acme-client 0.2.1 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.rspec +1 -0
- data/README.md +11 -19
- data/lib/acme-client.rb +1 -0
- data/lib/acme/certificate.rb +7 -2
- data/lib/acme/certificate_request.rb +113 -0
- data/lib/acme/client.rb +1 -1
- data/lib/acme/version.rb +1 -1
- metadata +2 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 66b791acbcafdeb9a0cc7b1fc56977ff235771db
|
4
|
+
data.tar.gz: fcc5bdffc2e7278301de2ad97745a0dd1400915e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1dda0e5460db94b43231b033513b28c6a88b7af1be4c201bd360b5fda5dab159eb684305177636f6a3327a5ef6b54359045c1f12a87c62312a510dddae3b8345
|
7
|
+
data.tar.gz: c5d7b4f69f4455c56fdeb9611b66757e981ebd870582fca017656a6f9635bfd223cc1c2231c67a159682f66e369dad18e3ed81e259c9d931d4f0f5b11a3972de
|
data/.gitignore
CHANGED
data/.rspec
CHANGED
data/README.md
CHANGED
@@ -22,15 +22,15 @@ require 'acme-client'
|
|
22
22
|
client = Acme::Client.new(private_key: private_key, endpoint: endpoint)
|
23
23
|
|
24
24
|
# If the private key is not known to the server, we need to register it for the first time.
|
25
|
-
registration = client.register(contact: 'mailto:
|
25
|
+
registration = client.register(contact: 'mailto:contact@example.com')
|
26
26
|
|
27
27
|
# You'll may need to agree to the term (that's up the to the server to require it or not but boulder does by default)
|
28
28
|
registration.agree_terms
|
29
29
|
|
30
|
-
# Let's try to optain a certificate for
|
30
|
+
# Let's try to optain a certificate for example.org
|
31
31
|
|
32
32
|
# We need to prove that we control the domain using one of the challenges method.
|
33
|
-
authorization = client.authorize(domain: '
|
33
|
+
authorization = client.authorize(domain: 'example.org')
|
34
34
|
|
35
35
|
# For now the only challenge method supprted by the client is http-01.
|
36
36
|
challenge = authorization.http01
|
@@ -65,26 +65,18 @@ sleep(1)
|
|
65
65
|
|
66
66
|
challenge.verify_status # => 'valid'
|
67
67
|
|
68
|
-
# We're going to need a
|
69
|
-
|
68
|
+
# We're going to need a certificate signing request. If not explicitly
|
69
|
+
# specified, the first name listed becomes the common name.
|
70
|
+
csr = Acme::CertificateRequest.new(names: %w[example.org www.example.org])
|
70
71
|
|
71
|
-
# We
|
72
|
-
|
73
|
-
|
74
|
-
# We just going to add the domain but normally you might want to provide more information.
|
75
|
-
csr.subject = OpenSSL::X509::Name.new([
|
76
|
-
['CN', 'yourdomain.com', OpenSSL::ASN1::UTF8STRING]
|
77
|
-
])
|
78
|
-
|
79
|
-
csr.public_key = certificate_private_key.public_key
|
80
|
-
csr.sign(certificate_private_key, OpenSSL::Digest::SHA256.new)
|
81
|
-
|
82
|
-
# We can now request a certificate
|
72
|
+
# We can now request a certificate, you can pass anything that returns
|
73
|
+
# a valid DER encoded CSR when calling to_der on it, for example a
|
74
|
+
# OpenSSL::X509::Request too.
|
83
75
|
certificate = client.new_certificate(csr) # => #<Acme::Certificate ....>
|
84
76
|
|
85
77
|
# Save the certificate and key
|
78
|
+
File.write("privkey.pem", certificate.request.private_key.to_pem)
|
86
79
|
File.write("cert.pem", certificate.to_pem)
|
87
|
-
File.write("key.pem", certificate_private_key.to_pem)
|
88
80
|
File.write("chain.pem", certificate.chain_to_pem)
|
89
81
|
File.write("fullchain.pem", certificate.fullchain_to_pem)
|
90
82
|
|
@@ -100,7 +92,7 @@ File.write("fullchain.pem", certificate.fullchain_to_pem)
|
|
100
92
|
# Not implemented
|
101
93
|
|
102
94
|
- Recovery methods are not implemented.
|
103
|
-
-
|
95
|
+
- tls-sni-01 and proofOfPossession-01 are not implemented.
|
104
96
|
|
105
97
|
## Development
|
106
98
|
|
data/lib/acme-client.rb
CHANGED
data/lib/acme/certificate.rb
CHANGED
@@ -1,13 +1,14 @@
|
|
1
1
|
class Acme::Certificate
|
2
2
|
extend Forwardable
|
3
3
|
|
4
|
-
attr_reader :x509, :x509_chain
|
4
|
+
attr_reader :x509, :x509_chain, :request
|
5
5
|
|
6
6
|
def_delegators :x509, :to_pem, :to_der
|
7
7
|
|
8
|
-
def initialize(certificate, chain)
|
8
|
+
def initialize(certificate, chain, request)
|
9
9
|
@x509 = certificate
|
10
10
|
@x509_chain = chain
|
11
|
+
@request = request
|
11
12
|
end
|
12
13
|
|
13
14
|
def chain_to_pem
|
@@ -21,4 +22,8 @@ class Acme::Certificate
|
|
21
22
|
def fullchain_to_pem
|
22
23
|
x509_fullchain.map(&:to_pem).join
|
23
24
|
end
|
25
|
+
|
26
|
+
def common_name
|
27
|
+
x509.subject.to_a.find {|name, _, _| name == "CN" }[1]
|
28
|
+
end
|
24
29
|
end
|
@@ -0,0 +1,113 @@
|
|
1
|
+
class Acme::CertificateRequest
|
2
|
+
extend Forwardable
|
3
|
+
|
4
|
+
DEFAULT_KEY_LENGTH = 2048
|
5
|
+
DEFAULT_DIGEST = OpenSSL::Digest::SHA256
|
6
|
+
SUBJECT_KEYS = {
|
7
|
+
common_name: "CN",
|
8
|
+
country_name: "C",
|
9
|
+
organization_name: "O",
|
10
|
+
organizational_unit: "OU",
|
11
|
+
state_or_province: "ST",
|
12
|
+
locality_name: "L"
|
13
|
+
}.freeze
|
14
|
+
|
15
|
+
SUBJECT_TYPES = {
|
16
|
+
"CN" => OpenSSL::ASN1::UTF8STRING,
|
17
|
+
"C" => OpenSSL::ASN1::UTF8STRING,
|
18
|
+
"O" => OpenSSL::ASN1::UTF8STRING,
|
19
|
+
"OU" => OpenSSL::ASN1::UTF8STRING,
|
20
|
+
"ST" => OpenSSL::ASN1::UTF8STRING,
|
21
|
+
"L" => OpenSSL::ASN1::UTF8STRING
|
22
|
+
}.freeze
|
23
|
+
|
24
|
+
attr_reader :csr, :private_key, :common_name, :names, :subject
|
25
|
+
|
26
|
+
def_delegators :csr, :to_pem, :to_der
|
27
|
+
|
28
|
+
def initialize(common_name: nil,
|
29
|
+
names: [],
|
30
|
+
private_key: generate_private_key,
|
31
|
+
subject: {},
|
32
|
+
digest: DEFAULT_DIGEST.new)
|
33
|
+
raise ArgumentError.new("Digest must be a OpenSSL::Digest") unless digest.is_a?(OpenSSL::Digest)
|
34
|
+
@digest = digest
|
35
|
+
|
36
|
+
@private_key = private_key
|
37
|
+
|
38
|
+
@subject = normalize_subject(subject)
|
39
|
+
@common_name = common_name || @subject[SUBJECT_KEYS[:common_name]] || @subject[:common_name]
|
40
|
+
|
41
|
+
@names = names.to_a.dup
|
42
|
+
normalize_names
|
43
|
+
|
44
|
+
@subject[SUBJECT_KEYS[:common_name]] ||= @common_name
|
45
|
+
validate_subject
|
46
|
+
|
47
|
+
@csr = generate
|
48
|
+
end
|
49
|
+
|
50
|
+
private
|
51
|
+
|
52
|
+
def generate_private_key
|
53
|
+
OpenSSL::PKey::RSA.new(DEFAULT_KEY_LENGTH)
|
54
|
+
end
|
55
|
+
|
56
|
+
def normalize_subject(subject)
|
57
|
+
@subject = subject.each_with_object({}) {|(key, value), subject|
|
58
|
+
subject[SUBJECT_KEYS.fetch(key, key)] = value.to_s
|
59
|
+
}
|
60
|
+
end
|
61
|
+
|
62
|
+
def normalize_names
|
63
|
+
if @common_name
|
64
|
+
@names.unshift(@common_name) unless @names.include?(@common_name)
|
65
|
+
elsif @names.empty?
|
66
|
+
raise ArgumentError.new("No common name and no list of names given")
|
67
|
+
else
|
68
|
+
@common_name = @names.first
|
69
|
+
end
|
70
|
+
end
|
71
|
+
|
72
|
+
def validate_subject
|
73
|
+
extra_keys = @subject.keys - SUBJECT_KEYS.keys - SUBJECT_KEYS.values
|
74
|
+
unless extra_keys.empty?
|
75
|
+
raise ArgumentError.new("Unexpected subject attributes given: #{extra_keys.inspect}")
|
76
|
+
end
|
77
|
+
|
78
|
+
unless @common_name == @subject[SUBJECT_KEYS[:common_name]]
|
79
|
+
raise ArgumentError.new("Conflicting common name given in arguments and subject")
|
80
|
+
end
|
81
|
+
end
|
82
|
+
|
83
|
+
def generate
|
84
|
+
OpenSSL::X509::Request.new.tap do |csr|
|
85
|
+
csr.public_key = @private_key.public_key
|
86
|
+
csr.subject = generate_subject
|
87
|
+
add_extension(csr)
|
88
|
+
csr.sign @private_key, @digest
|
89
|
+
end
|
90
|
+
end
|
91
|
+
|
92
|
+
def generate_subject
|
93
|
+
OpenSSL::X509::Name.new(
|
94
|
+
@subject.map {|name, value|
|
95
|
+
[name, value, SUBJECT_TYPES[name]]
|
96
|
+
}
|
97
|
+
)
|
98
|
+
end
|
99
|
+
|
100
|
+
def add_extension(csr)
|
101
|
+
return if @names.size <= 1
|
102
|
+
|
103
|
+
extension = OpenSSL::X509::ExtensionFactory.new.create_extension(
|
104
|
+
"subjectAltName", @names.map {|name| "DNS:#{name}" }.join(", "), false
|
105
|
+
)
|
106
|
+
csr.add_attribute(
|
107
|
+
OpenSSL::X509::Attribute.new(
|
108
|
+
"extReq",
|
109
|
+
OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([extension])])
|
110
|
+
)
|
111
|
+
)
|
112
|
+
end
|
113
|
+
end
|
data/lib/acme/client.rb
CHANGED
@@ -44,7 +44,7 @@ class Acme::Client
|
|
44
44
|
}
|
45
45
|
|
46
46
|
response = connection.post(@operation_endpoints.fetch('new-cert'), payload)
|
47
|
-
::Acme::Certificate.new(OpenSSL::X509::Certificate.new(response.body), fetch_chain(response))
|
47
|
+
::Acme::Certificate.new(OpenSSL::X509::Certificate.new(response.body), fetch_chain(response), csr)
|
48
48
|
end
|
49
49
|
|
50
50
|
def fetch_chain(response, limit=10)
|
data/lib/acme/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: acme-client
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Charles Barbier
|
@@ -157,6 +157,7 @@ files:
|
|
157
157
|
- bin/setup
|
158
158
|
- lib/acme-client.rb
|
159
159
|
- lib/acme/certificate.rb
|
160
|
+
- lib/acme/certificate_request.rb
|
160
161
|
- lib/acme/client.rb
|
161
162
|
- lib/acme/crypto.rb
|
162
163
|
- lib/acme/error.rb
|