letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into more-revoker

This commit is contained in:
Roland Shoemaker 2016-01-15 13:41:55 -08:00
parent a77c8e3d5b 3ed79880d1
commit 11661bab9e
44 changed files with 1345 additions and 454 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -34,6 +34,3 @@ _testmain.go
*.test
*.prof
*.coverprofile
boulder-start/boulder-start
activity-monitor/activity-monitor

2
.travis.yml
View File

@ -1,7 +1,7 @@
language: go
go:
- 1.5.2
- 1.5.3
addons:
hosts:

1
Godeps/Godeps.json generated
View File

@ -144,6 +144,7 @@
"ImportPath": "golang.org/x/net/context",
"Rev": "ce84af2e5bf21582345e478b116afc7d4efaba3d"
},
{
"ImportPath": "gopkg.in/gorp.v1",
"Comment": "v1.7.1",
"Rev": "c87af80f3cc5036b55b83d77171e156791085e2e"

68
bdns/dns.go
View File

@ -118,7 +118,7 @@ var (
// DNSResolver queries for DNS records
type DNSResolver interface {
LookupTXT(context.Context, string) ([]string, error)
LookupTXT(context.Context, string) (txts []string, authorities []string, err error)
LookupHost(context.Context, string) ([]net.IP, error)
LookupCAA(context.Context, string) ([]*dns.CAA, error)
LookupMX(context.Context, string) ([]string, error)
@ -242,30 +242,34 @@ type dnsResp struct {
err error
}
// LookupTXT sends a DNS query to find all TXT records associated with the
// provided hostname. It will retry requests in the case of temporary network
// errors. It can return net package, context.Canceled, and
// context.DeadlineExceeded errors.
func (dnsResolver *DNSResolverImpl) LookupTXT(ctx context.Context, hostname string) ([]string, error) {
// LookupTXT sends a DNS query to find all TXT records associated with
// the provided hostname which it returns along with the returned
// DNS authority section.
func (dnsResolver *DNSResolverImpl) LookupTXT(ctx context.Context, hostname string) ([]string, []string, error) {
var txt []string
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeTXT, dnsResolver.txtStats)
dnsType := dns.TypeTXT
r, err := dnsResolver.exchangeOne(ctx, hostname, dnsType, dnsResolver.txtStats)
if err != nil {
return nil, err
return nil, nil, &dnsError{dnsType, hostname, err, -1}
}
if r.Rcode != dns.RcodeSuccess {
err = fmt.Errorf("DNS failure: %d-%s for TXT query", r.Rcode, dns.RcodeToString[r.Rcode])
return nil, err
return nil, nil, &dnsError{dnsType, hostname, nil, r.Rcode}
}
for _, answer := range r.Answer {
if answer.Header().Rrtype == dns.TypeTXT {
if answer.Header().Rrtype == dnsType {
if txtRec, ok := answer.(*dns.TXT); ok {
txt = append(txt, strings.Join(txtRec.Txt, ""))
}
}
}
return txt, err
authorities := []string{}
for _, a := range r.Ns {
authorities = append(authorities, a.String())
}
return txt, authorities, err
}
func isPrivateV4(ip net.IP) bool {
@ -284,18 +288,17 @@ func isPrivateV4(ip net.IP) bool {
// context.Canceled, and context.DeadlineExceeded errors.
func (dnsResolver *DNSResolverImpl) LookupHost(ctx context.Context, hostname string) ([]net.IP, error) {
var addrs []net.IP
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeA, dnsResolver.aStats)
dnsType := dns.TypeA
r, err := dnsResolver.exchangeOne(ctx, hostname, dnsType, dnsResolver.aStats)
if err != nil {
return addrs, err
return addrs, &dnsError{dnsType, hostname, err, -1}
}
if r.Rcode != dns.RcodeSuccess {
err = fmt.Errorf("DNS failure: %d-%s for A query", r.Rcode, dns.RcodeToString[r.Rcode])
return nil, err
return nil, &dnsError{dnsType, hostname, nil, r.Rcode}
}
for _, answer := range r.Answer {
if answer.Header().Rrtype == dns.TypeA {
if answer.Header().Rrtype == dnsType {
if a, ok := answer.(*dns.A); ok && a.A.To4() != nil && (!isPrivateV4(a.A) || dnsResolver.allowRestrictedAddresses) {
addrs = append(addrs, a.A)
}
@ -305,15 +308,14 @@ func (dnsResolver *DNSResolverImpl) LookupHost(ctx context.Context, hostname str
return addrs, nil
}
// LookupCAA sends a DNS query to find all CAA records associated with the
// provided hostname. If the response code from the resolver is SERVFAIL an
// empty slice of CAA records is returned. It will retry requests in the case
// of temporary network errors. It can return net package, context.Canceled, and
// context.DeadlineExceeded errors.
// LookupCAA sends a DNS query to find all CAA records associated with
// the provided hostname. If the response code from the resolver is
// SERVFAIL an empty slice of CAA records is returned.
func (dnsResolver *DNSResolverImpl) LookupCAA(ctx context.Context, hostname string) ([]*dns.CAA, error) {
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeCAA, dnsResolver.caaStats)
dnsType := dns.TypeCAA
r, err := dnsResolver.exchangeOne(ctx, hostname, dnsType, dnsResolver.caaStats)
if err != nil {
return nil, err
return nil, &dnsError{dnsType, hostname, err, -1}
}
// On resolver validation failure, or other server failures, return empty an
@ -324,7 +326,7 @@ func (dnsResolver *DNSResolverImpl) LookupCAA(ctx context.Context, hostname stri
}
for _, answer := range r.Answer {
if answer.Header().Rrtype == dns.TypeCAA {
if answer.Header().Rrtype == dnsType {
if caaR, ok := answer.(*dns.CAA); ok {
CAAs = append(CAAs, caaR)
}
@ -333,18 +335,16 @@ func (dnsResolver *DNSResolverImpl) LookupCAA(ctx context.Context, hostname stri
return CAAs, nil
}
// LookupMX sends a DNS query to find a MX record associated hostname and
// returns the record target. It will retry requests in the case of temporary
// network errors. It can return net package, context.Canceled, and
// context.DeadlineExceeded errors.
// LookupMX sends a DNS query to find a MX record associated hostname and returns the
// record target.
func (dnsResolver *DNSResolverImpl) LookupMX(ctx context.Context, hostname string) ([]string, error) {
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeMX, dnsResolver.mxStats)
dnsType := dns.TypeMX
r, err := dnsResolver.exchangeOne(ctx, hostname, dnsType, dnsResolver.mxStats)
if err != nil {
return nil, err
return nil, &dnsError{dnsType, hostname, err, -1}
}
if r.Rcode != dns.RcodeSuccess {
err = fmt.Errorf("DNS failure: %d-%s for MX query", r.Rcode, dns.RcodeToString[r.Rcode])
return nil, err
return nil, &dnsError{dnsType, hostname, nil, r.Rcode}
}
var results []string

114
bdns/dns_test.go
View File

@ -66,6 +66,9 @@ func mockDNSQuery(w dns.ResponseWriter, r *dns.Msg) {
record.A = net.ParseIP("127.0.0.1")
appendAnswer(record)
}
if q.Name == "nxdomain.letsencrypt.org." {
m.SetRcode(r, dns.RcodeNameError)
}
case dns.TypeCNAME:
if q.Name == "cname.letsencrypt.org." {
record := new(dns.CNAME)
@ -110,6 +113,20 @@ func mockDNSQuery(w dns.ResponseWriter, r *dns.Msg) {
record.Txt = []string{"a", "b", "c"}
appendAnswer(record)
}
if q.Name == "nxdomain.letsencrypt.org." {
m.SetRcode(r, dns.RcodeNameError)
}
auth := new(dns.SOA)
auth.Hdr = dns.RR_Header{Name: "letsencrypt.org.", Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: 0}
auth.Ns = "ns.letsencrypt.org."
auth.Mbox = "master.letsencrypt.org."
auth.Serial = 1
auth.Refresh = 1
auth.Retry = 1
auth.Expire = 1
auth.Minttl = 1
m.Ns = append(m.Ns, auth)
}
}
@ -182,7 +199,7 @@ func TestDNSDuplicateServers(t *testing.T) {
func TestDNSLookupsNoServer(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{}, testStats, clock.NewFake(), 1)
_, err := obj.LookupTXT(context.Background(), "letsencrypt.org")
_, _, err := obj.LookupTXT(context.Background(), "letsencrypt.org")
test.AssertError(t, err, "No servers")
_, err = obj.LookupHost(context.Background(), "letsencrypt.org")
@ -196,7 +213,7 @@ func TestDNSServFail(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
bad := "servfail.com"
_, err := obj.LookupTXT(context.Background(), bad)
_, _, err := obj.LookupTXT(context.Background(), bad)
test.AssertError(t, err, "LookupTXT didn't return an error")
_, err = obj.LookupHost(context.Background(), bad)
@ -212,11 +229,11 @@ func TestDNSServFail(t *testing.T) {
func TestDNSLookupTXT(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
a, err := obj.LookupTXT(context.Background(), "letsencrypt.org")
a, _, err := obj.LookupTXT(context.Background(), "letsencrypt.org")
t.Logf("A: %v", a)
test.AssertNotError(t, err, "No message")
a, err = obj.LookupTXT(context.Background(), "split-txt.letsencrypt.org")
a, _, err = obj.LookupTXT(context.Background(), "split-txt.letsencrypt.org")
t.Logf("A: %v ", a)
test.AssertNotError(t, err, "No message")
test.AssertEquals(t, len(a), 1)
@ -253,6 +270,23 @@ func TestDNSLookupHost(t *testing.T) {
test.Assert(t, len(ip) == 0, "Should not have IPs")
}
func TestDNSNXDOMAIN(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
hostname := "nxdomain.letsencrypt.org"
_, err := obj.LookupHost(context.Background(), hostname)
expected := dnsError{dns.TypeA, hostname, nil, dns.RcodeNameError}
if err, ok := err.(*dnsError); !ok || *err != expected {
t.Errorf("Looking up %s, got %#v, expected %#v", hostname, err, expected)
}
_, _, err = obj.LookupTXT(context.Background(), hostname)
expected.recordType = dns.TypeTXT
if err, ok := err.(*dnsError); !ok || *err != expected {
t.Errorf("Looking up %s, got %#v, expected %#v", hostname, err, expected)
}
}
func TestDNSLookupCAA(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
@ -269,6 +303,15 @@ func TestDNSLookupCAA(t *testing.T) {
test.Assert(t, len(caas) > 0, "Should follow CNAME to find CAA")
}
func TestDNSTXTAuthorities(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
_, auths, err := obj.LookupTXT(context.Background(), "letsencrypt.org")
test.AssertNotError(t, err, "TXT lookup failed")
test.AssertEquals(t, len(auths), 1)
test.AssertEquals(t, auths[0], "letsencrypt.org. 0 IN SOA ns.letsencrypt.org. master.letsencrypt.org. 1 1 1 1 1")
}
type testExchanger struct {
sync.Mutex
count int
@ -295,40 +338,45 @@ func (te *testExchanger) Exchange(m *dns.Msg, a string) (*dns.Msg, time.Duration
func TestRetry(t *testing.T) {
isTempErr := &net.OpError{Op: "read", Err: tempError(true)}
nonTempErr := &net.OpError{Op: "read", Err: tempError(false)}
servFailError := errors.New("DNS problem: server failure at resolver looking up TXT for example.com")
netError := errors.New("DNS problem: networking error looking up TXT for example.com")
type testCase struct {
maxTries int
expected int
te *testExchanger
maxTries int
te *testExchanger
expected error
expectedCount int
}
tests := []*testCase{
// The success on first try case
{
maxTries: 3,
expected: 1,
te: &testExchanger{
errs: []error{nil},
},
expected: nil,
expectedCount: 1,
},
// Immediate non-OpError, error returns immediately
{
maxTries: 3,
expected: 1,
te: &testExchanger{
errs: []error{errors.New("nope")},
},
expected: servFailError,
expectedCount: 1,
},
// Temporary err, then non-OpError stops at two tries
{
maxTries: 3,
expected: 2,
te: &testExchanger{
errs: []error{isTempErr, errors.New("nope")},
},
expected: servFailError,
expectedCount: 2,
},
// Temporary error given always
{
maxTries: 3,
expected: 3,
te: &testExchanger{
errs: []error{
isTempErr,
@ -336,31 +384,34 @@ func TestRetry(t *testing.T) {
isTempErr,
},
},
expected: netError,
expectedCount: 3,
},
// Even with maxTries at 0, we should still let a single request go
// through
{
maxTries: 0,
expected: 1,
te: &testExchanger{
errs: []error{nil},
},
expected: nil,
expectedCount: 1,
},
// Temporary error given just once causes two tries
{
maxTries: 3,
expected: 2,
te: &testExchanger{
errs: []error{
isTempErr,
nil,
},
},
expected: nil,
expectedCount: 2,
},
// Temporary error given twice causes three tries
{
maxTries: 3,
expected: 3,
te: &testExchanger{
errs: []error{
isTempErr,
@ -368,11 +419,12 @@ func TestRetry(t *testing.T) {
nil,
},
},
expected: nil,
expectedCount: 3,
},
// Temporary error given thrice causes three tries and fails
{
maxTries: 3,
expected: 3,
te: &testExchanger{
errs: []error{
isTempErr,
@ -380,17 +432,20 @@ func TestRetry(t *testing.T) {
isTempErr,
},
},
expected: netError,
expectedCount: 3,
},
// temporary then non-Temporary error causes two retries
{
maxTries: 3,
expected: 2,
te: &testExchanger{
errs: []error{
isTempErr,
nonTempErr,
},
},
expected: netError,
expectedCount: 2,
},
}
@ -398,16 +453,18 @@ func TestRetry(t *testing.T) {
dr := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), tc.maxTries)
dr.DNSClient = tc.te
_, err := dr.LookupTXT(context.Background(), "example.com")
_, _, err := dr.LookupTXT(context.Background(), "example.com")
if err == errTooManyRequests {
t.Errorf("#%d, sent more requests than the test case handles", i)
}
expectedErr := tc.te.errs[tc.expected-1]
if err != expectedErr {
expectedErr := tc.expected
if (expectedErr == nil && err != nil) ||
(expectedErr != nil && err == nil) ||
(expectedErr != nil && expectedErr.Error() != err.Error()) {
t.Errorf("#%d, error, expected %v, got %v", i, expectedErr, err)
}
if tc.expected != tc.te.count {
t.Errorf("#%d, count, expected %d, got %d", i, tc.expected, tc.te.count)
if tc.expectedCount != tc.te.count {
t.Errorf("#%d, error, expectedCount %v, got %v", i, tc.expectedCount, tc.te.count)
}
}
@ -415,23 +472,26 @@ func TestRetry(t *testing.T) {
dr.DNSClient = &testExchanger{errs: []error{isTempErr, isTempErr, nil}}
ctx, cancel := context.WithCancel(context.Background())
cancel()
_, err := dr.LookupTXT(ctx, "example.com")
if err != context.Canceled {
_, _, err := dr.LookupTXT(ctx, "example.com")
if err == nil ||
err.Error() != "DNS problem: query timed out looking up TXT for example.com" {
t.Errorf("expected %s, got %s", context.Canceled, err)
}
dr.DNSClient = &testExchanger{errs: []error{isTempErr, isTempErr, nil}}
ctx, _ = context.WithTimeout(context.Background(), -10*time.Hour)
_, err = dr.LookupTXT(ctx, "example.com")
if err != context.DeadlineExceeded {
_, _, err = dr.LookupTXT(ctx, "example.com")
if err == nil ||
err.Error() != "DNS problem: query timed out looking up TXT for example.com" {
t.Errorf("expected %s, got %s", context.DeadlineExceeded, err)
}
dr.DNSClient = &testExchanger{errs: []error{isTempErr, isTempErr, nil}}
ctx, deadlineCancel := context.WithTimeout(context.Background(), -10*time.Hour)
deadlineCancel()
_, err = dr.LookupTXT(ctx, "example.com")
if err != context.DeadlineExceeded {
_, _, err = dr.LookupTXT(ctx, "example.com")
if err == nil ||
err.Error() != "DNS problem: query timed out looking up TXT for example.com" {
t.Errorf("expected %s, got %s", context.DeadlineExceeded, err)
}
}

117
bdns/mocks.go Normal file
View File

@ -0,0 +1,117 @@
package bdns
import (
"errors"
"fmt"
"net"
"os"
"strings"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
)
// MockDNSResolver is a mock
type MockDNSResolver struct {
}
// LookupTXT is a mock
func (mock *MockDNSResolver) LookupTXT(_ context.Context, hostname string) ([]string, []string, error) {
if hostname == "_acme-challenge.servfail.com" {
return nil, nil, fmt.Errorf("SERVFAIL")
}
if hostname == "_acme-challenge.good-dns01.com" {
// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
// + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
// expected token + test account jwk thumbprint
return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, []string{"respect my authority!"}, nil
}
return []string{"hostname"}, []string{"respect my authority!"}, nil
}
// MockTimeoutError returns a a net.OpError for which Timeout() returns true.
func MockTimeoutError() *net.OpError {
return &net.OpError{
Err: os.NewSyscallError("ugh timeout", timeoutError{}),
}
}
type timeoutError struct{}
func (t timeoutError) Error() string {
return "so sloooow"
}
func (t timeoutError) Timeout() bool {
return true
}
// LookupHost is a mock
//
// Note: see comments on LookupMX regarding email.only
//
func (mock *MockDNSResolver) LookupHost(_ context.Context, hostname string) ([]net.IP, error) {
if hostname == "always.invalid" ||
hostname == "invalid.invalid" ||
hostname == "email.only" {
return []net.IP{}, nil
}
if hostname == "always.timeout" {
return []net.IP{}, &dnsError{dns.TypeA, "always.timeout", MockTimeoutError(), -1}
}
if hostname == "always.error" {
return []net.IP{}, &dnsError{dns.TypeA, "always.error", &net.OpError{
Err: errors.New("some net error"),
}, -1}
}
ip := net.ParseIP("127.0.0.1")
return []net.IP{ip}, nil
}
// LookupCAA is a mock
func (mock *MockDNSResolver) LookupCAA(_ context.Context, domain string) ([]*dns.CAA, error) {
var results []*dns.CAA
var record dns.CAA
switch strings.TrimRight(domain, ".") {
case "caa-timeout.com":
return nil, &dnsError{dns.TypeCAA, "always.timeout", MockTimeoutError(), -1}
case "reserved.com":
record.Tag = "issue"
record.Value = "symantec.com"
results = append(results, &record)
case "critical.com":
record.Flag = 1
record.Tag = "issue"
record.Value = "symantec.com"
results = append(results, &record)
case "present.com":
record.Tag = "issue"
record.Value = "letsencrypt.org"
results = append(results, &record)
case "com":
// Nothing should ever call this, since CAA checking should stop when it
// reaches a public suffix.
fallthrough
case "servfail.com":
return results, fmt.Errorf("SERVFAIL")
}
return results, nil
}
// LookupMX is a mock
//
// Note: the email.only domain must have an MX but no A or AAAA
// records. The mock LookupHost returns an address of 127.0.0.1 for
// all domains except for special cases, so MX-only domains must be
// handled in both LookupHost and LookupMX.
//
func (mock *MockDNSResolver) LookupMX(_ context.Context, domain string) ([]string, error) {
switch strings.TrimRight(domain, ".") {
case "letsencrypt.org":
fallthrough
case "email.only":
fallthrough
case "email.com":
return []string{"mail.email.com"}, nil
}
return nil, nil
}

54
bdns/problem.go
View File

@ -9,30 +9,60 @@ import (
"fmt"
"net"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/probs"
)
const detailDNSTimeout = "DNS query timed out"
const detailDNSNetFailure = "DNS networking error"
const detailServerFailure = "Server failure at resolver"
type dnsError struct {
recordType uint16
hostname string
// Exactly one of rCode or underlying should be set.
underlying error
rCode int
}
func (d dnsError) Error() string {
var detail string
if d.underlying != nil {
if netErr, ok := d.underlying.(*net.OpError); ok {
if netErr.Timeout() {
detail = detailDNSTimeout
} else {
detail = detailDNSNetFailure
}
} else if d.underlying == context.Canceled || d.underlying == context.DeadlineExceeded {
detail = detailDNSTimeout
} else {
detail = detailServerFailure
}
} else if d.rCode != dns.RcodeSuccess {
detail = dns.RcodeToString[d.rCode]
} else {
detail = detailServerFailure
}
return fmt.Sprintf("DNS problem: %s looking up %s for %s", detail,
dns.TypeToString[d.recordType], d.hostname)
}
const detailDNSTimeout = "query timed out"
const detailDNSNetFailure = "networking error"
const detailServerFailure = "server failure at resolver"
// ProblemDetailsFromDNSError checks the error returned from Lookup... methods
// and tests if the error was an underlying net.OpError or an error caused by
// resolver returning SERVFAIL or other invalid Rcodes and returns the relevant
// core.ProblemDetails. The detail string will contain a mention of the DNS
// record type and domain given.
func ProblemDetailsFromDNSError(recordType, domain string, err error) *probs.ProblemDetails {
detail := detailServerFailure
if netErr, ok := err.(*net.OpError); ok {
if netErr.Timeout() {
detail = detailDNSTimeout
} else {
detail = detailDNSNetFailure
func ProblemDetailsFromDNSError(err error) *probs.ProblemDetails {
if dnsErr, ok := err.(*dnsError); ok {
return &probs.ProblemDetails{
Type: probs.ConnectionProblem,
Detail: dnsErr.Error(),
}
}
detail = fmt.Sprintf("%s during %s-record lookup of %s", detail, recordType, domain)
return &probs.ProblemDetails{
Type: probs.ConnectionProblem,
Detail: detail,
Detail: detailServerFailure,
}
}

26
bdns/problem_test.go
View File

@ -10,7 +10,9 @@ import (
"net"
"testing"
"github.com/letsencrypt/boulder/mocks"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/probs"
)
@ -20,23 +22,31 @@ func TestProblemDetailsFromDNSError(t *testing.T) {
expected string
}{
{
mocks.TimeoutError(),
detailDNSTimeout,
&dnsError{dns.TypeA, "hostname", MockTimeoutError(), -1},
"DNS problem: query timed out looking up A for hostname",
}, {
errors.New("other failure"),
detailServerFailure,
}, {
&net.OpError{Err: errors.New("some net error")},
detailDNSNetFailure,
&dnsError{dns.TypeMX, "hostname", &net.OpError{Err: errors.New("some net error")}, -1},
"DNS problem: networking error looking up MX for hostname",
}, {
&dnsError{dns.TypeTXT, "hostname", nil, dns.RcodeNameError},
"DNS problem: NXDOMAIN looking up TXT for hostname",
}, {
&dnsError{dns.TypeTXT, "hostname", context.DeadlineExceeded, -1},
"DNS problem: query timed out looking up TXT for hostname",
}, {
&dnsError{dns.TypeTXT, "hostname", context.Canceled, -1},
"DNS problem: query timed out looking up TXT for hostname",
},
}
for _, tc := range testCases {
err := ProblemDetailsFromDNSError("TXT", "example.com", tc.err)
err := ProblemDetailsFromDNSError(tc.err)
if err.Type != probs.ConnectionProblem {
t.Errorf("ProblemDetailsFromDNSError(%q).Type = %q, expected %q", tc.err, err.Type, probs.ConnectionProblem)
}
exp := tc.expected + " during TXT-record lookup of example.com"
if err.Detail != exp {
if err.Detail != tc.expected {
t.Errorf("ProblemDetailsFromDNSError(%q).Detail = %q, expected %q", tc.err, err.Detail, tc.expected)
}
}

11
ca/certificate-authority.go
View File

@ -65,6 +65,7 @@ type CertificateAuthorityImpl struct {
SA core.StorageAuthority
PA core.PolicyAuthority
Publisher core.Publisher
keyPolicy core.KeyPolicy
clk clock.Clock // TODO(jmhodges): should be private, like log
log *blog.AuditLogger
stats statsd.Statter
@ -90,6 +91,7 @@ func NewCertificateAuthorityImpl(
stats statsd.Statter,
issuer *x509.Certificate,
privateKey crypto.Signer,
keyPolicy core.KeyPolicy,
) (*CertificateAuthorityImpl, error) {
var ca *CertificateAuthorityImpl
var err error
@ -142,6 +144,7 @@ func NewCertificateAuthorityImpl(
stats: stats,
notAfter: issuer.NotAfter,
hsmFaultTimeout: config.HSMFaultTimeout.Duration,
keyPolicy: keyPolicy,
}
if config.Expiry == "" {
@ -218,12 +221,6 @@ func (ca *CertificateAuthorityImpl) GenerateOCSP(xferObj core.OCSPSigningRequest
return ocspResponse, err
}
// RevokeCertificate revokes the trust of the Cert referred to by the provided Serial.
func (ca *CertificateAuthorityImpl) RevokeCertificate(serial string, reasonCode core.RevocationCode) (err error) {
err = ca.SA.MarkCertificateRevoked(serial, reasonCode)
return err
}
// IssueCertificate attempts to convert a CSR into a signed Certificate, while
// enforcing all policies. Names (domains) in the CertificateRequest will be
// lowercased before storage.
@ -242,7 +239,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(csr x509.CertificateRequest
ca.log.AuditErr(err)
return emptyCert, err
}
if err = core.GoodKey(key); err != nil {
if err = ca.keyPolicy.GoodKey(key); err != nil {
err = core.MalformedRequestError(fmt.Sprintf("Invalid public key in CSR: %s", err.Error()))
// AUDIT[ Certificate Requests ] 11917fa4-10ef-4e0d-9105-bacbe7836a3c
ca.log.AuditErr(err)

64
ca/certificate-authority_test.go
View File

@ -92,6 +92,10 @@ var (
// * DNSNames = moreCAPs.com, morecaps.com, evenMOREcaps.com, Capitalizedletters.COM
CapitalizedCSR = mustRead("./testdata/capitalized_cn_and_san.der.csr")
// CSR generated by OpenSSL:
// Edited signature to become invalid.
WrongSignatureCSR = mustRead("./testdata/invalid_signature.der.csr")
log = mocks.UseMockLog()
)
@ -109,13 +113,14 @@ func mustRead(path string) []byte {
}
type testCtx struct {
sa core.StorageAuthority
caConfig cmd.CAConfig
reg core.Registration
pa core.PolicyAuthority
fc clock.FakeClock
stats *mocks.Statter
cleanUp func()
sa core.StorageAuthority
caConfig cmd.CAConfig
reg core.Registration
pa core.PolicyAuthority
keyPolicy core.KeyPolicy
fc clock.FakeClock
stats *mocks.Statter
cleanUp func()
}
var caKey crypto.Signer
@ -207,11 +212,18 @@ func setup(t *testing.T) *testCtx {
stats := mocks.NewStatter()
keyPolicy := core.KeyPolicy{
AllowRSA: true,
AllowECDSANISTP256: true,
AllowECDSANISTP384: true,
}
return &testCtx{
ssa,
caConfig,
reg,
pa,
keyPolicy,
fc,
&stats,
cleanUp,
@ -223,14 +235,14 @@ func TestFailNoSerial(t *testing.T) {
defer ctx.cleanUp()
ctx.caConfig.SerialPrefix = 0
_, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
_, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
test.AssertError(t, err, "CA should have failed with no SerialPrefix")
}
func TestIssueCertificate(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
test.AssertNotError(t, err, "Failed to create CA")
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
@ -307,7 +319,7 @@ func TestIssueCertificate(t *testing.T) {
func TestRejectNoName(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
test.AssertNotError(t, err, "Failed to create CA")
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
@ -324,7 +336,7 @@ func TestRejectNoName(t *testing.T) {
func TestRejectTooManyNames(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
test.AssertNotError(t, err, "Failed to create CA")
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
@ -341,7 +353,7 @@ func TestRejectTooManyNames(t *testing.T) {
func TestDeduplication(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
test.AssertNotError(t, err, "Failed to create CA")
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
@ -365,7 +377,7 @@ func TestDeduplication(t *testing.T) {
func TestRejectValidityTooLong(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
test.AssertNotError(t, err, "Failed to create CA")
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
@ -383,7 +395,7 @@ func TestRejectValidityTooLong(t *testing.T) {
func TestShortKey(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
ca.SA = ctx.sa
@ -399,7 +411,7 @@ func TestShortKey(t *testing.T) {
func TestRejectBadAlgorithm(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
ca.SA = ctx.sa
@ -416,7 +428,7 @@ func TestCapitalizedLetters(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ctx.caConfig.MaxNames = 3
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
ca.SA = ctx.sa
@ -433,11 +445,29 @@ func TestCapitalizedLetters(t *testing.T) {
test.AssertDeepEquals(t, expected, parsedCert.DNSNames)
}
func TestWrongSignature(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ctx.caConfig.MaxNames = 3
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
ca.SA = ctx.sa
// x509.ParseCertificateRequest() does not check for invalid signatures...
csr, _ := x509.ParseCertificateRequest(WrongSignatureCSR)
_, err = ca.IssueCertificate(*csr, ctx.reg.ID)
if err == nil {
t.Fatalf("Issued a certificate based on a CSR with an invalid signature.")
}
}
func TestHSMFaultTimeout(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey)
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy)
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
ca.SA = ctx.sa

BIN
ca/testdata/invalid_signature.der.csr vendored Normal file
View File

Binary file not shown.

3
cmd/boulder-ca/main.go
View File

@ -91,7 +91,8 @@ func main() {
clock.Default(),
stats,
issuer,
priv)
priv,
c.KeyPolicy())
cmd.FailOnError(err, "Failed to create CA impl")
cai.PA = pa

2
cmd/boulder-ra/main.go
View File

@ -59,7 +59,7 @@ func main() {
}
rai := ra.NewRegistrationAuthorityImpl(clock.Default(), auditlogger, stats,
dc, rateLimitPolicies, c.RA.MaxContactsPerRegistration)
dc, rateLimitPolicies, c.RA.MaxContactsPerRegistration, c.KeyPolicy())
rai.PA = pa
raDNSTimeout, err := time.ParseDuration(c.Common.DNSTimeout)
cmd.FailOnError(err, "Couldn't parse RA DNS timeout")

4
cmd/boulder-wfe/main.go
View File

@ -53,7 +53,7 @@ func main() {
app.Action = func(c cmd.Config, stats statsd.Statter, auditlogger *blog.AuditLogger) {
go cmd.DebugServer(c.WFE.DebugAddr)
wfe, err := wfe.NewWebFrontEndImpl(stats, clock.Default())
wfe, err := wfe.NewWebFrontEndImpl(stats, clock.Default(), c.KeyPolicy())
cmd.FailOnError(err, "Unable to create WFE")
rac, sac := setupWFE(c, auditlogger, stats)
wfe.RA = rac
@ -79,6 +79,8 @@ func main() {
wfe.IssuerCert, err = cmd.LoadCert(c.Common.IssuerCert)
cmd.FailOnError(err, fmt.Sprintf("Couldn't read issuer cert [%s]", c.Common.IssuerCert))
auditlogger.Info(fmt.Sprintf("WFE using key policy: %#v", c.KeyPolicy()))
go cmd.ProfileCmd("WFE", stats)
// Set up paths

27
cmd/config.go
View File

@ -118,6 +118,8 @@ type Config struct {
Port string
Username string
Password string
From string
Subject string
CertLimit int
NagTimes []string
@ -186,10 +188,35 @@ type Config struct {
Workers int
ReportDirectoryPath string
}
AllowedSigningAlgos *AllowedSigningAlgos
SubscriberAgreementURL string
}
// AllowedSigningAlgos defines which algorithms be used for keys that we will
// sign.
type AllowedSigningAlgos struct {
RSA bool
ECDSANISTP256 bool
ECDSANISTP384 bool
ECDSANISTP521 bool
}
// KeyPolicy returns a KeyPolicy reflecting the Boulder configuration.
func (config *Config) KeyPolicy() core.KeyPolicy {
if config.AllowedSigningAlgos != nil {
return core.KeyPolicy{
AllowRSA: config.AllowedSigningAlgos.RSA,
AllowECDSANISTP256: config.AllowedSigningAlgos.ECDSANISTP256,
AllowECDSANISTP384: config.AllowedSigningAlgos.ECDSANISTP384,
AllowECDSANISTP521: config.AllowedSigningAlgos.ECDSANISTP521,
}
}
return core.KeyPolicy{
AllowRSA: true,
}
}
// ServiceConfig contains config items that are common to all our services, to
// be embedded in other config structs.
type ServiceConfig struct {

17
cmd/expiration-mailer/main.go
View File

@ -10,6 +10,7 @@ import (
"crypto/x509"
"fmt"
"io/ioutil"
netmail "net/mail"
"sort"
"strings"
"text/template"
@ -19,6 +20,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/codegangsta/cli"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/gopkg.in/gorp.v1"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
blog "github.com/letsencrypt/boulder/log"
@ -46,6 +48,7 @@ type mailer struct {
rs regStore
mailer mail.Mailer
emailTemplate *template.Template
subject string
nagTimes []time.Duration
limit int
clk clock.Clock
@ -72,7 +75,7 @@ func (m *mailer) sendNags(parsedCert *x509.Certificate, contacts []*core.AcmeURL
return err
}
startSending := m.clk.Now()
err = m.mailer.SendMail(emails, msgBuf.String())
err = m.mailer.SendMail(emails, m.subject, msgBuf.String())
if err != nil {
m.stats.Inc("Mailer.Expiration.Errors.SendingNag.SendFailure", 1, 1.0)
return err
@ -246,7 +249,12 @@ func main() {
tmpl, err := template.New("expiry-email").Parse(string(emailTmpl))
cmd.FailOnError(err, "Could not parse email template")
mailClient := mail.New(c.Mailer.Server, c.Mailer.Port, c.Mailer.Username, c.Mailer.Password)
_, err = netmail.ParseAddress(c.Mailer.From)
cmd.FailOnError(err, fmt.Sprintf("Could not parse from address: %s", c.Mailer.From))
mailClient := mail.New(c.Mailer.Server, c.Mailer.Port, c.Mailer.Username, c.Mailer.Password, c.Mailer.From)
err = mailClient.Connect()
cmd.FailOnError(err, "Couldn't connect to mail server.")
nagCheckInterval := defaultNagCheckInterval
if s := c.Mailer.NagCheckInterval; s != "" {
@ -269,8 +277,13 @@ func main() {
// Make sure durations are sorted in increasing order
sort.Sort(nags)
subject := "Certificate expiration notice"
if c.Mailer.Subject != "" {
subject = c.Mailer.Subject
}
m := mailer{
stats: stats,
subject: subject,
log: auditlogger,
dbMap: dbMap,
rs: sac,

22
cmd/expiration-mailer/main_test.go
View File

@ -23,6 +23,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/gopkg.in/gorp.v1"
"github.com/letsencrypt/boulder/core"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/mocks"
@ -42,21 +43,6 @@ func intFromB64(b64 string) int {
return int(bigIntFromB64(b64).Int64())
}
type mockMail struct {
Messages []string
}
func (m *mockMail) Clear() {
m.Messages = []string{}
}
func (m *mockMail) SendMail(to []string, msg string) (err error) {
for range to {
m.Messages = append(m.Messages, msg)
}
return
}
type fakeRegStore struct {
RegByID map[int64]core.Registration
}
@ -104,7 +90,7 @@ var (
func TestSendNags(t *testing.T) {
stats, _ := statsd.NewNoopClient(nil)
mc := mockMail{}
mc := mocks.Mailer{}
rs := newFakeRegStore()
fc := newFakeClock(t)
@ -461,7 +447,7 @@ func TestDontFindRevokedCert(t *testing.T) {
type testCtx struct {
dbMap *gorp.DbMap
ssa core.StorageAdder
mc *mockMail
mc *mocks.Mailer
fc clock.FakeClock
m *mailer
cleanUp func()
@ -482,7 +468,7 @@ func setup(t *testing.T, nagTimes []time.Duration) *testCtx {
cleanUp := test.ResetSATestDatabase(t)
stats, _ := statsd.NewNoopClient(nil)
mc := &mockMail{}
mc := &mocks.Mailer{}
offsetNags := make([]time.Duration, len(nagTimes))
for i, t := range nagTimes {

4
cmd/ocsp-updater/main_test.go
View File

@ -29,10 +29,6 @@ func (ca *mockCA) GenerateOCSP(xferObj core.OCSPSigningRequest) (ocsp []byte, er
return
}
func (ca *mockCA) RevokeCertificate(serial string, reasonCode core.RevocationCode) (err error) {
return
}
type mockPub struct {
sa core.StorageAuthority
}

182
core/good_key.go
View File

@ -8,9 +8,9 @@ package core
import (
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa"
"fmt"
blog "github.com/letsencrypt/boulder/log"
"math/big"
"reflect"
"sync"
@ -38,53 +38,163 @@ var (
smallPrimes []*big.Int
)
// KeyPolicy etermines which types of key may be used with various boulder
// operations.
type KeyPolicy struct {
AllowRSA bool // Whether RSA keys should be allowed.
AllowECDSANISTP256 bool // Whether ECDSA NISTP256 keys should be allowed.
AllowECDSANISTP384 bool // Whether ECDSA NISTP384 keys should be allowed.
AllowECDSANISTP521 bool // Whether ECDSA NISTP521 keys should be allowed.
}
// GoodKey returns true iff the key is acceptable for both TLS use and account
// key use (our requirements are the same for either one), according to basic
// strength and algorithm checking.
// TODO: Support JsonWebKeys once go-jose migration is done.
func GoodKey(key crypto.PublicKey) error {
log := blog.GetAuditLogger()
func (policy *KeyPolicy) GoodKey(key crypto.PublicKey) error {
switch t := key.(type) {
case rsa.PublicKey:
return GoodKeyRSA(t)
return policy.goodKeyRSA(t)
case *rsa.PublicKey:
return GoodKeyRSA(*t)
return policy.goodKeyRSA(*t)
case ecdsa.PublicKey:
return GoodKeyECDSA(t)
return policy.goodKeyECDSA(t)
case *ecdsa.PublicKey:
return GoodKeyECDSA(*t)
return policy.goodKeyECDSA(*t)
default:
err := MalformedRequestError(fmt.Sprintf("Unknown key type %s", reflect.TypeOf(key)))
log.Debug(err.Error())
return err
return MalformedRequestError(fmt.Sprintf("Unknown key type %s", reflect.TypeOf(key)))
}
}
// GoodKeyECDSA determines if an ECDSA pubkey meets our requirements
func GoodKeyECDSA(key ecdsa.PublicKey) (err error) {
log := blog.GetAuditLogger()
err = NotSupportedError("ECDSA keys not yet supported")
log.Debug(err.Error())
return
func (policy *KeyPolicy) goodKeyECDSA(key ecdsa.PublicKey) (err error) {
// Check the curve.
//
// The validity of the curve is an assumption for all following tests.
err = policy.goodCurve(key.Curve)
if err != nil {
return err
}
// Key validation routine adapted from NIST SP800-56A § 5.6.2.3.2.
// <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf>
//
// Assuming a prime field since a) we are only allowing such curves and b)
// crypto/elliptic only supports prime curves. Where this assumption
// simplifies the code below, it is explicitly stated and explained. If ever
// adapting this code to support non-prime curves, refer to NIST SP800-56A §
// 5.6.2.3.2 and adapt this code appropriately.
params := key.Params()
// SP800-56A § 5.6.2.3.2 Step 1.
// Partial check of the public key for an invalid range in the EC group:
// Verify that key is not the point at infinity O.
// This code assumes that the point at infinity is (0,0), which is the
// case for all supported curves.
if isPointAtInfinityNISTP(key.X, key.Y) {
return MalformedRequestError("Key x, y must not be the point at infinity")
}
// SP800-56A § 5.6.2.3.2 Step 2.
// "Verify that x_Q and y_Q are integers in the interval [0,p-1] in the
// case that q is an odd prime p, or that x_Q and y_Q are bit strings
// of length m bits in the case that q = 2**m."
//
// Prove prime field: ASSUMED.
// Prove q != 2: ASSUMED. (Curve parameter. No supported curve has q == 2.)
// Prime field && q != 2 => q is an odd prime p
// Therefore "verify that x, y are in [0, p-1]" satisfies step 2.
//
// Therefore verify that both x and y of the public key point have the unique
// correct representation of an element in the underlying field by verifying
// that x and y are integers in [0, p-1].
if key.X.Sign() < 0 || key.Y.Sign() < 0 {
return MalformedRequestError("Key x, y must not be negative")
}
if key.X.Cmp(params.P) >= 0 || key.Y.Cmp(params.P) >= 0 {
return MalformedRequestError("Key x, y must not exceed P-1")
}
// SP800-56A § 5.6.2.3.2 Step 3.
// "If q is an odd prime p, verify that (y_Q)**2 === (x_Q)***3 + a*x_Q + b (mod p).
// If q = 2**m, verify that (y_Q)**2 + (x_Q)*(y_Q) == (x_Q)**3 + a*(x_Q)*2 + b in
// the finite field of size 2**m.
// (Ensures that the public key is on the correct elliptic curve.)"
//
// q is an odd prime p: proven/assumed above.
// a = -3 for all supported curves.
//
// Therefore step 3 is satisfied simply by showing that
// y**2 === x**3 - 3*x + B (mod P).
//
// This proves that the public key is on the correct elliptic curve.
// But in practice, this test is provided by crypto/elliptic, so use that.
if !key.Curve.IsOnCurve(key.X, key.Y) {
return MalformedRequestError("Key point is not on the curve")
}
// SP800-56A § 5.6.2.3.2 Step 4.
// "Verify that n*Q == O.
// (Ensures that the public key has the correct order. Along with check 1,
// ensures that the public key is in the correct range in the correct EC
// subgroup, that is, it is in the correct EC subgroup and is not the
// identity element.)"
//
// Ensure that public key has the correct order:
// verify that n*Q = O.
//
// n*Q = O iff n*Q is the point at infinity (see step 1).
ox, oy := key.Curve.ScalarMult(key.X, key.Y, params.N.Bytes())
if !isPointAtInfinityNISTP(ox, oy) {
return MalformedRequestError("Public key does not have correct order")
}
// End of SP800-56A § 5.6.2.3.2 Public Key Validation Routine.
// Key is valid.
return nil
}
// Returns true iff the point (x,y) on NIST P-256, NIST P-384 or NIST P-521 is
// the point at infinity. These curves all have the same point at infinity
// (0,0). This function must ONLY be used on points on curves verified to have
// (0,0) as their point at infinity.
func isPointAtInfinityNISTP(x, y *big.Int) bool {
return x.Sign() == 0 && y.Sign() == 0
}
// GoodCurve determines if an elliptic curve meets our requirements.
func (policy *KeyPolicy) goodCurve(c elliptic.Curve) (err error) {
// Simply use a whitelist for now.
params := c.Params()
switch {
case policy.AllowECDSANISTP256 && params == elliptic.P256().Params():
return nil
case policy.AllowECDSANISTP384 && params == elliptic.P384().Params():
return nil
case policy.AllowECDSANISTP521 && params == elliptic.P521().Params():
return nil
default:
return MalformedRequestError(fmt.Sprintf("ECDSA curve %v not allowed", params.Name))
}
}
// GoodKeyRSA determines if a RSA pubkey meets our requirements
func GoodKeyRSA(key rsa.PublicKey) (err error) {
log := blog.GetAuditLogger()
func (policy *KeyPolicy) goodKeyRSA(key rsa.PublicKey) (err error) {
if !policy.AllowRSA {
return MalformedRequestError("RSA keys are not allowed")
}
// Baseline Requirements Appendix A
// Modulus must be >= 2048 bits and <= 4096 bits
modulus := key.N
modulusBitLen := modulus.BitLen()
const maxKeySize = 4096
if modulusBitLen < 2048 {
err = MalformedRequestError(fmt.Sprintf("Key too small: %d", modulusBitLen))
log.Debug(err.Error())
return err
return MalformedRequestError(fmt.Sprintf("Key too small: %d", modulusBitLen))
}
if modulusBitLen > maxKeySize {
err = MalformedRequestError(fmt.Sprintf("Key too large: %d > %d", modulusBitLen, maxKeySize))
log.Debug(err.Error())
return err
return MalformedRequestError(fmt.Sprintf("Key too large: %d > %d", modulusBitLen, maxKeySize))
}
// The CA SHALL confirm that the value of the public exponent is an
// odd number equal to 3 or more. Additionally, the public exponent
@ -93,26 +203,36 @@ func GoodKeyRSA(key rsa.PublicKey) (err error) {
// 2^32 - 1 or 2^64 - 1, because it stores E as an integer. So we
// don't need to check the upper bound.
if (key.E%2) == 0 || key.E < ((1<<16)+1) {
err = MalformedRequestError(fmt.Sprintf("Key exponent should be odd and >2^16: %d", key.E))
log.Debug(err.Error())
return err
return MalformedRequestError(fmt.Sprintf("Key exponent should be odd and >2^16: %d", key.E))
}
// The modulus SHOULD also have the following characteristics: an odd
// number, not the power of a prime, and have no factors smaller than 752.
// TODO: We don't yet check for "power of a prime."
if checkSmallPrimes(modulus) {
return MalformedRequestError("Key divisible by small prime")
}
return nil
}
// Returns true iff integer i is divisible by any of the primes in smallPrimes.
//
// Short circuits; execution time is dependent on i. Do not use this on secret
// values.
func checkSmallPrimes(i *big.Int) bool {
smallPrimesSingleton.Do(func() {
for _, prime := range smallPrimeInts {
smallPrimes = append(smallPrimes, big.NewInt(prime))
}
})
for _, prime := range smallPrimes {
var result big.Int
result.Mod(modulus, prime)
result.Mod(i, prime)
if result.Sign() == 0 {
err = MalformedRequestError(fmt.Sprintf("Key divisible by small prime: %d", prime))
log.Debug(err.Error())
return err
return true
}
}
return nil
return false
}

142
core/good_key_test.go
View File

@ -7,6 +7,7 @@ package core
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"math/big"
@ -15,29 +16,29 @@ import (
"github.com/letsencrypt/boulder/test"
)
func TestUnknownKeyType(t *testing.T) {
notAKey := struct{}{}
test.AssertError(t, GoodKey(notAKey), "Should have rejected a key of unknown type")
var testingPolicy = &KeyPolicy{
AllowRSA: true,
AllowECDSANISTP256: true,
AllowECDSANISTP384: true,
}
func TestWrongKeyType(t *testing.T) {
ecdsaKey := ecdsa.PublicKey{}
test.AssertError(t, GoodKey(&ecdsaKey), "Should have rejected ECDSA key.")
test.AssertError(t, GoodKey(ecdsaKey), "Should have rejected ECDSA key.")
func TestUnknownKeyType(t *testing.T) {
notAKey := struct{}{}
test.AssertError(t, testingPolicy.GoodKey(notAKey), "Should have rejected a key of unknown type")
}
func TestSmallModulus(t *testing.T) {
private, err := rsa.GenerateKey(rand.Reader, 2040)
test.AssertNotError(t, err, "Error generating key")
test.AssertError(t, GoodKey(&private.PublicKey), "Should have rejected too-short key.")
test.AssertError(t, GoodKey(private.PublicKey), "Should have rejected too-short key.")
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should have rejected too-short key.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should have rejected too-short key.")
}
func TestLargeModulus(t *testing.T) {
private, err := rsa.GenerateKey(rand.Reader, 4097)
test.AssertNotError(t, err, "Error generating key")
test.AssertError(t, GoodKey(&private.PublicKey), "Should have rejected too-long key.")
test.AssertError(t, GoodKey(private.PublicKey), "Should have rejected too-long key.")
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should have rejected too-long key.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should have rejected too-long key.")
}
func TestSmallExponent(t *testing.T) {
@ -46,7 +47,7 @@ func TestSmallExponent(t *testing.T) {
N: bigOne.Lsh(bigOne, 2048),
E: 5,
}
test.AssertError(t, GoodKey(&key), "Should have rejected small exponent.")
test.AssertError(t, testingPolicy.GoodKey(&key), "Should have rejected small exponent.")
}
func TestEvenExponent(t *testing.T) {
@ -55,7 +56,7 @@ func TestEvenExponent(t *testing.T) {
N: bigOne.Lsh(bigOne, 2048),
E: 1 << 17,
}
test.AssertError(t, GoodKey(&key), "Should have rejected even exponent.")
test.AssertError(t, testingPolicy.GoodKey(&key), "Should have rejected even exponent.")
}
func TestEvenModulus(t *testing.T) {
@ -64,7 +65,7 @@ func TestEvenModulus(t *testing.T) {
N: bigOne.Lsh(bigOne, 2048),
E: (1 << 17) + 1,
}
test.AssertError(t, GoodKey(&key), "Should have rejected even modulus.")
test.AssertError(t, testingPolicy.GoodKey(&key), "Should have rejected even modulus.")
}
func TestModulusDivisibleBy752(t *testing.T) {
@ -76,11 +77,120 @@ func TestModulusDivisibleBy752(t *testing.T) {
N: N,
E: (1 << 17) + 1,
}
test.AssertError(t, GoodKey(&key), "Should have rejected modulus divisible by 751.")
test.AssertError(t, testingPolicy.GoodKey(&key), "Should have rejected modulus divisible by 751.")
}
func TestGoodKey(t *testing.T) {
private, err := rsa.GenerateKey(rand.Reader, 2048)
test.AssertNotError(t, err, "Error generating key")
test.AssertNotError(t, GoodKey(&private.PublicKey), "Should have accepted good key.")
test.AssertNotError(t, testingPolicy.GoodKey(&private.PublicKey), "Should have accepted good key.")
}
func TestECDSABadCurve(t *testing.T) {
for _, curve := range invalidCurves {
private, err := ecdsa.GenerateKey(curve, rand.Reader)
test.AssertNotError(t, err, "Error generating key")
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should have rejected key with unsupported curve.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should have rejected key with unsupported curve.")
}
}
var invalidCurves = []elliptic.Curve{
elliptic.P224(),
elliptic.P521(),
}
var validCurves = []elliptic.Curve{
elliptic.P256(),
elliptic.P384(),
}
func TestECDSAGoodKey(t *testing.T) {
for _, curve := range validCurves {
private, err := ecdsa.GenerateKey(curve, rand.Reader)
test.AssertNotError(t, err, "Error generating key")
test.AssertNotError(t, testingPolicy.GoodKey(&private.PublicKey), "Should have accepted good key.")
test.AssertNotError(t, testingPolicy.GoodKey(private.PublicKey), "Should have accepted good key.")
}
}
func TestECDSANotOnCurveX(t *testing.T) {
for _, curve := range validCurves {
// Change a public key so that it is no longer on the curve.
private, err := ecdsa.GenerateKey(curve, rand.Reader)
test.AssertNotError(t, err, "Error generating key")
private.X.Add(private.X, big.NewInt(1))
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should not have accepted key not on the curve.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should not have accepted key not on the curve.")
}
}
func TestECDSANotOnCurveY(t *testing.T) {
for _, curve := range validCurves {
// Again with Y.
private, err := ecdsa.GenerateKey(curve, rand.Reader)
test.AssertNotError(t, err, "Error generating key")
// Change the public key so that it is no longer on the curve.
private.Y.Add(private.Y, big.NewInt(1))
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should not have accepted key not on the curve.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should not have accepted key not on the curve.")
}
}
func TestECDSANegative(t *testing.T) {
for _, curve := range validCurves {
// Check that negative X is not accepted.
private, err := ecdsa.GenerateKey(curve, rand.Reader)
test.AssertNotError(t, err, "Error generating key")
private.X.Neg(private.X)
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should not have accepted key with negative X.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should not have accepted key with negative X.")
// Check that negative Y is not accepted.
private.X.Neg(private.X)
private.Y.Neg(private.Y)
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should not have accepted key with negative Y.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should not have accepted key with negative Y.")
}
}
func TestECDSANegativeUnmodulatedX(t *testing.T) {
for _, curve := range validCurves {
// Check that unmodulated X is not accepted.
private, err := ecdsa.GenerateKey(curve, rand.Reader)
test.AssertNotError(t, err, "Error generating key")
private.X.Mul(private.X, private.Curve.Params().P)
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should not have accepted key with unmodulated X.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should not have accepted key with unmodulated X.")
}
}
func TestECDSANegativeUnmodulatedY(t *testing.T) {
for _, curve := range validCurves {
// Check that unmodulated Y is not accepted.
private, err := ecdsa.GenerateKey(curve, rand.Reader)
test.AssertNotError(t, err, "Error generating key")
private.X.Mul(private.Y, private.Curve.Params().P)
test.AssertError(t, testingPolicy.GoodKey(&private.PublicKey), "Should not have accepted key with unmodulated Y.")
test.AssertError(t, testingPolicy.GoodKey(private.PublicKey), "Should not have accepted key with unmodulated Y.")
}
}
func TestECDSAIdentity(t *testing.T) {
for _, curve := range validCurves {
// The point at infinity is 0,0, it should not be accepted.
public := ecdsa.PublicKey{
Curve: curve,
X: big.NewInt(0),
Y: big.NewInt(0),
}
test.AssertError(t, testingPolicy.GoodKey(&public), "Should not have accepted key with point at infinity.")
test.AssertError(t, testingPolicy.GoodKey(public), "Should not have accepted key with point at infinity.")
}
}

8
core/interfaces.go
View File

@ -12,7 +12,6 @@ import (
"time"
jose "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
gorp "github.com/letsencrypt/boulder/Godeps/_workspace/src/gopkg.in/gorp.v1"
)
// A WebFrontEnd object supplies methods that can be hooked into
@ -83,7 +82,6 @@ type RegistrationAuthority interface {
type CertificateAuthority interface {
// [RegistrationAuthority]
IssueCertificate(x509.CertificateRequest, int64) (Certificate, error)
RevokeCertificate(string, RevocationCode) error
GenerateOCSP(OCSPSigningRequest) ([]byte, error)
}
@ -131,12 +129,6 @@ type StorageAuthority interface {
StorageAdder
}
// CertificateAuthorityDatabase represents an atomic sequence source
type CertificateAuthorityDatabase interface {
IncrementAndGetSerial(*gorp.Transaction) (int64, error)
Begin() (*gorp.Transaction, error)
}
// Publisher defines the public interface for the Boulder Publisher
type Publisher interface {
SubmitToCT([]byte) error

11
core/objects.go
View File

@ -178,6 +178,9 @@ func (r *Registration) MergeUpdate(input Registration) {
// ValidationRecord represents a validation attempt against a specific URL/hostname
// and the IP addresses that were resolved and used
type ValidationRecord struct {
// DNS only
Authorities []string
// SimpleHTTP only
URL string `json:"url,omitempty"`
@ -328,7 +331,7 @@ type Challenge struct {
// RecordsSane checks the sanity of a ValidationRecord object before sending it
// back to the RA to be stored.
func (ch Challenge) RecordsSane() bool {
if ch.Type != ChallengeTypeDNS01 && (ch.ValidationRecord == nil || len(ch.ValidationRecord) == 0) {
if ch.ValidationRecord == nil || len(ch.ValidationRecord) == 0 {
return false
}
@ -352,6 +355,12 @@ func (ch Challenge) RecordsSane() bool {
return false
}
case ChallengeTypeDNS01:
if len(ch.ValidationRecord) > 1 {
return false
}
if len(ch.ValidationRecord[0].Authorities) == 0 || ch.ValidationRecord[0].Hostname == "" {
return false
}
return true
default: // Unsupported challenge type
return false

166
mail/mailer.go
View File

@ -6,38 +6,178 @@
package mail
import (
"bytes"
"crypto/rand"
"crypto/tls"
"errors"
"fmt"
"math"
"math/big"
"mime/quotedprintable"
"net"
"net/smtp"
"strconv"
"strings"
"time"
"unicode"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
)
type idGenerator interface {
generate() *big.Int
}
var maxBigInt = big.NewInt(math.MaxInt64)
type realSource struct{}
func (s realSource) generate() *big.Int {
randInt, err := rand.Int(rand.Reader, maxBigInt)
if err != nil {
panic(err)
}
return randInt
}
// Mailer provides the interface for a mailer
type Mailer interface {
SendMail([]string, string) error
SendMail([]string, string, string) error
}
// MailerImpl defines a mail transfer agent to use for sending mail
type MailerImpl struct {
Server string
Port string
Auth smtp.Auth
From string
server string
port string
auth smtp.Auth
from string
client *smtp.Client
clk clock.Clock
csprgSource idGenerator
}
func isASCII(str string) bool {
for _, r := range str {
if r > unicode.MaxASCII {
return false
}
}
return true
}
// New constructs a Mailer to represent an account on a particular mail
// transfer agent.
func New(server, port, username, password string) MailerImpl {
func New(server, port, username, password, from string) MailerImpl {
auth := smtp.PlainAuth("", username, password, server)
return MailerImpl{
Server: server,
Port: port,
Auth: auth,
From: username,
server: server,
port: port,
auth: auth,
from: from,
clk: clock.Default(),
csprgSource: realSource{},
}
}
func (m *MailerImpl) generateMessage(to []string, subject, body string) ([]byte, error) {
mid := m.csprgSource.generate()
now := m.clk.Now().UTC()
addrs := []string{}
for _, a := range to {
if !isASCII(a) {
return nil, fmt.Errorf("Non-ASCII email address")
}
addrs = append(addrs, strconv.Quote(a))
}
headers := []string{
fmt.Sprintf("To: %s", strings.Join(addrs, ", ")),
fmt.Sprintf("From: %s", m.from),
fmt.Sprintf("Subject: %s", subject),
fmt.Sprintf("Date: %s", now.Format(time.RFC822)),
fmt.Sprintf("Message-Id: <%s.%s.%s>", now.Format("20060102T150405"), mid.String(), m.from),
"MIME-Version: 1.0",
"Content-Type: text/plain; charset=UTF-8",
"Content-Transfer-Encoding: quoted-printable",
}
for i := range headers[1:] {
// strip LFs
headers[i] = strings.Replace(headers[i], "\n", "", -1)
}
bodyBuf := new(bytes.Buffer)
mimeWriter := quotedprintable.NewWriter(bodyBuf)
_, err := mimeWriter.Write([]byte(body))
if err != nil {
return nil, err
}
err = mimeWriter.Close()
if err != nil {
return nil, err
}
return []byte(fmt.Sprintf(
"%s\r\n\r\n%s\r\n",
strings.Join(headers, "\r\n"),
bodyBuf.String(),
)), nil
}
// Connect opens a connection to the specified mail server. It must be called
// before SendMail.
func (m *MailerImpl) Connect() error {
hostport := net.JoinHostPort(m.server, m.port)
var conn net.Conn
var err error
// By convention, port 465 is TLS-wrapped SMTP, while 587 is plaintext SMTP
// (with STARTTLS as best-effort).
if m.port == "465" {
conn, err = tls.Dial("tcp", hostport, nil)
} else {
conn, err = net.Dial("tcp", hostport)
}
if err != nil {
return err
}
client, err := smtp.NewClient(conn, m.server)
if err != nil {
return err
}
if err = client.Auth(m.auth); err != nil {
return err
}
m.client = client
return nil
}
// SendMail sends an email to the provided list of recipients. The email body
// is simple text.
func (m *MailerImpl) SendMail(to []string, msg string) (err error) {
err = smtp.SendMail(net.JoinHostPort(m.Server, m.Port), m.Auth, m.From, to, []byte(msg))
return
func (m *MailerImpl) SendMail(to []string, subject, msg string) error {
if m.client == nil {
return errors.New("call Connect before SendMail")
}
body, err := m.generateMessage(to, subject, msg)
if err != nil {
return err
}
if m.client.Mail(m.from); err != nil {
return err
}
for _, t := range to {
if m.client.Rcpt(t); err != nil {
return err
}
}
w, err := m.client.Data()
if err != nil {
return err
}
_, err = w.Write(body)
if err != nil {
return err
}
err = w.Close()
if err != nil {
return err
}
return nil
}

101
mail/mailer_test.go
View File

@ -4,3 +4,104 @@
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package mail
import (
"bufio"
"errors"
"fmt"
"math/big"
"net"
"strings"
"testing"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/test"
)
type fakeSource struct{}
func (f fakeSource) generate() *big.Int {
return big.NewInt(1991)
}
func TestGenerateMessage(t *testing.T) {
fc := clock.NewFake()
m := New("", "", "", "", "send@email.com")
m.clk = fc
m.csprgSource = fakeSource{}
messageBytes, err := m.generateMessage([]string{"recv@email.com"}, "test subject", "this is the body\n")
test.AssertNotError(t, err, "Failed to generate email body")
message := string(messageBytes)
fields := strings.Split(message, "\r\n")
test.AssertEquals(t, len(fields), 12)
fmt.Println(message)
test.AssertEquals(t, fields[0], "To: \"recv@email.com\"")
test.AssertEquals(t, fields[1], "From: send@email.com")
test.AssertEquals(t, fields[2], "Subject: test subject")
test.AssertEquals(t, fields[3], "Date: 01 Jan 70 00:00 UTC")
test.AssertEquals(t, fields[4], "Message-Id: <19700101T000000.1991.send@email.com>")
test.AssertEquals(t, fields[5], "MIME-Version: 1.0")
test.AssertEquals(t, fields[6], "Content-Type: text/plain; charset=UTF-8")
test.AssertEquals(t, fields[7], "Content-Transfer-Encoding: quoted-printable")
test.AssertEquals(t, fields[8], "")
test.AssertEquals(t, fields[9], "this is the body")
}
func TestFailNonASCIIAddress(t *testing.T) {
m := New("", "", "", "", "send@email.com")
_, err := m.generateMessage([]string{"遗憾@email.com"}, "test subject", "this is the body\n")
test.AssertError(t, err, "Allowed a non-ASCII to address incorrectly")
}
func expect(t *testing.T, buf *bufio.Reader, expected string) error {
line, _, err := buf.ReadLine()
if err != nil {
t.Errorf("readline: %s\n", err)
return err
}
if string(line) != expected {
t.Errorf("Expected %s, got %s", expected, line)
return errors.New("")
}
return nil
}
func TestConnect(t *testing.T) {
port := "16632"
l, err := net.Listen("tcp", ":"+port)
if err != nil {
t.Errorf("listen: %s", err)
}
go func() {
defer l.Close()
for {
conn, err := l.Accept()
if err != nil {
return
}
go func() {
defer conn.Close()
buf := bufio.NewReader(conn)
conn.Write([]byte("220 smtp.example.com ESMTP\n"))
if err := expect(t, buf, "EHLO localhost"); err != nil {
return
}
conn.Write([]byte("250-PIPELINING\n"))
conn.Write([]byte("250-AUTH PLAIN LOGIN\n"))
conn.Write([]byte("250 8BITMIME\n"))
// Base64 encoding of "user@example.com\0paswd"
if err := expect(t, buf, "AUTH PLAIN AHVzZXJAZXhhbXBsZS5jb20AcGFzd2Q="); err != nil {
return
}
conn.Write([]byte("235 2.7.0 Authentication successful\n"))
}()
}
}()
m := New("localhost", port, "user@example.com", "paswd", "send@email.com")
err = m.Connect()
if err != nil {
t.Errorf("Failed to connect: %s", err)
}
}

154
mocks/mocks.go
View File

@ -12,8 +12,6 @@ import (
"fmt"
"io/ioutil"
"net"
"os"
"strings"
"time"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
@ -23,117 +21,9 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/core"
)
// DNSResolver is a mock
type DNSResolver struct {
}
// LookupTXT is a mock
func (mock *DNSResolver) LookupTXT(ctx context.Context, hostname string) ([]string, error) {
if hostname == "_acme-challenge.servfail.com" {
return nil, fmt.Errorf("SERVFAIL")
}
if hostname == "_acme-challenge.good-dns01.com" {
// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
// + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
// expected token + test account jwk thumbprint
return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, nil
}
return []string{"hostname"}, nil
}
// TimeoutError returns a net.OpError for which Timeout() returns true.
func TimeoutError() *net.OpError {
return &net.OpError{
Err: os.NewSyscallError("ugh timeout", timeoutError{}),
}
}
type timeoutError struct{}
func (t timeoutError) Error() string {
return "so sloooow"
}
func (t timeoutError) Timeout() bool {
return true
}
// LookupHost is a mock
//
// Note: see comments on LookupMX regarding email.only
//
func (mock *DNSResolver) LookupHost(ctx context.Context, hostname string) ([]net.IP, error) {
if hostname == "always.invalid" ||
hostname == "invalid.invalid" ||
hostname == "email.only" {
return []net.IP{}, nil
}
if hostname == "always.timeout" {
return []net.IP{}, TimeoutError()
}
if hostname == "always.error" {
return []net.IP{}, &net.OpError{
Err: errors.New("some net error"),
}
}
ip := net.ParseIP("127.0.0.1")
return []net.IP{ip}, nil
}
// LookupCAA is a mock
func (mock *DNSResolver) LookupCAA(ctx context.Context, domain string) ([]*dns.CAA, error) {
var results []*dns.CAA
var record dns.CAA
switch strings.TrimRight(domain, ".") {
case "caa-timeout.com":
return nil, TimeoutError()
case "reserved.com":
record.Tag = "issue"
record.Value = "symantec.com"
results = append(results, &record)
case "critical.com":
record.Flag = 1
record.Tag = "issue"
record.Value = "symantec.com"
results = append(results, &record)
case "present.com":
record.Tag = "issue"
record.Value = "letsencrypt.org"
results = append(results, &record)
case "com":
// Nothing should ever call this, since CAA checking should stop when it
// reaches a public suffix.
fallthrough
case "servfail.com":
return results, fmt.Errorf("SERVFAIL")
}
return results, nil
}
// LookupMX is a mock
//
// Note: the email.only domain must have an MX but no A or AAAA
// records. The mock LookupHost returns an address of 127.0.0.1 for
// all domains except for special cases, so MX-only domains must be
// handled in both LookupHost and LookupMX.
//
func (mock *DNSResolver) LookupMX(ctx context.Context, domain string) ([]string, error) {
switch strings.TrimRight(domain, ".") {
case "letsencrypt.org":
fallthrough
case "email.only":
fallthrough
case "email.com":
return []string{"mail.email.com"}, nil
}
return nil, nil
}
// StorageAuthority is a mock
type StorageAuthority struct {
clk clock.Clock
@ -158,6 +48,20 @@ const (
"n":"qnARLrT7Xz4gRcKyLdydmCr-ey9OuPImX4X40thk3on26FkMznR3fRjs66eLK7mmPcBZ6uOJseURU6wAaZNmemoYx1dMvqvWWIyiQleHSD7Q8vBrhR6uIoO4jAzJZR-ChzZuSDt7iHN-3xUVspu5XGwXU_MVJZshTwp4TaFx5elHIT_ObnTvTOU3Xhish07AbgZKmWsVbXh5s-CrIicU4OexJPgunWZ_YJJueOKmTvnLlTV4MzKR2oZlBKZ27S0-SfdV_QDx_ydle5oMAyKVtlAV35cyPMIsYNwgUGBCdY_2Uzi5eX0lTc7MPRwz6qR1kip-i59VcGcUQgqHV6Fyqw",
"e":"AAEAAQ"
}`
testE1KeyPublicJSON = `{
"kty":"EC",
"crv":"P-256",
"x":"FwvSZpu06i3frSk_mz9HcD9nETn4wf3mQ-zDtG21Gao",
"y":"S8rR-0dWa8nAcw1fbunF_ajS3PQZ-QwLps-2adgLgPk"
}`
testE2KeyPublicJSON = `{
"kty":"EC",
"crv":"P-256",
"x":"S8FOmrZ3ywj4yyFqt0etAD90U-EnkNaOBSLfQmf7pNg",
"y":"vMvpDyqFDRHjGfZ1siDOm5LS6xNdR5xTpyoQGLDOX2Q"
}`
agreementURL = "http://example.invalid/terms"
)
@ -189,8 +93,12 @@ func (sa *StorageAuthority) GetRegistration(id int64) (core.Registration, error)
func (sa *StorageAuthority) GetRegistrationByKey(jwk jose.JsonWebKey) (core.Registration, error) {
var test1KeyPublic jose.JsonWebKey
var test2KeyPublic jose.JsonWebKey
var testE1KeyPublic jose.JsonWebKey
var testE2KeyPublic jose.JsonWebKey
test1KeyPublic.UnmarshalJSON([]byte(test1KeyPublicJSON))
test2KeyPublic.UnmarshalJSON([]byte(test2KeyPublicJSON))
testE1KeyPublic.UnmarshalJSON([]byte(testE1KeyPublicJSON))
testE2KeyPublic.UnmarshalJSON([]byte(testE2KeyPublicJSON))
if core.KeyDigestEquals(jwk, test1KeyPublic) {
return core.Registration{ID: 1, Key: jwk, Agreement: agreementURL}, nil
@ -201,6 +109,14 @@ func (sa *StorageAuthority) GetRegistrationByKey(jwk jose.JsonWebKey) (core.Regi
return core.Registration{ID: 2}, core.NoSuchRegistrationError("reg not found")
}
if core.KeyDigestEquals(jwk, testE1KeyPublic) {
return core.Registration{ID: 3, Key: jwk, Agreement: agreementURL}, nil
}
if core.KeyDigestEquals(jwk, testE2KeyPublic) {
return core.Registration{ID: 4}, core.NoSuchRegistrationError("reg not found")
}
// Return a fake registration. Make sure to fill the key field to avoid marshaling errors.
return core.Registration{ID: 1, Key: test1KeyPublic, Agreement: agreementURL}, nil
}
@ -439,3 +355,21 @@ func (s *Statter) Inc(metric string, value int64, rate float32) error {
func NewStatter() Statter {
return Statter{statsd.NoopClient{}, map[string]int64{}}
}
// Mailer is a mock
type Mailer struct {
Messages []string
}
// Clear removes any previously recorded messages
func (m *Mailer) Clear() {
m.Messages = []string{}
}
// SendMail is a mock
func (m *Mailer) SendMail(to []string, subject, msg string) (err error) {
for range to {
m.Messages = append(m.Messages, msg)
}
return
}

50
ra/registration-authority.go
View File

@ -21,6 +21,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/net/publicsuffix"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/probs"
"github.com/letsencrypt/boulder/bdns"
@ -54,6 +55,7 @@ type RegistrationAuthorityImpl struct {
clk clock.Clock
log *blog.AuditLogger
dc *DomainCheck
keyPolicy core.KeyPolicy
// How long before a newly created authorization expires.
authorizationLifetime time.Duration
pendingAuthorizationLifetime time.Duration
@ -62,10 +64,17 @@ type RegistrationAuthorityImpl struct {
totalIssuedCache int
lastIssuedCount *time.Time
maxContactsPerReg int
regByIPStats metrics.Scope
pendAuthByRegIDStats metrics.Scope
certsForDomainStats metrics.Scope
totalCertsStats metrics.Scope
}
// NewRegistrationAuthorityImpl constructs a new RA object.
func NewRegistrationAuthorityImpl(clk clock.Clock, logger *blog.AuditLogger, stats statsd.Statter, dc *DomainCheck, policies cmd.RateLimitConfig, maxContactsPerReg int) *RegistrationAuthorityImpl {
func NewRegistrationAuthorityImpl(clk clock.Clock, logger *blog.AuditLogger, stats statsd.Statter, dc *DomainCheck, policies cmd.RateLimitConfig, maxContactsPerReg int, keyPolicy core.KeyPolicy) *RegistrationAuthorityImpl {
// TODO(jmhodges): making RA take a "RA" stats.Scope, not Statter
scope := metrics.NewStatsdScope(stats, "RA")
ra := &RegistrationAuthorityImpl{
stats: stats,
clk: clk,
@ -76,6 +85,12 @@ func NewRegistrationAuthorityImpl(clk clock.Clock, logger *blog.AuditLogger, sta
rlPolicies: policies,
tiMu: new(sync.RWMutex),
maxContactsPerReg: maxContactsPerReg,
keyPolicy: keyPolicy,
regByIPStats: scope.NewScope("RA", "RateLimit", "RegistrationsByIP"),
pendAuthByRegIDStats: scope.NewScope("RA", "RateLimit", "PendingAuthorizationsByRegID"),
certsForDomainStats: scope.NewScope("RA", "RateLimit", "CertificatesForDomain"),
totalCertsStats: scope.NewScope("RA", "RateLimit", "TotalCertificates"),
}
return ra
}
@ -98,10 +113,8 @@ func validateEmail(ctx context.Context, address string, resolver bdns.DNSResolve
var resultMX []string
var resultA []net.IP
resultMX, err = resolver.LookupMX(ctx, domain)
recQ := "MX"
if err == nil && len(resultMX) == 0 {
resultA, err = resolver.LookupHost(ctx, domain)
recQ = "A"
if err == nil && len(resultA) == 0 {
return &probs.ProblemDetails{
Type: probs.InvalidEmailProblem,
@ -110,7 +123,7 @@ func validateEmail(ctx context.Context, address string, resolver bdns.DNSResolve
}
}
if err != nil {
prob := bdns.ProblemDetailsFromDNSError(recQ, domain, err)
prob := bdns.ProblemDetailsFromDNSError(err)
prob.Type = probs.InvalidEmailProblem
return prob
}
@ -186,15 +199,18 @@ func (ra *RegistrationAuthorityImpl) checkRegistrationLimit(ip net.IP) error {
return err
}
if count >= limit.GetThreshold(ip.String(), noRegistrationID) {
ra.regByIPStats.Inc("Exceeded", 1)
ra.log.Info(fmt.Sprintf("Rate limit exceeded, RegistrationsByIP, IP: %s", ip))
return core.RateLimitedError("Too many registrations from this IP")
}
ra.regByIPStats.Inc("Pass", 1)
}
return nil
}
// NewRegistration constructs a new Registration from a request.
func (ra *RegistrationAuthorityImpl) NewRegistration(init core.Registration) (reg core.Registration, err error) {
if err = core.GoodKey(init.Key.Key); err != nil {
if err = ra.keyPolicy.GoodKey(init.Key.Key); err != nil {
return core.Registration{}, core.MalformedRequestError(fmt.Sprintf("Invalid public key: %s", err.Error()))
}
if err = ra.checkRegistrationLimit(init.InitialIP); err != nil {
@ -260,9 +276,10 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
return
}
func checkPendingAuthorizationLimit(sa core.StorageGetter, limit *cmd.RateLimitPolicy, regID int64) error {
func (ra *RegistrationAuthorityImpl) checkPendingAuthorizationLimit(regID int64) error {
limit := ra.rlPolicies.PendingAuthorizationsPerAccount
if limit.Enabled() {
count, err := sa.CountPendingAuthorizations(regID)
count, err := ra.SA.CountPendingAuthorizations(regID)
if err != nil {
return err
}
@ -270,8 +287,11 @@ func checkPendingAuthorizationLimit(sa core.StorageGetter, limit *cmd.RateLimitP
// here.
noKey := ""
if count >= limit.GetThreshold(noKey, regID) {
ra.pendAuthByRegIDStats.Inc("Exceeded", 1)
ra.log.Info(fmt.Sprintf("Rate limit exceeded, PendingAuthorizationsByRegID, regID: %d", regID))
return core.RateLimitedError("Too many currently pending authorizations.")
}
ra.pendAuthByRegIDStats.Inc("Pass", 1)
}
return nil
}
@ -293,8 +313,7 @@ func (ra *RegistrationAuthorityImpl) NewAuthorization(request core.Authorization
return authz, err
}
limit := &ra.rlPolicies.PendingAuthorizationsPerAccount
if err = checkPendingAuthorizationLimit(ra.SA, limit, regID); err != nil {
if err = ra.checkPendingAuthorizationLimit(regID); err != nil {
return authz, err
}
@ -609,10 +628,15 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerNameLimit(names []strin
}
}
if len(badNames) > 0 {
domains := strings.Join(badNames, ", ")
ra.certsForDomainStats.Inc("Exceeded", 1)
ra.log.Info(fmt.Sprintf("Rate limit exceeded, CertificatesForDomain, regID: %d, domains: %s", regID, domains))
return core.RateLimitedError(fmt.Sprintf(
"Too many certificates already issued for: %s",
strings.Join(badNames, ", ")))
"Too many certificates already issued for: %s", domains))
}
ra.certsForDomainStats.Inc("Pass", 1)
return nil
}
@ -624,8 +648,12 @@ func (ra *RegistrationAuthorityImpl) checkLimits(names []string, regID int64) er
return err
}
if totalIssued >= ra.rlPolicies.TotalCertificates.Threshold {
domains := strings.Join(names, ",")
ra.totalCertsStats.Inc("Exceeded", 1)
ra.log.Info(fmt.Sprintf("Rate limit exceeded, TotalCertificates, regID: %d, domains: %s, totalIssued: %d", regID, domains, totalIssued))
return core.RateLimitedError("Certificate issuance limit reached")
}
ra.totalCertsStats.Inc("Pass", 1)
}
if limits.CertificatesPerName.Enabled() {
err := ra.checkCertificatesPerNameLimit(names, limits.CertificatesPerName, regID)

22
ra/registration-authority_test.go
View File

@ -23,6 +23,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
jose "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/bdns"
"github.com/letsencrypt/boulder/ca"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
@ -146,6 +147,12 @@ func makeResponse(ch core.Challenge) (out core.Challenge, err error) {
return
}
var testKeyPolicy = core.KeyPolicy{
AllowRSA: true,
AllowECDSANISTP256: true,
AllowECDSANISTP384: true,
}
func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAuthority, *RegistrationAuthorityImpl, clock.FakeClock, func()) {
err := json.Unmarshal(AccountKeyJSONA, &AccountKeyA)
test.AssertNotError(t, err, "Failed to unmarshal public JWK")
@ -215,7 +222,8 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
fc,
stats,
caCert,
caKey)
caKey,
testKeyPolicy)
test.AssertNotError(t, err, "Couldn't create CA")
ca.SA = ssa
ca.PA = pa
@ -242,12 +250,12 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
Threshold: 100,
Window: cmd.ConfigDuration{Duration: 24 * 90 * time.Hour},
},
}, 1)
}, 1, testKeyPolicy)
ra.SA = ssa
ra.VA = va
ra.CA = ca
ra.PA = pa
ra.DNSResolver = &mocks.DNSResolver{}
ra.DNSResolver = &bdns.MockDNSResolver{}
AuthzInitial.RegistrationID = Registration.ID
@ -318,8 +326,8 @@ func TestValidateEmail(t *testing.T) {
}{
{"an email`", unparseableEmailDetail},
{"a@always.invalid", emptyDNSResponseDetail},
{"a@always.timeout", "DNS query timed out during A-record lookup of always.timeout"},
{"a@always.error", "DNS networking error during A-record lookup of always.error"},
{"a@always.timeout", "DNS problem: query timed out looking up A for always.timeout"},
{"a@always.error", "DNS problem: networking error looking up A for always.error"},
}
testSuccesses := []string{
"a@email.com",
@ -327,7 +335,7 @@ func TestValidateEmail(t *testing.T) {
}
for _, tc := range testFailures {
problem := validateEmail(context.Background(), tc.input, &mocks.DNSResolver{})
problem := validateEmail(context.Background(), tc.input, &bdns.MockDNSResolver{})
if problem.Type != probs.InvalidEmailProblem {
t.Errorf("validateEmail(%q): got problem type %#v, expected %#v", tc.input, problem.Type, probs.InvalidEmailProblem)
}
@ -338,7 +346,7 @@ func TestValidateEmail(t *testing.T) {
}
for _, addr := range testSuccesses {
if prob := validateEmail(context.Background(), addr, &mocks.DNSResolver{}); prob != nil {
if prob := validateEmail(context.Background(), addr, &bdns.MockDNSResolver{}); prob != nil {
t.Errorf("validateEmail(%q): expected success, but it failed: %s",
addr, prob)
}

31
rpc/rpc-wrappers.go
View File

@ -42,7 +42,6 @@ const (
MethodNewCertificate = "NewCertificate" // RA
MethodUpdateRegistration = "UpdateRegistration" // RA, SA
MethodUpdateAuthorization = "UpdateAuthorization" // RA
MethodRevokeCertificate = "RevokeCertificate" // CA
MethodRevokeCertificateWithReg = "RevokeCertificateWithReg" // RA
MethodAdministrativelyRevokeCertificate = "AdministrativelyRevokeCertificate" // RA
MethodOnValidationUpdate = "OnValidationUpdate" // RA
@ -705,19 +704,6 @@ func NewCertificateAuthorityServer(rpc Server, impl core.CertificateAuthority) (
return
})
rpc.Handle(MethodRevokeCertificate, func(req []byte) (response []byte, err error) {
var revokeReq revokeCertificateRequest
err = json.Unmarshal(req, &revokeReq)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
errorCondition(MethodRevokeCertificate, err, req)
return
}
err = impl.RevokeCertificate(revokeReq.Serial, revokeReq.ReasonCode)
return
})
rpc.Handle(MethodGenerateOCSP, func(req []byte) (response []byte, err error) {
var xferObj core.OCSPSigningRequest
err = json.Unmarshal(req, &xferObj)
@ -768,23 +754,6 @@ func (cac CertificateAuthorityClient) IssueCertificate(csr x509.CertificateReque
return
}
// RevokeCertificate sends a request to revoke a certificate
func (cac CertificateAuthorityClient) RevokeCertificate(serial string, reasonCode core.RevocationCode) (err error) {
var revokeReq revokeCertificateRequest
revokeReq.Serial = serial
revokeReq.ReasonCode = reasonCode
data, err := json.Marshal(revokeReq)
if err != nil {
// AUDIT[ Error Conditions ] 9cc4d537-8534-4970-8665-4b382abe82f3
errorCondition(MethodRevokeCertificate, err, revokeReq)
return
}
_, err = cac.rpc.DispatchSync(MethodRevokeCertificate, data)
return
}
// GenerateOCSP sends a request to generate an OCSP response
func (cac CertificateAuthorityClient) GenerateOCSP(signRequest core.OCSPSigningRequest) (resp []byte, err error) {
data, err := json.Marshal(signRequest)

10
test/boulder-config.json
View File

@ -254,6 +254,7 @@
"server": "mail.example.com",
"port": "25",
"username": "cert-master@example.com",
"from": "Expiry bot <test@example.com>",
"password": "password",
"dbConnectFile": "test/secrets/mailer_dburl",
"messageLimit": 0,
@ -306,5 +307,12 @@
"dbConnectFile": "test/secrets/cert_checker_dburl"
},
"subscriberAgreementURL": "http://127.0.0.1:4001/terms/v1"
"subscriberAgreementURL": "http://127.0.0.1:4001/terms/v1",
"allowedSigningAlgos": {
"rsa": true,
"ecdsanistp256": true,
"ecdsanistp384": true,
"ecdsanistp521": false
}
}

84
test/ct-test-srv/main.go
View File

@ -9,20 +9,77 @@
package main
import (
"crypto/ecdsa"
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"encoding/asn1"
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"log"
"math/big"
"net/http"
"os"
"sync/atomic"
ct "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/google/certificate-transparency/go"
)
func createSignedSCT(leaf []byte, k *ecdsa.PrivateKey) []byte {
rawKey, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
pkHash := sha256.Sum256(rawKey)
sct := ct.SignedCertificateTimestamp{
SCTVersion: ct.V1,
LogID: pkHash,
Timestamp: 1337,
}
serialized, _ := ct.SerializeSCTSignatureInput(sct, ct.LogEntry{
Leaf: ct.MerkleTreeLeaf{
LeafType: ct.TimestampedEntryLeafType,
TimestampedEntry: ct.TimestampedEntry{
X509Entry: ct.ASN1Cert(leaf),
EntryType: ct.X509LogEntryType,
},
},
})
hashed := sha256.Sum256(serialized)
var ecdsaSig struct {
R, S *big.Int
}
ecdsaSig.R, ecdsaSig.S, _ = ecdsa.Sign(rand.Reader, k, hashed[:])
sig, _ := asn1.Marshal(ecdsaSig)
ds := ct.DigitallySigned{
HashAlgorithm: ct.SHA256,
SignatureAlgorithm: ct.ECDSA,
Signature: sig,
}
var jsonSCTObj struct {
SCTVersion ct.Version `json:"sct_version"`
ID string `json:"id"`
Timestamp uint64 `json:"timestamp"`
Extensions string `json:"extensions"`
Signature string `json:"signature"`
}
jsonSCTObj.SCTVersion = ct.V1
jsonSCTObj.ID = base64.StdEncoding.EncodeToString(pkHash[:])
jsonSCTObj.Timestamp = 1337
jsonSCTObj.Signature, _ = ds.Base64String()
jsonSCT, _ := json.Marshal(jsonSCTObj)
return jsonSCT
}
type ctSubmissionRequest struct {
Chain []string `json:"chain"`
}
type integrationSrv struct {
submissions int64
key *ecdsa.PrivateKey
}
func (is *integrationSrv) handler(w http.ResponseWriter, r *http.Request) {
@ -47,14 +104,16 @@ func (is *integrationSrv) handler(w http.ResponseWriter, r *http.Request) {
return
}
leaf, err := base64.StdEncoding.DecodeString(addChainReq.Chain[0])
if err != nil {
w.WriteHeader(400)
return
}
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{
"sct_version":0,
"id":"KHYaGJAn++880NYaAY12sFBXKcenQRvMvfYE9F1CYVM=",
"timestamp":1337,
"extensions":"",
"signature":"BAMARjBEAiAka/W0eYq23Iaih2wB2CGrAqlo92KyQuuY6WWumi1eNwIgBirYV/wsJvmZfGP5NrNYoWGIx1VV6NaNBIaSXh9hiYA="
}`))
// id is a sha256 of a random EC key. Generate your own with:
// openssl ecparam -name prime256v1 -genkey -outform der | openssl sha256 -binary | base64
w.Write(createSignedSCT(leaf, is.key))
atomic.AddInt64(&is.submissions, 1)
case "/submissions":
if r.Method != "GET" {
@ -72,7 +131,16 @@ func (is *integrationSrv) handler(w http.ResponseWriter, r *http.Request) {
}
func main() {
is := integrationSrv{}
signingKey := "MHcCAQEEIOCtGlGt/WT7471dOHdfBg43uJWJoZDkZAQjWfTitcVNoAoGCCqGSM49AwEHoUQDQgAEYggOxPnPkzKBIhTacSYoIfnSL2jPugcbUKx83vFMvk5gKAz/AGe87w20riuPwEGn229hKVbEKHFB61NIqNHC3Q=="
decodedKey, _ := base64.StdEncoding.DecodeString(signingKey)
key, err := x509.ParseECPrivateKey(decodedKey)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to parse signing key: %s\n", err)
return
}
is := integrationSrv{key: key}
s := &http.Server{
Addr: "localhost:4500",
Handler: http.HandlerFunc(is.handler),

11
test/dns-test-srv/main.go
View File

@ -134,6 +134,17 @@ func (ts *testSrv) dnsHandler(w dns.ResponseWriter, r *dns.Msg) {
}
}
auth := new(dns.SOA)
auth.Hdr = dns.RR_Header{Name: "boulder.invalid.", Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: 0}
auth.Ns = "ns.boulder.invalid."
auth.Mbox = "master.boulder.invalid."
auth.Serial = 1
auth.Refresh = 1
auth.Retry = 1
auth.Expire = 1
auth.Minttl = 1
m.Ns = append(m.Ns, auth)
w.WriteMsg(m)
return
}

9
test/entrypoint.sh
View File

@ -12,10 +12,19 @@ while ! exec 6<>/dev/tcp/0.0.0.0/3306; do
sleep 1
done
# make sure we can reach the rabbitmq
while ! exec 6<>/dev/tcp/0.0.0.0/5672; do
echo "$(date) - still trying to connect to rabbitmq at 0.0.0.0:5672"
sleep 1
done
exec 6>&-
exec 6<&-
# create the database
source $DIR/create_db.sh
# Set up rabbitmq exchange and activity monitor queue
go run cmd/rabbitmq-setup/main.go -server amqp://localhost
$@

8
test/integration-test.py
View File

@ -201,12 +201,6 @@ def run_client_tests():
if subprocess.Popen(cmd, shell=True, cwd=root, executable='/bin/bash').wait() != 0:
die(ExitStatus.PythonFailure)
def check_activity_monitor():
"""Ensure that the activity monitor is running and received some messages."""
resp = urllib2.urlopen("http://localhost:8007/debug/vars")
debug_vars = json.loads(resp.read())
assert debug_vars['messages'] > 0, "Activity Monitor received zero messages."
@atexit.register
def cleanup():
import shutil
@ -271,8 +265,6 @@ def main():
if args.run_all or args.run_letsencrypt:
run_client_tests()
check_activity_monitor()
if not startservers.check():
die(ExitStatus.Error)
exit_status = ExitStatus.OK

6
test/policy_db_users.sql
View File

@ -19,8 +19,8 @@
-- and the CA and RA (for reads). So right now we have the one user that has
-- both read and write permission, even though it would be better to give only
-- read permission to CA and RA.
GRANT SELECT,INSERT,DELETE ON blacklist TO 'policy'@'127.0.0.1';
GRANT SELECT,INSERT,DELETE ON whitelist TO 'policy'@'127.0.0.1';
GRANT SELECT,INSERT,DELETE ON blacklist TO 'policy'@'localhost';
GRANT SELECT,INSERT,DELETE ON whitelist TO 'policy'@'localhost';
-- Test setup and teardown
GRANT ALL PRIVILEGES ON * to 'test_setup'@'127.0.0.1';
GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';

2
test/rate-limit-policies.yml
View File

@ -13,6 +13,8 @@ certificatesPerName:
le2.wtf: 10000
le3.wtf: 10000
nginx.wtf: 10000
good-caa-reserved.com: 10000
bad-caa-reserved.com: 10000
registrationOverrides:
101: 1000
registrationsPerIP:

52
test/sa_db_users.sql
View File

@ -15,43 +15,43 @@
-- the user exists and then drop the user.
-- Storage Authority
GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'127.0.0.1';
GRANT SELECT(id,Lockcol) ON pendingAuthorizations TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT ON certificates TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT ON issuedNames TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT ON sctReceipts TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'127.0.0.1';
GRANT INSERT ON ocspResponses TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'127.0.0.1';
GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'localhost';
GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'localhost';
GRANT SELECT(id,Lockcol) ON pendingAuthorizations TO 'sa'@'localhost';
GRANT SELECT,INSERT ON certificates TO 'sa'@'localhost';
GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'localhost';
GRANT SELECT,INSERT ON issuedNames TO 'sa'@'localhost';
GRANT SELECT,INSERT ON sctReceipts TO 'sa'@'localhost';
GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'localhost';
GRANT INSERT ON ocspResponses TO 'sa'@'localhost';
GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'localhost';
GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'localhost';
-- OCSP Responder
GRANT SELECT ON certificateStatus TO 'ocsp_resp'@'127.0.0.1';
GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'127.0.0.1';
GRANT SELECT ON certificateStatus TO 'ocsp_resp'@'localhost';
GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'localhost';
-- OCSP Generator Tool (Updater)
GRANT INSERT ON ocspResponses TO 'ocsp_update'@'127.0.0.1';
GRANT SELECT ON certificates TO 'ocsp_update'@'127.0.0.1';
GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'127.0.0.1';
GRANT SELECT ON sctReceipts TO 'ocsp_update'@'127.0.0.1';
GRANT INSERT ON ocspResponses TO 'ocsp_update'@'localhost';
GRANT SELECT ON certificates TO 'ocsp_update'@'localhost';
GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'localhost';
GRANT SELECT ON sctReceipts TO 'ocsp_update'@'localhost';
-- Revoker Tool
GRANT SELECT ON registrations TO 'revoker'@'127.0.0.1';
GRANT SELECT ON certificates TO 'revoker'@'127.0.0.1';
GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'127.0.0.1';
GRANT SELECT ON registrations TO 'revoker'@'localhost';
GRANT SELECT ON certificates TO 'revoker'@'localhost';
GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'localhost';
-- External Cert Importer
GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'127.0.0.1';
GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'127.0.0.1';
GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'localhost';
GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'localhost';
-- Expiration mailer
GRANT SELECT ON certificates TO 'mailer'@'127.0.0.1';
GRANT SELECT,UPDATE ON certificateStatus TO 'mailer'@'127.0.0.1';
GRANT SELECT ON certificates TO 'mailer'@'localhost';
GRANT SELECT,UPDATE ON certificateStatus TO 'mailer'@'localhost';
-- Cert checker
GRANT SELECT ON certificates TO 'cert_checker'@'127.0.0.1';
GRANT SELECT ON certificates TO 'cert_checker'@'localhost';
-- Test setup and teardown
GRANT ALL PRIVILEGES ON * to 'test_setup'@'127.0.0.1';
GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';

1
test/secrets/mailer_dburl Normal file
View File

@ -0,0 +1 @@
mysql+tcp://mailer@localhost:3306/boulder_sa_integration

1
test/startservers.py
View File

@ -63,7 +63,6 @@ def start(race_detection):
t.daemon = True
t.start()
progs = [
'activity-monitor',
'boulder-wfe',
'boulder-ra',
'boulder-sa',

13
va/validation-authority.go
View File

@ -94,7 +94,7 @@ func (va ValidationAuthorityImpl) getAddr(ctx context.Context, hostname string)
addrs, err := va.DNSResolver.LookupHost(ctx, hostname)
if err != nil {
va.log.Debug(fmt.Sprintf("%s DNS failure: %s", hostname, err))
problem := bdns.ProblemDetailsFromDNSError("A", hostname, err)
problem := bdns.ProblemDetailsFromDNSError(err)
return net.IP{}, nil, problem
}
@ -431,18 +431,21 @@ func (va *ValidationAuthorityImpl) validateDNS01(ctx context.Context, identifier
// Look for the required record in the DNS
challengeSubdomain := fmt.Sprintf("%s.%s", core.DNSPrefix, identifier.Value)
txts, err := va.DNSResolver.LookupTXT(ctx, challengeSubdomain)
txts, authorities, err := va.DNSResolver.LookupTXT(ctx, challengeSubdomain)
if err != nil {
va.log.Debug(fmt.Sprintf("%s [%s] DNS failure: %s", challenge.Type, identifier, err))
return nil, bdns.ProblemDetailsFromDNSError("TXT", challengeSubdomain, err)
return nil, bdns.ProblemDetailsFromDNSError(err)
}
for _, element := range txts {
if subtle.ConstantTimeCompare([]byte(element), []byte(authorizedKeysDigest)) == 1 {
// Successful challenge validation
return nil, nil
return []core.ValidationRecord{{
Authorities: authorities,
Hostname: identifier.Value,
}}, nil
}
}
@ -457,7 +460,7 @@ func (va *ValidationAuthorityImpl) checkCAA(ctx context.Context, identifier core
present, valid, err := va.checkCAARecords(ctx, identifier)
if err != nil {
va.log.Warning(fmt.Sprintf("Problem checking CAA: %s", err))
return bdns.ProblemDetailsFromDNSError("CAA", identifier.Value, err)
return bdns.ProblemDetailsFromDNSError(err)
}
// AUDIT[ Certificate Requests ] 11917fa4-10ef-4e0d-9105-bacbe7836a3c
va.log.Audit(fmt.Sprintf("Checked CAA records for %s, registration ID %d [Present: %t, Valid for issuance: %t]", identifier.Value, regID, present, valid))

42
va/validation-authority_test.go
View File

@ -222,7 +222,7 @@ func TestHTTP(t *testing.T) {
}
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{HTTPPort: badPort}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
_, prob := va.validateHTTP01(context.Background(), ident, chall)
if prob == nil {
@ -231,7 +231,7 @@ func TestHTTP(t *testing.T) {
test.AssertEquals(t, prob.Type, probs.ConnectionProblem)
va = NewValidationAuthorityImpl(&PortConfig{HTTPPort: goodPort}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
log.Clear()
t.Logf("Trying to validate: %+v\n", chall)
@ -315,7 +315,7 @@ func TestHTTPRedirectLookup(t *testing.T) {
test.AssertNotError(t, err, "failed to get test server port")
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{HTTPPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
log.Clear()
setChallengeToken(&chall, pathMoved)
@ -373,7 +373,7 @@ func TestHTTPRedirectLoop(t *testing.T) {
test.AssertNotError(t, err, "failed to get test server port")
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{HTTPPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
log.Clear()
_, prob := va.validateHTTP01(context.Background(), ident, chall)
@ -393,7 +393,7 @@ func TestHTTPRedirectUserAgent(t *testing.T) {
test.AssertNotError(t, err, "failed to get test server port")
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{HTTPPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
va.UserAgent = rejectUserAgent
setChallengeToken(&chall, pathMoved)
@ -435,7 +435,7 @@ func TestTLSSNI(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{TLSPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
log.Clear()
_, prob := va.validateTLSSNI01(context.Background(), ident, chall)
@ -507,7 +507,7 @@ func TestTLSError(t *testing.T) {
test.AssertNotError(t, err, "failed to get test server port")
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{TLSPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
_, prob := va.validateTLSSNI01(context.Background(), ident, chall)
if prob == nil {
@ -526,7 +526,7 @@ func TestValidateHTTP(t *testing.T) {
test.AssertNotError(t, err, "failed to get test server port")
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{HTTPPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -583,7 +583,7 @@ func TestValidateTLSSNI01(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{TLSPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -601,7 +601,7 @@ func TestValidateTLSSNI01(t *testing.T) {
func TestValidateTLSSNINotSane(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default()) // no calls made
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -623,7 +623,7 @@ func TestValidateTLSSNINotSane(t *testing.T) {
func TestUpdateValidations(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -650,13 +650,13 @@ func TestUpdateValidations(t *testing.T) {
func TestCAATimeout(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
va.IssuerDomain = "letsencrypt.org"
err := va.checkCAA(context.Background(), core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "caa-timeout.com"}, 101)
if err.Type != probs.ConnectionProblem {
t.Errorf("Expected timeout error type %s, got %s", probs.ConnectionProblem, err.Type)
}
expected := "DNS query timed out during CAA-record lookup of caa-timeout.com"
expected := "DNS problem: query timed out looking up CAA for always.timeout"
if err.Detail != expected {
t.Errorf("checkCAA: got %#v, expected %#v", err.Detail, expected)
}
@ -683,7 +683,7 @@ func TestCAAChecking(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
va.IssuerDomain = "letsencrypt.org"
for _, caaTest := range tests {
present, valid, err := va.CheckCAARecords(core.AcmeIdentifier{Type: "dns", Value: caaTest.Domain})
@ -713,7 +713,7 @@ func TestCAAChecking(t *testing.T) {
func TestDNSValidationFailure(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -750,7 +750,7 @@ func TestDNSValidationInvalid(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -764,7 +764,7 @@ func TestDNSValidationInvalid(t *testing.T) {
func TestDNSValidationNotSane(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -791,7 +791,7 @@ func TestDNSValidationNotSane(t *testing.T) {
func TestDNSValidationServFail(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -840,7 +840,7 @@ func TestDNSValidationNoServer(t *testing.T) {
func TestDNSValidationOK(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -874,7 +874,7 @@ func TestDNSValidationOK(t *testing.T) {
func TestDNSValidationLive(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -933,7 +933,7 @@ func TestCAAFailure(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{TLSPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA

13
wfe/jose.go
View File

@ -1,6 +1,7 @@
package wfe
import (
"crypto/ecdsa"
"crypto/rsa"
"fmt"
@ -9,10 +10,18 @@ import (
)
func algorithmForKey(key *jose.JsonWebKey) (string, error) {
// TODO(https://github.com/letsencrypt/boulder/issues/792): Support EC.
switch key.Key.(type) {
switch k := key.Key.(type) {
case *rsa.PublicKey:
return string(jose.RS256), nil
case *ecdsa.PublicKey:
switch k.Params().Name {
case "P-256":
return string(jose.ES256), nil
case "P-384":
return string(jose.ES384), nil
case "P-521":
return string(jose.ES512), nil
}
}
return "", core.SignatureValidationError("no signature algorithms suitable for given key type")
}

45
wfe/jose_test.go
View File

@ -2,6 +2,7 @@ package wfe
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa"
"testing"
@ -64,15 +65,6 @@ func TestCheckAlgorithm(t *testing.T) {
expectedErr string
expectedStat string
}{
{
jose.JsonWebKey{
Algorithm: "ES256",
Key: &ecdsa.PublicKey{},
},
jose.JsonWebSignature{},
"no signature algorithms suitable for given key type",
"WFE.Errors.NoAlgorithmForKey",
},
{
jose.JsonWebKey{
Algorithm: "HS256",
@ -173,4 +165,39 @@ func TestCheckAlgorithmSuccess(t *testing.T) {
if err != nil {
t.Errorf("RS256 key: Expected nil error, got '%s'", err)
}
_, err = checkAlgorithm(&jose.JsonWebKey{
Algorithm: "ES256",
Key: &ecdsa.PublicKey{
Curve: elliptic.P256(),
},
}, &jose.JsonWebSignature{
Signatures: []jose.Signature{
jose.Signature{
Header: jose.JoseHeader{
Algorithm: "ES256",
},
},
},
})
if err != nil {
t.Errorf("ES256 key: Expected nil error, got '%s'", err)
}
_, err = checkAlgorithm(&jose.JsonWebKey{
Key: &ecdsa.PublicKey{
Curve: elliptic.P256(),
},
}, &jose.JsonWebSignature{
Signatures: []jose.Signature{
jose.Signature{
Header: jose.JoseHeader{
Algorithm: "ES256",
},
},
},
})
if err != nil {
t.Errorf("ES256 key: Expected nil error, got '%s'", err)
}
}

12
wfe/web-front-end.go
View File

@ -75,6 +75,9 @@ type WebFrontEndImpl struct {
// Register of anti-replay nonces
nonceService *core.NonceService
// Key policy.
keyPolicy core.KeyPolicy
// Cache settings
CertCacheDuration time.Duration
CertNoCacheExpirationWindow time.Duration
@ -90,7 +93,7 @@ type WebFrontEndImpl struct {
}
// NewWebFrontEndImpl constructs a web service for Boulder
func NewWebFrontEndImpl(stats statsd.Statter, clk clock.Clock) (WebFrontEndImpl, error) {
func NewWebFrontEndImpl(stats statsd.Statter, clk clock.Clock, keyPolicy core.KeyPolicy) (WebFrontEndImpl, error) {
logger := blog.GetAuditLogger()
logger.Notice("Web Front End Starting")
@ -104,6 +107,7 @@ func NewWebFrontEndImpl(stats statsd.Statter, clk clock.Clock) (WebFrontEndImpl,
clk: clk,
nonceService: nonceService,
stats: stats,
keyPolicy: keyPolicy,
}, nil
}
@ -147,7 +151,7 @@ func (wfe *WebFrontEndImpl) HandleFunc(mux *http.ServeMux, pattern string, h wfe
switch request.Method {
case "HEAD":
// Go's net/http (and httptest) servers will strip our the body
// Go's net/http (and httptest) servers will strip out the body
// of responses for us. This keeps the Content-Length for HEAD
// requests as the same as GET requests per the spec.
case "OPTIONS":
@ -355,7 +359,7 @@ func (wfe *WebFrontEndImpl) verifyPOST(logEvent *requestEvent, request *http.Req
// When looking up keys from the registrations DB, we can be confident they
// are "good". But when we are verifying against any submitted key, we want
// to check its quality before doing the verify.
if err = core.GoodKey(submittedKey.Key); err != nil {
if err = wfe.keyPolicy.GoodKey(submittedKey.Key); err != nil {
wfe.stats.Inc("WFE.Errors.JWKRejectedByGoodKey", 1, 1.0)
logEvent.AddError("JWK in request was rejected by GoodKey: %s", err)
return nil, nil, reg, probs.Malformed(err.Error())
@ -719,7 +723,7 @@ func (wfe *WebFrontEndImpl) NewCertificate(logEvent *requestEvent, response http
// bytes on the wire, and (b) the CA logs all rejections as audit events, but
// a bad key from the client is just a malformed request and doesn't need to
// be audited.
if err := core.GoodKey(certificateRequest.CSR.PublicKey); err != nil {
if err := wfe.keyPolicy.GoodKey(certificateRequest.CSR.PublicKey); err != nil {
logEvent.AddError("CSR public key failed GoodKey: %s", err)
wfe.sendError(response, logEvent, probs.Malformed("Invalid key in certificate request :: %s", err), err)
return

84
wfe/web-front-end_test.go
View File

@ -7,6 +7,7 @@ package wfe
import (
"bytes"
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509"
"encoding/json"
@ -111,6 +112,32 @@ TkLlEeVOuQfxTadw05gzKX0jKkMC4igGxvEeilYc6NR6a4nvRulG84Q8VV9Sy9Ie
wk6Oiadty3eQqSBJv0HnpmiEdQVffIK5Pg4M8Dd+aOBnEkbopAJOuA==
-----END RSA PRIVATE KEY-----
`
testE1KeyPublicJSON = `{
"kty":"EC",
"crv":"P-256",
"x":"FwvSZpu06i3frSk_mz9HcD9nETn4wf3mQ-zDtG21Gao",
"y":"S8rR-0dWa8nAcw1fbunF_ajS3PQZ-QwLps-2adgLgPk"
}`
testE1KeyPrivatePEM = `
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIH+p32RUnqT/iICBEGKrLIWFcyButv0S0lU/BLPOyHn2oAoGCCqGSM49
AwEHoUQDQgAEFwvSZpu06i3frSk/mz9HcD9nETn4wf3mQ+zDtG21GapLytH7R1Zr
ycBzDV9u6cX9qNLc9Bn5DAumz7Zp2AuA+Q==
-----END EC PRIVATE KEY-----
`
testE2KeyPublicJSON = `{
"kty":"EC",
"crv":"P-256",
"x":"S8FOmrZ3ywj4yyFqt0etAD90U-EnkNaOBSLfQmf7pNg",
"y":"vMvpDyqFDRHjGfZ1siDOm5LS6xNdR5xTpyoQGLDOX2Q"
}`
testE2KeyPrivatePEM = `
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFRcPxQ989AY6se2RyIoF1ll9O6gHev4oY15SWJ+Jf5eoAoGCCqGSM49
AwEHoUQDQgAES8FOmrZ3ywj4yyFqt0etAD90U+EnkNaOBSLfQmf7pNi8y+kPKoUN
EeMZ9nWyIM6bktLrE11HnFOnKhAYsM5fZA==
-----END EC PRIVATE KEY-----`
)
type MockRegistrationAuthority struct{}
@ -197,10 +224,17 @@ func signRequest(t *testing.T, req string, nonceService *core.NonceService) stri
return ret
}
var testKeyPolicy = core.KeyPolicy{
AllowRSA: true,
AllowECDSANISTP256: true,
AllowECDSANISTP384: true,
}
func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock) {
fc := clock.NewFake()
stats, _ := statsd.NewNoopClient()
wfe, err := NewWebFrontEndImpl(stats, fc)
wfe, err := NewWebFrontEndImpl(stats, fc, testKeyPolicy)
test.AssertNotError(t, err, "Unable to create WFE")
wfe.NewReg = wfe.BaseURL + NewRegPath
@ -546,7 +580,7 @@ func TestIssueCertificate(t *testing.T) {
// TODO: Use a mock RA so we can test various conditions of authorized, not
// authorized, etc.
stats, _ := statsd.NewNoopClient(nil)
ra := ra.NewRegistrationAuthorityImpl(fc, wfe.log, stats, nil, cmd.RateLimitConfig{}, 0)
ra := ra.NewRegistrationAuthorityImpl(fc, wfe.log, stats, nil, cmd.RateLimitConfig{}, 0, testKeyPolicy)
ra.SA = mocks.NewStorageAuthority(fc)
ra.CA = &MockCA{}
ra.PA = &MockPA{}
@ -759,6 +793,52 @@ func TestBadNonce(t *testing.T) {
test.AssertEquals(t, responseWriter.Body.String(), `{"type":"urn:acme:error:badNonce","detail":"JWS has no anti-replay nonce","status":400}`)
}
func TestNewECDSARegistration(t *testing.T) {
wfe, _ := setupWFE(t)
// E1 always exists; E2 never exists
key, err := jose.LoadPrivateKey([]byte(testE2KeyPrivatePEM))
test.AssertNotError(t, err, "Failed to load key")
ecdsaKey, ok := key.(*ecdsa.PrivateKey)
test.Assert(t, ok, "Couldn't load ECDSA key")
signer, err := jose.NewSigner("ES256", ecdsaKey)
test.AssertNotError(t, err, "Failed to make signer")
signer.SetNonceSource(wfe.nonceService)
responseWriter := httptest.NewRecorder()
result, err := signer.Sign([]byte(`{"resource":"new-reg","contact":["tel:123456789"],"agreement":"` + agreementURL + `"}`))
test.AssertNotError(t, err, "Failed to sign")
wfe.NewRegistration(newRequestEvent(), responseWriter, makePostRequest(result.FullSerialize()))
var reg core.Registration
err = json.Unmarshal([]byte(responseWriter.Body.String()), &reg)
test.AssertNotError(t, err, "Couldn't unmarshal returned registration object")
test.Assert(t, len(reg.Contact) >= 1, "No contact field in registration")
test.AssertEquals(t, reg.Contact[0].String(), "tel:123456789")
test.AssertEquals(t, reg.Agreement, "http://example.invalid/terms")
test.AssertEquals(t, reg.InitialIP.String(), "1.1.1.1")
test.AssertEquals(t, responseWriter.Header().Get("Location"), "/acme/reg/0")
key, err = jose.LoadPrivateKey([]byte(testE1KeyPrivatePEM))
test.AssertNotError(t, err, "Failed to load key")
ecdsaKey, ok = key.(*ecdsa.PrivateKey)
test.Assert(t, ok, "Couldn't load ECDSA key")
signer, err = jose.NewSigner("ES256", ecdsaKey)
test.AssertNotError(t, err, "Failed to make signer")
signer.SetNonceSource(wfe.nonceService)
// Reset the body and status code
responseWriter = httptest.NewRecorder()
// POST, Valid JSON, Key already in use
result, err = signer.Sign([]byte(`{"resource":"new-reg","contact":["tel:123456789"],"agreement":"` + agreementURL + `"}`))
wfe.NewRegistration(newRequestEvent(), responseWriter, makePostRequest(result.FullSerialize()))
test.AssertEquals(t, responseWriter.Body.String(), `{"type":"urn:acme:error:malformed","detail":"Registration key is already in use","status":409}`)
test.AssertEquals(t, responseWriter.Header().Get("Location"), "/acme/reg/3")
test.AssertEquals(t, responseWriter.Code, 409)
}
func TestNewRegistration(t *testing.T) {
wfe, _ := setupWFE(t)
mux, err := wfe.Handler()