Loading Gopkg.lock +2 −2 Original line number Diff line number Diff line Loading @@ -519,14 +519,14 @@ version = "v1.9.0" [[projects]] digest = "1:cae234a803b78380e4d769db6036b9fcc8c08ed4ff862571ffc1a958edc1f629" digest = "1:887074c37fcefc2f49b5ae9c6f9f36107341aec23185613d0e9f1ee81db7f94a" name = "golang.org/x/crypto" packages = [ "bcrypt", "blowfish", ] pruneopts = "" revision = "c126467f60eb25f8f27e5a981f32a87e3965053f" revision = "505ab145d0a99da450461ae2c1a9f6cd10d1f447" [[projects]] branch = "master" Loading Gopkg.toml +1 −1 Original line number Diff line number Diff line Loading @@ -48,7 +48,7 @@ [[constraint]] name = "golang.org/x/crypto" revision = "c126467f60eb25f8f27e5a981f32a87e3965053f" revision = "505ab145d0a99da450461ae2c1a9f6cd10d1f447" [[constraint]] name = "github.com/gobuffalo/packr" Loading vendor/golang.org/x/crypto/acme/acme.go +7 −2 Original line number Diff line number Diff line Loading @@ -46,8 +46,9 @@ const ( // ALPNProto is the ALPN protocol name used by a CA server when validating // tls-alpn-01 challenges. // // Package users must ensure their servers can negotiate the ACME ALPN // in order for tls-alpn-01 challenge verifications to succeed. // Package users must ensure their servers can negotiate the ACME ALPN in // order for tls-alpn-01 challenge verifications to succeed. // See the crypto/tls package's Config.NextProtos field. ALPNProto = "acme-tls/1" ) Loading Loading @@ -76,6 +77,10 @@ const ( type Client struct { // Key is the account key used to register with a CA and sign requests. // Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey. // // The following algorithms are supported: // RS256, ES256, ES384 and ES512. // See RFC7518 for more details about the algorithms. Key crypto.Signer // HTTPClient optionally specifies an HTTP client to use Loading vendor/golang.org/x/crypto/acme/autocert/autocert.go +23 −11 Original line number Diff line number Diff line Loading @@ -44,7 +44,7 @@ var createCertRetryAfter = time.Minute var pseudoRand *lockedMathRand func init() { src := mathrand.NewSource(timeNow().UnixNano()) src := mathrand.NewSource(time.Now().UnixNano()) pseudoRand = &lockedMathRand{rnd: mathrand.New(src)} } Loading @@ -69,7 +69,7 @@ func HostWhitelist(hosts ...string) HostPolicy { } return func(_ context.Context, host string) error { if !whitelist[host] { return errors.New("acme/autocert: host not configured") return fmt.Errorf("acme/autocert: host %q not configured in HostWhitelist", host) } return nil } Loading Loading @@ -183,6 +183,9 @@ type Manager struct { // for tls-alpn. // The entries are stored for the duration of the authorization flow. certTokens map[string]*tls.Certificate // nowFunc, if not nil, returns the current time. This may be set for // testing purposes. nowFunc func() time.Time } // certKey is the key by which certificates are tracked in state, renewal and cache. Loading Loading @@ -223,6 +226,11 @@ func (m *Manager) TLSConfig() *tls.Config { // a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation. // The error is propagated back to the caller of GetCertificate and is user-visible. // This does not affect cached certs. See HostPolicy field description for more details. // // If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will // also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler // for http-01. (The tls-sni-* challenges have been deprecated by popular ACME providers // due to security issues in the ecosystem.) func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) { if m.Prompt == nil { return nil, errors.New("acme/autocert: Manager.Prompt not set") Loading Loading @@ -356,8 +364,8 @@ func supportsECDSA(hello *tls.ClientHelloInfo) bool { // Because the fallback handler is run with unencrypted port 80 requests, // the fallback should not serve TLS-only requests. // // If HTTPHandler is never called, the Manager will only use TLS SNI // challenges for domain verification. // If HTTPHandler is never called, the Manager will only use the "tls-alpn-01" // challenge for domain verification. func (m *Manager) HTTPHandler(fallback http.Handler) http.Handler { m.tokensMu.Lock() defer m.tokensMu.Unlock() Loading Loading @@ -475,7 +483,7 @@ func (m *Manager) cacheGet(ctx context.Context, ck certKey) (*tls.Certificate, e } // verify and create TLS cert leaf, err := validCert(ck, pubDER, privKey) leaf, err := validCert(ck, pubDER, privKey, m.now()) if err != nil { return nil, ErrCacheMiss } Loading Loading @@ -570,7 +578,7 @@ func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate, if !ok { return } if _, err := validCert(ck, s.cert, s.key); err == nil { if _, err := validCert(ck, s.cert, s.key, m.now()); err == nil { return } delete(m.state, ck) Loading Loading @@ -639,7 +647,7 @@ func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, ck cert if err != nil { return nil, nil, err } leaf, err = validCert(ck, der, key) leaf, err = validCert(ck, der, key, m.now()) if err != nil { return nil, nil, err } Loading Loading @@ -983,6 +991,13 @@ func (m *Manager) renewBefore() time.Duration { return 720 * time.Hour // 30 days } func (m *Manager) now() time.Time { if m.nowFunc != nil { return m.nowFunc() } return time.Now() } // certState is ready when its mutex is unlocked for reading. type certState struct { sync.RWMutex Loading Loading @@ -1049,7 +1064,7 @@ func parsePrivateKey(der []byte) (crypto.Signer, error) { // are valid. It doesn't do any revocation checking. // // The returned value is the verified leaf cert. func validCert(ck certKey, der [][]byte, key crypto.Signer) (leaf *x509.Certificate, err error) { func validCert(ck certKey, der [][]byte, key crypto.Signer, now time.Time) (leaf *x509.Certificate, err error) { // parse public part(s) var n int for _, b := range der { Loading @@ -1066,7 +1081,6 @@ func validCert(ck certKey, der [][]byte, key crypto.Signer) (leaf *x509.Certific } // verify the leaf is not expired and matches the domain name leaf = x509Cert[0] now := timeNow() if now.Before(leaf.NotBefore) { return nil, errors.New("acme/autocert: certificate is not valid yet") } Loading Loading @@ -1120,8 +1134,6 @@ func (r *lockedMathRand) int63n(max int64) int64 { // For easier testing. var ( timeNow = time.Now // Called when a state is removed. testDidRemoveState = func(certKey) {} ) vendor/golang.org/x/crypto/acme/autocert/autocert_test.go +1 −1 Original line number Diff line number Diff line Loading @@ -986,7 +986,7 @@ func TestValidCert(t *testing.T) { {certKey{domain: "example.org"}, key3, [][]byte{cert3}, false}, } for i, test := range tt { leaf, err := validCert(test.ck, test.cert, test.key) leaf, err := validCert(test.ck, test.cert, test.key, now) if err != nil && test.ok { t.Errorf("%d: err = %v", i, err) } Loading Loading
Gopkg.lock +2 −2 Original line number Diff line number Diff line Loading @@ -519,14 +519,14 @@ version = "v1.9.0" [[projects]] digest = "1:cae234a803b78380e4d769db6036b9fcc8c08ed4ff862571ffc1a958edc1f629" digest = "1:887074c37fcefc2f49b5ae9c6f9f36107341aec23185613d0e9f1ee81db7f94a" name = "golang.org/x/crypto" packages = [ "bcrypt", "blowfish", ] pruneopts = "" revision = "c126467f60eb25f8f27e5a981f32a87e3965053f" revision = "505ab145d0a99da450461ae2c1a9f6cd10d1f447" [[projects]] branch = "master" Loading
Gopkg.toml +1 −1 Original line number Diff line number Diff line Loading @@ -48,7 +48,7 @@ [[constraint]] name = "golang.org/x/crypto" revision = "c126467f60eb25f8f27e5a981f32a87e3965053f" revision = "505ab145d0a99da450461ae2c1a9f6cd10d1f447" [[constraint]] name = "github.com/gobuffalo/packr" Loading
vendor/golang.org/x/crypto/acme/acme.go +7 −2 Original line number Diff line number Diff line Loading @@ -46,8 +46,9 @@ const ( // ALPNProto is the ALPN protocol name used by a CA server when validating // tls-alpn-01 challenges. // // Package users must ensure their servers can negotiate the ACME ALPN // in order for tls-alpn-01 challenge verifications to succeed. // Package users must ensure their servers can negotiate the ACME ALPN in // order for tls-alpn-01 challenge verifications to succeed. // See the crypto/tls package's Config.NextProtos field. ALPNProto = "acme-tls/1" ) Loading Loading @@ -76,6 +77,10 @@ const ( type Client struct { // Key is the account key used to register with a CA and sign requests. // Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey. // // The following algorithms are supported: // RS256, ES256, ES384 and ES512. // See RFC7518 for more details about the algorithms. Key crypto.Signer // HTTPClient optionally specifies an HTTP client to use Loading
vendor/golang.org/x/crypto/acme/autocert/autocert.go +23 −11 Original line number Diff line number Diff line Loading @@ -44,7 +44,7 @@ var createCertRetryAfter = time.Minute var pseudoRand *lockedMathRand func init() { src := mathrand.NewSource(timeNow().UnixNano()) src := mathrand.NewSource(time.Now().UnixNano()) pseudoRand = &lockedMathRand{rnd: mathrand.New(src)} } Loading @@ -69,7 +69,7 @@ func HostWhitelist(hosts ...string) HostPolicy { } return func(_ context.Context, host string) error { if !whitelist[host] { return errors.New("acme/autocert: host not configured") return fmt.Errorf("acme/autocert: host %q not configured in HostWhitelist", host) } return nil } Loading Loading @@ -183,6 +183,9 @@ type Manager struct { // for tls-alpn. // The entries are stored for the duration of the authorization flow. certTokens map[string]*tls.Certificate // nowFunc, if not nil, returns the current time. This may be set for // testing purposes. nowFunc func() time.Time } // certKey is the key by which certificates are tracked in state, renewal and cache. Loading Loading @@ -223,6 +226,11 @@ func (m *Manager) TLSConfig() *tls.Config { // a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation. // The error is propagated back to the caller of GetCertificate and is user-visible. // This does not affect cached certs. See HostPolicy field description for more details. // // If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will // also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler // for http-01. (The tls-sni-* challenges have been deprecated by popular ACME providers // due to security issues in the ecosystem.) func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) { if m.Prompt == nil { return nil, errors.New("acme/autocert: Manager.Prompt not set") Loading Loading @@ -356,8 +364,8 @@ func supportsECDSA(hello *tls.ClientHelloInfo) bool { // Because the fallback handler is run with unencrypted port 80 requests, // the fallback should not serve TLS-only requests. // // If HTTPHandler is never called, the Manager will only use TLS SNI // challenges for domain verification. // If HTTPHandler is never called, the Manager will only use the "tls-alpn-01" // challenge for domain verification. func (m *Manager) HTTPHandler(fallback http.Handler) http.Handler { m.tokensMu.Lock() defer m.tokensMu.Unlock() Loading Loading @@ -475,7 +483,7 @@ func (m *Manager) cacheGet(ctx context.Context, ck certKey) (*tls.Certificate, e } // verify and create TLS cert leaf, err := validCert(ck, pubDER, privKey) leaf, err := validCert(ck, pubDER, privKey, m.now()) if err != nil { return nil, ErrCacheMiss } Loading Loading @@ -570,7 +578,7 @@ func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate, if !ok { return } if _, err := validCert(ck, s.cert, s.key); err == nil { if _, err := validCert(ck, s.cert, s.key, m.now()); err == nil { return } delete(m.state, ck) Loading Loading @@ -639,7 +647,7 @@ func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, ck cert if err != nil { return nil, nil, err } leaf, err = validCert(ck, der, key) leaf, err = validCert(ck, der, key, m.now()) if err != nil { return nil, nil, err } Loading Loading @@ -983,6 +991,13 @@ func (m *Manager) renewBefore() time.Duration { return 720 * time.Hour // 30 days } func (m *Manager) now() time.Time { if m.nowFunc != nil { return m.nowFunc() } return time.Now() } // certState is ready when its mutex is unlocked for reading. type certState struct { sync.RWMutex Loading Loading @@ -1049,7 +1064,7 @@ func parsePrivateKey(der []byte) (crypto.Signer, error) { // are valid. It doesn't do any revocation checking. // // The returned value is the verified leaf cert. func validCert(ck certKey, der [][]byte, key crypto.Signer) (leaf *x509.Certificate, err error) { func validCert(ck certKey, der [][]byte, key crypto.Signer, now time.Time) (leaf *x509.Certificate, err error) { // parse public part(s) var n int for _, b := range der { Loading @@ -1066,7 +1081,6 @@ func validCert(ck certKey, der [][]byte, key crypto.Signer) (leaf *x509.Certific } // verify the leaf is not expired and matches the domain name leaf = x509Cert[0] now := timeNow() if now.Before(leaf.NotBefore) { return nil, errors.New("acme/autocert: certificate is not valid yet") } Loading Loading @@ -1120,8 +1134,6 @@ func (r *lockedMathRand) int63n(max int64) int64 { // For easier testing. var ( timeNow = time.Now // Called when a state is removed. testDidRemoveState = func(certKey) {} )
vendor/golang.org/x/crypto/acme/autocert/autocert_test.go +1 −1 Original line number Diff line number Diff line Loading @@ -986,7 +986,7 @@ func TestValidCert(t *testing.T) { {certKey{domain: "example.org"}, key3, [][]byte{cert3}, false}, } for i, test := range tt { leaf, err := validCert(test.ck, test.cert, test.key) leaf, err := validCert(test.ck, test.cert, test.key, now) if err != nil && test.ok { t.Errorf("%d: err = %v", i, err) } Loading
