letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

va: move remaining http code to http.go 

This moves some code and constants only used for HTTP-01 from `va.go` to
`http.go`.
This commit is contained in:
Daniel 2019-04-19 10:43:51 -04:00
parent c2ad80f774
commit f96ad92e76
No known key found for this signature in database
GPG Key ID: 08FB2BFC470E75B4
2 changed files with 41 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
va/http.go
View File

@ -10,6 +10,7 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
"strings"
"time" "time"
"github.com/letsencrypt/boulder/core" "github.com/letsencrypt/boulder/core"
@ -18,6 +19,21 @@ import (
"github.com/letsencrypt/boulder/probs" "github.com/letsencrypt/boulder/probs"
) )
const (
// maxRedirect is the maximum number of redirects the VA will follow
// processing an HTTP-01 challenge.
maxRedirect = 10
// maxResponseSize holds the maximum number of bytes that will be read from an
// HTTP-01 challenge response. The expected payload should be ~87 bytes. Since
// it may be padded by whitespace which we previously allowed accept up to 128
// bytes before rejecting a response (32 byte b64 encoded token + . + 32 byte
// b64 encoded key fingerprint)
maxResponseSize = 128
// whitespaceCutset is the set of characters trimmed from the right of an
// HTTP-01 key authorization response.
whitespaceCutset = "\n\r\t "
)
// preresolvedDialer is a struct type that provides a DialContext function which // preresolvedDialer is a struct type that provides a DialContext function which
// will connect to the provided IP and port instead of letting DNS resolve // will connect to the provided IP and port instead of letting DNS resolve
// The hostname of the preresolvedDialer is used to ensure the dial only completes // The hostname of the preresolvedDialer is used to ensure the dial only completes
@ -580,3 +596,28 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
} }
return body, records, nil return body, records, nil
} }
func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
if identifier.Type != core.IdentifierDNS {
va.log.Infof("Got non-DNS identifier for HTTP validation: %s", identifier)
return nil, probs.Malformed("Identifier type for HTTP validation was not DNS")
}
// Perform the fetch
path := fmt.Sprintf(".well-known/acme-challenge/%s", challenge.Token)
body, validationRecords, prob := va.fetchHTTP(ctx, identifier.Value, "/"+path)
if prob != nil {
return validationRecords, prob
}
payload := strings.TrimRight(string(body), whitespaceCutset)
if payload != challenge.ProvidedKeyAuthorization {
problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
challenge.ProvidedKeyAuthorization, payload)
va.log.Infof("%s for %s", problem.Detail, identifier)
return validationRecords, problem
}
return validationRecords, nil
}

32
va/va.go
View File

@ -37,13 +37,6 @@ import (
) )
const ( const (
maxRedirect = 10
whitespaceCutset = "\n\r\t "
// Payload should be ~87 bytes. Since it may be padded by whitespace which we previously
// allowed accept up to 128 bytes before rejecting a response
// (32 byte b64 encoded token + . + 32 byte b64 encoded key fingerprint)
maxResponseSize = 128
// ALPN protocol ID for TLS-ALPN-01 challenge // ALPN protocol ID for TLS-ALPN-01 challenge
// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2 // https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2
ACMETLS1Protocol = "acme-tls/1" ACMETLS1Protocol = "acme-tls/1"
@ -385,31 +378,6 @@ func (va *ValidationAuthorityImpl) tlsDial(ctx context.Context, hostPort string,
return conn, nil return conn, nil
} }
func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
if identifier.Type != core.IdentifierDNS {
va.log.Infof("Got non-DNS identifier for HTTP validation: %s", identifier)
return nil, probs.Malformed("Identifier type for HTTP validation was not DNS")
}
// Perform the fetch
path := fmt.Sprintf(".well-known/acme-challenge/%s", challenge.Token)
body, validationRecords, prob := va.fetchHTTP(ctx, identifier.Value, "/"+path)
if prob != nil {
return validationRecords, prob
}
payload := strings.TrimRight(string(body), whitespaceCutset)
if payload != challenge.ProvidedKeyAuthorization {
problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
challenge.ProvidedKeyAuthorization, payload)
va.log.Infof("%s for %s", problem.Detail, identifier)
return validationRecords, problem
}
return validationRecords, nil
}
func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) { func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
if identifier.Type != "dns" { if identifier.Type != "dns" {
va.log.Info(fmt.Sprintf("Identifier type for TLS-ALPN-01 was not DNS: %s", identifier)) va.log.Info(fmt.Sprintf("Identifier type for TLS-ALPN-01 was not DNS: %s", identifier))