Documentation ¶
Index ¶
- Constants
- Variables
- func BaseURLFromContext(ctx context.Context) *url.URL
- func JwkFromContext(ctx context.Context) (*jose.JSONWebKey, error)
- func JwsFromContext(ctx context.Context) (*jose.JSONWebSignature, error)
- func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error)
- type AError
- type Account
- type AccountOptions
- type Authority
- func (a *Authority) DeactivateAccount(ctx context.Context, id string) (*Account, error)
- func (a *Authority) FinalizeOrder(ctx context.Context, accID, orderID string, csr *x509.CertificateRequest) (*Order, error)
- func (a *Authority) GetAccount(ctx context.Context, id string) (*Account, error)
- func (a *Authority) GetAccountByKey(ctx context.Context, jwk *jose.JSONWebKey) (*Account, error)
- func (a *Authority) GetAuthz(ctx context.Context, accID, authzID string) (*Authz, error)
- func (a *Authority) GetCertificate(accID, certID string) ([]byte, error)
- func (a *Authority) GetDirectory(ctx context.Context) (*Directory, error)
- func (a *Authority) GetLink(ctx context.Context, typ Link, abs bool, inputs ...string) string
- func (a *Authority) GetLinkExplicit(typ Link, provName string, abs bool, baseURL *url.URL, inputs ...string) string
- func (a *Authority) GetOrder(ctx context.Context, accID, orderID string) (*Order, error)
- func (a *Authority) GetOrdersByAccount(ctx context.Context, id string) ([]string, error)
- func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
- func (a *Authority) NewAccount(ctx context.Context, ao AccountOptions) (*Account, error)
- func (a *Authority) NewNonce() (string, error)
- func (a *Authority) NewOrder(ctx context.Context, ops OrderOptions) (*Order, error)
- func (a *Authority) UpdateAccount(ctx context.Context, id string, contact []string) (*Account, error)
- func (a *Authority) UseNonce(nonce string) error
- func (a *Authority) ValidateChallenge(ctx context.Context, accID, chID string, jwk *jose.JSONWebKey) (*Challenge, error)
- type AuthorityOptions
- type Authz
- type CertOptions
- type Challenge
- type ChallengeOptions
- type Clock
- type ContextKey
- type Directory
- type Error
- func AccountDoesNotExistErr(err error) *Error
- func AlreadyRevokedErr(err error) *Error
- func BadCSRErr(err error) *Error
- func BadNonceErr(err error) *Error
- func BadPublicKeyErr(err error) *Error
- func BadRevocationReasonErr(err error) *Error
- func BadSignatureAlgorithmErr(err error) *Error
- func CaaErr(err error) *Error
- func CompoundErr(err error) *Error
- func ConnectionErr(err error) *Error
- func DNSErr(err error) *Error
- func ExternalAccountRequiredErr(err error) *Error
- func IncorrectResponseErr(err error) *Error
- func InvalidContactErr(err error) *Error
- func MalformedErr(err error) *Error
- func NotImplemented(err error) *Error
- func OrderNotReadyErr(err error) *Error
- func RateLimitedErr(err error) *Error
- func RejectedIdentifierErr(err error) *Error
- func ServerInternalErr(err error) *Error
- func TLSErr(err error) *Error
- func UnauthorizedErr(err error) *Error
- func UnsupportedContactErr(err error) *Error
- func UnsupportedIdentifierErr(err error) *Error
- func UserActionRequiredErr(err error) *Error
- func Wrap(err error, wrap string) *Error
- type Identifier
- type Interface
- type Link
- type MockProvisioner
- type Order
- type OrderOptions
- type ProbType
- type Provisioner
- type SignAuthority
Constants ¶
const ( // AccContextKey account key AccContextKey = ContextKey("acc") // BaseURLContextKey baseURL key BaseURLContextKey = ContextKey("baseURL") // JwsContextKey jws key JwsContextKey = ContextKey("jws") // JwkContextKey jwk key JwkContextKey = ContextKey("jwk") // PayloadContextKey payload key PayloadContextKey = ContextKey("payload") // ProvisionerContextKey provisioner key ProvisionerContextKey = ContextKey("provisioner") )
Variables ¶
var ( // StatusValid -- valid StatusValid = "valid" // StatusInvalid -- invalid StatusInvalid = "invalid" // StatusPending -- pending; e.g. an Order that is not ready to be finalized. StatusPending = "pending" // StatusDeactivated -- deactivated; e.g. for an Account that is not longer valid. StatusDeactivated = "deactivated" // StatusReady -- ready; e.g. for an Order that is ready to be finalized. StatusReady = "ready" )
Functions ¶
func BaseURLFromContext ¶ added in v0.14.5
BaseURLFromContext returns the baseURL if one is stored in the context.
func JwkFromContext ¶ added in v0.14.5
func JwkFromContext(ctx context.Context) (*jose.JSONWebKey, error)
JwkFromContext searches the context for a JWK. Returns the JWK or an error.
func JwsFromContext ¶ added in v0.14.5
func JwsFromContext(ctx context.Context) (*jose.JSONWebSignature, error)
JwsFromContext searches the context for a JWS. Returns the JWS or an error.
func KeyAuthorization ¶
func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error)
KeyAuthorization creates the ACME key authorization value from a token and a jwk.
Types ¶
type AError ¶
type AError struct { Type string `json:"type"` Detail string `json:"detail"` Identifier interface{} `json:"identifier,omitempty"` Subproblems []interface{} `json:"subproblems,omitempty"` Status int `json:"-"` }
AError is the error type as seen in acme request/responses.
func (*AError) StatusCode ¶
StatusCode returns the status code and implements the StatusCode interface.
type Account ¶
type Account struct { Contact []string `json:"contact,omitempty"` Status string `json:"status"` Orders string `json:"orders"` ID string `json:"-"` Key *jose.JSONWebKey `json:"-"` }
Account is a subset of the internal account type containing only those attributes required for responses in the ACME protocol.
func AccountFromContext ¶ added in v0.14.5
AccountFromContext searches the context for an ACME account. Returns the account or an error.
func (*Account) GetKey ¶
func (a *Account) GetKey() *jose.JSONWebKey
GetKey returns the JWK associated with the account.
type AccountOptions ¶
type AccountOptions struct { Key *jose.JSONWebKey Contact []string }
AccountOptions are the options needed to create a new ACME account.
type Authority ¶
type Authority struct {
// contains filtered or unexported fields
}
Authority is the layer that handles all ACME interactions.
func New ¶ added in v0.14.5
func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error)
New returns a new Autohrity that implements the ACME interface.
func NewAuthority
deprecated
func (*Authority) DeactivateAccount ¶
DeactivateAccount deactivates an ACME account.
func (*Authority) FinalizeOrder ¶
func (a *Authority) FinalizeOrder(ctx context.Context, accID, orderID string, csr *x509.CertificateRequest) (*Order, error)
FinalizeOrder attempts to finalize an order and generate a new certificate.
func (*Authority) GetAccount ¶
GetAccount returns an ACME account.
func (*Authority) GetAccountByKey ¶
GetAccountByKey returns the ACME associated with the jwk id.
func (*Authority) GetAuthz ¶
GetAuthz retrieves and attempts to update the status on an ACME authz before returning.
func (*Authority) GetCertificate ¶
GetCertificate retrieves the Certificate by ID.
func (*Authority) GetDirectory ¶
GetDirectory returns the ACME directory object.
func (*Authority) GetLinkExplicit ¶ added in v0.14.5
func (a *Authority) GetLinkExplicit(typ Link, provName string, abs bool, baseURL *url.URL, inputs ...string) string
GetLinkExplicit returns the requested link from the directory.
func (*Authority) GetOrdersByAccount ¶
GetOrdersByAccount returns the list of order urls owned by the account.
func (*Authority) LoadProvisionerByID ¶
func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
LoadProvisionerByID calls out to the SignAuthority interface to load a provisioner by ID.
func (*Authority) NewAccount ¶
NewAccount creates, stores, and returns a new ACME account.
func (*Authority) UpdateAccount ¶
func (a *Authority) UpdateAccount(ctx context.Context, id string, contact []string) (*Account, error)
UpdateAccount updates an ACME account.
func (*Authority) UseNonce ¶
UseNonce consumes the given nonce if it is valid, returns error otherwise.
func (*Authority) ValidateChallenge ¶
func (a *Authority) ValidateChallenge(ctx context.Context, accID, chID string, jwk *jose.JSONWebKey) (*Challenge, error)
ValidateChallenge attempts to validate the challenge.
type AuthorityOptions ¶ added in v0.14.5
type AuthorityOptions struct { Backdate provisioner.Duration // DB is the database used by nosql. DB nosql.DB // DNS the host used to generate accurate ACME links. By default the authority // will use the Host from the request, so this value will only be used if // request.Host is empty. DNS string // Prefix is a URL path prefix under which the ACME api is served. This // prefix is required to generate accurate ACME links. // E.g. https://ca.smallstep.com/acme/my-acme-provisioner/new-account -- // "acme" is the prefix from which the ACME api is accessed. Prefix string }
AuthorityOptions required to create a new ACME Authority.
type Authz ¶
type Authz struct { Identifier Identifier `json:"identifier"` Status string `json:"status"` Expires string `json:"expires"` Challenges []*Challenge `json:"challenges"` Wildcard bool `json:"wildcard"` ID string `json:"-"` }
Authz is a subset of the Authz type containing only those attributes required for responses in the ACME protocol.
type CertOptions ¶
type CertOptions struct { AccountID string OrderID string Leaf *x509.Certificate Intermediates []*x509.Certificate }
CertOptions options with which to create and store a cert object.
type Challenge ¶
type Challenge struct { Type string `json:"type"` Status string `json:"status"` Token string `json:"token"` Validated string `json:"validated,omitempty"` URL string `json:"url"` Error *AError `json:"error,omitempty"` ID string `json:"-"` AuthzID string `json:"-"` }
Challenge is a subset of the challenge type containing only those attributes required for responses in the ACME protocol.
func (*Challenge) GetAuthzID ¶
GetAuthzID returns the parent Authz ID that owns the Challenge.
type ChallengeOptions ¶
type ChallengeOptions struct { AccountID string AuthzID string Identifier Identifier }
ChallengeOptions is the type used to created a new Challenge.
type ContextKey ¶ added in v0.14.5
type ContextKey string
ContextKey is the key type for storing and searching for ACME request essentials in the context of a request.
type Directory ¶
type Directory struct { NewNonce string `json:"newNonce,omitempty"` NewAccount string `json:"newAccount,omitempty"` NewOrder string `json:"newOrder,omitempty"` NewAuthz string `json:"newAuthz,omitempty"` RevokeCert string `json:"revokeCert,omitempty"` KeyChange string `json:"keyChange,omitempty"` }
Directory represents an ACME directory for configuring clients.
type Error ¶
type Error struct { Type ProbType Detail string Err error Status int Sub []*Error Identifier *Identifier }
Error is an ACME error type complete with problem document.
func AccountDoesNotExistErr ¶
AccountDoesNotExistErr returns a new acme error.
func AlreadyRevokedErr ¶
AlreadyRevokedErr returns a new acme error.
func BadPublicKeyErr ¶
BadPublicKeyErr returns a new acme error.
func BadRevocationReasonErr ¶
BadRevocationReasonErr returns a new acme error.
func BadSignatureAlgorithmErr ¶
BadSignatureAlgorithmErr returns a new acme error.
func ExternalAccountRequiredErr ¶
ExternalAccountRequiredErr returns a new acme error.
func IncorrectResponseErr ¶
IncorrectResponseErr returns a new acme error.
func InvalidContactErr ¶
InvalidContactErr returns a new acme error.
func NotImplemented ¶ added in v0.14.5
NotImplemented returns a new acme error.
func OrderNotReadyErr ¶
OrderNotReadyErr returns a new acme error.
func RateLimitedErr ¶
RateLimitedErr returns a new acme error.
func RejectedIdentifierErr ¶
RejectedIdentifierErr returns a new acme error.
func ServerInternalErr ¶
ServerInternalErr returns a new acme error.
func UnauthorizedErr ¶
UnauthorizedErr returns a new acme error.
func UnsupportedContactErr ¶
UnsupportedContactErr returns a new acme error.
func UnsupportedIdentifierErr ¶
UnsupportedIdentifierErr returns a new acme error.
func UserActionRequiredErr ¶
UserActionRequiredErr returns a new acme error.
func (*Error) Official ¶ added in v0.14.5
Official returns true if this error's type is listed in §6.7 of RFC 8555. Error types in §6.7 are registered under IETF urn namespace:
"urn:ietf:params:acme:error:"
and should include the namespace as a prefix when appearing as a problem document.
RFC 8555 also says:
This list is not exhaustive. The server MAY return errors whose "type" field is set to a URI other than those defined above. Servers MUST NOT use the ACME URN namespace for errors not listed in the appropriate IANA registry (see Section 9.6). Clients SHOULD display the "detail" field of all errors.
In this case Official returns `false` so that a different namespace can be used.
func (*Error) StatusCode ¶
StatusCode returns the status code and implements the StatusCode interface.
type Identifier ¶
Identifier encodes the type that an order pertains to.
type Interface ¶
type Interface interface { GetDirectory(ctx context.Context) (*Directory, error) NewNonce() (string, error) UseNonce(string) error DeactivateAccount(ctx context.Context, accID string) (*Account, error) GetAccount(ctx context.Context, accID string) (*Account, error) GetAccountByKey(ctx context.Context, key *jose.JSONWebKey) (*Account, error) NewAccount(ctx context.Context, ao AccountOptions) (*Account, error) UpdateAccount(context.Context, string, []string) (*Account, error) GetAuthz(ctx context.Context, accID string, authzID string) (*Authz, error) ValidateChallenge(ctx context.Context, accID string, chID string, key *jose.JSONWebKey) (*Challenge, error) FinalizeOrder(ctx context.Context, accID string, orderID string, csr *x509.CertificateRequest) (*Order, error) GetOrder(ctx context.Context, accID string, orderID string) (*Order, error) GetOrdersByAccount(ctx context.Context, accID string) ([]string, error) NewOrder(ctx context.Context, oo OrderOptions) (*Order, error) GetCertificate(string, string) ([]byte, error) LoadProvisionerByID(string) (provisioner.Interface, error) GetLink(ctx context.Context, linkType Link, absoluteLink bool, inputs ...string) string GetLinkExplicit(linkType Link, provName string, absoluteLink bool, baseURL *url.URL, inputs ...string) string }
Interface is the acme authority interface.
type Link ¶
type Link int
Link captures the link type.
const ( // NewNonceLink new-nonce NewNonceLink Link = iota // NewAccountLink new-account NewAccountLink // AccountLink account AccountLink // OrderLink order OrderLink // NewOrderLink new-order NewOrderLink // OrdersByAccountLink list of orders owned by account OrdersByAccountLink // FinalizeLink finalize order FinalizeLink // NewAuthzLink authz NewAuthzLink // AuthzLink new-authz AuthzLink // ChallengeLink challenge ChallengeLink // CertificateLink certificate CertificateLink // DirectoryLink directory DirectoryLink // RevokeCertLink revoke certificate RevokeCertLink // KeyChangeLink key rollover KeyChangeLink )
type MockProvisioner ¶ added in v0.14.5
type MockProvisioner struct { Mret1 interface{} Merr error MgetName func() string MdefaultTLSCertDuration func() time.Duration }
MockProvisioner for testing
func (*MockProvisioner) AuthorizeSign ¶ added in v0.14.5
func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error)
AuthorizeSign mock
func (*MockProvisioner) DefaultTLSCertDuration ¶ added in v0.14.5
func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration
DefaultTLSCertDuration mock
func (*MockProvisioner) GetName ¶ added in v0.14.5
func (m *MockProvisioner) GetName() string
GetName mock
type Order ¶
type Order struct { Status string `json:"status"` Expires string `json:"expires,omitempty"` Identifiers []Identifier `json:"identifiers"` NotBefore string `json:"notBefore,omitempty"` NotAfter string `json:"notAfter,omitempty"` Error interface{} `json:"error,omitempty"` Authorizations []string `json:"authorizations"` Finalize string `json:"finalize"` Certificate string `json:"certificate,omitempty"` ID string `json:"-"` }
Order contains order metadata for the ACME protocol order type.
type OrderOptions ¶
type OrderOptions struct { AccountID string `json:"accID"` Identifiers []Identifier `json:"identifiers"` NotBefore time.Time `json:"notBefore"` NotAfter time.Time `json:"notAfter"` // contains filtered or unexported fields }
OrderOptions options with which to create a new Order.
type Provisioner ¶ added in v0.14.5
type Provisioner interface { AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) GetName() string DefaultTLSCertDuration() time.Duration }
Provisioner is an interface that implements a subset of the provisioner.Interface -- only those methods required by the ACME api/authority.
func ProvisionerFromContext ¶ added in v0.14.5
func ProvisionerFromContext(ctx context.Context) (Provisioner, error)
ProvisionerFromContext searches the context for a provisioner. Returns the provisioner or an error.
type SignAuthority ¶
type SignAuthority interface { Sign(cr *x509.CertificateRequest, opts provisioner.Options, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) LoadProvisionerByID(string) (provisioner.Interface, error) }
SignAuthority is the interface implemented by a CA authority.