acme-client 2.0.9 → 2.0.31

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d1fcaf1206f38a9ded860ad3685de94d3c2743a04222d63a6d5a14ca35146daa
-  data.tar.gz: 766a3bf59e3877a3a4ab457e369f9d09626204afacc8e1b8cb23015cde9ccf12
+  metadata.gz: 55d60fbf24893ea26c59535b2ffe6041916e678d4bbea5982666c5f9eb0f2bae
+  data.tar.gz: b62818cd2dc3ca8b9676e7ec355dfcec40eaf90b3f9b7abc26b2dddea0cc4473
 SHA512:
-  metadata.gz: 814205156a08f49d3481545f35306f63e1f342267f126edc528b22c78ce477b4696fd4a9f401a501bb8ffe33c57f42e8e6826de830e5321289555972d841bcb3
-  data.tar.gz: 493a4a2ebe8803b3949797bd74061d500bb66e7a79c5d62e9dfb98af7b995a46d3a2847c88d14ad7585f8b25567ccdabdf5bdaa25eafdb045a1f3aaed7b05f13
+  metadata.gz: b3311579f5f990f433e2ede868ce5baf6ce910eb38b19889107436a0dea91f7d96c36619e6039e0e4b4382402e8bc81dce939fee0f915c850b068b80ced67c1d
+  data.tar.gz: 45b7de2260bad0703cfa5f865a33e5367789cde176e0a906224fc7e7ad29ba5eeb9f756ce79b29719460c03264c26c5808702737be912d2f5df9cce38003b2f9

data/CHANGELOG.md

@@ -1,3 +1,99 @@
+## `2.0.31`
+
+* Expose Retry-After header on all
+* ARI improvement
+* Expose full error message on Error#acme_error_body
+* Expose error subproblems (RFC7807) on Error#subproblems
+
+## `2.0.30`
+
+* Add a default message to RateLimited error
+
+This fix avoid argument error on RateLimited object when stubbing without passing arguments.
+
+## `2.0.29`
+
+* IP support to the CertificateRequest helper
+
+## `2.0.28`
+
+*  Make [Retry-After](https://datatracker.ietf.org/doc/html/rfc8555/#section-6.6) accessible from RateLimited#retry_after exceptions
+
+## `2.0.27`
+
+*  Add support for Renewal Information (ARI) (RFC 9773)
+
+## `2.0.26`
+
+* Add support for dns-account-01 challenge (RFC draft-ietf-acme-dns-account-label-01)
+
+## `2.0.25`
+
+* Add support for profiles extension
+
+## `2.0.24`
+
+* Add support for account orders url attribute.
+
+## `2.0.23`
+
+* Allow Order to be create without url. Location is not always required in the specification. 
+
+## `2.0.22`
+
+* Loosen base64 dependency constraint
+
+## `2.0.21`
+
+* Add validated attribute to challenges
+
+## `2.0.20`
+
+* Add OrderNotReady exception
+
+## `2.0.19`
+
+* Fix an issue CSR generation. Version should be set to zero according to the spec. It's causing issue with some ACME server implementation.
+
+## `2.0.18`
+
+* Fix an issue public key encoding. `OpenSSL::BN` cause keys with leading zero to fail.
+
+## `2.0.17`
+
+* Fix bug where depending on call order `jws` get generated with the wrong `kid`
+
+## `2.0.16`
+
+* Refactor Directory
+* Fix an issue where the client would crash when ACME provider return nonce for directory endpoint
+
+## `2.0.15`
+
+* Also pass connection_options to Faraday for Client#get_nonce
+
+
+## `2.0.14`
+
+* Fix Faraday HTTP exceptions leaking out, always raise `Acme::Client::Error` instead
+
+## `2.0.13`
+
+* Add support for External Account Binding
+
+## `2.0.12`
+
+* Update test matrix to current Ruby versions (2.7 to 3.2)
+* Support for Faraday retry 2.x
+
+## `2.0.11`
+
+* Add support for error code `AlreadyRevoked` and `BadPublicKey`
+
+## `2.0.10`
+
+* Support for Faraday 1.0 / 2.0
+
 ## `2.0.9`
 
 * Support for Ruby 3.0 and Faraday 0.17.x

data/Gemfile

@@ -8,10 +8,5 @@ end
 
 group :development, :test do
   gem 'pry'
-  gem 'rubocop', '~> 0.49.0'
   gem 'ruby-prof', require: false
-
-  if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('2.2.2')
-    gem 'activesupport', '~> 4.2.6'
-  end
 end

data/README.md

@@ -1,15 +1,11 @@
 # Acme::Client
 
-[![Build Status](https://travis-ci.org/unixcharles/acme-client.svg?branch=master)](https://travis-ci.org/unixcharles/acme-client)
-
-`acme-client` is a client implementation of the ACMEv2 / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
+`acme-client` is a client implementation of the ACME / [RFC 8555](https://tools.ietf.org/html/rfc8555) protocol in Ruby.
 
 You can find the ACME reference implementations of the [server](https://github.com/letsencrypt/boulder) in Go and the [client](https://github.com/certbot/certbot) in Python.
 
 ACME is part of the [Letsencrypt](https://letsencrypt.org/) project, which goal is to provide free SSL/TLS certificates with automation of the acquiring and renewal process.
 
-You can find ACMEv1 compatible client in the [acme-v1](https://github.com/unixcharles/acme-client/tree/acme-v1) branch.
-
 ## Installation
 
 Via RubyGems:
@@ -108,6 +104,15 @@ client.kid
 => "https://acme-staging-v02.api.letsencrypt.org/acme/acct/000000"
 ```
 
+## External Account Binding support
+
+You can use External Account Binding by providing a `external_account_binding` with a `kid` and `hmac_key`.
+
+```ruby
+client = Acme::Client.new(private_key: private_key, directory: 'https://acme.zerossl.com/v2/DV90')
+account = client.new_account(contact: 'mailto:info@example.com', terms_of_service_agreed: true, external_account_binding: { kid: "your kid", hmac_key: "your hmac key"})
+```
+
 ## Obtaining a certificate
 ### Ordering a certificate
 
@@ -115,9 +120,11 @@ To order a new certificate, the client must provide a list of identifiers.
 
 The returned order will contain a list of `Authorization` that need to be completed in other to finalize the order, generally one per identifier.
 
-Each authorization contains multiple challenges, typically a `dns-01` and a `http-01` challenge. The applicant is only required to complete one of the challenges.
+Each authorization contains multiple challenges, typically a `dns-01`, `dns-account-01`, and a `http-01` challenge. The applicant is only required to complete one of the challenges.
 
-You can access the challenge you wish to complete using the `#dns` or `#http` method.
+The `dns-account-01` challenge prepends an account-specific label before `_acme-challenge`, producing a record name of the form `_<label>._acme-challenge` so different clients can validate the same domain concurrently.
+
+You can access the challenge you wish to complete using the `#dns`, `#dns_account`, or `#http` methods.
 
 ```ruby
 order = client.new_order(identifiers: ['example.com'])
@@ -160,6 +167,25 @@ dns_challenge.record_type # => 'TXT'
 dns_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
 ```
 
+### Preparing for DNS-Account-01 challenge
+
+To complete the DNS-Account-01 challenge, you must set a DNS TXT record using an account-specific name. This allows multiple ACME clients to validate the same domain concurrently without conflicts.
+
+The DNSAccount01 object has utility methods to generate the required DNS record:
+
+```ruby
+dns_account_challenge = authorization.dns_account
+
+dns_account_challenge.record_name    # => '_ujmmovf2vn55tgye._acme-challenge'
+dns_account_challenge.record_type    # => 'TXT'
+dns_account_challenge.record_content # => 'HRV3PS5sRDyV-ous4HJk4z24s5JjmUTjcCaUjFt28-8'
+```
+
+The record name includes an account-specific label derived from your account URL, ensuring different clients can validate simultaneously:
+
+- **DNS-01**: `_acme-challenge.example.com` (shared)
+- **DNS-Account-01**: `_ujmmovf2vn55tgye._acme-challenge.example.com` (account-specific)
+
 ### Requesting a challenge verification
 
 Once you are ready to complete the challenge, you can request the server perform the verification.
@@ -200,8 +226,7 @@ order.certificate # => PEM-formatted certificate
 
 ### Ordering an alternative certificate
 
-Let's Encrypt is [transitioning](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) to use a new intermediate certificate. Starting January 11, 2021 new certificates will be signed by their own intermediate. To ease the transition on clients Let's Encrypt will continue signing an alternative version of the certificate using the old, cross-signed intermediate until September 29, 2021. In order to utilize an alternative certificate the `Order#certificate` method accepts a `force_chain` keyword argument, which takes the issuer name of the intermediate certificate.
-For example, to download the cross-signed certificate after January 11, 2021, call `Order#certificate` as follows:
+The provider may provide alternate certificate with different certificate chain. You can specify the required chain and the client will automatically download alternate certificate and match the chain by name.
 
 ```ruby
 begin
@@ -237,12 +262,28 @@ To change the key used for an account you can call `#account_key_change` with th
 ```ruby
 require 'openssl'
 new_private_key = OpenSSL::PKey::RSA.new(4096)
-client.account_key_change(private_key: new_private_key)
+client.account_key_change(new_private_key: new_private_key)
 ```
 
+### Profile Extension
+
+Provide a CA profile when creating a new order:
+
+```ruby
+order = client.new_order(identifiers: ['example.com'], profile: 'shortlived')
+```
+
+ACME servers may list supported profiles in the directory endpoint:
+
+```ruby
+client.profiles => {"classic": "https://example.com/docs/classic", "shortlived": "https://example.com/docs/shortlived"}
+```
+
+See the [RFC draft of certificate profiles](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/) for more info.
+
 ## Requirements
 
-Ruby >= 2.1
+Ruby >= 3.0
 
 ## Development
 

data/Rakefile

@@ -3,7 +3,4 @@ require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
-require 'rubocop/rake_task'
-RuboCop::RakeTask.new
-
-task default: [:spec, :rubocop]
+task default: [:spec]

data/acme-client.gemspec

@@ -11,21 +11,19 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'http://github.com/unixcharles/acme-client'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) || f.start_with?('.') }
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.1.0'
+  spec.required_ruby_version = '>= 2.3.0'
 
-  spec.add_development_dependency 'bundler', '>= 1.17.3'
-  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2')
-    spec.add_development_dependency 'rake', '>= 12.0'
-  else
-    spec.add_development_dependency 'rake', '~> 13.0'
-  end
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.9'
-  spec.add_development_dependency 'vcr', '~> 2.9'
+  spec.add_development_dependency 'vcr', '~> 6.0'
+  spec.add_development_dependency 'bigdecimal'
   spec.add_development_dependency 'webmock', '~> 3.8'
-  spec.add_development_dependency 'webrick'
+  spec.add_development_dependency 'webrick', '~> 1.7'
 
-  spec.add_runtime_dependency 'faraday', '>= 0.17', '< 2.0.0'
+  spec.add_runtime_dependency 'base64', '~> 0.2'
+  spec.add_runtime_dependency 'faraday', '>= 1.0', '< 3.0.0'
+  spec.add_runtime_dependency 'faraday-retry', '>= 1.0', '< 3.0.0'
 end

data/bin/generate_keystash

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'acme-client'
+
+require File.join(File.dirname(__FILE__), '../spec/support/ssl_helper')
+
+
+SSLHelper::KEYSTASH.generate_keystash!(size: 200)

data/lib/acme/client/certificate_request.rb

@@ -89,7 +89,7 @@ class Acme::Client::CertificateRequest
       end
       csr.public_key = @private_key
       csr.subject = generate_subject
-      csr.version = 2
+      csr.version = 0
       add_extension(csr)
       csr.sign @private_key, @digest
     end
@@ -104,8 +104,15 @@ class Acme::Client::CertificateRequest
   end
 
   def add_extension(csr)
+    san = @names.map do |name|
+      if valid_ip_address?(name)
+        "IP:#{name}"
+      else
+        "DNS:#{name}"
+      end
+    end
     extension = OpenSSL::X509::ExtensionFactory.new.create_extension(
-      'subjectAltName', @names.map { |name| "DNS:#{name}" }.join(', '), false
+      'subjectAltName', san.join(', '), false
     )
     csr.add_attribute(
       OpenSSL::X509::Attribute.new(
@@ -116,4 +123,14 @@ class Acme::Client::CertificateRequest
   end
 end
 
+def valid_ip_address?(address)
+  require 'ipaddr'
+  begin
+    ip = IPAddr.new(address)
+    true
+  rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
+    false
+  end
+end
+
 require 'acme/client/certificate_request/ec_key_patch'

data/lib/acme/client/error/rate_limited.rb

@@ -0,0 +1,15 @@
+class Acme::Client::Error::RateLimited < Acme::Client::Error::ServerError
+  DEFAULT_MESSAGE = 'Error message: urn:ietf:params:acme:error:rateLimited'
+  DEFAULT_RETRY_SECONDS = 10
+
+  def initialize(message = DEFAULT_MESSAGE, retry_after = nil, acme_error_body: nil, subproblems: nil)
+    retry_after_time = case retry_after
+                       when Time then retry_after
+                       when nil then Time.now + DEFAULT_RETRY_SECONDS
+                       else Acme::Client::Util.parse_retry_after(retry_after) || Time.now + DEFAULT_RETRY_SECONDS
+                       end
+    int_retry_after = retry_after.nil? ? DEFAULT_RETRY_SECONDS : [(retry_after_time - Time.now).ceil, 0].max
+    super(message, retry_after: int_retry_after, acme_error_body: acme_error_body, subproblems: subproblems)
+    @retry_after_time = retry_after_time
+  end
+end

data/lib/acme/client/error.rb

@@ -1,4 +1,36 @@
 class Acme::Client::Error < StandardError
+  attr_reader :retry_after, :retry_after_time, :subproblems, :acme_error_body
+
+  Subproblem = Struct.new(:type, :detail, :identifier, keyword_init: true) do
+    def to_h
+      { type: type, detail: detail, identifier: identifier }
+    end
+  end
+
+  def initialize(message = nil, retry_after: nil, acme_error_body: nil, subproblems: nil)
+    super(message)
+    @retry_after_time = Acme::Client::Util.parse_retry_after(retry_after)
+    @retry_after = @retry_after_time ? [(@retry_after_time - Time.now).ceil, 0].max : nil
+    @acme_error_body = acme_error_body
+    @subproblems = parse_subproblems(subproblems)
+  end
+
+  private
+
+  def parse_subproblems(raw)
+    return [] if raw.nil? || !raw.is_a?(Array)
+
+    raw.map do |sp|
+      Subproblem.new(
+        type: sp['type'],
+        detail: sp['detail'],
+        identifier: sp['identifier']
+      )
+    end
+  end
+
+  public
+
   class Timeout < Acme::Client::Error; end
 
   class ClientError < Acme::Client::Error; end
@@ -8,10 +40,15 @@ class Acme::Client::Error < StandardError
   class NotFound < ClientError; end
   class CertificateNotReady < ClientError; end
   class ForcedChainNotFound < ClientError; end
+  class OrderNotReady < ClientError; end
+  class OrderUrlNil < ClientError; end
 
   class ServerError < Acme::Client::Error; end
+  class AlreadyReplaced < ServerError; end
+  class AlreadyRevoked < ServerError; end
   class BadCSR < ServerError; end
   class BadNonce < ServerError; end
+  class BadPublicKey < ServerError; end
   class BadSignatureAlgorithm < ServerError; end
   class InvalidContact < ServerError; end
   class UnsupportedContact < ServerError; end
@@ -32,14 +69,18 @@ class Acme::Client::Error < StandardError
   class IncorrectResponse < ServerError; end
 
   ACME_ERRORS = {
+    'urn:ietf:params:acme:error:alreadyReplaced' => AlreadyReplaced,
+    'urn:ietf:params:acme:error:alreadyRevoked' => AlreadyRevoked,
     'urn:ietf:params:acme:error:badCSR' => BadCSR,
     'urn:ietf:params:acme:error:badNonce' => BadNonce,
+    'urn:ietf:params:acme:error:badPublicKey' => BadPublicKey,
     'urn:ietf:params:acme:error:badSignatureAlgorithm' => BadSignatureAlgorithm,
     'urn:ietf:params:acme:error:invalidContact' => InvalidContact,
     'urn:ietf:params:acme:error:unsupportedContact' => UnsupportedContact,
     'urn:ietf:params:acme:error:externalAccountRequired' => ExternalAccountRequired,
     'urn:ietf:params:acme:error:accountDoesNotExist' => AccountDoesNotExist,
     'urn:ietf:params:acme:error:malformed' => Malformed,
+    'urn:ietf:params:acme:error:orderNotReady' => OrderNotReady,
     'urn:ietf:params:acme:error:rateLimited' => RateLimited,
     'urn:ietf:params:acme:error:rejectedIdentifier' => RejectedIdentifier,
     'urn:ietf:params:acme:error:serverInternal' => ServerInternal,

data/lib/acme/client/http_client.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+module Acme::Client::HTTPClient
+  # Creates and returns a new HTTP client, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  options [Hash]
+  # @return [Faraday::Connection]
+  def self.new_connection(url:, options: {})
+    Faraday.new(url, options) do |configuration|
+      configuration.use Acme::Client::HTTPClient::ErrorMiddleware
+
+      yield(configuration) if block_given?
+
+      configuration.headers[:user_agent] = Acme::Client::USER_AGENT
+      configuration.adapter Faraday.default_adapter
+    end
+  end
+
+  # Creates and returns a new HTTP client designed for the Acme-protocol, with default settings.
+  #
+  # @param  url [URI:HTTPS]
+  # @param  client [Acme::Client]
+  # @param  mode [Symbol]
+  # @param  options [Hash]
+  # @param  bad_nonce_retry [Integer]
+  # @return [Faraday::Connection]
+  def self.new_acme_connection(url:, client:, mode:, options: {}, bad_nonce_retry: 0)
+    new_connection(url: url, options: options) do |configuration|
+      if bad_nonce_retry > 0
+        configuration.request(:retry,
+          max: bad_nonce_retry,
+          methods: Faraday::Connection::METHODS,
+          exceptions: [Acme::Client::Error::BadNonce])
+      end
+
+      configuration.use Acme::Client::HTTPClient::AcmeMiddleware, client: client, mode: mode
+
+      yield(configuration) if block_given?
+    end
+  end
+
+  # ErrorMiddleware ensures the HTTP Client would not raise exceptions outside the Acme namespace.
+  #
+  # Exceptions are rescued and re-packaged as Acme exceptions.
+  class ErrorMiddleware < Faraday::Middleware
+    # Implements the Rack-alike Faraday::Middleware interface.
+    def call(env)
+      @app.call(env)
+    rescue Faraday::TimeoutError, Faraday::ConnectionFailed
+      raise Acme::Client::Error::Timeout
+    end
+  end
+
+  # AcmeMiddleware implements the Acme-protocol requirements for JWK requests.
+  class AcmeMiddleware < Faraday::Middleware
+    attr_reader :env, :response, :client
+
+    CONTENT_TYPE = 'application/jose+json'
+
+    def initialize(app, options)
+      super(app)
+      @client = options.fetch(:client)
+      @mode = options.fetch(:mode)
+    end
+
+    def call(env)
+      @env = env
+      @env[:request_headers]['Content-Type'] = CONTENT_TYPE
+
+      if @env.method != :get
+        @env.body = client.jwk.jws(header: jws_header, payload: env.body)
+      end
+
+      @app.call(env).on_complete { |response_env| on_complete(response_env) }
+    end
+
+    def on_complete(env)
+      @env = env
+
+      raise_on_not_found!
+      store_nonce
+      env.body = decode_body
+      env.response_headers['Link'] = decode_link_headers
+
+      return if env.success?
+
+      raise_on_error!
+    end
+
+    private
+
+    def jws_header
+      headers = { nonce: pop_nonce, url: env.url.to_s }
+      headers[:kid] = client.kid if @mode == :kid
+      headers
+    end
+
+    def raise_on_not_found!
+      raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
+    end
+
+    def raise_on_error!
+      retry_after = env.response_headers['retry-after']
+      body = env.body.is_a?(Hash) ? env.body : nil
+      subproblems = error_subproblems
+      if error_class == Acme::Client::Error::RateLimited
+        raise error_class.new(error_message, retry_after, acme_error_body: body, subproblems: subproblems)
+      end
+      raise error_class.new(error_message, retry_after: retry_after, acme_error_body: body, subproblems: subproblems)
+    end
+
+    def error_message
+      if env.body.is_a? Hash
+        env.body['detail']
+      else
+        "Error message: #{env.body}"
+      end
+    end
+
+    def error_class
+      Acme::Client::Error::ACME_ERRORS.fetch(error_name, Acme::Client::Error)
+    end
+
+    def error_name
+      return unless env.body.is_a?(Hash)
+      return unless env.body.key?('type')
+      env.body['type']
+    end
+
+    def error_subproblems
+      return unless env.body.is_a?(Hash)
+      env.body['subproblems']
+    end
+
+    def decode_body
+      content_type = env.response_headers['Content-Type'].to_s
+
+      if content_type.start_with?('application/json', 'application/problem+json')
+        JSON.load(env.body)
+      else
+        env.body
+      end
+    end
+
+    def decode_link_headers
+      return unless env.response_headers.key?('Link')
+      link_header = env.response_headers['Link']
+      Acme::Client::Util.decode_link_headers(link_header)
+    end
+
+    def store_nonce
+      nonce = env.response_headers['replay-nonce']
+      nonces << nonce if nonce
+    end
+
+    def pop_nonce
+      if nonces.empty?
+        get_nonce
+      end
+
+      nonces.pop
+    end
+
+    def get_nonce
+      client.get_nonce
+    end
+
+    def nonces
+      client.nonces
+    end
+  end
+end

data/lib/acme/client/jwk/ecdsa.rb

@@ -50,8 +50,8 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
     {
       crv: @curve_params[:jwa_crv],
       kty: 'EC',
-      x: Acme::Client::Util.urlsafe_base64(coordinates[:x].to_s(2)),
-      y: Acme::Client::Util.urlsafe_base64(coordinates[:y].to_s(2))
+      x: Acme::Client::Util.urlsafe_base64(coordinates[:x]),
+      y: Acme::Client::Util.urlsafe_base64(coordinates[:y])
     }
   end
 
@@ -92,8 +92,8 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
       hex_y = hex[2 + data_len / 2, data_len / 2]
 
       {
-        x: OpenSSL::BN.new([hex_x].pack('H*'), 2),
-        y: OpenSSL::BN.new([hex_y].pack('H*'), 2)
+        x: [hex_x].pack('H*'),
+        y: [hex_y].pack('H*')
       }
     end
   end

data/lib/acme/client/jwk/hmac.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Acme::Client::JWK::HMAC < Acme::Client::JWK::Base
+  # Instantiate a new HMAC JWS.
+  #
+  # key - A string.
+  #
+  # Returns nothing.
+  def initialize(key)
+    @key = key
+  end
+
+  # Sign a message with the private key.
+  #
+  # message - A String message to sign.
+  #
+  # Returns a String signature.
+  def sign(message)
+    OpenSSL::HMAC.digest('SHA256', @key, message)
+  end
+
+  # The name of the algorithm as needed for the `alg` member of a JWS object.
+  #
+  # Returns a String.
+  def jwa_alg
+    # https://tools.ietf.org/html/rfc7518#section-3.1
+    # HMAC using SHA-256
+    'HS256'
+  end
+end

data/lib/acme/client/jwk.rb

@@ -19,3 +19,4 @@ end
 require 'acme/client/jwk/base'
 require 'acme/client/jwk/rsa'
 require 'acme/client/jwk/ecdsa'
+require 'acme/client/jwk/hmac'

data/lib/acme/client/resources/account.rb

@@ -34,16 +34,18 @@ class Acme::Client::Resources::Account
       url: url,
       term_of_service: term_of_service,
       status: status,
-      contact: contact
+      contact: contact,
+      orders: orders_url
     }
   end
 
   private
 
-  def assign_attributes(url:, term_of_service:, status:, contact:)
+  def assign_attributes(url:, term_of_service:, status:, contact:, orders: nil)
     @url = url
     @term_of_service = term_of_service
     @status = status
     @contact = Array(contact)
+    @orders_url = orders
   end
 end