letscert 0.4.1 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bf207714b90b6a7da996b80ce11c034408eedb01
-  data.tar.gz: 037d0a835588236f7046b6ca09a0936fe34473ef
+  metadata.gz: 81459818c78f3836b106c632ae5befa99dcacf82
+  data.tar.gz: 1fce468a7511a75b84f584ff1fd8b5455db48065
 SHA512:
-  metadata.gz: b2adc8ccf14ab988d0c4debd191b664a6793670b4f3218e477285e8907466c93f8689f514da0025c4d0113a0fcf00fea78a59dc4ba0345dc22fd60a1e5e62bed
-  data.tar.gz: 4e84d8553a12638d26a7444cb9760a440ae468ffa870ba3078d1678f7de39f7828224a5ad8694b4226500d292e79b3beb390a1ac90e2e13ea3f977d197d0ba94
+  metadata.gz: 3b4ce524f540fbb291c6c88f13d32bfa27a501c2105d8c5002ff98ef9d4c808802cdaecd7cbffad6e53695792b84ed180517d16facd079af245f960f9cce100a
+  data.tar.gz: 2149c9cd3a620ecebf9d1ec2bdaaeef2f7f92944127c25f4351ecc42424503526c9fbf2d8498ad19b54277f76b301fe3a838eb96a3a7562745f69e08c60c4077

data/.rubocop.yml

@@ -0,0 +1,33 @@
+Style/AndOr:
+  Enabled: false
+
+Style/EmptyLinesAroundClassBody:
+  Enabled: false
+
+Style/EmptyLinesAroundModuleBody:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/FormatString:
+  Enabled: false
+
+Metrics/ClassLength:
+  Max: 150
+
+Metrics/ModuleLength:
+  Max: 150
+
+Metrics/MethodLength:
+  Max: 20
+
+# don't understand this metric
+Metrics/AbcSize:
+  Enabled: false
+
+AllCops:
+  Exclude:
+    - 'spec/**/*'
+    - 'vendor/**/*'
+    

data/Gemfile

@@ -1,3 +1,5 @@
 source 'https://rubygems.org'
 
 gemspec
+
+gem 'rubocop', '~> 0.42.0', require: false

data/README.md

@@ -75,14 +75,17 @@ letscert -d example.com:/var/www/example.com/html --email my.name@domain.tld --r
   * 2 in case of errors.
 
 # Installation
-`letscert` is cryptographically signed. To be sure the gem you install hasn’t been tampered:
+Since v0.4.1, `letscert` is cryptographically signed. To be sure the gem you install
+hasn’t been tampered:
 * add my public key as a trusted certificate:
 ```
-gem cert --add <(curl -Ls https://raw.github.com/metricfu/metric_fu/master/certs/gem-public_cert.pem)
+gem cert --add <(curl -Ls https://raw.github.com/sdaubert/letscert/master/certs/gem-public_cert.pem)
 ```
 * install letscert gem with a policy:
 ```
 gem install letscert -P MediumSecurity
 ```
 
-The MediumSecurity trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of letcert’s dependencies are signed, so we cannot use HighSecurity.
+The MediumSecurity trust profile will verify signed gems, but allow the installation of
+unsigned dependencies. This is necessary because not all of letcert’s dependencies are
+signed, so we cannot use HighSecurity.

data/Rakefile

@@ -1,6 +1,7 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'yard'
+require 'rubocop/rake_task'
 
 RSpec::Core::RakeTask.new
 
@@ -9,4 +10,6 @@ YARD::Rake::YardocTask.new do |t|
   t.files = ['lib/**/*.rb', '-', 'LICENSE']
 end
 
-task :default => :spec
+RuboCop::RakeTask.new
+
+task default: :spec

data/letscert.gemspec

@@ -16,17 +16,17 @@ EOF
   s.email = 'sylvain.daubert@laposte.net'
   s.homepage = 'https://github.com/sdaubert/letscert'
 
-  s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  files = `git ls-files -z`.split("\x0")
+  s.files = files.reject { |f| f.match(%r{^(test|spec|features)/}) }
   s.executables = ['letscert']
-  s.require_paths = ["lib"]
+  s.require_paths = ['lib']
 
   s.required_ruby_version = '>= 2.1.0'
 
   s.add_dependency 'acme-client', '~>0.4.0'
-  s.add_dependency 'json', '~>1.8.3'
 
-  s.add_development_dependency "bundler", "~> 1.12"
-  s.add_development_dependency "rake", "~> 10.0"
+  s.add_development_dependency 'bundler', '~> 1.12'
+  s.add_development_dependency 'rake', '~> 10.0'
   s.add_development_dependency 'rspec', '~>3.4'
   s.add_development_dependency 'vcr', '~>3.0'
   s.add_development_dependency 'yard', '~>0.8'

data/lib/letscert/certificate.rb

@@ -37,7 +37,6 @@ module LetsCert
     # @return [Acme::Client,nil]
     attr_reader :client
 
-
     # @param [OpenSSL::X509::Certificate,nil] cert
     def initialize(cert)
       @cert = cert
@@ -45,26 +44,28 @@ module LetsCert
     end
 
     # Get a new certificate, or renew an existing one
-    # @param [OpenSSL::PKey::PKey,nil] account_key private key to authenticate to ACME
-    #   server
-    # @param [OpenSSL::PKey::PKey, nil] key private key from which make a certificate.
-    #    If +nil+, generate a new one with +options[:cet_key_size]+ bits.
+    # @param [OpenSSL::PKey::PKey,nil] account_key private key to
+    #   authenticate to ACME server
+    # @param [OpenSSL::PKey::PKey, nil] key private key from which make a
+    #   certificate. If +nil+, generate a new one with +options[:cet_key_size]+
+    #   bits.
     # @param [Hash] options option hash
-    # @option options [Fixnum] :account_key_size ACME account private key size in bits
+    # @option options [Fixnum] :account_key_size ACME account private key size
+    #   in bits
     # @option options [Fixnum] :cert_key_size private key size used to generate
     #    a certificate
     # @option options [String] :email e-mail used as ACME account
     # @option options [Array<String>] :files plugin names to use
     # @option options [Boolean] :reuse_key reuse private key when getting a new
     #    certificate
-    # @option options [Hash] :roots hash associating domains as keys to web roots as
-    #    values
+    # @option options [Hash] :roots hash associating domains as keys to web
+    #   roots as values
     # @option options [String] :server ACME servel URL
     # @return [void]
     # @raise [Acme::Client::Error] error in protocol ACME with server
     # @raise [Error] issue with domain name, challenge fails,...
     def get(account_key, key, options)
-      logger.info {"create key/cert/chain..." }
+      logger.info { 'create key/cert/chain...' }
       check_roots(options[:roots])
       logger.debug { "webroots are: #{options[:roots].inspect}" }
 
@@ -72,23 +73,20 @@ module LetsCert
 
       do_challenges client, options[:roots]
 
-      if options[:reuse_key] and !key.nil?
-        logger.info { 'Reuse existing private key' }
-      else
-        logger.info { 'Generate new private key' }
-        key = OpenSSL::PKey::RSA.generate(options[:cert_key_size])
-      end
-
-      csr = Acme::Client::CertificateRequest.new(names: options[:roots].keys,
-                                                 private_key: key)
-      acme_cert = client.new_certificate(csr)
-      @cert = acme_cert.x509
-      @chain = acme_cert.x509_chain
+      pkey = if options[:reuse_key]
+               raise Error, 'cannot reuse a non-existing key' if key.nil?
+               logger.info { 'Reuse existing private key' }
+               generate_certificate_from_pkey options[:roots].keys, key
+             else
+               logger.info { 'Generate new private key' }
+               generate_certificate options[:roots].keys,
+                                    options[:cert_key_size]
+             end
 
       options[:files] ||= []
       options[:files].each do |plugname|
         IOPlugin.registered[plugname].save(account_key: client.private_key,
-                                           key: key, cert: @cert,
+                                           key: pkey, cert: @cert,
                                            chain: @chain)
       end
     end
@@ -96,22 +94,17 @@ module LetsCert
     # Revoke certificate
     # @param [OpenSSL::PKey::PKey] account_key
     # @param [Hash] options
-    # @option options [Fixnum] :account_key_size ACME account private key size in bits
+    # @option options [Fixnum] :account_key_size ACME account private key size
+    #   in bits
     # @option options [String] :email e-mail used as ACME account
     # @option options [String] :server ACME servel URL
     # @return [Boolean]
     # @raise [Error] no certificate to revole.
-    def revoke(account_key, options={})
-      if @cert.nil?
-        raise Error, 'no certification data to revoke'
-      end
+    def revoke(account_key, options = {})
+      raise Error, 'no certification data to revoke' if @cert.nil?
 
       client = get_acme_client(account_key, options)
-      begin
-        result = client.revoke_certificate(@cert)
-      rescue Exception => ex
-        raise
-      end
+      result = client.revoke_certificate(@cert)
 
       if result
         logger.info { 'certificate is revoked' }
@@ -125,10 +118,10 @@ module LetsCert
     # Check if certificate is still valid for at least +valid_min+ seconds.
     # Also checks that +domains+ are certified by certificate.
     # @param [Array<String>] domains list of certificate domains
-    # @param [Integer] valid_min minimum number of seconds of validity under which
-    #  a renewal is necessary.
+    # @param [Integer] valid_min minimum number of seconds of validity under
+    #   which a renewal is necessary.
     # @return [Boolean]
-    def valid?(domains, valid_min=0)
+    def valid?(domains, valid_min = 0)
       if @cert.nil?
         logger.debug { 'no existing certificate' }
         return false
@@ -144,8 +137,9 @@ module LetsCert
 
       # Check all domains are subjects of certificate
       unless domains.all? { |domain| subjects.include? domain }
-        raise Error, "At least one domain is not declared as a certificate subject." +
-                     "Backup and remove existing cert if you want to proceed"
+        msg = 'At least one domain is not declared as a certificate subject. ' \
+              'Backup and remove existing cert if you want to proceed.'
+        raise Error, msg
       end
 
       !renewal_necessary?(valid_min)
@@ -168,20 +162,18 @@ module LetsCert
       yield @client if block_given?
 
       if options[:email].nil?
-        logger.warn { '--email was not provided. ACME CA will have no way to ' +
-                       'contact you!' }
+        logger.warn { '--email was not provided. ACME CA will have no way to ' \
+                      'contact you!' }
       end
 
       begin
         logger.debug { "register with #{options[:email]}" }
         registration = @client.register(contact: "mailto:#{options[:email]}")
       rescue Acme::Client::Error::Malformed => ex
-        if ex.message != 'Registration key is already in use'
-          raise
-        end
+        raise if ex.message != 'Registration key is already in use'
       else
-        # Requesting ToS make acme-client throw an exception: Connection reset by peer
-        # (Faraday::ConnectionFailed). To investigate...
+        # Requesting ToS make acme-client throw an exception: Connection reset
+        # by peer (Faraday::ConnectionFailed). To investigate...
         #if registration.term_of_service_uri
         #  @logger.debug { "get terms of service" }
         #  terms = registration.get_terms
@@ -190,8 +182,7 @@ module LetsCert
         #    if tos_digest != @options[:tos_sha256]
         #      raise Error, 'Terms Of Service mismatch'
         #    end
-        
-             @logger.debug { "agree terms of service" }
+             @logger.debug { 'agree terms of service' }
              registration.agree_terms
         #  end
         #end
@@ -200,19 +191,18 @@ module LetsCert
       @client
     end
 
-
     private
 
     # check webroots.
     # @param [Hash] roots
     # @raise [Error] if some domains have no defined root.
     def check_roots(roots)
-      no_roots = roots.select { |k,v| v.nil? }
+      no_roots = roots.select { |_k, v| v.nil? }
 
-      if !no_roots.empty?
-        raise Error, 'root for the following domain(s) are not specified: ' +
-                     no_roots.keys.join(', ') + ".\nTry --default_root or use " +
-                     '-d example.com:/var/www/html syntax.'
+      unless no_roots.empty?
+        raise Error, 'root for the following domain(s) are not specified: ' \
+                     "#{no_roots.keys.join(', ')}.\nTry --default_root or " \
+                     'use -d example.com:/var/www/html syntax.'
       end
     end
 
@@ -234,26 +224,12 @@ module LetsCert
     # @param [Hash] roots
     def do_challenges(client, roots)
       logger.debug { 'Get authorization for all domains' }
-      challenges = {}
-
-      roots.keys.each do |domain|
-        authorization = client.authorize(domain: domain)
-         if authorization
-           challenges[domain] = authorization.http01
-         else
-           challenges[domain] = nil
-         end
-      end
-
-      logger.debug { 'Check all challenges are HTTP-01' }
-      if challenges.values.any? { |chall| chall.nil? }
-        raise Error, 'CA did not offer http-01-only challenge. ' +
-                     'This client is unable to solve any other challenges.'
-      end
+      challenges = get_challenges(client, roots)
 
       challenges.each do |domain, challenge|
         begin
-          FileUtils.mkdir_p(File.join(roots[domain], File.dirname(challenge.filename)))
+          path = File.join(roots[domain], File.dirname(challenge.filename))
+          FileUtils.mkdir_p path
         rescue SystemCallError => ex
           raise Error, ex.message
         end
@@ -263,20 +239,44 @@ module LetsCert
         File.write path, challenge.file_content
 
         challenge.request_verification
+        wait_for_verification challenge, domain
 
-        status = 'pending'
-        while(status == 'pending') do
-          sleep(1)
-          status = challenge.verify_status
-        end
+        File.unlink path
+      end
+    end
 
-        if status != 'valid'
-          logger.warn { "#{domain} was not successfully verified!" }
-        else
-          logger.info { "#{domain} was successfully verified." }
-        end
+    # Get challenges
+    # @param [Acme::Client] client
+    # @param [Hash] roots
+    # @return [Hash] key: domain, value: authorization
+    # @raise [Error] if any challenges does not support HTTP-01
+    def get_challenges(client, roots)
+      challenges = {}
+      roots.keys.each do |domain|
+        authorization = client.authorize(domain: domain)
+        challenges[domain] = authorization ? authorization.http01 : nil
+      end
 
-        File.unlink path
+      logger.debug { 'Check all challenges are HTTP-01' }
+      if challenges.values.any?(&:nil?)
+        raise Error, 'CA did not offer http-01-only challenge. ' \
+                     'This client is unable to solve any other challenges.'
+      end
+
+      challenges
+    end
+
+    def wait_for_verification(challenge, domain)
+      status = 'pending'
+      while status == 'pending'
+        sleep(1)
+        status = challenge.verify_status
+      end
+
+      if status != 'valid'
+        logger.warn { "#{domain} was not successfully verified!" }
+      else
+        logger.info { "#{domain} was successfully verified." }
       end
     end
 
@@ -286,12 +286,34 @@ module LetsCert
     def renewal_necessary?(valid_min)
       now = Time.now.utc
       diff = (@cert.not_after - now).to_i
-      logger.debug { "Certificate expires in #{diff}s on #{@cert.not_after}" +
+      logger.debug { "Certificate expires in #{diff}s on #{@cert.not_after}" \
                      " (relative to #{now})" }
 
       diff < valid_min
     end
 
-  end
+    # Generate new certificate for given domains with existing private key
+    # @param [Array<String>] domains
+    # @param [OpenSSL::PKey::PKey] pkey private key to use
+    # @return [OpenSSL::PKey::PKey] +pkey+
+    def generate_certificate_from_pkey(domains, pkey)
+      csr = Acme::Client::CertificateRequest.new(names: domains,
+                                                 private_key: pkey)
+      acme_cert = client.new_certificate(csr)
+      @cert = acme_cert.x509
+      @chain = acme_cert.x509_chain
+
+      pkey
+    end
 
+    # Generate new certificate for given domains
+    # @param [Array<String>] domains
+    # @param [Integer] pkey_size size in bits for private key to generate
+    # @return [OpenSSL::PKey::PKey] generated private key
+    def generate_certificate(domains, pkey_size)
+      pkey = OpenSSL::PKey::RSA.generate(pkey_size)
+      generate_certificate_from_pkey domains, pkey
+    end
+
+  end
 end

data/lib/letscert/io_plugin.rb

@@ -19,7 +19,6 @@
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
-require 'base64'
 require_relative 'loggable'
 
 module LetsCert
@@ -33,35 +32,36 @@ module LetsCert
     # @return [String]
     attr_reader :name
 
-
     # Registered plugins
-    @@registered = {}
+    @registered = {}
 
-    # Get empty data
-    # @return [Hash] +{ account_key: nil, key: nil, cert: nil, chain: nil }+
-    def self.empty_data
-      { account_key: nil, key: nil, cert: nil, chain: nil }
-    end
+    class << self
+
+      # Get registered plugins
+      # @return [Hash] keys are filenames and keys are instances of IOPlugin
+      #  subclasses.
+      attr_reader :registered
 
-    # Register a plugin
-    # @param [Class] klass
-    # @param [Array] args args to pass to +klass+ constructor
-    # @return [IOPlugin]
-    def self.register(klass, *args)
-      plugin = klass.new(*args)
-      if plugin.name =~ /[\/\\]/ or ['.', '..'].include?(plugin.name)
-        raise Error, "plugin name should just be a file name, without path"
+      # Get empty data
+      # @return [Hash] +{ account_key: nil, key: nil, cert: nil, chain: nil }+
+      def empty_data
+        { account_key: nil, key: nil, cert: nil, chain: nil }
       end
 
-      @@registered[plugin.name] = plugin
+      # Register a plugin
+      # @param [Class] klass
+      # @param [Array] args args to pass to +klass+ constructor
+      # @return [IOPlugin]
+      def register(klass, *args)
+        plugin = klass.new(*args)
+        if plugin.name =~ %r{[/\\]} or ['.', '..'].include?(plugin.name)
+          raise Error, 'plugin name should just be a file name, without path'
+        end
 
-      klass
-    end
+        @registered[plugin.name] = plugin
+        klass
+      end
 
-    # Get registered plugins
-    # @return [Hash] keys are filenames and keys are instances of IOPlugin subclasses.
-    def self.registered
-      @@registered
     end
 
     # @param [String] name
@@ -81,331 +81,13 @@ module LetsCert
 
   end
 
-
-  # Mixin for IOPmugin subclasses that handle files
-  # @author Sylvain Daubert
-  module FileIOPluginMixin
-
-    # Load data from file named +#name+
-    # @return [Hash]
-    def load
-      logger.debug { "Loading #@name" }
-
-      begin
-        content = File.read(@name)
-      rescue SystemCallError => ex
-        if ex.is_a? Errno::ENOENT
-          logger.info { "no #@name file" }
-          return self.class.empty_data
-        end
-        raise
-      end
-
-      load_from_content(content)
-    end
-
-    # @abstract
-    # @param [String] content
-    # @return [Hash]
-    def load_from_content(content)
-      raise NotImplementedError
-    end
-
-    # Save data to file +#name+
-    # @param [Hash] data
-    # @return [void]
-    def save_to_file(data)
-      return if data.nil?
-
-      logger.info { "saving #@name" }
-      begin
-        File.open(name, 'w') do |f|
-          f.write(data)
-        end
-      rescue Errno => ex
-        @logger.error { ex.message }
-        raise Error, "Error when saving #@name"
-      end
-    end
-
-  end
-
-
-  # Mixin for IOPlugin subclasses that handle JWK
-  # @author Sylvain Daubert
-  module JWKIOPluginMixin
-
-    # Encode string +data+ to base64
-    # @param [String] data
-    # @return [String]
-    def urlsafe_encode64(data)
-      Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
-    end
-
-    # Decode base64 string +data+
-    # @param [String] data
-    # @return [String]
-    def urlsafe_decode64(data)
-      Base64.urlsafe_decode64(data.sub(/[\s=]*\z/, ''))
-    end
-
-    # Load crypto data from JSON-encoded file
-    # @param [String] data JSON-encoded data
-    # @return [OpenSSL::PKey::PKey]
-    def load_jwk(data)
-      return nil if data.empty?
-
-      h = JSON.parse(data)
-      case h['kty']
-      when 'RSA'
-        pkey = OpenSSL::PKey::RSA.new
-        %w(e n d p q).collect do |key|
-          next if h[key].nil?
-          value = OpenSSL::BN.new(urlsafe_decode64(h[key]), 2)
-          pkey.send "#{key}=".to_sym, value
-        end
-      else
-        raise Error, "unknown account key type '#{k['kty']}'"
-      end
-
-      pkey
-    end
-
-    # Dump crypto data (key) to a JSON-encoded string
-    # @param [OpenSSL::PKey] key
-    # @return [String]
-    def dump_jwk(key)
-      return {}.to_json if key.nil?
-
-      h = { 'kty' => 'RSA' }
-      case key
-      when OpenSSL::PKey::RSA
-        h['e'] = urlsafe_encode64(key.e.to_s(2)) if key.e
-        h['n'] = urlsafe_encode64(key.n.to_s(2)) if key.n
-        if key.private?
-          h['d'] = urlsafe_encode64(key.d.to_s(2))
-          h['p'] = urlsafe_encode64(key.p.to_s(2))
-          h['q'] = urlsafe_encode64(key.q.to_s(2))
-        end
-      else
-        raise Error, "only RSA keys are supported"
-      end
-      h.to_json
-    end
-  end
-
-
-  # Account key IO plugin
-  # @author Sylvain Daubert
-  class AccountKey < IOPlugin
-    include FileIOPluginMixin
-    include JWKIOPluginMixin
-
-    # @return [Hash] always get +true+ for +:account_key+ key
-    def persisted
-      { account_key: true }
-    end
-
-    # @return [Hash]
-    def load_from_content(content)
-      { account_key: load_jwk(content) }
-    end
-
-    # Save account key.
-    # @param [Hash] data
-    # @return [void]
-    def save(data)
-      save_to_file(dump_jwk(data[:account_key]))
-    end
-
-  end
-  IOPlugin.register(AccountKey, 'account_key.json')
-
-
-  # OpenSSL IOPlugin
-  # @author Sylvain Daubert
-  class OpenSSLIOPlugin < IOPlugin
-
-    # @private Regular expression to discriminate PEM
-    PEM_RE = /^-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----\n/m
-
-    # @param [String] name filename
-    # @param [:pem,:der] type
-    def initialize(name, type)
-      case type
-      when :pem
-      when :der
-      else
-        raise ArgumentError, "type should be :pem or :der"
-      end
-
-      @type = type
-      super(name)
-    end
-
-    # Load key from raw +data+
-    # @param [String] data
-    # @return [OpenSSL::PKey]
-    def load_key(data)
-      OpenSSL::PKey::RSA.new data
-    end
-
-    # Dump key/cert data
-    # @param [OpenSSL::PKey] key
-    # @return [String]
-    def dump_key(key)
-      case @type
-      when :pem
-        key.to_pem
-      when :der
-        key.to_der
-      end
-    end
-    alias :dump_cert :dump_key
-
-    # Load certificate from raw +data+
-    # @param [String] data
-    # @return [OpenSSL::X509::Certificate]
-    def load_cert(data)
-      OpenSSL::X509::Certificate.new data
-    end
-
-
-    private
-
-    # Split concatenated PEMs.
-    # @param [String] data
-    # @yield [String] pem
-    def split_pems(data)
-      my_data = data
-      m = my_data.match(PEM_RE)
-      while (m) do
-        yield m[0]
-        my_data = my_data[m.end(0)..-1]
-        m = my_data.match(PEM_RE)
-      end
-    end
-
-  end
-
-
-  # Key file plugin
-  # @author Sylvain Daubert
-  class KeyFile < OpenSSLIOPlugin
-    include FileIOPluginMixin
-
-    # @return [Hash] always get +true+ for +:key+ key
-    def persisted
-      @persisted ||= { key: true }
-    end
-
-    # @return [Hash]
-    def load_from_content(content)
-      { key: load_key(content) }
-    end
-
-    # Save private key.
-    # @param [Hash] data
-    # @return [void]
-    def save(data)
-      save_to_file(dump_key(data[:key]))
-    end
-
-  end
-  IOPlugin.register(KeyFile, 'key.pem', :pem)
-  IOPlugin.register(KeyFile, 'key.der', :der)
-
-
-  # Chain file plugin
-  # @author Sylvain Daubert
-  class ChainFile < OpenSSLIOPlugin
-    include FileIOPluginMixin
-
-    # @return [Hash] always get +true+ for +:chain+ key
-    def persisted
-      @persisted ||= { chain: true }
-    end
-
-    # @return [Hash]
-    def load_from_content(content)
-      chain = []
-      split_pems(content) do |pem|
-        chain << load_cert(pem)
-      end
-      { chain: chain }
-    end
-
-    # Save chain.
-    # @param [Hash] data
-    # @return [void]
-    def save(data)
-      save_to_file(data[:chain].map { |c| dump_cert(c) }.join)
-    end
-
-  end
-  IOPlugin.register(ChainFile, 'chain.pem', :pem)
-
-
-  # Fullchain file plugin
-  # @author Sylvain Daubert
-  class FullChainFile < ChainFile
-
-    # @return [Hash] always get +true+ for +:cert+ and +:chain+ keys
-    def persisted
-      @persisted ||= { cert: true, chain: true }
-    end
-
-    # Load full certificate chain
-    # @return [Hash]
-    def load
-      data = super
-      if data[:chain].nil? or data[:chain].empty?
-        cert = nil
-        chain = []
-      else
-        cert = data[:chain].shift
-        chain = data[:chain]
-      end
-
-      { account_key: data[:account_key], key: data[:key], cert: cert, chain: chain }
-    end
-
-    # Save fullchain.
-    # @param [Hash] data
-    # @return [void]
-    def save(data)
-      super(account_key: data[:account_key], key: data[:key], cert: nil,
-            chain: [data[:cert]] + data[:chain])
-    end
-
-  end
-  IOPlugin.register(FullChainFile, 'fullchain.pem', :pem)
-
-
-  # Cert file plugin
-  # @author Sylvain Daubert
-  class CertFile < OpenSSLIOPlugin
-    include FileIOPluginMixin
-
-    # @return [Hash] always get +true+ for +:cert+ key
-    def persisted
-      @persisted ||= { cert: true }
-    end
-
-    # @return [Hash]
-    def load_from_content(content)
-      { cert: load_cert(content) }
-    end
-
-    # Save certificate.
-    # @param [Hash] data
-    # @return [void]
-    def save(data)
-      save_to_file(dump_cert(data[:cert]))
-    end
-
-  end
-  IOPlugin.register(CertFile, 'cert.pem', :pem)
-  IOPlugin.register(CertFile, 'cert.der', :der)
-
 end
+
+require_relative 'io_plugins/file_io_plugin_mixin'
+require_relative 'io_plugins/jwk_io_plugin_mixin'
+require_relative 'io_plugins/openssl_io_plugin'
+require_relative 'io_plugins/account_key'
+require_relative 'io_plugins/key_file'
+require_relative 'io_plugins/chain_file'
+require_relative 'io_plugins/full_chain_file'
+require_relative 'io_plugins/cert_file'