policy

package
v0.0.0-...-81542c4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 16, 2017 License: MPL-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthorityImpl

type AuthorityImpl struct {
	// contains filtered or unexported fields
}

AuthorityImpl enforces CA policy decisions.

func New

func New(challengeTypes map[string]bool) (*AuthorityImpl, error)

New constructs a Policy Authority. TODO(https://github.com/letsencrypt/boulder/issues/1616): Remove the _ bool argument (used to be enforceWhitelist). Update all callers.

func (*AuthorityImpl) ChallengesFor

func (pa *AuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier) ([]core.Challenge, [][]int)

ChallengesFor makes a decision of what challenges, and combinations, are acceptable for the given identifier.

Note: Current implementation is static, but future versions may not be.

func (*AuthorityImpl) SetHostnamePolicyFile

func (pa *AuthorityImpl) SetHostnamePolicyFile(f string) error

SetHostnamePolicyFile will load the given policy file, returning error if it fails. It will also start a reloader in case the file changes.

func (*AuthorityImpl) WillingToIssue

func (pa *AuthorityImpl) WillingToIssue(id core.AcmeIdentifier) error

WillingToIssue determines whether the CA is willing to issue for the provided identifier. It expects domains in id to be lowercase to prevent mismatched cases breaking queries.

We place several criteria on identifiers we are willing to issue for:

  • MUST self-identify as DNS identifiers
  • MUST contain only bytes in the DNS hostname character set
  • MUST NOT have more than maxLabels labels
  • MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181 In particular:
  • MUST NOT contain underscores
  • MUST NOT contain IDN labels (xn--)
  • MUST NOT match the syntax of an IP address
  • MUST end in a public suffix
  • MUST have at least one label in addition to the public suffix
  • MUST NOT be a label-wise suffix match for a name on the black list, where comparison is case-independent (normalized to lower case)

If WillingToIssue returns an error, it will be of type MalformedRequestError.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL