summaryrefslogtreecommitdiffstats
path: root/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go')
-rw-r--r--vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go305
1 files changed, 0 insertions, 305 deletions
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go
deleted file mode 100644
index 30f2170ff..000000000
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go
+++ /dev/null
@@ -1,305 +0,0 @@
-package acme
-
-import (
- "crypto/sha256"
- "encoding/base64"
- "errors"
- "fmt"
- "log"
- "net"
- "strings"
- "time"
-
- "github.com/miekg/dns"
- "golang.org/x/net/publicsuffix"
-)
-
-type preCheckDNSFunc func(fqdn, value string) (bool, error)
-
-var (
- // PreCheckDNS checks DNS propagation before notifying ACME that
- // the DNS challenge is ready.
- PreCheckDNS preCheckDNSFunc = checkDNSPropagation
- fqdnToZone = map[string]string{}
-)
-
-const defaultResolvConf = "/etc/resolv.conf"
-
-var defaultNameservers = []string{
- "google-public-dns-a.google.com:53",
- "google-public-dns-b.google.com:53",
-}
-
-var RecursiveNameservers = getNameservers(defaultResolvConf, defaultNameservers)
-
-// DNSTimeout is used to override the default DNS timeout of 10 seconds.
-var DNSTimeout = 10 * time.Second
-
-// getNameservers attempts to get systems nameservers before falling back to the defaults
-func getNameservers(path string, defaults []string) []string {
- config, err := dns.ClientConfigFromFile(path)
- if err != nil || len(config.Servers) == 0 {
- return defaults
- }
-
- systemNameservers := []string{}
- for _, server := range config.Servers {
- // ensure all servers have a port number
- if _, _, err := net.SplitHostPort(server); err != nil {
- systemNameservers = append(systemNameservers, net.JoinHostPort(server, "53"))
- } else {
- systemNameservers = append(systemNameservers, server)
- }
- }
- return systemNameservers
-}
-
-// DNS01Record returns a DNS record which will fulfill the `dns-01` challenge
-func DNS01Record(domain, keyAuth string) (fqdn string, value string, ttl int) {
- keyAuthShaBytes := sha256.Sum256([]byte(keyAuth))
- // base64URL encoding without padding
- keyAuthSha := base64.URLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
- value = strings.TrimRight(keyAuthSha, "=")
- ttl = 120
- fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
- return
-}
-
-// dnsChallenge implements the dns-01 challenge according to ACME 7.5
-type dnsChallenge struct {
- jws *jws
- validate validateFunc
- provider ChallengeProvider
-}
-
-func (s *dnsChallenge) Solve(chlng challenge, domain string) error {
- logf("[INFO][%s] acme: Trying to solve DNS-01", domain)
-
- if s.provider == nil {
- return errors.New("No DNS Provider configured")
- }
-
- // Generate the Key Authorization for the challenge
- keyAuth, err := getKeyAuthorization(chlng.Token, s.jws.privKey)
- if err != nil {
- return err
- }
-
- err = s.provider.Present(domain, chlng.Token, keyAuth)
- if err != nil {
- return fmt.Errorf("Error presenting token: %s", err)
- }
- defer func() {
- err := s.provider.CleanUp(domain, chlng.Token, keyAuth)
- if err != nil {
- log.Printf("Error cleaning up %s: %v ", domain, err)
- }
- }()
-
- fqdn, value, _ := DNS01Record(domain, keyAuth)
-
- logf("[INFO][%s] Checking DNS record propagation using %+v", domain, RecursiveNameservers)
-
- var timeout, interval time.Duration
- switch provider := s.provider.(type) {
- case ChallengeProviderTimeout:
- timeout, interval = provider.Timeout()
- default:
- timeout, interval = 60*time.Second, 2*time.Second
- }
-
- err = WaitFor(timeout, interval, func() (bool, error) {
- return PreCheckDNS(fqdn, value)
- })
- if err != nil {
- return err
- }
-
- return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})
-}
-
-// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
-func checkDNSPropagation(fqdn, value string) (bool, error) {
- // Initial attempt to resolve at the recursive NS
- r, err := dnsQuery(fqdn, dns.TypeTXT, RecursiveNameservers, true)
- if err != nil {
- return false, err
- }
- if r.Rcode == dns.RcodeSuccess {
- // If we see a CNAME here then use the alias
- for _, rr := range r.Answer {
- if cn, ok := rr.(*dns.CNAME); ok {
- if cn.Hdr.Name == fqdn {
- fqdn = cn.Target
- break
- }
- }
- }
- }
-
- authoritativeNss, err := lookupNameservers(fqdn)
- if err != nil {
- return false, err
- }
-
- return checkAuthoritativeNss(fqdn, value, authoritativeNss)
-}
-
-// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
-func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
- for _, ns := range nameservers {
- r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, false)
- if err != nil {
- return false, err
- }
-
- if r.Rcode != dns.RcodeSuccess {
- return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
- }
-
- var found bool
- for _, rr := range r.Answer {
- if txt, ok := rr.(*dns.TXT); ok {
- if strings.Join(txt.Txt, "") == value {
- found = true
- break
- }
- }
- }
-
- if !found {
- return false, fmt.Errorf("NS %s did not return the expected TXT record", ns)
- }
- }
-
- return true, nil
-}
-
-// dnsQuery will query a nameserver, iterating through the supplied servers as it retries
-// The nameserver should include a port, to facilitate testing where we talk to a mock dns server.
-func dnsQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) (in *dns.Msg, err error) {
- m := new(dns.Msg)
- m.SetQuestion(fqdn, rtype)
- m.SetEdns0(4096, false)
-
- if !recursive {
- m.RecursionDesired = false
- }
-
- // Will retry the request based on the number of servers (n+1)
- for i := 1; i <= len(nameservers)+1; i++ {
- ns := nameservers[i%len(nameservers)]
- udp := &dns.Client{Net: "udp", Timeout: DNSTimeout}
- in, _, err = udp.Exchange(m, ns)
-
- if err == dns.ErrTruncated {
- tcp := &dns.Client{Net: "tcp", Timeout: DNSTimeout}
- // If the TCP request suceeds, the err will reset to nil
- in, _, err = tcp.Exchange(m, ns)
- }
-
- if err == nil {
- break
- }
- }
- return
-}
-
-// lookupNameservers returns the authoritative nameservers for the given fqdn.
-func lookupNameservers(fqdn string) ([]string, error) {
- var authoritativeNss []string
-
- zone, err := FindZoneByFqdn(fqdn, RecursiveNameservers)
- if err != nil {
- return nil, fmt.Errorf("Could not determine the zone: %v", err)
- }
-
- r, err := dnsQuery(zone, dns.TypeNS, RecursiveNameservers, true)
- if err != nil {
- return nil, err
- }
-
- for _, rr := range r.Answer {
- if ns, ok := rr.(*dns.NS); ok {
- authoritativeNss = append(authoritativeNss, strings.ToLower(ns.Ns))
- }
- }
-
- if len(authoritativeNss) > 0 {
- return authoritativeNss, nil
- }
- return nil, fmt.Errorf("Could not determine authoritative nameservers")
-}
-
-// FindZoneByFqdn determines the zone apex for the given fqdn by recursing up the
-// domain labels until the nameserver returns a SOA record in the answer section.
-func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
- // Do we have it cached?
- if zone, ok := fqdnToZone[fqdn]; ok {
- return zone, nil
- }
-
- labelIndexes := dns.Split(fqdn)
- for _, index := range labelIndexes {
- domain := fqdn[index:]
- // Give up if we have reached the TLD
- if isTLD(domain) {
- break
- }
-
- in, err := dnsQuery(domain, dns.TypeSOA, nameservers, true)
- if err != nil {
- return "", err
- }
-
- // Any response code other than NOERROR and NXDOMAIN is treated as error
- if in.Rcode != dns.RcodeNameError && in.Rcode != dns.RcodeSuccess {
- return "", fmt.Errorf("Unexpected response code '%s' for %s",
- dns.RcodeToString[in.Rcode], domain)
- }
-
- // Check if we got a SOA RR in the answer section
- if in.Rcode == dns.RcodeSuccess {
- for _, ans := range in.Answer {
- if soa, ok := ans.(*dns.SOA); ok {
- zone := soa.Hdr.Name
- fqdnToZone[fqdn] = zone
- return zone, nil
- }
- }
- }
- }
-
- return "", fmt.Errorf("Could not find the start of authority")
-}
-
-func isTLD(domain string) bool {
- publicsuffix, _ := publicsuffix.PublicSuffix(UnFqdn(domain))
- if publicsuffix == UnFqdn(domain) {
- return true
- }
- return false
-}
-
-// ClearFqdnCache clears the cache of fqdn to zone mappings. Primarily used in testing.
-func ClearFqdnCache() {
- fqdnToZone = map[string]string{}
-}
-
-// ToFqdn converts the name into a fqdn appending a trailing dot.
-func ToFqdn(name string) string {
- n := len(name)
- if n == 0 || name[n-1] == '.' {
- return name
- }
- return name + "."
-}
-
-// UnFqdn converts the fqdn into a name removing the trailing dot.
-func UnFqdn(name string) string {
- n := len(name)
- if n != 0 && name[n-1] == '.' {
- return name[:n-1]
- }
- return name
-}
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-05-20 15:26:01 +0000