forked from TrueCloudLab/certificates
Merge pull request #146 from anxolerd/normalize-wildcard
Perform domain normalization for wildcard domains
This commit is contained in:
commit
37d33968f1
2 changed files with 52 additions and 2 deletions
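--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -385,11 +385,20 @@ func (dc *dns01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo validat
 return dc, nil
 }
 
-txtRecords, err := vo.lookupTxt("_acme-challenge." + dc.Value)
+// Normalize domain for wildcard DNS names
+// This is done to avoid making TXT lookups for domains like
+// _acme-challenge.*.example.com
+// Instead perform txt lookup for _acme-challenge.example.com
+domain := dc.Value
+if strings.HasPrefix(domain, "*") {
+domain = strings.TrimPrefix(domain, "*.")
+}
+
+txtRecords, err := vo.lookupTxt("_acme-challenge." + domain)
 if err != nil {
 if err = dc.storeError(db,
 DNSErr(errors.Wrapf(err, "error looking up TXT "+
-"records for domain %s", dc.Value))); err != nil {
+"records for domain %s", domain))); err != nil {
 return nil, err
 }
 return dc, nil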
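Review bot: The guard `if strings.HasPrefix(domain, "*")` tests for a bare `*` while the trim removes `*.`, so a value such as `*example.com` passes the guard untouched and a TXT query for `_acme-challenge.*example.com` is still issued, and `*.*.example.com` is reduced only one level, to `*.example.com`. The single line `domain := strings.TrimPrefix(dc.Value, "*.")` makes guard and trim agree and removes the conditional. Whether such malformed wildcard identifiers can reach this point depends on the identifier validation performed when the order is created, which is not visible here; if they are not rejected there, refusing a `domain` that still contains `*` before the lookup, rather than querying DNS for it, would be the safer choice. Note also that the stored error now reports the normalized `domain`, so a client that requested `*.example.com` sees `example.com` in the failure message; that is accurate for the lookup actually performed but worth confirming is intended. The body of validate starts before this hunk.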
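--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -930,6 +930,47 @@ func TestDNS01Validate(t *testing.T) {
 res: ch,
 }
 },
+"ok/lookup-txt-wildcard": func(t *testing.T) test {
+ch, err := newDNSCh()
+assert.FatalError(t, err)
+_ch, ok := ch.(*dns01Challenge)
+assert.Fatal(t, ok)
+_ch.baseChallenge.Value = "*.zap.internal"
+
+jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+assert.FatalError(t, err)
+
+expKeyAuth, err := KeyAuthorization(ch.getToken(), jwk)
+assert.FatalError(t, err)
+h := sha256.Sum256([]byte(expKeyAuth))
+expected := base64.RawURLEncoding.EncodeToString(h[:])
+
+baseClone := ch.clone()
+baseClone.Status = StatusValid
+baseClone.Error = nil
+newCh := &dns01Challenge{baseClone}
+
+return test{
+ch: ch,
+res: newCh,
+vo: validateOptions{
+lookupTxt: func(url string) ([]string, error) {
+assert.Equals(t, url, "_acme-challenge.zap.internal")
+return []string{"foo", expected}, nil
+},
+},
+jwk: jwk,
+db: &db.MockNoSQLDB{
+MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+dnsCh, err := unmarshalChallenge(newval)
+assert.FatalError(t, err)
+assert.Equals(t, dnsCh.getStatus(), StatusValid)
+baseClone.Validated = dnsCh.getValidated()
+return nil, true, nil
+},
+},
+}
+},
 "fail/key-authorization-gen-error": func(t *testing.T) test {
 ch, err := newDNSCh()
 assert.FatalError(t, err)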
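Review bot: The new case pins only the well-formed value `*.zap.internal`, so the normalization's behavior for a value where the `*` guard and the `*.` trim disagree (for example `*zap.internal` or `*.*.zap.internal`) is left untested; a second case setting `_ch.baseChallenge.Value = "*zap.internal"` with an `assert.Equals` on the name `lookupTxt` receives would make the intended handling explicit rather than implicit. As a point of style, the mock's parameter is a DNS name rather than a URL, so `lookupTxt: func(name string) ([]string, error) {` reads more accurately. The table-driven function TestDNS01Validate begins before this hunk.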