boulder

package policy

import ""


Package Files


type AuthorityImpl

type AuthorityImpl struct {
    // contains filtered or unexported fields
}

AuthorityImpl enforces CA policy decisions.

func New

func New(challengeTypes map[string]bool) (*AuthorityImpl, error)

New constructs a Policy Authority.

func (*AuthorityImpl) ChallengeTypeEnabled

func (pa *AuthorityImpl) ChallengeTypeEnabled(t string) bool

ChallengeTypeEnabled returns whether the specified challenge type is enabled.

func (*AuthorityImpl) ChallengesFor

func (pa *AuthorityImpl) ChallengesFor(identifier identifier.ACMEIdentifier) ([]core.Challenge, error)

ChallengesFor decides which challenges are acceptable for the given identifier.

func (*AuthorityImpl) SetHostnamePolicyFile

func (pa *AuthorityImpl) SetHostnamePolicyFile(f string) error

SetHostnamePolicyFile loads the given policy file, returning an error if loading fails. It also starts a reloader so that changes to the file are picked up.

func (*AuthorityImpl) ValidDomain

func (pa *AuthorityImpl) ValidDomain(domain string) error

ValidDomain checks that a domain isn't:

* empty
* prefixed with the wildcard label `*.`
* made of invalid DNS characters
* longer than the maxDNSIdentifierLength
* an IPv4 or IPv6 address
* suffixed with just "."
* made of too many DNS labels
* made of any invalid DNS labels
* suffixed with something other than an IANA registered TLD
* exactly equal to an IANA registered TLD

It does _not_ check that the domain isn't on any PA blocked lists.

func (*AuthorityImpl) WillingToIssue

func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error

WillingToIssue determines whether the CA is willing to issue for the provided identifier. It expects domains in id to be lowercase to prevent mismatched cases breaking queries.

We place several criteria on identifiers we are willing to issue for:

* MUST self-identify as DNS identifiers
* MUST contain only bytes in the DNS hostname character set
* MUST NOT have more than maxLabels labels
* MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181
  In particular:
  * MUST NOT contain underscores
* MUST NOT match the syntax of an IP address
* MUST end in a public suffix
* MUST have at least one label in addition to the public suffix
* MUST NOT be a label-wise suffix match for a name on the block list,
  where comparison is case-independent (normalized to lower case)

If WillingToIssue returns an error, it will be of type MalformedRequestError or RejectedIdentifierError.

func (*AuthorityImpl) WillingToIssueWildcards

func (pa *AuthorityImpl) WillingToIssueWildcards(idents []identifier.ACMEIdentifier) error

WillingToIssueWildcards is an extension of WillingToIssue that accepts DNS identifiers for well-formed wildcard domains in addition to regular identifiers.

All provided identifiers are run through WillingToIssue and any errors are returned. In addition to the regular WillingToIssue checks, this function also checks each wildcard identifier to enforce that:

* The identifier is a DNS type identifier
* There is at most one `*` wildcard character
* The wildcard character is the leftmost label
* The wildcard label is not immediately adjacent to a top level ICANN
* The wildcard wouldn't cover an exact blocklist entry (e.g. an exact blocklist entry for "" should prevent issuance for

If any of the identifiers are not valid, an error with suberrors specific to the rejected identifiers will be returned.
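The following is an added example, not code from the boulder policy package, that implements the checks described above for ValidDomain, WillingToIssue and WillingToIssueWildcards on plain strings rather than on identifier.ACMEIdentifier values. The public suffix set, the label-wise block list and the exact block list are constructed stand-ins (the real package loads its data from files), the regular expression and the constants are assumptions about what "valid DNS label" and "maxDNSIdentifierLength" mean, and "adjacent to a top level ICANN" is approximated as "the base name is itself a public suffix".

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed stand-ins (assumptions, not Boulder's data) for the public
// suffix list and for the two block lists: label-wise suffix and exact.
var (
	publicSuffixes    = map[string]bool{"com": true, "org": true, "co.uk": true}
	blockedSuffixes   = map[string]bool{"example.com": true, "bank.org": true}
	exactBlockedNames = map[string]bool{"mail.acme.org": true}
)

const maxDNSIdentifierLength, maxLabels = 253, 10

// One hostname label, at most 63 bytes: lower-case letters, digits and
// interior hyphens. Underscores and upper case fail (names arrive lower-cased).
var labelRegexp = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// longestSuffixIn returns the longest label-wise suffix of domain in set, or "".
func longestSuffixIn(domain string, set map[string]bool) string {
	labels := strings.Split(domain, ".")
	for i := range labels {
		if s := strings.Join(labels[i:], "."); set[s] {
			return s
		}
	}
	return ""
}

// validDomain applies the syntax checks listed for ValidDomain; like the
// original it does not consult any block list.
func validDomain(domain string) error {
	switch {
	case domain == "":
		return errors.New("empty domain")
	case strings.HasPrefix(domain, "*."):
		return errors.New("wildcard label not allowed here")
	case len(domain) > maxDNSIdentifierLength:
		return errors.New("domain too long")
	case net.ParseIP(domain) != nil:
		return errors.New("IP address is not a DNS name")
	case strings.HasSuffix(domain, "."):
		return errors.New("domain must not end in a dot")
	}
	labels := strings.Split(domain, ".")
	if len(labels) > maxLabels {
		return errors.New("too many labels")
	}
	for _, l := range labels {
		if !labelRegexp.MatchString(l) { // also rejects invalid characters
			return fmt.Errorf("invalid label %q", l)
		}
	}
	switch longestSuffixIn(domain, publicSuffixes) {
	case "":
		return errors.New("domain does not end in a public suffix")
	case domain:
		return errors.New("domain is exactly a public suffix")
	}
	return nil
}

// willingToIssue combines the syntax checks with both block lists.
func willingToIssue(domain string) error {
	if err := validDomain(domain); err != nil {
		return err
	}
	lower := strings.ToLower(domain)
	if longestSuffixIn(lower, blockedSuffixes) != "" || exactBlockedNames[lower] {
		return fmt.Errorf("%q is blocked by policy", domain)
	}
	return nil
}

// willingToIssueWildcard adds the wildcard rules: a single "*", only as the
// leftmost label, not directly on a public suffix, and not covering an exact
// block list entry ("*.mail.acme.org" fails because "mail.acme.org" is listed).
func willingToIssueWildcard(name string) error {
	if !strings.HasPrefix(name, "*.") {
		return willingToIssue(name) // a "*" anywhere else fails the label check
	}
	if strings.Count(name, "*") > 1 {
		return errors.New("more than one wildcard label")
	}
	base := strings.TrimPrefix(name, "*.")
	if longestSuffixIn(base, publicSuffixes) == base {
		return errors.New("wildcard label adjacent to a public suffix")
	}
	return willingToIssue(base)
}

func main() {
	fmt.Println(willingToIssueWildcard("*.acme.org"), willingToIssueWildcard("*.mail.acme.org"))
}
```

The order of checks matters for the error a client sees: the syntax checks run before any block list lookup, so a malformed name never reveals whether it is also blocked, and the exact block list is consulted only for the base name of a wildcard, which is what makes "sub.mail.acme.org" issuable while "*.mail.acme.org" is not.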

Package policy imports 17 packages and is imported by 147 packages. Updated 2020-04-12.