
+      Acme::Client::Util.decode_link_headers(link_header)
+    end
+
+    def store_nonce
+      nonce = env.response_headers['replay-nonce']
+      nonces << nonce if nonce
+    end
+
+    def pop_nonce
+      if nonces.empty?
+        get_nonce
+      end
+
+      nonces.pop
+    end
+
+    def get_nonce
+      client.get_nonce
+    end
+
+    def nonces
+      client.nonces
+    end
+  end
+end

data/lib/acme/client/jwk/base.rb

@@ -14,10 +14,10 @@ class Acme::Client::JWK::Base
   # payload - A Hash of payload data.
   #
   # Returns a JSON String.
-  def jws(header: {}, payload: {})
+  def jws(header: {}, payload:)
     header = jws_header(header)
     encoded_header = Acme::Client::Util.urlsafe_base64(header.to_json)
-    encoded_payload = Acme::Client::Util.urlsafe_base64(payload.to_json)
+    encoded_payload = Acme::Client::Util.urlsafe_base64(payload.nil? ? '' : payload.to_json)
 
     signature_data = "#{encoded_header}.#{encoded_payload}"
     signature = sign(signature_data)

data/lib/acme/client/jwk/ecdsa.rb

@@ -50,8 +50,8 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
     {
       crv: @curve_params[:jwa_crv],
       kty: 'EC',
-      x: Acme::Client::Util.urlsafe_base64(coordinates[:x].to_s(2)),
-      y: Acme::Client::Util.urlsafe_base64(coordinates[:y].to_s(2))
+      x: Acme::Client::Util.urlsafe_base64(coordinates[:x]),
+      y: Acme::Client::Util.urlsafe_base64(coordinates[:y])
     }
   end
 
@@ -73,8 +73,10 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
     # BigNumbers
     bns = ints.map(&:value)
 
+    byte_size = (@private_key.group.degree + 7) / 8
+
     # Binary R/S values
-    r, s = bns.map { |bn| [bn.to_s(16)].pack('H*') }
+    r, s = bns.map { |bn| bn.to_s(2).rjust(byte_size, "\x00") }
 
     # JWS wants raw R/S concatenated.
     [r, s].join
@@ -90,8 +92,8 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
       hex_y = hex[2 + data_len / 2, data_len / 2]
 
       {
-        x: OpenSSL::BN.new([hex_x].pack('H*'), 2),
-        y: OpenSSL::BN.new([hex_y].pack('H*'), 2)
+        x: [hex_x].pack('H*'),
+        y: [hex_y].pack('H*')
       }
     end
   end

data/lib/acme/client/jwk/hmac.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Acme::Client::JWK::HMAC < Acme::Client::JWK::Base
+  # Instantiate a new HMAC JWS.
+  #
+  # key - A string.
+  #
+  # Returns nothing.
+  def initialize(key)
+    @key = key
+  end
+
+  # Sign a message with the private key.
+  #
+  # message - A String message to sign.
+  #
+  # Returns a String signature.
+  def sign(message)
+    OpenSSL::HMAC.digest('SHA256', @key, message)
+  end
+
+  # The name of the algorithm as needed for the `alg` member of a JWS object.
+  #
+  # Returns a String.
+  def jwa_alg
+    # https://tools.ietf.org/html/rfc7518#section-3.1
+    # HMAC using SHA-256
+    'HS256'
+  end
+end

data/lib/acme/client/jwk.rb

@@ -19,3 +19,4 @@ end
 require 'acme/client/jwk/base'
 require 'acme/client/jwk/rsa'
 require 'acme/client/jwk/ecdsa'
+require 'acme/client/jwk/hmac'