diff --git a/.travis/script b/.travis/script index 0cac64c..5e6ca41 100644 --- a/.travis/script +++ b/.travis/script @@ -25,11 +25,9 @@ gometalinter.v1 --enable-all \ --disable=errcheck \ --disable=gas \ --disable=gocyclo \ ---disable=gofmt \ --disable=goimports \ --disable=golint \ --disable=gosimple \ ---disable=gotype \ --disable=ineffassign \ --disable=lll \ --disable=misspell \ diff --git a/backend/backend.go b/backend/backend.go index b472e3d..1b76292 100644 --- a/backend/backend.go +++ b/backend/backend.go @@ -422,12 +422,12 @@ func (tx *btx) _findNCValue(ncv *ncdomain.Value, isubname, subname string, depth func (tx *btx) addAnswersUnderNCValueActual(ncv *ncdomain.Value, sn string) (rrs []dns.RR, err error) { rrs, err = ncv.RRs(nil, dns.Fqdn(tx.qname), dns.Fqdn(tx.basename+"."+tx.rootname)) - + // TODO: add callback variable "OnValueReferencedFunc" to backend options so that we don't pollute this function with every hook that we want // might need to add the other attributes of tx, and sn, to the callback variable for flexibility's sake // This doesn't normally return errors, but any errors during execution will be logged. tlshook.DomainValueHookTLS(tx.qname, ncv) - + return } diff --git a/certdehydrate/certdehydrate.go b/certdehydrate/certdehydrate.go index 76d9ba9..7edaa5f 100644 --- a/certdehydrate/certdehydrate.go +++ b/certdehydrate/certdehydrate.go @@ -20,16 +20,16 @@ import "github.com/namecoin/ncdns/x509" // https://github.com/namecoin/proposals/blob/master/ifa-0003.md // TODO: add a version field type DehydratedCertificate struct { - PubkeyB64 string - NotBeforeScaled int64 - NotAfterScaled int64 + PubkeyB64 string + NotBeforeScaled int64 + NotAfterScaled int64 SignatureAlgorithm int64 - SignatureB64 string + SignatureB64 string } // SerialNumber calculates the certificate serial number according to the // Dehydrated TLS Certificates specification. -func (dehydrated DehydratedCertificate) SerialNumber(name string) ([]byte, error){ +func (dehydrated DehydratedCertificate) SerialNumber(name string) ([]byte, error) { nameHash := sha256.Sum256([]byte(name)) @@ -119,12 +119,12 @@ func ParseDehydratedCert(data interface{}) (*DehydratedCertificate, error) { return nil, fmt.Errorf("Dehydrated cert signature must be a string") } - result := DehydratedCertificate { - PubkeyB64: pubkeyB64, - NotBeforeScaled: int64(notBeforeScaled), - NotAfterScaled: int64(notAfterScaled), - SignatureAlgorithm: int64(signatureAlgorithm), - SignatureB64: signatureB64, + result := DehydratedCertificate{ + PubkeyB64: pubkeyB64, + NotBeforeScaled: int64(notBeforeScaled), + NotAfterScaled: int64(notAfterScaled), + SignatureAlgorithm: int64(signatureAlgorithm), + SignatureB64: signatureB64, } return &result, nil @@ -155,11 +155,11 @@ func DehydrateCert(cert *x509.Certificate) (*DehydratedCertificate, error) { signatureB64 := base64.StdEncoding.EncodeToString(signatureBytes) result := DehydratedCertificate{ - PubkeyB64: pubkeyB64, - NotBeforeScaled: notBeforeScaled, - NotAfterScaled: notAfterScaled, - SignatureAlgorithm: signatureAlgorithm, - SignatureB64: signatureB64, + PubkeyB64: pubkeyB64, + NotBeforeScaled: notBeforeScaled, + NotAfterScaled: notAfterScaled, + SignatureAlgorithm: signatureAlgorithm, + SignatureB64: signatureB64, } return &result, nil @@ -168,7 +168,7 @@ func DehydrateCert(cert *x509.Certificate) (*DehydratedCertificate, error) { // RehydrateCert converts a dehydrated certificate into a standard x509 // certificate, but does not fill in the domain name or any fields that depend // on it. The resulting certificate is intended to be used as input to -// FillRehydratedCertTemplate. +// FillRehydratedCertTemplate. func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error) { pubkeyBin, err := base64.StdEncoding.DecodeString(dehydrated.PubkeyB64) @@ -198,19 +198,19 @@ func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error) template := x509.Certificate{ SerialNumber: big.NewInt(1), - NotBefore: notBefore, - NotAfter: notAfter, + NotBefore: notBefore, + NotAfter: notAfter, // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - KeyUsage: x509.KeyUsageDigitalSignature, + KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, SignatureAlgorithm: signatureAlgorithm, - PublicKey: pubkey, - Signature: signature, + PublicKey: pubkey, + Signature: signature, } return &template, nil @@ -222,7 +222,7 @@ func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error) func FillRehydratedCertTemplate(template x509.Certificate, name string) ([]byte, error) { template.Subject = pkix.Name{ - CommonName: name, + CommonName: name, SerialNumber: "Namecoin TLS Certificate", } diff --git a/certdehydrate/certdehydrate_test.go b/certdehydrate/certdehydrate_test.go index 5377879..efbba9e 100644 --- a/certdehydrate/certdehydrate_test.go +++ b/certdehydrate/certdehydrate_test.go @@ -1,39 +1,38 @@ package certdehydrate_test import ( - "testing" "encoding/json" - "reflect" "github.com/namecoin/ncdns/certdehydrate" + "reflect" + "testing" ) func TestDehydratedCertIdentityOperation(t *testing.T) { bytesJson := []byte(`[1, "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/hy1t4jB14ronx6n1m8VQh02jblRfu2cV3/LcyomfVljypUQMGjmuxWNbPI0a3cF6miNOijSCutqTZdb7TLvig==",4944096,5049216,10,"MEQCIGXXk6gYx95vQoknRwiQ4e27I+DXUWkE8L6dmLwAiGncAiBbtEX1nnZINx1YGzT5Fx8SxpjLwNDTUBkq22NpazHLIA=="]`) - + var parsedJson []interface{} - + if err := json.Unmarshal(bytesJson, &parsedJson); err != nil { t.Error("Error parsing JSON:", err) } - + dehydrated, err := certdehydrate.ParseDehydratedCert(parsedJson) if err != nil { t.Error("Error parsing dehydrated certificate:", err) } - + template, err := certdehydrate.RehydrateCert(dehydrated) if err != nil { t.Error("Error rehydrating certificate:", err) } - + dehydrated2, err := certdehydrate.DehydrateCert(template) if err != nil { t.Error("Error dehydrating certificate:", err) } - + // Test to make sure that rehydrating and then dehydrating a cert doesn't change it. if !reflect.DeepEqual(dehydrated, dehydrated2) { t.Error(dehydrated, "!=", dehydrated2) } } - diff --git a/certinject/certinject_misc.go b/certinject/certinject_misc.go index d2d4e4c..ff40bc5 100644 --- a/certinject/certinject_misc.go +++ b/certinject/certinject_misc.go @@ -7,9 +7,9 @@ import "github.com/hlandau/xlog" var log, Log = xlog.New("ncdns.certinject") func InjectCert(derBytes []byte) { - + } func CleanCerts() { - + } diff --git a/certinject/certinject_windows.go b/certinject/certinject_windows.go index 2764a4f..8811560 100644 --- a/certinject/certinject_windows.go +++ b/certinject/certinject_windows.go @@ -1,21 +1,20 @@ package certinject import ( - "gopkg.in/hlandau/easyconfig.v1/cflag" "github.com/hlandau/xlog" + "gopkg.in/hlandau/easyconfig.v1/cflag" ) - -// This package is used to add and remove certificates to the system trust +// This package is used to add and remove certificates to the system trust // store. // Currently only supports Windows CryptoAPI. var log, Log = xlog.New("ncdns.certinject") var ( - flagGroup = cflag.NewGroup(nil, "certstore") - cryptoApiFlag = cflag.Bool(flagGroup, "cryptoapi", false, "Synchronize TLS certs to the CryptoAPI trust store? This enables HTTPS to work with Chromium/Chrome. Only use if you've set up null HPKP in Chromium/Chrome as per documentation. If you haven't set up null HPKP, or if you access ncdns from browsers not based on Chromium or Firefox, this is unsafe and should not be used.") - certExpirePeriod = cflag.Int(flagGroup, "expire", 60 * 30, "Duration (in seconds) after which TLS certs will be removed from the trust store. Making this smaller than the DNS TTL (default 600) may cause TLS errors.") + flagGroup = cflag.NewGroup(nil, "certstore") + cryptoApiFlag = cflag.Bool(flagGroup, "cryptoapi", false, "Synchronize TLS certs to the CryptoAPI trust store? This enables HTTPS to work with Chromium/Chrome. Only use if you've set up null HPKP in Chromium/Chrome as per documentation. If you haven't set up null HPKP, or if you access ncdns from browsers not based on Chromium or Firefox, this is unsafe and should not be used.") + certExpirePeriod = cflag.Int(flagGroup, "expire", 60*30, "Duration (in seconds) after which TLS certs will be removed from the trust store. Making this smaller than the DNS TTL (default 600) may cause TLS errors.") ) // Injects the given cert into all configured trust stores. diff --git a/certinject/cryptoapi_windows.go b/certinject/cryptoapi_windows.go index 3ae044a..5451e50 100644 --- a/certinject/cryptoapi_windows.go +++ b/certinject/cryptoapi_windows.go @@ -1,12 +1,12 @@ package certinject import ( - "golang.org/x/sys/windows/registry" "crypto/sha1" "encoding/hex" "fmt" - "strings" + "golang.org/x/sys/windows/registry" "math" + "strings" "time" ) @@ -64,7 +64,7 @@ func injectCertCryptoApi(derBytes []byte) { certLength := len(derBytes) // Header for a stripped Windows Certificate Registry Blob - certBlobHeader := []byte{0x20, 0, 0, 0, 0x01, 0, 0, 0, byte( (certLength >> 0) & 0xFF), byte( (certLength >> 8) & 0xFF), byte( (certLength >> 16) & 0xFF), byte( (certLength >> 24) & 0xFF) } + certBlobHeader := []byte{0x20, 0, 0, 0, 0x01, 0, 0, 0, byte((certLength >> 0) & 0xFF), byte((certLength >> 8) & 0xFF), byte((certLength >> 16) & 0xFF), byte((certLength >> 24) & 0xFF)} // Construct the Blob certBlob := append(certBlobHeader, derBytes...) @@ -99,7 +99,7 @@ func injectCertCryptoApi(derBytes []byte) { } defer certKey.Close() - // Add a magic value which indicates that the certificate is a + // Add a magic value which indicates that the certificate is a // Namecoin cert. This will be used for deleting expired certs. // However, we have to delete it before we create it, so that we make sure that the "last modified" metadata gets updated. // If an error occurs during deletion, we ignore it, since it probably just means it wasn't there already. @@ -185,7 +185,7 @@ func checkCertExpiredCryptoApi(certStoreKey registry.Key, subKeyName string) (bo certKeyModTime := certKeyInfo.ModTime() // If the cert's last modified timestamp differs too much from the current time in either direction, consider it expired - expired := math.Abs( time.Since(certKeyModTime).Seconds() ) > float64(certExpirePeriod.Value()) + expired := math.Abs(time.Since(certKeyModTime).Seconds()) > float64(certExpirePeriod.Value()) return expired, nil } diff --git a/certinject/file.go b/certinject/file.go index 33d9b16..cb97609 100644 --- a/certinject/file.go +++ b/certinject/file.go @@ -7,7 +7,7 @@ import ( // Injects a certificate by writing to a file. Might be relevant for non-CryptoAPI trust stores. func injectCertFile(derBytes []byte, fileName string) { - + pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) err := ioutil.WriteFile(fileName, pemBytes, 0644) if err != nil { diff --git a/generate_nmc_cert/main.go b/generate_nmc_cert/main.go index 5665815..3db2284 100644 --- a/generate_nmc_cert/main.go +++ b/generate_nmc_cert/main.go @@ -5,7 +5,7 @@ // Generate a self-signed X.509 certificate for a TLS server. Outputs to // 'cert.pem' and 'key.pem' and will overwrite existing files. -// This code has been modified from the stock Go code to generate +// This code has been modified from the stock Go code to generate // "dehydrated certificates", suitable for inclusion in a Namecoin name. package main @@ -22,12 +22,12 @@ import ( "encoding/pem" "flag" "fmt" + "github.com/namecoin/ncdns/certdehydrate" + "github.com/namecoin/ncdns/x509" "log" "math/big" "os" "time" - "github.com/namecoin/ncdns/certdehydrate" - "github.com/namecoin/ncdns/x509" ) var ( @@ -106,19 +106,19 @@ func main() { fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err) os.Exit(1) } - + var notAfter time.Time notAfter, err = time.Parse("Jan 2 15:04:05 2006", *validTo) if err != nil { fmt.Fprintf(os.Stderr, "Failed to parse expiry date: %s\n", err) os.Exit(1) } - + timestampPrecision := int64(5 * 60) - - notBeforeFloored := time.Unix( ( notBefore.Unix() / timestampPrecision ) * timestampPrecision, 0 ) - notAfterFloored := time.Unix( ( notAfter.Unix() / timestampPrecision ) * timestampPrecision, 0 ) - + + notBeforeFloored := time.Unix((notBefore.Unix()/timestampPrecision)*timestampPrecision, 0) + notAfterFloored := time.Unix((notAfter.Unix()/timestampPrecision)*timestampPrecision, 0) + // Serial components pubkeyBytes, err := x509.MarshalPKIXPublicKey(publicKey(priv)) if err != nil { @@ -127,12 +127,12 @@ func main() { pubkeyB64 := base64.StdEncoding.EncodeToString(pubkeyBytes) notBeforeScaled := notBeforeFloored.Unix() / timestampPrecision notAfterScaled := notAfterFloored.Unix() / timestampPrecision - + // Calculate serial - serialDehydrated := certdehydrate.DehydratedCertificate { - PubkeyB64: pubkeyB64, + serialDehydrated := certdehydrate.DehydratedCertificate{ + PubkeyB64: pubkeyB64, NotBeforeScaled: notBeforeScaled, - NotAfterScaled: notAfterScaled, + NotAfterScaled: notAfterScaled, } serialNumber := big.NewInt(1) serialNumberBytes, err := serialDehydrated.SerialNumber(*host) @@ -144,7 +144,7 @@ func main() { template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ - CommonName: *host, + CommonName: *host, SerialNumber: "Namecoin TLS Certificate", }, NotBefore: notBeforeFloored, @@ -152,7 +152,7 @@ func main() { // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - KeyUsage: x509.KeyUsageDigitalSignature, + KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } @@ -180,38 +180,38 @@ func main() { pem.Encode(keyOut, pemBlockForKey(priv)) keyOut.Close() log.Print("written key.pem\n") - + parsedResult, err := x509.ParseCertificate(derBytes) if err != nil { log.Fatal("failed to parse output cert: ", err) } - + dehydrated, err := certdehydrate.DehydrateCert(parsedResult) if err != nil { log.Fatal("failed to dehydrate result cert: ", err) } - + rehydrated, err := certdehydrate.RehydrateCert(dehydrated) if err != nil { log.Fatal("failed to rehydrate result cert: ", err) } - + rehydratedDerBytes, err := certdehydrate.FillRehydratedCertTemplate(*rehydrated, *host) if err != nil { log.Fatal("failed to fill rehydrated result cert: ", err) } - - if ! bytes.Equal(derBytes, rehydratedDerBytes) { + + if !bytes.Equal(derBytes, rehydratedDerBytes) { log.Fatal("ERROR: The cert did not rehydrate to an identical form. This is a bug; do not use the generated certificate.") } - + log.Print("Your Namecoin cert is: {\"d8\":", dehydrated, "}") - log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name."); + log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name.") if len(*falseHost) > 0 { var falsePriv interface{} - + switch *ecdsaCurve { case "P224": falsePriv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader) @@ -228,32 +228,32 @@ func main() { if err != nil { log.Fatalf("failed to generate false private key: %s", err) } - + falseSerialNumber := big.NewInt(2) falseTemplate := x509.Certificate{ SerialNumber: falseSerialNumber, Subject: pkix.Name{ - CommonName: *falseHost, + CommonName: *falseHost, SerialNumber: "Namecoin TLS Certificate", }, NotBefore: notBefore, NotAfter: notAfter, - + // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - KeyUsage: x509.KeyUsageDigitalSignature, + KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } - + falseTemplate.DNSNames = append(falseTemplate.DNSNames, *falseHost) - + falseDerBytes, err := x509.CreateCertificate(rand.Reader, &falseTemplate, &template, publicKey(falsePriv), priv) if err != nil { log.Fatalf("Failed to create false certificate: %s", err) } - + falseCertOut, err := os.Create("falseCert.pem") if err != nil { log.Fatalf("failed to open falseCert.pem for writing: %s", err) @@ -261,7 +261,7 @@ func main() { pem.Encode(falseCertOut, &pem.Block{Type: "CERTIFICATE", Bytes: falseDerBytes}) falseCertOut.Close() log.Print("written falseCert.pem\n") - + falseKeyOut, err := os.OpenFile("falseKey.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) if err != nil { log.Print("failed to open falseKey.pem for writing:", err) diff --git a/ncdomain/convert.go b/ncdomain/convert.go index 941450f..6f0a1ce 100644 --- a/ncdomain/convert.go +++ b/ncdomain/convert.go @@ -31,21 +31,21 @@ const defaultTTL = 600 // Therefore when qualifying names in a Value yourself you must check if the // input string is "=" and if so, replace it with "" first. type Value struct { - IP []net.IP - IP6 []net.IP - NS []string - Alias string - HasAlias bool // True if Alias was specified. Necessary as "" is a valid relative alias. - Translate string - HasTranslate bool // True if Translate was specified. Necessary as "" is a valid relative value for Translate. - DS []*dns.DS - TXT [][]string - SRV []*dns.SRV - Hostmaster string // "hostmaster@example.com" - MX []*dns.MX // header name is left blank - TLSA []*dns.TLSA + IP []net.IP + IP6 []net.IP + NS []string + Alias string + HasAlias bool // True if Alias was specified. Necessary as "" is a valid relative alias. + Translate string + HasTranslate bool // True if Translate was specified. Necessary as "" is a valid relative value for Translate. + DS []*dns.DS + TXT [][]string + SRV []*dns.SRV + Hostmaster string // "hostmaster@example.com" + MX []*dns.MX // header name is left blank + TLSA []*dns.TLSA TLSAGenerated []x509.Certificate // Certs can be dehydrated in the blockchain, they will be put here without SAN values. SAN must be filled in before use. - Map map[string]*Value // may contain and "*", will not contain "" + Map map[string]*Value // may contain and "*", will not contain "" // set if the value is at the top level (alas necessary for relname interpretation) IsTopLevel bool @@ -249,28 +249,26 @@ func (v *Value) appendSRVs(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, e return out, nil } - - func (v *Value) appendTLSA(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, error) { for _, tlsa := range v.TLSA { out = append(out, tlsa) } for _, cert := range v.TLSAGenerated { - + template := cert - + _, nameNoPort := util.SplitDomainTail(suffix) _, nameNoPortOrProtocol := util.SplitDomainTail(nameNoPort) - + derBytes, err := certdehydrate.FillRehydratedCertTemplate(template, nameNoPortOrProtocol) if err != nil { // TODO: add debug output here continue } - + derBytesHex := hex.EncodeToString(derBytes) - + out = append(out, &dns.TLSA{ Hdr: dns.RR_Header{Name: suffix, Rrtype: dns.TypeTLSA, Class: dns.ClassINET, Ttl: defaultTTL}, @@ -279,9 +277,9 @@ func (v *Value) appendTLSA(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, e MatchingType: uint8(0), Certificate: strings.ToUpper(derBytesHex), }) - + } - + return out, nil } @@ -854,14 +852,14 @@ func parseTLSADehydrated(tlsa1dehydrated interface{}, v *Value) error { if err != nil { return fmt.Errorf("Error parsing dehydrated certificate: %s", err) } - + template, err := certdehydrate.RehydrateCert(dehydrated) if err != nil { return fmt.Errorf("Error rehydrating certificate: %s", err) } - + v.TLSAGenerated = append(v.TLSAGenerated, *template) - + return nil } @@ -927,7 +925,7 @@ func parseTLSA(rv map[string]interface{}, v *Value, errFunc ErrorFunc) { var tlsa1m map[string]interface{} if _, ok := tlsa1.([]interface{}); ok { - tlsa1m = map[string]interface{} { + tlsa1m = map[string]interface{}{ "dane": tlsa1, } } else { diff --git a/tlshook/tlshook.go b/tlshook/tlshook.go index 88ca979..a911f7b 100644 --- a/tlshook/tlshook.go +++ b/tlshook/tlshook.go @@ -1,58 +1,57 @@ package tlshook import ( + "github.com/hlandau/xlog" "github.com/namecoin/ncdns/certdehydrate" "github.com/namecoin/ncdns/certinject" "github.com/namecoin/ncdns/ncdomain" - "github.com/hlandau/xlog" ) var log, Log = xlog.New("ncdns.tlshook") func DomainValueHookTLS(qname string, ncv *ncdomain.Value) (err error) { - + log.Info("Intercepted a Value for ", qname) if protocol, ok := ncv.Map["_tcp"]; ok { // TODO: look into allowing non-TCP protocols log.Info("Saw a request with TCP") if port, ok := protocol.Map["_443"]; ok { // TODO: check all ports, not just 443 log.Info("Saw a request with TCP port 443") - - + // For dehydrated certificates if len(port.TLSAGenerated) > 0 { - + log.Info("Just saw a TLS port 443 capable domain request for ", qname, "!") - + for index, cert := range port.TLSAGenerated { - + log.Info("Using dehydrated certificate # ", index) - + template := cert - + var derBytes []byte - + derBytes, err = certdehydrate.FillRehydratedCertTemplate(template, qname) if err != nil { log.Info("Failed to create certificate: ", err) continue } - + // TODO: check return value certinject.InjectCert(derBytes) - + } - + } - + // TODO: support non-dehydrated certificates } } - + // remove any certs that aren't valid anymore certinject.CleanCerts() - + err = nil - + return -} \ No newline at end of file +} diff --git a/tlsrestrictchromium/chromium.go b/tlsrestrictchromium/chromium.go index b53a90b..2d54794 100644 --- a/tlsrestrictchromium/chromium.go +++ b/tlsrestrictchromium/chromium.go @@ -1,13 +1,13 @@ package tlsrestrictchromium import ( + "crypto/sha256" "encoding/base64" - "math/big" - "github.com/miekg/dns" "encoding/hex" - "fmt" "encoding/json" - "crypto/sha256" + "fmt" + "github.com/miekg/dns" + "math/big" ) // DNSHash converts an FQDN to DNS wire format, takes the SHA256 of it, and diff --git a/tlsrestrictchromium/chromium_test.go b/tlsrestrictchromium/chromium_test.go index 9d0df66..373f294 100644 --- a/tlsrestrictchromium/chromium_test.go +++ b/tlsrestrictchromium/chromium_test.go @@ -1,8 +1,8 @@ package tlsrestrictchromium_test import ( - "testing" "github.com/namecoin/ncdns/tlsrestrictchromium" + "testing" ) func TestDnsHash(t *testing.T) { diff --git a/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go b/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go index b699410..f043a23 100644 --- a/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go +++ b/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go @@ -1,12 +1,12 @@ package main import ( - "gopkg.in/hlandau/easyconfig.v1/cflag" + "encoding/json" + "github.com/namecoin/ncdns/tlsrestrictchromium" "gopkg.in/hlandau/easyconfig.v1" + "gopkg.in/hlandau/easyconfig.v1/cflag" "io/ioutil" - "encoding/json" "log" - "github.com/namecoin/ncdns/tlsrestrictchromium" ) var ( diff --git a/util/util.go b/util/util.go index ce94e1d..e57d436 100644 --- a/util/util.go +++ b/util/util.go @@ -79,7 +79,7 @@ func SplitDomainByFloatingAnchor(qname, anchor string) (subname, basename, rootn return } - rootname = strings.Join(parts[i:len(parts)], ".") + rootname = strings.Join(parts[i:], ".") basename = parts[i-1] subname = strings.Join(parts[0:i-1], ".") return diff --git a/util/util_test.go b/util/util_test.go index 5b782c4..5dd8ab8 100644 --- a/util/util_test.go +++ b/util/util_test.go @@ -13,13 +13,13 @@ type item struct { } var items = []item{ - item{"", "", "", "", ""}, - item{"a", "a", "", "a", ""}, - item{"alpha", "alpha", "", "alpha", ""}, - item{"alpha.beta", "beta", "alpha", "alpha", "beta"}, - item{"alpha.beta.gamma", "gamma", "alpha.beta", "alpha", "beta.gamma"}, - item{"alpha.beta.gamma.delta", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta"}, - item{"alpha.beta.gamma.delta.", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta."}, + {"", "", "", "", ""}, + {"a", "a", "", "a", ""}, + {"alpha", "alpha", "", "alpha", ""}, + {"alpha.beta", "beta", "alpha", "alpha", "beta"}, + {"alpha.beta.gamma", "gamma", "alpha.beta", "alpha", "beta.gamma"}, + {"alpha.beta.gamma.delta", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta"}, + {"alpha.beta.gamma.delta.", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta."}, } func TestSplitDomainHead(t *testing.T) { @@ -51,17 +51,17 @@ type aitem struct { } var aitems = []aitem{ - aitem{"", "bit", "", "", "", merr.ErrNotInZone}, - aitem{".", "bit", "", "", "", merr.ErrNotInZone}, - aitem{"d.", "bit", "", "", "", merr.ErrNotInZone}, - aitem{"a.b.c.d.", "bit", "", "", "", merr.ErrNotInZone}, - aitem{"a.b.c.d.bit.", "bit", "a.b.c", "d", "bit", nil}, - aitem{"d.bit.", "bit", "", "d", "bit", nil}, - aitem{"bit.", "bit", "", "", "bit", nil}, - aitem{"bit.x.y.z.", "bit", "", "", "bit.x.y.z", nil}, - aitem{"d.bit.x.y.z.", "bit", "", "d", "bit.x.y.z", nil}, - aitem{"c.d.bit.x.y.z.", "bit", "c", "d", "bit.x.y.z", nil}, - aitem{"a.b.c.d.bit.x.y.z.", "bit", "a.b.c", "d", "bit.x.y.z", nil}, + {"", "bit", "", "", "", merr.ErrNotInZone}, + {".", "bit", "", "", "", merr.ErrNotInZone}, + {"d.", "bit", "", "", "", merr.ErrNotInZone}, + {"a.b.c.d.", "bit", "", "", "", merr.ErrNotInZone}, + {"a.b.c.d.bit.", "bit", "a.b.c", "d", "bit", nil}, + {"d.bit.", "bit", "", "d", "bit", nil}, + {"bit.", "bit", "", "", "bit", nil}, + {"bit.x.y.z.", "bit", "", "", "bit.x.y.z", nil}, + {"d.bit.x.y.z.", "bit", "", "d", "bit.x.y.z", nil}, + {"c.d.bit.x.y.z.", "bit", "c", "d", "bit.x.y.z", nil}, + {"a.b.c.d.bit.x.y.z.", "bit", "a.b.c", "d", "bit.x.y.z", nil}, } func TestSplitDomainByFloatingAnchor(t *testing.T) {