letscert 0.4.5 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9713b8f8c57715a49c9a47ee496be861b140605e
-  data.tar.gz: b066af17d583c2a87e246729fe4ec52478b529b2
+  metadata.gz: 52add53a57fa00b0778f2a493f17f60c52c66420
+  data.tar.gz: 918a0428e5ec2c2c7f05c29eb41fcd60cd43a5f6
 SHA512:
-  metadata.gz: cf1ee72bfb5f7e348ab4dbe35a674e2c723e8004f241a28a705787d9947ab1d1abe1fd0b8788d84f3b7c8734ccd34f6cc6b44b1513f1f5c239b788506a757410
-  data.tar.gz: b2bf80554770b4545bf343b12676412b6074979dc92d6e9966ac7bdc9922bef503afa201dd538d20f187f7146f4388ff9ecadab073aec0019dcd824e4f6963bd
+  metadata.gz: 7a5017b39b842d751148c95666fc2372c4af7158c2dada7ad5b5d4dd6e53fe1d38582090827271611fc7ddb94c1e8c8473f0ed6837f855e3c66eedca38b544b4
+  data.tar.gz: 9c9462d83f3b2fecba4c0d3ef73760257d4814df0aeb8aafeb177f096e34fec2ed896f8cea923b37ed358592c1b345ca8de1cd03c93b6f43df0dc44647502987

data/.travis.yml

@@ -2,7 +2,8 @@ language: ruby
 rvm:
   - 2.1
   - 2.2
-  - 2.3.1
+  - 2.3.3
+  - 2.4.0
 
 install:
   - gem install bundler

data/letscert.gemspec

@@ -23,10 +23,10 @@ EOF
 
   s.required_ruby_version = '>= 2.1.0'
 
-  s.add_dependency 'acme-client', '~>0.5.0'
+  s.add_dependency 'acme-client', '~>0.5.5'
 
   s.add_development_dependency 'bundler', '~> 1.12'
-  s.add_development_dependency 'rake', '~> 10.0'
+  s.add_development_dependency 'rake', '~> 11.0'
   s.add_development_dependency 'rspec', '~>3.4'
   s.add_development_dependency 'vcr', '~>3.0'
   s.add_development_dependency 'yard', '~>0.8'

data/lib/letscert/certificate.rb

@@ -21,6 +21,7 @@
 # SOFTWARE.
 require 'acme-client'
 require_relative 'loggable'
+require_relative 'patched_ec_pkey'
 
 # rubocop:disable Metrics/ClassLength, Style/MultilineBlockLayout
 # rubocop:disable Style/BlockEndNewline, Style/BlockDelimiters
@@ -82,7 +83,7 @@ module LetsCert
              else
                logger.info { 'Generate new private key' }
                generate_certificate options[:roots].keys,
-                                    options[:cert_key_size]
+                                    options
              end
 
       options[:files] ||= []
@@ -299,6 +300,52 @@ module LetsCert
       end
     end
 
+    # Generate a key from options
+    # @param [Hash] options +:cert_ecdsa+ and +:cert_rsa+ are mutually
+    #  exclusive.
+    # @option options [Integer] :cert_ecdsa curve for which generate a cert
+    # @option options [Integer] :cert_rsa key size to generate a RSA key
+    # @return [OpenSSL::Pkey::PKey]
+    # @raise [Error]
+    def generate_key(options)
+      if options[:cert_ecdsa] and options[:cert_rsa]
+        raise Error, 'cannot generate a ECDSA key and a RSA key in one shot'
+      end
+
+      if options[:cert_ecdsa]
+        generate_ecdsa_key options[:cert_ecdsa]
+      else
+        OpenSSL::PKey::RSA.generate options[:cert_rsa]
+      end
+    end
+
+    # Generate a ECDSA key
+    # @param [String] curve curve name
+    # @return [OpenSSL::PKey::EC]
+    def generate_ecdsa_key(curve)
+      key = (PatchedECPkey.needed? ? PatchedECPkey : OpenSSL::PKey::EC).new
+      key.group = OpenSSL::PKey::EC::Group.new(curve)
+      key.generate_key
+    rescue OpenSSL::PKey::EC::Group::Error => ex
+      raise unless ex.message =~ /^unknown curve/
+      msg = "unknown curve. Supported curves are:\n"
+      msg << secure_curves.join("\n")
+      raise Error, msg
+    end
+
+    # Return array of secure curve names
+    # @return [Array<String>]
+    def secure_curves
+      curves = OpenSSL::PKey::EC.builtin_curves.map { |ary| '%-20s%s' % ary }
+      # Remove all binary curves, and prime curves which field is less than
+      # 256 bits
+      curves.reject! do |el|
+        el =~ /binary/ or (el =~ /(\d+) bit/ and $1.to_i < 256)
+      end
+
+      curves
+    end
+
     # Generate new certificate for given domains with existing private key
     # @param [Array<String>] domains
     # @param [OpenSSL::PKey::PKey] pkey private key to use
@@ -315,10 +362,11 @@ module LetsCert
 
     # Generate new certificate for given domains
     # @param [Array<String>] domains
-    # @param [Integer] pkey_size size in bits for private key to generate
+    # @param [Hash] options option hash containing +:cert_ecdsa+, +:cert_rsa+
+    #  or +:cert_key_size+ key.
     # @return [OpenSSL::PKey::PKey] generated private key
-    def generate_certificate(domains, pkey_size)
-      pkey = OpenSSL::PKey::RSA.generate(pkey_size)
+    def generate_certificate(domains, options)
+      pkey = generate_key(options)
       generate_certificate_from_pkey domains, pkey
     end
 

data/lib/letscert/patched_ec_pkey.rb

@@ -0,0 +1,16 @@
+require 'openssl'
+
+module LetsCert
+  # Ruby < 2.4 has bugs in OpenSSL. This class patches these bugs.
+  # @author Sylvain Daubert
+  class PatchedECPkey < OpenSSL::PKey::EC
+    alias :private? :private_key?
+    alias :public? :public_key?
+
+    # Say if {PatchedECPkey} is needed
+    # @return [Boolean]
+    def self.needed?
+      RbConfig::CONFIG['MAJOR'] == '2' && RbConfig::CONFIG['MINOR'].to_i < 4
+    end
+  end
+end

data/lib/letscert/runner.rb

@@ -42,6 +42,9 @@ module LetsCert
     # Exit value for error(s)
     RETURN_ERROR = 2
 
+    # Default key size for RSA certificates
+    RSA_DEFAULT_KEY_SIZE = 2048
+
     # Get options
     # @return [Hash]
     attr_reader :options
@@ -62,7 +65,6 @@ module LetsCert
         verbose: 0,
         domains: [],
         files: [],
-        cert_key_size: 2048,
         valid_min: ValidTime.new('30d'),
         account_key_size: 4096,
         tos_sha256: '33d233c8ab558ba6c8ebc370a509acdded8b80e5d587aa5d192193f3' \
@@ -150,10 +152,21 @@ module LetsCert
           @options[:files] << file
         end
 
+        opts.on('--cert-ecdsa CURVE', String,
+                'Generate ECDSA certificate on CURVE') do |curve|
+          @options[:cert_ecdsa] = curve
+        end
+
+        opts.on('--cert-rsa BITS', Integer,
+                'Generate RSA certificate with a BITS-bit',
+                'private key') do |bits|
+          @options[:cert_rsa] = bits
+        end
         opts.on('--cert-key-size BITS', Integer,
                 'Certificate key size in bits',
-                "(default: #{@options[:cert_key_size]})") do |bits|
-          @options[:cert_key_size] = bits
+                '(equivalent to --cert-rsa)',
+                "(default: #{RSA_DEFAULT_KEY_SIZE})") do |bits|
+          @options[:cert_rsa] = bits
         end
 
         opts.accept(ValidTime) do |valid_time|
@@ -207,6 +220,7 @@ module LetsCert
 
       @opt_parser.parse!
       compute_roots
+      select_default_cert_type_if_none_specified
     end
 
     # Check all components are covered by plugins
@@ -354,6 +368,12 @@ module LetsCert
       @options[:roots] = roots
     end
 
+    def select_default_cert_type_if_none_specified
+      if @options[:cert_ecdsa].nil? and @options[:cert_rsa].nil?
+        @options[:cert_rsa] = RSA_DEFAULT_KEY_SIZE
+      end
+    end
+
     def persisted_data
       persisted = IOPlugin.empty_data
       @options[:files].each do |file|

data/lib/letscert/version.rb

@@ -1,6 +1,6 @@
 module LetsCert
 
   # Letscert version number
-  VERSION = '0.4.5'.freeze
+  VERSION = '0.5.0'.freeze
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: letscert
 version: !ruby/object:Gem::Version
-  version: 0.4.5
+  version: 0.5.0
 platform: ruby
 authors:
 - Sylvain Daubert
@@ -31,7 +31,7 @@ cert_chain:
   dMi8WSKt03lfzyxIqZseBwVYYn+XMlzCcJLXCUgZXHcBRRRDH5wGDqOqXjL25b2O
   6m3JJngqkCFrOw==
   -----END CERTIFICATE-----
-date: 2016-11-21 00:00:00.000000000 Z
+date: 2017-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -39,14 +39,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.5.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.5.5
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -67,14 +67,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -162,6 +162,7 @@ files:
 - lib/letscert/io_plugins/key_file.rb
 - lib/letscert/io_plugins/openssl_io_plugin.rb
 - lib/letscert/loggable.rb
+- lib/letscert/patched_ec_pkey.rb
 - lib/letscert/runner.rb
 - lib/letscert/runner/logger_formatter.rb
 - lib/letscert/valid_time.rb
@@ -186,7 +187,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: letscert, a simple Let's Encrypt client