Bump cfssl to 56268a6

2018-08-08 21:22:01 -07:00
parent 952fc9f6f8
commit ed7304b30c
45 changed files with 7832 additions and 241 deletions
--- a/vendor/github.com/cloudflare/cfssl/cli/config.go
+++ b/vendor/github.com/cloudflare/cfssl/cli/config.go
@@ -30,6 +30,7 @@ type Config struct {
 	IntBundleFile     string
 	Address           string
 	Port              int
+	MinTLSVersion     string
 	Password          string
 	ConfigFile        string
 	CFG               *config.Config
@@ -68,6 +69,7 @@ type Config struct {
 	AKI               string
 	DBConfigFile      string
 	CRLExpiration     time.Duration
+	Disable     	  string
 }

 // registerFlags defines all cfssl command flags and associates their values with variables.
@@ -90,6 +92,7 @@ func registerFlags(c *Config, f *flag.FlagSet) {
 	f.StringVar(&c.IntBundleFile, "int-bundle", "", "path to intermediate certificate store")
 	f.StringVar(&c.Address, "address", "127.0.0.1", "Address to bind")
 	f.IntVar(&c.Port, "port", 8888, "Port to bind")
+	f.StringVar(&c.MinTLSVersion, "min-tls-version", "", "Minimum version of TLS to use, defaults to 1.0")
 	f.StringVar(&c.ConfigFile, "config", "", "path to configuration file")
 	f.StringVar(&c.Profile, "profile", "", "signing profile to use")
 	f.BoolVar(&c.IsCA, "initca", false, "initialise new CA")
@@ -128,6 +131,7 @@ func registerFlags(c *Config, f *flag.FlagSet) {
 	f.StringVar(&c.DBConfigFile, "db-config", "", "certificate db configuration file")
 	f.DurationVar(&c.CRLExpiration, "expiry", 7*helpers.OneDay, "time from now after which the CRL will expire (default: one week)")
 	f.IntVar(&log.Level, "loglevel", log.LevelInfo, "Log level (0 = DEBUG, 5 = FATAL)")
+	f.StringVar(&c.Disable, "disable", "", "endpoints to disable")
 }

 // RootFromConfig returns a universal signer Root structure that can
--- a/vendor/github.com/cloudflare/cfssl/cli/serve/BUILD
+++ b/vendor/github.com/cloudflare/cfssl/cli/serve/BUILD
@@ -14,6 +14,7 @@ go_library(
        "//vendor/github.com/cloudflare/cfssl/api/crl:go_default_library",
        "//vendor/github.com/cloudflare/cfssl/api/gencrl:go_default_library",
        "//vendor/github.com/cloudflare/cfssl/api/generator:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/api/health:go_default_library",
        "//vendor/github.com/cloudflare/cfssl/api/info:go_default_library",
        "//vendor/github.com/cloudflare/cfssl/api/initca:go_default_library",
        "//vendor/github.com/cloudflare/cfssl/api/ocsp:go_default_library",
--- a/vendor/github.com/cloudflare/cfssl/cli/serve/serve.go
+++ b/vendor/github.com/cloudflare/cfssl/cli/serve/serve.go
@@ -20,6 +20,7 @@ import (
 	"github.com/cloudflare/cfssl/api/crl"
 	"github.com/cloudflare/cfssl/api/gencrl"
 	"github.com/cloudflare/cfssl/api/generator"
+	"github.com/cloudflare/cfssl/api/health"
 	"github.com/cloudflare/cfssl/api/info"
 	"github.com/cloudflare/cfssl/api/initca"
 	apiocsp "github.com/cloudflare/cfssl/api/ocsp"
@@ -45,21 +46,21 @@ import (
 var serverUsageText = `cfssl serve -- set up a HTTP server handles CF SSL requests

 Usage of serve:
-        cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
+        cfssl serve [-address address] [-min-tls-version version] [-ca cert] [-ca-bundle bundle] \
                    [-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
                    [-metadata file] [-remote remote_host] [-config config] \
-                    [-responder cert] [-responder-key key] [-tls-cert cert] [-tls-key key] \
-                    [-mutual-tls-ca ca] [-mutual-tls-cn regex] \
+                    [-responder cert] [-responder-key key] \
+                    [-tls-cert cert] [-tls-key key] [-mutual-tls-ca ca] [-mutual-tls-cn regex] \
                    [-tls-remote-ca ca] [-mutual-tls-client-cert cert] [-mutual-tls-client-key key] \
-                    [-db-config db-config]
+                    [-db-config db-config] [-disable endpoint[,endpoint]]

 Flags:
 `

 // Flags used by 'cfssl serve'
-var serverFlags = []string{"address", "port", "ca", "ca-key", "ca-bundle", "int-bundle", "int-dir", "metadata",
-	"remote", "config", "responder", "responder-key", "tls-key", "tls-cert", "mutual-tls-ca", "mutual-tls-cn",
-	"tls-remote-ca", "mutual-tls-client-cert", "mutual-tls-client-key", "db-config"}
+var serverFlags = []string{"address", "port", "min-tls-version", "ca", "ca-key", "ca-bundle", "int-bundle", "int-dir",
+	"metadata", "remote", "config", "responder", "responder-key", "tls-key", "tls-cert", "mutual-tls-ca",
+	"mutual-tls-cn", "tls-remote-ca", "mutual-tls-client-cert", "mutual-tls-client-key", "db-config", "disable"}

 var (
 	conf       cli.Config
@@ -80,7 +81,7 @@ func v1APIPath(path string) string {
 }

 // httpBox implements http.FileSystem which allows the use of Box with a http.FileServer.
-// Atempting to Open an API endpoint will result in an error.
+// Attempting to Open an API endpoint will result in an error.
 type httpBox struct {
 	*rice.Box
 	redirects map[string]string
@@ -241,13 +242,27 @@ var endpoints = map[string]func() (http.Handler, error){

 		return http.FileServer(staticBox), nil
 	},
+
+	"health": func() (http.Handler, error) {
+		return health.NewHealthCheck(), nil
+	},
 }

 // registerHandlers instantiates various handlers and associate them to corresponding endpoints.
 func registerHandlers() {
+	disabled := make(map[string]bool)
+	if conf.Disable != "" {
+		for _, endpoint := range strings.Split(conf.Disable, ",") {
+			disabled[endpoint] = true
+		}
+	}
+
 	for path, getHandler := range endpoints {
 		log.Debugf("getHandler for %s", path)
-		if handler, err := getHandler(); err != nil {
+
+		if _, ok := disabled[path]; ok {
+			log.Infof("endpoint '%s' is explicitly disabled", path)
+		} else if handler, err := getHandler(); err != nil {
 			log.Warningf("endpoint '%s' is disabled: %v", path, err)
 		} else {
 			if path, handler, err = wrapHandler(path, handler, err); err != nil {
@@ -298,6 +313,11 @@ func serverMain(args []string, c cli.Config) error {

 	addr := net.JoinHostPort(conf.Address, strconv.Itoa(conf.Port))

+	tlscfg := tls.Config{}
+	if conf.MinTLSVersion != "" {
+		tlscfg.MinVersion = helpers.StringTLSVersion(conf.MinTLSVersion)
+	}
+
 	if conf.TLSCertFile == "" || conf.TLSKeyFile == "" {
 		log.Info("Now listening on ", addr)
 		return http.ListenAndServe(addr, nil)
@@ -308,12 +328,12 @@ func serverMain(args []string, c cli.Config) error {
 			return fmt.Errorf("failed to load mutual TLS CA file: %s", err)
 		}

+		tlscfg.ClientAuth = tls.RequireAndVerifyClientCert
+		tlscfg.ClientCAs = clientPool
+
 		server := http.Server{
-			Addr: addr,
-			TLSConfig: &tls.Config{
-				ClientAuth: tls.RequireAndVerifyClientCert,
-				ClientCAs:  clientPool,
-			},
+			Addr:      addr,
+			TLSConfig: &tlscfg,
 		}

 		if conf.MutualTLSCNRegex != "" {
@@ -338,7 +358,11 @@ func serverMain(args []string, c cli.Config) error {
 		return server.ListenAndServeTLS(conf.TLSCertFile, conf.TLSKeyFile)
 	}
 	log.Info("Now listening on https://", addr)
-	return http.ListenAndServeTLS(addr, conf.TLSCertFile, conf.TLSKeyFile, nil)
+	server := http.Server{
+		Addr:      addr,
+		TLSConfig: &tlscfg,
+	}
+	return server.ListenAndServeTLS(conf.TLSCertFile, conf.TLSKeyFile)

 }

--- a/vendor/github.com/cloudflare/cfssl/cli/version/version.go
+++ b/vendor/github.com/cloudflare/cfssl/cli/version/version.go
@@ -14,7 +14,7 @@ var version = struct {
 	Minor    int
 	Patch    int
 	Revision string
-}{1, 3, 0, "release"}
+}{1, 3, 2, "release"}

 func versionString() string {
 	return fmt.Sprintf("%d.%d.%d", version.Major, version.Minor, version.Patch)