alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Improve check for single IP in TLS-ALPN-01 challenge

Browse source
This commit is contained in:
Herman Slatman 2021-06-04 00:12:49 +02:00
parent a6405e98a9
commit 0c79914d0d
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
acme/challenge.go
View file

@ -108,12 +108,12 @@ func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWeb
func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, vo *ValidateChallengeOptions) error { func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, vo *ValidateChallengeOptions) error {
var serverName string
// RFC8738 states that, if HostName is IP, it should be the ARPA // RFC8738 states that, if HostName is IP, it should be the ARPA
// address https://datatracker.ietf.org/doc/html/rfc8738#section-6. // address https://datatracker.ietf.org/doc/html/rfc8738#section-6.
// It also references TLS Extensions [RFC6066]. // It also references TLS Extensions [RFC6066].
if ip := net.ParseIP(ch.Value); ip != nil { var serverName string
ip := net.ParseIP(ch.Value)
if ip != nil {
serverName = reverseAddr(ip) serverName = reverseAddr(ip)
} else { } else {
serverName = ch.Value serverName = ch.Value
@ -155,7 +155,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
// if no DNS names present, look for IP address and verify that exactly one exists // if no DNS names present, look for IP address and verify that exactly one exists
if len(leafCert.DNSNames) == 0 { if len(leafCert.DNSNames) == 0 {
if len(leafCert.IPAddresses) != 1 || !strings.EqualFold(leafCert.IPAddresses[0].String(), ch.Value) { if len(leafCert.IPAddresses) != 1 || !leafCert.IPAddresses[0].Equal(ip) {
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType, return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: leaf certificate must contain a single IP address, %v", ch.Value)) "incorrect certificate for tls-alpn-01 challenge: leaf certificate must contain a single IP address, %v", ch.Value))
} }