From d06d0e79f839a26ab2cf81b00ba2d180623c57a9 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Fri, 25 Mar 2022 11:28:54 -0600
Subject: go.mod: Upgrade CertMagic to v0.16.0

Includes several breaking changes; code base updated accordingly.

- Added lots of context arguments
- Use fs.ErrNotExist
- Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
---
 modules/caddyhttp/autohttps.go | 4 ++--
 modules/caddypki/ca.go | 24 +++++++++++++---------
 modules/caddytls/acmeissuer.go | 14 ++++++-------
 modules/caddytls/automation.go | 6 +++---
 modules/caddytls/certmanagers.go | 12 +++++------
 .../caddytls/distributedstek/distributedstek.go | 10 +++++----
 modules/caddytls/storageloader.go | 7 +++++--
 modules/caddytls/tls.go | 4 ++--
 modules/caddytls/zerosslissuer.go | 8 ++++----
 9 files changed, 49 insertions(+), 40 deletions(-)
 (limited to 'modules')

diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index eb66114..f1d99ce 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -480,7 +480,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
 if err != nil {
 return err
 }
- ap.Managers = []certmagic.CertificateManager{ts}
+ ap.Managers = []certmagic.Manager{ts}
 }
 
 // while we're here, is this the catch-all/base policy?
@@ -497,7 +497,7 @@ func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames []stri
 return err
 }
 basePolicy = &caddytls.AutomationPolicy{
- Managers: []certmagic.CertificateManager{ts},
+ Managers: []certmagic.Manager{ts},
 }
 }
 
diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go
index 7fefee6..c9bdeee 100644
--- a/modules/caddypki/ca.go
+++ b/modules/caddypki/ca.go
@@ -18,7 +18,9 @@ import (
 "crypto"
 "crypto/x509"
 "encoding/json"
+ "errors"
 "fmt"
+ "io/fs"
 "path"
 "sync"
 "time"
@@ -76,12 +78,14 @@ type CA struct {
 rootCertPath string // mainly used for logging purposes if trusting
 
 log *zap.Logger
+ ctx caddy.Context
 }
 
 // Provision sets up the CA.
 func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
 ca.mu = new(sync.RWMutex)
 ca.log = log.Named("ca." + id)
+ ca.ctx = ctx
 
 if id == "" {
 return fmt.Errorf("CA ID is required (use 'local' for the default CA)")
@@ -215,9 +219,9 @@ func (ca CA) NewAuthority(authorityConfig AuthorityConfig) (*authority.Authority
 }
 
 func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey interface{}, err error) {
- rootCertPEM, err := ca.storage.Load(ca.storageKeyRootCert())
+ rootCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyRootCert())
 if err != nil {
- if _, ok := err.(certmagic.ErrNotExist); !ok {
+ if !errors.Is(err, fs.ErrNotExist) {
 return nil, nil, fmt.Errorf("loading root cert: %v", err)
 }
 
@@ -235,7 +239,7 @@ func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey interface{}, e
 }
 }
 if rootKey == nil {
- rootKeyPEM, err := ca.storage.Load(ca.storageKeyRootKey())
+ rootKeyPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyRootKey())
 if err != nil {
 return nil, nil, fmt.Errorf("loading root key: %v", err)
 }
@@ -259,7 +263,7 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey interface{}, err err
 if err != nil {
 return nil, nil, fmt.Errorf("encoding root certificate: %v", err)
 }
- err = ca.storage.Store(ca.storageKeyRootCert(), rootCertPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyRootCert(), rootCertPEM)
 if err != nil {
 return nil, nil, fmt.Errorf("saving root certificate: %v", err)
 }
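Review bot: The new `ctx caddy.Context` field on CA is added without a comment, although the neighbouring `rootCertPath` field documents its purpose; the `ctx` field added to StorageLoader in storageloader.go has the same gap. Suggest `ctx caddy.Context // provisioning context, passed to the storage Load/Store calls in loadOrGen* and gen*`. Because the context is captured once in Provision rather than taken per call, every later storage call is cancelled together with the config that provisioned this CA; that is presumably intended for a module-scoped value, but stating it in the comment keeps a future caller from expecting a per-request context. The CA struct header and the remainder of Provision are outside the hunk.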
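Review bot: The switch to `errors.Is(err, fs.ErrNotExist)` makes the wrapped error chain meaningful, but the `%v` wraps on this hunk's context lines (`return nil, nil, fmt.Errorf("loading root cert: %v", err)`) still flatten whatever loadOrGenRoot returns, so its callers cannot apply the same `errors.Is` test to the result. Changing these to `%w` — `return nil, nil, fmt.Errorf("loading root cert: %w", err)` — would keep the chain intact; the loadOrGenIntermediate hunk below carries the identical `%v` wrap. This is a pre-existing style choice rather than a regression introduced here. The rest of loadOrGenRoot continues past the hunk.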
@@ -267,7 +271,7 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey interface{}, err err
 if err != nil {
 return nil, nil, fmt.Errorf("encoding root key: %v", err)
 }
- err = ca.storage.Store(ca.storageKeyRootKey(), rootKeyPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyRootKey(), rootKeyPEM)
 if err != nil {
 return nil, nil, fmt.Errorf("saving root key: %v", err)
 }
@@ -276,9 +280,9 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey interface{}, err err
 }
 
 func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
- interCertPEM, err := ca.storage.Load(ca.storageKeyIntermediateCert())
+ interCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyIntermediateCert())
 if err != nil {
- if _, ok := err.(certmagic.ErrNotExist); !ok {
+ if !errors.Is(err, fs.ErrNotExist) {
 return nil, nil, fmt.Errorf("loading intermediate cert: %v", err)
 }
 
@@ -297,7 +301,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Pr
 }
 
 if interKey == nil {
- interKeyPEM, err := ca.storage.Load(ca.storageKeyIntermediateKey())
+ interKeyPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyIntermediateKey())
 if err != nil {
 return nil, nil, fmt.Errorf("loading intermediate key: %v", err)
 }
@@ -321,7 +325,7 @@ func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateK
 if err != nil {
 return nil, nil, fmt.Errorf("encoding intermediate certificate: %v", err)
 }
- err = ca.storage.Store(ca.storageKeyIntermediateCert(), interCertPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyIntermediateCert(), interCertPEM)
 if err != nil {
 return nil, nil, fmt.Errorf("saving intermediate certificate: %v", err)
 }
@@ -329,7 +333,7 @@ func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateK
 if err != nil {
 return nil, nil, fmt.Errorf("encoding intermediate key: %v", err)
 }
- err = ca.storage.Store(ca.storageKeyIntermediateKey(), interKeyPEM)
+ err = ca.storage.Store(ca.ctx, ca.storageKeyIntermediateKey(), interKeyPEM)
 if err != nil {
 return nil, nil, fmt.Errorf("saving intermediate key: %v", err)
 }
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 48a961f..fd60cc8 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -85,7 +85,7 @@ type ACMEIssuer struct {
 PreferredChains *ChainPreference `json:"preferred_chains,omitempty"`
 
 rootPool *x509.CertPool
- template certmagic.ACMEManager
+ template certmagic.ACMEIssuer
 magic *certmagic.Config
 logger *zap.Logger
 }
@@ -172,8 +172,8 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
 return nil
 }
 
-func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
- template := certmagic.ACMEManager{
+func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
+ template := certmagic.ACMEIssuer{
 CA: iss.CA,
 TestCA: iss.TestCA,
 Email: iss.Email,
@@ -224,22 +224,22 @@ func (iss *ACMEIssuer) SetConfig(cfg *certmagic.Config) {
 
 // PreCheck implements the certmagic.PreChecker interface.
 func (iss *ACMEIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error {
- return certmagic.NewACMEManager(iss.magic, iss.template).PreCheck(ctx, names, interactive)
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).PreCheck(ctx, names, interactive)
 }
 
 // Issue obtains a certificate for the given csr.
 func (iss *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) {
- return certmagic.NewACMEManager(iss.magic, iss.template).Issue(ctx, csr)
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).Issue(ctx, csr)
 }
 
 // IssuerKey returns the unique issuer key for the configured CA endpoint.
 func (iss *ACMEIssuer) IssuerKey() string {
- return certmagic.NewACMEManager(iss.magic, iss.template).IssuerKey()
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).IssuerKey()
 }
 
 // Revoke revokes the given certificate.
 func (iss *ACMEIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error {
- return certmagic.NewACMEManager(iss.magic, iss.template).Revoke(ctx, cert, reason)
+ return certmagic.NewACMEIssuer(iss.magic, iss.template).Revoke(ctx, cert, reason)
 }
 
 // GetACMEIssuer returns iss. This is useful when other types embed ACMEIssuer, because
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index eb97c82..26884bc 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -141,8 +141,8 @@ type AutomationPolicy struct {
 // they are only used to populate an underlying certmagic.Config's
 // fields during provisioning so that the modules can survive a
 // re-provisioning.
- Issuers []certmagic.Issuer `json:"-"`
- Managers []certmagic.CertificateManager `json:"-"`
+ Issuers []certmagic.Issuer `json:"-"`
+ Managers []certmagic.Manager `json:"-"`
 
 magic *certmagic.Config
 storage certmagic.Storage
@@ -199,7 +199,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 return fmt.Errorf("loading external certificate manager modules: %v", err)
 }
 for _, getCertVal := range vals.([]interface{}) {
- ap.Managers = append(ap.Managers, getCertVal.(certmagic.CertificateManager))
+ ap.Managers = append(ap.Managers, getCertVal.(certmagic.Manager))
 }
 }
 
diff --git a/modules/caddytls/certmanagers.go b/modules/caddytls/certmanagers.go
index 653e9f5..8c8d701 100644
--- a/modules/caddytls/certmanagers.go
+++ b/modules/caddytls/certmanagers.go
@@ -198,11 +198,11 @@ func (hcg *HTTPCertGetter) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 
 // Interface guards
 var (
- _ certmagic.CertificateManager = (*Tailscale)(nil)
- _ caddy.Provisioner = (*Tailscale)(nil)
- _ caddyfile.Unmarshaler = (*Tailscale)(nil)
+ _ certmagic.Manager = (*Tailscale)(nil)
+ _ caddy.Provisioner = (*Tailscale)(nil)
+ _ caddyfile.Unmarshaler = (*Tailscale)(nil)
 
- _ certmagic.CertificateManager = (*HTTPCertGetter)(nil)
- _ caddy.Provisioner = (*HTTPCertGetter)(nil)
- _ caddyfile.Unmarshaler = (*HTTPCertGetter)(nil)
+ _ certmagic.Manager = (*HTTPCertGetter)(nil)
+ _ caddy.Provisioner = (*HTTPCertGetter)(nil)
+ _ caddyfile.Unmarshaler = (*HTTPCertGetter)(nil)
 )
diff --git a/modules/caddytls/distributedstek/distributedstek.go b/modules/caddytls/distributedstek/distributedstek.go
index e76fc47..18ed694 100644
--- a/modules/caddytls/distributedstek/distributedstek.go
+++ b/modules/caddytls/distributedstek/distributedstek.go
@@ -26,7 +26,9 @@ import (
 "bytes"
 "encoding/gob"
 "encoding/json"
+ "errors"
 "fmt"
+ "io/fs"
 "log"
 "runtime/debug"
 "time"
@@ -115,7 +117,7 @@ func (s *Provider) Next(doneChan <-chan struct{}) <-chan [][32]byte {
 
 func (s *Provider) loadSTEK() (distributedSTEK, error) {
 var sg distributedSTEK
- gobBytes, err := s.storage.Load(stekFileName)
+ gobBytes, err := s.storage.Load(s.ctx, stekFileName)
 if err != nil {
 return sg, err // don't wrap, in case error is certmagic.ErrNotExist
 }
@@ -133,7 +135,7 @@ func (s *Provider) storeSTEK(dstek distributedSTEK) error {
 if err != nil {
 return fmt.Errorf("encoding STEK gob: %v", err)
 }
- err = s.storage.Store(stekFileName, buf.Bytes())
+ err = s.storage.Store(s.ctx, stekFileName, buf.Bytes())
 if err != nil {
 return fmt.Errorf("storing STEK gob: %v", err)
 }
@@ -151,11 +153,11 @@ func (s *Provider) getSTEK() (distributedSTEK, error) {
 }
 
 //nolint:errcheck
- defer s.storage.Unlock(stekLockName)
+ defer s.storage.Unlock(s.ctx, stekLockName)
 
 // load the current STEKs from storage
 dstek, err := s.loadSTEK()
- if _, isNotExist := err.(certmagic.ErrNotExist); isNotExist {
+ if errors.Is(err, fs.ErrNotExist) {
 // if there is none, then make some right away
 dstek, err = s.rotateKeys(dstek)
 if err != nil {
diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
index e78996f..ef9d51e 100644
--- a/modules/caddytls/storageloader.go
+++ b/modules/caddytls/storageloader.go
@@ -35,6 +35,8 @@ type StorageLoader struct {
 
 // Reference to the globally configured storage module.
 storage certmagic.Storage
+
+ ctx caddy.Context
 }
 
 // CaddyModule returns the Caddy module information.
@@ -48,6 +50,7 @@ func (StorageLoader) CaddyModule() caddy.ModuleInfo {
 
 // Provision loads the storage module for sl.
 func (sl *StorageLoader) Provision(ctx caddy.Context) error {
 sl.storage = ctx.Storage()
+ sl.ctx = ctx
 return nil
 }
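Review bot: The comment on this hunk's context line `return sg, err // don't wrap, in case error is certmagic.ErrNotExist` is now stale: the getSTEK hunk in the same file replaces the `certmagic.ErrNotExist` type assertion with `errors.Is(err, fs.ErrNotExist)`, so the sentinel the caller looks for is `fs.ErrNotExist`, and wrapping with `%w` would no longer defeat that check. Either update the comment to `// don't wrap with %v: getSTEK checks errors.Is(err, fs.ErrNotExist)` or wrap with `%w` so the storage key appears in the message while the chain survives. loadSTEK's body continues past the hunk.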
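Review bot: `defer s.storage.Unlock(s.ctx, stekLockName)` now releases the lock with the stored context, and the `//nolint:errcheck` above it discards the result; if that context is already cancelled when getSTEK returns (for instance the owning config being torn down during a rotation), a storage backend that honours cancellation could fail to release the lock and nothing would record it. Consider releasing with a short-lived context that is not tied to the module's lifetime, or at least logging the Unlock error so a stale lock is diagnosable. Where `s.ctx` is assigned is not visible in this diff, so whether it can be cancelled while getSTEK is still running is an inference. The rest of getSTEK is outside the hunk.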
@@ -55,11 +58,11 @@ func (sl *StorageLoader) Provision(ctx caddy.Context) error {
 func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
 certs := make([]Certificate, 0, len(sl.Pairs))
 for _, pair := range sl.Pairs {
- certData, err := sl.storage.Load(pair.Certificate)
+ certData, err := sl.storage.Load(sl.ctx, pair.Certificate)
 if err != nil {
 return nil, err
 }
- keyData, err := sl.storage.Load(pair.Key)
+ keyData, err := sl.storage.Load(sl.ctx, pair.Key)
 if err != nil {
 return nil, err
 }
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 31c559c..9fe30fe 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -199,7 +199,7 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 return fmt.Errorf("loading certificates: %v", err)
 }
 for _, cert := range certs {
- err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
+ err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
 if err != nil {
 return fmt.Errorf("caching unmanaged certificate: %v", err)
 }
@@ -336,7 +336,7 @@ func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool {
 for _, iss := range ap.magic.Issuers {
 if am, ok := iss.(acmeCapable); ok {
 iss := am.GetACMEIssuer()
- if certmagic.NewACMEManager(iss.magic, iss.template).HandleHTTPChallenge(w, r) {
+ if certmagic.NewACMEIssuer(iss.magic, iss.template).HandleHTTPChallenge(w, r) {
 return true
 }
 }
diff --git a/modules/caddytls/zerosslissuer.go b/modules/caddytls/zerosslissuer.go
index a8830a0..a75063b 100644
--- a/modules/caddytls/zerosslissuer.go
+++ b/modules/caddytls/zerosslissuer.go
@@ -69,12 +69,12 @@ func (iss *ZeroSSLIssuer) Provision(ctx caddy.Context) error {
 }
 
 // newAccountCallback generates EAB if not already provided. It also sets a valid default contact on the account if not set.
-func (iss *ZeroSSLIssuer) newAccountCallback(ctx context.Context, am *certmagic.ACMEManager, acct acme.Account) (acme.Account, error) {
- if am.ExternalAccount != nil {
+func (iss *ZeroSSLIssuer) newAccountCallback(ctx context.Context, acmeIss *certmagic.ACMEIssuer, acct acme.Account) (acme.Account, error) {
+ if acmeIss.ExternalAccount != nil {
 return acct, nil
 }
 var err error
- am.ExternalAccount, acct, err = iss.generateEABCredentials(ctx, acct)
+ acmeIss.ExternalAccount, acct, err = iss.generateEABCredentials(ctx, acct)
 return acct, err
 }
 
@@ -153,7 +153,7 @@ func (iss *ZeroSSLIssuer) generateEABCredentials(ctx context.Context, acct acme.
 }, acct, nil
 }
 
-// initialize modifies the template for the underlying ACMEManager
+// initialize modifies the template for the underlying ACMEIssuer
 // values by setting the CA endpoint to the ZeroSSL directory and
 // setting the NewAccountFunc callback to one which allows us to
 // generate EAB credentials only if a new account is being made.
-- 
cgit v1.2.3