ra

package
v0.0.0-...-ba624ac Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2024 License: MPL-2.0 Imports: 51 Imported by: 52

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type RegistrationAuthorityImpl

type RegistrationAuthorityImpl struct {
	rapb.UnsafeRegistrationAuthorityServer
	CA   capb.CertificateAuthorityClient
	OCSP capb.OCSPGeneratorClient
	VA   va.RemoteClients
	SA   sapb.StorageAuthorityClient
	PA   core.PolicyAuthority
	// contains filtered or unexported fields
}

RegistrationAuthorityImpl defines an RA.

NOTE: All of the fields in RegistrationAuthorityImpl need to be populated, or there is a risk of panic.

func NewRegistrationAuthorityImpl

func NewRegistrationAuthorityImpl(
	clk clock.Clock,
	logger blog.Logger,
	stats prometheus.Registerer,
	maxContactsPerReg int,
	keyPolicy goodkey.KeyPolicy,
	limiter *ratelimits.Limiter,
	txnBuilder *ratelimits.TransactionBuilder,
	maxNames int,
	authorizationLifetime time.Duration,
	pendingAuthorizationLifetime time.Duration,
	pubc pubpb.PublisherClient,
	orderLifetime time.Duration,
	finalizeTimeout time.Duration,
	ctp *ctpolicy.CTPolicy,
	purger akamaipb.AkamaiPurgerClient,
	issuers []*issuance.Certificate,
) *RegistrationAuthorityImpl

NewRegistrationAuthorityImpl constructs a new RA object.

func (*RegistrationAuthorityImpl) AdministrativelyRevokeCertificate

func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, req *rapb.AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error)

AdministrativelyRevokeCertificate terminates trust in the certificate provided and does not require the registration ID of the requester since this method is only called from the admin-revoker tool. It trusts that the admin is doing the right thing, so if the requested reason is keyCompromise, it blocks the key from future issuance even though compromise has not been demonstrated here. It purges the certificate from the Akamai cache, and returns an error if that purge fails, since this method may be called late in the BRs-mandated revocation timeframe.

func (*RegistrationAuthorityImpl) DeactivateAuthorization

func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context, req *corepb.Authorization) (*emptypb.Empty, error)

DeactivateAuthorization deactivates a currently valid authorization

func (*RegistrationAuthorityImpl) DeactivateRegistration

func (ra *RegistrationAuthorityImpl) DeactivateRegistration(ctx context.Context, reg *corepb.Registration) (*emptypb.Empty, error)

DeactivateRegistration deactivates a valid registration

func (*RegistrationAuthorityImpl) Drain

func (ra *RegistrationAuthorityImpl) Drain()

Drain blocks until all detached goroutines are done.

The RA runs detached goroutines for challenge validation and finalization, so that ACME responses can be returned to the user promptly while work continues.

The main goroutine should call this before exiting to avoid canceling the work being done in detached goroutines.

func (*RegistrationAuthorityImpl) FinalizeOrder

FinalizeOrder accepts a request to finalize an order object and, if possible, issues a certificate to satisfy the order. If an order does not have valid, unexpired authorizations for all of its associated names an error is returned. Similarly we vet that all of the names in the order are acceptable based on current policy and return an error if the order can't be fulfilled. If successful the order will be returned in processing status for the client to poll while awaiting finalization to occur.

func (*RegistrationAuthorityImpl) GenerateOCSP

GenerateOCSP looks up a certificate's status, then requests a signed OCSP response for it from the CA. If the certificate status is not available or the certificate is expired, it returns berrors.NotFoundError.

func (*RegistrationAuthorityImpl) GetAuthorization

func (*RegistrationAuthorityImpl) LoadRateLimitPoliciesFile

func (ra *RegistrationAuthorityImpl) LoadRateLimitPoliciesFile(filename string) error

func (*RegistrationAuthorityImpl) NewOrder

NewOrder creates a new order object

func (*RegistrationAuthorityImpl) NewRegistration

func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, request *corepb.Registration) (*corepb.Registration, error)

NewRegistration constructs a new Registration from a request.

func (*RegistrationAuthorityImpl) PerformValidation

PerformValidation initiates validation for a specific challenge associated with the given base authorization. The authorization and challenge are updated based on the results.

func (*RegistrationAuthorityImpl) RevokeCertByApplicant

RevokeCertByApplicant revokes the certificate in question. It allows any revocation reason from (0, 1, 3, 4, 5, 9), because Subscribers are allowed to request any revocation reason for their own certificates. However, if the requesting RegID is an account which has authorizations for all names in the cert but is *not* the original subscriber, it overrides the revocation reason to be 5 (cessationOfOperation), because that code is used to cover instances where "the certificate subscriber no longer owns the domain names in the certificate". It does not add the key to the blocked keys list, even if reason 1 (keyCompromise) is requested, as it does not demonstrate said compromise. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.

func (*RegistrationAuthorityImpl) RevokeCertByKey

RevokeCertByKey revokes the certificate in question. It always uses reason code 1 (keyCompromise). It ensures that they public key is added to the blocked keys list, even if revocation otherwise fails. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.

func (*RegistrationAuthorityImpl) UnpauseAccount

UnpauseAccount receives a validated account unpause request from the SFE and instructs the SA to unpause that account. If the account cannot be unpaused, an error is returned.

func (*RegistrationAuthorityImpl) UpdateRegistration deprecated

UpdateRegistration updates an existing Registration with new values. Caller is responsible for making sure that update.Key is only different from base.Key if it is being called from the WFE key change endpoint.

Deprecated: Use UpdateRegistrationContact or UpdateRegistrationKey instead.

func (*RegistrationAuthorityImpl) UpdateRegistrationContact

UpdateRegistrationContact updates an existing Registration's contact. The updated contacts field may be empty.

func (*RegistrationAuthorityImpl) UpdateRegistrationKey

UpdateRegistrationKey updates an existing Registration's key.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL