acme-client 2.0.9 → 2.0.31

data/lib/acme/client/resources/authorization.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class Acme::Client::Resources::Authorization
-  attr_reader :url, :identifier, :domain, :expires, :status, :wildcard
+  attr_reader :url, :identifier, :domain, :expires, :status, :wildcard, :retry_after, :retry_after_time
 
   def initialize(client, **arguments)
     @client = client
@@ -38,6 +38,13 @@ class Acme::Client::Resources::Authorization
   end
   alias_method :dns, :dns01
 
+  def dns_account_01
+    @dns_account_01 ||= challenges.find { |challenge|
+      challenge.is_a?(Acme::Client::Resources::Challenges::DNSAccount01)
+    }
+  end
+  alias_method :dns_account, :dns_account_01
+
   def to_h
     {
       url: url,
@@ -45,7 +52,8 @@ class Acme::Client::Resources::Authorization
       status: status,
       expires: expires,
       challenges: @challenges,
-      wildcard: wildcard
+      wildcard: wildcard,
+      retry_after: retry_after
     }
   end
 
@@ -56,13 +64,13 @@ class Acme::Client::Resources::Authorization
       type: attributes.fetch('type'),
       status: attributes.fetch('status'),
       url: attributes.fetch('url'),
-      token: attributes.fetch('token'),
+      token: attributes.fetch('token', nil),
       error: attributes['error']
     }
     Acme::Client::Resources::Challenges.new(@client, **arguments)
   end
 
-  def assign_attributes(url:, status:, expires:, challenges:, identifier:, wildcard: false)
+  def assign_attributes(url:, status:, expires:, challenges:, identifier:, wildcard: false, retry_after: nil)
     @url = url
     @identifier = identifier
     @domain = identifier.fetch('value')
@@ -70,5 +78,7 @@ class Acme::Client::Resources::Authorization
     @expires = expires
     @challenges = challenges
     @wildcard = wildcard
+    @retry_after = retry_after
+    @retry_after_time = Acme::Client::Util.parse_retry_after(retry_after)
   end
 end

data/lib/acme/client/resources/challenges/base.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class Acme::Client::Resources::Challenges::Base
-  attr_reader :status, :url, :token, :error
+  attr_reader :status, :url, :token, :error, :validated, :retry_after, :retry_after_time
 
   def initialize(client, **arguments)
     @client = client
@@ -28,8 +28,17 @@ class Acme::Client::Resources::Challenges::Base
     true
   end
 
+  def typed_error
+    return nil unless error
+
+    error_type = error['type']
+    error_detail = error['detail'] || 'Unknown error'
+    error_class = Acme::Client::Error::ACME_ERRORS.fetch(error_type, Acme::Client::Error)
+    error_class.new(error_detail)
+  end
+
   def to_h
-    { status: status, url: url, token: token, error: error }
+    { status: status, url: url, token: token, error: error, validated: validated, retry_after: retry_after }
   end
 
   private
@@ -40,10 +49,13 @@ class Acme::Client::Resources::Challenges::Base
     ).to_h
   end
 
-  def assign_attributes(status:, url:, token:, error: nil)
+  def assign_attributes(status:, url:, token:, error: nil, validated: nil, retry_after: nil)
     @status = status
     @url = url
     @token = token
     @error = error
+    @validated = validated
+    @retry_after = retry_after
+    @retry_after_time = Acme::Client::Util.parse_retry_after(retry_after)
   end
 end

data/lib/acme/client/resources/challenges/dns_account01.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# DNS-Account-01 challenge following draft-ietf-acme-dns-account-label-01
+# Enables multiple ACME clients to validate the same domain concurrently
+class Acme::Client::Resources::Challenges::DNSAccount01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'dns-account-01'.freeze
+  RECORD_PREFIX = '_'.freeze
+  RECORD_SUFFIX = '._acme-challenge'.freeze
+  RECORD_TYPE = 'TXT'.freeze
+  DIGEST = OpenSSL::Digest::SHA256
+  BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'.freeze # RFC 4648 lowercase alphabet
+
+  # Generates account-specific DNS record name using SHA256(account_url) + Base32
+  # Format: _<base32_label>._acme-challenge
+  def record_name
+    digest = DIGEST.digest(@client.kid)[0, 10] # First 10 octets for label
+    bits = digest.unpack1('B*')
+    label = bits.scan(/.{5}/).map { |chunk| BASE32_ALPHABET[chunk.to_i(2)] }.join
+    "#{RECORD_PREFIX}#{label}#{RECORD_SUFFIX}"
+  end
+
+  def record_type
+    RECORD_TYPE
+  end
+
+  def record_content
+    Acme::Client::Util.urlsafe_base64(DIGEST.digest(key_authorization))
+  end
+end
+

data/lib/acme/client/resources/challenges.rb

@@ -4,11 +4,13 @@ module Acme::Client::Resources::Challenges
   require 'acme/client/resources/challenges/base'
   require 'acme/client/resources/challenges/http01'
   require 'acme/client/resources/challenges/dns01'
+  require 'acme/client/resources/challenges/dns_account01'
   require 'acme/client/resources/challenges/unsupported_challenge'
 
   CHALLENGE_TYPES = {
     'http-01' => Acme::Client::Resources::Challenges::HTTP01,
-    'dns-01' => Acme::Client::Resources::Challenges::DNS01
+    'dns-01' => Acme::Client::Resources::Challenges::DNS01,
+    'dns-account-01' => Acme::Client::Resources::Challenges::DNSAccount01
   }
 
   def self.new(client, type:, **arguments)

data/lib/acme/client/resources/directory.rb

@@ -7,22 +7,25 @@ class Acme::Client::Resources::Directory
     new_order: 'newOrder',
     new_authz: 'newAuthz',
     revoke_certificate: 'revokeCert',
-    key_change: 'keyChange'
+    key_change: 'keyChange',
+    renewal_info: 'renewalInfo'
   }
 
   DIRECTORY_META = {
     terms_of_service: 'termsOfService',
     website: 'website',
     caa_identities: 'caaIdentities',
-    external_account_required: 'externalAccountRequired'
+    external_account_required: 'externalAccountRequired',
+    profiles: 'profiles'
   }
 
-  def initialize(url, connection_options)
-    @url, @connection_options = url, connection_options
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(**arguments)
   end
 
   def endpoint_for(key)
-    directory.fetch(key) do |missing_key|
+    @directory.fetch(key) do |missing_key|
       raise Acme::Client::Error::UnsupportedOperation,
         "Directory at #{@url} does not include `#{missing_key}`"
     end
@@ -44,37 +47,21 @@ class Acme::Client::Resources::Directory
     meta[DIRECTORY_META[:external_account_required]]
   end
 
+  def profiles
+    meta[DIRECTORY_META[:profiles]]
+  end
+
   def meta
-    directory[:meta]
+    @directory[:meta]
   end
 
   private
 
-  def directory
-    @directory ||= load_directory
-  end
-
-  def load_directory
-    body = fetch_directory
-    result = {}
-    result[:meta] = body.delete('meta')
+  def assign_attributes(directory:)
+    @directory = {}
+    @directory[:meta] = directory.delete('meta')
     DIRECTORY_RESOURCES.each do |key, entry|
-      result[key] = URI(body[entry]) if body[entry]
-    end
-    result
-  rescue JSON::ParserError => exception
-    raise Acme::Client::Error::InvalidDirectory,
-      "Invalid directory url\n#{@directory} did not return a valid directory\n#{exception.inspect}"
-  end
-
-  def fetch_directory
-    connection = Faraday.new(url: @directory, **@connection_options) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: nil, mode: nil
-
-      configuration.adapter Faraday.default_adapter
+      @directory[key] = URI(directory[entry]) if directory[entry]
     end
-    connection.headers[:user_agent] = Acme::Client::USER_AGENT
-    response = connection.get(@url)
-    response.body
   end
 end

data/lib/acme/client/resources/order.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class Acme::Client::Resources::Order
-  attr_reader :url, :status, :contact, :finalize_url, :identifiers, :authorization_urls, :expires, :certificate_url
+  attr_reader :url, :status, :contact, :finalize_url, :identifiers, :authorization_urls, :expires, :certificate_url, :profile, :replaces, :retry_after, :retry_after_time
 
   def initialize(client, **arguments)
     @client = client
@@ -9,6 +9,8 @@ class Acme::Client::Resources::Order
   end
 
   def reload
+    raise Acme::Client::Error::OrderUrlNil, 'Cannot reload order with nil url.' if url.nil?
+
     assign_attributes(**@client.order(url: url).to_h)
     true
   end
@@ -32,6 +34,18 @@ class Acme::Client::Resources::Order
     end
   end
 
+  def renew(replaces: nil, **arguments)
+    replaces ||= renewal_info.ari_id
+
+    @client.new_order(replaces: replaces, **to_h.slice(:identifiers, :profile).merge(arguments))
+  end
+
+  def renewal_info(certificate: nil, ari_id: nil)
+    certificate ||= self.certificate if ari_id.nil?
+
+    @client.renewal_info(certificate:, ari_id:)
+  end
+
   def to_h
     {
       url: url,
@@ -40,19 +54,26 @@ class Acme::Client::Resources::Order
       finalize_url: finalize_url,
       authorization_urls: authorization_urls,
       identifiers: identifiers,
-      certificate_url: certificate_url
+      certificate_url: certificate_url,
+      profile: profile,
+      replaces: replaces,
+      retry_after: retry_after
     }
   end
 
   private
 
-  def assign_attributes(url:, status:, expires:, finalize_url:, authorization_urls:, identifiers:, certificate_url: nil)
-    @url = url
+  def assign_attributes(url: nil, status:, expires:, finalize_url:, authorization_urls:, identifiers:, certificate_url: nil, profile: nil, replaces: nil, retry_after: nil) # rubocop:disable Layout/LineLength,Metrics/ParameterLists
+    @url = url unless url.nil?
     @status = status
     @expires = expires
     @finalize_url = finalize_url
     @authorization_urls = authorization_urls
     @identifiers = identifiers
     @certificate_url = certificate_url
+    @profile = profile
+    @replaces = replaces
+    @retry_after = retry_after
+    @retry_after_time = Acme::Client::Util.parse_retry_after(retry_after)
   end
 end

data/lib/acme/client/resources/renewal_info.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+class Acme::Client::Resources::RenewalInfo
+  attr_reader :ari_id, :suggested_window, :explanation_url, :retry_after, :retry_after_time
+
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(**arguments)
+  end
+
+  def reload
+    assign_attributes(**@client.renewal_info(ari_id: ari_id).to_h)
+  end
+
+  def suggested_window_start
+    suggested_window&.fetch('start', nil)
+  end
+
+  def suggested_window_end
+    suggested_window&.fetch('end', nil)
+  end
+
+  def suggested_renewal_time
+    return nil unless suggested_window_start && suggested_window_end
+
+    start_time = DateTime.rfc3339(suggested_window_start).to_time
+    end_time = DateTime.rfc3339(suggested_window_end).to_time
+    window_duration = end_time - start_time
+
+    random_offset = rand(0.0..window_duration)
+    selected_time = start_time + random_offset
+
+    selected_time > Time.now ? selected_time : Time.now
+  end
+
+  def to_h
+    {
+      ari_id: ari_id,
+      suggested_window: suggested_window,
+      explanation_url: explanation_url,
+      retry_after: retry_after
+    }
+  end
+
+  private
+
+  def assign_attributes(ari_id:, suggested_window:, explanation_url: nil, retry_after: nil)
+    @ari_id = ari_id
+    @suggested_window = suggested_window
+    @explanation_url = explanation_url
+    @retry_after = retry_after
+    @retry_after_time = Acme::Client::Util.parse_retry_after(retry_after)
+  end
+end

data/lib/acme/client/resources.rb

@@ -5,3 +5,4 @@ require 'acme/client/resources/account'
 require 'acme/client/resources/order'
 require 'acme/client/resources/authorization'
 require 'acme/client/resources/challenges'
+require 'acme/client/resources/renewal_info'

data/lib/acme/client/util.rb

@@ -1,4 +1,24 @@
+require 'time'
+
 module Acme::Client::Util
+  extend self
+
+  # Parses a Retry-After header value into a Time.
+  # RFC 7231 §7.1.3: the value is either delay-seconds or an HTTP-date.
+  # Returns a Time, or nil if the value is nil or unparseable.
+  def parse_retry_after(value)
+    return nil if value.nil?
+
+    value = value.to_s
+    Integer(value, 10).then { |seconds| Time.now + seconds }
+  rescue ArgumentError, RangeError
+    begin
+      Time.httpdate(value)
+    rescue ArgumentError
+      nil
+    end
+  end
+
   def urlsafe_base64(data)
     Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
   end
@@ -31,5 +51,40 @@ module Acme::Client::Util
     end
   end
 
-  extend self
+  # Generates a certificate identifier for ACME Renewal Information (ARI) as per RFC 9773.
+  # The identifier is constructed by extracting the Authority Key Identifier (AKI) from
+  # the certificate extension, and the DER-encoded serial number (without tag and length bytes).
+  # Both values are base64url-encoded and concatenated with a period separator.
+  #
+  # certificate - An OpenSSL::X509::Certificate instance or PEM string.
+  #
+  # Returns a string in the format: base64url(AKI).base64url(serial)
+  def ari_certificate_identifier(certificate)
+    cert = if certificate.is_a?(OpenSSL::X509::Certificate)
+      certificate
+    else
+      OpenSSL::X509::Certificate.new(certificate)
+    end
+
+    aki_ext = cert.extensions.find { |ext| ext.oid == 'authorityKeyIdentifier' }
+    raise ArgumentError, 'Certificate does not have an Authority Key Identifier extension' unless aki_ext
+
+    aki_value = aki_ext.value
+    hex_string = if aki_value =~ /keyid:([0-9A-Fa-f:]+)/
+      $1
+    elsif aki_value =~ /^[0-9A-Fa-f:]+$/
+      aki_value
+    else
+      raise ArgumentError, 'Could not parse Authority Key Identifier'
+    end
+
+    key_identifier = hex_string.split(':').map { |hex| hex.to_i(16).chr }.join
+    serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
+    serial_value = OpenSSL::ASN1.decode(serial_der).value.to_s(2)
+
+    aki_b64 = urlsafe_base64(key_identifier)
+    serial_b64 = urlsafe_base64(serial_value)
+
+    "#{aki_b64}.#{serial_b64}"
+  end
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.9'.freeze
+    VERSION = '2.0.31'.freeze
   end
 end

data/lib/acme/client.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'faraday'
+require 'faraday/retry'
 require 'json'
 require 'openssl'
 require 'digest'
@@ -13,12 +14,13 @@ module Acme; end
 class Acme::Client; end
 
 require 'acme/client/version'
+require 'acme/client/http_client'
 require 'acme/client/certificate_request'
 require 'acme/client/self_sign_certificate'
 require 'acme/client/resources'
-require 'acme/client/faraday_middleware'
 require 'acme/client/jwk'
 require 'acme/client/error'
+require 'acme/client/error/rate_limited'
 require 'acme/client/util'
 require 'acme/client/chain_identifier'
 
@@ -43,13 +45,14 @@ class Acme::Client
 
     @kid, @connection_options = kid, connection_options
     @bad_nonce_retry = bad_nonce_retry
-    @directory = Acme::Client::Resources::Directory.new(URI(directory), @connection_options)
+    @directory_url = URI(directory)
     @nonces ||= []
   end
 
   attr_reader :jwk, :nonces
 
-  def new_account(contact:, terms_of_service_agreed: nil)
+  def new_account(contact:, terms_of_service_agreed: nil, external_account_binding: nil)
+    new_account_endpoint = endpoint_for(:new_account)
     payload = {
       contact: Array(contact)
     }
@@ -58,7 +61,18 @@ class Acme::Client
       payload[:termsOfServiceAgreed] = terms_of_service_agreed
     end
 
-    response = post(endpoint_for(:new_account), payload: payload, mode: :jws)
+    if external_account_binding
+      kid, hmac_key = external_account_binding.values_at(:kid, :hmac_key)
+      if kid.nil? || hmac_key.nil?
+        raise ArgumentError, 'must specify kid and hmac_key key for external_account_binding'
+      end
+
+      hmac = Acme::Client::JWK::HMAC.new(Base64.urlsafe_decode64(hmac_key))
+      external_account_payload = hmac.jws(header: { kid: kid, url: new_account_endpoint }, payload: @jwk)
+      payload[:externalAccountBinding] = JSON.parse(external_account_payload)
+    end
+
+    response = post(new_account_endpoint, payload: payload, mode: :jws)
     @kid = response.headers.fetch(:location)
 
     if response.body.nil? || response.body.empty?
@@ -122,11 +136,13 @@ class Acme::Client
     @kid ||= account.kid
   end
 
-  def new_order(identifiers:, not_before: nil, not_after: nil)
+  def new_order(identifiers:, not_before: nil, not_after: nil, profile: nil, replaces: nil)
     payload = {}
     payload['identifiers'] = prepare_order_identifiers(identifiers)
     payload['notBefore'] = not_before if not_before
     payload['notAfter'] = not_after if not_after
+    payload['profile'] = profile if profile
+    payload['replaces'] = replaces if replaces
 
     response = post(endpoint_for(:new_order), payload: payload)
     arguments = attributes_from_order_response(response)
@@ -209,35 +225,69 @@ class Acme::Client
     response.success?
   end
 
+  def renewal_info(certificate: nil, ari_id: nil)
+    if certificate.nil? && ari_id.nil?
+      raise ArgumentError, 'must specify certificate or ari_id'
+    end
+
+    ari_id ||= Acme::Client::Util.ari_certificate_identifier(certificate)
+
+    renewal_info_url = URI.join(endpoint_for(:renewal_info).to_s + '/', ari_id).to_s
+
+    response = get(renewal_info_url)
+    attributes = attributes_from_renewal_info_response(response)
+    Acme::Client::Resources::RenewalInfo.new(self, ari_id: ari_id, **attributes)
+  end
+
   def get_nonce
-    connection = new_connection(endpoint: endpoint_for(:new_nonce))
-    response = connection.head(nil, nil, 'User-Agent' => USER_AGENT)
+    http_client = Acme::Client::HTTPClient.new_connection(url: endpoint_for(:new_nonce), options: @connection_options)
+    response = http_client.head(nil, nil)
     nonces << response.headers['replay-nonce']
     true
   end
 
+  def directory
+    @directory ||= load_directory
+  end
+
   def meta
-    @directory.meta
+    directory.meta
   end
 
   def terms_of_service
-    @directory.terms_of_service
+    directory.terms_of_service
   end
 
   def website
-    @directory.website
+    directory.website
   end
 
   def caa_identities
-    @directory.caa_identities
+    directory.caa_identities
   end
 
   def external_account_required
-    @directory.external_account_required
+    directory.external_account_required
+  end
+
+  def profiles
+    directory.profiles
   end
 
   private
 
+  def load_directory
+    Acme::Client::Resources::Directory.new(self, directory: fetch_directory)
+  end
+
+  def fetch_directory
+    response = get(@directory_url)
+    response.body
+  rescue JSON::ParserError => exception
+    raise Acme::Client::Error::InvalidDirectory,
+      "Invalid directory url\n#{@directory_url} did not return a valid directory\n#{exception.inspect}"
+  end
+
   def prepare_order_identifiers(identifiers)
     if identifiers.is_a?(Hash)
       [identifiers]
@@ -257,6 +307,7 @@ class Acme::Client
       response.body,
       :status,
       [:term_of_service, 'termsOfServiceAgreed'],
+      :orders,
       :contact
     )
   end
@@ -269,19 +320,36 @@ class Acme::Client
       [:finalize_url, 'finalize'],
       [:authorization_urls, 'authorizations'],
       [:certificate_url, 'certificate'],
-      :identifiers
+      :identifiers,
+      :profile,
+      :replaces
     )
 
     attributes[:url] = response.headers[:location] if response.headers[:location]
+    attributes[:retry_after] = response.headers['retry-after'] if response.headers['retry-after']
     attributes
   end
 
   def attributes_from_authorization_response(response)
-    extract_attributes(response.body, :identifier, :status, :expires, :challenges, :wildcard)
+    attributes = extract_attributes(response.body, :identifier, :status, :expires, :challenges, :wildcard)
+    attributes[:retry_after] = response.headers['retry-after'] if response.headers['retry-after']
+    attributes
   end
 
   def attributes_from_challenge_response(response)
-    extract_attributes(response.body, :status, :url, :token, :type, :error)
+    attributes = extract_attributes(response.body, :status, :url, :token, :type, :error, :validated)
+    attributes[:retry_after] = response.headers['retry-after'] if response.headers['retry-after']
+    attributes
+  end
+
+  def attributes_from_renewal_info_response(response)
+    attributes = extract_attributes(
+      response.body,
+      [:suggested_window, 'suggestedWindow'],
+      [:explanation_url, 'explanationURL']
+    )
+    attributes[:retry_after] = response.headers['retry-after'] if response.headers['retry-after']
+    attributes
   end
 
   def extract_attributes(input, *attributes)
@@ -303,7 +371,7 @@ class Acme::Client
     connection.post(url, nil)
   end
 
-  def get(url, mode: :kid)
+  def get(url, mode: :get)
     connection = connection_for(url: url, mode: mode)
     connection.get(url)
   end
@@ -319,41 +387,15 @@ class Acme::Client
   def connection_for(url:, mode:)
     uri = URI(url)
     endpoint = "#{uri.scheme}://#{uri.hostname}:#{uri.port}"
+
     @connections ||= {}
     @connections[mode] ||= {}
-    @connections[mode][endpoint] ||= new_acme_connection(endpoint: endpoint, mode: mode)
-  end
-
-  def new_acme_connection(endpoint:, mode:)
-    new_connection(endpoint: endpoint) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: self, mode: mode
-    end
-  end
-
-  def new_connection(endpoint:)
-    Faraday.new(endpoint, **@connection_options) do |configuration|
-      if @bad_nonce_retry > 0
-        configuration.request(:retry,
-          max: @bad_nonce_retry,
-          methods: Faraday::Connection::METHODS,
-          exceptions: [Acme::Client::Error::BadNonce])
-      end
-      yield(configuration) if block_given?
-      configuration.adapter Faraday.default_adapter
-    end
-  end
-
-  def fetch_chain(response, limit = 10)
-    links = response.headers['link']
-    if limit.zero? || links.nil? || links['up'].nil?
-      []
-    else
-      issuer = get(links['up'])
-      [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit - 1)]
-    end
+    @connections[mode][endpoint] ||= Acme::Client::HTTPClient.new_acme_connection(
+      url: URI(endpoint), mode: mode, client: self, options: @connection_options, bad_nonce_retry: @bad_nonce_retry
+    )
   end
 
   def endpoint_for(key)
-    @directory.endpoint_for(key)
+    directory.endpoint_for(key)
   end
 end