Merge branch 'master' into more-revoker

This commit is contained in:
Jeff Hodges 2016-01-04 17:02:51 -08:00
commit 9913eb61ba
37 changed files with 1249 additions and 279 deletions


@ -1,7 +1,7 @@
# Contributing to Boulder
> **Note:** We are currently in a *General Availability* only merge window, meaning
> we will only be reviewing & merging patches which close a issue tagged with the *General
> we will only be reviewing & merging patches which close an issue tagged with the *General
> Availability* milestone.
Thanks for helping us build Boulder, if you haven't already had a chance to look


@ -214,7 +214,7 @@ Notes:
* 7-8: WFE does the following:
* Create a URL from the certificate's serial number
* Return the certificate with it's URL
* Return the certificate with its URL
## Revoke Certificate
@ -244,4 +244,4 @@ Notes:
* Log the success or failure of the revocation
* 5-6: WFE does the following:
* Return an indication of the sucess or failure of the revocation
* Return an indication of the success or failure of the revocation

49
Godeps/Godeps.json generated

@ -1,6 +1,6 @@
{
"ImportPath": "github.com/letsencrypt/boulder",
"GoVersion": "go1.5.1",
"GoVersion": "go1.5.2",
"Packages": [
"./..."
],
@ -12,58 +12,58 @@
},
{
"ImportPath": "github.com/cloudflare/cfssl/auth",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/config",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/crypto/pkcs11key",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/crypto/pkcs7",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/csr",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/errors",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/helpers",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/info",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/log",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/ocsp",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/cloudflare/cfssl/signer",
"Comment": "1.1.0-237-g4f2d8d1",
"Rev": "4f2d8d1740dca01033b1568c17324e146a004e40"
"Comment": "1.1.0-268-ge32101b",
"Rev": "e32101b1ae6cb0e1f1653c8ebec92c0113908136"
},
{
"ImportPath": "github.com/codegangsta/cli",
@ -141,6 +141,9 @@
"Rev": "beef0f4390813b96e8e68fd78570396d0f4751fc"
},
{
"ImportPath": "golang.org/x/net/context",
"Rev": "ce84af2e5bf21582345e478b116afc7d4efaba3d"
},
"ImportPath": "gopkg.in/gorp.v1",
"Comment": "v1.7.1",
"Rev": "c87af80f3cc5036b55b83d77171e156791085e2e"


@ -77,6 +77,7 @@ type SigningProfile struct {
NameWhitelistString string `json:"name_whitelist"`
AuthRemote AuthRemote `json:"auth_remote"`
CTLogServers []string `json:"ct_log_servers"`
AllowedExtensions []OID `json:"allowed_extensions"`
Policies []CertificatePolicy
Expiry time.Duration
@ -86,6 +87,7 @@ type SigningProfile struct {
RemoteServer string
CSRWhitelist *CSRWhitelist
NameWhitelist *regexp.Regexp
ExtensionWhitelist map[string]bool
ClientProvidesSerialNumbers bool
}
@ -264,6 +266,11 @@ func (p *SigningProfile) populate(cfg *Config) error {
p.NameWhitelist = rule
}
p.ExtensionWhitelist = map[string]bool{}
for _, oid := range p.AllowedExtensions {
p.ExtensionWhitelist[asn1.ObjectIdentifier(oid).String()] = true
}
return nil
}


@ -24,10 +24,9 @@ func setIfPresent(val url.Values, k string, target *string) {
// ErrInvalidURI is returned if the PKCS #11 URI is invalid.
var ErrInvalidURI = errors.New(errors.PrivateKeyError, errors.ParseFailed)
// ParsePKCS11URI parses a PKCS #11 URI into a PKCS #11
// configuration. Note that the module path will override the module
// name if present.
func ParsePKCS11URI(uri string) (*pkcs11key.Config, error) {
// Parse parses a PKCS #11 URI into a PKCS #11 configuration. Note that
// the module path will override the module name if present.
func Parse(uri string) (*pkcs11key.Config, error) {
u, err := url.Parse(uri)
if err != nil || u.Scheme != "pkcs11" {
return nil, ErrInvalidURI


@ -7,6 +7,7 @@ import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/hex"
"encoding/pem"
"errors"
"fmt"
@ -260,6 +261,26 @@ func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
safeTemplate.SerialNumber = serialNumber
}
if len(req.Extensions) > 0 {
for _, ext := range req.Extensions {
oid := asn1.ObjectIdentifier(ext.ID)
if !profile.ExtensionWhitelist[oid.String()] {
return nil, cferr.New(cferr.CertificateError, cferr.InvalidRequest)
}
rawValue, err := hex.DecodeString(ext.Value)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.InvalidRequest, err)
}
safeTemplate.ExtraExtensions = append(safeTemplate.ExtraExtensions, pkix.Extension{
Id: oid,
Critical: ext.Critical,
Value: rawValue,
})
}
}
var certTBS = safeTemplate
if len(profile.CTLogServers) > 0 {


@ -32,15 +32,29 @@ type Subject struct {
Names []csr.Name `json:"names"`
}
// Extension represents a raw extension to be included in the certificate. The
// "value" field must be hex encoded.
type Extension struct {
ID config.OID `json:"id"`
Critical bool `json:"critical"`
Value string `json:"value"`
}
// SignRequest stores a signature request, which contains the hostname,
// the CSR, optional subject information, and the signature profile.
//
// Extensions provided in the signRequest are copied into the certificate, as
// long as they are in the ExtensionWhitelist for the signer's policy.
// Extensions requested in the CSR are ignored, except for those processed by
// ParseCertificateRequest (mainly subjectAltName).
type SignRequest struct {
Hosts []string `json:"hosts"`
Request string `json:"certificate_request"`
Subject *Subject `json:"subject,omitempty"`
Profile string `json:"profile"`
Label string `json:"label"`
Serial *big.Int `json:"serial,omitempty"`
Hosts []string `json:"hosts"`
Request string `json:"certificate_request"`
Subject *Subject `json:"subject,omitempty"`
Profile string `json:"profile"`
Label string `json:"label"`
Serial *big.Int `json:"serial,omitempty"`
Extensions []Extension `json:"extensions,omitempty"`
}
// appendIf appends to a if s is not an empty string.


@ -0,0 +1,447 @@
// Copyright 2014 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package context defines the Context type, which carries deadlines,
// cancelation signals, and other request-scoped values across API boundaries
// and between processes.
//
// Incoming requests to a server should create a Context, and outgoing calls to
// servers should accept a Context. The chain of function calls between must
// propagate the Context, optionally replacing it with a modified copy created
// using WithDeadline, WithTimeout, WithCancel, or WithValue.
//
// Programs that use Contexts should follow these rules to keep interfaces
// consistent across packages and enable static analysis tools to check context
// propagation:
//
// Do not store Contexts inside a struct type; instead, pass a Context
// explicitly to each function that needs it. The Context should be the first
// parameter, typically named ctx:
//
// func DoSomething(ctx context.Context, arg Arg) error {
// // ... use ctx ...
// }
//
// Do not pass a nil Context, even if a function permits it. Pass context.TODO
// if you are unsure about which Context to use.
//
// Use context Values only for request-scoped data that transits processes and
// APIs, not for passing optional parameters to functions.
//
// The same Context may be passed to functions running in different goroutines;
// Contexts are safe for simultaneous use by multiple goroutines.
//
// See http://blog.golang.org/context for example code for a server that uses
// Contexts.
package context
import (
"errors"
"fmt"
"sync"
"time"
)
// A Context carries a deadline, a cancelation signal, and other values across
// API boundaries.
//
// Context's methods may be called by multiple goroutines simultaneously.
type Context interface {
// Deadline returns the time when work done on behalf of this context
// should be canceled. Deadline returns ok==false when no deadline is
// set. Successive calls to Deadline return the same results.
Deadline() (deadline time.Time, ok bool)
// Done returns a channel that's closed when work done on behalf of this
// context should be canceled. Done may return nil if this context can
// never be canceled. Successive calls to Done return the same value.
//
// WithCancel arranges for Done to be closed when cancel is called;
// WithDeadline arranges for Done to be closed when the deadline
// expires; WithTimeout arranges for Done to be closed when the timeout
// elapses.
//
// Done is provided for use in select statements:
//
// // Stream generates values with DoSomething and sends them to out
// // until DoSomething returns an error or ctx.Done is closed.
// func Stream(ctx context.Context, out <-chan Value) error {
// for {
// v, err := DoSomething(ctx)
// if err != nil {
// return err
// }
// select {
// case <-ctx.Done():
// return ctx.Err()
// case out <- v:
// }
// }
// }
//
// See http://blog.golang.org/pipelines for more examples of how to use
// a Done channel for cancelation.
Done() <-chan struct{}
// Err returns a non-nil error value after Done is closed. Err returns
// Canceled if the context was canceled or DeadlineExceeded if the
// context's deadline passed. No other values for Err are defined.
// After Done is closed, successive calls to Err return the same value.
Err() error
// Value returns the value associated with this context for key, or nil
// if no value is associated with key. Successive calls to Value with
// the same key returns the same result.
//
// Use context values only for request-scoped data that transits
// processes and API boundaries, not for passing optional parameters to
// functions.
//
// A key identifies a specific value in a Context. Functions that wish
// to store values in Context typically allocate a key in a global
// variable then use that key as the argument to context.WithValue and
// Context.Value. A key can be any type that supports equality;
// packages should define keys as an unexported type to avoid
// collisions.
//
// Packages that define a Context key should provide type-safe accessors
// for the values stores using that key:
//
// // Package user defines a User type that's stored in Contexts.
// package user
//
// import "golang.org/x/net/context"
//
// // User is the type of value stored in the Contexts.
// type User struct {...}
//
// // key is an unexported type for keys defined in this package.
// // This prevents collisions with keys defined in other packages.
// type key int
//
// // userKey is the key for user.User values in Contexts. It is
// // unexported; clients use user.NewContext and user.FromContext
// // instead of using this key directly.
// var userKey key = 0
//
// // NewContext returns a new Context that carries value u.
// func NewContext(ctx context.Context, u *User) context.Context {
// return context.WithValue(ctx, userKey, u)
// }
//
// // FromContext returns the User value stored in ctx, if any.
// func FromContext(ctx context.Context) (*User, bool) {
// u, ok := ctx.Value(userKey).(*User)
// return u, ok
// }
Value(key interface{}) interface{}
}
// Canceled is the error returned by Context.Err when the context is canceled.
var Canceled = errors.New("context canceled")
// DeadlineExceeded is the error returned by Context.Err when the context's
// deadline passes.
var DeadlineExceeded = errors.New("context deadline exceeded")
// An emptyCtx is never canceled, has no values, and has no deadline. It is not
// struct{}, since vars of this type must have distinct addresses.
type emptyCtx int
func (*emptyCtx) Deadline() (deadline time.Time, ok bool) {
return
}
func (*emptyCtx) Done() <-chan struct{} {
return nil
}
func (*emptyCtx) Err() error {
return nil
}
func (*emptyCtx) Value(key interface{}) interface{} {
return nil
}
func (e *emptyCtx) String() string {
switch e {
case background:
return "context.Background"
case todo:
return "context.TODO"
}
return "unknown empty Context"
}
var (
background = new(emptyCtx)
todo = new(emptyCtx)
)
// Background returns a non-nil, empty Context. It is never canceled, has no
// values, and has no deadline. It is typically used by the main function,
// initialization, and tests, and as the top-level Context for incoming
// requests.
func Background() Context {
return background
}
// TODO returns a non-nil, empty Context. Code should use context.TODO when
// it's unclear which Context to use or it's is not yet available (because the
// surrounding function has not yet been extended to accept a Context
// parameter). TODO is recognized by static analysis tools that determine
// whether Contexts are propagated correctly in a program.
func TODO() Context {
return todo
}
// A CancelFunc tells an operation to abandon its work.
// A CancelFunc does not wait for the work to stop.
// After the first call, subsequent calls to a CancelFunc do nothing.
type CancelFunc func()
// WithCancel returns a copy of parent with a new Done channel. The returned
// context's Done channel is closed when the returned cancel function is called
// or when the parent context's Done channel is closed, whichever happens first.
//
// Canceling this context releases resources associated with it, so code should
// call cancel as soon as the operations running in this Context complete.
func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
c := newCancelCtx(parent)
propagateCancel(parent, &c)
return &c, func() { c.cancel(true, Canceled) }
}
// newCancelCtx returns an initialized cancelCtx.
func newCancelCtx(parent Context) cancelCtx {
return cancelCtx{
Context: parent,
done: make(chan struct{}),
}
}
// propagateCancel arranges for child to be canceled when parent is.
func propagateCancel(parent Context, child canceler) {
if parent.Done() == nil {
return // parent is never canceled
}
if p, ok := parentCancelCtx(parent); ok {
p.mu.Lock()
if p.err != nil {
// parent has already been canceled
child.cancel(false, p.err)
} else {
if p.children == nil {
p.children = make(map[canceler]bool)
}
p.children[child] = true
}
p.mu.Unlock()
} else {
go func() {
select {
case <-parent.Done():
child.cancel(false, parent.Err())
case <-child.Done():
}
}()
}
}
// parentCancelCtx follows a chain of parent references until it finds a
// *cancelCtx. This function understands how each of the concrete types in this
// package represents its parent.
func parentCancelCtx(parent Context) (*cancelCtx, bool) {
for {
switch c := parent.(type) {
case *cancelCtx:
return c, true
case *timerCtx:
return &c.cancelCtx, true
case *valueCtx:
parent = c.Context
default:
return nil, false
}
}
}
// removeChild removes a context from its parent.
func removeChild(parent Context, child canceler) {
p, ok := parentCancelCtx(parent)
if !ok {
return
}
p.mu.Lock()
if p.children != nil {
delete(p.children, child)
}
p.mu.Unlock()
}
// A canceler is a context type that can be canceled directly. The
// implementations are *cancelCtx and *timerCtx.
type canceler interface {
cancel(removeFromParent bool, err error)
Done() <-chan struct{}
}
// A cancelCtx can be canceled. When canceled, it also cancels any children
// that implement canceler.
type cancelCtx struct {
Context
done chan struct{} // closed by the first cancel call.
mu sync.Mutex
children map[canceler]bool // set to nil by the first cancel call
err error // set to non-nil by the first cancel call
}
func (c *cancelCtx) Done() <-chan struct{} {
return c.done
}
func (c *cancelCtx) Err() error {
c.mu.Lock()
defer c.mu.Unlock()
return c.err
}
func (c *cancelCtx) String() string {
return fmt.Sprintf("%v.WithCancel", c.Context)
}
// cancel closes c.done, cancels each of c's children, and, if
// removeFromParent is true, removes c from its parent's children.
func (c *cancelCtx) cancel(removeFromParent bool, err error) {
if err == nil {
panic("context: internal error: missing cancel error")
}
c.mu.Lock()
if c.err != nil {
c.mu.Unlock()
return // already canceled
}
c.err = err
close(c.done)
for child := range c.children {
// NOTE: acquiring the child's lock while holding parent's lock.
child.cancel(false, err)
}
c.children = nil
c.mu.Unlock()
if removeFromParent {
removeChild(c.Context, c)
}
}
// WithDeadline returns a copy of the parent context with the deadline adjusted
// to be no later than d. If the parent's deadline is already earlier than d,
// WithDeadline(parent, d) is semantically equivalent to parent. The returned
// context's Done channel is closed when the deadline expires, when the returned
// cancel function is called, or when the parent context's Done channel is
// closed, whichever happens first.
//
// Canceling this context releases resources associated with it, so code should
// call cancel as soon as the operations running in this Context complete.
func WithDeadline(parent Context, deadline time.Time) (Context, CancelFunc) {
if cur, ok := parent.Deadline(); ok && cur.Before(deadline) {
// The current deadline is already sooner than the new one.
return WithCancel(parent)
}
c := &timerCtx{
cancelCtx: newCancelCtx(parent),
deadline: deadline,
}
propagateCancel(parent, c)
d := deadline.Sub(time.Now())
if d <= 0 {
c.cancel(true, DeadlineExceeded) // deadline has already passed
return c, func() { c.cancel(true, Canceled) }
}
c.mu.Lock()
defer c.mu.Unlock()
if c.err == nil {
c.timer = time.AfterFunc(d, func() {
c.cancel(true, DeadlineExceeded)
})
}
return c, func() { c.cancel(true, Canceled) }
}
// A timerCtx carries a timer and a deadline. It embeds a cancelCtx to
// implement Done and Err. It implements cancel by stopping its timer then
// delegating to cancelCtx.cancel.
type timerCtx struct {
cancelCtx
timer *time.Timer // Under cancelCtx.mu.
deadline time.Time
}
func (c *timerCtx) Deadline() (deadline time.Time, ok bool) {
return c.deadline, true
}
func (c *timerCtx) String() string {
return fmt.Sprintf("%v.WithDeadline(%s [%s])", c.cancelCtx.Context, c.deadline, c.deadline.Sub(time.Now()))
}
func (c *timerCtx) cancel(removeFromParent bool, err error) {
c.cancelCtx.cancel(false, err)
if removeFromParent {
// Remove this timerCtx from its parent cancelCtx's children.
removeChild(c.cancelCtx.Context, c)
}
c.mu.Lock()
if c.timer != nil {
c.timer.Stop()
c.timer = nil
}
c.mu.Unlock()
}
// WithTimeout returns WithDeadline(parent, time.Now().Add(timeout)).
//
// Canceling this context releases resources associated with it, so code should
// call cancel as soon as the operations running in this Context complete:
//
// func slowOperationWithTimeout(ctx context.Context) (Result, error) {
// ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
// defer cancel() // releases resources if slowOperation completes before timeout elapses
// return slowOperation(ctx)
// }
func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
return WithDeadline(parent, time.Now().Add(timeout))
}
// WithValue returns a copy of parent in which the value associated with key is
// val.
//
// Use context Values only for request-scoped data that transits processes and
// APIs, not for passing optional parameters to functions.
func WithValue(parent Context, key interface{}, val interface{}) Context {
return &valueCtx{parent, key, val}
}
// A valueCtx carries a key-value pair. It implements Value for that key and
// delegates all other calls to the embedded Context.
type valueCtx struct {
Context
key, val interface{}
}
func (c *valueCtx) String() string {
return fmt.Sprintf("%v.WithValue(%#v, %#v)", c.Context, c.key, c.val)
}
func (c *valueCtx) Value(key interface{}) interface{} {
if c.key == key {
return c.val
}
return c.Context.Value(key)
}


@ -0,0 +1,18 @@
// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build go1.5
package ctxhttp
import "net/http"
func canceler(client *http.Client, req *http.Request) func() {
ch := make(chan struct{})
req.Cancel = ch
return func() {
close(ch)
}
}


@ -0,0 +1,23 @@
// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build !go1.5
package ctxhttp
import "net/http"
type requestCanceler interface {
CancelRequest(*http.Request)
}
func canceler(client *http.Client, req *http.Request) func() {
rc, ok := client.Transport.(requestCanceler)
if !ok {
return func() {}
}
return func() {
rc.CancelRequest(req)
}
}


@ -0,0 +1,79 @@
// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package ctxhttp provides helper functions for performing context-aware HTTP requests.
package ctxhttp
import (
"io"
"net/http"
"net/url"
"strings"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
)
// Do sends an HTTP request with the provided http.Client and returns an HTTP response.
// If the client is nil, http.DefaultClient is used.
// If the context is canceled or times out, ctx.Err() will be returned.
func Do(ctx context.Context, client *http.Client, req *http.Request) (*http.Response, error) {
if client == nil {
client = http.DefaultClient
}
// Request cancelation changed in Go 1.5, see cancelreq.go and cancelreq_go14.go.
cancel := canceler(client, req)
type responseAndError struct {
resp *http.Response
err error
}
result := make(chan responseAndError, 1)
go func() {
resp, err := client.Do(req)
result <- responseAndError{resp, err}
}()
select {
case <-ctx.Done():
cancel()
return nil, ctx.Err()
case r := <-result:
return r.resp, r.err
}
}
// Get issues a GET request via the Do function.
func Get(ctx context.Context, client *http.Client, url string) (*http.Response, error) {
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return nil, err
}
return Do(ctx, client, req)
}
// Head issues a HEAD request via the Do function.
func Head(ctx context.Context, client *http.Client, url string) (*http.Response, error) {
req, err := http.NewRequest("HEAD", url, nil)
if err != nil {
return nil, err
}
return Do(ctx, client, req)
}
// Post issues a POST request via the Do function.
func Post(ctx context.Context, client *http.Client, url string, bodyType string, body io.Reader) (*http.Response, error) {
req, err := http.NewRequest("POST", url, body)
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", bodyType)
return Do(ctx, client, req)
}
// PostForm issues a POST request via the Do function.
func PostForm(ctx context.Context, client *http.Client, url string, data url.Values) (*http.Response, error) {
return Post(ctx, client, url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
}


@ -12,7 +12,9 @@ import (
"strings"
"time"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/metrics"
)
@ -114,19 +116,21 @@ var (
}
)
// DNSResolver defines methods used for DNS resolution
// DNSResolver queries for DNS records
type DNSResolver interface {
LookupTXT(string) ([]string, error)
LookupHost(string) ([]net.IP, error)
LookupCAA(string) ([]*dns.CAA, error)
LookupMX(string) ([]string, error)
LookupTXT(context.Context, string) ([]string, error)
LookupHost(context.Context, string) ([]net.IP, error)
LookupCAA(context.Context, string) ([]*dns.CAA, error)
LookupMX(context.Context, string) ([]string, error)
}
// DNSResolverImpl represents a client that talks to an external resolver
type DNSResolverImpl struct {
DNSClient *dns.Client
DNSClient exchanger
Servers []string
allowRestrictedAddresses bool
maxTries int
clk clock.Clock
stats metrics.Scope
txtStats metrics.Scope
aStats metrics.Scope
@ -136,9 +140,14 @@ type DNSResolverImpl struct {
var _ DNSResolver = &DNSResolverImpl{}
type exchanger interface {
Exchange(m *dns.Msg, a string) (*dns.Msg, time.Duration, error)
}
// NewDNSResolverImpl constructs a new DNS resolver object that utilizes the
// provided list of DNS servers for resolution.
func NewDNSResolverImpl(readTimeout time.Duration, servers []string, stats metrics.Scope) *DNSResolverImpl {
func NewDNSResolverImpl(readTimeout time.Duration, servers []string, stats metrics.Scope, clk clock.Clock, maxTries int) *DNSResolverImpl {
// TODO(jmhodges): make constructor use an Option func pattern
dnsClient := new(dns.Client)
// Set timeout for underlying net.Conn
@ -149,19 +158,21 @@ func NewDNSResolverImpl(readTimeout time.Duration, servers []string, stats metri
DNSClient: dnsClient,
Servers: servers,
allowRestrictedAddresses: false,
stats: stats,
txtStats: stats.NewScope("TXT"),
aStats: stats.NewScope("A"),
caaStats: stats.NewScope("CAA"),
mxStats: stats.NewScope("MX"),
maxTries: maxTries,
clk: clk,
stats: stats,
txtStats: stats.NewScope("TXT"),
aStats: stats.NewScope("A"),
caaStats: stats.NewScope("CAA"),
mxStats: stats.NewScope("MX"),
}
}
// NewTestDNSResolverImpl constructs a new DNS resolver object that utilizes the
// provided list of DNS servers for resolution and will allow loopback addresses.
// This constructor should *only* be called from tests (unit or integration).
func NewTestDNSResolverImpl(readTimeout time.Duration, servers []string, stats metrics.Scope) *DNSResolverImpl {
resolver := NewDNSResolverImpl(readTimeout, servers, stats)
func NewTestDNSResolverImpl(readTimeout time.Duration, servers []string, stats metrics.Scope, clk clock.Clock, maxTries int) *DNSResolverImpl {
resolver := NewDNSResolverImpl(readTimeout, servers, stats, clk, maxTries)
resolver.allowRestrictedAddresses = true
return resolver
}
@ -170,7 +181,7 @@ func NewTestDNSResolverImpl(readTimeout time.Duration, servers []string, stats m
// out of the server list, returning the response, time, and error (if any).
// This method sets the DNSSEC OK bit on the message to true before sending
// it to the resolver in case validation isn't the resolvers default behaviour.
func (dnsResolver *DNSResolverImpl) exchangeOne(hostname string, qtype uint16, msgStats metrics.Scope) (rsp *dns.Msg, err error) {
func (dnsResolver *DNSResolverImpl) exchangeOne(ctx context.Context, hostname string, qtype uint16, msgStats metrics.Scope) (*dns.Msg, error) {
m := new(dns.Msg)
// Set question type
m.SetQuestion(dns.Fqdn(hostname), qtype)
@ -178,8 +189,7 @@ func (dnsResolver *DNSResolverImpl) exchangeOne(hostname string, qtype uint16, m
m.SetEdns0(4096, true)
if len(dnsResolver.Servers) < 1 {
err = fmt.Errorf("Not configured with at least one DNS Server")
return
return nil, fmt.Errorf("Not configured with at least one DNS Server")
}
dnsResolver.stats.Inc("Rate", 1)
@ -187,21 +197,58 @@ func (dnsResolver *DNSResolverImpl) exchangeOne(hostname string, qtype uint16, m
// Randomly pick a server
chosenServer := dnsResolver.Servers[rand.Intn(len(dnsResolver.Servers))]
msg, rtt, err := dnsResolver.DNSClient.Exchange(m, chosenServer)
msgStats.TimingDuration("RTT", rtt)
if err == nil {
msgStats.Inc("Successes", 1)
} else {
msgStats.Inc("Errors", 1)
client := dnsResolver.DNSClient
tries := 1
start := dnsResolver.clk.Now()
msgStats.Inc("Calls", 1)
defer msgStats.TimingDuration("Latency", dnsResolver.clk.Now().Sub(start))
for {
msgStats.Inc("Tries", 1)
ch := make(chan dnsResp, 1)
go func() {
rsp, rtt, err := client.Exchange(m, chosenServer)
msgStats.TimingDuration("SingleTryLatency", rtt)
ch <- dnsResp{m: rsp, err: err}
}()
select {
case <-ctx.Done():
msgStats.Inc("Cancels", 1)
msgStats.Inc("Errors", 1)
return nil, ctx.Err()
case r := <-ch:
if r.err != nil {
msgStats.Inc("Errors", 1)
operr, ok := r.err.(*net.OpError)
isRetryable := ok && operr.Temporary()
hasRetriesLeft := tries < dnsResolver.maxTries
if isRetryable && hasRetriesLeft {
tries++
continue
} else if isRetryable && !hasRetriesLeft {
msgStats.Inc("RanOutOfTries", 1)
}
} else {
msgStats.Inc("Successes", 1)
}
return r.m, r.err
}
}
return msg, err
}
// LookupTXT sends a DNS query to find all TXT records associated with
// the provided hostname.
func (dnsResolver *DNSResolverImpl) LookupTXT(hostname string) ([]string, error) {
type dnsResp struct {
m *dns.Msg
err error
}
// LookupTXT sends a DNS query to find all TXT records associated with the
// provided hostname. It will retry requests in the case of temporary network
// errors. It can return net package, context.Canceled, and
// context.DeadlineExceeded errors.
func (dnsResolver *DNSResolverImpl) LookupTXT(ctx context.Context, hostname string) ([]string, error) {
var txt []string
r, err := dnsResolver.exchangeOne(hostname, dns.TypeTXT, dnsResolver.txtStats)
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeTXT, dnsResolver.txtStats)
if err != nil {
return nil, err
}
@ -230,13 +277,15 @@ func isPrivateV4(ip net.IP) bool {
return false
}
// LookupHost sends a DNS query to find all A records associated with the provided
// hostname. This method assumes that the external resolver will chase CNAME/DNAME
// aliases and return relevant A records.
func (dnsResolver *DNSResolverImpl) LookupHost(hostname string) ([]net.IP, error) {
// LookupHost sends a DNS query to find all A records associated with the
// provided hostname. This method assumes that the external resolver will chase
// CNAME/DNAME aliases and return relevant A records. It will retry requests in
// the case of temporary network errors. It can return net package,
// context.Canceled, and context.DeadlineExceeded errors.
func (dnsResolver *DNSResolverImpl) LookupHost(ctx context.Context, hostname string) ([]net.IP, error) {
var addrs []net.IP
r, err := dnsResolver.exchangeOne(hostname, dns.TypeA, dnsResolver.aStats)
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeA, dnsResolver.aStats)
if err != nil {
return addrs, err
}
@ -256,11 +305,13 @@ func (dnsResolver *DNSResolverImpl) LookupHost(hostname string) ([]net.IP, error
return addrs, nil
}
// LookupCAA sends a DNS query to find all CAA records associated with
// the provided hostname. If the response code from the resolver is
// SERVFAIL an empty slice of CAA records is returned.
func (dnsResolver *DNSResolverImpl) LookupCAA(hostname string) ([]*dns.CAA, error) {
r, err := dnsResolver.exchangeOne(hostname, dns.TypeCAA, dnsResolver.caaStats)
// LookupCAA sends a DNS query to find all CAA records associated with the
// provided hostname. If the response code from the resolver is SERVFAIL an
// empty slice of CAA records is returned. It will retry requests in the case
// of temporary network errors. It can return net package, context.Canceled, and
// context.DeadlineExceeded errors.
func (dnsResolver *DNSResolverImpl) LookupCAA(ctx context.Context, hostname string) ([]*dns.CAA, error) {
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeCAA, dnsResolver.caaStats)
if err != nil {
return nil, err
}
@ -282,10 +333,12 @@ func (dnsResolver *DNSResolverImpl) LookupCAA(hostname string) ([]*dns.CAA, erro
return CAAs, nil
}
// LookupMX sends a DNS query to find a MX record associated hostname and returns the
// record target.
func (dnsResolver *DNSResolverImpl) LookupMX(hostname string) ([]string, error) {
r, err := dnsResolver.exchangeOne(hostname, dns.TypeMX, dnsResolver.mxStats)
// LookupMX sends a DNS query to find a MX record associated hostname and
// returns the record target. It will retry requests in the case of temporary
// network errors. It can return net package, context.Canceled, and
// context.DeadlineExceeded errors.
func (dnsResolver *DNSResolverImpl) LookupMX(ctx context.Context, hostname string) ([]string, error) {
r, err := dnsResolver.exchangeOne(ctx, hostname, dns.TypeMX, dnsResolver.mxStats)
if err != nil {
return nil, err
}


@ -6,14 +6,19 @@
package bdns
import (
"errors"
"fmt"
"net"
"os"
"strings"
"sync"
"testing"
"time"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/test"
@ -151,67 +156,67 @@ func newTestStats() metrics.Scope {
var testStats = newTestStats()
func TestDNSNoServers(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Hour, []string{}, testStats)
obj := NewTestDNSResolverImpl(time.Hour, []string{}, testStats, clock.NewFake(), 1)
_, err := obj.LookupHost("letsencrypt.org")
_, err := obj.LookupHost(context.Background(), "letsencrypt.org")
test.AssertError(t, err, "No servers")
}
func TestDNSOneServer(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats)
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
_, err := obj.LookupHost("letsencrypt.org")
_, err := obj.LookupHost(context.Background(), "letsencrypt.org")
test.AssertNotError(t, err, "No message")
}
func TestDNSDuplicateServers(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr, dnsLoopbackAddr}, testStats)
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr, dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
_, err := obj.LookupHost("letsencrypt.org")
_, err := obj.LookupHost(context.Background(), "letsencrypt.org")
test.AssertNotError(t, err, "No message")
}
func TestDNSLookupsNoServer(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{}, testStats)
obj := NewTestDNSResolverImpl(time.Second*10, []string{}, testStats, clock.NewFake(), 1)
_, err := obj.LookupTXT("letsencrypt.org")
_, err := obj.LookupTXT(context.Background(), "letsencrypt.org")
test.AssertError(t, err, "No servers")
_, err = obj.LookupHost("letsencrypt.org")
_, err = obj.LookupHost(context.Background(), "letsencrypt.org")
test.AssertError(t, err, "No servers")
_, err = obj.LookupCAA("letsencrypt.org")
_, err = obj.LookupCAA(context.Background(), "letsencrypt.org")
test.AssertError(t, err, "No servers")
}
func TestDNSServFail(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats)
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
bad := "servfail.com"
_, err := obj.LookupTXT(bad)
_, err := obj.LookupTXT(context.Background(), bad)
test.AssertError(t, err, "LookupTXT didn't return an error")
_, err = obj.LookupHost(bad)
_, err = obj.LookupHost(context.Background(), bad)
test.AssertError(t, err, "LookupHost didn't return an error")
// CAA lookup ignores validation failures from the resolver for now
// and returns an empty list of CAA records.
emptyCaa, err := obj.LookupCAA(bad)
emptyCaa, err := obj.LookupCAA(context.Background(), bad)
test.Assert(t, len(emptyCaa) == 0, "Query returned non-empty list of CAA records")
test.AssertNotError(t, err, "LookupCAA returned an error")
}
func TestDNSLookupTXT(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats)
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
a, err := obj.LookupTXT("letsencrypt.org")
a, err := obj.LookupTXT(context.Background(), "letsencrypt.org")
t.Logf("A: %v", a)
test.AssertNotError(t, err, "No message")
a, err = obj.LookupTXT("split-txt.letsencrypt.org")
a, err = obj.LookupTXT(context.Background(), "split-txt.letsencrypt.org")
t.Logf("A: %v ", a)
test.AssertNotError(t, err, "No message")
test.AssertEquals(t, len(a), 1)
@ -219,47 +224,219 @@ func TestDNSLookupTXT(t *testing.T) {
}
func TestDNSLookupHost(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats)
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
ip, err := obj.LookupHost("servfail.com")
ip, err := obj.LookupHost(context.Background(), "servfail.com")
t.Logf("servfail.com - IP: %s, Err: %s", ip, err)
test.AssertError(t, err, "Server failure")
test.Assert(t, len(ip) == 0, "Should not have IPs")
ip, err = obj.LookupHost("nonexistent.letsencrypt.org")
ip, err = obj.LookupHost(context.Background(), "nonexistent.letsencrypt.org")
t.Logf("nonexistent.letsencrypt.org - IP: %s, Err: %s", ip, err)
test.AssertNotError(t, err, "Not an error to not exist")
test.Assert(t, len(ip) == 0, "Should not have IPs")
// Single IPv4 address
ip, err = obj.LookupHost("cps.letsencrypt.org")
ip, err = obj.LookupHost(context.Background(), "cps.letsencrypt.org")
t.Logf("cps.letsencrypt.org - IP: %s, Err: %s", ip, err)
test.AssertNotError(t, err, "Not an error to exist")
test.Assert(t, len(ip) == 1, "Should have IP")
ip, err = obj.LookupHost("cps.letsencrypt.org")
ip, err = obj.LookupHost(context.Background(), "cps.letsencrypt.org")
t.Logf("cps.letsencrypt.org - IP: %s, Err: %s", ip, err)
test.AssertNotError(t, err, "Not an error to exist")
test.Assert(t, len(ip) == 1, "Should have IP")
// No IPv6
ip, err = obj.LookupHost("v6.letsencrypt.org")
ip, err = obj.LookupHost(context.Background(), "v6.letsencrypt.org")
t.Logf("v6.letsencrypt.org - IP: %s, Err: %s", ip, err)
test.AssertNotError(t, err, "Not an error to exist")
test.Assert(t, len(ip) == 0, "Should not have IPs")
}
func TestDNSLookupCAA(t *testing.T) {
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats)
obj := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 1)
caas, err := obj.LookupCAA("bracewel.net")
caas, err := obj.LookupCAA(context.Background(), "bracewel.net")
test.AssertNotError(t, err, "CAA lookup failed")
test.Assert(t, len(caas) > 0, "Should have CAA records")
caas, err = obj.LookupCAA("nonexistent.letsencrypt.org")
caas, err = obj.LookupCAA(context.Background(), "nonexistent.letsencrypt.org")
test.AssertNotError(t, err, "CAA lookup failed")
test.Assert(t, len(caas) == 0, "Shouldn't have CAA records")
caas, err = obj.LookupCAA("cname.example.com")
caas, err = obj.LookupCAA(context.Background(), "cname.example.com")
test.AssertNotError(t, err, "CAA lookup failed")
test.Assert(t, len(caas) > 0, "Should follow CNAME to find CAA")
}
type testExchanger struct {
sync.Mutex
count int
errs []error
}
var errTooManyRequests = errors.New("too many requests")
func (te *testExchanger) Exchange(m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
te.Lock()
defer te.Unlock()
msg := &dns.Msg{
MsgHdr: dns.MsgHdr{Rcode: dns.RcodeSuccess},
}
if len(te.errs) <= te.count {
return nil, 0, errTooManyRequests
}
err := te.errs[te.count]
te.count++
return msg, 2 * time.Millisecond, err
}
func TestRetry(t *testing.T) {
isTempErr := &net.OpError{Op: "read", Err: tempError(true)}
nonTempErr := &net.OpError{Op: "read", Err: tempError(false)}
type testCase struct {
maxTries int
expected int
te *testExchanger
}
tests := []*testCase{
// The success on first try case
{
maxTries: 3,
expected: 1,
te: &testExchanger{
errs: []error{nil},
},
},
// Immediate non-OpError, error returns immediately
{
maxTries: 3,
expected: 1,
te: &testExchanger{
errs: []error{errors.New("nope")},
},
},
// Temporary err, then non-OpError stops at two tries
{
maxTries: 3,
expected: 2,
te: &testExchanger{
errs: []error{isTempErr, errors.New("nope")},
},
},
// Temporary error given always
{
maxTries: 3,
expected: 3,
te: &testExchanger{
errs: []error{
isTempErr,
isTempErr,
isTempErr,
},
},
},
// Even with maxTries at 0, we should still let a single request go
// through
{
maxTries: 0,
expected: 1,
te: &testExchanger{
errs: []error{nil},
},
},
// Temporary error given just once causes two tries
{
maxTries: 3,
expected: 2,
te: &testExchanger{
errs: []error{
isTempErr,
nil,
},
},
},
// Temporary error given twice causes three tries
{
maxTries: 3,
expected: 3,
te: &testExchanger{
errs: []error{
isTempErr,
isTempErr,
nil,
},
},
},
// Temporary error given thrice causes three tries and fails
{
maxTries: 3,
expected: 3,
te: &testExchanger{
errs: []error{
isTempErr,
isTempErr,
isTempErr,
},
},
},
// temporary then non-Temporary error causes two retries
{
maxTries: 3,
expected: 2,
te: &testExchanger{
errs: []error{
isTempErr,
nonTempErr,
},
},
},
}
for i, tc := range tests {
dr := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), tc.maxTries)
dr.DNSClient = tc.te
_, err := dr.LookupTXT(context.Background(), "example.com")
if err == errTooManyRequests {
t.Errorf("#%d, sent more requests than the test case handles", i)
}
expectedErr := tc.te.errs[tc.expected-1]
if err != expectedErr {
t.Errorf("#%d, error, expected %v, got %v", i, expectedErr, err)
}
if tc.expected != tc.te.count {
t.Errorf("#%d, count, expected %d, got %d", i, tc.expected, tc.te.count)
}
}
dr := NewTestDNSResolverImpl(time.Second*10, []string{dnsLoopbackAddr}, testStats, clock.NewFake(), 3)
dr.DNSClient = &testExchanger{errs: []error{isTempErr, isTempErr, nil}}
ctx, cancel := context.WithCancel(context.Background())
cancel()
_, err := dr.LookupTXT(ctx, "example.com")
if err != context.Canceled {
t.Errorf("expected %s, got %s", context.Canceled, err)
}
dr.DNSClient = &testExchanger{errs: []error{isTempErr, isTempErr, nil}}
ctx, _ = context.WithTimeout(context.Background(), -10*time.Hour)
_, err = dr.LookupTXT(ctx, "example.com")
if err != context.DeadlineExceeded {
t.Errorf("expected %s, got %s", context.DeadlineExceeded, err)
}
dr.DNSClient = &testExchanger{errs: []error{isTempErr, isTempErr, nil}}
ctx, deadlineCancel := context.WithTimeout(context.Background(), -10*time.Hour)
deadlineCancel()
_, err = dr.LookupTXT(ctx, "example.com")
if err != context.DeadlineExceeded {
t.Errorf("expected %s, got %s", context.DeadlineExceeded, err)
}
}
type tempError bool
func (t tempError) Temporary() bool { return bool(t) }
func (t tempError) Error() string { return fmt.Sprintf("Temporary: %t", t) }
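Review bot: `ctx, _ = context.WithTimeout(context.Background(), -10*time.Hour)` in TestRetry drops the CancelFunc, which `go vet`'s lostcancel check reports and which leaves that context's timer uncollected until the test returns. The third case just below already keeps and calls its cancel, so the second should match it: `ctx, timeoutCancel := context.WithTimeout(context.Background(), -10*time.Hour)` followed by `defer timeoutCancel()`. The two cases then differ only in whether cancel() runs before the lookup, so a one-line comment on each saying that an already-expired deadline must surface as DeadlineExceeded even after an explicit cancel would make the intent of the pair clear.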


@ -6,6 +6,7 @@
package bdns
import (
"fmt"
"net"
"github.com/letsencrypt/boulder/probs"
@ -15,20 +16,23 @@ const detailDNSTimeout = "DNS query timed out"
const detailDNSNetFailure = "DNS networking error"
const detailServerFailure = "Server failure at resolver"
// ProblemDetailsFromDNSError checks the error returned from Lookup...
// methods and tests if the error was an underlying net.OpError or an error
// caused by resolver returning SERVFAIL or other invalid Rcodes and returns
// the relevant core.ProblemDetails.
func ProblemDetailsFromDNSError(err error) *probs.ProblemDetails {
problem := &probs.ProblemDetails{Type: probs.ConnectionProblem}
// ProblemDetailsFromDNSError checks the error returned from Lookup... methods
// and tests if the error was an underlying net.OpError or an error caused by
// resolver returning SERVFAIL or other invalid Rcodes and returns the relevant
// core.ProblemDetails. The detail string will contain a mention of the DNS
// record type and domain given.
func ProblemDetailsFromDNSError(recordType, domain string, err error) *probs.ProblemDetails {
detail := detailServerFailure
if netErr, ok := err.(*net.OpError); ok {
if netErr.Timeout() {
problem.Detail = detailDNSTimeout
detail = detailDNSTimeout
} else {
problem.Detail = detailDNSNetFailure
detail = detailDNSNetFailure
}
} else {
problem.Detail = detailServerFailure
}
return problem
detail = fmt.Sprintf("%s during %s-record lookup of %s", detail, recordType, domain)
return &probs.ProblemDetails{
Type: probs.ConnectionProblem,
Detail: detail,
}
}
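Review bot: The rewritten doc comment on ProblemDetailsFromDNSError still says it returns `core.ProblemDetails`, while the signature returns `*probs.ProblemDetails`; `// resolver returning SERVFAIL or other invalid Rcodes and returns the relevant` / `// probs.ProblemDetails. The detail string will contain a mention of the DNS` fixes the stale reference. The comment should also state that any err that is not a *net.OpError is reported as detailServerFailure, since that is the fallback the code now takes by initialising detail to it. Separately, recordType and domain are interpolated with `%s`; the ra.go hunk on this page passes the domain parsed from a client-supplied contact address, so `%q` for the domain would keep unusual characters visible in logs, at the cost of changing the detail strings the ra and problem tests pin.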


@ -31,11 +31,12 @@ func TestProblemDetailsFromDNSError(t *testing.T) {
},
}
for _, tc := range testCases {
err := ProblemDetailsFromDNSError(tc.err)
err := ProblemDetailsFromDNSError("TXT", "example.com", tc.err)
if err.Type != probs.ConnectionProblem {
t.Errorf("ProblemDetailsFromDNSError(%q).Type = %q, expected %q", tc.err, err.Type, probs.ConnectionProblem)
}
if err.Detail != tc.expected {
exp := tc.expected + " during TXT-record lookup of example.com"
if err.Detail != exp {
t.Errorf("ProblemDetailsFromDNSError(%q).Detail = %q, expected %q", tc.err, err.Detail, tc.expected)
}
}
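Review bot: The failure message on the line after the new comparison still prints `tc.expected`, while the assertion now compares against `exp`, so a mismatch would report the bare detail without the `during TXT-record lookup of example.com` suffix and read like a different failure. Change the Errorf's last argument: `t.Errorf("ProblemDetailsFromDNSError(%q).Detail = %q, expected %q", tc.err, err.Detail, exp)`. The loop's enclosing function starts outside the hunk.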


@ -155,7 +155,7 @@ func main() {
// 1: serial, 2: reasonCode (3: deny flag)
serial := c.Args().First()
reasonCode, err := strconv.Atoi(c.Args().Get(1))
cmd.FailOnError(err, "Reason code argument must be a integer")
cmd.FailOnError(err, "Reason code argument must be an integer")
deny := c.GlobalBool("deny")
cac, auditlogger, dbMap, _ := setupContext(c)
@ -182,9 +182,9 @@ func main() {
Action: func(c *cli.Context) {
// 1: registration ID, 2: reasonCode (3: deny flag)
regID, err := strconv.ParseInt(c.Args().First(), 10, 64)
cmd.FailOnError(err, "Registration ID argument must be a integer")
cmd.FailOnError(err, "Registration ID argument must be an integer")
reasonCode, err := strconv.Atoi(c.Args().Get(1))
cmd.FailOnError(err, "Reason code argument must be a integer")
cmd.FailOnError(err, "Reason code argument must be an integer")
deny := c.GlobalBool("deny")
cac, auditlogger, dbMap, sac := setupContext(c)


@ -64,10 +64,14 @@ func main() {
raDNSTimeout, err := time.ParseDuration(c.Common.DNSTimeout)
cmd.FailOnError(err, "Couldn't parse RA DNS timeout")
scoped := metrics.NewStatsdScope(stats, "RA", "DNS")
dnsTries := c.RA.DNSTries
if dnsTries < 1 {
dnsTries = 1
}
if !c.Common.DNSAllowLoopbackAddresses {
rai.DNSResolver = bdns.NewDNSResolverImpl(raDNSTimeout, []string{c.Common.DNSResolver}, scoped)
rai.DNSResolver = bdns.NewDNSResolverImpl(raDNSTimeout, []string{c.Common.DNSResolver}, scoped, clock.Default(), dnsTries)
} else {
rai.DNSResolver = bdns.NewTestDNSResolverImpl(raDNSTimeout, []string{c.Common.DNSResolver}, scoped)
rai.DNSResolver = bdns.NewTestDNSResolverImpl(raDNSTimeout, []string{c.Common.DNSResolver}, scoped, clock.Default(), dnsTries)
}
rai.VA = vac
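Review bot: The `if dnsTries < 1 { dnsTries = 1 }` clamp is copied verbatim here and in the boulder-va main hunk further down; the dns_test hunk's "Even with maxTries at 0" case suggests the resolver already tolerates a zero value on its own, so the two call-site clamps will drift from each other and from the constructor as the rule changes. Moving the clamp into bdns.NewDNSResolverImpl, or into a small cmd helper both mains call, keeps one definition. The config.go comment says only a zero value is turned into 1, whereas this code also lifts negatives; whichever place owns the rule should document it as `// values below 1 are treated as 1`. Whether the `clock` package is already imported in this file is not visible in the hunk.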


@ -42,15 +42,20 @@ func main() {
if c.VA.PortConfig.TLSPort != 0 {
pc.TLSPort = c.VA.PortConfig.TLSPort
}
clk := clock.Default()
sbc := newGoogleSafeBrowsing(c.VA.GoogleSafeBrowsing)
vai := va.NewValidationAuthorityImpl(pc, sbc, stats, clock.Default())
vai := va.NewValidationAuthorityImpl(pc, sbc, stats, clk)
dnsTimeout, err := time.ParseDuration(c.Common.DNSTimeout)
cmd.FailOnError(err, "Couldn't parse DNS timeout")
scoped := metrics.NewStatsdScope(stats, "VA", "DNS")
dnsTries := c.VA.DNSTries
if dnsTries < 1 {
dnsTries = 1
}
if !c.Common.DNSAllowLoopbackAddresses {
vai.DNSResolver = bdns.NewDNSResolverImpl(dnsTimeout, []string{c.Common.DNSResolver}, scoped)
vai.DNSResolver = bdns.NewDNSResolverImpl(dnsTimeout, []string{c.Common.DNSResolver}, scoped, clk, dnsTries)
} else {
vai.DNSResolver = bdns.NewTestDNSResolverImpl(dnsTimeout, []string{c.Common.DNSResolver}, scoped)
vai.DNSResolver = bdns.NewTestDNSResolverImpl(dnsTimeout, []string{c.Common.DNSResolver}, scoped, clk, dnsTries)
}
vai.UserAgent = c.VA.UserAgent
vai.IssuerDomain = c.VA.IssuerDomain


@ -62,6 +62,11 @@ type Config struct {
// UseIsSafeDomain determines whether to call VA.IsSafeDomain
UseIsSafeDomain bool // TODO(jmhodges): remove after va IsSafeDomain deploy
// The number of times to try a DNS query (that has a temporary error)
// before giving up. May be short-circuited by deadlines. A zero value
// will be turned into 1.
DNSTries int
}
SA struct {
@ -83,6 +88,11 @@ type Config struct {
MaxConcurrentRPCServerRequests int64
GoogleSafeBrowsing *GoogleSafeBrowsingConfig
// The number of times to try a DNS query (that has a temporary error)
// before giving up. May be short-circuited by deadlines. A zero value
// will be turned into 1.
DNSTries int
}
SQL struct {
@ -131,7 +141,7 @@ type Config struct {
Path string
ListenAddress string
// MaxAge is the max-age to set in the Cache-Controler response
// MaxAge is the max-age to set in the Cache-Control response
// header. It is a time.Duration formatted string.
MaxAge ConfigDuration


@ -110,7 +110,7 @@ func (m *mailer) updateCertStatus(serial string) error {
err = tx.Commit()
if err != nil {
m.log.Err(fmt.Sprintf("Error commiting transaction for certificate %s: %s", serial, err))
m.log.Err(fmt.Sprintf("Error committing transaction for certificate %s: %s", serial, err))
tx.Rollback()
return err
}


@ -157,7 +157,7 @@ func (as *AppShell) Run() {
FailOnError(err, "Failed to run application")
}
// StatsAndLogging constructs a Statter and and AuditLogger based on its config
// StatsAndLogging constructs a Statter and an AuditLogger based on its config
// parameters, and return them both. Crashes if any setup fails.
// Also sets the constructed AuditLogger as the default logger.
func StatsAndLogging(statConf StatsdConfig, logConf SyslogConfig) (statsd.Statter, *blog.AuditLogger) {


@ -294,7 +294,7 @@ type Challenge struct {
// The status of this challenge
Status AcmeStatus `json:"status,omitempty"`
// Contains the error that occured during challenge validation, if any
// Contains the error that occurred during challenge validation, if any
Error *probs.ProblemDetails `json:"error,omitempty"`
// If successful, the time at which this challenge
@ -487,7 +487,7 @@ type Certificate struct {
}
// IdentifierData holds information about what certificates are known for a
// given identifier. This is used to present Proof of Posession challenges in
// given identifier. This is used to present Proof of Possession challenges in
// the case where a certificate already exists. The DB table holding
// IdentifierData rows contains information about certs issued by Boulder and
// also information about certs observed from third parties.


@ -460,7 +460,7 @@ func LoadCertBundle(filename string) ([]*x509.Certificate, error) {
return bundle, nil
}
// LoadCert loads a PEM certificate specified by filename or returns a error
// LoadCert loads a PEM certificate specified by filename or returns an error
func LoadCert(filename string) (cert *x509.Certificate, err error) {
certPEM, err := ioutil.ReadFile(filename)
if err != nil {


@ -119,7 +119,7 @@ func SetAuditLogger(logger *AuditLogger) (err error) {
// GetAuditLogger obtains the singleton audit logger. If SetAuditLogger
// has not been called first, this method initializes with basic defaults.
// The basic defaults cannot error, and subequent access to an already-set
// The basic defaults cannot error, and subsequent access to an already-set
// AuditLogger also cannot error, so this method is error-safe.
func GetAuditLogger() *AuditLogger {
_Singleton.once.Do(func() {
@ -271,7 +271,7 @@ func (log *AuditLogger) AuditObject(msg string, obj interface{}) (err error) {
return log.auditAtLevel(syslog.LOG_NOTICE, formattedEvent)
}
// InfoObject sends a INFO-severity JSON-serialized object message.
// InfoObject sends an INFO-severity JSON-serialized object message.
func (log *AuditLogger) InfoObject(msg string, obj interface{}) (err error) {
formattedEvent, logErr := log.formatObjectMessage(msg, obj)
if logErr != nil {


@ -24,6 +24,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/core"
)
@ -33,14 +34,20 @@ type DNSResolver struct {
}
// LookupTXT is a mock
func (mock *DNSResolver) LookupTXT(hostname string) ([]string, error) {
func (mock *DNSResolver) LookupTXT(ctx context.Context, hostname string) ([]string, error) {
if hostname == "_acme-challenge.servfail.com" {
return nil, fmt.Errorf("SERVFAIL")
}
if hostname == "_acme-challenge.good-dns01.com" {
// base64(sha256("LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
// + "." + "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"))
// expected token + test account jwk thumbprint
return []string{"LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo"}, nil
}
return []string{"hostname"}, nil
}
// TimeoutError returns a a net.OpError for which Timeout() returns true.
// TimeoutError returns a net.OpError for which Timeout() returns true.
func TimeoutError() *net.OpError {
return &net.OpError{
Err: os.NewSyscallError("ugh timeout", timeoutError{}),
@ -60,7 +67,7 @@ func (t timeoutError) Timeout() bool {
//
// Note: see comments on LookupMX regarding email.only
//
func (mock *DNSResolver) LookupHost(hostname string) ([]net.IP, error) {
func (mock *DNSResolver) LookupHost(ctx context.Context, hostname string) ([]net.IP, error) {
if hostname == "always.invalid" ||
hostname == "invalid.invalid" ||
hostname == "email.only" {
@ -79,7 +86,7 @@ func (mock *DNSResolver) LookupHost(hostname string) ([]net.IP, error) {
}
// LookupCAA is a mock
func (mock *DNSResolver) LookupCAA(domain string) ([]*dns.CAA, error) {
func (mock *DNSResolver) LookupCAA(ctx context.Context, domain string) ([]*dns.CAA, error) {
var results []*dns.CAA
var record dns.CAA
switch strings.TrimRight(domain, ".") {
@ -115,7 +122,7 @@ func (mock *DNSResolver) LookupCAA(domain string) ([]*dns.CAA, error) {
// all domains except for special cases, so MX-only domains must be
// handled in both LookupHost and LookupMX.
//
func (mock *DNSResolver) LookupMX(domain string) ([]string, error) {
func (mock *DNSResolver) LookupMX(ctx context.Context, domain string) ([]string, error) {
switch strings.TrimRight(domain, ".") {
case "letsencrypt.org":
fallthrough
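Review bot: The four mock Lookup methods accept the new ctx parameter but never consult it, so RA and VA tests that go through mocks.DNSResolver cannot observe the cancellation behaviour the real resolver now documents ("can return net package, context.Canceled, and context.DeadlineExceeded errors"). A guard at the top of each, `if err := ctx.Err(); err != nil { return nil, err }`, keeps the mock consistent with that contract and lets a caller's deadline handling be tested without a live resolver. Each of the mock bodies continues outside its hunk.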


@ -25,7 +25,7 @@ type Log struct {
verifier *ct.SignatureVerifier
}
// NewLog returns a initialized Log struct
// NewLog returns an initialized Log struct
func NewLog(uri, b64PK string) (*Log, error) {
if strings.HasSuffix(uri, "/") {
uri = uri[0 : len(uri)-2]
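Review bot: `uri = uri[0 : len(uri)-2]` removes two bytes after HasSuffix matched a single "/", so a log URI ending in one slash loses its last real character as well as the slash; the line is unchanged by this commit, but it is the code the corrected comment documents. `uri = strings.TrimSuffix(uri, "/")` replaces the whole if block and is correct for both the slash and no-slash cases. NewLog's body continues outside the hunk.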


@ -20,6 +20,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/net/publicsuffix"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/probs"
"github.com/letsencrypt/boulder/bdns"
@ -84,7 +85,7 @@ const (
emptyDNSResponseDetail = "empty DNS response"
)
func validateEmail(address string, resolver bdns.DNSResolver) (prob *probs.ProblemDetails) {
func validateEmail(ctx context.Context, address string, resolver bdns.DNSResolver) (prob *probs.ProblemDetails) {
_, err := mail.ParseAddress(address)
if err != nil {
return &probs.ProblemDetails{
@ -96,10 +97,11 @@ func validateEmail(address string, resolver bdns.DNSResolver) (prob *probs.Probl
domain := strings.ToLower(splitEmail[len(splitEmail)-1])
var resultMX []string
var resultA []net.IP
resultMX, err = resolver.LookupMX(domain)
resultMX, err = resolver.LookupMX(ctx, domain)
recQ := "MX"
if err == nil && len(resultMX) == 0 {
resultA, err = resolver.LookupHost(domain)
resultA, err = resolver.LookupHost(ctx, domain)
recQ = "A"
if err == nil && len(resultA) == 0 {
return &probs.ProblemDetails{
Type: probs.InvalidEmailProblem,
@ -108,11 +110,9 @@ func validateEmail(address string, resolver bdns.DNSResolver) (prob *probs.Probl
}
}
if err != nil {
dnsProblem := bdns.ProblemDetailsFromDNSError(err)
return &probs.ProblemDetails{
Type: probs.InvalidEmailProblem,
Detail: dnsProblem.Detail,
}
prob := bdns.ProblemDetailsFromDNSError(recQ, domain, err)
prob.Type = probs.InvalidEmailProblem
return prob
}
return nil
@ -210,7 +210,8 @@ func (ra *RegistrationAuthorityImpl) NewRegistration(init core.Registration) (re
// MergeUpdate. But we need to fill it in for new registrations.
reg.InitialIP = init.InitialIP
err = ra.validateContacts(reg.Contact)
// TODO(#1292): add a proper deadline here
err = ra.validateContacts(context.TODO(), reg.Contact)
if err != nil {
return
}
@ -227,7 +228,7 @@ func (ra *RegistrationAuthorityImpl) NewRegistration(init core.Registration) (re
return
}
func (ra *RegistrationAuthorityImpl) validateContacts(contacts []*core.AcmeURL) (err error) {
func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, contacts []*core.AcmeURL) (err error) {
if ra.maxContactsPerReg > 0 && len(contacts) > ra.maxContactsPerReg {
return core.MalformedRequestError(fmt.Sprintf("Too many contacts provided: %d > %d",
len(contacts), ra.maxContactsPerReg))
@ -243,7 +244,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []*core.AcmeURL)
case "mailto":
start := ra.clk.Now()
ra.stats.Inc("RA.ValidateEmail.Calls", 1, 1.0)
problem := validateEmail(contact.Opaque, ra.DNSResolver)
problem := validateEmail(ctx, contact.Opaque, ra.DNSResolver)
ra.stats.TimingDuration("RA.ValidateEmail.Latency", ra.clk.Now().Sub(start), 1.0)
if problem != nil {
ra.stats.Inc("RA.ValidateEmail.Errors", 1, 1.0)
@ -268,14 +269,14 @@ func checkPendingAuthorizationLimit(sa core.StorageGetter, limit *cmd.RateLimitP
// Most rate limits have a key for overrides, but there is no meaningful key
// here.
noKey := ""
if count > limit.GetThreshold(noKey, regID) {
if count >= limit.GetThreshold(noKey, regID) {
return core.RateLimitedError("Too many currently pending authorizations.")
}
}
return nil
}
// NewAuthorization constuct a new Authz from a request. Values (domains) in
// NewAuthorization constructs a new Authz from a request. Values (domains) in
// request.Identifier will be lowercased before storage.
func (ra *RegistrationAuthorityImpl) NewAuthorization(request core.Authorization, regID int64) (authz core.Authorization, err error) {
reg, err := ra.SA.GetRegistration(regID)
@ -639,7 +640,8 @@ func (ra *RegistrationAuthorityImpl) checkLimits(names []string, regID int64) er
func (ra *RegistrationAuthorityImpl) UpdateRegistration(base core.Registration, update core.Registration) (reg core.Registration, err error) {
base.MergeUpdate(update)
err = ra.validateContacts(base.Contact)
// TODO(#1292): add a proper deadline here
err = ra.validateContacts(context.TODO(), base.Contact)
if err != nil {
return
}
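Review bot: `prob := bdns.ProblemDetailsFromDNSError(recQ, domain, err)` inside validateEmail's `if err != nil` block declares a new variable that shadows the named result `prob` from the signature; the explicit `return prob` makes it work today, but `go vet -shadow` reports it and a future naked return from that branch would silently return nil. Use assignment instead: `prob = bdns.ProblemDetailsFromDNSError(recQ, domain, err)`, with the following two lines unchanged. validateEmail's body continues outside this hunk.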


@ -22,6 +22,7 @@ import (
cfsslConfig "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/config"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
jose "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/ca"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
@ -288,25 +289,25 @@ func TestValidateContacts(t *testing.T) {
validEmail, _ := core.ParseAcmeURL("mailto:admin@email.com")
malformedEmail, _ := core.ParseAcmeURL("mailto:admin.com")
err := ra.validateContacts([]*core.AcmeURL{})
err := ra.validateContacts(context.Background(), []*core.AcmeURL{})
test.AssertNotError(t, err, "No Contacts")
err = ra.validateContacts([]*core.AcmeURL{tel, validEmail})
err = ra.validateContacts(context.Background(), []*core.AcmeURL{tel, validEmail})
test.AssertError(t, err, "Too Many Contacts")
err = ra.validateContacts([]*core.AcmeURL{tel})
err = ra.validateContacts(context.Background(), []*core.AcmeURL{tel})
test.AssertNotError(t, err, "Simple Telephone")
err = ra.validateContacts([]*core.AcmeURL{validEmail})
err = ra.validateContacts(context.Background(), []*core.AcmeURL{validEmail})
test.AssertNotError(t, err, "Valid Email")
err = ra.validateContacts([]*core.AcmeURL{malformedEmail})
err = ra.validateContacts(context.Background(), []*core.AcmeURL{malformedEmail})
test.AssertError(t, err, "Malformed Email")
err = ra.validateContacts([]*core.AcmeURL{ansible})
err = ra.validateContacts(context.Background(), []*core.AcmeURL{ansible})
test.AssertError(t, err, "Unknown scheme")
err = ra.validateContacts([]*core.AcmeURL{nil})
err = ra.validateContacts(context.Background(), []*core.AcmeURL{nil})
test.AssertError(t, err, "Nil AcmeURL")
}
@ -317,15 +318,16 @@ func TestValidateEmail(t *testing.T) {
}{
{"an email`", unparseableEmailDetail},
{"a@always.invalid", emptyDNSResponseDetail},
{"a@always.timeout", "DNS query timed out"},
{"a@always.error", "DNS networking error"},
{"a@always.timeout", "DNS query timed out during A-record lookup of always.timeout"},
{"a@always.error", "DNS networking error during A-record lookup of always.error"},
}
testSuccesses := []string{
"a@email.com",
"b@email.only",
}
for _, tc := range testFailures {
problem := validateEmail(tc.input, &mocks.DNSResolver{})
problem := validateEmail(context.Background(), tc.input, &mocks.DNSResolver{})
if problem.Type != probs.InvalidEmailProblem {
t.Errorf("validateEmail(%q): got problem type %#v, expected %#v", tc.input, problem.Type, probs.InvalidEmailProblem)
}
@ -336,7 +338,7 @@ func TestValidateEmail(t *testing.T) {
}
for _, addr := range testSuccesses {
if prob := validateEmail(addr, &mocks.DNSResolver{}); prob != nil {
if prob := validateEmail(context.Background(), addr, &mocks.DNSResolver{}); prob != nil {
t.Errorf("validateEmail(%q): expected success, but it failed: %s",
addr, prob)
}
@ -722,6 +724,36 @@ func TestTotalCertRateLimit(t *testing.T) {
test.AssertError(t, err, "Total certificate rate limit failed")
}
func TestAuthzRateLimiting(t *testing.T) {
_, _, ra, fc, cleanUp := initAuthorities(t)
defer cleanUp()
ra.rlPolicies = cmd.RateLimitConfig{
PendingAuthorizationsPerAccount: cmd.RateLimitPolicy{
Threshold: 1,
Window: cmd.ConfigDuration{Duration: 24 * 90 * time.Hour},
},
}
fc.Add(24 * 90 * time.Hour)
// Should be able to create an authzRequest
authz, err := ra.NewAuthorization(AuthzRequest, Registration.ID)
test.AssertNotError(t, err, "NewAuthorization failed")
fc.Add(time.Hour)
// Second one should trigger rate limit
_, err = ra.NewAuthorization(AuthzRequest, Registration.ID)
test.AssertError(t, err, "Pending Authorization rate limit failed.")
// Finalize pending authz
ra.OnValidationUpdate(authz)
// Try to create a new authzRequest, should be fine now.
_, err = ra.NewAuthorization(AuthzRequest, Registration.ID)
test.AssertNotError(t, err, "NewAuthorization failed")
}
func TestDomainsForRateLimiting(t *testing.T) {
domains, err := domainsForRateLimiting([]string{})
test.AssertNotError(t, err, "failed on empty")
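Review bot: TestAuthzRateLimiting only checks that the second NewAuthorization returns some error, so a storage or validation failure would satisfy `test.AssertError(t, err, "Pending Authorization rate limit failed.")` just as well as the rate limit; asserting the type, `if _, ok := err.(core.RateLimitedError); !ok { t.Errorf("expected RateLimitedError, got %#v", err) }`, pins the behaviour the `>=` change in ra.go is meant to produce. The return value of `ra.OnValidationUpdate(authz)`, if it has one, is also discarded; checking it would show the reader that the authz really was finalized before the third request. `core.RateLimitedError` as a conversion type is taken from the ra.go hunk on this page.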


@ -192,7 +192,7 @@ type rpcError struct {
HTTPStatus int `json:"status,omitempty"`
}
// Wraps a error in a rpcError so it can be marshalled to
// Wraps an error in a rpcError so it can be marshalled to
// JSON.
func wrapError(err error) *rpcError {
if err != nil {
@ -298,7 +298,7 @@ func (r rpcResponse) debugString() string {
return fmt.Sprintf("%s, RPCERR: %v", ret, r.Error)
}
// makeAmqpChannel sets a AMQP connection up using SSL if configuration is provided
// makeAmqpChannel sets an AMQP connection up using SSL if configuration is provided
func makeAmqpChannel(conf *cmd.AMQPConfig) (*amqp.Channel, error) {
var conn *amqp.Connection
var err error


@ -52,7 +52,7 @@ type authzModel struct {
}
// NewSQLStorageAuthority provides persistence using a SQL backend for
// Boulder. It will modify the given gorp.DbMap by adding relevent tables.
// Boulder. It will modify the given gorp.DbMap by adding relevant tables.
func NewSQLStorageAuthority(dbMap *gorp.DbMap, clk clock.Clock) (*SQLStorageAuthority, error) {
logger := blog.GetAuditLogger()
@ -340,7 +340,7 @@ func (t TooManyCertificatesError) Error() string {
// subdomains. It returns a map from domains to counts, which is guaranteed to
// contain an entry for each input domain, so long as err is nil.
// The highest count this function can return is 10,000. If there are more
// certificates than that matching one ofthe provided domain names, it will return
// certificates than that matching one of the provided domain names, it will return
// TooManyCertificatesError.
func (ssa *SQLStorageAuthority) CountCertificatesByNames(domains []string, earliest, latest time.Time) (map[string]int, error) {
ret := make(map[string]int, len(domains))
@ -358,7 +358,7 @@ func (ssa *SQLStorageAuthority) CountCertificatesByNames(domains []string, earli
// certificates issued in the given time range for that domain and its
// subdomains.
// The highest count this function can return is 10,000. If there are more
// certificates than that matching one ofthe provided domain names, it will return
// certificates than that matching one of the provided domain names, it will return
// TooManyCertificatesError.
func (ssa *SQLStorageAuthority) countCertificatesByName(domain string, earliest, latest time.Time) (int, error) {
var count int64
@ -655,7 +655,7 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization(authz core.Authorization)
// Check that a pending authz exists
if !existingPending(tx, authz.ID) {
err = errors.New("Cannot finalize a authorization that is not pending")
err = errors.New("Cannot finalize an authorization that is not pending")
tx.Rollback()
return
}
@ -851,7 +851,7 @@ func (ssa *SQLStorageAuthority) CountPendingAuthorizations(regID int64) (count i
return
}
// ErrNoReceipt is a error type for non-existent SCT receipt
// ErrNoReceipt is an error type for non-existent SCT receipt
type ErrNoReceipt string
func (e ErrNoReceipt) Error() string {
@ -878,7 +878,7 @@ func (ssa *SQLStorageAuthority) GetSCTReceipt(serial string, logID string) (rece
return
}
// ErrDuplicateReceipt is a error type for duplicate SCT receipts
// ErrDuplicateReceipt is an error type for duplicate SCT receipts
type ErrDuplicateReceipt string
func (e ErrDuplicateReceipt) Error() string {


@ -123,6 +123,7 @@
"rateLimitPoliciesFilename": "test/rate-limit-policies.yml",
"maxConcurrentRPCServerRequests": 16,
"maxContactsPerRegistration": 100,
"dnsTries": 3,
"debugAddr": "localhost:8002",
"amqp": {
"serverURLFile": "test/secrets/amqp_url",
@ -165,6 +166,7 @@
"tlsPort": 5001
},
"maxConcurrentRPCServerRequests": 16,
"dnsTries": 3,
"amqp": {
"serverURLFile": "test/secrets/amqp_url",
"insecure": true,


@ -3,7 +3,7 @@ set -o errexit
cd $(dirname $0)/..
source test/db-common.sh
# set db connection for if running in a seperate container or not
# set db connection for if running in a separate container or not
dbconn="-u root"
if [[ ! -z "$MYSQL_CONTAINER" ]]; then
dbconn="-u root -h 127.0.0.1 --port 3306"


@ -17,6 +17,7 @@
var colors = require("colors");
var cli = require("cli");
var cryptoUtil = require("./crypto-util");
var crypto = require("crypto");
var child_process = require('child_process');
var fs = require('fs');
var http = require('http');
@ -388,7 +389,7 @@ function validateDns01(challenge) {
method: "POST",
json: {
"host": recordName,
"value": cryptoUtil.sha256(new Buffer(keyAuthorization))
"value": util.b64enc(crypto.createHash('sha256').update(keyAuthorization).digest())
}
}, txtCallback);
}
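Review bot: The TXT value built on the new line in validateDns01 must match the server side, which now encodes the SHA-256 digest with Go's `base64.RawURLEncoding` (URL-safe alphabet, no padding); `util.b64enc` is not visible in this hunk, so confirm it produces exactly that form, because a padded or standard-alphabet encoding fails validation with a record mismatch rather than an obvious error. The `util` module is also not among the requires added at the top of the file, so presumably it is already required elsewhere. A short comment on the value line, `// unpadded base64url of SHA-256(keyAuthorization), must match the VA's RawURLEncoding`, would make the coupling explicit. validateDns01 starts before this hunk.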


@ -9,6 +9,7 @@ import (
"crypto/sha256"
"crypto/subtle"
"crypto/tls"
"encoding/base64"
"encoding/hex"
"fmt"
"io/ioutil"
@ -23,6 +24,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/net/publicsuffix"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/miekg/dns"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/probs"
"github.com/letsencrypt/boulder/bdns"
@ -84,28 +86,28 @@ type verificationRequestEvent struct {
}
// getAddr will query for all A records associated with hostname and return the
// prefered address, the first net.IP in the addrs slice, and all addresses resolved.
// preferred address, the first net.IP in the addrs slice, and all addresses resolved.
// This is the same choice made by the Go internal resolution library used by
// net/http, except we only send A queries and accept IPv4 addresses.
// TODO(#593): Add IPv6 support
func (va ValidationAuthorityImpl) getAddr(hostname string) (addr net.IP, addrs []net.IP, problem *probs.ProblemDetails) {
addrs, err := va.DNSResolver.LookupHost(hostname)
func (va ValidationAuthorityImpl) getAddr(ctx context.Context, hostname string) (net.IP, []net.IP, *probs.ProblemDetails) {
addrs, err := va.DNSResolver.LookupHost(ctx, hostname)
if err != nil {
problem = bdns.ProblemDetailsFromDNSError(err)
va.log.Debug(fmt.Sprintf("%s DNS failure: %s", hostname, err))
return
problem := bdns.ProblemDetailsFromDNSError("A", hostname, err)
return net.IP{}, nil, problem
}
if len(addrs) == 0 {
problem = &probs.ProblemDetails{
problem := &probs.ProblemDetails{
Type: probs.UnknownHostProblem,
Detail: fmt.Sprintf("No IPv4 addresses found for %s", hostname),
}
return
return net.IP{}, nil, problem
}
addr = addrs[0]
addr := addrs[0]
va.log.Info(fmt.Sprintf("Resolved addresses for %s [using %s]: %s", hostname, addr, addrs))
return
return addr, addrs, nil
}
type dialer struct {
@ -117,9 +119,9 @@ func (d *dialer) Dial(_, _ string) (net.Conn, error) {
return realDialer.Dial("tcp", net.JoinHostPort(d.record.AddressUsed.String(), d.record.Port))
}
// resolveAndConstructDialer gets the prefered address using va.getAddr and returns
// resolveAndConstructDialer gets the preferred address using va.getAddr and returns
// the chosen address and dialer for that address and correct port.
func (va *ValidationAuthorityImpl) resolveAndConstructDialer(name string, port int) (dialer, *probs.ProblemDetails) {
func (va *ValidationAuthorityImpl) resolveAndConstructDialer(ctx context.Context, name string, port int) (dialer, *probs.ProblemDetails) {
d := dialer{
record: core.ValidationRecord{
Hostname: name,
@ -127,7 +129,7 @@ func (va *ValidationAuthorityImpl) resolveAndConstructDialer(name string, port i
},
}
addr, allAddrs, err := va.getAddr(name)
addr, allAddrs, err := va.getAddr(ctx, name)
if err != nil {
return d, err
}
@ -138,7 +140,7 @@ func (va *ValidationAuthorityImpl) resolveAndConstructDialer(name string, port i
// Validation methods
func (va *ValidationAuthorityImpl) fetchHTTP(identifier core.AcmeIdentifier, path string, useTLS bool, input core.Challenge) ([]byte, []core.ValidationRecord, *probs.ProblemDetails) {
func (va *ValidationAuthorityImpl) fetchHTTP(ctx context.Context, identifier core.AcmeIdentifier, path string, useTLS bool, input core.Challenge) ([]byte, []core.ValidationRecord, *probs.ProblemDetails) {
challenge := input
host := identifier.Value
@ -176,7 +178,7 @@ func (va *ValidationAuthorityImpl) fetchHTTP(identifier core.AcmeIdentifier, pat
httpRequest.Header["User-Agent"] = []string{va.UserAgent}
}
dialer, prob := va.resolveAndConstructDialer(host, port)
dialer, prob := va.resolveAndConstructDialer(ctx, host, port)
dialer.record.URL = url.String()
validationRecords := []core.ValidationRecord{dialer.record}
if prob != nil {
@ -235,7 +237,7 @@ func (va *ValidationAuthorityImpl) fetchHTTP(identifier core.AcmeIdentifier, pat
reqPort = 80
}
dialer, err := va.resolveAndConstructDialer(reqHost, reqPort)
dialer, err := va.resolveAndConstructDialer(ctx, reqHost, reqPort)
dialer.record.URL = req.URL.String()
validationRecords = append(validationRecords, dialer.record)
if err != nil {
@ -278,8 +280,8 @@ func (va *ValidationAuthorityImpl) fetchHTTP(identifier core.AcmeIdentifier, pat
return body, validationRecords, nil
}
func (va *ValidationAuthorityImpl) validateTLSWithZName(identifier core.AcmeIdentifier, challenge core.Challenge, zName string) ([]core.ValidationRecord, *probs.ProblemDetails) {
addr, allAddrs, problem := va.getAddr(identifier.Value)
func (va *ValidationAuthorityImpl) validateTLSWithZName(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge, zName string) ([]core.ValidationRecord, *probs.ProblemDetails) {
addr, allAddrs, problem := va.getAddr(ctx, identifier.Value)
validationRecords := []core.ValidationRecord{
core.ValidationRecord{
Hostname: identifier.Value,
@ -331,7 +333,7 @@ func (va *ValidationAuthorityImpl) validateTLSWithZName(identifier core.AcmeIden
}
}
func (va *ValidationAuthorityImpl) validateHTTP01(identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
if identifier.Type != core.IdentifierDNS {
va.log.Debug(fmt.Sprintf("%s [%s] Identifier failure", challenge.Type, identifier))
return nil, &probs.ProblemDetails{
@ -342,7 +344,7 @@ func (va *ValidationAuthorityImpl) validateHTTP01(identifier core.AcmeIdentifier
// Perform the fetch
path := fmt.Sprintf(".well-known/acme-challenge/%s", challenge.Token)
body, validationRecords, err := va.fetchHTTP(identifier, path, false, challenge)
body, validationRecords, err := va.fetchHTTP(ctx, identifier, path, false, challenge)
if err != nil {
return validationRecords, err
}
@ -373,7 +375,7 @@ func (va *ValidationAuthorityImpl) validateHTTP01(identifier core.AcmeIdentifier
return validationRecords, nil
}
func (va *ValidationAuthorityImpl) validateTLSSNI01(identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
func (va *ValidationAuthorityImpl) validateTLSSNI01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
if identifier.Type != "dns" {
va.log.Debug(fmt.Sprintf("TLS-SNI [%s] Identifier failure", identifier))
return nil, &probs.ProblemDetails{
@ -388,7 +390,7 @@ func (va *ValidationAuthorityImpl) validateTLSSNI01(identifier core.AcmeIdentifi
Z := hex.EncodeToString(h.Sum(nil))
ZName := fmt.Sprintf("%s.%s.%s", Z[:32], Z[32:], core.TLSSNISuffix)
return va.validateTLSWithZName(identifier, challenge, ZName)
return va.validateTLSWithZName(ctx, identifier, challenge, ZName)
}
// parseHTTPConnError returns the ACME ProblemType corresponding to an error
@ -413,7 +415,7 @@ func parseHTTPConnError(err error) probs.ProblemType {
return probs.ConnectionProblem
}
func (va *ValidationAuthorityImpl) validateDNS01(identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
func (va *ValidationAuthorityImpl) validateDNS01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
if identifier.Type != core.IdentifierDNS {
va.log.Debug(fmt.Sprintf("DNS [%s] Identifier failure", identifier))
return nil, &probs.ProblemDetails{
@ -425,15 +427,16 @@ func (va *ValidationAuthorityImpl) validateDNS01(identifier core.AcmeIdentifier,
// Compute the digest of the key authorization file
h := sha256.New()
h.Write([]byte(challenge.KeyAuthorization.String()))
authorizedKeysDigest := hex.EncodeToString(h.Sum(nil))
authorizedKeysDigest := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
// Look for the required record in the DNS
challengeSubdomain := fmt.Sprintf("%s.%s", core.DNSPrefix, identifier.Value)
txts, err := va.DNSResolver.LookupTXT(challengeSubdomain)
txts, err := va.DNSResolver.LookupTXT(ctx, challengeSubdomain)
if err != nil {
va.log.Debug(fmt.Sprintf("%s [%s] DNS failure: %s", challenge.Type, identifier, err))
return nil, bdns.ProblemDetailsFromDNSError(err)
return nil, bdns.ProblemDetailsFromDNSError("TXT", challengeSubdomain, err)
}
for _, element := range txts {
@ -449,19 +452,19 @@ func (va *ValidationAuthorityImpl) validateDNS01(identifier core.AcmeIdentifier,
}
}
func (va *ValidationAuthorityImpl) checkCAA(identifier core.AcmeIdentifier, regID int64) *probs.ProblemDetails {
func (va *ValidationAuthorityImpl) checkCAA(ctx context.Context, identifier core.AcmeIdentifier, regID int64) *probs.ProblemDetails {
// Check CAA records for the requested identifier
present, valid, err := va.CheckCAARecords(identifier)
present, valid, err := va.checkCAARecords(ctx, identifier)
if err != nil {
va.log.Warning(fmt.Sprintf("Problem checking CAA: %s", err))
return bdns.ProblemDetailsFromDNSError(err)
return bdns.ProblemDetailsFromDNSError("CAA", identifier.Value, err)
}
// AUDIT[ Certificate Requests ] 11917fa4-10ef-4e0d-9105-bacbe7836a3c
va.log.Audit(fmt.Sprintf("Checked CAA records for %s, registration ID %d [Present: %t, Valid for issuance: %t]", identifier.Value, regID, present, valid))
if !valid {
return &probs.ProblemDetails{
Type: probs.ConnectionProblem,
Detail: "CAA check for identifier failed",
Detail: fmt.Sprintf("CAA check for %s failed", identifier.Value),
}
}
return nil
@ -469,7 +472,7 @@ func (va *ValidationAuthorityImpl) checkCAA(identifier core.AcmeIdentifier, regI
// Overall validation process
func (va *ValidationAuthorityImpl) validate(authz core.Authorization, challengeIndex int) {
func (va *ValidationAuthorityImpl) validate(ctx context.Context, authz core.Authorization, challengeIndex int) {
logEvent := verificationRequestEvent{
ID: authz.ID,
Requester: authz.RegistrationID,
@ -477,7 +480,7 @@ func (va *ValidationAuthorityImpl) validate(authz core.Authorization, challengeI
}
challenge := &authz.Challenges[challengeIndex]
vStart := va.clk.Now()
validationRecords, prob := va.validateChallengeAndCAA(authz.Identifier, *challenge, authz.RegistrationID)
validationRecords, prob := va.validateChallengeAndCAA(ctx, authz.Identifier, *challenge, authz.RegistrationID)
va.stats.TimingDuration(fmt.Sprintf("VA.Validations.%s.%s", challenge.Type, challenge.Status), time.Since(vStart), 1.0)
challenge.ValidationRecord = validationRecords
@ -503,13 +506,14 @@ func (va *ValidationAuthorityImpl) validate(authz core.Authorization, challengeI
va.RA.OnValidationUpdate(authz)
}
func (va *ValidationAuthorityImpl) validateChallengeAndCAA(identifier core.AcmeIdentifier, challenge core.Challenge, regID int64) ([]core.ValidationRecord, *probs.ProblemDetails) {
func (va *ValidationAuthorityImpl) validateChallengeAndCAA(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge, regID int64) ([]core.ValidationRecord, *probs.ProblemDetails) {
ch := make(chan *probs.ProblemDetails, 1)
go func() {
ch <- va.checkCAA(identifier, regID)
ch <- va.checkCAA(ctx, identifier, regID)
}()
validationRecords, err := va.validateChallenge(identifier, challenge)
// TODO(#1292): send into another goroutine
validationRecords, err := va.validateChallenge(ctx, identifier, challenge)
if err != nil {
return validationRecords, err
}
@ -521,7 +525,7 @@ func (va *ValidationAuthorityImpl) validateChallengeAndCAA(identifier core.AcmeI
return validationRecords, nil
}
func (va *ValidationAuthorityImpl) validateChallenge(identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
func (va *ValidationAuthorityImpl) validateChallenge(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
if !challenge.IsSane(true) {
return nil, &probs.ProblemDetails{
Type: probs.MalformedProblem,
@ -530,11 +534,11 @@ func (va *ValidationAuthorityImpl) validateChallenge(identifier core.AcmeIdentif
}
switch challenge.Type {
case core.ChallengeTypeHTTP01:
return va.validateHTTP01(identifier, challenge)
return va.validateHTTP01(ctx, identifier, challenge)
case core.ChallengeTypeTLSSNI01:
return va.validateTLSSNI01(identifier, challenge)
return va.validateTLSSNI01(ctx, identifier, challenge)
case core.ChallengeTypeDNS01:
return va.validateDNS01(identifier, challenge)
return va.validateDNS01(ctx, identifier, challenge)
}
return nil, &probs.ProblemDetails{
Type: probs.MalformedProblem,
@ -544,7 +548,8 @@ func (va *ValidationAuthorityImpl) validateChallenge(identifier core.AcmeIdentif
// UpdateValidations runs the validate() method asynchronously using goroutines.
func (va *ValidationAuthorityImpl) UpdateValidations(authz core.Authorization, challengeIndex int) error {
go va.validate(authz, challengeIndex)
// TODO(#1292): add a proper deadline here
go va.validate(context.TODO(), authz, challengeIndex)
return nil
}
@ -591,7 +596,7 @@ func newCAASet(CAAs []*dns.CAA) *CAASet {
return &filtered
}
func (va *ValidationAuthorityImpl) getCAASet(hostname string) (*CAASet, error) {
func (va *ValidationAuthorityImpl) getCAASet(ctx context.Context, hostname string) (*CAASet, error) {
hostname = strings.TrimRight(hostname, ".")
labels := strings.Split(hostname, ".")
// See RFC 6844 "Certification Authority Processing" for pseudocode.
@ -604,7 +609,7 @@ func (va *ValidationAuthorityImpl) getCAASet(hostname string) (*CAASet, error) {
if tld, err := publicsuffix.ICANNTLD(name); err != nil || tld == name {
break
}
CAAs, err := va.DNSResolver.LookupCAA(name)
CAAs, err := va.DNSResolver.LookupCAA(ctx, name)
if err != nil {
return nil, err
}
@ -619,8 +624,13 @@ func (va *ValidationAuthorityImpl) getCAASet(hostname string) (*CAASet, error) {
// CheckCAARecords verifies that, if the indicated subscriber domain has any CAA
// records, they authorize the configured CA domain to issue a certificate
func (va *ValidationAuthorityImpl) CheckCAARecords(identifier core.AcmeIdentifier) (present, valid bool, err error) {
// TODO(#1292): add a proper deadline here
return va.checkCAARecords(context.TODO(), identifier)
}
func (va *ValidationAuthorityImpl) checkCAARecords(ctx context.Context, identifier core.AcmeIdentifier) (present, valid bool, err error) {
hostname := strings.ToLower(identifier.Value)
caaSet, err := va.getCAASet(hostname)
caaSet, err := va.getCAASet(ctx, hostname)
if err != nil {
return
}
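Review bot: validateDNS01 now compares TXT records against the `base64.RawURLEncoding` form of the SHA-256 digest instead of hex, but the comment above it, `// Compute the digest of the key authorization file`, does not say which encoding the record must carry, so a client still publishing the hex form fails with an opaque mismatch; extending it to `// The TXT record must hold the unpadded base64url (RawURLEncoding) form of this digest; hex digests are no longer accepted.` documents the protocol change at the point it is enforced. validateDNS01 continues past the end of its hunk. As a smaller point of style, getAddr returns `net.IP{}` on both error paths where `nil` would follow the convention that results are meaningless when a problem is returned and would let callers test `addr == nil`.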


@ -28,6 +28,7 @@ import (
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/net/context"
"github.com/letsencrypt/boulder/bdns"
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/probs"
@ -122,7 +123,7 @@ func httpSrv(t *testing.T, token string) *httptest.Server {
test.AssertNotError(t, err, "failed to get server test port")
http.Redirect(w, r, fmt.Sprintf("http://other.valid:%d/path", port), 302)
} else if strings.HasSuffix(r.URL.Path, pathReLookupInvalid) {
t.Logf("HTTPSRV: Got a redirect req to a invalid hostname\n")
t.Logf("HTTPSRV: Got a redirect req to an invalid hostname\n")
http.Redirect(w, r, "http://invalid.invalid/path", 302)
} else if strings.HasSuffix(r.URL.Path, pathLooper) {
t.Logf("HTTPSRV: Got a loop req\n")
@ -223,7 +224,7 @@ func TestHTTP(t *testing.T) {
va := NewValidationAuthorityImpl(&PortConfig{HTTPPort: badPort}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
_, prob := va.validateHTTP01(ident, chall)
_, prob := va.validateHTTP01(context.Background(), ident, chall)
if prob == nil {
t.Fatalf("Server's down; expected refusal. Where did we connect?")
}
@ -234,7 +235,7 @@ func TestHTTP(t *testing.T) {
log.Clear()
t.Logf("Trying to validate: %+v\n", chall)
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob != nil {
t.Errorf("Unexpected failure in HTTP validation: %s", prob)
}
@ -242,7 +243,7 @@ func TestHTTP(t *testing.T) {
log.Clear()
setChallengeToken(&chall, path404)
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob == nil {
t.Fatalf("Should have found a 404 for the challenge.")
}
@ -253,7 +254,7 @@ func TestHTTP(t *testing.T) {
setChallengeToken(&chall, pathWrongToken)
// The "wrong token" will actually be the expectedToken. It's wrong
// because it doesn't match pathWrongToken.
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob == nil {
t.Fatalf("Should have found the wrong token value.")
}
@ -262,7 +263,7 @@ func TestHTTP(t *testing.T) {
log.Clear()
setChallengeToken(&chall, pathMoved)
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob != nil {
t.Fatalf("Failed to follow 301 redirect")
}
@ -270,7 +271,7 @@ func TestHTTP(t *testing.T) {
log.Clear()
setChallengeToken(&chall, pathFound)
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob != nil {
t.Fatalf("Failed to follow 302 redirect")
}
@ -278,13 +279,13 @@ func TestHTTP(t *testing.T) {
test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/`+pathMoved+`" to ".*/`+pathValid+`"`)), 1)
ipIdentifier := core.AcmeIdentifier{Type: core.IdentifierType("ip"), Value: "127.0.0.1"}
_, prob = va.validateHTTP01(ipIdentifier, chall)
_, prob = va.validateHTTP01(context.Background(), ipIdentifier, chall)
if prob == nil {
t.Fatalf("IdentifierType IP shouldn't have worked.")
}
test.AssertEquals(t, prob.Type, probs.MalformedProblem)
_, prob = va.validateHTTP01(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "always.invalid"}, chall)
_, prob = va.validateHTTP01(context.Background(), core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "always.invalid"}, chall)
if prob == nil {
t.Fatalf("Domain name is invalid.")
}
@ -292,7 +293,7 @@ func TestHTTP(t *testing.T) {
setChallengeToken(&chall, pathWaitLong)
started := time.Now()
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
took := time.Since(started)
// Check that the HTTP connection times out after 5 seconds and doesn't block for 10 seconds
test.Assert(t, (took > (time.Second * 5)), "HTTP timed out before 5 seconds")
@ -318,7 +319,7 @@ func TestHTTPRedirectLookup(t *testing.T) {
log.Clear()
setChallengeToken(&chall, pathMoved)
_, prob := va.validateHTTP01(ident, chall)
_, prob := va.validateHTTP01(context.Background(), ident, chall)
if prob != nil {
t.Fatalf("Unexpected failure in redirect (%s): %s", pathMoved, prob)
}
@ -327,7 +328,7 @@ func TestHTTPRedirectLookup(t *testing.T) {
log.Clear()
setChallengeToken(&chall, pathFound)
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob != nil {
t.Fatalf("Unexpected failure in redirect (%s): %s", pathFound, prob)
}
@ -337,14 +338,14 @@ func TestHTTPRedirectLookup(t *testing.T) {
log.Clear()
setChallengeToken(&chall, pathReLookupInvalid)
_, err = va.validateHTTP01(ident, chall)
_, err = va.validateHTTP01(context.Background(), ident, chall)
test.AssertError(t, err, chall.Token)
test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1)
test.AssertEquals(t, len(log.GetAllMatching(`No IPv4 addresses found for invalid.invalid`)), 1)
log.Clear()
setChallengeToken(&chall, pathReLookup)
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob != nil {
t.Fatalf("Unexpected error in redirect (%s): %s", pathReLookup, prob)
}
@ -354,7 +355,7 @@ func TestHTTPRedirectLookup(t *testing.T) {
log.Clear()
setChallengeToken(&chall, pathRedirectPort)
_, err = va.validateHTTP01(ident, chall)
_, err = va.validateHTTP01(context.Background(), ident, chall)
test.AssertError(t, err, chall.Token)
test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/port-redirect" to ".*other.valid:8080/path"`)), 1)
test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1)
@ -375,7 +376,7 @@ func TestHTTPRedirectLoop(t *testing.T) {
va.DNSResolver = &mocks.DNSResolver{}
log.Clear()
_, prob := va.validateHTTP01(ident, chall)
_, prob := va.validateHTTP01(context.Background(), ident, chall)
if prob == nil {
t.Fatalf("Challenge should have failed for %s", chall.Token)
}
@ -396,13 +397,13 @@ func TestHTTPRedirectUserAgent(t *testing.T) {
va.UserAgent = rejectUserAgent
setChallengeToken(&chall, pathMoved)
_, prob := va.validateHTTP01(ident, chall)
_, prob := va.validateHTTP01(context.Background(), ident, chall)
if prob == nil {
t.Fatalf("Challenge with rejectUserAgent should have failed (%s).", pathMoved)
}
setChallengeToken(&chall, pathFound)
_, prob = va.validateHTTP01(ident, chall)
_, prob = va.validateHTTP01(context.Background(), ident, chall)
if prob == nil {
t.Fatalf("Challenge with rejectUserAgent should have failed (%s).", pathFound)
}
@ -437,14 +438,14 @@ func TestTLSSNI(t *testing.T) {
va.DNSResolver = &mocks.DNSResolver{}
log.Clear()
_, prob := va.validateTLSSNI01(ident, chall)
_, prob := va.validateTLSSNI01(context.Background(), ident, chall)
if prob != nil {
t.Fatalf("Unexpected failre in validateTLSSNI01: %s", prob)
}
test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1)
log.Clear()
_, prob = va.validateTLSSNI01(core.AcmeIdentifier{
_, prob = va.validateTLSSNI01(context.Background(), core.AcmeIdentifier{
Type: core.IdentifierType("ip"),
Value: net.JoinHostPort("127.0.0.1", fmt.Sprintf("%d", port)),
}, chall)
@ -454,7 +455,7 @@ func TestTLSSNI(t *testing.T) {
test.AssertEquals(t, prob.Type, probs.MalformedProblem)
log.Clear()
_, prob = va.validateTLSSNI01(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "always.invalid"}, chall)
_, prob = va.validateTLSSNI01(context.Background(), core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "always.invalid"}, chall)
if prob == nil {
t.Fatalf("Domain name was supposed to be invalid.")
}
@ -467,7 +468,7 @@ func TestTLSSNI(t *testing.T) {
log.Clear()
started := time.Now()
_, prob = va.validateTLSSNI01(ident, chall)
_, prob = va.validateTLSSNI01(context.Background(), ident, chall)
took := time.Since(started)
// Check that the HTTP connection times out after 5 seconds and doesn't block for 10 seconds
test.Assert(t, (took > (time.Second * 5)), "HTTP timed out before 5 seconds")
@ -480,7 +481,7 @@ func TestTLSSNI(t *testing.T) {
// Take down validation server and check that validation fails.
hs.Close()
_, err = va.validateTLSSNI01(ident, chall)
_, err = va.validateTLSSNI01(context.Background(), ident, chall)
if err == nil {
t.Fatalf("Server's down; expected refusal. Where did we connect?")
}
@ -508,7 +509,7 @@ func TestTLSError(t *testing.T) {
va := NewValidationAuthorityImpl(&PortConfig{TLSPort: port}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
_, prob := va.validateTLSSNI01(ident, chall)
_, prob := va.validateTLSSNI01(context.Background(), ident, chall)
if prob == nil {
t.Fatalf("TLS validation should have failed: What cert was used?")
}
@ -537,7 +538,7 @@ func TestValidateHTTP(t *testing.T) {
Identifier: ident,
Challenges: []core.Challenge{chall},
}
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
test.AssertEquals(t, core.StatusValid, mockRA.lastAuthz.Challenges[0].Status)
}
@ -592,7 +593,7 @@ func TestValidateTLSSNI01(t *testing.T) {
Identifier: ident,
Challenges: []core.Challenge{chall},
}
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
test.AssertEquals(t, core.StatusValid, mockRA.lastAuthz.Challenges[0].Status)
}
@ -614,7 +615,7 @@ func TestValidateTLSSNINotSane(t *testing.T) {
Identifier: ident,
Challenges: []core.Challenge{chall},
}
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
test.AssertEquals(t, core.StatusInvalid, mockRA.lastAuthz.Challenges[0].Status)
}
@ -651,13 +652,13 @@ func TestCAATimeout(t *testing.T) {
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
va.IssuerDomain = "letsencrypt.org"
err := va.checkCAA(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "caa-timeout.com"}, 101)
err := va.checkCAA(context.Background(), core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "caa-timeout.com"}, 101)
if err.Type != probs.ConnectionProblem {
t.Errorf("Expected timeout error type %s, got %s", probs.ConnectionProblem, err.Type)
}
expected := "DNS query timed out"
expected := "DNS query timed out during CAA-record lookup of caa-timeout.com"
if err.Detail != expected {
t.Errorf("checkCAA: got %s, expected %s", err.Detail, expected)
t.Errorf("checkCAA: got %#v, expected %#v", err.Detail, expected)
}
}
@ -724,7 +725,7 @@ func TestDNSValidationFailure(t *testing.T) {
Identifier: ident,
Challenges: []core.Challenge{chalDNS},
}
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
t.Logf("Resulting Authz: %+v", authz)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
@ -753,7 +754,7 @@ func TestDNSValidationInvalid(t *testing.T) {
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.")
@ -781,7 +782,7 @@ func TestDNSValidationNotSane(t *testing.T) {
}
for i := 0; i < len(authz.Challenges); i++ {
va.validate(authz, i)
va.validate(context.Background(), authz, i)
test.AssertEquals(t, authz.Challenges[i].Status, core.StatusInvalid)
test.AssertEquals(t, authz.Challenges[i].Error.Type, probs.MalformedProblem)
}
@ -806,7 +807,7 @@ func TestDNSValidationServFail(t *testing.T) {
Identifier: badIdent,
Challenges: []core.Challenge{chalDNS},
}
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.")
@ -817,7 +818,7 @@ func TestDNSValidationNoServer(t *testing.T) {
c, _ := statsd.NewNoopClient()
stats := metrics.NewNoopScope()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, c, clock.Default())
va.DNSResolver = bdns.NewTestDNSResolverImpl(time.Second*5, []string{}, stats)
va.DNSResolver = bdns.NewTestDNSResolverImpl(time.Second*5, []string{}, stats, clock.Default(), 1)
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -829,15 +830,46 @@ func TestDNSValidationNoServer(t *testing.T) {
Identifier: ident,
Challenges: []core.Challenge{chalDNS},
}
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.")
test.AssertEquals(t, authz.Challenges[0].Error.Type, probs.ConnectionProblem)
}
func TestDNSValidationOK(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
// create a challenge with well known token
chalDNS := core.DNSChallenge01(accountKey)
chalDNS.Token = expectedToken
keyAuthorization, _ := core.NewKeyAuthorization(chalDNS.Token, accountKey)
chalDNS.KeyAuthorization = &keyAuthorization
goodIdent := core.AcmeIdentifier{
Type: core.IdentifierDNS,
Value: "good-dns01.com",
}
var authz = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: goodIdent,
Challenges: []core.Challenge{chalDNS},
}
va.validate(context.Background(), authz, 0)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
test.Assert(t, authz.Challenges[0].Status == core.StatusValid, "Should be valid.")
}
// TestDNSValidationLive is an integration test, depending on
// the existance of some Internet resources. Because of that,
// the existence of some Internet resources. Because of that,
// it asserts nothing; it is intended for coverage.
func TestDNSValidationLive(t *testing.T) {
stats, _ := statsd.NewNoopClient()
@ -847,8 +879,9 @@ func TestDNSValidationLive(t *testing.T) {
va.RA = mockRA
goodChalDNS := core.DNSChallenge01(accountKey)
// This token is set at _acme-challenge.good.bin.coffee
goodChalDNS.Token = "yfCBb-bRTLz8Wd1C0lTUQK3qlKj3-t2tYGwx5Hj7r_w"
// The matching value LPsIwTo7o8BoG0-vjCyGQGBWSVIPxI-i_X336eUOQZo
// is set at _acme-challenge.good.bin.coffee
goodChalDNS.Token = expectedToken
var goodIdent = core.AcmeIdentifier{
Type: core.IdentifierDNS,
@ -867,14 +900,14 @@ func TestDNSValidationLive(t *testing.T) {
Challenges: []core.Challenge{goodChalDNS},
}
va.validate(authzGood, 0)
va.validate(context.Background(), authzGood, 0)
if authzGood.Challenges[0].Status != core.StatusValid {
t.Logf("TestDNSValidationLive on Good did not succeed.")
}
badChalDNS := core.DNSChallenge01(accountKey)
// This token is NOT set at _acme-challenge.bad.bin.coffee
// The matching value is NOT set at _acme-challenge.bad.bin.coffee
badChalDNS.Token = "yfCBb-bRTLz8Wd1C0lTUQK3qlKj3-t2tYGwx5Hj7r_w"
var authzBad = core.Authorization{
@ -884,7 +917,7 @@ func TestDNSValidationLive(t *testing.T) {
Challenges: []core.Challenge{badChalDNS},
}
va.validate(authzBad, 0)
va.validate(context.Background(), authzBad, 0)
if authzBad.Challenges[0].Status != core.StatusInvalid {
t.Logf("TestDNSValidationLive on Bad did succeed inappropriately.")
}
@ -911,7 +944,7 @@ func TestCAAFailure(t *testing.T) {
Identifier: ident,
Challenges: []core.Challenge{chall},
}
va.validate(authz, 0)
va.validate(context.Background(), authz, 0)
test.AssertEquals(t, core.StatusInvalid, mockRA.lastAuthz.Challenges[0].Status)
}


@ -107,16 +107,6 @@ func NewWebFrontEndImpl(stats statsd.Statter, clk clock.Clock) (WebFrontEndImpl,
}, nil
}
// BodylessResponseWriter wraps http.ResponseWriter, discarding
// anything written to the body.
type BodylessResponseWriter struct {
http.ResponseWriter
}
func (mrw BodylessResponseWriter) Write(buf []byte) (int, error) {
return len(buf), nil
}
// HandleFunc registers a handler at the given path. It's
// http.HandleFunc(), but with a wrapper around the handler that
// provides some generic per-request functionality:
@ -157,10 +147,9 @@ func (wfe *WebFrontEndImpl) HandleFunc(mux *http.ServeMux, pattern string, h wfe
switch request.Method {
case "HEAD":
// Whether or not we're sending a 405 error,
// we should comply with HTTP spec by not
// sending a body.
response = BodylessResponseWriter{response}
// Go's net/http (and httptest) servers will strip our the body
// of responses for us. This keeps the Content-Length for HEAD
// requests as the same as GET requests per the spec.
case "OPTIONS":
wfe.Options(response, request, methodsStr, methodsMap)
return
@ -296,7 +285,7 @@ const (
// the key in the JWS headers, and return the key plus a dummy registration if
// successful. If a caller passes regCheck = false, it should plan on validating
// the key itself. verifyPOST also appends its errors to requestEvent.Errors so
// code calling it does not need to if they imediately return a response to the
// code calling it does not need to if they immediately return a response to the
// user.
func (wfe *WebFrontEndImpl) verifyPOST(logEvent *requestEvent, request *http.Request, regCheck bool, resource core.AcmeResource) ([]byte, *jose.JsonWebKey, core.Registration, *probs.ProblemDetails) {
// TODO: We should return a pointer to a registration, which can be nil,
@ -608,7 +597,7 @@ func (wfe *WebFrontEndImpl) NewAuthorization(logEvent *requestEvent, response ht
// RevokeCertificate is used by clients to request the revocation of a cert.
func (wfe *WebFrontEndImpl) RevokeCertificate(logEvent *requestEvent, response http.ResponseWriter, request *http.Request) {
// We don't ask verifyPOST to verify there is a correponding registration,
// We don't ask verifyPOST to verify there is a corresponding registration,
// because anyone with the right private key can revoke a certificate.
body, requestKey, registration, prob := wfe.verifyPOST(logEvent, request, false, core.ResourceRevokeCert)
if prob != nil {
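Review bot: The replacement comment in the `HEAD` case (hunk `@ -157,10 +147,9 @@`) has a typo, `strip our the body`, and does not say that the case is now deliberately empty so a HEAD request leaves the switch and is served by the same path as GET below; suggest `// Go's net/http server discards the body of HEAD responses itself, so no wrapper is needed here and HEAD is handled like GET below (Content-Length still reflects the body the handler wrote).` It would also help to note in the comment that httptest.ResponseRecorder does not do this, which appears to be why the HEAD body-length check in web-front-end_test.go goes through httptest.NewServer rather than a recorder. The enclosing HandleFunc starts and ends outside the hunk.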


@ -19,6 +19,7 @@ import (
"net/http/httptest"
"net/url"
"sort"
"strconv"
"strings"
"testing"
"time"
@ -327,7 +328,7 @@ func TestHandleFunc(t *testing.T) {
test.AssertEquals(t, rw.Code, http.StatusMethodNotAllowed)
test.AssertEquals(t, rw.Header().Get("Content-Type"), "application/problem+json")
test.AssertEquals(t, rw.Header().Get("Allow"), "POST")
test.AssertEquals(t, rw.Body.String(), "")
test.AssertEquals(t, rw.Body.String(), `{"type":"urn:acme:error:malformed","detail":"Method not allowed","status":405}`)
wfe.AllowOrigins = []string{"*"}
testOrigin := "https://example.com"
@ -605,7 +606,7 @@ func TestIssueCertificate(t *testing.T) {
responseWriter.Body.String(),
`{"type":"urn:acme:error:malformed","detail":"Error unmarshaling certificate request","status":400}`)
// Valid, signed JWS body, payload has a invalid signature on CSR and no authorizations:
// Valid, signed JWS body, payload has an invalid signature on CSR and no authorizations:
// alias b64url="base64 -w0 | sed -e 's,+,-,g' -e 's,/,_,g'"
// openssl req -outform der -new -nodes -key wfe/test/178.key -subj /CN=foo.com | \
// sed 's/foo.com/fob.com/' | b64url
@ -1400,6 +1401,34 @@ func TestBadKeyCSR(t *testing.T) {
`{"type":"urn:acme:error:malformed","detail":"Invalid key in certificate request :: Key too small: 512","status":400}`)
}
// This uses httptest.NewServer because ServeMux.ServeHTTP won't prevent the
// body from being sent like the net/http Server's actually do.
func TestGetCertificateHEADHasCorrectBodyLength(t *testing.T) {
wfe, _ := setupWFE(t)
certPemBytes, _ := ioutil.ReadFile("test/178.crt")
certBlock, _ := pem.Decode(certPemBytes)
mockLog := wfe.log.SyslogWriter.(*mocks.SyslogWriter)
mockLog.Clear()
mux, _ := wfe.Handler()
s := httptest.NewServer(mux)
req, _ := http.NewRequest("HEAD", s.URL+"/acme/cert/0000000000000000000000000000000000b2", nil)
resp, err := http.DefaultClient.Do(req)
if err != nil {
test.AssertNotError(t, err, "do error")
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
test.AssertNotEquals(t, err, "readall error")
}
defer resp.Body.Close()
test.AssertEquals(t, resp.StatusCode, 200)
test.AssertEquals(t, strconv.Itoa(len(certBlock.Bytes)), resp.Header.Get("Content-Length"))
test.AssertEquals(t, 0, len(body))
}
func newRequestEvent() *requestEvent {
return &requestEvent{Extra: make(map[string]interface{})}
}
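Review bot: In TestGetCertificateHEADHasCorrectBodyLength the ReadAll error check can never fail: `test.AssertNotEquals(t, err, "readall error")` compares an error value against a string, so it always passes, and it should read `test.AssertNotError(t, err, "readall error")` (the `if err != nil` wrappers around both assertions are redundant, since the Assert helper already checks err). The server started with `httptest.NewServer(mux)` is never shut down, so `defer s.Close()` belongs on the line after it, and `defer resp.Body.Close()` should move up to directly after the Do error check instead of after the body has already been read. The `_`-discarded errors from ReadFile, pem.Decode and Handler mean a missing or malformed test/178.crt surfaces as a nil-pointer panic at `certBlock.Bytes` rather than a test failure; a `test.AssertNotError` on each would make the failure mode clear.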