Documentation ¶
Index ¶
- Constants
- Variables
- func Backend(conf *logical.BackendConfig) *backend
- func CBDelete(b *backend, s logical.Storage, path string) (*logical.Response, error)
- func CBHeader(b *backend, s logical.Storage, path string) (*logical.Response, error)
- func CBList(b *backend, s logical.Storage, path string) (*logical.Response, error)
- func CBPatch(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error)
- func CBRead(b *backend, s logical.Storage, path string) (*logical.Response, error)
- func CBReq(b *backend, s logical.Storage, operation logical.Operation, path string, ...) (*logical.Response, error)
- func CBWrite(b *backend, s logical.Storage, path string, data map[string]interface{}) (*logical.Response, error)
- func CreateBackendWithStorage(t testing.TB) (*backend, logical.Storage)
- func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func FindType(given error) (err error, id string, code int, found bool)
- func NewACMEState() *acmeState
- func NewIssuerUsageFromNames(names []string) (issuerUsage, error)
- func TranslateError(given error) (*logical.Response, error)
- func UnmarshalEabJwsJson(eabBytes []byte) (*jwsCtx, error)
- func ValidateDNS01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error)
- func ValidateHTTP01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error)
- func ValidateKeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error)
- func ValidateRawSHA256KeyAuthorization(keyAuthz []byte, token string, thumbprint string) (bool, error)
- func ValidateSHA256KeyAuthorization(keyAuthz string, token string, thumbprint string) (bool, error)
- func ValidateTLSALPN01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error)
- type ACMEAccountStatus
- type ACMEAuthorization
- type ACMEAuthorizationStatusType
- type ACMEChallenge
- type ACMEChallengeEngine
- func (ace *ACMEChallengeEngine) AcceptChallenge(sc *storageContext, account string, authz *ACMEAuthorization, ...) error
- func (ace *ACMEChallengeEngine) LoadFromStorage(b *backend, sc *storageContext) error
- func (ace *ACMEChallengeEngine) Run(b *backend, state *acmeState, sc *storageContext)
- func (ace *ACMEChallengeEngine) VerifyChallenge(runnerSc *storageContext, id string, validationQueueRetries int, ...)
- type ACMEChallengeStatusType
- type ACMEChallengeType
- type ACMEIdentifier
- type ACMEIdentifierType
- type ACMEOrderStatusType
- type ChallengeQueueEntry
- type ChallengeValidation
- type DefaultDirectoryPolicyType
- type EabPolicy
- type EabPolicyName
- type ErrorResponse
- type IfModifiedSinceHelper
- type NameKey
- type UUIDKey
Constants ¶
const ( DNSChallengePrefix = "_acme-challenge." ALPNProtocol = "acme-tls/1" )
const ( IssuerRefNotFound = issuerID("not-found") KeyRefNotFound = keyID("not-found") )
const ( ReadOnlyUsage issuerUsage = iota IssuanceUsage issuerUsage = 1 << iota CRLSigningUsage issuerUsage = 1 << iota OCSPSigningUsage issuerUsage = 1 << iota // When adding a new usage in the future, we'll need to create a usage // mask field on the IssuerEntry and handle migrations to a newer mask, // inferring a value for the new bits. AllIssuerUsages = ReadOnlyUsage | IssuanceUsage | CRLSigningUsage | OCSPSigningUsage )
const ChallengeAttemptFailedMsg = "" /* 140-byte string literal not displayed */
const ErrorContentType = "application/problem+json"
const ErrorPrefix = "urn:ietf:params:acme:error:"
Error prefix; see RFC 8555 Section 6.7. Errors.
const MaxRetryAttempts = 5
const SecretCertsType = "pki"
SecretCertsType is the name used to identify this type
Variables ¶
var ( ErrAlreadyRevoked = errors.New("The request specified a certificate to be revoked that has already been revoked") ErrBadCSR = errors.New("The CSR is unacceptable") ErrBadNonce = errors.New("The client sent an unacceptable anti-replay nonce") ErrBadPublicKey = errors.New("The JWS was signed by a public key the server does not support") ErrBadRevocationReason = errors.New("The revocation reason provided is not allowed by the server") ErrBadSignatureAlgorithm = errors.New("The JWS was signed with an algorithm the server does not support") ErrCAA = errors.New("Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate") ErrCompound = errors.New("Specific error conditions are indicated in the 'subproblems' array") ErrConnection = errors.New("The server could not connect to validation target") ErrDNS = errors.New("There was a problem with a DNS query during identifier validation") ErrExternalAccountRequired = errors.New("The request must include a value for the 'externalAccountBinding' field") ErrIncorrectResponse = errors.New("Response received didn't match the challenge's requirements") ErrInvalidContact = errors.New("A contact URL for an account was invalid") ErrMalformed = errors.New("The request message was malformed") ErrOrderNotReady = errors.New("The request attempted to finalize an order that is not ready to be finalized") ErrRateLimited = errors.New("The request exceeds a rate limit") ErrRejectedIdentifier = errors.New("The server will not issue certificates for the identifier") ErrServerInternal = errors.New("The server experienced an internal error") ErrTLS = errors.New("The server received a TLS error during validation") ErrUnsupportedContact = errors.New("A contact URL for an account used an unsupported protocol scheme") ErrUnsupportedIdentifier = errors.New("An identifier is of an unsupported type") ErrUserActionRequired = errors.New("Visit the 'instance' URL and take actions specified there") )
var ( string]interface{}{ logical.HTTPContentType: ocspResponseContentType, logical.HTTPStatusCode: http.StatusUnauthorized, logical.HTTPRawBody: ocsp.UnauthorizedErrorResponse, }, } OcspMalformedResponse = &logical.Response{ Data: map[string]interface{}{ logical.HTTPContentType: ocspResponseContentType, logical.HTTPStatusCode: http.StatusBadRequest, logical.HTTPRawBody: ocsp.MalformedRequestErrorResponse, }, } OcspInternalErrorResponse = &logical.Response{ Data: map[string]interface{}{ logical.HTTPContentType: ocspResponseContentType, logical.HTTPStatusCode: http.StatusInternalServerError, logical.HTTPRawBody: ocsp.InternalErrorErrorResponse, }, } ErrMissingOcspUsage = errors.New("issuer entry did not have the OCSPSigning usage") ErrIssuerHasNoKey = errors.New("issuer has no key") ErrUnknownIssuer = errors.New("unknown issuer") )Data: map[
These response variables should not be mutated, instead treat them as constants
var ALPNPort = "443"
While this should be a constant, there's no way to do a low-level test of ValidateTLSALPN01Challenge without spinning up a complicated Docker instance to build a custom responder. Because we already have a local toolchain, it is far easier to drive this through Go tests with a custom (high) port, rather than requiring permission to bind to port 443 (root-run tests are even worse).
var AllowedEabJWSTypes = map[string]interface{}{ "HS256": true, "HS384": true, "HS512": true, }
var AllowedOuterJWSTypes = map[string]interface{}{ "RS256": true, "RS384": true, "RS512": true, "PS256": true, "PS384": true, "PS512": true, "ES256": true, "ES384": true, "ES512": true, "EdDSA2": true, }
var ErrAccountDoesNotExist = errors.New("The request specified an account that does not exist")
See RFC 8555 Section 6.7. Errors.
var ErrAcmeDisabled = errors.New("ACME feature is disabled")
var ErrStorageItemNotFound = errors.New("storage item not found")
var MaxChallengeTimeout = 1 * time.Minute
var OIDACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
OID of the acmeIdentifier X.509 Certificate Extension.
Functions ¶
func Backend ¶
func Backend(conf *logical.BackendConfig) *backend
Backend returns a new Backend framework struct
func CBReq ¶ added in v1.10.5
func CBReq(b *backend, s logical.Storage, operation logical.Operation, path string, data map[string]interface{}) (*logical.Response, error)
Direct storage backend helpers (b, s := createBackendWithStorage(t)) which are mostly compatible with client.Logical() operations. The main difference is that the JSON round-tripping hasn't occurred, so values are as the backend returns them (e.g., []string instead of []interface{}).
func CreateBackendWithStorage ¶ added in v1.13.0
Setup helpers
func NewACMEState ¶ added in v1.14.0
func NewACMEState() *acmeState
func NewIssuerUsageFromNames ¶ added in v1.11.0
func UnmarshalEabJwsJson ¶ added in v1.14.0
func ValidateDNS01Challenge ¶ added in v1.14.0
func ValidateHTTP01Challenge ¶ added in v1.14.0
func ValidateHTTP01Challenge(domain string, token string, thumbprint string, config *acmeConfigEntry) (bool, error)
Validates a given ACME http-01 challenge against the specified domain, per RFC 8555.
We attempt to be defensive here against timeouts, extra redirects, &c.
func ValidateKeyAuthorization ¶ added in v1.14.0
ValidateKeyAuthorization validates that the given keyAuthz from a challenge matches our expectation, returning (true, nil) if so, or (false, err) if not.
func ValidateRawSHA256KeyAuthorization ¶ added in v1.14.0
func ValidateRawSHA256KeyAuthorization(keyAuthz []byte, token string, thumbprint string) (bool, error)
ValidateRawSHA256KeyAuthorization validates that the given keyAuthz from a challenge matches our expectation, returning (true, nil) if so, or (false, err) if not.
This is for use with TLS challenges, which require the raw hash output.
func ValidateSHA256KeyAuthorization ¶ added in v1.14.0
ValidateSHA256KeyAuthorization validates that the given keyAuthz from a challenge matches our expectation, returning (true, nil) if so, or (false, err) if not.
This is for use with DNS challenges, which require base64 encoding.
Types ¶
type ACMEAccountStatus ¶ added in v1.14.0
type ACMEAccountStatus string
const ( AccountStatusValid ACMEAccountStatus = "valid" AccountStatusDeactivated ACMEAccountStatus = "deactivated" AccountStatusRevoked ACMEAccountStatus = "revoked" )
func (ACMEAccountStatus) String ¶ added in v1.14.0
func (aas ACMEAccountStatus) String() string
type ACMEAuthorization ¶ added in v1.14.0
type ACMEAuthorization struct { Id string `json:"id"` AccountId string `json:"account_id"` Identifier *ACMEIdentifier `json:"identifier"` Status ACMEAuthorizationStatusType `json:"status"` // Per RFC 8555 Section 7.1.4. Authorization Objects: // // > This field is REQUIRED for objects with "valid" in the "status" // > field. Expires string `json:"expires,optional"` Challenges []*ACMEChallenge `json:"challenges"` Wildcard bool `json:"wildcard"` }
func (*ACMEAuthorization) GetExpires ¶ added in v1.14.0
func (aa *ACMEAuthorization) GetExpires() (time.Time, error)
func (*ACMEAuthorization) NetworkMarshal ¶ added in v1.14.0
func (aa *ACMEAuthorization) NetworkMarshal(acmeCtx *acmeContext) map[string]interface{}
type ACMEAuthorizationStatusType ¶ added in v1.14.0
type ACMEAuthorizationStatusType string
const ( ACMEAuthorizationPending ACMEAuthorizationStatusType = "pending" ACMEAuthorizationValid ACMEAuthorizationStatusType = "valid" ACMEAuthorizationInvalid ACMEAuthorizationStatusType = "invalid" ACMEAuthorizationDeactivated ACMEAuthorizationStatusType = "deactivated" ACMEAuthorizationExpired ACMEAuthorizationStatusType = "expired" ACMEAuthorizationRevoked ACMEAuthorizationStatusType = "revoked" )
type ACMEChallenge ¶ added in v1.14.0
type ACMEChallenge struct { Type ACMEChallengeType `json:"type"` Status ACMEChallengeStatusType `json:"status"` Validated string `json:"validated,optional"` Error map[string]interface{} `json:"error,optional"` ChallengeFields map[string]interface{} `json:"challenge_fields"` }
func (*ACMEChallenge) NetworkMarshal ¶ added in v1.14.0
func (ac *ACMEChallenge) NetworkMarshal(acmeCtx *acmeContext, authId string) map[string]interface{}
type ACMEChallengeEngine ¶ added in v1.14.0
type ACMEChallengeEngine struct { NumWorkers int ValidationLock sync.Mutex NewValidation chan string Closing chan struct{} Validations *list.List }
func NewACMEChallengeEngine ¶ added in v1.14.0
func NewACMEChallengeEngine() *ACMEChallengeEngine
func (*ACMEChallengeEngine) AcceptChallenge ¶ added in v1.14.0
func (ace *ACMEChallengeEngine) AcceptChallenge(sc *storageContext, account string, authz *ACMEAuthorization, challenge *ACMEChallenge, thumbprint string) error
func (*ACMEChallengeEngine) LoadFromStorage ¶ added in v1.14.0
func (ace *ACMEChallengeEngine) LoadFromStorage(b *backend, sc *storageContext) error
func (*ACMEChallengeEngine) Run ¶ added in v1.14.0
func (ace *ACMEChallengeEngine) Run(b *backend, state *acmeState, sc *storageContext)
func (*ACMEChallengeEngine) VerifyChallenge ¶ added in v1.14.0
func (ace *ACMEChallengeEngine) VerifyChallenge(runnerSc *storageContext, id string, validationQueueRetries int, finished chan bool, config *acmeConfigEntry)
type ACMEChallengeStatusType ¶ added in v1.14.0
type ACMEChallengeStatusType string
const ( ACMEChallengePending ACMEChallengeStatusType = "pending" ACMEChallengeProcessing ACMEChallengeStatusType = "processing" ACMEChallengeValid ACMEChallengeStatusType = "valid" ACMEChallengeInvalid ACMEChallengeStatusType = "invalid" )
type ACMEChallengeType ¶ added in v1.14.0
type ACMEChallengeType string
const ( ACMEHTTPChallenge ACMEChallengeType = "http-01" ACMEDNSChallenge ACMEChallengeType = "dns-01" ACMEALPNChallenge ACMEChallengeType = "tls-alpn-01" )
type ACMEIdentifier ¶ added in v1.14.0
type ACMEIdentifier struct { Type ACMEIdentifierType `json:"type"` Value string `json:"value"` OriginalValue string `json:"original_value"` IsWildcard bool `json:"is_wildcard"` }
func (*ACMEIdentifier) MaybeParseWildcard ¶ added in v1.14.0
func (ai *ACMEIdentifier) MaybeParseWildcard() (bool, string, error)
func (*ACMEIdentifier) NetworkMarshal ¶ added in v1.14.0
func (ai *ACMEIdentifier) NetworkMarshal(useOriginalValue bool) map[string]interface{}
type ACMEIdentifierType ¶ added in v1.14.0
type ACMEIdentifierType string
const ( ACMEDNSIdentifier ACMEIdentifierType = "dns" ACMEIPIdentifier ACMEIdentifierType = "ip" )
type ACMEOrderStatusType ¶ added in v1.14.0
type ACMEOrderStatusType string
const ( ACMEOrderPending ACMEOrderStatusType = "pending" ACMEOrderProcessing ACMEOrderStatusType = "processing" ACMEOrderValid ACMEOrderStatusType = "valid" ACMEOrderInvalid ACMEOrderStatusType = "invalid" ACMEOrderReady ACMEOrderStatusType = "ready" )
type ChallengeQueueEntry ¶ added in v1.14.0
type ChallengeValidation ¶ added in v1.14.0
type ChallengeValidation struct { // Account KID that this validation attempt is recorded under. Account string `json:"account"` // The authorization ID that this validation attempt is for. Authorization string `json:"authorization"` ChallengeType ACMEChallengeType `json:"challenge_type"` // The token of this challenge and the JWS thumbprint of the account // we're validating against. Token string `json:"token"` Thumbprint string `json:"thumbprint"` Initiated time.Time `json:"initiated"` FirstValidation time.Time `json:"first_validation,omitempty"` RetryCount int `json:"retry_count,omitempty"` LastRetry time.Time `json:"last_retry,omitempty"` RetryAfter time.Time `json:"retry_after,omitempty"` }
type DefaultDirectoryPolicyType ¶ added in v1.14.0
type DefaultDirectoryPolicyType int
const ( Forbid DefaultDirectoryPolicyType = iota SignVerbatim Role )
type EabPolicy ¶ added in v1.14.0
type EabPolicy struct {
Name EabPolicyName
}
func (EabPolicy) EnforceForExistingAccount ¶ added in v1.14.0
EnforceForExistingAccount for all operations within ACME, does the account being used require an EAB attached to it.
func (EabPolicy) EnforceForNewAccount ¶ added in v1.14.0
EnforceForNewAccount for new account creations, should we require an EAB.
func (EabPolicy) IsExternalAccountRequired ¶ added in v1.14.0
IsExternalAccountRequired for new accounts incoming does is an EAB required
func (EabPolicy) OverrideEnvDisablingPublicAcme ¶ added in v1.14.0
OverrideEnvDisablingPublicAcme determines if ACME is enabled but the OS environment variable has said to disable public acme support, if we can override that environment variable to turn on ACME support
type EabPolicyName ¶ added in v1.14.0
type EabPolicyName string
type ErrorResponse ¶ added in v1.14.0
type ErrorResponse struct { StatusCode int `json:"-"` Type string `json:"type"` Detail string `json:"detail"` Subproblems []*ErrorResponse `json:"subproblems"` }
func TranslateErrorToErrorResponse ¶ added in v1.14.0
func TranslateErrorToErrorResponse(given error) ErrorResponse
func (*ErrorResponse) Marshal ¶ added in v1.14.0
func (e *ErrorResponse) Marshal() (*logical.Response, error)
func (*ErrorResponse) MarshalForStorage ¶ added in v1.14.0
func (e *ErrorResponse) MarshalForStorage() map[string]interface{}
type IfModifiedSinceHelper ¶ added in v1.12.0
type IfModifiedSinceHelper struct {
// contains filtered or unexported fields
}
Source Files ¶
- acme_authorizations.go
- acme_billing.go
- acme_challenge_engine.go
- acme_challenges.go
- acme_eab_policy.go
- acme_errors.go
- acme_jws.go
- acme_state.go
- acme_wrappers.go
- backend.go
- ca_util.go
- cert_util.go
- chain_util.go
- config_util.go
- crl_util.go
- fields.go
- key_util.go
- managed_key_util.go
- path_acme_account.go
- path_acme_authorizations.go
- path_acme_challenges.go
- path_acme_directory.go
- path_acme_eab.go
- path_acme_nonce.go
- path_acme_order.go
- path_acme_revoke.go
- path_config_acme.go
- path_config_ca.go
- path_config_cluster.go
- path_config_crl.go
- path_config_urls.go
- path_fetch.go
- path_fetch_issuers.go
- path_fetch_keys.go
- path_intermediate.go
- path_issue_sign.go
- path_manage_issuers.go
- path_manage_keys.go
- path_ocsp.go
- path_resign_crls.go
- path_revoke.go
- path_roles.go
- path_root.go
- path_sign_issuers.go
- path_tidy.go
- periodic.go
- secret_certs.go
- storage.go
- storage_migrations.go
- storage_unified.go
- test_helpers.go
- util.go