bullion 0.1.3 → 0.3.1

data/lib/bullion/helpers/ssl.rb

@@ -6,24 +6,24 @@ module Bullion
     module Ssl
       # Converts the incoming key data to an OpenSSL public key usable to verify JWT signatures
       def openssl_compat(key_data)
-        case key_data['kty']
-        when 'RSA'
+        case key_data["kty"]
+        when "RSA"
           key_data_to_rsa(key_data)
-        when 'EC'
+        when "EC"
           key_data_to_ecdsa(key_data)
         end
       end
 
       def openssl_compat_csr(csrdata)
         "-----BEGIN CERTIFICATE REQUEST-----\n" \
-        "#{csrdata}-----END CERTIFICATE REQUEST-----"
+          "#{csrdata}-----END CERTIFICATE REQUEST-----"
       end
 
       # @see https://tools.ietf.org/html/rfc7518#page-30
       def key_data_to_rsa(key_data)
         key = OpenSSL::PKey::RSA.new
-        exponent = key_data['e']
-        modulus = key_data['n']
+        exponent = key_data["e"]
+        modulus = key_data["n"]
 
         key.set_key(
           base64_to_long(modulus),
@@ -35,14 +35,14 @@ module Bullion
 
       def key_data_to_ecdsa(key_data)
         crv_mapping = {
-          'P-256' => 'prime256v1',
-          'P-384' => 'secp384r1',
-          'P-521' => 'secp521r1'
+          "P-256" => "prime256v1",
+          "P-384" => "secp384r1",
+          "P-521" => "secp521r1"
         }
 
-        key = OpenSSL::PKey::EC.new(crv_mapping[key_data['crv']])
-        x = base64_to_octet(key_data['x'])
-        y = base64_to_octet(key_data['y'])
+        key = OpenSSL::PKey::EC.new(crv_mapping[key_data["crv"]])
+        x = base64_to_octet(key_data["x"])
+        y = base64_to_octet(key_data["y"])
 
         key_bn = OpenSSL::BN.new("\x04#{x}#{y}", 2)
         key.public_key = OpenSSL::PKey::EC::Point.new(key.group, key_bn)
@@ -50,7 +50,7 @@ module Bullion
       end
 
       def base64_to_long(data)
-        Base64.urlsafe_decode64(data).to_s.unpack('C*').map do |byte|
+        Base64.urlsafe_decode64(data).to_s.unpack("C*").map do |byte|
           to_hex(byte)
         end.join.to_i(16)
       end
@@ -60,12 +60,12 @@ module Bullion
       end
 
       def digest_from_alg(alg)
-        if alg.end_with?('256')
-          OpenSSL::Digest.new('SHA256')
-        elsif alg.end_with?('384')
-          OpenSSL::Digest.new('SHA384')
+        if alg.end_with?("256")
+          OpenSSL::Digest.new("SHA256")
+        elsif alg.end_with?("384")
+          OpenSSL::Digest.new("SHA384")
         else
-          OpenSSL::Digest.new('SHA512')
+          OpenSSL::Digest.new("SHA512")
         end
       end
 
@@ -78,7 +78,7 @@ module Bullion
         r = joined_ints[0..31]
         s = joined_ints[32..]
         # Unpack each word to a hex string
-        hexnums = [r, s].map { |n| n.unpack1('H*') }
+        hexnums = [r, s].map { |n| n.unpack1("H*") }
         # Convert each to an Integer
         ints = hexnums.map { |bn| bn.to_i(16) }
         # Convert each Integer to a BigNumber
@@ -96,7 +96,7 @@ module Bullion
       end
 
       def simple_subject(common_name)
-        OpenSSL::X509::Name.new([['CN', common_name, OpenSSL::ASN1::UTF8STRING]])
+        OpenSSL::X509::Name.new([["CN", common_name, OpenSSL::ASN1::UTF8STRING]])
       end
 
       def manage_csr_extensions(csr, new_cert)
@@ -105,16 +105,16 @@ module Bullion
         ef.subject_certificate = new_cert
         ef.issuer_certificate = Bullion.ca_cert
         new_cert.add_extension(
-          ef.create_extension('basicConstraints', 'CA:FALSE', true)
+          ef.create_extension("basicConstraints", "CA:FALSE", true)
         )
         new_cert.add_extension(
-          ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature', true)
+          ef.create_extension("keyUsage", "keyEncipherment,dataEncipherment,digitalSignature", true)
         )
         new_cert.add_extension(
-          ef.create_extension('subjectKeyIdentifier', 'hash')
+          ef.create_extension("subjectKeyIdentifier", "hash")
         )
         new_cert.add_extension(
-          ef.create_extension('extendedKeyUsage', 'serverAuth')
+          ef.create_extension("extendedKeyUsage", "serverAuth")
         )
 
         # Alternate Names
@@ -122,7 +122,7 @@ module Bullion
         existing_sans = filter_sans(csr_sans(csr))
         valid_alts = (["DNS:#{cn}"] + [*existing_sans]).uniq
 
-        new_cert.add_extension(ef.create_extension('subjectAltName', valid_alts.join(',')))
+        new_cert.add_extension(ef.create_extension("subjectAltName", valid_alts.join(",")))
 
         # return the updated cert and any subject alternate names added
         [new_cert, valid_alts]
@@ -132,7 +132,7 @@ module Bullion
         raw_attributes = csr.attributes
         return [] unless raw_attributes
 
-        seq = extract_csr_seq(raw_attributes)
+        seq = extract_csr_attrs(csr)
         return [] unless seq
 
         values = extract_san_values(seq)
@@ -143,37 +143,45 @@ module Bullion
         values.select { |v| v.tag == 2 }.map { |v| "DNS:#{v.value}" }
       end
 
-      def extract_csr_attrs(attrs)
-        attrs.select { |a| a.oid == 'extReq' }.map(&:value).first
+      def extract_csr_attrs(csr)
+        csr.attributes.select { |a| a.oid == "extReq" }.map { |a| a.value.map(&:value) }
+      end
+
+      def extract_csr_sans(csr_attrs)
+        csr_attrs.flatten.select { |a| a.value.first.value == "subjectAltName" }
+      end
+
+      def extract_csr_domains(csr_sans)
+        csr_decoded_sans = OpenSSL::ASN1.decode(csr_sans.first.value[1].value)
+        csr_decoded_sans.select { |v| v.tag == 2 }.map(&:value)
       end
 
       def extract_san_values(sequence)
+        unpacked_sequence = sequence
+        unpacked_sequence = unpacked_sequence.first while unpacked_sequence.first.is_a?(Array)
         seqvalues = nil
-        sequence.value.each do |v|
-          v.each do |innerv|
-            if innerv.value[0].value == 'subjectAltName'
-              seqvalues = innerv.value[1].value
-              break
-            end
-            break if seqvalues
-          end
+        unpacked_sequence.each do |outer_value|
+          seqvalues = outer_value.value[1].value if outer_value.value[0].value == "subjectAltName"
+          break if seqvalues
         end
         seqvalues
       end
 
       def filter_sans(potential_sans)
         # Select only those that are part of the appropriate domain
-        potential_sans.select { |alt| alt.match(/#{CA_DOMAIN}$/) }
+        potential_sans.select do |alt|
+          CA_DOMAINS.filter_map { |domain| alt.end_with?(".#{domain}") }.any?
+        end
       end
 
       def cn_from_csr(csr)
         if csr.subject.to_s
-          cns = csr.subject.to_s.split('/').select { |name| name =~ /^CN=/ }
+          cns = csr.subject.to_s.split("/").grep(/^CN=/)
 
-          return cns.first.split('=').last if cns && !cns.empty?
+          return cns.first.split("=").last if cns && !cns.empty?
         end
 
-        csr_sans(csr).first.split(':').last
+        csr_sans(csr).first.split(":").last
       end
 
       # Signs an ACME CSR
@@ -191,14 +199,14 @@ module Bullion
         # Force a subject if the cert doesn't have one
         cert.subject = simple_subject(cn_from_csr(csr)) unless cert.subject
 
-        csr_cert.subject = cert.subject.to_s
+        csr_cert.subject = simple_subject(cert.subject.to_s)
 
         csr_cert.public_key = csr.public_key
         csr_cert.issuer = Bullion.ca_cert.issuer
 
         csr_cert, sans = manage_csr_extensions(csr, csr_cert)
 
-        csr_cert.sign(Bullion.ca_key, OpenSSL::Digest.new('SHA256'))
+        csr_cert.sign(Bullion.ca_key, OpenSSL::Digest.new("SHA256"))
 
         cert.data = csr_cert.to_pem
         cert.alternate_names = sans unless sans.empty?

data/lib/bullion/models/account.rb

@@ -4,8 +4,8 @@ module Bullion
   module Models
     # ACMEv2 Account model
     class Account < ActiveRecord::Base
-      serialize :contacts, Array
-      serialize :public_key, Hash
+      serialize :contacts, JSON
+      serialize :public_key, JSON
 
       validates_uniqueness_of :public_key
 
@@ -20,7 +20,7 @@ module Bullion
         order.not_before = not_before if not_before
         order.not_after = not_after if not_after
         order.account = self
-        order.status = 'pending'
+        order.status = "pending"
         order.identifiers = identifiers
         order.save
 

data/lib/bullion/models/authorization.rb

@@ -4,7 +4,7 @@ module Bullion
   module Models
     # ACMEv2 Authorization model
     class Authorization < ActiveRecord::Base
-      serialize :identifier, Hash
+      serialize :identifier, JSON
 
       after_initialize :init_values, unless: :persisted?
 

data/lib/bullion/models/certificate.rb

@@ -4,14 +4,14 @@ module Bullion
   module Models
     # SSL Certificate model
     class Certificate < ActiveRecord::Base
-      serialize :alternate_names
+      serialize :alternate_names, JSON
 
       after_initialize :init_values, unless: :persisted?
 
       validates_presence_of :subject
 
       def init_values
-        self.serial ||= SecureRandom.hex(8).to_i(16)
+        self.serial ||= SecureRandom.hex(4).to_i(16)
       end
 
       def fingerprint
@@ -19,7 +19,7 @@ module Bullion
       end
 
       def cn
-        subject.split('/').select { |name| name =~ /^CN=/ }.first.split('=').last
+        subject.split("/").grep(/^CN=/).first.split("=").last
       end
 
       def self.from_csr(csr)

data/lib/bullion/models/challenge.rb

@@ -11,22 +11,29 @@ module Bullion
       validates :acme_type, inclusion: { in: %w[http-01 dns-01] }
       validates :status, inclusion: { in: %w[invalid pending processing valid] }
 
+      scope :dns01, -> { where(acme_type: "dns-01") }
+      scope :http01, -> { where(acme_type: "http-01") }
+
+      def identifier
+        authorization.identifier["value"]
+      end
+
       def init_values
         self.expires ||= Time.now + (60 * 60)
         self.token ||= SecureRandom.alphanumeric(48)
       end
 
       def thumbprint
-        cipher = OpenSSL::Digest.new('SHA256')
+        cipher = OpenSSL::Digest.new("SHA256")
         cipher.hexdigest authorization.order.account.public_key.to_json
       end
 
       def client
         case acme_type
-        when 'dns-01'
-          ChallengeClients::DNS.new(self)
-        when 'http-01'
-          ChallengeClients::HTTP.new(self)
+        when "dns-01"
+          DNS_CHALLENGE_CLIENT.new(self)
+        when "http-01"
+          HTTP_CHALLENGE_CLIENT.new(self)
         else
           raise Bullion::Acme::Errors::UnsupportedChallengeType,
                 "Challenge type '#{acme_type}' is not supported by Bullion."

data/lib/bullion/models/nonce.rb

@@ -15,7 +15,7 @@ module Bullion
       # Delete old nonces
       def self.clean_up!
         # nonces older than this can safely be deleted
-        where('created_at < ?', Time.now - 86_400).delete_all
+        where("created_at < ?", Time.now - 86_400).delete_all
       end
     end
   end

data/lib/bullion/models/order.rb

@@ -4,7 +4,7 @@ module Bullion
   module Models
     # ACMEv2 Order model
     class Order < ActiveRecord::Base
-      serialize :identifiers, Array
+      serialize :identifiers, JSON
 
       after_initialize :init_values, unless: :persisted?
 

data/lib/bullion/models.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-require 'bullion/models/account'
-require 'bullion/models/authorization'
-require 'bullion/models/certificate'
-require 'bullion/models/challenge'
-require 'bullion/models/nonce'
-require 'bullion/models/order'
+require "bullion/models/account"
+require "bullion/models/authorization"
+require "bullion/models/certificate"
+require "bullion/models/challenge"
+require "bullion/models/nonce"
+require "bullion/models/order"

data/lib/bullion/rspec/challenge_clients/dns.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Bullion
+  module RSpec
+    module ChallengeClients
+      # A test DNS challenge client resolver for RSpec
+      class DNS < ::Bullion::ChallengeClients::DNS
+        FakeDNSRecord = Struct.new("FakeDNSRecord", :strings)
+
+        def records_for(name, _nameserver = nil)
+          return [] unless name == "_acme-challenge.#{identifier}"
+
+          [
+            FakeDNSRecord.new(
+              digest_value("#{challenge.token}.#{challenge.thumbprint}")
+            )
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/bullion/rspec/challenge_clients/http.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Bullion
+  module RSpec
+    module ChallengeClients
+      # A test HTTP challenge client resolver for RSpec
+      class HTTP < ::Bullion::ChallengeClients::HTTP
+        def retrieve_body(url)
+          return "" unless url == "http://#{identifier}/.well-known/acme-challenge/#{challenge.token}"
+
+          "#{challenge.token}.#{challenge.thumbprint}"
+        end
+      end
+    end
+  end
+end

data/lib/bullion/service.rb

@@ -15,12 +15,13 @@ module Bullion
 
     before do
       # Sets up a useful variable (@json_body) for accessing a parsed request body
-      if request.content_type&.include?('json') && !request.body.to_s.empty?
+      if request.content_type&.include?("json") && !request.body.read.empty?
+        p request.body
         request.body.rewind
         @json_body = JSON.parse(request.body.read, symbolize_names: true)
       end
     rescue StandardError => e
-      halt(400, { error: "Request must be JSON: #{e.message}" }.to_json)
+      halt(400, { error: "Request must be JSON: #{e.message}}" }.to_json)
     end
   end
 end