Archives
/
ncdns
mirror of https://github.com/namecoin/ncdns
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge #46: Apply "gofmt -s"

Browse Source 
cf7518d Travis: Make gotype critical for gometalinter. (JeremyRand)
d058005 Travis: Make gofmt critical for gometalinter. (JeremyRand)
b6cf88d gofmt -s util/util_test.go (JeremyRand)
0da5cd2 gofmt -s util/util.go (JeremyRand)
6e3101e gofmt -s tlsrestrictchromium/tlsrestrict_chromium_tool/main.go (JeremyRand)
e3cd522 gofmt -s tlsrestrictchromium/chromium_test.go (JeremyRand)
2f0e866 gofmt -s tlsrestrictchromium/chromium.go (JeremyRand)
5152222 gofmt -s tlshook/tlshook.go (JeremyRand)
26b4c4c gofmt -s ncdomain/convert.go (JeremyRand)
1fb4007 gofmt -s generate_nmc_cert/main.go (JeremyRand)
53adb64 gofmt -s certinject/file.go (JeremyRand)
f70f23a gofmt -s certinject/cryptoapi_windows.go (JeremyRand)
6557714 gofmt -s certinject/certinject_windows.go (JeremyRand)
b1ab832 gofmt -s certinject_misc.go (JeremyRand)
8ec3281 gofmt -s certdehydrate/certdehydrate_test.go (JeremyRand)
62f0e6a gofmt -s certdehydrate/certdehydrate.go (JeremyRand)
e8feeb3 gofmt -s backend/backend.go (JeremyRand)

Pull request description:

  Based on recommendations from static analysis.

Tree-SHA512: 432d23656e552e93298eab2b3c32cf505aa503639a6cfc9498363b8208b697169392e36247ed029b8d54ddbe4fdfcc2cd36f2497ea22245de3703c95d4edf3b4
pull/51/head
JeremyRand 7 years ago
parent ada23392c6 cf7518de6b
commit 236a432808
No known key found for this signature in database
GPG Key ID: B3F2D165786D6570
16 changed files with 147 additions and 154 deletions
Show Stats Download Patch File Download Diff File

2
.travis/script
Unescape Escape View File

@ -25,11 +25,9 @@ gometalinter.v1 --enable-all \
--disable=errcheck \
--disable=gas \
--disable=gocyclo \
--disable=gofmt \
--disable=goimports \
--disable=golint \
--disable=gosimple \
--disable=gotype \
--disable=ineffassign \
--disable=lll \
--disable=misspell \

4
backend/backend.go
Unescape Escape View File

@ -422,12 +422,12 @@ func (tx *btx) _findNCValue(ncv *ncdomain.Value, isubname, subname string, depth
func (tx *btx) addAnswersUnderNCValueActual(ncv *ncdomain.Value, sn string) (rrs []dns.RR, err error) {
rrs, err = ncv.RRs(nil, dns.Fqdn(tx.qname), dns.Fqdn(tx.basename+"."+tx.rootname))
// TODO: add callback variable "OnValueReferencedFunc" to backend options so that we don't pollute this function with every hook that we want
// might need to add the other attributes of tx, and sn, to the callback variable for flexibility's sake
// This doesn't normally return errors, but any errors during execution will be logged.
tlshook.DomainValueHookTLS(tx.qname, ncv)
return
}

46
certdehydrate/certdehydrate.go
Unescape Escape View File

@ -20,16 +20,16 @@ import "github.com/namecoin/ncdns/x509"
// https://github.com/namecoin/proposals/blob/master/ifa-0003.md
// TODO: add a version field
type DehydratedCertificate struct {
PubkeyB64 string
NotBeforeScaled int64
NotAfterScaled int64
PubkeyB64 string
NotBeforeScaled int64
NotAfterScaled int64
SignatureAlgorithm int64
SignatureB64 string
SignatureB64 string
}
// SerialNumber calculates the certificate serial number according to the
// Dehydrated TLS Certificates specification.
func (dehydrated DehydratedCertificate) SerialNumber(name string) ([]byte, error){
func (dehydrated DehydratedCertificate) SerialNumber(name string) ([]byte, error) {
nameHash := sha256.Sum256([]byte(name))
@ -119,12 +119,12 @@ func ParseDehydratedCert(data interface{}) (*DehydratedCertificate, error) {
return nil, fmt.Errorf("Dehydrated cert signature must be a string")
}
result := DehydratedCertificate {
PubkeyB64: pubkeyB64,
NotBeforeScaled: int64(notBeforeScaled),
NotAfterScaled: int64(notAfterScaled),
SignatureAlgorithm: int64(signatureAlgorithm),
SignatureB64: signatureB64,
result := DehydratedCertificate{
PubkeyB64: pubkeyB64,
NotBeforeScaled: int64(notBeforeScaled),
NotAfterScaled: int64(notAfterScaled),
SignatureAlgorithm: int64(signatureAlgorithm),
SignatureB64: signatureB64,
}
return &result, nil
@ -155,11 +155,11 @@ func DehydrateCert(cert *x509.Certificate) (*DehydratedCertificate, error) {
signatureB64 := base64.StdEncoding.EncodeToString(signatureBytes)
result := DehydratedCertificate{
PubkeyB64: pubkeyB64,
NotBeforeScaled: notBeforeScaled,
NotAfterScaled: notAfterScaled,
SignatureAlgorithm: signatureAlgorithm,
SignatureB64: signatureB64,
PubkeyB64: pubkeyB64,
NotBeforeScaled: notBeforeScaled,
NotAfterScaled: notAfterScaled,
SignatureAlgorithm: signatureAlgorithm,
SignatureB64: signatureB64,
}
return &result, nil
@ -168,7 +168,7 @@ func DehydrateCert(cert *x509.Certificate) (*DehydratedCertificate, error) {
// RehydrateCert converts a dehydrated certificate into a standard x509
// certificate, but does not fill in the domain name or any fields that depend
// on it. The resulting certificate is intended to be used as input to
// FillRehydratedCertTemplate.
// FillRehydratedCertTemplate.
func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error) {
pubkeyBin, err := base64.StdEncoding.DecodeString(dehydrated.PubkeyB64)
@ -198,19 +198,19 @@ func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error)
template := x509.Certificate{
SerialNumber: big.NewInt(1),
NotBefore: notBefore,
NotAfter: notAfter,
NotBefore: notBefore,
NotAfter: notAfter,
// x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template.
//KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
SignatureAlgorithm: signatureAlgorithm,
PublicKey: pubkey,
Signature: signature,
PublicKey: pubkey,
Signature: signature,
}
return &template, nil
@ -222,7 +222,7 @@ func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error)
func FillRehydratedCertTemplate(template x509.Certificate, name string) ([]byte, error) {
template.Subject = pkix.Name{
CommonName: name,
CommonName: name,
SerialNumber: "Namecoin TLS Certificate",
}

17
certdehydrate/certdehydrate_test.go
Unescape Escape View File

@ -1,39 +1,38 @@
package certdehydrate_test
import (
"testing"
"encoding/json"
"reflect"
"github.com/namecoin/ncdns/certdehydrate"
"reflect"
"testing"
)
func TestDehydratedCertIdentityOperation(t *testing.T) {
bytesJson := []byte(`[1, "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/hy1t4jB14ronx6n1m8VQh02jblRfu2cV3/LcyomfVljypUQMGjmuxWNbPI0a3cF6miNOijSCutqTZdb7TLvig==",4944096,5049216,10,"MEQCIGXXk6gYx95vQoknRwiQ4e27I+DXUWkE8L6dmLwAiGncAiBbtEX1nnZINx1YGzT5Fx8SxpjLwNDTUBkq22NpazHLIA=="]`)
var parsedJson []interface{}
if err := json.Unmarshal(bytesJson, &parsedJson); err != nil {
t.Error("Error parsing JSON:", err)
}
dehydrated, err := certdehydrate.ParseDehydratedCert(parsedJson)
if err != nil {
t.Error("Error parsing dehydrated certificate:", err)
}
template, err := certdehydrate.RehydrateCert(dehydrated)
if err != nil {
t.Error("Error rehydrating certificate:", err)
}
dehydrated2, err := certdehydrate.DehydrateCert(template)
if err != nil {
t.Error("Error dehydrating certificate:", err)
}
// Test to make sure that rehydrating and then dehydrating a cert doesn't change it.
if !reflect.DeepEqual(dehydrated, dehydrated2) {
t.Error(dehydrated, "!=", dehydrated2)
}
}

4
certinject/certinject_misc.go
Unescape Escape View File

@ -7,9 +7,9 @@ import "github.com/hlandau/xlog"
var log, Log = xlog.New("ncdns.certinject")
func InjectCert(derBytes []byte) {
}
func CleanCerts() {
}

11
certinject/certinject_windows.go
Unescape Escape View File

@ -1,21 +1,20 @@
package certinject
import (
"gopkg.in/hlandau/easyconfig.v1/cflag"
"github.com/hlandau/xlog"
"gopkg.in/hlandau/easyconfig.v1/cflag"
)
// This package is used to add and remove certificates to the system trust
// This package is used to add and remove certificates to the system trust
// store.
// Currently only supports Windows CryptoAPI.
var log, Log = xlog.New("ncdns.certinject")
var (
flagGroup = cflag.NewGroup(nil, "certstore")
cryptoApiFlag = cflag.Bool(flagGroup, "cryptoapi", false, "Synchronize TLS certs to the CryptoAPI trust store? This enables HTTPS to work with Chromium/Chrome. Only use if you've set up null HPKP in Chromium/Chrome as per documentation. If you haven't set up null HPKP, or if you access ncdns from browsers not based on Chromium or Firefox, this is unsafe and should not be used.")
certExpirePeriod = cflag.Int(flagGroup, "expire", 60 * 30, "Duration (in seconds) after which TLS certs will be removed from the trust store. Making this smaller than the DNS TTL (default 600) may cause TLS errors.")
flagGroup = cflag.NewGroup(nil, "certstore")
cryptoApiFlag = cflag.Bool(flagGroup, "cryptoapi", false, "Synchronize TLS certs to the CryptoAPI trust store? This enables HTTPS to work with Chromium/Chrome. Only use if you've set up null HPKP in Chromium/Chrome as per documentation. If you haven't set up null HPKP, or if you access ncdns from browsers not based on Chromium or Firefox, this is unsafe and should not be used.")
certExpirePeriod = cflag.Int(flagGroup, "expire", 60*30, "Duration (in seconds) after which TLS certs will be removed from the trust store. Making this smaller than the DNS TTL (default 600) may cause TLS errors.")
)
// Injects the given cert into all configured trust stores.

10
certinject/cryptoapi_windows.go
Unescape Escape View File

@ -1,12 +1,12 @@
package certinject
import (
"golang.org/x/sys/windows/registry"
"crypto/sha1"
"encoding/hex"
"fmt"
"strings"
"golang.org/x/sys/windows/registry"
"math"
"strings"
"time"
)
@ -64,7 +64,7 @@ func injectCertCryptoApi(derBytes []byte) {
certLength := len(derBytes)
// Header for a stripped Windows Certificate Registry Blob
certBlobHeader := []byte{0x20, 0, 0, 0, 0x01, 0, 0, 0, byte( (certLength >> 0) & 0xFF), byte( (certLength >> 8) & 0xFF), byte( (certLength >> 16) & 0xFF), byte( (certLength >> 24) & 0xFF) }
certBlobHeader := []byte{0x20, 0, 0, 0, 0x01, 0, 0, 0, byte((certLength >> 0) & 0xFF), byte((certLength >> 8) & 0xFF), byte((certLength >> 16) & 0xFF), byte((certLength >> 24) & 0xFF)}
// Construct the Blob
certBlob := append(certBlobHeader, derBytes...)
@ -99,7 +99,7 @@ func injectCertCryptoApi(derBytes []byte) {
}
defer certKey.Close()
// Add a magic value which indicates that the certificate is a
// Add a magic value which indicates that the certificate is a
// Namecoin cert. This will be used for deleting expired certs.
// However, we have to delete it before we create it, so that we make sure that the "last modified" metadata gets updated.
// If an error occurs during deletion, we ignore it, since it probably just means it wasn't there already.
@ -185,7 +185,7 @@ func checkCertExpiredCryptoApi(certStoreKey registry.Key, subKeyName string) (bo
certKeyModTime := certKeyInfo.ModTime()
// If the cert's last modified timestamp differs too much from the current time in either direction, consider it expired
expired := math.Abs( time.Since(certKeyModTime).Seconds() ) > float64(certExpirePeriod.Value())
expired := math.Abs(time.Since(certKeyModTime).Seconds()) > float64(certExpirePeriod.Value())
return expired, nil
}

2
certinject/file.go
Unescape Escape View File

@ -7,7 +7,7 @@ import (
// Injects a certificate by writing to a file. Might be relevant for non-CryptoAPI trust stores.
func injectCertFile(derBytes []byte, fileName string) {
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
err := ioutil.WriteFile(fileName, pemBytes, 0644)
if err != nil {

64
generate_nmc_cert/main.go
Unescape Escape View File

@ -5,7 +5,7 @@
// Generate a self-signed X.509 certificate for a TLS server. Outputs to
// 'cert.pem' and 'key.pem' and will overwrite existing files.
// This code has been modified from the stock Go code to generate
// This code has been modified from the stock Go code to generate
// "dehydrated certificates", suitable for inclusion in a Namecoin name.
package main
@ -22,12 +22,12 @@ import (
"encoding/pem"
"flag"
"fmt"
"github.com/namecoin/ncdns/certdehydrate"
"github.com/namecoin/ncdns/x509"
"log"
"math/big"
"os"
"time"
"github.com/namecoin/ncdns/certdehydrate"
"github.com/namecoin/ncdns/x509"
)
var (
@ -106,19 +106,19 @@ func main() {
fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err)
os.Exit(1)
}
var notAfter time.Time
notAfter, err = time.Parse("Jan 2 15:04:05 2006", *validTo)
if err != nil {
fmt.Fprintf(os.Stderr, "Failed to parse expiry date: %s\n", err)
os.Exit(1)
}
timestampPrecision := int64(5 * 60)
notBeforeFloored := time.Unix( ( notBefore.Unix() / timestampPrecision ) * timestampPrecision, 0 )
notAfterFloored := time.Unix( ( notAfter.Unix() / timestampPrecision ) * timestampPrecision, 0 )
notBeforeFloored := time.Unix((notBefore.Unix()/timestampPrecision)*timestampPrecision, 0)
notAfterFloored := time.Unix((notAfter.Unix()/timestampPrecision)*timestampPrecision, 0)
// Serial components
pubkeyBytes, err := x509.MarshalPKIXPublicKey(publicKey(priv))
if err != nil {
@ -127,12 +127,12 @@ func main() {
pubkeyB64 := base64.StdEncoding.EncodeToString(pubkeyBytes)
notBeforeScaled := notBeforeFloored.Unix() / timestampPrecision
notAfterScaled := notAfterFloored.Unix() / timestampPrecision
// Calculate serial
serialDehydrated := certdehydrate.DehydratedCertificate {
PubkeyB64: pubkeyB64,
serialDehydrated := certdehydrate.DehydratedCertificate{
PubkeyB64: pubkeyB64,
NotBeforeScaled: notBeforeScaled,
NotAfterScaled: notAfterScaled,
NotAfterScaled: notAfterScaled,
}
serialNumber := big.NewInt(1)
serialNumberBytes, err := serialDehydrated.SerialNumber(*host)
@ -144,7 +144,7 @@ func main() {
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: *host,
CommonName: *host,
SerialNumber: "Namecoin TLS Certificate",
},
NotBefore: notBeforeFloored,
@ -152,7 +152,7 @@ func main() {
// x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template.
//KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
@ -180,38 +180,38 @@ func main() {
pem.Encode(keyOut, pemBlockForKey(priv))
keyOut.Close()
log.Print("written key.pem\n")
parsedResult, err := x509.ParseCertificate(derBytes)
if err != nil {
log.Fatal("failed to parse output cert: ", err)
}
dehydrated, err := certdehydrate.DehydrateCert(parsedResult)
if err != nil {
log.Fatal("failed to dehydrate result cert: ", err)
}
rehydrated, err := certdehydrate.RehydrateCert(dehydrated)
if err != nil {
log.Fatal("failed to rehydrate result cert: ", err)
}
rehydratedDerBytes, err := certdehydrate.FillRehydratedCertTemplate(*rehydrated, *host)
if err != nil {
log.Fatal("failed to fill rehydrated result cert: ", err)
}
if ! bytes.Equal(derBytes, rehydratedDerBytes) {
if !bytes.Equal(derBytes, rehydratedDerBytes) {
log.Fatal("ERROR: The cert did not rehydrate to an identical form. This is a bug; do not use the generated certificate.")
}
log.Print("Your Namecoin cert is: {\"d8\":", dehydrated, "}")
log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name.");
log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name.")
if len(*falseHost) > 0 {
var falsePriv interface{}
switch *ecdsaCurve {
case "P224":
falsePriv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
@ -228,32 +228,32 @@ func main() {
if err != nil {
log.Fatalf("failed to generate false private key: %s", err)
}
falseSerialNumber := big.NewInt(2)
falseTemplate := x509.Certificate{
SerialNumber: falseSerialNumber,
Subject: pkix.Name{
CommonName: *falseHost,
CommonName: *falseHost,
SerialNumber: "Namecoin TLS Certificate",
},
NotBefore: notBefore,
NotAfter: notAfter,
// x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template.
//KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
falseTemplate.DNSNames = append(falseTemplate.DNSNames, *falseHost)
falseDerBytes, err := x509.CreateCertificate(rand.Reader, &falseTemplate, &template, publicKey(falsePriv), priv)
if err != nil {
log.Fatalf("Failed to create false certificate: %s", err)
}
falseCertOut, err := os.Create("falseCert.pem")
if err != nil {
log.Fatalf("failed to open falseCert.pem for writing: %s", err)
@ -261,7 +261,7 @@ func main() {
pem.Encode(falseCertOut, &pem.Block{Type: "CERTIFICATE", Bytes: falseDerBytes})
falseCertOut.Close()
log.Print("written falseCert.pem\n")
falseKeyOut, err := os.OpenFile("falseKey.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
log.Print("failed to open falseKey.pem for writing:", err)

52
ncdomain/convert.go
Unescape Escape View File

@ -31,21 +31,21 @@ const defaultTTL = 600
// Therefore when qualifying names in a Value yourself you must check if the
// input string is "=" and if so, replace it with "" first.
type Value struct {
IP []net.IP
IP6 []net.IP
NS []string
Alias string
HasAlias bool // True if Alias was specified. Necessary as "" is a valid relative alias.
Translate string
HasTranslate bool // True if Translate was specified. Necessary as "" is a valid relative value for Translate.
DS []*dns.DS
TXT [][]string
SRV []*dns.SRV
Hostmaster string // "hostmaster@example.com"
MX []*dns.MX // header name is left blank
TLSA []*dns.TLSA
IP []net.IP
IP6 []net.IP
NS []string
Alias string
HasAlias bool // True if Alias was specified. Necessary as "" is a valid relative alias.
Translate string
HasTranslate bool // True if Translate was specified. Necessary as "" is a valid relative value for Translate.
DS []*dns.DS
TXT [][]string
SRV []*dns.SRV
Hostmaster string // "hostmaster@example.com"
MX []*dns.MX // header name is left blank
TLSA []*dns.TLSA
TLSAGenerated []x509.Certificate // Certs can be dehydrated in the blockchain, they will be put here without SAN values. SAN must be filled in before use.
Map map[string]*Value // may contain and "*", will not contain ""
Map map[string]*Value // may contain and "*", will not contain ""
// set if the value is at the top level (alas necessary for relname interpretation)
IsTopLevel bool
@ -249,28 +249,26 @@ func (v *Value) appendSRVs(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, e
return out, nil
}
func (v *Value) appendTLSA(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, error) {
for _, tlsa := range v.TLSA {
out = append(out, tlsa)
}
for _, cert := range v.TLSAGenerated {
template := cert
_, nameNoPort := util.SplitDomainTail(suffix)
_, nameNoPortOrProtocol := util.SplitDomainTail(nameNoPort)
derBytes, err := certdehydrate.FillRehydratedCertTemplate(template, nameNoPortOrProtocol)
if err != nil {
// TODO: add debug output here
continue
}
derBytesHex := hex.EncodeToString(derBytes)
out = append(out, &dns.TLSA{
Hdr: dns.RR_Header{Name: suffix, Rrtype: dns.TypeTLSA, Class: dns.ClassINET,
Ttl: defaultTTL},
@ -279,9 +277,9 @@ func (v *Value) appendTLSA(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, e
MatchingType: uint8(0),
Certificate: strings.ToUpper(derBytesHex),
})
}
return out, nil
}
@ -854,14 +852,14 @@ func parseTLSADehydrated(tlsa1dehydrated interface{}, v *Value) error {
if err != nil {
return fmt.Errorf("Error parsing dehydrated certificate: %s", err)
}
template, err := certdehydrate.RehydrateCert(dehydrated)
if err != nil {
return fmt.Errorf("Error rehydrating certificate: %s", err)
}
v.TLSAGenerated = append(v.TLSAGenerated, *template)
return nil
}
@ -927,7 +925,7 @@ func parseTLSA(rv map[string]interface{}, v *Value, errFunc ErrorFunc) {
var tlsa1m map[string]interface{}
if _, ok := tlsa1.([]interface{}); ok {
tlsa1m = map[string]interface{} {
tlsa1m = map[string]interface{}{
"dane": tlsa1,
}
} else {

35
tlshook/tlshook.go
Unescape Escape View File

@ -1,58 +1,57 @@
package tlshook
import (
"github.com/hlandau/xlog"
"github.com/namecoin/ncdns/certdehydrate"
"github.com/namecoin/ncdns/certinject"
"github.com/namecoin/ncdns/ncdomain"
"github.com/hlandau/xlog"
)
var log, Log = xlog.New("ncdns.tlshook")
func DomainValueHookTLS(qname string, ncv *ncdomain.Value) (err error) {
log.Info("Intercepted a Value for ", qname)
if protocol, ok := ncv.Map["_tcp"]; ok { // TODO: look into allowing non-TCP protocols
log.Info("Saw a request with TCP")
if port, ok := protocol.Map["_443"]; ok { // TODO: check all ports, not just 443
log.Info("Saw a request with TCP port 443")
// For dehydrated certificates
if len(port.TLSAGenerated) > 0 {
log.Info("Just saw a TLS port 443 capable domain request for ", qname, "!")
for index, cert := range port.TLSAGenerated {
log.Info("Using dehydrated certificate # ", index)
template := cert
var derBytes []byte
derBytes, err = certdehydrate.FillRehydratedCertTemplate(template, qname)
if err != nil {
log.Info("Failed to create certificate: ", err)
continue
}
// TODO: check return value
certinject.InjectCert(derBytes)
}
}
// TODO: support non-dehydrated certificates
}
}
// remove any certs that aren't valid anymore
certinject.CleanCerts()
err = nil
return
}
}

8
tlsrestrictchromium/chromium.go
Unescape Escape View File

@ -1,13 +1,13 @@
package tlsrestrictchromium
import (
"crypto/sha256"
"encoding/base64"
"math/big"
"github.com/miekg/dns"
"encoding/hex"
"fmt"
"encoding/json"
"crypto/sha256"
"fmt"
"github.com/miekg/dns"
"math/big"
)
// DNSHash converts an FQDN to DNS wire format, takes the SHA256 of it, and

2
tlsrestrictchromium/chromium_test.go
Unescape Escape View File

@ -1,8 +1,8 @@
package tlsrestrictchromium_test
import (
"testing"
"github.com/namecoin/ncdns/tlsrestrictchromium"
"testing"
)
func TestDnsHash(t *testing.T) {

6
tlsrestrictchromium/tlsrestrict_chromium_tool/main.go
Unescape Escape View File

@ -1,12 +1,12 @@
package main
import (
"gopkg.in/hlandau/easyconfig.v1/cflag"
"encoding/json"
"github.com/namecoin/ncdns/tlsrestrictchromium"
"gopkg.in/hlandau/easyconfig.v1"
"gopkg.in/hlandau/easyconfig.v1/cflag"
"io/ioutil"
"encoding/json"
"log"
"github.com/namecoin/ncdns/tlsrestrictchromium"
)
var (

2
util/util.go
Unescape Escape View File

@ -79,7 +79,7 @@ func SplitDomainByFloatingAnchor(qname, anchor string) (subname, basename, rootn
return
}
rootname = strings.Join(parts[i:len(parts)], ".")
rootname = strings.Join(parts[i:], ".")
basename = parts[i-1]
subname = strings.Join(parts[0:i-1], ".")
return

36
util/util_test.go
Unescape Escape View File

@ -13,13 +13,13 @@ type item struct {
}
var items = []item{
item{"", "", "", "", ""},
item{"a", "a", "", "a", ""},
item{"alpha", "alpha", "", "alpha", ""},
item{"alpha.beta", "beta", "alpha", "alpha", "beta"},
item{"alpha.beta.gamma", "gamma", "alpha.beta", "alpha", "beta.gamma"},
item{"alpha.beta.gamma.delta", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta"},
item{"alpha.beta.gamma.delta.", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta."},
{"", "", "", "", ""},
{"a", "a", "", "a", ""},
{"alpha", "alpha", "", "alpha", ""},
{"alpha.beta", "beta", "alpha", "alpha", "beta"},
{"alpha.beta.gamma", "gamma", "alpha.beta", "alpha", "beta.gamma"},
{"alpha.beta.gamma.delta", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta"},
{"alpha.beta.gamma.delta.", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta."},
}
func TestSplitDomainHead(t *testing.T) {
@ -51,17 +51,17 @@ type aitem struct {
}
var aitems = []aitem{
aitem{"", "bit", "", "", "", merr.ErrNotInZone},
aitem{".", "bit", "", "", "", merr.ErrNotInZone},
aitem{"d.", "bit", "", "", "", merr.ErrNotInZone},
aitem{"a.b.c.d.", "bit", "", "", "", merr.ErrNotInZone},
aitem{"a.b.c.d.bit.", "bit", "a.b.c", "d", "bit", nil},
aitem{"d.bit.", "bit", "", "d", "bit", nil},
aitem{"bit.", "bit", "", "", "bit", nil},
aitem{"bit.x.y.z.", "bit", "", "", "bit.x.y.z", nil},
aitem{"d.bit.x.y.z.", "bit", "", "d", "bit.x.y.z", nil},
aitem{"c.d.bit.x.y.z.", "bit", "c", "d", "bit.x.y.z", nil},
aitem{"a.b.c.d.bit.x.y.z.", "bit", "a.b.c", "d", "bit.x.y.z", nil},
{"", "bit", "", "", "", merr.ErrNotInZone},
{".", "bit", "", "", "", merr.ErrNotInZone},
{"d.", "bit", "", "", "", merr.ErrNotInZone},
{"a.b.c.d.", "bit", "", "", "", merr.ErrNotInZone},
{"a.b.c.d.bit.", "bit", "a.b.c", "d", "bit", nil},
{"d.bit.", "bit", "", "d", "bit", nil},
{"bit.", "bit", "", "", "bit", nil},
{"bit.x.y.z.", "bit", "", "", "bit.x.y.z", nil},
{"d.bit.x.y.z.", "bit", "", "d", "bit.x.y.z", nil},
{"c.d.bit.x.y.z.", "bit", "c", "d", "bit.x.y.z", nil},
{"a.b.c.d.bit.x.y.z.", "bit", "a.b.c", "d", "bit.x.y.z", nil},
}
func TestSplitDomainByFloatingAnchor(t *testing.T) {

Write Preview
Loading…
Cancel
Save