type Config
// Config is the top-level configuration for boulder-ca. Most constraints are
// expressed through the `validate` struct tags; a few limits that the validate
// library cannot express (see SerialPrefixHex) are checked at startup instead,
// and a mismatch there or in the profile names causes boulder-ca to fail to
// start rather than run with a partial configuration.
type Config struct {
	CA struct {
		cmd.ServiceConfig
		cmd.HostnamePolicyConfig

		// GRPCCA holds the gRPC server configuration for this service.
		GRPCCA *cmd.GRPCServerConfig

		// SAService holds a gRPC client configuration; presumably the client
		// used to reach the Storage Authority — confirm against the caller.
		SAService *cmd.GRPCClientConfig

		// Issuance contains all information necessary to load and initialize issuers.
		Issuance struct {
			// The name of the certificate profile to use if one wasn't provided
			// by the RA during NewOrder and Finalize requests. Must match a
			// configured certificate profile or boulder-ca will fail to start.
			DefaultCertificateProfileName string `validate:"omitempty,alphanum,min=1,max=32"`

			// TODO(#7414) Remove this deprecated field.
			// Deprecated: Use CertProfiles instead. Profile implicitly takes
			// the internal Boulder default value of ca.DefaultCertProfileName.
			Profile issuance.ProfileConfig `validate:"required_without=CertProfiles,structonly"`

			// CertProfiles maps a profile name to its issuance configuration.
			// One of the profile names must match the value of
			// DefaultCertificateProfileName or boulder-ca will fail to start.
			// Exactly one of Profile or CertProfiles must be set (required_without).
			CertProfiles map[string]*issuance.ProfileConfig `validate:"dive,keys,alphanum,min=1,max=32,endkeys,required_without=Profile,structonly"`

			// CRLProfile configures CRL issuance. It is currently excluded from
			// validation (`validate:"-"`).
			// TODO(#7159): Make this required once all live configs are using it.
			CRLProfile issuance.CRLProfileConfig `validate:"-"`

			// Issuers lists the issuers to load. At least one is required
			// (min=1) and each entry is validated individually (dive).
			Issuers []issuance.IssuerConfig `validate:"min=1,dive"`

			// LintConfig is a path to a zlint config file.
			// Deprecated: Use CertProfiles.LintConfig instead.
			LintConfig string

			// IgnoredLints is a list of lint names for which any errors should be
			// ignored.
			// Deprecated: Use CertProfiles.IgnoredLints instead.
			IgnoredLints []string
		}

		// How long issued certificates are valid for.
		// Deprecated: Use Issuance.CertProfiles.MaxValidityPeriod instead.
		Expiry config.Duration

		// How far back certificates should be backdated.
		// Deprecated: Use Issuance.CertProfiles.MaxValidityBackdate instead.
		Backdate config.Duration

		// What digits we should prepend to serials after randomly generating them.
		// Deprecated: Use SerialPrefixHex instead.
		SerialPrefix int `validate:"required_without=SerialPrefixHex,omitempty,min=1,max=127"`

		// SerialPrefixHex is the hex string to prepend to serials after randomly
		// generating them. The minimum value is "01" to ensure that at least
		// one bit in the prefix byte is set. The maximum value is "7f" to
		// ensure that the first bit in the prefix byte is not set. The validate
		// library cannot enforce min/max values on strings, so that is done in
		// NewCertificateAuthorityImpl. Exactly one of SerialPrefix or
		// SerialPrefixHex must be set (required_without).
		//
		// TODO(#7213): Replace `required_without` with `required` when SerialPrefix is removed.
		SerialPrefixHex string `validate:"required_without=SerialPrefix,omitempty,hexadecimal,len=2"`

		// MaxNames is the maximum number of subjectAltNames in a single cert.
		// The value supplied MUST be greater than 0 and no more than 100. These
		// limits are per section 7.1 of our combined CP/CPS, under "DV-SSL
		// Subscriber Certificate". The value must match the RA and WFE
		// configurations.
		MaxNames int `validate:"required,min=1,max=100"`

		// LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
		// Section 4.9.10, it MUST NOT be more than 10 days. Default 96h.
		LifespanOCSP config.Duration

		// LifespanCRL is how long CRLs are valid for. It should be longer than the
		// `period` field of the CRL Updater. Per the BRs, Section 4.9.7, it MUST
		// NOT be more than 10 days.
		// Deprecated: Use Config.CA.Issuance.CRLProfile.ValidityInterval instead.
		LifespanCRL config.Duration `validate:"-"`

		// GoodKey is an embedded config stanza for the goodkey library.
		GoodKey goodkey.Config

		// Maximum length (in bytes) of a line accumulating OCSP audit log entries.
		// Recommended to be around 4000. If this is 0, do not perform OCSP audit
		// logging.
		OCSPLogMaxLength int

		// Maximum period (in Go duration format) to wait to accumulate a max-length
		// OCSP audit log line. We will emit a log line at least once per period,
		// if there is anything to be logged. Keeping this low minimizes the risk
		// of losing logs during a catastrophic failure. Making it too high
		// means logging more often than necessary, which is inefficient in terms
		// of bytes and log system resources.
		// Recommended to be around 500ms.
		OCSPLogPeriod config.Duration

		// CTLogListFile is the path to a JSON file on disk containing the set of
		// all logs trusted by Chrome. The file must match the v3 log list schema:
		// https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
		// NOTE(review): this file is a trust input (it defines which CT logs
		// are accepted), so its provenance and freshness deserve the same care
		// as other trust material.
		CTLogListFile string

		// DisableCertService causes the CertificateAuthority gRPC service to not
		// start, preventing any certificates or precertificates from being issued.
		DisableCertService bool

		// DisableOCSPService causes the OCSPGenerator gRPC service to not start,
		// preventing any OCSP responses from being issued.
		DisableOCSPService bool

		// DisableCRLService causes the CRLGenerator gRPC service to not start,
		// preventing any CRLs from being issued.
		DisableCRLService bool

		// Features is the features.Config stanza for this service.
		Features features.Config
	}

	// PA is the cmd.PAConfig stanza shared with the other Boulder commands.
	PA cmd.PAConfig

	// Syslog configures logging via cmd.SyslogConfig.
	Syslog cmd.SyslogConfig

	// OpenTelemetry configures tracing via cmd.OpenTelemetryConfig.
	OpenTelemetry cmd.OpenTelemetryConfig
}