policy

package

v0.0.0-...-94d1468 Latest Latest Go to latest Published: Apr 18, 2024 License: MPL-2.0 Imports: 20 Imported by: 13

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/letsencrypt/boulder

Documentation ¶

Index ¶

func ValidDomain(domain string) error
func ValidEmail(address string) error
func ValidNonWildcardDomain(domain string) error
type AuthorityImpl
- func New(challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ValidDomain ¶

func ValidDomain(domain string) error

ValidDomain checks that a domain is valid and that it doesn't contain any invalid wildcard characters. It does NOT ensure that the domain is absent from any PA blocked lists.

func ValidEmail ¶

func ValidEmail(address string) error

ValidEmail returns an error if the input doesn't parse as an email address, the domain isn't a valid hostname in Preferred Name Syntax, or its on the list of domains forbidden for mail (because they are often used in examples).

func ValidNonWildcardDomain ¶

func ValidNonWildcardDomain(domain string) error

ValidNonWildcardDomain checks that a domain isn't:

empty
prefixed with the wildcard label `*.`
made of invalid DNS characters
longer than the maxDNSIdentifierLength
an IPv4 or IPv6 address
suffixed with just "."
made of too many DNS labels
made of any invalid DNS labels
suffixed with something other than an IANA registered TLD
exactly equal to an IANA registered TLD

It does NOT ensure that the domain is absent from any PA blocked lists.

Types ¶

type AuthorityImpl ¶

type AuthorityImpl struct {
	// contains filtered or unexported fields
}

AuthorityImpl enforces CA policy decisions.

func New ¶

func New(challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error)

New constructs a Policy Authority.

func (*AuthorityImpl) ChallengeTypeEnabled ¶

func (pa *AuthorityImpl) ChallengeTypeEnabled(t core.AcmeChallenge) bool

ChallengeTypeEnabled returns whether the specified challenge type is enabled

func (*AuthorityImpl) ChallengesFor ¶

func (pa *AuthorityImpl) ChallengesFor(identifier identifier.ACMEIdentifier) ([]core.Challenge, error)

ChallengesFor determines which challenge types are acceptable for the given identifier, and constructs new challenge objects for those challenge types. The resulting challenge objects all share a single challenge token and are returned in a random order.

func (*AuthorityImpl) CheckAuthz ¶

func (pa *AuthorityImpl) CheckAuthz(authz *core.Authorization) error

CheckAuthz determines that an authorization was fulfilled by a challenge that was appropriate for the kind of identifier in the authorization.

func (*AuthorityImpl) LoadHostnamePolicyFile ¶

func (pa *AuthorityImpl) LoadHostnamePolicyFile(f string) error

LoadHostnamePolicyFile will load the given policy file, returning an error if it fails.

func (*AuthorityImpl) WillingToIssue ¶

func (pa *AuthorityImpl) WillingToIssue(domains []string) error

WillingToIssue determines whether the CA is willing to issue for the provided domains. It expects each domain to be lowercase to prevent mismatched cases breaking queries.

We place several criteria on domains we are willing to issue for:

MUST contain only bytes in the DNS hostname character set
MUST NOT have more than maxLabels labels
MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181

In particular, it:

MUST NOT contain underscores
MUST NOT match the syntax of an IP address
MUST end in a public suffix
MUST have at least one label in addition to the public suffix
MUST NOT be a label-wise suffix match for a name on the block list, where comparison is case-independent (normalized to lower case)

If a domain contains a *, we additionally require:

There is at most one `*` wildcard character
That the wildcard character is the leftmost label
That the wildcard label is not immediately adjacent to a top level ICANN TLD
That the wildcard wouldn't cover an exact blocklist entry (e.g. an exact blocklist entry for "foo.example.com" should prevent issuance for "*.example.com")

If any of the domains are not valid then an error with suberrors specific to the rejected domains will be returned.

Source Files ¶

View all Source files

pa.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL