package ra
Version: v0.0.0-...-94d1468
Published: Apr 18, 2024 License: MPL-2.0 Imports: 50 Imported by: 4

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type RegistrationAuthorityImpl

type RegistrationAuthorityImpl struct {
	rapb.UnimplementedRegistrationAuthorityServer
	CA   capb.CertificateAuthorityClient
	OCSP capb.OCSPGeneratorClient
	VA   vapb.VAClient
	SA   sapb.StorageAuthorityClient
	PA   core.PolicyAuthority
	// contains filtered or unexported fields
}

RegistrationAuthorityImpl defines an RA.

NOTE: All of the fields in RegistrationAuthorityImpl need to be populated, or there is a risk of panic.

func NewRegistrationAuthorityImpl

func NewRegistrationAuthorityImpl(
	clk clock.Clock,
	logger blog.Logger,
	stats prometheus.Registerer,
	maxContactsPerReg int,
	keyPolicy goodkey.KeyPolicy,
	limiter *ratelimits.Limiter,
	txnBuilder *ratelimits.TransactionBuilder,
	maxNames int,
	authorizationLifetime time.Duration,
	pendingAuthorizationLifetime time.Duration,
	pubc pubpb.PublisherClient,
	caaClient caaChecker,
	orderLifetime time.Duration,
	finalizeTimeout time.Duration,
	ctp *ctpolicy.CTPolicy,
	purger akamaipb.AkamaiPurgerClient,
	issuers []*issuance.Certificate,
) *RegistrationAuthorityImpl

NewRegistrationAuthorityImpl constructs a new RA object.

func (*RegistrationAuthorityImpl) AdministrativelyRevokeCertificate

func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, req *rapb.AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error)

AdministrativelyRevokeCertificate terminates trust in the certificate provided and does not require the registration ID of the requester since this method is only called from the admin-revoker tool. It trusts that the admin is doing the right thing, so if the requested reason is keyCompromise, it blocks the key from future issuance even though compromise has not been demonstrated here. It purges the certificate from the Akamai cache, and returns an error if that purge fails, since this method may be called late in the BRs-mandated revocation timeframe.

func (*RegistrationAuthorityImpl) DeactivateAuthorization

func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context, req *corepb.Authorization) (*emptypb.Empty, error)

DeactivateAuthorization deactivates a currently valid authorization.

func (*RegistrationAuthorityImpl) DeactivateRegistration

func (ra *RegistrationAuthorityImpl) DeactivateRegistration(ctx context.Context, reg *corepb.Registration) (*emptypb.Empty, error)

DeactivateRegistration deactivates a valid registration.

func (*RegistrationAuthorityImpl) DrainFinalize

func (ra *RegistrationAuthorityImpl) DrainFinalize()

func (*RegistrationAuthorityImpl) FinalizeOrder

FinalizeOrder accepts a request to finalize an order object and, if possible, issues a certificate to satisfy the order. If an order does not have valid, unexpired authorizations for all of its associated names an error is returned. Similarly we vet that all of the names in the order are acceptable based on current policy and return an error if the order can't be fulfilled. If successful the order will be returned in processing status for the client to poll while awaiting finalization to occur.
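The first precondition above, that every name in the order is backed by a valid, unexpired authorization, as an added example written for this page rather than taken from Boulder: the Authz type, the status strings and the CheckOrderAuthorizations function are assumptions standing in for the corepb messages and the storage-authority lookup, and the clock is passed in explicitly the way the RA takes a clock.Clock. The constructed input exercises the cases a practitioner wants to see rejected: an authorization that is valid but already expired, one that is still pending, and a name with no authorization at all, with names compared case-insensitively.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthzStatus mirrors the ACME authorization states (assumed string form).
type AuthzStatus string

const (
	StatusPending     AuthzStatus = "pending"
	StatusValid       AuthzStatus = "valid"
	StatusInvalid     AuthzStatus = "invalid"
	StatusDeactivated AuthzStatus = "deactivated"
	StatusExpired     AuthzStatus = "expired"
)

// Authz is a minimal stand-in for an authorization record, constructed for
// this example; it is not the corepb.Authorization message.
type Authz struct {
	Identifier string
	Status     AuthzStatus
	Expires    time.Time
}

// UsableAt reports whether the authorization can back issuance at instant now:
// it must be in the valid state and its expiry must still be in the future.
func (a Authz) UsableAt(now time.Time) bool {
	return a.Status == StatusValid && a.Expires.After(now)
}

// CheckOrderAuthorizations returns the (lower-cased, de-duplicated) order
// names that have no valid, unexpired authorization at time now, or nil when
// every name is covered and the order may proceed to issuance.
func CheckOrderAuthorizations(now time.Time, names []string, authzs []Authz) []string {
	usable := make(map[string]bool, len(authzs))
	for _, a := range authzs {
		if a.UsableAt(now) {
			usable[strings.ToLower(a.Identifier)] = true
		}
	}
	var missing []string
	seen := make(map[string]bool, len(names))
	for _, n := range names {
		n = strings.ToLower(n)
		if seen[n] {
			continue
		}
		seen[n] = true
		if !usable[n] {
			missing = append(missing, n)
		}
	}
	return missing
}

func main() {
	// Constructed sample: a fixed "now" so the expiry edge is deterministic.
	now := time.Date(2024, 4, 18, 12, 0, 0, 0, time.UTC)
	authzs := []Authz{
		{"example.com", StatusValid, now.Add(24 * time.Hour)},
		{"www.example.com", StatusValid, now.Add(-time.Minute)},     // valid but expired
		{"api.example.com", StatusPending, now.Add(24 * time.Hour)}, // never validated
	}
	names := []string{"Example.COM", "www.example.com", "api.example.com", "mail.example.com"}
	if missing := CheckOrderAuthorizations(now, names, authzs); len(missing) > 0 {
		fmt.Printf("order cannot be finalized; uncovered names: %v\n", missing)
	} else {
		fmt.Println("all names authorized; order may proceed to issuance")
	}
}
```

Because the comparison is `Expires.After(now)`, an authorization whose expiry equals the current instant is already unusable; with a real clock that boundary is hard to hit in a test, which is the practical reason for injecting the clock rather than calling time.Now inside the check.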

func (*RegistrationAuthorityImpl) GenerateOCSP

GenerateOCSP looks up a certificate's status, then requests a signed OCSP response for it from the CA. If the certificate status is not available or the certificate is expired, it returns berrors.NotFoundError.

func (*RegistrationAuthorityImpl) LoadRateLimitPoliciesFile

func (ra *RegistrationAuthorityImpl) LoadRateLimitPoliciesFile(filename string) error

func (*RegistrationAuthorityImpl) NewOrder

NewOrder creates a new order object

func (*RegistrationAuthorityImpl) NewRegistration

func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, request *corepb.Registration) (*corepb.Registration, error)

NewRegistration constructs a new Registration from a request.

func (*RegistrationAuthorityImpl) PerformValidation

PerformValidation initiates validation for a specific challenge associated with the given base authorization. The authorization and challenge are updated based on the results.

func (*RegistrationAuthorityImpl) RevokeCertByApplicant

RevokeCertByApplicant revokes the certificate in question. It allows any revocation reason from (0, 1, 3, 4, 5, 9), because Subscribers are allowed to request any revocation reason for their own certificates. However, if the requesting RegID is an account which has authorizations for all names in the cert but is *not* the original subscriber, it overrides the revocation reason to be 5 (cessationOfOperation), because that code is used to cover instances where "the certificate subscriber no longer owns the domain names in the certificate". It does not add the key to the blocked keys list, even if reason 1 (keyCompromise) is requested, as it does not demonstrate said compromise. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.

func (*RegistrationAuthorityImpl) RevokeCertByKey

RevokeCertByKey revokes the certificate in question. It always uses reason code 1 (keyCompromise). It ensures that the public key is added to the blocked keys list, even if revocation otherwise fails. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.
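The three revocation entry points documented above (AdministrativelyRevokeCertificate, RevokeCertByApplicant and RevokeCertByKey) differ in which reason codes they accept, whether the certificate's key ends up on the blocked-keys list, and whether a failed cache purge is fatal. The following is an added example, written for this page and not Boulder's own code, that models that policy as one decision function and pairs it with a blocked-keys store keyed on the SHA-256 of the key's DER SubjectPublicKeyInfo. The RevocationPath and Decision types, the DecideRevocation and SPKIDigest functions, the in-memory BlockedKeys map and the hex-digest key representation are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// CRLReason codes (RFC 5280, section 5.3.1) that subscribers may request.
const (
	ReasonUnspecified          = 0
	ReasonKeyCompromise        = 1
	ReasonAffiliationChanged   = 3
	ReasonSuperseded           = 4
	ReasonCessationOfOperation = 5
	ReasonPrivilegeWithdrawn   = 9
)

// RevocationPath identifies which RA entry point received the request (assumed type).
type RevocationPath int

const (
	ByApplicant RevocationPath = iota // RevokeCertByApplicant
	ByKey                             // RevokeCertByKey
	ByAdmin                           // AdministrativelyRevokeCertificate
)

// Decision is the outcome of applying the revocation policy to one request.
type Decision struct {
	Reason       int  // CRLReason to record
	BlockKey     bool // add the key's SPKI hash to the blocked-keys list
	PurgeIsFatal bool // a failed cache purge fails the call instead of being tolerated
}

var subscriberReasons = map[int]bool{0: true, 1: true, 3: true, 4: true, 5: true, 9: true}

// DecideRevocation applies the documented policy. isSubscriber is true when the
// requesting account originally obtained the certificate, false when it merely
// holds authorizations for all of the certificate's names.
func DecideRevocation(path RevocationPath, requested int, isSubscriber bool) (Decision, error) {
	switch path {
	case ByKey:
		// Signing the request with the certificate key demonstrates compromise:
		// the reason is forced to keyCompromise and the key is always blocked.
		return Decision{Reason: ReasonKeyCompromise, BlockKey: true}, nil
	case ByAdmin:
		// The operator is trusted: keyCompromise blocks the key without proof,
		// and a failed purge is an error because revocation may be near its deadline.
		return Decision{Reason: requested, BlockKey: requested == ReasonKeyCompromise, PurgeIsFatal: true}, nil
	case ByApplicant:
		if !subscriberReasons[requested] {
			return Decision{}, fmt.Errorf("reason %d is not permitted for subscriber revocation", requested)
		}
		reason := requested
		if !isSubscriber {
			reason = ReasonCessationOfOperation // name holder, not the original subscriber
		}
		// Compromise was not demonstrated, so even a requested reason 1 does not block the key.
		return Decision{Reason: reason, BlockKey: false}, nil
	}
	return Decision{}, fmt.Errorf("unknown revocation path %d", path)
}

// SPKIDigest returns the hex SHA-256 of the DER SubjectPublicKeyInfo, the
// identifier this example uses for blocked keys.
func SPKIDigest(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// BlockedKeys is an in-memory stand-in for the blocked-keys store.
type BlockedKeys map[string]bool

func (b BlockedKeys) Block(pub interface{}) error {
	d, err := SPKIDigest(pub)
	if err == nil {
		b[d] = true
	}
	return err
}

func (b BlockedKeys) IsBlocked(pub interface{}) (bool, error) {
	d, err := SPKIDigest(pub)
	return b[d], err
}

// DemoBlocklist generates a key, requests keyCompromise revocation via the
// applicant path and then via the by-key path, and reports whether the key
// was blocked after each step.
func DemoBlocklist() (afterApplicant, afterByKey bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	blocked := BlockedKeys{}
	apply := func(path RevocationPath) (bool, error) {
		d, err := DecideRevocation(path, ReasonKeyCompromise, true)
		if err != nil {
			return false, err
		}
		if d.BlockKey {
			if err := blocked.Block(&priv.PublicKey); err != nil {
				return false, err
			}
		}
		return blocked.IsBlocked(&priv.PublicKey)
	}
	if afterApplicant, err = apply(ByApplicant); err != nil {
		return false, false, err
	}
	afterByKey, err = apply(ByKey)
	return afterApplicant, afterByKey, err
}

func main() {
	a, b, err := DemoBlocklist()
	if err != nil {
		panic(err)
	}
	fmt.Printf("blocked after applicant keyCompromise: %v; after by-key revocation: %v\n", a, b)
}
```

The security-relevant property this makes explicit is that a blocked-keys entry is only ever created when compromise has been demonstrated (the by-key path) or asserted by an operator (the admin path); the applicant path, which anyone controlling the names can reach, can never add a key to the list, so it cannot be used to deny future issuance for a key its caller may not hold.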

func (*RegistrationAuthorityImpl) UpdateRegistration

UpdateRegistration updates an existing Registration with new values. Caller is responsible for making sure that update.Key is only different from base.Key if it is being called from the WFE key change endpoint. TODO(#5554): Split this into separate methods for updating Contacts vs Key.
