Documentation ¶
Index ¶
- Constants
- Variables
- func Fingerprint256(data []byte) string
- func GetBuildHost() (retID string)
- func GetBuildID() (retID string)
- func GetBuildTime() (retID string)
- func KeyDigest(key crypto.PublicKey) (string, error)
- func KeyDigestEquals(j, k crypto.PublicKey) bool
- func LoadCert(filename string) (cert *x509.Certificate, err error)
- func LoadCertBundle(filename string) ([]*x509.Certificate, error)
- func LooksLikeAToken(token string) bool
- func NewToken() string
- func ProblemDetailsForError(err error, msg string) *probs.ProblemDetails
- func RandomString(byteLength int) string
- func RetryBackoff(retries int, base, max time.Duration, factor float64) time.Duration
- func ReverseName(domain string) string
- func SerialToString(serial *big.Int) string
- func StringToSerial(serial string) (*big.Int, error)
- func UniqueLowerNames(names []string) (unique []string)
- func ValidChallenge(name string) bool
- func ValidSerial(serial string) bool
- type AcmeIdentifier
- type AcmeResource
- type AcmeStatus
- type AcmeURL
- type Authorization
- type BadNonceError
- type Buffer
- type CRL
- type Certificate
- type CertificateAuthority
- type CertificateIssuanceError
- type CertificateRequest
- type CertificateStatus
- type Challenge
- type DeniedCSR
- type ExternalCert
- type FQDNSet
- type IdentifierData
- type IdentifierType
- type InternalServerError
- type IsSafeDomainRequest
- type IsSafeDomainResponse
- type JSONBuffer
- type KeyAuthorization
- type KeyPolicy
- type LengthRequiredError
- type MalformedRequestError
- type NoSuchRegistrationError
- type NonceService
- type NotFoundError
- type NotSupportedError
- type OCSPResponse
- type OCSPSigningRequest
- type OCSPStatus
- type PolicyAuthority
- type Publisher
- type RateLimitedError
- type Registration
- type RegistrationAuthority
- type RevocationCode
- type SignatureValidationError
- type SignedCertificateTimestamp
- type StorageAdder
- type StorageAuthority
- type StorageGetter
- type TooManyRPCRequestsError
- type UnauthorizedError
- type ValidationAuthority
- type ValidationRecord
- type WebFrontEnd
Constants ¶
const ( StatusUnknown = AcmeStatus("unknown") // Unknown status; the default StatusPending = AcmeStatus("pending") // In process; client has next action StatusProcessing = AcmeStatus("processing") // In process; server has next action StatusValid = AcmeStatus("valid") // Validation succeeded StatusInvalid = AcmeStatus("invalid") // Validation failed StatusRevoked = AcmeStatus("revoked") // Object no longer valid )
These statuses are the states of authorizations
const ( ResourceNewReg = AcmeResource("new-reg") ResourceNewAuthz = AcmeResource("new-authz") ResourceNewCert = AcmeResource("new-cert") ResourceRevokeCert = AcmeResource("revoke-cert") ResourceRegistration = AcmeResource("reg") ResourceChallenge = AcmeResource("challenge") )
The types of ACME resources
const ( OCSPStatusGood = OCSPStatus("good") OCSPStatusRevoked = OCSPStatus("revoked") )
These status are the states of OCSP
const ( ChallengeTypeHTTP01 = "http-01" ChallengeTypeTLSSNI01 = "tls-sni-01" ChallengeTypeDNS01 = "dns-01" )
These types are the available challenges
const DNSPrefix = "_acme-challenge"
DNSPrefix is attached to DNS names in DNS challenges
const (
IdentifierDNS = IdentifierType("dns")
)
These types are the available identification mechanisms
const MaxUsed = 65536
MaxUsed defines the maximum number of Nonces we're willing to hold in memory.
const TLSSNISuffix = "acme.invalid"
TLSSNISuffix is appended to pseudo-domain names in DVSNI challenges
Variables ¶
var BuildHost string
BuildHost is set by the compiler and is used by GetBuildHost
var BuildID string
BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)") and is used by GetBuildID
var BuildTime string
BuildTime is set by the compiler and is used by GetBuildTime
var RevocationReasons = map[RevocationCode]string{
0: "unspecified",
1: "keyCompromise",
2: "cACompromise",
3: "affiliationChanged",
4: "superseded",
5: "cessationOfOperation",
6: "certificateHold",
8: "removeFromCRL",
9: "privilegeWithdrawn",
10: "aAcompromise",
}
RevocationReasons provides a map from reason code to string explaining the code
Functions ¶
func Fingerprint256 ¶
Fingerprint256 produces an unpadded, URL-safe Base64-encoded SHA256 digest of the data.
func GetBuildTime ¶
func GetBuildTime() (retID string)
GetBuildTime identifies when this build was made
func KeyDigest ¶
KeyDigest produces a padded, standard Base64-encoded SHA256 digest of a provided public key.
func KeyDigestEquals ¶
KeyDigestEquals determines whether two public keys have the same digest.
func LoadCert ¶
func LoadCert(filename string) (cert *x509.Certificate, err error)
LoadCert loads a PEM certificate specified by filename or returns an error
func LoadCertBundle ¶
func LoadCertBundle(filename string) ([]*x509.Certificate, error)
LoadCertBundle loads a PEM bundle of certificates from disk
func LooksLikeAToken ¶
LooksLikeAToken checks whether a string represents a 32-octet value in the URL-safe base64 alphabet.
func ProblemDetailsForError ¶
func ProblemDetailsForError(err error, msg string) *probs.ProblemDetails
ProblemDetailsForError turns an error into a ProblemDetails with the special case of returning the same error back if its already a ProblemDetails. If the error is of an type unknown to ProblemDetailsForError, it will return a ServerInternal ProblemDetails.
func RandomString ¶
RandomString returns a randomly generated string of the requested length.
func RetryBackoff ¶
RetryBackoff calculates a backoff time based on number of retries, will always add jitter so requests that start in unison won't fall into lockstep. Because of this the returned duration can always be larger than the maximum by a factor of retryJitter. Adapted from https://github.com/grpc/grpc-go/blob/master/rpc_util.go#L311
func ReverseName ¶
ReverseName takes a domain name and returns a label-wise reversed version of it. Example: ReverseName("www.example.com") == "com.example.www" This is useful for storing domain names in a DB such than subdomains of the same parent domain are near each other.
func SerialToString ¶
SerialToString converts a certificate serial number (big.Int) to a String consistently.
func StringToSerial ¶
StringToSerial converts a string into a certificate serial number (big.Int) consistently.
func UniqueLowerNames ¶
UniqueLowerNames returns the set of all unique names in the input after all of them are lowercased. The returned names will be in their lowercased form and sorted alphabetically.
func ValidChallenge ¶
ValidChallenge tests whether the provided string names a known challenge
func ValidSerial ¶
ValidSerial tests whether the input string represents a syntactically valid serial number, i.e., that it is a valid hex string between 32 and 36 characters long.
Types ¶
type AcmeIdentifier ¶
type AcmeIdentifier struct { Type IdentifierType `json:"type"` // The type of identifier being encoded Value string `json:"value"` // The identifier itself }
An AcmeIdentifier encodes an identifier that can be validated by ACME. The protocol allows for different types of identifier to be supported (DNS names, IP addresses, etc.), but currently we only support domain names.
type AcmeResource ¶
type AcmeResource string
AcmeResource values identify different types of ACME resources
type AcmeURL ¶
AcmeURL is a URL that automatically marshal/unmarshal to JSON strings
func ParseAcmeURL ¶
ParseAcmeURL is just a wrapper around url.Parse that returns an *AcmeURL
func (*AcmeURL) MarshalJSON ¶
MarshalJSON encodes an AcmeURL for transfer
func (*AcmeURL) PathSegments ¶
PathSegments splits an AcmeURL into segments on the '/' characters
func (*AcmeURL) UnmarshalJSON ¶
UnmarshalJSON decodes an AcmeURL from transfer
type Authorization ¶
type Authorization struct { // An identifier for this authorization, unique across // authorizations and certificates within this instance. ID string `json:"id,omitempty" db:"id"` // The identifier for which authorization is being given Identifier AcmeIdentifier `json:"identifier,omitempty" db:"identifier"` // The registration ID associated with the authorization RegistrationID int64 `json:"regId,omitempty" db:"registrationID"` // The status of the validation of this authorization Status AcmeStatus `json:"status,omitempty" db:"status"` // The date after which this authorization will be no // longer be considered valid. Note: a certificate may be issued even on the // last day of an authorization's lifetime. The last day for which someone can // hold a valid certificate based on an authorization is authorization // lifetime + certificate lifetime. Expires *time.Time `json:"expires,omitempty" db:"expires"` // An array of challenges objects used to validate the // applicant's control of the identifier. For authorizations // in process, these are challenges to be fulfilled; for // final authorizations, they describe the evidence that // the server used in support of granting the authorization. Challenges []Challenge `json:"challenges,omitempty" db:"-"` // The server may suggest combinations of challenges if it // requires more than one challenge to be completed. Combinations [][]int `json:"combinations,omitempty" db:"combinations"` }
Authorization represents the authorization of an account key holder to act on behalf of a domain. This struct is intended to be used both internally and for JSON marshaling on the wire. Any fields that should be suppressed on the wire (e.g., ID, regID) must be made empty before marshaling.
func (*Authorization) FindChallenge ¶
func (authz *Authorization) FindChallenge(challengeID int64) int
FindChallenge will look for the given challenge inside this authorization. If found, it will return the index of that challenge within the Authorization's Challenges array. Otherwise it will return -1.
type BadNonceError ¶
type BadNonceError string
BadNonceError indicates an empty of invalid nonce was provided
func (BadNonceError) Error ¶
func (e BadNonceError) Error() string
type CRL ¶
type CRL struct { // serial: Same as certificate serial. Serial string `db:"serial"` // createdAt: The date the CRL was signed. CreatedAt time.Time `db:"createdAt"` // crl: The encoded and signed CRL. CRL string `db:"crl"` }
CRL is a large table of signed CRLs. This contains all historical CRLs we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.
type Certificate ¶
type Certificate struct { RegistrationID int64 `db:"registrationID"` Serial string `db:"serial"` Digest string `db:"digest"` DER []byte `db:"der"` Issued time.Time `db:"issued"` Expires time.Time `db:"expires"` }
Certificate objects are entirely internal to the server. The only thing exposed on the wire is the certificate itself.
type CertificateAuthority ¶
type CertificateAuthority interface { // [RegistrationAuthority] IssueCertificate(x509.CertificateRequest, int64) (Certificate, error) GenerateOCSP(OCSPSigningRequest) ([]byte, error) }
CertificateAuthority defines the public interface for the Boulder CA
type CertificateIssuanceError ¶
type CertificateIssuanceError string
CertificateIssuanceError indicates the certificate failed to be issued for some reason.
func (CertificateIssuanceError) Error ¶
func (e CertificateIssuanceError) Error() string
type CertificateRequest ¶
type CertificateRequest struct { CSR *x509.CertificateRequest // The CSR Bytes []byte // The original bytes of the CSR, for logging. }
CertificateRequest is just a CSR
This data is unmarshalled from JSON by way of rawCertificateRequest, which represents the actual structure received from the client.
func (CertificateRequest) MarshalJSON ¶
func (cr CertificateRequest) MarshalJSON() ([]byte, error)
MarshalJSON provides an implementation for encoding CertificateRequest objects.
func (*CertificateRequest) UnmarshalJSON ¶
func (cr *CertificateRequest) UnmarshalJSON(data []byte) error
UnmarshalJSON provides an implementation for decoding CertificateRequest objects.
type CertificateStatus ¶
type CertificateStatus struct { Serial string `db:"serial"` // subscriberApproved: true iff the subscriber has posted back to the server // that they accept the certificate, otherwise 0. SubscriberApproved bool `db:"subscriberApproved"` // status: 'good' or 'revoked'. Note that good, expired certificates remain // with status 'good' but don't necessarily get fresh OCSP responses. Status OCSPStatus `db:"status"` // ocspLastUpdated: The date and time of the last time we generated an OCSP // response. If we have never generated one, this has the zero value of // time.Time, i.e. Jan 1 1970. OCSPLastUpdated time.Time `db:"ocspLastUpdated"` // revokedDate: If status is 'revoked', this is the date and time it was // revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970. RevokedDate time.Time `db:"revokedDate"` // revokedReason: If status is 'revoked', this is the reason code for the // revocation. Otherwise it is zero (which happens to be the reason // code for 'unspecified'). RevokedReason RevocationCode `db:"revokedReason"` LastExpirationNagSent time.Time `db:"lastExpirationNagSent"` // The encoded and signed OCSP response. OCSPResponse []byte `db:"ocspResponse"` LockCol int64 `json:"-"` }
CertificateStatus structs are internal to the server. They represent the latest data about the status of the certificate, required for OCSP updating and for validating that the subscriber has accepted the certificate.
type Challenge ¶
type Challenge struct { ID int64 `json:"id,omitempty"` // The type of challenge Type string `json:"type"` // The status of this challenge Status AcmeStatus `json:"status,omitempty"` // Contains the error that occurred during challenge validation, if any Error *probs.ProblemDetails `json:"error,omitempty"` // If successful, the time at which this challenge // was completed by the server. Validated *time.Time `json:"validated,omitempty"` // A URI to which a response can be POSTed URI string `json:"uri"` // Used by http-01, tls-sni-01, and dns-01 challenges Token string `json:"token,omitempty"` // Used by http-00, tls-sni-00, and dns-00 challenges // Used by http-01, tls-sni-01, and dns-01 challenges KeyAuthorization *KeyAuthorization `json:"keyAuthorization,omitempty"` // Contains information about URLs used or redirected to and IPs resolved and // used ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"` // The account key used to create this challenge. This is not part of the // spec, but clients are required to ignore unknown fields, so it's harmless // to include. // // Boulder needs to remember what key was used to create a challenge in order // to prevent an attacker from re-using a validation signature with a different, // unauthorized key. See: // https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc AccountKey *jose.JsonWebKey `json:"accountKey,omitempty"` }
Challenge is an aggregate of all data needed for any challenges.
Rather than define individual types for different types of challenge, we just throw all the elements into one bucket, together with the common metadata elements.
func DNSChallenge01 ¶
func DNSChallenge01(accountKey *jose.JsonWebKey) Challenge
DNSChallenge01 constructs a random DNS challenge
func HTTPChallenge01 ¶
func HTTPChallenge01(accountKey *jose.JsonWebKey) Challenge
HTTPChallenge01 constructs a random http-01 challenge
func TLSSNIChallenge01 ¶
func TLSSNIChallenge01(accountKey *jose.JsonWebKey) Challenge
TLSSNIChallenge01 constructs a random tls-sni-00 challenge
func (Challenge) IsSane ¶
IsSane checks the sanity of a challenge object before issued to the client (completed = false) and before validation (completed = true).
func (Challenge) RecordsSane ¶
RecordsSane checks the sanity of a ValidationRecord object before sending it back to the RA to be stored.
type ExternalCert ¶
type ExternalCert struct { SHA1 string `db:"sha1"` // The hex encoding of the SHA-1 hash of this cert Issuer string `db:"issuer"` // The Issuer field of this cert Subject string `db:"subject"` // The Subject field of this cert NotAfter time.Time `db:"notAfter"` // Date after which this cert should be considered invalid SPKI []byte `db:"spki"` // The hex encoding of the certificate's SubjectPublicKeyInfo in DER form Valid bool `db:"valid"` // Whether this certificate was valid at LastUpdated time EV bool `db:"ev"` // Whether this cert was EV valid CertDER []byte `db:"rawDERCert"` // DER (binary) encoding of the raw certificate }
ExternalCert holds information about certificates issued by other CAs, obtained through Certificate Transparency, the SSL Observatory, or scans.io.
type FQDNSet ¶
FQDNSet contains the SHA256 hash of the lowercased, comma joined dNSNames contained in a certificate.
type IdentifierData ¶
type IdentifierData struct { ReversedName string `db:"reversedName"` // The label-wise reverse of an identifier, e.g. com.example or com.example.* CertSHA1 string `db:"certSHA1"` // The hex encoding of the SHA-1 hash of a cert containing the identifier }
IdentifierData holds information about what certificates are known for a given identifier. This is used to present Proof of Possession challenges in the case where a certificate already exists. The DB table holding IdentifierData rows contains information about certs issued by Boulder and also information about certs observed from third parties.
type IdentifierType ¶
type IdentifierType string
IdentifierType defines the available identification mechanisms for domains
type InternalServerError ¶
type InternalServerError string
InternalServerError indicates that something has gone wrong unrelated to the user's input, and will be considered by the Load Balancer as an indication that this Boulder instance may be malfunctioning. Minimally, returning this will cause an error page to be generated at the CDN/LB for the client. Consequently, you should only use this error when Boulder's internal constraints have been violated.
func (InternalServerError) Error ¶
func (e InternalServerError) Error() string
type IsSafeDomainRequest ¶
type IsSafeDomainRequest struct {
Domain string
}
IsSafeDomainRequest is the request struct for the IsSafeDomain call. The Domain field should be just a domain with no leading scheme or trailing path.
type IsSafeDomainResponse ¶
type IsSafeDomainResponse struct {
IsSafe bool
}
IsSafeDomainResponse is the response struct for the IsSafeDomain call. The IsSafe bool is true if and only if the third-party safe browing API says the domain is safe.
type JSONBuffer ¶
type JSONBuffer []byte
JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding with stripped padding.
func (JSONBuffer) MarshalJSON ¶
func (jb JSONBuffer) MarshalJSON() (result []byte, err error)
MarshalJSON encodes a JSONBuffer for transmission.
func (*JSONBuffer) UnmarshalJSON ¶
func (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error)
UnmarshalJSON decodes a JSONBuffer to an object.
type KeyAuthorization ¶
KeyAuthorization represents a domain holder's authorization for a specific account key to satisfy a specific challenge.
func NewKeyAuthorization ¶
func NewKeyAuthorization(token string, key *jose.JsonWebKey) (KeyAuthorization, error)
NewKeyAuthorization computes the thumbprint and assembles the object
func NewKeyAuthorizationFromString ¶
func NewKeyAuthorizationFromString(input string) (ka KeyAuthorization, err error)
NewKeyAuthorizationFromString parses the string and composes a key authorization struct
func (KeyAuthorization) MarshalJSON ¶
func (ka KeyAuthorization) MarshalJSON() (result []byte, err error)
MarshalJSON packs a key authorization into its string representation
func (KeyAuthorization) Match ¶
func (ka KeyAuthorization) Match(token string, key *jose.JsonWebKey) bool
Match determines whether this KeyAuthorization matches the given token and key
func (KeyAuthorization) String ¶
func (ka KeyAuthorization) String() string
String produces the string representation of a key authorization
func (*KeyAuthorization) UnmarshalJSON ¶
func (ka *KeyAuthorization) UnmarshalJSON(data []byte) (err error)
UnmarshalJSON unpacks a key authorization from a string
type KeyPolicy ¶
type KeyPolicy struct { AllowRSA bool // Whether RSA keys should be allowed. AllowECDSANISTP256 bool // Whether ECDSA NISTP256 keys should be allowed. AllowECDSANISTP384 bool // Whether ECDSA NISTP384 keys should be allowed. AllowECDSANISTP521 bool // Whether ECDSA NISTP521 keys should be allowed. }
KeyPolicy etermines which types of key may be used with various boulder operations.
type LengthRequiredError ¶
type LengthRequiredError string
LengthRequiredError indicates a POST was sent with no Content-Length.
func (LengthRequiredError) Error ¶
func (e LengthRequiredError) Error() string
type MalformedRequestError ¶
type MalformedRequestError string
MalformedRequestError indicates the user data was improper
func (MalformedRequestError) Error ¶
func (e MalformedRequestError) Error() string
type NoSuchRegistrationError ¶
type NoSuchRegistrationError string
NoSuchRegistrationError indicates that a registration could not be found.
func (NoSuchRegistrationError) Error ¶
func (e NoSuchRegistrationError) Error() string
type NonceService ¶
type NonceService struct {
// contains filtered or unexported fields
}
NonceService generates, cancels, and tracks Nonces.
func NewNonceService ¶
func NewNonceService() (*NonceService, error)
NewNonceService constructs a NonceService with defaults
func (*NonceService) Nonce ¶
func (ns *NonceService) Nonce() (string, error)
Nonce provides a new Nonce.
func (*NonceService) Valid ¶
func (ns *NonceService) Valid(nonce string) bool
Valid determines whether the provided Nonce string is valid, returning true if so.
type NotFoundError ¶
type NotFoundError string
NotFoundError indicates the destination was unknown. Whoa oh oh ohhh.
func (NotFoundError) Error ¶
func (e NotFoundError) Error() string
type NotSupportedError ¶
type NotSupportedError string
NotSupportedError indicates a method is not yet supported
func (NotSupportedError) Error ¶
func (e NotSupportedError) Error() string
type OCSPResponse ¶
type OCSPResponse struct { ID int `db:"id"` // serial: Same as certificate serial. Serial string `db:"serial"` // createdAt: The date the response was signed. CreatedAt time.Time `db:"createdAt"` // response: The encoded and signed CRL. Response []byte `db:"response"` }
OCSPResponse is a (large) table of OCSP responses. This contains all historical OCSP responses we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.
type OCSPSigningRequest ¶
type OCSPSigningRequest struct { CertDER []byte Status string Reason RevocationCode RevokedAt time.Time }
OCSPSigningRequest is a transfer object representing an OCSP Signing Request
type PolicyAuthority ¶
type PolicyAuthority interface { WillingToIssue(id AcmeIdentifier, regID int64) error ChallengesFor(AcmeIdentifier, *jose.JsonWebKey) ([]Challenge, [][]int) }
PolicyAuthority defines the public interface for the Boulder PA
type RateLimitedError ¶
type RateLimitedError string
RateLimitedError indicates the user has hit a rate limit
func (RateLimitedError) Error ¶
func (e RateLimitedError) Error() string
type Registration ¶
type Registration struct { // Unique identifier ID int64 `json:"id" db:"id"` // Account key to which the details are attached Key jose.JsonWebKey `json:"key"` // Contact URIs Contact []*AcmeURL `json:"contact,omitempty"` // Agreement with terms of service Agreement string `json:"agreement,omitempty"` // InitialIP is the IP address from which the registration was created InitialIP net.IP `json:"initialIp"` // CreatedAt is the time the registration was created. CreatedAt time.Time `json:"createdAt"` }
Registration objects represent non-public metadata attached to account keys.
func (*Registration) MergeUpdate ¶
func (r *Registration) MergeUpdate(input Registration)
MergeUpdate copies a subset of information from the input Registration into this one.
type RegistrationAuthority ¶
type RegistrationAuthority interface { // [WebFrontEnd] NewRegistration(Registration) (Registration, error) // [WebFrontEnd] NewAuthorization(Authorization, int64) (Authorization, error) // [WebFrontEnd] NewCertificate(CertificateRequest, int64) (Certificate, error) // [WebFrontEnd] UpdateRegistration(Registration, Registration) (Registration, error) // [WebFrontEnd] UpdateAuthorization(Authorization, int, Challenge) (Authorization, error) // [WebFrontEnd] RevokeCertificateWithReg(x509.Certificate, RevocationCode, int64) error // [AdminRevoker] AdministrativelyRevokeCertificate(x509.Certificate, RevocationCode, string) error // [ValidationAuthority] OnValidationUpdate(Authorization) error }
RegistrationAuthority defines the public interface for the Boulder RA
type RevocationCode ¶
type RevocationCode int
RevocationCode is used to specify a certificate revocation reason
type SignatureValidationError ¶
type SignatureValidationError string
SignatureValidationError indicates that the user's signature could not be verified, either through adversarial activity, or misconfiguration of the user client.
func (SignatureValidationError) Error ¶
func (e SignatureValidationError) Error() string
type SignedCertificateTimestamp ¶
type SignedCertificateTimestamp struct { ID int `db:"id"` // The version of the protocol to which the SCT conforms SCTVersion uint8 `db:"sctVersion"` // the SHA-256 hash of the log's public key, calculated over // the DER encoding of the key represented as SubjectPublicKeyInfo. LogID string `db:"logID"` // Timestamp (in ms since unix epoc) at which the SCT was issued Timestamp uint64 `db:"timestamp"` // For future extensions to the protocol Extensions []byte `db:"extensions"` // The Log's signature for this SCT Signature []byte `db:"signature"` // The serial of the certificate this SCT is for CertificateSerial string `db:"certificateSerial"` LockCol int64 }
SignedCertificateTimestamp is the internal representation of ct.SignedCertificateTimestamp that is used to maintain backwards compatibility with our old CT implementation.
type StorageAdder ¶
type StorageAdder interface { NewRegistration(Registration) (Registration, error) UpdateRegistration(Registration) error NewPendingAuthorization(Authorization) (Authorization, error) UpdatePendingAuthorization(Authorization) error FinalizeAuthorization(Authorization) error MarkCertificateRevoked(serial string, reasonCode RevocationCode) error UpdateOCSP(serial string, ocspResponse []byte) error AddCertificate([]byte, int64) (string, error) AddSCTReceipt(SignedCertificateTimestamp) error RevokeAuthorizationsByDomain(AcmeIdentifier) (int64, int64, error) }
StorageAdder are the Boulder SA's write/update methods
type StorageAuthority ¶
type StorageAuthority interface { StorageGetter StorageAdder }
StorageAuthority interface represents a simple key/value store. It is divided into StorageGetter and StorageUpdater interfaces for privilege separation.
type StorageGetter ¶
type StorageGetter interface { GetRegistration(int64) (Registration, error) GetRegistrationByKey(jose.JsonWebKey) (Registration, error) GetAuthorization(string) (Authorization, error) GetLatestValidAuthorization(int64, AcmeIdentifier) (Authorization, error) GetValidAuthorizations(int64, []string, time.Time) (map[string]*Authorization, error) GetCertificate(string) (Certificate, error) GetCertificateStatus(string) (CertificateStatus, error) AlreadyDeniedCSR([]string) (bool, error) CountCertificatesRange(time.Time, time.Time) (int64, error) CountCertificatesByNames([]string, time.Time, time.Time) (map[string]int, error) CountRegistrationsByIP(net.IP, time.Time, time.Time) (int, error) CountPendingAuthorizations(regID int64) (int, error) GetSCTReceipt(string, string) (SignedCertificateTimestamp, error) CountFQDNSets(time.Duration, []string) (int64, error) FQDNSetExists([]string) (bool, error) }
StorageGetter are the Boulder SA's read-only methods
type TooManyRPCRequestsError ¶
type TooManyRPCRequestsError string
TooManyRPCRequestsError indicates an RPC server has hit it's concurrent request limit
func (TooManyRPCRequestsError) Error ¶
func (e TooManyRPCRequestsError) Error() string
type UnauthorizedError ¶
type UnauthorizedError string
UnauthorizedError indicates the user did not satisfactorily prove identity
func (UnauthorizedError) Error ¶
func (e UnauthorizedError) Error() string
type ValidationAuthority ¶
type ValidationAuthority interface { // [RegistrationAuthority] // TODO(#1167): remove UpdateValidations(Authorization, int) error // PerformValidation checks the challenge with the given index in the // given Authorization and returns the updated ValidationRecords. // // A failure to validate the Challenge will result in a error of type // *probs.ProblemDetails. // // TODO(#1626): remove authz parameter PerformValidation(string, Challenge, Authorization) ([]ValidationRecord, error) IsSafeDomain(*IsSafeDomainRequest) (*IsSafeDomainResponse, error) }
ValidationAuthority defines the public interface for the Boulder VA
type ValidationRecord ¶
type ValidationRecord struct { // DNS only Authorities []string `json:",omitempty"` // SimpleHTTP only URL string `json:"url,omitempty"` // Shared Hostname string `json:"hostname"` Port string `json:"port"` AddressesResolved []net.IP `json:"addressesResolved"` AddressUsed net.IP `json:"addressUsed"` }
ValidationRecord represents a validation attempt against a specific URL/hostname and the IP addresses that were resolved and used
type WebFrontEnd ¶
type WebFrontEnd interface { // Set the base URL for authorizations SetAuthzBase(path string) // Set the base URL for certificates SetCertBase(path string) // This method represents the ACME new-registration resource NewRegistration(response http.ResponseWriter, request *http.Request) // This method represents the ACME new-authorization resource NewAuthz(response http.ResponseWriter, request *http.Request) // This method represents the ACME new-certificate resource NewCert(response http.ResponseWriter, request *http.Request) // Provide access to requests for registration resources Registration(response http.ResponseWriter, request *http.Request) // Provide access to requests for authorization resources Authz(response http.ResponseWriter, request *http.Request) // Provide access to requests for authorization resources Cert(response http.ResponseWriter, request *http.Request) }
A WebFrontEnd object supplies methods that can be hooked into the Go http module's server functions, principally http.HandleFunc()
It also provides methods to configure the base for authorization and certificate URLs.
It is assumed that the ACME server is laid out as follows: * One URL for new-authorization -> NewAuthz * One URL for new-certificate -> NewCert * One path for authorizations -> Authz * One path for certificates -> Cert