Bump github.com/eggsampler/acme/v3 from 3.2.1 to 3.3.0 (#6060)

Bumps github.com/eggsampler/acme/v3 from 3.2.1 to 3.3.0.
- Release notes: https://github.com/eggsampler/acme/releases
- Diff: https://github.com/eggsampler/acme/compare/v3.2.1...v3.3.0

Also updates github.com/miekg/dns from v1.1.45 to v1.1.48.
This does not affect any files we depend on.

go.mod

@@ -4,7 +4,7 @@ go 1.17
 
 require (
 	github.com/beeker1121/goque v1.0.3-0.20191103205551-d618510128af
-	github.com/eggsampler/acme/v3 v3.2.1
+	github.com/eggsampler/acme/v3 v3.3.0
 	github.com/go-gorp/gorp/v3 v3.0.2
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/go-sql-driver/mysql v1.5.0

go.sum

@@ -79,8 +79,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/eggsampler/acme/v3 v3.2.1 h1:Lfsrg3M2zt00QRnizOFzdpSfsS9oDvPsGrodXS/w1KI=
-github.com/eggsampler/acme/v3 v3.2.1/go.mod h1:/qh0rKC/Dh7Jj+p4So7DbWmFNzC4dpcpK53r226Fhuo=
+github.com/eggsampler/acme/v3 v3.3.0 h1:5M7vwYRy65iPpCFHZ01RyWXmYT8e8MlcWn/9BUUB7Ro=
+github.com/eggsampler/acme/v3 v3.3.0/go.mod h1:/qh0rKC/Dh7Jj+p4So7DbWmFNzC4dpcpK53r226Fhuo=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=

vendor/github.com/eggsampler/acme/v3/Makefile

@@ -1,14 +1,15 @@
 
 .PHONY: test examples clean test_full pebble pebble_setup pebble_start pebble_wait pebble_stop boulder boulder_setup boulder_start boulder_stop
 
-
+# some variables for path injection, if already set will not override
 GOPATH ?= $(HOME)/go
 BOULDER_PATH ?= $(GOPATH)/src/github.com/letsencrypt/boulder
 PEBBLE_PATH ?= $(GOPATH)/src/github.com/letsencrypt/pebble
 TEST_PATH ?= github.com/eggsampler/acme/v3
 
 
-# tests the code against a running ca instance
+# tests the code against an already running ca instance
+# to actually do a test against pebble or boulder, including , see the 'pebble' or 'boulder' targets
 test:
 	-go clean -testcache
 	go test -v -race -coverprofile=coverage.out -covermode=atomic $(TEST_PATH)
@@ -24,6 +25,7 @@ clean:
 test_full: clean examples pebble pebble_stop boulder boulder_stop
 
 
+# sets up & runs pebble (in docker), tests, then stops pebble
 pebble: pebble_setup pebble_start pebble_wait test pebble_stop
 
 pebble_setup:
@@ -45,6 +47,7 @@ pebble_stop:
 	docker-compose -f $(PEBBLE_PATH)/docker-compose.yml down
 
 
+# sets up & runs boulder (in docker), tests, then stops boulder
 boulder: boulder_setup boulder_start boulder_wait test boulder_stop
 
 # NB: this edits docker-compose.yml
@@ -53,7 +56,6 @@ boulder_setup:
 	-git clone --depth 1 https://github.com/letsencrypt/boulder.git $(BOULDER_PATH)
 	(cd $(BOULDER_PATH); git checkout -f main && git reset --hard HEAD && git pull -q)
 	make boulder_stop
-	rm -rf $(BOULDER_PATH)/temp
 
 # runs an instance of boulder
 boulder_start:

vendor/github.com/eggsampler/acme/v3/acme.go

@@ -173,7 +173,7 @@ func (c Client) postRaw(retryCount int, requestURL, kid string, privateKey crypt
 		return nil, nil, err
 	}
 
-	data, err := jwsEncodeJSON(payload, privateKey, keyID(kid), nonce, requestURL)
+	data, err := jwsEncodeJSON(payload, privateKey, KeyID(kid), nonce, requestURL)
 	if err != nil {
 		return nil, nil, fmt.Errorf("acme: error encoding json payload: %v", err)
 	}

vendor/github.com/eggsampler/acme/v3/docker-compose.boulder-temp.yml

@@ -1,5 +1,5 @@
 version: '3'
 services:
   boulder:
-    volumes:
-      - ./temp:/tmp
+    ports:
+      - "8055:8055"

vendor/github.com/eggsampler/acme/v3/jws.go

@@ -1,12 +1,13 @@
 // Copyright 2015 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
-// license that can be found in the THIRD-PARTY file.
+// license that can be found in the LICENSE file.
 
 package acme
 
 import (
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/hmac"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
@@ -19,14 +20,12 @@ import (
 	"math/big"
 )
 
-var errUnsupportedKey = errors.New("unknown key type; only RSA and ECDSA are supported")
-
-// keyID is the account identity provided by a CA during registration.
-type keyID string
+// KeyID is the account key identity provided by a CA during registration.
+type KeyID string
 
 // noKeyID indicates that jwsEncodeJSON should compute and use JWK instead of a KID.
 // See jwsEncodeJSON for details.
-const noKeyID = keyID("")
+const noKeyID = KeyID("")
 
 // noPayload indicates jwsEncodeJSON will encode zero-length octet string
 // in a JWS request. This is called POST-as-GET in RFC 8555 and is used to make
@@ -34,19 +33,30 @@ const noKeyID = keyID("")
 // See https://tools.ietf.org/html/rfc8555#section-6.3 for more details.
 const noPayload = ""
 
+// jsonWebSignature can be easily serialized into a JWS following
+// https://tools.ietf.org/html/rfc7515#section-3.2.
+type jsonWebSignature struct {
+	Protected string `json:"protected"`
+	Payload   string `json:"payload"`
+	Sig       string `json:"signature"`
+}
+
 // jwsEncodeJSON signs claimset using provided key and a nonce.
 // The result is serialized in JSON format containing either kid or jwk
-// fields based on the provided keyID value.
+// fields based on the provided KeyID value.
 //
 // If kid is non-empty, its quoted value is inserted in the protected head
 // as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted
 // as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive.
 //
 // See https://tools.ietf.org/html/rfc7515#section-7.
-func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid keyID, nonce, url string) ([]byte, error) {
+func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) {
+	if key == nil {
+		return nil, errors.New("nil key")
+	}
 	alg, sha := jwsHasher(key.Public())
 	if alg == "" || !sha.Available() {
-		return nil, errUnsupportedKey
+		return nil, ErrUnsupportedKey
 	}
 	var phead string
 	switch kid {
@@ -69,17 +79,12 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid keyID, nonce, ur
 		payload = base64.RawURLEncoding.EncodeToString(cs)
 	}
 	hash := sha.New()
-	_, _ = hash.Write([]byte(phead + "." + payload))
+	hash.Write([]byte(phead + "." + payload))
 	sig, err := jwsSign(key, sha, hash.Sum(nil))
 	if err != nil {
 		return nil, err
 	}
-
-	enc := struct {
-		Protected string `json:"protected"`
-		Payload   string `json:"payload"`
-		Sig       string `json:"signature"`
-	}{
+	enc := jsonWebSignature{
 		Protected: phead,
 		Payload:   payload,
 		Sig:       base64.RawURLEncoding.EncodeToString(sig),
@@ -87,6 +92,43 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid keyID, nonce, ur
 	return json.Marshal(&enc)
 }
 
+// jwsWithMAC creates and signs a JWS using the given key and the HS256
+// algorithm. kid and url are included in the protected header. rawPayload
+// should not be base64-URL-encoded.
+func jwsWithMAC(key []byte, kid, url string, rawPayload []byte) (*jsonWebSignature, error) {
+	if len(key) == 0 {
+		return nil, errors.New("acme: cannot sign JWS with an empty MAC key")
+	}
+	header := struct {
+		Algorithm string `json:"alg"`
+		KID       string `json:"kid"`
+		URL       string `json:"url,omitempty"`
+	}{
+		// Only HMAC-SHA256 is supported.
+		Algorithm: "HS256",
+		KID:       kid,
+		URL:       url,
+	}
+	rawProtected, err := json.Marshal(header)
+	if err != nil {
+		return nil, err
+	}
+	protected := base64.RawURLEncoding.EncodeToString(rawProtected)
+	payload := base64.RawURLEncoding.EncodeToString(rawPayload)
+
+	h := hmac.New(sha256.New, key)
+	if _, err := h.Write([]byte(protected + "." + payload)); err != nil {
+		return nil, err
+	}
+	mac := h.Sum(nil)
+
+	return &jsonWebSignature{
+		Protected: protected,
+		Payload:   payload,
+		Sig:       base64.RawURLEncoding.EncodeToString(mac),
+	}, nil
+}
+
 // jwkEncode encodes public part of an RSA or ECDSA key into a JWK.
 // The result is also suitable for creating a JWK thumbprint.
 // https://tools.ietf.org/html/rfc7517
@@ -125,7 +167,7 @@ func jwkEncode(pub crypto.PublicKey) (string, error) {
 			base64.RawURLEncoding.EncodeToString(y),
 		), nil
 	}
-	return "", errUnsupportedKey
+	return "", ErrUnsupportedKey
 }
 
 // jwsSign signs the digest using the given key.
@@ -155,7 +197,7 @@ func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error)
 		copy(sig[size*2-len(sb):], sb)
 		return sig, nil
 	}
-	return nil, errUnsupportedKey
+	return nil, ErrUnsupportedKey
 }
 
 // jwsHasher indicates suitable JWS algorithm name and a hash function
@@ -167,6 +209,8 @@ func jwsHasher(pub crypto.PublicKey) (string, crypto.Hash) {
 		return "RS256", crypto.SHA256
 	case *ecdsa.PublicKey:
 		switch pub.Params().Name {
+		case "P-224":
+			return "ES224", crypto.SHA224
 		case "P-256":
 			return "ES256", crypto.SHA256
 		case "P-384":

vendor/github.com/eggsampler/acme/v3/types.go

@@ -3,10 +3,14 @@ package acme
 import (
 	"crypto"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"time"
 )
 
+// ErrUnsupportedKey is returned when an unsupported key type is encountered.
+var ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported")
+
 // Different possible challenge types provided by an ACME server.
 // See https://tools.ietf.org/html/rfc8555#section-9.7.8
 const (

vendor/modules.txt

@@ -10,7 +10,7 @@ github.com/cespare/xxhash/v2
 # github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f
 ## explicit
 github.com/dgryski/go-rendezvous
-# github.com/eggsampler/acme/v3 v3.2.1
+# github.com/eggsampler/acme/v3 v3.3.0
 ## explicit; go 1.11
 github.com/eggsampler/acme/v3
 # github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a