Date: Fri, 16 Apr 2021 10:14:45 +0200 (CEST)
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>, pmg-devel@lists.proxmox.com
Message-ID: <1847872893.3417.1618560885557@webmail.proxmox.com>
Subject: Re: [pmg-devel] [PATCH pmg-api v3 1/3] acme: handle wildcard dns
 validation

took me a bit to "tune" back into "no, it autovivifies,
and no, it won't "panic!()" when indexing with a wrong value
(the deliberate empty string)"
but hey, that's just perl ;-)

lgtm 👍

> On 04/15/2021 9:46 PM Stoiko Ivanov <s.ivanov@proxmox.com> wrote:
>
>
> Wildcard DNS names (*.domain.example) are validated through their
> base-domain (domain.example) according to the ACME RFC [0].
>
> We store the indirection while parsing the acme config, and check for
> an extra validation target during ordering.
>
> This makes it possible to order wildcard certificates which are not
> valid for the base-domain.
>
> [0] https://tools.ietf.org/html/rfc8555#section-7.1.3
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> v2->v3:
> * add indirection
>  src/PMG/API2/Certificates.pm | 5 +++++
>  src/PMG/NodeConfig.pm        | 6 ++++++
>  2 files changed, 11 insertions(+)
>
> diff --git a/src/PMG/API2/Certificates.pm b/src/PMG/API2/Certificates.pm
> index c08deb6..351d1c5 100644
> --- a/src/PMG/API2/Certificates.pm
> +++ b/src/PMG/API2/Certificates.pm
> @@ -359,6 +359,11 @@ my $order_certificate =3D sub {
>  =09    print "The validation for $domain is pending!\n";
> =20
>  =09    my $domain_config =3D $acme_node_config->{domains}->{$domain};
> +=09    if (!defined($domain_config)) {
> +=09=09# wildcard domains are validated through the basedomain
> +=09=09my $vtarget =3D $acme_node_config->{validationtarget}->{$domain} /=
/ '';
> +=09=09$domain_config =3D $acme_node_config->{domains}->{$vtarget};
> +=09    }
>  =09    die "no config for domain '$domain'\n" if !$domain_config;
> =20
>  =09    my $plugin_id =3D $domain_config->{plugin};
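Review bot: the fallback under `if (!defined($domain_config))` is only reached when the identifier has no entry of its own in `domains`, so a node that configures both `domain.example` and `*.domain.example` will handle the wildcard's authorization (whose identifier is the base domain) with the base domain's plugin, which need not be a DNS plugin; either reject that combination at config-parse time or document it here. Minor: `my $vtarget = ... // ''` followed by `$acme_node_config->{domains}->{$vtarget}` relies on there never being a `''` key in `domains`; `if (my $vtarget = $acme_node_config->{validationtarget}->{$domain}) { $domain_config = $acme_node_config->{domains}->{$vtarget}; }` states the intent without the empty-string lookup.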
> diff --git a/src/PMG/NodeConfig.pm b/src/PMG/NodeConfig.pm
> index 6472a9d..5f96e62 100644
> --- a/src/PMG/NodeConfig.pm
> +++ b/src/PMG/NodeConfig.pm
> @@ -216,6 +216,12 @@ sub get_acme_conf {
>  =09=09if !$plugins->{ids}->{$plugin_id};
>  =09}
> =20
> +=09# validation for wildcard domain names happens on the domain w/o
> +=09# wildcard - see https://tools.ietf.org/html/rfc8555#section-7.1.3
> +=09if ($domain =3D~ /^\*\.(.*)$/ ) {
> +=09    $res->{validationtarget}->{$1} =3D $domain;
> +=09}
> +
>  =09$parsed->{_configkey} =3D "acmedomain$index";
>  =09$res->{domains}->{$domain} =3D $parsed;
>      }
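Review bot: `/^\*\.(.*)$/` accepts anything after the leading `*.`, including an empty base (`*.`) or a further wildcard (`*.*.domain.example`), and a second wildcard entry with the same base silently overwrites the earlier `validationtarget` key. Unless domain syntax is already validated elsewhere, a tighter capture such as `/^\*\.([^*\s]+)$/` plus a `die` on a duplicate key would report the misconfiguration at parse time instead of at ordering. Since the plugin id is resolved just above (`if !$plugins->{ids}->{$plugin_id};`), this is also the natural place to refuse a wildcard domain whose plugin is not a DNS-type plugin, as a wildcard authorization can in practice only be satisfied by a DNS-based challenge.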
> --=20
> 2.20.1
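As an added illustration (not code from the patch or from PMG itself), the two hunks assembled into one stand-alone Perl script with a constructed config: the domain names and plugin ids are made up, and the sample deliberately includes a base domain configured alongside its own wildcard.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of parsed acmedomainN entries; plugin ids are made up.
my @entries = (
    { domain => '*.mail.example', plugin => 'dns-example' },
    { domain => 'mx.example',     plugin => 'standalone'  },
    { domain => '*.web.example',  plugin => 'dns-example' },
    { domain => 'web.example',    plugin => 'standalone'  },  # base configured too
);

# Same bookkeeping as the NodeConfig.pm hunk: every wildcard entry registers
# its base domain as a validation target pointing back at the wildcard.
sub build_acme_conf {
    my ($list) = @_;
    my $res = { domains => {} };
    for my $parsed (@$list) {
        my $domain = $parsed->{domain};
        if ($domain =~ /^\*\.(.*)$/) {
            $res->{validationtarget}->{$1} = $domain;
        }
        $res->{domains}->{$domain} = $parsed;
    }
    return $res;
}

# Same lookup as the Certificates.pm hunk: an authorization for a wildcard
# carries the base domain as its identifier, so fall back through
# validationtarget when the identifier has no config of its own.
sub config_for_identifier {
    my ($conf, $domain) = @_;
    my $domain_config = $conf->{domains}->{$domain};
    if (!defined($domain_config)) {
        my $vtarget = $conf->{validationtarget}->{$domain} // '';
        $domain_config = $conf->{domains}->{$vtarget};
    }
    die "no config for domain '$domain'\n" if !$domain_config;
    return $domain_config;
}

my $conf = build_acme_conf(\@entries);
for my $ident (qw(mail.example mx.example web.example other.example)) {
    my $cfg = eval { config_for_identifier($conf, $ident) };
    if ($cfg) {
        print "$ident -> $cfg->{domain} via $cfg->{plugin}\n";
    } else {
        print "$ident -> $@";
    }
}
```

The `web.example` line shows the collision case: because the identifier has a direct entry, the wildcard's authorization never reaches the `validationtarget` fallback and is handled with the `standalone` plugin, while `other.example` takes the `die` path.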