aboutsummaryrefslogtreecommitdiffstats
path: root/src/dma/vendor/golang.org/x/crypto
diff options
context:
space:
mode:
Diffstat (limited to 'src/dma/vendor/golang.org/x/crypto')
-rw-r--r--src/dma/vendor/golang.org/x/crypto/acme/acme.go43
-rw-r--r--src/dma/vendor/golang.org/x/crypto/acme/autocert/autocert.go23
-rw-r--r--src/dma/vendor/golang.org/x/crypto/acme/jws.go29
3 files changed, 71 insertions, 24 deletions
diff --git a/src/dma/vendor/golang.org/x/crypto/acme/acme.go b/src/dma/vendor/golang.org/x/crypto/acme/acme.go
index 7df64764..00ee9555 100644
--- a/src/dma/vendor/golang.org/x/crypto/acme/acme.go
+++ b/src/dma/vendor/golang.org/x/crypto/acme/acme.go
@@ -77,6 +77,10 @@ const (
type Client struct {
// Key is the account key used to register with a CA and sign requests.
// Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey.
+ //
+ // The following algorithms are supported:
+ // RS256, ES256, ES384 and ES512.
+ // See RFC7518 for more details about the algorithms.
Key crypto.Signer
// HTTPClient optionally specifies an HTTP client to use
@@ -124,11 +128,7 @@ func (c *Client) Discover(ctx context.Context) (Directory, error) {
return *c.dir, nil
}
- dirURL := c.DirectoryURL
- if dirURL == "" {
- dirURL = LetsEncryptURL
- }
- res, err := c.get(ctx, dirURL, wantStatus(http.StatusOK))
+ res, err := c.get(ctx, c.directoryURL(), wantStatus(http.StatusOK))
if err != nil {
return Directory{}, err
}
@@ -161,6 +161,13 @@ func (c *Client) Discover(ctx context.Context) (Directory, error) {
return *c.dir, nil
}
+func (c *Client) directoryURL() string {
+ if c.DirectoryURL != "" {
+ return c.DirectoryURL
+ }
+ return LetsEncryptURL
+}
+
// CreateCert requests a new certificate using the Certificate Signing Request csr encoded in DER format.
// The exp argument indicates the desired certificate validity duration. CA may issue a certificate
// with a different duration.
@@ -319,6 +326,20 @@ func (c *Client) UpdateReg(ctx context.Context, a *Account) (*Account, error) {
// a valid authorization (Authorization.Status is StatusValid). If so, the caller
// need not fulfill any challenge and can proceed to requesting a certificate.
func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) {
+ return c.authorize(ctx, "dns", domain)
+}
+
+// AuthorizeIP is the same as Authorize but requests IP address authorization.
+// Clients which successfully obtain such authorization may request to issue
+// a certificate for IP addresses.
+//
+// See the ACME spec extension for more details about IP address identifiers:
+// https://tools.ietf.org/html/draft-ietf-acme-ip.
+func (c *Client) AuthorizeIP(ctx context.Context, ipaddr string) (*Authorization, error) {
+ return c.authorize(ctx, "ip", ipaddr)
+}
+
+func (c *Client) authorize(ctx context.Context, typ, val string) (*Authorization, error) {
if _, err := c.Discover(ctx); err != nil {
return nil, err
}
@@ -332,7 +353,7 @@ func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization,
Identifier authzID `json:"identifier"`
}{
Resource: "new-authz",
- Identifier: authzID{Type: "dns", Value: domain},
+ Identifier: authzID{Type: typ, Value: val},
}
res, err := c.post(ctx, c.Key, c.dir.AuthzURL, req, wantStatus(http.StatusCreated))
if err != nil {
@@ -693,12 +714,18 @@ func (c *Client) doReg(ctx context.Context, url string, typ string, acct *Accoun
}
// popNonce returns a nonce value previously stored with c.addNonce
-// or fetches a fresh one from the given URL.
+// or fetches a fresh one from a URL by issuing a HEAD request.
+// It first tries c.directoryURL() and then the provided url if the former fails.
func (c *Client) popNonce(ctx context.Context, url string) (string, error) {
c.noncesMu.Lock()
defer c.noncesMu.Unlock()
if len(c.nonces) == 0 {
- return c.fetchNonce(ctx, url)
+ dirURL := c.directoryURL()
+ v, err := c.fetchNonce(ctx, dirURL)
+ if err != nil && url != dirURL {
+ v, err = c.fetchNonce(ctx, url)
+ }
+ return v, err
}
var nonce string
for nonce = range c.nonces {
diff --git a/src/dma/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/src/dma/vendor/golang.org/x/crypto/acme/autocert/autocert.go
index 4c2fc072..e562609c 100644
--- a/src/dma/vendor/golang.org/x/crypto/acme/autocert/autocert.go
+++ b/src/dma/vendor/golang.org/x/crypto/acme/autocert/autocert.go
@@ -32,6 +32,7 @@ import (
"time"
"golang.org/x/crypto/acme"
+ "golang.org/x/net/idna"
)
// createCertRetryAfter is how much time to wait before removing a failed state
@@ -62,14 +63,20 @@ type HostPolicy func(ctx context.Context, host string) error
// HostWhitelist returns a policy where only the specified host names are allowed.
// Only exact matches are currently supported. Subdomains, regexp or wildcard
// will not match.
+//
+// Note that all hosts will be converted to Punycode via idna.Lookup.ToASCII so that
+// Manager.GetCertificate can handle the Unicode IDN and mixedcase hosts correctly.
+// Invalid hosts will be silently ignored.
func HostWhitelist(hosts ...string) HostPolicy {
whitelist := make(map[string]bool, len(hosts))
for _, h := range hosts {
- whitelist[h] = true
+ if h, err := idna.Lookup.ToASCII(h); err == nil {
+ whitelist[h] = true
+ }
}
return func(_ context.Context, host string) error {
if !whitelist[host] {
- return errors.New("acme/autocert: host not configured")
+ return fmt.Errorf("acme/autocert: host %q not configured in HostWhitelist", host)
}
return nil
}
@@ -243,7 +250,17 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
if !strings.Contains(strings.Trim(name, "."), ".") {
return nil, errors.New("acme/autocert: server name component count invalid")
}
- if strings.ContainsAny(name, `+/\`) {
+
+ // Note that this conversion is necessary because some server names in the handshakes
+ // started by some clients (such as cURL) are not converted to Punycode, which will
+ // prevent us from obtaining certificates for them. In addition, we should also treat
+ // example.com and EXAMPLE.COM as equivalent and return the same certificate for them.
+ // Fortunately, this conversion also helped us deal with this kind of mixedcase problems.
+ //
+ // Due to the "σςΣ" problem (see https://unicode.org/faq/idn.html#22), we can't use
+ // idna.Punycode.ToASCII (or just idna.ToASCII) here.
+ name, err := idna.Lookup.ToASCII(name)
+ if err != nil {
return nil, errors.New("acme/autocert: server name contains invalid character")
}
diff --git a/src/dma/vendor/golang.org/x/crypto/acme/jws.go b/src/dma/vendor/golang.org/x/crypto/acme/jws.go
index 6cbca25d..1093b503 100644
--- a/src/dma/vendor/golang.org/x/crypto/acme/jws.go
+++ b/src/dma/vendor/golang.org/x/crypto/acme/jws.go
@@ -25,7 +25,7 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, nonce string) ([]byt
if err != nil {
return nil, err
}
- alg, sha := jwsHasher(key)
+ alg, sha := jwsHasher(key.Public())
if alg == "" || !sha.Available() {
return nil, ErrUnsupportedKey
}
@@ -97,13 +97,16 @@ func jwkEncode(pub crypto.PublicKey) (string, error) {
}
// jwsSign signs the digest using the given key.
-// It returns ErrUnsupportedKey if the key type is unknown.
-// The hash is used only for RSA keys.
+// The hash is unused for ECDSA keys.
+//
+// Note: non-stdlib crypto.Signer implementations are expected to return
+// the signature in the format as specified in RFC7518.
+// See https://tools.ietf.org/html/rfc7518 for more details.
func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error) {
- switch key := key.(type) {
- case *rsa.PrivateKey:
- return key.Sign(rand.Reader, digest, hash)
- case *ecdsa.PrivateKey:
+ if key, ok := key.(*ecdsa.PrivateKey); ok {
+ // The key.Sign method of ecdsa returns ASN1-encoded signature.
+ // So, we use the package Sign function instead
+ // to get R and S values directly and format the result accordingly.
r, s, err := ecdsa.Sign(rand.Reader, key, digest)
if err != nil {
return nil, err
@@ -118,18 +121,18 @@ func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error)
copy(sig[size*2-len(sb):], sb)
return sig, nil
}
- return nil, ErrUnsupportedKey
+ return key.Sign(rand.Reader, digest, hash)
}
// jwsHasher indicates suitable JWS algorithm name and a hash function
// to use for signing a digest with the provided key.
// It returns ("", 0) if the key is not supported.
-func jwsHasher(key crypto.Signer) (string, crypto.Hash) {
- switch key := key.(type) {
- case *rsa.PrivateKey:
+func jwsHasher(pub crypto.PublicKey) (string, crypto.Hash) {
+ switch pub := pub.(type) {
+ case *rsa.PublicKey:
return "RS256", crypto.SHA256
- case *ecdsa.PrivateKey:
- switch key.Params().Name {
+ case *ecdsa.PublicKey:
+ switch pub.Params().Name {
case "P-256":
return "ES256", crypto.SHA256
case "P-384":