8ccf7cf04b
Move UnsafeSetChallenge to VA test
2015-10-02 13:45:18 -04:00
367973122e
Change 'TO DELETE' comments to something more useful
2015-10-01 18:48:15 -07:00
c9aa6eea8e
Improve logging
2015-10-01 18:32:37 -07:00
72bbc8fd1f
Move UnsafeSetToken to /test/
2015-10-01 18:27:17 -07:00
2d0dee4ce1
Daemonize the OCSP updater tool so we are constantly updating OCSP responses.
...
also moves the first OCSP responses generation from the CA to the OCSP updater. This patch lays the
ground work for moving CT submission and adding CT backfill to the OCSP updater.
2015-10-01 16:36:51 -07:00
2ded12838a
Use static key
2015-09-30 14:51:15 -07:00
0c78a5f8ab
Fix unit test failure
2015-09-29 09:43:42 -04:00
0f4ebae6e0
Address @bifurcation comments
2015-09-29 09:33:44 -04:00
ea50be6c50
Change 00 to 01, and drop the underscore
2015-09-29 08:57:43 -04:00
5567d4ae73
Split out cases better and add tests for each
2015-09-28 14:07:41 -07:00
ef8f57863d
Re-add old challenge types to VA
2015-09-28 16:05:44 -04:00
f579863e0e
Purge SimpleHTTP and DVSNI from VA
2015-09-28 14:34:03 -04:00
1a9fd9b455
Update to latest ACME spec
2015-09-28 10:10:06 -04:00
ba5e9cd3a5
Check only one content type is sent
2015-09-27 18:25:21 -07:00
4a32d2c633
Check Content-Type header during SimpleHTTP validation
2015-09-27 18:07:49 -07:00
54c924b436
Merge branch 'master' into sig-reuse
2015-09-27 18:29:14 -04:00
48bbd558a6
Fix imports
2015-09-17 18:20:47 -07:00
91750d925f
Review fixes
2015-09-15 12:02:34 -07:00
325190e573
Val -> AuthzKeys in VA
2015-09-10 21:29:04 -04:00
871a77c4b8
Merge master
2015-09-10 13:00:52 -07:00
e5e947ee09
Better construction
2015-09-03 21:00:51 -07:00
3da1081b02
Merge branch 'master' into block-more
2015-09-03 20:47:34 -07:00
af8299d607
Merge master
2015-09-03 11:36:08 -07:00
37517052c7
Add checks for addresses in the loopback block and a bool to allow them for testing
2015-09-02 15:25:21 -07:00
7e157a5c1a
va: format url as url in errors
...
When a URL couldn't be connected to in validateSimpleHTTP, the
fmt.Sprintf's using the URL would format it as something like:
{https <nil> kuba.us.to:443 .well-known/acme-challenge/-bgTYeerZbjhysBOgwIx_-7uVDnVnsaxagWvCk6lzNc }
Instead of:
https://kuba.us.to:443/.well-known/acme-challenge/-bgTYeerZbjhysBOgwIx_-7uVDnVnsaxagWvCk6lzNc
This would show up in errors like:
Failed authorization procedure. kuba.us.to (simpleHttp): connection :: The server could not connect to the client for DV :: Could not connect to {https <nil> kuba.us.to:443 .well-known/acme-challenge/-bgTYeerZbjhysBOgwIx_-7uVDnVnsaxagWvCk6lzNc }
By passing in a plain URL struct to
Sprintf(), it wasn't using the *url.URL.String() method, but the
built-in struct formatting.
The fix is simple: make the url variable a `*url.URL` instead of a
`url.URL`.
2015-09-02 12:57:26 -07:00
fe00decc92
Merge pull request #697 from letsencrypt/revoke-split
...
Split RA revoke method
2015-09-01 14:08:33 -07:00
d11d1ed774
Rename admin-revoker RA call
2015-08-30 22:33:36 -07:00
e798362748
Merge branch 'master' into metrics-cleanup
2015-08-28 16:49:46 -07:00
5afb1187bf
Merge pull request #664 from letsencrypt/sig-misuse
...
Mitigate signature misuse vulnerability
2015-08-28 16:18:56 -07:00
88c2f95179
Cleanup authority creation
2015-08-28 15:03:02 -07:00
f945bb0efb
Merge master
2015-08-28 14:41:37 -07:00
82ea4aba31
Rest of RPC layer and splitting
2015-08-28 00:00:03 -07:00
a4aa450ee6
Switch to custom revocation code type
2015-08-27 17:09:41 -07:00
d6b09c2cf9
Clean up
2015-08-27 14:50:00 -07:00
11716bfe5a
Add noop client
2015-08-27 14:22:28 -07:00
764169667e
Merge master
2015-08-27 11:21:18 -07:00
b4d717b934
Fixing unit test failures
2015-08-26 16:02:20 -04:00
abc3a7b45e
Merge master
2015-08-26 15:31:33 -04:00
283d8de59b
remove TestMode completely
...
This removes TestMode from the boulder-va command, from ca.Config
(it was only used in the VA) and gets the integration config to specify
the ports it should use explicitly.
(It also removes a DBDriver field from ca.Config that was left over from
letsencrypt/boulder#624.)
Fixes #627 .
2015-08-25 21:57:24 -07:00
5bd820f3c5
avoid copying large ValidationAuthorityImpl struct
...
Saves some allocations
2015-08-25 21:14:59 -07:00
c552984784
Merge master
2015-08-25 19:21:02 -04:00
fa89973681
remove unused VA.hostnameOverride field
2015-08-25 13:46:03 -07:00
8868ac9dad
Remove explicit account key from VA calls
2015-08-25 16:32:32 -04:00
f809806ddb
Use NewValidationAuthorityImpl(false) everywhere.
2015-08-25 11:46:09 -07:00
01787da891
VA test fixes
2015-08-24 12:49:35 -07:00
3a7e53c371
Remove merge artifacts
2015-08-24 12:34:51 -07:00
c2a57436eb
Send A RTT metrics
2015-08-24 12:31:06 -07:00
d6efd496fa
Merge master
2015-08-24 12:27:58 -07:00
93c07c160c
Handle port == 65536 better.
2015-08-21 16:09:58 -07:00
ccbd7a037e
Work around race in hs.Close()
2015-08-21 16:09:58 -07:00
6f60530781
Add hostnameOverride.
2015-08-21 16:09:57 -07:00
178991e811
Add a sleep to placate the race detector.
2015-08-21 16:07:14 -07:00
efa94628c7
Refactor VA test to use Go's httptest.
...
Previously the VA test had race conditions where the various test servers would
not shut down before the next test started its own server, and the necessary port
wouldn't be available.
Go's httptest makes shutdown simpler, and also chooses a random port, which
further helps avoid collisions.
This change required refactoring the VA to specify the ports for various
challenges as fields. This should allow us to fully remove the TestMode bool in
a subsequent change.
Credit to jmhodges for the first version of this patch.
2015-08-21 16:07:10 -07:00
60274cd915
Rebase fixes
2015-08-13 22:55:58 -07:00
f15402282c
Review rework
...
Refactor DNS problem details use
Actually store and log resolved addresses
Less convuluted get adresses function/usage
Store redirects, reconstruct transport on redirect, add redirect + lookup tests
Add another test
Review fixes
Initial bulk of review fixes (cleanups inc)
Comment cleanup
Add some more tests
Cleanups
Give addrFilter a type and add the config wiring
Expose filters
LookupHost cleanups
Remove Resolved Addresses and Redirect chain from replies to client without breaking RPC layer
Switch address/redirect logging method, add redirect loop checking + test
Review fixes + remove IPv6
Remove AddressFilter remnant + constant-ize the VA timeout
Review fixes pt. 1
Initialize validation record
Don't blank out validation reocrds
Add validation record sanity checking
Switch to shared struct
Check port is in valid range
Review fixes
2015-08-13 22:49:33 -07:00
84757bea8a
Change remote IP address without changing requested URL.
2015-08-13 22:45:19 -07:00
9a328b4fd1
Log IPs in a better place, by storing them in the challenge objects!
2015-08-13 22:45:19 -07:00
6a75eb199e
Resolve validation hostnames and log addresses, use first resolved address to construct validation address
2015-08-13 22:45:19 -07:00
6970caa0e8
Various cleans and documentation fixes
2015-08-11 18:00:47 -07:00
8789f925cc
Merge master
2015-08-11 16:39:31 -07:00
bef0dbf99a
Address @jcj comments on #497
2015-07-30 16:24:07 -04:00
7e3058d099
More deterministic token control
2015-07-29 15:35:52 -04:00
2ecdd056de
Re-add tests removed during rebase.
2015-07-29 15:03:12 -04:00
f506da377a
Clean up Challenge.MergeResponse
2015-07-29 12:59:52 -04:00
4f95f66f98
Remove AcmeJWS and move everything over to LE fork of go-jose
2015-07-29 12:44:39 -04:00
9e87cef807
Further test fixes
2015-07-29 12:20:00 -04:00
de5c50739a
Mostly fixed tests
2015-07-29 12:19:12 -04:00
e60df240d8
Update DVSNI and DNS challenges
2015-07-29 12:19:12 -04:00
4cac9da9fd
Refactor simpleHttp challenge
2015-07-29 12:18:09 -04:00
8ec9723166
Do not test CAA lookup behavior for "CNAME+CAA both exist."
2015-07-27 21:51:14 -04:00
a843772736
Follow CNAME and DNAME during CAA lookups, cf. RFC 6844.
2015-07-26 01:25:30 -04:00
d30ea8a4b6
Distinguish between "lookup failed" and "CNAME does not exist" in LookupCNAME.
2015-07-25 05:47:15 -04:00
a6a1e27ac7
Remove useless test function.
2015-07-21 21:40:20 -04:00
2583ce55a5
Verify logs were generated.
2015-07-21 21:37:34 -04:00
e09f9eebf1
Merge remote-tracking branch 'upstream/master' into 414-va-log-redirects
...
Conflicts:
va/validation-authority_test.go
2015-07-21 21:32:50 -04:00
99c339f850
Merge pull request #498 from tomclegg/490-mock-logs
...
Add mock for syslog.
2015-07-21 17:40:06 -07:00
2d0be62966
Use mock syslog in test suites (except core and log). Drop SwitchLog().
2015-07-21 17:06:39 -04:00
55d5488b49
Merge branch 'master' into dnssec-cleanup
2015-07-21 17:14:41 +02:00
d8a12d8073
Addressing @bifurcation comments
2015-07-21 16:42:23 +02:00
0e72f95660
Add mock for syslog.
2015-07-19 05:44:56 -04:00
7b3378fcc1
Change "redirecting" log level from Notice to Info.
2015-07-18 22:17:45 -04:00
d94860b6cb
Log redirects encountered during HTTP validation. Fixes #414
2015-07-16 22:26:11 -04:00
ef54dda46a
add debug http server to services
...
Currently, the debug http server in every service contains just the
net/http/pprof handlers. This allows us to get CPU, blocking, and memory
profiling remotely.
Along the way, remove all the places we use http.DefaultServeMux (which
includes use of http.Handle and http.HandlerFunc) and use a NewServeMux
for each place.
Fixes #457
2015-07-14 01:28:18 -07:00
d403a4224b
Remove another timeout catcher
2015-07-08 22:24:50 +01:00
e50ad76edd
Change tests to indicate testing SERVFAIL not DNSSEC
2015-07-08 22:18:38 +01:00
0cea5dffd0
Remove dangling timeout workarounds
2015-07-08 22:11:56 +01:00
720fc2450d
Remove timeout catching in preparation for #438
2015-07-08 20:57:58 +01:00
3aa6befb0b
Review fixes
2015-07-08 20:57:58 +01:00
e3780d3234
Move CNAME call to getCAA
2015-07-08 20:57:58 +01:00
34bd2a2915
Review fixes
2015-07-08 20:56:59 +01:00
cb1ddfaf78
Add parseDNSError method and use it to provide better problem detail, also add test workaround for timeouts until #401 is fixed
2015-07-08 20:52:40 +01:00
dfed747a99
Put LookupHost back, and re-add checks to validateSimpleHTTP and validateDvsni
2015-07-08 20:48:42 +01:00
2d339651d7
Remove LookupDNSSEC and LookupHosts methods, and their usage, log SERVFAIL from resolver and query type it came from, ignore SERVFAIL from LookupCAA
2015-07-08 20:47:46 +01:00
294a313974
Cleanup rebase/merge artifact
2015-07-07 22:35:39 +01:00
624581518d
Consistent domain usage, DNSResolver comment, and empty CAA test
2015-07-07 22:31:44 +01:00
5b092db5c7
Actually add mock file, and remove unused commented tests
2015-07-07 22:31:44 +01:00
f6248ef279
Flesh out DNS mock methods, and move them to their own sub-module instead of under test/ to avoid import loop, Add Loopback DNS resolver for core/dns_test.go
2015-07-07 22:31:44 +01:00
e4055e4646
WIP
2015-07-07 22:31:43 +01:00
c48f6dfecf
Address review comments.
2015-06-30 06:13:38 +00:00
cebd1eee49
Update tests for TLS simpleHttp.
2015-06-28 09:04:09 +00:00
69a0781139
Allow TLS simpleHttp in test mode.
2015-06-28 06:48:40 +00:00
b4ab015eb4
Better RTT metric names, and initial work on RPC call success/failure metrics
2015-06-26 18:41:23 +01:00
4346e55d8c
Review fixes and rtt cleanups, further cleanup is blocked by #413
2015-06-25 17:55:59 -07:00
12589834a3
Merge master
2015-06-25 15:59:59 -07:00
04770218ac
Remove DNSSEC from simpleHttp and dvsni
2015-06-23 23:33:48 -07:00
9a0d4aef0a
Fix build problem
2015-06-23 12:02:37 -07:00
718920afa3
Enable the VA to send a user-agent header field.
2015-06-23 11:15:51 -07:00
4715b4895a
Fix #386 : `go vet` on VA.
2015-06-22 05:55:57 -07:00
9edd2b8e07
Refactor StatsD metrics collection
...
- Moved HandlerTimer definition from various cmd/ binaries to cmd/shell.go
- Cleaned up HandlerTimer endpoint metrics
- Moved New... counter metrics from WFE to RA and add Updated... and Finalized... ones
- Added error code and problem type counter metrics to WFE
- Added validation type / status counter metrics to VA
- Consistently return the total RTT from LookupCAA, LookupCNAME, and LookupDNSSEC method
- Added DNS RTT timing metrics to VA for the various Loookup... methods
2015-06-21 23:28:10 -07:00
2d92fd92d6
Rework per @rolandshoemaker
2015-06-20 13:27:29 -07:00
ddb4249f18
Fixes #383 - Fix error leg in DNS validation
2015-06-20 10:51:52 -07:00
d712bcc8a8
Fixes #382 : Log more consistently
2015-06-20 10:48:14 -07:00
1b65434256
Merge master
2015-06-19 20:16:16 +01:00
cd10bd4726
Add DNSSEC check for A/AAAA records to validateSimpleHTTP and validateDvsni
2015-06-19 20:03:27 +01:00
5979abb244
Remove unused CAA type definition
2015-06-19 19:20:26 +01:00
948cca7172
Consolidate CAA functions into va/validation-authority.go and core/dns.go
2015-06-19 19:06:50 +01:00
d462d0af43
Purge CAA parsing code, update miekg/dns dep
2015-06-19 18:53:00 +01:00
99d0fd7dc8
Removed straggling debugging code
2015-06-18 16:01:15 -07:00
93ff18b365
Finished addinig validation errors
2015-06-18 14:10:24 -07:00
f19cad3a04
Additional cleanup of error handling
2015-06-18 10:08:59 -07:00
6fac234036
Updated error messages and internal error handling
2015-06-17 10:56:46 -07:00
41f5788c77
Correct most `go lint` warnings. (274 -> 5)
2015-06-16 22:18:28 -05:00
b24f6b23fe
Moved to `miekg/dns` for the VA.
...
- Created some helper methods to run DNSSEC and reduce code reuse
- Support multiple DNS servers, but not in the Config file (yet)
- Fix typo; r=@rolandshoemaker
2015-06-16 19:37:15 -05:00
fcaa6b9530
Issue #11 : Add tests
2015-06-16 09:03:03 -05:00
cc97492a54
Issue #11 : Basic DNS Challenge support
2015-06-16 09:03:03 -05:00
3ca3d9b283
Finished adding basic errors
2015-06-15 19:30:11 -07:00
f4ee29d1d3
Change all references from SimpleHTTPS -> SimpleHTTP
2015-06-12 11:22:04 -07:00
ef3adda09b
Switch TLS to pointer
2015-06-11 22:08:38 -07:00
c301125e93
Add TLS field to core.Challenge per spec
2015-06-11 17:12:50 -07:00
6c0127d1b0
Add some comments, clean up RFC 6844 query order
2015-06-10 17:27:08 -07:00
00053e4232
Remove debug statement
2015-06-10 16:18:52 -07:00
34946c99bb
Fix typo
2015-06-10 15:56:52 -07:00
7029124c75
Add checking for DNSSEC failure at the resolver
2015-06-10 15:50:17 -07:00
e3eb074dd3
Review fixes
2015-06-10 14:16:06 -07:00
0265b6f5d0
Merge upstream/master and fix conflicts
2015-06-10 12:43:11 -07:00
050887bff6
Ignore closed connection errors from httpsServer.Serve
2015-06-08 13:29:29 -07:00
3e43e05553
Don't write to dead simpleSrv/dvsniSrv connections
2015-06-08 12:54:38 -07:00
30d2c0d1c7
Don't try to write to connection after it has been closed
2015-06-08 11:40:21 -07:00
78cbc1a091
Decrease block time so connection doesn't time out
2015-06-08 11:06:16 -07:00
94bbd22f00
Add explicit timeout tests
2015-06-06 09:55:43 -07:00
d145a3dc5a
Add timeout to validateDvsni method
2015-06-05 14:09:28 +01:00
9917ca17f6
Clean up TODOs
2015-06-01 02:05:17 -04:00
5c235e0000
add explicit CAA RDATA length check
2015-05-29 21:39:25 +01:00
2366a4a1a3
Add VA blocker check
2015-05-29 11:26:06 +01:00
81c7466e97
add rpc-wrapper and interface code
2015-05-28 09:58:16 +01:00
0ef15b0b81
cleanup & tests
2015-05-28 09:25:04 +01:00
b2f1dd82b6
vendor miekg/dns dependency
2015-05-27 20:49:58 +01:00
5627f4e69f
add the various caa dns utilities
2015-05-27 19:51:51 +01:00
bc3acca096
Resolved Issue #230
...
- Move setting the core.Registration.Key field from RA.NewRegistration to
WFE.NewRegistration to avoid a chicken-and-egg problem.
- Note: I kept the RPC wrapper object even though it now only has one field.
Seems like it's a good practice to use wrapper objects, even though we don't
everywhere.
2015-05-26 14:44:15 -07:00
e1eeebce52
Only run validations against updated challenges (instead of everything)
2015-05-26 17:08:49 +01:00
cecd097f68
Improve unit testing to resolve Issue #217
...
- Support multiple HTTPserver instances in `validation-authority_test.go`
- Improve coverage of ValidateDvsni and ValidateHttps
- Cover UpdateValidations
2015-05-21 13:59:30 -07:00
1c9837ddf8
Audit all Challenges (success/failure) in VA for Issue #204
...
- Don't ignore entropy underruns in challenges.go
- Correct identity crisis in Policy Authority; hopefully it will remember.
- Add a method `AuditObject` in audit-logger and convert RA/VA to use it
- Fix json typo in registration-authority that caused empty audit logs
- Fix vet issue in WFE where RegID was being printed as a 32-bit int instead of 64-bit
- Unfix the issue in WFE where RegID isn't right, per PR #215
2015-05-21 13:58:40 -07:00
42302541bd
Run `go fmt` for PR #186
2015-05-18 18:44:38 -07:00
3eed9e3f7c
Move to Square's go-jose library.
2015-05-13 17:36:38 -07:00
8acae627eb
Fix sanity checking for challenges.
...
Also add more debug logging.
2015-05-08 15:32:11 -07:00
14fde00182
Merge pull request #162 from rolandshoemaker/enrobe
...
Reduce use of naked returns
2015-05-08 08:59:52 -07:00
ee47c84838
enrobe longer functions + various return semantics cleanups
2015-05-07 18:15:41 -07:00
07310b5fa1
hook sanity check into VA and RA
2015-05-06 15:19:21 -07:00
ca796dd2fe
remove useless test stub
2015-05-05 15:37:04 -07:00
3fddff8dcf
further tests for VA, consistent sendError for verifyPOST in WFE
2015-05-05 15:31:53 -07:00
48296727e2
real errors
2015-05-05 14:38:29 -07:00
4b74a544c5
hacky fix so we don't require sudo
2015-05-05 14:34:25 -07:00
4fc3a1146e
VA tests, WFE tests, plus WFE NewRegistration empty payload fix
2015-05-04 18:43:18 -07:00
a77152e828
Rework Authority "New" methods to obtain AuditLogger from Singleton
...
- Also ran `go fmt` against these files I was touching anyway:
sa/storage-authority.go
va/validation-authority.go
wfe/web-front-end.go
2015-05-01 21:50:07 -07:00
d4aa8c6c78
Close connection after DVSNI.
2015-04-27 15:50:18 -07:00
66cb0fcefe
Fix format strings for serials and DVSNI.
2015-04-27 14:47:06 -07:00
9124b34b31
Improve Validation Authority
...
SimpleHTTPS works in both local test mode and live mode.
Don't keep alive SimpleHTTPS connections after verifying challenge.
2015-04-27 13:18:38 -07:00
e210f2c623
Fix live validation for SimpleHTTPS.
2015-04-24 19:20:58 -07:00
1065b14c9c
Add more logging to boulder.
2015-04-24 18:39:50 -07:00
b9c7efb9f8
Constant-time compare zName.
...
Fixes https://github.com/letsencrypt/boulder/issues/52 .
Note that this is probably not a vulnerability, since the value of zName is not
a secret from the subscriber. But better to eliminate this code smell.
2015-04-13 17:47:58 -04:00
5d155e209b
forgot to remove encoding/hex
2015-04-08 22:40:05 -07:00
f7e3df3f67
fix Z computation
2015-04-08 22:30:12 -07:00
84df10fd6e
Add empty tests where missing.
...
This will bring our coverage numbers down to a more meaningful number, and will
mean that we can start aiming to increase them monotonically.
2015-04-07 11:27:33 -07:00
ccbbeccb00
gofmt
2015-03-25 14:52:50 -07:00
5eac0cda09
Add a "TestMode" config option
...
This makes the same change as PR #59 , but allows test mode to be turned
back on with a config option.
2015-03-25 12:58:57 -07:00
33ac212b70
Add logging infrastructure to all authorities and commands
2015-03-24 19:06:11 -07:00
4e0aa900c9
Rebase 'lint-errcheck-fixes' of git://github.com/mvdan/boulder to letsencrypt/master
...
Conflicts:
cmd/boulder-start/main.go
core/interfaces.go
core/objects.go
core/util.go
ra/registration-authority.go
ra/registration-authority_test.go
rpc/rpc-wrappers.go
va/validation-authority.go
wfe/web-front-end.go
2015-03-20 18:01:03 -07:00
d938deb3fd
Separate resources for challenges [initial]
2015-03-14 19:07:16 -04:00
d66e581736
Replace Https by HTTPS as per golint
2015-03-12 12:21:40 +01:00
880821801e
hash.Hash.Write() never returns an error
2015-03-12 12:18:37 +01:00
37919058e5
Pulling out va module
2015-03-10 14:26:20 -07:00
Richard Barnes