acme: go fmt

This commit is contained in:
David Cowden 2020-05-07 09:27:16 -07:00
parent 9af4dd3692
commit bdadea8a37
3 changed files with 35 additions and 41 deletions


@ -206,7 +206,7 @@ func (h *Handler) GetChallenge(w http.ResponseWriter, r *http.Request) {
} }
var ( var (
ch *acme.Challenge ch *acme.Challenge
chID = chi.URLParam(r, "chID") chID = chi.URLParam(r, "chID")
) )
ch, err = h.Auth.ValidateChallenge(prov, acc.GetID(), chID, acc.GetKey()) ch, err = h.Auth.ValidateChallenge(prov, acc.GetID(), chID, acc.GetKey())


@ -57,12 +57,12 @@ var (
orderTable = []byte("acme_orders") orderTable = []byte("acme_orders")
ordersByAccountIDTable = []byte("acme_account_orders_index") ordersByAccountIDTable = []byte("acme_account_orders_index")
certTable = []byte("acme_certs") certTable = []byte("acme_certs")
ordinal int ordinal int
) )
// Ordinal is used during challenge retries to indicate ownership. // Ordinal is used during challenge retries to indicate ownership.
func init() { func init() {
ordstr := os.Getenv("STEP_CA_ORDINAL"); ordstr := os.Getenv("STEP_CA_ORDINAL")
if ordstr == "" { if ordstr == "" {
ordinal = 0 ordinal = 0
} else { } else {
@ -323,13 +323,12 @@ func (a *Authority) ValidateChallenge(p provisioner.Interface, accID, chID strin
// Take ownership of the challenge status and retry state. The values must be reset. // Take ownership of the challenge status and retry state. The values must be reset.
up := ch.clone() up := ch.clone()
up.Status = StatusProcessing up.Status = StatusProcessing
up.Retry = &Retry { up.Retry = &Retry{
Owner: ordinal, Owner: ordinal,
ProvisionerID: p.GetID(), ProvisionerID: p.GetID(),
NumAttempts: 0, NumAttempts: 0,
MaxAttempts: 10, MaxAttempts: 10,
NextAttempt: time.Now().Add(retryInterval).UTC().Format(time.RFC3339), NextAttempt: time.Now().Add(retryInterval).UTC().Format(time.RFC3339),
} }
err = up.save(a.db, ch) err = up.save(a.db, ch)
if err != nil { if err != nil {
@ -382,7 +381,6 @@ func (a *Authority) validate(ch challenge, jwk *jose.JSONWebKey) (challenge, err
}) })
} }
const retryInterval = 12 * time.Second const retryInterval = 12 * time.Second
// see: ValidateChallenge // see: ValidateChallenge
@ -458,7 +456,6 @@ func (a *Authority) RetryChallenge(chID string) {
} }
} }
// GetCertificate retrieves the Certificate by ID. // GetCertificate retrieves the Certificate by ID.
func (a *Authority) GetCertificate(accID, certID string) ([]byte, error) { func (a *Authority) GetCertificate(accID, certID string) ([]byte, error) {
cert, err := getCert(a.db, certID) cert, err := getCert(a.db, certID)
@ -470,4 +467,3 @@ func (a *Authority) GetCertificate(accID, certID string) ([]byte, error) {
} }
return cert.toACME(a.db, a.dir) return cert.toACME(a.db, a.dir)
} }


@ -25,15 +25,15 @@ import (
// Challenge is a subset of the challenge type containing only those attributes // Challenge is a subset of the challenge type containing only those attributes
// required for responses in the ACME protocol. // required for responses in the ACME protocol.
type Challenge struct { type Challenge struct {
Type string `json:"type"` Type string `json:"type"`
Status string `json:"status"` Status string `json:"status"`
Token string `json:"token"` Token string `json:"token"`
Validated string `json:"validated,omitempty"` Validated string `json:"validated,omitempty"`
URL string `json:"url"` URL string `json:"url"`
Error *AError `json:"error,omitempty"` Error *AError `json:"error,omitempty"`
RetryAfter string `json:"retry_after,omitempty"` RetryAfter string `json:"retry_after,omitempty"`
ID string `json:"-"` ID string `json:"-"`
AuthzID string `json:"-"` AuthzID string `json:"-"`
} }
// ToLog enables response logging. // ToLog enables response logging.
@ -86,10 +86,10 @@ type challenge interface {
// ChallengeOptions is the type used to created a new Challenge. // ChallengeOptions is the type used to created a new Challenge.
type ChallengeOptions struct { type ChallengeOptions struct {
AccountID string AccountID string
AuthzID string AuthzID string
ProvisionerID string ProvisionerID string
Identifier Identifier Identifier Identifier
} }
// baseChallenge is the base Challenge type that others build from. // baseChallenge is the base Challenge type that others build from.
@ -294,18 +294,17 @@ func unmarshalChallenge(data []byte) (challenge, error) {
// Challenge retry information is internally relevant and needs to be stored in the DB, but should not be part // Challenge retry information is internally relevant and needs to be stored in the DB, but should not be part
// of the public challenge API apart from the Retry-After header. // of the public challenge API apart from the Retry-After header.
type Retry struct { type Retry struct {
Owner int `json:"owner"` Owner int `json:"owner"`
ProvisionerID string `json:"provisionerid"` ProvisionerID string `json:"provisionerid"`
NumAttempts int `json:"numattempts"` NumAttempts int `json:"numattempts"`
MaxAttempts int `json:"maxattempts"` MaxAttempts int `json:"maxattempts"`
NextAttempt string `json:"nextattempt"` NextAttempt string `json:"nextattempt"`
} }
func (r *Retry) Active() bool { func (r *Retry) Active() bool {
return r.NumAttempts < r.MaxAttempts return r.NumAttempts < r.MaxAttempts
} }
// http01Challenge represents an http-01 acme challenge. // http01Challenge represents an http-01 acme challenge.
type http01Challenge struct { type http01Challenge struct {
*baseChallenge *baseChallenge
@ -452,8 +451,8 @@ func (tc *tlsALPN01Challenge) validate(jwk *jose.JSONWebKey, vo validateOptions)
leafCert := certs[0] leafCert := certs[0]
if len(leafCert.DNSNames) != 1 || !strings.EqualFold(leafCert.DNSNames[0], tc.Value) { if len(leafCert.DNSNames) != 1 || !strings.EqualFold(leafCert.DNSNames[0], tc.Value) {
e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " + e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: "+
"leaf certificate must contain a single DNS name, %v", tc.Value) "leaf certificate must contain a single DNS name, %v", tc.Value)
up.Error = RejectedIdentifierErr(e).ToACME() up.Error = RejectedIdentifierErr(e).ToACME()
return up, nil return up, nil
} }
@ -472,7 +471,7 @@ func (tc *tlsALPN01Challenge) validate(jwk *jose.JSONWebKey, vo validateOptions)
if idPeAcmeIdentifier.Equal(ext.Id) { if idPeAcmeIdentifier.Equal(ext.Id) {
if !ext.Critical { if !ext.Critical {
e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " + e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " +
"acmeValidationV1 extension not critical") "acmeValidationV1 extension not critical")
up.Error = IncorrectResponseErr(e).ToACME() up.Error = IncorrectResponseErr(e).ToACME()
return up, nil return up, nil
} }
@ -482,15 +481,15 @@ func (tc *tlsALPN01Challenge) validate(jwk *jose.JSONWebKey, vo validateOptions)
if err != nil || len(rest) > 0 || len(hashedKeyAuth) != len(extValue) { if err != nil || len(rest) > 0 || len(hashedKeyAuth) != len(extValue) {
e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " + e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " +
"malformed acmeValidationV1 extension value") "malformed acmeValidationV1 extension value")
up.Error = IncorrectResponseErr(e).ToACME() up.Error = IncorrectResponseErr(e).ToACME()
return up, nil return up, nil
} }
if subtle.ConstantTimeCompare(hashedKeyAuth[:], extValue) != 1 { if subtle.ConstantTimeCompare(hashedKeyAuth[:], extValue) != 1 {
e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " + e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: "+
"expected acmeValidationV1 extension value %s for this challenge but got %s", "expected acmeValidationV1 extension value %s for this challenge but got %s",
hex.EncodeToString(hashedKeyAuth[:]), hex.EncodeToString(extValue)) hex.EncodeToString(hashedKeyAuth[:]), hex.EncodeToString(extValue))
up.Error = IncorrectResponseErr(e).ToACME() up.Error = IncorrectResponseErr(e).ToACME()
// There is an appropriate value, but it doesn't match. // There is an appropriate value, but it doesn't match.
up.Status = StatusInvalid up.Status = StatusInvalid
@ -511,13 +510,13 @@ func (tc *tlsALPN01Challenge) validate(jwk *jose.JSONWebKey, vo validateOptions)
if foundIDPeAcmeIdentifierV1Obsolete { if foundIDPeAcmeIdentifierV1Obsolete {
e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " + e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " +
"obsolete id-pe-acmeIdentifier in acmeValidationV1 extension") "obsolete id-pe-acmeIdentifier in acmeValidationV1 extension")
up.Error = IncorrectResponseErr(e).ToACME() up.Error = IncorrectResponseErr(e).ToACME()
return up, nil return up, nil
} }
e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: "+ e := errors.Errorf("incorrect certificate for tls-alpn-01 challenge: " +
"missing acmeValidationV1 extension") "missing acmeValidationV1 extension")
up.Error = IncorrectResponseErr(e).ToACME() up.Error = IncorrectResponseErr(e).ToACME()
return tc, nil return tc, nil
} }
@ -600,7 +599,7 @@ func (dc *dns01Challenge) validate(jwk *jose.JSONWebKey, vo validateOptions) (ch
up.Status = StatusInvalid up.Status = StatusInvalid
e := errors.Errorf("keyAuthorization does not match; expected %s, but got %s", e := errors.Errorf("keyAuthorization does not match; expected %s, but got %s",
expectedKeyAuth, txtRecords) expectedKeyAuth, txtRecords)
up.Error = IncorrectResponseErr(e).ToACME() up.Error = IncorrectResponseErr(e).ToACME()
return up, nil return up, nil
} }
@ -630,4 +629,3 @@ func getChallenge(db nosql.DB, id string) (challenge, error) {
} }
return ch, nil return ch, nil
} }
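Review bot: In the tls-alpn-01 validate hunk (@ -511,13 +510,13), the fall-through "missing acmeValidationV1 extension" branch sets `up.Error` and then does `return tc, nil`, returning the original challenge instead of the updated copy, while every sibling branch in the same hunk returns `up`. Unless `tc` and `up` alias the same object (not visible in these hunks), the recorded error is dropped and the caller sees an unchanged challenge, so the line should read `return up, nil`. The enclosing validate function starts and ends outside the hunks shown, and since this commit is formatting-only the defect is pre-existing rather than introduced here.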