acme-client 2.0.12 → 2.0.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 409e7fad9385308a4e8127d743897dd27683dfd8c711ea7e252624b0ea5599b5
-  data.tar.gz: 0df61205e809a7a2075cc26618023a5958b4820391408f217f7b34a79eb51391
+  metadata.gz: 6238349e171138af08de444bf08268ab3bebab0c4d0497bee91d9d4a30d397ab
+  data.tar.gz: 9928049d9997c284cec6d75e12bf6b5f07150459775d8f852adbc09b7c923178
 SHA512:
-  metadata.gz: 90caf54c02324bfd5a9e2f41a293956d2fa940208a8cf26aafc26aa19fbd0810e21284c73b408b5a03b97ee41476fa1e424199cf89d07dfe79460f878b118392
-  data.tar.gz: 9d8465df2b32462b17aed637db02a86abdd84d8236c68bd46525aa34473f2583ebd8562a7fb94c4dcca498427a7e0f0de249f30a72162bea661cca7abbd91557
+  metadata.gz: 8543f742ee8fe3822c8c989a7e5f8b1f75473f01a36d7a2218c44b43ebec55fa538beabc4545c4798a7b35005ad1fddbd0ed59dbae6942413812fae9ce625f92
+  data.tar.gz: 77cd41773aa293bcb65ebdb9489c500a06b144e0efb2dc5af23baa8dec8c36c1af32fd9f1c97eb77e40eb4a521a9c904448d5765f64dcbe56a67f4907225aaf3

data/CHANGELOG.md

@@ -1,4 +1,12 @@
-## `2.0.11`
+## `2.0.14`
+
+* Fix Faraday HTTP exceptions leaking out, always raise `Acme::Client::Error` instead
+
+## `2.0.13`
+
+* Add support for External Account Binding
+
+## `2.0.12`
 
 * Update test matrix to current Ruby versions (2.7 to 3.2)
 * Support for Faraday retry 2.x

data/README.md

@@ -106,6 +106,15 @@ client.kid
 => "https://acme-staging-v02.api.letsencrypt.org/acme/acct/000000"
 ```
 
+## External Account Binding support
+
+You can use External Account Binding by providing a `external_account_binding` with a `kid` and `hmac_key`.
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme.zerossl.com/v2/DV90')
+account = client.new_account(contact: 'mailto:info@example.com', terms_of_service_agreed: true, external_account_binding: { kid: "your kid", hmac_key: "your hmac key"})
+```
+
 ## Obtaining a certificate
 ### Ordering a certificate
 
@@ -235,7 +244,7 @@ To change the key used for an account you can call `#account_key_change` with th
 ```ruby
 require 'openssl'
 new_private_key = OpenSSL::PKey::RSA.new(4096)
-client.account_key_change(private_key: new_private_key)
+client.account_key_change(new_private_key: new_private_key)
 ```
 
 ## Requirements

data/lib/acme/client/http_client.rb

@@ -0,0 +1,162 @@
+# frozen_string_literal: true
+
+module Acme::Client::HTTPClient
+  # Creates and returns a new HTTP client, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  options [Hash]
+  # @return [Faraday::Connection]
+  def self.new_connection(url:, options: {})
+    Faraday.new(url, options) do |configuration|
+      configuration.use Acme::Client::HTTPClient::ErrorMiddleware
+
+      yield(configuration) if block_given?
+
+      configuration.headers[:user_agent] = Acme::Client::USER_AGENT
+      configuration.adapter Faraday.default_adapter
+    end
+  end
+
+  # Creates and returns a new HTTP client designed for the Acme-protocol, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  client [Acme::Client]
+  # @param  mode [Symbol]
+  # @param  options [Hash]
+  # @param  bad_nonce_retry [Integer]
+  # @return [Faraday::Connection]
+  def self.new_acme_connection(url:, client:, mode:, options: {}, bad_nonce_retry: 0)
+    new_connection(url: url, options: options) do |configuration|
+      if bad_nonce_retry > 0
+        configuration.request(:retry,
+          max: bad_nonce_retry,
+          methods: Faraday::Connection::METHODS,
+          exceptions: [Acme::Client::Error::BadNonce])
+      end
+
+      configuration.use Acme::Client::HTTPClient::AcmeMiddleware, client: client, mode: mode
+
+      yield(configuration) if block_given?
+    end
+  end
+
+  # ErrorMiddleware ensures the HTTP Client would not raise exceptions outside the Acme namespace.
+  #
+  # Exceptions are rescued and re-packaged as Acme exceptions.
+  class ErrorMiddleware < Faraday::Middleware
+    # Implements the Rack-alike Faraday::Middleware interface.
+    def call(env)
+      @app.call(env)
+    rescue Faraday::TimeoutError, Faraday::ConnectionFailed
+      raise Acme::Client::Error::Timeout
+    end
+  end
+
+  # AcmeMiddleware implements the Acme-protocol requirements for JWK requests.
+  class AcmeMiddleware < Faraday::Middleware
+    attr_reader :env, :response, :client
+
+    CONTENT_TYPE = 'application/jose+json'
+
+    def initialize(app, options)
+      super(app)
+      @client = options.fetch(:client)
+      @mode = options.fetch(:mode)
+    end
+
+    def call(env)
+      @env = env
+      @env[:request_headers]['Content-Type'] = CONTENT_TYPE
+
+      if @env.method != :get
+        @env.body = client.jwk.jws(header: jws_header, payload: env.body)
+      end
+
+      @app.call(env).on_complete { |response_env| on_complete(response_env) }
+    end
+
+    def on_complete(env)
+      @env = env
+
+      raise_on_not_found!
+      store_nonce
+      env.body = decode_body
+      env.response_headers['Link'] = decode_link_headers
+
+      return if env.success?
+
+      raise_on_error!
+    end
+
+    private
+
+    def jws_header
+      headers = { nonce: pop_nonce, url: env.url.to_s }
+      headers[:kid] = client.kid if @mode == :kid
+      headers
+    end
+
+    def raise_on_not_found!
+      raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
+    end
+
+    def raise_on_error!
+      raise error_class, error_message
+    end
+
+    def error_message
+      if env.body.is_a? Hash
+        env.body['detail']
+      else
+        "Error message: #{env.body}"
+      end
+    end
+
+    def error_class
+      Acme::Client::Error::ACME_ERRORS.fetch(error_name, Acme::Client::Error)
+    end
+
+    def error_name
+      return unless env.body.is_a?(Hash)
+      return unless env.body.key?('type')
+      env.body['type']
+    end
+
+    def decode_body
+      content_type = env.response_headers['Content-Type'].to_s
+
+      if content_type.start_with?('application/json', 'application/problem+json')
+        JSON.load(env.body)
+      else
+        env.body
+      end
+    end
+
+    def decode_link_headers
+      return unless env.response_headers.key?('Link')
+      link_header = env.response_headers['Link']
+      Acme::Client::Util.decode_link_headers(link_header)
+    end
+
+    def store_nonce
+      nonce = env.response_headers['replay-nonce']
+      nonces << nonce if nonce
+    end
+
+    def pop_nonce
+      if nonces.empty?
+        get_nonce
+      end
+
+      nonces.pop
+    end
+
+    def get_nonce
+      client.get_nonce
+    end
+
+    def nonces
+      client.nonces
+    end
+  end
+end

data/lib/acme/client/jwk/hmac.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Acme::Client::JWK::HMAC < Acme::Client::JWK::Base
+  # Instantiate a new HMAC JWS.
+  #
+  # key - A string.
+  #
+  # Returns nothing.
+  def initialize(key)
+    @key = key
+  end
+
+  # Sign a message with the private key.
+  #
+  # message - A String message to sign.
+  #
+  # Returns a String signature.
+  def sign(message)
+    OpenSSL::HMAC.digest('SHA256', @key, message)
+  end
+
+  # The name of the algorithm as needed for the `alg` member of a JWS object.
+  #
+  # Returns a String.
+  def jwa_alg
+    # https://tools.ietf.org/html/rfc7518#section-3.1
+    # HMAC using SHA-256
+    'HS256'
+  end
+end

data/lib/acme/client/jwk.rb

@@ -19,3 +19,4 @@ end
 require 'acme/client/jwk/base'
 require 'acme/client/jwk/rsa'
 require 'acme/client/jwk/ecdsa'
+require 'acme/client/jwk/hmac'

data/lib/acme/client/resources/directory.rb

@@ -68,13 +68,8 @@ class Acme::Client::Resources::Directory
   end
 
   def fetch_directory
-    connection = Faraday.new(url: @directory, **@connection_options) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: nil, mode: nil
-
-      configuration.adapter Faraday.default_adapter
-    end
-    connection.headers[:user_agent] = Acme::Client::USER_AGENT
-    response = connection.get(@url)
+    http_client = Acme::Client::HTTPClient.new_acme_connection(url: @directory, options: @connection_options, client: nil, mode: nil)
+    response = http_client.get(@url)
     response.body
   end
 end

data/lib/acme/client/util.rb

@@ -1,4 +1,6 @@
 module Acme::Client::Util
+  extend self
+
   def urlsafe_base64(data)
     Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
   end
@@ -30,6 +32,4 @@ module Acme::Client::Util
       raise ArgumentError, 'priv must be EC or RSA'
     end
   end
-
-  extend self
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.12'.freeze
+    VERSION = '2.0.14'.freeze
   end
 end

data/lib/acme/client.rb

@@ -14,10 +14,10 @@ module Acme; end
 class Acme::Client; end
 
 require 'acme/client/version'
+require 'acme/client/http_client'
 require 'acme/client/certificate_request'
 require 'acme/client/self_sign_certificate'
 require 'acme/client/resources'
-require 'acme/client/faraday_middleware'
 require 'acme/client/jwk'
 require 'acme/client/error'
 require 'acme/client/util'
@@ -50,7 +50,8 @@ class Acme::Client
 
   attr_reader :jwk, :nonces
 
-  def new_account(contact:, terms_of_service_agreed: nil)
+  def new_account(contact:, terms_of_service_agreed: nil, external_account_binding: nil)
+    new_account_endpoint = endpoint_for(:new_account)
     payload = {
       contact: Array(contact)
     }
@@ -59,7 +60,18 @@ class Acme::Client
       payload[:termsOfServiceAgreed] = terms_of_service_agreed
     end
 
-    response = post(endpoint_for(:new_account), payload: payload, mode: :jws)
+    if external_account_binding
+      kid, hmac_key = external_account_binding.values_at(:kid, :hmac_key)
+      if kid.nil? || hmac_key.nil?
+        raise ArgumentError, 'must specify kid and hmac_key key for external_account_binding'
+      end
+
+      hmac = Acme::Client::JWK::HMAC.new(Base64.urlsafe_decode64(hmac_key))
+      external_account_payload = hmac.jws(header: { kid: kid, url: new_account_endpoint }, payload: @jwk)
+      payload[:externalAccountBinding] = JSON.parse(external_account_payload)
+    end
+
+    response = post(new_account_endpoint, payload: payload, mode: :jws)
     @kid = response.headers.fetch(:location)
 
     if response.body.nil? || response.body.empty?
@@ -211,8 +223,8 @@ class Acme::Client
   end
 
   def get_nonce
-    connection = new_connection(endpoint: endpoint_for(:new_nonce))
-    response = connection.head(nil, nil, 'User-Agent' => USER_AGENT)
+    http_client = Acme::Client::HTTPClient.new_connection(url: endpoint_for(:new_nonce))
+    response = http_client.head(nil, nil)
     nonces << response.headers['replay-nonce']
     true
   end
@@ -320,28 +332,12 @@ class Acme::Client
   def connection_for(url:, mode:)
     uri = URI(url)
     endpoint = "#{uri.scheme}://#{uri.hostname}:#{uri.port}"
+
     @connections ||= {}
     @connections[mode] ||= {}
-    @connections[mode][endpoint] ||= new_acme_connection(endpoint: endpoint, mode: mode)
-  end
-
-  def new_acme_connection(endpoint:, mode:)
-    new_connection(endpoint: endpoint) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: self, mode: mode
-    end
-  end
-
-  def new_connection(endpoint:)
-    Faraday.new(endpoint, **@connection_options) do |configuration|
-      if @bad_nonce_retry > 0
-        configuration.request(:retry,
-          max: @bad_nonce_retry,
-          methods: Faraday::Connection::METHODS,
-          exceptions: [Acme::Client::Error::BadNonce])
-      end
-      yield(configuration) if block_given?
-      configuration.adapter Faraday.default_adapter
-    end
+    @connections[mode][endpoint] ||= Acme::Client::HTTPClient.new_acme_connection(
+      url: URI(endpoint), mode: mode, client: self, options: @connection_options, bad_nonce_retry: @bad_nonce_retry
+    )
   end
 
   def fetch_chain(response, limit = 10)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.12
+  version: 2.0.14
 platform: ruby
 authors:
 - Charles Barbier
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2023-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -134,7 +134,7 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.0.0
-description:
+description: 
 email:
 - unixcharles@gmail.com
 executables: []
@@ -161,10 +161,11 @@ files:
 - lib/acme/client/certificate_request/ec_key_patch.rb
 - lib/acme/client/chain_identifier.rb
 - lib/acme/client/error.rb
-- lib/acme/client/faraday_middleware.rb
+- lib/acme/client/http_client.rb
 - lib/acme/client/jwk.rb
 - lib/acme/client/jwk/base.rb
 - lib/acme/client/jwk/ecdsa.rb
+- lib/acme/client/jwk/hmac.rb
 - lib/acme/client/jwk/rsa.rb
 - lib/acme/client/resources.rb
 - lib/acme/client/resources/account.rb
@@ -183,7 +184,7 @@ homepage: http://github.com/unixcharles/acme-client
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -198,8 +199,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
-signing_key:
+rubygems_version: 3.0.3.1
+signing_key: 
 specification_version: 4
 summary: Client for the ACME protocol.
 test_files: []

data/lib/acme/client/faraday_middleware.rb

@@ -1,111 +0,0 @@
-# frozen_string_literal: true
-
-class Acme::Client::FaradayMiddleware < Faraday::Middleware
-  attr_reader :env, :response, :client
-
-  CONTENT_TYPE = 'application/jose+json'
-
-  def initialize(app, options)
-    super(app)
-    @client = options.fetch(:client)
-    @mode = options.fetch(:mode)
-  end
-
-  def call(env)
-    @env = env
-    @env[:request_headers]['User-Agent'] = Acme::Client::USER_AGENT
-    @env[:request_headers]['Content-Type'] = CONTENT_TYPE
-
-    if @env.method != :get
-      @env.body = client.jwk.jws(header: jws_header, payload: env.body)
-    end
-
-    @app.call(env).on_complete { |response_env| on_complete(response_env) }
-  rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-    raise Acme::Client::Error::Timeout
-  end
-
-  def on_complete(env)
-    @env = env
-
-    raise_on_not_found!
-    store_nonce
-    env.body = decode_body
-    env.response_headers['Link'] = decode_link_headers
-
-    return if env.success?
-
-    raise_on_error!
-  end
-
-  private
-
-  def jws_header
-    headers = { nonce: pop_nonce, url: env.url.to_s }
-    headers[:kid] = client.kid if @mode == :kid
-    headers
-  end
-
-  def raise_on_not_found!
-    raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
-  end
-
-  def raise_on_error!
-    raise error_class, error_message
-  end
-
-  def error_message
-    if env.body.is_a? Hash
-      env.body['detail']
-    else
-      "Error message: #{env.body}"
-    end
-  end
-
-  def error_class
-    Acme::Client::Error::ACME_ERRORS.fetch(error_name, Acme::Client::Error)
-  end
-
-  def error_name
-    return unless env.body.is_a?(Hash)
-    return unless env.body.key?('type')
-    env.body['type']
-  end
-
-  def decode_body
-    content_type = env.response_headers['Content-Type'].to_s
-
-    if content_type.start_with?('application/json', 'application/problem+json')
-      JSON.load(env.body)
-    else
-      env.body
-    end
-  end
-
-  def decode_link_headers
-    return unless env.response_headers.key?('Link')
-    link_header = env.response_headers['Link']
-    Acme::Client::Util.decode_link_headers(link_header)
-  end
-
-  def store_nonce
-    nonce = env.response_headers['replay-nonce']
-    nonces << nonce if nonce
-  end
-
-  def pop_nonce
-    if nonces.empty?
-      get_nonce
-    end
-
-    nonces.pop
-  end
-
-  def get_nonce
-    client.get_nonce
-  end
-
-  def nonces
-    client.nonces
-  end
-end