Migrate to go-acme/lego.

2019-03-14 11:04:04 +01:00 · 2019-03-14 11:04:04 +01:00 · 87da7520de
commit 87da7520de
parent 4a68d29ce2
286 changed files with 14021 additions and 2501 deletions
--- a/vendor/github.com/go-acme/lego/acme/api/internal/nonces/nonce_manager.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/nonces/nonce_manager.go
@ -0,0 +1,78 @@
+package nonces
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"sync"
+
+	"github.com/go-acme/lego/acme/api/internal/sender"
+)
+
+// Manager Manages nonces.
+type Manager struct {
+	do       *sender.Doer
+	nonceURL string
+	nonces   []string
+	sync.Mutex
+}
+
+// NewManager Creates a new Manager.
+func NewManager(do *sender.Doer, nonceURL string) *Manager {
+	return &Manager{
+		do:       do,
+		nonceURL: nonceURL,
+	}
+}
+
+// Pop Pops a nonce.
+func (n *Manager) Pop() (string, bool) {
+	n.Lock()
+	defer n.Unlock()
+
+	if len(n.nonces) == 0 {
+		return "", false
+	}
+
+	nonce := n.nonces[len(n.nonces)-1]
+	n.nonces = n.nonces[:len(n.nonces)-1]
+	return nonce, true
+}
+
+// Push Pushes a nonce.
+func (n *Manager) Push(nonce string) {
+	n.Lock()
+	defer n.Unlock()
+	n.nonces = append(n.nonces, nonce)
+}
+
+// Nonce implement jose.NonceSource
+func (n *Manager) Nonce() (string, error) {
+	if nonce, ok := n.Pop(); ok {
+		return nonce, nil
+	}
+	return n.getNonce()
+}
+
+func (n *Manager) getNonce() (string, error) {
+	resp, err := n.do.Head(n.nonceURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to get nonce from HTTP HEAD -> %v", err)
+	}
+
+	return GetFromResponse(resp)
+}
+
+// GetFromResponse Extracts a nonce from a HTTP response.
+func GetFromResponse(resp *http.Response) (string, error) {
+	if resp == nil {
+		return "", errors.New("nil response")
+	}
+
+	nonce := resp.Header.Get("Replay-Nonce")
+	if nonce == "" {
+		return "", fmt.Errorf("server did not respond with a proper nonce header")
+	}
+
+	return nonce, nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/internal/secure/jws.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/secure/jws.go
@ -0,0 +1,134 @@
+package secure
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	"github.com/go-acme/lego/acme/api/internal/nonces"
+	jose "gopkg.in/square/go-jose.v2"
+)
+
+// JWS Represents a JWS.
+type JWS struct {
+	privKey crypto.PrivateKey
+	kid     string // Key identifier
+	nonces  *nonces.Manager
+}
+
+// NewJWS Create a new JWS.
+func NewJWS(privateKey crypto.PrivateKey, kid string, nonceManager *nonces.Manager) *JWS {
+	return &JWS{
+		privKey: privateKey,
+		nonces:  nonceManager,
+		kid:     kid,
+	}
+}
+
+// SetKid Sets a key identifier.
+func (j *JWS) SetKid(kid string) {
+	j.kid = kid
+}
+
+// SignContent Signs a content with the JWS.
+func (j *JWS) SignContent(url string, content []byte) (*jose.JSONWebSignature, error) {
+	var alg jose.SignatureAlgorithm
+	switch k := j.privKey.(type) {
+	case *rsa.PrivateKey:
+		alg = jose.RS256
+	case *ecdsa.PrivateKey:
+		if k.Curve == elliptic.P256() {
+			alg = jose.ES256
+		} else if k.Curve == elliptic.P384() {
+			alg = jose.ES384
+		}
+	}
+
+	signKey := jose.SigningKey{
+		Algorithm: alg,
+		Key:       jose.JSONWebKey{Key: j.privKey, KeyID: j.kid},
+	}
+
+	options := jose.SignerOptions{
+		NonceSource: j.nonces,
+		ExtraHeaders: map[jose.HeaderKey]interface{}{
+			"url": url,
+		},
+	}
+
+	if j.kid == "" {
+		options.EmbedJWK = true
+	}
+
+	signer, err := jose.NewSigner(signKey, &options)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create jose signer -> %v", err)
+	}
+
+	signed, err := signer.Sign(content)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign content -> %v", err)
+	}
+	return signed, nil
+}
+
+// SignEABContent Signs an external account binding content with the JWS.
+func (j *JWS) SignEABContent(url, kid string, hmac []byte) (*jose.JSONWebSignature, error) {
+	jwk := jose.JSONWebKey{Key: j.privKey}
+	jwkJSON, err := jwk.Public().MarshalJSON()
+	if err != nil {
+		return nil, fmt.Errorf("acme: error encoding eab jwk key: %v", err)
+	}
+
+	signer, err := jose.NewSigner(
+		jose.SigningKey{Algorithm: jose.HS256, Key: hmac},
+		&jose.SignerOptions{
+			EmbedJWK: false,
+			ExtraHeaders: map[jose.HeaderKey]interface{}{
+				"kid": kid,
+				"url": url,
+			},
+		},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create External Account Binding jose signer -> %v", err)
+	}
+
+	signed, err := signer.Sign(jwkJSON)
+	if err != nil {
+		return nil, fmt.Errorf("failed to External Account Binding sign content -> %v", err)
+	}
+
+	return signed, nil
+}
+
+// GetKeyAuthorization Gets the key authorization for a token.
+func (j *JWS) GetKeyAuthorization(token string) (string, error) {
+	var publicKey crypto.PublicKey
+	switch k := j.privKey.(type) {
+	case *ecdsa.PrivateKey:
+		publicKey = k.Public()
+	case *rsa.PrivateKey:
+		publicKey = k.Public()
+	}
+
+	// Generate the Key Authorization for the challenge
+	jwk := &jose.JSONWebKey{Key: publicKey}
+	if jwk == nil {
+		return "", errors.New("could not generate JWK from key")
+	}
+
+	thumbBytes, err := jwk.Thumbprint(crypto.SHA256)
+	if err != nil {
+		return "", err
+	}
+
+	// unpad the base64URL
+	keyThumb := base64.RawURLEncoding.EncodeToString(thumbBytes)
+
+	return token + "." + keyThumb, nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/internal/sender/sender.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/sender/sender.go
@ -0,0 +1,146 @@
+package sender
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"runtime"
+	"strings"
+
+	"github.com/go-acme/lego/acme"
+)
+
+type RequestOption func(*http.Request) error
+
+func contentType(ct string) RequestOption {
+	return func(req *http.Request) error {
+		req.Header.Set("Content-Type", ct)
+		return nil
+	}
+}
+
+type Doer struct {
+	httpClient *http.Client
+	userAgent  string
+}
+
+// NewDoer Creates a new Doer.
+func NewDoer(client *http.Client, userAgent string) *Doer {
+	return &Doer{
+		httpClient: client,
+		userAgent:  userAgent,
+	}
+}
+
+// Get performs a GET request with a proper User-Agent string.
+// If "response" is not provided, callers should close resp.Body when done reading from it.
+func (d *Doer) Get(url string, response interface{}) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, response)
+}
+
+// Head performs a HEAD request with a proper User-Agent string.
+// The response body (resp.Body) is already closed when this function returns.
+func (d *Doer) Head(url string) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodHead, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, nil)
+}
+
+// Post performs a POST request with a proper User-Agent string.
+// If "response" is not provided, callers should close resp.Body when done reading from it.
+func (d *Doer) Post(url string, body io.Reader, bodyType string, response interface{}) (*http.Response, error) {
+	req, err := d.newRequest(http.MethodPost, url, body, contentType(bodyType))
+	if err != nil {
+		return nil, err
+	}
+
+	return d.do(req, response)
+}
+
+func (d *Doer) newRequest(method, uri string, body io.Reader, opts ...RequestOption) (*http.Request, error) {
+	req, err := http.NewRequest(method, uri, body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %v", err)
+	}
+
+	req.Header.Set("User-Agent", d.formatUserAgent())
+
+	for _, opt := range opts {
+		err = opt(req)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create request: %v", err)
+		}
+	}
+
+	return req, nil
+}
+
+func (d *Doer) do(req *http.Request, response interface{}) (*http.Response, error) {
+	resp, err := d.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = checkError(req, resp); err != nil {
+		return resp, err
+	}
+
+	if response != nil {
+		raw, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return resp, err
+		}
+
+		defer resp.Body.Close()
+
+		err = json.Unmarshal(raw, response)
+		if err != nil {
+			return resp, fmt.Errorf("failed to unmarshal %q to type %T: %v", raw, response, err)
+		}
+	}
+
+	return resp, nil
+}
+
+// formatUserAgent builds and returns the User-Agent string to use in requests.
+func (d *Doer) formatUserAgent() string {
+	ua := fmt.Sprintf("%s %s (%s; %s; %s)", d.userAgent, ourUserAgent, ourUserAgentComment, runtime.GOOS, runtime.GOARCH)
+	return strings.TrimSpace(ua)
+}
+
+func checkError(req *http.Request, resp *http.Response) error {
+	if resp.StatusCode >= http.StatusBadRequest {
+
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return fmt.Errorf("%d :: %s :: %s :: %v", resp.StatusCode, req.Method, req.URL, err)
+		}
+
+		var errorDetails *acme.ProblemDetails
+		err = json.Unmarshal(body, &errorDetails)
+		if err != nil {
+			return fmt.Errorf("%d ::%s :: %s :: %v :: %s", resp.StatusCode, req.Method, req.URL, err, string(body))
+		}
+
+		errorDetails.Method = req.Method
+		errorDetails.URL = req.URL.String()
+
+		// Check for errors we handle specifically
+		if errorDetails.HTTPStatus == http.StatusBadRequest && errorDetails.Type == acme.BadNonceErr {
+			return &acme.NonceError{ProblemDetails: errorDetails}
+		}
+
+		return errorDetails
+	}
+	return nil
+}
--- a/vendor/github.com/go-acme/lego/acme/api/internal/sender/useragent.go
+++ b/vendor/github.com/go-acme/lego/acme/api/internal/sender/useragent.go
@ -0,0 +1,14 @@
+package sender
+
+// CODE GENERATED AUTOMATICALLY
+// THIS FILE MUST NOT BE EDITED BY HAND
+
+const (
+	// ourUserAgent is the User-Agent of this underlying library package.
+	ourUserAgent = "xenolf-acme/2.3.0"
+
+	// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
+	// values: detach|release
+	// NOTE: Update this with each tagged release.
+	ourUserAgentComment = "detach"
+)