aboutsummaryrefslogtreecommitdiff
path: root/vendor/golang.org/x/crypto/acme/autocert
diff options
context:
space:
mode:
authorNiall Sheridan <nsheridan@gmail.com>2019-07-07 21:33:44 +0100
committerNiall Sheridan <nsheridan@gmail.com>2019-07-07 21:33:44 +0100
commit8c12c6939aab9106db14ec2d11d983bc5b29fb2c (patch)
treef9dc8a7d167c6355e47a65c52d4eb7b9ea03e6c8 /vendor/golang.org/x/crypto/acme/autocert
parent0bd454cc448b812da6c693b451d86ff4cadbb6b2 (diff)
Switch to modules
Diffstat (limited to 'vendor/golang.org/x/crypto/acme/autocert')
-rw-r--r--vendor/golang.org/x/crypto/acme/autocert/autocert.go1139
-rw-r--r--vendor/golang.org/x/crypto/acme/autocert/cache.go130
-rw-r--r--vendor/golang.org/x/crypto/acme/autocert/listener.go157
-rw-r--r--vendor/golang.org/x/crypto/acme/autocert/renewal.go141
4 files changed, 0 insertions, 1567 deletions
diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go
deleted file mode 100644
index 4c2fc07..0000000
--- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go
+++ /dev/null
@@ -1,1139 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package autocert provides automatic access to certificates from Let's Encrypt
-// and any other ACME-based CA.
-//
-// This package is a work in progress and makes no API stability promises.
-package autocert
-
-import (
- "bytes"
- "context"
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/rsa"
- "crypto/tls"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "errors"
- "fmt"
- "io"
- mathrand "math/rand"
- "net"
- "net/http"
- "path"
- "strings"
- "sync"
- "time"
-
- "golang.org/x/crypto/acme"
-)
-
-// createCertRetryAfter is how much time to wait before removing a failed state
-// entry due to an unsuccessful createCert call.
-// This is a variable instead of a const for testing.
-// TODO: Consider making it configurable or an exp backoff?
-var createCertRetryAfter = time.Minute
-
-// pseudoRand is safe for concurrent use.
-var pseudoRand *lockedMathRand
-
-func init() {
- src := mathrand.NewSource(time.Now().UnixNano())
- pseudoRand = &lockedMathRand{rnd: mathrand.New(src)}
-}
-
-// AcceptTOS is a Manager.Prompt function that always returns true to
-// indicate acceptance of the CA's Terms of Service during account
-// registration.
-func AcceptTOS(tosURL string) bool { return true }
-
-// HostPolicy specifies which host names the Manager is allowed to respond to.
-// It returns a non-nil error if the host should be rejected.
-// The returned error is accessible via tls.Conn.Handshake and its callers.
-// See Manager's HostPolicy field and GetCertificate method docs for more details.
-type HostPolicy func(ctx context.Context, host string) error
-
-// HostWhitelist returns a policy where only the specified host names are allowed.
-// Only exact matches are currently supported. Subdomains, regexp or wildcard
-// will not match.
-func HostWhitelist(hosts ...string) HostPolicy {
- whitelist := make(map[string]bool, len(hosts))
- for _, h := range hosts {
- whitelist[h] = true
- }
- return func(_ context.Context, host string) error {
- if !whitelist[host] {
- return errors.New("acme/autocert: host not configured")
- }
- return nil
- }
-}
-
-// defaultHostPolicy is used when Manager.HostPolicy is not set.
-func defaultHostPolicy(context.Context, string) error {
- return nil
-}
-
-// Manager is a stateful certificate manager built on top of acme.Client.
-// It obtains and refreshes certificates automatically using "tls-alpn-01",
-// "tls-sni-01", "tls-sni-02" and "http-01" challenge types,
-// as well as providing them to a TLS server via tls.Config.
-//
-// You must specify a cache implementation, such as DirCache,
-// to reuse obtained certificates across program restarts.
-// Otherwise your server is very likely to exceed the certificate
-// issuer's request rate limits.
-type Manager struct {
- // Prompt specifies a callback function to conditionally accept a CA's Terms of Service (TOS).
- // The registration may require the caller to agree to the CA's TOS.
- // If so, Manager calls Prompt with a TOS URL provided by the CA. Prompt should report
- // whether the caller agrees to the terms.
- //
- // To always accept the terms, the callers can use AcceptTOS.
- Prompt func(tosURL string) bool
-
- // Cache optionally stores and retrieves previously-obtained certificates
- // and other state. If nil, certs will only be cached for the lifetime of
- // the Manager. Multiple Managers can share the same Cache.
- //
- // Using a persistent Cache, such as DirCache, is strongly recommended.
- Cache Cache
-
- // HostPolicy controls which domains the Manager will attempt
- // to retrieve new certificates for. It does not affect cached certs.
- //
- // If non-nil, HostPolicy is called before requesting a new cert.
- // If nil, all hosts are currently allowed. This is not recommended,
- // as it opens a potential attack where clients connect to a server
- // by IP address and pretend to be asking for an incorrect host name.
- // Manager will attempt to obtain a certificate for that host, incorrectly,
- // eventually reaching the CA's rate limit for certificate requests
- // and making it impossible to obtain actual certificates.
- //
- // See GetCertificate for more details.
- HostPolicy HostPolicy
-
- // RenewBefore optionally specifies how early certificates should
- // be renewed before they expire.
- //
- // If zero, they're renewed 30 days before expiration.
- RenewBefore time.Duration
-
- // Client is used to perform low-level operations, such as account registration
- // and requesting new certificates.
- //
- // If Client is nil, a zero-value acme.Client is used with acme.LetsEncryptURL
- // as directory endpoint. If the Client.Key is nil, a new ECDSA P-256 key is
- // generated and, if Cache is not nil, stored in cache.
- //
- // Mutating the field after the first call of GetCertificate method will have no effect.
- Client *acme.Client
-
- // Email optionally specifies a contact email address.
- // This is used by CAs, such as Let's Encrypt, to notify about problems
- // with issued certificates.
- //
- // If the Client's account key is already registered, Email is not used.
- Email string
-
- // ForceRSA used to make the Manager generate RSA certificates. It is now ignored.
- //
- // Deprecated: the Manager will request the correct type of certificate based
- // on what each client supports.
- ForceRSA bool
-
- // ExtraExtensions are used when generating a new CSR (Certificate Request),
- // thus allowing customization of the resulting certificate.
- // For instance, TLS Feature Extension (RFC 7633) can be used
- // to prevent an OCSP downgrade attack.
- //
- // The field value is passed to crypto/x509.CreateCertificateRequest
- // in the template's ExtraExtensions field as is.
- ExtraExtensions []pkix.Extension
-
- clientMu sync.Mutex
- client *acme.Client // initialized by acmeClient method
-
- stateMu sync.Mutex
- state map[certKey]*certState
-
- // renewal tracks the set of domains currently running renewal timers.
- renewalMu sync.Mutex
- renewal map[certKey]*domainRenewal
-
- // tokensMu guards the rest of the fields: tryHTTP01, certTokens and httpTokens.
- tokensMu sync.RWMutex
- // tryHTTP01 indicates whether the Manager should try "http-01" challenge type
- // during the authorization flow.
- tryHTTP01 bool
- // httpTokens contains response body values for http-01 challenges
- // and is keyed by the URL path at which a challenge response is expected
- // to be provisioned.
- // The entries are stored for the duration of the authorization flow.
- httpTokens map[string][]byte
- // certTokens contains temporary certificates for tls-sni and tls-alpn challenges
- // and is keyed by token domain name, which matches server name of ClientHello.
- // Keys always have ".acme.invalid" suffix for tls-sni. Otherwise, they are domain names
- // for tls-alpn.
- // The entries are stored for the duration of the authorization flow.
- certTokens map[string]*tls.Certificate
- // nowFunc, if not nil, returns the current time. This may be set for
- // testing purposes.
- nowFunc func() time.Time
-}
-
-// certKey is the key by which certificates are tracked in state, renewal and cache.
-type certKey struct {
- domain string // without trailing dot
- isRSA bool // RSA cert for legacy clients (as opposed to default ECDSA)
- isToken bool // tls-based challenge token cert; key type is undefined regardless of isRSA
-}
-
-func (c certKey) String() string {
- if c.isToken {
- return c.domain + "+token"
- }
- if c.isRSA {
- return c.domain + "+rsa"
- }
- return c.domain
-}
-
-// TLSConfig creates a new TLS config suitable for net/http.Server servers,
-// supporting HTTP/2 and the tls-alpn-01 ACME challenge type.
-func (m *Manager) TLSConfig() *tls.Config {
- return &tls.Config{
- GetCertificate: m.GetCertificate,
- NextProtos: []string{
- "h2", "http/1.1", // enable HTTP/2
- acme.ALPNProto, // enable tls-alpn ACME challenges
- },
- }
-}
-
-// GetCertificate implements the tls.Config.GetCertificate hook.
-// It provides a TLS certificate for hello.ServerName host, including answering
-// tls-alpn-01 and *.acme.invalid (tls-sni-01 and tls-sni-02) challenges.
-// All other fields of hello are ignored.
-//
-// If m.HostPolicy is non-nil, GetCertificate calls the policy before requesting
-// a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation.
-// The error is propagated back to the caller of GetCertificate and is user-visible.
-// This does not affect cached certs. See HostPolicy field description for more details.
-//
-// If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will
-// also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler
-// for http-01. (The tls-sni-* challenges have been deprecated by popular ACME providers
-// due to security issues in the ecosystem.)
-func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- if m.Prompt == nil {
- return nil, errors.New("acme/autocert: Manager.Prompt not set")
- }
-
- name := hello.ServerName
- if name == "" {
- return nil, errors.New("acme/autocert: missing server name")
- }
- if !strings.Contains(strings.Trim(name, "."), ".") {
- return nil, errors.New("acme/autocert: server name component count invalid")
- }
- if strings.ContainsAny(name, `+/\`) {
- return nil, errors.New("acme/autocert: server name contains invalid character")
- }
-
- // In the worst-case scenario, the timeout needs to account for caching, host policy,
- // domain ownership verification and certificate issuance.
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
- defer cancel()
-
- // Check whether this is a token cert requested for TLS-SNI or TLS-ALPN challenge.
- if wantsTokenCert(hello) {
- m.tokensMu.RLock()
- defer m.tokensMu.RUnlock()
- // It's ok to use the same token cert key for both tls-sni and tls-alpn
- // because there's always at most 1 token cert per on-going domain authorization.
- // See m.verify for details.
- if cert := m.certTokens[name]; cert != nil {
- return cert, nil
- }
- if cert, err := m.cacheGet(ctx, certKey{domain: name, isToken: true}); err == nil {
- return cert, nil
- }
- // TODO: cache error results?
- return nil, fmt.Errorf("acme/autocert: no token cert for %q", name)
- }
-
- // regular domain
- ck := certKey{
- domain: strings.TrimSuffix(name, "."), // golang.org/issue/18114
- isRSA: !supportsECDSA(hello),
- }
- cert, err := m.cert(ctx, ck)
- if err == nil {
- return cert, nil
- }
- if err != ErrCacheMiss {
- return nil, err
- }
-
- // first-time
- if err := m.hostPolicy()(ctx, name); err != nil {
- return nil, err
- }
- cert, err = m.createCert(ctx, ck)
- if err != nil {
- return nil, err
- }
- m.cachePut(ctx, ck, cert)
- return cert, nil
-}
-
-// wantsTokenCert reports whether a TLS request with SNI is made by a CA server
-// for a challenge verification.
-func wantsTokenCert(hello *tls.ClientHelloInfo) bool {
- // tls-alpn-01
- if len(hello.SupportedProtos) == 1 && hello.SupportedProtos[0] == acme.ALPNProto {
- return true
- }
- // tls-sni-xx
- return strings.HasSuffix(hello.ServerName, ".acme.invalid")
-}
-
-func supportsECDSA(hello *tls.ClientHelloInfo) bool {
- // The "signature_algorithms" extension, if present, limits the key exchange
- // algorithms allowed by the cipher suites. See RFC 5246, section 7.4.1.4.1.
- if hello.SignatureSchemes != nil {
- ecdsaOK := false
- schemeLoop:
- for _, scheme := range hello.SignatureSchemes {
- const tlsECDSAWithSHA1 tls.SignatureScheme = 0x0203 // constant added in Go 1.10
- switch scheme {
- case tlsECDSAWithSHA1, tls.ECDSAWithP256AndSHA256,
- tls.ECDSAWithP384AndSHA384, tls.ECDSAWithP521AndSHA512:
- ecdsaOK = true
- break schemeLoop
- }
- }
- if !ecdsaOK {
- return false
- }
- }
- if hello.SupportedCurves != nil {
- ecdsaOK := false
- for _, curve := range hello.SupportedCurves {
- if curve == tls.CurveP256 {
- ecdsaOK = true
- break
- }
- }
- if !ecdsaOK {
- return false
- }
- }
- for _, suite := range hello.CipherSuites {
- switch suite {
- case tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
- return true
- }
- }
- return false
-}
-
-// HTTPHandler configures the Manager to provision ACME "http-01" challenge responses.
-// It returns an http.Handler that responds to the challenges and must be
-// running on port 80. If it receives a request that is not an ACME challenge,
-// it delegates the request to the optional fallback handler.
-//
-// If fallback is nil, the returned handler redirects all GET and HEAD requests
-// to the default TLS port 443 with 302 Found status code, preserving the original
-// request path and query. It responds with 400 Bad Request to all other HTTP methods.
-// The fallback is not protected by the optional HostPolicy.
-//
-// Because the fallback handler is run with unencrypted port 80 requests,
-// the fallback should not serve TLS-only requests.
-//
-// If HTTPHandler is never called, the Manager will only use the "tls-alpn-01"
-// challenge for domain verification.
-func (m *Manager) HTTPHandler(fallback http.Handler) http.Handler {
- m.tokensMu.Lock()
- defer m.tokensMu.Unlock()
- m.tryHTTP01 = true
-
- if fallback == nil {
- fallback = http.HandlerFunc(handleHTTPRedirect)
- }
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if !strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge/") {
- fallback.ServeHTTP(w, r)
- return
- }
- // A reasonable context timeout for cache and host policy only,
- // because we don't wait for a new certificate issuance here.
- ctx, cancel := context.WithTimeout(r.Context(), time.Minute)
- defer cancel()
- if err := m.hostPolicy()(ctx, r.Host); err != nil {
- http.Error(w, err.Error(), http.StatusForbidden)
- return
- }
- data, err := m.httpToken(ctx, r.URL.Path)
- if err != nil {
- http.Error(w, err.Error(), http.StatusNotFound)
- return
- }
- w.Write(data)
- })
-}
-
-func handleHTTPRedirect(w http.ResponseWriter, r *http.Request) {
- if r.Method != "GET" && r.Method != "HEAD" {
- http.Error(w, "Use HTTPS", http.StatusBadRequest)
- return
- }
- target := "https://" + stripPort(r.Host) + r.URL.RequestURI()
- http.Redirect(w, r, target, http.StatusFound)
-}
-
-func stripPort(hostport string) string {
- host, _, err := net.SplitHostPort(hostport)
- if err != nil {
- return hostport
- }
- return net.JoinHostPort(host, "443")
-}
-
-// cert returns an existing certificate either from m.state or cache.
-// If a certificate is found in cache but not in m.state, the latter will be filled
-// with the cached value.
-func (m *Manager) cert(ctx context.Context, ck certKey) (*tls.Certificate, error) {
- m.stateMu.Lock()
- if s, ok := m.state[ck]; ok {
- m.stateMu.Unlock()
- s.RLock()
- defer s.RUnlock()
- return s.tlscert()
- }
- defer m.stateMu.Unlock()
- cert, err := m.cacheGet(ctx, ck)
- if err != nil {
- return nil, err
- }
- signer, ok := cert.PrivateKey.(crypto.Signer)
- if !ok {
- return nil, errors.New("acme/autocert: private key cannot sign")
- }
- if m.state == nil {
- m.state = make(map[certKey]*certState)
- }
- s := &certState{
- key: signer,
- cert: cert.Certificate,
- leaf: cert.Leaf,
- }
- m.state[ck] = s
- go m.renew(ck, s.key, s.leaf.NotAfter)
- return cert, nil
-}
-
-// cacheGet always returns a valid certificate, or an error otherwise.
-// If a cached certificate exists but is not valid, ErrCacheMiss is returned.
-func (m *Manager) cacheGet(ctx context.Context, ck certKey) (*tls.Certificate, error) {
- if m.Cache == nil {
- return nil, ErrCacheMiss
- }
- data, err := m.Cache.Get(ctx, ck.String())
- if err != nil {
- return nil, err
- }
-
- // private
- priv, pub := pem.Decode(data)
- if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
- return nil, ErrCacheMiss
- }
- privKey, err := parsePrivateKey(priv.Bytes)
- if err != nil {
- return nil, err
- }
-
- // public
- var pubDER [][]byte
- for len(pub) > 0 {
- var b *pem.Block
- b, pub = pem.Decode(pub)
- if b == nil {
- break
- }
- pubDER = append(pubDER, b.Bytes)
- }
- if len(pub) > 0 {
- // Leftover content not consumed by pem.Decode. Corrupt. Ignore.
- return nil, ErrCacheMiss
- }
-
- // verify and create TLS cert
- leaf, err := validCert(ck, pubDER, privKey, m.now())
- if err != nil {
- return nil, ErrCacheMiss
- }
- tlscert := &tls.Certificate{
- Certificate: pubDER,
- PrivateKey: privKey,
- Leaf: leaf,
- }
- return tlscert, nil
-}
-
-func (m *Manager) cachePut(ctx context.Context, ck certKey, tlscert *tls.Certificate) error {
- if m.Cache == nil {
- return nil
- }
-
- // contains PEM-encoded data
- var buf bytes.Buffer
-
- // private
- switch key := tlscert.PrivateKey.(type) {
- case *ecdsa.PrivateKey:
- if err := encodeECDSAKey(&buf, key); err != nil {
- return err
- }
- case *rsa.PrivateKey:
- b := x509.MarshalPKCS1PrivateKey(key)
- pb := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b}
- if err := pem.Encode(&buf, pb); err != nil {
- return err
- }
- default:
- return errors.New("acme/autocert: unknown private key type")
- }
-
- // public
- for _, b := range tlscert.Certificate {
- pb := &pem.Block{Type: "CERTIFICATE", Bytes: b}
- if err := pem.Encode(&buf, pb); err != nil {
- return err
- }
- }
-
- return m.Cache.Put(ctx, ck.String(), buf.Bytes())
-}
-
-func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error {
- b, err := x509.MarshalECPrivateKey(key)
- if err != nil {
- return err
- }
- pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
- return pem.Encode(w, pb)
-}
-
-// createCert starts the domain ownership verification and returns a certificate
-// for that domain upon success.
-//
-// If the domain is already being verified, it waits for the existing verification to complete.
-// Either way, createCert blocks for the duration of the whole process.
-func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate, error) {
- // TODO: maybe rewrite this whole piece using sync.Once
- state, err := m.certState(ck)
- if err != nil {
- return nil, err
- }
- // state may exist if another goroutine is already working on it
- // in which case just wait for it to finish
- if !state.locked {
- state.RLock()
- defer state.RUnlock()
- return state.tlscert()
- }
-
- // We are the first; state is locked.
- // Unblock the readers when domain ownership is verified
- // and we got the cert or the process failed.
- defer state.Unlock()
- state.locked = false
-
- der, leaf, err := m.authorizedCert(ctx, state.key, ck)
- if err != nil {
- // Remove the failed state after some time,
- // making the manager call createCert again on the following TLS hello.
- time.AfterFunc(createCertRetryAfter, func() {
- defer testDidRemoveState(ck)
- m.stateMu.Lock()
- defer m.stateMu.Unlock()
- // Verify the state hasn't changed and it's still invalid
- // before deleting.
- s, ok := m.state[ck]
- if !ok {
- return
- }
- if _, err := validCert(ck, s.cert, s.key, m.now()); err == nil {
- return
- }
- delete(m.state, ck)
- })
- return nil, err
- }
- state.cert = der
- state.leaf = leaf
- go m.renew(ck, state.key, state.leaf.NotAfter)
- return state.tlscert()
-}
-
-// certState returns a new or existing certState.
-// If a new certState is returned, state.exist is false and the state is locked.
-// The returned error is non-nil only in the case where a new state could not be created.
-func (m *Manager) certState(ck certKey) (*certState, error) {
- m.stateMu.Lock()
- defer m.stateMu.Unlock()
- if m.state == nil {
- m.state = make(map[certKey]*certState)
- }
- // existing state
- if state, ok := m.state[ck]; ok {
- return state, nil
- }
-
- // new locked state
- var (
- err error
- key crypto.Signer
- )
- if ck.isRSA {
- key, err = rsa.GenerateKey(rand.Reader, 2048)
- } else {
- key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- }
- if err != nil {
- return nil, err
- }
-
- state := &certState{
- key: key,
- locked: true,
- }
- state.Lock() // will be unlocked by m.certState caller
- m.state[ck] = state
- return state, nil
-}
-
-// authorizedCert starts the domain ownership verification process and requests a new cert upon success.
-// The key argument is the certificate private key.
-func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, ck certKey) (der [][]byte, leaf *x509.Certificate, err error) {
- client, err := m.acmeClient(ctx)
- if err != nil {
- return nil, nil, err
- }
-
- if err := m.verify(ctx, client, ck.domain); err != nil {
- return nil, nil, err
- }
- csr, err := certRequest(key, ck.domain, m.ExtraExtensions)
- if err != nil {
- return nil, nil, err
- }
- der, _, err = client.CreateCert(ctx, csr, 0, true)
- if err != nil {
- return nil, nil, err
- }
- leaf, err = validCert(ck, der, key, m.now())
- if err != nil {
- return nil, nil, err
- }
- return der, leaf, nil
-}
-
-// revokePendingAuthz revokes all authorizations idenfied by the elements of uri slice.
-// It ignores revocation errors.
-func (m *Manager) revokePendingAuthz(ctx context.Context, uri []string) {
- client, err := m.acmeClient(ctx)
- if err != nil {
- return
- }
- for _, u := range uri {
- client.RevokeAuthorization(ctx, u)
- }
-}
-
-// verify runs the identifier (domain) authorization flow
-// using each applicable ACME challenge type.
-func (m *Manager) verify(ctx context.Context, client *acme.Client, domain string) error {
- // The list of challenge types we'll try to fulfill
- // in this specific order.
- challengeTypes := []string{"tls-alpn-01", "tls-sni-02", "tls-sni-01"}
- m.tokensMu.RLock()
- if m.tryHTTP01 {
- challengeTypes = append(challengeTypes, "http-01")
- }
- m.tokensMu.RUnlock()
-
- // Keep track of pending authzs and revoke the ones that did not validate.
- pendingAuthzs := make(map[string]bool)
- defer func() {
- var uri []string
- for k, pending := range pendingAuthzs {
- if pending {
- uri = append(uri, k)
- }
- }
- if len(uri) > 0 {
- // Use "detached" background context.
- // The revocations need not happen in the current verification flow.
- go m.revokePendingAuthz(context.Background(), uri)
- }
- }()
-
- // errs accumulates challenge failure errors, printed if all fail
- errs := make(map[*acme.Challenge]error)
- var nextTyp int // challengeType index of the next challenge type to try
- for {
- // Start domain authorization and get the challenge.
- authz, err := client.Authorize(ctx, domain)
- if err != nil {
- return err
- }
- // No point in accepting challenges if the authorization status
- // is in a final state.
- switch authz.Status {
- case acme.StatusValid:
- return nil // already authorized
- case acme.StatusInvalid:
- return fmt.Errorf("acme/autocert: invalid authorization %q", authz.URI)
- }
-
- pendingAuthzs[authz.URI] = true
-
- // Pick the next preferred challenge.
- var chal *acme.Challenge
- for chal == nil && nextTyp < len(challengeTypes) {
- chal = pickChallenge(challengeTypes[nextTyp], authz.Challenges)
- nextTyp++
- }
- if chal == nil {
- errorMsg := fmt.Sprintf("acme/autocert: unable to authorize %q", domain)
- for chal, err := range errs {
- errorMsg += fmt.Sprintf("; challenge %q failed with error: %v", chal.Type, err)
- }
- return errors.New(errorMsg)
- }
- cleanup, err := m.fulfill(ctx, client, chal, domain)
- if err != nil {
- errs[chal] = err
- continue
- }
- defer cleanup()
- if _, err := client.Accept(ctx, chal); err != nil {
- errs[chal] = err
- continue
- }
-
- // A challenge is fulfilled and accepted: wait for the CA to validate.
- if _, err := client.WaitAuthorization(ctx, authz.URI); err != nil {
- errs[chal] = err
- continue
- }
- delete(pendingAuthzs, authz.URI)
- return nil
- }
-}
-
-// fulfill provisions a response to the challenge chal.
-// The cleanup is non-nil only if provisioning succeeded.
-func (m *Manager) fulfill(ctx context.Context, client *acme.Client, chal *acme.Challenge, domain string) (cleanup func(), err error) {
- switch chal.Type {
- case "tls-alpn-01":
- cert, err := client.TLSALPN01ChallengeCert(chal.Token, domain)
- if err != nil {
- return nil, err
- }
- m.putCertToken(ctx, domain, &cert)
- return func() { go m.deleteCertToken(domain) }, nil
- case "tls-sni-01":
- cert, name, err := client.TLSSNI01ChallengeCert(chal.Token)
- if err != nil {
- return nil, err
- }
- m.putCertToken(ctx, name, &cert)
- return func() { go m.deleteCertToken(name) }, nil
- case "tls-sni-02":
- cert, name, err := client.TLSSNI02ChallengeCert(chal.Token)
- if err != nil {
- return nil, err
- }
- m.putCertToken(ctx, name, &cert)
- return func() { go m.deleteCertToken(name) }, nil
- case "http-01":
- resp, err := client.HTTP01ChallengeResponse(chal.Token)
- if err != nil {
- return nil, err
- }
- p := client.HTTP01ChallengePath(chal.Token)
- m.putHTTPToken(ctx, p, resp)
- return func() { go m.deleteHTTPToken(p) }, nil
- }
- return nil, fmt.Errorf("acme/autocert: unknown challenge type %q", chal.Type)
-}
-
-func pickChallenge(typ string, chal []*acme.Challenge) *acme.Challenge {
- for _, c := range chal {
- if c.Type == typ {
- return c
- }
- }
- return nil
-}
-
-// putCertToken stores the token certificate with the specified name
-// in both m.certTokens map and m.Cache.
-func (m *Manager) putCertToken(ctx context.Context, name string, cert *tls.Certificate) {
- m.tokensMu.Lock()
- defer m.tokensMu.Unlock()
- if m.certTokens == nil {
- m.certTokens = make(map[string]*tls.Certificate)
- }
- m.certTokens[name] = cert
- m.cachePut(ctx, certKey{domain: name, isToken: true}, cert)
-}
-
-// deleteCertToken removes the token certificate with the specified name
-// from both m.certTokens map and m.Cache.
-func (m *Manager) deleteCertToken(name string) {
- m.tokensMu.Lock()
- defer m.tokensMu.Unlock()
- delete(m.certTokens, name)
- if m.Cache != nil {
- ck := certKey{domain: name, isToken: true}
- m.Cache.Delete(context.Background(), ck.String())
- }
-}
-
-// httpToken retrieves an existing http-01 token value from an in-memory map
-// or the optional cache.
-func (m *Manager) httpToken(ctx context.Context, tokenPath string) ([]byte, error) {
- m.tokensMu.RLock()
- defer m.tokensMu.RUnlock()
- if v, ok := m.httpTokens[tokenPath]; ok {
- return v, nil
- }
- if m.Cache == nil {
- return nil, fmt.Errorf("acme/autocert: no token at %q", tokenPath)
- }
- return m.Cache.Get(ctx, httpTokenCacheKey(tokenPath))
-}
-
-// putHTTPToken stores an http-01 token value using tokenPath as key
-// in both in-memory map and the optional Cache.
-//
-// It ignores any error returned from Cache.Put.
-func (m *Manager) putHTTPToken(ctx context.Context, tokenPath, val string) {
- m.tokensMu.Lock()
- defer m.tokensMu.Unlock()
- if m.httpTokens == nil {
- m.httpTokens = make(map[string][]byte)
- }
- b := []byte(val)
- m.httpTokens[tokenPath] = b
- if m.Cache != nil {
- m.Cache.Put(ctx, httpTokenCacheKey(tokenPath), b)
- }
-}
-
-// deleteHTTPToken removes an http-01 token value from both in-memory map
-// and the optional Cache, ignoring any error returned from the latter.
-//
-// If m.Cache is non-nil, it blocks until Cache.Delete returns without a timeout.
-func (m *Manager) deleteHTTPToken(tokenPath string) {
- m.tokensMu.Lock()
- defer m.tokensMu.Unlock()
- delete(m.httpTokens, tokenPath)
- if m.Cache != nil {
- m.Cache.Delete(context.Background(), httpTokenCacheKey(tokenPath))
- }
-}
-
-// httpTokenCacheKey returns a key at which an http-01 token value may be stored
-// in the Manager's optional Cache.
-func httpTokenCacheKey(tokenPath string) string {
- return path.Base(tokenPath) + "+http-01"
-}
-
-// renew starts a cert renewal timer loop, one per domain.
-//
-// The loop is scheduled in two cases:
-// - a cert was fetched from cache for the first time (wasn't in m.state)
-// - a new cert was created by m.createCert
-//
-// The key argument is a certificate private key.
-// The exp argument is the cert expiration time (NotAfter).
-func (m *Manager) renew(ck certKey, key crypto.Signer, exp time.Time) {
- m.renewalMu.Lock()
- defer m.renewalMu.Unlock()
- if m.renewal[ck] != nil {
- // another goroutine is already on it
- return
- }
- if m.renewal == nil {
- m.renewal = make(map[certKey]*domainRenewal)
- }
- dr := &domainRenewal{m: m, ck: ck, key: key}
- m.renewal[ck] = dr
- dr.start(exp)
-}
-
-// stopRenew stops all currently running cert renewal timers.
-// The timers are not restarted during the lifetime of the Manager.
-func (m *Manager) stopRenew() {
- m.renewalMu.Lock()
- defer m.renewalMu.Unlock()
- for name, dr := range m.renewal {
- delete(m.renewal, name)
- dr.stop()
- }
-}
-
-func (m *Manager) accountKey(ctx context.Context) (crypto.Signer, error) {
- const keyName = "acme_account+key"
-
- // Previous versions of autocert stored the value under a different key.
- const legacyKeyName = "acme_account.key"
-
- genKey := func() (*ecdsa.PrivateKey, error) {
- return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- }
-
- if m.Cache == nil {
- return genKey()
- }
-
- data, err := m.Cache.Get(ctx, keyName)
- if err == ErrCacheMiss {
- data, err = m.Cache.Get(ctx, legacyKeyName)
- }
- if err == ErrCacheMiss {
- key, err := genKey()
- if err != nil {
- return nil, err
- }
- var buf bytes.Buffer
- if err := encodeECDSAKey(&buf, key); err != nil {
- return nil, err
- }
- if err := m.Cache.Put(ctx, keyName, buf.Bytes()); err != nil {
- return nil, err
- }
- return key, nil
- }
- if err != nil {
- return nil, err
- }
-
- priv, _ := pem.Decode(data)
- if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
- return nil, errors.New("acme/autocert: invalid account key found in cache")
- }
- return parsePrivateKey(priv.Bytes)
-}
-
-func (m *Manager) acmeClient(ctx context.Context) (*acme.Client, error) {
- m.clientMu.Lock()
- defer m.clientMu.Unlock()
- if m.client != nil {
- return m.client, nil
- }
-
- client := m.Client
- if client == nil {
- client = &acme.Client{DirectoryURL: acme.LetsEncryptURL}
- }
- if client.Key == nil {
- var err error
- client.Key, err = m.accountKey(ctx)
- if err != nil {
- return nil, err
- }
- }
- var contact []string
- if m.Email != "" {
- contact = []string{"mailto:" + m.Email}
- }
- a := &acme.Account{Contact: contact}
- _, err := client.Register(ctx, a, m.Prompt)
- if ae, ok := err.(*acme.Error); err == nil || ok && ae.StatusCode == http.StatusConflict {
- // conflict indicates the key is already registered
- m.client = client
- err = nil
- }
- return m.client, err
-}
-
-func (m *Manager) hostPolicy() HostPolicy {
- if m.HostPolicy != nil {
- return m.HostPolicy
- }
- return defaultHostPolicy
-}
-
-func (m *Manager) renewBefore() time.Duration {
- if m.RenewBefore > renewJitter {
- return m.RenewBefore
- }
- return 720 * time.Hour // 30 days
-}
-
-func (m *Manager) now() time.Time {
- if m.nowFunc != nil {
- return m.nowFunc()
- }
- return time.Now()
-}
-
-// certState is ready when its mutex is unlocked for reading.
-type certState struct {
- sync.RWMutex
- locked bool // locked for read/write
- key crypto.Signer // private key for cert
- cert [][]byte // DER encoding
- leaf *x509.Certificate // parsed cert[0]; always non-nil if cert != nil
-}
-
-// tlscert creates a tls.Certificate from s.key and s.cert.
-// Callers should wrap it in s.RLock() and s.RUnlock().
-func (s *certState) tlscert() (*tls.Certificate, error) {
- if s.key == nil {
- return nil, errors.New("acme/autocert: missing signer")
- }
- if len(s.cert) == 0 {
- return nil, errors.New("acme/autocert: missing certificate")
- }
- return &tls.Certificate{
- PrivateKey: s.key,
- Certificate: s.cert,
- Leaf: s.leaf,
- }, nil
-}
-
-// certRequest generates a CSR for the given common name cn and optional SANs.
-func certRequest(key crypto.Signer, cn string, ext []pkix.Extension, san ...string) ([]byte, error) {
- req := &x509.CertificateRequest{
- Subject: pkix.Name{CommonName: cn},
- DNSNames: san,
- ExtraExtensions: ext,
- }
- return x509.CreateCertificateRequest(rand.Reader, req, key)
-}
-
-// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
-// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
-// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
-//
-// Inspired by parsePrivateKey in crypto/tls/tls.go.
-func parsePrivateKey(der []byte) (crypto.Signer, error) {
- if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
- return key, nil
- }
- if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
- switch key := key.(type) {
- case *rsa.PrivateKey:
- return key, nil
- case *ecdsa.PrivateKey:
- return key, nil
- default:
- return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping")
- }
- }
- if key, err := x509.ParseECPrivateKey(der); err == nil {
- return key, nil
- }
-
- return nil, errors.New("acme/autocert: failed to parse private key")
-}
-
-// validCert parses a cert chain provided as der argument and verifies the leaf and der[0]
-// correspond to the private key, the domain and key type match, and expiration dates
-// are valid. It doesn't do any revocation checking.
-//
-// The returned value is the verified leaf cert.
-func validCert(ck certKey, der [][]byte, key crypto.Signer, now time.Time) (leaf *x509.Certificate, err error) {
- // parse public part(s)
- var n int
- for _, b := range der {
- n += len(b)
- }
- pub := make([]byte, n)
- n = 0
- for _, b := range der {
- n += copy(pub[n:], b)
- }
- x509Cert, err := x509.ParseCertificates(pub)
- if err != nil || len(x509Cert) == 0 {
- return nil, errors.New("acme/autocert: no public key found")
- }
- // verify the leaf is not expired and matches the domain name
- leaf = x509Cert[0]
- if now.Before(leaf.NotBefore) {
- return nil, errors.New("acme/autocert: certificate is not valid yet")
- }
- if now.After(leaf.NotAfter) {
- return nil, errors.New("acme/autocert: expired certificate")
- }
- if err := leaf.VerifyHostname(ck.domain); err != nil {
- return nil, err
- }
- // ensure the leaf corresponds to the private key and matches the certKey type
- switch pub := leaf.PublicKey.(type) {
- case *rsa.PublicKey:
- prv, ok := key.(*rsa.PrivateKey)
- if !ok {
- return nil, errors.New("acme/autocert: private key type does not match public key type")
- }
- if pub.N.Cmp(prv.N) != 0 {
- return nil, errors.New("acme/autocert: private key does not match public key")
- }
- if !ck.isRSA && !ck.isToken {
- return nil, errors.New("acme/autocert: key type does not match expected value")
- }
- case *ecdsa.PublicKey:
- prv, ok := key.(*ecdsa.PrivateKey)
- if !ok {
- return nil, errors.New("acme/autocert: private key type does not match public key type")
- }
- if pub.X.Cmp(prv.X) != 0 || pub.Y.Cmp(prv.Y) != 0 {
- return nil, errors.New("acme/autocert: private key does not match public key")
- }
- if ck.isRSA && !ck.isToken {
- return nil, errors.New("acme/autocert: key type does not match expected value")
- }
- default:
- return nil, errors.New("acme/autocert: unknown public key algorithm")
- }
- return leaf, nil
-}
-
-type lockedMathRand struct {
- sync.Mutex
- rnd *mathrand.Rand
-}
-
-func (r *lockedMathRand) int63n(max int64) int64 {
- r.Lock()
- n := r.rnd.Int63n(max)
- r.Unlock()
- return n
-}
-
-// For easier testing.
-var (
- // Called when a state is removed.
- testDidRemoveState = func(certKey) {}
-)
diff --git a/vendor/golang.org/x/crypto/acme/autocert/cache.go b/vendor/golang.org/x/crypto/acme/autocert/cache.go
deleted file mode 100644
index aa9aa84..0000000
--- a/vendor/golang.org/x/crypto/acme/autocert/cache.go
+++ /dev/null
@@ -1,130 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
- "context"
- "errors"
- "io/ioutil"
- "os"
- "path/filepath"
-)
-
-// ErrCacheMiss is returned when a certificate is not found in cache.
-var ErrCacheMiss = errors.New("acme/autocert: certificate cache miss")
-
-// Cache is used by Manager to store and retrieve previously obtained certificates
-// and other account data as opaque blobs.
-//
-// Cache implementations should not rely on the key naming pattern. Keys can
-// include any printable ASCII characters, except the following: \/:*?"<>|
-type Cache interface {
- // Get returns a certificate data for the specified key.
- // If there's no such key, Get returns ErrCacheMiss.
- Get(ctx context.Context, key string) ([]byte, error)
-
- // Put stores the data in the cache under the specified key.
- // Underlying implementations may use any data storage format,
- // as long as the reverse operation, Get, results in the original data.
- Put(ctx context.Context, key string, data []byte) error
-
- // Delete removes a certificate data from the cache under the specified key.
- // If there's no such key in the cache, Delete returns nil.
- Delete(ctx context.Context, key string) error
-}
-
-// DirCache implements Cache using a directory on the local filesystem.
-// If the directory does not exist, it will be created with 0700 permissions.
-type DirCache string
-
-// Get reads a certificate data from the specified file name.
-func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) {
- name = filepath.Join(string(d), name)
- var (
- data []byte
- err error
- done = make(chan struct{})
- )
- go func() {
- data, err = ioutil.ReadFile(name)
- close(done)
- }()
- select {
- case <-ctx.Done():
- return nil, ctx.Err()
- case <-done:
- }
- if os.IsNotExist(err) {
- return nil, ErrCacheMiss
- }
- return data, err
-}
-
-// Put writes the certificate data to the specified file name.
-// The file will be created with 0600 permissions.
-func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
- if err := os.MkdirAll(string(d), 0700); err != nil {
- return err
- }
-
- done := make(chan struct{})
- var err error
- go func() {
- defer close(done)
- var tmp string
- if tmp, err = d.writeTempFile(name, data); err != nil {
- return
- }
- select {
- case <-ctx.Done():
- // Don't overwrite the file if the context was canceled.
- default:
- newName := filepath.Join(string(d), name)
- err = os.Rename(tmp, newName)
- }
- }()
- select {
- case <-ctx.Done():
- return ctx.Err()
- case <-done:
- }
- return err
-}
-
-// Delete removes the specified file name.
-func (d DirCache) Delete(ctx context.Context, name string) error {
- name = filepath.Join(string(d), name)
- var (
- err error
- done = make(chan struct{})
- )
- go func() {
- err = os.Remove(name)
- close(done)
- }()
- select {
- case <-ctx.Done():
- return ctx.Err()
- case <-done:
- }
- if err != nil && !os.IsNotExist(err) {
- return err
- }
- return nil
-}
-
-// writeTempFile writes b to a temporary file, closes the file and returns its path.
-func (d DirCache) writeTempFile(prefix string, b []byte) (string, error) {
- // TempFile uses 0600 permissions
- f, err := ioutil.TempFile(string(d), prefix)
- if err != nil {
- return "", err
- }
- if _, err := f.Write(b); err != nil {
- f.Close()
- return "", err
- }
- return f.Name(), f.Close()
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/listener.go b/vendor/golang.org/x/crypto/acme/autocert/listener.go
deleted file mode 100644
index 1e06981..0000000
--- a/vendor/golang.org/x/crypto/acme/autocert/listener.go
+++ /dev/null
@@ -1,157 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
- "crypto/tls"
- "log"
- "net"
- "os"
- "path/filepath"
- "runtime"
- "time"
-)
-
-// NewListener returns a net.Listener that listens on the standard TLS
-// port (443) on all interfaces and returns *tls.Conn connections with
-// LetsEncrypt certificates for the provided domain or domains.
-//
-// It enables one-line HTTPS servers:
-//
-// log.Fatal(http.Serve(autocert.NewListener("example.com"), handler))
-//
-// NewListener is a convenience function for a common configuration.
-// More complex or custom configurations can use the autocert.Manager
-// type instead.
-//
-// Use of this function implies acceptance of the LetsEncrypt Terms of
-// Service. If domains is not empty, the provided domains are passed
-// to HostWhitelist. If domains is empty, the listener will do
-// LetsEncrypt challenges for any requested domain, which is not
-// recommended.
-//
-// Certificates are cached in a "golang-autocert" directory under an
-// operating system-specific cache or temp directory. This may not
-// be suitable for servers spanning multiple machines.
-//
-// The returned listener uses a *tls.Config that enables HTTP/2, and
-// should only be used with servers that support HTTP/2.
-//
-// The returned Listener also enables TCP keep-alives on the accepted
-// connections. The returned *tls.Conn are returned before their TLS
-// handshake has completed.
-func NewListener(domains ...string) net.Listener {
- m := &Manager{
- Prompt: AcceptTOS,
- }
- if len(domains) > 0 {
- m.HostPolicy = HostWhitelist(domains...)
- }
- dir := cacheDir()
- if err := os.MkdirAll(dir, 0700); err != nil {
- log.Printf("warning: autocert.NewListener not using a cache: %v", err)
- } else {
- m.Cache = DirCache(dir)
- }
- return m.Listener()
-}
-
-// Listener listens on the standard TLS port (443) on all interfaces
-// and returns a net.Listener returning *tls.Conn connections.
-//
-// The returned listener uses a *tls.Config that enables HTTP/2, and
-// should only be used with servers that support HTTP/2.
-//
-// The returned Listener also enables TCP keep-alives on the accepted
-// connections. The returned *tls.Conn are returned before their TLS
-// handshake has completed.
-//
-// Unlike NewListener, it is the caller's responsibility to initialize
-// the Manager m's Prompt, Cache, HostPolicy, and other desired options.
-func (m *Manager) Listener() net.Listener {
- ln := &listener{
- m: m,
- conf: m.TLSConfig(),
- }
- ln.tcpListener, ln.tcpListenErr = net.Listen("tcp", ":443")
- return ln
-}
-
-type listener struct {
- m *Manager
- conf *tls.Config
-
- tcpListener net.Listener
- tcpListenErr error
-}
-
-func (ln *listener) Accept() (net.Conn, error) {
- if ln.tcpListenErr != nil {
- return nil, ln.tcpListenErr
- }
- conn, err := ln.tcpListener.Accept()
- if err != nil {
- return nil, err
- }
- tcpConn := conn.(*net.TCPConn)
-
- // Because Listener is a convenience function, help out with
- // this too. This is not possible for the caller to set once
- // we return a *tcp.Conn wrapping an inaccessible net.Conn.
- // If callers don't want this, they can do things the manual
- // way and tweak as needed. But this is what net/http does
- // itself, so copy that. If net/http changes, we can change
- // here too.
- tcpConn.SetKeepAlive(true)
- tcpConn.SetKeepAlivePeriod(3 * time.Minute)
-
- return tls.Server(tcpConn, ln.conf), nil
-}
-
-func (ln *listener) Addr() net.Addr {
- if ln.tcpListener != nil {
- return ln.tcpListener.Addr()
- }
- // net.Listen failed. Return something non-nil in case callers
- // call Addr before Accept:
- return &net.TCPAddr{IP: net.IP{0, 0, 0, 0}, Port: 443}
-}
-
-func (ln *listener) Close() error {
- if ln.tcpListenErr != nil {
- return ln.tcpListenErr
- }
- return ln.tcpListener.Close()
-}
-
-func homeDir() string {
- if runtime.GOOS == "windows" {
- return os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH")
- }
- if h := os.Getenv("HOME"); h != "" {
- return h
- }
- return "/"
-}
-
-func cacheDir() string {
- const base = "golang-autocert"
- switch runtime.GOOS {
- case "darwin":
- return filepath.Join(homeDir(), "Library", "Caches", base)
- case "windows":
- for _, ev := range []string{"APPDATA", "CSIDL_APPDATA", "TEMP", "TMP"} {
- if v := os.Getenv(ev); v != "" {
- return filepath.Join(v, base)
- }
- }
- // Worst case:
- return filepath.Join(homeDir(), base)
- }
- if xdg := os.Getenv("XDG_CACHE_HOME"); xdg != "" {
- return filepath.Join(xdg, base)
- }
- return filepath.Join(homeDir(), ".cache", base)
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/renewal.go b/vendor/golang.org/x/crypto/acme/autocert/renewal.go
deleted file mode 100644
index 665f870..0000000
--- a/vendor/golang.org/x/crypto/acme/autocert/renewal.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
- "context"
- "crypto"
- "sync"
- "time"
-)
-
-// renewJitter is the maximum deviation from Manager.RenewBefore.
-const renewJitter = time.Hour
-
-// domainRenewal tracks the state used by the periodic timers
-// renewing a single domain's cert.
-type domainRenewal struct {
- m *Manager
- ck certKey
- key crypto.Signer
-
- timerMu sync.Mutex
- timer *time.Timer
-}
-
-// start starts a cert renewal timer at the time
-// defined by the certificate expiration time exp.
-//
-// If the timer is already started, calling start is a noop.
-func (dr *domainRenewal) start(exp time.Time) {
- dr.timerMu.Lock()
- defer dr.timerMu.Unlock()
- if dr.timer != nil {
- return
- }
- dr.timer = time.AfterFunc(dr.next(exp), dr.renew)
-}
-
-// stop stops the cert renewal timer.
-// If the timer is already stopped, calling stop is a noop.
-func (dr *domainRenewal) stop() {
- dr.timerMu.Lock()
- defer dr.timerMu.Unlock()
- if dr.timer == nil {
- return
- }
- dr.timer.Stop()
- dr.timer = nil
-}
-
-// renew is called periodically by a timer.
-// The first renew call is kicked off by dr.start.
-func (dr *domainRenewal) renew() {
- dr.timerMu.Lock()
- defer dr.timerMu.Unlock()
- if dr.timer == nil {
- return
- }
-
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
- defer cancel()
- // TODO: rotate dr.key at some point?
- next, err := dr.do(ctx)
- if err != nil {
- next = renewJitter / 2
- next += time.Duration(pseudoRand.int63n(int64(next)))
- }
- dr.timer = time.AfterFunc(next, dr.renew)
- testDidRenewLoop(next, err)
-}
-
-// updateState locks and replaces the relevant Manager.state item with the given
-// state. It additionally updates dr.key with the given state's key.
-func (dr *domainRenewal) updateState(state *certState) {
- dr.m.stateMu.Lock()
- defer dr.m.stateMu.Unlock()
- dr.key = state.key
- dr.m.state[dr.ck] = state
-}
-
-// do is similar to Manager.createCert but it doesn't lock a Manager.state item.
-// Instead, it requests a new certificate independently and, upon success,
-// replaces dr.m.state item with a new one and updates cache for the given domain.
-//
-// It may lock and update the Manager.state if the expiration date of the currently
-// cached cert is far enough in the future.
-//
-// The returned value is a time interval after which the renewal should occur again.
-func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
- // a race is likely unavoidable in a distributed environment
- // but we try nonetheless
- if tlscert, err := dr.m.cacheGet(ctx, dr.ck); err == nil {
- next := dr.next(tlscert.Leaf.NotAfter)
- if next > dr.m.renewBefore()+renewJitter {
- signer, ok := tlscert.PrivateKey.(crypto.Signer)
- if ok {
- state := &certState{
- key: signer,
- cert: tlscert.Certificate,
- leaf: tlscert.Leaf,
- }
- dr.updateState(state)
- return next, nil
- }
- }
- }
-
- der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.ck)
- if err != nil {
- return 0, err
- }
- state := &certState{
- key: dr.key,
- cert: der,
- leaf: leaf,
- }
- tlscert, err := state.tlscert()
- if err != nil {
- return 0, err
- }
- if err := dr.m.cachePut(ctx, dr.ck, tlscert); err != nil {
- return 0, err
- }
- dr.updateState(state)
- return dr.next(leaf.NotAfter), nil
-}
-
-func (dr *domainRenewal) next(expiry time.Time) time.Duration {
- d := expiry.Sub(dr.m.now()) - dr.m.renewBefore()
- // add a bit of randomness to renew deadline
- n := pseudoRand.int63n(int64(renewJitter))
- d -= time.Duration(n)
- if d < 0 {
- return 0
- }
- return d
-}
-
-var testDidRenewLoop = func(next time.Duration, err error) {}