| author | Sean Liao <sean@liao.dev> | 2025-11-09 12:55:47 +0000 |
|---|---|---|
| committer | Sean Liao <sean@liao.dev> | 2026-02-13 09:12:11 -0800 |
| commit | a408498e55412f2ae2a058336f78889fb1ba6115 (patch) | |
| tree | 9bb721b4642324d10b8184b4429eef82c8d4c1eb | |
| parent | cab0f718548e8a858701b7b48161f44748532f58 (diff) | |
| download | go-x-crypto-a408498e55412f2ae2a058336f78889fb1ba6115.tar.xz | |
acme: only require prompt if server has terms of service
Fixes golang/go#64881
Change-Id: I2b4415e6f987aab258c26c090ac7b1a465aa1697
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/719001
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
| -rw-r--r-- | acme/autocert/autocert.go | 4 | ||||
| -rw-r--r-- | acme/autocert/autocert_test.go | 2 | ||||
| -rw-r--r-- | acme/autocert/internal/acmetest/ca.go | 4 | ||||
| -rw-r--r-- | acme/rfc8555.go | 3 |
4 files changed, 7 insertions, 6 deletions
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index cde9066..69461e3 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -248,10 +248,6 @@ func (m *Manager) TLSConfig() *tls.Config {
 // If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will
 // also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler for http-01.
 func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- if m.Prompt == nil {
- return nil, errors.New("acme/autocert: Manager.Prompt not set")
- }
-
 name := hello.ServerName
 if name == "" {
 return nil, errors.New("acme/autocert: missing server name")
diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
index 8ca8e2b..d9f19c2 100644
--- a/acme/autocert/autocert_test.go
+++ b/acme/autocert/autocert_test.go
@@ -201,7 +201,7 @@ func TestGetCertificate(t *testing.T) {
 prepare: func(t *testing.T, man *Manager, s *acmetest.CAServer) {
 man.Prompt = nil
 },
- expectError: "Manager.Prompt not set",
+ expectError: "missing Manager.Prompt",
 },
 {
 name: "trailingDot",
diff --git a/acme/autocert/internal/acmetest/ca.go b/acme/autocert/internal/acmetest/ca.go
index c7ddd3d..c80a81c 100644
--- a/acme/autocert/internal/acmetest/ca.go
+++ b/acme/autocert/internal/acmetest/ca.go
@@ -239,7 +239,8 @@ type discovery struct {
 }

 type discoveryMeta struct {
- ExternalAccountRequired bool `json:"externalAccountRequired,omitempty"`
+ Terms string `json:"termsOfService,omitempty"`
+ ExternalAccountRequired bool `json:"externalAccountRequired,omitempty"`
 }

 type challenge struct {
@@ -281,6 +282,7 @@ func (ca *CAServer) handle(w http.ResponseWriter, r *http.Request) {
 NewAccount: ca.serverURL("/new-account"),
 NewOrder: ca.serverURL("/new-order"),
 Meta: discoveryMeta{
+ Terms: ca.serverURL("/terms"),
 ExternalAccountRequired: ca.eabRequired,
 },
 }
diff --git a/acme/rfc8555.go b/acme/rfc8555.go
index 976b277..1fb110e 100644
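Review bot: In acme/autocert/internal/acmetest/ca.go, `Terms: ca.serverURL("/terms")` is set unconditionally, so every directory this test CA serves advertises terms of service. The case this commit enables, a nil `Manager.Prompt` against a server with no `termsOfService`, therefore has no coverage in the tests shown; the only related case in autocert_test.go still expects an error. Consider gating the field on a CAServer option, for example `if ca.termsRequired { meta.Terms = ca.serverURL("/terms") }` (field name constructed for illustration), and adding a TestGetCertificate case that sets `man.Prompt = nil` with terms disabled and expects a certificate. It is not visible here whether the handler serves `/terms`; if it does not, a short comment that the URL is advertised but never fetched would help. The body of `handle` continues outside the hunk.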
--- a/acme/rfc8555.go
+++ b/acme/rfc8555.go
@@ -53,6 +53,9 @@ func (c *Client) registerRFC(ctx context.Context, acct *Account, prompt func(tos
 Contact: acct.Contact,
 }
 if c.dir.Terms != "" {
+ if prompt == nil {
+ return nil, errors.New("acme: missing Manager.Prompt to accept server's terms of service")
+ }
 req.TermsAgreed = prompt(c.dir.Terms)
 }

|
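Review bot: The new error text names `Manager.Prompt`, but the guard sits in `Client.registerRFC` in package acme, where `prompt` is a plain function parameter. A caller using the acme client directly has no Manager and is pointed at a field that does not exist for them. Wording that fits both callers would be `errors.New("acme: missing prompt to accept server's terms of service")`, with autocert wrapping the error to add the `Manager.Prompt` hint if wanted; the autocert test in this commit matches on "missing Manager.Prompt" and would need the same update. The guard itself is worth keeping, since it returns an error instead of calling a nil function and keeps terms-of-service agreement an explicit caller decision. The body of `registerRFC` starts and ends outside the hunk.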
