acme-client 2.0.11 → 2.0.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ff7c41acdce5ad9f39a371998b37466d8affe4cb3de5e856d44d36e512180ea
-  data.tar.gz: cb9fda5e72bf22dc93659a238b05dd419652584238a024658ebde04aaefc9e80
+  metadata.gz: 88c2953c9fcfd9a7f7825b4c69b2cf0ff86befb504914e6f78b03f6fdaab052b
+  data.tar.gz: bddedcd46dc0b2d1224a7d409916668aa31bfad3c6576a0d09376257c654f434
 SHA512:
-  metadata.gz: eea011baa47710043bab4f22e6556d6ece49ae1a87005e30ec25a41d1abeb93bf6a049ecadf742d706c6ebef7c6ece862704aadd96c252e8c6d801bf814c221a
-  data.tar.gz: 77a75476bd154d46349acee637aad44e08ef911a676e0da5de9267b5f1cc1b845cd2d8030511fd25e2ee31354cdb269f4151a6c1ae36816ff75908864effa6d6
+  metadata.gz: 999d2d254b29f3fdefe3af90333091c5a034d5aa3b3c3274bfe1c7787fe9c14723bf288ba0d7e4dce5fa3aad3352ecd0ef49bd60c93f4b51ab7e5d51017a9a1e
+  data.tar.gz: 0d16f423760bd8f714ce94de1767201dd8c842ae3fca2ec8d93c7364ea15c61f24f9c66c4175e2d7091cf263467caeb4a5e049f996c92173d64269ba5c11629b

data/CHANGELOG.md

@@ -1,3 +1,34 @@
+## `2.0.18`
+
+* Fix an issue public key encoding. `OpenSSL::BN` cause keys with leading zero to fail.
+
+## `2.0.17`
+
+* Fix bug where depending on call order `jws` get generated with the wrong `kid`
+
+## `2.0.16`
+
+* Refactor Directory
+* Fix an issue where the client would crash when ACME provider return nonce for directory endpoint
+
+## `2.0.15`
+
+* Also pass connection_options to Faraday for Client#get_nonce
+
+
+## `2.0.14`
+
+* Fix Faraday HTTP exceptions leaking out, always raise `Acme::Client::Error` instead
+
+## `2.0.13`
+
+* Add support for External Account Binding
+
+## `2.0.12`
+
+* Update test matrix to current Ruby versions (2.7 to 3.2)
+* Support for Faraday retry 2.x
+
 ## `2.0.11`
 
 * Add support for error code `AlreadyRevoked` and `BadPublicKey`

data/Gemfile

@@ -8,6 +8,5 @@ end
 
 group :development, :test do
   gem 'pry'
-  gem 'rubocop', '~> 0.49.0'
   gem 'ruby-prof', require: false
 end

data/README.md

@@ -1,15 +1,11 @@
 # Acme::Client
 
-[![Build Status](https://travis-ci.org/unixcharles/acme-client.svg?branch=master)](https://travis-ci.org/unixcharles/acme-client)
-
-`acme-client` is a client implementation of the ACMEv2 / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
+`acme-client` is a client implementation of the ACME / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
 
 You can find the ACME reference implementations of the [server](https://github.com/letsencrypt/boulder) in Go and the [client](https://github.com/certbot/certbot) in Python.
 
 ACME is part of the [Letsencrypt](https://letsencrypt.org/) project, which goal is to provide free SSL/TLS certificates with automation of the acquiring and renewal process.
 
-You can find ACMEv1 compatible client in the [acme-v1](https://github.com/unixcharles/acme-client/tree/acme-v1) branch.
-
 ## Installation
 
 Via RubyGems:
@@ -108,6 +104,15 @@ client.kid
 => "https://acme-staging-v02.api.letsencrypt.org/acme/acct/000000"
 ```
 
+## External Account Binding support
+
+You can use External Account Binding by providing a `external_account_binding` with a `kid` and `hmac_key`.
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme.zerossl.com/v2/DV90')
+account = client.new_account(contact: 'mailto:info@example.com', terms_of_service_agreed: true, external_account_binding: { kid: "your kid", hmac_key: "your hmac key"})
+```
+
 ## Obtaining a certificate
 ### Ordering a certificate
 
@@ -200,8 +205,7 @@ order.certificate # => PEM-formatted certificate
 
 ### Ordering an alternative certificate
 
-Let's Encrypt is [transitioning](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) to use a new intermediate certificate. Starting January 11, 2021 new certificates will be signed by their own intermediate. To ease the transition on clients Let's Encrypt will continue signing an alternative version of the certificate using the old, cross-signed intermediate until September 29, 2021. In order to utilize an alternative certificate the `Order#certificate` method accepts a `force_chain` keyword argument, which takes the issuer name of the intermediate certificate.
-For example, to download the cross-signed certificate after January 11, 2021, call `Order#certificate` as follows:
+The provider may provide alternate certificate with different certificate chain. You can specify the required chain and the client will automatically download alternate certificate and match the chain by name.
 
 ```ruby
 begin
@@ -237,12 +241,12 @@ To change the key used for an account you can call `#account_key_change` with th
 ```ruby
 require 'openssl'
 new_private_key = OpenSSL::PKey::RSA.new(4096)
-client.account_key_change(private_key: new_private_key)
+client.account_key_change(new_private_key: new_private_key)
 ```
 
 ## Requirements
 
-Ruby >= 2.1
+Ruby >= 3.0
 
 ## Development
 

data/Rakefile

@@ -3,7 +3,4 @@ require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
-require 'rubocop/rake_task'
-RuboCop::RakeTask.new
-
-task default: [:spec, :rubocop]
+task default: [:spec]

data/acme-client.gemspec

@@ -11,18 +11,17 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'http://github.com/unixcharles/acme-client'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) || f.start_with?('.') }
   spec.require_paths = ['lib']
 
   spec.required_ruby_version = '>= 2.3.0'
 
-  spec.add_development_dependency 'bundler', '>= 1.17.3'
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.9'
   spec.add_development_dependency 'vcr', '~> 2.9'
   spec.add_development_dependency 'webmock', '~> 3.8'
-  spec.add_development_dependency 'webrick'
+  spec.add_development_dependency 'webrick', '~> 1.7'
 
   spec.add_runtime_dependency 'faraday', '>= 1.0', '< 3.0.0'
-  spec.add_runtime_dependency 'faraday-retry', '~> 1.0'
+  spec.add_runtime_dependency 'faraday-retry', '>= 1.0', '< 3.0.0'
 end

data/bin/generate_keystash

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'acme-client'
+
+require File.join(File.dirname(__FILE__), '../spec/support/ssl_helper')
+
+
+SSLHelper::KEYSTASH.generate_keystash!(size: 200)

data/lib/acme/client/http_client.rb

@@ -0,0 +1,162 @@
+# frozen_string_literal: true
+
+module Acme::Client::HTTPClient
+  # Creates and returns a new HTTP client, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  options [Hash]
+  # @return [Faraday::Connection]
+  def self.new_connection(url:, options: {})
+    Faraday.new(url, options) do |configuration|
+      configuration.use Acme::Client::HTTPClient::ErrorMiddleware
+
+      yield(configuration) if block_given?
+
+      configuration.headers[:user_agent] = Acme::Client::USER_AGENT
+      configuration.adapter Faraday.default_adapter
+    end
+  end
+
+  # Creates and returns a new HTTP client designed for the Acme-protocol, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  client [Acme::Client]
+  # @param  mode [Symbol]
+  # @param  options [Hash]
+  # @param  bad_nonce_retry [Integer]
+  # @return [Faraday::Connection]
+  def self.new_acme_connection(url:, client:, mode:, options: {}, bad_nonce_retry: 0)
+    new_connection(url: url, options: options) do |configuration|
+      if bad_nonce_retry > 0
+        configuration.request(:retry,
+          max: bad_nonce_retry,
+          methods: Faraday::Connection::METHODS,
+          exceptions: [Acme::Client::Error::BadNonce])
+      end
+
+      configuration.use Acme::Client::HTTPClient::AcmeMiddleware, client: client, mode: mode
+
+      yield(configuration) if block_given?
+    end
+  end
+
+  # ErrorMiddleware ensures the HTTP Client would not raise exceptions outside the Acme namespace.
+  #
+  # Exceptions are rescued and re-packaged as Acme exceptions.
+  class ErrorMiddleware < Faraday::Middleware
+    # Implements the Rack-alike Faraday::Middleware interface.
+    def call(env)
+      @app.call(env)
+    rescue Faraday::TimeoutError, Faraday::ConnectionFailed
+      raise Acme::Client::Error::Timeout
+    end
+  end
+
+  # AcmeMiddleware implements the Acme-protocol requirements for JWK requests.
+  class AcmeMiddleware < Faraday::Middleware
+    attr_reader :env, :response, :client
+
+    CONTENT_TYPE = 'application/jose+json'
+
+    def initialize(app, options)
+      super(app)
+      @client = options.fetch(:client)
+      @mode = options.fetch(:mode)
+    end
+
+    def call(env)
+      @env = env
+      @env[:request_headers]['Content-Type'] = CONTENT_TYPE
+
+      if @env.method != :get
+        @env.body = client.jwk.jws(header: jws_header, payload: env.body)
+      end
+
+      @app.call(env).on_complete { |response_env| on_complete(response_env) }
+    end
+
+    def on_complete(env)
+      @env = env
+
+      raise_on_not_found!
+      store_nonce
+      env.body = decode_body
+      env.response_headers['Link'] = decode_link_headers
+
+      return if env.success?
+
+      raise_on_error!
+    end
+
+    private
+
+    def jws_header
+      headers = { nonce: pop_nonce, url: env.url.to_s }
+      headers[:kid] = client.kid if @mode == :kid
+      headers
+    end
+
+    def raise_on_not_found!
+      raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
+    end
+
+    def raise_on_error!
+      raise error_class, error_message
+    end
+
+    def error_message
+      if env.body.is_a? Hash
+        env.body['detail']
+      else
+        "Error message: #{env.body}"
+      end
+    end
+
+    def error_class
+      Acme::Client::Error::ACME_ERRORS.fetch(error_name, Acme::Client::Error)
+    end
+
+    def error_name
+      return unless env.body.is_a?(Hash)
+      return unless env.body.key?('type')
+      env.body['type']
+    end
+
+    def decode_body
+      content_type = env.response_headers['Content-Type'].to_s
+
+      if content_type.start_with?('application/json', 'application/problem+json')
+        JSON.load(env.body)
+      else
+        env.body
+      end
+    end
+
+    def decode_link_headers
+      return unless env.response_headers.key?('Link')
+      link_header = env.response_headers['Link']
+      Acme::Client::Util.decode_link_headers(link_header)
+    end
+
+    def store_nonce
+      nonce = env.response_headers['replay-nonce']
+      nonces << nonce if nonce
+    end
+
+    def pop_nonce
+      if nonces.empty?
+        get_nonce
+      end
+
+      nonces.pop
+    end
+
+    def get_nonce
+      client.get_nonce
+    end
+
+    def nonces
+      client.nonces
+    end
+  end
+end

data/lib/acme/client/jwk/ecdsa.rb

@@ -50,8 +50,8 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
     {
       crv: @curve_params[:jwa_crv],
       kty: 'EC',
-      x: Acme::Client::Util.urlsafe_base64(coordinates[:x].to_s(2)),
-      y: Acme::Client::Util.urlsafe_base64(coordinates[:y].to_s(2))
+      x: Acme::Client::Util.urlsafe_base64(coordinates[:x]),
+      y: Acme::Client::Util.urlsafe_base64(coordinates[:y])
     }
   end
 
@@ -92,8 +92,8 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
       hex_y = hex[2 + data_len / 2, data_len / 2]
 
       {
-        x: OpenSSL::BN.new([hex_x].pack('H*'), 2),
-        y: OpenSSL::BN.new([hex_y].pack('H*'), 2)
+        x: [hex_x].pack('H*'),
+        y: [hex_y].pack('H*')
       }
     end
   end

data/lib/acme/client/jwk/hmac.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Acme::Client::JWK::HMAC < Acme::Client::JWK::Base
+  # Instantiate a new HMAC JWS.
+  #
+  # key - A string.
+  #
+  # Returns nothing.
+  def initialize(key)
+    @key = key
+  end
+
+  # Sign a message with the private key.
+  #
+  # message - A String message to sign.
+  #
+  # Returns a String signature.
+  def sign(message)
+    OpenSSL::HMAC.digest('SHA256', @key, message)
+  end
+
+  # The name of the algorithm as needed for the `alg` member of a JWS object.
+  #
+  # Returns a String.
+  def jwa_alg
+    # https://tools.ietf.org/html/rfc7518#section-3.1
+    # HMAC using SHA-256
+    'HS256'
+  end
+end

data/lib/acme/client/jwk.rb

@@ -19,3 +19,4 @@ end
 require 'acme/client/jwk/base'
 require 'acme/client/jwk/rsa'
 require 'acme/client/jwk/ecdsa'
+require 'acme/client/jwk/hmac'

data/lib/acme/client/resources/authorization.rb

@@ -56,7 +56,7 @@ class Acme::Client::Resources::Authorization
       type: attributes.fetch('type'),
       status: attributes.fetch('status'),
       url: attributes.fetch('url'),
-      token: attributes.fetch('token'),
+      token: attributes.fetch('token', nil),
       error: attributes['error']
     }
     Acme::Client::Resources::Challenges.new(@client, **arguments)

data/lib/acme/client/resources/directory.rb

@@ -17,12 +17,13 @@ class Acme::Client::Resources::Directory
     external_account_required: 'externalAccountRequired'
   }
 
-  def initialize(url, connection_options)
-    @url, @connection_options = url, connection_options
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(**arguments)
   end
 
   def endpoint_for(key)
-    directory.fetch(key) do |missing_key|
+    @directory.fetch(key) do |missing_key|
       raise Acme::Client::Error::UnsupportedOperation,
         "Directory at #{@url} does not include `#{missing_key}`"
     end
@@ -45,36 +46,16 @@ class Acme::Client::Resources::Directory
   end
 
   def meta
-    directory[:meta]
+    @directory[:meta]
   end
 
   private
 
-  def directory
-    @directory ||= load_directory
-  end
-
-  def load_directory
-    body = fetch_directory
-    result = {}
-    result[:meta] = body.delete('meta')
+  def assign_attributes(directory:)
+    @directory = {}
+    @directory[:meta] = directory.delete('meta')
     DIRECTORY_RESOURCES.each do |key, entry|
-      result[key] = URI(body[entry]) if body[entry]
-    end
-    result
-  rescue JSON::ParserError => exception
-    raise Acme::Client::Error::InvalidDirectory,
-      "Invalid directory url\n#{@directory} did not return a valid directory\n#{exception.inspect}"
-  end
-
-  def fetch_directory
-    connection = Faraday.new(url: @directory, **@connection_options) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: nil, mode: nil
-
-      configuration.adapter Faraday.default_adapter
+      @directory[key] = URI(directory[entry]) if directory[entry]
     end
-    connection.headers[:user_agent] = Acme::Client::USER_AGENT
-    response = connection.get(@url)
-    response.body
   end
 end

data/lib/acme/client/util.rb

@@ -1,4 +1,6 @@
 module Acme::Client::Util
+  extend self
+
   def urlsafe_base64(data)
     Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
   end
@@ -30,6 +32,4 @@ module Acme::Client::Util
       raise ArgumentError, 'priv must be EC or RSA'
     end
   end
-
-  extend self
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.11'.freeze
+    VERSION = '2.0.18'.freeze
   end
 end

data/lib/acme/client.rb

@@ -14,10 +14,10 @@ module Acme; end
 class Acme::Client; end
 
 require 'acme/client/version'
+require 'acme/client/http_client'
 require 'acme/client/certificate_request'
 require 'acme/client/self_sign_certificate'
 require 'acme/client/resources'
-require 'acme/client/faraday_middleware'
 require 'acme/client/jwk'
 require 'acme/client/error'
 require 'acme/client/util'
@@ -44,13 +44,14 @@ class Acme::Client
 
     @kid, @connection_options = kid, connection_options
     @bad_nonce_retry = bad_nonce_retry
-    @directory = Acme::Client::Resources::Directory.new(URI(directory), @connection_options)
+    @directory_url = URI(directory)
     @nonces ||= []
   end
 
   attr_reader :jwk, :nonces
 
-  def new_account(contact:, terms_of_service_agreed: nil)
+  def new_account(contact:, terms_of_service_agreed: nil, external_account_binding: nil)
+    new_account_endpoint = endpoint_for(:new_account)
     payload = {
       contact: Array(contact)
     }
@@ -59,7 +60,18 @@ class Acme::Client
       payload[:termsOfServiceAgreed] = terms_of_service_agreed
     end
 
-    response = post(endpoint_for(:new_account), payload: payload, mode: :jws)
+    if external_account_binding
+      kid, hmac_key = external_account_binding.values_at(:kid, :hmac_key)
+      if kid.nil? || hmac_key.nil?
+        raise ArgumentError, 'must specify kid and hmac_key key for external_account_binding'
+      end
+
+      hmac = Acme::Client::JWK::HMAC.new(Base64.urlsafe_decode64(hmac_key))
+      external_account_payload = hmac.jws(header: { kid: kid, url: new_account_endpoint }, payload: @jwk)
+      payload[:externalAccountBinding] = JSON.parse(external_account_payload)
+    end
+
+    response = post(new_account_endpoint, payload: payload, mode: :jws)
     @kid = response.headers.fetch(:location)
 
     if response.body.nil? || response.body.empty?
@@ -211,34 +223,50 @@ class Acme::Client
   end
 
   def get_nonce
-    connection = new_connection(endpoint: endpoint_for(:new_nonce))
-    response = connection.head(nil, nil, 'User-Agent' => USER_AGENT)
+    http_client = Acme::Client::HTTPClient.new_connection(url: endpoint_for(:new_nonce), options: @connection_options)
+    response = http_client.head(nil, nil)
     nonces << response.headers['replay-nonce']
     true
   end
 
+  def directory
+    @directory ||= load_directory
+  end
+
   def meta
-    @directory.meta
+    directory.meta
   end
 
   def terms_of_service
-    @directory.terms_of_service
+    directory.terms_of_service
   end
 
   def website
-    @directory.website
+    directory.website
   end
 
   def caa_identities
-    @directory.caa_identities
+    directory.caa_identities
   end
 
   def external_account_required
-    @directory.external_account_required
+    directory.external_account_required
   end
 
   private
 
+  def load_directory
+    Acme::Client::Resources::Directory.new(self, directory: fetch_directory)
+  end
+
+  def fetch_directory
+    response = get(@directory_url)
+    response.body
+  rescue JSON::ParserError => exception
+    raise Acme::Client::Error::InvalidDirectory,
+      "Invalid directory url\n#{@directory_url} did not return a valid directory\n#{exception.inspect}"
+  end
+
   def prepare_order_identifiers(identifiers)
     if identifiers.is_a?(Hash)
       [identifiers]
@@ -304,7 +332,7 @@ class Acme::Client
     connection.post(url, nil)
   end
 
-  def get(url, mode: :kid)
+  def get(url, mode: :get)
     connection = connection_for(url: url, mode: mode)
     connection.get(url)
   end
@@ -320,41 +348,15 @@ class Acme::Client
   def connection_for(url:, mode:)
     uri = URI(url)
     endpoint = "#{uri.scheme}://#{uri.hostname}:#{uri.port}"
+
     @connections ||= {}
     @connections[mode] ||= {}
-    @connections[mode][endpoint] ||= new_acme_connection(endpoint: endpoint, mode: mode)
-  end
-
-  def new_acme_connection(endpoint:, mode:)
-    new_connection(endpoint: endpoint) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: self, mode: mode
-    end
-  end
-
-  def new_connection(endpoint:)
-    Faraday.new(endpoint, **@connection_options) do |configuration|
-      if @bad_nonce_retry > 0
-        configuration.request(:retry,
-          max: @bad_nonce_retry,
-          methods: Faraday::Connection::METHODS,
-          exceptions: [Acme::Client::Error::BadNonce])
-      end
-      yield(configuration) if block_given?
-      configuration.adapter Faraday.default_adapter
-    end
-  end
-
-  def fetch_chain(response, limit = 10)
-    links = response.headers['link']
-    if limit.zero? || links.nil? || links['up'].nil?
-      []
-    else
-      issuer = get(links['up'])
-      [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit - 1)]
-    end
+    @connections[mode][endpoint] ||= Acme::Client::HTTPClient.new_acme_connection(
+      url: URI(endpoint), mode: mode, client: self, options: @connection_options, bad_nonce_retry: @bad_nonce_retry
+    )
   end
 
   def endpoint_for(key)
-    @directory.endpoint_for(key)
+    directory.endpoint_for(key)
   end
 end

metadata

@@ -1,29 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.11
+  version: 2.0.18
 platform: ruby
 authors:
 - Charles Barbier
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-01 00:00:00.000000000 Z
+date: 2024-06-14 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.17.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.17.3
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -84,16 +70,16 @@ dependencies:
   name: webrick
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.7'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -118,16 +104,22 @@ dependencies:
   name: faraday-retry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 description:
 email:
 - unixcharles@gmail.com
@@ -135,11 +127,6 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/rubocop.yml"
-- ".github/workflows/test.yml"
-- ".gitignore"
-- ".rspec"
-- ".rubocop.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -147,6 +134,7 @@ files:
 - Rakefile
 - acme-client.gemspec
 - bin/console
+- bin/generate_keystash
 - bin/release
 - bin/setup
 - lib/acme-client.rb
@@ -155,10 +143,11 @@ files:
 - lib/acme/client/certificate_request/ec_key_patch.rb
 - lib/acme/client/chain_identifier.rb
 - lib/acme/client/error.rb
-- lib/acme/client/faraday_middleware.rb
+- lib/acme/client/http_client.rb
 - lib/acme/client/jwk.rb
 - lib/acme/client/jwk/base.rb
 - lib/acme/client/jwk/ecdsa.rb
+- lib/acme/client/jwk/hmac.rb
 - lib/acme/client/jwk/rsa.rb
 - lib/acme/client/resources.rb
 - lib/acme/client/resources/account.rb
@@ -192,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.20
+rubygems_version: 3.4.20
 signing_key:
 specification_version: 4
 summary: Client for the ACME protocol.

data/.github/workflows/rubocop.yml

@@ -1,23 +0,0 @@
-name: Lint
-
-on:
-  push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-
-jobs:
-  rubocop:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby-version: ['3.0']
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.ruby-version }}
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-    - name: Run tests
-      run: bundle exec rake rubocop

data/.github/workflows/test.yml

@@ -1,26 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby-version: ['2.6', '2.7', '3.0', truffleruby-head]
-        faraday-version: ['~> 1.7', '~> 2.0']
-    env:
-      FARADAY_VERSION: ${{ matrix.faraday-version }}
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.ruby-version }}
-        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-    - name: Run tests
-      run: bundle exec rake spec

data/.gitignore

@@ -1,12 +0,0 @@
-/.bundle/
-/.yardoc
-/Gemfile.lock
-/_yardoc/
-/coverage/
-/doc/
-/pkg/
-/spec/reports/
-/tmp/
-/vendor/bundle
-/.idea/
-.tool-versions

data/.rspec

@@ -1,3 +0,0 @@
---format documentation
---color
---order rand

data/.rubocop.yml

@@ -1,134 +0,0 @@
-AllCops:
-  TargetRubyVersion: 2.1
-  Exclude:
-    - 'bin/*'
-    - 'vendor/**/*'
-
-Rails:
-  Enabled: false
-
-Layout/AlignParameters:
-  EnforcedStyle: with_fixed_indentation
-
-Layout/ElseAlignment:
-  Enabled: false
-
-Layout/FirstParameterIndentation:
-  EnforcedStyle: consistent
-
-Layout/IndentationWidth:
-  Enabled: false
-
-Layout/MultilineOperationIndentation:
-  Enabled: false
-
-Layout/SpaceInsideBlockBraces:
-  Enabled: false
-
-Lint/AmbiguousOperator:
-  Enabled: false
-
-Lint/AssignmentInCondition:
-  Enabled: false
-
-Lint/EndAlignment:
-  Enabled: false
-
-Lint/UnusedMethodArgument:
-  AllowUnusedKeywordArguments: true
-
-Metrics/AbcSize:
-  Enabled: false
-
-Metrics/BlockLength:
-  Enabled: false
-
-Metrics/ClassLength:
-  Enabled: false
-
-Metrics/CyclomaticComplexity:
-  Enabled: false
-
-Metrics/LineLength:
-  Max: 140
-
-Metrics/MethodLength:
-  Max: 15
-  Enabled: false
-
-Metrics/ParameterLists:
-  Max: 5
-  CountKeywordArgs: false
-
-Metrics/PerceivedComplexity:
-  Enabled: false
-
-Security/JSONLoad:
-  Enabled: false
-
-Style/AccessorMethodName:
-  Enabled: false
-
-Style/Alias:
-  Enabled: false
-
-Style/BlockDelimiters:
-  EnforcedStyle: semantic
-
-Style/ClassAndModuleChildren:
-  Enabled: false
-
-Style/Documentation:
-  Enabled: false
-
-Style/DoubleNegation:
-  Enabled: false
-
-Style/FileName:
-  Exclude:
-    - 'lib/acme-client.rb'
-
-Style/GlobalVars:
-  Enabled: false
-
-Style/GuardClause:
-  Enabled: false
-
-Style/IfUnlessModifier:
-  Enabled: false
-
-Style/Lambda:
-  Enabled: false
-
-Style/ModuleFunction:
-  Enabled: false
-
-Style/MultilineBlockChain:
-  Enabled: false
-
-Style/MultipleComparison:
-  Enabled: false
-
-Style/MutableConstant:
-  Enabled: false
-
-Style/ParallelAssignment:
-  Enabled: false
-
-Style/PercentLiteralDelimiters:
-  Enabled: false
-
-Style/SignalException:
-  EnforcedStyle: only_raise
-
-Style/SymbolArray:
-  Enabled: false
-
-Style/StringLiterals:
-  Enabled: single_quotes
-
-Style/TrailingCommaInArguments:
-  Enabled: false
-
-Style/TrivialAccessors:
-  AllowPredicates: true

data/lib/acme/client/faraday_middleware.rb

@@ -1,111 +0,0 @@
-# frozen_string_literal: true
-
-class Acme::Client::FaradayMiddleware < Faraday::Middleware
-  attr_reader :env, :response, :client
-
-  CONTENT_TYPE = 'application/jose+json'
-
-  def initialize(app, options)
-    super(app)
-    @client = options.fetch(:client)
-    @mode = options.fetch(:mode)
-  end
-
-  def call(env)
-    @env = env
-    @env[:request_headers]['User-Agent'] = Acme::Client::USER_AGENT
-    @env[:request_headers]['Content-Type'] = CONTENT_TYPE
-
-    if @env.method != :get
-      @env.body = client.jwk.jws(header: jws_header, payload: env.body)
-    end
-
-    @app.call(env).on_complete { |response_env| on_complete(response_env) }
-  rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-    raise Acme::Client::Error::Timeout
-  end
-
-  def on_complete(env)
-    @env = env
-
-    raise_on_not_found!
-    store_nonce
-    env.body = decode_body
-    env.response_headers['Link'] = decode_link_headers
-
-    return if env.success?
-
-    raise_on_error!
-  end
-
-  private
-
-  def jws_header
-    headers = { nonce: pop_nonce, url: env.url.to_s }
-    headers[:kid] = client.kid if @mode == :kid
-    headers
-  end
-
-  def raise_on_not_found!
-    raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
-  end
-
-  def raise_on_error!
-    raise error_class, error_message
-  end
-
-  def error_message
-    if env.body.is_a? Hash
-      env.body['detail']
-    else
-      "Error message: #{env.body}"
-    end
-  end
-
-  def error_class
-    Acme::Client::Error::ACME_ERRORS.fetch(error_name, Acme::Client::Error)
-  end
-
-  def error_name
-    return unless env.body.is_a?(Hash)
-    return unless env.body.key?('type')
-    env.body['type']
-  end
-
-  def decode_body
-    content_type = env.response_headers['Content-Type'].to_s
-
-    if content_type.start_with?('application/json', 'application/problem+json')
-      JSON.load(env.body)
-    else
-      env.body
-    end
-  end
-
-  def decode_link_headers
-    return unless env.response_headers.key?('Link')
-    link_header = env.response_headers['Link']
-    Acme::Client::Util.decode_link_headers(link_header)
-  end
-
-  def store_nonce
-    nonce = env.response_headers['replay-nonce']
-    nonces << nonce if nonce
-  end
-
-  def pop_nonce
-    if nonces.empty?
-      get_nonce
-    end
-
-    nonces.pop
-  end
-
-  def get_nonce
-    client.get_nonce
-  end
-
-  def nonces
-    client.nonces
-  end
-end