diff options
Diffstat (limited to 'vendor/golang.org/x/crypto/acme/acme.go')
| -rw-r--r-- | vendor/golang.org/x/crypto/acme/acme.go | 258 |
1 files changed, 162 insertions, 96 deletions
diff --git a/vendor/golang.org/x/crypto/acme/acme.go b/vendor/golang.org/x/crypto/acme/acme.go index 8619508e..1f4fb69e 100644 --- a/vendor/golang.org/x/crypto/acme/acme.go +++ b/vendor/golang.org/x/crypto/acme/acme.go @@ -15,6 +15,7 @@ package acme import ( "bytes" + "context" "crypto" "crypto/ecdsa" "crypto/elliptic" @@ -36,9 +37,6 @@ import ( "strings" "sync" "time" - - "golang.org/x/net/context" - "golang.org/x/net/context/ctxhttp" ) // LetsEncryptURL is the Directory endpoint of Let's Encrypt CA. @@ -53,38 +51,6 @@ const ( maxNonces = 100 ) -// CertOption is an optional argument type for Client methods which manipulate -// certificate data. -type CertOption interface { - privateCertOpt() -} - -// WithKey creates an option holding a private/public key pair. -// The private part signs a certificate, and the public part represents the signee. -func WithKey(key crypto.Signer) CertOption { - return &certOptKey{key} -} - -type certOptKey struct { - key crypto.Signer -} - -func (*certOptKey) privateCertOpt() {} - -// WithTemplate creates an option for specifying a certificate template. -// See x509.CreateCertificate for template usage details. -// -// In TLSSNIxChallengeCert methods, the template is also used as parent, -// resulting in a self-signed certificate. -// The DNSNames field of t is always overwritten for tls-sni challenge certs. -func WithTemplate(t *x509.Certificate) CertOption { - return (*certOptTemplate)(t) -} - -type certOptTemplate x509.Certificate - -func (*certOptTemplate) privateCertOpt() {} - // Client is an ACME client. // The only required field is Key. An example of creating a client with a new key // is as follows: @@ -133,7 +99,7 @@ func (c *Client) Discover(ctx context.Context) (Directory, error) { if dirURL == "" { dirURL = LetsEncryptURL } - res, err := ctxhttp.Get(ctx, c.HTTPClient, dirURL) + res, err := c.get(ctx, dirURL) if err != nil { return Directory{}, err } @@ -154,7 +120,7 @@ func (c *Client) Discover(ctx context.Context) (Directory, error) { CAA []string `json:"caa-identities"` } } - if json.NewDecoder(res.Body).Decode(&v); err != nil { + if err := json.NewDecoder(res.Body).Decode(&v); err != nil { return Directory{}, err } c.dir = &Directory{ @@ -176,7 +142,7 @@ func (c *Client) Discover(ctx context.Context) (Directory, error) { // // In the case where CA server does not provide the issued certificate in the response, // CreateCert will poll certURL using c.FetchCert, which will result in additional round-trips. -// In such scenario the caller can cancel the polling with ctx. +// In such a scenario, the caller can cancel the polling with ctx. // // CreateCert returns an error if the CA's response or chain was unreasonably large. // Callers are encouraged to parse the returned value to ensure the certificate is valid and has the expected features. @@ -200,7 +166,7 @@ func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, req.NotAfter = now.Add(exp).Format(time.RFC3339) } - res, err := c.postJWS(ctx, c.Key, c.dir.CertURL, req) + res, err := c.retryPostJWS(ctx, c.Key, c.dir.CertURL, req) if err != nil { return nil, "", err } @@ -209,14 +175,14 @@ func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, return nil, "", responseError(res) } - curl := res.Header.Get("location") // cert permanent URL + curl := res.Header.Get("Location") // cert permanent URL if res.ContentLength == 0 { // no cert in the body; poll until we get it cert, err := c.FetchCert(ctx, curl, bundle) return cert, curl, err } // slurp issued cert and CA chain, if requested - cert, err := responseCert(ctx, c.HTTPClient, res, bundle) + cert, err := c.responseCert(ctx, res, bundle) return cert, curl, err } @@ -231,18 +197,18 @@ func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, // and has expected features. func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) { for { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } defer res.Body.Close() if res.StatusCode == http.StatusOK { - return responseCert(ctx, c.HTTPClient, res, bundle) + return c.responseCert(ctx, res, bundle) } if res.StatusCode > 299 { return nil, responseError(res) } - d := retryAfter(res.Header.Get("retry-after"), 3*time.Second) + d := retryAfter(res.Header.Get("Retry-After"), 3*time.Second) select { case <-time.After(d): // retry @@ -275,7 +241,7 @@ func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, if key == nil { key = c.Key } - res, err := c.postJWS(ctx, key, c.dir.RevokeURL, body) + res, err := c.retryPostJWS(ctx, key, c.dir.RevokeURL, body) if err != nil { return err } @@ -291,7 +257,7 @@ func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, func AcceptTOS(tosURL string) bool { return true } // Register creates a new account registration by following the "new-reg" flow. -// It returns registered account. The a argument is not modified. +// It returns the registered account. The account is not modified. // // The registration may require the caller to agree to the CA's Terms of Service (TOS). // If so, and the account has not indicated the acceptance of the terms (see Account for details), @@ -363,7 +329,7 @@ func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, Resource: "new-authz", Identifier: authzID{Type: "dns", Value: domain}, } - res, err := c.postJWS(ctx, c.Key, c.dir.AuthzURL, req) + res, err := c.retryPostJWS(ctx, c.Key, c.dir.AuthzURL, req) if err != nil { return nil, err } @@ -387,7 +353,7 @@ func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, // If a caller needs to poll an authorization until its status is final, // see the WaitAuthorization method. func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } @@ -421,7 +387,7 @@ func (c *Client) RevokeAuthorization(ctx context.Context, url string) error { Status: "deactivated", Delete: true, } - res, err := c.postJWS(ctx, c.Key, url, req) + res, err := c.retryPostJWS(ctx, c.Key, url, req) if err != nil { return err } @@ -434,33 +400,26 @@ func (c *Client) RevokeAuthorization(ctx context.Context, url string) error { // WaitAuthorization polls an authorization at the given URL // until it is in one of the final states, StatusValid or StatusInvalid, -// or the context is done. +// the ACME CA responded with a 4xx error code, or the context is done. // // It returns a non-nil Authorization only if its Status is StatusValid. // In all other cases WaitAuthorization returns an error. -// If the Status is StatusInvalid, the returned error is ErrAuthorizationFailed. +// If the Status is StatusInvalid, the returned error is of type *AuthorizationError. func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) { - var count int - sleep := func(v string, inc int) error { - count += inc - d := backoff(count, 10*time.Second) - d = retryAfter(v, d) - wakeup := time.NewTimer(d) - defer wakeup.Stop() - select { - case <-ctx.Done(): - return ctx.Err() - case <-wakeup.C: - return nil - } - } - + sleep := sleeper(ctx) for { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } - retry := res.Header.Get("retry-after") + if res.StatusCode >= 400 && res.StatusCode <= 499 { + // Non-retriable error. For instance, Let's Encrypt may return 404 Not Found + // when requesting an expired authorization. + defer res.Body.Close() + return nil, responseError(res) + } + + retry := res.Header.Get("Retry-After") if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusAccepted { res.Body.Close() if err := sleep(retry, 1); err != nil { @@ -481,7 +440,7 @@ func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorizat return raw.authorization(url), nil } if raw.Status == StatusInvalid { - return nil, ErrAuthorizationFailed + return nil, raw.error(url) } if err := sleep(retry, 0); err != nil { return nil, err @@ -493,7 +452,7 @@ func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorizat // // A client typically polls a challenge status using this method. func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } @@ -527,7 +486,7 @@ func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error Type: chal.Type, Auth: auth, } - res, err := c.postJWS(ctx, c.Key, chal.URI, req) + res, err := c.retryPostJWS(ctx, c.Key, chal.URI, req) if err != nil { return nil, err } @@ -660,7 +619,7 @@ func (c *Client) doReg(ctx context.Context, url string, typ string, acct *Accoun req.Contact = acct.Contact req.Agreement = acct.AgreedTerms } - res, err := c.postJWS(ctx, c.Key, url, req) + res, err := c.retryPostJWS(ctx, c.Key, url, req) if err != nil { return nil, err } @@ -697,6 +656,40 @@ func (c *Client) doReg(ctx context.Context, url string, typ string, acct *Accoun }, nil } +// retryPostJWS will retry calls to postJWS if there is a badNonce error, +// clearing the stored nonces after each error. +// If the response was 4XX-5XX, then responseError is called on the body, +// the body is closed, and the error returned. +func (c *Client) retryPostJWS(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, error) { + sleep := sleeper(ctx) + for { + res, err := c.postJWS(ctx, key, url, body) + if err != nil { + return nil, err + } + // handle errors 4XX-5XX with responseError + if res.StatusCode >= 400 && res.StatusCode <= 599 { + err := responseError(res) + res.Body.Close() + // according to spec badNonce is urn:ietf:params:acme:error:badNonce + // however, acme servers in the wild return their version of the error + // https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-5.4 + if ae, ok := err.(*Error); ok && strings.HasSuffix(strings.ToLower(ae.ProblemType), ":badnonce") { + // clear any nonces that we might've stored that might now be + // considered bad + c.clearNonces() + retry := res.Header.Get("Retry-After") + if err := sleep(retry, 1); err != nil { + return nil, err + } + continue + } + return nil, err + } + return res, nil + } +} + // postJWS signs the body with the given key and POSTs it to the provided url. // The body argument must be JSON-serializable. func (c *Client) postJWS(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, error) { @@ -708,7 +701,7 @@ func (c *Client) postJWS(ctx context.Context, key crypto.Signer, url string, bod if err != nil { return nil, err } - res, err := ctxhttp.Post(ctx, c.HTTPClient, url, "application/jose+json", bytes.NewReader(b)) + res, err := c.post(ctx, url, "application/jose+json", bytes.NewReader(b)) if err != nil { return nil, err } @@ -722,7 +715,7 @@ func (c *Client) popNonce(ctx context.Context, url string) (string, error) { c.noncesMu.Lock() defer c.noncesMu.Unlock() if len(c.nonces) == 0 { - return fetchNonce(ctx, c.HTTPClient, url) + return c.fetchNonce(ctx, url) } var nonce string for nonce = range c.nonces { @@ -732,6 +725,13 @@ func (c *Client) popNonce(ctx context.Context, url string) (string, error) { return nonce, nil } +// clearNonces clears any stored nonces +func (c *Client) clearNonces() { + c.noncesMu.Lock() + defer c.noncesMu.Unlock() + c.nonces = make(map[string]struct{}) +} + // addNonce stores a nonce value found in h (if any) for future use. func (c *Client) addNonce(h http.Header) { v := nonceFromHeader(h) @@ -749,8 +749,58 @@ func (c *Client) addNonce(h http.Header) { c.nonces[v] = struct{}{} } -func fetchNonce(ctx context.Context, client *http.Client, url string) (string, error) { - resp, err := ctxhttp.Head(ctx, client, url) +func (c *Client) httpClient() *http.Client { + if c.HTTPClient != nil { + return c.HTTPClient + } + return http.DefaultClient +} + +func (c *Client) get(ctx context.Context, urlStr string) (*http.Response, error) { + req, err := http.NewRequest("GET", urlStr, nil) + if err != nil { + return nil, err + } + return c.do(ctx, req) +} + +func (c *Client) head(ctx context.Context, urlStr string) (*http.Response, error) { + req, err := http.NewRequest("HEAD", urlStr, nil) + if err != nil { + return nil, err + } + return c.do(ctx, req) +} + +func (c *Client) post(ctx context.Context, urlStr, contentType string, body io.Reader) (*http.Response, error) { + req, err := http.NewRequest("POST", urlStr, body) + if err != nil { + return nil, err + } + req.Header.Set("Content-Type", contentType) + return c.do(ctx, req) +} + +func (c *Client) do(ctx context.Context, req *http.Request) (*http.Response, error) { + res, err := c.httpClient().Do(req.WithContext(ctx)) + if err != nil { + select { + case <-ctx.Done(): + // Prefer the unadorned context error. + // (The acme package had tests assuming this, previously from ctxhttp's + // behavior, predating net/http supporting contexts natively) + // TODO(bradfitz): reconsider this in the future. But for now this + // requires no test updates. + return nil, ctx.Err() + default: + return nil, err + } + } + return res, nil +} + +func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) { + resp, err := c.head(ctx, url) if err != nil { return "", err } @@ -769,7 +819,7 @@ func nonceFromHeader(h http.Header) string { return h.Get("Replay-Nonce") } -func responseCert(ctx context.Context, client *http.Client, res *http.Response, bundle bool) ([][]byte, error) { +func (c *Client) responseCert(ctx context.Context, res *http.Response, bundle bool) ([][]byte, error) { b, err := ioutil.ReadAll(io.LimitReader(res.Body, maxCertSize+1)) if err != nil { return nil, fmt.Errorf("acme: response stream: %v", err) @@ -793,7 +843,7 @@ func responseCert(ctx context.Context, client *http.Client, res *http.Response, return nil, errors.New("acme: rel=up link is too large") } for _, url := range up { - cc, err := chainCert(ctx, client, url, 0) + cc, err := c.chainCert(ctx, url, 0) if err != nil { return nil, err } @@ -807,14 +857,8 @@ func responseError(resp *http.Response) error { // don't care if ReadAll returns an error: // json.Unmarshal will fail in that case anyway b, _ := ioutil.ReadAll(resp.Body) - e := struct { - Status int - Type string - Detail string - }{ - Status: resp.StatusCode, - } - if err := json.Unmarshal(b, &e); err != nil { + e := &wireError{Status: resp.StatusCode} + if err := json.Unmarshal(b, e); err != nil { // this is not a regular error response: // populate detail with anything we received, // e.Status will already contain HTTP response code value @@ -823,12 +867,7 @@ func responseError(resp *http.Response) error { e.Detail = resp.Status } } - return &Error{ - StatusCode: e.Status, - ProblemType: e.Type, - Detail: e.Detail, - Header: resp.Header, - } + return e.error(resp.Header) } // chainCert fetches CA certificate chain recursively by following "up" links. @@ -836,12 +875,12 @@ func responseError(resp *http.Response) error { // if the recursion level reaches maxChainLen. // // First chainCert call starts with depth of 0. -func chainCert(ctx context.Context, client *http.Client, url string, depth int) ([][]byte, error) { +func (c *Client) chainCert(ctx context.Context, url string, depth int) ([][]byte, error) { if depth >= maxChainLen { return nil, errors.New("acme: certificate chain is too deep") } - res, err := ctxhttp.Get(ctx, client, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } @@ -863,7 +902,7 @@ func chainCert(ctx context.Context, client *http.Client, url string, depth int) return nil, errors.New("acme: certificate chain is too large") } for _, up := range uplink { - cc, err := chainCert(ctx, client, up, depth+1) + cc, err := c.chainCert(ctx, up, depth+1) if err != nil { return nil, err } @@ -893,6 +932,28 @@ func linkHeader(h http.Header, rel string) []string { return links } +// sleeper returns a function that accepts the Retry-After HTTP header value +// and an increment that's used with backoff to increasingly sleep on +// consecutive calls until the context is done. If the Retry-After header +// cannot be parsed, then backoff is used with a maximum sleep time of 10 +// seconds. +func sleeper(ctx context.Context) func(ra string, inc int) error { + var count int + return func(ra string, inc int) error { + count += inc + d := backoff(count, 10*time.Second) + d = retryAfter(ra, d) + wakeup := time.NewTimer(d) + defer wakeup.Stop() + select { + case <-ctx.Done(): + return ctx.Err() + case <-wakeup.C: + return nil + } + } +} + // retryAfter parses a Retry-After HTTP header value, // trying to convert v into an int (seconds) or use http.ParseTime otherwise. // It returns d if v cannot be parsed. @@ -941,6 +1002,7 @@ func keyAuth(pub crypto.PublicKey, token string) (string, error) { // tlsChallengeCert creates a temporary certificate for TLS-SNI challenges // with the given SANs and auto-generated public/private key pair. +// The Subject Common Name is set to the first SAN to aid debugging. // To create a cert with a custom key pair, specify WithKey option. func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) { var ( @@ -974,10 +1036,14 @@ func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) { NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, - KeyUsage: x509.KeyUsageKeyEncipherment, + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, } } tmpl.DNSNames = san + if len(san) > 0 { + tmpl.Subject.CommonName = san[0] + } der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) if err != nil { |