acme-client 0.5.5 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c5269e4586e1ba3dfa359b635a0ae311bed2d5ee
-  data.tar.gz: 36eb213b6bb4f6fa4f940718acf89f7a080d3b8c
+  metadata.gz: 9afb2ecd4afa51f2a457c64ed33d656188154552
+  data.tar.gz: 737c7eabe999b57d4f3445e577a453911f7e52fa
 SHA512:
-  metadata.gz: 39adb3b34f5eebfe7e718ef942270166a34844f50658698c800c112880f6485e65e7e08a6cba94b20c6ac613ea165df449a5118166f424e742c864c02998cd79
-  data.tar.gz: ad0eb8878dcea3eca909f88049d62aac40381727a51b521f8e06fa49b48195c552939adc8dcc28c0ec0e784267cc15cd147c6f87368a7c3922bc4622a5101672
+  metadata.gz: 369dbc069d504500b37d2b2bc36060c0be56e4c630be2e92242c88260619e099aba1e5fb2c416e036bb8456251a241e2bf2e248d045fe3bab2aabe693251ba4f
+  data.tar.gz: 0e989e2ab114ed13bd26e1a15885cb1d0027aa21bd76b0b3bf17b37164fae040632b3cb334098ea2aa6a3bd0d456793dcf5d7ce5818b8fa402df5b41fb26eb3f

data/lib/acme/client.rb

@@ -15,10 +15,11 @@ require 'acme/client/version'
 require 'acme/client/certificate'
 require 'acme/client/certificate_request'
 require 'acme/client/self_sign_certificate'
-require 'acme/client/crypto'
 require 'acme/client/resources'
 require 'acme/client/faraday_middleware'
+require 'acme/client/jwk'
 require 'acme/client/error'
+require 'acme/client/util'
 
 class Acme::Client
   DEFAULT_ENDPOINT = 'http://127.0.0.1:4000'.freeze
@@ -29,13 +30,23 @@ class Acme::Client
     'revoke-cert' => '/acme/revoke-cert'
   }.freeze
 
-  def initialize(private_key:, endpoint: DEFAULT_ENDPOINT, directory_uri: nil, connection_options: {})
-    @endpoint, @private_key, @directory_uri, @connection_options = endpoint, private_key, directory_uri, connection_options
+  def initialize(jwk: nil, private_key: nil, endpoint: DEFAULT_ENDPOINT, directory_uri: nil, connection_options: {})
+    if jwk.nil? && private_key.nil?
+      raise ArgumentError, 'must specify jwk or private_key'
+    end
+
+    @jwk = if jwk
+      jwk
+    else
+      Acme::Client::JWK.from_private_key(private_key)
+    end
+
+    @endpoint, @directory_uri, @connection_options = endpoint, directory_uri, connection_options
     @nonces ||= []
     load_directory!
   end
 
-  attr_reader :private_key, :nonces, :endpoint, :directory_uri, :operation_endpoints
+  attr_reader :jwk, :nonces, :endpoint, :directory_uri, :operation_endpoints
 
   def register(contact:)
     payload = {

data/lib/acme/client/faraday_middleware.rb

@@ -14,7 +14,7 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
   def call(env)
     @env = env
     @env[:request_headers]['User-Agent'] = USER_AGENT
-    @env.body = crypto.generate_signed_jws(header: { nonce: pop_nonce }, payload: env.body)
+    @env.body = client.jwk.jws(header: { nonce: pop_nonce }, payload: env.body)
     @app.call(env).on_complete { |response_env| on_complete(response_env) }
   rescue Faraday::TimeoutError
     raise Acme::Client::Error::Timeout
@@ -116,12 +116,4 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
   def nonces
     client.nonces
   end
-
-  def private_key
-    client.private_key
-  end
-
-  def crypto
-    @crypto ||= Acme::Client::Crypto.new(private_key)
-  end
 end

data/lib/acme/client/jwk.rb

@@ -0,0 +1,21 @@
+module Acme::Client::JWK
+  # Make a JWK from a private key.
+  #
+  # private_key - An OpenSSL::PKey::EC or OpenSSL::PKey::RSA instance.
+  #
+  # Returns a JWK::Base subclass instance.
+  def self.from_private_key(private_key)
+    case private_key
+    when OpenSSL::PKey::RSA
+      Acme::Client::JWK::RSA.new(private_key)
+    when OpenSSL::PKey::EC
+      Acme::Client::JWK::ECDSA.new(private_key)
+    else
+      raise ArgumentError, 'private_key must be EC or RSA'
+    end
+  end
+end
+
+require 'acme/client/jwk/base'
+require 'acme/client/jwk/rsa'
+require 'acme/client/jwk/ecdsa'

data/lib/acme/client/jwk/base.rb

@@ -0,0 +1,84 @@
+class Acme::Client::JWK::Base
+  THUMBPRINT_DIGEST = OpenSSL::Digest::SHA256
+
+  # Initialize a new JWK.
+  #
+  # Returns nothing.
+  def initialize
+    raise NotImplementedError
+  end
+
+  # Generate a JWS JSON web signature.
+  #
+  # header  - A Hash of extra header fields to include.
+  # payload - A Hash of payload data.
+  #
+  # Returns a JSON String.
+  def jws(header: {}, payload: {})
+    header = jws_header.merge(header)
+    encoded_header = Acme::Client::Util.urlsafe_base64(header.to_json)
+    encoded_payload = Acme::Client::Util.urlsafe_base64(payload.to_json)
+
+    signature_data = "#{encoded_header}.#{encoded_payload}"
+    signature = sign(signature_data)
+    encoded_signature = Acme::Client::Util.urlsafe_base64(signature)
+
+    {
+      protected: encoded_header,
+      payload: encoded_payload,
+      signature: encoded_signature
+    }.to_json
+  end
+
+  # Serialize this JWK as JSON.
+  #
+  # Returns a JSON string.
+  def to_json
+    to_h.to_json
+  end
+
+  # Get this JWK as a Hash for JSON serialization.
+  #
+  # Returns a Hash.
+  def to_h
+    raise NotImplementedError
+  end
+
+  # JWK thumbprint as used for key authorization.
+  #
+  # Returns a String.
+  def thumbprint
+    Acme::Client::Util.urlsafe_base64(THUMBPRINT_DIGEST.digest(to_json))
+  end
+
+  # Header fields for a JSON web signature.
+  #
+  # typ: - Value for the `typ` field. Default 'JWT'.
+  #
+  # Returns a Hash.
+  def jws_header
+    {
+      typ: 'JWT',
+      alg: jwa_alg,
+      jwk: to_h
+    }
+  end
+
+  # The name of the algorithm as needed for the `alg` member of a JWS object.
+  #
+  # Returns a String.
+  def jwa_alg
+    raise NotImplementedError
+  end
+
+  # Sign a message with the private key.
+  #
+  # message - A String message to sign.
+  #
+  # Returns a String signature.
+  # rubocop:disable Lint/UnusedMethodArgument
+  def sign(message)
+    raise NotImplementedError
+  end
+  # rubocop:enable Lint/UnusedMethodArgument
+end

data/lib/acme/client/jwk/ecdsa.rb

@@ -0,0 +1,104 @@
+class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
+  # JWA parameters for supported OpenSSL curves.
+  # https://tools.ietf.org/html/rfc7518#section-3.1
+  KNWON_CURVES = {
+    'prime256v1' => {
+      jwa_crv: 'P-256',
+      jwa_alg: 'ES384',
+      digest: OpenSSL::Digest::SHA256
+    }.freeze,
+    'secp384r1' => {
+      jwa_crv: 'P-384',
+      jwa_alg: 'ES384',
+      digest: OpenSSL::Digest::SHA384
+    }.freeze,
+    'secp521r1' => {
+      jwa_crv: 'P-521',
+      jwa_alg: 'ES512',
+      digest: OpenSSL::Digest::SHA512
+    }.freeze
+  }.freeze
+
+  # Instantiate a new ECDSA JWK.
+  #
+  # private_key - A OpenSSL::PKey::EC instance.
+  #
+  # Returns nothing.
+  def initialize(private_key)
+    unless private_key.is_a?(OpenSSL::PKey::EC)
+      raise ArgumentError, 'private_key must be a OpenSSL::PKey::EC'
+    end
+
+    unless @curve_params = KNWON_CURVES[private_key.group.curve_name]
+      raise ArgumentError, 'Unknown EC curve'
+    end
+
+    @private_key = private_key
+  end
+
+  # The name of the algorithm as needed for the `alg` member of a JWS object.
+  #
+  # Returns a String.
+  def jwa_alg
+    @curve_params[:jwa_alg]
+  end
+
+  # Get this JWK as a Hash for JSON serialization.
+  #
+  # Returns a Hash.
+  def to_h
+    {
+      crv: @curve_params[:jwa_crv],
+      kty: 'EC',
+      x: Acme::Client::Util.urlsafe_base64(coordinates[:x].to_s(2)),
+      y: Acme::Client::Util.urlsafe_base64(coordinates[:y].to_s(2))
+    }
+  end
+
+  # Sign a message with the private key.
+  #
+  # message - A String message to sign.
+  #
+  # Returns a String signature.
+  def sign(message)
+    # DER encoded ASN.1 signature
+    der = @private_key.sign(@curve_params[:digest].new, message)
+
+    # ASN.1 SEQUENCE
+    seq = OpenSSL::ASN1.decode(der)
+
+    # ASN.1 INTs
+    ints = seq.value
+
+    # BigNumbers
+    bns = ints.map(&:value)
+
+    # Binary R/S values
+    r, s = bns.map { |bn| [bn.to_s(16)].pack('H*') }
+
+    # JWS wants raw R/S concatenated.
+    [r, s].join
+  end
+
+  private
+
+  # rubocop:disable Metrics/AbcSize
+  def coordinates
+    @coordinates ||= begin
+      hex = public_key.to_bn.to_s(16)
+      data_len = hex.length - 2
+      hex_x = hex[2, data_len / 2]
+      hex_y = hex[2 + data_len / 2, data_len / 2]
+
+      {
+        x: OpenSSL::BN.new([hex_x].pack('H*'), 2),
+        y: OpenSSL::BN.new([hex_y].pack('H*'), 2)
+      }
+    end
+  end
+  # rubocop:enable Metrics/AbcSize
+
+  def public_key
+    @private_key.public_key
+  end
+end

data/lib/acme/client/jwk/rsa.rb

@@ -0,0 +1,52 @@
+class Acme::Client::JWK::RSA < Acme::Client::JWK::Base
+  # Digest algorithm to use when signing.
+  DIGEST = OpenSSL::Digest::SHA256
+
+  # Instantiate a new RSA JWK.
+  #
+  # private_key - A OpenSSL::PKey::RSA instance.
+  #
+  # Returns nothing.
+  def initialize(private_key)
+    unless private_key.is_a?(OpenSSL::PKey::RSA)
+      raise ArgumentError, 'private_key must be a OpenSSL::PKey::RSA'
+    end
+
+    @private_key = private_key
+  end
+
+  # Get this JWK as a Hash for JSON serialization.
+  #
+  # Returns a Hash.
+  def to_h
+    {
+      e: Acme::Client::Util.urlsafe_base64(public_key.e.to_s(2)),
+      kty: 'RSA',
+      n: Acme::Client::Util.urlsafe_base64(public_key.n.to_s(2))
+    }
+  end
+
+  # Sign a message with the private key.
+  #
+  # message - A String message to sign.
+  #
+  # Returns a String signature.
+  def sign(message)
+    @private_key.sign(DIGEST.new, message)
+  end
+
+  # The name of the algorithm as needed for the `alg` member of a JWS object.
+  #
+  # Returns a String.
+  def jwa_alg
+    # https://tools.ietf.org/html/rfc7518#section-3.1
+    # RSASSA-PKCS1-v1_5 using SHA-256
+    'RS256'
+  end
+
+  private
+
+  def public_key
+    @private_key.public_key
+  end
+end

data/lib/acme/client/resources/challenges/base.rb

@@ -34,10 +34,6 @@ class Acme::Client::Resources::Challenges::Base
   end
 
   def authorization_key
-    "#{token}.#{crypto.thumbprint}"
-  end
-
-  def crypto
-    @crypto ||= Acme::Client::Crypto.new(client.private_key)
+    "#{token}.#{client.jwk.thumbprint}"
   end
 end

data/lib/acme/client/resources/challenges/dns01.rb

@@ -4,6 +4,7 @@ class Acme::Client::Resources::Challenges::DNS01 < Acme::Client::Resources::Chal
   CHALLENGE_TYPE = 'dns-01'.freeze
   RECORD_NAME = '_acme-challenge'.freeze
   RECORD_TYPE = 'TXT'.freeze
+  DIGEST = OpenSSL::Digest::SHA256
 
   def record_name
     RECORD_NAME
@@ -14,6 +15,6 @@ class Acme::Client::Resources::Challenges::DNS01 < Acme::Client::Resources::Chal
   end
 
   def record_content
-    crypto.urlsafe_base64(crypto.digest.digest(authorization_key))
+    Acme::Client::Util.urlsafe_base64(DIGEST.digest(authorization_key))
   end
 end

data/lib/acme/client/resources/challenges/tls_sni01.rb

@@ -2,9 +2,10 @@
 
 class Acme::Client::Resources::Challenges::TLSSNI01 < Acme::Client::Resources::Challenges::Base
   CHALLENGE_TYPE = 'tls-sni-01'.freeze
+  DIGEST = OpenSSL::Digest::SHA256
 
   def hostname
-    digest = crypto.digest.hexdigest(authorization_key)
+    digest = DIGEST.hexdigest(authorization_key)
     "#{digest[0..31]}.#{digest[32..64]}.acme.invalid"
   end
 

data/lib/acme/client/self_sign_certificate.rb

@@ -46,7 +46,7 @@ class Acme::Client::SelfSignCertificate
     certificate = OpenSSL::X509::Certificate.new
     certificate.not_before = not_before
     certificate.not_after = not_after
-    certificate.public_key = private_key.public_key
+    Acme::Client::Util.set_public_key(certificate, private_key)
     certificate.version = 2
     certificate.serial = 1
     certificate

data/lib/acme/client/util.rb

@@ -0,0 +1,24 @@
+module Acme::Client::Util
+  def urlsafe_base64(data)
+    Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
+  end
+
+  # Sets public key on CSR or cert.
+  #
+  # obj  - An OpenSSL::X509::Certificate or OpenSSL::X509::Request instance.
+  # priv - An OpenSSL::PKey::EC or OpenSSL::PKey::RSA instance.
+  #
+  # Returns nothing.
+  def set_public_key(obj, priv)
+    case priv
+    when OpenSSL::PKey::EC
+      obj.public_key = priv
+    when OpenSSL::PKey::RSA
+      obj.public_key = priv.public_key
+    else
+      raise ArgumentError, 'priv must be EC or RSA'
+    end
+  end
+
+  extend self
+end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '0.5.5'.freeze
+    VERSION = '0.6.0'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 0.5.5
+  version: 0.6.0
 platform: ruby
 authors:
 - Charles Barbier
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-07 00:00:00.000000000 Z
+date: 2017-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -148,9 +148,12 @@ files:
 - lib/acme/client/certificate.rb
 - lib/acme/client/certificate_request.rb
 - lib/acme/client/certificate_request/ec_key_patch.rb
-- lib/acme/client/crypto.rb
 - lib/acme/client/error.rb
 - lib/acme/client/faraday_middleware.rb
+- lib/acme/client/jwk.rb
+- lib/acme/client/jwk/base.rb
+- lib/acme/client/jwk/ecdsa.rb
+- lib/acme/client/jwk/rsa.rb
 - lib/acme/client/resources.rb
 - lib/acme/client/resources/authorization.rb
 - lib/acme/client/resources/challenges.rb
@@ -160,6 +163,7 @@ files:
 - lib/acme/client/resources/challenges/tls_sni01.rb
 - lib/acme/client/resources/registration.rb
 - lib/acme/client/self_sign_certificate.rb
+- lib/acme/client/util.rb
 - lib/acme/client/version.rb
 homepage: http://github.com/unixcharles/acme-client
 licenses:
@@ -181,7 +185,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.10
 signing_key: 
 specification_version: 4
 summary: Client for the ACME protocol.

data/lib/acme/client/crypto.rb

@@ -1,98 +0,0 @@
-class Acme::Client::Crypto
-  attr_reader :private_key
-
-  def initialize(private_key)
-    @private_key = private_key
-  end
-
-  def generate_signed_jws(header:, payload:)
-    header = { typ: 'JWT', alg: jws_alg, jwk: jwk }.merge(header)
-
-    encoded_header = urlsafe_base64(header.to_json)
-    encoded_payload = urlsafe_base64(payload.to_json)
-    signature_data = "#{encoded_header}.#{encoded_payload}"
-
-    signature = private_key.sign digest, signature_data
-    encoded_signature = urlsafe_base64(signature)
-
-    {
-      protected: encoded_header,
-      payload: encoded_payload,
-      signature: encoded_signature
-    }.to_json
-  end
-
-  def thumbprint
-    urlsafe_base64 digest.digest(jwk.to_json)
-  end
-
-  def digest
-    OpenSSL::Digest::SHA256.new
-  end
-
-  def urlsafe_base64(data)
-    Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
-  end
-
-  private
-
-  def jws_alg
-    { 'RSA' => 'RS256', 'EC' => 'ES256' }.fetch(jwk[:kty])
-  end
-
-  def jwk
-    @jwk ||= case private_key
-             when OpenSSL::PKey::RSA
-               rsa_jwk
-             when OpenSSL::PKey::EC
-               ec_jwk
-             else
-               raise ArgumentError, "Can't handle #{private_key} as private key, only OpenSSL::PKey::RSA and OpenSSL::PKey::EC"
-    end
-  end
-
-  def rsa_jwk
-    {
-      e: urlsafe_base64(public_key.e.to_s(2)),
-      kty: 'RSA',
-      n: urlsafe_base64(public_key.n.to_s(2))
-    }
-  end
-
-  def ec_jwk
-    {
-      crv: curve_name,
-      kty: 'EC',
-      x: urlsafe_base64(coordinates[:x].to_s(2)),
-      y: urlsafe_base64(coordinates[:y].to_s(2))
-    }
-  end
-
-  def curve_name
-    {
-      'prime256v1' => 'P-256',
-      'secp384r1' => 'P-384',
-      'secp521r1' => 'P-521'
-    }.fetch(private_key.group.curve_name) { raise ArgumentError, 'Unknown EC curve' }
-  end
-
-  # rubocop:disable Metrics/AbcSize
-  def coordinates
-    @coordinates ||= begin
-      hex = public_key.to_bn.to_s(16)
-      data_len = hex.length - 2
-      hex_x = hex[2, data_len / 2]
-      hex_y = hex[2 + data_len / 2, data_len / 2]
-
-      {
-        x: OpenSSL::BN.new([hex_x].pack('H*'), 2),
-        y: OpenSSL::BN.new([hex_y].pack('H*'), 2)
-      }
-    end
-  end
-  # rubocop:enable Metrics/AbcSize
-
-  def public_key
-    @public_key ||= private_key.public_key
-  end
-end