diff options
Diffstat (limited to 'vendor/golang.org/x/crypto/acme')
| -rw-r--r-- | vendor/golang.org/x/crypto/acme/acme.go | 89 | ||||
| -rw-r--r-- | vendor/golang.org/x/crypto/acme/autocert/autocert.go | 35 | ||||
| -rw-r--r-- | vendor/golang.org/x/crypto/acme/autocert/cache.go | 3 | ||||
| -rw-r--r-- | vendor/golang.org/x/crypto/acme/autocert/listener.go | 153 | ||||
| -rw-r--r-- | vendor/golang.org/x/crypto/acme/autocert/renewal.go | 7 |
5 files changed, 243 insertions, 44 deletions
diff --git a/vendor/golang.org/x/crypto/acme/acme.go b/vendor/golang.org/x/crypto/acme/acme.go index 8619508..140d422 100644 --- a/vendor/golang.org/x/crypto/acme/acme.go +++ b/vendor/golang.org/x/crypto/acme/acme.go @@ -15,6 +15,7 @@ package acme import ( "bytes" + "context" "crypto" "crypto/ecdsa" "crypto/elliptic" @@ -36,9 +37,6 @@ import ( "strings" "sync" "time" - - "golang.org/x/net/context" - "golang.org/x/net/context/ctxhttp" ) // LetsEncryptURL is the Directory endpoint of Let's Encrypt CA. @@ -133,7 +131,7 @@ func (c *Client) Discover(ctx context.Context) (Directory, error) { if dirURL == "" { dirURL = LetsEncryptURL } - res, err := ctxhttp.Get(ctx, c.HTTPClient, dirURL) + res, err := c.get(ctx, dirURL) if err != nil { return Directory{}, err } @@ -216,7 +214,7 @@ func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, return cert, curl, err } // slurp issued cert and CA chain, if requested - cert, err := responseCert(ctx, c.HTTPClient, res, bundle) + cert, err := c.responseCert(ctx, res, bundle) return cert, curl, err } @@ -231,13 +229,13 @@ func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, // and has expected features. func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) { for { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } defer res.Body.Close() if res.StatusCode == http.StatusOK { - return responseCert(ctx, c.HTTPClient, res, bundle) + return c.responseCert(ctx, res, bundle) } if res.StatusCode > 299 { return nil, responseError(res) @@ -387,7 +385,7 @@ func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, // If a caller needs to poll an authorization until its status is final, // see the WaitAuthorization method. func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } @@ -456,7 +454,7 @@ func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorizat } for { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } @@ -493,7 +491,7 @@ func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorizat // // A client typically polls a challenge status using this method. func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) { - res, err := ctxhttp.Get(ctx, c.HTTPClient, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } @@ -708,7 +706,7 @@ func (c *Client) postJWS(ctx context.Context, key crypto.Signer, url string, bod if err != nil { return nil, err } - res, err := ctxhttp.Post(ctx, c.HTTPClient, url, "application/jose+json", bytes.NewReader(b)) + res, err := c.post(ctx, url, "application/jose+json", bytes.NewReader(b)) if err != nil { return nil, err } @@ -722,7 +720,7 @@ func (c *Client) popNonce(ctx context.Context, url string) (string, error) { c.noncesMu.Lock() defer c.noncesMu.Unlock() if len(c.nonces) == 0 { - return fetchNonce(ctx, c.HTTPClient, url) + return c.fetchNonce(ctx, url) } var nonce string for nonce = range c.nonces { @@ -749,8 +747,58 @@ func (c *Client) addNonce(h http.Header) { c.nonces[v] = struct{}{} } -func fetchNonce(ctx context.Context, client *http.Client, url string) (string, error) { - resp, err := ctxhttp.Head(ctx, client, url) +func (c *Client) httpClient() *http.Client { + if c.HTTPClient != nil { + return c.HTTPClient + } + return http.DefaultClient +} + +func (c *Client) get(ctx context.Context, urlStr string) (*http.Response, error) { + req, err := http.NewRequest("GET", urlStr, nil) + if err != nil { + return nil, err + } + return c.do(ctx, req) +} + +func (c *Client) head(ctx context.Context, urlStr string) (*http.Response, error) { + req, err := http.NewRequest("HEAD", urlStr, nil) + if err != nil { + return nil, err + } + return c.do(ctx, req) +} + +func (c *Client) post(ctx context.Context, urlStr, contentType string, body io.Reader) (*http.Response, error) { + req, err := http.NewRequest("POST", urlStr, body) + if err != nil { + return nil, err + } + req.Header.Set("Content-Type", contentType) + return c.do(ctx, req) +} + +func (c *Client) do(ctx context.Context, req *http.Request) (*http.Response, error) { + res, err := c.httpClient().Do(req.WithContext(ctx)) + if err != nil { + select { + case <-ctx.Done(): + // Prefer the unadorned context error. + // (The acme package had tests assuming this, previously from ctxhttp's + // behavior, predating net/http supporting contexts natively) + // TODO(bradfitz): reconsider this in the future. But for now this + // requires no test updates. + return nil, ctx.Err() + default: + return nil, err + } + } + return res, nil +} + +func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) { + resp, err := c.head(ctx, url) if err != nil { return "", err } @@ -769,7 +817,7 @@ func nonceFromHeader(h http.Header) string { return h.Get("Replay-Nonce") } -func responseCert(ctx context.Context, client *http.Client, res *http.Response, bundle bool) ([][]byte, error) { +func (c *Client) responseCert(ctx context.Context, res *http.Response, bundle bool) ([][]byte, error) { b, err := ioutil.ReadAll(io.LimitReader(res.Body, maxCertSize+1)) if err != nil { return nil, fmt.Errorf("acme: response stream: %v", err) @@ -793,7 +841,7 @@ func responseCert(ctx context.Context, client *http.Client, res *http.Response, return nil, errors.New("acme: rel=up link is too large") } for _, url := range up { - cc, err := chainCert(ctx, client, url, 0) + cc, err := c.chainCert(ctx, url, 0) if err != nil { return nil, err } @@ -836,12 +884,12 @@ func responseError(resp *http.Response) error { // if the recursion level reaches maxChainLen. // // First chainCert call starts with depth of 0. -func chainCert(ctx context.Context, client *http.Client, url string, depth int) ([][]byte, error) { +func (c *Client) chainCert(ctx context.Context, url string, depth int) ([][]byte, error) { if depth >= maxChainLen { return nil, errors.New("acme: certificate chain is too deep") } - res, err := ctxhttp.Get(ctx, client, url) + res, err := c.get(ctx, url) if err != nil { return nil, err } @@ -863,7 +911,7 @@ func chainCert(ctx context.Context, client *http.Client, url string, depth int) return nil, errors.New("acme: certificate chain is too large") } for _, up := range uplink { - cc, err := chainCert(ctx, client, up, depth+1) + cc, err := c.chainCert(ctx, up, depth+1) if err != nil { return nil, err } @@ -974,7 +1022,8 @@ func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) { NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, - KeyUsage: x509.KeyUsageKeyEncipherment, + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, } } tmpl.DNSNames = san diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go index 4b15816..f50c88e 100644 --- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go +++ b/vendor/golang.org/x/crypto/acme/autocert/autocert.go @@ -10,6 +10,7 @@ package autocert import ( "bytes" + "context" "crypto" "crypto/ecdsa" "crypto/elliptic" @@ -30,7 +31,6 @@ import ( "time" "golang.org/x/crypto/acme" - "golang.org/x/net/context" ) // pseudoRand is safe for concurrent use. @@ -41,8 +41,9 @@ func init() { pseudoRand = &lockedMathRand{rnd: mathrand.New(src)} } -// AcceptTOS always returns true to indicate the acceptance of a CA Terms of Service -// during account registration. +// AcceptTOS is a Manager.Prompt function that always returns true to +// indicate acceptance of the CA's Terms of Service during account +// registration. func AcceptTOS(tosURL string) bool { return true } // HostPolicy specifies which host names the Manager is allowed to respond to. @@ -178,6 +179,9 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, return nil, errors.New("acme/autocert: missing server name") } + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + defer cancel() + // check whether this is a token cert requested for TLS-SNI challenge if strings.HasSuffix(name, ".acme.invalid") { m.tokenCertMu.RLock() @@ -185,7 +189,7 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, if cert := m.tokenCert[name]; cert != nil { return cert, nil } - if cert, err := m.cacheGet(name); err == nil { + if cert, err := m.cacheGet(ctx, name); err == nil { return cert, nil } // TODO: cache error results? @@ -194,7 +198,7 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, // regular domain name = strings.TrimSuffix(name, ".") // golang.org/issue/18114 - cert, err := m.cert(name) + cert, err := m.cert(ctx, name) if err == nil { return cert, nil } @@ -203,7 +207,6 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, } // first-time - ctx := context.Background() // TODO: use a deadline? if err := m.hostPolicy()(ctx, name); err != nil { return nil, err } @@ -211,14 +214,14 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, if err != nil { return nil, err } - m.cachePut(name, cert) + m.cachePut(ctx, name, cert) return cert, nil } // cert returns an existing certificate either from m.state or cache. // If a certificate is found in cache but not in m.state, the latter will be filled // with the cached value. -func (m *Manager) cert(name string) (*tls.Certificate, error) { +func (m *Manager) cert(ctx context.Context, name string) (*tls.Certificate, error) { m.stateMu.Lock() if s, ok := m.state[name]; ok { m.stateMu.Unlock() @@ -227,7 +230,7 @@ func (m *Manager) cert(name string) (*tls.Certificate, error) { return s.tlscert() } defer m.stateMu.Unlock() - cert, err := m.cacheGet(name) + cert, err := m.cacheGet(ctx, name) if err != nil { return nil, err } @@ -249,12 +252,10 @@ func (m *Manager) cert(name string) (*tls.Certificate, error) { } // cacheGet always returns a valid certificate, or an error otherwise. -func (m *Manager) cacheGet(domain string) (*tls.Certificate, error) { +func (m *Manager) cacheGet(ctx context.Context, domain string) (*tls.Certificate, error) { if m.Cache == nil { return nil, ErrCacheMiss } - // TODO: might want to define a cache timeout on m - ctx := context.Background() data, err := m.Cache.Get(ctx, domain) if err != nil { return nil, err @@ -297,7 +298,7 @@ func (m *Manager) cacheGet(domain string) (*tls.Certificate, error) { return tlscert, nil } -func (m *Manager) cachePut(domain string, tlscert *tls.Certificate) error { +func (m *Manager) cachePut(ctx context.Context, domain string, tlscert *tls.Certificate) error { if m.Cache == nil { return nil } @@ -329,8 +330,6 @@ func (m *Manager) cachePut(domain string, tlscert *tls.Certificate) error { } } - // TODO: might want to define a cache timeout on m - ctx := context.Background() return m.Cache.Put(ctx, domain, buf.Bytes()) } @@ -494,7 +493,7 @@ func (m *Manager) verify(ctx context.Context, domain string) error { if err != nil { return err } - m.putTokenCert(name, &cert) + m.putTokenCert(ctx, name, &cert) defer func() { // verification has ended at this point // don't need token cert anymore @@ -512,14 +511,14 @@ func (m *Manager) verify(ctx context.Context, domain string) error { // putTokenCert stores the cert under the named key in both m.tokenCert map // and m.Cache. -func (m *Manager) putTokenCert(name string, cert *tls.Certificate) { +func (m *Manager) putTokenCert(ctx context.Context, name string, cert *tls.Certificate) { m.tokenCertMu.Lock() defer m.tokenCertMu.Unlock() if m.tokenCert == nil { m.tokenCert = make(map[string]*tls.Certificate) } m.tokenCert[name] = cert - m.cachePut(name, cert) + m.cachePut(ctx, name, cert) } // deleteTokenCert removes the token certificate for the specified domain name diff --git a/vendor/golang.org/x/crypto/acme/autocert/cache.go b/vendor/golang.org/x/crypto/acme/autocert/cache.go index 9b184aa..9f3e9d1 100644 --- a/vendor/golang.org/x/crypto/acme/autocert/cache.go +++ b/vendor/golang.org/x/crypto/acme/autocert/cache.go @@ -5,12 +5,11 @@ package autocert import ( + "context" "errors" "io/ioutil" "os" "path/filepath" - - "golang.org/x/net/context" ) // ErrCacheMiss is returned when a certificate is not found in cache. diff --git a/vendor/golang.org/x/crypto/acme/autocert/listener.go b/vendor/golang.org/x/crypto/acme/autocert/listener.go new file mode 100644 index 0000000..d4c93d2 --- /dev/null +++ b/vendor/golang.org/x/crypto/acme/autocert/listener.go @@ -0,0 +1,153 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package autocert + +import ( + "crypto/tls" + "log" + "net" + "os" + "path/filepath" + "runtime" + "time" +) + +// NewListener returns a net.Listener that listens on the standard TLS +// port (443) on all interfaces and returns *tls.Conn connections with +// LetsEncrypt certificates for the provided domain or domains. +// +// It enables one-line HTTPS servers: +// +// log.Fatal(http.Serve(autocert.NewListener("example.com"), handler)) +// +// NewListener is a convenience function for a common configuration. +// More complex or custom configurations can use the autocert.Manager +// type instead. +// +// Use of this function implies acceptance of the LetsEncrypt Terms of +// Service. If domains is not empty, the provided domains are passed +// to HostWhitelist. If domains is empty, the listener will do +// LetsEncrypt challenges for any requested domain, which is not +// recommended. +// +// Certificates are cached in a "golang-autocert" directory under an +// operating system-specific cache or temp directory. This may not +// be suitable for servers spanning multiple machines. +// +// The returned Listener also enables TCP keep-alives on the accepted +// connections. The returned *tls.Conn are returned before their TLS +// handshake has completed. +func NewListener(domains ...string) net.Listener { + m := &Manager{ + Prompt: AcceptTOS, + } + if len(domains) > 0 { + m.HostPolicy = HostWhitelist(domains...) + } + dir := cacheDir() + if err := os.MkdirAll(dir, 0700); err != nil { + log.Printf("warning: autocert.NewListener not using a cache: %v", err) + } else { + m.Cache = DirCache(dir) + } + return m.Listener() +} + +// Listener listens on the standard TLS port (443) on all interfaces +// and returns a net.Listener returning *tls.Conn connections. +// +// The returned Listener also enables TCP keep-alives on the accepted +// connections. The returned *tls.Conn are returned before their TLS +// handshake has completed. +// +// Unlike NewListener, it is the caller's responsibility to initialize +// the Manager m's Prompt, Cache, HostPolicy, and other desired options. +func (m *Manager) Listener() net.Listener { + ln := &listener{ + m: m, + conf: &tls.Config{ + GetCertificate: m.GetCertificate, // bonus: panic on nil m + }, + } + ln.tcpListener, ln.tcpListenErr = net.Listen("tcp", ":443") + return ln +} + +type listener struct { + m *Manager + conf *tls.Config + + tcpListener net.Listener + tcpListenErr error +} + +func (ln *listener) Accept() (net.Conn, error) { + if ln.tcpListenErr != nil { + return nil, ln.tcpListenErr + } + conn, err := ln.tcpListener.Accept() + if err != nil { + return nil, err + } + tcpConn := conn.(*net.TCPConn) + + // Because Listener is a convenience function, help out with + // this too. This is not possible for the caller to set once + // we return a *tcp.Conn wrapping an inaccessible net.Conn. + // If callers don't want this, they can do things the manual + // way and tweak as needed. But this is what net/http does + // itself, so copy that. If net/http changes, we can change + // here too. + tcpConn.SetKeepAlive(true) + tcpConn.SetKeepAlivePeriod(3 * time.Minute) + + return tls.Server(tcpConn, ln.conf), nil +} + +func (ln *listener) Addr() net.Addr { + if ln.tcpListener != nil { + return ln.tcpListener.Addr() + } + // net.Listen failed. Return something non-nil in case callers + // call Addr before Accept: + return &net.TCPAddr{IP: net.IP{0, 0, 0, 0}, Port: 443} +} + +func (ln *listener) Close() error { + if ln.tcpListenErr != nil { + return ln.tcpListenErr + } + return ln.tcpListener.Close() +} + +func homeDir() string { + if runtime.GOOS == "windows" { + return os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH") + } + if h := os.Getenv("HOME"); h != "" { + return h + } + return "/" +} + +func cacheDir() string { + const base = "golang-autocert" + switch runtime.GOOS { + case "darwin": + return filepath.Join(homeDir(), "Library", "Caches", base) + case "windows": + for _, ev := range []string{"APPDATA", "CSIDL_APPDATA", "TEMP", "TMP"} { + if v := os.Getenv(ev); v != "" { + return filepath.Join(v, base) + } + } + // Worst case: + return filepath.Join(homeDir(), base) + } + if xdg := os.Getenv("XDG_CACHE_HOME"); xdg != "" { + return filepath.Join(xdg, base) + } + return filepath.Join(homeDir(), ".cache", base) +} diff --git a/vendor/golang.org/x/crypto/acme/autocert/renewal.go b/vendor/golang.org/x/crypto/acme/autocert/renewal.go index 1a5018c..14ac905 100644 --- a/vendor/golang.org/x/crypto/acme/autocert/renewal.go +++ b/vendor/golang.org/x/crypto/acme/autocert/renewal.go @@ -5,11 +5,10 @@ package autocert import ( + "context" "crypto" "sync" "time" - - "golang.org/x/net/context" ) // maxRandRenew is a maximum deviation from Manager.RenewBefore. @@ -83,7 +82,7 @@ func (dr *domainRenewal) renew() { func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) { // a race is likely unavoidable in a distributed environment // but we try nonetheless - if tlscert, err := dr.m.cacheGet(dr.domain); err == nil { + if tlscert, err := dr.m.cacheGet(ctx, dr.domain); err == nil { next := dr.next(tlscert.Leaf.NotAfter) if next > dr.m.renewBefore()+maxRandRenew { return next, nil @@ -103,7 +102,7 @@ func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) { if err != nil { return 0, err } - dr.m.cachePut(dr.domain, tlscert) + dr.m.cachePut(ctx, dr.domain, tlscert) dr.m.stateMu.Lock() defer dr.m.stateMu.Unlock() // m.state is guaranteed to be non-nil at this point |