acme-client 2.0.7 → 2.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 718dac85c8139621711a030272097498d04414ca52c9d84544b8bac32179e8a1
-  data.tar.gz: 9e929450733261f291a62b96f5056ed89e8c235cae010805ddccfc3efb17188c
+  metadata.gz: f780d5789f4ea62c093b7b1df25b8a9efeb8b7c3c94fce26205eb79edb8fefa5
+  data.tar.gz: 95118697ef1fcd9a090e822bcc6bb1455c38ebaf392b2b2a7e90928e68cb328a
 SHA512:
-  metadata.gz: f6e77c41a67b3f2fe9d6e373d58e928bfc0ee2523ac7b0ce2beb93167179a0950045cbb0ec4f5d8616527108814001acd0da7909a8bb0df8dac9b6ddde8bfbba
-  data.tar.gz: 9eba181b543cfe437e2043970b2e74cd691944457d43d3c3ea052cf10d3134e59b51aa8ee3522c36f27b25c212797e44e0e29b86f96b13361e98ca07d054ccac
+  metadata.gz: c10643d9a50b74e142bd8748ab77001d292bc789884410cfeac79e10c01911335f5ffd6adb95a2c359d3582fe7cfac4dc02a686a02fbe90154a6644301736d37
+  data.tar.gz: a8ffa05157b5a3ce8cc606dc74592924b13918fefe0f55717ff8018ef13a219eebe1f614c2bdda6b7f097190e3173f8ecdf5a8de48f8462d462b5bcc09a67161

data/.github/workflows/rubocop.yml

@@ -0,0 +1,23 @@
+name: Lint
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['3.0']
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake rubocop

data/.github/workflows/test.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.6', '2.7', '3.0', truffleruby-head]
+        faraday-version: ['~> 1.7', '~> 2.0']
+    env:
+      FARADAY_VERSION: ${{ matrix.faraday-version }}
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## `2.0.10`
+
+* Support for Faraday 1.0 / 2.0
+
+## `2.0.9`
+
+* Support for Ruby 3.0 and Faraday 0.17.x
+* Raise when directory is rate limited
+
+## `2.0.8`
+
+* Add support for the keyChange endpoint
+
+https://tools.ietf.org/html/rfc8555#section-7.3.5
+
+
 ## `2.0.7`
 
 * Add support for alternate certificate chain

data/Gemfile

@@ -2,12 +2,12 @@ source 'https://rubygems.org'
 
 gemspec
 
+if faraday_version = ENV['FARADAY_VERSION']
+  gem 'faraday', faraday_version
+end
+
 group :development, :test do
   gem 'pry'
   gem 'rubocop', '~> 0.49.0'
   gem 'ruby-prof', require: false
-
-  if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('2.2.2')
-    gem 'activesupport', '~> 4.2.6'
-  end
 end

data/README.md

@@ -23,17 +23,26 @@ gem 'acme-client'
 ```
 
 ## Usage
-* [Setting up a client](#setting-up-a-client)
-* [Account management](#account-management)
-* [Obtaining a certificate](#obtaining-a-certificate)
-  * [Ordering a certificate](#ordering-a-certificate)
-  * [Completing an HTTP challenge](#preparing-for-http-challenge)
-  * [Completing an DNS challenge](#preparing-for-dns-challenge)
-  * [Requesting a challenge verification](#requesting-a-challenge-verification)
-  * [Downloading a certificate](#downloading-a-certificate)
-* [Extra](#extra)
-  * [Certificate revokation](#certificate-revokation)
-  * [Certificate renewal](#certificate-renewal)
+- [Acme::Client](#acmeclient)
+  - [Installation](#installation)
+  - [Usage](#usage)
+  - [Setting up a client](#setting-up-a-client)
+  - [Account management](#account-management)
+  - [Obtaining a certificate](#obtaining-a-certificate)
+    - [Ordering a certificate](#ordering-a-certificate)
+    - [Preparing for HTTP challenge](#preparing-for-http-challenge)
+    - [Preparing for DNS challenge](#preparing-for-dns-challenge)
+    - [Requesting a challenge verification](#requesting-a-challenge-verification)
+    - [Downloading a certificate](#downloading-a-certificate)
+    - [Ordering an alternative certificate](#ordering-an-alternative-certificate)
+  - [Extra](#extra)
+    - [Certificate revokation](#certificate-revokation)
+    - [Certificate renewal](#certificate-renewal)
+  - [Not implemented](#not-implemented)
+  - [Requirements](#requirements)
+  - [Development](#development)
+  - [Pull request?](#pull-request)
+  - [License](#license)
 
 ## Setting up a client
 
@@ -91,7 +100,7 @@ account.kid # => <kid string>
 
 If you already have an existing account (for example one created in ACME v1) please note that unless the `kid` is provided at initialization, the client will lazy load the `kid` by doing a `POST` to `newAccount` whenever the `kid` is required. Therefore, you can easily get your `kid` for an existing account and (if needed) store it for reuse:
 
-```
+```ruby
 client = Acme::Client.new(private_key: private_key, directory: 'https://acme-staging-v02.api.letsencrypt.org/directory')
 
 # kid is not set, therefore a call to newAccount is made to lazy-initialize the kid
@@ -189,6 +198,23 @@ end
 order.certificate # => PEM-formatted certificate
 ```
 
+### Ordering an alternative certificate
+
+Let's Encrypt is [transitioning](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) to use a new intermediate certificate. Starting January 11, 2021 new certificates will be signed by their own intermediate. To ease the transition on clients Let's Encrypt will continue signing an alternative version of the certificate using the old, cross-signed intermediate until September 29, 2021. In order to utilize an alternative certificate the `Order#certificate` method accepts a `force_chain` keyword argument, which takes the issuer name of the intermediate certificate.
+For example, to download the cross-signed certificate after January 11, 2021, call `Order#certificate` as follows:
+
+```ruby
+begin
+  order.certificate(force_chain: 'DST Root CA X3')
+rescue Acme::Client::Error::ForcedChainNotFound
+  order.certificate
+end
+```
+
+Note: if the specified forced chain doesn't match an existing alternative certificate the method will raise an `Acme::Client::Error::ForcedChainNotFound` error.
+
+Learn more about the original Github issue for this client [here](https://github.com/unixcharles/acme-client/issues/186), information from Let's Encrypt [here](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html), and cross-signing [here](https://letsencrypt.org/certificates/#cross-signing).
+
 ## Extra
 
 ### Certificate revokation
@@ -204,9 +230,15 @@ client.revoke(certificate: certificate)
 There is no renewal process, just create a new order.
 
 
-## Not implemented
+### Account Key Roll-over
 
-- Account Key Roll-over.
+To change the key used for an account you can call `#account_key_change` with the new private key or jwk.
+
+```ruby
+require 'openssl'
+new_private_key = OpenSSL::PKey::RSA.new(4096)
+client.account_key_change(private_key: new_private_key)
+```
 
 ## Requirements
 
@@ -227,4 +259,3 @@ Yes.
 ## License
 
 [MIT License](http://opensource.org/licenses/MIT)
-

data/acme-client.gemspec

@@ -14,17 +14,15 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.1.0'
+  spec.required_ruby_version = '>= 2.3.0'
 
   spec.add_development_dependency 'bundler', '>= 1.17.3'
-  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2')
-    spec.add_development_dependency 'rake', '>= 12.0'
-  else
-    spec.add_development_dependency 'rake', '~> 13.0'
-  end
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.9'
   spec.add_development_dependency 'vcr', '~> 2.9'
   spec.add_development_dependency 'webmock', '~> 3.8'
+  spec.add_development_dependency 'webrick'
 
-  spec.add_runtime_dependency 'faraday', '>= 0.17', '< 2.0.0'
+  spec.add_runtime_dependency 'faraday', '>= 1.0', '< 3.0.0'
+  spec.add_runtime_dependency 'faraday-retry', '~> 1.0'
 end

data/lib/acme/client/faraday_middleware.rb

@@ -5,10 +5,10 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
 
   CONTENT_TYPE = 'application/jose+json'
 
-  def initialize(app, client:, mode:)
+  def initialize(app, options)
     super(app)
-    @client = client
-    @mode = mode
+    @client = options.fetch(:client)
+    @mode = options.fetch(:mode)
   end
 
   def call(env)

data/lib/acme/client/jwk/ecdsa.rb

@@ -73,8 +73,10 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
     # BigNumbers
     bns = ints.map(&:value)
 
+    byte_size = (@private_key.group.degree + 7) / 8
+
     # Binary R/S values
-    r, s = bns.map { |bn| [bn.to_s(16)].pack('H*') }
+    r, s = bns.map { |bn| bn.to_s(2).rjust(byte_size, "\x00") }
 
     # JWS wants raw R/S concatenated.
     [r, s].join

data/lib/acme/client/resources/directory.rb

@@ -68,9 +68,13 @@ class Acme::Client::Resources::Directory
   end
 
   def fetch_directory
-    connection = Faraday.new(url: @directory, **@connection_options)
+    connection = Faraday.new(url: @directory, **@connection_options) do |configuration|
+      configuration.use Acme::Client::FaradayMiddleware, client: nil, mode: nil
+
+      configuration.adapter Faraday.default_adapter
+    end
     connection.headers[:user_agent] = Acme::Client::USER_AGENT
     response = connection.get(@url)
-    JSON.parse(response.body)
+    response.body
   end
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.7'.freeze
+    VERSION = '2.0.10'.freeze
   end
 end

data/lib/acme/client.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'faraday'
+require 'faraday/retry'
 require 'json'
 require 'openssl'
 require 'digest'
@@ -85,6 +86,28 @@ class Acme::Client
     Acme::Client::Resources::Account.new(self, url: kid, **arguments)
   end
 
+  def account_key_change(new_private_key: nil, new_jwk: nil)
+    if new_private_key.nil? && new_jwk.nil?
+      raise ArgumentError, 'must specify new_jwk or new_private_key'
+    end
+    old_jwk = jwk
+    new_jwk ||= Acme::Client::JWK.from_private_key(new_private_key)
+
+    inner_payload_header = {
+      url: endpoint_for(:key_change)
+    }
+    inner_payload = {
+      account: kid,
+      oldKey: old_jwk.to_h
+    }
+    payload = JSON.parse(new_jwk.jws(header: inner_payload_header, payload: inner_payload))
+
+    response = post(endpoint_for(:key_change), payload: payload, mode: :kid)
+    arguments = attributes_from_account_response(response)
+    @jwk = new_jwk
+    Acme::Client::Resources::Account.new(self, url: kid, **arguments)
+  end
+
   def account
     @kid ||= begin
       response = post(endpoint_for(:new_account), payload: { onlyReturnExisting: true }, mode: :jwk)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 2.0.7
+  version: 2.0.10
 platform: ruby
 authors:
 - Charles Barbier
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-18 00:00:00.000000000 Z
+date: 2022-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,37 +80,66 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 3.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 2.0.0
-description: 
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: faraday-retry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description:
 email:
 - unixcharles@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/rubocop.yml"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -148,7 +177,7 @@ homepage: http://github.com/unixcharles/acme-client
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -156,15 +185,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.1.0
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: Client for the ACME protocol.
 test_files: []

data/.travis.yml

@@ -1,10 +0,0 @@
-language: ruby
-cache: bundler
-rvm:
-  - 2.5
-  - 2.6
-  - 2.7
-
-before_install:
-  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
-  - gem install bundler -v '< 2'