boulder

module v0.0.0-...-31455dc
Published: Apr 6, 2016 License: MPL-2.0

README

Boulder - An ACME CA

This is an implementation of an ACME-based CA. The ACME protocol allows the CA to automatically verify that an applicant for a certificate actually controls an identifier, and allows domain holders to issue and revoke certificates for their domains.


Quickstart

Boulder has a Dockerfile to make it easy to install and set up all its dependencies. This approach is most suitable if you just need to set up Boulder for the purpose of testing client software against it. To start Boulder in a Docker container, run:

./test/run-docker.sh

Slow start

This approach is better if you intend to develop on Boulder frequently, because it's challenging to develop inside the Docker container.

We recommend enabling git's fsckObjects setting, which gives better integrity guarantees when fetching updates.

Boulder requires an installation of RabbitMQ, libtool-ltdl, goose, and MariaDB 10 to work correctly. On Ubuntu and CentOS, you may have to install RabbitMQ from https://rabbitmq.com/download.html to get a recent version.

Also, Boulder requires Go 1.5. As of September 2015 this version is not yet available in OS repositories, so you will have to install from https://golang.org/dl/. Add ${GOPATH}/bin to your path.

Ubuntu:

sudo apt-get install libltdl3-dev mariadb-server rabbitmq-server

CentOS:

sudo yum install libtool-ltdl-devel MariaDB-server MariaDB-client rabbitmq-server

Arch Linux:

sudo pacman -S libtool mariadb rabbitmq --needed

OS X:

brew install libtool mariadb rabbitmq

or

sudo port install libtool mariadb-server rabbitmq-server

(On OS X, using port, you will have to add CGO_CFLAGS="-I/opt/local/include" CGO_LDFLAGS="-L/opt/local/lib" to your environment or go invocations.)

Edit /etc/hosts to add this line:

127.0.0.1 boulder boulder-rabbitmq boulder-mysql

Resolve the Go dependencies and set up the database and RabbitMQ:

./test/setup.sh

Note: setup.sh calls create_db.sh, which uses the root MariaDB user with the default password; if you have disabled that account or changed its password, you may have to adjust the script or recreate its commands by hand.

Start each boulder component with test configs (Ctrl-C kills all):

./start.py

Run tests:

./test.sh

Working with a client:

Check out the official Let's Encrypt client from https://github.com/letsencrypt/letsencrypt/ and follow the setup instructions there. Once you've got the client set up, you'll probably want to run it against your local Boulder. A number of command-line flags are needed to run the client against a local Boulder, and to run it without root access. The simplest way to run the client locally is to source a file that provides a letsencrypt alias carrying all those flags:

source ~/letsencrypt/tests/integration/_common.sh
letsencrypt_test certonly -a standalone -d example.com

Your local Boulder instance uses a fake DNS server that returns 127.0.0.1 for any query, so you can use any value for the -d flag.

Component Model

The CA is divided into the following main components:

  1. Web Front End
  2. Registration Authority
  3. Validation Authority
  4. Certificate Authority
  5. Storage Authority

This component model lets us separate the function of the CA by security context. The Web Front End and Validation Authority need access to the Internet, which puts them at greater risk of compromise. The Registration Authority can live without Internet connectivity, but still needs to talk to the Web Front End and Validation Authority. The Certificate Authority need only receive instructions from the Registration Authority.


client <--ACME--> WFE ---+
  .                      |
  .                      +--- RA --- CA
  .                      |
client <-checks->  VA ---+

Internally, the logic of the system is based around four types of objects: registrations, authorizations, challenges, and certificates, mapping directly to the resources of the same name in ACME.

Requests from ACME clients result in new objects and changes to objects. The Storage Authority maintains persistent copies of the current set of objects.

Objects are also passed from one component to another on change events. For example, when a client provides a successful response to a validation challenge, it results in a change to the corresponding validation object. The Validation Authority forwards the new validation object to the Storage Authority for storage, and to the Registration Authority for any updates to a related Authorization object.

Boulder uses AMQP as a message bus. For each component that you want to be remote, you instantiate a "client" and a "server" for that component. The client implements the component's Go interface, while the server holds the actual logic for the component. More details are in amqp-rpc.go.

The full details of how the various ACME operations happen in Boulder are laid out in DESIGN.md.
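As an added illustration of the two points above, the client/server split over the message bus and the change event in which the Validation Authority forwards a completed challenge to the Storage Authority and the Registration Authority then updates the related authorization, here is a self-contained Go sketch. It is not Boulder's code: the Bus type (an in-memory stand-in for AMQP and amqp-rpc.go), the SAServer and saClient names, the "UpdateAuthorization" method string, and the cut-down Authorization and Challenge structs are all this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for two of the ACME object types the README names.
type Challenge struct {
	Type   string `json:"type"`
	Status string `json:"status"` // "pending" or "valid"
}

type Authorization struct {
	ID         string      `json:"id"`
	Status     string      `json:"status"` // "pending" or "valid"
	Challenges []Challenge `json:"challenges"`
}

// StorageAuthority is the component's Go interface; the server and the client stub both satisfy it.
type StorageAuthority interface {
	UpdateAuthorization(a Authorization) error
}

// Bus is a hypothetical stand-in for AMQP: queue name to handler, with payloads as JSON bytes.
type Bus map[string]func(method string, body []byte) ([]byte, error)

func (b Bus) Call(queue, method string, body []byte) ([]byte, error) {
	h, ok := b[queue]
	if !ok {
		return nil, fmt.Errorf("no server listening on queue %q", queue)
	}
	return h(method, body)
}

// SAServer holds the actual logic and is the only thing that touches the store.
type SAServer struct{ Authz map[string]Authorization }

func (s *SAServer) UpdateAuthorization(a Authorization) error {
	s.Authz[a.ID] = a
	return nil
}

// Dispatch is the server side of the RPC: decode the request, then run the logic.
func (s *SAServer) Dispatch(method string, body []byte) ([]byte, error) {
	if method != "UpdateAuthorization" {
		return nil, fmt.Errorf("unknown method %q", method)
	}
	var a Authorization
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, err
	}
	return nil, s.UpdateAuthorization(a)
}

// saClient satisfies the same interface with no logic of its own: it serialises the call onto the bus.
type saClient struct{ bus Bus }

func (c *saClient) UpdateAuthorization(a Authorization) error {
	body, err := json.Marshal(a)
	if err != nil {
		return err
	}
	_, err = c.bus.Call("sa", "UpdateAuthorization", body)
	return err
}

// NewWiredSA registers a server on the bus and returns the client stub plus the server for inspection.
func NewWiredSA(bus Bus) (StorageAuthority, *SAServer) {
	srv := &SAServer{Authz: map[string]Authorization{}}
	bus["sa"] = srv.Dispatch
	return &saClient{bus: bus}, srv
}

// CompleteChallenge plays the change event the README describes: the VA marks the challenge
// valid and forwards the object to the SA, then the RA updates the related authorization.
// Both steps go through the interface, so this code never learns whether the SA is remote.
func CompleteChallenge(sa StorageAuthority, a Authorization, chalType string) (Authorization, error) {
	for i := range a.Challenges {
		if a.Challenges[i].Type != chalType {
			continue
		}
		a.Challenges[i].Status = "valid"
		if err := sa.UpdateAuthorization(a); err != nil { // VA -> SA
			return Authorization{}, err
		}
		a.Status = "valid"                   // the RA's update to the related authorization
		return a, sa.UpdateAuthorization(a) // RA -> SA
	}
	return Authorization{}, fmt.Errorf("authorization %q has no %s challenge", a.ID, chalType)
}

func main() {
	sa, _ := NewWiredSA(Bus{})
	a, err := CompleteChallenge(sa, Authorization{ID: "authz-1", Status: "pending", // constructed sample
		Challenges: []Challenge{{Type: "http-01", Status: "pending"}}}, "http-01")
	fmt.Println(a.Status, err)
}
```

The point to take from the sketch is that the only thing crossing the bus is bytes: the client stub has no access to the store, and the server accepts nothing it cannot decode into the object type it expects, which is what lets the components sit in different security contexts.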

Dependencies

All Go dependencies are vendored under the Godeps directory, to make dependency management easier.

Local development also requires a RabbitMQ installation and MariaDB 10 installation (see above). MariaDB should be run on port 3306 for the default integration tests.

To update the Go dependencies:

# Fetch godep
go get -u github.com/tools/godep
# Check out the currently vendorized version of each dependency.
godep restore
# Update to the latest version of a dependency. Alternately you can cd to the
# directory under GOPATH and check out a specific revision. Here's an example
# using cfssl:
go get -u github.com/cloudflare/cfssl/...
# Update the Godep config to the appropriate version.
godep update github.com/cloudflare/cfssl/...
# Save the dependencies, rewriting any internal or external dependencies that
# may have been added.
godep save -r ./...
git add Godeps
git commit

Directories

Path: Synopsis
Godeps
_workspace/src/github.com/cactus/go-statsd-client/statsd: Package statsd provides a StatsD client implementation that is safe for concurrent use by multiple goroutines and for efficiency can be created and reused.
_workspace/src/github.com/cloudflare/cfssl/auth: Package auth implements an interface for providing CFSSL authentication.
_workspace/src/github.com/cloudflare/cfssl/config: Package config contains the configuration logic for CFSSL.
_workspace/src/github.com/cloudflare/cfssl/crypto/pkcs7: Package pkcs7 implements the subset of the CMS PKCS #7 datatype that is typically used to package certificates and CRLs.
_workspace/src/github.com/cloudflare/cfssl/csr: Package csr implements certificate requests for CFSSL.
_workspace/src/github.com/cloudflare/cfssl/errors: Package errors provides error types returned in CF SSL.
_workspace/src/github.com/cloudflare/cfssl/helpers: Package helpers implements utility functionality common to many CFSSL packages.
_workspace/src/github.com/cloudflare/cfssl/helpers/derhelpers: Package derhelpers implements common functionality on DER encoded data.
_workspace/src/github.com/cloudflare/cfssl/info: Package info contains the definitions for the info endpoint.
_workspace/src/github.com/cloudflare/cfssl/log: Package log implements a wrapper around the Go standard library's logging package.
_workspace/src/github.com/cloudflare/cfssl/ocsp: Package ocsp exposes OCSP signing functionality, much like the signer package does for certificate signing.
_workspace/src/github.com/cloudflare/cfssl/ocsp/config: Package config in the ocsp directory provides configuration data for an OCSP signer.
_workspace/src/github.com/cloudflare/cfssl/signer: Package signer implements certificate signature functionality for CFSSL.
_workspace/src/github.com/cloudflare/cfssl/signer/local: Package local implements certificate signature functionality for CFSSL.
_workspace/src/github.com/codegangsta/cli: Package cli provides a minimal framework for creating and organizing command line Go applications.
_workspace/src/github.com/facebookgo/httpdown: Package httpdown provides http.ConnState enabled graceful termination of http.Server.
_workspace/src/github.com/facebookgo/stats: Package stats defines a lightweight interface for collecting statistics.
_workspace/src/github.com/go-sql-driver/mysql: Package mysql provides a MySQL driver for Go's database/sql package.
_workspace/src/github.com/golang/mock/gomock: GoMock - a mock framework for Go.
_workspace/src/github.com/golang/protobuf/proto: Package proto converts data structures to and from the wire format of protocol buffers.
_workspace/src/github.com/golang/protobuf/proto/proto3_proto: Package proto3_proto is a generated protocol buffer package.
_workspace/src/github.com/google/certificate-transparency/go/asn1: Package asn1 implements parsing of DER-encoded ASN.1 data structures, as defined in ITU-T Rec X.690.
_workspace/src/github.com/google/certificate-transparency/go/client: Package client is a CT log client implementation and contains types and code for interacting with RFC6962-compliant CT Log instances.
_workspace/src/github.com/google/certificate-transparency/go/x509: Package x509 parses X.509-encoded keys and certificates.
_workspace/src/github.com/google/certificate-transparency/go/x509/pkix: Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
_workspace/src/github.com/jmhodges/clock: Package clock provides an abstraction for system time that enables testing of time-sensitive code.
_workspace/src/github.com/letsencrypt/go-safe-browsing-api: Package safebrowsing is a generated protocol buffer package.
_workspace/src/github.com/letsencrypt/net/publicsuffix: Package publicsuffix provides a public suffix list based on data from http://publicsuffix.org/.
_workspace/src/github.com/letsencrypt/pkcs11key: Package pkcs11key implements crypto.Signer for PKCS #11 private keys.
_workspace/src/github.com/miekg/dns: Package dns implements a full featured interface to the Domain Name System.
_workspace/src/github.com/miekg/dns/idn: Package idn implements encoding from and to punycode as specified by RFC 3492.
_workspace/src/github.com/miekg/pkcs11: Package pkcs11 is a wrapper around the PKCS#11 cryptographic library.
_workspace/src/github.com/mreiferson/go-httpclient: Provides an HTTP Transport that implements the `RoundTripper` interface and can be used as a built in replacement for the standard library's, providing:
_workspace/src/github.com/square/go-jose: Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards.
_workspace/src/github.com/square/go-jose/json: Package json implements encoding and decoding of JSON objects as defined in RFC 4627.
_workspace/src/github.com/streadway/amqp: AMQP 0.9.1 client with RabbitMQ extensions.
_workspace/src/golang.org/x/crypto/ocsp: Package ocsp parses OCSP responses as specified in RFC 2560.
_workspace/src/golang.org/x/crypto/pkcs12: Package pkcs12 implements some of PKCS#12.
_workspace/src/golang.org/x/crypto/pkcs12/internal/rc2: Package rc2 implements the RC2 cipher.
_workspace/src/golang.org/x/net/context: Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes.
_workspace/src/golang.org/x/net/context/ctxhttp: Package ctxhttp provides helper functions for performing context-aware HTTP requests.
_workspace/src/gopkg.in/gorp.v1: Package gorp provides a simple way to marshal Go structs to and from SQL databases.
_workspace/src/gopkg.in/yaml.v2: Package yaml implements YAML support for the Go language.
cmd
Package reloader provides a method to load a file whenever it changes.
sa
ct-test-srv: This is a test server that implements the subset of RFC6962 APIs needed to run Boulder's CT log submission code.
