Update Lego

vendor/github.com/xenolf/lego/challenge/tlsalpn01/tls_alpn_challenge.go

@@ -0,0 +1,129 @@
+package tlsalpn01
+
+import (
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"fmt"
+
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/acme/api"
+	"github.com/xenolf/lego/certcrypto"
+	"github.com/xenolf/lego/challenge"
+	"github.com/xenolf/lego/log"
+)
+
+// idPeAcmeIdentifierV1 is the SMI Security for PKIX Certification Extension OID referencing the ACME extension.
+// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
+var idPeAcmeIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+type Challenge struct {
+	core     *api.Core
+	validate ValidateFunc
+	provider challenge.Provider
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider) *Challenge {
+	return &Challenge{
+		core:     core,
+		validate: validate,
+		provider: provider,
+	}
+}
+
+func (c *Challenge) SetProvider(provider challenge.Provider) {
+	c.provider = provider
+}
+
+// Solve manages the provider to validate and solve the challenge.
+func (c *Challenge) Solve(authz acme.Authorization) error {
+	domain := authz.Identifier.Value
+	log.Infof("[%s] acme: Trying to solve TLS-ALPN-01", challenge.GetTargetedDomain(authz))
+
+	chlng, err := challenge.FindChallenge(challenge.TLSALPN01, authz)
+	if err != nil {
+		return err
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	err = c.provider.Present(domain, chlng.Token, keyAuth)
+	if err != nil {
+		return fmt.Errorf("[%s] acme: error presenting token: %v", challenge.GetTargetedDomain(authz), err)
+	}
+	defer func() {
+		err := c.provider.CleanUp(domain, chlng.Token, keyAuth)
+		if err != nil {
+			log.Warnf("[%s] acme: error cleaning up: %v", challenge.GetTargetedDomain(authz), err)
+		}
+	}()
+
+	chlng.KeyAuthorization = keyAuth
+	return c.validate(c.core, domain, chlng)
+}
+
+// ChallengeBlocks returns PEM blocks (certPEMBlock, keyPEMBlock) with the acmeValidation-v1 extension
+// and domain name for the `tls-alpn-01` challenge.
+func ChallengeBlocks(domain, keyAuth string) ([]byte, []byte, error) {
+	// Compute the SHA-256 digest of the key authorization.
+	zBytes := sha256.Sum256([]byte(keyAuth))
+
+	value, err := asn1.Marshal(zBytes[:sha256.Size])
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Add the keyAuth digest as the acmeValidation-v1 extension
+	// (marked as critical such that it won't be used by non-ACME software).
+	// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3
+	extensions := []pkix.Extension{
+		{
+			Id:       idPeAcmeIdentifierV1,
+			Critical: true,
+			Value:    value,
+		},
+	}
+
+	// Generate a new RSA key for the certificates.
+	tempPrivateKey, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	rsaPrivateKey := tempPrivateKey.(*rsa.PrivateKey)
+
+	// Generate the PEM certificate using the provided private key, domain, and extra extensions.
+	tempCertPEM, err := certcrypto.GeneratePemCert(rsaPrivateKey, domain, extensions)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Encode the private key into a PEM format. We'll need to use it to generate the x509 keypair.
+	rsaPrivatePEM := certcrypto.PEMEncode(rsaPrivateKey)
+
+	return tempCertPEM, rsaPrivatePEM, nil
+}
+
+// ChallengeCert returns a certificate with the acmeValidation-v1 extension
+// and domain name for the `tls-alpn-01` challenge.
+func ChallengeCert(domain, keyAuth string) (*tls.Certificate, error) {
+	tempCertPEM, rsaPrivatePEM, err := ChallengeBlocks(domain, keyAuth)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := tls.X509KeyPair(tempCertPEM, rsaPrivatePEM)
+	if err != nil {
+		return nil, err
+	}
+
+	return &cert, nil
+}

vendor/github.com/xenolf/lego/challenge/tlsalpn01/tls_alpn_challenge_server.go

@@ -0,0 +1,95 @@
+package tlsalpn01
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/xenolf/lego/log"
+)
+
+const (
+	// ACMETLS1Protocol is the ALPN Protocol ID for the ACME-TLS/1 Protocol.
+	ACMETLS1Protocol = "acme-tls/1"
+
+	// defaultTLSPort is the port that the ProviderServer will default to
+	// when no other port is provided.
+	defaultTLSPort = "443"
+)
+
+// ProviderServer implements ChallengeProvider for `TLS-ALPN-01` challenge.
+// It may be instantiated without using the NewProviderServer
+// if you want only to use the default values.
+type ProviderServer struct {
+	iface    string
+	port     string
+	listener net.Listener
+}
+
+// NewProviderServer creates a new ProviderServer on the selected interface and port.
+// Setting iface and / or port to an empty string will make the server fall back to
+// the "any" interface and port 443 respectively.
+func NewProviderServer(iface, port string) *ProviderServer {
+	return &ProviderServer{iface: iface, port: port}
+}
+
+func (s *ProviderServer) GetAddress() string {
+	return net.JoinHostPort(s.iface, s.port)
+}
+
+// Present generates a certificate with a SHA-256 digest of the keyAuth provided
+// as the acmeValidation-v1 extension value to conform to the ACME-TLS-ALPN spec.
+func (s *ProviderServer) Present(domain, token, keyAuth string) error {
+	if s.port == "" {
+		// Fallback to port 443 if the port was not provided.
+		s.port = defaultTLSPort
+	}
+
+	// Generate the challenge certificate using the provided keyAuth and domain.
+	cert, err := ChallengeCert(domain, keyAuth)
+	if err != nil {
+		return err
+	}
+
+	// Place the generated certificate with the extension into the TLS config
+	// so that it can serve the correct details.
+	tlsConf := new(tls.Config)
+	tlsConf.Certificates = []tls.Certificate{*cert}
+
+	// We must set that the `acme-tls/1` application level protocol is supported
+	// so that the protocol negotiation can succeed. Reference:
+	// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01#section-5.2
+	tlsConf.NextProtos = []string{ACMETLS1Protocol}
+
+	// Create the listener with the created tls.Config.
+	s.listener, err = tls.Listen("tcp", s.GetAddress(), tlsConf)
+	if err != nil {
+		return fmt.Errorf("could not start HTTPS server for challenge -> %v", err)
+	}
+
+	// Shut the server down when we're finished.
+	go func() {
+		err := http.Serve(s.listener, nil)
+		if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+			log.Println(err)
+		}
+	}()
+
+	return nil
+}
+
+// CleanUp closes the HTTPS server.
+func (s *ProviderServer) CleanUp(domain, token, keyAuth string) error {
+	if s.listener == nil {
+		return nil
+	}
+
+	// Server was created, close it.
+	if err := s.listener.Close(); err != nil && err != http.ErrServerClosed {
+		return err
+	}
+
+	return nil
+}