ra

package
v0.0.0-...-6229936 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 18, 2024 License: MPL-2.0 Imports: 51 Imported by: 52

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type RegistrationAuthorityImpl 

type RegistrationAuthorityImpl struct {
	rapb.UnsafeRegistrationAuthorityServer
	CA   capb.CertificateAuthorityClient
	OCSP capb.OCSPGeneratorClient
	VA   va.RemoteClients
	SA   sapb.StorageAuthorityClient
	PA   core.PolicyAuthority
	// contains filtered or unexported fields
}

RegistrationAuthorityImpl defines an RA.

NOTE: All of the fields in RegistrationAuthorityImpl need to be populated, or there is a risk of panic.

func NewRegistrationAuthorityImpl 

func NewRegistrationAuthorityImpl(
	clk clock.Clock,
	logger blog.Logger,
	stats prometheus.Registerer,
	maxContactsPerReg int,
	keyPolicy goodkey.KeyPolicy,
	limiter *ratelimits.Limiter,
	txnBuilder *ratelimits.TransactionBuilder,
	maxNames int,
	authorizationLifetime time.Duration,
	pendingAuthorizationLifetime time.Duration,
	pubc pubpb.PublisherClient,
	orderLifetime time.Duration,
	finalizeTimeout time.Duration,
	ctp *ctpolicy.CTPolicy,
	purger akamaipb.AkamaiPurgerClient,
	issuers []*issuance.Certificate,
) *RegistrationAuthorityImpl

NewRegistrationAuthorityImpl constructs a new RA object.

func (*RegistrationAuthorityImpl) AdministrativelyRevokeCertificate 

func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, req *rapb.AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error)

AdministrativelyRevokeCertificate terminates trust in the certificate provided and does not require the registration ID of the requester since this method is only called from the admin-revoker tool. It trusts that the admin is doing the right thing, so if the requested reason is keyCompromise, it blocks the key from future issuance even though compromise has not been demonstrated here. It purges the certificate from the Akamai cache, and returns an error if that purge fails, since this method may be called late in the BRs-mandated revocation timeframe.

func (*RegistrationAuthorityImpl) DeactivateAuthorization 

func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context, req *corepb.Authorization) (*emptypb.Empty, error)

DeactivateAuthorization deactivates a currently valid authorization

func (*RegistrationAuthorityImpl) DeactivateRegistration 

func (ra *RegistrationAuthorityImpl) DeactivateRegistration(ctx context.Context, reg *corepb.Registration) (*emptypb.Empty, error)

DeactivateRegistration deactivates a valid registration

func (*RegistrationAuthorityImpl) Drain 

func (ra *RegistrationAuthorityImpl) Drain()

Drain blocks until all detached goroutines are done.

The RA runs detached goroutines for challenge validation and finalization, so that ACME responses can be returned to the user promptly while work continues.

The main goroutine should call this before exiting to avoid canceling the work being done in detached goroutines.

func (*RegistrationAuthorityImpl) FinalizeOrder 

func (ra *RegistrationAuthorityImpl) FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)

FinalizeOrder accepts a request to finalize an order object and, if possible, issues a certificate to satisfy the order. If an order does not have valid, unexpired authorizations for all of its associated names an error is returned. Similarly we vet that all of the names in the order are acceptable based on current policy and return an error if the order can't be fulfilled. If successful the order will be returned in processing status for the client to poll while awaiting finalization to occur.

func (*RegistrationAuthorityImpl) GenerateOCSP 

func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb.GenerateOCSPRequest) (*capb.OCSPResponse, error)

GenerateOCSP looks up a certificate's status, then requests a signed OCSP response for it from the CA. If the certificate status is not available or the certificate is expired, it returns berrors.NotFoundError.

func (*RegistrationAuthorityImpl) GetAuthorization 

func (ra *RegistrationAuthorityImpl) GetAuthorization(ctx context.Context, req *rapb.GetAuthorizationRequest) (*corepb.Authorization, error)

func (*RegistrationAuthorityImpl) LoadRateLimitPoliciesFile 

func (ra *RegistrationAuthorityImpl) LoadRateLimitPoliciesFile(filename string) error

func (*RegistrationAuthorityImpl) NewOrder 

func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)

NewOrder creates a new order object

func (*RegistrationAuthorityImpl) NewRegistration 

func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, request *corepb.Registration) (*corepb.Registration, error)

NewRegistration constructs a new Registration from a request.

func (*RegistrationAuthorityImpl) PerformValidation 

func (ra *RegistrationAuthorityImpl) PerformValidation(
	ctx context.Context,
	req *rapb.PerformValidationRequest) (*corepb.Authorization, error)

PerformValidation initiates validation for a specific challenge associated with the given base authorization. The authorization and challenge are updated based on the results.

func (*RegistrationAuthorityImpl) RevokeCertByApplicant 

func (ra *RegistrationAuthorityImpl) RevokeCertByApplicant(ctx context.Context, req *rapb.RevokeCertByApplicantRequest) (*emptypb.Empty, error)

RevokeCertByApplicant revokes the certificate in question. It allows any revocation reason from (0, 1, 3, 4, 5, 9), because Subscribers are allowed to request any revocation reason for their own certificates. However, if the requesting RegID is an account which has authorizations for all names in the cert but is *not* the original subscriber, it overrides the revocation reason to be 5 (cessationOfOperation), because that code is used to cover instances where "the certificate subscriber no longer owns the domain names in the certificate". It does not add the key to the blocked keys list, even if reason 1 (keyCompromise) is requested, as it does not demonstrate said compromise. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.

func (*RegistrationAuthorityImpl) RevokeCertByKey 

func (ra *RegistrationAuthorityImpl) RevokeCertByKey(ctx context.Context, req *rapb.RevokeCertByKeyRequest) (*emptypb.Empty, error)

RevokeCertByKey revokes the certificate in question. It always uses reason code 1 (keyCompromise). It ensures that they public key is added to the blocked keys list, even if revocation otherwise fails. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.

func (*RegistrationAuthorityImpl) UnpauseAccount 

func (ra *RegistrationAuthorityImpl) UnpauseAccount(ctx context.Context, request *rapb.UnpauseAccountRequest) (*rapb.UnpauseAccountResponse, error)

UnpauseAccount receives a validated account unpause request from the SFE and instructs the SA to unpause that account. If the account cannot be unpaused, an error is returned.

func (*RegistrationAuthorityImpl) UpdateRegistration deprecated 

func (ra *RegistrationAuthorityImpl) UpdateRegistration(ctx context.Context, req *rapb.UpdateRegistrationRequest) (*corepb.Registration, error)

UpdateRegistration updates an existing Registration with new values. Caller is responsible for making sure that update.Key is only different from base.Key if it is being called from the WFE key change endpoint.

Deprecated: Use UpdateRegistrationContact or UpdateRegistrationKey instead.

func (*RegistrationAuthorityImpl) UpdateRegistrationContact 

func (ra *RegistrationAuthorityImpl) UpdateRegistrationContact(ctx context.Context, req *rapb.UpdateRegistrationContactRequest) (*corepb.Registration, error)

UpdateRegistrationContact updates an existing Registration's contact. The updated contacts field may be empty.

func (*RegistrationAuthorityImpl) UpdateRegistrationKey 

func (ra *RegistrationAuthorityImpl) UpdateRegistrationKey(ctx context.Context, req *rapb.UpdateRegistrationKeyRequest) (*corepb.Registration, error)

UpdateRegistrationKey updates an existing Registration's key.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.