caddytls: Add support for externalAccountBinding ACME extension

This commit is contained in:
Matthew Holt 2020-03-31 21:08:02 -06:00
parent 244b839f98
commit 9fb0b1e838
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
3 changed files with 42 additions and 9 deletions

4
go.mod
View file

@ -5,7 +5,7 @@ go 1.14
require ( require (
github.com/Masterminds/sprig/v3 v3.0.2 github.com/Masterminds/sprig/v3 v3.0.2
github.com/alecthomas/chroma v0.7.2-0.20200305040604-4f3623dce67a github.com/alecthomas/chroma v0.7.2-0.20200305040604-4f3623dce67a
github.com/caddyserver/certmagic v0.10.5 github.com/caddyserver/certmagic v0.10.6
github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
github.com/go-acme/lego/v3 v3.5.0 github.com/go-acme/lego/v3 v3.5.0
github.com/google/cel-go v0.4.1 github.com/google/cel-go v0.4.1
@ -21,7 +21,7 @@ require (
github.com/smallstep/cli v0.14.0-rc.3 github.com/smallstep/cli v0.14.0-rc.3
github.com/smallstep/truststore v0.9.4 github.com/smallstep/truststore v0.9.4
github.com/vulcand/oxy v1.1.0 github.com/vulcand/oxy v1.1.0
github.com/yuin/goldmark v1.1.26 github.com/yuin/goldmark v1.1.27
github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691 github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691
go.uber.org/zap v1.14.1 go.uber.org/zap v1.14.1
golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59

8
go.sum
View file

@ -120,8 +120,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
github.com/caddyserver/certmagic v0.10.5 h1:Dg4ipO1y23rWvFmiiRqhtUTh5Hy7PmfoFvPfDpnE8Z8= github.com/caddyserver/certmagic v0.10.6 h1:sCya6FmfaN74oZE46kqfaFOVoROD/mF36rTQfjN7TZc=
github.com/caddyserver/certmagic v0.10.5/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ= github.com/caddyserver/certmagic v0.10.6/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ=
github.com/cenkalti/backoff/v4 v4.0.0 h1:6VeaLF9aI+MAUQ95106HwWzYZgJJpZ4stumjj6RFYAU= github.com/cenkalti/backoff/v4 v4.0.0 h1:6VeaLF9aI+MAUQ95106HwWzYZgJJpZ4stumjj6RFYAU=
github.com/cenkalti/backoff/v4 v4.0.0/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg= github.com/cenkalti/backoff/v4 v4.0.0/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg=
github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@ -758,8 +758,8 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
github.com/yuin/goldmark v1.1.22/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.22/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.26 h1:81MfIApzizD8JqKIjnWy2Vxj7GgmQUrJlh/jYWH8yGk= github.com/yuin/goldmark v1.1.27 h1:nqDD4MMMQA0lmWq03Z2/myGPYLQoXtmi0rGVs95ntbo=
github.com/yuin/goldmark v1.1.26/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691 h1:VWSxtAiQNh3zgHJpdpkpVYjTPqRE3P6UZCOPa1nRDio= github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691 h1:VWSxtAiQNh3zgHJpdpkpVYjTPqRE3P6UZCOPa1nRDio=
github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691/go.mod h1:YLF3kDffRfUH/bTxOxHhV6lxwIB3Vfj91rEwNMS9MXo= github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691/go.mod h1:YLF3kDffRfUH/bTxOxHhV6lxwIB3Vfj91rEwNMS9MXo=
go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk= go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk=

View file

@ -17,6 +17,7 @@ package caddytls
import ( import (
"context" "context"
"crypto/x509" "crypto/x509"
"encoding/base64"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/url" "net/url"
@ -54,6 +55,10 @@ type ACMEIssuer struct {
// other than ACME transactions. // other than ACME transactions.
Email string `json:"email,omitempty"` Email string `json:"email,omitempty"`
// If using an ACME CA that requires an external account
// binding, specify the CA-provided credentials here.
ExternalAccount *ExternalAccountBinding `json:"external_account,omitempty"`
// Time to wait before timing out an ACME operation. // Time to wait before timing out an ACME operation.
ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"` ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"`
@ -107,12 +112,16 @@ func (m *ACMEIssuer) Provision(ctx caddy.Context) error {
} }
} }
m.template = m.makeIssuerTemplate() var err error
m.template, err = m.makeIssuerTemplate()
if err != nil {
return err
}
return nil return nil
} }
func (m *ACMEIssuer) makeIssuerTemplate() certmagic.ACMEManager { func (m *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
template := certmagic.ACMEManager{ template := certmagic.ACMEManager{
CA: m.CA, CA: m.CA,
Email: m.Email, Email: m.Email,
@ -120,6 +129,20 @@ func (m *ACMEIssuer) makeIssuerTemplate() certmagic.ACMEManager {
TrustedRoots: m.rootPool, TrustedRoots: m.rootPool,
} }
if m.ExternalAccount != nil {
hmac, err := base64.StdEncoding.DecodeString(m.ExternalAccount.EncodedHMAC)
if err != nil {
return template, err
}
if m.ExternalAccount.KeyID == "" || len(hmac) == 0 {
return template, fmt.Errorf("when an external account binding is specified, both key ID and HMAC are required")
}
template.ExternalAccount = &certmagic.ExternalAccountBinding{
KeyID: m.ExternalAccount.KeyID,
HMAC: hmac,
}
}
if m.Challenges != nil { if m.Challenges != nil {
if m.Challenges.HTTP != nil { if m.Challenges.HTTP != nil {
template.DisableHTTPChallenge = m.Challenges.HTTP.Disabled template.DisableHTTPChallenge = m.Challenges.HTTP.Disabled
@ -132,7 +155,7 @@ func (m *ACMEIssuer) makeIssuerTemplate() certmagic.ACMEManager {
template.DNSProvider = m.Challenges.DNS template.DNSProvider = m.Challenges.DNS
} }
return template return template, nil
} }
// SetConfig sets the associated certmagic config for this issuer. // SetConfig sets the associated certmagic config for this issuer.
@ -201,6 +224,16 @@ type DNSProviderMaker interface {
NewDNSProvider() (challenge.Provider, error) NewDNSProvider() (challenge.Provider, error)
} }
// ExternalAccountBinding contains information for
// binding an external account to an ACME account.
type ExternalAccountBinding struct {
// The key identifier.
KeyID string `json:"key_id,omitempty"`
// The base64-encoded HMAC.
EncodedHMAC string `json:"hmac,omitempty"`
}
// Interface guards // Interface guards
var ( var (
_ certmagic.PreChecker = (*ACMEIssuer)(nil) _ certmagic.PreChecker = (*ACMEIssuer)(nil)