va: move remaining http code to http.go
This moves some code and constants only used for HTTP-01 from `va.go` to `http.go`.
This commit is contained in:
parent
c2ad80f774
commit
f96ad92e76
41
va/http.go
41
va/http.go
|
@ -10,6 +10,7 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/letsencrypt/boulder/core"
|
"github.com/letsencrypt/boulder/core"
|
||||||
|
@ -18,6 +19,21 @@ import (
|
||||||
"github.com/letsencrypt/boulder/probs"
|
"github.com/letsencrypt/boulder/probs"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// maxRedirect is the maximum number of redirects the VA will follow
|
||||||
|
// processing an HTTP-01 challenge.
|
||||||
|
maxRedirect = 10
|
||||||
|
// maxResponseSize holds the maximum number of bytes that will be read from an
|
||||||
|
// HTTP-01 challenge response. The expected payload should be ~87 bytes. Since
|
||||||
|
// it may be padded by whitespace which we previously allowed accept up to 128
|
||||||
|
// bytes before rejecting a response (32 byte b64 encoded token + . + 32 byte
|
||||||
|
// b64 encoded key fingerprint)
|
||||||
|
maxResponseSize = 128
|
||||||
|
// whitespaceCutset is the set of characters trimmed from the right of an
|
||||||
|
// HTTP-01 key authorization response.
|
||||||
|
whitespaceCutset = "\n\r\t "
|
||||||
|
)
|
||||||
|
|
||||||
// preresolvedDialer is a struct type that provides a DialContext function which
|
// preresolvedDialer is a struct type that provides a DialContext function which
|
||||||
// will connect to the provided IP and port instead of letting DNS resolve
|
// will connect to the provided IP and port instead of letting DNS resolve
|
||||||
// The hostname of the preresolvedDialer is used to ensure the dial only completes
|
// The hostname of the preresolvedDialer is used to ensure the dial only completes
|
||||||
|
@ -580,3 +596,28 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
|
||||||
}
|
}
|
||||||
return body, records, nil
|
return body, records, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
|
||||||
|
if identifier.Type != core.IdentifierDNS {
|
||||||
|
va.log.Infof("Got non-DNS identifier for HTTP validation: %s", identifier)
|
||||||
|
return nil, probs.Malformed("Identifier type for HTTP validation was not DNS")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Perform the fetch
|
||||||
|
path := fmt.Sprintf(".well-known/acme-challenge/%s", challenge.Token)
|
||||||
|
body, validationRecords, prob := va.fetchHTTP(ctx, identifier.Value, "/"+path)
|
||||||
|
if prob != nil {
|
||||||
|
return validationRecords, prob
|
||||||
|
}
|
||||||
|
|
||||||
|
payload := strings.TrimRight(string(body), whitespaceCutset)
|
||||||
|
|
||||||
|
if payload != challenge.ProvidedKeyAuthorization {
|
||||||
|
problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
|
||||||
|
challenge.ProvidedKeyAuthorization, payload)
|
||||||
|
va.log.Infof("%s for %s", problem.Detail, identifier)
|
||||||
|
return validationRecords, problem
|
||||||
|
}
|
||||||
|
|
||||||
|
return validationRecords, nil
|
||||||
|
}
|
||||||
|
|
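Review bot: In the moved `validateHTTP01`, `payload` is content returned by the remote server and is formatted with `%v` into both the Unauthorized problem detail and the following `va.log.Infof("%s for %s", problem.Detail, identifier)`, so embedded newlines or other control characters survive (`strings.TrimRight` with `whitespaceCutset` only strips trailing whitespace) and land verbatim in the problem document and the log line. The constants added earlier in this file document `maxResponseSize` as a 128-byte cap on what is read, so the exposure is log-line forging and unreadable error details rather than resource exhaustion, but quoting the untrusted half is cheap: `problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%q]", challenge.ProvidedKeyAuthorization, payload)`. This is pre-existing behaviour carried over from va.go rather than introduced by the move; whether the exact detail string is pinned by tests or parsed by clients should be checked before changing it. `fetchHTTP`, which presumably enforces the size limit, is defined outside this hunk.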
32
va/va.go
32
va/va.go
|
@ -37,13 +37,6 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
maxRedirect = 10
|
|
||||||
whitespaceCutset = "\n\r\t "
|
|
||||||
// Payload should be ~87 bytes. Since it may be padded by whitespace which we previously
|
|
||||||
// allowed accept up to 128 bytes before rejecting a response
|
|
||||||
// (32 byte b64 encoded token + . + 32 byte b64 encoded key fingerprint)
|
|
||||||
maxResponseSize = 128
|
|
||||||
|
|
||||||
// ALPN protocol ID for TLS-ALPN-01 challenge
|
// ALPN protocol ID for TLS-ALPN-01 challenge
|
||||||
// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2
|
// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2
|
||||||
ACMETLS1Protocol = "acme-tls/1"
|
ACMETLS1Protocol = "acme-tls/1"
|
||||||
|
@ -385,31 +378,6 @@ func (va *ValidationAuthorityImpl) tlsDial(ctx context.Context, hostPort string,
|
||||||
return conn, nil
|
return conn, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
|
|
||||||
if identifier.Type != core.IdentifierDNS {
|
|
||||||
va.log.Infof("Got non-DNS identifier for HTTP validation: %s", identifier)
|
|
||||||
return nil, probs.Malformed("Identifier type for HTTP validation was not DNS")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Perform the fetch
|
|
||||||
path := fmt.Sprintf(".well-known/acme-challenge/%s", challenge.Token)
|
|
||||||
body, validationRecords, prob := va.fetchHTTP(ctx, identifier.Value, "/"+path)
|
|
||||||
if prob != nil {
|
|
||||||
return validationRecords, prob
|
|
||||||
}
|
|
||||||
|
|
||||||
payload := strings.TrimRight(string(body), whitespaceCutset)
|
|
||||||
|
|
||||||
if payload != challenge.ProvidedKeyAuthorization {
|
|
||||||
problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
|
|
||||||
challenge.ProvidedKeyAuthorization, payload)
|
|
||||||
va.log.Infof("%s for %s", problem.Detail, identifier)
|
|
||||||
return validationRecords, problem
|
|
||||||
}
|
|
||||||
|
|
||||||
return validationRecords, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
|
func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
|
||||||
if identifier.Type != "dns" {
|
if identifier.Type != "dns" {
|
||||||
va.log.Info(fmt.Sprintf("Identifier type for TLS-ALPN-01 was not DNS: %s", identifier))
|
va.log.Info(fmt.Sprintf("Identifier type for TLS-ALPN-01 was not DNS: %s", identifier))
|
||||||
|
|