va: move remaining http code to http.go
This moves some code and constants only used for HTTP-01 from `va.go` to `http.go`.
parent
c2ad80f774
commit
f96ad92e76
41
va/http.go
41
va/http.go
|
@ -10,6 +10,7 @@ import (
|
|||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/letsencrypt/boulder/core"
|
||||
|
@ -18,6 +19,21 @@ import (
|
|||
"github.com/letsencrypt/boulder/probs"
|
||||
)
|
||||
|
||||
const (
|
||||
// maxRedirect is the maximum number of redirects the VA will follow
|
||||
// processing an HTTP-01 challenge.
|
||||
maxRedirect = 10
|
||||
// maxResponseSize holds the maximum number of bytes that will be read from an
|
||||
// HTTP-01 challenge response. The expected payload should be ~87 bytes. Since
|
||||
// it may be padded by whitespace which we previously allowed accept up to 128
|
||||
// bytes before rejecting a response (32 byte b64 encoded token + . + 32 byte
|
||||
// b64 encoded key fingerprint)
|
||||
maxResponseSize = 128
|
||||
// whitespaceCutset is the set of characters trimmed from the right of an
|
||||
// HTTP-01 key authorization response.
|
||||
whitespaceCutset = "\n\r\t "
|
||||
)
|
||||
|
||||
// preresolvedDialer is a struct type that provides a DialContext function which
|
||||
// will connect to the provided IP and port instead of letting DNS resolve
|
||||
// The hostname of the preresolvedDialer is used to ensure the dial only completes
|
||||
|
@ -580,3 +596,28 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
|
|||
}
|
||||
return body, records, nil
|
||||
}
|
||||
|
||||
func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
|
||||
if identifier.Type != core.IdentifierDNS {
|
||||
va.log.Infof("Got non-DNS identifier for HTTP validation: %s", identifier)
|
||||
return nil, probs.Malformed("Identifier type for HTTP validation was not DNS")
|
||||
}
|
||||
|
||||
// Perform the fetch
|
||||
path := fmt.Sprintf(".well-known/acme-challenge/%s", challenge.Token)
|
||||
body, validationRecords, prob := va.fetchHTTP(ctx, identifier.Value, "/"+path)
|
||||
if prob != nil {
|
||||
return validationRecords, prob
|
||||
}
|
||||
|
||||
payload := strings.TrimRight(string(body), whitespaceCutset)
|
||||
|
||||
if payload != challenge.ProvidedKeyAuthorization {
|
||||
problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
|
||||
challenge.ProvidedKeyAuthorization, payload)
|
||||
va.log.Infof("%s for %s", problem.Detail, identifier)
|
||||
return validationRecords, problem
|
||||
}
|
||||
|
||||
return validationRecords, nil
|
||||
}
|
||||
|
|
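Review bot: In validateHTTP01 the mismatch branch formats `payload` — up to maxResponseSize bytes of server-controlled response body with only trailing whitespace trimmed — into the Unauthorized detail with `%v`, and that detail is written to the log on the following line, so embedded newlines or non-printable bytes reach the log record unescaped. Using `%q` for the payload, `problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%q]", challenge.ProvidedKeyAuthorization, payload)`, escapes them before the detail reaches either the log or the ACME client. The comparison also succeeds when both sides are empty, so if challenge.ProvidedKeyAuthorization can arrive empty here (it is set by the caller, which is not visible in this hunk) an empty or whitespace-only response body would validate; a cheap guard for that case is worth considering. The method has no doc comment; `// validateHTTP01 fetches the key authorization for the challenge token over HTTP-01, trims trailing whitespace from the body, and returns the validation records together with a problem when the payload does not match the provided key authorization.` would do.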
32
va/va.go
32
va/va.go
|
@ -37,13 +37,6 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
maxRedirect = 10
|
||||
whitespaceCutset = "\n\r\t "
|
||||
// Payload should be ~87 bytes. Since it may be padded by whitespace which we previously
|
||||
// allowed accept up to 128 bytes before rejecting a response
|
||||
// (32 byte b64 encoded token + . + 32 byte b64 encoded key fingerprint)
|
||||
maxResponseSize = 128
|
||||
|
||||
// ALPN protocol ID for TLS-ALPN-01 challenge
|
||||
// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2
|
||||
ACMETLS1Protocol = "acme-tls/1"
|
||||
|
@ -385,31 +378,6 @@ func (va *ValidationAuthorityImpl) tlsDial(ctx context.Context, hostPort string,
|
|||
return conn, nil
|
||||
}
|
||||
|
||||
func (va *ValidationAuthorityImpl) validateHTTP01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
|
||||
if identifier.Type != core.IdentifierDNS {
|
||||
va.log.Infof("Got non-DNS identifier for HTTP validation: %s", identifier)
|
||||
return nil, probs.Malformed("Identifier type for HTTP validation was not DNS")
|
||||
}
|
||||
|
||||
// Perform the fetch
|
||||
path := fmt.Sprintf(".well-known/acme-challenge/%s", challenge.Token)
|
||||
body, validationRecords, prob := va.fetchHTTP(ctx, identifier.Value, "/"+path)
|
||||
if prob != nil {
|
||||
return validationRecords, prob
|
||||
}
|
||||
|
||||
payload := strings.TrimRight(string(body), whitespaceCutset)
|
||||
|
||||
if payload != challenge.ProvidedKeyAuthorization {
|
||||
problem := probs.Unauthorized("The key authorization file from the server did not match this challenge [%v] != [%v]",
|
||||
challenge.ProvidedKeyAuthorization, payload)
|
||||
va.log.Infof("%s for %s", problem.Detail, identifier)
|
||||
return validationRecords, problem
|
||||
}
|
||||
|
||||
return validationRecords, nil
|
||||
}
|
||||
|
||||
func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identifier core.AcmeIdentifier, challenge core.Challenge) ([]core.ValidationRecord, *probs.ProblemDetails) {
|
||||
if identifier.Type != "dns" {
|
||||
va.log.Info(fmt.Sprintf("Identifier type for TLS-ALPN-01 was not DNS: %s", identifier))
|
||||
|
|