pki

package
v1.14.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 20, 2023 License: MPL-2.0 Imports: 65 Imported by: 102

Documentation

Index

Constants

View Source
const (
	DNSChallengePrefix = "_acme-challenge."
	ALPNProtocol       = "acme-tls/1"
)
View Source
const (
	IssuerRefNotFound = issuerID("not-found")
	KeyRefNotFound    = keyID("not-found")
)
View Source
const (
	ReadOnlyUsage    issuerUsage = iota
	IssuanceUsage    issuerUsage = 1 << iota
	CRLSigningUsage  issuerUsage = 1 << iota
	OCSPSigningUsage issuerUsage = 1 << iota

	// When adding a new usage in the future, we'll need to create a usage
	// mask field on the IssuerEntry and handle migrations to a newer mask,
	// inferring a value for the new bits.
	AllIssuerUsages = ReadOnlyUsage | IssuanceUsage | CRLSigningUsage | OCSPSigningUsage
)
View Source
const ChallengeAttemptFailedMsg = "" /* 140-byte string literal not displayed */
View Source
const ErrorContentType = "application/problem+json"
View Source
const ErrorPrefix = "urn:ietf:params:acme:error:"

Error prefix; see RFC 8555 Section 6.7. Errors.

View Source
const MaxRetryAttempts = 5
View Source
const SecretCertsType = "pki"

SecretCertsType is the name used to identify this type

Variables

View Source
var (
	ErrAlreadyRevoked          = errors.New("The request specified a certificate to be revoked that has already been revoked")
	ErrBadCSR                  = errors.New("The CSR is unacceptable")
	ErrBadNonce                = errors.New("The client sent an unacceptable anti-replay nonce")
	ErrBadPublicKey            = errors.New("The JWS was signed by a public key the server does not support")
	ErrBadRevocationReason     = errors.New("The revocation reason provided is not allowed by the server")
	ErrBadSignatureAlgorithm   = errors.New("The JWS was signed with an algorithm the server does not support")
	ErrCAA                     = errors.New("Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate")
	ErrCompound                = errors.New("Specific error conditions are indicated in the 'subproblems' array")
	ErrConnection              = errors.New("The server could not connect to validation target")
	ErrDNS                     = errors.New("There was a problem with a DNS query during identifier validation")
	ErrExternalAccountRequired = errors.New("The request must include a value for the 'externalAccountBinding' field")
	ErrIncorrectResponse       = errors.New("Response received didn't match the challenge's requirements")
	ErrInvalidContact          = errors.New("A contact URL for an account was invalid")
	ErrMalformed               = errors.New("The request message was malformed")
	ErrOrderNotReady           = errors.New("The request attempted to finalize an order that is not ready to be finalized")
	ErrRateLimited             = errors.New("The request exceeds a rate limit")
	ErrRejectedIdentifier      = errors.New("The server will not issue certificates for the identifier")
	ErrServerInternal          = errors.New("The server experienced an internal error")
	ErrTLS                     = errors.New("The server received a TLS error during validation")
	ErrUnauthorized            = errors.New("The client lacks sufficient authorization")
	ErrUnsupportedContact      = errors.New("A contact URL for an account used an unsupported protocol scheme")
	ErrUnsupportedIdentifier   = errors.New("An identifier is of an unsupported type")
	ErrUserActionRequired      = errors.New("Visit the 'instance' URL and take actions specified there")
)
View Source
var (
	OcspUnauthorizedResponse = &logical.Response{
		Data: map[string]interface{}{
			logical.HTTPContentType: ocspResponseContentType,
			logical.HTTPStatusCode:  http.StatusUnauthorized,
			logical.HTTPRawBody:     ocsp.UnauthorizedErrorResponse,
		},
	}
	OcspMalformedResponse = &logical.Response{
		Data: map[string]interface{}{
			logical.HTTPContentType: ocspResponseContentType,
			logical.HTTPStatusCode:  http.StatusBadRequest,
			logical.HTTPRawBody:     ocsp.MalformedRequestErrorResponse,
		},
	}
	OcspInternalErrorResponse = &logical.Response{
		Data: map[string]interface{}{
			logical.HTTPContentType: ocspResponseContentType,
			logical.HTTPStatusCode:  http.StatusInternalServerError,
			logical.HTTPRawBody:     ocsp.InternalErrorErrorResponse,
		},
	}

	ErrMissingOcspUsage = errors.New("issuer entry did not have the OCSPSigning usage")
	ErrIssuerHasNoKey   = errors.New("issuer has no key")
	ErrUnknownIssuer    = errors.New("unknown issuer")
)

These response variables should not be mutated, instead treat them as constants

View Source
var ALPNPort = "443"

While this should be a constant, there's no way to do a low-level test of ValidateTLSALPN01Challenge without spinning up a complicated Docker instance to build a custom responder. Because we already have a local toolchain, it is far easier to drive this through Go tests with a custom (high) port, rather than requiring permission to bind to port 443 (root-run tests are even worse).

View Source
var AllowedEabJWSTypes = map[string]interface{}{
	"HS256": true,
	"HS384": true,
	"HS512": true,
}
View Source
var AllowedOuterJWSTypes = map[string]interface{}{
	"RS256":  true,
	"RS384":  true,
	"RS512":  true,
	"PS256":  true,
	"PS384":  true,
	"PS512":  true,
	"ES256":  true,
	"ES384":  true,
	"ES512":  true,
	"EdDSA2": true,
}
View Source
var ErrAccountDoesNotExist = errors.New("The request specified an account that does not exist")

See RFC 8555 Section 6.7. Errors.

View Source
var ErrAcmeDisabled = errors.New("ACME feature is disabled")
View Source
var ErrStorageItemNotFound = errors.New("storage item not found")
View Source
var MaxChallengeTimeout = 1 * time.Minute
View Source
var OIDACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

OID of the acmeIdentifier X.509 Certificate Extension.

Functions

func Backend

func Backend(conf *logical.BackendConfig) *backend

Backend returns a new Backend framework struct

func CBDelete added in v1.10.5

func CBDelete(b *backend, s logical.Storage, path string) (*logical.Response, error)

func CBHeader added in v1.14.0

func CBHeader(b *backend, s logical.Storage, path string) (*logical.Response, error)

func CBList added in v1.10.5

func CBList(b *backend, s logical.Storage, path string) (*logical.Response, error)

func CBPatch added in v1.11.7

func CBPatch(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error)

func CBRead added in v1.10.5

func CBRead(b *backend, s logical.Storage, path string) (*logical.Response, error)

func CBReq added in v1.10.5

func CBReq(b *backend, s logical.Storage, operation logical.Operation, path string, data map[string]interface{}) (*logical.Response, error)

Direct storage backend helpers (b, s := createBackendWithStorage(t)) which are mostly compatible with client.Logical() operations. The main difference is that the JSON round-tripping hasn't occurred, so values are as the backend returns them (e.g., []string instead of []interface{}).

func CBWrite added in v1.10.5

func CBWrite(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error)

func CreateBackendWithStorage added in v1.13.0

func CreateBackendWithStorage(t testing.TB) (*backend, logical.Storage)

Setup helpers

func Factory

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory creates a new backend implementing the logical.Backend interface

func FindType added in v1.14.0

func FindType(given error) (err error, id string, code int, found bool)

func NewACMEState added in v1.14.0

func NewACMEState() *acmeState

func NewIssuerUsageFromNames added in v1.11.0

func NewIssuerUsageFromNames(names []string) (issuerUsage, error)

func TranslateError added in v1.14.0

func TranslateError(given error) (*logical.Response, error)

func UnmarshalEabJwsJson added in v1.14.0

func UnmarshalEabJwsJson(eabBytes []byte) (*jwsCtx, error)

func ValidateDNS01Challenge added in v1.14.0

func ValidateDNS01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error)

func ValidateHTTP01Challenge added in v1.14.0

func ValidateHTTP01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error)

Validates a given ACME http-01 challenge against the specified domain, per RFC 8555.

We attempt to be defensive here against timeouts, extra redirects, &c.

func ValidateKeyAuthorization added in v1.14.0

func ValidateKeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error)

ValidateKeyAuthorization validates that the given keyAuthz from a challenge matches our expectation, returning (true, nil) if so, or (false, err) if not.

func ValidateRawSHA256KeyAuthorization added in v1.14.0

func ValidateRawSHA256KeyAuthorization(keyAuthz []byte, token string, thumbprint string) (bool, error)

ValidateRawSHA256KeyAuthorization validates that the given keyAuthz from a challenge matches our expectation, returning (true, nil) if so, or (false, err) if not.

This is for use with TLS challenges, which require the raw hash output.

func ValidateSHA256KeyAuthorization added in v1.14.0

func ValidateSHA256KeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error)

ValidateSHA256KeyAuthorization validates that the given keyAuthz from a challenge matches our expectation, returning (true, nil) if so, or (false, err) if not.

This is for use with DNS challenges, which require base64 encoding.

func ValidateTLSALPN01Challenge added in v1.14.0

func ValidateTLSALPN01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error)

Types

type ACMEAccountStatus added in v1.14.0

type ACMEAccountStatus string
const (
	AccountStatusValid       ACMEAccountStatus = "valid"
	AccountStatusDeactivated ACMEAccountStatus = "deactivated"
	AccountStatusRevoked     ACMEAccountStatus = "revoked"
)

func (ACMEAccountStatus) String added in v1.14.0

func (aas ACMEAccountStatus) String() string

type ACMEAuthorization added in v1.14.0

type ACMEAuthorization struct {
	Id        string `json:"id"`
	AccountId string `json:"account_id"`

	Identifier *ACMEIdentifier             `json:"identifier"`
	Status     ACMEAuthorizationStatusType `json:"status"`

	// Per RFC 8555 Section 7.1.4. Authorization Objects:
	//
	// > This field is REQUIRED for objects with "valid" in the "status"
	// > field.
	Expires string `json:"expires,optional"`

	Challenges []*ACMEChallenge `json:"challenges"`
	Wildcard   bool             `json:"wildcard"`
}

func (*ACMEAuthorization) GetExpires added in v1.14.0

func (aa *ACMEAuthorization) GetExpires() (time.Time, error)

func (*ACMEAuthorization) NetworkMarshal added in v1.14.0

func (aa *ACMEAuthorization) NetworkMarshal(acmeCtx *acmeContext) map[string]interface{}

type ACMEAuthorizationStatusType added in v1.14.0

type ACMEAuthorizationStatusType string
const (
	ACMEAuthorizationPending     ACMEAuthorizationStatusType = "pending"
	ACMEAuthorizationValid       ACMEAuthorizationStatusType = "valid"
	ACMEAuthorizationInvalid     ACMEAuthorizationStatusType = "invalid"
	ACMEAuthorizationDeactivated ACMEAuthorizationStatusType = "deactivated"
	ACMEAuthorizationExpired     ACMEAuthorizationStatusType = "expired"
	ACMEAuthorizationRevoked     ACMEAuthorizationStatusType = "revoked"
)

type ACMEChallenge added in v1.14.0

type ACMEChallenge struct {
	Type            ACMEChallengeType       `json:"type"`
	Status          ACMEChallengeStatusType `json:"status"`
	Validated       string                  `json:"validated,optional"`
	Error           map[string]interface{}  `json:"error,optional"`
	ChallengeFields map[string]interface{}  `json:"challenge_fields"`
}

func (*ACMEChallenge) NetworkMarshal added in v1.14.0

func (ac *ACMEChallenge) NetworkMarshal(acmeCtx *acmeContext, authId string) map[string]interface{}

type ACMEChallengeEngine added in v1.14.0

type ACMEChallengeEngine struct {
	NumWorkers int

	ValidationLock sync.Mutex
	NewValidation  chan string
	Closing        chan struct{}
	Validations    *list.List
}

func NewACMEChallengeEngine added in v1.14.0

func NewACMEChallengeEngine() *ACMEChallengeEngine

func (*ACMEChallengeEngine) AcceptChallenge added in v1.14.0

func (ace *ACMEChallengeEngine) AcceptChallenge(sc *storageContext, account string, authz *ACMEAuthorization, challenge *ACMEChallenge, thumbprint string) error

func (*ACMEChallengeEngine) LoadFromStorage added in v1.14.0

func (ace *ACMEChallengeEngine) LoadFromStorage(b *backend, sc *storageContext) error

func (*ACMEChallengeEngine) Run added in v1.14.0

func (ace *ACMEChallengeEngine) Run(b *backend, state *acmeState, sc *storageContext)

func (*ACMEChallengeEngine) VerifyChallenge added in v1.14.0

func (ace *ACMEChallengeEngine) VerifyChallenge(runnerSc *storageContext, id string, validationQueueRetries int, finished chan bool, config *acmeConfigEntry)

type ACMEChallengeStatusType added in v1.14.0

type ACMEChallengeStatusType string
const (
	ACMEChallengePending    ACMEChallengeStatusType = "pending"
	ACMEChallengeProcessing ACMEChallengeStatusType = "processing"
	ACMEChallengeValid      ACMEChallengeStatusType = "valid"
	ACMEChallengeInvalid    ACMEChallengeStatusType = "invalid"
)

type ACMEChallengeType added in v1.14.0

type ACMEChallengeType string
const (
	ACMEHTTPChallenge ACMEChallengeType = "http-01"
	ACMEDNSChallenge  ACMEChallengeType = "dns-01"
	ACMEALPNChallenge ACMEChallengeType = "tls-alpn-01"
)

type ACMEIdentifier added in v1.14.0

type ACMEIdentifier struct {
	Type          ACMEIdentifierType `json:"type"`
	Value         string             `json:"value"`
	OriginalValue string             `json:"original_value"`
	IsWildcard    bool               `json:"is_wildcard"`
}

func (*ACMEIdentifier) MaybeParseWildcard added in v1.14.0

func (ai *ACMEIdentifier) MaybeParseWildcard() (bool, string, error)

func (*ACMEIdentifier) NetworkMarshal added in v1.14.0

func (ai *ACMEIdentifier) NetworkMarshal(useOriginalValue bool) map[string]interface{}

type ACMEIdentifierType added in v1.14.0

type ACMEIdentifierType string
const (
	ACMEDNSIdentifier ACMEIdentifierType = "dns"
	ACMEIPIdentifier  ACMEIdentifierType = "ip"
)

type ACMEOrderStatusType added in v1.14.0

type ACMEOrderStatusType string
const (
	ACMEOrderPending    ACMEOrderStatusType = "pending"
	ACMEOrderProcessing ACMEOrderStatusType = "processing"
	ACMEOrderValid      ACMEOrderStatusType = "valid"
	ACMEOrderInvalid    ACMEOrderStatusType = "invalid"
	ACMEOrderReady      ACMEOrderStatusType = "ready"
)

type ChallengeQueueEntry added in v1.14.0

type ChallengeQueueEntry struct {
	Identifier string
	RetryAfter time.Time
	NumRetries int // Track if we are spinning on a corrupted challenge
}

type ChallengeValidation added in v1.14.0

type ChallengeValidation struct {
	// Account KID that this validation attempt is recorded under.
	Account string `json:"account"`

	// The authorization ID that this validation attempt is for.
	Authorization string            `json:"authorization"`
	ChallengeType ACMEChallengeType `json:"challenge_type"`

	// The token of this challenge and the JWS thumbprint of the account
	// we're validating against.
	Token      string `json:"token"`
	Thumbprint string `json:"thumbprint"`

	Initiated       time.Time `json:"initiated"`
	FirstValidation time.Time `json:"first_validation,omitempty"`
	RetryCount      int       `json:"retry_count,omitempty"`
	LastRetry       time.Time `json:"last_retry,omitempty"`
	RetryAfter      time.Time `json:"retry_after,omitempty"`
}

type DefaultDirectoryPolicyType added in v1.14.0

type DefaultDirectoryPolicyType int
const (
	Forbid DefaultDirectoryPolicyType = iota
	SignVerbatim
	Role
)

type EabPolicy added in v1.14.0

type EabPolicy struct {
	Name EabPolicyName
}

func (EabPolicy) EnforceForExistingAccount added in v1.14.0

func (ep EabPolicy) EnforceForExistingAccount(account *acmeAccount) error

EnforceForExistingAccount for all operations within ACME, does the account being used require an EAB attached to it.

func (EabPolicy) EnforceForNewAccount added in v1.14.0

func (ep EabPolicy) EnforceForNewAccount(eabData *eabType) error

EnforceForNewAccount for new account creations, should we require an EAB.

func (EabPolicy) IsExternalAccountRequired added in v1.14.0

func (ep EabPolicy) IsExternalAccountRequired() bool

IsExternalAccountRequired for new accounts incoming does is an EAB required

func (EabPolicy) OverrideEnvDisablingPublicAcme added in v1.14.0

func (ep EabPolicy) OverrideEnvDisablingPublicAcme() bool

OverrideEnvDisablingPublicAcme determines if ACME is enabled but the OS environment variable has said to disable public acme support, if we can override that environment variable to turn on ACME support

type EabPolicyName added in v1.14.0

type EabPolicyName string

type ErrorResponse added in v1.14.0

type ErrorResponse struct {
	StatusCode  int              `json:"-"`
	Type        string           `json:"type"`
	Detail      string           `json:"detail"`
	Subproblems []*ErrorResponse `json:"subproblems"`
}

func TranslateErrorToErrorResponse added in v1.14.0

func TranslateErrorToErrorResponse(given error) ErrorResponse

func (*ErrorResponse) Marshal added in v1.14.0

func (e *ErrorResponse) Marshal() (*logical.Response, error)

func (*ErrorResponse) MarshalForStorage added in v1.14.0

func (e *ErrorResponse) MarshalForStorage() map[string]interface{}

type IfModifiedSinceHelper added in v1.12.0

type IfModifiedSinceHelper struct {
	// contains filtered or unexported fields
}

type NameKey added in v1.10.0

type NameKey string

func (NameKey) String added in v1.10.0

func (n NameKey) String() string

type UUIDKey added in v1.10.0

type UUIDKey string

func (UUIDKey) String added in v1.10.0

func (u UUIDKey) String() string

Directories

Path Synopsis
cmd
pki

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL