From e8feeb3b0047fe0064b99de7512b11b929055b89 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:56:21 +0000 Subject: [PATCH 01/17] gofmt -s backend/backend.go --- backend/backend.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/backend.go b/backend/backend.go index b472e3d..1b76292 100644 --- a/backend/backend.go +++ b/backend/backend.go @@ -422,12 +422,12 @@ func (tx *btx) _findNCValue(ncv *ncdomain.Value, isubname, subname string, depth func (tx *btx) addAnswersUnderNCValueActual(ncv *ncdomain.Value, sn string) (rrs []dns.RR, err error) { rrs, err = ncv.RRs(nil, dns.Fqdn(tx.qname), dns.Fqdn(tx.basename+"."+tx.rootname)) - + // TODO: add callback variable "OnValueReferencedFunc" to backend options so that we don't pollute this function with every hook that we want // might need to add the other attributes of tx, and sn, to the callback variable for flexibility's sake // This doesn't normally return errors, but any errors during execution will be logged. tlshook.DomainValueHookTLS(tx.qname, ncv) - + return } From 62f0e6aa90ead0328d59a47822095782a08e3344 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:56:56 +0000 Subject: [PATCH 02/17] gofmt -s certdehydrate/certdehydrate.go --- certdehydrate/certdehydrate.go | 46 +++++++++++++++++----------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/certdehydrate/certdehydrate.go b/certdehydrate/certdehydrate.go index 76d9ba9..7edaa5f 100644 --- a/certdehydrate/certdehydrate.go +++ b/certdehydrate/certdehydrate.go @@ -20,16 +20,16 @@ import "github.com/namecoin/ncdns/x509" // https://github.com/namecoin/proposals/blob/master/ifa-0003.md // TODO: add a version field type DehydratedCertificate struct { - PubkeyB64 string - NotBeforeScaled int64 - NotAfterScaled int64 + PubkeyB64 string + NotBeforeScaled int64 + NotAfterScaled int64 SignatureAlgorithm int64 - SignatureB64 string + SignatureB64 string } // SerialNumber calculates the certificate serial number according to the // Dehydrated TLS Certificates specification. -func (dehydrated DehydratedCertificate) SerialNumber(name string) ([]byte, error){ +func (dehydrated DehydratedCertificate) SerialNumber(name string) ([]byte, error) { nameHash := sha256.Sum256([]byte(name)) @@ -119,12 +119,12 @@ func ParseDehydratedCert(data interface{}) (*DehydratedCertificate, error) { return nil, fmt.Errorf("Dehydrated cert signature must be a string") } - result := DehydratedCertificate { - PubkeyB64: pubkeyB64, - NotBeforeScaled: int64(notBeforeScaled), - NotAfterScaled: int64(notAfterScaled), - SignatureAlgorithm: int64(signatureAlgorithm), - SignatureB64: signatureB64, + result := DehydratedCertificate{ + PubkeyB64: pubkeyB64, + NotBeforeScaled: int64(notBeforeScaled), + NotAfterScaled: int64(notAfterScaled), + SignatureAlgorithm: int64(signatureAlgorithm), + SignatureB64: signatureB64, } return &result, nil @@ -155,11 +155,11 @@ func DehydrateCert(cert *x509.Certificate) (*DehydratedCertificate, error) { signatureB64 := base64.StdEncoding.EncodeToString(signatureBytes) result := DehydratedCertificate{ - PubkeyB64: pubkeyB64, - NotBeforeScaled: notBeforeScaled, - NotAfterScaled: notAfterScaled, - SignatureAlgorithm: signatureAlgorithm, - SignatureB64: signatureB64, + PubkeyB64: pubkeyB64, + NotBeforeScaled: notBeforeScaled, + NotAfterScaled: notAfterScaled, + SignatureAlgorithm: signatureAlgorithm, + SignatureB64: signatureB64, } return &result, nil @@ -168,7 +168,7 @@ func DehydrateCert(cert *x509.Certificate) (*DehydratedCertificate, error) { // RehydrateCert converts a dehydrated certificate into a standard x509 // certificate, but does not fill in the domain name or any fields that depend // on it. The resulting certificate is intended to be used as input to -// FillRehydratedCertTemplate. +// FillRehydratedCertTemplate. func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error) { pubkeyBin, err := base64.StdEncoding.DecodeString(dehydrated.PubkeyB64) @@ -198,19 +198,19 @@ func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error) template := x509.Certificate{ SerialNumber: big.NewInt(1), - NotBefore: notBefore, - NotAfter: notAfter, + NotBefore: notBefore, + NotAfter: notAfter, // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - KeyUsage: x509.KeyUsageDigitalSignature, + KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, SignatureAlgorithm: signatureAlgorithm, - PublicKey: pubkey, - Signature: signature, + PublicKey: pubkey, + Signature: signature, } return &template, nil @@ -222,7 +222,7 @@ func RehydrateCert(dehydrated *DehydratedCertificate) (*x509.Certificate, error) func FillRehydratedCertTemplate(template x509.Certificate, name string) ([]byte, error) { template.Subject = pkix.Name{ - CommonName: name, + CommonName: name, SerialNumber: "Namecoin TLS Certificate", } From 8ec3281780d1519ec4343063e0c1d93431a7d498 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:57:17 +0000 Subject: [PATCH 03/17] gofmt -s certdehydrate/certdehydrate_test.go --- certdehydrate/certdehydrate_test.go | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/certdehydrate/certdehydrate_test.go b/certdehydrate/certdehydrate_test.go index 5377879..efbba9e 100644 --- a/certdehydrate/certdehydrate_test.go +++ b/certdehydrate/certdehydrate_test.go @@ -1,39 +1,38 @@ package certdehydrate_test import ( - "testing" "encoding/json" - "reflect" "github.com/namecoin/ncdns/certdehydrate" + "reflect" + "testing" ) func TestDehydratedCertIdentityOperation(t *testing.T) { bytesJson := []byte(`[1, "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/hy1t4jB14ronx6n1m8VQh02jblRfu2cV3/LcyomfVljypUQMGjmuxWNbPI0a3cF6miNOijSCutqTZdb7TLvig==",4944096,5049216,10,"MEQCIGXXk6gYx95vQoknRwiQ4e27I+DXUWkE8L6dmLwAiGncAiBbtEX1nnZINx1YGzT5Fx8SxpjLwNDTUBkq22NpazHLIA=="]`) - + var parsedJson []interface{} - + if err := json.Unmarshal(bytesJson, &parsedJson); err != nil { t.Error("Error parsing JSON:", err) } - + dehydrated, err := certdehydrate.ParseDehydratedCert(parsedJson) if err != nil { t.Error("Error parsing dehydrated certificate:", err) } - + template, err := certdehydrate.RehydrateCert(dehydrated) if err != nil { t.Error("Error rehydrating certificate:", err) } - + dehydrated2, err := certdehydrate.DehydrateCert(template) if err != nil { t.Error("Error dehydrating certificate:", err) } - + // Test to make sure that rehydrating and then dehydrating a cert doesn't change it. if !reflect.DeepEqual(dehydrated, dehydrated2) { t.Error(dehydrated, "!=", dehydrated2) } } - From b1ab83275409fe08ac631d3ac435ee4dd1fa9915 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:57:38 +0000 Subject: [PATCH 04/17] gofmt -s certinject_misc.go --- certinject/certinject_misc.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certinject/certinject_misc.go b/certinject/certinject_misc.go index d2d4e4c..ff40bc5 100644 --- a/certinject/certinject_misc.go +++ b/certinject/certinject_misc.go @@ -7,9 +7,9 @@ import "github.com/hlandau/xlog" var log, Log = xlog.New("ncdns.certinject") func InjectCert(derBytes []byte) { - + } func CleanCerts() { - + } From 65577146fc5b804434e82156c6b17ec1c7e2cded Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:57:58 +0000 Subject: [PATCH 05/17] gofmt -s certinject/certinject_windows.go --- certinject/certinject_windows.go | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/certinject/certinject_windows.go b/certinject/certinject_windows.go index 2764a4f..8811560 100644 --- a/certinject/certinject_windows.go +++ b/certinject/certinject_windows.go @@ -1,21 +1,20 @@ package certinject import ( - "gopkg.in/hlandau/easyconfig.v1/cflag" "github.com/hlandau/xlog" + "gopkg.in/hlandau/easyconfig.v1/cflag" ) - -// This package is used to add and remove certificates to the system trust +// This package is used to add and remove certificates to the system trust // store. // Currently only supports Windows CryptoAPI. var log, Log = xlog.New("ncdns.certinject") var ( - flagGroup = cflag.NewGroup(nil, "certstore") - cryptoApiFlag = cflag.Bool(flagGroup, "cryptoapi", false, "Synchronize TLS certs to the CryptoAPI trust store? This enables HTTPS to work with Chromium/Chrome. Only use if you've set up null HPKP in Chromium/Chrome as per documentation. If you haven't set up null HPKP, or if you access ncdns from browsers not based on Chromium or Firefox, this is unsafe and should not be used.") - certExpirePeriod = cflag.Int(flagGroup, "expire", 60 * 30, "Duration (in seconds) after which TLS certs will be removed from the trust store. Making this smaller than the DNS TTL (default 600) may cause TLS errors.") + flagGroup = cflag.NewGroup(nil, "certstore") + cryptoApiFlag = cflag.Bool(flagGroup, "cryptoapi", false, "Synchronize TLS certs to the CryptoAPI trust store? This enables HTTPS to work with Chromium/Chrome. Only use if you've set up null HPKP in Chromium/Chrome as per documentation. If you haven't set up null HPKP, or if you access ncdns from browsers not based on Chromium or Firefox, this is unsafe and should not be used.") + certExpirePeriod = cflag.Int(flagGroup, "expire", 60*30, "Duration (in seconds) after which TLS certs will be removed from the trust store. Making this smaller than the DNS TTL (default 600) may cause TLS errors.") ) // Injects the given cert into all configured trust stores. From f70f23aff049e80f2ef7821e1ef693e0d8c10749 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:58:31 +0000 Subject: [PATCH 06/17] gofmt -s certinject/cryptoapi_windows.go --- certinject/cryptoapi_windows.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/certinject/cryptoapi_windows.go b/certinject/cryptoapi_windows.go index 3ae044a..5451e50 100644 --- a/certinject/cryptoapi_windows.go +++ b/certinject/cryptoapi_windows.go @@ -1,12 +1,12 @@ package certinject import ( - "golang.org/x/sys/windows/registry" "crypto/sha1" "encoding/hex" "fmt" - "strings" + "golang.org/x/sys/windows/registry" "math" + "strings" "time" ) @@ -64,7 +64,7 @@ func injectCertCryptoApi(derBytes []byte) { certLength := len(derBytes) // Header for a stripped Windows Certificate Registry Blob - certBlobHeader := []byte{0x20, 0, 0, 0, 0x01, 0, 0, 0, byte( (certLength >> 0) & 0xFF), byte( (certLength >> 8) & 0xFF), byte( (certLength >> 16) & 0xFF), byte( (certLength >> 24) & 0xFF) } + certBlobHeader := []byte{0x20, 0, 0, 0, 0x01, 0, 0, 0, byte((certLength >> 0) & 0xFF), byte((certLength >> 8) & 0xFF), byte((certLength >> 16) & 0xFF), byte((certLength >> 24) & 0xFF)} // Construct the Blob certBlob := append(certBlobHeader, derBytes...) @@ -99,7 +99,7 @@ func injectCertCryptoApi(derBytes []byte) { } defer certKey.Close() - // Add a magic value which indicates that the certificate is a + // Add a magic value which indicates that the certificate is a // Namecoin cert. This will be used for deleting expired certs. // However, we have to delete it before we create it, so that we make sure that the "last modified" metadata gets updated. // If an error occurs during deletion, we ignore it, since it probably just means it wasn't there already. @@ -185,7 +185,7 @@ func checkCertExpiredCryptoApi(certStoreKey registry.Key, subKeyName string) (bo certKeyModTime := certKeyInfo.ModTime() // If the cert's last modified timestamp differs too much from the current time in either direction, consider it expired - expired := math.Abs( time.Since(certKeyModTime).Seconds() ) > float64(certExpirePeriod.Value()) + expired := math.Abs(time.Since(certKeyModTime).Seconds()) > float64(certExpirePeriod.Value()) return expired, nil } From 53adb64d850a2395011fe78df295d64e2e19987e Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:58:54 +0000 Subject: [PATCH 07/17] gofmt -s certinject/file.go --- certinject/file.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certinject/file.go b/certinject/file.go index 33d9b16..cb97609 100644 --- a/certinject/file.go +++ b/certinject/file.go @@ -7,7 +7,7 @@ import ( // Injects a certificate by writing to a file. Might be relevant for non-CryptoAPI trust stores. func injectCertFile(derBytes []byte, fileName string) { - + pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) err := ioutil.WriteFile(fileName, pemBytes, 0644) if err != nil { From 1fb4007fa7734d180cd41e444ad44e813b523096 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:59:13 +0000 Subject: [PATCH 08/17] gofmt -s generate_nmc_cert/main.go --- generate_nmc_cert/main.go | 64 +++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/generate_nmc_cert/main.go b/generate_nmc_cert/main.go index 5665815..3db2284 100644 --- a/generate_nmc_cert/main.go +++ b/generate_nmc_cert/main.go @@ -5,7 +5,7 @@ // Generate a self-signed X.509 certificate for a TLS server. Outputs to // 'cert.pem' and 'key.pem' and will overwrite existing files. -// This code has been modified from the stock Go code to generate +// This code has been modified from the stock Go code to generate // "dehydrated certificates", suitable for inclusion in a Namecoin name. package main @@ -22,12 +22,12 @@ import ( "encoding/pem" "flag" "fmt" + "github.com/namecoin/ncdns/certdehydrate" + "github.com/namecoin/ncdns/x509" "log" "math/big" "os" "time" - "github.com/namecoin/ncdns/certdehydrate" - "github.com/namecoin/ncdns/x509" ) var ( @@ -106,19 +106,19 @@ func main() { fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err) os.Exit(1) } - + var notAfter time.Time notAfter, err = time.Parse("Jan 2 15:04:05 2006", *validTo) if err != nil { fmt.Fprintf(os.Stderr, "Failed to parse expiry date: %s\n", err) os.Exit(1) } - + timestampPrecision := int64(5 * 60) - - notBeforeFloored := time.Unix( ( notBefore.Unix() / timestampPrecision ) * timestampPrecision, 0 ) - notAfterFloored := time.Unix( ( notAfter.Unix() / timestampPrecision ) * timestampPrecision, 0 ) - + + notBeforeFloored := time.Unix((notBefore.Unix()/timestampPrecision)*timestampPrecision, 0) + notAfterFloored := time.Unix((notAfter.Unix()/timestampPrecision)*timestampPrecision, 0) + // Serial components pubkeyBytes, err := x509.MarshalPKIXPublicKey(publicKey(priv)) if err != nil { @@ -127,12 +127,12 @@ func main() { pubkeyB64 := base64.StdEncoding.EncodeToString(pubkeyBytes) notBeforeScaled := notBeforeFloored.Unix() / timestampPrecision notAfterScaled := notAfterFloored.Unix() / timestampPrecision - + // Calculate serial - serialDehydrated := certdehydrate.DehydratedCertificate { - PubkeyB64: pubkeyB64, + serialDehydrated := certdehydrate.DehydratedCertificate{ + PubkeyB64: pubkeyB64, NotBeforeScaled: notBeforeScaled, - NotAfterScaled: notAfterScaled, + NotAfterScaled: notAfterScaled, } serialNumber := big.NewInt(1) serialNumberBytes, err := serialDehydrated.SerialNumber(*host) @@ -144,7 +144,7 @@ func main() { template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ - CommonName: *host, + CommonName: *host, SerialNumber: "Namecoin TLS Certificate", }, NotBefore: notBeforeFloored, @@ -152,7 +152,7 @@ func main() { // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - KeyUsage: x509.KeyUsageDigitalSignature, + KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } @@ -180,38 +180,38 @@ func main() { pem.Encode(keyOut, pemBlockForKey(priv)) keyOut.Close() log.Print("written key.pem\n") - + parsedResult, err := x509.ParseCertificate(derBytes) if err != nil { log.Fatal("failed to parse output cert: ", err) } - + dehydrated, err := certdehydrate.DehydrateCert(parsedResult) if err != nil { log.Fatal("failed to dehydrate result cert: ", err) } - + rehydrated, err := certdehydrate.RehydrateCert(dehydrated) if err != nil { log.Fatal("failed to rehydrate result cert: ", err) } - + rehydratedDerBytes, err := certdehydrate.FillRehydratedCertTemplate(*rehydrated, *host) if err != nil { log.Fatal("failed to fill rehydrated result cert: ", err) } - - if ! bytes.Equal(derBytes, rehydratedDerBytes) { + + if !bytes.Equal(derBytes, rehydratedDerBytes) { log.Fatal("ERROR: The cert did not rehydrate to an identical form. This is a bug; do not use the generated certificate.") } - + log.Print("Your Namecoin cert is: {\"d8\":", dehydrated, "}") - log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name."); + log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name.") if len(*falseHost) > 0 { var falsePriv interface{} - + switch *ecdsaCurve { case "P224": falsePriv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader) @@ -228,32 +228,32 @@ func main() { if err != nil { log.Fatalf("failed to generate false private key: %s", err) } - + falseSerialNumber := big.NewInt(2) falseTemplate := x509.Certificate{ SerialNumber: falseSerialNumber, Subject: pkix.Name{ - CommonName: *falseHost, + CommonName: *falseHost, SerialNumber: "Namecoin TLS Certificate", }, NotBefore: notBefore, NotAfter: notAfter, - + // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - KeyUsage: x509.KeyUsageDigitalSignature, + KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } - + falseTemplate.DNSNames = append(falseTemplate.DNSNames, *falseHost) - + falseDerBytes, err := x509.CreateCertificate(rand.Reader, &falseTemplate, &template, publicKey(falsePriv), priv) if err != nil { log.Fatalf("Failed to create false certificate: %s", err) } - + falseCertOut, err := os.Create("falseCert.pem") if err != nil { log.Fatalf("failed to open falseCert.pem for writing: %s", err) @@ -261,7 +261,7 @@ func main() { pem.Encode(falseCertOut, &pem.Block{Type: "CERTIFICATE", Bytes: falseDerBytes}) falseCertOut.Close() log.Print("written falseCert.pem\n") - + falseKeyOut, err := os.OpenFile("falseKey.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) if err != nil { log.Print("failed to open falseKey.pem for writing:", err) From 26b4c4c637deadb56e58241b035586f907b377f2 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 07:59:45 +0000 Subject: [PATCH 09/17] gofmt -s ncdomain/convert.go --- ncdomain/convert.go | 52 ++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/ncdomain/convert.go b/ncdomain/convert.go index 941450f..6f0a1ce 100644 --- a/ncdomain/convert.go +++ b/ncdomain/convert.go @@ -31,21 +31,21 @@ const defaultTTL = 600 // Therefore when qualifying names in a Value yourself you must check if the // input string is "=" and if so, replace it with "" first. type Value struct { - IP []net.IP - IP6 []net.IP - NS []string - Alias string - HasAlias bool // True if Alias was specified. Necessary as "" is a valid relative alias. - Translate string - HasTranslate bool // True if Translate was specified. Necessary as "" is a valid relative value for Translate. - DS []*dns.DS - TXT [][]string - SRV []*dns.SRV - Hostmaster string // "hostmaster@example.com" - MX []*dns.MX // header name is left blank - TLSA []*dns.TLSA + IP []net.IP + IP6 []net.IP + NS []string + Alias string + HasAlias bool // True if Alias was specified. Necessary as "" is a valid relative alias. + Translate string + HasTranslate bool // True if Translate was specified. Necessary as "" is a valid relative value for Translate. + DS []*dns.DS + TXT [][]string + SRV []*dns.SRV + Hostmaster string // "hostmaster@example.com" + MX []*dns.MX // header name is left blank + TLSA []*dns.TLSA TLSAGenerated []x509.Certificate // Certs can be dehydrated in the blockchain, they will be put here without SAN values. SAN must be filled in before use. - Map map[string]*Value // may contain and "*", will not contain "" + Map map[string]*Value // may contain and "*", will not contain "" // set if the value is at the top level (alas necessary for relname interpretation) IsTopLevel bool @@ -249,28 +249,26 @@ func (v *Value) appendSRVs(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, e return out, nil } - - func (v *Value) appendTLSA(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, error) { for _, tlsa := range v.TLSA { out = append(out, tlsa) } for _, cert := range v.TLSAGenerated { - + template := cert - + _, nameNoPort := util.SplitDomainTail(suffix) _, nameNoPortOrProtocol := util.SplitDomainTail(nameNoPort) - + derBytes, err := certdehydrate.FillRehydratedCertTemplate(template, nameNoPortOrProtocol) if err != nil { // TODO: add debug output here continue } - + derBytesHex := hex.EncodeToString(derBytes) - + out = append(out, &dns.TLSA{ Hdr: dns.RR_Header{Name: suffix, Rrtype: dns.TypeTLSA, Class: dns.ClassINET, Ttl: defaultTTL}, @@ -279,9 +277,9 @@ func (v *Value) appendTLSA(out []dns.RR, suffix, apexSuffix string) ([]dns.RR, e MatchingType: uint8(0), Certificate: strings.ToUpper(derBytesHex), }) - + } - + return out, nil } @@ -854,14 +852,14 @@ func parseTLSADehydrated(tlsa1dehydrated interface{}, v *Value) error { if err != nil { return fmt.Errorf("Error parsing dehydrated certificate: %s", err) } - + template, err := certdehydrate.RehydrateCert(dehydrated) if err != nil { return fmt.Errorf("Error rehydrating certificate: %s", err) } - + v.TLSAGenerated = append(v.TLSAGenerated, *template) - + return nil } @@ -927,7 +925,7 @@ func parseTLSA(rv map[string]interface{}, v *Value, errFunc ErrorFunc) { var tlsa1m map[string]interface{} if _, ok := tlsa1.([]interface{}); ok { - tlsa1m = map[string]interface{} { + tlsa1m = map[string]interface{}{ "dane": tlsa1, } } else { From 5152222000109dc97464562bff14da38296d0727 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:00:09 +0000 Subject: [PATCH 10/17] gofmt -s tlshook/tlshook.go --- tlshook/tlshook.go | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/tlshook/tlshook.go b/tlshook/tlshook.go index 88ca979..a911f7b 100644 --- a/tlshook/tlshook.go +++ b/tlshook/tlshook.go @@ -1,58 +1,57 @@ package tlshook import ( + "github.com/hlandau/xlog" "github.com/namecoin/ncdns/certdehydrate" "github.com/namecoin/ncdns/certinject" "github.com/namecoin/ncdns/ncdomain" - "github.com/hlandau/xlog" ) var log, Log = xlog.New("ncdns.tlshook") func DomainValueHookTLS(qname string, ncv *ncdomain.Value) (err error) { - + log.Info("Intercepted a Value for ", qname) if protocol, ok := ncv.Map["_tcp"]; ok { // TODO: look into allowing non-TCP protocols log.Info("Saw a request with TCP") if port, ok := protocol.Map["_443"]; ok { // TODO: check all ports, not just 443 log.Info("Saw a request with TCP port 443") - - + // For dehydrated certificates if len(port.TLSAGenerated) > 0 { - + log.Info("Just saw a TLS port 443 capable domain request for ", qname, "!") - + for index, cert := range port.TLSAGenerated { - + log.Info("Using dehydrated certificate # ", index) - + template := cert - + var derBytes []byte - + derBytes, err = certdehydrate.FillRehydratedCertTemplate(template, qname) if err != nil { log.Info("Failed to create certificate: ", err) continue } - + // TODO: check return value certinject.InjectCert(derBytes) - + } - + } - + // TODO: support non-dehydrated certificates } } - + // remove any certs that aren't valid anymore certinject.CleanCerts() - + err = nil - + return -} \ No newline at end of file +} From 2f0e866870cc36aceed1f1341807f2c5e0a864cc Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:00:31 +0000 Subject: [PATCH 11/17] gofmt -s tlsrestrictchromium/chromium.go --- tlsrestrictchromium/chromium.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tlsrestrictchromium/chromium.go b/tlsrestrictchromium/chromium.go index b53a90b..2d54794 100644 --- a/tlsrestrictchromium/chromium.go +++ b/tlsrestrictchromium/chromium.go @@ -1,13 +1,13 @@ package tlsrestrictchromium import ( + "crypto/sha256" "encoding/base64" - "math/big" - "github.com/miekg/dns" "encoding/hex" - "fmt" "encoding/json" - "crypto/sha256" + "fmt" + "github.com/miekg/dns" + "math/big" ) // DNSHash converts an FQDN to DNS wire format, takes the SHA256 of it, and From e3cd52290a3fc17397076befc9bbd253c4c151f4 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:00:50 +0000 Subject: [PATCH 12/17] gofmt -s tlsrestrictchromium/chromium_test.go --- tlsrestrictchromium/chromium_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tlsrestrictchromium/chromium_test.go b/tlsrestrictchromium/chromium_test.go index 9d0df66..373f294 100644 --- a/tlsrestrictchromium/chromium_test.go +++ b/tlsrestrictchromium/chromium_test.go @@ -1,8 +1,8 @@ package tlsrestrictchromium_test import ( - "testing" "github.com/namecoin/ncdns/tlsrestrictchromium" + "testing" ) func TestDnsHash(t *testing.T) { From 6e3101ea76e57369dc4dc48adf6f126196cbaa68 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:01:21 +0000 Subject: [PATCH 13/17] gofmt -s tlsrestrictchromium/tlsrestrict_chromium_tool/main.go --- tlsrestrictchromium/tlsrestrict_chromium_tool/main.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go b/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go index b699410..f043a23 100644 --- a/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go +++ b/tlsrestrictchromium/tlsrestrict_chromium_tool/main.go @@ -1,12 +1,12 @@ package main import ( - "gopkg.in/hlandau/easyconfig.v1/cflag" + "encoding/json" + "github.com/namecoin/ncdns/tlsrestrictchromium" "gopkg.in/hlandau/easyconfig.v1" + "gopkg.in/hlandau/easyconfig.v1/cflag" "io/ioutil" - "encoding/json" "log" - "github.com/namecoin/ncdns/tlsrestrictchromium" ) var ( From 0da5cd28abc1b5930ed511775f0d4cdb71b0f3e5 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:01:40 +0000 Subject: [PATCH 14/17] gofmt -s util/util.go --- util/util.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/util.go b/util/util.go index ce94e1d..e57d436 100644 --- a/util/util.go +++ b/util/util.go @@ -79,7 +79,7 @@ func SplitDomainByFloatingAnchor(qname, anchor string) (subname, basename, rootn return } - rootname = strings.Join(parts[i:len(parts)], ".") + rootname = strings.Join(parts[i:], ".") basename = parts[i-1] subname = strings.Join(parts[0:i-1], ".") return From b6cf88d290008871d301cebd35a9ebb442366497 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:01:56 +0000 Subject: [PATCH 15/17] gofmt -s util/util_test.go --- util/util_test.go | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/util/util_test.go b/util/util_test.go index 5b782c4..5dd8ab8 100644 --- a/util/util_test.go +++ b/util/util_test.go @@ -13,13 +13,13 @@ type item struct { } var items = []item{ - item{"", "", "", "", ""}, - item{"a", "a", "", "a", ""}, - item{"alpha", "alpha", "", "alpha", ""}, - item{"alpha.beta", "beta", "alpha", "alpha", "beta"}, - item{"alpha.beta.gamma", "gamma", "alpha.beta", "alpha", "beta.gamma"}, - item{"alpha.beta.gamma.delta", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta"}, - item{"alpha.beta.gamma.delta.", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta."}, + {"", "", "", "", ""}, + {"a", "a", "", "a", ""}, + {"alpha", "alpha", "", "alpha", ""}, + {"alpha.beta", "beta", "alpha", "alpha", "beta"}, + {"alpha.beta.gamma", "gamma", "alpha.beta", "alpha", "beta.gamma"}, + {"alpha.beta.gamma.delta", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta"}, + {"alpha.beta.gamma.delta.", "delta", "alpha.beta.gamma", "alpha", "beta.gamma.delta."}, } func TestSplitDomainHead(t *testing.T) { @@ -51,17 +51,17 @@ type aitem struct { } var aitems = []aitem{ - aitem{"", "bit", "", "", "", merr.ErrNotInZone}, - aitem{".", "bit", "", "", "", merr.ErrNotInZone}, - aitem{"d.", "bit", "", "", "", merr.ErrNotInZone}, - aitem{"a.b.c.d.", "bit", "", "", "", merr.ErrNotInZone}, - aitem{"a.b.c.d.bit.", "bit", "a.b.c", "d", "bit", nil}, - aitem{"d.bit.", "bit", "", "d", "bit", nil}, - aitem{"bit.", "bit", "", "", "bit", nil}, - aitem{"bit.x.y.z.", "bit", "", "", "bit.x.y.z", nil}, - aitem{"d.bit.x.y.z.", "bit", "", "d", "bit.x.y.z", nil}, - aitem{"c.d.bit.x.y.z.", "bit", "c", "d", "bit.x.y.z", nil}, - aitem{"a.b.c.d.bit.x.y.z.", "bit", "a.b.c", "d", "bit.x.y.z", nil}, + {"", "bit", "", "", "", merr.ErrNotInZone}, + {".", "bit", "", "", "", merr.ErrNotInZone}, + {"d.", "bit", "", "", "", merr.ErrNotInZone}, + {"a.b.c.d.", "bit", "", "", "", merr.ErrNotInZone}, + {"a.b.c.d.bit.", "bit", "a.b.c", "d", "bit", nil}, + {"d.bit.", "bit", "", "d", "bit", nil}, + {"bit.", "bit", "", "", "bit", nil}, + {"bit.x.y.z.", "bit", "", "", "bit.x.y.z", nil}, + {"d.bit.x.y.z.", "bit", "", "d", "bit.x.y.z", nil}, + {"c.d.bit.x.y.z.", "bit", "c", "d", "bit.x.y.z", nil}, + {"a.b.c.d.bit.x.y.z.", "bit", "a.b.c", "d", "bit.x.y.z", nil}, } func TestSplitDomainByFloatingAnchor(t *testing.T) { From d058005c2653769ed78fb004f93ad61f68b722c2 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:12:38 +0000 Subject: [PATCH 16/17] Travis: Make gofmt critical for gometalinter. --- .travis/script | 1 - 1 file changed, 1 deletion(-) diff --git a/.travis/script b/.travis/script index c491101..c4e6f18 100644 --- a/.travis/script +++ b/.travis/script @@ -25,7 +25,6 @@ gometalinter.v1 --enable-all \ --disable=errcheck \ --disable=gas \ --disable=gocyclo \ ---disable=gofmt \ --disable=goimports \ --disable=golint \ --disable=gosimple \ From cf7518de6b1e6cbb8bbf7fa40ee4a9682d825ca8 Mon Sep 17 00:00:00 2001 From: JeremyRand Date: Sat, 4 Nov 2017 08:16:28 +0000 Subject: [PATCH 17/17] Travis: Make gotype critical for gometalinter. --- .travis/script | 1 - 1 file changed, 1 deletion(-) diff --git a/.travis/script b/.travis/script index c4e6f18..b070f21 100644 --- a/.travis/script +++ b/.travis/script @@ -28,7 +28,6 @@ gometalinter.v1 --enable-all \ --disable=goimports \ --disable=golint \ --disable=gosimple \ ---disable=gotype \ --disable=ineffassign \ --disable=lll \ --disable=misspell \