00b617b59a
Switch to upstream square/go-jose + pull latest
2016-03-15 13:54:22 -07:00
821414e967
Check that modulus length is divisible by 8.
...
Serial numbers in the CT logs that have non-divisible-by-8 modulus length:
https://crt.sh/?serial=017af157d77b1413a239902834178e72bb20
https://crt.sh/?serial=0173c209ff6792316c3e0cab55968f351cc5
https://crt.sh/?serial=01431cb7f9470ee45b6f4b319102553d3a38
https://crt.sh/?serial=01bcd7c197d51a603c930ec09b55e1d69eed
https://crt.sh/?serial=013f51353565895a67fe253c8f4983d5c82f
https://crt.sh/?serial=01a35299515cb75409169d9e0a6627ccc597
https://crt.sh/?serial=011e0adddca49ee0b786813ec2b49154bdf7
https://crt.sh/?serial=01eebb9e9a9108979b3a47217e29b391eb99
https://crt.sh/?serial=01c64e5cda78a9d0f578d6e1cc61c785af7c
https://crt.sh/?serial=0145dda768e38137c8596560b15d52d56e8a
https://crt.sh/?serial=01524fd91b9177ef3adcaf5e9eb832f25b4d
https://crt.sh/?serial=01275f34e47ce1a2df9f0f2b124b72a622f1
https://crt.sh/?serial=018544846d192a1652a549cf4ccb584d397c
https://crt.sh/?serial=01ab9f4b503e8ab947906336053c287a9c10
https://crt.sh/?serial=0166de8ca507dcaa724c74e94d259b4e8ca6
https://crt.sh/?serial=018f3a50178f77d0b41fac0e11867a405151
https://crt.sh/?serial=01d0b50c60f0282c350f2f1928c8229263f6
https://crt.sh/?serial=01ec8978d09bcb2141bea31a3a87d1f121ff
https://crt.sh/?serial=01c7f2ef18a58b9dd3347aab41df0bf9c683
https://crt.sh/?serial=0178783968354b800e99c14eb40c62105e8a
https://crt.sh/?serial=01bb0c96d7ccd5109ed702430cb95500ebe9
https://crt.sh/?serial=016c8263a384d5a4dc07dd97341f5541d008
https://crt.sh/?serial=01f94a33fa393a412213f21c0237b35f4164
https://crt.sh/?serial=01961af313383a735ff249244c974d19cdce
https://crt.sh/?serial=0151d15074797912559203d37f547ab05982
https://crt.sh/?serial=01381e15c57bb71b70449790ea10c6eef499
https://crt.sh/?serial=01dd1b47443c2d9f3a2132a8c77f3c9afe6f
https://crt.sh/?serial=018b36bca7a19f688d8e10d40963701f1921
https://crt.sh/?serial=01fa24288bc7c536d1b4b0cbf75f9d532288
https://crt.sh/?serial=0144c0826a57df425bda751b974823a6c7ec
https://crt.sh/?serial=01e1ddf3fad5db4da5d6a0466076fb5b149d
https://crt.sh/?serial=01bc18004b4fd44d671d1b0b68736eacfe39
https://crt.sh/?serial=01883492513641e5971dfea02f360fdfc3ee
https://crt.sh/?serial=01a3ce708f71ab16dbe3eac66451d9657ae7
https://crt.sh/?serial=018a078bb7ee336d645d2dbb4a15643cd63c
https://crt.sh/?serial=01be4bde2b3811493e902580bbb9ed41a289
https://crt.sh/?serial=015acd1d2052b6febd3517e06fbc3c044be2
https://crt.sh/?serial=01b9c9b5bbde0e0fafafaebea7f940238385
https://crt.sh/?serial=0108c061334fe22f20035f041727fd9f6cca
https://crt.sh/?serial=017d0806db5a1948bd5958984d794da8e760
https://crt.sh/?serial=01e0c375d8ae91a633e161c5e711889edc12
https://crt.sh/?serial=014513db6c2b0e5fc9b01bd3e16c5a301f20
https://crt.sh/?serial=01fe3c857949c085bb9f835d41ebfbc79502
https://crt.sh/?serial=015bb41be9a46f0df2e2335fc1efd35ac0f0
https://crt.sh/?serial=0116674dfc27cfdbb2eadd26cf4ea157d943
https://crt.sh/?serial=013660f7d53adc2f037da825e7b35a29f6b8
https://crt.sh/?serial=01fbb17a9df2644e7941ac07d5e0df44a1a6
https://crt.sh/?serial=01dd34ea3b6d7feac0721edeca78c9bd88d0
https://crt.sh/?serial=012c5988711884e9d55dadb1638d7ad1df52
https://crt.sh/?serial=01c444b69d012963779163e91ee0b91c1a01
https://crt.sh/?serial=01516e6e00180b95fbf547fbb46e4e47b0b6
https://crt.sh/?serial=01e5d33aa90a735d2c29bedc78d7817b312a
https://crt.sh/?serial=0125f110e63dc999257e598ba39335c7dff8
https://crt.sh/?serial=01f8c9f7a2172c12adf04427c45b80288ad4
https://crt.sh/?serial=01f6701c5b7136a31629b5e6c1765c60320b
https://crt.sh/?serial=0191dc216d7b60635234cae78a1435bb5b3c
https://crt.sh/?serial=01ebcb1969e94c6d3bf0dd44cc6a4b5f5ab2
https://crt.sh/?serial=0109c156ec04afb57324ed6c6b1f2a5ce1f8
https://crt.sh/?serial=01f60c6f42fa140fe42853e023450f756416
https://crt.sh/?serial=01f35430bd4f9694e37d840a5556815b79f2
https://crt.sh/?serial=016427f1cafff52874f25b15a6e4fdba10de
https://crt.sh/?serial=01ff6175eb17edf908025dbf493865ba95d4
https://crt.sh/?serial=01ebc2be4a25a16403fb4beab7a40249c522
https://crt.sh/?serial=01362ecda73b646c1a8049a8033f1bd0ba78
https://crt.sh/?serial=015e71d8961c18b0f6b78415f60a30b29d27
https://crt.sh/?serial=015d0bb44d282d072ff242ba803a33275c93
https://crt.sh/?serial=019a7f3ee9e4e31b9007562323189c8a380c
https://crt.sh/?serial=0274a695c57a3e2a50b9f57b4f2deb628038
https://crt.sh/?serial=025cd371a47b72b296770cbc7828444fc1da
https://crt.sh/?serial=0260909d0b06ff102e423212e14355998336
https://crt.sh/?serial=02db0eb690a65d32b627905899a6849f62ee
https://crt.sh/?serial=02a562288c440698a57b212cc711d4094cf5
https://crt.sh/?serial=02475901b9647ce788ac13367714ad2a61bd
https://crt.sh/?serial=022ec8409c3ffd22fff04d2d621b8d1eb36c
https://crt.sh/?serial=02e8ae9030d45c56f32e1b676c004c01ed09
https://crt.sh/?serial=02b8fd0e373feefe408b77869ec7b4c39365
https://crt.sh/?serial=02fb6e63231ccfb98aa26fe486de59ab5620
https://crt.sh/?serial=028751f4757cd98c94a56c9ddf7c87e7fbf3
https://crt.sh/?serial=02255c1a9b63982992c3b9af91f144774989
2016-03-14 15:41:11 -07:00
91bc75b0e3
Add GetValidAuthorizations to batch authz checks
...
By performing only one query to MySQL, we should be able to avoid
blowing the timeouts.
Fixes #1567
2016-03-11 10:26:55 -08:00
56c45d1330
Bypass per domain rate limit if FQDN set was previously issued
...
In ra.checkCertificatesPerName allow a bypass of the rate limit
if the exact name set has previously been issued for. This should
make a few current scenarios people have been running into slightly
less painful.
2016-03-09 13:03:07 -08:00
c4dd3506aa
Remove CA HSM lockout and make the OCSP updater CA backoff more HSM specific
2016-03-01 14:22:12 -08:00
e4a18a8738
Review fixes
2016-02-26 14:20:06 -08:00
ee7a86e07d
Review fixes
2016-02-22 22:56:07 -08:00
8fb87b7e7f
Add exact FQDN set rate limit
...
Adds a new rate limit, certficatesPerFQDNSet, which counts certificates
with the same set of FQDNS using a table containing the hash of the dNSNames
mapped to a certificate serial. A new method is added to the SA in AddCertificate
to add this hash to the fqdnSets table, which is gated by a config bool.
2016-02-19 15:58:07 -08:00
a3aac300b9
Merge branch 'master' into ChallengesFor_remove_error_type_return
2016-02-17 09:24:44 +01:00
3df2e942be
go fmt fixes
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-02-16 12:19:15 -08:00
01cee65079
Changed return type for "ChallengesFor".
2016-02-13 23:01:28 +01:00
c36bc382dd
remove unused CheckCAA RPC
...
Helpful for #1486 and was already in my local repo.
2016-02-12 13:01:05 -08:00
cb8085541e
Merge branch 'master' into more-revoker
2016-01-27 13:57:55 -08:00
6f3a275c87
Fixed usage of wrong err object
2016-01-27 18:02:27 +01:00
e2025cd5b6
Merge branch 'master' into more-revoker
2016-01-21 17:17:28 -08:00
e592485229
add omitempty on ValidationRecord Authorities
2016-01-21 21:59:36 +01:00
ee36b5f2b4
don't expect all txt dns replies to contain an authority section
...
Server *MAY* return an authority section, especially on NXDOMAIN
the server will return an SOA authority response in order to
provide the nxdomain ttl value.
Otherwise there is no need for such section.
Dns client should be checking the header aa flags to check if the
response is authoritative and not check the presence of authority
section.
2016-01-21 15:25:31 +01:00
a39be0a85d
Remove superfluous VerifyCSR method
2016-01-20 10:32:01 -05:00
11661bab9e
Merge branch 'master' into more-revoker
2016-01-15 13:41:55 -08:00
a77c8e3d5b
Switch to single RevokeAuthorizationsByDomain SA method
2016-01-12 11:49:51 -08:00
cbdf0444b6
review fixes
2016-01-08 16:21:12 -08:00
f218e314f8
Add good key testing for ECDSA.
2016-01-07 22:48:38 +00:00
21f20b1430
Merge branch 'master' into delete_ca_revokecertificate
2016-01-07 12:34:39 -08:00
f6473efcc2
delete ca.RevokeCertificate
...
Also, delete the unused core.CertificateAuthorityDatabase while we're
here.
Fixes #1319
2016-01-04 23:59:21 -08:00
9913eb61ba
Merge branch 'master' into more-revoker
2016-01-04 17:02:51 -08:00
a00094faa8
Merge branch 'master' into dns-meta
2016-01-04 16:16:33 -08:00
cbeffe96a6
Fixed a bunch of typos
2016-01-04 18:39:34 -05:00
d18b8a536d
Add DNS ValidationRecord metadata
2016-01-04 12:20:45 -08:00
6eb9c87dcb
Add RPC to get all authorizations for a domain
2016-01-04 10:56:27 -08:00
4c47b2aa75
Add RevokeAuthorization RPC method
2015-12-31 16:13:06 +00:00
70ac73ca58
Remove unneeded code in core.
...
B64enc and B64dec can be replaced by base64.RawURLEncoding.
Thumbprint is now implemented in go-jose, and we have the relevant version
imported already, so we can use that.
SyntaxError isn't used anywhere and can be deleted.
2015-12-17 13:36:24 -08:00
d8110a425a
Add DNS challenge integration test
...
Adds a dns-01 type validation to test.js and reworks dns-test-srv to allow changing TXT record values.
Also makes some changes to how integration-test.py works in order to reduce complexity now the
ct-test-srv is working again.
2015-12-16 17:57:15 -08:00
6b0e53b8e0
use ProblemDetails inside of wfe
...
This uses ProblemDetails throughout the wfe. This is the last step in
allowing the backend services to pass ProblemDetails from RPCs through
to the user.
Updates #1153 .
Fixes #1161 .
2015-12-15 11:44:33 -08:00
b31165444f
move dns code to dns pkg and rename to bdns
...
Moves the DNS code from core to dns and renames the dns package to bdns
to be clearer.
Fixes #1260 and will be good to have while we add retries and such.
2015-12-14 11:21:43 -08:00
8300b06ad6
Merge branch 'master' into delete_old_challenges
2015-12-10 23:04:00 -08:00
c6d6a3edd8
Merge branch 'master' into google-ct
2015-12-10 18:12:55 -08:00
c9010744b4
delete old challenge code
...
Specifically, delete the simpleHttp and dvsni.
Hooray!
Fixes #894
2015-12-10 15:41:40 -08:00
568dd72f00
require a valid challenge type in RecordsSane
...
This is a change to ValidationRecord. This case is unlikely to be
trigged by code, but was allowing tests to pass in a branch that deleted
the simpleHttp and dvsni challenge types and is a good check to have in
place.
Updates #894
2015-12-07 12:56:55 -08:00
b19ea71dbf
Merge branch 'master' into google-ct
2015-12-04 16:17:27 -08:00
d5bb20561f
Fix nil dereference in AcmeURL unmarshal and in validateContacts.
2015-12-04 09:46:46 -08:00
7e093c3ed4
Merge branch 'master' into google-ct
2015-11-30 12:05:17 -08:00
52b7effa5d
Review fixes pt. 2
2015-11-25 12:56:44 -08:00
2114f5d5cc
move ProblemDetails into its own package
...
Part of #1161
2015-11-24 23:14:38 -08:00
444c3ff8cb
Merge branch 'master' into google-ct
2015-11-24 17:25:56 -08:00
169a0b79e3
Export BuildID via expvars.
2015-11-24 14:24:51 -08:00
3ae32d4d61
Switch back to using an internal SCT representation to make life easier
2015-11-23 14:27:06 -08:00
01895a13d0
Switch to google, part 1
2015-11-23 12:42:50 -08:00
2d1339f5f5
Merge branch 'master' into nonce-err
2015-11-23 12:02:49 -08:00
3463d72554
Replace DialTimeout with ReadTimeout.
...
Generally Dial will be very fast because our resolver is local, so there's no
need to override its default of 2s. However, since our resolver recurses more or
less every time, getting the answer back is very slow. So we want to be able to
set a high ReadTimeout.
2015-11-22 14:34:23 -08:00
458c7e2b4a
Add badNonce error as described in the specification
2015-11-20 15:57:22 -08:00
Roland Shoemaker