acme

package
v0.28.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 20, 2024 License: Apache-2.0 Imports: 45 Imported by: 21

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// InsecurePortHTTP01 is the port used to verify http-01 challenges. If not set it
	// defaults to 80.
	InsecurePortHTTP01 int

	// InsecurePortTLSALPN01 is the port used to verify tls-alpn-01 challenges. If not
	// set it defaults to 443.
	//
	// This variable can be used for testing purposes.
	InsecurePortTLSALPN01 int

	// StrictFQDN allows to enforce a fully qualified domain name in the DNS
	// resolution. By default it allows domain resolution using a search list
	// defined in the resolv.conf or similar configuration.
	StrictFQDN bool
)
View Source
var (
	// StatusValid -- valid
	StatusValid = Status("valid")
	// StatusInvalid -- invalid
	StatusInvalid = Status("invalid")
	// StatusPending -- pending; e.g. an Order that is not ready to be finalized.
	StatusPending = Status("pending")
	// StatusDeactivated -- deactivated; e.g. for an Account that is not longer valid.
	StatusDeactivated = Status("deactivated")
	// StatusReady -- ready; e.g. for an Order that is ready to be finalized.
	StatusReady = Status("ready")
)
View Source
var ErrNotFound = errors.New("not found")

ErrNotFound is an error that should be used by the acme.DB interface to indicate that an entity does not exist. For example, in the new-account endpoint, if GetAccountByKeyID returns ErrNotFound we will create the new account.

Functions

func DefaultPrerequisitesChecker added in v0.20.0

func DefaultPrerequisitesChecker(context.Context) (bool, error)

DefaultPrerequisitesChecker is the default PrerequisiteChecker and returns always true.

func GetUnescapedPathSuffix added in v0.20.0

func GetUnescapedPathSuffix(typ LinkType, provisionerName string, inputs ...string) string

func IsErrNotFound added in v0.25.0

func IsErrNotFound(err error) bool

IsErrNotFound returns true if the error is a "not found" error. Returns false otherwise.

func KeyAuthorization

func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error)

KeyAuthorization creates the ACME key authorization value from a token and a jwk.

func KeyToID added in v0.15.12

func KeyToID(jwk *jose.JSONWebKey) (string, error)

KeyToID converts a JWK to a thumbprint.

func NewClientContext added in v0.20.0

func NewClientContext(ctx context.Context, c Client) context.Context

NewClientContext adds the given client to the context.

func NewContext added in v0.20.0

func NewContext(ctx context.Context, db DB, client Client, linker Linker, fn PrerequisitesChecker) context.Context

NewContext adds the given acme components to the context.

func NewDatabaseContext added in v0.20.0

func NewDatabaseContext(ctx context.Context, db DB) context.Context

NewDatabaseContext adds the given acme database to the context.

func NewLinkerContext added in v0.20.0

func NewLinkerContext(ctx context.Context, v Linker) context.Context

NewLinkerContext adds the given linker to the context.

func NewPrerequisitesCheckerContext added in v0.20.0

func NewPrerequisitesCheckerContext(ctx context.Context, fn PrerequisitesChecker) context.Context

NewPrerequisitesCheckerContext adds the given PrerequisitesChecker to the context.

func NewProvisionerContext added in v0.20.0

func NewProvisionerContext(ctx context.Context, v Provisioner) context.Context

NewProvisionerContext adds the given provisioner to the context.

Types

type Account

type Account struct {
	ID                     string           `json:"-"`
	Key                    *jose.JSONWebKey `json:"-"`
	Contact                []string         `json:"contact,omitempty"`
	Status                 Status           `json:"status"`
	OrdersURL              string           `json:"orders"`
	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
	LocationPrefix         string           `json:"-"`
	ProvisionerID          string           `json:"-"`
	ProvisionerName        string           `json:"-"`
}

Account is a subset of the internal account type containing only those attributes required for responses in the ACME protocol.

func (*Account) GetLocation added in v0.25.0

func (a *Account) GetLocation() string

GetLocation returns the URL location of the given account.

func (*Account) IsValid

func (a *Account) IsValid() bool

IsValid returns true if the Account is valid.

func (*Account) ToLog

func (a *Account) ToLog() (interface{}, error)

ToLog enables response logging.

type Authorization added in v0.15.12

type Authorization struct {
	ID          string       `json:"-"`
	AccountID   string       `json:"-"`
	Token       string       `json:"-"`
	Fingerprint string       `json:"-"`
	Identifier  Identifier   `json:"identifier"`
	Status      Status       `json:"status"`
	Challenges  []*Challenge `json:"challenges"`
	Wildcard    bool         `json:"wildcard"`
	ExpiresAt   time.Time    `json:"expires"`
	Error       *Error       `json:"error,omitempty"`
}

Authorization representst an ACME Authorization.

func (*Authorization) ToLog added in v0.15.12

func (az *Authorization) ToLog() (interface{}, error)

ToLog enables response logging.

func (*Authorization) UpdateStatus added in v0.15.12

func (az *Authorization) UpdateStatus(ctx context.Context, db DB) error

UpdateStatus updates the ACME Authorization Status if necessary. Changes to the Authorization are saved using the database interface.

type Certificate added in v0.15.12

type Certificate struct {
	ID            string
	AccountID     string
	OrderID       string
	Leaf          *x509.Certificate
	Intermediates []*x509.Certificate
}

Certificate options with which to create and store a cert object.

type CertificateAuthority added in v0.15.12

type CertificateAuthority interface {
	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	AreSANsAllowed(ctx context.Context, sans []string) error
	IsRevoked(sn string) (bool, error)
	Revoke(context.Context, *authority.RevokeOptions) error
	LoadProvisionerByName(string) (provisioner.Interface, error)
}

CertificateAuthority is the interface implemented by a CA authority.

type Challenge

type Challenge struct {
	ID              string        `json:"-"`
	AccountID       string        `json:"-"`
	AuthorizationID string        `json:"-"`
	Value           string        `json:"-"`
	Type            ChallengeType `json:"type"`
	Status          Status        `json:"status"`
	Token           string        `json:"token"`
	ValidatedAt     string        `json:"validated,omitempty"`
	URL             string        `json:"url"`
	Target          string        `json:"target,omitempty"`
	Error           *Error        `json:"error,omitempty"`
}

Challenge represents an ACME response Challenge type.

func (*Challenge) ToLog

func (ch *Challenge) ToLog() (interface{}, error)

ToLog enables response logging.

func (*Challenge) Validate added in v0.15.12

func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, payload []byte) error

Validate attempts to validate the Challenge. Stores changes to the Challenge type using the DB interface. If the Challenge is validated, the 'status' and 'validated' attributes are updated.

type ChallengeType added in v0.16.0

type ChallengeType string
const (
	// HTTP01 is the http-01 ACME challenge type
	HTTP01 ChallengeType = "http-01"
	// DNS01 is the dns-01 ACME challenge type
	DNS01 ChallengeType = "dns-01"
	// TLSALPN01 is the tls-alpn-01 ACME challenge type
	TLSALPN01 ChallengeType = "tls-alpn-01"
	// DEVICEATTEST01 is the device-attest-01 ACME challenge type
	DEVICEATTEST01 ChallengeType = "device-attest-01"
	// WIREOIDC01 is the Wire OIDC challenge type
	WIREOIDC01 ChallengeType = "wire-oidc-01"
	// WIREDPOP01 is the Wire DPoP challenge type
	WIREDPOP01 ChallengeType = "wire-dpop-01"
)

type Client added in v0.20.0

type Client interface {
	// Get issues an HTTP GET to the specified URL.
	Get(url string) (*http.Response, error)

	// LookupTXT returns the DNS TXT records for the given domain name.
	LookupTxt(name string) ([]string, error)

	// TLSDial connects to the given network address using net.Dialer and then
	// initiates a TLS handshake, returning the resulting TLS connection.
	TLSDial(network, addr string, config *tls.Config) (*tls.Conn, error)
}

Client is the interface used to verify ACME challenges.

func ClientFromContext added in v0.20.0

func ClientFromContext(ctx context.Context) (c Client, ok bool)

ClientFromContext returns the current client from the given context.

func MustClientFromContext added in v0.20.0

func MustClientFromContext(ctx context.Context) Client

MustClientFromContext returns the current client from the given context. It will return a new instance of the client if it does not exist.

func NewClient added in v0.20.0

func NewClient() Client

NewClient returns an implementation of Client for verifying ACME challenges.

type Clock

type Clock struct{}

Clock that returns time in UTC rounded to seconds.

func (*Clock) Now

func (c *Clock) Now() time.Time

Now returns the UTC time rounded to seconds.

type DB added in v0.15.12

type DB interface {
	CreateAccount(ctx context.Context, acc *Account) error
	GetAccount(ctx context.Context, id string) (*Account, error)
	GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)
	UpdateAccount(ctx context.Context, acc *Account) error

	CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
	GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
	GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
	DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error
	UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error

	CreateNonce(ctx context.Context) (Nonce, error)
	DeleteNonce(ctx context.Context, nonce Nonce) error

	CreateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorization(ctx context.Context, id string) (*Authorization, error)
	UpdateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)

	CreateCertificate(ctx context.Context, cert *Certificate) error
	GetCertificate(ctx context.Context, id string) (*Certificate, error)
	GetCertificateBySerial(ctx context.Context, serial string) (*Certificate, error)

	CreateChallenge(ctx context.Context, ch *Challenge) error
	GetChallenge(ctx context.Context, id, authzID string) (*Challenge, error)
	UpdateChallenge(ctx context.Context, ch *Challenge) error

	CreateOrder(ctx context.Context, o *Order) error
	GetOrder(ctx context.Context, id string) (*Order, error)
	GetOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
	UpdateOrder(ctx context.Context, o *Order) error
}

DB is the DB interface expected by the step-ca ACME API.

func DatabaseFromContext added in v0.20.0

func DatabaseFromContext(ctx context.Context) (db DB, ok bool)

DatabaseFromContext returns the current acme database from the given context.

func MustDatabaseFromContext added in v0.20.0

func MustDatabaseFromContext(ctx context.Context) DB

MustDatabaseFromContext returns the current database from the given context. It will panic if it's not in the context.

type Error

type Error struct {
	Type        string       `json:"type"`
	Detail      string       `json:"detail"`
	Subproblems []Subproblem `json:"subproblems,omitempty"`
	Err         error        `json:"-"`
	Status      int          `json:"-"`
}

Error represents an ACME Error

func NewDetailedError added in v0.25.0

func NewDetailedError(pt ProblemType, msg string, args ...any) *Error

NewDetailedError creates a new Error that includes the error message in the details, providing more information to the ACME client.

func NewError added in v0.15.12

func NewError(pt ProblemType, msg string, args ...any) *Error

NewError creates a new Error.

func NewErrorISE added in v0.15.12

func NewErrorISE(msg string, args ...any) *Error

NewErrorISE creates a new ErrorServerInternalType Error.

func WrapDetailedError added in v0.25.0

func WrapDetailedError(typ ProblemType, err error, msg string, args ...any) *Error

func WrapError added in v0.15.12

func WrapError(typ ProblemType, err error, msg string, args ...any) *Error

WrapError attempts to wrap the internal error.

func WrapErrorISE added in v0.15.12

func WrapErrorISE(err error, msg string, args ...any) *Error

WrapErrorISE shortcut to wrap an internal server error type.

func (*Error) AddSubproblems added in v0.23.2

func (e *Error) AddSubproblems(subproblems ...Subproblem) *Error

AddSubproblems adds the Subproblems to Error. It returns the Error, allowing for fluent addition.

func (*Error) Cause

func (e *Error) Cause() error

Cause returns the internal error and implements the Causer interface.

func (*Error) Error

func (e *Error) Error() string

Error implements the error interface.

func (*Error) Render added in v0.19.0

func (e *Error) Render(w http.ResponseWriter, r *http.Request)

Render implements render.RenderableError for Error.

func (*Error) StatusCode

func (e *Error) StatusCode() int

StatusCode returns the status code and implements the StatusCoder interface.

func (*Error) ToLog added in v0.15.12

func (e *Error) ToLog() (any, error)

ToLog implements the EnableLogger interface.

type ExternalAccountKey added in v0.18.1

type ExternalAccountKey struct {
	ID            string    `json:"id"`
	ProvisionerID string    `json:"provisionerID"`
	Reference     string    `json:"reference"`
	AccountID     string    `json:"-"`
	HmacKey       []byte    `json:"-"`
	CreatedAt     time.Time `json:"createdAt"`
	BoundAt       time.Time `json:"boundAt,omitempty"`
	Policy        *Policy   `json:"policy,omitempty"`
}

ExternalAccountKey is an ACME External Account Binding key.

func (*ExternalAccountKey) AlreadyBound added in v0.18.1

func (eak *ExternalAccountKey) AlreadyBound() bool

AlreadyBound returns whether this EAK is already bound to an ACME Account or not.

func (*ExternalAccountKey) BindTo added in v0.18.1

func (eak *ExternalAccountKey) BindTo(account *Account) error

BindTo binds the EAK to an Account. It returns an error if it's already bound.

type Identifier

type Identifier struct {
	Type  IdentifierType `json:"type"`
	Value string         `json:"value"`
}

Identifier encodes the type that an order pertains to.

type IdentifierType added in v0.16.0

type IdentifierType string
const (
	// IP is the ACME ip identifier type
	IP IdentifierType = "ip"
	// DNS is the ACME dns identifier type
	DNS IdentifierType = "dns"
	// PermanentIdentifier is the ACME permanent-identifier identifier type
	// defined in https://datatracker.ietf.org/doc/html/draft-bweeks-acme-device-attest-00
	PermanentIdentifier IdentifierType = "permanent-identifier"
	// WireUser is the Wire user identifier type
	WireUser IdentifierType = "wireapp-user"
	// WireDevice is the Wire device identifier type
	WireDevice IdentifierType = "wireapp-device"
)

type LinkType added in v0.20.0

type LinkType int

LinkType captures the link type.

const (
	// NewNonceLinkType new-nonce
	NewNonceLinkType LinkType = iota
	// NewAccountLinkType new-account
	NewAccountLinkType
	// AccountLinkType account
	AccountLinkType
	// OrderLinkType order
	OrderLinkType
	// NewOrderLinkType new-order
	NewOrderLinkType
	// OrdersByAccountLinkType list of orders owned by account
	OrdersByAccountLinkType
	// FinalizeLinkType finalize order
	FinalizeLinkType
	// NewAuthzLinkType authz
	NewAuthzLinkType
	// AuthzLinkType new-authz
	AuthzLinkType
	// ChallengeLinkType challenge
	ChallengeLinkType
	// CertificateLinkType certificate
	CertificateLinkType
	// DirectoryLinkType directory
	DirectoryLinkType
	// RevokeCertLinkType revoke certificate
	RevokeCertLinkType
	// KeyChangeLinkType key rollover
	KeyChangeLinkType
)

func (LinkType) String added in v0.20.0

func (l LinkType) String() string

type Linker added in v0.20.0

type Linker interface {
	GetLink(ctx context.Context, typ LinkType, inputs ...string) string
	Middleware(http.Handler) http.Handler
	LinkOrder(ctx context.Context, o *Order)
	LinkAccount(ctx context.Context, o *Account)
	LinkChallenge(ctx context.Context, o *Challenge, azID string)
	LinkAuthorization(ctx context.Context, o *Authorization)
	LinkOrdersByAccountID(ctx context.Context, orders []string)
}

Linker interface for generating links for ACME resources.

func LinkerFromContext added in v0.20.0

func LinkerFromContext(ctx context.Context) (v Linker, ok bool)

LinkerFromContext returns the current linker from the given context.

func MustLinkerFromContext added in v0.20.0

func MustLinkerFromContext(ctx context.Context) Linker

MustLinkerFromContext returns the current linker from the given context. It will panic if it's not in the context.

func NewLinker added in v0.20.0

func NewLinker(dns, prefix string) Linker

NewLinker returns a new Directory type.

type MockDB added in v0.15.12

type MockDB struct {
	MockCreateAccount     func(ctx context.Context, acc *Account) error
	MockGetAccount        func(ctx context.Context, id string) (*Account, error)
	MockGetAccountByKeyID func(ctx context.Context, kid string) (*Account, error)
	MockUpdateAccount     func(ctx context.Context, acc *Account) error

	MockCreateExternalAccountKey         func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	MockGetExternalAccountKey            func(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
	MockGetExternalAccountKeys           func(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
	MockGetExternalAccountKeyByReference func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	MockGetExternalAccountKeyByAccountID func(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
	MockDeleteExternalAccountKey         func(ctx context.Context, provisionerID, keyID string) error
	MockUpdateExternalAccountKey         func(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error

	MockCreateNonce func(ctx context.Context) (Nonce, error)
	MockDeleteNonce func(ctx context.Context, nonce Nonce) error

	MockCreateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorization             func(ctx context.Context, id string) (*Authorization, error)
	MockUpdateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorizationsByAccountID func(ctx context.Context, accountID string) ([]*Authorization, error)

	MockCreateCertificate      func(ctx context.Context, cert *Certificate) error
	MockGetCertificate         func(ctx context.Context, id string) (*Certificate, error)
	MockGetCertificateBySerial func(ctx context.Context, serial string) (*Certificate, error)

	MockCreateChallenge func(ctx context.Context, ch *Challenge) error
	MockGetChallenge    func(ctx context.Context, id, authzID string) (*Challenge, error)
	MockUpdateChallenge func(ctx context.Context, ch *Challenge) error

	MockCreateOrder          func(ctx context.Context, o *Order) error
	MockGetOrder             func(ctx context.Context, id string) (*Order, error)
	MockGetOrdersByAccountID func(ctx context.Context, accountID string) ([]string, error)
	MockUpdateOrder          func(ctx context.Context, o *Order) error

	MockRet1  interface{}
	MockError error
}

MockDB is an implementation of the DB interface that should only be used as a mock in tests.

func (*MockDB) CreateAccount added in v0.15.12

func (m *MockDB) CreateAccount(ctx context.Context, acc *Account) error

CreateAccount mock.

func (*MockDB) CreateAuthorization added in v0.15.12

func (m *MockDB) CreateAuthorization(ctx context.Context, az *Authorization) error

CreateAuthorization mock

func (*MockDB) CreateCertificate added in v0.15.12

func (m *MockDB) CreateCertificate(ctx context.Context, cert *Certificate) error

CreateCertificate mock

func (*MockDB) CreateChallenge added in v0.15.12

func (m *MockDB) CreateChallenge(ctx context.Context, ch *Challenge) error

CreateChallenge mock

func (*MockDB) CreateExternalAccountKey added in v0.18.1

func (m *MockDB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)

CreateExternalAccountKey mock

func (*MockDB) CreateNonce added in v0.15.12

func (m *MockDB) CreateNonce(ctx context.Context) (Nonce, error)

CreateNonce mock

func (*MockDB) CreateOrder added in v0.15.12

func (m *MockDB) CreateOrder(ctx context.Context, o *Order) error

CreateOrder mock

func (*MockDB) DeleteExternalAccountKey added in v0.18.1

func (m *MockDB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error

DeleteExternalAccountKey mock

func (*MockDB) DeleteNonce added in v0.15.12

func (m *MockDB) DeleteNonce(ctx context.Context, nonce Nonce) error

DeleteNonce mock

func (*MockDB) GetAccount added in v0.15.12

func (m *MockDB) GetAccount(ctx context.Context, id string) (*Account, error)

GetAccount mock.

func (*MockDB) GetAccountByKeyID added in v0.15.12

func (m *MockDB) GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)

GetAccountByKeyID mock

func (*MockDB) GetAuthorization added in v0.15.12

func (m *MockDB) GetAuthorization(ctx context.Context, id string) (*Authorization, error)

GetAuthorization mock

func (*MockDB) GetAuthorizationsByAccountID added in v0.18.1

func (m *MockDB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)

GetAuthorizationsByAccountID mock

func (*MockDB) GetCertificate added in v0.15.12

func (m *MockDB) GetCertificate(ctx context.Context, id string) (*Certificate, error)

GetCertificate mock

func (*MockDB) GetCertificateBySerial added in v0.18.1

func (m *MockDB) GetCertificateBySerial(ctx context.Context, serial string) (*Certificate, error)

GetCertificateBySerial mock

func (*MockDB) GetChallenge added in v0.15.12

func (m *MockDB) GetChallenge(ctx context.Context, chID, azID string) (*Challenge, error)

GetChallenge mock

func (*MockDB) GetExternalAccountKey added in v0.18.1

func (m *MockDB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)

GetExternalAccountKey mock

func (*MockDB) GetExternalAccountKeyByAccountID added in v0.20.0

func (m *MockDB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)

GetExternalAccountKeyByAccountID mock

func (*MockDB) GetExternalAccountKeyByReference added in v0.18.1

func (m *MockDB) GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)

GetExternalAccountKeyByReference mock

func (*MockDB) GetExternalAccountKeys added in v0.18.1

func (m *MockDB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)

GetExternalAccountKeys mock

func (*MockDB) GetOrder added in v0.15.12

func (m *MockDB) GetOrder(ctx context.Context, id string) (*Order, error)

GetOrder mock

func (*MockDB) GetOrdersByAccountID added in v0.15.12

func (m *MockDB) GetOrdersByAccountID(ctx context.Context, accID string) ([]string, error)

GetOrdersByAccountID mock

func (*MockDB) UpdateAccount added in v0.15.12

func (m *MockDB) UpdateAccount(ctx context.Context, acc *Account) error

UpdateAccount mock

func (*MockDB) UpdateAuthorization added in v0.15.12

func (m *MockDB) UpdateAuthorization(ctx context.Context, az *Authorization) error

UpdateAuthorization mock

func (*MockDB) UpdateChallenge added in v0.15.12

func (m *MockDB) UpdateChallenge(ctx context.Context, ch *Challenge) error

UpdateChallenge mock

func (*MockDB) UpdateExternalAccountKey added in v0.18.1

func (m *MockDB) UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error

UpdateExternalAccountKey mock

func (*MockDB) UpdateOrder added in v0.15.12

func (m *MockDB) UpdateOrder(ctx context.Context, o *Order) error

UpdateOrder mock

type MockProvisioner added in v0.14.5

type MockProvisioner struct {
	Mret1                     interface{}
	Merr                      error
	MgetID                    func() string
	MgetName                  func() string
	MauthorizeOrderIdentifier func(ctx context.Context, identifier provisioner.ACMEIdentifier) error
	MauthorizeSign            func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
	MauthorizeRevoke          func(ctx context.Context, token string) error
	MisChallengeEnabled       func(ctx context.Context, challenge provisioner.ACMEChallenge) bool
	MisAttFormatEnabled       func(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
	MgetAttestationRoots      func() (*x509.CertPool, bool)
	MdefaultTLSCertDuration   func() time.Duration
	MgetOptions               func() *provisioner.Options
}

MockProvisioner for testing

func (*MockProvisioner) AuthorizeOrderIdentifier added in v0.20.0

func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error

AuthorizeOrderIdentifier mock

func (*MockProvisioner) AuthorizeRevoke added in v0.18.1

func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke mock

func (*MockProvisioner) AuthorizeSign added in v0.14.5

func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error)

AuthorizeSign mock

func (*MockProvisioner) DefaultTLSCertDuration added in v0.14.5

func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration mock

func (*MockProvisioner) GetAttestationRoots added in v0.23.0

func (m *MockProvisioner) GetAttestationRoots() (*x509.CertPool, bool)

func (*MockProvisioner) GetID added in v0.15.12

func (m *MockProvisioner) GetID() string

GetID mock

func (*MockProvisioner) GetName added in v0.14.5

func (m *MockProvisioner) GetName() string

GetName mock

func (*MockProvisioner) GetOptions added in v0.15.0

func (m *MockProvisioner) GetOptions() *provisioner.Options

GetOptions mock

func (*MockProvisioner) IsAttestationFormatEnabled added in v0.23.0

func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool

IsAttestationFormatEnabled mock

func (*MockProvisioner) IsChallengeEnabled added in v0.23.0

func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool

IsChallengeEnabled mock

type MockWireDB added in v0.27.3

type MockWireDB struct {
	MockDB
	MockGetAllOrdersByAccountID func(ctx context.Context, accountID string) ([]string, error)
	MockGetDpopToken            func(ctx context.Context, orderID string) (map[string]interface{}, error)
	MockCreateDpopToken         func(ctx context.Context, orderID string, dpop map[string]interface{}) error
	MockGetOidcToken            func(ctx context.Context, orderID string) (map[string]interface{}, error)
	MockCreateOidcToken         func(ctx context.Context, orderID string, idToken map[string]interface{}) error
}

MockWireDB is an implementation of the WireDB interface that should only be used as a mock in tests. It embeds the MockDB, as it is an extension of the existing database methods.

func (*MockWireDB) CreateDpopToken added in v0.27.3

func (m *MockWireDB) CreateDpopToken(ctx context.Context, orderID string, dpop map[string]any) error

CreateDpop creates DPoP resources and saves them to the DB.

func (*MockWireDB) CreateOidcToken added in v0.27.3

func (m *MockWireDB) CreateOidcToken(ctx context.Context, orderID string, idToken map[string]any) error

CreateOidcToken creates oidc token resources and saves them to the DB.

func (*MockWireDB) GetAllOrdersByAccountID added in v0.27.3

func (m *MockWireDB) GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)

GetAllOrdersByAccountID returns a list of any order IDs owned by the account.

func (*MockWireDB) GetDpopToken added in v0.27.3

func (m *MockWireDB) GetDpopToken(ctx context.Context, orderID string) (map[string]any, error)

GetDpop retrieves a DPoP from the database.

func (*MockWireDB) GetOidcToken added in v0.27.3

func (m *MockWireDB) GetOidcToken(ctx context.Context, orderID string) (map[string]any, error)

GetOidcToken retrieves an oidc token from the database.

type Nonce added in v0.15.12

type Nonce string

Nonce represents an ACME nonce type.

func (Nonce) String added in v0.15.12

func (n Nonce) String() string

String implements the ToString interface.

type Order

type Order struct {
	ID                string       `json:"id"`
	AccountID         string       `json:"-"`
	ProvisionerID     string       `json:"-"`
	Status            Status       `json:"status"`
	ExpiresAt         time.Time    `json:"expires"`
	Identifiers       []Identifier `json:"identifiers"`
	NotBefore         time.Time    `json:"notBefore"`
	NotAfter          time.Time    `json:"notAfter"`
	Error             *Error       `json:"error,omitempty"`
	AuthorizationIDs  []string     `json:"-"`
	AuthorizationURLs []string     `json:"authorizations"`
	FinalizeURL       string       `json:"finalize"`
	CertificateID     string       `json:"-"`
	CertificateURL    string       `json:"certificate,omitempty"`
}

Order contains order metadata for the ACME protocol order type.

func (*Order) Finalize

func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error

Finalize signs a certificate if the necessary conditions for Order completion have been met.

TODO(mariano): Here or in the challenge validation we should perform some external validation using the identifier value and the attestation data. From a validation service we can get the list of SANs to set in the final certificate.

func (*Order) ToLog

func (o *Order) ToLog() (interface{}, error)

ToLog enables response logging.

func (*Order) UpdateStatus added in v0.15.12

func (o *Order) UpdateStatus(ctx context.Context, db DB) error

UpdateStatus updates the ACME Order Status if necessary. Changes to the order are saved using the database interface.

type Policy added in v0.20.0

type Policy struct {
	X509 X509Policy `json:"x509"`
}

Policy is an ACME Account level policy

func (*Policy) AreWildcardNamesAllowed added in v0.20.0

func (p *Policy) AreWildcardNamesAllowed() bool

AreWildcardNamesAllowed returns if wildcard names like *.example.com are allowed to be signed. Defaults to false.

func (*Policy) GetAllowedNameOptions added in v0.20.0

func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions

func (*Policy) GetDeniedNameOptions added in v0.20.0

func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions

type PolicyNames added in v0.20.0

type PolicyNames struct {
	DNSNames []string `json:"dns"`
	IPRanges []string `json:"ips"`
}

PolicyNames contains ACME account level policy names

type PrerequisitesChecker added in v0.20.0

type PrerequisitesChecker func(ctx context.Context) (bool, error)

PrerequisitesChecker is a function that checks if all prerequisites for serving ACME are met by the CA configuration.

func PrerequisitesCheckerFromContext added in v0.20.0

func PrerequisitesCheckerFromContext(ctx context.Context) (PrerequisitesChecker, bool)

PrerequisitesCheckerFromContext returns the PrerequisitesChecker in the context.

type ProblemType added in v0.15.12

type ProblemType int

ProblemType is the type of the ACME problem.

const (
	// ErrorAccountDoesNotExistType request specified an account that does not exist
	ErrorAccountDoesNotExistType ProblemType = iota
	// ErrorAlreadyRevokedType request specified a certificate to be revoked that has already been revoked
	ErrorAlreadyRevokedType
	// ErrorBadAttestationStatementType WebAuthn attestation statement could not be verified
	ErrorBadAttestationStatementType
	// ErrorBadCSRType CSR is unacceptable (e.g., due to a short key)
	ErrorBadCSRType
	// ErrorBadNonceType client sent an unacceptable anti-replay nonce
	ErrorBadNonceType
	// ErrorBadPublicKeyType JWS was signed by a public key the server does not support
	ErrorBadPublicKeyType
	// ErrorBadRevocationReasonType revocation reason provided is not allowed by the server
	ErrorBadRevocationReasonType
	// ErrorBadSignatureAlgorithmType JWS was signed with an algorithm the server does not support
	ErrorBadSignatureAlgorithmType
	// ErrorCaaType Authority Authorization (CAA) records forbid the CA from issuing a certificate
	ErrorCaaType
	// ErrorCompoundType error conditions are indicated in the “subproblems” array.
	ErrorCompoundType
	// ErrorConnectionType server could not connect to validation target
	ErrorConnectionType
	// ErrorDNSType was a problem with a DNS query during identifier validation
	ErrorDNSType
	// ErrorExternalAccountRequiredType request must include a value for the “externalAccountBinding” field
	ErrorExternalAccountRequiredType
	// ErrorIncorrectResponseType received didn’t match the challenge’s requirements
	ErrorIncorrectResponseType
	// ErrorInvalidContactType URL for an account was invalid
	ErrorInvalidContactType
	// ErrorMalformedType request message was malformed
	ErrorMalformedType
	// ErrorOrderNotReadyType request attempted to finalize an order that is not ready to be finalized
	ErrorOrderNotReadyType
	// ErrorRateLimitedType request exceeds a rate limit
	ErrorRateLimitedType
	// ErrorRejectedIdentifierType server will not issue certificates for the identifier
	ErrorRejectedIdentifierType
	// ErrorServerInternalType server experienced an internal error
	ErrorServerInternalType
	// ErrorTLSType server received a TLS error during validation
	ErrorTLSType
	// ErrorUnauthorizedType client lacks sufficient authorization
	ErrorUnauthorizedType
	// ErrorUnsupportedContactType URL for an account used an unsupported protocol scheme
	ErrorUnsupportedContactType
	// ErrorUnsupportedIdentifierType identifier is of an unsupported type
	ErrorUnsupportedIdentifierType
	// ErrorUserActionRequiredType the “instance” URL and take actions specified there
	ErrorUserActionRequiredType
	// ErrorNotImplementedType operation is not implemented
	ErrorNotImplementedType
)

func (ProblemType) String added in v0.15.12

func (ap ProblemType) String() string

String returns the string representation of the acme problem type, fulfilling the Stringer interface.

type Provisioner added in v0.14.5

type Provisioner interface {
	AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
	AuthorizeRevoke(ctx context.Context, token string) error
	IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
	IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
	GetAttestationRoots() (*x509.CertPool, bool)
	GetID() string
	GetName() string
	DefaultTLSCertDuration() time.Duration
	GetOptions() *provisioner.Options
}

Provisioner is an interface that implements a subset of the provisioner.Interface -- only those methods required by the ACME api/authority.

func MustProvisionerFromContext added in v0.20.0

func MustProvisionerFromContext(ctx context.Context) Provisioner

MustProvisionerFromContext returns the current provisioner from the given context. It will panic if it's not in the context.

func ProvisionerFromContext added in v0.14.5

func ProvisionerFromContext(ctx context.Context) (v Provisioner, ok bool)

ProvisionerFromContext returns the current provisioner from the given context.

type Status added in v0.15.12

type Status string

Status represents an ACME status.

type Subproblem added in v0.23.2

type Subproblem struct {
	Type   string `json:"type"`
	Detail string `json:"detail"`
	// The "identifier" field MUST NOT be present at the top level in ACME
	// problem documents.  It can only be present in subproblems.
	// Subproblems need not all have the same type, and they do not need to
	// match the top level type.
	Identifier *Identifier `json:"identifier,omitempty"`
}

Subproblem represents an ACME subproblem. It's fairly similar to an ACME error, but differs in that it can't include subproblems itself, the error is reflected in the Detail property and doesn't have a Status.

func NewSubproblem added in v0.23.2

func NewSubproblem(pt ProblemType, msg string, args ...any) Subproblem

NewSubproblem creates a new Subproblem. The msg and args are used to create a new error, which is set as the Detail, allowing for more detailed error messages to be returned to the ACME client.

func NewSubproblemWithIdentifier added in v0.23.2

func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...any) Subproblem

NewSubproblemWithIdentifier creates a new Subproblem with a specific ACME Identifier. It calls NewSubproblem and sets the Identifier.

type WireDB added in v0.27.3

type WireDB interface {
	DB
	GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
	CreateDpopToken(ctx context.Context, orderID string, dpop map[string]interface{}) error
	GetDpopToken(ctx context.Context, orderID string) (map[string]interface{}, error)
	CreateOidcToken(ctx context.Context, orderID string, idToken map[string]interface{}) error
	GetOidcToken(ctx context.Context, orderID string) (map[string]interface{}, error)
}

WireDB is the interface used for operations on ACME Orders for Wire identifiers. This is not a general purpose interface, and it should only be used when Wire identifiers are enabled in the CA configuration. Currently it provides a runtime assertion only; not at compile time.

type X509Policy added in v0.20.0

type X509Policy struct {
	Allowed            PolicyNames `json:"allow"`
	Denied             PolicyNames `json:"deny"`
	AllowWildcardNames bool        `json:"allowWildcardNames"`
}

X509Policy contains ACME account level X.509 policy

Directories

Path Synopsis
db

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL