Variables ¶
// ACME resource states shared by Account, Order, Authorization and
// Challenge. The string values are the wire-level status names.
var (
	// StatusValid -- valid
	StatusValid = Status("valid")
	// StatusInvalid -- invalid
	StatusInvalid = Status("invalid")
	// StatusPending -- pending; e.g. an Order that is not ready to be finalized.
	StatusPending = Status("pending")
	// StatusDeactivated -- deactivated; e.g. for an Account that is no longer valid.
	StatusDeactivated = Status("deactivated")
	// StatusReady -- ready; e.g. for an Order that is ready to be finalized.
	StatusReady = Status("ready")
)
// ErrNotFound is the sentinel a DB implementation returns when the requested
// entity does not exist; callers are expected to check it with errors.Is so
// that a wrapped error is still recognized.
var ErrNotFound = errors.New("not found")
ErrNotFound is an error that should be used by the acme.DB interface to indicate that an entity does not exist. For example, in the new-account endpoint, if GetAccountByKeyID returns ErrNotFound we will create the new account.
Functions ¶
func DefaultPrerequisitesChecker ¶ added in v0.20.0
DefaultPrerequisitesChecker is the default PrerequisitesChecker and always returns true.
func GetUnescapedPathSuffix ¶ added in v0.20.0
func KeyAuthorization ¶
func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error)
KeyAuthorization creates the ACME key authorization value from a token and a jwk.
func KeyToID ¶ added in v0.15.12
func KeyToID(jwk *jose.JSONWebKey) (string, error)
KeyToID converts a JWK to a thumbprint.
func NewClientContext ¶ added in v0.20.0
NewClientContext adds the given client to the context.
func NewContext ¶ added in v0.20.0
func NewContext(ctx context.Context, db DB, client Client, linker Linker, fn PrerequisitesChecker) context.Context
NewContext adds the given acme components to the context.
func NewDatabaseContext ¶ added in v0.20.0
NewDatabaseContext adds the given acme database to the context.
func NewLinkerContext ¶ added in v0.20.0
NewLinkerContext adds the given linker to the context.
func NewPrerequisitesCheckerContext ¶ added in v0.20.0
func NewPrerequisitesCheckerContext(ctx context.Context, fn PrerequisitesChecker) context.Context
NewPrerequisitesCheckerContext adds the given PrerequisitesChecker to the context.
func NewProvisionerContext ¶ added in v0.20.0
func NewProvisionerContext(ctx context.Context, v Provisioner) context.Context
NewProvisionerContext adds the given provisioner to the context.
Types ¶
type Account ¶
// Account is the subset of the internal account type that is returned in ACME
// responses. Fields tagged `json:"-"` are server-side only and are never
// serialized to the client.
type Account struct {
	// ID is the internal account identifier; not serialized.
	ID string `json:"-"`
	// Key is the account's public JWK; not serialized in responses.
	Key *jose.JSONWebKey `json:"-"`
	// Contact holds the account contact URLs.
	Contact []string `json:"contact,omitempty"`
	// Status is the account state (e.g. StatusValid, StatusDeactivated).
	Status Status `json:"status"`
	// OrdersURL is the URL listing the account's orders.
	OrdersURL string `json:"orders"`
	// ExternalAccountBinding echoes the EAB object presented at account
	// creation, when one was used.
	ExternalAccountBinding interface{} `json:"externalAccountBinding,omitempty"`
}
Account is a subset of the internal account type containing only those attributes required for responses in the ACME protocol.
type AttestationObject ¶ added in v0.23.0
type Authorization ¶ added in v0.15.12
// Authorization represents an ACME Authorization for a single Identifier.
// Fields tagged `json:"-"` are internal and not serialized to the client.
type Authorization struct {
	// ID is the internal authorization identifier; not serialized.
	ID string `json:"-"`
	// AccountID is the owning account; not serialized.
	AccountID string `json:"-"`
	// Token is the challenge token associated with this authorization; not
	// serialized at this level (the Challenge carries its own token field).
	Token string `json:"-"`
	// Identifier is the identifier being authorized.
	Identifier Identifier `json:"identifier"`
	// Status is the authorization state.
	Status Status `json:"status"`
	// Challenges are the challenges the client may complete.
	Challenges []*Challenge `json:"challenges"`
	// Wildcard reports whether the identifier was requested as a wildcard.
	Wildcard bool `json:"wildcard"`
	// ExpiresAt is the authorization expiry.
	ExpiresAt time.Time `json:"expires"`
	// Error describes why the authorization became invalid, if it did.
	Error *Error `json:"error,omitempty"`
}
Authorization represents an ACME Authorization.
func (*Authorization) ToLog ¶ added in v0.15.12
func (az *Authorization) ToLog() (interface{}, error)
ToLog enables response logging.
func (*Authorization) UpdateStatus ¶ added in v0.15.12
func (az *Authorization) UpdateStatus(ctx context.Context, db DB) error
UpdateStatus updates the ACME Authorization Status if necessary. Changes to the Authorization are saved using the database interface.
type Certificate ¶ added in v0.15.12
// Certificate holds an issued certificate together with the identifiers of
// the account and order it belongs to. It has no JSON tags because it is a
// storage type, not an ACME response body.
type Certificate struct {
	// ID is the internal certificate identifier.
	ID string
	// AccountID is the account the certificate was issued to.
	AccountID string
	// OrderID is the order that was finalized to produce the certificate.
	OrderID string
	// Leaf is the end-entity certificate.
	Leaf *x509.Certificate
	// Intermediates are the issuing chain certificates returned with the leaf.
	Intermediates []*x509.Certificate
}
Certificate options with which to create and store a cert object.
type CertificateAuthority ¶ added in v0.15.12
// CertificateAuthority is the interface implemented by a CA authority; it is
// the issuance, revocation and policy surface the ACME layer depends on.
type CertificateAuthority interface {
	// Sign issues a certificate chain for the CSR using the given sign options.
	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	// AreSANsAllowed checks the requested SANs against the authority's policy,
	// returning a non-nil error when they are not permitted.
	AreSANsAllowed(ctx context.Context, sans []string) error
	// IsRevoked reports whether the certificate with serial number sn is revoked.
	IsRevoked(sn string) (bool, error)
	// Revoke revokes a certificate according to the given options.
	Revoke(context.Context, *authority.RevokeOptions) error
	// LoadProvisionerByName looks up a provisioner by its configured name.
	LoadProvisionerByName(string) (provisioner.Interface, error)
}
CertificateAuthority is the interface implemented by a CA authority.
type Challenge ¶
// Challenge represents an ACME Challenge as returned in responses. Fields
// tagged `json:"-"` are server-side only and are never serialized.
type Challenge struct {
	// ID is the internal challenge identifier; not serialized.
	ID string `json:"-"`
	// AccountID is the owning account; not serialized.
	AccountID string `json:"-"`
	// AuthorizationID is the parent authorization; not serialized.
	AuthorizationID string `json:"-"`
	// Value is the identifier value being validated; not serialized.
	Value string `json:"-"`
	// Type is the challenge type (HTTP01, DNS01, TLSALPN01, DEVICEATTEST01).
	Type ChallengeType `json:"type"`
	// Status is the challenge state.
	Status Status `json:"status"`
	// Token is the random token the client must prove control with; it is
	// intentionally part of the response, as the protocol requires.
	Token string `json:"token"`
	// ValidatedAt is set once the challenge has been validated.
	ValidatedAt string `json:"validated,omitempty"`
	// URL is the challenge resource URL.
	URL string `json:"url"`
	// Error describes a failed validation, if any.
	Error *Error `json:"error,omitempty"`
}
Challenge represents an ACME response Challenge type.
func (*Challenge) Validate ¶ added in v0.15.12
func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, payload []byte) error
Validate attempts to validate the challenge. Stores changes to the Challenge type using the DB interface. If satisfactorily validated, the 'status' and 'validated' attributes are updated.
type ChallengeType ¶ added in v0.16.0
// ChallengeType is the wire-level name of an ACME challenge type.
type ChallengeType string

// Supported ACME challenge types.
const (
	// HTTP01 is the http-01 ACME challenge type
	HTTP01 ChallengeType = "http-01"
	// DNS01 is the dns-01 ACME challenge type
	DNS01 ChallengeType = "dns-01"
	// TLSALPN01 is the tls-alpn-01 ACME challenge type
	TLSALPN01 ChallengeType = "tls-alpn-01"
	// DEVICEATTEST01 is the device-attest-01 ACME challenge type
	DEVICEATTEST01 ChallengeType = "device-attest-01"
)
type Client ¶ added in v0.20.0
// Client is the interface used to verify ACME challenges. Implementations
// perform outbound HTTP, DNS and TLS requests to the validation target, so a
// production client should bound timeouts and redirect following.
// NOTE(review): the target addresses appear to derive from the identifier
// under validation — confirm in the challenge validation code.
type Client interface {
	// Get issues an HTTP GET to the specified URL.
	Get(url string) (*http.Response, error)
	// LookupTxt returns the DNS TXT records for the given domain name.
	LookupTxt(name string) ([]string, error)
	// TLSDial connects to the given network address using net.Dialer and then
	// initiates a TLS handshake, returning the resulting TLS connection.
	TLSDial(network, addr string, config *tls.Config) (*tls.Conn, error)
}
Client is the interface used to verify ACME challenges.
func ClientFromContext ¶ added in v0.20.0
ClientFromContext returns the current client from the given context.
func MustClientFromContext ¶ added in v0.20.0
MustClientFromContext returns the current client from the given context. It will return a new instance of the client if it does not exist.
type DB ¶ added in v0.15.12
// DB is the persistence interface expected by the step-ca ACME API.
// Implementations return ErrNotFound for lookups of entities that do not exist.
type DB interface {
	// Accounts.
	CreateAccount(ctx context.Context, acc *Account) error
	GetAccount(ctx context.Context, id string) (*Account, error)
	GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)
	UpdateAccount(ctx context.Context, acc *Account) error

	// External account binding keys, scoped by provisioner.
	CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
	// GetExternalAccountKeys pages through keys; the returned string is the
	// cursor for the next page.
	GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
	GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
	DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error
	UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error

	// Anti-replay nonces. NOTE(review): DeleteNonce presumably consumes a
	// nonce when a request uses it — confirm against the caller.
	CreateNonce(ctx context.Context) (Nonce, error)
	DeleteNonce(ctx context.Context, nonce Nonce) error

	// Authorizations.
	CreateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorization(ctx context.Context, id string) (*Authorization, error)
	UpdateAuthorization(ctx context.Context, az *Authorization) error
	GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)

	// Certificates.
	CreateCertificate(ctx context.Context, cert *Certificate) error
	GetCertificate(ctx context.Context, id string) (*Certificate, error)
	GetCertificateBySerial(ctx context.Context, serial string) (*Certificate, error)

	// Challenges; a challenge is addressed by its own id together with the
	// id of its parent authorization.
	CreateChallenge(ctx context.Context, ch *Challenge) error
	GetChallenge(ctx context.Context, id, authzID string) (*Challenge, error)
	UpdateChallenge(ctx context.Context, ch *Challenge) error

	// Orders; GetOrdersByAccountID returns order ids, not orders.
	CreateOrder(ctx context.Context, o *Order) error
	GetOrder(ctx context.Context, id string) (*Order, error)
	GetOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
	UpdateOrder(ctx context.Context, o *Order) error
}
DB is the DB interface expected by the step-ca ACME API.
func DatabaseFromContext ¶ added in v0.20.0
DatabaseFromContext returns the current acme database from the given context.
func MustDatabaseFromContext ¶ added in v0.20.0
MustDatabaseFromContext returns the current database from the given context. It will panic if it's not in the context.
type Error ¶
// Error represents an ACME error as sent to the client. Only Type, Detail,
// Subproblems and Identifier are serialized; the wrapped internal error and
// the HTTP status are tagged `json:"-"` so internal details do not leak into
// the response body.
type Error struct {
	// Type is the ACME problem type identifier.
	Type string `json:"type"`
	// Detail is the human-readable description.
	Detail string `json:"detail"`
	// Subproblems lists component problems for compound errors.
	Subproblems []interface{} `json:"subproblems,omitempty"`
	// Identifier names the identifier the error relates to, when applicable.
	Identifier interface{} `json:"identifier,omitempty"`
	// Err is the wrapped internal error; never serialized.
	Err error `json:"-"`
	// Status is the HTTP status code to respond with; never serialized
	// (exposed via StatusCode).
	Status int `json:"-"`
}
Error represents an ACME error.
func NewError ¶ added in v0.15.12
func NewError(pt ProblemType, msg string, args ...interface{}) *Error
NewError creates a new Error type.
func NewErrorISE ¶ added in v0.15.12
NewErrorISE creates a new ErrorServerInternalType Error.
func WrapError ¶ added in v0.15.12
func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error
WrapError attempts to wrap the internal error.
func WrapErrorISE ¶ added in v0.15.12
WrapErrorISE shortcut to wrap an internal server error type.
func (*Error) Render ¶ added in v0.19.0
func (e *Error) Render(w http.ResponseWriter)
Render implements render.RenderableError for Error.
func (*Error) StatusCode ¶
StatusCode returns the status code and implements the StatusCoder interface.
type ExternalAccountKey ¶ added in v0.18.1
// ExternalAccountKey is an ACME External Account Binding key. The HMAC
// secret and the bound account id are tagged `json:"-"` and are never
// serialized; everything else is returned by the admin API.
type ExternalAccountKey struct {
	// ID is the key identifier presented by clients in the EAB.
	ID string `json:"id"`
	// ProvisionerID scopes the key to one ACME provisioner.
	ProvisionerID string `json:"provisionerID"`
	// Reference is an operator-chosen label for the key.
	Reference string `json:"reference"`
	// AccountID is the account this key has been bound to; not serialized.
	AccountID string `json:"-"`
	// HmacKey is the shared secret used to verify the EAB; not serialized.
	HmacKey []byte `json:"-"`
	// CreatedAt is when the key was created.
	CreatedAt time.Time `json:"createdAt"`
	// BoundAt is when the key was bound to an account. NOTE: omitempty has no
	// effect on a time.Time struct, so an unbound key serializes the zero time.
	BoundAt time.Time `json:"boundAt,omitempty"`
	// Policy is an optional account-level policy attached to the key.
	Policy *Policy `json:"policy,omitempty"`
}
ExternalAccountKey is an ACME External Account Binding key.
func (*ExternalAccountKey) AlreadyBound ¶ added in v0.18.1
func (eak *ExternalAccountKey) AlreadyBound() bool
AlreadyBound returns whether this EAK is already bound to an ACME Account or not.
func (*ExternalAccountKey) BindTo ¶ added in v0.18.1
func (eak *ExternalAccountKey) BindTo(account *Account) error
BindTo binds the EAK to an Account. It returns an error if it's already bound.
type Identifier ¶
// Identifier encodes the type and value of the subject an order pertains to.
type Identifier struct {
	// Type is one of the IdentifierType constants (e.g. DNS, IP).
	Type IdentifierType `json:"type"`
	// Value is the identifier itself, e.g. a DNS name or IP address.
	Value string `json:"value"`
}
Identifier encodes the type that an order pertains to.
type IdentifierType ¶ added in v0.16.0
// IdentifierType is the wire-level name of an ACME identifier type.
type IdentifierType string

// Supported ACME identifier types.
const (
	// IP is the ACME ip identifier type
	IP IdentifierType = "ip"
	// DNS is the ACME dns identifier type
	DNS IdentifierType = "dns"
	// PermanentIdentifier is the ACME permanent-identifier identifier type
	// defined in https://datatracker.ietf.org/doc/html/draft-bweeks-acme-device-attest-00
	PermanentIdentifier IdentifierType = "permanent-identifier"
)
type LinkType ¶ added in v0.20.0
// LinkType captures the kind of ACME resource a Linker builds a URL for.
type LinkType int
LinkType captures the link type.
// Link types. Values are iota-based, so new entries must be appended at the
// end to keep existing values stable.
const (
	// NewNonceLinkType new-nonce
	NewNonceLinkType LinkType = iota
	// NewAccountLinkType new-account
	NewAccountLinkType
	// AccountLinkType account
	AccountLinkType
	// OrderLinkType order
	OrderLinkType
	// NewOrderLinkType new-order
	NewOrderLinkType
	// OrdersByAccountLinkType list of orders owned by account
	OrdersByAccountLinkType
	// FinalizeLinkType finalize order
	FinalizeLinkType
	// NewAuthzLinkType new-authz
	NewAuthzLinkType
	// AuthzLinkType authz
	AuthzLinkType
	// ChallengeLinkType challenge
	ChallengeLinkType
	// CertificateLinkType certificate
	CertificateLinkType
	// DirectoryLinkType directory
	DirectoryLinkType
	// RevokeCertLinkType revoke certificate
	RevokeCertLinkType
	// KeyChangeLinkType key rollover
	KeyChangeLinkType
)
type Linker ¶ added in v0.20.0
// Linker builds the URLs of ACME resources and fills the URL fields of
// response types before they are serialized.
type Linker interface {
	// GetLink returns the URL for the given link type and path inputs.
	GetLink(ctx context.Context, typ LinkType, inputs ...string) string
	// Middleware wraps an HTTP handler so that link generation has request
	// context available.
	Middleware(http.Handler) http.Handler
	// LinkOrder populates the URL fields of an Order.
	LinkOrder(ctx context.Context, o *Order)
	// LinkAccount populates the URL fields of an Account.
	LinkAccount(ctx context.Context, o *Account)
	// LinkChallenge populates the URL of a Challenge under authorization azID.
	LinkChallenge(ctx context.Context, o *Challenge, azID string)
	// LinkAuthorization populates the URL fields of an Authorization.
	LinkAuthorization(ctx context.Context, o *Authorization)
	// LinkOrdersByAccountID rewrites a list of order ids into order URLs in place.
	LinkOrdersByAccountID(ctx context.Context, orders []string)
}
Linker interface for generating links for ACME resources.
func LinkerFromContext ¶ added in v0.20.0
LinkerFromContext returns the current linker from the given context.
func MustLinkerFromContext ¶ added in v0.20.0
MustLinkerFromContext returns the current linker from the given context. It will panic if it's not in the context.
type MockDB ¶ added in v0.15.12
// MockDB is an implementation of the DB interface that should only be used as
// a mock in tests. Each MockXxx field, when set, is called by the method of
// the same name. NOTE(review): MockRet1/MockError presumably serve as the
// fallback result when a Mock function is nil — confirm against the methods.
type MockDB struct {
	MockCreateAccount     func(ctx context.Context, acc *Account) error
	MockGetAccount        func(ctx context.Context, id string) (*Account, error)
	MockGetAccountByKeyID func(ctx context.Context, kid string) (*Account, error)
	MockUpdateAccount     func(ctx context.Context, acc *Account) error

	MockCreateExternalAccountKey         func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	MockGetExternalAccountKey            func(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
	MockGetExternalAccountKeys           func(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
	MockGetExternalAccountKeyByReference func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
	MockGetExternalAccountKeyByAccountID func(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
	MockDeleteExternalAccountKey         func(ctx context.Context, provisionerID, keyID string) error
	MockUpdateExternalAccountKey         func(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error

	MockCreateNonce func(ctx context.Context) (Nonce, error)
	MockDeleteNonce func(ctx context.Context, nonce Nonce) error

	MockCreateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorization             func(ctx context.Context, id string) (*Authorization, error)
	MockUpdateAuthorization          func(ctx context.Context, az *Authorization) error
	MockGetAuthorizationsByAccountID func(ctx context.Context, accountID string) ([]*Authorization, error)

	MockCreateCertificate      func(ctx context.Context, cert *Certificate) error
	MockGetCertificate         func(ctx context.Context, id string) (*Certificate, error)
	MockGetCertificateBySerial func(ctx context.Context, serial string) (*Certificate, error)

	MockCreateChallenge func(ctx context.Context, ch *Challenge) error
	MockGetChallenge    func(ctx context.Context, id, authzID string) (*Challenge, error)
	MockUpdateChallenge func(ctx context.Context, ch *Challenge) error

	MockCreateOrder          func(ctx context.Context, o *Order) error
	MockGetOrder             func(ctx context.Context, id string) (*Order, error)
	MockGetOrdersByAccountID func(ctx context.Context, accountID string) ([]string, error)
	MockUpdateOrder          func(ctx context.Context, o *Order) error

	// Generic fallback return value and error.
	MockRet1  interface{}
	MockError error
}
MockDB is an implementation of the DB interface that should only be used as a mock in tests.
func (*MockDB) CreateAccount ¶ added in v0.15.12
CreateAccount mock.
func (*MockDB) CreateAuthorization ¶ added in v0.15.12
func (m *MockDB) CreateAuthorization(ctx context.Context, az *Authorization) error
CreateAuthorization mock
func (*MockDB) CreateCertificate ¶ added in v0.15.12
func (m *MockDB) CreateCertificate(ctx context.Context, cert *Certificate) error
CreateCertificate mock
func (*MockDB) CreateChallenge ¶ added in v0.15.12
CreateChallenge mock
func (*MockDB) CreateExternalAccountKey ¶ added in v0.18.1
func (m *MockDB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
CreateExternalAccountKey mock
func (*MockDB) CreateNonce ¶ added in v0.15.12
CreateNonce mock
func (*MockDB) CreateOrder ¶ added in v0.15.12
CreateOrder mock
func (*MockDB) DeleteExternalAccountKey ¶ added in v0.18.1
DeleteExternalAccountKey mock
func (*MockDB) DeleteNonce ¶ added in v0.15.12
DeleteNonce mock
func (*MockDB) GetAccount ¶ added in v0.15.12
GetAccount mock.
func (*MockDB) GetAccountByKeyID ¶ added in v0.15.12
GetAccountByKeyID mock
func (*MockDB) GetAuthorization ¶ added in v0.15.12
GetAuthorization mock
func (*MockDB) GetAuthorizationsByAccountID ¶ added in v0.18.1
func (m *MockDB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*Authorization, error)
GetAuthorizationsByAccountID mock
func (*MockDB) GetCertificate ¶ added in v0.15.12
GetCertificate mock
func (*MockDB) GetCertificateBySerial ¶ added in v0.18.1
GetCertificateBySerial mock
func (*MockDB) GetChallenge ¶ added in v0.15.12
GetChallenge mock
func (*MockDB) GetExternalAccountKey ¶ added in v0.18.1
func (m *MockDB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
GetExternalAccountKey mock
func (*MockDB) GetExternalAccountKeyByAccountID ¶ added in v0.20.0
func (m *MockDB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*ExternalAccountKey, error)
GetExternalAccountKeyByAccountID mock
func (*MockDB) GetExternalAccountKeyByReference ¶ added in v0.18.1
func (m *MockDB) GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
GetExternalAccountKeyByReference mock
func (*MockDB) GetExternalAccountKeys ¶ added in v0.18.1
func (m *MockDB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*ExternalAccountKey, string, error)
GetExternalAccountKeys mock
func (*MockDB) GetOrdersByAccountID ¶ added in v0.15.12
GetOrdersByAccountID mock
func (*MockDB) UpdateAccount ¶ added in v0.15.12
UpdateAccount mock
func (*MockDB) UpdateAuthorization ¶ added in v0.15.12
func (m *MockDB) UpdateAuthorization(ctx context.Context, az *Authorization) error
UpdateAuthorization mock
func (*MockDB) UpdateChallenge ¶ added in v0.15.12
UpdateChallenge mock
func (*MockDB) UpdateExternalAccountKey ¶ added in v0.18.1
func (m *MockDB) UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error
UpdateExternalAccountKey mock
type MockProvisioner ¶ added in v0.14.5
// MockProvisioner is a test double for the Provisioner interface. Methods
// without a dedicated Mxxx hook (the Authorize* methods) have no per-method
// override here; NOTE(review): they presumably return Mret1/Merr — confirm
// against the method bodies.
type MockProvisioner struct {
	// Mret1 and Merr are the generic fallback result and error.
	Mret1 interface{}
	Merr  error

	MgetID                  func() string
	MgetName                func() string
	MisChallengeEnabled     func(ctx context.Context, challenge provisioner.ACMEChallenge) bool
	MisAttFormatEnabled     func(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
	MgetAttestationRoots    func() (*x509.CertPool, bool)
	MdefaultTLSCertDuration func() time.Duration
	MgetOptions             func() *provisioner.Options
}
MockProvisioner for testing
func (*MockProvisioner) AuthorizeOrderIdentifier ¶ added in v0.20.0
func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
AuthorizeOrderIdentifier mock
func (*MockProvisioner) AuthorizeRevoke ¶ added in v0.18.1
func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) error
AuthorizeRevoke mock
func (*MockProvisioner) AuthorizeSign ¶ added in v0.14.5
func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error)
AuthorizeSign mock
func (*MockProvisioner) DefaultTLSCertDuration ¶ added in v0.14.5
func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration
DefaultTLSCertDuration mock
func (*MockProvisioner) GetAttestationRoots ¶ added in v0.23.0
func (m *MockProvisioner) GetAttestationRoots() (*x509.CertPool, bool)
func (*MockProvisioner) GetID ¶ added in v0.15.12
func (m *MockProvisioner) GetID() string
GetID mock
func (*MockProvisioner) GetName ¶ added in v0.14.5
func (m *MockProvisioner) GetName() string
GetName mock
func (*MockProvisioner) GetOptions ¶ added in v0.15.0
func (m *MockProvisioner) GetOptions() *provisioner.Options
GetOptions mock
func (*MockProvisioner) IsAttestationFormatEnabled ¶ added in v0.23.0
func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
IsAttestationFormatEnabled mock
func (*MockProvisioner) IsChallengeEnabled ¶ added in v0.23.0
func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
IsChallengeEnabled mock
type Order ¶
// Order contains order metadata for the ACME protocol order type. Fields
// tagged `json:"-"` are internal identifiers; their URL counterparts are what
// the client sees.
type Order struct {
	// ID is the order identifier.
	ID string `json:"id"`
	// AccountID is the owning account; not serialized.
	AccountID string `json:"-"`
	// ProvisionerID is the ACME provisioner the order was created under; not serialized.
	ProvisionerID string `json:"-"`
	// Status is the order state (pending, ready, valid, invalid).
	Status Status `json:"status"`
	// ExpiresAt is the order expiry.
	ExpiresAt time.Time `json:"expires"`
	// Identifiers are the subjects the certificate is requested for.
	Identifiers []Identifier `json:"identifiers"`
	// NotBefore and NotAfter are the requested certificate validity bounds.
	NotBefore time.Time `json:"notBefore"`
	NotAfter  time.Time `json:"notAfter"`
	// Error describes why the order became invalid, if it did.
	Error *Error `json:"error,omitempty"`
	// AuthorizationIDs are internal ids; AuthorizationURLs is the serialized form.
	AuthorizationIDs  []string `json:"-"`
	AuthorizationURLs []string `json:"authorizations"`
	// FinalizeURL is where the client submits the CSR.
	FinalizeURL string `json:"finalize"`
	// CertificateID is the internal id; CertificateURL is the serialized form,
	// present once the order has been finalized.
	CertificateID  string `json:"-"`
	CertificateURL string `json:"certificate,omitempty"`
}
Order contains order metadata for the ACME protocol order type.
func (*Order) Finalize ¶
func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error
Finalize signs a certificate if the necessary conditions for Order completion have been met.
TODO(mariano): Here or in the challenge validation we should perform some external validation using the identifier value and the attestation data. From a validation service we can get the list of SANs to set in the final certificate.
type Policy ¶ added in v0.20.0
// Policy is an ACME account-level policy; it currently carries only X.509
// name constraints.
type Policy struct {
	// X509 holds the allowed/denied name options and the wildcard setting.
	X509 X509Policy `json:"x509"`
}
Policy is an ACME account-level policy.
func (*Policy) AreWildcardNamesAllowed ¶ added in v0.20.0
AreWildcardNamesAllowed returns whether wildcard names like *.example.com are allowed to be signed. Defaults to false.
func (*Policy) GetAllowedNameOptions ¶ added in v0.20.0
func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions
func (*Policy) GetDeniedNameOptions ¶ added in v0.20.0
func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions
type PolicyNames ¶ added in v0.20.0
PolicyNames contains ACME account level policy names
type PrerequisitesChecker ¶ added in v0.20.0
PrerequisitesChecker is a function that checks if all prerequisites for serving ACME are met by the CA configuration.
func PrerequisitesCheckerFromContext ¶ added in v0.20.0
func PrerequisitesCheckerFromContext(ctx context.Context) (PrerequisitesChecker, bool)
PrerequisitesCheckerFromContext returns the PrerequisitesChecker in the context.
type ProblemType ¶ added in v0.15.12
// ProblemType is the type of an ACME problem; String gives its wire-level name.
type ProblemType int
ProblemType is the type of the ACME problem.
// ACME problem types. Values are iota-based, so new entries must be appended
// at the end to keep existing values stable.
const (
	// ErrorAccountDoesNotExistType request specified an account that does not exist
	ErrorAccountDoesNotExistType ProblemType = iota
	// ErrorAlreadyRevokedType request specified a certificate to be revoked that has already been revoked
	ErrorAlreadyRevokedType
	// ErrorBadAttestationStatementType WebAuthn attestation statement could not be verified
	ErrorBadAttestationStatementType
	// ErrorBadCSRType CSR is unacceptable (e.g., due to a short key)
	ErrorBadCSRType
	// ErrorBadNonceType client sent an unacceptable anti-replay nonce
	ErrorBadNonceType
	// ErrorBadPublicKeyType JWS was signed by a public key the server does not support
	ErrorBadPublicKeyType
	// ErrorBadRevocationReasonType revocation reason provided is not allowed by the server
	ErrorBadRevocationReasonType
	// ErrorBadSignatureAlgorithmType JWS was signed with an algorithm the server does not support
	ErrorBadSignatureAlgorithmType
	// ErrorCaaType Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate
	ErrorCaaType
	// ErrorCompoundType specific error conditions are indicated in the “subproblems” array
	ErrorCompoundType
	// ErrorConnectionType server could not connect to validation target
	ErrorConnectionType
	// ErrorDNSType there was a problem with a DNS query during identifier validation
	ErrorDNSType
	// ErrorExternalAccountRequiredType request must include a value for the “externalAccountBinding” field
	ErrorExternalAccountRequiredType
	// ErrorIncorrectResponseType response received didn’t match the challenge’s requirements
	ErrorIncorrectResponseType
	// ErrorInvalidContactType a contact URL for an account was invalid
	ErrorInvalidContactType
	// ErrorMalformedType request message was malformed
	ErrorMalformedType
	// ErrorOrderNotReadyType request attempted to finalize an order that is not ready to be finalized
	ErrorOrderNotReadyType
	// ErrorRateLimitedType request exceeds a rate limit
	ErrorRateLimitedType
	// ErrorRejectedIdentifierType server will not issue certificates for the identifier
	ErrorRejectedIdentifierType
	// ErrorServerInternalType server experienced an internal error
	ErrorServerInternalType
	// ErrorTLSType server received a TLS error during validation
	ErrorTLSType
	// ErrorUnauthorizedType client lacks sufficient authorization
	ErrorUnauthorizedType
	// ErrorUnsupportedContactType a contact URL for an account used an unsupported protocol scheme
	ErrorUnsupportedContactType
	// ErrorUnsupportedIdentifierType identifier is of an unsupported type
	ErrorUnsupportedIdentifierType
	// ErrorUserActionRequiredType visit the “instance” URL and take actions specified there
	ErrorUserActionRequiredType
	// ErrorNotImplementedType operation is not implemented
	ErrorNotImplementedType
)
func (ProblemType) String ¶ added in v0.15.12
func (ap ProblemType) String() string
String returns the string representation of the acme problem type, fulfilling the Stringer interface.
type Provisioner ¶ added in v0.14.5
// Provisioner is the subset of provisioner.Interface required by the ACME
// api/authority: authorization decisions, challenge/attestation enablement
// and certificate defaults.
type Provisioner interface {
	// AuthorizeOrderIdentifier decides whether an order may include the identifier.
	AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
	// AuthorizeSign returns the sign options to apply when issuing for the token.
	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
	// AuthorizeRevoke decides whether a revocation request for the token is allowed.
	AuthorizeRevoke(ctx context.Context, token string) error
	// IsChallengeEnabled reports whether the challenge type is enabled for this provisioner.
	IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
	// IsAttestationFormatEnabled reports whether the attestation format is accepted.
	IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
	// GetAttestationRoots returns the trust roots for device attestation and
	// whether any are configured.
	GetAttestationRoots() (*x509.CertPool, bool)
	// GetID returns the provisioner identifier.
	GetID() string
	// GetName returns the provisioner's configured name.
	GetName() string
	// DefaultTLSCertDuration returns the default certificate lifetime.
	DefaultTLSCertDuration() time.Duration
	// GetOptions returns the provisioner's options.
	GetOptions() *provisioner.Options
}
Provisioner is an interface that implements a subset of the provisioner.Interface -- only those methods required by the ACME api/authority.
func MustProvisionerFromContext ¶ added in v0.20.0
func MustProvisionerFromContext(ctx context.Context) Provisioner
MustProvisionerFromContext returns the current provisioner from the given context. It will panic if it's not in the context.
func ProvisionerFromContext ¶ added in v0.14.5
func ProvisionerFromContext(ctx context.Context) (v Provisioner, ok bool)
ProvisionerFromContext returns the current provisioner from the given context.
type X509Policy ¶ added in v0.20.0
// X509Policy contains the ACME account-level X.509 name policy.
type X509Policy struct {
	// Allowed lists names that may be issued.
	Allowed PolicyNames `json:"allow"`
	// Denied lists names that must not be issued.
	Denied PolicyNames `json:"deny"`
	// AllowWildcardNames permits wildcard names such as *.example.com.
	AllowWildcardNames bool `json:"allowWildcardNames"`
}
X509Policy contains ACME account level X.509 policy