Make sure the challenges do not get re-ordered for SAN certs

2015-11-17 22:22:25 +01:00 · 2015-11-17 22:22:25 +01:00 · 6671fd137c
commit 6671fd137c
parent c849ca1b90
2 changed files with 55 additions and 3 deletions
--- a/acme/client.go
+++ b/acme/client.go
@ -234,10 +234,13 @@ func (c *Client) ObtainSANCertificate(domains []string, bundle bool) (Certificat
 	}

 	challenges, failures := c.getChallenges(domains)
-	if len(challenges) == 0 {
+	// If any challenge fails - return. Do not generate partial SAN certificates.
+	if len(failures) > 0 {
 		return CertificateResource{}, failures
 	}

+	challenges = reorderAuthorizations(domains, challenges)
+
 	errs := c.solveChallenges(challenges)
 	// If any challenge fails - return. Do not generate partial SAN certificates.
 	if len(errs) > 0 {
@ -246,9 +249,9 @@ func (c *Client) ObtainSANCertificate(domains []string, bundle bool) (Certificat

 	logf("[INFO] acme: Validations succeeded; requesting certificates")

-	cert, err := c.requestCertificate(succeededChallenges, bundle)
+	cert, err := c.requestCertificate(challenges, bundle)
 	if err != nil {
-		for _, chln := range succeededChallenges {
+		for _, chln := range challenges {
 			failures[chln.Domain] = err
 		}
 	}
@ -660,3 +663,20 @@ func parseLinks(links []string) map[string]string {

 	return linkMap
 }
+
+func reorderAuthorizations(domains []string, challenges []authorizationResource) []authorizationResource {
+	// restore order of challenges
+	for i, domain := range domains {
+		if domain == challenges[i].Domain {
+			continue
+		}
+
+		for j, chlng := range challenges {
+			if chlng.Domain == domain {
+				challenges[i], challenges[j] = challenges[j], challenges[i]
+			}
+		}
+	}
+
+	return challenges
+}
--- a/acme/client_test.go
+++ b/acme/client_test.go
@ -4,6 +4,8 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/json"
+	"fmt"
+	mrand "math/rand"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@ -68,3 +70,33 @@ type mockUser struct {
 func (u mockUser) GetEmail() string                       { return u.email }
 func (u mockUser) GetRegistration() *RegistrationResource { return u.regres }
 func (u mockUser) GetPrivateKey() *rsa.PrivateKey         { return u.privatekey }
+
+func TestReorderAuthorizations(t *testing.T) {
+	// generate fake domains
+	var domains []string
+	for i := 0; i < 30; i++ {
+		domains = append(domains, fmt.Sprintf("example%d.com", i))
+	}
+
+	// generate authorizationResources from the domains
+	var challenges []authorizationResource
+	for _, domain := range domains {
+		challenges = append(challenges, authorizationResource{Domain: domain})
+	}
+
+	// shuffle the challenges slice
+	for i := len(challenges) - 1; i > 0; i-- {
+		j := mrand.Intn(i + 1)
+		challenges[i], challenges[j] = challenges[j], challenges[i]
+	}
+
+	// reorder the challenges
+	reordered := reorderAuthorizations(domains, challenges)
+
+	// test if reordering was successfull
+	for i, domain := range domains {
+		if domain != reordered[i].Domain {
+			t.Errorf("Expected reordered[%d] to equal %s but was %s", i, domain, reordered[i].Domain)
+		}
+	}
+}