acme-client 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c20a6817f7b9cabcc97fd675cb6e9977544de7de
+  data.tar.gz: 04ab2587617f4c1c94bab02ecc0f902c71c11576
+SHA512:
+  metadata.gz: 7cc46125a7e5565dab48ee669330663d471ee93877e6e0751cde792ca389dd03290eade0ef9e4bbb6dbcd50f955d7071fe7de6d3e6bb01fb7439d9c15563ebab
+  data.tar.gz: a5b7c82005996edfa8a11bddaeae46df26748a037666f5349980c7d6d0df3be4b63d91908ce24d96fecc42d94140c6b80e7d4877cbdf02ef510cad882146ed6f

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.1.0
+before_install: gem install bundler -v 1.10.6

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in acme-client.gemspec
+gemspec
+
+group :development, :test do
+  gem 'pry'
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Charles Barbier
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,84 @@
+# Acme::Client
+
+`acme-client` is a client implementation of the [ACME](https://letsencrypt.github.io/acme-spec) protocol in Ruby.
+
+You can find the server reference implementation for ACME server at [here](github.com/letsencrypt/boulder) and also the a reference [client](github.com/letsencrypt/letsencrypt) written in python.
+
+ACME is part of the [Letsencrypt](https://letsencrypt.org/) project, that are working hard at encrypting all the things.
+
+## Usage
+
+```ruby
+# We're going to need a private key.
+private_key = OpenSSL::PKey::RSA.new(2048)
+
+# We need an ACME server to talk to, see github.com/letsencrypt/boulder
+endpoint = 'http://letsencrypt.com/'
+
+# Initialize the client
+client = Acme::Client.new(private_key: private_key, endpoint: endpoint)
+
+# If the private key is not known to the server we need to register for the first time.
+registration = client.register(contact: 'mailto:unixcharles@gmail.com')
+
+# You'll need to agree the term (that's up the to the server to require it or not but boulder does by default)
+registration.agree_terms
+
+# Let's try to optain a certificate for yourdomain.com
+authorization = client.authorize(domain: 'yourdomain.com')
+
+# We need to prove that we control the domain using one of the challanges method
+simple_http = authorization.simple_http
+
+# The SimpleHTTP method will require you to response to an HTTP request.
+
+# You can retreive the expected path for the file.
+simple_http.filename # => ".well-known/acme-challenge/:some_token"
+
+# You can retrieve the body of the expected response
+simple_http.file_content # => 'string of JWS signed json' 
+
+# You can send no Content-Type at all but if you send one it has to be 'application/jose+json'
+simple_http.content_type
+
+# Once you are ready to serve the confirmation request you can proceed.
+simple_http.request_verification # => true
+simple_http.verify_status # => 'pending'
+
+# Wait a bit for the server to make the request, or really just blink, should be fast.
+sleep(1)
+
+simple_http.verify_status # => 'pending'
+
+# We're going to need a CSR, let do this real quick with Ruby+OpenSSL.
+request = OpenSSL::X509::Request.new
+request.subject = OpenSSL::X509::Name.new([
+  ['CN', common_name, OpenSSL::ASN1::UTF8STRING]
+])
+
+request.public_key = private_key.public_key
+request.sign(private_key, OpenSSL::Digest::SHA256.new)
+
+# You can request a new certificate
+client.new_certificate(csr) # => #<OpenSSL::X509::Certificate ....>
+```
+
+# Not implemented
+
+- Recovery methods are not implemented.
+- SimpleHTTP is the only challenge method implemented
+
+## Development
+
+All the tests use VCR to mock the interaction with the server but if you
+need to record new interation against the server simply clone boulder and
+run it normally with `./start.py`.
+
+## Pull request?
+
+Yes.
+
+## License
+
+[MIT License](http://opensource.org/licenses/MIT)
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/acme-client.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'acme/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'acme-client'
+  spec.version       = Acme::Client::VERSION
+  spec.authors       = ['Charles Barbier']
+  spec.email         = ['unixcharles@gmail.com']
+  spec.summary       = 'Client for the ACME protocol.'
+  spec.homepage      = 'http://github.com/unixcharles/acme-client'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.10'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.3', '>= 3.3.0'
+  spec.add_development_dependency 'vcr', '~> 2.9', '>= 2.9.3'
+  spec.add_development_dependency 'webmock', '~> 1.21', '>= 1.21.0'
+
+  spec.add_runtime_dependency 'faraday', '~> 0.9', '>= 0.9.1'
+  spec.add_runtime_dependency 'url_safe_base64', '~> 0.2', '>= 0.2.2'
+  spec.add_runtime_dependency 'json-jwt', '~> 1.2', '>= 1.2.3'
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "acme/client"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/acme/client.rb

@@ -0,0 +1,66 @@
+class Acme::Client
+  DEFAULT_ENDPOINT = 'http://127.0.0.1:4000'
+
+  def initialize(endpoint: DEFAULT_ENDPOINT, directory_uri: nil, private_key:)
+    @endpoint, @private_key, @directory_uri = endpoint, private_key, directory_uri
+    @nonces ||= []
+    load_directory!
+  end
+
+  attr_reader :private_key, :nonces, :operation_endpoints
+
+  def register(contact:)
+    payload = {
+      resource: 'new-reg', contact: Array.wrap(contact)
+    }
+
+    response = connection.post(@operation_endpoints.fetch('new-reg'), payload)
+    ::Acme::Resources::Registration.new(self, response)
+  end
+
+  def authorize(domain:)
+    payload = {
+      resource: "new-authz",
+      identifier: {
+        type: "dns",
+        value: domain
+      }
+    }
+
+    response = connection.post(@operation_endpoints.fetch('new-authz'), payload)
+    ::Acme::Resources::Authorization.new(self, response)
+  end
+
+  def new_certificate(csr)
+    payload = {
+      resource: 'new-cert',
+      csr: UrlSafeBase64.encode64(csr.to_der)
+    }
+
+    response = connection.post(@operation_endpoints.fetch('new-cert'), payload)
+    OpenSSL::X509::Certificate.new(response.body)
+  end
+
+  def connection
+    @connection ||= Faraday.new(@endpoint) do |configuration|
+      configuration.use Acme::FaradayMiddleware, client: self
+      configuration.adapter Faraday.default_adapter
+    end
+  end
+
+  def load_directory!
+    @operation_endpoints = if @directory_uri
+      response = connection.get(@directory_uri)
+      body = response.body
+      {
+        'new-reg' => body.fetch('new-reg'),
+        'recover-reg' => body.fetch('recover-reg'),
+        'new-authz' => body.fetch('new-authz'),
+        'new-cert' => body.fetch('new-cert'),
+        'revoke-cert' => body.fetch('revoke-cert'),
+      }
+    else
+      DIRECTORY_DEFAULT
+    end
+  end
+end

data/lib/acme/crypto.rb

@@ -0,0 +1,47 @@
+class Acme::Crypto
+  attr_reader :private_key
+
+  def initialize(private_key)
+    @private_key = private_key
+  end
+
+  def generate_signed_jws(header:, payload:)
+    protection_header = generate_protection_header(header)
+    payload = encode64(JSON.dump(payload))
+
+    JSON.dump(
+      {
+        header: { alg: :RS256, jwk: jwk },
+        protected: protection_header,
+        payload: payload,
+        signature: generate_signature(protection_header, payload)
+      }
+    )
+  end
+
+  def generate_signature(protection_header, payload)
+    input = "#{protection_header}.#{payload}"
+    signature = private_key.sign(digest, input)
+    encode64(signature)
+  end
+
+  def generate_protection_header(header)
+    encode64(JSON.dump(header))
+  end
+
+  def jwk
+    JSON::JWK.new(public_key).to_hash
+  end
+
+  def public_key
+    private_key.public_key
+  end
+
+  def digest
+    OpenSSL::Digest::SHA256.new
+  end
+
+  def encode64(input)
+    UrlSafeBase64.encode64(input)
+  end
+end

data/lib/acme/error.rb

@@ -0,0 +1,12 @@
+class Acme::Error < StandardError
+  class NotFound < Acme::Error; end
+  class BadCSR < Acme::Error; end
+  class BadNonce < Acme::Error; end
+  class Connection < Acme::Error; end
+  class Dnssec < Acme::Error; end
+  class Malformed < Acme::Error; end
+  class ServerInternal < Acme::Error; end
+  class Acme::Tls < Acme::Error; end
+  class Unauthorized < Acme::Error; end
+  class UnknownHost < Acme::Error; end
+end

data/lib/acme/faraday_middleware.rb

@@ -0,0 +1,81 @@
+class Acme::FaradayMiddleware < Faraday::Middleware
+  attr_reader :env, :response, :client
+
+  def initialize(app, client:)
+    super(app)
+    @client = client
+  end
+
+  def call(env)
+    @env = env
+    @env.body = crypto.generate_signed_jws(header: { nonce: pop_nonce }, payload: env.body)
+    @app.call(env).on_complete {|env| on_complete(env) }
+  end
+
+  def on_complete(env)
+    raise Acme::Error::NotFound, env.url.to_s if env.status == 404
+
+    nonces << env.response_headers['replay-nonce']
+
+    content_type = env.response_headers['Content-Type']
+
+    if content_type == 'application/json' || content_type == 'application/problem+json'
+      env.body = JSON.load(env.body)
+    end
+
+    if env.response_headers.key?('Link')
+      link_header = env.response_headers['Link']
+      links = link_header.split(', ').map do |entry|
+        link = entry.match(/<(.*?)>;/).captures.first
+        name = entry.match(/rel="([\w_-]+)"/).captures.first
+        [name, link]
+      end
+
+      env.response_headers['Link'] = Hash[*links.flatten]
+    end
+
+    return if env.success?
+
+    error_name = env.body['type'].gsub('urn:acme:error:', '').classify
+    error_class = if Acme::Error.qualified_const_defined?(error_name)
+      "Acme::Error::#{error_name}".constantize
+    else
+      Acme::Error
+    end
+
+    message = if env.body.is_a? Hash
+      env.body['detail']
+    else
+      "Error message: #{env.body}"
+    end
+
+    raise error_class, env.body['detail']
+  end
+
+  private
+
+  def pop_nonce
+    if nonces.empty?
+      get_nonce
+    else
+      nonces.pop
+    end
+  end
+
+  def get_nonce
+    response = Faraday.head(env.url)
+    response.headers['replay-nonce']
+  end
+
+  def nonces
+    client.nonces
+  end
+
+  def private_key
+    client.private_key
+  end
+
+  def crypto
+    @crypto ||= Acme::Crypto.new(private_key)
+  end
+end

data/lib/acme/resources.rb

@@ -0,0 +1,4 @@
+module Acme::Resources; end
+require 'acme/resources/registration'
+require 'acme/resources/challenges'
+require 'acme/resources/authorization'

data/lib/acme/resources/authorization.rb

@@ -0,0 +1,28 @@
+class Acme::Resources::Authorization
+  SimpleHttp = Acme::Resources::Challenges::SimpleHttp
+
+  attr_reader :domain, :status, :simple_http
+
+  def initialize(client, response)
+    @client = client
+    assign_challenges(response.body['challenges'])
+    assign_attributes(response.body)
+  end
+
+  private
+
+  def assign_challenges(challenges)
+    challenges.each do |attributes|
+      case attributes.fetch('type')
+      when 'simpleHttp' then @simple_http = SimpleHttp.new(@client, attributes)
+      else
+        # no supported
+      end
+    end
+  end
+
+  def assign_attributes(body)
+    @domain = body['identifier']['value']
+    @status = body['status']
+  end
+end

data/lib/acme/resources/challenges.rb

@@ -0,0 +1,2 @@
+module Acme::Resources::Challenges; end
+require 'acme/resources/challenges/simple_http'

data/lib/acme/resources/challenges/simple_http.rb

@@ -0,0 +1,50 @@
+class Acme::Resources::Challenges::SimpleHttp
+  CONTENT_TYPE = 'application/jose+json'
+
+  attr_reader :status, :uri, :token, :error
+  attr_accessor :tls
+
+  def initialize(client, attributes)
+    @client = client
+    assign_attributes(attributes)
+  end
+
+  def content_type
+    CONTENT_TYPE
+  end
+
+  def file_content
+    message = { 'type' => 'simpleHttp', 'token' => token, 'tls' => tls }
+    crypto.generate_signed_jws(header: {}, payload: message)
+  end
+
+  def filename
+    ".well-known/acme-challenge/#{token}"
+  end
+
+  def request_verification
+    response = @client.connection.post(@uri, { resource: 'challenge', type: 'simpleHttp', tls: tls })
+    response.success?
+  end
+
+  def verify_status
+    response = @client.connection.get(@uri)
+
+    assign_attributes(response.body)
+    @error = response.body['error']
+    status
+  end
+
+  private
+
+  def assign_attributes(attributes)
+    @status = attributes.fetch('status', 'pending')
+    @uri = attributes.fetch('uri')
+    @token = attributes.fetch('token')
+    @tls = attributes.fetch('tls')
+  end
+
+  def crypto
+    @crypto ||= Acme::Crypto.new(@client.private_key)
+  end
+end

data/lib/acme/resources/registration.rb

@@ -0,0 +1,43 @@
+class Acme::Resources::Registration
+  attr_reader :id, :key, :contact, :uri, :next_uri, :recover_uri, :term_of_service_uri
+
+  def initialize(client, response)
+    @client = client
+    @uri = response.headers['location']
+    assign_links(response.headers['Link'])
+    assign_attributes(response.body)
+  end
+
+  def get_terms
+    if @term_of_service_uri
+      @client.connection.get(@term_of_service_uri).body
+    end
+  end
+
+  def agree_terms
+    if @term_of_service_uri
+      payload = {
+        resource: "reg",
+        agreement: @term_of_service_uri
+      }
+      response = @client.connection.post(@uri, { resource: 'reg', agreement: @term_of_service_uri })
+      response.success?
+    else
+      true
+    end
+  end
+
+  private
+
+  def assign_links(links)
+    @next_uri = links['next']
+    @recover_uri = links['recover']
+    @term_of_service_uri = links['terms-of-service']
+  end
+
+  def assign_attributes(body)
+    @id = body['id']
+    @key = body['key']
+    @contact = body['contact']
+  end
+end

data/lib/acme/version.rb

@@ -0,0 +1,5 @@
+module Acme
+  class Client
+    VERSION = '0.1.0'
+  end
+end

data/lib/acme_client.rb

@@ -0,0 +1,14 @@
+module Acme; end
+
+require 'url_safe_base64'
+require 'faraday'
+require 'json'
+require 'json/jwt'
+require 'openssl'
+require 'digest'
+
+require 'acme/crypto'
+require 'acme/client'
+require 'acme/resources'
+require 'acme/faraday_middleware'
+require 'acme/error'

metadata

@@ -0,0 +1,213 @@
+--- !ruby/object:Gem::Specification
+name: acme-client
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Charles Barbier
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-08-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.3
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.21.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.21.0
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+- !ruby/object:Gem::Dependency
+  name: url_safe_base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.2
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.3
+description: 
+email:
+- unixcharles@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- acme-client.gemspec
+- bin/console
+- bin/setup
+- lib/acme/client.rb
+- lib/acme/crypto.rb
+- lib/acme/error.rb
+- lib/acme/faraday_middleware.rb
+- lib/acme/resources.rb
+- lib/acme/resources/authorization.rb
+- lib/acme/resources/challenges.rb
+- lib/acme/resources/challenges/simple_http.rb
+- lib/acme/resources/registration.rb
+- lib/acme/version.rb
+- lib/acme_client.rb
+homepage: http://github.com/unixcharles/acme-client
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.0
+signing_key: 
+specification_version: 4
+summary: Client for the ACME protocol.
+test_files: []