sa

package
v0.0.0-...-242d746 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2024 License: MPL-2.0 Imports: 41 Imported by: 414

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ClearEmail

func ClearEmail(ctx context.Context, dbMap db.DatabaseMap, regID int64, email string) error

ClearEmail removes the provided email address from one specified registration. If there are multiple email addresses present, it does not modify other ones. If the email address is not present, it does not modify the registration and will return a nil error.

func DBMapForTest

func DBMapForTest(dbConnect string) (*boulderDB.WrappedMap, error)

DBMapForTest creates a wrapped root borp mapping object. Create one of these for each database schema you wish to map. Each DbMap contains a list of mapped tables. It automatically maps the tables for the primary parts of Boulder around the Storage Authority.

func DBMapForTestWithLog

func DBMapForTestWithLog(dbConnect string, log blog.Logger) (*boulderDB.WrappedMap, error)

DBMapForTestWithLog does the same as DBMapForTest but also routes the debug logs from the database driver to the given log (usually a `blog.NewMock`).

func InitWrappedDb

func InitWrappedDb(config cmd.DBConfig, scope prometheus.Registerer, logger blog.Logger) (*boulderDB.WrappedMap, error)

InitWrappedDb constructs a wrapped borp mapping object with the provided settings. If scope is non-nil, Prometheus metrics will be exported. If logger is non-nil, SQL debug-level logging will be enabled. The only required parameter is config.

func ReverseName

func ReverseName(domain string) string

func SelectAuthzsMatchingIssuance

func SelectAuthzsMatchingIssuance(
	ctx context.Context,
	s db.Selector,
	regID int64,
	issued time.Time,
	dnsNames []string,
) ([]*corepb.Authorization, error)

SelectAuthzsMatchingIssuance looks for a set of authzs that would have authorized a given issuance that is known to have occurred. The returned authzs will all belong to the given regID, will have potentially been valid at the time of issuance, and will have the appropriate identifier type and value. This may return multiple authzs for the same identifier type and value.

This returns "potentially" valid authzs because a client may have set an authzs status to deactivated after issuance, so we return both valid and deactivated authzs. It also uses a small amount of leeway (1s) to account for possible clock skew.

This function doesn't do anything special for authzs with an expiration in the past. If the stored authz has a valid status, it is returned with a valid status regardless of whether it is also expired.

func SelectCertificate

func SelectCertificate(ctx context.Context, s db.OneSelector, serial string) (core.Certificate, error)

SelectCertificate selects all fields of one certificate object identified by a serial. If more than one row contains the same serial only the first is returned.

func SelectCertificateStatus

func SelectCertificateStatus(ctx context.Context, s db.OneSelector, serial string) (core.CertificateStatus, error)

SelectCertificateStatus selects all fields of one certificate status model identified by serial

func SelectPrecertificate

func SelectPrecertificate(ctx context.Context, s db.OneSelector, serial string) (core.Certificate, error)

SelectPrecertificate selects all fields of one precertificate object identified by serial.

func SelectRevocationStatus

func SelectRevocationStatus(ctx context.Context, s db.OneSelector, serial string) (*sapb.RevocationStatus, error)

SelectRevocationStatus returns the authoritative revocation information for the certificate with the given serial.

Types

type BoulderTypeConverter

type BoulderTypeConverter struct{}

BoulderTypeConverter is used by borp for storing objects in DB.

func (BoulderTypeConverter) FromDb

func (tc BoulderTypeConverter) FromDb(target interface{}) (borp.CustomScanner, bool)

FromDb converts a DB representation back into a Boulder object.

func (BoulderTypeConverter) ToDb

func (tc BoulderTypeConverter) ToDb(val interface{}) (interface{}, error)

ToDb converts a Boulder object to one suitable for the DB representation.

type CertStatusMetadata

type CertStatusMetadata struct {
	ID                    int64             `db:"id"`
	Serial                string            `db:"serial"`
	Status                core.OCSPStatus   `db:"status"`
	OCSPLastUpdated       time.Time         `db:"ocspLastUpdated"`
	RevokedDate           time.Time         `db:"revokedDate"`
	RevokedReason         revocation.Reason `db:"revokedReason"`
	LastExpirationNagSent time.Time         `db:"lastExpirationNagSent"`
	NotAfter              time.Time         `db:"notAfter"`
	IsExpired             bool              `db:"isExpired"`
	IssuerID              int64             `db:"issuerID"`
}

type CertWithID

type CertWithID struct {
	ID int64
	core.Certificate
}

func SelectCertificates

func SelectCertificates(ctx context.Context, s db.Selector, q string, args map[string]interface{}) ([]CertWithID, error)

SelectCertificates selects all fields of multiple certificate objects

func SelectPrecertificates

func SelectPrecertificates(ctx context.Context, s db.Selector, q string, args map[string]interface{}) ([]CertWithID, error)

SelectPrecertificates selects all fields of multiple precertificate objects.

type DbSettings

type DbSettings struct {
	// MaxOpenConns sets the maximum number of open connections to the
	// database. If MaxIdleConns is greater than 0 and MaxOpenConns is
	// less than MaxIdleConns, then MaxIdleConns will be reduced to
	// match the new MaxOpenConns limit. If n < 0, then there is no
	// limit on the number of open connections.
	MaxOpenConns int

	// MaxIdleConns sets the maximum number of connections in the idle
	// connection pool. If MaxOpenConns is greater than 0 but less than
	// MaxIdleConns, then MaxIdleConns will be reduced to match the
	// MaxOpenConns limit. If n < 0, no idle connections are retained.
	MaxIdleConns int

	// ConnMaxLifetime sets the maximum amount of time a connection may
	// be reused. Expired connections may be closed lazily before reuse.
	// If d < 0, connections are not closed due to a connection's age.
	ConnMaxLifetime time.Duration

	// ConnMaxIdleTime sets the maximum amount of time a connection may
	// be idle. Expired connections may be closed lazily before reuse.
	// If d < 0, connections are not closed due to a connection's idle
	// time.
	ConnMaxIdleTime time.Duration
}

DbSettings contains settings for the database/sql driver. The zero value of each field means use the default setting from database/sql. ConnMaxIdleTime and ConnMaxLifetime should be set lower than their mariab counterparts interactive_timeout and wait_timeout.

type RevocationStatusModel

type RevocationStatusModel struct {
	Status        core.OCSPStatus   `db:"status"`
	RevokedDate   time.Time         `db:"revokedDate"`
	RevokedReason revocation.Reason `db:"revokedReason"`
}

RevocationStatusModel represents a small subset of the columns in the certificateStatus table, used to determine the authoritative revocation status of a certificate.

type SQLLogger

type SQLLogger struct {
	blog.Logger
}

SQLLogger adapts the Boulder Logger to a format borp can use.

func (*SQLLogger) Printf

func (log *SQLLogger) Printf(format string, v ...interface{})

Printf adapts the Logger to borp's interface

type SQLStorageAuthority

type SQLStorageAuthority struct {
	sapb.UnsafeStorageAuthorityServer

	*SQLStorageAuthorityRO
	// contains filtered or unexported fields
}

SQLStorageAuthority defines a Storage Authority.

Note that although SQLStorageAuthority does have methods wrapping all of the read-only methods provided by the SQLStorageAuthorityRO, those wrapper implementations are in saro.go, next to the real implementations.

func NewSQLStorageAuthority

func NewSQLStorageAuthority(
	dbMap *db.WrappedMap,
	dbReadOnlyMap *db.WrappedMap,
	dbIncidentsMap *db.WrappedMap,
	parallelismPerRPC int,
	lagFactor time.Duration,
	clk clock.Clock,
	logger blog.Logger,
	stats prometheus.Registerer,
) (*SQLStorageAuthority, error)

NewSQLStorageAuthority provides persistence using a SQL backend for Boulder. It constructs its own read-only storage authority to wrap.

func NewSQLStorageAuthorityWrapping

func NewSQLStorageAuthorityWrapping(
	ssaro *SQLStorageAuthorityRO,
	dbMap *db.WrappedMap,
	stats prometheus.Registerer,
) (*SQLStorageAuthority, error)

NewSQLStorageAuthorityWrapping provides persistence using a SQL backend for Boulder. It takes a read-only storage authority to wrap, which is useful if you are constructing both types of implementations and want to share read-only database connections between them.

func (*SQLStorageAuthority) AddBlockedKey

func (ssa *SQLStorageAuthority) AddBlockedKey(ctx context.Context, req *sapb.AddBlockedKeyRequest) (*emptypb.Empty, error)

AddBlockedKey adds a key hash to the blockedKeys table

func (*SQLStorageAuthority) AddCertificate

func (ssa *SQLStorageAuthority) AddCertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)

AddCertificate stores an issued certificate, returning an error if it is a duplicate or if any other failure occurs.

func (*SQLStorageAuthority) AddPrecertificate

func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)

AddPrecertificate writes a record of a linting certificate to the database.

Note: The name "AddPrecertificate" is a historical artifact, and this is now always called with a linting certificate. See #6807.

Note: this is not idempotent: it does not protect against inserting the same certificate multiple times. Calling code needs to first insert the cert's serial into the Serials table to ensure uniqueness.

func (*SQLStorageAuthority) AddSerial

AddSerial writes a record of a serial number generation to the DB.

func (*SQLStorageAuthority) DeactivateAuthorization2

func (ssa *SQLStorageAuthority) DeactivateAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*emptypb.Empty, error)

DeactivateAuthorization2 deactivates a currently valid or pending authorization.

func (*SQLStorageAuthority) DeactivateRegistration

func (ssa *SQLStorageAuthority) DeactivateRegistration(ctx context.Context, req *sapb.RegistrationID) (*emptypb.Empty, error)

DeactivateRegistration deactivates a currently valid registration and removes its contact field

func (*SQLStorageAuthority) FinalizeAuthorization2

func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest) (*emptypb.Empty, error)

FinalizeAuthorization2 moves a pending authorization to either the valid or invalid status. If the authorization is being moved to invalid the validationError field must be set. If the authorization is being moved to valid the validationRecord and expires fields must be set.

func (*SQLStorageAuthority) FinalizeOrder

func (ssa *SQLStorageAuthority) FinalizeOrder(ctx context.Context, req *sapb.FinalizeOrderRequest) (*emptypb.Empty, error)

FinalizeOrder finalizes a provided *corepb.Order by persisting the CertificateSerial and a valid status to the database. No fields other than CertificateSerial and the order ID on the provided order are processed (e.g. this is not a generic update RPC).

func (*SQLStorageAuthority) Health

func (ssa *SQLStorageAuthority) Health(ctx context.Context) error

Health implements the grpc.checker interface.

func (*SQLStorageAuthority) LeaseCRLShard

LeaseCRLShard marks a single crlShards row as leased until the given time. If the request names a specific shard, this function will return an error if that shard is already leased. Otherwise, this function will return the index of the oldest shard for the given issuer.

func (*SQLStorageAuthority) NewOrderAndAuthzs

func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest) (*corepb.Order, error)

NewOrderAndAuthzs adds the given authorizations to the database, adds their autogenerated IDs to the given order, and then adds the order to the db. This is done inside a single transaction to prevent situations where new authorizations are created, but then their corresponding order is never created, leading to "invisible" pending authorizations.

func (*SQLStorageAuthority) NewRegistration

func (ssa *SQLStorageAuthority) NewRegistration(ctx context.Context, req *corepb.Registration) (*corepb.Registration, error)

NewRegistration stores a new Registration

func (*SQLStorageAuthority) PauseIdentifiers

PauseIdentifiers pauses a set of identifiers for the provided account. If an identifier is currently paused, this is a no-op. If an identifier was previously paused and unpaused, it will be repaused unless it was unpaused less than two weeks ago. The response will indicate how many identifiers were paused and how many were repaused. All work is accomplished in a transaction to limit possible race conditions.

func (*SQLStorageAuthority) RevokeCertificate

func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error)

RevokeCertificate stores revocation information about a certificate. It will only store this information if the certificate is not already marked as revoked.

func (*SQLStorageAuthority) SetCertificateStatusReady

func (ssa *SQLStorageAuthority) SetCertificateStatusReady(ctx context.Context, req *sapb.Serial) (*emptypb.Empty, error)

SetCertificateStatusReady changes a serial's OCSP status from core.OCSPStatusNotReady to core.OCSPStatusGood. Called when precertificate issuance succeeds. returns an error if the serial doesn't have status core.OCSPStatusNotReady.

func (*SQLStorageAuthority) SetOrderError

func (ssa *SQLStorageAuthority) SetOrderError(ctx context.Context, req *sapb.SetOrderErrorRequest) (*emptypb.Empty, error)

SetOrderError updates a provided Order's error field.

func (*SQLStorageAuthority) SetOrderProcessing

func (ssa *SQLStorageAuthority) SetOrderProcessing(ctx context.Context, req *sapb.OrderRequest) (*emptypb.Empty, error)

SetOrderProcessing updates an order from pending status to processing status by updating the `beganProcessing` field of the corresponding Order table row in the DB.

func (*SQLStorageAuthority) UnpauseAccount

func (ssa *SQLStorageAuthority) UnpauseAccount(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error)

UnpauseAccount uses up to 5 iterations of UPDATE queries each with a LIMIT of 10,000 to unpause up to 50,000 identifiers and returns a count of identifiers unpaused. If the returned count is 50,000 there may be more paused identifiers.

func (*SQLStorageAuthority) UpdateCRLShard

func (ssa *SQLStorageAuthority) UpdateCRLShard(ctx context.Context, req *sapb.UpdateCRLShardRequest) (*emptypb.Empty, error)

UpdateCRLShard updates the thisUpdate and nextUpdate timestamps of a CRL shard. It rejects the update if it would cause the thisUpdate timestamp to move backwards, but if thisUpdate would stay the same (for instance, multiple CRL generations within a single second), it will succeed.

It does *not* reject the update if the shard is no longer leased: although this would be unexpected (because the lease timestamp should be the same as the crl-updater's context expiration), it's not inherently a sign of an update that should be skipped. It does reject the update if the identified CRL shard does not exist in the database (it should exist, as rows are created if necessary when leased). It also sets the leasedUntil time to be equal to thisUpdate, to indicate that the shard is no longer leased.

func (*SQLStorageAuthority) UpdateRegistration deprecated

func (ssa *SQLStorageAuthority) UpdateRegistration(ctx context.Context, req *corepb.Registration) (*emptypb.Empty, error)

UpdateRegistration stores an updated Registration

Deprecated: Use UpdateRegistrationContact or UpdateRegistrationKey instead.

func (*SQLStorageAuthority) UpdateRegistrationContact

func (ssa *SQLStorageAuthority) UpdateRegistrationContact(ctx context.Context, req *sapb.UpdateRegistrationContactRequest) (*corepb.Registration, error)

UpdateRegistrationContact stores an updated contact in a Registration. The updated contacts field may be empty.

func (*SQLStorageAuthority) UpdateRegistrationKey

UpdateRegistrationKey stores an updated key in a Registration.

func (*SQLStorageAuthority) UpdateRevokedCertificate

func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error)

UpdateRevokedCertificate stores new revocation information about an already-revoked certificate. It will only store this information if the cert is already revoked, if the new revocation reason is `KeyCompromise`, and if the revokedDate is identical to the current revokedDate.

type SQLStorageAuthorityRO

type SQLStorageAuthorityRO struct {
	sapb.UnsafeStorageAuthorityReadOnlyServer
	// contains filtered or unexported fields
}

SQLStorageAuthorityRO defines a read-only subset of a Storage Authority

func NewSQLStorageAuthorityRO

func NewSQLStorageAuthorityRO(
	dbReadOnlyMap *db.WrappedMap,
	dbIncidentsMap *db.WrappedMap,
	stats prometheus.Registerer,
	parallelismPerRPC int,
	lagFactor time.Duration,
	clk clock.Clock,
	logger blog.Logger,
) (*SQLStorageAuthorityRO, error)

NewSQLStorageAuthorityRO provides persistence using a SQL backend for Boulder. It will modify the given borp.DbMap by adding relevant tables.

func (*SQLStorageAuthorityRO) CheckIdentifiersPaused

func (ssa *SQLStorageAuthorityRO) CheckIdentifiersPaused(ctx context.Context, req *sapb.PauseRequest) (*sapb.Identifiers, error)

CheckIdentifiersPaused takes a slice of identifiers and returns a slice of the first 15 identifier values which are currently paused for the provided account. If no matches are found, an empty slice is returned.

func (*SQLStorageAuthorityRO) CountCertificatesByNames

func (ssa *SQLStorageAuthorityRO) CountCertificatesByNames(ctx context.Context, req *sapb.CountCertificatesByNamesRequest) (*sapb.CountByNames, error)

CountCertificatesByNames counts, for each input domain, the number of certificates issued in the given time range for that domain and its subdomains. It returns a map from domains to counts and a timestamp. The map of domains to counts is guaranteed to contain an entry for each input domain, so long as err is nil. The timestamp is the earliest time a certificate was issued for any of the domains during the provided range of time. Queries will be run in parallel. If any of them error, only one error will be returned.

func (*SQLStorageAuthorityRO) CountInvalidAuthorizations2

func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error)

CountInvalidAuthorizations2 counts invalid authorizations for a user expiring in a given time range. This method only supports DNS identifier types.

func (*SQLStorageAuthorityRO) CountOrders

func (ssa *SQLStorageAuthorityRO) CountOrders(ctx context.Context, req *sapb.CountOrdersRequest) (*sapb.Count, error)

func (*SQLStorageAuthorityRO) CountPendingAuthorizations2

func (ssa *SQLStorageAuthorityRO) CountPendingAuthorizations2(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error)

CountPendingAuthorizations2 returns the number of pending, unexpired authorizations for the given registration.

func (*SQLStorageAuthorityRO) FQDNSetExists

func (ssa *SQLStorageAuthorityRO) FQDNSetExists(ctx context.Context, req *sapb.FQDNSetExistsRequest) (*sapb.Exists, error)

FQDNSetExists returns a bool indicating if one or more FQDN sets |names| exists in the database

func (*SQLStorageAuthorityRO) FQDNSetTimestampsForWindow

func (ssa *SQLStorageAuthorityRO) FQDNSetTimestampsForWindow(ctx context.Context, req *sapb.CountFQDNSetsRequest) (*sapb.Timestamps, error)

FQDNSetTimestampsForWindow returns the issuance timestamps for each certificate, issued for a set of domains, during a given window of time, starting from the most recent issuance.

func (*SQLStorageAuthorityRO) GetAuthorization2

func (ssa *SQLStorageAuthorityRO) GetAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*corepb.Authorization, error)

GetAuthorization2 returns the authz2 style authorization identified by the provided ID or an error. If no authorization is found matching the ID a berrors.NotFound type error is returned.

func (*SQLStorageAuthorityRO) GetAuthorizations2 deprecated

GetAuthorizations2 returns a single pending or valid authorization owned by the given account for all given identifiers. If both a valid and pending authorization exist only the valid one will be returned. Currently only dns identifiers are supported.

Deprecated: Use GetValidAuthorizations2, as we stop pending authz reuse.

func (*SQLStorageAuthorityRO) GetCertificate

func (ssa *SQLStorageAuthorityRO) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)

GetCertificate takes a serial number and returns the corresponding certificate, or error if it does not exist.

func (*SQLStorageAuthorityRO) GetCertificateStatus

func (ssa *SQLStorageAuthorityRO) GetCertificateStatus(ctx context.Context, req *sapb.Serial) (*corepb.CertificateStatus, error)

GetCertificateStatus takes a hexadecimal string representing the full 128-bit serial number of a certificate and returns data about that certificate's current validity.

func (*SQLStorageAuthorityRO) GetLintPrecertificate

func (ssa *SQLStorageAuthorityRO) GetLintPrecertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)

GetLintPrecertificate takes a serial number and returns the corresponding linting precertificate, or error if it does not exist. The returned precert is identical to the actual submitted-to-CT-logs precertificate, except for its signature.

func (*SQLStorageAuthorityRO) GetMaxExpiration

func (ssa *SQLStorageAuthorityRO) GetMaxExpiration(ctx context.Context, req *emptypb.Empty) (*timestamppb.Timestamp, error)

GetMaxExpiration returns the timestamp of the farthest-future notAfter date found in the certificateStatus table. This provides an upper bound on how far forward operations that need to cover all currently-unexpired certificates have to look.

func (*SQLStorageAuthorityRO) GetOrder

func (ssa *SQLStorageAuthorityRO) GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)

GetOrder is used to retrieve an already existing order object

func (*SQLStorageAuthorityRO) GetOrderForNames

func (ssa *SQLStorageAuthorityRO) GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error)

GetOrderForNames tries to find a **pending** or **ready** order with the exact set of names requested, associated with the given accountID. Only unexpired orders are considered. If no order meeting these requirements is found a nil corepb.Order pointer is returned.

func (*SQLStorageAuthorityRO) GetPausedIdentifiers

func (ssa *SQLStorageAuthorityRO) GetPausedIdentifiers(ctx context.Context, req *sapb.RegistrationID) (*sapb.Identifiers, error)

GetPausedIdentifiers returns a slice of paused identifiers for the provided account. If no paused identifiers are found, an empty slice is returned. The results are limited to the first 15 paused identifiers.

func (*SQLStorageAuthorityRO) GetRegistration

func (ssa *SQLStorageAuthorityRO) GetRegistration(ctx context.Context, req *sapb.RegistrationID) (*corepb.Registration, error)

GetRegistration obtains a Registration by ID

func (*SQLStorageAuthorityRO) GetRegistrationByKey

func (ssa *SQLStorageAuthorityRO) GetRegistrationByKey(ctx context.Context, req *sapb.JSONWebKey) (*corepb.Registration, error)

GetRegistrationByKey obtains a Registration by JWK

func (*SQLStorageAuthorityRO) GetRevocationStatus

func (ssa *SQLStorageAuthorityRO) GetRevocationStatus(ctx context.Context, req *sapb.Serial) (*sapb.RevocationStatus, error)

GetRevocationStatus takes a hexadecimal string representing the full serial number of a certificate and returns a minimal set of data about that cert's current validity.

func (*SQLStorageAuthorityRO) GetRevokedCerts

GetRevokedCerts gets a request specifying an issuer and a period of time, and writes to the output stream the set of all certificates issued by that issuer which expire during that period of time and which have been revoked. The starting timestamp is treated as inclusive (certs with exactly that notAfter date are included), but the ending timestamp is exclusive (certs with exactly that notAfter date are *not* included).

func (*SQLStorageAuthorityRO) GetSerialMetadata

func (ssa *SQLStorageAuthorityRO) GetSerialMetadata(ctx context.Context, req *sapb.Serial) (*sapb.SerialMetadata, error)

GetSerialMetadata returns metadata stored alongside the serial number, such as the RegID whose certificate request created that serial, and when the certificate with that serial will expire.

func (*SQLStorageAuthorityRO) GetSerialsByAccount

func (ssa *SQLStorageAuthorityRO) GetSerialsByAccount(req *sapb.RegistrationID, stream grpc.ServerStreamingServer[sapb.Serial]) error

GetSerialsByAccount returns a stream of all serials for all unexpired certificates issued to the given RegID. This is useful for revoking all of an account's certs upon their request.

func (*SQLStorageAuthorityRO) GetSerialsByKey

func (ssa *SQLStorageAuthorityRO) GetSerialsByKey(req *sapb.SPKIHash, stream grpc.ServerStreamingServer[sapb.Serial]) error

GetSerialsByKey returns a stream of serials for all unexpired certificates whose public key matches the given SPKIHash. This is useful for revoking all certificates affected by a key compromise.

func (*SQLStorageAuthorityRO) GetValidAuthorizations2

GetValidAuthorizations2 returns a single valid authorization owned by the given account for all given identifiers. If more than one valid authorization exists, only the one with the latest expiry will be returned. Currently only dns identifiers are supported.

func (*SQLStorageAuthorityRO) GetValidOrderAuthorizations2

func (ssa *SQLStorageAuthorityRO) GetValidOrderAuthorizations2(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (*sapb.Authorizations, error)

GetValidOrderAuthorizations2 is used to get all authorizations associated with the given Order ID. NOTE: The name is outdated. It does *not* filter out invalid or expired authorizations; that it left to the caller. It also ignores the RegID field of the input: ensuring that the returned authorizations match the same RegID as the Order is also left to the caller. This is because the caller is generally in a better position to provide insightful error messages, whereas simply omitting an authz from this method's response would leave the caller wondering why that authz was omitted.

func (*SQLStorageAuthorityRO) Health

func (ssa *SQLStorageAuthorityRO) Health(ctx context.Context) error

Health implements the grpc.checker interface.

func (*SQLStorageAuthorityRO) IncidentsForSerial

func (ssa *SQLStorageAuthorityRO) IncidentsForSerial(ctx context.Context, req *sapb.Serial) (*sapb.Incidents, error)

IncidentsForSerial queries each active incident table and returns every incident that currently impacts `req.Serial`.

func (*SQLStorageAuthorityRO) KeyBlocked

func (ssa *SQLStorageAuthorityRO) KeyBlocked(ctx context.Context, req *sapb.SPKIHash) (*sapb.Exists, error)

KeyBlocked checks if a key, indicated by a hash, is present in the blockedKeys table

func (*SQLStorageAuthorityRO) ReplacementOrderExists

func (ssa *SQLStorageAuthorityRO) ReplacementOrderExists(ctx context.Context, req *sapb.Serial) (*sapb.Exists, error)

ReplacementOrderExists returns whether a valid replacement order exists for the given certificate serial number. An existing but expired or otherwise invalid replacement order is not considered to exist.

func (*SQLStorageAuthorityRO) SerialsForIncident

SerialsForIncident queries the provided incident table and returns the resulting rows as a stream of `*sapb.IncidentSerial`s. An `io.EOF` error signals that there are no more serials to send. If the incident table in question contains zero rows, only an `io.EOF` error is returned. The IncidentSerial messages returned may have the zero-value for their OrderID, RegistrationID, and LastNoticeSent fields, if those are NULL in the database.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL