eefa8005c4
Fix LookupTXT
2015-08-12 17:21:08 -07:00
4a26a515c9
Switch to shared struct
2015-08-10 16:20:11 -07:00
d7b0b11648
Fixing more merge issues
2015-08-10 12:19:04 -07:00
e9b24cfafd
Merge remote-tracking branch 'origin/master' into existing-cert
...
Conflicts:
cmd/boulder-ra/main.go
cmd/boulder/main.go
cmd/shell.go
core/objects.go
policy/policy-authority_test.go
test/boulder-config.json
2015-08-10 12:02:01 -07:00
212bf67670
Add validation record sanity checking
2015-08-07 16:41:40 -07:00
3d540cf4b4
Merge branch 'master' into store-ips
2015-08-07 15:09:43 -07:00
c41cda04f7
Review fixes pt. 1
2015-08-07 15:09:08 -07:00
390464ddf4
correct unique indexing of Registrations
...
Fixes #579 (which blocks #132 ).
This changes the SA to use a unique index on the sha256 of a
Registration's JWK's public key data instead of on the full serialized
JSON of the JWK. This corrects multiple problems:
1. MySQL/Mariadb no longer complain about key's being larger than the
largest allowed key size in an index
2. We no longer have to worry about large keys not being seen as unique
3. We no longer have to worry about the JWK's JSON being serialized with its inner keys in different orders and causing incorrectly empty queries or non-unique writes.
This change also hides the details of how Registrations are stored in
the database from the other services outside of SA. This will give us
greater flexibility if we need to move them to another database, or
change their schema, etc.
Also, adds some tests for NoSuchRegistration in the SA.
2015-08-06 14:19:19 -07:00
0f03494d56
use pointer to AcmeURL everywhere
...
This has the benefit of not requiring us to copy very fat url.URL
objects when we pass them to funcs or call their methods.
2015-08-05 18:23:38 -07:00
8d046a6e0d
Review fixes + remove IPv6
2015-08-05 13:47:59 -07:00
1ee8a9d755
Fixing some more small code style issues--changes should only be cosmetic
2015-08-04 14:06:08 -07:00
70347b4f9a
Fixing "go fmt" errors
2015-08-04 13:57:54 -07:00
ec409463db
Adding the schemas for the external certs and the identifiers to db_schema-main.sql, and also removing the lastUpdate timestamp from the code and the import format document (since we don't really need it for anything).
2015-08-04 13:45:07 -07:00
8805f7e6e9
Switch address/redirect logging method, add redirect loop checking + test
2015-08-03 20:31:32 -07:00
aeba06dcd9
Remove Resolved Addresses and Redirect chain from replies to client without breaking RPC layer
2015-08-03 11:02:23 -07:00
881ce95a5e
LookupHost cleanups
2015-07-31 21:42:07 -07:00
778c0daae5
Expose filters
2015-07-31 16:19:25 -07:00
5a1a3c7e0d
Give addrFilter a type and add the config wiring
2015-07-31 15:47:03 -07:00
94095796b9
Cleanups
2015-07-31 14:40:54 -07:00
bc4069db05
Add some more tests
2015-07-31 13:46:24 -07:00
0041283960
Comment cleanup
2015-07-31 11:32:53 -07:00
e12564bb11
Initial bulk of review fixes (cleanups inc)
2015-07-30 18:09:16 -07:00
f5acc4e260
Merge master
2015-07-30 14:07:03 -07:00
46573e93a2
Merge pull request #497 from letsencrypt/update-challenges
...
Update challenges to match the spec
2015-07-30 15:06:32 -04:00
652702bd7f
Merge master
2015-07-30 13:47:10 -04:00
726d59cb52
Merge master
2015-07-29 16:35:37 -07:00
5ea17d980a
Merge master
2015-07-29 16:37:39 -04:00
272fbbd480
Merge pull request #541 from r0ro/remove-authz-newcert
...
Remove the need for a client to send authorizations url when requesting new certificate
2015-07-29 13:10:46 -07:00
6777b276a7
Merge branch 'master' into store-ips
2015-07-29 12:24:20 -07:00
08c86e560e
Fix test failures in core
2015-07-29 14:40:41 -04:00
f506da377a
Clean up Challenge.MergeResponse
2015-07-29 12:59:52 -04:00
4f95f66f98
Remove AcmeJWS and move everything over to LE fork of go-jose
2015-07-29 12:44:39 -04:00
9e87cef807
Further test fixes
2015-07-29 12:20:00 -04:00
de5c50739a
Mostly fixed tests
2015-07-29 12:19:12 -04:00
e60df240d8
Update DVSNI and DNS challenges
2015-07-29 12:19:12 -04:00
4cac9da9fd
Refactor simpleHttp challenge
2015-07-29 12:18:09 -04:00
26b140b0cc
Removing unused literals and exposing more error info
2015-07-29 11:17:26 -04:00
965be920a6
Enforce 'resource' field
2015-07-29 10:19:14 -04:00
27708be2c3
Merge pull request #532 from tomclegg/cname-nxdomain
...
Fix authz always failing when CAA record is not present + fix CAA lookup algorithm per RFC
2015-07-28 20:58:17 -07:00
4f177d34af
Return actual rtt for nxdomain/nxrrset responses, not 0.
2015-07-28 23:28:19 -04:00
289dfeabe6
Fixing go formatting issues (ran go fmt on the files below)
2015-07-28 17:07:36 -07:00
65c923d547
we now ignore duplicate additions and require three different command line args
2015-07-28 14:03:56 -07:00
36cba96fb2
update tests after jwk encoding fix.
2015-07-28 16:25:30 +02:00
1993dc44c6
Allow DNS cache to follow CNAME/DNAME for us when looking up CAA.
...
Only if the cache returns nothing for the CNAME query do we need to
look up CNAME/DNAME explicitly, in order to check CAAs on the parent
of the CNAME target rather than the parent of the original name.
2015-07-27 22:10:44 -04:00
abd06564ec
Merge branch 'master' into mailer
2015-07-27 12:46:19 -07:00
145790d9c3
Review fixes
2015-07-27 12:46:09 -07:00
2b275405c1
remove authorizations member for certificate request.
2015-07-27 20:26:56 +02:00
4bbd0fdccd
Remove the need for a client to submit authorization urls when requesting a certificate.
2015-07-27 20:26:56 +02:00
aef83a3d02
Change core.Certificate.DER to []byte.
...
Fixes https://github.com/letsencrypt/boulder/issues/519 .
The previous type, JSONBuffer, was triggering a subtle bug when scanning
multiple rows from MySQL. Since this struct is not serialized as JOSE it
doesn't need to have the JSONBuffer type.
The test for this fix is blocked on
https://github.com/letsencrypt/boulder/issues/132 , so I filed a separate issue
to follow up with a test:
https://github.com/letsencrypt/boulder/issues/536
2015-07-26 01:34:02 -07:00
a843772736
Follow CNAME and DNAME during CAA lookups, cf. RFC 6844.
2015-07-26 01:25:30 -04:00
d30ea8a4b6
Distinguish between "lookup failed" and "CNAME does not exist" in LookupCNAME.
2015-07-25 05:47:15 -04:00
8a577df190
Merge master
2015-07-24 17:41:14 -07:00
bd9286dd5b
Merge branch 'master' into mailer
2015-07-24 16:36:50 -07:00
9423467142
Switch to our own fork of go-jose.
...
This is the result of `godep save -r ./...` and
`git rm -r -f Godeps/_workspace/src/github.com/square`
Our fork is currently at the head of go-jose when Richard made the local nonce
changes, with the nonce changes added on top. In other words, the newly created
files are exactly equal to the deleted files.
In a separate commit I will bring our own go-jose fork up to the remote head,
then update our deps.
Also note: Square's go-jose repo contains a `cipher` package. Since we don't
make any changes to that package, we leave it imported as-is.
2015-07-24 14:39:00 -07:00
620a012c62
Rewrite go-jose dependencies to our fork.
2015-07-24 14:16:01 -07:00
7f5da3b8bc
Merge pull request #521 from letsencrypt/remove_v
...
remove incorrect uses of %v, use specific verbs
2015-07-24 13:00:29 -07:00
a960fa0393
Store redirects, reconstruct transport on redirect, add redirect + lookup tests
2015-07-24 12:05:27 -07:00
8975601d5e
correct bodyStr->body
2015-07-23 17:41:15 -07:00
6c2f3ea8cc
Merge branch 'master' into mailer
2015-07-23 15:33:43 -07:00
b5f519d22d
Rework how the expiration mailer looks for certificates
2015-07-23 15:33:28 -07:00
5face2bf08
Merge master
2015-07-23 00:13:24 -07:00
941df62ad4
Switch to AuditObject for CSR logging.
...
This allows us to log the remote address and registration object along with the
CSR.
Also, restore part of a comment on CertificateRequest that was deleted.
2015-07-22 16:32:11 -07:00
6952aebeb3
Record initial application CSR.
...
Fixes https://github.com/letsencrypt/boulder/issues/493 .
Also, modify MockSyslogWriter so that it implements the SyslogWriter interface
(no pointer receivers).
2015-07-22 15:34:59 -07:00
31f0674f03
Replace net.LookupMX with core.LookupMX using defined resolver
2015-07-21 22:36:29 -07:00
d0049adb4c
Log IPs in a better place, by storing them in the challenge objects!
2015-07-21 19:45:40 -07:00
d8a12d8073
Addressing @bifurcation comments
2015-07-21 16:42:23 +02:00
867ce685f8
First cut of command-line tool for importing certs from other external sources like the SSL Observatory, Certificate Transparency, and scans.io
2015-07-15 18:38:35 -07:00
0cea5dffd0
Remove dangling timeout workarounds
2015-07-08 22:11:56 +01:00
a767daed4d
Rebase on #438 and cleanup
2015-07-08 22:07:21 +01:00
3aa6befb0b
Review fixes
2015-07-08 20:57:58 +01:00
34bd2a2915
Review fixes
2015-07-08 20:56:59 +01:00
b8bc60ddfb
Remove core.DNSSECProblem definition
2015-07-08 20:52:40 +01:00
cb1ddfaf78
Add parseDNSError method and use it to provide better problem detail, also add test workaround for timeouts until #401 is fixed
2015-07-08 20:52:40 +01:00
dfed747a99
Put LookupHost back, and re-add checks to validateSimpleHTTP and validateDvsni
2015-07-08 20:48:42 +01:00
a4eaf65741
Clarify comments
2015-07-08 20:48:42 +01:00
2d339651d7
Remove LookupDNSSEC and LookupHosts methods, and their usage, log SERVFAIL from resolver and query type it came from, ignore SERVFAIL from LookupCAA
2015-07-08 20:47:46 +01:00
624581518d
Consistent domain usage, DNSResolver comment, and empty CAA test
2015-07-07 22:31:44 +01:00
1fb48d1fd4
Extend DNS tests and fix miekg/dns bug
2015-07-07 22:31:44 +01:00
94a77b421d
Remove debug statement
2015-07-07 22:31:44 +01:00
f6248ef279
Flesh out DNS mock methods, and move them to their own sub-module instead of under test/ to avoid import loop, Add Loopback DNS resolver for core/dns_test.go
2015-07-07 22:31:44 +01:00
ebaad0f727
Add nonce error propagation to nonce.go
2015-06-23 12:14:23 -07:00
5e11d333d4
Add implementation of ChallengesFor ProofOfPosession.f
2015-06-22 18:01:18 -07:00
70bb5e8364
Add a PA test.
2015-06-22 16:33:09 -07:00
c301b87e3d
Merge branch 'master' into existing-cert
2015-06-22 14:54:28 -07:00
d712bcc8a8
Fixes #382 : Log more consistently
2015-06-20 10:48:14 -07:00
c092d41348
Merge remote-tracking branch 'upstream/master' into errors
2015-06-19 13:25:38 -07:00
cd1acd0462
Merge remote-tracking branch 'upstream/master' into errors
2015-06-19 12:51:19 -07:00
9312fb7eae
Allowed for more detailed error messages:
2015-06-19 12:51:09 -07:00
1b65434256
Merge master
2015-06-19 20:16:16 +01:00
ccb46eb967
Fix comment typo
2015-06-19 20:10:22 +01:00
cd10bd4726
Add DNSSEC check for A/AAAA records to validateSimpleHTTP and validateDvsni
2015-06-19 20:03:27 +01:00
2ed840e4c3
Add better CNAME/CAA comments
2015-06-19 19:18:18 +01:00
948cca7172
Consolidate CAA functions into va/validation-authority.go and core/dns.go
2015-06-19 19:06:50 +01:00
d6ed289e05
Remove duplicate error check
2015-06-18 16:36:39 -07:00
7e4b52e69a
Merge pull request #369 from bradmw/errors
...
Validation Errors
2015-06-18 16:33:30 -07:00
4e7818ac7f
Merge pull request #370 from letsencrypt/dns_lookuptxt_error_nilptr
...
Fix null pointer panic when LookupTXT fails at the DNS Resolver
2015-06-18 16:03:39 -07:00
d6e64835cc
Store data on existing certs.
2015-06-18 15:35:23 -07:00
1b484608f4
Fix null pointer panic when LookupTXT fails at the DNS Resolver
...
Seen in https://travis-ci.org/letsencrypt/boulder/builds/67439063
(Update: Don't send a nil duration)
2015-06-18 15:25:10 -07:00
d7968f2163
Merge remote-tracking branch 'upstream/master' into errors
2015-06-18 14:49:33 -07:00
609b534e98
Merge pull request #366 from letsencrypt/match-ip-email
...
Check IPAddresses and EmailAddresses in Certificate.MatchesCSR
2015-06-18 14:36:16 -07:00
38b8701ae9
Merge remote-tracking branch 'upstream/master' into errors
2015-06-18 14:10:43 -07:00
93ff18b365
Finished addinig validation errors
2015-06-18 14:10:24 -07:00
f19cad3a04
Additional cleanup of error handling
2015-06-18 10:08:59 -07:00
f89b32b420
Check IPAddresses and EmailAddresses in Certificate.MatchesCSR
2015-06-17 18:53:02 -07:00
403af37a39
Hide Authorization.Expires field when uninitialized
2015-06-17 18:34:30 -07:00
6fac234036
Updated error messages and internal error handling
2015-06-17 10:56:46 -07:00
41f5788c77
Correct most `go lint` warnings. (274 -> 5)
2015-06-16 22:18:28 -05:00
b24f6b23fe
Moved to `miekg/dns` for the VA.
...
- Created some helper methods to run DNSSEC and reduce code reuse
- Support multiple DNS servers, but not in the Config file (yet)
- Fix typo; r=@rolandshoemaker
2015-06-16 19:37:15 -05:00
b094c81371
Merge remote-tracking branch 'upstream/master' into errors
2015-06-16 10:59:16 -07:00
cc97492a54
Issue #11 : Basic DNS Challenge support
2015-06-16 09:03:03 -05:00
3ca3d9b283
Finished adding basic errors
2015-06-15 19:30:11 -07:00
01c41c1bd0
Merge pull request #354 from letsencrypt/344-internal_server_errors
...
Resolves Issue #344 : Only send InternalServerError when needed
2015-06-15 15:57:04 -07:00
80d5e50e42
Enable revocation by account key.
...
In addition to cert private key. This required modifying the GetCertificate*
functions to return core.Certificate instead of certificate bytes.
2015-06-15 12:33:50 -07:00
1474b7f21f
Resolves Issue #344 : Only send InternalServerError when needed
...
Basically, just send InternalServerError when it indicates an internal state
was broken.
2015-06-13 00:21:44 -05:00
f4ee29d1d3
Change all references from SimpleHTTPS -> SimpleHTTP
2015-06-12 11:22:04 -07:00
ef3adda09b
Switch TLS to pointer
2015-06-11 22:08:38 -07:00
c301125e93
Add TLS field to core.Challenge per spec
2015-06-11 17:12:50 -07:00
2ad15a4a85
Issue #309 : Produce OCSP Responses immediately upon issuance, if at all possible.
...
This approach performs a best-effort generation of the first OCSP response during
certificate issuance. In the event that OCSP generation fails, it logs a warning at
the Boulder-CA console, but returns successfully since the Certificate was itself
issued.
2015-06-11 11:31:04 -05:00
b38ebe18fc
Merge remote-tracking branch 'upstream/master' into better-caa
2015-06-10 15:57:05 -07:00
676ebf721f
Merge pull request #325 from letsencrypt/anti-replay
...
Add an anti-replay nonce facility
2015-06-10 16:55:20 -04:00
0265b6f5d0
Merge upstream/master and fix conflicts
2015-06-10 12:43:11 -07:00
801810d2bd
Removing extraneous printfs
2015-06-10 15:28:25 -04:00
22bff4e537
Transition from random nonces to encrypted counters (for real)
2015-06-09 17:43:04 -04:00
76f7b1c1e4
Improve build identification
...
New example:
2015/06/09 09:20:13 Versions: boulder=(generate_ocsp +0c101f2 Tue Jun 9 16:20:06 UTC 2015) Golang=(devel +46b4f67 Thu Apr 16 20:01:13 2015 +0000) BuildHost=(user@vm.local )
2015-06-09 09:22:29 -07:00
603e625758
Remove debug statement
2015-06-08 18:09:02 -07:00
bc2c28a5ce
Check Challenge.Path isn't malformed in Challenge.IsSane
2015-06-08 18:02:01 -07:00
370b6f9bf9
Return error from core.GoodKey
2015-06-06 17:12:16 -07:00
75a40e3597
Fix typo
2015-06-06 06:15:19 -07:00
bb5c042cef
Fix tests and various other cleanup
2015-06-06 02:06:35 +01:00
d6591ada58
Speed up test
2015-06-05 19:03:45 +01:00
0bfc50b7e5
Add check for max key size
2015-06-05 19:02:10 +01:00
6a4aa8de3c
Merge pull request #304 from letsencrypt/296-ca_tx_move
...
Issue #296 : Fix erroneous transaction handling in CA
2015-06-03 22:10:43 -07:00
a3521bcb61
Merge pull request #277 from rolandshoemaker/check-cert
...
Check generated certificate matches CSR
2015-06-03 22:10:35 -07:00
27f5aebbcd
Updates per review
2015-06-03 21:57:01 -07:00
abdc174be8
Issue #296 : Fix erroneous transaction handling in CA
...
- Moved the transaction handling up to the `certificate-authority.go` file
- Simplified `certificate-authority-data.go`
- Created a mocks file in `test/` and reworked RA and CA to use it
- More audit logging to CA
2015-06-03 19:23:24 -07:00
78e621c95f
further review fixes
2015-06-03 00:27:08 +01:00
04479eca5c
Merge pull request #291 from letsencrypt/fix-revocation
...
Revert change to revocation from #275
2015-06-02 17:52:35 -04:00
7a60d431d6
Revert "Supporess the 'expires' field in public Authorizations"
...
This reverts commit d47b7c12ac
2015-06-02 12:02:05 -07:00
026cb424fc
Revert "Replace RevokeCertficate with something more in line with the spec"
...
This reverts commit b1bad40fe6
2015-06-02 10:45:54 -07:00
51890a9626
Move cert-csr check to boulder/core and review fixes
2015-06-02 17:56:28 +01:00
e5bf16711c
Add generated cert checks
2015-06-01 14:00:49 +01:00
bfd9e4ac20
Fixing JCJ nits
2015-06-01 02:11:10 -04:00
b1bad40fe6
Replace RevokeCertficate with something more in line with the spec
2015-06-01 02:11:10 -04:00
d47b7c12ac
Supporess the 'expires' field in public Authorizations
2015-06-01 02:08:47 -04:00
e8edbf5f21
Making capitalization consistent with Go standards
2015-06-01 02:08:47 -04:00
acc6963a90
Some simplifications to good_key.go
2015-06-01 02:05:17 -04:00
9917ca17f6
Clean up TODOs
2015-06-01 02:05:17 -04:00
c0bacc3fb6
Add more detailed error code reporting
2015-05-31 15:58:08 -04:00
c3c52eda17
Merge branch 'master' into check-validity2
2015-05-31 13:32:44 -04:00
3e593d73c9
Merge pull request #262 from letsencrypt/ra-tests
...
Miscellaneous Fixes
2015-05-30 22:08:49 -07:00
Roland Shoemaker
Jeremy Gillula
Jeff Hodges
bifurcation
Richard Barnes
Tom Clegg
Romain Fliedel
Jacob Hoffman-Andrews
J.C. Jones
Brad Warren
James 'J.C.' Jones