acme

package
Published: Dec 29, 2021 License: Apache-2.0 Imports: 30 Imported by: 21

Documentation

Index

Constants

This section is empty.

Variables

// Status values carried by ACME resources: Account, Authorization, Challenge
// and Order each expose one of these in their Status field.
// NOTE(review): these are declared with var rather than const, so they are
// mutable package-level state.
var (
	// StatusValid -- valid
	StatusValid = Status("valid")
	// StatusInvalid -- invalid
	StatusInvalid = Status("invalid")
	// StatusPending -- pending; e.g. an Order that is not ready to be finalized.
	StatusPending = Status("pending")
	// StatusDeactivated -- deactivated; e.g. for an Account that is no longer valid.
	StatusDeactivated = Status("deactivated")
	// StatusReady -- ready; e.g. for an Order that is ready to be finalized.
	StatusReady = Status("ready")
)
// ErrNotFound is the sentinel error DB implementations return when an entity
// does not exist (e.g. GetAccountByKeyID for an unknown key ID, which the
// new-account flow treats as "create it"). Compare with errors.Is.
var ErrNotFound = errors.New("not found")

ErrNotFound is an error that should be used by the acme.DB interface to indicate that an entity does not exist. For example, in the new-account endpoint, if GetAccountByKeyID returns ErrNotFound we will create the new account.

Functions

func KeyAuthorization

func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error)

KeyAuthorization creates the ACME key authorization value from a token and a jwk.

func KeyToID added in v0.15.12

func KeyToID(jwk *jose.JSONWebKey) (string, error)

KeyToID converts a JWK to a thumbprint.

func WriteError added in v0.15.12

func WriteError(w http.ResponseWriter, err *Error)

WriteError writes to w a JSON representation of the given error.

Types

type Account

// Account is the ACME-facing subset of the internal account. ID and Key are
// tagged `json:"-"` and so are never written into protocol responses; only
// Contact, Status and OrdersURL are serialized.
type Account struct {
	ID        string           `json:"-"` // internal identifier, not serialized
	Key       *jose.JSONWebKey `json:"-"` // account key (JWK), not serialized
	Contact   []string         `json:"contact,omitempty"`
	Status    Status           `json:"status"`
	OrdersURL string           `json:"orders"`
}

Account is a subset of the internal account type containing only those attributes required for responses in the ACME protocol.

func (*Account) IsValid

func (a *Account) IsValid() bool

IsValid returns true if the Account is valid.

func (*Account) ToLog

func (a *Account) ToLog() (interface{}, error)

ToLog enables response logging.

type Authorization added in v0.15.12

// Authorization represents an ACME Authorization for a single Identifier.
// ID, AccountID and Token are internal (`json:"-"`) and never serialized.
type Authorization struct {
	ID         string       `json:"-"`
	AccountID  string       `json:"-"`
	Token      string       `json:"-"` // internal, not exposed in responses
	Identifier Identifier   `json:"identifier"`
	Status     Status       `json:"status"`
	Challenges []*Challenge `json:"challenges"`
	Wildcard   bool         `json:"wildcard"`
	ExpiresAt  time.Time    `json:"expires"`
	Error      *Error       `json:"error,omitempty"` // set only when the authorization failed
}

Authorization represents an ACME Authorization.

func (*Authorization) ToLog added in v0.15.12

func (az *Authorization) ToLog() (interface{}, error)

ToLog enables response logging.

func (*Authorization) UpdateStatus added in v0.15.12

func (az *Authorization) UpdateStatus(ctx context.Context, db DB) error

UpdateStatus updates the ACME Authorization Status if necessary. Changes to the Authorization are saved using the database interface.

type Certificate added in v0.15.12

// Certificate holds the options with which a certificate object is created
// and stored. It has no JSON tags, so it is a storage type rather than a
// protocol response.
type Certificate struct {
	ID            string
	AccountID     string
	OrderID       string
	Leaf          *x509.Certificate   // the issued end-entity certificate
	Intermediates []*x509.Certificate // issuing chain, excluding Leaf
}

Certificate holds the options with which to create and store a cert object.

type CertificateAuthority added in v0.15.12

// CertificateAuthority is the interface implemented by a CA authority; it is
// the `auth` argument Order.Finalize uses to issue the certificate.
type CertificateAuthority interface {
	// Sign issues a certificate chain for the CSR under the given options.
	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	// IsRevoked reports whether the certificate identified by sn is revoked.
	// NOTE(review): sn is presumably a serial number string in the same form
	// DB.GetCertificateBySerial expects — confirm.
	IsRevoked(sn string) (bool, error)
	// Revoke revokes a certificate according to the given options.
	Revoke(context.Context, *authority.RevokeOptions) error
	// LoadProvisionerByName looks up a provisioner by its name.
	LoadProvisionerByName(string) (provisioner.Interface, error)
}

CertificateAuthority is the interface implemented by a CA authority.

type Challenge

// Challenge represents an ACME response Challenge. ID, AccountID,
// AuthorizationID and Value are internal (`json:"-"`); Token and URL are
// part of the protocol response.
type Challenge struct {
	ID              string        `json:"-"`
	AccountID       string        `json:"-"`
	AuthorizationID string        `json:"-"`
	Value           string        `json:"-"` // internal; presumably the identifier value under validation — confirm
	Type            ChallengeType `json:"type"`
	Status          Status        `json:"status"`
	Token           string        `json:"token"`
	ValidatedAt     string        `json:"validated,omitempty"` // stored as a string, not time.Time
	URL             string        `json:"url"`
	Error           *Error        `json:"error,omitempty"` // set only when validation failed
}

Challenge represents an ACME response Challenge type.

func (*Challenge) ToLog

func (ch *Challenge) ToLog() (interface{}, error)

ToLog enables response logging.

func (*Challenge) Validate added in v0.15.12

func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, vo *ValidateChallengeOptions) error

Validate attempts to validate the challenge. Changes to the Challenge are stored using the DB interface. If the challenge is satisfactorily validated, the 'status' and 'validated' attributes are updated.

type ChallengeType added in v0.16.0

// ChallengeType is the ACME challenge type carried in Challenge.Type; the
// string values are the identifiers used on the wire.
type ChallengeType string

const (
	// HTTP01 is the http-01 ACME challenge type
	HTTP01 ChallengeType = "http-01"
	// DNS01 is the dns-01 ACME challenge type
	DNS01 ChallengeType = "dns-01"
	// TLSALPN01 is the tls-alpn-01 ACME challenge type
	TLSALPN01 ChallengeType = "tls-alpn-01"
)

type Clock

// Clock is a zero-size clock whose Now method returns the UTC time rounded
// to seconds.
type Clock struct{}

Clock is a clock that returns the time in UTC rounded to seconds.

func (*Clock) Now

func (c *Clock) Now() time.Time

Now returns the UTC time rounded to seconds.

type DB added in v0.15.12

// DB is the persistence interface expected by the step-ca ACME API.
// Lookups report a missing entity with ErrNotFound.
type DB interface {
	// Accounts. GetAccountByKeyID returns ErrNotFound when no account has
	// the key ID, which the new-account endpoint uses to decide to create one.
	CreateAccount(ctx context.Context, acc *Account) error
	GetAccount(ctx context.Context, id string) (*Account, error)
	GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)
	UpdateAccount(ctx context.Context, acc *Account) error

	// Nonces. A nonce is created once and deleted on use.
	CreateNonce(ctx context.Context) (Nonce, error)
	DeleteNonce(ctx context.Context, nonce Nonce) error

	// Authorizations.
	CreateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorization(ctx context.Context, id string) (*Authorization, error)
	UpdateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)

	// Certificates, addressable by ID or by serial.
	CreateCertificate(ctx context.Context, cert *Certificate) error
	GetCertificate(ctx context.Context, id string) (*Certificate, error)
	GetCertificateBySerial(ctx context.Context, serial string) (*Certificate, error)

	// Challenges. GetChallenge requires both the challenge ID and its
	// authorization ID.
	CreateChallenge(ctx context.Context, ch *Challenge) error
	GetChallenge(ctx context.Context, id, authzID string) (*Challenge, error)
	UpdateChallenge(ctx context.Context, ch *Challenge) error

	// Orders. GetOrdersByAccountID returns order IDs, not Order values.
	CreateOrder(ctx context.Context, o *Order) error
	GetOrder(ctx context.Context, id string) (*Order, error)
	GetOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
	UpdateOrder(ctx context.Context, o *Order) error
}

DB is the DB interface expected by the step-ca ACME API.

type Error

// Error represents an ACME error. Only Type, Detail, Subproblems and
// Identifier are serialized; the wrapped internal error (Err) and the HTTP
// status (Status) are tagged `json:"-"` and never reach the response body.
type Error struct {
	Type        string        `json:"type"`
	Detail      string        `json:"detail"`
	Subproblems []interface{} `json:"subproblems,omitempty"` // presumably used with ErrorCompoundType — confirm
	Identifier  interface{}   `json:"identifier,omitempty"`
	Err         error         `json:"-"` // internal cause, returned by Cause; not exposed to clients
	Status      int           `json:"-"` // HTTP status; see StatusCode
}

Error represents an ACME error.

func NewError added in v0.15.12

func NewError(pt ProblemType, msg string, args ...interface{}) *Error

NewError creates a new Error type.

func NewErrorISE added in v0.15.12

func NewErrorISE(msg string, args ...interface{}) *Error

NewErrorISE creates a new ErrorServerInternalType Error.

func WrapError added in v0.15.12

func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error

WrapError attempts to wrap the internal error.

func WrapErrorISE added in v0.15.12

func WrapErrorISE(err error, msg string, args ...interface{}) *Error

WrapErrorISE is a shortcut to wrap an internal server error type.

func (*Error) Cause

func (e *Error) Cause() error

Cause returns the internal error and implements the Causer interface.

func (*Error) Error

func (e *Error) Error() string

Error allows *Error to implement the error interface.

func (*Error) StatusCode

func (e *Error) StatusCode() int

StatusCode returns the status code and implements the StatusCoder interface.

func (*Error) ToLog added in v0.15.12

func (e *Error) ToLog() (interface{}, error)

ToLog implements the EnableLogger interface.

type Identifier

// Identifier encodes the type and value that an order pertains to
// (e.g. a dns name or an ip address; see IdentifierType).
type Identifier struct {
	Type  IdentifierType `json:"type"`
	Value string         `json:"value"`
}

Identifier encodes the type that an order pertains to.

type IdentifierType added in v0.16.0

// IdentifierType is the ACME identifier type carried in Identifier.Type;
// the string values are the identifiers used on the wire.
type IdentifierType string

const (
	// IP is the ACME ip identifier type
	IP IdentifierType = "ip"
	// DNS is the ACME dns identifier type
	DNS IdentifierType = "dns"
)

type MockDB added in v0.15.12

// MockDB is an implementation of the DB interface that should only be used
// as a mock in tests. Each Mock* field replaces the corresponding DB method;
// it must never be wired in as a production store.
type MockDB struct {
	MockCreateAccount     func(ctx context.Context, acc *Account) error
	MockGetAccount        func(ctx context.Context, id string) (*Account, error)
	MockGetAccountByKeyID func(ctx context.Context, kid string) (*Account, error)
	MockUpdateAccount     func(ctx context.Context, acc *Account) error

	MockCreateNonce func(ctx context.Context) (Nonce, error)
	MockDeleteNonce func(ctx context.Context, nonce Nonce) error

	MockCreateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorization             func(ctx context.Context, id string) (*Authorization, error)
	MockUpdateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorizationsByAccountID func(ctx context.Context, accountID string) ([]*Authorization, error)

	MockCreateCertificate      func(ctx context.Context, cert *Certificate) error
	MockGetCertificate         func(ctx context.Context, id string) (*Certificate, error)
	MockGetCertificateBySerial func(ctx context.Context, serial string) (*Certificate, error)

	MockCreateChallenge func(ctx context.Context, ch *Challenge) error
	MockGetChallenge    func(ctx context.Context, id, authzID string) (*Challenge, error)
	MockUpdateChallenge func(ctx context.Context, ch *Challenge) error

	MockCreateOrder          func(ctx context.Context, o *Order) error
	MockGetOrder             func(ctx context.Context, id string) (*Order, error)
	MockGetOrdersByAccountID func(ctx context.Context, accountID string) ([]string, error)
	MockUpdateOrder          func(ctx context.Context, o *Order) error

	// NOTE(review): MockRet1 and MockError are presumably the fallback
	// return values used when the matching Mock* func is nil — confirm
	// against the mock method bodies, which are not shown here.
	MockRet1  interface{}
	MockError error
}

MockDB is an implementation of the DB interface that should only be used as a mock in tests.

func (*MockDB) CreateAccount added in v0.15.12

func (m *MockDB) CreateAccount(ctx context.Context, acc *Account) error

CreateAccount mock.

func (*MockDB) CreateAuthorization added in v0.15.12

func (m *MockDB) CreateAuthorization(ctx context.Context, az *Authorization) error

CreateAuthorization mock

func (*MockDB) CreateCertificate added in v0.15.12

func (m *MockDB) CreateCertificate(ctx context.Context, cert *Certificate) error

CreateCertificate mock

func (*MockDB) CreateChallenge added in v0.15.12

func (m *MockDB) CreateChallenge(ctx context.Context, ch *Challenge) error

CreateChallenge mock

func (*MockDB) CreateNonce added in v0.15.12

func (m *MockDB) CreateNonce(ctx context.Context) (Nonce, error)

CreateNonce mock

func (*MockDB) CreateOrder added in v0.15.12

func (m *MockDB) CreateOrder(ctx context.Context, o *Order) error

CreateOrder mock

func (*MockDB) DeleteNonce added in v0.15.12

func (m *MockDB) DeleteNonce(ctx context.Context, nonce Nonce) error

DeleteNonce mock

func (*MockDB) GetAccount added in v0.15.12

func (m *MockDB) GetAccount(ctx context.Context, id string) (*Account, error)

GetAccount mock.

func (*MockDB) GetAccountByKeyID added in v0.15.12

func (m *MockDB) GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)

GetAccountByKeyID mock

func (*MockDB) GetAuthorization added in v0.15.12

func (m *MockDB) GetAuthorization(ctx context.Context, id string) (*Authorization, error)

GetAuthorization mock

func (*MockDB) GetAuthorizationsByAccountID added in v0.18.1

func (m *MockDB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)

GetAuthorizationsByAccountID mock

func (*MockDB) GetCertificate added in v0.15.12

func (m *MockDB) GetCertificate(ctx context.Context, id string) (*Certificate, error)

GetCertificate mock

func (*MockDB) GetCertificateBySerial added in v0.18.1

func (m *MockDB) GetCertificateBySerial(ctx context.Context, serial string) (*Certificate, error)

GetCertificateBySerial mock

func (*MockDB) GetChallenge added in v0.15.12

func (m *MockDB) GetChallenge(ctx context.Context, chID, azID string) (*Challenge, error)

GetChallenge mock

func (*MockDB) GetOrder added in v0.15.12

func (m *MockDB) GetOrder(ctx context.Context, id string) (*Order, error)

GetOrder mock

func (*MockDB) GetOrdersByAccountID added in v0.15.12

func (m *MockDB) GetOrdersByAccountID(ctx context.Context, accID string) ([]string, error)

GetOrdersByAccountID mock

func (*MockDB) UpdateAccount added in v0.15.12

func (m *MockDB) UpdateAccount(ctx context.Context, acc *Account) error

UpdateAccount mock

func (*MockDB) UpdateAuthorization added in v0.15.12

func (m *MockDB) UpdateAuthorization(ctx context.Context, az *Authorization) error

UpdateAuthorization mock

func (*MockDB) UpdateChallenge added in v0.15.12

func (m *MockDB) UpdateChallenge(ctx context.Context, ch *Challenge) error

UpdateChallenge mock

func (*MockDB) UpdateOrder added in v0.15.12

func (m *MockDB) UpdateOrder(ctx context.Context, o *Order) error

UpdateOrder mock

type MockProvisioner added in v0.14.5

// MockProvisioner is a test double for the Provisioner interface; each M*
// field replaces the corresponding method. Not for production use.
type MockProvisioner struct {
	// NOTE(review): Mret1 and Merr are presumably the fallback return values
	// used when the matching M* func is nil — confirm against the mock bodies.
	Mret1                   interface{}
	Merr                    error
	MgetID                  func() string
	MgetName                func() string
	MauthorizeSign          func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
	MauthorizeRevoke        func(ctx context.Context, token string) error
	MdefaultTLSCertDuration func() time.Duration
	MgetOptions             func() *provisioner.Options
}

MockProvisioner is a mock Provisioner for testing.

func (*MockProvisioner) AuthorizeRevoke added in v0.18.1

func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke mock

func (*MockProvisioner) AuthorizeSign added in v0.14.5

func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error)

AuthorizeSign mock

func (*MockProvisioner) DefaultTLSCertDuration added in v0.14.5

func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration mock

func (*MockProvisioner) GetID added in v0.15.12

func (m *MockProvisioner) GetID() string

GetID mock

func (*MockProvisioner) GetName added in v0.14.5

func (m *MockProvisioner) GetName() string

GetName mock

func (*MockProvisioner) GetOptions added in v0.15.0

func (m *MockProvisioner) GetOptions() *provisioner.Options

GetOptions mock

type Nonce added in v0.15.12

// Nonce is an ACME anti-replay nonce (see ErrorBadNonceType). The DB
// interface creates one with CreateNonce and consumes it with DeleteNonce.
type Nonce string

Nonce represents an ACME nonce type.

func (Nonce) String added in v0.15.12

func (n Nonce) String() string

String implements the ToString interface.

type Order

// Order contains order metadata for the ACME protocol order type. Internal
// references (AccountID, ProvisionerID, AuthorizationIDs, CertificateID) are
// tagged `json:"-"`; clients only see the corresponding URLs.
type Order struct {
	ID                string       `json:"id"`
	AccountID         string       `json:"-"`
	ProvisionerID     string       `json:"-"`
	Status            Status       `json:"status"`
	ExpiresAt         time.Time    `json:"expires"`
	Identifiers       []Identifier `json:"identifiers"`
	NotBefore         time.Time    `json:"notBefore"`
	NotAfter          time.Time    `json:"notAfter"`
	Error             *Error       `json:"error,omitempty"`
	AuthorizationIDs  []string     `json:"-"`              // internal IDs behind AuthorizationURLs
	AuthorizationURLs []string     `json:"authorizations"`
	FinalizeURL       string       `json:"finalize"`
	CertificateID     string       `json:"-"`                      // internal ID behind CertificateURL
	CertificateURL    string       `json:"certificate,omitempty"` // set once the order is finalized
}

Order contains order metadata for the ACME protocol order type.

func (*Order) Finalize

func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error

Finalize signs a certificate if the necessary conditions for Order completion have been met.

func (*Order) ToLog

func (o *Order) ToLog() (interface{}, error)

ToLog enables response logging.

func (*Order) UpdateStatus added in v0.15.12

func (o *Order) UpdateStatus(ctx context.Context, db DB) error

UpdateStatus updates the ACME Order Status if necessary. Changes to the order are saved using the database interface.

type ProblemType added in v0.15.12

// ProblemType is the type of the ACME problem; its String method gives the
// textual form used in responses.
type ProblemType int

ProblemType is the type of the ACME problem.

// ProblemType values. They are assigned by iota, so the numeric value of each
// entry is positional; inserting a new entry in the middle renumbers the ones
// after it. Use String for the stable textual form.
const (
	// ErrorAccountDoesNotExistType request specified an account that does not exist
	ErrorAccountDoesNotExistType ProblemType = iota
	// ErrorAlreadyRevokedType request specified a certificate to be revoked that has already been revoked
	ErrorAlreadyRevokedType
	// ErrorBadCSRType CSR is unacceptable (e.g., due to a short key)
	ErrorBadCSRType
	// ErrorBadNonceType client sent an unacceptable anti-replay nonce
	ErrorBadNonceType
	// ErrorBadPublicKeyType JWS was signed by a public key the server does not support
	ErrorBadPublicKeyType
	// ErrorBadRevocationReasonType revocation reason provided is not allowed by the server
	ErrorBadRevocationReasonType
	// ErrorBadSignatureAlgorithmType JWS was signed with an algorithm the server does not support
	ErrorBadSignatureAlgorithmType
	// ErrorCaaType Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate
	ErrorCaaType
	// ErrorCompoundType error conditions are indicated in the “subproblems” array.
	ErrorCompoundType
	// ErrorConnectionType server could not connect to validation target
	ErrorConnectionType
	// ErrorDNSType there was a problem with a DNS query during identifier validation
	ErrorDNSType
	// ErrorExternalAccountRequiredType request must include a value for the “externalAccountBinding” field
	ErrorExternalAccountRequiredType
	// ErrorIncorrectResponseType response received didn’t match the challenge’s requirements
	ErrorIncorrectResponseType
	// ErrorInvalidContactType contact URL for an account was invalid
	ErrorInvalidContactType
	// ErrorMalformedType request message was malformed
	ErrorMalformedType
	// ErrorOrderNotReadyType request attempted to finalize an order that is not ready to be finalized
	ErrorOrderNotReadyType
	// ErrorRateLimitedType request exceeds a rate limit
	ErrorRateLimitedType
	// ErrorRejectedIdentifierType server will not issue certificates for the identifier
	ErrorRejectedIdentifierType
	// ErrorServerInternalType server experienced an internal error
	ErrorServerInternalType
	// ErrorTLSType server received a TLS error during validation
	ErrorTLSType
	// ErrorUnauthorizedType client lacks sufficient authorization
	ErrorUnauthorizedType
	// ErrorUnsupportedContactType contact URL for an account used an unsupported protocol scheme
	ErrorUnsupportedContactType
	// ErrorUnsupportedIdentifierType identifier is of an unsupported type
	ErrorUnsupportedIdentifierType
	// ErrorUserActionRequiredType user should visit the “instance” URL and take actions specified there
	ErrorUserActionRequiredType
	// ErrorNotImplementedType operation is not implemented
	ErrorNotImplementedType
)

func (ProblemType) String added in v0.15.12

func (ap ProblemType) String() string

String returns the string representation of the acme problem type, fulfilling the Stringer interface.

type Provisioner added in v0.14.5

// Provisioner is the subset of provisioner.Interface required by the ACME
// api/authority; Order.Finalize takes one as its `p` argument.
type Provisioner interface {
	// AuthorizeSign checks the token and returns the sign options to apply.
	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
	// AuthorizeRevoke checks whether the token permits revocation.
	AuthorizeRevoke(ctx context.Context, token string) error
	GetID() string
	GetName() string
	// DefaultTLSCertDuration is the validity period used when none is given.
	DefaultTLSCertDuration() time.Duration
	GetOptions() *provisioner.Options
}

Provisioner is an interface that implements a subset of the provisioner.Interface -- only those methods required by the ACME api/authority.

type Status added in v0.15.12

// Status represents an ACME status; the defined values are StatusValid,
// StatusInvalid, StatusPending, StatusDeactivated and StatusReady.
type Status string

Status represents an ACME status.

type ValidateChallengeOptions added in v0.15.12

// ValidateChallengeOptions are the network functions Challenge.Validate
// uses to reach the validation target. Supplying them lets tests replace
// real network access.
// NOTE(review): the unexported httpGetter/lookupTxt/tlsDialer types are not
// shown here; presumably HTTPGet serves http-01, LookupTxt dns-01 and
// TLSDial tls-alpn-01 — confirm.
type ValidateChallengeOptions struct {
	HTTPGet   httpGetter
	LookupTxt lookupTxt
	TLSDial   tlsDialer
}

ValidateChallengeOptions are ACME challenge validator functions.

Directories

Path Synopsis
db
