policy

package
v0.0.0-...-242d746
Published: Dec 18, 2024 License: MPL-2.0 Imports: 19 Imported by: 149

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ValidDomain

func ValidDomain(domain string) error

ValidDomain checks that a domain is valid and that it doesn't contain any invalid wildcard characters. It does NOT ensure that the domain is absent from any PA blocked lists.

func ValidEmail

func ValidEmail(address string) error

ValidEmail returns an error if the input doesn't parse as an email address, the domain isn't a valid hostname in Preferred Name Syntax, or it's on the list of domains forbidden for mail (because they are often used in examples).

func WellFormedDomainNames

func WellFormedDomainNames(domains []string) error

WellFormedDomainNames returns an error if any of the provided domains do not meet these criteria:

  • MUST contain only lowercase characters, numbers, hyphens, and dots
  • MUST NOT have more than maxLabels labels
  • MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181

In particular, it:

  • MUST NOT contain underscores
  • MUST NOT match the syntax of an IP address
  • MUST end in a public suffix
  • MUST have at least one label in addition to the public suffix
  • MUST NOT be a label-wise suffix match for a name on the block list, where comparison is case-independent (normalized to lower case)

If a domain contains a *, we additionally require:

  • There is at most one `*` wildcard character
  • That the wildcard character is the leftmost label
  • That the wildcard label is not immediately adjacent to a top level ICANN TLD

If multiple domains are invalid, the error will contain suberrors specific to each domain.
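To make the rules above concrete, here is an added Go example (not Boulder's own code) that applies the WellFormedDomainNames rules, plus the label-wise block-list match that WillingToIssue layers on top, to a single name. It assumes a constructed block list and, since no public suffix list is embedded, treats the last label as both the public suffix and the ICANN TLD.

```go
package main

import (
	"errors"
	"net"
	"regexp"
	"strings"
)

// RFC 1035 label, lowercase only; a leading `*` wildcard label is stripped first.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)

// Constructed sample; Boulder loads its block list from a policy file instead.
var blocklist = map[string]bool{"example.com": true}

// checkDomain applies the documented rules to one name. Simplification: the last
// label stands in for the public suffix and ICANN TLD (no public suffix list here).
func checkDomain(domain string) error {
	if domain != strings.ToLower(domain) || strings.Contains(domain, "_") {
		return errors.New("uppercase character or underscore")
	}
	if net.ParseIP(domain) != nil {
		return errors.New("is an IP address, not a hostname")
	}
	labels := strings.Split(domain, ".")
	if strings.Contains(domain, "*") {
		if strings.Count(domain, "*") > 1 || labels[0] != "*" {
			return errors.New("at most one wildcard, and only as the leftmost label")
		}
		if len(labels) < 3 {
			return errors.New("wildcard label adjacent to a TLD")
		}
		labels = labels[1:] // validate the concrete labels only
	}
	for _, l := range labels {
		if len(l) > 63 || !labelRe.MatchString(l) {
			return errors.New("invalid label: " + l)
		}
	}
	if len(labels) < 2 {
		return errors.New("no label beyond the public suffix")
	}
	// Label-wise suffix match: sub.example.com is blocked, notexample.com is not.
	for i := range labels {
		if blocklist[strings.Join(labels[i:], ".")] {
			return errors.New("label-wise suffix match on the block list")
		}
	}
	return nil
}
```

The label-wise loop is the part worth copying: a plain string-suffix comparison would wrongly block notexample.com, while a label-wise one blocks exactly the listed name and its subdomains.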

Types

type AuthorityImpl

type AuthorityImpl struct {
	// contains filtered or unexported fields
}

AuthorityImpl enforces CA policy decisions.

func New

func New(challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error)

New constructs a Policy Authority.

func (*AuthorityImpl) ChallengeTypeEnabled

func (pa *AuthorityImpl) ChallengeTypeEnabled(t core.AcmeChallenge) bool

ChallengeTypeEnabled returns whether the specified challenge type is enabled.

func (*AuthorityImpl) ChallengeTypesFor

func (pa *AuthorityImpl) ChallengeTypesFor(ident identifier.ACMEIdentifier) ([]core.AcmeChallenge, error)

ChallengeTypesFor determines which challenge types are acceptable for the given identifier. This determination is made purely based on the identifier, and not based on which challenge types are enabled, so that challenge type filtering can happen dynamically at request time rather than being set in stone at creation time.

func (*AuthorityImpl) CheckAuthzChallenges

func (pa *AuthorityImpl) CheckAuthzChallenges(authz *core.Authorization) error

CheckAuthzChallenges determines that an authorization was fulfilled by a challenge that is currently enabled and was appropriate for the kind of identifier in the authorization.

func (*AuthorityImpl) LoadHostnamePolicyFile

func (pa *AuthorityImpl) LoadHostnamePolicyFile(f string) error

LoadHostnamePolicyFile will load the given policy file, returning an error if it fails.

func (*AuthorityImpl) WillingToIssue

func (pa *AuthorityImpl) WillingToIssue(domains []string) error

WillingToIssue determines whether the CA is willing to issue for the provided domain names.

It checks the criteria checked by `WellFormedDomainNames`, and additionally checks whether any domain is on a blocklist.

If multiple domains are invalid, the error will contain suberrors specific to each domain.

Precondition: all input domain names must be in lowercase.
