1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
# frozen_string_literal: true
require 'faraday'
require 'json'
require 'openssl'
require 'digest'
require 'forwardable'
require 'base64'
require 'time'
module Acme; end
class Acme::Client; end
require 'acme/client/version'
require 'acme/client/certificate'
require 'acme/client/certificate_request'
require 'acme/client/self_sign_certificate'
require 'acme/client/crypto'
require 'acme/client/resources'
require 'acme/client/faraday_middleware'
require 'acme/client/error'
class Acme::Client
DEFAULT_ENDPOINT = 'http://127.0.0.1:4000'.freeze
DIRECTORY_DEFAULT = {
'new-authz' => '/acme/new-authz',
'new-cert' => '/acme/new-cert',
'new-reg' => '/acme/new-reg',
'revoke-cert' => '/acme/revoke-cert'
}.freeze
def initialize(private_key:, endpoint: DEFAULT_ENDPOINT, directory_uri: nil, connection_options: {})
@endpoint, @private_key, @directory_uri, @connection_options = endpoint, private_key, directory_uri, connection_options
@nonces ||= []
load_directory!
end
attr_reader :private_key, :nonces, :operation_endpoints
def register(contact:)
payload = {
resource: 'new-reg', contact: Array(contact)
}
response = connection.post(@operation_endpoints.fetch('new-reg'), payload)
::Acme::Client::Resources::Registration.new(self, response)
end
def authorize(domain:)
payload = {
resource: 'new-authz',
identifier: {
type: 'dns',
value: domain
}
}
response = connection.post(@operation_endpoints.fetch('new-authz'), payload)
::Acme::Client::Resources::Authorization.new(self, response.headers['Location'], response)
end
def fetch_authorization(uri)
response = connection.get(uri)
::Acme::Client::Resources::Authorization.new(self, uri, response)
end
def new_certificate(csr)
payload = {
resource: 'new-cert',
csr: Base64.urlsafe_encode64(csr.to_der)
}
response = connection.post(@operation_endpoints.fetch('new-cert'), payload)
::Acme::Client::Certificate.new(OpenSSL::X509::Certificate.new(response.body), response.headers['location'], fetch_chain(response), csr)
end
def revoke_certificate(certificate)
payload = { resource: 'revoke-cert', certificate: Base64.urlsafe_encode64(certificate.to_der) }
endpoint = @operation_endpoints.fetch('revoke-cert')
response = connection.post(endpoint, payload)
response.success?
end
def self.revoke_certificate(certificate, *arguments)
client = new(*arguments)
client.revoke_certificate(certificate)
end
def connection
@connection ||= Faraday.new(@endpoint, **@connection_options) do |configuration|
configuration.use Acme::Client::FaradayMiddleware, client: self
configuration.adapter Faraday.default_adapter
end
end
private
def fetch_chain(response, limit = 10)
links = response.headers['link']
if limit.zero? || links.nil? || links['up'].nil?
[]
else
issuer = connection.get(links['up'])
[OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit - 1)]
end
end
def load_directory!
@operation_endpoints = if @directory_uri
response = connection.get(@directory_uri)
body = response.body
{
'new-reg' => body.fetch('new-reg'),
'new-authz' => body.fetch('new-authz'),
'new-cert' => body.fetch('new-cert'),
'revoke-cert' => body.fetch('revoke-cert'),
}
else
DIRECTORY_DEFAULT
end
end
end
|