Merge pull request #146 from anxolerd/normalize-wildcard
Perform domain normalization for wildcard domains
dopey committed Dec 20, 2019
2 parents 9ec2fe7 + ec8ff0b commit 37d3396
Showing 2 changed files with 52 additions and 2 deletions.
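--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -385,11 +385,20 @@ func (dc *dns01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo validat
 return dc, nil
 }
 
-txtRecords, err := vo.lookupTxt("_acme-challenge." + dc.Value)
+// Normalize domain for wildcard DNS names
+// This is done to avoid making TXT lookups for domains like
+// _acme-challenge.*.example.com
+// Instead perform txt lookup for _acme-challenge.example.com
+domain := dc.Value
+if strings.HasPrefix(domain, "*") {
+domain = strings.TrimPrefix(domain, "*.")
+}
+
+txtRecords, err := vo.lookupTxt("_acme-challenge." + domain)
 if err != nil {
 if err = dc.storeError(db,
 DNSErr(errors.Wrapf(err, "error looking up TXT "+
-"records for domain %s", dc.Value))); err != nil {
+"records for domain %s", domain))); err != nil {
 return nil, err
 }
 return dc, nil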
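Review bot: The guard `if strings.HasPrefix(domain, "*")` tests a different prefix than the `strings.TrimPrefix(domain, "*.")` it wraps, so a value that begins with `*` but not `*.` passes the check, is left untouched, and reaches `vo.lookupTxt` as `_acme-challenge.*...`. TrimPrefix is already a no-op when the prefix is absent, so the guard adds nothing and the two statements can collapse to `domain := strings.TrimPrefix(dc.Value, "*.")`. The comment above it would be more useful stating the why rather than the mechanics, e.g. `// A wildcard identifier is validated against its base domain (RFC 8555 §7.1.3 strips the "*." label), so the TXT lookup uses the name with the leading wildcard label removed; any other "*" placement is left as-is and will fail the lookup.` This presumes `strings` is already imported in challenge.go; the import block, and the start and end of validate, lie outside the hunk.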
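--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -930,6 +930,47 @@ func TestDNS01Validate(t *testing.T) {
 res: ch,
 }
 },
+"ok/lookup-txt-wildcard": func(t *testing.T) test {
+ch, err := newDNSCh()
+assert.FatalError(t, err)
+_ch, ok := ch.(*dns01Challenge)
+assert.Fatal(t, ok)
+_ch.baseChallenge.Value = "*.zap.internal"
+
+jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+assert.FatalError(t, err)
+
+expKeyAuth, err := KeyAuthorization(ch.getToken(), jwk)
+assert.FatalError(t, err)
+h := sha256.Sum256([]byte(expKeyAuth))
+expected := base64.RawURLEncoding.EncodeToString(h[:])
+
+baseClone := ch.clone()
+baseClone.Status = StatusValid
+baseClone.Error = nil
+newCh := &dns01Challenge{baseClone}
+
+return test{
+ch: ch,
+res: newCh,
+vo: validateOptions{
+lookupTxt: func(url string) ([]string, error) {
+assert.Equals(t, url, "_acme-challenge.zap.internal")
+return []string{"foo", expected}, nil
+},
+},
+jwk: jwk,
+db: &db.MockNoSQLDB{
+MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+dnsCh, err := unmarshalChallenge(newval)
+assert.FatalError(t, err)
+assert.Equals(t, dnsCh.getStatus(), StatusValid)
+baseClone.Validated = dnsCh.getValidated()
+return nil, true, nil
+},
+},
+}
+},
 "fail/key-authorization-gen-error": func(t *testing.T) test {
 ch, err := newDNSCh()
 assert.FatalError(t, err)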
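Review bot: The new `ok/lookup-txt-wildcard` case pins only the success path, so the second change in challenge.go — the stored DNSErr now formats the normalized `domain` instead of `dc.Value` — is not exercised by any test. A sibling `fail/lookup-txt-wildcard` case whose `lookupTxt` returns an error, asserting that the recorded error message names `zap.internal` rather than `*.zap.internal`, would cover that line and make the intended wording of the stored error explicit. Note also that `assert.Equals(t, url, ...)` inside the mock only runs if the lookup is reached; the `res: newCh` expectation with `StatusValid` is what proves it was, which is worth a one-line comment on the case. The enclosing test table continues outside the hunk.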
