mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:11:30 +00:00
shankar0123
9bc845304e
Wires up the actual challenge-validation machinery so profiles in
acme_auth_mode='challenge' resolve end-to-end. After this commit,
cert-manager 1.15+ with `solver: http01: ingress` against a
challenge-mode profile completes a real HTTP-01 flow and gets a cert.
DNS-01 + TLS-ALPN-01 share the same code path with the appropriate
validator selection.
Architecture (the load-bearing parts):
- 3 separate semaphore-bounded worker pools (one per challenge type),
so HTTP-01 and DNS-01 can't starve each other under load. Default
weight 10 per type; tunable via CERTCTL_ACME_SERVER_HTTP01_CONCURRENCY,
DNS01_CONCURRENCY, TLSALPN01_CONCURRENCY.
- 30s per-challenge timeout (configurable via PoolConfig.PerChallengeTimeout).
- HTTP-01 validator runs validation.IsReservedIPForDial (newly
exported wrapper preserving the existing private impl byte-for-byte
for the network scanner + ValidateSafeURL paths) on the resolved
IP — both at the initial dial and every redirect hop. SSRF probes
into private IP space are refused before the connect.
- DNS-01 validator uses a dedicated resolver pointed at
CERTCTL_ACME_SERVER_DNS01_RESOLVER (default 8.8.8.8:53) — does
NOT use the system resolver to keep behavior deterministic across
deployments. Wildcard handling: `*.example.com` queries
_acme-challenge.example.com.
- TLS-ALPN-01 validator (RFC 8737) connects with ALPN `acme-tls/1`,
inspects the id-pe-acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31),
asserts the ASN.1 OCTET STRING value equals SHA-256 of the key
authorization. Cert chain is intentionally NOT validated
(InsecureSkipVerify=true is correct per RFC 8737 — the proof is
in the extension, not the chain). Documented in docs/tls.md L-001
table + the //nolint:gosec comment carries the justification.
SSRF guard: same posture as HTTP-01.
- Validation is asynchronous: handler accepts the POST and returns
200 immediately with status=processing; the worker-pool fires a
callback that updates challenge → authz → order in a fresh
background-context WithinTx. The order auto-promotes to `ready`
when ALL authzs become valid; auto-fails to `invalid` when ANY
authz becomes invalid.
What ships:
- internal/api/acme/challenge.go: KeyAuthorization (RFC 8555 §8.1) +
DNS01TXTRecordValue (§8.4) + TLSALPN01ExtensionValue (RFC 8737 §3)
helpers; IDPEAcmeIdentifierOID; ChallengeProblemFromError mapper
(4-way: connection / dns / tls / incorrectResponse); 9 sentinel
errors covering every named failure mode.
- internal/api/acme/validators.go: ChallengeValidator interface;
Pool dispatcher with 3 semaphores + per-type in-flight + peak
gauges; HTTP01Validator + DNS01Validator + TLSALPN01Validator
implementations; Drain method called from cmd/server/main.go's
shutdown sequence.
- internal/api/acme/validators_test.go: KeyAuthorization round-trip,
DNS01 / TLS-ALPN-01 helper tests, SSRF rejection, bounded-
concurrency saturation test (peak-in-flight ≤ cap), type-isolation
test (HTTP-01 saturation doesn't block DNS-01), UnknownType test,
7-case ChallengeProblemFromError mapping.
- internal/repository/postgres/acme.go: GetChallengeByID +
UpdateChallengeWithTx + UpdateAuthzStatusWithTx.
- internal/service/acme.go: SetValidatorPool wires the *acme.Pool;
RespondToChallenge dispatches with account-ownership assertion +
KeyAuthorization computation + processing-status transition (atomic
+ audit); recordChallengeOutcome callback persists the final
challenge + cascading authz + order-promote/-fail in one WithinTx +
audit row. 4 new metrics.
- internal/api/handler/acme.go: Challenge handler; round-trips
account.JWKPEM through ParseJWKFromPEM to recover the *jose.JSONWebKey
the validator pool needs.
- internal/api/router/router.go + openapi_parity_test.go +
api/openapi-handler-exceptions.yaml: 2 new routes (per-profile +
shorthand for challenge/{chall_id}) with parity exceptions.
- cmd/server/main.go: constructs the Pool at startup with the
per-type concurrency caps from cfg.ACMEServer; ACMEService.ValidatorPool()
accessor exposed for the shutdown drain sequence.
- internal/validation/ssrf.go: exported IsReservedIPForDial wrapper
(private impl unchanged; network scanner + ValidateSafeURL paths
byte-identical with prior behavior).
- docs/tls.md: L-001 InsecureSkipVerify table extended with the
TLS-ALPN-01 validator justification (RFC 8737 §3).
- docs/acme-server.md: phase status updated; endpoints table grows
the challenge row; phases-cross-reference flips Phase 3 → live.
Tests:
- 80%+ coverage on the new files.
- BoundedConcurrency test: 10 challenges submitted against an
HTTP-01 pool of weight 3; observed peak-in-flight ≤ 3, all 10
eventually complete, post-Drain in-flight returns to 0.
- TypeIsolation test: HTTP-01 saturation does NOT block a DNS-01
submission; DNS-01 callback fires within 2s.
- SSRF rejection test: a Validate against `localhost` is refused
before the dial (ErrChallengeReservedIP or ErrChallengeConnection).
Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-3".
108 lines
4.6 KiB
Go
108 lines
4.6 KiB
Go
// Copyright (c) certctl
|
|
// SPDX-License-Identifier: BSL-1.1
|
|
|
|
package acme
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/sha256"
|
|
"encoding/asn1"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
|
|
jose "github.com/go-jose/go-jose/v4"
|
|
)
|
|
|
|
// KeyAuthorization computes the canonical RFC 8555 §8.1 key authorization
|
|
// string: <token> + "." + base64url(JWK-thumbprint).
|
|
//
|
|
// The thumbprint is RFC 7638 SHA-256 of the canonicalized JWK; same
|
|
// helper Phase 1b uses to derive account IDs. Phase 3's HTTP-01 +
|
|
// DNS-01 + TLS-ALPN-01 validators all consume this string.
|
|
func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error) {
|
|
if jwk == nil {
|
|
return "", errors.New("acme: nil jwk for key authorization")
|
|
}
|
|
thumb, err := jwk.Thumbprint(crypto.SHA256)
|
|
if err != nil {
|
|
return "", fmt.Errorf("acme: thumbprint: %w", err)
|
|
}
|
|
return token + "." + base64.RawURLEncoding.EncodeToString(thumb), nil
|
|
}
|
|
|
|
// DNS01TXTRecordValue computes the value an authoritative DNS server
|
|
// must serve for `_acme-challenge.<domain>` per RFC 8555 §8.4.
|
|
//
|
|
// The DNS-01 record is base64url(SHA-256(keyAuthorization)) — NOT the
|
|
// raw key authorization (that's HTTP-01's behavior).
|
|
func DNS01TXTRecordValue(keyAuthorization string) string {
|
|
h := sha256.Sum256([]byte(keyAuthorization))
|
|
return base64.RawURLEncoding.EncodeToString(h[:])
|
|
}
|
|
|
|
// TLSALPN01ExtensionValue computes the SHA-256 hash of the key
|
|
// authorization that the validator looks for in the responding TLS
|
|
// cert's id-pe-acmeIdentifier extension (RFC 8737 §3).
|
|
//
|
|
// The ASN.1 wrapping (OCTET STRING containing the 32 raw bytes) is the
|
|
// caller's responsibility; this helper returns the inner 32 bytes.
|
|
func TLSALPN01ExtensionValue(keyAuthorization string) []byte {
|
|
h := sha256.Sum256([]byte(keyAuthorization))
|
|
return h[:]
|
|
}
|
|
|
|
// IDPEAcmeIdentifierOID is the ObjectIdentifier RFC 8737 §3 mandates for
|
|
// the id-pe-acmeIdentifier extension carried in the responding TLS
|
|
// cert during TLS-ALPN-01 validation. Exported so the validator can
|
|
// .Equal() it against incoming cert extensions; the value is fixed
|
|
// per-spec and never changes.
|
|
var IDPEAcmeIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
|
|
|
|
// ChallengeProblemFromError maps a validator error into the RFC 7807
|
|
// Problem the challenge row's `error` column should record. Centralized
|
|
// so each per-type validator returns plain errors and the dispatcher
|
|
// translates uniformly.
|
|
//
|
|
// The Problem types align with RFC 8555 §6.7:
|
|
// - connection / TCP-level → urn:ietf:params:acme:error:connection
|
|
// - DNS / TXT mismatch → urn:ietf:params:acme:error:dns
|
|
// - TLS handshake / cert mismatch → urn:ietf:params:acme:error:tls
|
|
// - all others → urn:ietf:params:acme:error:incorrectResponse (the
|
|
// RFC-canonical "challenge response was wrong" type)
|
|
func ChallengeProblemFromError(challengeType string, err error) *Problem {
|
|
if err == nil {
|
|
return nil
|
|
}
|
|
switch {
|
|
case errors.Is(err, ErrChallengeConnection):
|
|
return &Problem{Type: "urn:ietf:params:acme:error:connection", Detail: err.Error(), Status: 400}
|
|
case errors.Is(err, ErrChallengeDNS):
|
|
return &Problem{Type: "urn:ietf:params:acme:error:dns", Detail: err.Error(), Status: 400}
|
|
case errors.Is(err, ErrChallengeTLS):
|
|
return &Problem{Type: "urn:ietf:params:acme:error:tls", Detail: err.Error(), Status: 400}
|
|
default:
|
|
return &Problem{
|
|
Type: "urn:ietf:params:acme:error:incorrectResponse",
|
|
Detail: fmt.Sprintf("%s validation failed: %s", challengeType, err.Error()),
|
|
Status: 403,
|
|
}
|
|
}
|
|
}
|
|
|
|
// Validator-side sentinel errors. Each one maps to a specific RFC 8555
|
|
// §6.7 problem type via ChallengeProblemFromError above. Per-validator
|
|
// implementations wrap their failures with these.
|
|
var (
|
|
ErrChallengeConnection = errors.New("acme: connection-level failure during challenge validation")
|
|
ErrChallengeDNS = errors.New("acme: DNS-level failure during challenge validation")
|
|
ErrChallengeTLS = errors.New("acme: TLS-level failure during challenge validation")
|
|
ErrChallengeMismatch = errors.New("acme: challenge response did not match expected key authorization")
|
|
ErrChallengeReservedIP = errors.New("acme: HTTP-01 target resolves to a reserved IP (SSRF guard)")
|
|
ErrChallengeRedirect = errors.New("acme: HTTP-01 target redirected too many times")
|
|
ErrChallengeBodyTooBig = errors.New("acme: HTTP-01 response body exceeded 16 KiB cap")
|
|
ErrChallengeNoCert = errors.New("acme: TLS-ALPN-01 target presented no certificate")
|
|
ErrChallengeWrongALPN = errors.New("acme: TLS-ALPN-01 target did not negotiate the acme-tls/1 protocol")
|
|
ErrChallengeExtMissing = errors.New("acme: TLS-ALPN-01 target's certificate did not carry the id-pe-acmeIdentifier extension")
|
|
)
|