sing-box/common/tls/acme.go

//go:build with_acme

package tls

import (
	"context"
	"crypto/tls"
	"os"
	"strings"

	"github.com/sagernet/sing-box/adapter"
	C "github.com/sagernet/sing-box/constant"
	"github.com/sagernet/sing-box/option"
	E "github.com/sagernet/sing/common/exceptions"

	"github.com/caddyserver/certmagic"
	"github.com/libdns/alidns"
	"github.com/libdns/cloudflare"
	"github.com/mholt/acmez/acme"
	"go.uber.org/zap"
	"go.uber.org/zap/zapcore"
)

type acmeWrapper struct {
	ctx    context.Context
	cfg    *certmagic.Config
	cache  *certmagic.Cache
	domain []string
}

func (w *acmeWrapper) Start() error {
	return w.cfg.ManageSync(w.ctx, w.domain)
}

func (w *acmeWrapper) Close() error {
	w.cache.Stop()
	return nil
}

func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
	var acmeServer string
	switch options.Provider {
	case "", "letsencrypt":
		acmeServer = certmagic.LetsEncryptProductionCA
	case "zerossl":
		acmeServer = certmagic.ZeroSSLProductionCA
	default:
		if !strings.HasPrefix(options.Provider, "https://") {
			return nil, nil, E.New("unsupported acme provider: " + options.Provider)
		}
		acmeServer = options.Provider
	}
	var storage certmagic.Storage
	if options.DataDirectory != "" {
		storage = &certmagic.FileStorage{
			Path: options.DataDirectory,
		}
	} else {
		storage = certmagic.Default.Storage
	}
	config := &certmagic.Config{
		DefaultServerName: options.DefaultServerName,
		Storage:           storage,
		Logger: zap.New(zapcore.NewCore(
			zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
			os.Stderr,
			zap.InfoLevel,
		)),
	}
	acmeConfig := certmagic.ACMEIssuer{
		CA:                      acmeServer,
		Email:                   options.Email,
		Agreed:                  true,
		DisableHTTPChallenge:    options.DisableHTTPChallenge,
		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
		AltHTTPPort:             int(options.AlternativeHTTPPort),
		AltTLSALPNPort:          int(options.AlternativeTLSPort),
		Logger:                  config.Logger,
	}
	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
		var solver certmagic.DNS01Solver
		switch dnsOptions.Provider {
		case C.DNSProviderAliDNS:
			solver.DNSProvider = &alidns.Provider{
				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
				RegionID:     dnsOptions.AliDNSOptions.RegionID,
			}
		case C.DNSProviderCloudflare:
			solver.DNSProvider = &cloudflare.Provider{
				APIToken: dnsOptions.CloudflareOptions.APIToken,
			}
		default:
			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
		}
		acmeConfig.DNS01Solver = &solver
	}
	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
	}
	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
	cache := certmagic.NewCache(certmagic.CacheOptions{
		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
			return config, nil
		},
	})
	config = certmagic.New(cache, *config)
	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
}
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`//go:build with_acme`

Refactor TLS 2022-09-09 10:45:10 +00:00			`package tls`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00
			`import (`
			`"context"`
			`"crypto/tls"`
Fix acme config 2022-12-06 05:36:42 +00:00			`"os"`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`"strings"`

			`"github.com/sagernet/sing-box/adapter"`
Add ACME DNS01 challenge support via libdns 2023-09-16 13:37:22 +00:00			`C "github.com/sagernet/sing-box/constant"`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`"github.com/sagernet/sing-box/option"`
			`E "github.com/sagernet/sing/common/exceptions"`
Add ACME EAB support 2022-08-24 09:04:15 +00:00
Refactor to miekg/dns 2022-09-13 08:18:39 +00:00			`"github.com/caddyserver/certmagic"`
Add ACME DNS01 challenge support via libdns 2023-09-16 13:37:22 +00:00			`"github.com/libdns/alidns"`
			`"github.com/libdns/cloudflare"`
Add ACME EAB support 2022-08-24 09:04:15 +00:00			`"github.com/mholt/acmez/acme"`
Fix acme config 2022-12-06 05:36:42 +00:00			`"go.uber.org/zap"`
			`"go.uber.org/zap/zapcore"`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`)`

			`type acmeWrapper struct {`
			`ctx context.Context`
			`cfg *certmagic.Config`
Fix certmagic usage 2023-07-20 12:03:20 +00:00			`cache *certmagic.Cache`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`domain []string`
			`}`

			`func (w *acmeWrapper) Start() error {`
			`return w.cfg.ManageSync(w.ctx, w.domain)`
			`}`

			`func (w *acmeWrapper) Close() error {`
Fix certmagic usage 2023-07-20 12:03:20 +00:00			`w.cache.Stop()`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`return nil`
			`}`

Add ssh outbound 2022-08-21 11:36:08 +00:00			`func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`var acmeServer string`
			`switch options.Provider {`
			`case "", "letsencrypt":`
			`acmeServer = certmagic.LetsEncryptProductionCA`
			`case "zerossl":`
			`acmeServer = certmagic.ZeroSSLProductionCA`
			`default:`
			`if !strings.HasPrefix(options.Provider, "https://") {`
			`return nil, nil, E.New("unsupported acme provider: " + options.Provider)`
			`}`
			`acmeServer = options.Provider`
			`}`
			`var storage certmagic.Storage`
			`if options.DataDirectory != "" {`
			`storage = &certmagic.FileStorage{`
			`Path: options.DataDirectory,`
			`}`
Fix acme issuer 2022-08-19 10:05:26 +00:00			`} else {`
			`storage = certmagic.Default.Storage`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`}`
Fix acme issuer 2022-08-19 10:05:26 +00:00			`config := &certmagic.Config{`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`DefaultServerName: options.DefaultServerName,`
Fix acme issuer 2022-08-19 10:05:26 +00:00			`Storage: storage,`
Fix acme config 2022-12-06 05:36:42 +00:00			`Logger: zap.New(zapcore.NewCore(`
			`zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),`
			`os.Stderr,`
			`zap.InfoLevel,`
			`)),`
Fix acme issuer 2022-08-19 10:05:26 +00:00			`}`
Add ACME EAB support 2022-08-24 09:04:15 +00:00			`acmeConfig := certmagic.ACMEIssuer{`
			`CA: acmeServer,`
			`Email: options.Email,`
			`Agreed: true,`
			`DisableHTTPChallenge: options.DisableHTTPChallenge,`
			`DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,`
			`AltHTTPPort: int(options.AlternativeHTTPPort),`
			`AltTLSALPNPort: int(options.AlternativeTLSPort),`
Fix acme config 2022-12-06 05:36:42 +00:00			`Logger: config.Logger,`
Add ACME EAB support 2022-08-24 09:04:15 +00:00			`}`
Add ACME DNS01 challenge support via libdns 2023-09-16 13:37:22 +00:00			`if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {`
			`var solver certmagic.DNS01Solver`
			`switch dnsOptions.Provider {`
			`case C.DNSProviderAliDNS:`
			`solver.DNSProvider = &alidns.Provider{`
			`AccKeyID: dnsOptions.AliDNSOptions.AccessKeyID,`
			`AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,`
			`RegionID: dnsOptions.AliDNSOptions.RegionID,`
			`}`
			`case C.DNSProviderCloudflare:`
			`solver.DNSProvider = &cloudflare.Provider{`
			`APIToken: dnsOptions.CloudflareOptions.APIToken,`
			`}`
Fix ACME DNS01 DNS challenge 2023-09-23 09:49:56 +00:00			`default:`
			`return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)`
Add ACME DNS01 challenge support via libdns 2023-09-16 13:37:22 +00:00			`}`
Fix ACME DNS01 DNS challenge 2023-09-23 09:49:56 +00:00			`acmeConfig.DNS01Solver = &solver`
Add ACME DNS01 challenge support via libdns 2023-09-16 13:37:22 +00:00			`}`
Fix acme config 2022-12-06 05:36:42 +00:00			`if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {`
Add ACME EAB support 2022-08-24 09:04:15 +00:00			`acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)`
Fix acme issuer 2022-08-19 10:05:26 +00:00			`}`
Add ACME EAB support 2022-08-24 09:04:15 +00:00			`config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}`
Fix certmagic usage 2023-07-20 12:03:20 +00:00			`cache := certmagic.NewCache(certmagic.CacheOptions{`
Fix acme issuer 2022-08-19 10:05:26 +00:00			`GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {`
			`return config, nil`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`},`
Fix certmagic usage 2023-07-20 12:03:20 +00:00			`})`
			`config = certmagic.New(cache, *config)`
			`return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil`
Add hysteria and acme TLS certificate issuer (#18) * Add hysteria client/server * Add acme TLS certificate issuer 2022-08-19 07:42:57 +00:00			`}`