Types
type AuthorityImpl
type AuthorityImpl struct {
// contains filtered or unexported fields
}
AuthorityImpl enforces CA policy decisions.
func New
func New(challengeTypes map[string]bool) (*AuthorityImpl, error)
New constructs a Policy Authority.
func (*AuthorityImpl) ChallengeTypeEnabled
func (pa *AuthorityImpl) ChallengeTypeEnabled(t string, regID int64) bool
ChallengeTypeEnabled returns whether the specified challenge type is enabled.
func (*AuthorityImpl) ChallengesFor
func (pa *AuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, regID int64, revalidation bool) ([]core.Challenge, [][]int, error)
ChallengesFor decides which challenges, and which combinations of them, are acceptable for the given identifier. If the TLSSNIRevalidation feature flag is set, it creates TLS-SNI-01 challenges for revalidation requests even when TLS-SNI-01 is not among the configured challenge types.
func (*AuthorityImpl) SetChallengesWhitelistFile
func (pa *AuthorityImpl) SetChallengesWhitelistFile(f string) error
SetChallengesWhitelistFile loads the given whitelist file, returning an error if loading fails. It also starts a reloader that picks up changes to the file.
func (*AuthorityImpl) SetHostnamePolicyFile
func (pa *AuthorityImpl) SetHostnamePolicyFile(f string) error
SetHostnamePolicyFile loads the given policy file, returning an error if loading fails. It also starts a reloader that picks up changes to the file.
func (*AuthorityImpl) WillingToIssue
func (pa *AuthorityImpl) WillingToIssue(id core.AcmeIdentifier) error
WillingToIssue determines whether the CA is willing to issue for the provided identifier. It expects the domain in id to already be lowercase, so that case mismatches do not break lookups.
We place several criteria on identifiers we are willing to issue for:
- MUST self-identify as DNS identifiers
- MUST contain only bytes in the DNS hostname character set
- MUST NOT have more than maxLabels labels
- MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181. In particular:
- MUST NOT contain underscores
- MUST NOT match the syntax of an IP address
- MUST end in a public suffix
- MUST have at least one label in addition to the public suffix
- MUST NOT be a label-wise suffix match for a name on the black list, where comparison is case-independent (normalized to lower case)
If WillingToIssue returns an error, it will be of type MalformedRequestError or RejectedIdentifierError.
func (*AuthorityImpl) WillingToIssueWildcard
func (pa *AuthorityImpl) WillingToIssueWildcard(ident core.AcmeIdentifier) error
WillingToIssueWildcard is an extension of WillingToIssue that accepts DNS identifiers for well-formed wildcard domains. It enforces that:
- The identifier is a DNS type identifier
- There is at most one `*` wildcard character
- That the wildcard character is the leftmost label
- That the wildcard label is not immediately adjacent to a top-level ICANN TLD
- That the wildcard wouldn't cover an exact blacklist entry (e.g. an exact blacklist entry for "foo.example.com" should prevent issuance for "*.example.com")
If all of the above hold, the base domain (i.e. the name without the leading `*.`) is run through WillingToIssue to catch other illegal things (blocked hosts, etc.).
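The two rule lists above (WillingToIssue's identifier criteria and WillingToIssueWildcard's extra wildcard checks) are easier to reason about when written out as code. The following is an added example, not the package's own implementation: `willingToIssue` and `willingToIssueWildcard` are hypothetical stand-alone functions that apply each documented rule in order, with the public suffix table, blacklists and `maxLabels` constructed inline (a real policy authority loads these from files). The wildcard rule "not adjacent to a TLD" is approximated here by checking the base against the constructed public suffix table, and an exact blacklist entry is treated as covered by a wildcard when it is exactly one label deeper than the base.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

var ErrMalformed = errors.New("malformed request") // the two error classes the doc names
var ErrRejected = errors.New("rejected identifier")

// Constructed policy data for this example; a real PA loads the public suffix
// list and the hostname policy (blacklists) from files.
var (
	maxLabels       = 10
	publicSuffixes  = map[string]bool{"com": true, "org": true, "co.uk": true}
	suffixBlacklist = map[string]bool{"blocked.com": true}     // label-wise suffix match
	exactBlacklist  = map[string]bool{"foo.example.com": true} // exact match only
)

// hostnameSyntax encodes the DNS hostname character set (lowercase only, as the
// doc requires) plus RFC 1035/2181 label rules; it also rules out underscores.
var hostnameSyntax = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// longestSuffixIn returns the longest label-wise suffix of name present in set
// ("www.example.com" matches an entry "example.com"), or "" if there is none.
func longestSuffixIn(name string, set map[string]bool) string {
	labels := strings.Split(name, ".")
	for i := range labels {
		if s := strings.Join(labels[i:], "."); set[s] {
			return s
		}
	}
	return ""
}

// willingToIssue applies the criteria listed in the WillingToIssue doc, in order.
func willingToIssue(typ, name string) error {
	if typ != "dns" {
		return fmt.Errorf("%w: identifier type %q is not dns", ErrMalformed, typ)
	}
	if !hostnameSyntax.MatchString(name) {
		return fmt.Errorf("%w: %q is not a valid lowercase DNS hostname", ErrMalformed, name)
	}
	if strings.Count(name, ".")+1 > maxLabels {
		return fmt.Errorf("%w: %q has more than %d labels", ErrMalformed, name, maxLabels)
	}
	if net.ParseIP(name) != nil {
		return fmt.Errorf("%w: %q is an IP address", ErrMalformed, name)
	}
	switch ps := longestSuffixIn(name, publicSuffixes); {
	case ps == "":
		return fmt.Errorf("%w: %q does not end in a public suffix", ErrRejected, name)
	case ps == name:
		return fmt.Errorf("%w: %q needs a label beyond its public suffix", ErrRejected, name)
	}
	if exactBlacklist[name] {
		return fmt.Errorf("%w: %q is blacklisted", ErrRejected, name)
	}
	if s := longestSuffixIn(name, suffixBlacklist); s != "" {
		return fmt.Errorf("%w: %q matches blacklisted suffix %q", ErrRejected, name, s)
	}
	return nil
}

// willingToIssueWildcard adds the wildcard rules, then runs the base domain
// through willingToIssue.
func willingToIssueWildcard(typ, name string) error {
	if n := strings.Count(name, "*"); typ != "dns" || n == 0 {
		return willingToIssue(typ, name) // not a wildcard (or not a DNS identifier)
	} else if n > 1 {
		return fmt.Errorf("%w: %q has more than one wildcard", ErrMalformed, name)
	}
	if !strings.HasPrefix(name, "*.") {
		return fmt.Errorf("%w: wildcard in %q is not the leftmost label", ErrMalformed, name)
	}
	base := strings.TrimPrefix(name, "*.")
	// Assumption: "adjacent to a TLD" is checked against the constructed public
	// suffix table here rather than against an ICANN-only TLD list.
	if publicSuffixes[base] {
		return fmt.Errorf("%w: %q would cover an entire public suffix", ErrRejected, name)
	}
	for entry := range exactBlacklist { // one wildcard label covers exactly one label
		if rest := strings.TrimSuffix(entry, "."+base); rest != entry && !strings.Contains(rest, ".") {
			return fmt.Errorf("%w: %q would cover blacklisted %q", ErrRejected, name, entry)
		}
	}
	return willingToIssue(typ, base)
}

func main() {
	for _, n := range []string{"bar.example.com", "foo.example.com", "*.example.com", "*.com"} {
		fmt.Printf("%-16s -> %v\n", n, willingToIssueWildcard("dns", n))
	}
}
```

Ordering matters: syntactic checks produce `ErrMalformed`, policy checks produce `ErrRejected`, and the IP-address test runs only after the hostname syntax has passed, so a dotted-quad like `1.2.3.4` (valid hostname syntax) is still refused. The wildcard path rejects `*.example.com` because the exact blacklist entry `foo.example.com` sits one label below the base, while `*.example.org` passes.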