diff options
Diffstat (limited to 'modules/caddytls')
| -rw-r--r-- | modules/caddytls/connpolicy.go | 1 | ||||
| -rw-r--r-- | modules/caddytls/distributedstek/distributedstek.go | 7 | ||||
| -rw-r--r-- | modules/caddytls/folderloader.go | 20 | ||||
| -rw-r--r-- | modules/caddytls/internalissuer.go | 16 | ||||
| -rw-r--r-- | modules/caddytls/tls.go | 2 | ||||
| -rw-r--r-- | modules/caddytls/values.go | 1 |
6 files changed, 36 insertions, 11 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go index 7eda002..de929cc 100644 --- a/modules/caddytls/connpolicy.go +++ b/modules/caddytls/connpolicy.go @@ -80,6 +80,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config { } return &tls.Config{ + MinVersion: tls.VersionTLS12, GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) { // filter policies by SNI first, if possible, to speed things up // when there may be lots of policies diff --git a/modules/caddytls/distributedstek/distributedstek.go b/modules/caddytls/distributedstek/distributedstek.go index f29db29..e76fc47 100644 --- a/modules/caddytls/distributedstek/distributedstek.go +++ b/modules/caddytls/distributedstek/distributedstek.go @@ -145,7 +145,12 @@ func (s *Provider) storeSTEK(dstek distributedSTEK) error { // current STEK is outdated (NextRotation time is in the past), // then it is rotated and persisted. The resulting STEK is returned. func (s *Provider) getSTEK() (distributedSTEK, error) { - s.storage.Lock(s.ctx, stekLockName) + err := s.storage.Lock(s.ctx, stekLockName) + if err != nil { + return distributedSTEK{}, fmt.Errorf("failed to acquire storage lock: %v", err) + } + + //nolint:errcheck defer s.storage.Unlock(stekLockName) // load the current STEKs from storage diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go index f1a742d..10b017e 100644 --- a/modules/caddytls/folderloader.go +++ b/modules/caddytls/folderloader.go @@ -97,26 +97,38 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) { if derBlock.Type == "CERTIFICATE" { // Re-encode certificate as PEM, appending to certificate chain - pem.Encode(certBuilder, derBlock) + err = pem.Encode(certBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } } else if derBlock.Type == "EC PARAMETERS" { // EC keys generated from openssl can be composed of two blocks: // parameters and key (parameter block should come first) if !foundKey { // Encode parameters - pem.Encode(keyBuilder, derBlock) + err = pem.Encode(keyBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } // Key must immediately follow derBlock, bundle = pem.Decode(bundle) if derBlock == nil || derBlock.Type != "EC PRIVATE KEY" { return tls.Certificate{}, fmt.Errorf("%s: expected elliptic private key to immediately follow EC parameters", fpath) } - pem.Encode(keyBuilder, derBlock) + err = pem.Encode(keyBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } foundKey = true } } else if derBlock.Type == "PRIVATE KEY" || strings.HasSuffix(derBlock.Type, " PRIVATE KEY") { // RSA key if !foundKey { - pem.Encode(keyBuilder, derBlock) + err = pem.Encode(keyBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } foundKey = true } } else { diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go index 6f228ea..416369f 100644 --- a/modules/caddytls/internalissuer.go +++ b/modules/caddytls/internalissuer.go @@ -27,6 +27,7 @@ import ( "github.com/caddyserver/caddy/v2/modules/caddypki" "github.com/caddyserver/certmagic" "github.com/smallstep/certificates/authority/provisioner" + "go.uber.org/zap" ) func init() { @@ -51,7 +52,8 @@ type InternalIssuer struct { // validate certificate chains. SignWithRoot bool `json:"sign_with_root,omitempty"` - ca *caddypki.CA + ca *caddypki.CA + logger *zap.Logger } // CaddyModule returns the Caddy module information. @@ -64,6 +66,8 @@ func (InternalIssuer) CaddyModule() caddy.ModuleInfo { // Provision sets up the issuer. func (iss *InternalIssuer) Provision(ctx caddy.Context) error { + iss.logger = ctx.Logger(iss) + // get a reference to the configured CA appModule, err := ctx.App("pki") if err != nil { @@ -115,11 +119,15 @@ func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateReques // ensure issued certificate does not expire later than its issuer lifetime := time.Duration(iss.Lifetime) if time.Now().Add(lifetime).After(issuerCert.NotAfter) { - // TODO: log this - lifetime = issuerCert.NotAfter.Sub(time.Now()) + lifetime = time.Until(issuerCert.NotAfter) + iss.logger.Warn("cert lifetime would exceed issuer NotAfter, clamping lifetime", + zap.Duration("orig_lifetime", time.Duration(iss.Lifetime)), + zap.Duration("lifetime", lifetime), + zap.Time("not_after", issuerCert.NotAfter), + ) } - certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(iss.Lifetime)) + certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(caddy.Duration(lifetime))) if err != nil { return nil, err } diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index 146eed4..fd3473e 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -498,8 +498,6 @@ var ( storageCleanMu sync.Mutex ) -const automateKey = "automate" - // Interface guards var ( _ caddy.App = (*TLS)(nil) diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go index f0944a3..dea0013 100644 --- a/modules/caddytls/values.go +++ b/modules/caddytls/values.go @@ -122,6 +122,7 @@ var SupportedProtocols = map[string]uint16{ // unsupportedProtocols is a map of unsupported protocols. // Used for logging only, not enforcement. var unsupportedProtocols = map[string]uint16{ + //nolint:staticcheck "ssl3.0": tls.VersionSSL30, "tls1.0": tls.VersionTLS10, "tls1.1": tls.VersionTLS11, |