authorMatthew Holt <mholt@users.noreply.github.com>2022-03-25 11:28:54 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2022-03-25 11:28:54 -0600
commitd06d0e79f839a26ab2cf81b00ba2d180623c57a9 (patch)
treec215c3c16ad9280df4721b53460bd36aa5893489 /modules
parenta58f240d3ecbb59285303746406cab50217f8d24 (diff)
go.mod: Upgrade CertMagic to v0.16.0
Includes several breaking changes; code base updated accordingly.
- Added lots of context arguments
- Use fs.ErrNotExist
- Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/autohttps.go4
-rw-r--r--modules/caddypki/ca.go24
-rw-r--r--modules/caddytls/acmeissuer.go14
-rw-r--r--modules/caddytls/automation.go6
-rw-r--r--modules/caddytls/certmanagers.go12
-rw-r--r--modules/caddytls/distributedstek/distributedstek.go10
-rw-r--r--modules/caddytls/storageloader.go7
-rw-r--r--modules/caddytls/tls.go4
-rw-r--r--modules/caddytls/zerosslissuer.go8
9 files changed, 49 insertions, 40 deletions
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index eb66114..f1d99ce 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -480,7 +480,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
if err != nil {
return err
}
- ap.Managers = []certmagic.CertificateManager{ts}
+ ap.Managers = []certmagic.Manager{ts}
}
// while we're here, is this the catch-all/base policy?
@@ -497,7 +497,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
return err
}
basePolicy = &caddytls.AutomationPolicy{
- Managers: []certmagic.CertificateManager{ts},
+ Managers: []certmagic.Manager{ts},
}
}
diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go
index 7fefee6..c9bdeee 100644
--- a/modules/caddypki/ca.go
+++ b/modules/caddypki/ca.go
@@ -18,7 +18,9 @@ import (
"crypto"
"crypto/x509"
"encoding/json"
+ "errors"
"fmt"
+ "io/fs"
"path"
"sync"
"time"
@@ -76,12 +78,14 @@ type CA struct {
rootCertPath string // mainly used for logging purposes if trusting
log *zap.Logger
+ ctx caddy.Context
}
// Provision sets up the CA.
func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
ca.mu = new(sync.RWMutex)
ca.log = log.Named("ca." + id)
+ ca.ctx = ctx
if id == "" {
return fmt.Errorf("CA ID is required (use 'local' for the default CA)")
@@ -215,9 +219,9 @@ func (ca CA) NewAuthority(authorityConfig AuthorityConfig) (*authority.Authority
}
func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey interface{}, err error) {
- rootCertPEM, err := ca.storage.Load(ca.storageKeyRootCert())
+ rootCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyRootCert())
if err != nil {
- if _, ok := err.(certmagic.ErrNotExist); !ok {
+ if !errors.Is(err, fs.ErrNotExist) {
return nil, nil, fmt.Errorf("loading root cert: %v", err)
}
@@ -235,7 +239,7 @@ func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey interface{}, e
}
}
if rootKey == nil {
- rootKeyPEM, err := ca.storage.Load(ca.storageKeyRootKey())
+ rootKeyPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyRootKey())
if err != nil {
return nil, nil, fmt.Errorf("loading root key: %v", err)
}
@@ -259,7 +263,7 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey interface{}, err err
if err != nil {
return nil, nil, fmt.Errorf("encoding root certificate: %v", err)
}
- err = ca.storage.Store(ca.storageKeyRootCert(), rootCertPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyRootCert(), rootCertPEM)
if err != nil {
return nil, nil, fmt.Errorf("saving root certificate: %v", err)
}
@@ -267,7 +271,7 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey interface{}, err err
if err != nil {
return nil, nil, fmt.Errorf("encoding root key: %v", err)
}
- err = ca.storage.Store(ca.storageKeyRootKey(), rootKeyPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyRootKey(), rootKeyPEM)
if err != nil {
return nil, nil, fmt.Errorf("saving root key: %v", err)
}
@@ -276,9 +280,9 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey interface{}, err err
}
func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
- interCertPEM, err := ca.storage.Load(ca.storageKeyIntermediateCert())
+ interCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyIntermediateCert())
if err != nil {
- if _, ok := err.(certmagic.ErrNotExist); !ok {
+ if !errors.Is(err, fs.ErrNotExist) {
return nil, nil, fmt.Errorf("loading intermediate cert: %v", err)
}
@@ -297,7 +301,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Pr
}
if interKey == nil {
- interKeyPEM, err := ca.storage.Load(ca.storageKeyIntermediateKey())
+ interKeyPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyIntermediateKey())
if err != nil {
return nil, nil, fmt.Errorf("loading intermediate key: %v", err)
}
@@ -321,7 +325,7 @@ func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateK
if err != nil {
return nil, nil, fmt.Errorf("encoding intermediate certificate: %v", err)
}
- err = ca.storage.Store(ca.storageKeyIntermediateCert(), interCertPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyIntermediateCert(), interCertPEM)
if err != nil {
return nil, nil, fmt.Errorf("saving intermediate certificate: %v", err)
}
@@ -329,7 +333,7 @@ func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateK
if err != nil {
return nil, nil, fmt.Errorf("encoding intermediate key: %v", err)
}
- err = ca.storage.Store(ca.storageKeyIntermediateKey(), interKeyPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyIntermediateKey(), interKeyPEM)
if err != nil {
return nil, nil, fmt.Errorf("saving intermediate key: %v", err)
}
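Review bot: The new `ctx` field added to CA in the second hunk carries no comment, although the adjacent `rootCertPath` field does, and it now backs every `ca.storage.Load`/`Store` call in loadOrGenRoot, genRoot, loadOrGenIntermediate and genIntermediate. Suggest `ctx caddy.Context // set in Provision; passed to every storage Load/Store below` so the lifetime is explicit. If any of those helpers can run after the context that provisioned this CA has been cancelled (for instance on a config reload), the storage calls would presumably start returning errors; the `!errors.Is(err, fs.ErrNotExist)` branches turn that into a hard failure rather than minting a fresh root, which is the safe direction, but it is worth confirming that the stored context outlives all callers. All four functions' bodies extend outside the hunks shown.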
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 48a961f..fd60cc8 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -85,7 +85,7 @@ type ACMEIssuer struct {
PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
rootPool *x509.CertPool
- template certmagic.ACMEManager
+ template certmagic.ACMEIssuer
magic *certmagic.Config
logger *zap.Logger
}
@@ -172,8 +172,8 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
return nil
}
-func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
- template := certmagic.ACMEManager{
+func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
+ template := certmagic.ACMEIssuer{
CA: iss.CA,
TestCA: iss.TestCA,
Email: iss.Email,
@@ -224,22 +224,22 @@ func (iss *ACMEIssuer) SetConfig(cfg *certmagic.Config) {
// PreCheck implements the certmagic.PreChecker interface.
func (iss *ACMEIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error {
- return certmagic.NewACMEManager(iss.magic, iss.template).PreCheck(ctx, names, interactive)
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).PreCheck(ctx, names, interactive)
}
// Issue obtains a certificate for the given csr.
func (iss *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) {
- return certmagic.NewACMEManager(iss.magic, iss.template).Issue(ctx, csr)
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).Issue(ctx, csr)
}
// IssuerKey returns the unique issuer key for the configured CA endpoint.
func (iss *ACMEIssuer) IssuerKey() string {
- return certmagic.NewACMEManager(iss.magic, iss.template).IssuerKey()
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).IssuerKey()
}
// Revoke revokes the given certificate.
func (iss *ACMEIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error {
- return certmagic.NewACMEManager(iss.magic, iss.template).Revoke(ctx, cert, reason)
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).Revoke(ctx, cert, reason)
}
// GetACMEIssuer returns iss. This is useful when other types embed ACMEIssuer, because
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index eb97c82..26884bc 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -141,8 +141,8 @@ type AutomationPolicy struct {
// they are only used to populate an underlying certmagic.Config's
// fields during provisioning so that the modules can survive a
// re-provisioning.
- Issuers []certmagic.Issuer `json:"-"`
- Managers []certmagic.CertificateManager `json:"-"`
+ Issuers []certmagic.Issuer `json:"-"`
+ Managers []certmagic.Manager `json:"-"`
magic *certmagic.Config
storage certmagic.Storage
@@ -199,7 +199,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
return fmt.Errorf("loading external certificate manager modules: %v", err)
}
for _, getCertVal := range vals.([]interface{}) {
- ap.Managers = append(ap.Managers, getCertVal.(certmagic.CertificateManager))
+ ap.Managers = append(ap.Managers, getCertVal.(certmagic.Manager))
}
}
diff --git a/modules/caddytls/certmanagers.go b/modules/caddytls/certmanagers.go
index 653e9f5..8c8d701 100644
--- a/modules/caddytls/certmanagers.go
+++ b/modules/caddytls/certmanagers.go
@@ -198,11 +198,11 @@ func (hcg *HTTPCertGetter) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
// Interface guards
var (
- _ certmagic.CertificateManager = (*Tailscale)(nil)
- _ caddy.Provisioner = (*Tailscale)(nil)
- _ caddyfile.Unmarshaler = (*Tailscale)(nil)
+ _ certmagic.Manager = (*Tailscale)(nil)
+ _ caddy.Provisioner = (*Tailscale)(nil)
+ _ caddyfile.Unmarshaler = (*Tailscale)(nil)
- _ certmagic.CertificateManager = (*HTTPCertGetter)(nil)
- _ caddy.Provisioner = (*HTTPCertGetter)(nil)
- _ caddyfile.Unmarshaler = (*HTTPCertGetter)(nil)
+ _ certmagic.Manager = (*HTTPCertGetter)(nil)
+ _ caddy.Provisioner = (*HTTPCertGetter)(nil)
+ _ caddyfile.Unmarshaler = (*HTTPCertGetter)(nil)
)
diff --git a/modules/caddytls/distributedstek/distributedstek.go b/modules/caddytls/distributedstek/distributedstek.go
index e76fc47..18ed694 100644
--- a/modules/caddytls/distributedstek/distributedstek.go
+++ b/modules/caddytls/distributedstek/distributedstek.go
@@ -26,7 +26,9 @@ import (
"bytes"
"encoding/gob"
"encoding/json"
+ "errors"
"fmt"
+ "io/fs"
"log"
"runtime/debug"
"time"
@@ -115,7 +117,7 @@ func (s *Provider) Next(doneChan <-chan struct{}) <-chan [][32]byte {
func (s *Provider) loadSTEK() (distributedSTEK, error) {
var sg distributedSTEK
- gobBytes, err := s.storage.Load(stekFileName)
+ gobBytes, err := s.storage.Load(s.ctx, stekFileName)
if err != nil {
return sg, err // don't wrap, in case error is certmagic.ErrNotExist
}
@@ -133,7 +135,7 @@ func (s *Provider) storeSTEK(dstek distributedSTEK) error {
if err != nil {
return fmt.Errorf("encoding STEK gob: %v", err)
}
- err = s.storage.Store(stekFileName, buf.Bytes())
+ err = s.storage.Store(s.ctx, stekFileName, buf.Bytes())
if err != nil {
return fmt.Errorf("storing STEK gob: %v", err)
}
@@ -151,11 +153,11 @@ func (s *Provider) getSTEK() (distributedSTEK, error) {
}
//nolint:errcheck
- defer s.storage.Unlock(stekLockName)
+ defer s.storage.Unlock(s.ctx, stekLockName)
// load the current STEKs from storage
dstek, err := s.loadSTEK()
- if _, isNotExist := err.(certmagic.ErrNotExist); isNotExist {
+ if errors.Is(err, fs.ErrNotExist) {
// if there is none, then make some right away
dstek, err = s.rotateKeys(dstek)
if err != nil {
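Review bot: The comment on the unchanged line `return sg, err // don't wrap, in case error is certmagic.ErrNotExist` in loadSTEK is now stale: getSTEK checks `errors.Is(err, fs.ErrNotExist)`, so the sentinel is fs.ErrNotExist and wrapping with `%w` would no longer hide it. Suggest `return sg, err // don't wrap, so getSTEK can detect fs.ErrNotExist`. Separately, `defer s.storage.Unlock(s.ctx, stekLockName)` now takes a context whose cancellation is a new way for the unlock to fail, and the `//nolint:errcheck` above it discards that error; if `s.ctx` is the provisioning context (it is set outside these hunks), a cancelled reload could leave the STEK lock held in shared storage until other instances time it out, so logging the Unlock error in the deferred call would be cheap insurance. getSTEK's body continues outside the hunk.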
diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
index e78996f..ef9d51e 100644
--- a/modules/caddytls/storageloader.go
+++ b/modules/caddytls/storageloader.go
@@ -35,6 +35,8 @@ type StorageLoader struct {
// Reference to the globally configured storage module.
storage certmagic.Storage
+
+ ctx caddy.Context
}
// CaddyModule returns the Caddy module information.
@@ -48,6 +50,7 @@ func (StorageLoader) CaddyModule() caddy.ModuleInfo {
// Provision loads the storage module for sl.
func (sl *StorageLoader) Provision(ctx caddy.Context) error {
sl.storage = ctx.Storage()
+ sl.ctx = ctx
return nil
}
@@ -55,11 +58,11 @@ func (sl *StorageLoader) Provision(ctx caddy.Context) error {
func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
certs := make([]Certificate, 0, len(sl.Pairs))
for _, pair := range sl.Pairs {
- certData, err := sl.storage.Load(pair.Certificate)
+ certData, err := sl.storage.Load(sl.ctx, pair.Certificate)
if err != nil {
return nil, err
}
- keyData, err := sl.storage.Load(pair.Key)
+ keyData, err := sl.storage.Load(sl.ctx, pair.Key)
if err != nil {
return nil, err
}
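Review bot: The new `ctx caddy.Context` field on StorageLoader in the first hunk has no comment, while the neighbouring `storage` field is documented; since `LoadCertificates` has a value receiver and reads the stored context on every `sl.storage.Load`, a reader should be told where it comes from. Suggest `// Context captured in Provision; passed to the storage loads in LoadCertificates.` above the field. This ties the certificate and private-key loads to the lifetime of the provisioning context, which appears intended since the tls.go hunk in this commit calls the loader from TLS.Provision, but that should be stated rather than left for the reader to infer.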
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 31c559c..9fe30fe 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -199,7 +199,7 @@ func (t *TLS) Provision(ctx caddy.Context) error {
return fmt.Errorf("loading certificates: %v", err)
}
for _, cert := range certs {
- err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
+ err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
if err != nil {
return fmt.Errorf("caching unmanaged certificate: %v", err)
}
@@ -336,7 +336,7 @@ func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool {
for _, iss := range ap.magic.Issuers {
if am, ok := iss.(acmeCapable); ok {
iss := am.GetACMEIssuer()
- if certmagic.NewACMEManager(iss.magic, iss.template).HandleHTTPChallenge(w, r) {
+ if certmagic.NewACMEIssuer(iss.magic, iss.template).HandleHTTPChallenge(w, r) {
return true
}
}
diff --git a/modules/caddytls/zerosslissuer.go b/modules/caddytls/zerosslissuer.go
index a8830a0..a75063b 100644
--- a/modules/caddytls/zerosslissuer.go
+++ b/modules/caddytls/zerosslissuer.go
@@ -69,12 +69,12 @@ func (iss *ZeroSSLIssuer) Provision(ctx caddy.Context) error {
}
// newAccountCallback generates EAB if not already provided. It also sets a valid default contact on the account if not set.
-func (iss *ZeroSSLIssuer) newAccountCallback(ctx context.Context, am *certmagic.ACMEManager, acct acme.Account) (acme.Account, error) {
- if am.ExternalAccount != nil {
+func (iss *ZeroSSLIssuer) newAccountCallback(ctx context.Context, acmeIss *certmagic.ACMEIssuer, acct acme.Account) (acme.Account, error) {
+ if acmeIss.ExternalAccount != nil {
return acct, nil
}
var err error
- am.ExternalAccount, acct, err = iss.generateEABCredentials(ctx, acct)
+ acmeIss.ExternalAccount, acct, err = iss.generateEABCredentials(ctx, acct)
return acct, err
}
@@ -153,7 +153,7 @@ func (iss *ZeroSSLIssuer) generateEABCredentials(ctx context.Context, acct acme.
}, acct, nil
}
-// initialize modifies the template for the underlying ACMEManager
+// initialize modifies the template for the underlying ACMEIssuer
// values by setting the CA endpoint to the ZeroSSL directory and
// setting the NewAccountFunc callback to one which allows us to
// generate EAB credentials only if a new account is being made.