boulder: Index | Files | Directories

package ca

import ""


Package Files


type CertificateAuthorityImpl Uses

type CertificateAuthorityImpl struct {
    // contains filtered or unexported fields

CertificateAuthorityImpl represents a CA that signs certificates, CRLs, and OCSP responses.

func NewCertificateAuthorityImpl Uses

func NewCertificateAuthorityImpl(
    config ca_config.CAConfig,
    sa certificateStorage,
    pa core.PolicyAuthority,
    clk clock.Clock,
    stats prometheus.Registerer,
    issuers []Issuer,
    keyPolicy goodkey.KeyPolicy,
    logger blog.Logger,
    orphanQueue *goque.Queue,
) (*CertificateAuthorityImpl, error)

NewCertificateAuthorityImpl creates a CA instance that can sign certificates from a single issuer (the first first in the issuers slice), and can sign OCSP for any of the issuer certificates provided.

func (*CertificateAuthorityImpl) GenerateOCSP Uses

func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *caPB.GenerateOCSPRequest) (*caPB.OCSPResponse, error)

GenerateOCSP produces a new OCSP response and returns it

func (*CertificateAuthorityImpl) IssueCertificateForPrecertificate Uses

func (ca *CertificateAuthorityImpl) IssueCertificateForPrecertificate(ctx context.Context, req *caPB.IssueCertificateForPrecertificateRequest) (core.Certificate, error)

IssueCertificateForPrecertificate takes a precertificate and a set of SCTs for that precertificate and uses the signer to create and sign a certificate from them. The poison extension is removed and a SCT list extension is inserted in its place. Except for this and the signature the certificate exactly matches the precertificate. After the certificate is signed a OCSP response is generated and the response and certificate are stored in the database.

It's critical not to sign two different final certificates for the same precertificate. This can happen, for instance, if the caller provides a different set of SCTs on subsequent calls to IssueCertificateForPrecertificate. We rely on the RA not to call IssueCertificateForPrecertificate twice for the same serial. This is accomplished by the fact that IssueCertificateForPrecertificate is only ever called in a straight-through RPC path without retries. If there is any error, including a networking error, the whole certificate issuance attempt fails and any subsequent issuance will use a different serial number.

We also check that the provided serial number does not already exist as a final certificate, but this is just a belt-and-suspenders measure, since there could be race conditions where two goroutines are issuing for the same serial number at the same time.

func (*CertificateAuthorityImpl) IssuePrecertificate Uses

func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error)

func (*CertificateAuthorityImpl) OrphanIntegrationLoop Uses

func (ca *CertificateAuthorityImpl) OrphanIntegrationLoop()

OrphanIntegrationLoop runs a loop executing integrateOrphans and then waiting a minute. It is split out into a separate function called directly by boulder-ca in order to make testing the orphan queue functionality somewhat more simple.

type Issuer Uses

type Issuer struct {
    Signer crypto.Signer
    Cert   *x509.Certificate

Issuer represents a single issuer certificate, along with its key.



Package ca imports 38 packages (graph) and is imported by 50 packages. Updated 2020-01-20. Refresh now. Tools for package owners.