acme-client 2.0.3 → 2.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c5cf05983ff0530ff6a437895b70d686deb7ffd8
-  data.tar.gz: 351f8408667c94ff7107f95b48215b589736db34
+SHA256:
+  metadata.gz: 9cb714bd4f0321181c50087f976122251233340d09f4ed612cf91070e0986d70
+  data.tar.gz: db7df58ad9a1e4794bef25dfbc309efad73b9b1cbb6100f77d9552cbb734fb5d
 SHA512:
-  metadata.gz: 419dde577de805c570f1b502ec660eb7734aba59f8243f7e7febc46a2eacc86e5e93d922bca0085dc5eb3cd783e1ccd1927a8b2844c55ed8d12a717d66603f44
-  data.tar.gz: d0a6e1682e3d3bbe04f645e1faf5b6ef11675e24cece7475ec42c134a9aa7c15c85c61e1518c5670793b4dfa42a3aad83234627aa249c7e4c74cba3d44669b22
+  metadata.gz: 8d7eb7d76ea95ab724810af93ad4e79af03fe62752509a793b5310b01b670b7c57f737bbb3a68de72ab4e84f01f9d613e45937a50119ddfe3b0f5d0aa628f45e
+  data.tar.gz: 38b349fdcdb68f5ec493951ec4a480966256e591f6d9cffc4266116bff6d2aed6e8f0e5493acf985f6a81c0cad7c20a69e4d7bd1cedb95357b297cdcfb1b494c

data/.gitignore

@@ -9,3 +9,4 @@
 /tmp/
 /vendor/bundle
 /.idea/
+.tool-versions

data/.rubocop.yml

@@ -7,133 +7,128 @@ AllCops:
 Rails:
   Enabled: false
 
-Style/FileName:
-  Exclude:
-    - 'lib/acme-client.rb'
+Layout/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
 
-Lint/AssignmentInCondition:
+Layout/ElseAlignment:
   Enabled: false
 
-Style/ClassAndModuleChildren:
-  Enabled: false
+Layout/FirstParameterIndentation:
+  EnforcedStyle: consistent
 
-Style/Documentation:
+Layout/IndentationWidth:
   Enabled: false
 
 Layout/MultilineOperationIndentation:
   Enabled: false
 
-Style/SignalException:
-  EnforcedStyle: only_raise
-
-Layout/AlignParameters:
-  EnforcedStyle: with_fixed_indentation
-
-Layout/ElseAlignment:
+Layout/SpaceInsideBlockBraces:
   Enabled: false
 
-Style/MultipleComparison:
+Lint/AmbiguousOperator:
   Enabled: false
 
-Layout/IndentationWidth:
+Lint/AssignmentInCondition:
   Enabled: false
 
-Style/SymbolArray:
+Lint/EndAlignment:
   Enabled: false
 
-Layout/FirstParameterIndentation:
-  EnforcedStyle: consistent
-
-Style/TrailingCommaInArguments:
-  Enabled: false
+Lint/UnusedMethodArgument:
+  AllowUnusedKeywordArguments: true
 
-Style/PercentLiteralDelimiters:
+Metrics/AbcSize:
   Enabled: false
 
 Metrics/BlockLength:
   Enabled: false
 
-Layout/SpaceInsideBlockBraces:
+Metrics/ClassLength:
   Enabled: false
 
-Style/StringLiterals:
-  Enabled: single_quotes
+Metrics/CyclomaticComplexity:
+  Enabled: false
 
 Metrics/LineLength:
   Max: 140
 
+Metrics/MethodLength:
+  Max: 15
+  Enabled: false
+
 Metrics/ParameterLists:
   Max: 5
   CountKeywordArgs: false
 
-Lint/EndAlignment:
+Metrics/PerceivedComplexity:
   Enabled: false
 
-Style/ParallelAssignment:
+Security/JSONLoad:
   Enabled: false
 
-Style/ModuleFunction:
+Style/AccessorMethodName:
   Enabled: false
 
-Style/TrivialAccessors:
-  AllowPredicates: true
-
-Lint/UnusedMethodArgument:
-  AllowUnusedKeywordArguments: true
+Style/Alias:
+  Enabled: false
 
-Metrics/MethodLength:
-  Max: 15
+Style/BlockDelimiters:
+  EnforcedStyle: semantic
 
-Style/DoubleNegation:
+Style/ClassAndModuleChildren:
   Enabled: false
 
-Style/IfUnlessModifier:
+Style/Documentation:
   Enabled: false
 
-Style/MultilineBlockChain:
+Style/DoubleNegation:
   Enabled: false
 
-Style/BlockDelimiters:
-  EnforcedStyle: semantic
+Style/FileName:
+  Exclude:
+    - 'lib/acme-client.rb'
 
-Style/Lambda:
+Style/GlobalVars:
   Enabled: false
 
 Style/GuardClause:
   Enabled: false
 
-Style/Alias:
+Style/IfUnlessModifier:
   Enabled: false
 
-Lint/AmbiguousOperator:
+Style/Lambda:
   Enabled: false
 
-Metrics/MethodLength:
+Style/ModuleFunction:
   Enabled: false
 
-Metrics/PerceivedComplexity:
+Style/MultilineBlockChain:
   Enabled: false
 
-Metrics/CyclomaticComplexity:
+Style/MultipleComparison:
   Enabled: false
 
-Metrics/AbcSize:
+Style/MutableConstant:
   Enabled: false
 
-Metrics/ClassLength:
+Style/ParallelAssignment:
   Enabled: false
 
-Style/MutableConstant:
+Style/PercentLiteralDelimiters:
   Enabled: false
 
-Style/GlobalVars:
-  Enabled: false
+Style/SignalException:
+  EnforcedStyle: only_raise
 
-Style/ExpandPathArguments:
+Style/SymbolArray:
   Enabled: false
 
-Security/JSONLoad:
-  Enabled: false
+Style/StringLiterals:
+  Enabled: single_quotes
 
-Style/AccessorMethodName:
+Style/TrailingCommaInArguments:
   Enabled: false
+
+Style/TrivialAccessors:
+  AllowPredicates: true

data/.travis.yml

@@ -1,8 +1,10 @@
 language: ruby
 cache: bundler
 rvm:
-  - 2.1
-  - 2.2
-  - 2.3.3
-  - 2.4.0
-  - 2.6.1
+  - 2.5
+  - 2.6
+  - 2.7
+
+before_install:
+  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
+  - gem install bundler -v '< 2'

data/CHANGELOG.md

@@ -1,3 +1,28 @@
+## `2.0.8`
+
+* Add support for the keyChange endpoint
+
+https://tools.ietf.org/html/rfc8555#section-7.3.5
+
+
+## `2.0.7`
+
+* Add support for alternate certificate chain
+* Change `Link` headers parsing to return array of value. This add support multiple entries at the same `rel`
+
+## `2.0.6`
+
+* Allow Faraday up to `< 2.0`
+
+## `2.0.5`
+
+* Use post-as-get
+* Remove deprecated keyAuthorization
+
+## `2.0.4`
+
+* Add an option to retry bad nonce errors
+
 ## `2.0.3`
 
 * Do not try to set the body on GET request

data/Gemfile

@@ -1,4 +1,5 @@
 source 'https://rubygems.org'
+
 gemspec
 
 group :development, :test do

data/README.md

@@ -2,7 +2,7 @@
 
 [![Build Status](https://travis-ci.org/unixcharles/acme-client.svg?branch=master)](https://travis-ci.org/unixcharles/acme-client)
 
-`acme-client` is a client implementation of the [ACMEv2](https://github.com/ietf-wg-acme/acme) protocol in Ruby.
+`acme-client` is a client implementation of the ACMEv2 / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
 
 You can find the ACME reference implementations of the [server](https://github.com/letsencrypt/boulder) in Go and the [client](https://github.com/certbot/certbot) in Python.
 
@@ -23,17 +23,26 @@ gem 'acme-client'
 ```
 
 ## Usage
-* [Setting up a client](#setting-up-a-client)
-* [Account management](#account-management)
-* [Obtaining a certificate](#obtaining-a-certificate)
-  * [Ordering a certificate](#ordering-a-certificate)
-  * [Completing an HTTP challenge](#preparing-for-http-challenge)
-  * [Completing an DNS challenge](#preparing-for-dns-challenge)
-  * [Requesting a challenge verification](#requesting-a-challenge-verification)
-  * [Downloading a certificate](#downloading-a-certificate)
-* [Extra](#extra)
-  * [Certificate revokation](#certificate-revokation)
-  * [Certificate renewal](#certificate-renewal)
+- [Acme::Client](#acmeclient)
+  - [Installation](#installation)
+  - [Usage](#usage)
+  - [Setting up a client](#setting-up-a-client)
+  - [Account management](#account-management)
+  - [Obtaining a certificate](#obtaining-a-certificate)
+    - [Ordering a certificate](#ordering-a-certificate)
+    - [Preparing for HTTP challenge](#preparing-for-http-challenge)
+    - [Preparing for DNS challenge](#preparing-for-dns-challenge)
+    - [Requesting a challenge verification](#requesting-a-challenge-verification)
+    - [Downloading a certificate](#downloading-a-certificate)
+    - [Ordering an alternative certificate](#ordering-an-alternative-certificate)
+  - [Extra](#extra)
+    - [Certificate revokation](#certificate-revokation)
+    - [Certificate renewal](#certificate-renewal)
+  - [Not implemented](#not-implemented)
+  - [Requirements](#requirements)
+  - [Development](#development)
+  - [Pull request?](#pull-request)
+  - [License](#license)
 
 ## Setting up a client
 
@@ -91,7 +100,7 @@ account.kid # => <kid string>
 
 If you already have an existing account (for example one created in ACME v1) please note that unless the `kid` is provided at initialization, the client will lazy load the `kid` by doing a `POST` to `newAccount` whenever the `kid` is required. Therefore, you can easily get your `kid` for an existing account and (if needed) store it for reuse:
 
-```
+```ruby
 client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
 
 # kid is not set, therefore a call to newAccount is made to lazy-initialize the kid
@@ -182,10 +191,30 @@ Certificate generation happens asynchronously. You may need to poll.
 ```ruby
 csr = Acme::Client::CertificateRequest.new(private_key: a_different_private_key, subject: { common_name: 'example.com' })
 order.finalize(csr: csr)
-sleep(1) while order.status == 'processing'
+while order.status == 'processing'
+  sleep(1)
+  order.reload
+end
 order.certificate # => PEM-formatted certificate
 ```
 
+### Ordering an alternative certificate
+
+Let's Encrypt is [transitioning](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) to use a new intermediate certificate. Starting January 11, 2021 new certificates will be signed by their own intermediate. To ease the transition on clients Let's Encrypt will continue signing an alternative version of the certificate using the old, cross-signed intermediate until September 29, 2021. In order to utilize an alternative certificate the `Order#certificate` method accepts a `force_chain` keyword argument, which takes the issuer name of the intermediate certificate.
+For example, to download the cross-signed certificate after January 11, 2021, call `Order#certificate` as follows:
+
+```ruby
+begin
+  order.certificate(force_chain: 'DST Root CA X3')
+rescue Acme::Client::Error::ForcedChainNotFound
+  order.certificate
+end
+```
+
+Note: if the specified forced chain doesn't match an existing alternative certificate the method will raise an `Acme::Client::Error::ForcedChainNotFound` error.
+
+Learn more about the original Github issue for this client [here](https://github.com/unixcharles/acme-client/issues/186), information from Let's Encrypt [here](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html), and cross-signing [here](https://letsencrypt.org/certificates/#cross-signing).
+
 ## Extra
 
 ### Certificate revokation
@@ -198,12 +227,18 @@ client.revoke(certificate: certificate)
 
 ### Certificate renewal
 
-The is no renewal process, just create a new order.
+There is no renewal process, just create a new order.
+
 
+### Account Key Roll-over
 
-## Not implemented
+To change the key used for an account you can call `#account_key_change` with the new private key or jwk.
 
-- Account Key Roll-over.
+```ruby
+require 'openssl'
+new_private_key = OpenSSL::PKey::RSA.new(4096)
+client.account_key_change(private_key: new_private_key)
+```
 
 ## Requirements
 
@@ -224,4 +259,3 @@ Yes.
 ## License
 
 [MIT License](http://opensource.org/licenses/MIT)
-

data/acme-client.gemspec

@@ -16,11 +16,15 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.1.0'
 
-  spec.add_development_dependency 'bundler', '~> 1.6', '>= 1.6.9'
-  spec.add_development_dependency 'rake', '~> 10.0'
-  spec.add_development_dependency 'rspec', '~> 3.3', '>= 3.3.0'
-  spec.add_development_dependency 'vcr', '~> 2.9', '>= 2.9.3'
-  spec.add_development_dependency 'webmock', '~> 1.21', '>= 1.21.0'
+  spec.add_development_dependency 'bundler', '>= 1.17.3'
+  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2')
+    spec.add_development_dependency 'rake', '>= 12.0'
+  else
+    spec.add_development_dependency 'rake', '~> 13.0'
+  end
+  spec.add_development_dependency 'rspec', '~> 3.9'
+  spec.add_development_dependency 'vcr', '~> 2.9'
+  spec.add_development_dependency 'webmock', '~> 3.8'
 
-  spec.add_runtime_dependency 'faraday', '~> 0.9', '>= 0.9.1'
+  spec.add_runtime_dependency 'faraday', '>= 0.17', '< 2.0.0'
 end

data/lib/acme/client.rb

@@ -20,6 +20,7 @@ require 'acme/client/faraday_middleware'
 require 'acme/client/jwk'
 require 'acme/client/error'
 require 'acme/client/util'
+require 'acme/client/chain_identifier'
 
 class Acme::Client
   DEFAULT_DIRECTORY = 'http://127.0.0.1:4000/directory'.freeze
@@ -29,7 +30,7 @@ class Acme::Client
     pem: 'application/pem-certificate-chain'
   }
 
-  def initialize(jwk: nil, kid: nil, private_key: nil, directory: DEFAULT_DIRECTORY, connection_options: {})
+  def initialize(jwk: nil, kid: nil, private_key: nil, directory: DEFAULT_DIRECTORY, connection_options: {}, bad_nonce_retry: 0)
     if jwk.nil? && private_key.nil?
       raise ArgumentError, 'must specify jwk or private_key'
     end
@@ -41,6 +42,7 @@ class Acme::Client
     end
 
     @kid, @connection_options = kid, connection_options
+    @bad_nonce_retry = bad_nonce_retry
     @directory = Acme::Client::Resources::Directory.new(URI(directory), @connection_options)
     @nonces ||= []
   end
@@ -83,13 +85,35 @@ class Acme::Client
     Acme::Client::Resources::Account.new(self, url: kid, **arguments)
   end
 
+  def account_key_change(new_private_key: nil, new_jwk: nil)
+    if new_private_key.nil? && new_jwk.nil?
+      raise ArgumentError, 'must specify new_jwk or new_private_key'
+    end
+    old_jwk = jwk
+    new_jwk ||= Acme::Client::JWK.from_private_key(new_private_key)
+
+    inner_payload_header = {
+      url: endpoint_for(:key_change)
+    }
+    inner_payload = {
+      account: kid,
+      oldKey: old_jwk.to_h
+    }
+    payload = JSON.parse(new_jwk.jws(header: inner_payload_header, payload: inner_payload))
+
+    response = post(endpoint_for(:key_change), payload: payload, mode: :kid)
+    arguments = attributes_from_account_response(response)
+    @jwk = new_jwk
+    Acme::Client::Resources::Account.new(self, url: kid, **arguments)
+  end
+
   def account
     @kid ||= begin
       response = post(endpoint_for(:new_account), payload: { onlyReturnExisting: true }, mode: :jwk)
       response.headers.fetch(:location)
     end
 
-    response = post(@kid)
+    response = post_as_get(@kid)
     arguments = attributes_from_account_response(response)
     Acme::Client::Resources::Account.new(self, url: @kid, **arguments)
   end
@@ -100,13 +124,7 @@ class Acme::Client
 
   def new_order(identifiers:, not_before: nil, not_after: nil)
     payload = {}
-    payload['identifiers'] = if identifiers.is_a?(Hash)
-      identifiers
-    else
-      Array(identifiers).map do |identifier|
-        { type: 'dns', value: identifier }
-      end
-    end
+    payload['identifiers'] = prepare_order_identifiers(identifiers)
     payload['notBefore'] = not_before if not_before
     payload['notAfter'] = not_after if not_after
 
@@ -116,7 +134,7 @@ class Acme::Client
   end
 
   def order(url:)
-    response = get(url)
+    response = post_as_get(url)
     arguments = attributes_from_order_response(response)
     Acme::Client::Resources::Order.new(self, **arguments.merge(url: url))
   end
@@ -132,13 +150,28 @@ class Acme::Client
     Acme::Client::Resources::Order.new(self, **arguments)
   end
 
-  def certificate(url:)
+  def certificate(url:, force_chain: nil)
     response = download(url, format: :pem)
-    response.body
+    pem = response.body
+
+    return pem if force_chain.nil?
+
+    return pem if ChainIdentifier.new(pem).match_name?(force_chain)
+
+    alternative_urls = Array(response.headers.dig('link', 'alternate'))
+    alternative_urls.each do |alternate_url|
+      response = download(alternate_url, format: :pem)
+      pem = response.body
+      if ChainIdentifier.new(pem).match_name?(force_chain)
+        return pem
+      end
+    end
+
+    raise Acme::Client::Error::ForcedChainNotFound, "Could not find any matching chain for `#{force_chain}`"
   end
 
   def authorization(url:)
-    response = get(url)
+    response = post_as_get(url)
     arguments = attributes_from_authorization_response(response)
     Acme::Client::Resources::Authorization.new(self, url: url, **arguments)
   end
@@ -150,13 +183,13 @@ class Acme::Client
   end
 
   def challenge(url:)
-    response = get(url)
+    response = post_as_get(url)
     arguments = attributes_from_challenge_response(response)
     Acme::Client::Resources::Challenges.new(self, **arguments)
   end
 
-  def request_challenge_validation(url:, key_authorization:)
-    response = post(url, payload: { keyAuthorization: key_authorization })
+  def request_challenge_validation(url:, key_authorization: nil)
+    response = post(url, payload: {})
     arguments = attributes_from_challenge_response(response)
     Acme::Client::Resources::Challenges.new(self, **arguments)
   end
@@ -205,6 +238,20 @@ class Acme::Client
 
   private
 
+  def prepare_order_identifiers(identifiers)
+    if identifiers.is_a?(Hash)
+      [identifiers]
+    else
+      Array(identifiers).map do |identifier|
+        if identifier.is_a?(String)
+          { type: 'dns', value: identifier }
+        else
+          identifier
+        end
+      end
+    end
+  end
+
   def attributes_from_account_response(response)
     extract_attributes(
       response.body,
@@ -251,14 +298,19 @@ class Acme::Client
     connection.post(url, payload)
   end
 
+  def post_as_get(url, mode: :kid)
+    connection = connection_for(url: url, mode: mode)
+    connection.post(url, nil)
+  end
+
   def get(url, mode: :kid)
     connection = connection_for(url: url, mode: mode)
     connection.get(url)
   end
 
   def download(url, format:)
-    connection = connection_for(url: url, mode: :download)
-    connection.get do |request|
+    connection = connection_for(url: url, mode: :kid)
+    connection.post do |request|
       request.url(url)
       request.headers['Accept'] = CONTENT_TYPES.fetch(format)
     end
@@ -280,6 +332,12 @@ class Acme::Client
 
   def new_connection(endpoint:)
     Faraday.new(endpoint, **@connection_options) do |configuration|
+      if @bad_nonce_retry > 0
+        configuration.request(:retry,
+          max: @bad_nonce_retry,
+          methods: Faraday::Connection::METHODS,
+          exceptions: [Acme::Client::Error::BadNonce])
+      end
       yield(configuration) if block_given?
       configuration.adapter Faraday.default_adapter
     end

data/lib/acme/client/chain_identifier.rb

@@ -0,0 +1,27 @@
+class Acme::Client
+  class ChainIdentifier
+    def initialize(pem_certificate_chain)
+      @pem_certificate_chain = pem_certificate_chain
+    end
+
+    def match_name?(name)
+      issuers.any? do |issuer|
+        issuer.include?(name)
+      end
+    end
+
+    private
+
+    def issuers
+      x509_certificates.map(&:issuer).map(&:to_s)
+    end
+
+    def x509_certificates
+      @x509_certificates ||= splitted_pem_certificates.map { |pem| OpenSSL::X509::Certificate.new(pem) }
+    end
+
+    def splitted_pem_certificates
+      @pem_certificate_chain.each_line.slice_after(/END CERTIFICATE/).map(&:join)
+    end
+  end
+end

data/lib/acme/client/error.rb

@@ -7,6 +7,7 @@ class Acme::Client::Error < StandardError
   class UnsupportedChallengeType < ClientError; end
   class NotFound < ClientError; end
   class CertificateNotReady < ClientError; end
+  class ForcedChainNotFound < ClientError; end
 
   class ServerError < Acme::Client::Error; end
   class BadCSR < ServerError; end

data/lib/acme/client/faraday_middleware.rb

@@ -82,18 +82,10 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
     end
   end
 
-  LINK_MATCH = /<(.*?)>;rel="([\w-]+)"/
-
   def decode_link_headers
     return unless env.response_headers.key?('Link')
     link_header = env.response_headers['Link']
-
-    links = link_header.split(', ').map { |entry|
-      _, link, name = *entry.match(LINK_MATCH)
-      [name, link]
-    }
-
-    Hash[*links.flatten]
+    Acme::Client::Util.decode_link_headers(link_header)
   end
 
   def store_nonce

data/lib/acme/client/jwk/base.rb

@@ -14,10 +14,10 @@ class Acme::Client::JWK::Base
   # payload - A Hash of payload data.
   #
   # Returns a JSON String.
-  def jws(header: {}, payload: {})
+  def jws(header: {}, payload:)
     header = jws_header(header)
     encoded_header = Acme::Client::Util.urlsafe_base64(header.to_json)
-    encoded_payload = Acme::Client::Util.urlsafe_base64(payload.to_json)
+    encoded_payload = Acme::Client::Util.urlsafe_base64(payload.nil? ? '' : payload.to_json)
 
     signature_data = "#{encoded_header}.#{encoded_payload}"
     signature = sign(signature_data)

data/lib/acme/client/jwk/ecdsa.rb

@@ -73,8 +73,10 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
     # BigNumbers
     bns = ints.map(&:value)
 
+    byte_size = (@private_key.group.degree + 7) / 8
+
     # Binary R/S values
-    r, s = bns.map { |bn| [bn.to_s(16)].pack('H*') }
+    r, s = bns.map { |bn| bn.to_s(2).rjust(byte_size, "\x00") }
 
     # JWS wants raw R/S concatenated.
     [r, s].join

data/lib/acme/client/resources/account.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Account
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def kid

data/lib/acme/client/resources/authorization.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Authorization
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def deactivate

data/lib/acme/client/resources/challenges.rb

@@ -4,6 +4,7 @@ module Acme::Client::Resources::Challenges
   require 'acme/client/resources/challenges/base'
   require 'acme/client/resources/challenges/http01'
   require 'acme/client/resources/challenges/dns01'
+  require 'acme/client/resources/challenges/unsupported_challenge'
 
   CHALLENGE_TYPES = {
     'http-01' => Acme::Client::Resources::Challenges::HTTP01,
@@ -11,11 +12,6 @@ module Acme::Client::Resources::Challenges
   }
 
   def self.new(client, type:, **arguments)
-    klass = CHALLENGE_TYPES[type]
-    if klass
-      klass.new(client, **arguments)
-    else
-      { type: type }.merge(arguments)
-    end
+    CHALLENGE_TYPES.fetch(type, Unsupported).new(client, **arguments)
   end
 end

data/lib/acme/client/resources/challenges/base.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Challenges::Base
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def challenge_type
@@ -21,17 +21,9 @@ class Acme::Client::Resources::Challenges::Base
     true
   end
 
-  def send_challenge_vallidation(url:, key_authorization:)
-    @client.request_challenge_validation(
-      url: url,
-      key_authorization: key_authorization
-    ).to_h
-  end
-
   def request_validation
-    assign_attributes(**send_challenge_vallidation(
-      url: url,
-      key_authorization: key_authorization
+    assign_attributes(**send_challenge_validation(
+      url: url
     ))
     true
   end
@@ -42,6 +34,12 @@ class Acme::Client::Resources::Challenges::Base
 
   private
 
+  def send_challenge_validation(url:)
+    @client.request_challenge_validation(
+      url: url
+    ).to_h
+  end
+
   def assign_attributes(status:, url:, token:, error: nil)
     @status = status
     @url = url

data/lib/acme/client/resources/challenges/unsupported_challenge.rb

@@ -0,0 +1,2 @@
+class Acme::Client::Resources::Challenges::Unsupported < Acme::Client::Resources::Challenges::Base
+end

data/lib/acme/client/resources/order.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Order
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def reload
@@ -24,9 +24,9 @@ class Acme::Client::Resources::Order
     true
   end
 
-  def certificate
+  def certificate(force_chain: nil)
     if certificate_url
-      @client.certificate(url: certificate_url)
+      @client.certificate(url: certificate_url, force_chain: force_chain)
     else
       raise Acme::Client::Error::CertificateNotReady, 'No certificate_url to collect the order'
     end

data/lib/acme/client/util.rb

@@ -3,6 +3,17 @@ module Acme::Client::Util
     Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
   end
 
+  LINK_MATCH = /<(.*?)>\s?;\s?rel="([\w-]+)"/
+
+  # See RFC 8288 - https://tools.ietf.org/html/rfc8288#section-3
+  def decode_link_headers(link_header)
+    link_header.split(',').each_with_object({}) { |entry, hash|
+      _, link, name = *entry.match(LINK_MATCH)
+      hash[name] ||= []
+      hash[name].push(link)
+    }
+  end
+
   # Sets public key on CSR or cert.
   #
   # obj  - An OpenSSL::X509::Certificate or OpenSSL::X509::Request instance.

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.3'.freeze
+    VERSION = '2.0.8'.freeze
   end
 end

metadata

@@ -1,69 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.0.8
 platform: ruby
 authors:
 - Charles Barbier
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-24 00:00:00.000000000 Z
+date: 2021-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.6'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.9
+        version: 1.17.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.6'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.9
+        version: 1.17.3
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.3.0
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.3.0
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -71,9 +59,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.9'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.9.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -81,49 +66,40 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.9'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.9.3
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.21'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.21.0
+        version: '3.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.21'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.21.0
+        version: '3.8'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: '0.17'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: '0.17'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 description: 
 email:
 - unixcharles@gmail.com
@@ -148,6 +124,7 @@ files:
 - lib/acme/client.rb
 - lib/acme/client/certificate_request.rb
 - lib/acme/client/certificate_request/ec_key_patch.rb
+- lib/acme/client/chain_identifier.rb
 - lib/acme/client/error.rb
 - lib/acme/client/faraday_middleware.rb
 - lib/acme/client/jwk.rb
@@ -161,6 +138,7 @@ files:
 - lib/acme/client/resources/challenges/base.rb
 - lib/acme/client/resources/challenges/dns01.rb
 - lib/acme/client/resources/challenges/http01.rb
+- lib/acme/client/resources/challenges/unsupported_challenge.rb
 - lib/acme/client/resources/directory.rb
 - lib/acme/client/resources/order.rb
 - lib/acme/client/self_sign_certificate.rb
@@ -185,8 +163,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Client for the ACME protocol.