acmesmith 2.5.0 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 18161ba6306c7d98accbbdfdec37599c67c8ba6e3d84a75e2ce52dc7cf2561b6
-  data.tar.gz: 4fdb29425b0e3a9c998bd86ad755c46dd01244936d718531309ebac17d57e4bb
+  metadata.gz: 914be0de4c237bcd0db59a908f8ce70c3f7b364bb2ab0ac25b6e26ff95ecd7bc
+  data.tar.gz: 14b96550d4ef0274d1546e78b5121c6b9356e9c71e479a4ed17b4d9ff8fc669e
 SHA512:
-  metadata.gz: 292b84e68ccaa7e7e3f946cdd7e3caaf281155085cd1813e2e4903f8a9737c67b35e8dd8b46ba95fa023865b6e329cd3be923da54a48f6220148d0cfa086e719
-  data.tar.gz: 8c25c548b5c4dcc11afe50279773f9991f22f750b2ea23fbe7be5f38f8e7ece8d04dec7c2705d11c7ecaebdad7669c77fe1af9178f4bfda2d55f8ca4197167c6
+  metadata.gz: ce305e972fcb06a4bc97b2ceea2177cd759601c55064dd5e22ea15b0981ea838e7c11d8e5401d08c41ec1f249cfa0d7a6489f67b2c3e52cc8d67bd1871d77e69
+  data.tar.gz: dfabb130f347dc7829cbaad1b5de6aca553dfedc7172d53d163736baee2b07b00124ef7f5f31d9270df660f4b9381b05ed6ca6cfa2e9a96163f25d6fa2d83286

data/.github/workflows/build.yml

@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.7', '3.0', '3.1']
+        ruby-version: ['3.0', '3.1', '3.2']
     container:
       image: public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev
     steps:
@@ -40,7 +40,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ['2.7', '3.0', '3.1']
+        ruby-version: ['3.0', '3.1', '3.2']
 
         # FIXME: once GitHub Actions gains support of adding command line arguments to container
       #    services:

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## v2.6.0 (2023-10-05)
+
+### Enhancement
+
+- order: Gains `--key-type`, `--rsa-key-size`, `--elliptic-curve` options to customize private key generation, and generating EC keys. [#58](https://github.com/sorah/acmesmith/pull/58)
+- autorenew: Respect the existing key configuration when regenerating a fresh key pair for renewal.  [#58](https://github.com/sorah/acmesmith/pull/58)
+
 ## v2.5.0 (2020-10-09)
 
 ### Enhancement

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM sorah/ruby:2.7-dev as builder
+FROM sorah/ruby:3.2-dev as builder
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient-dev git-core \
@@ -12,7 +12,7 @@ RUN sed -i -e 's|Acmesmith::VERSION|"0.0.0"|g' -e '/^require.*acmesmith.version/
 
 RUN bundle install --path /gems --jobs 100 --without development
 
-FROM sorah/ruby:2.7
+FROM sorah/ruby:3.2
 
 #RUN apt-get update \
 #    && apt-get install -y libmysqlclient20 \

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    acmesmith (2.5.0)
+    acmesmith (2.6.0)
       acme-client (>= 2.0.7, < 3)
       aws-sdk-acm
       aws-sdk-route53
@@ -11,43 +11,46 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.11)
+    acme-client (2.0.14)
       faraday (>= 1.0, < 3.0.0)
-      faraday-retry (~> 1.0)
+      faraday-retry (>= 1.0, < 3.0.0)
     aws-eventstream (1.2.0)
-    aws-partitions (1.644.0)
-    aws-sdk-acm (1.52.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-partitions (1.832.0)
+    aws-sdk-acm (1.62.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.159.0)
+    aws-sdk-core (3.185.0)
       aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.525.0)
-      aws-sigv4 (~> 1.1)
+      aws-partitions (~> 1, >= 1.651.0)
+      aws-sigv4 (~> 1.5)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.58.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-kms (1.72.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-route53 (1.65.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-route53 (1.79.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.114.0)
-      aws-sdk-core (~> 3, >= 3.127.0)
+    aws-sdk-s3 (1.136.0)
+      aws-sdk-core (~> 3, >= 3.181.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.4)
-    aws-sigv4 (1.5.2)
+      aws-sigv4 (~> 1.6)
+    aws-sigv4 (1.6.0)
       aws-eventstream (~> 1, >= 1.0.2)
+    base64 (0.1.1)
     diff-lcs (1.4.4)
-    faraday (2.6.0)
+    faraday (2.7.11)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.1)
-    faraday-retry (1.0.3)
-    jmespath (1.6.1)
-    mini_portile2 (2.8.0)
-    nokogiri (1.13.3)
+    faraday-net_http (3.0.2)
+    faraday-retry (2.2.0)
+      faraday (~> 2.0)
+    jmespath (1.6.2)
+    mini_portile2 (2.8.1)
+    nokogiri (1.14.3)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    racc (1.6.0)
+    racc (1.6.2)
     rake (13.0.6)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
@@ -63,7 +66,7 @@ GEM
       rspec-support (~> 3.10.0)
     rspec-support (3.10.2)
     ruby2_keywords (0.0.5)
-    thor (1.2.1)
+    thor (1.2.2)
 
 PLATFORMS
   ruby

data/lib/acmesmith/certificate.rb

@@ -25,7 +25,7 @@ module Acmesmith
 
     # @param certificate [OpenSSL::X509::Certificate, String]
     # @param chain [String, Array<String>, Array<OpenSSL::X509::Certificate>]
-    # @param private_key [String, OpenSSL::PKey::RSA]
+    # @param private_key [String, OpenSSL::PKey::PKey]
     # @param key_passphrase [String, nil]
     # @param csr [String, OpenSSL::X509::Request, nil]
     def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
@@ -66,15 +66,15 @@ module Acmesmith
           self.key_passphrase = key_passphrase
         else
           begin
-            @private_key = OpenSSL::PKey::RSA.new(@raw_private_key) { nil }
-          rescue OpenSSL::PKey::RSAError
+            @private_key = OpenSSL::PKey.read(@raw_private_key) { nil }
+          rescue OpenSSL::PKey::PKeyError
             # may be encrypted
           end
         end
-      when OpenSSL::PKey::RSA
+      when OpenSSL::PKey::PKey
         @private_key = private_key
       else
-        raise TypeError, 'private_key is expected to be a String or OpenSSL::PKey::RSA'
+        raise TypeError, 'private_key is expected to be a String or OpenSSL::PKey::PKey'
       end
 
       @csr = case csr
@@ -100,19 +100,24 @@ module Acmesmith
     def key_passphrase=(pw)
       raise PrivateKeyDecrypted, 'private_key already given' if @private_key
 
-      @private_key = OpenSSL::PKey::RSA.new(@raw_private_key, pw)
+      @private_key = OpenSSL::PKey.read(@raw_private_key, pw)
 
       @raw_private_key = nil
       nil
     end
 
-    # @return [OpenSSL::PKey::RSA]
+    # @return [OpenSSL::PKey::PKey]
     # @raise [PassphraseRequired] if private_key is not yet decrypted
     def private_key
       return @private_key if @private_key
       raise PassphraseRequired, 'key_passphrase required'
     end
 
+    # @return [OpenSSL::PKey::PKey]
+    def public_key
+      @certificate.public_key
+    end
+
     # @return [String] leaf certificate + full certificate chain
     def fullchain
       "#{certificate.to_pem}\n#{issuer_pems}".gsub(/\n+/,?\n)

data/lib/acmesmith/client.rb

@@ -21,27 +21,9 @@ module Acmesmith
       key
     end
 
-    def order(*identifiers, not_before: nil, not_after: nil)
-      order = OrderingService.new(
-        acme: acme,
-        identifiers: identifiers,
-        challenge_responder_rules: config.challenge_responders,
-        chain_preferences: config.chain_preferences,
-        not_before: not_before,
-        not_after: not_after
-      )
-      order.perform!
-      cert = order.certificate
-
-      puts
-      print " * securing into the storage ..."
-      storage.put_certificate(cert, certificate_key_passphrase)
-      puts " [ ok ]"
-      puts
-
-      execute_post_issue_hooks(cert)
-
-      cert
+    def order(*identifiers, key_type: 'rsa', rsa_key_size: 2048, elliptic_curve: 'prime256v1', not_before: nil, not_after: nil)
+      private_key = generate_private_key(key_type: key_type, rsa_key_size: rsa_key_size, elliptic_curve: elliptic_curve)
+      order_with_private_key(*identifiers, private_key: private_key, not_before: not_before, not_after: not_after)
     end
 
     def authorize(*identifiers)
@@ -149,7 +131,7 @@ module Acmesmith
         puts "   Not valid after: #{not_after}"
         next unless (cert.certificate.not_after.utc - Time.now.utc) < (days.to_i * 86400)
         puts " * Renewing: CN=#{cert.common_name}, SANs=#{cert.sans.join(',')}"
-        order(cert.common_name, *cert.sans)
+        order_with_private_key(cert.common_name, *cert.sans, private_key: regenerate_private_key(cert.public_key))
       end
     end
 
@@ -158,7 +140,7 @@ module Acmesmith
       cert = storage.get_certificate(common_name)
       sans = cert.sans + add_sans
       puts " * SANs will be: #{sans.join(?,)}"
-      order(cert.common_name, *sans)
+      order_with_private_key(cert.common_name, *sans, private_key: regenerate_private_key(cert.public_key))
     end
 
     private
@@ -197,5 +179,52 @@ module Acmesmith
         config['account_key_passphrase']
       end
     end
+
+    def order_with_private_key(*identifiers, private_key:, not_before: nil, not_after: nil)
+      order = OrderingService.new(
+        acme: acme,
+        identifiers: identifiers,
+        private_key: private_key,
+        challenge_responder_rules: config.challenge_responders,
+        chain_preferences: config.chain_preferences,
+        not_before: not_before,
+        not_after: not_after
+      )
+      order.perform!
+      cert = order.certificate
+
+      puts
+      print " * securing into the storage ..."
+      storage.put_certificate(cert, certificate_key_passphrase)
+      puts " [ ok ]"
+      puts
+
+      execute_post_issue_hooks(cert)
+
+      cert
+    end
+
+    def generate_private_key(key_type:, rsa_key_size:, elliptic_curve:)
+      case key_type
+      when 'rsa'
+        OpenSSL::PKey::RSA.generate(rsa_key_size)
+      when 'ec'
+        OpenSSL::PKey::EC.generate(elliptic_curve)
+      else
+        raise ArgumentError, "Key type #{key_type} is not supported"
+      end
+    end
+
+    # Generate a new key pair with the same type and key size / curve as existing one
+    def regenerate_private_key(template)
+      case template
+      when OpenSSL::PKey::RSA
+        OpenSSL::PKey::RSA.generate(template.n.num_bits)
+      when OpenSSL::PKey::EC
+        OpenSSL::PKey::EC.generate(template.group)
+      else
+        raise ArgumentError, "Unknown key type: #{template.class}"
+      end
+    end
   end
 end

data/lib/acmesmith/command.rb

@@ -32,8 +32,16 @@ module Acmesmith
 
     desc "order COMMON_NAME [SAN]", "order certificate for CN +COMMON_NAME+ with SANs +SAN+"
     method_option :show_certificate, type: :boolean, aliases: %w(-s), default: true, desc: 'show an issued certificate in PEM and text when exiting'
+    method_option :key_type, type: :string, enum: %w(rsa ec), default: 'rsa', desc: 'key type'
+    method_option :rsa_key_size, type: :numeric, default: 2048, desc: 'size of RSA key'
+    method_option :elliptic_curve, type: :string, default: 'prime256v1', desc: 'elliptic curve group for EC key'
     def order(common_name, *sans)
-      cert = client.order(common_name, *sans)
+      cert = client.order(
+        common_name, *sans,
+        key_type: options[:key_type],
+        rsa_key_size: options[:rsa_key_size],
+        elliptic_curve: options[:elliptic_curve],
+      )
       if options[:show_certificate]
         puts cert.certificate.to_text
         puts cert.certificate.to_pem

data/lib/acmesmith/ordering_service.rb

@@ -8,20 +8,22 @@ module Acmesmith
 
     # @param acme [Acme::Client] ACME client
     # @param identifiers [Array<String>] Array of domain names for a ordering certificate. The first item will be a common name.
+    # @param private_key [OpenSSL::PKey::PKey] Private key
     # @param challenge_responder_rules [Array<Acmesmith::Config::ChallengeResponderRule>] responders
     # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>] chain_preferences
     # @param not_before [Time]
     # @param not_after [Time]
-    def initialize(acme:, identifiers:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
+    def initialize(acme:, identifiers:, private_key:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
       @acme = acme
       @identifiers = identifiers
+      @private_key = private_key
       @challenge_responder_rules = challenge_responder_rules
       @chain_preferences = chain_preferences
       @not_before = not_before
       @not_after = not_after
     end
 
-    attr_reader :acme, :identifiers, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
+    attr_reader :acme, :identifiers, :private_key, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
 
     def perform!
       puts "=> Ordering a certificate for the following identifiers:"
@@ -107,7 +109,7 @@ module Acmesmith
 
     # @return [Acme::Client::CertificateRequest]
     def csr
-      @csr ||= Acme::Client::CertificateRequest.new(subject: { common_name: common_name }, names: sans)
+      @csr ||= Acme::Client::CertificateRequest.new(subject: { common_name: common_name }, names: sans, private_key: private_key)
     end
   end
 end

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "2.5.0"
+  VERSION = "2.6.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.6.0
 platform: ruby
 authors:
 - Sorah Fukumori
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-08 00:00:00.000000000 Z
+date: 2023-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -215,7 +215,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.0.dev
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server