From 730318a7558c9f2323fd528d1ce5521289fc009d Mon Sep 17 00:00:00 2001
From: Roland Bracewell Shoemaker
Date: Mon, 8 May 2017 14:13:35 -0700
Subject: [PATCH] Add GREASE to directory (#2731)
Randomly generates and adds a key to the directory object with the value grease.
Fixes #2415.
---
 features/featureflag_string.go | 4 ++--
 features/features.go | 2 ++
 test/config-next/wfe.json | 3 ++-
 wfe/wfe.go | 12 ++++++++++++
 4 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/features/featureflag_string.go b/features/featureflag_string.go
index 94cff3c8d..2d62143ce 100644
--- a/features/featureflag_string.go
+++ b/features/featureflag_string.go
@@ -4,9 +4,9 @@ package features
 import "fmt"
-const _FeatureFlag_name = "unusedIDNASupportAllowAccountDeactivationAllowKeyRolloverResubmitMissingSCTsOnlyGoogleSafeBrowsingV4UseAIAIssuerURLAllowTLS02ChallengesGenerateOCSPEarlyCountCertificatesExactIPv6First"
+const _FeatureFlag_name = "unusedIDNASupportAllowAccountDeactivationAllowKeyRolloverResubmitMissingSCTsOnlyGoogleSafeBrowsingV4UseAIAIssuerURLAllowTLS02ChallengesGenerateOCSPEarlyCountCertificatesExactRandomDirectoryEntryIPv6First"
-var _FeatureFlag_index = [...]uint8{0, 6, 17, 41, 57, 80, 100, 115, 135, 152, 174, 183}
+var _FeatureFlag_index = [...]uint8{0, 6, 17, 41, 57, 80, 100, 115, 135, 152, 174, 194, 203}
 func (i FeatureFlag) String() string {
 if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {
diff --git a/features/features.go b/features/features.go
index dd6c3cc89..ec67bc72c 100644
--- a/features/features.go
+++ b/features/features.go
@@ -21,6 +21,7 @@ const (
 AllowTLS02Challenges
 GenerateOCSPEarly
 CountCertificatesExact
+ RandomDirectoryEntry
 IPv6First
 )
@@ -36,6 +37,7 @@ var features = map[FeatureFlag]bool{
 AllowTLS02Challenges: false,
 GenerateOCSPEarly: false,
 CountCertificatesExact: false,
+ RandomDirectoryEntry: false,
 IPv6First: false,
 }
diff --git a/test/config-next/wfe.json b/test/config-next/wfe.json
index cd0d9e86d..1f349db48 100644 
--- a/test/config-next/wfe.json
+++ b/test/config-next/wfe.json
@@ -32,7 +32,8 @@
 "features": {
 "AllowAccountDeactivation": true,
 "AllowKeyRollover": true,
- "UseAIAIssuerURL": true
+ "UseAIAIssuerURL": true,
+ "RandomDirectoryEntry": true
 }
 },
diff --git a/wfe/wfe.go b/wfe/wfe.go
index 945356059..b3edf4282 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -262,6 +262,8 @@ func (wfe *WebFrontEndImpl) relativeEndpoint(request *http.Request, endpoint str
 return result
 }
+const randomDirKeyExplanationLink = "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
+
 func (wfe *WebFrontEndImpl) relativeDirectory(request *http.Request, directory map[string]string) ([]byte, error) {
 // Create an empty map sized equal to the provided directory to store the
 // relative-ized result
@@ -272,6 +274,9 @@ func (wfe *WebFrontEndImpl) relativeDirectory(request *http.Request, directory m
 // the `BaseURL`. Otherwise, prefix each endpoint using the request protocol
 // & host.
 for k, v := range directory {
+ if features.Enabled(features.RandomDirectoryEntry) && v == randomDirKeyExplanationLink {
+ continue
+ }
 relativeDir[k] = wfe.relativeEndpoint(request, v)
 }
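Review bot: The `continue` added inside the `for k, v := range directory` loop skips the only write to `relativeDir`, so an entry whose value is `randomDirKeyExplanationLink` is dropped from the relativized map instead of being passed through, and the entry that the later `Directory` hunk inserts under a random key would then never reach the serialized response. The intent appears to be to keep the absolute link unprefixed, so the branch should copy it before skipping: `relativeDir[k] = v` followed by `continue`. The body of `relativeDirectory` starts before this hunk (the map is created in the preceding hunk's context as empty), so this holds unless `relativeDir` is populated somewhere not visible here. Matching the special case on the value rather than on a known key is also easy to misread; a comment such as `// the random GREASE entry is an absolute link and must not be relativized` at the `if` would make the intent explicit.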
@@ -373,6 +378,13 @@ func (wfe *WebFrontEndImpl) Directory(ctx context.Context, logEvent *requestEven
 // field on a User-Agent header that doesn't start with 'LetsEncryptPythonClient'
 directoryEndpoints["key-change"] = rolloverPath
 }
+ if features.Enabled(features.RandomDirectoryEntry) && !strings.HasPrefix(request.UserAgent(), "LetsEncryptPythonClient") {
+ // Add a random key to the directory in order to make sure that clients don't hardcode an
+ // expected set of keys. This ensures that we can properly extend the directory when we
+ // need to add a new endpoint or meta element. Gate on UA not being one of the pre-0.6.0
+ // Certbot clients that we know will be broken by this change.
+ directoryEndpoints[core.RandomString(8)] = randomDirKeyExplanationLink
+ }
 response.Header().Set("Content-Type", "application/json")