acmesmith 2.2.0 → 2.3.0

data/lib/acmesmith/certificate.rb

@@ -2,17 +2,32 @@ require 'openssl'
 
 module Acmesmith
   class Certificate
+    class PrivateKeyDecrypted < StandardError; end
     class PassphraseRequired < StandardError; end
 
+    CertificateExport = Struct.new(:certificate, :chain, :fullchain, :private_key, keyword_init: true)
+
+    # Split string containing multiple PEMs into Array of PEM strings.
+    # @param [String]
+    # @return [Array<String>]
     def self.split_pems(pems)
       pems.each_line.slice_before(/^-----BEGIN CERTIFICATE-----$/).map(&:join)
     end
 
+    # Return Acmesmith::Certificate by an issued certificate
+    # @param pem_chain [String]
+    # @param csr [Acme::Client::CertificateRequest]
+    # @return [Acmesmith::Certificate]
     def self.by_issuance(pem_chain, csr)
       pems = split_pems(pem_chain)
-      new(*pems, csr.private_key, nil, csr)
+      new(pems[0], pems[1..-1], csr.private_key, nil, csr)
     end
 
+    # @param certificate [OpenSSL::X509::Certificate, String]
+    # @param chain [String, Array<String>, Array<OpenSSL::X509::Certificate>]
+    # @param private_key [String, OpenSSL::PKey::RSA]
+    # @param key_passphrase [String, nil]
+    # @param csr [String, OpenSSL::X509::Request, nil]
     def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
       @certificate = case certificate
                      when OpenSSL::X509::Certificate
@@ -48,7 +63,7 @@ module Acmesmith
       when String
         @raw_private_key = private_key
         if key_passphrase
-          self.key_passphrase = key_passphrase 
+          self.key_passphrase = key_passphrase
         else
           begin
             @private_key = OpenSSL::PKey::RSA.new(@raw_private_key) { nil }
@@ -72,10 +87,18 @@ module Acmesmith
              end
     end
 
-    attr_reader :certificate, :chain, :csr
+    # @return [OpenSSL::X509::Certificate]
+    attr_reader :certificate
+    # @return [Array<OpenSSL::X509::Certificate>]
+    attr_reader :chain
+    # @return [OpenSSL::X509::Request]
+    attr_reader :csr
 
+    # Try to decrypt private_key if encrypted.
+    # @param pw [String] passphrase for encrypted PEM
+    # @raise [PrivateKeyDecrypted] if private_key is decrypted
     def key_passphrase=(pw)
-      raise 'private_key already given' if @private_key
+      raise PrivateKeyDecrypted, 'private_key already given' if @private_key
 
       @private_key = OpenSSL::PKey::RSA.new(@raw_private_key, pw)
 
@@ -83,44 +106,52 @@ module Acmesmith
       nil
     end
 
+    # @return [OpenSSL::PKey::RSA]
+    # @raise [PassphraseRequired] if private_key is not yet decrypted
     def private_key
       return @private_key if @private_key
       raise PassphraseRequired, 'key_passphrase required'
     end
 
+    # @return [String] leaf certificate + full certificate chain
     def fullchain
       "#{certificate.to_pem}\n#{issuer_pems}".gsub(/\n+/,?\n)
     end
 
+    # @return [String] issuer certificate chain
     def issuer_pems
       chain.map(&:to_pem).join("\n")
     end
 
+    # @return [String] common name
     def common_name
       certificate.subject.to_a.assoc('CN')[1]
     end
 
+    # @return [Array<String>] Subject Alternative Names (dNSname)
     def sans
       certificate.extensions.select { |_| _.oid == 'subjectAltName' }.flat_map do |ext|
         ext.value.split(/,\s*/).select { |_| _.start_with?('DNS:') }.map { |_| _[4..-1] }
       end
     end
 
+    # @return [String] Version string (consists of NotBefore time & certificate serial)
     def version
       "#{certificate.not_before.utc.strftime('%Y%m%d-%H%M%S')}_#{certificate.serial.to_i.to_s(16)}"
     end
 
+    # @return [OpenSSL::PKCS12]
     def pkcs12(passphrase)
-      OpenSSL::PKCS12.create(passphrase, common_name, private_key, certificate)
+      OpenSSL::PKCS12.create(passphrase, common_name, private_key, certificate, chain)
     end
 
+    # @return [CertificateExport]
     def export(passphrase, cipher: OpenSSL::Cipher.new('aes-256-cbc'))
-      {}.tap do |h|
-        h[:certificate] = certificate.to_pem
-        h[:chain] = issuer_pems
-        h[:fullchain] = fullchain
-
-        h[:private_key] = if passphrase
+      CertificateExport.new.tap do |h|
+        h.certificate = certificate.to_pem
+        h.chain = issuer_pems
+        h.fullchain = fullchain
+        h.private_key = if passphrase
           private_key.export(cipher, passphrase)
         else
           private_key.export

data/lib/acmesmith/challenge_responder_filter.rb

@@ -0,0 +1,23 @@
+module Acmesmith
+  class ChallengeResponderFilter
+    def initialize(responder, subject_name_exact: nil, subject_name_suffix: nil, subject_name_regexp: nil)
+      @responder = responder
+      @subject_name_exact = subject_name_exact && [*subject_name_exact].flatten.compact
+      @subject_name_suffix = subject_name_suffix && [*subject_name_suffix].flatten.compact
+      @subject_name_regexp = subject_name_regexp && [*subject_name_regexp].flatten.compact.map{ |_| Regexp.new(_) }
+    end
+
+    def applicable?(domain)
+      if @subject_name_exact
+        return false unless @subject_name_exact.include?(domain)
+      end
+      if @subject_name_suffix
+        return false unless @subject_name_suffix.any? { |suffix| domain.end_with?(suffix) }
+      end
+      if @subject_name_regexp
+        return false unless @subject_name_regexp.any? { |regexp| domain.match?(regexp) } 
+      end
+      @responder.applicable?(domain)
+    end
+  end
+end

data/lib/acmesmith/challenge_responders/base.rb

@@ -1,12 +1,19 @@
 module Acmesmith
   module ChallengeResponders
     class Base
-      # Return supported challenge types
+      # @param type [String] ACME challenge type (dns-01, http-01, ...)
+      # @return [true, false] true when given challenge type is supported
       def support?(type)
         raise NotImplementedError
       end
 
-      # Return 'true' if implements respond_all method.
+      # @param domain [String] target FQDN for a ACME authorization challenge
+      # @return [true, false] true when a responder is able to challenge against given domain name
+      def applicable?(domain)
+        true
+      end
+
+      # @return [true, false] true when implements #respond_all, #cleanup_all
       def cap_respond_all?
         false
       end
@@ -15,6 +22,7 @@ module Acmesmith
       end
 
       # Respond to the given challenges (1 or more).
+      # @param domain_and_challenges [Array<(String, Acme::Client::Resources::Challenges::Base)>] array of tuple of domain name and ACME challenge
       def respond_all(*domain_and_challenges)
         if cap_respond_all?
           raise NotImplementedError
@@ -26,6 +34,7 @@ module Acmesmith
       end
 
       # Clean up responses for the given challenges (1 or more).
+      # @param domain_and_challenges [Array<(String, Acme::Client::Resources::Challenges::Base)>] array of tuple of domain name and ACME challenge
       def cleanup_all(*domain_and_challenges)
         if cap_respond_all?
           raise NotImplementedError

data/lib/acmesmith/challenge_responders/pebble_challtestsrv_dns.rb

@@ -0,0 +1,53 @@
+require 'acmesmith/challenge_responders/base'
+require 'net/http'
+require 'uri'
+require 'json'
+
+module Acmesmith
+  module ChallengeResponders
+    class PebbleChalltestsrvDns < Base
+      def support?(type)
+        # Acme::Client::Resources::Challenges::DNS01
+        type == 'dns-01'
+      end
+
+      def initialize(url: 'http://localhost:8055')
+        warn_test
+        @url = URI.parse(url)
+      end
+
+      attr_reader :url
+
+      def respond(domain, challenge)
+        warn_test
+
+        Net::HTTP.post(
+          URI.join(url,"/set-txt"),
+          {
+            host: "#{challenge.record_name}.#{domain}.",
+            value: challenge.record_content,
+          }.to_json,
+        ).value
+      end
+
+      def cleanup(domain, challenge)
+        warn_test
+
+        Net::HTTP.post(
+          URI.join(url,"/clear-txt"),
+          {
+            host: "#{challenge.record_name}.#{domain}.",
+          }.to_json,
+        ).value
+      end
+
+      def warn_test
+        unless ENV['CI']
+          $stderr.puts '!!!!!!!!! WARNING WARNING WARNING !!!!!!!!!'
+          $stderr.puts '!!!! pebble-challtestsrv command is for TEST USAGE ONLY. It is trivially insecure, offering no authentication. Only use pebble-challtestsrv in a controlled test environment.'
+          $stderr.puts '!!!! https://github.com/letsencrypt/pebble/blob/master/cmd/pebble-challtestsrv/README.md'
+        end
+      end
+    end
+  end
+end

data/lib/acmesmith/challenge_responders/route53.rb

@@ -17,10 +17,21 @@ module Acmesmith
         true
       end
 
-      def initialize(aws_access_key: nil, hosted_zone_map: {})
-        @route53 = Aws::Route53::Client.new({region: 'us-east-1'}.tap do |opt| 
+      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {})
+        aws_options = {region: 'us-east-1'}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
+        end
+
+        @route53 = Aws::Route53::Client.new(aws_options.dup.tap do |opt|
+          case
+          when assume_role
+            opt[:credentials] = Aws::AssumeRoleCredentials.new(
+              client: Aws::STS::Client.new(aws_options),
+              **({role_session_name: "acmesmith-#{$$}"}.merge(assume_role.map{ |k,v| [k.to_sym,v] }.to_h)),
+            )
+          end
         end)
+
         @hosted_zone_map = hosted_zone_map
         @hosted_zone_cache = {}
       end

data/lib/acmesmith/client.rb

@@ -1,5 +1,7 @@
 require 'acmesmith/account_key'
 require 'acmesmith/certificate'
+require 'acmesmith/authorization_service'
+require 'acmesmith/ordering_service'
 require 'acmesmith/save_certificate_service'
 require 'acme-client'
 
@@ -11,7 +13,7 @@ module Acmesmith
 
     def new_account(contact, tos_agreed: true)
       key = AccountKey.generate
-      acme = Acme::Client.new(private_key: key.private_key, directory: config.fetch('directory'))
+      acme = Acme::Client.new(private_key: key.private_key, directory: config.directory, connection_options: config.connection_options, bad_nonce_retry: config.bad_nonce_retry)
       acme.new_account(contact: contact, terms_of_service_agreed: tos_agreed)
 
       storage.put_account_key(key, account_key_passphrase)
@@ -20,31 +22,16 @@ module Acmesmith
     end
 
     def order(*identifiers, not_before: nil, not_after: nil)
-      puts "=> Ordering a certificate for the following identifiers:"
-      puts
-      identifiers.each do |id|
-        puts " * #{id}"
-      end
-      puts
-      puts "=> Generating CSR"
-      csr = Acme::Client::CertificateRequest.new(subject: { common_name: identifiers.first }, names: identifiers[1..-1])
-      puts "=> Placing an order"
-      order = acme.new_order(identifiers: identifiers, not_before: not_before, not_after: not_after)
-
-      unless order.authorizations.empty? || order.status == 'ready'
-        puts "=> Looking for required domain authorizations"
-        puts
-        order.authorizations.map(&:domain).each do |domain|
-          puts " * #{domain}"
-        end
-        puts
-
-        process_authorizations(order.authorizations)
-      end
-
-      cert = process_order_finalization(order, csr)
+      order = OrderingService.new(
+        acme: acme,
+        identifiers: identifiers,
+        challenge_responder_rules: config.challenge_responders,
+        not_before: not_before,
+        not_after: not_after
+      )
+      order.perform!
+      cert = order.certificate
 
-      puts "=> Certificate issued"
       puts
       print " * securing into the storage ..."
       storage.put_certificate(cert, certificate_key_passphrase)
@@ -175,111 +162,6 @@ module Acmesmith
 
     private
 
-    def process_order_finalization(order, csr)
-      puts "=> Finalizing the order"
-      puts
-
-      print " * Requesting..."
-      order.finalize(csr: csr)
-      puts" [ ok ]"
-
-      while %w(ready processing).include?(order.status)
-        order.reload()
-        puts " * Waiting for procession: status=#{order.status}"
-        sleep 2
-      end
-      puts
-
-      Certificate.by_issuance(order.certificate, csr)
-    end
-
-    def process_authorizations(authzs)
-      return if authzs.empty?
-
-      targets = authzs.map do |authz|
-        challenges = authz.challenges
-        challenge = nil
-        responder = config.challenge_responders.find do |x|
-          challenge = challenges.find { |c|
-            # OMG, acme-client might return a Hash instead of Acme::Client::Resources::Challenge::* object...
-            challenge_type = c.is_a?(Hash) ? c[:challenge_type] : c.challenge_type
-            x.support?(challenge_type)
-          }
-        end
-        {domain: authz.domain, authz: authz, responder: responder, responder_id: responder.__id__, challenge: challenge}
-      end
-      target_by_responders = targets.group_by{ |_| _.fetch(:responder_id) }.map { |_, ts| [ts[0].fetch(:responder), ts] }
-
-      begin
-        target_by_responders.each do |responder, ts|
-          puts "=> Responsing to the challenges for the following identifier:"
-          puts
-          puts " * Responder:   #{responder.class}"
-          puts " * Identifiers:"
-          ts.each do |target|
-            puts "     - #{target.fetch(:domain)} (#{target.fetch(:challenge).challenge_type})"
-          end
-          puts
-
-          responder.respond_all(*ts.map{ |t| [t.fetch(:domain), t.fetch(:challenge)] })
-        end
-
-        puts "=> Requesting validations..."
-        puts
-        targets.each do |target|
-          print " * #{target[:domain]} (#{target[:challenge].challenge_type}) ..."
-          target[:challenge].request_validation()
-          puts " [ ok ]"
-        end
-        puts
-
-        puts "=> Waiting for the validation..."
-        puts
-
-        loop do
-          all_valid = true
-          any_error = false
-          targets.each do |target|
-            next if target[:valid]
-
-            target[:challenge].reload
-            status = target[:challenge].status
-
-            puts " * [#{target[:domain]}] status: #{status}"
-
-            if status == 'valid'
-              target[:valid] = true
-              next
-            end
-
-            all_valid = false
-            if status == 'invalid'
-              any_error = true
-              err = target[:challenge].error
-              puts " ! [#{target[:domain]}] error: #{err.inspect}"
-            end
-          end
-          break if all_valid || any_error
-          sleep 3
-        end
-        puts
-
-        target_by_responders.each do |responder, ts|
-          puts "=> Cleaning the responses the challenges for the following identifier:"
-          puts
-          puts " * Responder:   #{responder.class}"
-          puts " * Identifiers:"
-          ts.each do |target|
-            puts "     - #{target.fetch(:domain)} (#{target.fetch(:challenge).challenge_type})"
-          end
-          puts
-
-          responder.cleanup_all(*ts.map{ |t| [t.fetch(:domain), t.fetch(:challenge)] })
-        end
-
-        puts "=> Authorized!"
-      end
-    end
 
     def config
       @config
@@ -296,7 +178,7 @@ module Acmesmith
     end
 
     def acme
-      @acme ||= Acme::Client.new(private_key: account_key.private_key, directory: config.fetch('directory'))
+      @acme ||= Acme::Client.new(private_key: account_key.private_key, directory: config.directory, connection_options: config.connection_options, bad_nonce_retry: config.bad_nonce_retry)
     end
 
     def certificate_key_passphrase

data/lib/acmesmith/config.rb

@@ -1,10 +1,13 @@
 require 'yaml'
 require 'acmesmith/storages'
 require 'acmesmith/challenge_responders'
+require 'acmesmith/challenge_responder_filter'
 require 'acmesmith/post_issuing_hooks'
 
 module Acmesmith
   class Config
+    ChallengeResponderRule = Struct.new(:challenge_responder, :filter, keyword_init: true)
+
     def self.load_yaml(path)
       new YAML.load_file(path)
     end
@@ -40,6 +43,18 @@ module Acmesmith
       @config.merge!(pair)
     end
 
+    def directory
+      @config.fetch('directory')
+    end
+
+    def connection_options
+      @config['connection_options'] || {}
+    end
+
+    def bad_nonce_retry
+      @config['bad_nonce_retry'] || 0
+    end
+
     def account_key_passphrase
       @config['account_key_passphrase']
     end
@@ -76,8 +91,14 @@ module Acmesmith
       @challenge_responders ||= begin
         specs = @config['challenge_responders'].kind_of?(Hash) ? @config['challenge_responders'].map { |k,v| [k => v] } : @config['challenge_responders']
         specs.flat_map do |specs_sub|
-          specs_sub.map do |k, v|
-            ChallengeResponders.find(k).new(**v.map{ |k_,v_| [k_.to_sym, v_]}.to_h)
+          specs_sub = specs_sub.dup
+          filter = (specs_sub.delete('filter') || {}).map { |k,v| [k.to_sym, v] }.to_h
+          specs_sub.map do |k,v|
+            responder = ChallengeResponders.find(k).new(**v.map{ |k_,v_| [k_.to_sym, v_]}.to_h)
+            ChallengeResponderRule.new(
+              challenge_responder: responder,
+              filter: ChallengeResponderFilter.new(responder, **filter),
+            )
           end
         end
       end