From 0243b54e5bde1b570b90c5732581955db71be96e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Apr 2022 15:09:25 -0700
Subject: [PATCH] Bump github.com/eggsampler/acme/v3 from 3.2.1 to 3.3.0 (#6060)

Bumps github.com/eggsampler/acme/v3 from 3.2.1 to 3.3.0.
- Release notes: https://github.com/eggsampler/acme/releases
- Diff: https://github.com/eggsampler/acme/compare/v3.2.1...v3.3.0

Also updates github.com/miekg/dns from v1.1.45 to v1.1.48. This does not affect any files we depend on.
---
 go.mod | 2 +-
 go.sum | 4 +-
 vendor/github.com/eggsampler/acme/v3/Makefile | 8 +-
 vendor/github.com/eggsampler/acme/v3/acme.go | 2 +-
 .../acme/v3/docker-compose.boulder-temp.yml | 4 +-
 vendor/github.com/eggsampler/acme/v3/jws.go | 80 ++++++++++++++-----
 vendor/github.com/eggsampler/acme/v3/types.go | 4 +
 vendor/modules.txt | 2 +-
 8 files changed, 78 insertions(+), 28 deletions(-)

diff --git a/go.mod b/go.mod
index ce6831cde..0fc61c8ee 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.17
 require (
 github.com/beeker1121/goque v1.0.3-0.20191103205551-d618510128af
- github.com/eggsampler/acme/v3 v3.2.1
+ github.com/eggsampler/acme/v3 v3.3.0
 github.com/go-gorp/gorp/v3 v3.0.2
 github.com/go-redis/redis/v8 v8.11.5
 github.com/go-sql-driver/mysql v1.5.0
diff --git a/go.sum b/go.sum
index 8e92cae5e..5d7ac90e5 100644
--- a/go.sum
+++ b/go.sum
@@ -79,8 +79,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/eggsampler/acme/v3 v3.2.1 h1:Lfsrg3M2zt00QRnizOFzdpSfsS9oDvPsGrodXS/w1KI=
-github.com/eggsampler/acme/v3 v3.2.1/go.mod h1:/qh0rKC/Dh7Jj+p4So7DbWmFNzC4dpcpK53r226Fhuo=
+github.com/eggsampler/acme/v3 v3.3.0 h1:5M7vwYRy65iPpCFHZ01RyWXmYT8e8MlcWn/9BUUB7Ro=
+github.com/eggsampler/acme/v3 v3.3.0/go.mod h1:/qh0rKC/Dh7Jj+p4So7DbWmFNzC4dpcpK53r226Fhuo=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
diff --git a/vendor/github.com/eggsampler/acme/v3/Makefile b/vendor/github.com/eggsampler/acme/v3/Makefile
index 45017d09c..7ac3f2956 100644
--- a/vendor/github.com/eggsampler/acme/v3/Makefile
+++ b/vendor/github.com/eggsampler/acme/v3/Makefile
@@ -1,14 +1,15 @@
 .PHONY: test examples clean test_full pebble pebble_setup pebble_start pebble_wait pebble_stop boulder boulder_setup boulder_start boulder_stop
-
+# some variables for path injection, if already set will not override
 GOPATH ?= $(HOME)/go
 BOULDER_PATH ?= $(GOPATH)/src/github.com/letsencrypt/boulder
 PEBBLE_PATH ?= $(GOPATH)/src/github.com/letsencrypt/pebble
 TEST_PATH ?= github.com/eggsampler/acme/v3
-# tests the code against a running ca instance
+# tests the code against an already running ca instance
+# to actually do a test against pebble or boulder, including , see the 'pebble' or 'boulder' targets
 test:
 -go clean -testcache
 go test -v -race -coverprofile=coverage.out -covermode=atomic $(TEST_PATH)
@@ -24,6 +25,7 @@ clean:
 test_full: clean examples pebble pebble_stop boulder boulder_stop
+# sets up & runs pebble (in docker), tests, then stops pebble
 pebble: pebble_setup pebble_start pebble_wait test pebble_stop
 pebble_setup:
@@ -45,6 +47,7 @@ pebble_stop:
 docker-compose -f $(PEBBLE_PATH)/docker-compose.yml down
+# sets up & runs boulder (in docker), tests, then stops boulder
 boulder: boulder_setup boulder_start boulder_wait test boulder_stop
 # NB: this edits docker-compose.yml
@@ -53,7 +56,6 @@ boulder_setup:
 -git clone --depth 1 https://github.com/letsencrypt/boulder.git $(BOULDER_PATH)
 (cd $(BOULDER_PATH); git checkout -f main && git reset --hard HEAD && git pull -q)
 make boulder_stop
- rm -rf $(BOULDER_PATH)/temp
 # runs an instance of boulder
 boulder_start:
diff --git a/vendor/github.com/eggsampler/acme/v3/acme.go b/vendor/github.com/eggsampler/acme/v3/acme.go
index e0278c132..b0049321f 100644
--- a/vendor/github.com/eggsampler/acme/v3/acme.go
+++ b/vendor/github.com/eggsampler/acme/v3/acme.go
@@ -173,7 +173,7 @@ func (c Client) postRaw(retryCount int, requestURL, kid string, privateKey crypt
 return nil, nil, err
 }
- data, err := jwsEncodeJSON(payload, privateKey, keyID(kid), nonce, requestURL)
+ data, err := jwsEncodeJSON(payload, privateKey, KeyID(kid), nonce, requestURL)
 if err != nil {
 return nil, nil, fmt.Errorf("acme: error encoding json payload: %v", err)
 }
diff --git a/vendor/github.com/eggsampler/acme/v3/docker-compose.boulder-temp.yml b/vendor/github.com/eggsampler/acme/v3/docker-compose.boulder-temp.yml
index 34f0abf24..8455b23be 100644
--- a/vendor/github.com/eggsampler/acme/v3/docker-compose.boulder-temp.yml
+++ b/vendor/github.com/eggsampler/acme/v3/docker-compose.boulder-temp.yml
@@ -1,5 +1,5 @@
 version: '3'
 services:
 boulder:
- volumes:
- - ./temp:/tmp
+ ports:
+ - "8055:8055"
\ No newline at end of file
diff --git a/vendor/github.com/eggsampler/acme/v3/jws.go b/vendor/github.com/eggsampler/acme/v3/jws.go
index 94c416486..8d0cb1ddd 100644
--- a/vendor/github.com/eggsampler/acme/v3/jws.go
+++ b/vendor/github.com/eggsampler/acme/v3/jws.go
@@ -1,12 +1,13 @@
 // Copyright 2015 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
-// license that can be found in the THIRD-PARTY file.
+// license that can be found in the LICENSE file.
 package acme
 import (
 "crypto"
 "crypto/ecdsa"
+ "crypto/hmac"
 "crypto/rand"
 "crypto/rsa"
 "crypto/sha256"
@@ -19,14 +20,12 @@ import (
 "math/big"
 )
-var errUnsupportedKey = errors.New("unknown key type; only RSA and ECDSA are supported")
-
-// keyID is the account identity provided by a CA during registration.
-type keyID string
+// KeyID is the account key identity provided by a CA during registration.
+type KeyID string
 // noKeyID indicates that jwsEncodeJSON should compute and use JWK instead of a KID.
 // See jwsEncodeJSON for details.
-const noKeyID = keyID("")
+const noKeyID = KeyID("")
 // noPayload indicates jwsEncodeJSON will encode zero-length octet string
 // in a JWS request. This is called POST-as-GET in RFC 8555 and is used to make
@@ -34,19 +33,30 @@ const noKeyID = keyID("")
 // See https://tools.ietf.org/html/rfc8555#section-6.3 for more details.
 const noPayload = ""
+// jsonWebSignature can be easily serialized into a JWS following
+// https://tools.ietf.org/html/rfc7515#section-3.2.
+type jsonWebSignature struct {
+ Protected string `json:"protected"`
+ Payload string `json:"payload"`
+ Sig string `json:"signature"`
+}
+
 // jwsEncodeJSON signs claimset using provided key and a nonce.
 // The result is serialized in JSON format containing either kid or jwk
-// fields based on the provided keyID value.
+// fields based on the provided KeyID value.
 //
 // If kid is non-empty, its quoted value is inserted in the protected head
 // as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted
 // as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive.
 //
 // See https://tools.ietf.org/html/rfc7515#section-7.
-func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid keyID, nonce, url string) ([]byte, error) {
+func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) {
+ if key == nil {
+ return nil, errors.New("nil key")
+ }
 alg, sha := jwsHasher(key.Public())
 if alg == "" || !sha.Available() {
- return nil, errUnsupportedKey
+ return nil, ErrUnsupportedKey
 }
 var phead string
 switch kid {
@@ -69,17 +79,12 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid keyID, nonce, ur
 payload = base64.RawURLEncoding.EncodeToString(cs)
 }
 hash := sha.New()
- _, _ = hash.Write([]byte(phead + "." + payload))
+ hash.Write([]byte(phead + "." + payload))
 sig, err := jwsSign(key, sha, hash.Sum(nil))
 if err != nil {
 return nil, err
 }
-
- enc := struct {
- Protected string `json:"protected"`
- Payload string `json:"payload"`
- Sig string `json:"signature"`
- }{
+ enc := jsonWebSignature{
 Protected: phead,
 Payload: payload,
 Sig: base64.RawURLEncoding.EncodeToString(sig),
@@ -87,6 +92,43 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid keyID, nonce, ur
 return json.Marshal(&enc)
 }
+// jwsWithMAC creates and signs a JWS using the given key and the HS256
+// algorithm. kid and url are included in the protected header. rawPayload
+// should not be base64-URL-encoded.
+func jwsWithMAC(key []byte, kid, url string, rawPayload []byte) (*jsonWebSignature, error) {
+ if len(key) == 0 {
+ return nil, errors.New("acme: cannot sign JWS with an empty MAC key")
+ }
+ header := struct {
+ Algorithm string `json:"alg"`
+ KID string `json:"kid"`
+ URL string `json:"url,omitempty"`
+ }{
+ // Only HMAC-SHA256 is supported.
+ Algorithm: "HS256",
+ KID: kid,
+ URL: url,
+ }
+ rawProtected, err := json.Marshal(header)
+ if err != nil {
+ return nil, err
+ }
+ protected := base64.RawURLEncoding.EncodeToString(rawProtected)
+ payload := base64.RawURLEncoding.EncodeToString(rawPayload)
+
+ h := hmac.New(sha256.New, key)
+ if _, err := h.Write([]byte(protected + "." + payload)); err != nil {
+ return nil, err
+ }
+ mac := h.Sum(nil)
+
+ return &jsonWebSignature{
+ Protected: protected,
+ Payload: payload,
+ Sig: base64.RawURLEncoding.EncodeToString(mac),
+ }, nil
+}
+
 // jwkEncode encodes public part of an RSA or ECDSA key into a JWK.
 // The result is also suitable for creating a JWK thumbprint.
 // https://tools.ietf.org/html/rfc7517
@@ -125,7 +167,7 @@ func jwkEncode(pub crypto.PublicKey) (string, error) {
 base64.RawURLEncoding.EncodeToString(y),
 ), nil
 }
- return "", errUnsupportedKey
+ return "", ErrUnsupportedKey
 }
 // jwsSign signs the digest using the given key.
@@ -155,7 +197,7 @@ func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error)
 copy(sig[size*2-len(sb):], sb)
 return sig, nil
 }
- return nil, errUnsupportedKey
+ return nil, ErrUnsupportedKey
 }
 // jwsHasher indicates suitable JWS algorithm name and a hash function
@@ -167,6 +209,8 @@ func jwsHasher(pub crypto.PublicKey) (string, crypto.Hash) {
 return "RS256", crypto.SHA256
 case *ecdsa.PublicKey:
 switch pub.Params().Name {
+ case "P-224":
+ return "ES224", crypto.SHA224
 case "P-256":
 return "ES256", crypto.SHA256
 case "P-384":
diff --git a/vendor/github.com/eggsampler/acme/v3/types.go b/vendor/github.com/eggsampler/acme/v3/types.go
index 99e839989..7bc3874e2 100644
--- a/vendor/github.com/eggsampler/acme/v3/types.go
+++ b/vendor/github.com/eggsampler/acme/v3/types.go
@@ -3,10 +3,14 @@ package acme
 import (
 "crypto"
 "encoding/json"
+ "errors"
 "net/http"
 "time"
 )
+// ErrUnsupportedKey is returned when an unsupported key type is encountered.
+var ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported")
+
 // Different possible challenge types provided by an ACME server.
 // See https://tools.ietf.org/html/rfc8555#section-9.7.8
 const (
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 1b1ef6cda..0b1089d9f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -10,7 +10,7 @@ github.com/cespare/xxhash/v2
 # github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f
 ## explicit
 github.com/dgryski/go-rendezvous
-# github.com/eggsampler/acme/v3 v3.2.1
+# github.com/eggsampler/acme/v3 v3.3.0
 ## explicit; go 1.11
 github.com/eggsampler/acme/v3
 # github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a