Issue #11: Basic DNS Challenge support

2015-06-13 09:36:35 -05:00 · 2015-06-13 09:36:35 -05:00 · cc97492a54
parent 01c41c1bd0
commit cc97492a54
5 changed files with 63 additions and 0 deletions
--- a/core/challenges.go
+++ b/core/challenges.go
@ -38,3 +38,11 @@ func DvsniChallenge() Challenge {
 		Nonce:  hex.EncodeToString(nonce),
 	}
 }
+
+func DNSChallenge() Challenge {
+	return Challenge{
+		Type:   ChallengeTypeDNS,
+		Status: StatusPending,
+		Token:  NewToken(),
+	}
+}
--- a/core/objects.go
+++ b/core/objects.go
@ -265,6 +265,20 @@ func (ch Challenge) IsSane(completed bool) bool {
 				return false
 			}
 		}
+	case ChallengeTypeDNS:
+		// check extra fields aren't used
+		if ch.R != "" || ch.S != "" || ch.Nonce != "" || ch.TLS != nil {
+			return false
+		}
+
+		// check token is present, corrent length, and contains b64 encoded string
+		if ch.Token == "" || len(ch.Token) != 43 {
+			return false
+		}
+		if _, err := B64dec(ch.Token); err != nil {
+			return false
+		}
+
 	default:
 		return false
 	}
--- a/policy/policy-authority.go
+++ b/policy/policy-authority.go
@ -145,10 +145,12 @@ func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier) (cha
 	challenges = []core.Challenge{
 		core.SimpleHTTPChallenge(),
 		core.DvsniChallenge(),
+		core.DNSChallenge(),
 	}
 	combinations = [][]int{
 		[]int{0},
 		[]int{1},
+		[]int{2},
 	}
 	return
 }
--- a/va/validation-authority.go
+++ b/va/validation-authority.go
@ -191,6 +191,38 @@ func (va ValidationAuthorityImpl) validateDvsni(identifier core.AcmeIdentifier,
 	return challenge, err
 }

+func (va ValidationAuthorityImpl) validateDNS(identifier core.AcmeIdentifier, input core.Challenge) (core.Challenge, error) {
+	challenge := input
+
+	if identifier.Type != core.IdentifierDNS {
+		challenge.Status = core.StatusInvalid
+		err := fmt.Errorf("Identifier type for DNS was not itself DNS")
+		return challenge, err
+	}
+
+	const DNSPrefix = "_acme-challenge"
+
+	challengeSubdomain := fmt.Sprintf("%s.%s", DNSPrefix, identifier.Value)
+	txts, err := net.LookupTXT(challengeSubdomain)
+
+	if err != nil {
+		challenge.Status = core.StatusInvalid
+		return challenge, err
+	}
+
+	byteToken := []byte(challenge.Token)
+	for _, element := range txts {
+		if subtle.ConstantTimeCompare([]byte(element), byteToken) == 1 {
+			challenge.Status = core.StatusValid
+			return challenge, nil
+		}
+	}
+
+	err = fmt.Errorf("Correct value not found for DNS challenge")
+	challenge.Status = core.StatusInvalid
+	return challenge, err
+}
+
 // Overall validation process

 func (va ValidationAuthorityImpl) validate(authz core.Authorization, challengeIndex int) {
@ -216,6 +248,9 @@ func (va ValidationAuthorityImpl) validate(authz core.Authorization, challengeIn
 		case core.ChallengeTypeDVSNI:
 			authz.Challenges[challengeIndex], err = va.validateDvsni(authz.Identifier, authz.Challenges[challengeIndex])
 			break
+		case core.ChallengeTypeDNS:
+			authz.Challenges[challengeIndex], err = va.validateDNS(authz.Identifier, authz.Challenges[challengeIndex])
+			break
 		}

 		logEvent.Challenge = authz.Challenges[challengeIndex]
--- a/va/validation-authority_test.go
+++ b/va/validation-authority_test.go
@ -437,6 +437,10 @@ func TestCAAChecking(t *testing.T) {
 	test.Assert(t, !valid, "Valid should be false")
 }

+func TestDNSValidation(t *testing.T) {
+	t.Skip("DNS not yet implemented.")
+}
+
 type MockRegistrationAuthority struct {
 	lastAuthz *core.Authorization
 }