unpause

package
v0.0.0-...-d6e163c Latest
Warning

This package is not in the latest version of its module.

Published: Dec 20, 2024 License: MPL-2.0 Imports: 9 Imported by: 0

Documentation


Constants

const (

	// Changing this value will invalidate all existing JWTs.
	APIVersion = "v1"
	APIPrefix  = "/sfe/" + APIVersion
	GetForm    = APIPrefix + "/unpause"

	// BatchSize is the maximum number of identifiers that the SA will unpause
	// in a single batch.
	BatchSize = 10000

	// MaxBatches is the maximum number of batches that the SA will unpause in a
	// single request.
	MaxBatches = 5

	// RequestLimit is the maximum number of identifiers that the SA will
	// unpause in a single request. This is used by the SFE to infer whether
	// there are more identifiers to unpause.
	RequestLimit = BatchSize * MaxBatches
)

Variables

var ErrMalformedJWT = errors.New("malformed JWT")

ErrMalformedJWT is returned when the JWT is malformed.

Functions

func GenerateJWT

func GenerateJWT(signer JWTSigner, regID int64, identifiers []string, lifetime time.Duration, clk clock.Clock) (string, error)

GenerateJWT generates a serialized unpause JWT with the provided claims.

Types

type JWTClaims

type JWTClaims struct {
	jwt.Claims

	// V is the API version this JWT was created for.
	V string `json:"version"`

	// I is a set of comma-separated ACME identifiers.
	I string `json:"identifiers"`
}

JWTClaims represents the claims of a JWT issued by the WFE for redemption by the SFE. The following claims are required for unpausing:

  • Subject: the account ID of the Subscriber
  • V: the API version this JWT was created for
  • I: a set of ACME identifier values. Identifier types are omitted since DNS and IP string representations do not overlap.

func RedeemJWT

func RedeemJWT(token string, key []byte, version string, clk clock.Clock) (JWTClaims, error)

RedeemJWT deserializes an unpause JWT and returns the validated claims. The key is used to validate the signature of the JWT. The version is the expected API version of the JWT. This function validates that the JWT:

  • is well-formed,
  • is valid for the current time (+/- 1 minute leeway),
  • was issued by the WFE,
  • is intended for the SFE,
  • contains an Account ID as the 'Subject',
  • has a subject that can be parsed as a 64-bit integer,
  • contains a set of paused identifiers as 'Identifiers', and
  • contains the expected API version as 'Version'.

If the JWT is malformed or invalid in any way, ErrMalformedJWT is returned.
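
The checks listed above for RedeemJWT, written out as an added example that uses only the Go standard library; it is not this package's code, which builds on jose.Signer. Assumptions: HS256 as the HMAC algorithm, the issuer and audience strings "WFE" and "SFE", and the hypothetical names mint, redeem and claims; the key, claims and clock value in main are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var errMalformed = errors.New("malformed JWT") // one opaque error for every failure
var b64 = base64.RawURLEncoding

type claims struct { // the expected Iss/Aud strings "WFE"/"SFE" are assumptions
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf"`
	V   string `json:"version"`
	I   string `json:"identifiers"`
}

func mint(key, payload []byte) string { // fixed HS256 header (assumed), payload, tag
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

func redeem(tok string, key []byte, version string, now int64) (c claims, err error) {
	_, rest, _ := strings.Cut(tok, ".")
	seg, _, _ := strings.Cut(rest, ".")
	body, derr := b64.DecodeString(seg)
	// Re-minting pins the header (no "alg" choice) and checks the MAC before any JSON is parsed.
	ok := derr == nil && hmac.Equal([]byte(tok), []byte(mint(key, body))) && json.Unmarshal(body, &c) == nil
	_, perr := strconv.ParseInt(c.Sub, 10, 64) // subject must be a 64-bit integer
	if !ok || perr != nil || now > c.Exp+60 || now < c.Nbf-60 || c.Iss != "WFE" || c.Aud != "SFE" || c.V != version || c.I == "" {
		return claims{}, errMalformed
	}
	return c, nil
}

func main() { // constructed key, claims and clock value (Unix seconds)
	key, payload := []byte("constructed-demo-key"), `{"iss":"WFE","aud":"SFE","sub":"42","exp":2000,"nbf":1000,"version":"v1","identifiers":"a.example,b.example"}`
	fmt.Println(redeem(mint(key, []byte(payload)), key, "v1", 1500))
}
```

Because the whole token is compared against a freshly minted one, a token with a different header, an extra segment or a non-canonical payload encoding fails the same way as a bad signature.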

type JWTSigner

type JWTSigner = jose.Signer

JWTSigner is a type alias for jose.Signer. To create a JWTSigner instance, use the NewJWTSigner function provided in this package.

func NewJWTSigner

func NewJWTSigner(hmacKey cmd.HMACKeyConfig) (JWTSigner, error)

NewJWTSigner loads the HMAC key from the provided configuration and returns a new JWT signer.
