Documentation
Index
- Constants
- type DomainCheck
- type RegistrationAuthorityImpl
- func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(cert x509.Certificate, revocationCode core.RevocationCode, user string) error
- func (ra *RegistrationAuthorityImpl) MatchesCSR(cert core.Certificate, csr *x509.CertificateRequest) (err error)
- func (ra *RegistrationAuthorityImpl) NewAuthorization(request core.Authorization, regID int64) (authz core.Authorization, err error)
- func (ra *RegistrationAuthorityImpl) NewCertificate(req core.CertificateRequest, regID int64) (cert core.Certificate, err error)
- func (ra *RegistrationAuthorityImpl) NewRegistration(init core.Registration) (reg core.Registration, err error)
- func (ra *RegistrationAuthorityImpl) OnValidationUpdate(authz core.Authorization) error
- func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(cert x509.Certificate, revocationCode core.RevocationCode, regID int64) (err error)
- func (ra *RegistrationAuthorityImpl) UpdateAuthorization(base core.Authorization, challengeIndex int, response core.Challenge) (authz core.Authorization, err error)
- func (ra *RegistrationAuthorityImpl) UpdateRegistration(base core.Registration, update core.Registration) (reg core.Registration, err error)
Constants
const DefaultAuthorizationLifetime = 300 * 24 * time.Hour
DefaultAuthorizationLifetime is the 10-month default authorization lifetime. When used with a 90-day cert lifetime, this allows creation of certs that will cover a whole year, plus a grace period of a month. TODO(jsha): Read from a config file.
const DefaultPendingAuthorizationLifetime = 7 * 24 * time.Hour
DefaultPendingAuthorizationLifetime is one week. If you can't respond to a challenge this quickly, then you need to request a new challenge. TODO(rlb): Read from a config file.
Variables
This section is empty.
Functions
This section is empty.
Types
type DomainCheck
type DomainCheck struct {
VA core.ValidationAuthority
}
DomainCheck is a little struct that allows the RA to call the VA's IsSafeDomain if the VA is non-nil, or fails open if it is nil. This is so that the RA can be deployed before the VA can respond to the IsSafeDomain RPC.
type RegistrationAuthorityImpl
type RegistrationAuthorityImpl struct {
CA core.CertificateAuthority
VA core.ValidationAuthority
SA core.StorageAuthority
PA core.PolicyAuthority
DNSResolver bdns.DNSResolver
// contains filtered or unexported fields
}
RegistrationAuthorityImpl defines an RA.
NOTE: All of the fields in RegistrationAuthorityImpl need to be populated, or there is a risk of panic.
func NewRegistrationAuthorityImpl
func NewRegistrationAuthorityImpl(clk clock.Clock, logger *blog.AuditLogger, stats statsd.Statter, dc *DomainCheck, policies cmd.RateLimitConfig, maxContactsPerReg int, keyPolicy core.KeyPolicy, newVARPC bool) *RegistrationAuthorityImpl
NewRegistrationAuthorityImpl constructs a new RA object.
func (*RegistrationAuthorityImpl) AdministrativelyRevokeCertificate
func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(cert x509.Certificate, revocationCode core.RevocationCode, user string) error
AdministrativelyRevokeCertificate terminates trust in the certificate provided and does not require the registration ID of the requester since this method is only called from the admin-revoker tool.
func (*RegistrationAuthorityImpl) MatchesCSR
func (ra *RegistrationAuthorityImpl) MatchesCSR(cert core.Certificate, csr *x509.CertificateRequest) (err error)
MatchesCSR tests the contents of a generated certificate to make sure that the PublicKey, CommonName, and DNSNames match those provided in the CSR that was used to generate the certificate. It also checks that:
- notBefore is not more than 24 hours ago
- BasicConstraintsValid is true
- IsCA is false
- ExtKeyUsage only contains ExtKeyUsageServerAuth & ExtKeyUsageClientAuth
- Subject only contains CommonName & Names
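The checks listed above, carried out over an already parsed certificate and CSR, as an added illustration that is not Boulder's own MatchesCSR code; the function name checkCertMatchesCSR, the helper samplePair and the example.com names are assumptions made here, and DNSNames are compared as a set so SAN order does not matter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"reflect"
	"sort"
	"time"
)

// checkCertMatchesCSR applies the MatchesCSR checks listed above; illustrative, not Boulder's code.
func checkCertMatchesCSR(cert *x509.Certificate, csr *x509.CertificateRequest, now time.Time) error {
	certNames, csrNames := append([]string(nil), cert.DNSNames...), append([]string(nil), csr.DNSNames...) // copies, compared as sets
	sort.Strings(certNames)
	sort.Strings(csrNames)
	s := cert.Subject
	switch {
	case !reflect.DeepEqual(cert.PublicKey, csr.PublicKey): // adequate for the key types Go's x509 parses
		return errors.New("public key does not match CSR")
	case s.CommonName != csr.Subject.CommonName:
		return errors.New("CommonName does not match CSR")
	case !reflect.DeepEqual(certNames, csrNames):
		return errors.New("DNSNames do not match CSR")
	case now.Sub(cert.NotBefore) > 24*time.Hour:
		return errors.New("notBefore is more than 24 hours ago")
	case !cert.BasicConstraintsValid || cert.IsCA:
		return errors.New("BasicConstraintsValid must be true and IsCA false")
	case s.SerialNumber != "" || len(s.Country)+len(s.Organization)+len(s.OrganizationalUnit)+len(s.Locality)+len(s.Province)+len(s.StreetAddress)+len(s.PostalCode) > 0:
		return errors.New("Subject carries fields beyond CommonName") // Names only mirrors the parsed CN
	}
	for _, eku := range cert.ExtKeyUsage { // only serverAuth and clientAuth are allowed
		if eku != x509.ExtKeyUsageServerAuth && eku != x509.ExtKeyUsageClientAuth {
			return fmt.Errorf("unexpected ExtKeyUsage %v", eku)
		}
	}
	return nil
}

// samplePair returns a constructed, matching certificate/CSR pair using a throwaway key (hypothetical data).
func samplePair(now time.Time) (*x509.Certificate, *x509.CertificateRequest) {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	subj, names := pkix.Name{CommonName: "example.com"}, []string{"www.example.com", "example.com"}
	csr := &x509.CertificateRequest{PublicKey: pub, Subject: subj, DNSNames: names}
	cert := &x509.Certificate{PublicKey: pub, Subject: subj, DNSNames: names, NotBefore: now.Add(-time.Hour),
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	return cert, csr
}
```

Flipping any single field on the certificate returned by samplePair (IsCA, an extra EKU, a stale NotBefore, an added Subject attribute, a changed SAN) makes checkCertMatchesCSR return a non-nil error.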
func (*RegistrationAuthorityImpl) NewAuthorization
func (ra *RegistrationAuthorityImpl) NewAuthorization(request core.Authorization, regID int64) (authz core.Authorization, err error)
NewAuthorization constructs a new Authz from a request. Values (domains) in request.Identifier will be lowercased before storage.
func (*RegistrationAuthorityImpl) NewCertificate
func (ra *RegistrationAuthorityImpl) NewCertificate(req core.CertificateRequest, regID int64) (cert core.Certificate, err error)
NewCertificate requests the issuance of a certificate.
func (*RegistrationAuthorityImpl) NewRegistration
func (ra *RegistrationAuthorityImpl) NewRegistration(init core.Registration) (reg core.Registration, err error)
NewRegistration constructs a new Registration from a request.
func (*RegistrationAuthorityImpl) OnValidationUpdate
func (ra *RegistrationAuthorityImpl) OnValidationUpdate(authz core.Authorization) error
OnValidationUpdate is called when a given Authorization is updated by the VA.
func (*RegistrationAuthorityImpl) RevokeCertificateWithReg
func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(cert x509.Certificate, revocationCode core.RevocationCode, regID int64) (err error)
RevokeCertificateWithReg terminates trust in the certificate provided.
func (*RegistrationAuthorityImpl) UpdateAuthorization
func (ra *RegistrationAuthorityImpl) UpdateAuthorization(base core.Authorization, challengeIndex int, response core.Challenge) (authz core.Authorization, err error)
UpdateAuthorization updates an authorization with new values.
func (*RegistrationAuthorityImpl) UpdateRegistration
func (ra *RegistrationAuthorityImpl) UpdateRegistration(base core.Registration, update core.Registration) (reg core.Registration, err error)
UpdateRegistration updates an existing Registration with new values.