bullion 0.11.0 → 0.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.release-please-manifest.json +1 -1
- data/CHANGELOG.md +13 -0
- data/Gemfile.lock +1 -1
- data/Rakefile +1 -0
- data/lib/bullion/helpers/acme.rb +2 -2
- data/lib/bullion/helpers/ssl.rb +30 -26
- data/lib/bullion/version.rb +1 -1
- data/lib/bullion.rb +6 -1
- data/scripts/docker-entrypoint.sh +0 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8821e563a9452dbd524f1bdfbd2f944ee4a3d0c071e57bab6d5f9b2c61e18555
|
|
4
|
+
data.tar.gz: d31913ae560676de68a57ea6aa308126a6d3c92c7a3da69d4d882e032ed56196
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4bcabcb78421e92a48fbd5485631de98bee3bf0d4452ba5d9c08eb04d34ac171934b073e0a441b5dc95aeeb353765a5445188ca7011b98d3e2f376d130aaf2d4
|
|
7
|
+
data.tar.gz: 5541be539b018f62d1e466e51ada7985f5e37ee460eb98c4e344f79c443aa60fa3f8b2bf1d26d169a15c0b8efef38c7523c4023a416436e85654b585a5fcae6c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,18 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [0.11.1](https://github.com/jgnagy/bullion/compare/bullion/v0.11.0...bullion/v0.11.1) (2025-08-24)
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
### Features
|
|
7
|
+
|
|
8
|
+
* add support for ECDSA CAs ([49b752e](https://github.com/jgnagy/bullion/commit/49b752ef6fde2b0543b59fb1c5977073f21b6731))
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
### Bug Fixes
|
|
12
|
+
|
|
13
|
+
* improve detection of SANS for cert-manager ([605f80d](https://github.com/jgnagy/bullion/commit/605f80d97135727ab9a962d6c3078b2b4a74b533))
|
|
14
|
+
* loading required bigdecimal gem ([98d1668](https://github.com/jgnagy/bullion/commit/98d1668da600bba890dd0eb035af4a363fa79eef))
|
|
15
|
+
|
|
3
16
|
## [0.11.0](https://github.com/jgnagy/bullion/compare/bullion/v0.10.3...bullion/v0.11.0) (2025-08-23)
|
|
4
17
|
|
|
5
18
|
|
data/Gemfile.lock
CHANGED
data/Rakefile
CHANGED
data/lib/bullion/helpers/acme.rb
CHANGED
|
@@ -119,13 +119,13 @@ module Bullion
|
|
|
119
119
|
csr_attrs = extract_csr_attrs(csr)
|
|
120
120
|
csr_sans = extract_csr_sans(csr_attrs)
|
|
121
121
|
csr_domains = extract_csr_domains(csr_sans)
|
|
122
|
-
csr_cn = cn_from_csr(csr)
|
|
122
|
+
csr_cn = cn_from_csr(csr) || csr_domains.first
|
|
123
123
|
|
|
124
124
|
# Make sure the CSR has a valid public key
|
|
125
125
|
raise Bullion::Acme::Errors::BadCsr unless csr.verify(csr.public_key)
|
|
126
126
|
|
|
127
127
|
return false unless order.ready_status?
|
|
128
|
-
raise Bullion::Acme::Errors::BadCsr
|
|
128
|
+
raise Bullion::Acme::Errors::BadCsr if csr_cn && !csr_domains.include?(csr_cn)
|
|
129
129
|
raise Bullion::Acme::Errors::BadCsr unless csr_domains.sort == order.domains.sort
|
|
130
130
|
|
|
131
131
|
true
|
data/lib/bullion/helpers/ssl.rb
CHANGED
|
@@ -127,9 +127,7 @@ module Bullion
|
|
|
127
127
|
)
|
|
128
128
|
|
|
129
129
|
# Alternate Names
|
|
130
|
-
|
|
131
|
-
existing_sans = filter_sans(csr_sans(csr))
|
|
132
|
-
valid_alts = (["DNS:#{cn}"] + [*existing_sans]).uniq
|
|
130
|
+
valid_alts = build_valid_alt_names(csr)
|
|
133
131
|
|
|
134
132
|
new_cert.add_extension(ef.create_extension("subjectAltName", valid_alts.join(",")))
|
|
135
133
|
|
|
@@ -137,21 +135,6 @@ module Bullion
|
|
|
137
135
|
[new_cert, valid_alts]
|
|
138
136
|
end
|
|
139
137
|
|
|
140
|
-
def csr_sans(csr)
|
|
141
|
-
raw_attributes = csr.attributes
|
|
142
|
-
return [] unless raw_attributes
|
|
143
|
-
|
|
144
|
-
seq = extract_csr_attrs(csr)
|
|
145
|
-
return [] unless seq
|
|
146
|
-
|
|
147
|
-
values = extract_san_values(seq)
|
|
148
|
-
return [] unless values
|
|
149
|
-
|
|
150
|
-
values = OpenSSL::ASN1.decode(values).value
|
|
151
|
-
|
|
152
|
-
values.select { |v| v.tag == 2 }.map { |v| "DNS:#{v.value}" }
|
|
153
|
-
end
|
|
154
|
-
|
|
155
138
|
def extract_csr_attrs(csr)
|
|
156
139
|
csr.attributes.select { |a| a.oid == "extReq" }.map { |a| a.value.map(&:value) }
|
|
157
140
|
end
|
|
@@ -161,8 +144,9 @@ module Bullion
|
|
|
161
144
|
end
|
|
162
145
|
|
|
163
146
|
def extract_csr_domains(csr_sans)
|
|
164
|
-
|
|
165
|
-
csr_decoded_sans
|
|
147
|
+
subject_alt_names = csr_sans.first.value.find { |v| v.tag == 4 }
|
|
148
|
+
csr_decoded_sans = OpenSSL::ASN1.decode(subject_alt_names.value)
|
|
149
|
+
csr_decoded_sans.value.select { |v| v.tag == 2 }.map(&:value)
|
|
166
150
|
end
|
|
167
151
|
|
|
168
152
|
def extract_san_values(sequence)
|
|
@@ -184,13 +168,33 @@ module Bullion
|
|
|
184
168
|
end
|
|
185
169
|
|
|
186
170
|
def cn_from_csr(csr)
|
|
187
|
-
|
|
188
|
-
cns = csr.subject.to_s.split("/").grep(/^CN=/)
|
|
171
|
+
return unless csr.subject.to_s
|
|
189
172
|
|
|
190
|
-
|
|
191
|
-
|
|
173
|
+
cns = csr.subject.to_s.split("/").grep(/^CN=/)
|
|
174
|
+
|
|
175
|
+
cns.first.split("=").last if cns && !cns.empty?
|
|
176
|
+
end
|
|
177
|
+
|
|
178
|
+
def cn_or_first_san_from_csr(csr)
|
|
179
|
+
cn = cn_from_csr(csr)
|
|
180
|
+
return cn if cn
|
|
181
|
+
|
|
182
|
+
csr_attrs = extract_csr_attrs(csr)
|
|
183
|
+
csr_sans = extract_csr_sans(csr_attrs)
|
|
184
|
+
extract_csr_domains(csr_sans).first
|
|
185
|
+
end
|
|
186
|
+
|
|
187
|
+
def domains_from_csr(csr)
|
|
188
|
+
csr_attrs = extract_csr_attrs(csr)
|
|
189
|
+
csr_sans = extract_csr_sans(csr_attrs)
|
|
190
|
+
extract_csr_domains(csr_sans)
|
|
191
|
+
end
|
|
192
192
|
|
|
193
|
-
|
|
193
|
+
def build_valid_alt_names(csr)
|
|
194
|
+
cn = cn_or_first_san_from_csr(csr)
|
|
195
|
+
csr_domains = domains_from_csr(csr)
|
|
196
|
+
existing_sans = filter_sans(csr_domains).map { |d| "DNS:#{d}" }
|
|
197
|
+
(["DNS:#{cn}"] + [*existing_sans]).uniq
|
|
194
198
|
end
|
|
195
199
|
|
|
196
200
|
# Signs an ACME CSR
|
|
@@ -206,7 +210,7 @@ module Bullion
|
|
|
206
210
|
csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)
|
|
207
211
|
|
|
208
212
|
# Force a subject if the cert doesn't have one
|
|
209
|
-
cert.subject = simple_subject(
|
|
213
|
+
cert.subject = simple_subject(cn_or_first_san_from_csr(csr)) unless cert.subject
|
|
210
214
|
|
|
211
215
|
csr_cert.subject = simple_subject(cert.subject.to_s)
|
|
212
216
|
|
data/lib/bullion/version.rb
CHANGED
data/lib/bullion.rb
CHANGED
|
@@ -7,6 +7,7 @@ require "securerandom"
|
|
|
7
7
|
require "time"
|
|
8
8
|
require "logger"
|
|
9
9
|
require "openssl"
|
|
10
|
+
require "bigdecimal"
|
|
10
11
|
|
|
11
12
|
# External requirements
|
|
12
13
|
require "benchmark"
|
|
@@ -68,7 +69,11 @@ module Bullion
|
|
|
68
69
|
MetricsRegistry = Prometheus::Client.registry
|
|
69
70
|
|
|
70
71
|
def self.ca_key
|
|
71
|
-
@ca_key ||=
|
|
72
|
+
@ca_key ||= begin
|
|
73
|
+
OpenSSL::PKey::RSA.new(File.read(config.ca.key_path), config.ca.secret)
|
|
74
|
+
rescue OpenSSL::PKey::RSAError
|
|
75
|
+
OpenSSL::PKey::EC.new(File.read(config.ca.key_path), config.ca.secret)
|
|
76
|
+
end
|
|
72
77
|
end
|
|
73
78
|
|
|
74
79
|
def self.ca_cert_file
|