Module: Bullion::Helpers::Acme

Defined in:
lib/bullion/helpers/acme.rb

Overview

ACME-specific helper functions

Instance Method Summary collapse

Instance Method Details

#extract_header_dataObject

rubocop:enable Metrics/AbcSize rubocop:enable Metrics/MethodLength rubocop:enable Metrics/PerceivedComplexity rubocop:enable Metrics/CyclomaticComplexity



64
65
66
# File 'lib/bullion/helpers/acme.rb', line 64

def extract_header_data
  JSON.parse(Base64.decode64(@json_body[:protected]))
end

#extract_payload_dataObject



68
69
70
71
72
73
74
# File 'lib/bullion/helpers/acme.rb', line 68

def extract_payload_data
  if @json_body[:payload] && @json_body[:payload] != ""
    JSON.parse(Base64.decode64(@json_body[:payload]))
  else
    @json_body[:payload]
  end
end

#extract_valid_order_domains(order_domains) ⇒ Object

rubocop:enable Metrics/AbcSize rubocop:enable Metrics/CyclomaticComplexity rubocop:enable Metrics/PerceivedComplexity



189
190
191
192
193
# File 'lib/bullion/helpers/acme.rb', line 189

def extract_valid_order_domains(order_domains)
  order_domains.reject do |domain|
    Bullion.config.ca.domains.none? { domain["value"].end_with?(_1) }
  end
end

#parse_acme_jwt(key = nil, validate_nonce: true) ⇒ Object

Parses and verifies the incoming ACME JWT for authentication rubocop:disable Metrics/AbcSize rubocop:disable Metrics/MethodLength rubocop:disable Metrics/PerceivedComplexity rubocop:disable Metrics/CyclomaticComplexity



14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/bullion/helpers/acme.rb', line 14

def parse_acme_jwt(key = nil, validate_nonce: true)
  @header_data = extract_header_data
  @payload_data = extract_payload_data
  signature = @json_body[:signature]

  # check nonce
  if validate_nonce
    nonce = Models::Nonce.where(token: @header_data["nonce"]).first
    raise Bullion::Acme::Errors::BadNonce unless nonce

    nonce.destroy
  end

  jwt_data = [
    @json_body[:protected],
    @json_body[:payload],
    @json_body[:signature]
  ].join(".")

  # Either use the provided key or find the current user's public key
  public_key = key || user_public_key

  # Convert the key to an OpenSSL-compatible key
  compat_public_key = openssl_compat(public_key)

  # Validate the payload was signed with the private key for the public key
  if @payload_data && @payload_data != ""
    JWT.decode(jwt_data, compat_public_key, true, { algorithm: @header_data["alg"] })
  else
    digest = digest_from_alg(@header_data["alg"])

    sig = if @header_data["alg"].downcase.start_with?("es")
            ecdsa_sig_to_der(signature)
          elsif @header_data["alg"].downcase.start_with?("rs")
            Base64.urlsafe_decode64(signature)
          end

    validated = compat_public_key.verify(
      digest,
      sig,
      "#{@json_body[:protected]}."
    )
    raise Bullion::Acme::Errors::Malformed unless validated
  end
end

#user_public_keyObject



76
77
78
79
80
81
82
83
84
85
86
87
# File 'lib/bullion/helpers/acme.rb', line 76

def user_public_key
  @user = if @header_data["kid"]
            user_id = @header_data["kid"].split("/").last
            return unless user_id

            Models::Account.find(user_id)
          else
            Models::Account.where(public_key: @header_data["jwk"]).last
          end

  @user.public_key
end

#validate_account_data(hash) ⇒ Object

Validation helpers



91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# File 'lib/bullion/helpers/acme.rb', line 91

def (hash)
  unless [true, false, nil].include?(hash["onlyReturnExisting"])
    raise Bullion::Acme::Errors::Malformed,
          "Invalid onlyReturnExisting: #{hash["onlyReturnExisting"]}"
  end

  unless hash["contact"].is_a?(Array)
    raise Bullion::Acme::Errors::InvalidContact,
          "Invalid contacts format: #{hash["contact"].class}, #{hash}"
  end

  unless hash["contact"].size.positive?
    raise Bullion::Acme::Errors::InvalidContact,
          "Empty contacts list"
  end

  # Contacts must be a valid email
  # TODO: find a better email verification approach
  unless hash["contact"].grep_v(/^mailto:[a-zA-Z0-9@.+-]{3,}/).empty?
    raise Bullion::Acme::Errors::UnsupportedContact
  end

  true
end

#validate_acme_csr(order, csr) ⇒ Object



116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# File 'lib/bullion/helpers/acme.rb', line 116

def validate_acme_csr(order, csr)
  csr_attrs = extract_csr_attrs(csr)
  csr_sans = extract_csr_sans(csr_attrs)
  csr_domains = extract_csr_domains(csr_sans)
  csr_cn = cn_from_csr(csr)

  order_domains = order.identifiers.map { |i| i["value"] }

  # Make sure the CSR has a valid public key
  raise Bullion::Acme::Errors::BadCsr unless csr.verify(csr.public_key)

  return false unless order.status == "ready"
  raise Bullion::Acme::Errors::BadCsr unless csr_domains.include?(csr_cn)
  raise Bullion::Acme::Errors::BadCsr unless csr_domains.sort == order_domains.sort

  true
end

#validate_order(hash) ⇒ Object



134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
# File 'lib/bullion/helpers/acme.rb', line 134

def validate_order(hash)
  validate_order_nb_and_na(hash["notBefore"], hash["notAfter"])

  # Don't approve empty orders
  raise Bullion::Acme::Errors::InvalidOrder, "Empty order!" if hash["identifiers"].empty?

  order_domains = hash["identifiers"].select { |ident| ident["type"] == "dns" }

  # Don't approve an order with identifiers that _aren't_ of type 'dns'
  unless hash["identifiers"] == order_domains
    raise Bullion::Acme::Errors::InvalidOrder, 'Only type "dns" allowed'
  end

  # Extract domains that end with something in our allowed domains list
  valid_domains = extract_valid_order_domains(order_domains)

  # Only allow configured domains...
  unless order_domains == valid_domains
    raise(
      Bullion::Acme::Errors::InvalidOrder,
      "Domains #{order_domains - valid_domains} not allowed"
    )
  end

  true
end

#validate_order_nb_and_na(not_before, not_after) ⇒ Object

rubocop:disable Metrics/AbcSize rubocop:disable Metrics/CyclomaticComplexity rubocop:disable Metrics/PerceivedComplexity



164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
# File 'lib/bullion/helpers/acme.rb', line 164

def validate_order_nb_and_na(not_before, not_after)
  raise Bullion::Acme::Errors::Malformed if not_before && !not_before.is_a?(String)
  raise Bullion::Acme::Errors::Malformed if not_after && !not_after.is_a?(String)

  return unless not_before && not_after

  nb = Time.parse(not_before)
  na = Time.parse(not_after)

  # don't allow nonsense certs
  raise Bullion::Acme::Errors::InvalidOrder unless nb < na
  # don't allow far-future certs
  if nb > Time.now + (7 * 86_400) || na > Time.now + CERT_VALIDITY_DURATION
    raise Bullion::Acme::Errors::InvalidOrder
  end

  # don't allow really "old" certs
  raise Bullion::Acme::Errors::InvalidOrder if nb < Time.now - (14 * 86_400)
  # don't allow creating certs that are already expired
  raise Bullion::Acme::Errors::InvalidOrder if na <= Time.now
end