author | Florian Obser <florian@cvs.openbsd.org> | 2017-11-27 01:58:53 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2017-11-27 01:58:53 +0000 |
commit | d972cd2f6f5abae79902ffbacbe8fefe8720461f (patch) | |
tree | 39abc2a99aa0647b3365d34f02cc2e72efc0eaa2 /usr.sbin | |
parent | ba89a324d971e1627f85c8be3779546ecd4eaa14 (diff) |
Deprecate agreement url config option and get the information from the
directory call. This way we don't need to update the acme-client.conf
file every time it changes. Still parse the option, ignore and warn about
it for a release. Sysmerge should be able to handle the removal.
"nice" deraadt@
OK benno
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/acme-client/acme-client.conf.5 | 10 | ||||
-rw-r--r-- | usr.sbin/acme-client/extern.h | 5 | ||||
-rw-r--r-- | usr.sbin/acme-client/json.c | 39 | ||||
-rw-r--r-- | usr.sbin/acme-client/main.c | 8 | ||||
-rw-r--r-- | usr.sbin/acme-client/netproc.c | 10 | ||||
-rw-r--r-- | usr.sbin/acme-client/parse.h | 3 | ||||
-rw-r--r-- | usr.sbin/acme-client/parse.y | 14 |
7 files changed, 54 insertions, 35 deletions
diff --git a/usr.sbin/acme-client/acme-client.conf.5 b/usr.sbin/acme-client/acme-client.conf.5
index 9c65db0ff1e..061fb7ac21b 100644
--- a/usr.sbin/acme-client/acme-client.conf.5
+++ b/usr.sbin/acme-client/acme-client.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acme-client.conf.5,v 1.10 2017/03/29 17:16:24 tj Exp $
+.\" $OpenBSD: acme-client.conf.5,v 1.11 2017/11/27 01:58:52 florian Exp $
 .\"
 .\" Copyright (c) 2005 Esben Norby <norby@openbsd.org>
 .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 29 2017 $
+.Dd $Mdocdate: November 27 2017 $
 .Dt ACME-CLIENT.CONF 5
 .Os
 .Sh NAME
@@ -86,11 +86,6 @@ It is followed by a block of options enclosed in curly brackets:
 Specify a
 .Ar file
 used to identify the user of this CA.
-.It Ic agreement url Ar url
-Specify the
-.Ar url
-of a contract under which the certificates are supplied by the certificate
-authority.
 .It Ic api url Ar url
 Specify the
 .Ar url
@@ -100,7 +95,6 @@ under which the ACME API is reachable.
 An example authority block:
 .Bd -literal -offset indent
 authority letsencrypt {
- agreement url https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
 api url "https://acme-v01.api.letsencrypt.org/directory"
 account key "/etc/ssl/private/my-acme.key"
 }
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
index 18e53ddd112..dda2edde484 100644
--- a/usr.sbin/acme-client/extern.h
+++ b/usr.sbin/acme-client/extern.h
@@ -1,4 +1,4 @@
-/* $Id: extern.h,v 1.8 2017/01/21 08:54:26 florian Exp $ */
+/* $Id: extern.h,v 1.9 2017/11/27 01:58:52 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -162,6 +162,7 @@ struct capaths { char *newcert; /* sign certificate */ char *newreg; /* new acme account */ char *revokecert; /* revoke certificate */ + char *agreement; /* terms of service */ }; struct jsmnn; @@ -184,7 +185,7 @@ int keyproc(int, const char *, const char **, size_t, int); int netproc(int, int, int, int, int, int, int, int, struct authority_c *, const char *const *, - size_t, const char *); + size_t); /* * Debugging functions. diff --git a/usr.sbin/acme-client/json.c b/usr.sbin/acme-client/json.c index e800799fbde..d985e200e8d 100644 --- a/usr.sbin/acme-client/json.c +++ b/usr.sbin/acme-client/json.c @@ -1,4 +1,4 @@ -/* $Id: json.c,v 1.9 2017/01/24 13:32:55 jsing Exp $ */ +/* $Id: json.c,v 1.10 2017/11/27 01:58:52 florian Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -257,6 +257,33 @@ json_getarray(struct jsmnn *n, const char *name) } /* + * Extract subtree from the returned JSON object, making sure that it's + * the correct type. + * Returns NULL on failure. + */ +static struct jsmnn * +json_getobj(struct jsmnn *n, const char *name) +{ + size_t i; + + if (n->type != JSMN_OBJECT) + return NULL; + for (i = 0; i < n->fields; i++) { + if (n->d.obj[i].lhs->type != JSMN_STRING && + n->d.obj[i].lhs->type != JSMN_PRIMITIVE) + continue; + else if (strcmp(name, n->d.obj[i].lhs->d.str)) + continue; + break; + } + if (i == n->fields) + return NULL; + if (n->d.obj[i].rhs->type != JSMN_OBJECT) + return NULL; + return n->d.obj[i].rhs; +} + +/* * Extract a single string from the returned JSON object, making sure * that it's the correct type. * Returns NULL on failure. 
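Review bot: The loop body in json_getobj tests each key in two negative steps, `continue` on a wrong lhs type, `continue` again on a strcmp mismatch, then an unconditional `break`, which reads harder than one positive condition: `if ((n->d.obj[i].lhs->type == JSMN_STRING || n->d.obj[i].lhs->type == JSMN_PRIMITIVE) && strcmp(name, n->d.obj[i].lhs->d.str) == 0) break;`. The same find-the-member loop is presumably what json_getstr and json_getarray already contain (their bodies are outside the hunk), so a static helper returning the matching index, with each getter checking only the rhs type, would keep the three lookups in step. The header comment could also say what the caller gets back, e.g. `Look up member "name" and return its value if that value is itself an object.`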
@@ -373,17 +400,24 @@ json_parse_challenge(struct jsmnn *n, struct chng *p)
 int
 json_parse_capaths(struct jsmnn *n, struct capaths *p)
 {
+ struct jsmnn *meta;
 if (n == NULL)
 return 0;
+ meta = json_getobj(n, "meta");
+
+ if (meta == NULL)
+ return 0;
+
 p->newauthz = json_getstr(n, "new-authz");
 p->newcert = json_getstr(n, "new-cert");
 p->newreg = json_getstr(n, "new-reg");
 p->revokecert = json_getstr(n, "revoke-cert");
+ p->agreement = json_getstr(meta, "terms-of-service");
 return p->newauthz != NULL && p->newcert != NULL &&
- p->newreg != NULL && p->revokecert != NULL;
+ p->newreg != NULL && p->revokecert != NULL && p->agreement != NULL;
 }
 /*
@@ -397,6 +431,7 @@ json_free_capaths(struct capaths *p)
 free(p->newcert);
 free(p->newreg);
 free(p->revokecert);
+ free(p->agreement);
 memset(p, 0, sizeof(struct capaths));
 }
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index a6ce6190b8a..58eb0d40175 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.35 2017/05/27 08:31:08 florian Exp $ */
+/* $Id: main.c,v 1.36 2017/11/27 01:58:52 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -39,7 +39,7 @@ main(int argc, char *argv[])
 char *certdir = NULL, *certfile = NULL;
 char *chainfile = NULL, *fullchainfile = NULL;
 char *acctkey = NULL;
- char *chngdir = NULL, *auth = NULL, *agreement = NULL;
+ char *chngdir = NULL, *auth = NULL;
 char *conffile = CONF_FILE;
 int key_fds[2], acct_fds[2], chng_fds[2], cert_fds[2];
 int file_fds[2], dns_fds[2], rvk_fds[2];
@@ -154,7 +154,6 @@ main(int argc, char *argv[])
 errx(EXIT_FAILURE, "authority %s not found", auth);
 }
- agreement = authority->agreement;
 acctkey = authority->account;
 if (acctkey == NULL) {
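Review bot: json_parse_capaths now returns 0 as soon as the directory lacks a `meta` object, and the new return expression also fails when `meta` has no `terms-of-service`, so a CA that omits either (both are optional in the directory document as far as I know) makes the whole directory parse fail with no diagnostic and nothing stored in *p. Since only a new registration needs the agreement, the absence could be left non-fatal here, `if ((meta = json_getobj(n, "meta")) != NULL) p->agreement = json_getstr(meta, "terms-of-service");` with the original four-field return kept, and donewreg would then decide whether a NULL agreement blocks the new-reg request. Note also that `p->agreement` is now a string the CA supplies over the network and that the client echoes back in its registration request; json_fmt_newreg is outside this commit, so whether it escapes its argument for JSON cannot be confirmed from the hunk.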
@@ -259,8 +258,7 @@ main(int argc, char *argv[])
 chng_fds[1], cert_fds[1], dns_fds[1], rvk_fds[1],
 (popts & ACME_OPT_NEWACCT), revocate, authority,
- (const char *const *)alts, altsz,
- agreement);
+ (const char *const *)alts, altsz);
 free(alts);
 exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
 }
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index a4bcc542dbe..1c2f7f125c9 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/* $Id: netproc.c,v 1.13 2017/01/24 13:32:55 jsing Exp $ */
+/* $Id: netproc.c,v 1.14 2017/11/27 01:58:52 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -325,7 +325,7 @@ sreq(struct conn *c, const char *addr, const char *req)
 * Returns non-zero on success.
 */
 static int
-donewreg(struct conn *c, const char *agreement, const struct capaths *p)
+donewreg(struct conn *c, const struct capaths *p)
 {
 int rc = 0;
 char *req;
@@ -333,7 +333,7 @@ donewreg(struct conn *c, const char *agreement, const struct capaths *p)
 dodbg("%s: new-reg", p->newreg);
- if ((req = json_fmt_newreg(agreement)) == NULL)
+ if ((req = json_fmt_newreg(p->agreement)) == NULL)
 warnx("json_fmt_newreg");
 else if ((lc = sreq(c, p->newreg, req)) < 0)
 warnx("%s: bad comm", p->newreg);
@@ -567,7 +567,7 @@ dofullchain(struct conn *c, const char *addr)
 int
 netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
 int newacct, int revocate, struct authority_c *authority,
- const char *const *alts,size_t altsz, const char *agreement)
+ const char *const *alts,size_t altsz)
 {
 int rc = 0;
 size_t i;
@@ -673,7 +673,7 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
 /* If new, register with the CA server. */
- if (newacct && ! donewreg(&c, agreement, &paths))
+ if (newacct && ! donewreg(&c, &paths))
 goto out;
 /* Pre-authorise all domains with CA server. */
diff --git a/usr.sbin/acme-client/parse.h b/usr.sbin/acme-client/parse.h
index 4993912830a..fc5d1ae5ec1 100644
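Review bot: donewreg now agrees, on the operator's behalf, to whatever terms-of-service URL the CA's directory advertised, but the only trace it leaves is `dodbg("%s: new-reg", p->newreg);` which names the endpoint and not the agreement; logging the URL being accepted keeps the automatic acceptance auditable, `dodbg("%s: new-reg, agreement %s", p->newreg, p->agreement);`. Passing `p->agreement` straight to json_fmt_newreg is safe only because json_parse_capaths in this commit rejects a directory without it; if that check is ever relaxed, donewreg should test for NULL itself before building the request. The body of donewreg starts in the previous hunk and continues past this one.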
--- a/usr.sbin/acme-client/parse.h
+++ b/usr.sbin/acme-client/parse.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.h,v 1.7 2017/01/21 12:59:06 benno Exp $ */
+/* $OpenBSD: parse.h,v 1.8 2017/11/27 01:58:52 florian Exp $ */
 /*
 * Copyright (c) 2016 Sebastian Benoit <benno@openbsd.org>
 *
@@ -30,7 +30,6 @@ struct authority_c {
 TAILQ_ENTRY(authority_c) entry;
 char *name;
- char *agreement;
 char *api;
 char *account;
 };
diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y
index 13e71039d9f..7882c24527e 100644
--- a/usr.sbin/acme-client/parse.y
+++ b/usr.sbin/acme-client/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.18 2017/10/19 06:49:46 jsg Exp $ */
+/* $OpenBSD: parse.y,v 1.19 2017/11/27 01:58:52 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -189,14 +189,8 @@ authorityopts_l : authorityopts_l authorityoptsl nl
 ;
 authorityoptsl : AGREEMENT URL STRING {
- char *s;
- if (auth->agreement != NULL) {
- yyerror("duplicate agreement");
- YYERROR;
- }
- if ((s = strdup($3)) == NULL)
- err(EXIT_FAILURE, "strdup");
- auth->agreement = s;
+ warnx("\"agreement url\" is deprecated.");
+ /* XXX remove after 6.3 */
 }
 | API URL STRING {
 char *s;
@@ -965,8 +959,6 @@ print_config(struct acme_conf *xconf)
 TAILQ_FOREACH(a, &xconf->authority_list, entry) {
 printf("authority %s {\n", a->name);
- if (a->agreement != NULL)
- printf("\tagreement url \"%s\"\n", a->agreement);
 if (a->api != NULL)
 printf("\tapi url \"%s\"\n", a->api);
 if (a->account != NULL)
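Review bot: The deprecated `AGREEMENT URL STRING` action drops the `$3` token without releasing it; the neighbouring `API URL STRING` branch copies `$3` with strdup, which suggests the lexer hands the action heap storage it is expected to own, so `free($3);` after the warning would stop each deprecated line from leaking (the removed code did not free it either, so this is pre-existing, and it only matters if yylex allocates the string). The message could also tell the operator what the client does with the option and what to do about it, e.g. `warnx("\"agreement url\" is deprecated and ignored; remove it from the configuration file.");`. The `authorityoptsl` rule continues past the hunk.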