Documentation
Index
- func NewValidationProfiles(defaultName string, configs map[string]*ValidationProfileConfig) (*validationProfiles, error)
- type RegistrationAuthorityImpl
- func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, req *rapb.AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error)
- func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context, req *corepb.Authorization) (*emptypb.Empty, error)
- func (ra *RegistrationAuthorityImpl) DeactivateRegistration(ctx context.Context, reg *corepb.Registration) (*emptypb.Empty, error)
- func (ra *RegistrationAuthorityImpl) Drain()
- func (ra *RegistrationAuthorityImpl) FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)
- func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb.GenerateOCSPRequest) (*capb.OCSPResponse, error)
- func (ra *RegistrationAuthorityImpl) GetAuthorization(ctx context.Context, req *rapb.GetAuthorizationRequest) (*corepb.Authorization, error)
- func (ra *RegistrationAuthorityImpl) GetSCTs(ctx context.Context, sctRequest *rapb.SCTRequest) (*rapb.SCTResponse, error)
- func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)
- func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, request *corepb.Registration) (*corepb.Registration, error)
- func (ra *RegistrationAuthorityImpl) PerformValidation(ctx context.Context, req *rapb.PerformValidationRequest) (*corepb.Authorization, error)
- func (ra *RegistrationAuthorityImpl) RevokeCertByApplicant(ctx context.Context, req *rapb.RevokeCertByApplicantRequest) (*emptypb.Empty, error)
- func (ra *RegistrationAuthorityImpl) RevokeCertByKey(ctx context.Context, req *rapb.RevokeCertByKeyRequest) (*emptypb.Empty, error)
- func (ra *RegistrationAuthorityImpl) UnpauseAccount(ctx context.Context, request *rapb.UnpauseAccountRequest) (*rapb.UnpauseAccountResponse, error)
- func (ra *RegistrationAuthorityImpl) UpdateRegistrationContact(ctx context.Context, req *rapb.UpdateRegistrationContactRequest) (*corepb.Registration, error)
- func (ra *RegistrationAuthorityImpl) UpdateRegistrationKey(ctx context.Context, req *rapb.UpdateRegistrationKeyRequest) (*corepb.Registration, error)
- type ValidationProfileConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewValidationProfiles
func NewValidationProfiles(defaultName string, configs map[string]*ValidationProfileConfig) (*validationProfiles, error)
NewValidationProfiles builds a new validationProfiles struct from the given configs and default name. It enforces that the given authorization lifetimes are within the bounds mandated by the Baseline Requirements.
Types
type RegistrationAuthorityImpl
type RegistrationAuthorityImpl struct {
	rapb.UnsafeRegistrationAuthorityServer
	rapb.UnsafeSCTProviderServer
	CA   capb.CertificateAuthorityClient
	OCSP capb.OCSPGeneratorClient
	VA   va.RemoteClients
	SA   sapb.StorageAuthorityClient
	PA   core.PolicyAuthority
	// contains filtered or unexported fields
}
RegistrationAuthorityImpl defines an RA.
NOTE: All of the fields in RegistrationAuthorityImpl need to be populated, or there is a risk of panic.
func NewRegistrationAuthorityImpl
func NewRegistrationAuthorityImpl(
	clk clock.Clock,
	logger blog.Logger,
	stats prometheus.Registerer,
	maxContactsPerReg int,
	keyPolicy goodkey.KeyPolicy,
	limiter *ratelimits.Limiter,
	txnBuilder *ratelimits.TransactionBuilder,
	maxNames int,
	profiles *validationProfiles,
	mustStapleAllowList *allowlist.List[int64],
	pubc pubpb.PublisherClient,
	finalizeTimeout time.Duration,
	ctp *ctpolicy.CTPolicy,
	purger akamaipb.AkamaiPurgerClient,
	issuers []*issuance.Certificate,
) *RegistrationAuthorityImpl
NewRegistrationAuthorityImpl constructs a new RA object.
func (*RegistrationAuthorityImpl) AdministrativelyRevokeCertificate
func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, req *rapb.AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error)
AdministrativelyRevokeCertificate terminates trust in the certificate provided and does not require the registration ID of the requester since this method is only called from the `admin` tool. It trusts that the admin is doing the right thing, so if the requested reason is keyCompromise, it blocks the key from future issuance even though compromise has not been demonstrated here. It purges the certificate from the Akamai cache, and returns an error if that purge fails, since this method may be called late in the BRs-mandated revocation timeframe.
func (*RegistrationAuthorityImpl) DeactivateAuthorization
func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context, req *corepb.Authorization) (*emptypb.Empty, error)
DeactivateAuthorization deactivates a currently valid authorization.
func (*RegistrationAuthorityImpl) DeactivateRegistration
func (ra *RegistrationAuthorityImpl) DeactivateRegistration(ctx context.Context, reg *corepb.Registration) (*emptypb.Empty, error)
DeactivateRegistration deactivates a valid registration.
func (*RegistrationAuthorityImpl) Drain
func (ra *RegistrationAuthorityImpl) Drain()
Drain blocks until all detached goroutines are done.
The RA runs detached goroutines for challenge validation and finalization, so that ACME responses can be returned to the user promptly while work continues.
The main goroutine should call this before exiting to avoid canceling the work being done in detached goroutines.
func (*RegistrationAuthorityImpl) FinalizeOrder
func (ra *RegistrationAuthorityImpl) FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)
FinalizeOrder accepts a request to finalize an order object and, if possible, issues a certificate to satisfy the order. If an order does not have valid, unexpired authorizations for all of its associated names, an error is returned. Similarly, we vet that all of the names in the order are acceptable under current policy and return an error if the order can't be fulfilled. If successful, the order is returned in processing status for the client to poll while awaiting finalization.
func (*RegistrationAuthorityImpl) GenerateOCSP
func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb.GenerateOCSPRequest) (*capb.OCSPResponse, error)
GenerateOCSP looks up a certificate's status, then requests a signed OCSP response for it from the CA. If the certificate status is not available or the certificate is expired, it returns berrors.NotFoundError.
func (*RegistrationAuthorityImpl) GetAuthorization
func (ra *RegistrationAuthorityImpl) GetAuthorization(ctx context.Context, req *rapb.GetAuthorizationRequest) (*corepb.Authorization, error)
func (*RegistrationAuthorityImpl) GetSCTs
func (ra *RegistrationAuthorityImpl) GetSCTs(ctx context.Context, sctRequest *rapb.SCTRequest) (*rapb.SCTResponse, error)
func (*RegistrationAuthorityImpl) NewOrder
func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)
NewOrder creates a new order object.
func (*RegistrationAuthorityImpl) NewRegistration
func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, request *corepb.Registration) (*corepb.Registration, error)
NewRegistration constructs a new Registration from a request.
func (*RegistrationAuthorityImpl) PerformValidation
func (ra *RegistrationAuthorityImpl) PerformValidation(
	ctx context.Context,
	req *rapb.PerformValidationRequest) (*corepb.Authorization, error)
PerformValidation initiates validation for a specific challenge associated with the given base authorization. The authorization and challenge are updated based on the results.
func (*RegistrationAuthorityImpl) RevokeCertByApplicant
func (ra *RegistrationAuthorityImpl) RevokeCertByApplicant(ctx context.Context, req *rapb.RevokeCertByApplicantRequest) (*emptypb.Empty, error)
RevokeCertByApplicant revokes the certificate in question. It allows any revocation reason from (0, 1, 3, 4, 5, 9), because Subscribers are allowed to request any revocation reason for their own certificates. However, if the requesting RegID is an account which has authorizations for all names in the cert but is *not* the original subscriber, it overrides the revocation reason to be 5 (cessationOfOperation), because that code is used to cover instances where "the certificate subscriber no longer owns the domain names in the certificate". It does not add the key to the blocked keys list, even if reason 1 (keyCompromise) is requested, as it does not demonstrate said compromise. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.
func (*RegistrationAuthorityImpl) RevokeCertByKey
func (ra *RegistrationAuthorityImpl) RevokeCertByKey(ctx context.Context, req *rapb.RevokeCertByKeyRequest) (*emptypb.Empty, error)
RevokeCertByKey revokes the certificate in question. It always uses reason code 1 (keyCompromise). It ensures that the public key is added to the blocked keys list, even if revocation otherwise fails. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.
func (*RegistrationAuthorityImpl) UnpauseAccount
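The reason-selection and key-blocking rules documented for RevokeCertByApplicant and RevokeCertByKey above, modelled as a small decision function. This is an added illustration, not Boulder's implementation; the `decision` type, the `isSubscriber`/`hasAllAuthz` inputs and the rejection of a requester with neither standing are assumptions made here.

```go
package main

import "fmt"

// Reason codes named in the RA docs (RFC 5280 CRLReason values).
const (
	reasonKeyCompromise        = 1
	reasonCessationOfOperation = 5
)

// applicantAllowedReasons is the set (0, 1, 3, 4, 5, 9) accepted by RevokeCertByApplicant.
var applicantAllowedReasons = map[int]bool{0: true, 1: true, 3: true, 4: true, 5: true, 9: true}

// decision records the reason code recorded for the revocation and whether
// the public key is added to the blocked-keys list.
type decision struct {
	Reason   int
	BlockKey bool
}

// applicantRevocation models the documented rules of RevokeCertByApplicant.
// isSubscriber: the requesting RegID is the original subscriber;
// hasAllAuthz: it holds authorizations for every name in the cert.
func applicantRevocation(requested int, isSubscriber, hasAllAuthz bool) (decision, error) {
	if !applicantAllowedReasons[requested] {
		return decision{}, fmt.Errorf("reason %d not permitted for applicant revocation", requested)
	}
	if !isSubscriber && !hasAllAuthz {
		// Assumption: a requester with neither standing is rejected.
		return decision{}, fmt.Errorf("requester is neither subscriber nor authorized for all names")
	}
	reason := requested
	if !isSubscriber {
		// Not the original subscriber: override to cessationOfOperation (5).
		reason = reasonCessationOfOperation
	}
	// Compromise is asserted, not demonstrated, so the key is never blocked here.
	return decision{Reason: reason, BlockKey: false}, nil
}

// keyRevocation models RevokeCertByKey: reason is always keyCompromise (1)
// and the key is blocked even if the revocation itself fails.
func keyRevocation() decision {
	return decision{Reason: reasonKeyCompromise, BlockKey: true}
}

func main() {
	d, err := applicantRevocation(reasonKeyCompromise, false, true)
	fmt.Println(d, err, keyRevocation()) // {5 false} <nil> {1 true}
}
```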
func (ra *RegistrationAuthorityImpl) UnpauseAccount(ctx context.Context, request *rapb.UnpauseAccountRequest) (*rapb.UnpauseAccountResponse, error)
UnpauseAccount receives a validated account unpause request from the SFE and instructs the SA to unpause that account. If the account cannot be unpaused, an error is returned.
func (*RegistrationAuthorityImpl) UpdateRegistrationContact
func (ra *RegistrationAuthorityImpl) UpdateRegistrationContact(ctx context.Context, req *rapb.UpdateRegistrationContactRequest) (*corepb.Registration, error)
UpdateRegistrationContact updates an existing Registration's contact. The updated contacts field may be empty.
func (*RegistrationAuthorityImpl) UpdateRegistrationKey
func (ra *RegistrationAuthorityImpl) UpdateRegistrationKey(ctx context.Context, req *rapb.UpdateRegistrationKeyRequest) (*corepb.Registration, error)
UpdateRegistrationKey updates an existing Registration's key.
type ValidationProfileConfig
type ValidationProfileConfig struct {
	// PendingAuthzLifetime defines how far in the future an authorization's
	// "expires" timestamp is set when it is first created, i.e. how much
	// time the applicant has to attempt the challenge.
	PendingAuthzLifetime config.Duration `validate:"required"`
	// ValidAuthzLifetime defines how far in the future an authorization's
	// "expires" timestamp is set when one of its challenges is fulfilled,
	// i.e. how long a validated authorization may be reused.
	ValidAuthzLifetime config.Duration `validate:"required"`
	// OrderLifetime defines how far in the future an order's "expires"
	// timestamp is set when it is first created, i.e. how much time the
	// applicant has to fulfill all challenges and finalize the order. This is
	// a maximum time: if the order reuses an authorization and that authz
	// expires earlier than this OrderLifetime would otherwise set, then the
	// order's expiration is brought in to match that authorization.
	OrderLifetime config.Duration `validate:"required"`
	// MaxNames is the maximum number of subjectAltNames in a single cert.
	// The value supplied MUST be greater than 0 and no more than 100. These
	// limits are per section 7.1 of our combined CP/CPS, under "DV-SSL
	// Subscriber Certificate". The value must be less than or equal to the
	// global (i.e. not per-profile) value configured in the CA.
	MaxNames int `validate:"omitempty,min=1,max=100"`
	// AllowList specifies the path to a YAML file containing a list of
	// account IDs permitted to use this profile. If no path is
	// specified, the profile is open to all accounts. If the file
	// exists but is empty, the profile is closed to all accounts.
	AllowList string `validate:"omitempty"`
}
ValidationProfileConfig is a config struct which can be used to create a ValidationProfile.
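The two rules the ValidationProfileConfig field comments spell out, the MaxNames bounds and the order-expiry clamp against reused authorizations, worked as an added example. This is not Boulder's code: `profileConfig`, `validateMaxNames` and `orderExpiry` are stand-ins written here, using time.Duration in place of config.Duration, and the sample timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// profileConfig is a constructed stand-in for ValidationProfileConfig,
// using time.Duration in place of Boulder's config.Duration.
type profileConfig struct {
	PendingAuthzLifetime time.Duration
	ValidAuthzLifetime   time.Duration
	OrderLifetime        time.Duration
	MaxNames             int
}

// validateMaxNames applies the documented MaxNames rules: 0 means unset
// (omitempty); otherwise the value must lie in [1, 100] and must not exceed
// the CA's global limit. Illustrative, not Boulder's validation code.
func validateMaxNames(cfg profileConfig, globalMax int) error {
	if cfg.MaxNames == 0 {
		return nil
	}
	if cfg.MaxNames < 1 || cfg.MaxNames > 100 {
		return fmt.Errorf("maxNames %d outside [1, 100]", cfg.MaxNames)
	}
	if cfg.MaxNames > globalMax {
		return fmt.Errorf("maxNames %d exceeds CA global limit %d", cfg.MaxNames, globalMax)
	}
	return nil
}

// orderExpiry computes an order's "expires" timestamp as documented: now +
// OrderLifetime, brought in to the earliest expiry of any reused authorization.
func orderExpiry(cfg profileConfig, now time.Time, reusedAuthzExpiries []time.Time) time.Time {
	exp := now.Add(cfg.OrderLifetime)
	for _, e := range reusedAuthzExpiries {
		if e.Before(exp) {
			exp = e
		}
	}
	return exp
}

func main() {
	cfg := profileConfig{OrderLifetime: 7 * 24 * time.Hour, MaxNames: 100}
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample time
	fmt.Println(validateMaxNames(cfg, 100), orderExpiry(cfg, now, []time.Time{now.Add(48 * time.Hour)}))
}
```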