Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var BlacklistedError = errors.New("Name is blacklisted")
View Source
var InvalidIdentifierError = errors.New("Invalid identifier type")
View Source
var NonPublicError = errors.New("Name does not end in a public suffix")
View Source
var SyntaxError = errors.New("Syntax error")
Functions ¶
This section is empty.
Types ¶
type PolicyAuthorityImpl ¶
type PolicyAuthorityImpl struct { PublicSuffixList map[string]bool // A copy of the DNS root zone Blacklist map[string]bool // A blacklist of denied names // contains filtered or unexported fields }
func NewPolicyAuthorityImpl ¶
func NewPolicyAuthorityImpl() *PolicyAuthorityImpl
func (PolicyAuthorityImpl) ChallengesFor ¶
func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier) (challenges []core.Challenge, combinations [][]int)
For now, we just issue DVSNI and SimpleHTTPS challenges for everything
func (PolicyAuthorityImpl) WillingToIssue ¶
func (pa PolicyAuthorityImpl) WillingToIssue(id core.AcmeIdentifier) error
We place several criteria on identifiers we are willing to issue for:
- MUST self-identify as DNS identifiers
- MUST contain only bytes in the DNS hostname character set
- MUST NOT have more than maxLabels labels
- MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181 In particular:
- MUST NOT contain underscores
- MUST NOT contain IDN labels (xn--)
- MUST NOT match the syntax of an IP address
- MUST end in a public suffix
- MUST have at least one label in addition to the public suffix
- MUST NOT be a label-wise suffix match for a name on the black list, where comparison is case-independent (normalized to lower case)
XXX: Is there any need for this method to be constant-time? We're
going to refuse to issue anyway, but timing could leak whether names are on the blacklist.
XXX: We should probably fold everything to lower-case somehow.
Click to show internal directories.
Click to hide internal directories.