bullion 0.1.2 → 0.3.0

data/config.ru

@@ -2,11 +2,11 @@
 
 # \ -s puma
 
-require 'bullion'
+require "bullion"
 Bullion.validate_config!
 
-require 'prometheus/middleware/collector'
-require 'prometheus/middleware/exporter'
+require "prometheus/middleware/collector"
+require "prometheus/middleware/exporter"
 
 use Rack::ShowExceptions
 use Rack::Deflater
@@ -15,8 +15,8 @@ use Prometheus::Middleware::Exporter
 
 # Prometheus metrics are on /metrics
 mappings = {
-  '/ping' => Bullion::Services::Ping.new,
-  '/acme' => Bullion::Services::CA.new
+  "/ping" => Bullion::Services::Ping.new,
+  "/acme" => Bullion::Services::CA.new
 }
 
 run Rack::URLMap.new(mappings)

data/db/migrate/20210104060422_create_certificates.rb

@@ -10,7 +10,7 @@ class CreateCertificates < ActiveRecord::Migration[6.1]
       t.text :alternate_names
       t.string :requester
       t.boolean :validated, null: false, default: false, index: true
-      t.integer :serial, null: false, index: { unique: true }
+      t.bigint :serial, null: false, index: { unique: true }
 
       t.timestamps
     end

data/db/migrate/20210105060406_create_orders.rb

@@ -4,7 +4,7 @@
 class CreateOrders < ActiveRecord::Migration[6.1]
   def change
     create_table :orders do |t|
-      t.string :status, null: false, default: 'pending', index: true
+      t.string :status, null: false, default: "pending", index: true
       t.timestamp :expires, null: false, index: true
       t.text :identifiers, null: false
       t.timestamp :not_before, null: false

data/db/migrate/20210106052306_create_authorizations.rb

@@ -4,7 +4,7 @@
 class CreateAuthorizations < ActiveRecord::Migration[6.1]
   def change
     create_table :authorizations do |t|
-      t.string :status, null: false, default: 'pending', index: true
+      t.string :status, null: false, default: "pending", index: true
       t.timestamp :expires, null: false, index: true
       t.text :identifier, null: false
 

data/db/schema.rb

@@ -10,25 +10,24 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2021_01_06_060335) do
-
+ActiveRecord::Schema[7.0].define(version: 2021_01_06_060335) do
   create_table "accounts", force: :cascade do |t|
     t.boolean "tos_agreed", default: true, null: false
     t.text "public_key", null: false
     t.text "contacts", null: false
-    t.datetime "created_at", precision: 6, null: false
-    t.datetime "updated_at", precision: 6, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
     t.index ["public_key"], name: "index_accounts_on_public_key", unique: true
     t.index ["tos_agreed"], name: "index_accounts_on_tos_agreed"
   end
 
   create_table "authorizations", force: :cascade do |t|
     t.string "status", default: "pending", null: false
-    t.datetime "expires", null: false
+    t.datetime "expires", precision: nil, null: false
     t.text "identifier", null: false
     t.integer "order_id"
-    t.datetime "created_at", precision: 6, null: false
-    t.datetime "updated_at", precision: 6, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
     t.index ["expires"], name: "index_authorizations_on_expires"
     t.index ["order_id"], name: "index_authorizations_on_order_id"
     t.index ["status"], name: "index_authorizations_on_status"
@@ -41,9 +40,9 @@ ActiveRecord::Schema.define(version: 2021_01_06_060335) do
     t.text "alternate_names"
     t.string "requester"
     t.boolean "validated", default: false, null: false
-    t.integer "serial", null: false
-    t.datetime "created_at", precision: 6, null: false
-    t.datetime "updated_at", precision: 6, null: false
+    t.bigint "serial", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
     t.index ["csr_fingerprint"], name: "index_certificates_on_csr_fingerprint"
     t.index ["serial"], name: "index_certificates_on_serial", unique: true
     t.index ["subject"], name: "index_certificates_on_subject"
@@ -53,12 +52,12 @@ ActiveRecord::Schema.define(version: 2021_01_06_060335) do
   create_table "challenges", force: :cascade do |t|
     t.string "acme_type", null: false
     t.string "status", default: "pending", null: false
-    t.datetime "expires", null: false
+    t.datetime "expires", precision: nil, null: false
     t.string "token", null: false
-    t.datetime "validated"
+    t.datetime "validated", precision: nil
     t.integer "authorization_id"
-    t.datetime "created_at", precision: 6, null: false
-    t.datetime "updated_at", precision: 6, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
     t.index ["acme_type"], name: "index_challenges_on_acme_type"
     t.index ["authorization_id"], name: "index_challenges_on_authorization_id"
     t.index ["expires"], name: "index_challenges_on_expires"
@@ -67,21 +66,21 @@ ActiveRecord::Schema.define(version: 2021_01_06_060335) do
 
   create_table "nonces", force: :cascade do |t|
     t.string "token", null: false
-    t.datetime "created_at", precision: 6, null: false
-    t.datetime "updated_at", precision: 6, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
     t.index ["token"], name: "index_nonces_on_token", unique: true
   end
 
   create_table "orders", force: :cascade do |t|
     t.string "status", default: "pending", null: false
-    t.datetime "expires", null: false
+    t.datetime "expires", precision: nil, null: false
     t.text "identifiers", null: false
-    t.datetime "not_before", null: false
-    t.datetime "not_after", null: false
+    t.datetime "not_before", precision: nil, null: false
+    t.datetime "not_after", precision: nil, null: false
     t.integer "certificate_id"
     t.integer "account_id"
-    t.datetime "created_at", precision: 6, null: false
-    t.datetime "updated_at", precision: 6, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
     t.index ["account_id"], name: "index_orders_on_account_id"
     t.index ["certificate_id"], name: "index_orders_on_certificate_id"
     t.index ["expires"], name: "index_orders_on_expires"

data/lib/bullion/acme/error.rb

@@ -6,11 +6,11 @@ module Bullion
     class Error < Bullion::Error
       # @see https://tools.ietf.org/html/rfc8555#section-6.7
       def acme_type
-        'genericError'
+        "genericError"
       end
 
       def acme_preface
-        'urn:ietf:params:acme:error:'
+        "urn:ietf:params:acme:error:"
       end
 
       def acme_error
@@ -22,49 +22,49 @@ module Bullion
       # ACME exception for bad CSRs
       class BadCsr < Bullion::Acme::Error
         def acme_type
-          'badCSR'
+          "badCSR"
         end
       end
 
       # ACME exception for bad Nonces
       class BadNonce < Bullion::Acme::Error
         def acme_type
-          'badNonce'
+          "badNonce"
         end
       end
 
       # ACME exception for invalid contacts in accounts
       class InvalidContact < Bullion::Acme::Error
         def acme_type
-          'invalidContact'
+          "invalidContact"
         end
       end
 
       # ACME exception for invalid orders
       class InvalidOrder < Bullion::Acme::Error
         def acme_type
-          'invalidOrder'
+          "invalidOrder"
         end
       end
 
       # ACME exception for malformed requests
       class Malformed < Bullion::Acme::Error
         def acme_type
-          'malformed'
+          "malformed"
         end
       end
 
       # ACME exception for unsupported contacts in accounts
       class UnsupportedContact < Bullion::Acme::Error
         def acme_type
-          'unsupportedContact'
+          "unsupportedContact"
         end
       end
 
       # Non-standard exception for unsupported challenge types
       class UnsupportedChallengeType < Bullion::Acme::Error
         def acme_error
-          'urn:ietf:params:bullion:error:unsupportedChallengeType'
+          "urn:ietf:params:bullion:error:unsupportedChallengeType"
         end
       end
     end

data/lib/bullion/challenge_client.rb

@@ -5,7 +5,7 @@ module Bullion
   class ChallengeClient
     ChallengeClientMetric = Prometheus::Client::Histogram.new(
       :challenge_execution_seconds,
-      docstring: 'Challenge execution histogram in seconds',
+      docstring: "Challenge execution histogram in seconds",
       labels: %i[acme_type status]
     )
     MetricsRegistry.register(ChallengeClientMetric)
@@ -28,7 +28,7 @@ module Bullion
           success = perform
           if success
             LOGGER.info "Validated #{type} #{identifier}"
-            challenge.status = 'valid'
+            challenge.status = "valid"
             challenge.validated = Time.now
           else
             sleep rand(2..4)
@@ -38,7 +38,7 @@ module Bullion
 
       unless success
         LOGGER.info "Failed to validate #{type} #{identifier}"
-        challenge.status = 'invalid'
+        challenge.status = "invalid"
       end
 
       challenge.save
@@ -53,7 +53,7 @@ module Bullion
     # rubocop:enable Metrics/MethodLength
 
     def identifier
-      challenge.authorization.identifier['value']
+      challenge.authorization.identifier["value"]
     end
   end
 end

data/lib/bullion/challenge_clients/dns.rb

@@ -6,42 +6,57 @@ module Bullion
     # @see https://tools.ietf.org/html/rfc8555#section-8.4
     class DNS < ChallengeClient
       def type
-        'DNS01'
+        "DNS01"
       end
 
       def perform
         value = dns_value
-
-        digester = OpenSSL::Digest.new('SHA256')
-        digest   = digester.digest "#{challenge.token}.#{challenge.thumbprint}"
-        # clean up the digest output so it can match the provided challenge value
-        expected_value = Base64.urlsafe_encode64(digest).sub(/[\s=]*\z/, '')
+        expected_value = digest_value("#{challenge.token}.#{challenge.thumbprint}")
 
         value == expected_value
       end
 
+      def digest_value(string)
+        digester = OpenSSL::Digest.new("SHA256")
+        digest   = digester.digest(string)
+        # clean up the digest output so it can match the provided challenge value
+        Base64.urlsafe_encode64(digest).sub(/[\s=]*\z/, "")
+      end
+
       def dns_value
         name = "_acme-challenge.#{identifier}"
 
         # Randomly select a nameserver to pull the TXT record
         nameserver = NAMESERVERS.sample
 
-        begin
-          records = Resolv::DNS.open(nameserver: nameserver) do |dns|
-            dns.getresources(
-              name,
-              Resolv::DNS::Resource::IN::TXT
-            )
+        LOGGER.debug "Looking up #{name}"
+        records = records_for(name, nameserver)
+        raise "Failed to find records for #{name}" unless records
+
+        record = records.map(&:strings).flatten.first
+        LOGGER.debug "Resolved #{name} to value #{record}"
+        record
+      rescue Resolv::ResolvError
+        msg = ["Resolution error for #{name}"]
+        msg << "via #{nameserver}" if nameserver
+        LOGGER.info msg.join(" ")
+        false
+      rescue StandardError => e
+        msg = ["Error '#{e.message}' for #{name}"]
+        msg << "with #{nameserver}" if nameserver
+        LOGGER.warn msg.join(" ")
+        false
+      end
+
+      def records_for(name, nameserver = nil)
+        if nameserver
+          Resolv::DNS.open(nameserver:) do |dns|
+            dns.getresources(name, Resolv::DNS::Resource::IN::TXT)
+          end
+        else
+          Resolv::DNS.open do |dns|
+            dns.getresources(name, Resolv::DNS::Resource::IN::TXT)
           end
-          record = records.map(&:strings).flatten.first
-          LOGGER.debug "Resolved #{name} to value #{record}"
-          record
-        rescue Resolv::ResolvError
-          LOGGER.info "Resolution error for #{name} via #{nameserver}"
-          false
-        rescue StandardError => e
-          LOGGER.warn "Error '#{e.message}' for #{name} with #{nameserver}"
-          false
         end
       end
     end

data/lib/bullion/challenge_clients/http.rb

@@ -6,28 +6,32 @@ module Bullion
     # @see https://tools.ietf.org/html/rfc8555#section-8.3
     class HTTP < ChallengeClient
       def type
-        'HTTP01'
+        "HTTP01"
       end
 
       def perform
         response = begin
-          HTTParty.get(
-            challenge_url,
-            verify: false,
-            headers: { 'User-Agent' => "Bullion/#{Bullion::VERSION}" }
-          ).body
+          retrieve_body(challenge_url)
         rescue SocketError
           LOGGER.debug "Failed to connect to #{challenge_url}"
-          ''
+          ""
         end
 
-        token, thumbprint = response.split('.')
+        token, thumbprint = response.split(".")
         token == challenge.token && thumbprint == challenge.thumbprint
       end
 
       def challenge_url
         "http://#{identifier}/.well-known/acme-challenge/#{challenge.token}"
       end
+
+      def retrieve_body(url)
+        HTTParty.get(
+          url,
+          verify: false,
+          headers: { "User-Agent" => "Bullion/#{Bullion::VERSION}" }
+        ).body
+      end
     end
   end
 end

data/lib/bullion/helpers/acme.rb

@@ -17,7 +17,7 @@ module Bullion
 
         # check nonce
         if validate_nonce
-          nonce = Models::Nonce.where(token: @header_data['nonce']).first
+          nonce = Models::Nonce.where(token: @header_data["nonce"]).first
           raise Bullion::Acme::Errors::BadNonce unless nonce
 
           nonce.destroy
@@ -27,7 +27,7 @@ module Bullion
           @json_body[:protected],
           @json_body[:payload],
           @json_body[:signature]
-        ].join('.')
+        ].join(".")
 
         # Either use the provided key or find the current user's public key
         public_key = key || user_public_key
@@ -36,14 +36,14 @@ module Bullion
         compat_public_key = openssl_compat(public_key)
 
         # Validate the payload was signed with the private key for the public key
-        if @payload_data && @payload_data != ''
-          JWT.decode(jwt_data, compat_public_key, @header_data['alg'])
+        if @payload_data && @payload_data != ""
+          JWT.decode(jwt_data, compat_public_key, true, { algorithm: @header_data["alg"] })
         else
-          digest = digest_from_alg(@header_data['alg'])
+          digest = digest_from_alg(@header_data["alg"])
 
-          sig = if @header_data['alg'].downcase.start_with?('es')
+          sig = if @header_data["alg"].downcase.start_with?("es")
                   ecdsa_sig_to_der(signature)
-                elsif @header_data['alg'].downcase.start_with?('rs')
+                elsif @header_data["alg"].downcase.start_with?("rs")
                   Base64.urlsafe_decode64(signature)
                 end
 
@@ -65,7 +65,7 @@ module Bullion
       end
 
       def extract_payload_data
-        if @json_body[:payload] && @json_body[:payload] != ''
+        if @json_body[:payload] && @json_body[:payload] != ""
           JSON.parse(Base64.decode64(@json_body[:payload]))
         else
           @json_body[:payload]
@@ -73,52 +73,39 @@ module Bullion
       end
 
       def user_public_key
-        @user = if @header_data['kid']
-                  user_id = @header_data['kid'].split('/').last
+        @user = if @header_data["kid"]
+                  user_id = @header_data["kid"].split("/").last
                   return unless user_id
 
                   Models::Account.find(user_id)
                 else
-                  Models::Account.where(public_key: @header_data['jwk']).last
+                  Models::Account.where(public_key: @header_data["jwk"]).last
                 end
 
         @user.public_key
       end
 
-      def extract_csr_attrs(csr)
-        csr.attributes.select { |a| a.oid == 'extReq' }.map { |a| a.value.map(&:value) }
-      end
-
-      def extract_csr_sans(csr_attrs)
-        csr_attrs.flatten.select { |a| a.value.first.value == 'subjectAltName' }
-      end
-
-      def extract_csr_domains(csr_sans)
-        csr_decoded_sans = OpenSSL::ASN1.decode(csr_sans.first.value[1].value)
-        csr_decoded_sans.select { |v| v.tag == 2 }.map(&:value)
-      end
-
       # Validation helpers
 
       def validate_account_data(hash)
-        unless [true, false, nil].include?(hash['onlyReturnExisting'])
+        unless [true, false, nil].include?(hash["onlyReturnExisting"])
           raise Bullion::Acme::Errors::Malformed,
-                "Invalid onlyReturnExisting: #{hash['onlyReturnExisting']}"
+                "Invalid onlyReturnExisting: #{hash["onlyReturnExisting"]}"
         end
 
-        unless hash['contact'].is_a?(Array)
+        unless hash["contact"].is_a?(Array)
           raise Bullion::Acme::Errors::InvalidContact,
-                "Invalid contacts format: #{hash['contact'].class}, #{hash}"
+                "Invalid contacts format: #{hash["contact"].class}, #{hash}"
         end
 
-        unless hash['contact'].size.positive?
+        unless hash["contact"].size.positive?
           raise Bullion::Acme::Errors::InvalidContact,
-                'Empty contacts list'
+                "Empty contacts list"
         end
 
         # Contacts must be a valid email
         # TODO: find a better email verification approach
-        unless hash['contact'].reject { |c| c.match?(/^mailto:[a-zA-Z0-9@.+-]{3,}/) }.empty?
+        unless hash["contact"].grep_v(/^mailto:[a-zA-Z0-9@.+-]{3,}/).empty?
           raise Bullion::Acme::Errors::UnsupportedContact
         end
 
@@ -131,31 +118,34 @@ module Bullion
         csr_domains = extract_csr_domains(csr_sans)
         csr_cn = cn_from_csr(csr)
 
-        order_domains = order.identifiers.map { |i| i['value'] }
+        order_domains = order.identifiers.map { |i| i["value"] }
+
+        # Make sure the CSR has a valid public key
+        raise Bullion::Acme::Errors::BadCsr unless csr.verify(csr.public_key)
 
-        return false unless order.status == 'ready'
-        raise Bullion::Acme::Errors::BadCSR unless csr_domains.include?(csr_cn)
-        raise Bullion::Acme::Errors::BadCSR unless csr_domains.sort == order_domains.sort
+        return false unless order.status == "ready"
+        raise Bullion::Acme::Errors::BadCsr unless csr_domains.include?(csr_cn)
+        raise Bullion::Acme::Errors::BadCsr unless csr_domains.sort == order_domains.sort
 
         true
       end
 
       def validate_order(hash)
-        validate_order_nb_and_na(hash['notBefore'], hash['notAfter'])
+        validate_order_nb_and_na(hash["notBefore"], hash["notAfter"])
 
         # Don't approve empty orders
-        raise Bullion::Acme::Errors::InvalidOrder, 'Empty order!' if hash['identifiers'].empty?
+        raise Bullion::Acme::Errors::InvalidOrder, "Empty order!" if hash["identifiers"].empty?
 
-        order_domains = hash['identifiers'].select { |ident| ident['type'] == 'dns' }
+        order_domains = hash["identifiers"].select { |ident| ident["type"] == "dns" }
 
         # Don't approve an order with identifiers that _aren't_ of type 'dns'
-        unless hash['identifiers'] == order_domains
+        unless hash["identifiers"] == order_domains
           raise Bullion::Acme::Errors::InvalidOrder, 'Only type "dns" allowed'
         end
 
         # Extract domains that end with something in our allowed domains list
         valid_domains = order_domains.reject do |domain|
-          endings = CA_DOMAINS.select { |d| domain['value'].end_with?(d) }
+          endings = CA_DOMAINS.select { |d| domain["value"].end_with?(d) }
           endings.empty?
         end
 

data/lib/bullion/helpers/service.rb

@@ -5,8 +5,8 @@ module Bullion
     # Sinatra service helper methods
     module Service
       def add_acme_headers(nonce, additional: {})
-        headers['Replay-Nonce'] = nonce
-        headers['Link'] = "<#{uri('/directory')}>;rel=\"index\""
+        headers["Replay-Nonce"] = nonce
+        headers["Link"] = "<#{uri("/directory")}>;rel=\"index\""
 
         additional.each do |name, value|
           headers[name.to_s] = value.to_s