acme-client 2.0.6 → 2.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '09b859082bb56c35a6c050801def72343fe9f9737213155705f691bb044a54cc'
-  data.tar.gz: be387d14e92a862fb79668579d456050cdf0e8e5c36de6726bbd80e073410c41
+  metadata.gz: d1fcaf1206f38a9ded860ad3685de94d3c2743a04222d63a6d5a14ca35146daa
+  data.tar.gz: 766a3bf59e3877a3a4ab457e369f9d09626204afacc8e1b8cb23015cde9ccf12
 SHA512:
-  metadata.gz: 44f195eb5477138c33393704905537d3b2a66f774d5f1c645f88475cfe4b4be4bba082a15b8e99fbfc8266d74901fb38847ec83d440175db3a004ffbb085c9cd
-  data.tar.gz: 76930a35156563532898381603c515f65fb6057b8895b5d2785c88897b75878a319067a26652dee0e33d6a992f75073011b72398a40580b7be493927e11c047e
+  metadata.gz: 814205156a08f49d3481545f35306f63e1f342267f126edc528b22c78ce477b4696fd4a9f401a501bb8ffe33c57f42e8e6826de830e5321289555972d841bcb3
+  data.tar.gz: 493a4a2ebe8803b3949797bd74061d500bb66e7a79c5d62e9dfb98af7b995a46d3a2847c88d14ad7585f8b25567ccdabdf5bdaa25eafdb045a1f3aaed7b05f13

data/.github/workflows/rubocop.yml

@@ -0,0 +1,23 @@
+name: Lint
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['3.0']
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake rubocop

data/.github/workflows/test.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.6', '2.7', '3.0']
+        faraday-version: ['~> 0.17.3', '~> 1.7']
+    env:
+      FARADAY_VERSION: ${{ matrix.faraday-version }}
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+## `2.0.9`
+
+* Support for Ruby 3.0 and Faraday 0.17.x
+* Raise when directory is rate limited
+
+## `2.0.8`
+
+* Add support for the keyChange endpoint
+
+https://tools.ietf.org/html/rfc8555#section-7.3.5
+
+
+## `2.0.7`
+
+* Add support for alternate certificate chain
+* Change `Link` headers parsing to return array of value. This add support multiple entries at the same `rel`
+
 ## `2.0.6`
 
 * Allow Faraday up to `< 2.0`

data/Gemfile

@@ -2,6 +2,10 @@ source 'https://rubygems.org'
 
 gemspec
 
+if faraday_version = ENV['FARADAY_VERSION']
+  gem 'faraday', faraday_version
+end
+
 group :development, :test do
   gem 'pry'
   gem 'rubocop', '~> 0.49.0'

data/README.md

@@ -23,17 +23,26 @@ gem 'acme-client'
 ```
 
 ## Usage
-* [Setting up a client](#setting-up-a-client)
-* [Account management](#account-management)
-* [Obtaining a certificate](#obtaining-a-certificate)
-  * [Ordering a certificate](#ordering-a-certificate)
-  * [Completing an HTTP challenge](#preparing-for-http-challenge)
-  * [Completing an DNS challenge](#preparing-for-dns-challenge)
-  * [Requesting a challenge verification](#requesting-a-challenge-verification)
-  * [Downloading a certificate](#downloading-a-certificate)
-* [Extra](#extra)
-  * [Certificate revokation](#certificate-revokation)
-  * [Certificate renewal](#certificate-renewal)
+- [Acme::Client](#acmeclient)
+  - [Installation](#installation)
+  - [Usage](#usage)
+  - [Setting up a client](#setting-up-a-client)
+  - [Account management](#account-management)
+  - [Obtaining a certificate](#obtaining-a-certificate)
+    - [Ordering a certificate](#ordering-a-certificate)
+    - [Preparing for HTTP challenge](#preparing-for-http-challenge)
+    - [Preparing for DNS challenge](#preparing-for-dns-challenge)
+    - [Requesting a challenge verification](#requesting-a-challenge-verification)
+    - [Downloading a certificate](#downloading-a-certificate)
+    - [Ordering an alternative certificate](#ordering-an-alternative-certificate)
+  - [Extra](#extra)
+    - [Certificate revokation](#certificate-revokation)
+    - [Certificate renewal](#certificate-renewal)
+  - [Not implemented](#not-implemented)
+  - [Requirements](#requirements)
+  - [Development](#development)
+  - [Pull request?](#pull-request)
+  - [License](#license)
 
 ## Setting up a client
 
@@ -91,7 +100,7 @@ account.kid # => <kid string>
 
 If you already have an existing account (for example one created in ACME v1) please note that unless the `kid` is provided at initialization, the client will lazy load the `kid` by doing a `POST` to `newAccount` whenever the `kid` is required. Therefore, you can easily get your `kid` for an existing account and (if needed) store it for reuse:
 
-```
+```ruby
 client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
 
 # kid is not set, therefore a call to newAccount is made to lazy-initialize the kid
@@ -184,11 +193,28 @@ csr = Acme::Client::CertificateRequest.new(private_key: a_different_private_key,
 order.finalize(csr: csr)
 while order.status == 'processing'
   sleep(1)
-  challenge.reload
+  order.reload
 end
 order.certificate # => PEM-formatted certificate
 ```
 
+### Ordering an alternative certificate
+
+Let's Encrypt is [transitioning](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) to use a new intermediate certificate. Starting January 11, 2021 new certificates will be signed by their own intermediate. To ease the transition on clients Let's Encrypt will continue signing an alternative version of the certificate using the old, cross-signed intermediate until September 29, 2021. In order to utilize an alternative certificate the `Order#certificate` method accepts a `force_chain` keyword argument, which takes the issuer name of the intermediate certificate.
+For example, to download the cross-signed certificate after January 11, 2021, call `Order#certificate` as follows:
+
+```ruby
+begin
+  order.certificate(force_chain: 'DST Root CA X3')
+rescue Acme::Client::Error::ForcedChainNotFound
+  order.certificate
+end
+```
+
+Note: if the specified forced chain doesn't match an existing alternative certificate the method will raise an `Acme::Client::Error::ForcedChainNotFound` error.
+
+Learn more about the original Github issue for this client [here](https://github.com/unixcharles/acme-client/issues/186), information from Let's Encrypt [here](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html), and cross-signing [here](https://letsencrypt.org/certificates/#cross-signing).
+
 ## Extra
 
 ### Certificate revokation
@@ -204,9 +230,15 @@ client.revoke(certificate: certificate)
 There is no renewal process, just create a new order.
 
 
-## Not implemented
+### Account Key Roll-over
+
+To change the key used for an account you can call `#account_key_change` with the new private key or jwk.
 
-- Account Key Roll-over.
+```ruby
+require 'openssl'
+new_private_key = OpenSSL::PKey::RSA.new(4096)
+client.account_key_change(private_key: new_private_key)
+```
 
 ## Requirements
 
@@ -227,4 +259,3 @@ Yes.
 ## License
 
 [MIT License](http://opensource.org/licenses/MIT)
-

data/acme-client.gemspec

@@ -25,6 +25,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rspec', '~> 3.9'
   spec.add_development_dependency 'vcr', '~> 2.9'
   spec.add_development_dependency 'webmock', '~> 3.8'
+  spec.add_development_dependency 'webrick'
 
   spec.add_runtime_dependency 'faraday', '>= 0.17', '< 2.0.0'
 end

data/lib/acme/client/chain_identifier.rb

@@ -0,0 +1,27 @@
+class Acme::Client
+  class ChainIdentifier
+    def initialize(pem_certificate_chain)
+      @pem_certificate_chain = pem_certificate_chain
+    end
+
+    def match_name?(name)
+      issuers.any? do |issuer|
+        issuer.include?(name)
+      end
+    end
+
+    private
+
+    def issuers
+      x509_certificates.map(&:issuer).map(&:to_s)
+    end
+
+    def x509_certificates
+      @x509_certificates ||= splitted_pem_certificates.map { |pem| OpenSSL::X509::Certificate.new(pem) }
+    end
+
+    def splitted_pem_certificates
+      @pem_certificate_chain.each_line.slice_after(/END CERTIFICATE/).map(&:join)
+    end
+  end
+end

data/lib/acme/client/error.rb

@@ -7,6 +7,7 @@ class Acme::Client::Error < StandardError
   class UnsupportedChallengeType < ClientError; end
   class NotFound < ClientError; end
   class CertificateNotReady < ClientError; end
+  class ForcedChainNotFound < ClientError; end
 
   class ServerError < Acme::Client::Error; end
   class BadCSR < ServerError; end

data/lib/acme/client/faraday_middleware.rb

@@ -5,10 +5,10 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
 
   CONTENT_TYPE = 'application/jose+json'
 
-  def initialize(app, client:, mode:)
+  def initialize(app, options)
     super(app)
-    @client = client
-    @mode = mode
+    @client = options.fetch(:client)
+    @mode = options.fetch(:mode)
   end
 
   def call(env)
@@ -82,18 +82,10 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
     end
   end
 
-  LINK_MATCH = /<(.*?)>;rel="([\w-]+)"/
-
   def decode_link_headers
     return unless env.response_headers.key?('Link')
     link_header = env.response_headers['Link']
-
-    links = link_header.split(', ').map { |entry|
-      _, link, name = *entry.match(LINK_MATCH)
-      [name, link]
-    }
-
-    Hash[*links.flatten]
+    Acme::Client::Util.decode_link_headers(link_header)
   end
 
   def store_nonce

data/lib/acme/client/jwk/ecdsa.rb

@@ -73,8 +73,10 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
     # BigNumbers
     bns = ints.map(&:value)
 
+    byte_size = (@private_key.group.degree + 7) / 8
+
     # Binary R/S values
-    r, s = bns.map { |bn| [bn.to_s(16)].pack('H*') }
+    r, s = bns.map { |bn| bn.to_s(2).rjust(byte_size, "\x00") }
 
     # JWS wants raw R/S concatenated.
     [r, s].join

data/lib/acme/client/resources/account.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Account
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def kid

data/lib/acme/client/resources/authorization.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Authorization
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def deactivate

data/lib/acme/client/resources/challenges/base.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Challenges::Base
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def challenge_type

data/lib/acme/client/resources/directory.rb

@@ -68,9 +68,13 @@ class Acme::Client::Resources::Directory
   end
 
   def fetch_directory
-    connection = Faraday.new(url: @directory, **@connection_options)
+    connection = Faraday.new(url: @directory, **@connection_options) do |configuration|
+      configuration.use Acme::Client::FaradayMiddleware, client: nil, mode: nil
+
+      configuration.adapter Faraday.default_adapter
+    end
     connection.headers[:user_agent] = Acme::Client::USER_AGENT
     response = connection.get(@url)
-    JSON.parse(response.body)
+    response.body
   end
 end

data/lib/acme/client/resources/order.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Order
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def reload
@@ -24,9 +24,9 @@ class Acme::Client::Resources::Order
     true
   end
 
-  def certificate
+  def certificate(force_chain: nil)
     if certificate_url
-      @client.certificate(url: certificate_url)
+      @client.certificate(url: certificate_url, force_chain: force_chain)
     else
       raise Acme::Client::Error::CertificateNotReady, 'No certificate_url to collect the order'
     end

data/lib/acme/client/util.rb

@@ -3,6 +3,17 @@ module Acme::Client::Util
     Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
   end
 
+  LINK_MATCH = /<(.*?)>\s?;\s?rel="([\w-]+)"/
+
+  # See RFC 8288 - https://tools.ietf.org/html/rfc8288#section-3
+  def decode_link_headers(link_header)
+    link_header.split(',').each_with_object({}) { |entry, hash|
+      _, link, name = *entry.match(LINK_MATCH)
+      hash[name] ||= []
+      hash[name].push(link)
+    }
+  end
+
   # Sets public key on CSR or cert.
   #
   # obj  - An OpenSSL::X509::Certificate or OpenSSL::X509::Request instance.

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.6'.freeze
+    VERSION = '2.0.9'.freeze
   end
 end

data/lib/acme/client.rb

@@ -20,6 +20,7 @@ require 'acme/client/faraday_middleware'
 require 'acme/client/jwk'
 require 'acme/client/error'
 require 'acme/client/util'
+require 'acme/client/chain_identifier'
 
 class Acme::Client
   DEFAULT_DIRECTORY = 'http://127.0.0.1:4000/directory'.freeze
@@ -84,6 +85,28 @@ class Acme::Client
     Acme::Client::Resources::Account.new(self, url: kid, **arguments)
   end
 
+  def account_key_change(new_private_key: nil, new_jwk: nil)
+    if new_private_key.nil? && new_jwk.nil?
+      raise ArgumentError, 'must specify new_jwk or new_private_key'
+    end
+    old_jwk = jwk
+    new_jwk ||= Acme::Client::JWK.from_private_key(new_private_key)
+
+    inner_payload_header = {
+      url: endpoint_for(:key_change)
+    }
+    inner_payload = {
+      account: kid,
+      oldKey: old_jwk.to_h
+    }
+    payload = JSON.parse(new_jwk.jws(header: inner_payload_header, payload: inner_payload))
+
+    response = post(endpoint_for(:key_change), payload: payload, mode: :kid)
+    arguments = attributes_from_account_response(response)
+    @jwk = new_jwk
+    Acme::Client::Resources::Account.new(self, url: kid, **arguments)
+  end
+
   def account
     @kid ||= begin
       response = post(endpoint_for(:new_account), payload: { onlyReturnExisting: true }, mode: :jwk)
@@ -127,9 +150,24 @@ class Acme::Client
     Acme::Client::Resources::Order.new(self, **arguments)
   end
 
-  def certificate(url:)
+  def certificate(url:, force_chain: nil)
     response = download(url, format: :pem)
-    response.body
+    pem = response.body
+
+    return pem if force_chain.nil?
+
+    return pem if ChainIdentifier.new(pem).match_name?(force_chain)
+
+    alternative_urls = Array(response.headers.dig('link', 'alternate'))
+    alternative_urls.each do |alternate_url|
+      response = download(alternate_url, format: :pem)
+      pem = response.body
+      if ChainIdentifier.new(pem).match_name?(force_chain)
+        return pem
+      end
+    end
+
+    raise Acme::Client::Error::ForcedChainNotFound, "Could not find any matching chain for `#{force_chain}`"
   end
 
   def authorization(url:)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.6
+  version: 2.0.9
 platform: ruby
 authors:
 - Charles Barbier
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-05 00:00:00.000000000 Z
+date: 2021-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -107,10 +121,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/rubocop.yml"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -124,6 +139,7 @@ files:
 - lib/acme/client.rb
 - lib/acme/client/certificate_request.rb
 - lib/acme/client/certificate_request/ec_key_patch.rb
+- lib/acme/client/chain_identifier.rb
 - lib/acme/client/error.rb
 - lib/acme/client/faraday_middleware.rb
 - lib/acme/client/jwk.rb
@@ -162,7 +178,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Client for the ACME protocol.

data/.travis.yml

@@ -1,14 +0,0 @@
-language: ruby
-cache: bundler
-rvm:
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - 2.7
-
-before_install:
-  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
-  - gem install bundler -v '< 2'