vendor c/common@852ca05a1f

Also force an update of c/image to prevent a downgrade. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2025-11-30 01:58:46 +08:00 · 2023-02-20 16:09:01 +01:00
parent bac20d1917
commit adacd3b127
123 changed files with 10220 additions and 10917 deletions
--- a/vendor/github.com/letsencrypt/boulder/core/challenges.go
+++ b/vendor/github.com/letsencrypt/boulder/core/challenges.go
@@ -1,5 +1,7 @@
 package core

+import "fmt"
+
 func newChallenge(challengeType AcmeChallenge, token string) Challenge {
 	return Challenge{
 		Type:   challengeType,
@@ -25,3 +27,19 @@ func DNSChallenge01(token string) Challenge {
 func TLSALPNChallenge01(token string) Challenge {
 	return newChallenge(ChallengeTypeTLSALPN01, token)
 }
+
+// NewChallenge constructs a random challenge of the given kind. It returns an
+// error if the challenge type is unrecognized. If token is empty a random token
+// will be generated, otherwise the provided token is used.
+func NewChallenge(kind AcmeChallenge, token string) (Challenge, error) {
+	switch kind {
+	case ChallengeTypeHTTP01:
+		return HTTPChallenge01(token), nil
+	case ChallengeTypeDNS01:
+		return DNSChallenge01(token), nil
+	case ChallengeTypeTLSALPN01:
+		return TLSALPNChallenge01(token), nil
+	default:
+		return Challenge{}, fmt.Errorf("unrecognized challenge type %q", kind)
+	}
+}
--- a/vendor/github.com/letsencrypt/boulder/core/interfaces.go
+++ b/vendor/github.com/letsencrypt/boulder/core/interfaces.go
@@ -7,7 +7,8 @@ import (
 // PolicyAuthority defines the public interface for the Boulder PA
 // TODO(#5891): Move this interface to a more appropriate location.
 type PolicyAuthority interface {
-	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
-	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
-	ChallengeTypeEnabled(t AcmeChallenge) bool
+	WillingToIssueWildcards([]identifier.ACMEIdentifier) error
+	ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error)
+	ChallengeTypeEnabled(AcmeChallenge) bool
+	CheckAuthz(*Authorization) error
 }
--- a/vendor/github.com/letsencrypt/boulder/core/objects.go
+++ b/vendor/github.com/letsencrypt/boulder/core/objects.go
@@ -2,7 +2,6 @@ package core

 import (
 	"crypto"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -12,7 +11,7 @@ import (
 	"time"

 	"golang.org/x/crypto/ocsp"
-	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/go-jose/go-jose.v2"

 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/probs"
@@ -53,7 +52,6 @@ const (
 type AcmeChallenge string

 // These types are the available challenges
-// TODO(#5009): Make this a custom type as well.
 const (
 	ChallengeTypeHTTP01    = AcmeChallenge("http-01")
 	ChallengeTypeDNS01     = AcmeChallenge("dns-01")
@@ -87,44 +85,10 @@ var OCSPStatusToInt = map[OCSPStatus]int{
 // DNSPrefix is attached to DNS names in DNS challenges
 const DNSPrefix = "_acme-challenge"

-// CertificateRequest is just a CSR
-//
-// This data is unmarshalled from JSON by way of RawCertificateRequest, which
-// represents the actual structure received from the client.
-type CertificateRequest struct {
-	CSR   *x509.CertificateRequest // The CSR
-	Bytes []byte                   // The original bytes of the CSR, for logging.
-}
-
 type RawCertificateRequest struct {
 	CSR JSONBuffer `json:"csr"` // The encoded CSR
 }

-// UnmarshalJSON provides an implementation for decoding CertificateRequest objects.
-func (cr *CertificateRequest) UnmarshalJSON(data []byte) error {
-	var raw RawCertificateRequest
-	err := json.Unmarshal(data, &raw)
-	if err != nil {
-		return err
-	}
-
-	csr, err := x509.ParseCertificateRequest(raw.CSR)
-	if err != nil {
-		return err
-	}
-
-	cr.CSR = csr
-	cr.Bytes = raw.CSR
-	return nil
-}
-
-// MarshalJSON provides an implementation for encoding CertificateRequest objects.
-func (cr CertificateRequest) MarshalJSON() ([]byte, error) {
-	return json.Marshal(RawCertificateRequest{
-		CSR: cr.CSR.Raw,
-	})
-}
-
 // Registration objects represent non-public metadata attached
 // to account keys.
 type Registration struct {
@@ -373,9 +337,6 @@ type Authorization struct {
 	// slice and the order of these challenges may not be predictable.
 	Challenges []Challenge `json:"challenges,omitempty" db:"-"`

-	// This field is deprecated. It's filled in by WFE for the ACMEv1 API.
-	Combinations [][]int `json:"combinations,omitempty" db:"combinations"`
-
 	// Wildcard is a Boulder-specific Authorization field that indicates the
 	// authorization was created as a result of an order containing a name with
 	// a `*.`wildcard prefix. This will help convey to users that an
@@ -399,38 +360,25 @@ func (authz *Authorization) FindChallengeByStringID(id string) int {
 // SolvedBy will look through the Authorizations challenges, returning the type
 // of the *first* challenge it finds with Status: valid, or an error if no
 // challenge is valid.
-func (authz *Authorization) SolvedBy() (*AcmeChallenge, error) {
+func (authz *Authorization) SolvedBy() (AcmeChallenge, error) {
 	if len(authz.Challenges) == 0 {
-		return nil, fmt.Errorf("Authorization has no challenges")
+		return "", fmt.Errorf("Authorization has no challenges")
 	}
 	for _, chal := range authz.Challenges {
 		if chal.Status == StatusValid {
-			return &chal.Type, nil
+			return chal.Type, nil
 		}
 	}
-	return nil, fmt.Errorf("Authorization not solved by any challenge")
+	return "", fmt.Errorf("Authorization not solved by any challenge")
 }

 // JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding
 // with stripped padding.
 type JSONBuffer []byte

-// URL-safe base64 encode that strips padding
-func base64URLEncode(data []byte) string {
-	var result = base64.URLEncoding.EncodeToString(data)
-	return strings.TrimRight(result, "=")
-}
-
-// URL-safe base64 decoder that adds padding
-func base64URLDecode(data string) ([]byte, error) {
-	var missing = (4 - len(data)%4) % 4
-	data += strings.Repeat("=", missing)
-	return base64.URLEncoding.DecodeString(data)
-}
-
 // MarshalJSON encodes a JSONBuffer for transmission.
 func (jb JSONBuffer) MarshalJSON() (result []byte, err error) {
-	return json.Marshal(base64URLEncode(jb))
+	return json.Marshal(base64.RawURLEncoding.EncodeToString(jb))
 }

 // UnmarshalJSON decodes a JSONBuffer to an object.
@@ -440,7 +388,7 @@ func (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error) {
 	if err != nil {
 		return err
 	}
-	*jb, err = base64URLDecode(str)
+	*jb, err = base64.RawURLEncoding.DecodeString(strings.TrimRight(str, "="))
 	return
 }

--- a/vendor/github.com/letsencrypt/boulder/core/proto/core.pb.go
+++ b/vendor/github.com/letsencrypt/boulder/core/proto/core.pb.go
--- a/vendor/github.com/letsencrypt/boulder/core/proto/core.proto
+++ b/vendor/github.com/letsencrypt/boulder/core/proto/core.proto
@@ -1,101 +0,0 @@
-syntax = "proto3";
-
-package core;
-option go_package = "github.com/letsencrypt/boulder/core/proto";
-
-message Challenge {
-  int64 id = 1;
-  string type = 2;
-  string status = 6;
-  string uri = 9;
-  string token = 3;
-  string keyAuthorization = 5;
-  repeated ValidationRecord validationrecords = 10;
-  ProblemDetails error = 7;
-  int64 validated = 11;
-}
-
-message ValidationRecord {
-  string hostname = 1;
-  string port = 2;
-  repeated bytes addressesResolved = 3; // net.IP.MarshalText()
-  bytes addressUsed = 4; // net.IP.MarshalText()
-
-  repeated string authorities = 5;
-  string url = 6;
-  // A list of addresses tried before the address used (see
-  // core/objects.go and the comment on the ValidationRecord structure
-  // definition for more information.
-  repeated bytes addressesTried = 7; // net.IP.MarshalText()
-}
-
-message ProblemDetails {
-  string problemType = 1;
-  string detail = 2;
-  int32 httpStatus = 3;
-}
-
-message Certificate {
-  int64 registrationID = 1;
-  string serial = 2;
-  string digest = 3;
-  bytes der = 4;
-  int64 issued = 5;  // Unix timestamp (nanoseconds)
-  int64 expires = 6; // Unix timestamp (nanoseconds)
-}
-
-message CertificateStatus {
-  string serial = 1;
-  reserved 2; // previously subscriberApproved
-  string status = 3;
-  int64 ocspLastUpdated = 4;
-  int64 revokedDate = 5;
-  int64 revokedReason = 6;
-  int64 lastExpirationNagSent = 7;
-  bytes ocspResponse = 8;
-  int64 notAfter = 9;
-  bool isExpired = 10;
-  int64 issuerID = 11;
-}
-
-message Registration {
-  int64 id = 1;
-  bytes key = 2;
-  repeated string contact = 3;
-  bool contactsPresent = 4;
-  string agreement = 5;
-  bytes initialIP = 6;
-  int64 createdAt = 7; // Unix timestamp (nanoseconds)
-  string status = 8;
-}
-
-message Authorization {
-  string id = 1;
-  string identifier = 2;
-  int64 registrationID = 3;
-  string status = 4;
-  int64 expires = 5; // Unix timestamp (nanoseconds)
-  repeated core.Challenge challenges = 6;
-  reserved 7; // previously combinations
-  reserved 8; // previously v2
-}
-
-message Order {
-  int64 id = 1;
-  int64 registrationID = 2;
-  int64 expires = 3;
-  ProblemDetails error = 4;
-  string certificateSerial = 5;
-  reserved 6; // previously authorizations, deprecated in favor of v2Authorizations
-  string status = 7;
-  repeated string names = 8;
-  bool beganProcessing = 9;
-  int64 created = 10;
-  repeated int64 v2Authorizations = 11;
-}
-
-message CRLEntry {
-  string serial = 1;
-  int32 reason = 2;
-  int64 revokedAt = 3; // Unix timestamp (nanoseconds)
-}
--- a/vendor/github.com/letsencrypt/boulder/core/util.go
+++ b/vendor/github.com/letsencrypt/boulder/core/util.go
@@ -23,7 +23,7 @@ import (
 	"time"
 	"unicode"

-	jose "gopkg.in/square/go-jose.v2"
+	jose "gopkg.in/go-jose/go-jose.v2"
 )

 const Unspecified = "Unspecified"