bullion 0.11.1 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. data/.release-please-manifest.json +1 -1
  3. data/CHANGELOG.md +14 -0
  4. data/Gemfile.lock +20 -14
  5. data/bullion.gemspec +1 -0
  6. data/lib/bullion/acme/error.rb +5 -0
  7. data/lib/bullion/helpers/acme.rb +3 -2
  8. data/lib/bullion/helpers/ssl.rb +25 -0
  9. data/lib/bullion/models/challenge.rb +11 -1
  10. data/lib/bullion/version.rb +1 -1
  11. data/lib/bullion.rb +2 -0
  12. metadata +15 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8821e563a9452dbd524f1bdfbd2f944ee4a3d0c071e57bab6d5f9b2c61e18555
4
- data.tar.gz: d31913ae560676de68a57ea6aa308126a6d3c92c7a3da69d4d882e032ed56196
3
+ metadata.gz: 95ab410d446f9be5b65083d059c91636f5c4ee801b2973536387bb001623a0b2
4
+ data.tar.gz: 87f492721aaf01a88c746bed6e70d5709c19c7ba3192a7ae83d6c628e716a0dd
5
5
  SHA512:
6
- metadata.gz: 4bcabcb78421e92a48fbd5485631de98bee3bf0d4452ba5d9c08eb04d34ac171934b073e0a441b5dc95aeeb353765a5445188ca7011b98d3e2f376d130aaf2d4
7
- data.tar.gz: 5541be539b018f62d1e466e51ada7985f5e37ee460eb98c4e344f79c443aa60fa3f8b2bf1d26d169a15c0b8efef38c7523c4023a416436e85654b585a5fcae6c
6
+ metadata.gz: 1ce61712fb1ee5ce6139bb6e105b242709c8f51eece706e116a4cff94f7361c3c7f9589598cc25373695f1df35f60b06866303f96872e1dc516748068fef338c
7
+ data.tar.gz: e69f33f2ee12e17572ad6ad2054a5123d7a1fe3f37471bd64432752b6b0df75892e1fba19004144349810cfae28bafb0ce23039d8cb53613f2ac9d66603eb8d1
data/.release-please-manifest.json CHANGED
@@ -1,3 +1,3 @@
1
1
  {
2
- ".": "0.11.1"
2
+ ".": "0.11.2"
3
3
  }
data/CHANGELOG.md CHANGED
@@ -1,5 +1,19 @@
1
1
  # Changelog
2
2
 
3
+ ## [0.11.2](https://github.com/jgnagy/bullion/compare/bullion/v0.11.1...bullion/v0.11.2) (2026-02-16)
4
+
5
+
6
+ ### Features
7
+
8
+ * add EdDSA (Ed25519) JWT signature support ([bba2985](https://github.com/jgnagy/bullion/commit/bba29851e1c5644152f4a3e82d82c6c1d5c5ce5e))
9
+ * add EdDSA (Ed25519) JWT signature support ([77a2f5b](https://github.com/jgnagy/bullion/commit/77a2f5bfc30db3527ad3fe75136b210956279957)), closes [#3](https://github.com/jgnagy/bullion/issues/3)
10
+ * Add test coverage for Ed25519 certificate signing ([59f0f74](https://github.com/jgnagy/bullion/commit/59f0f74a039292a5d804c8e49a880f20ab5d0c1b))
11
+
12
+
13
+ ### Bug Fixes
14
+
15
+ * return proper badPublicKey error for Ed448 ([a21414f](https://github.com/jgnagy/bullion/commit/a21414f66075d47e2b5613d2034fa806a0a78602))
16
+
3
17
  ## [0.11.1](https://github.com/jgnagy/bullion/compare/bullion/v0.11.0...bullion/v0.11.1) (2025-08-24)
4
18
 
5
19
 
data/Gemfile.lock CHANGED
@@ -1,13 +1,14 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- bullion (0.11.1)
4
+ bullion (0.11.2)
5
5
  benchmark (~> 0.4)
6
6
  dry-configurable (~> 1.1)
7
7
  httparty (~> 0.21)
8
8
  itsi (~> 0.2)
9
9
  json (~> 2.6)
10
10
  jwt (~> 2.7)
11
+ jwt-eddsa (~> 0.9)
11
12
  openssl (~> 3.0)
12
13
  prometheus-client (~> 4.2)
13
14
  sinatra (~> 3.1)
@@ -46,7 +47,7 @@ GEM
46
47
  backport (1.2.0)
47
48
  base64 (0.3.0)
48
49
  benchmark (0.4.1)
49
- bigdecimal (3.2.2)
50
+ bigdecimal (4.0.1)
50
51
  byebug (11.1.3)
51
52
  concurrent-ruby (1.3.5)
52
53
  connection_pool (2.5.3)
@@ -61,15 +62,16 @@ GEM
61
62
  concurrent-ruby (~> 1.0)
62
63
  logger
63
64
  zeitwerk (~> 2.6)
64
- faraday (2.13.4)
65
+ ed25519 (1.4.0)
66
+ faraday (2.14.1)
65
67
  faraday-net_http (>= 2.0, < 3.5)
66
68
  json
67
69
  logger
68
- faraday-net_http (3.4.1)
69
- net-http (>= 0.5.0)
70
+ faraday-net_http (3.4.2)
71
+ net-http (~> 0.5)
70
72
  faraday-retry (2.3.2)
71
73
  faraday (~> 2.0)
72
- httparty (0.23.1)
74
+ httparty (0.24.0)
73
75
  csv
74
76
  mini_mime (>= 1.0.0)
75
77
  multi_xml (>= 0.5.2)
@@ -86,9 +88,13 @@ GEM
86
88
  rack (>= 1.6)
87
89
  rb_sys (~> 0.9.91)
88
90
  jaro_winkler (1.6.1)
89
- json (2.13.2)
91
+ json (2.18.1)
90
92
  jwt (2.10.2)
91
93
  base64
94
+ jwt-eddsa (0.9.0)
95
+ base64
96
+ ed25519
97
+ jwt (>= 2.9.0)
92
98
  kramdown (2.5.1)
93
99
  rexml (>= 3.3.9)
94
100
  kramdown-parser-gfm (1.1.0)
@@ -99,12 +105,12 @@ GEM
99
105
  mini_mime (1.1.5)
100
106
  minitest (5.25.5)
101
107
  multi_json (1.17.0)
102
- multi_xml (0.7.2)
103
- bigdecimal (~> 3.1)
108
+ multi_xml (0.8.1)
109
+ bigdecimal (>= 3.1, < 5)
104
110
  mustermann (3.0.4)
105
111
  ruby2_keywords (~> 0.0.1)
106
- net-http (0.6.0)
107
- uri
112
+ net-http (0.9.1)
113
+ uri (>= 0.11.1)
108
114
  nokogiri (1.18.9-aarch64-linux-gnu)
109
115
  racc (~> 1.4)
110
116
  nokogiri (1.18.9-aarch64-linux-musl)
@@ -132,7 +138,7 @@ GEM
132
138
  prometheus-client (4.2.5)
133
139
  base64
134
140
  racc (1.8.1)
135
- rack (2.2.17)
141
+ rack (2.2.20)
136
142
  rack-protection (3.2.0)
137
143
  base64 (>= 0.1.0)
138
144
  rack (~> 2.2, >= 2.2.4)
@@ -148,7 +154,7 @@ GEM
148
154
  regexp_parser (2.11.2)
149
155
  reverse_markdown (3.0.0)
150
156
  nokogiri
151
- rexml (3.4.1)
157
+ rexml (3.4.2)
152
158
  rspec (3.13.1)
153
159
  rspec-core (~> 3.13.0)
154
160
  rspec-expectations (~> 3.13.0)
@@ -245,7 +251,7 @@ GEM
245
251
  unicode-display_width (3.1.5)
246
252
  unicode-emoji (~> 4.0, >= 4.0.4)
247
253
  unicode-emoji (4.0.4)
248
- uri (1.0.3)
254
+ uri (1.1.1)
249
255
  yard (0.9.37)
250
256
  yard-solargraph (0.1.0)
251
257
  yard (~> 0.9)
data/bullion.gemspec CHANGED
@@ -32,6 +32,7 @@ Gem::Specification.new do |spec|
32
32
  spec.add_dependency "itsi", "~> 0.2"
33
33
  spec.add_dependency "json", "~> 2.6"
34
34
  spec.add_dependency "jwt", "~> 2.7"
35
+ spec.add_dependency "jwt-eddsa", "~> 0.9"
35
36
  spec.add_dependency "openssl", "~> 3.0"
36
37
  spec.add_dependency "prometheus-client", "~> 4.2"
37
38
  spec.add_dependency "sinatra", "~> 3.1"
data/lib/bullion/acme/error.rb CHANGED
@@ -34,6 +34,11 @@ module Bullion
34
34
  def acme_type = "badNonce"
35
35
  end
36
36
 
37
+ # ACME exception for bad/unsupported public keys
38
+ class BadPublicKey < Bullion::Acme::Error
39
+ def acme_type = "badPublicKey"
40
+ end
41
+
37
42
  # ACME exception for invalid contacts in accounts
38
43
  class InvalidContact < Bullion::Acme::Error
39
44
  def acme_type = "invalidContact"
data/lib/bullion/helpers/acme.rb CHANGED
@@ -41,10 +41,11 @@ module Bullion
41
41
  JWT.decode(jwt_data, compat_public_key, true, { algorithm: @header_data["alg"] })
42
42
  else
43
43
  digest = digest_from_alg(@header_data["alg"])
44
+ alg = @header_data["alg"].downcase
44
45
 
45
- sig = if @header_data["alg"].downcase.start_with?("es")
46
+ sig = if alg.start_with?("es")
46
47
  ecdsa_sig_to_der(signature)
47
- elsif @header_data["alg"].downcase.start_with?("rs")
48
+ elsif alg.start_with?("rs") || alg == "eddsa"
48
49
  Base64.urlsafe_decode64(signature)
49
50
  end
50
51
 
data/lib/bullion/helpers/ssl.rb CHANGED
@@ -3,6 +3,7 @@
3
3
  module Bullion
4
4
  module Helpers
5
5
  # SSL-related helper methods
6
+ # rubocop:disable Metrics/ModuleLength
6
7
  module Ssl
7
8
  # Converts the incoming key data to an OpenSSL public key usable to verify JWT signatures
8
9
  def openssl_compat(key_data)
@@ -11,6 +12,8 @@ module Bullion
11
12
  key_data_to_rsa(key_data)
12
13
  when "EC"
13
14
  key_data_to_ecdsa(key_data)
15
+ when "OKP"
16
+ key_data_to_eddsa(key_data)
14
17
  end
15
18
  end
16
19
 
@@ -58,6 +61,24 @@ module Bullion
58
61
  OpenSSL::PKey::EC.new(outer_sequence.to_der)
59
62
  end
60
63
 
64
+ def key_data_to_eddsa(key_data)
65
+ curve = key_data["crv"]
66
+ x = base64_to_octet(key_data["x"])
67
+
68
+ # For JWT verification with jwt-eddsa gem, we need Ed25519::VerifyKey
69
+ case curve
70
+ when "Ed25519"
71
+ # The raw public key bytes are exactly what Ed25519::VerifyKey expects
72
+ Ed25519::VerifyKey.new(x)
73
+ when "Ed448"
74
+ # Ed448 not currently supported by the ed25519 gem
75
+ raise Bullion::Acme::Errors::BadPublicKey,
76
+ "EdDSA with Ed448 is not supported; only Ed25519 is supported"
77
+ else
78
+ raise Bullion::Acme::Errors::BadPublicKey, "Unsupported EdDSA curve: #{curve}"
79
+ end
80
+ end
81
+
61
82
  def base64_to_long(data)
62
83
  Base64.urlsafe_decode64(data).to_s.unpack("C*").map do |byte|
63
84
  to_hex(byte)
@@ -69,6 +90,9 @@ module Bullion
69
90
  end
70
91
 
71
92
  def digest_from_alg(alg)
93
+ # EdDSA doesn't use a separate digest step
94
+ return nil if alg.downcase == "eddsa"
95
+
72
96
  if alg.end_with?("256")
73
97
  OpenSSL::Digest.new("SHA256")
74
98
  elsif alg.end_with?("384")
@@ -231,5 +255,6 @@ module Bullion
231
255
  end
232
256
  # rubocop:enable Metrics/AbcSize
233
257
  end
258
+ # rubocop:enable Metrics/ModuleLength
234
259
  end
235
260
  end
data/lib/bullion/models/challenge.rb CHANGED
@@ -50,7 +50,17 @@ module Bullion
50
50
 
51
51
  def lexicographically_ordered_public_key
52
52
  jwk = authorization.order.account.public_key
53
- [["e", jwk["e"]], ["kty", jwk["kty"]], ["n", jwk["n"]]].to_h
53
+ case jwk["kty"]
54
+ when "RSA"
55
+ [["e", jwk["e"]], ["kty", jwk["kty"]], ["n", jwk["n"]]].to_h
56
+ when "EC"
57
+ [["crv", jwk["crv"]], ["kty", jwk["kty"]], ["x", jwk["x"]], ["y", jwk["y"]]].to_h
58
+ when "OKP"
59
+ [["crv", jwk["crv"]], ["kty", jwk["kty"]], ["x", jwk["x"]]].to_h
60
+ else
61
+ # Fallback for unknown types
62
+ jwk.sort.to_h
63
+ end
54
64
  end
55
65
  end
56
66
  end
data/lib/bullion/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Bullion
4
- VERSION = "0.11.1"
4
+ VERSION = "0.11.2"
5
5
  end
data/lib/bullion.rb CHANGED
@@ -18,6 +18,8 @@ require "sinatra/custom_logger"
18
18
  require "trilogy"
19
19
  require "sinatra/activerecord"
20
20
  require "jwt"
21
+ require "jwt/eddsa"
22
+ require "ed25519"
21
23
  require "prometheus/client"
22
24
  require "httparty"
23
25
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: bullion
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.11.1
4
+ version: 0.11.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jonathan Gnagy
@@ -93,6 +93,20 @@ dependencies:
93
93
  - - "~>"
94
94
  - !ruby/object:Gem::Version
95
95
  version: '2.7'
96
+ - !ruby/object:Gem::Dependency
97
+ name: jwt-eddsa
98
+ requirement: !ruby/object:Gem::Requirement
99
+ requirements:
100
+ - - "~>"
101
+ - !ruby/object:Gem::Version
102
+ version: '0.9'
103
+ type: :runtime
104
+ prerelease: false
105
+ version_requirements: !ruby/object:Gem::Requirement
106
+ requirements:
107
+ - - "~>"
108
+ - !ruby/object:Gem::Version
109
+ version: '0.9'
96
110
  - !ruby/object:Gem::Dependency
97
111
  name: openssl
98
112
  requirement: !ruby/object:Gem::Requirement