acme-client 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: db4de0115967af2794cdf73fbc564ba3207d07bb
-  data.tar.gz: a6e4dbafa02042fa3ebdf0c171a5f700770d000c
+  metadata.gz: 5ee8283817ef99669367cba5c6e5d62095aa5015
+  data.tar.gz: 62f8588bfd710561c626064825b7bd0a678b3a49
 SHA512:
-  metadata.gz: e54827c5a1b93c079476b4ee7061d42d8a69c668063afd571887a040b063c362fc68f279fff2ebc9260b0bde0dd3d4af6b86b8f950385419f715bb6bb5f74f42
-  data.tar.gz: 368afee114cd978a13f764869f84c74fbd7df1177bed9ed8a25c3e675b2bb8e4f0de80c97bc3f3f6d061e4bd9c6d0c4a938f78cd1f16789e48907f721499a0a7
+  metadata.gz: 4cd8d3dcdeb48bd21acc1212bc04f65fb0a37ce797d3553d63dc3730370bce723a68e5683fcf7745eb14916be610dd8009e284c911f75d50d76a7be0135a1dcf
+  data.tar.gz: 7bb4ff248144d4cbc9f43b752cca79773b6529a0140c81db433cdb2c8653d063ee7933287c0071fdb50daa0817b105c930e4f51a80e6eddcc7d98c3b2898cc14

data/.travis.yml

@@ -1,4 +1,4 @@
 language: ruby
 rvm:
-  - 2.1.0
-before_install: gem install bundler -v 1.10.6
+  - 2.1
+  - 2.2

data/README.md

@@ -1,4 +1,5 @@
 # Acme::Client
+[![Build Status](https://travis-ci.org/unixcharles/acme-client.svg?branch=master)](https://travis-ci.org/unixcharles/acme-client)
 
 `acme-client` is a client implementation of the [ACME](https://letsencrypt.github.io/acme-spec) protocol in Ruby.
 
@@ -10,12 +11,14 @@ ACME is part of the [Letsencrypt](https://letsencrypt.org/) project, that are wo
 
 ```ruby
 # We're going to need a private key.
+require 'openssl'
 private_key = OpenSSL::PKey::RSA.new(2048)
 
 # We need an ACME server to talk to, see github.com/letsencrypt/boulder
 endpoint = 'https://acme-staging.api.letsencrypt.org'
 
 # Initialize the client
+require 'acme-client'
 client = Acme::Client.new(private_key: private_key, endpoint: endpoint)
 
 # If the private key is not known to the server, we need to register it for the first time.
@@ -29,28 +32,38 @@ registration.agree_terms
 # We need to prove that we control the domain using one of the challenges method.
 authorization = client.authorize(domain: 'yourdomain.com')
 
-# For now the only challenge method supprted by the client is simple_http.
-simple_http = authorization.simple_http
+# For now the only challenge method supprted by the client is http-01.
+challenge = authorization.http01
 
-# The SimpleHTTP method will require you to response to an HTTP request.
+# The http-01 method will require you to response to an HTTP request.
 
 # You can retrieve the expected path for the file.
-simple_http.filename # => ".well-known/acme-challenge/:some_token"
+challenge.filename # => ".well-known/acme-challenge/:some_token"
 
 # You can generate the body of the expected response.
-simple_http.file_content # => 'string of JWS signed json' 
+challenge.file_content # => 'string token and JWK thumbprint'
+
+# You can send no Content-Type at all but if you send one it has to be 'text/plain'.
+challenge.content_type
+
+# Save the file. We'll create a public directory to serve it from, and we'll creating the challenge directory.
+FileUtils.mkdir_p( File.join( 'public', File.dirname( challenge.filename ) ) )
+
+# Then writing the file
+File.write( File.join( 'public', challenge.filename), challenge.file_content )
+
+# The challenge file can be server with a Ruby webserver such as run a webserver in another console. You may need to forward ports on your router
+#ruby -run -e httpd public -p 8080 --bind-address 0.0.0.0
 
-# You can send no Content-Type at all but if you send one it has to be 'application/jose+json'.
-simple_http.content_type
 
 # Once you are ready to serve the confirmation request you can proceed.
-simple_http.request_verification # => true
-simple_http.verify_status # => 'pending'
+challenge.request_verification # => true
+challenge.verify_status # => 'pending'
 
 # Wait a bit for the server to make the request, or really just blink, it should be fast.
 sleep(1)
 
-simple_http.verify_status # => 'valid'
+challenge.verify_status # => 'valid'
 
 # We're going to need a CSR, lets do this real quick with Ruby+OpenSSL.
 csr = OpenSSL::X509::Request.new
@@ -60,20 +73,34 @@ certificate_private_key = OpenSSL::PKey::RSA.new(2048)
 
 # We just going to add the domain but normally you might want to provide more information.
 csr.subject = OpenSSL::X509::Name.new([
-  ['CN', common_name, OpenSSL::ASN1::UTF8STRING]
+  ['CN', 'yourdomain.com', OpenSSL::ASN1::UTF8STRING]
 ])
 
 csr.public_key = certificate_private_key.public_key
 csr.sign(certificate_private_key, OpenSSL::Digest::SHA256.new)
 
 # We can now request a certificate
-client.new_certificate(csr) # => #<OpenSSL::X509::Certificate ....>
+certificate = client.new_certificate(csr) # => #<Acme::Certificate ....>
+
+# Save the certificate and key
+File.write("cert.pem", certificate.to_pem)
+File.write("key.pem", certificate_private_key.to_pem)
+File.write("chain.pem", certificate.chain_to_pem)
+File.write("fullchain.pem", certificate.fullchain_to_pem)
+
+# Start a webserver, using your shiny new certificate
+# ruby -r openssl -r webrick -r 'webrick/https' -e "s = WEBrick::HTTPServer.new(
+#   :Port => 8443,
+#   :DocumentRoot => Dir.pwd,
+#   :SSLEnable => true,
+#   :SSLPrivateKey => OpenSSL::PKey::RSA.new( File.read('key.pem') ),
+#   :SSLCertificate => OpenSSL::X509::Certificate.new( File.read('cert.pem') )); trap('INT') { s.shutdown }; s.start"
 ```
 
 # Not implemented
 
 - Recovery methods are not implemented.
-- SimpleHTTP is the only challenge method implemented
+- http-01 is the only challenge method implemented
 
 ## Development
 

data/acme-client.gemspec

@@ -15,7 +15,7 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.10'
+  spec.add_development_dependency 'bundler', '>= 1.6.9'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec', '~> 3.3', '>= 3.3.0'
   spec.add_development_dependency 'vcr', '~> 2.9', '>= 2.9.3'

data/lib/acme-client.rb

@@ -6,7 +6,9 @@ require 'json'
 require 'json/jwt'
 require 'openssl'
 require 'digest'
+require 'forwardable'
 
+require 'acme/certificate'
 require 'acme/crypto'
 require 'acme/client'
 require 'acme/resources'

data/lib/acme/certificate.rb

@@ -0,0 +1,20 @@
+class Acme::Certificate
+  extend Forwardable
+
+  attr_reader :x509, :x509_chain
+
+  def_delegators :x509, :to_pem, :to_der
+
+  def initialize(certificate, chain)
+    @x509 = certificate
+    @x509_chain = chain
+  end
+
+  def chain_to_pem
+    x509_chain.map(&:to_pem).join
+  end
+
+  def fullchain_to_pem
+    [*x509_chain, x509].map(&:to_pem).join
+  end
+end

data/lib/acme/client.rb

@@ -44,7 +44,16 @@ class Acme::Client
     }
 
     response = connection.post(@operation_endpoints.fetch('new-cert'), payload)
-    OpenSSL::X509::Certificate.new(response.body)
+    ::Acme::Certificate.new(OpenSSL::X509::Certificate.new(response.body), fetch_chain(response).reverse)
+  end
+
+  def fetch_chain(response, limit=10)
+    if limit == 0 || response.headers["link"].nil? || response.headers["link"]["up"].nil?
+      []
+    else
+      issuer = connection.get(response.headers["link"]["up"])
+      [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit-1)]
+    end
   end
 
   def connection

data/lib/acme/resources/authorization.rb

@@ -1,7 +1,8 @@
 class Acme::Resources::Authorization
   HTTP01 = Acme::Resources::Challenges::HTTP01
+  DNS01 = Acme::Resources::Challenges::DNS01
 
-  attr_reader :domain, :status, :http01
+  attr_reader :domain, :status, :http01, :dns01
 
   def initialize(client, response)
     @client = client
@@ -15,6 +16,7 @@ class Acme::Resources::Authorization
     challenges.each do |attributes|
       case attributes.fetch('type')
       when 'http-01' then @http01 = HTTP01.new(@client, attributes)
+      when 'dns-01' then @dns01 = DNS01.new(@client, attributes)
       else
         # no supported
       end

data/lib/acme/resources/challenges.rb

@@ -1,3 +1,4 @@
 module Acme::Resources::Challenges; end
 require 'acme/resources/challenges/base'
 require 'acme/resources/challenges/http01'
+require 'acme/resources/challenges/dns01'

data/lib/acme/resources/challenges/dns01.rb

@@ -0,0 +1,21 @@
+class Acme::Resources::Challenges::DNS01 < Acme::Resources::Challenges::Base
+  RECORD_NAME = '_acme-challenge'
+  RECORD_TYPE = 'TXT'
+
+  def record_name
+    RECORD_NAME
+  end
+
+  def record_type
+    RECORD_TYPE
+  end
+
+  def record_content
+    crypto.digest.hexdigest(authorization_key)
+  end
+
+  def request_verification
+    response = @client.connection.post(@uri, { resource: 'challenge', type: 'dns-01', keyAuthorization: authorization_key })
+    response.success?
+  end
+end

data/lib/acme/version.rb

@@ -1,5 +1,5 @@
 module Acme
   class Client
-    VERSION = '0.1.3'
+    VERSION = '0.2.0'
   end
 end

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
 platform: ruby
 authors:
 - Charles Barbier
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-27 00:00:00.000000000 Z
+date: 2015-12-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: 1.6.9
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: 1.6.9
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -176,6 +176,7 @@ files:
 - bin/console
 - bin/setup
 - lib/acme-client.rb
+- lib/acme/certificate.rb
 - lib/acme/client.rb
 - lib/acme/crypto.rb
 - lib/acme/error.rb
@@ -184,6 +185,7 @@ files:
 - lib/acme/resources/authorization.rb
 - lib/acme/resources/challenges.rb
 - lib/acme/resources/challenges/base.rb
+- lib/acme/resources/challenges/dns01.rb
 - lib/acme/resources/challenges/http01.rb
 - lib/acme/resources/registration.rb
 - lib/acme/version.rb