package core

import ""


Package Files

challenges.go interfaces.go objects.go util.go va.go


const (
    StatusUnknown     = AcmeStatus("unknown")     // Unknown status; the default
    StatusPending     = AcmeStatus("pending")     // In process; client has next action
    StatusProcessing  = AcmeStatus("processing")  // In process; server has next action
    StatusReady       = AcmeStatus("ready")       // Order is ready for finalization
    StatusValid       = AcmeStatus("valid")       // Object is valid
    StatusInvalid     = AcmeStatus("invalid")     // Validation failed
    StatusRevoked     = AcmeStatus("revoked")     // Object no longer valid
    StatusDeactivated = AcmeStatus("deactivated") // Object has been deactivated
)

These statuses are the states of authorizations, challenges, and registrations

const (
    ResourceNewReg       = AcmeResource("new-reg")
    ResourceNewAuthz     = AcmeResource("new-authz")
    ResourceNewCert      = AcmeResource("new-cert")
    ResourceRevokeCert   = AcmeResource("revoke-cert")
    ResourceRegistration = AcmeResource("reg")
    ResourceChallenge    = AcmeResource("challenge")
    ResourceAuthz        = AcmeResource("authz")
    ResourceKeyChange    = AcmeResource("key-change")
)

The types of ACME resources

const (
    OCSPStatusGood    = OCSPStatus("good")
    OCSPStatusRevoked = OCSPStatus("revoked")
)

These statuses are the states of OCSP

const (
    ChallengeTypeHTTP01    = "http-01"
    ChallengeTypeDNS01     = "dns-01"
    ChallengeTypeTLSALPN01 = "tls-alpn-01"
)

These types are the available challenges

const DNSPrefix = "_acme-challenge"

DNSPrefix is attached to DNS names in DNS challenges


var BuildHost string

BuildHost is set by the compiler and is used by GetBuildHost

var BuildID string

BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)") and is used by GetBuildID

var BuildTime string

BuildTime is set by the compiler and is used by GetBuildTime

var RandReader randSource = rand.Reader

RandReader is used so that it can be replaced in tests that require deterministic output

func Fingerprint256

func Fingerprint256(data []byte) string

Fingerprint256 produces an unpadded, URL-safe Base64-encoded SHA256 digest of the data.

func GetBuildHost

func GetBuildHost() (retID string)

GetBuildHost identifies the building host

func GetBuildID

func GetBuildID() (retID string)

GetBuildID identifies what build is running.

func GetBuildTime

func GetBuildTime() (retID string)

GetBuildTime identifies when this build was made

func IsASCII

func IsASCII(str string) bool

IsASCII determines if every character in a string is encoded in the ASCII character set.

func KeyDigestB64

func KeyDigestB64(key crypto.PublicKey) (string, error)

KeyDigestB64 produces a padded, standard Base64-encoded SHA256 digest of a provided public key.

func KeyDigestEquals

func KeyDigestEquals(j, k crypto.PublicKey) bool

KeyDigestEquals determines whether two public keys have the same digest.

func LoadCert

func LoadCert(filename string) (cert *x509.Certificate, err error)

LoadCert loads a PEM certificate specified by filename or returns an error

func LoadCertBundle

func LoadCertBundle(filename string) ([]*x509.Certificate, error)

LoadCertBundle loads a PEM bundle of certificates from disk

func LooksLikeAToken

func LooksLikeAToken(token string) bool

LooksLikeAToken checks whether a string represents a 32-octet value in the URL-safe base64 alphabet.

func NewToken

func NewToken() string

NewToken produces a random string for Challenges, etc.
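
The token handling described by RandReader, LooksLikeAToken and NewToken, as an added example that is not Boulder's own code. It goes one step beyond the alphabet check by also requiring a canonical base64url encoding; the names newTokenFrom, inTokenAlphabet and isCanonicalToken are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// tokenBytes is the 32-octet size named in the LooksLikeAToken description.
const tokenBytes = 32

// tokenChars is the unpadded base64url length of 32 octets (43 characters).
var tokenChars = base64.RawURLEncoding.EncodedLen(tokenBytes)

// newTokenFrom reads 32 octets from src and encodes them as unpadded
// base64url. Taking the source as a parameter mirrors the role of
// RandReader: production code passes crypto/rand.Reader, tests pass a
// deterministic reader. (Hypothetical helper, not Boulder's NewToken.)
func newTokenFrom(src io.Reader) (string, error) {
	b := make([]byte, tokenBytes)
	if _, err := io.ReadFull(src, b); err != nil {
		return "", err // a short read must never yield a weaker token
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// inTokenAlphabet checks length and alphabet only: exactly 43 characters
// drawn from A-Z, a-z, 0-9, '-' and '_'.
func inTokenAlphabet(s string) bool {
	if len(s) != tokenChars {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z',
			c >= '0' && c <= '9', c == '-', c == '_':
		default:
			return false
		}
	}
	return true
}

// isCanonicalToken additionally requires that the string is the one and
// only encoding of its 32 octets. 43 characters carry 258 bits, so the two
// trailing bits of the last character must be zero; Strict() enforces that.
func isCanonicalToken(s string) bool {
	if !inTokenAlphabet(s) {
		return false
	}
	b, err := base64.RawURLEncoding.Strict().DecodeString(s)
	return err == nil && len(b) == tokenBytes
}

func main() {
	tok, err := newTokenFrom(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println(tok, inTokenAlphabet(tok), isCanonicalToken(tok))
}
```

The stricter check matters when tokens are compared or stored as strings: two different strings that decode to the same 32 octets would otherwise both be accepted.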

func PublicKeysEqual

func PublicKeysEqual(a, b interface{}) (bool, error)

PublicKeysEqual determines whether two public keys have the same marshalled bytes as one another

func RandomString

func RandomString(byteLength int) string

RandomString returns a randomly generated string of the requested length.

func RetryBackoff

func RetryBackoff(retries int, base, max time.Duration, factor float64) time.Duration

RetryBackoff calculates a backoff time based on the number of retries. It always adds jitter so that requests that start in unison won't fall into lockstep. Because of this, the returned duration can always be larger than the maximum by a factor of retryJitter. Adapted from

func SerialToString

func SerialToString(serial *big.Int) string

SerialToString converts a certificate serial number (big.Int) to a string consistently.

func StringToSerial

func StringToSerial(serial string) (*big.Int, error)

StringToSerial converts a string into a certificate serial number (big.Int) consistently.

func UniqueLowerNames

func UniqueLowerNames(names []string) (unique []string)

UniqueLowerNames returns the set of all unique names in the input after all of them are lowercased. The returned names will be in their lowercased form and sorted alphabetically.

func ValidChallenge

func ValidChallenge(name string) bool

ValidChallenge tests whether the provided string names a known challenge

func ValidSerial

func ValidSerial(serial string) bool

ValidSerial tests whether the input string represents a syntactically valid serial number, i.e., that it is a valid hex string between 32 and 36 characters long.

type AcmeResource

type AcmeResource string

AcmeResource values identify different types of ACME resources

type AcmeStatus

type AcmeStatus string

AcmeStatus defines the state of a given authorization

type Authorization

type Authorization struct {
    // An identifier for this authorization, unique across
    // authorizations and certificates within this instance.
    ID  string `json:"id,omitempty" db:"id"`

    // The identifier for which authorization is being given
    Identifier identifier.ACMEIdentifier `json:"identifier,omitempty" db:"identifier"`

    // The registration ID associated with the authorization
    RegistrationID int64 `json:"regId,omitempty" db:"registrationID"`

    // The status of the validation of this authorization
    Status AcmeStatus `json:"status,omitempty" db:"status"`

    // The date after which this authorization will no
    // longer be considered valid. Note: a certificate may be issued even on the
    // last day of an authorization's lifetime. The last day for which someone can
    // hold a valid certificate based on an authorization is authorization
    // lifetime + certificate lifetime.
    Expires *time.Time `json:"expires,omitempty" db:"expires"`

    // An array of challenge objects used to validate the
    // applicant's control of the identifier.  For authorizations
    // in process, these are challenges to be fulfilled; for
    // final authorizations, they describe the evidence that
    // the server used in support of granting the authorization.
    // There should only ever be one challenge of each type in this
    // slice and the order of these challenges may not be predictable.
    Challenges []Challenge `json:"challenges,omitempty" db:"-"`

    // This field is deprecated. It's filled in by WFE for the ACMEv1 API.
    Combinations [][]int `json:"combinations,omitempty" db:"combinations"`

    // Wildcard is a Boulder-specific Authorization field that indicates the
    // authorization was created as a result of an order containing a name with
    // a `*.` wildcard prefix. This will help convey to users that an
    // Authorization with the identifier `` and one DNS-01 challenge
    // corresponds to a name `*` from an associated order.
    Wildcard bool `json:"wildcard,omitempty" db:"-"`
}

Authorization represents the authorization of an account key holder to act on behalf of a domain. This struct is intended to be used both internally and for JSON marshaling on the wire. Any fields that should be suppressed on the wire (e.g., ID, regID) must be made empty before marshaling.

func (*Authorization) FindChallengeByStringID

func (authz *Authorization) FindChallengeByStringID(id string) int

FindChallengeByStringID will look for a challenge matching the given ID inside this authorization. If found, it will return the index of that challenge within the Authorization's Challenges array. Otherwise it will return -1.

func (*Authorization) SolvedBy

func (authz *Authorization) SolvedBy() string

SolvedBy will look through the Authorization's challenges, returning the type of the *first* challenge it finds with Status: valid, or "" if no challenge is valid.

type CRL

type CRL struct {
    // serial: Same as certificate serial.
    Serial string `db:"serial"`

    // createdAt: The date the CRL was signed.
    CreatedAt time.Time `db:"createdAt"`

    // crl: The encoded and signed CRL.
    CRL string `db:"crl"`
}

CRL is a large table of signed CRLs. This contains all historical CRLs we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.

type CertDER

type CertDER []byte

CertDER is a convenience type that helps differentiate what the underlying byte slice contains

type Certificate

type Certificate struct {
    RegistrationID int64 `db:"registrationID"`

    Serial  string    `db:"serial"`
    Digest  string    `db:"digest"`
    DER     []byte    `db:"der"`
    Issued  time.Time `db:"issued"`
    Expires time.Time `db:"expires"`
}

Certificate objects are entirely internal to the server. The only thing exposed on the wire is the certificate itself.

type CertificateAuthority

type CertificateAuthority interface {
    // [RegistrationAuthority]
    IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error)

    // [RegistrationAuthority]
    IssueCertificateForPrecertificate(ctx context.Context, req *caPB.IssueCertificateForPrecertificateRequest) (Certificate, error)

    GenerateOCSP(ctx context.Context, ocspReq *caPB.GenerateOCSPRequest) (*caPB.OCSPResponse, error)
}

CertificateAuthority defines the public interface for the Boulder CA

type CertificateRequest

type CertificateRequest struct {
    CSR   *x509.CertificateRequest // The CSR
    Bytes []byte                   // The original bytes of the CSR, for logging.
}

CertificateRequest is just a CSR

This data is unmarshalled from JSON by way of RawCertificateRequest, which represents the actual structure received from the client.

func (CertificateRequest) MarshalJSON

func (cr CertificateRequest) MarshalJSON() ([]byte, error)

MarshalJSON provides an implementation for encoding CertificateRequest objects.

func (*CertificateRequest) UnmarshalJSON

func (cr *CertificateRequest) UnmarshalJSON(data []byte) error

UnmarshalJSON provides an implementation for decoding CertificateRequest objects.

type CertificateStatus

type CertificateStatus struct {
    Serial string `db:"serial"`

    // status: 'good' or 'revoked'. Note that good, expired certificates remain
    //   with status 'good' but don't necessarily get fresh OCSP responses.
    Status OCSPStatus `db:"status"`

    // ocspLastUpdated: The date and time of the last time we generated an OCSP
    //   response. If we have never generated one, this has the zero value of
    //   time.Time, i.e. Jan 1 1970.
    OCSPLastUpdated time.Time `db:"ocspLastUpdated"`

    // revokedDate: If status is 'revoked', this is the date and time it was
    //   revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.
    RevokedDate time.Time `db:"revokedDate"`

    // revokedReason: If status is 'revoked', this is the reason code for the
    //   revocation. Otherwise it is zero (which happens to be the reason
    //   code for 'unspecified').
    RevokedReason revocation.Reason `db:"revokedReason"`

    LastExpirationNagSent time.Time `db:"lastExpirationNagSent"`

    // The encoded and signed OCSP response.
    OCSPResponse []byte `db:"ocspResponse"`

    // For performance reasons[0] we duplicate the `Expires` field of the
    // `Certificates` object/table in `CertificateStatus` to avoid a costly `JOIN`
    // later on just to retrieve this `Time` value. This helps both the OCSP
    // updater and the expiration-mailer stay performant.
    // Similarly, we add an explicit `IsExpired` boolean to the `CertificateStatus`
    // table for the OCSP updater so that the database can create a meaningful
    // index on `(isExpired, ocspLastUpdated)` without a `JOIN` on `certificates`.
    // For more detail see Boulder #1864[0].
    // [0]:
    NotAfter  time.Time `db:"notAfter"`
    IsExpired bool      `db:"isExpired"`

    IssuerID *int64
}

CertificateStatus structs are internal to the server. They represent the latest data about the status of the certificate, required for OCSP updating and for validating that the subscriber has accepted the certificate.

type Challenge

type Challenge struct {
    // The type of challenge
    Type string `json:"type"`

    // The status of this challenge
    Status AcmeStatus `json:"status,omitempty"`

    // Contains the error that occurred during challenge validation, if any
    Error *probs.ProblemDetails `json:"error,omitempty"`

    // A URI to which a response can be POSTed
    URI string `json:"uri,omitempty"`

    // For the V2 API the "URI" field is deprecated in favour of URL.
    URL string `json:"url,omitempty"`

    // Used by http-01, tls-sni-01, tls-alpn-01 and dns-01 challenges
    Token string `json:"token,omitempty"`

    // The expected KeyAuthorization for validation of the challenge. Populated by
    // the RA prior to passing the challenge to the VA. For legacy reasons this
    // field is called "ProvidedKeyAuthorization" because it was initially set by
    // the content of the challenge update POST from the client. It is no longer
    // set that way and should be renamed to "KeyAuthorization".
    // TODO(@cpu): Rename `ProvidedKeyAuthorization` to `KeyAuthorization`.
    ProvidedKeyAuthorization string `json:"keyAuthorization,omitempty"`

    // Contains information about URLs used or redirected to and IPs resolved and
    // used
    ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
}

Challenge is an aggregate of all data needed for any challenges.

Rather than define individual types for different types of challenge, we just throw all the elements into one bucket, together with the common metadata elements.

func DNSChallenge01

func DNSChallenge01(token string) Challenge

DNSChallenge01 constructs a random dns-01 challenge. If token is empty a random token will be generated, otherwise the provided token is used.

func HTTPChallenge01

func HTTPChallenge01(token string) Challenge

HTTPChallenge01 constructs a random http-01 challenge. If token is empty a random token will be generated, otherwise the provided token is used.

func TLSALPNChallenge01

func TLSALPNChallenge01(token string) Challenge

TLSALPNChallenge01 constructs a random tls-alpn-01 challenge. If token is empty a random token will be generated, otherwise the provided token is used.

func (Challenge) CheckConsistencyForClientOffer

func (ch Challenge) CheckConsistencyForClientOffer() error

CheckConsistencyForClientOffer checks the fields of a challenge object before it is given to the client.

func (Challenge) CheckConsistencyForValidation

func (ch Challenge) CheckConsistencyForValidation() error

CheckConsistencyForValidation checks the fields of a challenge object before it is given to the VA.

func (Challenge) ExpectedKeyAuthorization

func (ch Challenge) ExpectedKeyAuthorization(key *jose.JSONWebKey) (string, error)

ExpectedKeyAuthorization computes the expected KeyAuthorization value for the challenge.

func (Challenge) RecordsSane

func (ch Challenge) RecordsSane() bool

RecordsSane checks the sanity of a ValidationRecord object before sending it back to the RA to be stored.

func (Challenge) StringID

func (ch Challenge) StringID() string

StringID is used to generate an ID for challenges associated with new-style authorizations. This is necessary as these challenges no longer have a unique non-sequential identifier in the new storage scheme. This identifier is generated by constructing an FNV hash over the challenge token and type and encoding the first 4 bytes of it using the base64 URL encoding.
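
How the StringID derivation and the FindChallengeByStringID lookup fit together, as an added example that is not Boulder's own code. The 128-bit FNV-1a variant, writing the token before the type, and the unpadded encoding are assumptions; the challenge type and the helper names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"hash/fnv"
)

// challenge carries only the two fields that feed the identifier.
type challenge struct {
	Type  string
	Token string
}

// stringID hashes token then type and keeps the first 4 bytes of the digest.
// Assumption: FNV-1a/128 and unpadded base64url, giving a 6-character ID.
// Tokens have a fixed length, so concatenating without a separator cannot
// make two different (token, type) pairs produce the same hash input.
func stringID(ch challenge) string {
	h := fnv.New128a()
	h.Write([]byte(ch.Token))
	h.Write([]byte(ch.Type))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil)[:4])
}

// findChallengeByStringID returns the index of the first challenge whose
// derived ID matches, or -1, as the FindChallengeByStringID text describes.
func findChallengeByStringID(chs []challenge, id string) int {
	for i, ch := range chs {
		if stringID(ch) == id {
			return i
		}
	}
	return -1
}

// idsAreUnique reports whether every challenge in the slice derives a
// distinct ID. A 32-bit ID is a locator within one authorization, not a
// secret or a global key, so uniqueness only has to hold inside the slice.
func idsAreUnique(chs []challenge) bool {
	seen := make(map[string]bool, len(chs))
	for _, ch := range chs {
		id := stringID(ch)
		if seen[id] {
			return false
		}
		seen[id] = true
	}
	return true
}

func main() {
	tok := "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" // constructed sample token
	chs := []challenge{
		{Type: "http-01", Token: tok},
		{Type: "dns-01", Token: tok},
		{Type: "tls-alpn-01", Token: tok},
	}
	id := stringID(chs[1])
	fmt.Println(id, findChallengeByStringID(chs, id), idsAreUnique(chs))
}
```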

type FQDNSet

type FQDNSet struct {
    ID      int64
    SetHash []byte
    Serial  string
    Issued  time.Time
    Expires time.Time
}

FQDNSet contains the SHA256 hash of the lowercased, comma joined dNSNames contained in a certificate.
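
A sketch of the set hash this describes, combined with the normalisation documented for UniqueLowerNames; it is an added example, not Boulder's own code. Feeding the sorted, de-duplicated output of UniqueLowerNames into the hash is an assumption, and the function names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// uniqueLowerNames lowercases every name, drops duplicates and sorts the
// result, following the UniqueLowerNames description.
func uniqueLowerNames(names []string) []string {
	seen := make(map[string]struct{}, len(names))
	for _, n := range names {
		seen[strings.ToLower(n)] = struct{}{}
	}
	unique := make([]string, 0, len(seen))
	for n := range seen {
		unique = append(unique, n)
	}
	sort.Strings(unique)
	return unique
}

// fqdnSetHash is the SHA256 of the normalised names joined with commas.
// The join is only unambiguous for names that were already validated as
// DNS names, since those cannot contain a comma.
func fqdnSetHash(names []string) [sha256.Size]byte {
	joined := strings.Join(uniqueLowerNames(names), ",")
	return sha256.Sum256([]byte(joined))
}

// sameFQDNSet reports whether two name lists describe the same set,
// regardless of order, case or repetition.
func sameFQDNSet(a, b []string) bool {
	return fqdnSetHash(a) == fqdnSetHash(b)
}

func main() {
	// Constructed sample name lists.
	first := []string{"example.com", "WWW.Example.com"}
	second := []string{"www.example.com", "EXAMPLE.COM", "example.com"}
	h := fqdnSetHash(first)
	fmt.Println(hex.EncodeToString(h[:]), sameFQDNSet(first, second))
}
```

Because the hash is taken after normalisation, reordering or re-casing the names in a request does not produce a different set.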

type JSONBuffer

type JSONBuffer []byte

JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding with stripped padding.

func (JSONBuffer) MarshalJSON

func (jb JSONBuffer) MarshalJSON() (result []byte, err error)

MarshalJSON encodes a JSONBuffer for transmission.

func (*JSONBuffer) UnmarshalJSON

func (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON decodes a JSONBuffer to an object.

type OCSPResponse

type OCSPResponse struct {
    ID  int `db:"id"`

    // serial: Same as certificate serial.
    Serial string `db:"serial"`

    // createdAt: The date the response was signed.
    CreatedAt time.Time `db:"createdAt"`

    // response: The encoded and signed OCSP response.
    Response []byte `db:"response"`
}

OCSPResponse is a (large) table of OCSP responses. This contains all historical OCSP responses we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.

type OCSPSigningRequest

type OCSPSigningRequest struct {
    CertDER   []byte
    Status    string
    Reason    revocation.Reason
    RevokedAt time.Time
}

OCSPSigningRequest is a transfer object representing an OCSP Signing Request

type OCSPStatus

type OCSPStatus string

OCSPStatus defines the state of OCSP for a domain

type Order

type Order struct {
    ID                int64
    RegistrationID    int64
    Expires           time.Time
    Error             error
    CertificateSerial string
    Authorizations    []Authorization
    Status            AcmeStatus
}

Order represents the request object that forms the basis of the v2 style issuance flow

type PolicyAuthority

type PolicyAuthority interface {
    WillingToIssue(domain identifier.ACMEIdentifier) error
    WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
    ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
    ChallengeTypeEnabled(t string) bool
}

PolicyAuthority defines the public interface for the Boulder PA

type Precertificate

type Precertificate struct {
    DER []byte `db:"der"`
}

Precertificate objects are entirely internal to the server. The only thing exposed on the wire is the precertificate itself.

type Publisher

type Publisher interface {
    SubmitToSingleCTWithResult(ctx context.Context, req *pubpb.Request) (*pubpb.Result, error)
}

Publisher defines the public interface for the Boulder Publisher

type RawCertificateRequest

type RawCertificateRequest struct {
    CSR JSONBuffer `json:"csr"` // The encoded CSR
}

type Registration

type Registration struct {
    // Unique identifier
    ID  int64 `json:"id,omitempty" db:"id"`

    // Account key to which the details are attached
    Key *jose.JSONWebKey `json:"key"`

    // Contact URIs
    Contact *[]string `json:"contact,omitempty"`

    // Agreement with terms of service
    Agreement string `json:"agreement,omitempty"`

    // InitialIP is the IP address from which the registration was created
    InitialIP net.IP `json:"initialIp"`

    // CreatedAt is the time the registration was created.
    CreatedAt time.Time `json:"createdAt"`

    Status AcmeStatus `json:"status"`
}

Registration objects represent non-public metadata attached to account keys.

type RegistrationAuthority

type RegistrationAuthority interface {
    // [WebFrontEnd]
    NewRegistration(ctx context.Context, reg Registration) (Registration, error)

    // [WebFrontEnd]
    NewAuthorization(ctx context.Context, authz Authorization, regID int64) (Authorization, error)

    // [WebFrontEnd]
    NewCertificate(ctx context.Context, csr CertificateRequest, regID int64) (Certificate, error)

    // [WebFrontEnd]
    UpdateRegistration(ctx context.Context, base, updates Registration) (Registration, error)

    // [WebFrontEnd]
    PerformValidation(ctx context.Context, req *rapb.PerformValidationRequest) (*corepb.Authorization, error)

    // [WebFrontEnd]
    RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, code revocation.Reason, regID int64) error

    // [WebFrontEnd]
    DeactivateRegistration(ctx context.Context, reg Registration) error

    // [WebFrontEnd]
    DeactivateAuthorization(ctx context.Context, auth Authorization) error

    // [WebFrontEnd]
    NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)

    // [WebFrontEnd]
    FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)

    // [AdminRevoker]
    AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, code revocation.Reason, adminName string) error
}

RegistrationAuthority defines the public interface for the Boulder RA

type SCTDERs

type SCTDERs [][]byte

SCTDERs is a convenience type

type Sha256Digest

type Sha256Digest [sha256.Size]byte

func KeyDigest

func KeyDigest(key crypto.PublicKey) (Sha256Digest, error)

KeyDigest produces a Base64-encoded SHA256 digest of a provided public key.

type SignedCertificateTimestamp

type SignedCertificateTimestamp struct {
    ID  int `db:"id"`
    // The version of the protocol to which the SCT conforms
    SCTVersion uint8 `db:"sctVersion"`
    // The SHA-256 hash of the log's public key, calculated over
    // the DER encoding of the key represented as SubjectPublicKeyInfo.
    LogID string `db:"logID"`
    // Timestamp (in ms since Unix epoch) at which the SCT was issued
    Timestamp uint64 `db:"timestamp"`
    // For future extensions to the protocol
    Extensions []byte `db:"extensions"`
    // The Log's signature for this SCT
    Signature []byte `db:"signature"`

    // The serial of the certificate this SCT is for
    CertificateSerial string `db:"certificateSerial"`

    LockCol int64
}

SignedCertificateTimestamp is the internal representation of ct.SignedCertificateTimestamp that is used to maintain backwards compatibility with our old CT implementation.

type StorageAdder

type StorageAdder interface {
    NewRegistration(ctx context.Context, reg Registration) (created Registration, err error)
    UpdateRegistration(ctx context.Context, reg Registration) error
    AddCertificate(ctx context.Context, der []byte, regID int64, ocsp []byte, issued *time.Time) (digest string, err error)
    AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error)
    AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*corepb.Empty, error)
    DeactivateRegistration(ctx context.Context, id int64) error
    NewOrder(ctx context.Context, order *corepb.Order) (*corepb.Order, error)
    SetOrderProcessing(ctx context.Context, order *corepb.Order) error
    FinalizeOrder(ctx context.Context, order *corepb.Order) error
    SetOrderError(ctx context.Context, order *corepb.Order) error
    RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) error
    // New authz2 methods
    NewAuthorizations2(ctx context.Context, req *sapb.AddPendingAuthorizationsRequest) (*sapb.Authorization2IDs, error)
    FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest) error
    DeactivateAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*corepb.Empty, error)
    AddBlockedKey(ctx context.Context, req *sapb.AddBlockedKeyRequest) (*corepb.Empty, error)
}

StorageAdder are the Boulder SA's write/update methods

type StorageAuthority

type StorageAuthority interface {
    StorageGetter
    StorageAdder
}

StorageAuthority interface represents a simple key/value store. The add and get interfaces contained within are divided for privilege separation.

type StorageGetter

type StorageGetter interface {
    GetRegistration(ctx context.Context, regID int64) (Registration, error)
    GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (Registration, error)
    GetCertificate(ctx context.Context, serial string) (Certificate, error)
    GetPrecertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
    GetCertificateStatus(ctx context.Context, serial string) (CertificateStatus, error)
    CountCertificatesByNames(ctx context.Context, domains []string, earliest, latest time.Time) (countByDomain []*sapb.CountByNames_MapElement, err error)
    CountRegistrationsByIP(ctx context.Context, ip net.IP, earliest, latest time.Time) (int, error)
    CountRegistrationsByIPRange(ctx context.Context, ip net.IP, earliest, latest time.Time) (int, error)
    CountOrders(ctx context.Context, acctID int64, earliest, latest time.Time) (int, error)
    CountFQDNSets(ctx context.Context, window time.Duration, domains []string) (count int64, err error)
    FQDNSetExists(ctx context.Context, domains []string) (exists bool, err error)
    PreviousCertificateExists(ctx context.Context, req *sapb.PreviousCertificateExistsRequest) (exists *sapb.Exists, err error)
    GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)
    GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error)
    // New authz2 methods
    GetAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*corepb.Authorization, error)
    GetAuthorizations2(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error)
    GetPendingAuthorization2(ctx context.Context, req *sapb.GetPendingAuthorizationRequest) (*corepb.Authorization, error)
    CountPendingAuthorizations2(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error)
    GetValidOrderAuthorizations2(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (*sapb.Authorizations, error)
    CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error)
    GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest) (*sapb.Authorizations, error)
    SerialExists(ctx context.Context, req *sapb.Serial) (*sapb.Exists, error)
    KeyBlocked(ctx context.Context, req *sapb.KeyBlockedRequest) (*sapb.Exists, error)
}

StorageGetter are the Boulder SA's read-only methods

type ValidationAuthority

type ValidationAuthority interface {
    // PerformValidation checks the challenge with the given index in the
    // given Authorization and returns the updated ValidationRecords.
    // A failure to validate the Challenge will result in an error of type
    // *probs.ProblemDetails.
    // TODO(#1626): remove authz parameter
    PerformValidation(ctx context.Context, domain string, challenge Challenge, authz Authorization) ([]ValidationRecord, error)
}

ValidationAuthority defines the public interface for the Boulder VA

type ValidationRecord

type ValidationRecord struct {
    // SimpleHTTP only
    URL string `json:"url,omitempty"`

    // Shared
    Hostname          string   `json:"hostname"`
    Port              string   `json:"port,omitempty"`
    AddressesResolved []net.IP `json:"addressesResolved,omitempty"`
    AddressUsed       net.IP   `json:"addressUsed,omitempty"`
    // AddressesTried contains a list of addresses tried before the `AddressUsed`.
    // Presently this will only ever be one IP from `AddressesResolved` since the
    // only retry is in the case of a v6 failure with one v4 fallback. E.g. if
    // a record with `AddressesResolved: {, ::1 }` were processed for
    // a challenge validation with the IPv6 first flag on and the ::1 address
    // failed but the retry succeeded then the record would end up
    // being:
    // {
    //   ...
    //   AddressesResolved: [, ::1 ],
    //   AddressUsed:
    //   AddressesTried: [ ::1 ],
    //   ...
    // }
    AddressesTried []net.IP `json:"addressesTried,omitempty"`
}

ValidationRecord represents a validation attempt against a specific URL/hostname and the IP addresses that were resolved and used

type WebFrontEnd

type WebFrontEnd interface {
    // Set the base URL for authorizations
    SetAuthzBase(ctx context.Context, path string)

    // Set the base URL for certificates
    SetCertBase(ctx context.Context, path string)

    // This method represents the ACME new-registration resource
    NewRegistration(ctx context.Context, response http.ResponseWriter, request *http.Request)

    // This method represents the ACME new-authorization resource
    NewAuthz(ctx context.Context, response http.ResponseWriter, request *http.Request)

    // This method represents the ACME new-certificate resource
    NewCert(ctx context.Context, response http.ResponseWriter, request *http.Request)

    // Provide access to requests for registration resources
    Registration(ctx context.Context, response http.ResponseWriter, request *http.Request)

    // Provide access to requests for authorization resources
    Authz(ctx context.Context, response http.ResponseWriter, request *http.Request)

    // Provide access to requests for certificate resources
    Cert(ctx context.Context, response http.ResponseWriter, request *http.Request)
}

A WebFrontEnd object supplies methods that can be hooked into the Go http module's server functions, principally http.HandleFunc()

It also provides methods to configure the base for authorization and certificate URLs.

It is assumed that the ACME server is laid out as follows:

* One URL for new-authorization -> NewAuthz
* One URL for new-certificate -> NewCert
* One path for authorizations -> Authz
* One path for certificates -> Cert



Package core imports 35 packages and is imported by 1086 packages. Updated 2020-07-10.