Documentation ¶
Index ¶
- Variables
- func DefaultPrerequisitesChecker(context.Context) (bool, error)
- func GetUnescapedPathSuffix(typ LinkType, provisionerName string, inputs ...string) string
- func IsErrNotFound(err error) bool
- func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error)
- func KeyToID(jwk *jose.JSONWebKey) (string, error)
- func NewClientContext(ctx context.Context, c Client) context.Context
- func NewContext(ctx context.Context, db DB, client Client, linker Linker, ...) context.Context
- func NewDatabaseContext(ctx context.Context, db DB) context.Context
- func NewLinkerContext(ctx context.Context, v Linker) context.Context
- func NewPrerequisitesCheckerContext(ctx context.Context, fn PrerequisitesChecker) context.Context
- func NewProvisionerContext(ctx context.Context, v Provisioner) context.Context
- type Account
- type Authorization
- type Certificate
- type CertificateAuthority
- type Challenge
- type ChallengeType
- type Client
- type Clock
- type DB
- type Error
- func NewDetailedError(pt ProblemType, msg string, args ...any) *Error
- func NewError(pt ProblemType, msg string, args ...any) *Error
- func NewErrorISE(msg string, args ...any) *Error
- func WrapDetailedError(typ ProblemType, err error, msg string, args ...any) *Error
- func WrapError(typ ProblemType, err error, msg string, args ...any) *Error
- func WrapErrorISE(err error, msg string, args ...any) *Error
- type ExternalAccountKey
- type Identifier
- type IdentifierType
- type LinkType
- type Linker
- type MockDB
- func (m *MockDB) CreateAccount(ctx context.Context, acc *Account) error
- func (m *MockDB) CreateAuthorization(ctx context.Context, az *Authorization) error
- func (m *MockDB) CreateCertificate(ctx context.Context, cert *Certificate) error
- func (m *MockDB) CreateChallenge(ctx context.Context, ch *Challenge) error
- func (m *MockDB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
- func (m *MockDB) CreateNonce(ctx context.Context) (Nonce, error)
- func (m *MockDB) CreateOrder(ctx context.Context, o *Order) error
- func (m *MockDB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error
- func (m *MockDB) DeleteNonce(ctx context.Context, nonce Nonce) error
- func (m *MockDB) GetAccount(ctx context.Context, id string) (*Account, error)
- func (m *MockDB) GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)
- func (m *MockDB) GetAuthorization(ctx context.Context, id string) (*Authorization, error)
- func (m *MockDB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)
- func (m *MockDB) GetCertificate(ctx context.Context, id string) (*Certificate, error)
- func (m *MockDB) GetCertificateBySerial(ctx context.Context, serial string) (*Certificate, error)
- func (m *MockDB) GetChallenge(ctx context.Context, chID, azID string) (*Challenge, error)
- func (m *MockDB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
- func (m *MockDB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
- func (m *MockDB) GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
- func (m *MockDB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
- func (m *MockDB) GetOrder(ctx context.Context, id string) (*Order, error)
- func (m *MockDB) GetOrdersByAccountID(ctx context.Context, accID string) ([]string, error)
- func (m *MockDB) UpdateAccount(ctx context.Context, acc *Account) error
- func (m *MockDB) UpdateAuthorization(ctx context.Context, az *Authorization) error
- func (m *MockDB) UpdateChallenge(ctx context.Context, ch *Challenge) error
- func (m *MockDB) UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error
- func (m *MockDB) UpdateOrder(ctx context.Context, o *Order) error
- type MockProvisioner
- func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
- func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) error
- func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error)
- func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration
- func (m *MockProvisioner) GetAttestationRoots() (*x509.CertPool, bool)
- func (m *MockProvisioner) GetID() string
- func (m *MockProvisioner) GetName() string
- func (m *MockProvisioner) GetOptions() *provisioner.Options
- func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
- func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
- type MockWireDB
- func (m *MockWireDB) CreateDpopToken(ctx context.Context, orderID string, dpop map[string]any) error
- func (m *MockWireDB) CreateOidcToken(ctx context.Context, orderID string, idToken map[string]any) error
- func (m *MockWireDB) GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
- func (m *MockWireDB) GetDpopToken(ctx context.Context, orderID string) (map[string]any, error)
- func (m *MockWireDB) GetOidcToken(ctx context.Context, orderID string) (map[string]any, error)
- type Nonce
- type Order
- type Policy
- type PolicyNames
- type PrerequisitesChecker
- type ProblemType
- type Provisioner
- type Status
- type Subproblem
- type WireDB
- type X509Policy
Variables ¶
var (
	// InsecurePortHTTP01 is the port used to verify http-01 challenges. If not set it
	// defaults to 80.
	//
	// This is a mutable package-level setting: overriding it changes which port the
	// CA connects to when validating the challenge, which (as the "Insecure" prefix
	// indicates) is only appropriate in test environments.
	InsecurePortHTTP01 int

	// InsecurePortTLSALPN01 is the port used to verify tls-alpn-01 challenges. If not
	// set it defaults to 443.
	//
	// This variable can be used for testing purposes; the same caveat as for
	// InsecurePortHTTP01 applies.
	InsecurePortTLSALPN01 int

	// StrictFQDN enforces a fully qualified domain name in the DNS resolution. By
	// default it allows domain resolution using a search list defined in the
	// resolv.conf or similar configuration.
	StrictFQDN bool
)
// The Status values below are declared with var rather than const, so they are
// mutable at package level.
var (
	// StatusValid -- valid
	StatusValid = Status("valid")
	// StatusInvalid -- invalid
	StatusInvalid = Status("invalid")
	// StatusPending -- pending; e.g. an Order that is not ready to be finalized.
	StatusPending = Status("pending")
	// StatusDeactivated -- deactivated; e.g. for an Account that is no longer valid.
	StatusDeactivated = Status("deactivated")
	// StatusReady -- ready; e.g. for an Order that is ready to be finalized.
	StatusReady = Status("ready")
)
// ErrNotFound is an error that should be used by the acme.DB interface to
// indicate that an entity does not exist. For example, in the new-account
// endpoint, if GetAccountByKeyID returns ErrNotFound we will create the new
// account. Callers should test for it with IsErrNotFound rather than comparing
// the error value directly.
var ErrNotFound = errors.New("not found")
ErrNotFound is an error that should be used by the acme.DB interface to indicate that an entity does not exist. For example, in the new-account endpoint, if GetAccountByKeyID returns ErrNotFound we will create the new account.
Functions ¶
func DefaultPrerequisitesChecker ¶ added in v0.20.0
DefaultPrerequisitesChecker is the default PrerequisitesChecker and always returns true.
func GetUnescapedPathSuffix ¶ added in v0.20.0
func IsErrNotFound ¶ added in v0.25.0
IsErrNotFound returns true if the error is a "not found" error. Returns false otherwise.
func KeyAuthorization ¶
func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error)
KeyAuthorization creates the ACME key authorization value from a token and a jwk.
func KeyToID ¶ added in v0.15.12
func KeyToID(jwk *jose.JSONWebKey) (string, error)
KeyToID converts a JWK to a thumbprint.
func NewClientContext ¶ added in v0.20.0
NewClientContext adds the given client to the context.
func NewContext ¶ added in v0.20.0
func NewContext(ctx context.Context, db DB, client Client, linker Linker, fn PrerequisitesChecker) context.Context
NewContext adds the given acme components to the context.
func NewDatabaseContext ¶ added in v0.20.0
NewDatabaseContext adds the given acme database to the context.
func NewLinkerContext ¶ added in v0.20.0
NewLinkerContext adds the given linker to the context.
func NewPrerequisitesCheckerContext ¶ added in v0.20.0
func NewPrerequisitesCheckerContext(ctx context.Context, fn PrerequisitesChecker) context.Context
NewPrerequisitesCheckerContext adds the given PrerequisitesChecker to the context.
func NewProvisionerContext ¶ added in v0.20.0
func NewProvisionerContext(ctx context.Context, v Provisioner) context.Context
NewProvisionerContext adds the given provisioner to the context.
Types ¶
type Account ¶
// Account is a subset of the internal account type containing only those
// attributes required for responses in the ACME protocol. Fields tagged
// `json:"-"` are internal and are never serialized into ACME responses.
type Account struct {
	ID                     string           `json:"-"`
	Key                    *jose.JSONWebKey `json:"-"` // account key; not exposed in responses
	Contact                []string         `json:"contact,omitempty"`
	Status                 Status           `json:"status"`
	OrdersURL              string           `json:"orders"`
	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
	LocationPrefix         string           `json:"-"`
	ProvisionerID          string           `json:"-"`
	ProvisionerName        string           `json:"-"`
}
Account is a subset of the internal account type containing only those attributes required for responses in the ACME protocol.
func (*Account) GetLocation ¶ added in v0.25.0
GetLocation returns the URL location of the given account.
type Authorization ¶ added in v0.15.12
// Authorization represents an ACME Authorization. Token and Fingerprint are
// internal (`json:"-"`) and are not returned to the client.
type Authorization struct {
	ID          string       `json:"-"`
	AccountID   string       `json:"-"`
	Token       string       `json:"-"`
	Fingerprint string       `json:"-"`
	Identifier  Identifier   `json:"identifier"`
	Status      Status       `json:"status"`
	Challenges  []*Challenge `json:"challenges"`
	Wildcard    bool         `json:"wildcard"`
	ExpiresAt   time.Time    `json:"expires"`
	Error       *Error       `json:"error,omitempty"`
}
Authorization represents an ACME Authorization.
func (*Authorization) ToLog ¶ added in v0.15.12
func (az *Authorization) ToLog() (interface{}, error)
ToLog enables response logging.
func (*Authorization) UpdateStatus ¶ added in v0.15.12
func (az *Authorization) UpdateStatus(ctx context.Context, db DB) error
UpdateStatus updates the ACME Authorization Status if necessary. Changes to the Authorization are saved using the database interface.
type Certificate ¶ added in v0.15.12
// Certificate holds the options with which to create and store a cert object:
// the issued leaf plus its intermediates, tied to the account and order that
// produced it.
type Certificate struct {
	ID            string
	AccountID     string
	OrderID       string
	Leaf          *x509.Certificate
	Intermediates []*x509.Certificate
}
Certificate options with which to create and store a cert object.
type CertificateAuthority ¶ added in v0.15.12
// CertificateAuthority is the interface implemented by a CA authority.
type CertificateAuthority interface {
	// SignWithContext signs the certificate request with the given sign options
	// and returns the resulting chain.
	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	// AreSANsAllowed returns an error if the given SANs are not allowed.
	AreSANsAllowed(ctx context.Context, sans []string) error
	// IsRevoked reports whether the certificate with serial number sn is revoked.
	IsRevoked(sn string) (bool, error)
	// Revoke revokes a certificate according to the given options.
	Revoke(context.Context, *authority.RevokeOptions) error
	// LoadProvisionerByName returns the provisioner with the given name.
	LoadProvisionerByName(string) (provisioner.Interface, error)
}
CertificateAuthority is the interface implemented by a CA authority.
type Challenge ¶
// Challenge represents an ACME response Challenge type. The Value field is
// internal (`json:"-"`); Token, URL and Target are part of the client-visible
// response.
type Challenge struct {
	ID              string        `json:"-"`
	AccountID       string        `json:"-"`
	AuthorizationID string        `json:"-"`
	Value           string        `json:"-"`
	Type            ChallengeType `json:"type"`
	Status          Status        `json:"status"`
	Token           string        `json:"token"`
	ValidatedAt     string        `json:"validated,omitempty"`
	URL             string        `json:"url"`
	Target          string        `json:"target,omitempty"`
	Error           *Error        `json:"error,omitempty"`
}
Challenge represents an ACME response Challenge type.
func (*Challenge) Validate ¶ added in v0.15.12
func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, payload []byte) error
Validate attempts to validate the Challenge. Stores changes to the Challenge type using the DB interface. If the Challenge is validated, the 'status' and 'validated' attributes are updated.
type ChallengeType ¶ added in v0.16.0
// ChallengeType identifies the kind of ACME challenge (e.g. http-01, dns-01).
type ChallengeType string
// Supported challenge types. The string values are the identifiers used on the
// wire in the challenge "type" field.
const (
	// HTTP01 is the http-01 ACME challenge type
	HTTP01 ChallengeType = "http-01"
	// DNS01 is the dns-01 ACME challenge type
	DNS01 ChallengeType = "dns-01"
	// TLSALPN01 is the tls-alpn-01 ACME challenge type
	TLSALPN01 ChallengeType = "tls-alpn-01"
	// DEVICEATTEST01 is the device-attest-01 ACME challenge type
	DEVICEATTEST01 ChallengeType = "device-attest-01"
	// WIREOIDC01 is the Wire OIDC challenge type
	WIREOIDC01 ChallengeType = "wire-oidc-01"
	// WIREDPOP01 is the Wire DPoP challenge type
	WIREDPOP01 ChallengeType = "wire-dpop-01"
)
type Client ¶ added in v0.20.0
// Client is the interface used to verify ACME challenges. Implementations make
// outbound HTTP, DNS and TLS connections during validation; tests should
// supply a mock rather than a real network client.
type Client interface {
	// Get issues an HTTP GET to the specified URL.
	Get(url string) (*http.Response, error)
	// LookupTxt returns the DNS TXT records for the given domain name.
	LookupTxt(name string) ([]string, error)
	// TLSDial connects to the given network address using net.Dialer and then
	// initiates a TLS handshake, returning the resulting TLS connection.
	TLSDial(network, addr string, config *tls.Config) (*tls.Conn, error)
}
Client is the interface used to verify ACME challenges.
func ClientFromContext ¶ added in v0.20.0
ClientFromContext returns the current client from the given context.
func MustClientFromContext ¶ added in v0.20.0
MustClientFromContext returns the current client from the given context. It will return a new instance of the client if it does not exist.
type DB ¶ added in v0.15.12
// DB is the DB interface expected by the step-ca ACME API. Lookups for
// entities that do not exist are expected to return ErrNotFound.
type DB interface {
	// Accounts.
	CreateAccount(ctx context.Context, acc *Account) error
	GetAccount(ctx context.Context, id string) (*Account, error)
	GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)
	UpdateAccount(ctx context.Context, acc *Account) error

	// External account binding keys, scoped by provisioner.
	CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
	GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
	GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
	DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error
	UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error

	// Anti-replay nonces.
	CreateNonce(ctx context.Context) (Nonce, error)
	DeleteNonce(ctx context.Context, nonce Nonce) error

	// Authorizations.
	CreateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorization(ctx context.Context, id string) (*Authorization, error)
	UpdateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)

	// Certificates.
	CreateCertificate(ctx context.Context, cert *Certificate) error
	GetCertificate(ctx context.Context, id string) (*Certificate, error)
	GetCertificateBySerial(ctx context.Context, serial string) (*Certificate, error)

	// Challenges; a challenge is looked up together with its authorization ID.
	CreateChallenge(ctx context.Context, ch *Challenge) error
	GetChallenge(ctx context.Context, id, authzID string) (*Challenge, error)
	UpdateChallenge(ctx context.Context, ch *Challenge) error

	// Orders.
	CreateOrder(ctx context.Context, o *Order) error
	GetOrder(ctx context.Context, id string) (*Order, error)
	GetOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
	UpdateOrder(ctx context.Context, o *Order) error
}
DB is the DB interface expected by the step-ca ACME API.
func DatabaseFromContext ¶ added in v0.20.0
DatabaseFromContext returns the current acme database from the given context.
func MustDatabaseFromContext ¶ added in v0.20.0
MustDatabaseFromContext returns the current database from the given context. It will panic if it's not in the context.
type Error ¶
// Error represents an ACME Error (an RFC 7807 problem document). Err and
// Status are internal (`json:"-"`): the wrapped error is not serialized to the
// client unless a constructor such as NewDetailedError copies its message into
// Detail.
type Error struct {
	Type        string       `json:"type"`
	Detail      string       `json:"detail"`
	Subproblems []Subproblem `json:"subproblems,omitempty"`
	Err         error        `json:"-"`
	Status      int          `json:"-"`
}
Error represents an ACME Error
func NewDetailedError ¶ added in v0.25.0
func NewDetailedError(pt ProblemType, msg string, args ...any) *Error
NewDetailedError creates a new Error that includes the error message in the details, providing more information to the ACME client.
func NewError ¶ added in v0.15.12
func NewError(pt ProblemType, msg string, args ...any) *Error
NewError creates a new Error.
func NewErrorISE ¶ added in v0.15.12
NewErrorISE creates a new ErrorServerInternalType Error.
func WrapDetailedError ¶ added in v0.25.0
func WrapDetailedError(typ ProblemType, err error, msg string, args ...any) *Error
func WrapError ¶ added in v0.15.12
func WrapError(typ ProblemType, err error, msg string, args ...any) *Error
WrapError attempts to wrap the internal error.
func WrapErrorISE ¶ added in v0.15.12
WrapErrorISE is a shortcut to wrap an error as an internal server error type.
func (*Error) AddSubproblems ¶ added in v0.23.2
func (e *Error) AddSubproblems(subproblems ...Subproblem) *Error
AddSubproblems adds the Subproblems to Error. It returns the Error, allowing for fluent addition.
func (*Error) Render ¶ added in v0.19.0
func (e *Error) Render(w http.ResponseWriter, r *http.Request)
Render implements render.RenderableError for Error.
func (*Error) StatusCode ¶
StatusCode returns the status code and implements the StatusCoder interface.
type ExternalAccountKey ¶ added in v0.18.1
// ExternalAccountKey is an ACME External Account Binding key.
type ExternalAccountKey struct {
	ID            string    `json:"id"`
	ProvisionerID string    `json:"provisionerID"`
	Reference     string    `json:"reference"`
	AccountID     string    `json:"-"`
	HmacKey       []byte    `json:"-"` // secret; excluded from JSON output
	CreatedAt     time.Time `json:"createdAt"`
	// NOTE(review): omitempty has no effect on a struct type such as time.Time,
	// so a zero BoundAt is still emitted — confirm whether that is intended.
	BoundAt time.Time `json:"boundAt,omitempty"`
	Policy  *Policy   `json:"policy,omitempty"`
}
ExternalAccountKey is an ACME External Account Binding key.
func (*ExternalAccountKey) AlreadyBound ¶ added in v0.18.1
func (eak *ExternalAccountKey) AlreadyBound() bool
AlreadyBound returns whether this EAK is already bound to an ACME Account or not.
func (*ExternalAccountKey) BindTo ¶ added in v0.18.1
func (eak *ExternalAccountKey) BindTo(account *Account) error
BindTo binds the EAK to an Account. It returns an error if it's already bound.
type Identifier ¶
// Identifier encodes the type that an order pertains to, e.g. a DNS name or
// an IP address.
type Identifier struct {
	Type  IdentifierType `json:"type"`
	Value string         `json:"value"`
}
Identifier encodes the type that an order pertains to.
type IdentifierType ¶ added in v0.16.0
// IdentifierType is the type of an ACME identifier (e.g. dns, ip).
type IdentifierType string
// Supported identifier types. The string values are the identifiers used on the
// wire in the identifier "type" field.
const (
	// IP is the ACME ip identifier type
	IP IdentifierType = "ip"
	// DNS is the ACME dns identifier type
	DNS IdentifierType = "dns"
	// PermanentIdentifier is the ACME permanent-identifier identifier type
	// defined in https://datatracker.ietf.org/doc/html/draft-bweeks-acme-device-attest-00
	PermanentIdentifier IdentifierType = "permanent-identifier"
	// WireUser is the Wire user identifier type
	WireUser IdentifierType = "wireapp-user"
	// WireDevice is the Wire device identifier type
	WireDevice IdentifierType = "wireapp-device"
)
type LinkType ¶ added in v0.20.0
// LinkType captures the link type, i.e. which ACME resource a Linker should
// generate a URL for.
type LinkType int
LinkType captures the link type.
// Link types are numbered by iota, so their values depend on declaration order;
// append new types rather than inserting them.
const (
	// NewNonceLinkType new-nonce
	NewNonceLinkType LinkType = iota
	// NewAccountLinkType new-account
	NewAccountLinkType
	// AccountLinkType account
	AccountLinkType
	// OrderLinkType order
	OrderLinkType
	// NewOrderLinkType new-order
	NewOrderLinkType
	// OrdersByAccountLinkType list of orders owned by account
	OrdersByAccountLinkType
	// FinalizeLinkType finalize order
	FinalizeLinkType
	// NewAuthzLinkType authz
	// NOTE(review): this comment and the one on AuthzLinkType look swapped
	// relative to the constant names — confirm against the Linker implementation.
	NewAuthzLinkType
	// AuthzLinkType new-authz
	AuthzLinkType
	// ChallengeLinkType challenge
	ChallengeLinkType
	// CertificateLinkType certificate
	CertificateLinkType
	// DirectoryLinkType directory
	DirectoryLinkType
	// RevokeCertLinkType revoke certificate
	RevokeCertLinkType
	// KeyChangeLinkType key rollover
	KeyChangeLinkType
)
type Linker ¶ added in v0.20.0
// Linker is the interface for generating links for ACME resources.
type Linker interface {
	// GetLink returns the URL for the given link type and path inputs.
	GetLink(ctx context.Context, typ LinkType, inputs ...string) string
	// Middleware wraps an http.Handler, presumably to make the linker available
	// to downstream handlers — confirm against the implementation.
	Middleware(http.Handler) http.Handler
	// LinkOrder populates the URL fields of the given order.
	LinkOrder(ctx context.Context, o *Order)
	// LinkAccount populates the URL fields of the given account.
	LinkAccount(ctx context.Context, o *Account)
	// LinkChallenge populates the URL fields of the given challenge, which is
	// addressed under the authorization azID.
	LinkChallenge(ctx context.Context, o *Challenge, azID string)
	// LinkAuthorization populates the URL fields of the given authorization.
	LinkAuthorization(ctx context.Context, o *Authorization)
	// LinkOrdersByAccountID rewrites the given order IDs in place as URLs.
	LinkOrdersByAccountID(ctx context.Context, orders []string)
}
Linker interface for generating links for ACME resources.
func LinkerFromContext ¶ added in v0.20.0
LinkerFromContext returns the current linker from the given context.
func MustLinkerFromContext ¶ added in v0.20.0
MustLinkerFromContext returns the current linker from the given context. It will panic if it's not in the context.
type MockDB ¶ added in v0.15.12
// MockDB is an implementation of the DB interface that should only be used as
// a mock in tests. Each Mock* field, when set, is called by the method of the
// same name.
type MockDB struct {
	MockCreateAccount                func(ctx context.Context, acc *Account) error
	MockGetAccount                   func(ctx context.Context, id string) (*Account, error)
	MockGetAccountByKeyID            func(ctx context.Context, kid string) (*Account, error)
	MockUpdateAccount                func(ctx context.Context, acc *Account) error
	MockCreateExternalAccountKey     func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	MockGetExternalAccountKey        func(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
	MockGetExternalAccountKeys       func(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
	MockGetExternalAccountKeyByReference func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	MockGetExternalAccountKeyByAccountID func(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
	MockDeleteExternalAccountKey     func(ctx context.Context, provisionerID, keyID string) error
	MockUpdateExternalAccountKey     func(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error
	MockCreateNonce                  func(ctx context.Context) (Nonce, error)
	MockDeleteNonce                  func(ctx context.Context, nonce Nonce) error
	MockCreateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorization             func(ctx context.Context, id string) (*Authorization, error)
	MockUpdateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorizationsByAccountID func(ctx context.Context, accountID string) ([]*Authorization, error)
	MockCreateCertificate            func(ctx context.Context, cert *Certificate) error
	MockGetCertificate               func(ctx context.Context, id string) (*Certificate, error)
	MockGetCertificateBySerial       func(ctx context.Context, serial string) (*Certificate, error)
	MockCreateChallenge              func(ctx context.Context, ch *Challenge) error
	MockGetChallenge                 func(ctx context.Context, id, authzID string) (*Challenge, error)
	MockUpdateChallenge              func(ctx context.Context, ch *Challenge) error
	MockCreateOrder                  func(ctx context.Context, o *Order) error
	MockGetOrder                     func(ctx context.Context, id string) (*Order, error)
	MockGetOrdersByAccountID         func(ctx context.Context, accountID string) ([]string, error)
	MockUpdateOrder                  func(ctx context.Context, o *Order) error

	// MockRet1 and MockError are presumably the fallback return value and error
	// used when the corresponding Mock* func is nil — TODO confirm against the
	// method bodies.
	MockRet1  interface{}
	MockError error
}
MockDB is an implementation of the DB interface that should only be used as a mock in tests.
func (*MockDB) CreateAccount ¶ added in v0.15.12
CreateAccount mock.
func (*MockDB) CreateAuthorization ¶ added in v0.15.12
func (m *MockDB) CreateAuthorization(ctx context.Context, az *Authorization) error
CreateAuthorization mock
func (*MockDB) CreateCertificate ¶ added in v0.15.12
func (m *MockDB) CreateCertificate(ctx context.Context, cert *Certificate) error
CreateCertificate mock
func (*MockDB) CreateChallenge ¶ added in v0.15.12
CreateChallenge mock
func (*MockDB) CreateExternalAccountKey ¶ added in v0.18.1
func (m *MockDB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
CreateExternalAccountKey mock
func (*MockDB) CreateNonce ¶ added in v0.15.12
CreateNonce mock
func (*MockDB) CreateOrder ¶ added in v0.15.12
CreateOrder mock
func (*MockDB) DeleteExternalAccountKey ¶ added in v0.18.1
DeleteExternalAccountKey mock
func (*MockDB) DeleteNonce ¶ added in v0.15.12
DeleteNonce mock
func (*MockDB) GetAccount ¶ added in v0.15.12
GetAccount mock.
func (*MockDB) GetAccountByKeyID ¶ added in v0.15.12
GetAccountByKeyID mock
func (*MockDB) GetAuthorization ¶ added in v0.15.12
GetAuthorization mock
func (*MockDB) GetAuthorizationsByAccountID ¶ added in v0.18.1
func (m *MockDB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)
GetAuthorizationsByAccountID mock
func (*MockDB) GetCertificate ¶ added in v0.15.12
GetCertificate mock
func (*MockDB) GetCertificateBySerial ¶ added in v0.18.1
GetCertificateBySerial mock
func (*MockDB) GetChallenge ¶ added in v0.15.12
GetChallenge mock
func (*MockDB) GetExternalAccountKey ¶ added in v0.18.1
func (m *MockDB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
GetExternalAccountKey mock
func (*MockDB) GetExternalAccountKeyByAccountID ¶ added in v0.20.0
func (m *MockDB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
GetExternalAccountKeyByAccountID mock
func (*MockDB) GetExternalAccountKeyByReference ¶ added in v0.18.1
func (m *MockDB) GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
GetExternalAccountKeyByReference mock
func (*MockDB) GetExternalAccountKeys ¶ added in v0.18.1
func (m *MockDB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
GetExternalAccountKeys mock
func (*MockDB) GetOrdersByAccountID ¶ added in v0.15.12
GetOrdersByAccountID mock
func (*MockDB) UpdateAccount ¶ added in v0.15.12
UpdateAccount mock
func (*MockDB) UpdateAuthorization ¶ added in v0.15.12
func (m *MockDB) UpdateAuthorization(ctx context.Context, az *Authorization) error
UpdateAuthorization mock
func (*MockDB) UpdateChallenge ¶ added in v0.15.12
UpdateChallenge mock
func (*MockDB) UpdateExternalAccountKey ¶ added in v0.18.1
func (m *MockDB) UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error
UpdateExternalAccountKey mock
type MockProvisioner ¶ added in v0.14.5
// MockProvisioner is a Provisioner implementation for testing. Each M* func
// field, when set, backs the method of the corresponding name.
type MockProvisioner struct {
	// Mret1 and Merr are presumably the fallback return value and error used
	// when the corresponding M* func is nil — TODO confirm against the method
	// bodies.
	Mret1                   interface{}
	Merr                    error
	MgetID                  func() string
	MgetName                func() string
	MisChallengeEnabled     func(ctx context.Context, challenge provisioner.ACMEChallenge) bool
	MisAttFormatEnabled     func(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
	MgetAttestationRoots    func() (*x509.CertPool, bool)
	MdefaultTLSCertDuration func() time.Duration
	MgetOptions             func() *provisioner.Options
}
MockProvisioner is a Provisioner mock for testing.
func (*MockProvisioner) AuthorizeOrderIdentifier ¶ added in v0.20.0
func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
AuthorizeOrderIdentifier mock
func (*MockProvisioner) AuthorizeRevoke ¶ added in v0.18.1
func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) error
AuthorizeRevoke mock
func (*MockProvisioner) AuthorizeSign ¶ added in v0.14.5
func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error)
AuthorizeSign mock
func (*MockProvisioner) DefaultTLSCertDuration ¶ added in v0.14.5
func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration
DefaultTLSCertDuration mock
func (*MockProvisioner) GetAttestationRoots ¶ added in v0.23.0
func (m *MockProvisioner) GetAttestationRoots() (*x509.CertPool, bool)
func (*MockProvisioner) GetID ¶ added in v0.15.12
func (m *MockProvisioner) GetID() string
GetID mock
func (*MockProvisioner) GetName ¶ added in v0.14.5
func (m *MockProvisioner) GetName() string
GetName mock
func (*MockProvisioner) GetOptions ¶ added in v0.15.0
func (m *MockProvisioner) GetOptions() *provisioner.Options
GetOptions mock
func (*MockProvisioner) IsAttestationFormatEnabled ¶ added in v0.23.0
func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
IsAttestationFormatEnabled mock
func (*MockProvisioner) IsChallengeEnabled ¶ added in v0.23.0
func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
IsChallengeEnabled mock
type MockWireDB ¶ added in v0.27.3
// MockWireDB is an implementation of the WireDB interface that should only be
// used as a mock in tests. It embeds the MockDB, as it is an extension of the
// existing database methods.
type MockWireDB struct {
	MockDB // embedded so the DB methods are promoted onto MockWireDB
	MockGetAllOrdersByAccountID func(ctx context.Context, accountID string) ([]string, error)
	MockGetDpopToken            func(ctx context.Context, orderID string) (map[string]interface{}, error)
	MockCreateDpopToken         func(ctx context.Context, orderID string, dpop map[string]interface{}) error
	MockGetOidcToken            func(ctx context.Context, orderID string) (map[string]interface{}, error)
	MockCreateOidcToken         func(ctx context.Context, orderID string, idToken map[string]interface{}) error
}
MockWireDB is an implementation of the WireDB interface that should only be used as a mock in tests. It embeds the MockDB, as it is an extension of the existing database methods.
func (*MockWireDB) CreateDpopToken ¶ added in v0.27.3
func (m *MockWireDB) CreateDpopToken(ctx context.Context, orderID string, dpop map[string]any) error
CreateDpopToken creates DPoP resources and saves them to the DB.
func (*MockWireDB) CreateOidcToken ¶ added in v0.27.3
func (m *MockWireDB) CreateOidcToken(ctx context.Context, orderID string, idToken map[string]any) error
CreateOidcToken creates oidc token resources and saves them to the DB.
func (*MockWireDB) GetAllOrdersByAccountID ¶ added in v0.27.3
func (m *MockWireDB) GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
GetAllOrdersByAccountID returns a list of any order IDs owned by the account.
func (*MockWireDB) GetDpopToken ¶ added in v0.27.3
GetDpopToken retrieves a DPoP token from the database.
func (*MockWireDB) GetOidcToken ¶ added in v0.27.3
GetOidcToken retrieves an oidc token from the database.
type Order ¶
// Order contains order metadata for the ACME protocol order type. The
// AuthorizationIDs and CertificateID fields are internal (`json:"-"`); the
// client-visible counterparts are AuthorizationURLs and CertificateURL.
type Order struct {
	ID                string       `json:"id"`
	AccountID         string       `json:"-"`
	ProvisionerID     string       `json:"-"`
	Status            Status       `json:"status"`
	ExpiresAt         time.Time    `json:"expires"`
	Identifiers       []Identifier `json:"identifiers"`
	NotBefore         time.Time    `json:"notBefore"`
	NotAfter          time.Time    `json:"notAfter"`
	Error             *Error       `json:"error,omitempty"`
	AuthorizationIDs  []string     `json:"-"`
	AuthorizationURLs []string     `json:"authorizations"`
	FinalizeURL       string       `json:"finalize"`
	CertificateID     string       `json:"-"`
	CertificateURL    string       `json:"certificate,omitempty"`
}
Order contains order metadata for the ACME protocol order type.
func (*Order) Finalize ¶
func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error
Finalize signs a certificate if the necessary conditions for Order completion have been met.
TODO(mariano): Here or in the challenge validation we should perform some external validation using the identifier value and the attestation data. From a validation service we can get the list of SANs to set in the final certificate.
type Policy ¶ added in v0.20.0
// Policy is an ACME account-level policy.
type Policy struct {
	// X509 holds the X.509 name policy applied to the account.
	X509 X509Policy `json:"x509"`
}
Policy is an ACME account-level policy.
func (*Policy) AreWildcardNamesAllowed ¶ added in v0.20.0
AreWildcardNamesAllowed returns whether wildcard names like *.example.com are allowed to be signed. Defaults to false.
func (*Policy) GetAllowedNameOptions ¶ added in v0.20.0
func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions
func (*Policy) GetDeniedNameOptions ¶ added in v0.20.0
func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions
type PolicyNames ¶ added in v0.20.0
PolicyNames contains ACME account-level policy names.
type PrerequisitesChecker ¶ added in v0.20.0
PrerequisitesChecker is a function that checks if all prerequisites for serving ACME are met by the CA configuration.
func PrerequisitesCheckerFromContext ¶ added in v0.20.0
func PrerequisitesCheckerFromContext(ctx context.Context) (PrerequisitesChecker, bool)
PrerequisitesCheckerFromContext returns the PrerequisitesChecker in the context.
type ProblemType ¶ added in v0.15.12
// ProblemType is the type of the ACME problem, i.e. the error category
// reported to the client in an Error's "type" field.
type ProblemType int
ProblemType is the type of the ACME problem.
// Problem types are numbered by iota, so the order of this block is part of
// the type's value space: add new problem types at the end only, so existing
// numeric values stay stable.
const (
	// ErrorAccountDoesNotExistType: the request specified an account that does not exist.
	ErrorAccountDoesNotExistType ProblemType = iota
	// ErrorAlreadyRevokedType: the request specified a certificate that has already been revoked.
	ErrorAlreadyRevokedType
	// ErrorBadAttestationStatementType: the WebAuthn attestation statement could not be verified.
	ErrorBadAttestationStatementType
	// ErrorBadCSRType: the CSR is unacceptable (e.g., due to a short key).
	ErrorBadCSRType
	// ErrorBadNonceType: the client sent an unacceptable anti-replay nonce.
	ErrorBadNonceType
	// ErrorBadPublicKeyType: the JWS was signed by a public key the server does not support.
	ErrorBadPublicKeyType
	// ErrorBadRevocationReasonType: the revocation reason provided is not allowed by the server.
	ErrorBadRevocationReasonType
	// ErrorBadSignatureAlgorithmType: the JWS was signed with an algorithm the server does not support.
	ErrorBadSignatureAlgorithmType
	// ErrorCaaType: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate.
	ErrorCaaType
	// ErrorCompoundType: the specific error conditions are indicated in the "subproblems" array.
	ErrorCompoundType
	// ErrorConnectionType: the server could not connect to the validation target.
	ErrorConnectionType
	// ErrorDNSType: there was a problem with a DNS query during identifier validation.
	ErrorDNSType
	// ErrorExternalAccountRequiredType: the request must include a value for the "externalAccountBinding" field.
	ErrorExternalAccountRequiredType
	// ErrorIncorrectResponseType: the response received did not match the challenge's requirements.
	ErrorIncorrectResponseType
	// ErrorInvalidContactType: a contact URL for an account was invalid.
	ErrorInvalidContactType
	// ErrorMalformedType: the request message was malformed.
	ErrorMalformedType
	// ErrorOrderNotReadyType: the request attempted to finalize an order that is not ready to be finalized.
	ErrorOrderNotReadyType
	// ErrorRateLimitedType: the request exceeds a rate limit.
	ErrorRateLimitedType
	// ErrorRejectedIdentifierType: the server will not issue certificates for the identifier.
	ErrorRejectedIdentifierType
	// ErrorServerInternalType: the server experienced an internal error.
	ErrorServerInternalType
	// ErrorTLSType: the server received a TLS error during validation.
	ErrorTLSType
	// ErrorUnauthorizedType: the client lacks sufficient authorization.
	ErrorUnauthorizedType
	// ErrorUnsupportedContactType: a contact URL for an account used an unsupported protocol scheme.
	ErrorUnsupportedContactType
	// ErrorUnsupportedIdentifierType: the identifier is of an unsupported type.
	ErrorUnsupportedIdentifierType
	// ErrorUserActionRequiredType: the client must visit the "instance" URL and take the actions specified there.
	ErrorUserActionRequiredType
	// ErrorNotImplementedType: the operation is not implemented.
	ErrorNotImplementedType
)
func (ProblemType) String ¶ added in v0.15.12
func (ap ProblemType) String() string
String returns the string representation of the acme problem type, fulfilling the Stringer interface.
type Provisioner ¶ added in v0.14.5
// Provisioner is the subset of provisioner.Interface that the ACME
// api/authority needs.
type Provisioner interface {
	// Authorization hooks. Each returns a non-nil error to reject the
	// operation (inferred from the error-only results; confirm against the
	// concrete provisioner implementations). AuthorizeSign additionally
	// yields the sign options applied to the certificate request.
	AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
	AuthorizeRevoke(ctx context.Context, token string) error

	// Feature gates: which ACME challenge types and attestation formats this
	// provisioner accepts.
	IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
	IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool

	// GetAttestationRoots returns the trust anchors for attestation
	// statements; the bool presumably reports whether any roots are
	// configured — confirm against the implementation.
	GetAttestationRoots() (*x509.CertPool, bool)

	GetID() string
	GetName() string
	DefaultTLSCertDuration() time.Duration
	GetOptions() *provisioner.Options
}
Provisioner is an interface exposing a subset of provisioner.Interface — only the methods required by the ACME api/authority.
func MustProvisionerFromContext ¶ added in v0.20.0
func MustProvisionerFromContext(ctx context.Context) Provisioner
MustProvisionerFromContext returns the current provisioner from the given context. It will panic if it's not in the context.
func ProvisionerFromContext ¶ added in v0.14.5
func ProvisionerFromContext(ctx context.Context) (v Provisioner, ok bool)
ProvisionerFromContext returns the current provisioner from the given context.
type Subproblem ¶ added in v0.23.2
// Subproblem represents an ACME subproblem (RFC 8555 §6.7.1). Unlike an
// Error it carries no Status and cannot nest further subproblems; the
// message lives in Detail.
type Subproblem struct {
	Type string `json:"type"`
	// Detail is returned to the ACME client (see NewSubproblem), so it should
	// describe the client-visible problem rather than internal state.
	Detail string `json:"detail"`
	// The "identifier" field MUST NOT be present at the top level in ACME
	// problem documents. It can only be present in subproblems.
	// Subproblems need not all have the same type, and they do not need to
	// match the top level type.
	Identifier *Identifier `json:"identifier,omitempty"`
}
Subproblem represents an ACME subproblem. It is similar to an ACME error but differs in three ways: it cannot contain subproblems of its own, the error is carried in the Detail property, and it has no Status.
func NewSubproblem ¶ added in v0.23.2
func NewSubproblem(pt ProblemType, msg string, args ...any) Subproblem
NewSubproblem creates a new Subproblem. The msg and args are used to create a new error, which is set as the Detail, allowing for more detailed error messages to be returned to the ACME client.
func NewSubproblemWithIdentifier ¶ added in v0.23.2
func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...any) Subproblem
NewSubproblemWithIdentifier creates a new Subproblem with a specific ACME Identifier. It calls NewSubproblem and sets the Identifier.
type WireDB ¶ added in v0.27.3
// WireDB extends DB with the operations needed for ACME orders that use
// Wire identifiers. Nothing enforces at compile time that it is only used
// when Wire identifiers are enabled in the CA configuration; that check is
// made at runtime.
type WireDB interface {
	DB

	// GetAllOrdersByAccountID returns the IDs of the orders belonging to
	// accountID (inferred from the []string result — confirm against the
	// implementation).
	GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)

	// DPoP token storage, looked up by order ID. The token travels as an
	// untyped map (interface{} is the pre-Go 1.18 spelling of any), so readers
	// must check the type and presence of every claim they use rather than
	// assume a fixed shape.
	CreateDpopToken(ctx context.Context, orderID string, dpop map[string]interface{}) error
	GetDpopToken(ctx context.Context, orderID string) (map[string]interface{}, error)

	// OIDC ID token storage, looked up by order ID; same untyped-map caveat.
	CreateOidcToken(ctx context.Context, orderID string, idToken map[string]interface{}) error
	GetOidcToken(ctx context.Context, orderID string) (map[string]interface{}, error)
}
WireDB is the interface used for operations on ACME Orders for Wire identifiers. This is not a general purpose interface, and it should only be used when Wire identifiers are enabled in the CA configuration. Currently this restriction is asserted only at runtime, not at compile time.
type X509Policy ¶ added in v0.20.0
// X509Policy contains the ACME account level X.509 policy.
type X509Policy struct {
	// Allow and deny name lists, exposed through GetAllowedNameOptions and
	// GetDeniedNameOptions respectively.
	Allowed PolicyNames `json:"allow"`
	Denied  PolicyNames `json:"deny"`
	// AllowWildcardNames permits wildcard names such as *.example.com to be
	// signed. The zero value (false) denies them, matching the documented
	// default of AreWildcardNamesAllowed.
	AllowWildcardNames bool `json:"allowWildcardNames"`
}
X509Policy contains ACME account level X.509 policy