Documentation
¶
Index ¶
- Constants
- Variables
- func Fingerprint256(data []byte) string
- func GetBuildHost() (retID string)
- func GetBuildID() (retID string)
- func GetBuildTime() (retID string)
- func IsASCII(str string) bool
- func KeyDigest(key crypto.PublicKey) (string, error)
- func KeyDigestEquals(j, k crypto.PublicKey) bool
- func LoadCert(filename string) (cert *x509.Certificate, err error)
- func LoadCertBundle(filename string) ([]*x509.Certificate, error)
- func LooksLikeAToken(token string) bool
- func NewToken() string
- func PublicKeysEqual(a, b interface{}) (bool, error)
- func RandomString(byteLength int) string
- func RetryBackoff(retries int, base, max time.Duration, factor float64) time.Duration
- func SerialToString(serial *big.Int) string
- func StringToSerial(serial string) (*big.Int, error)
- func UniqueLowerNames(names []string) (unique []string)
- func ValidChallenge(name string) bool
- func ValidSerial(serial string) bool
- type AcmeIdentifier
- type AcmeResource
- type AcmeStatus
- type Authorization
- type Buffer
- type CRL
- type CertDER
- type Certificate
- type CertificateAuthority
- type CertificateRequest
- type CertificateStatus
- type Challenge
- type FQDNSet
- type IdentifierData
- type IdentifierType
- type JSONBuffer
- type OCSPResponse
- type OCSPSigningRequest
- type OCSPStatus
- type Order
- type PolicyAuthority
- type Precertificate
- type Publisher
- type RawCertificateRequest
- type Registration
- type RegistrationAuthority
- type SCTDERs
- type SignedCertificateTimestamp
- type StorageAdder
- type StorageAuthority
- type StorageGetter
- type ValidationAuthority
- type ValidationRecord
- type WebFrontEnd
Constants ¶
const ( StatusUnknown = AcmeStatus("unknown") // Unknown status; the default StatusPending = AcmeStatus("pending") // In process; client has next action StatusProcessing = AcmeStatus("processing") // In process; server has next action StatusReady = AcmeStatus("ready") // Order is ready for finalization StatusValid = AcmeStatus("valid") // Object is valid StatusInvalid = AcmeStatus("invalid") // Validation failed StatusRevoked = AcmeStatus("revoked") // Object no longer valid StatusDeactivated = AcmeStatus("deactivated") // Object has been deactivated )
These statuses are the states of authorizations, challenges, and registrations
const ( ResourceNewReg = AcmeResource("new-reg") ResourceNewAuthz = AcmeResource("new-authz") ResourceNewCert = AcmeResource("new-cert") ResourceRevokeCert = AcmeResource("revoke-cert") ResourceRegistration = AcmeResource("reg") ResourceChallenge = AcmeResource("challenge") ResourceAuthz = AcmeResource("authz") ResourceKeyChange = AcmeResource("key-change") )
The types of ACME resources
const ( OCSPStatusGood = OCSPStatus("good") OCSPStatusRevoked = OCSPStatus("revoked") )
These status are the states of OCSP
const ( ChallengeTypeHTTP01 = "http-01" ChallengeTypeTLSSNI01 = "tls-sni-01" ChallengeTypeDNS01 = "dns-01" ChallengeTypeTLSALPN01 = "tls-alpn-01" )
These types are the available challenges
const DNSPrefix = "_acme-challenge"
DNSPrefix is attached to DNS names in DNS challenges
const (
IdentifierDNS = IdentifierType("dns")
)
These types are the available identification mechanisms
const TLSSNISuffix = "acme.invalid"
TLSSNISuffix is appended to pseudo-domain names in DVSNI challenges
Variables ¶
var BuildHost string
BuildHost is set by the compiler and is used by GetBuildHost
var BuildID string
BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)") and is used by GetBuildID
var BuildTime string
BuildTime is set by the compiler and is used by GetBuildTime
var RandReader randSource = rand.Reader
RandReader is used so that it can be replaced in tests that require deterministic output
Functions ¶
func Fingerprint256 ¶
Fingerprint256 produces an unpadded, URL-safe Base64-encoded SHA256 digest of the data.
func GetBuildTime ¶
func GetBuildTime() (retID string)
GetBuildTime identifies when this build was made
func IsASCII ¶
IsASCII determines if every character in a string is encoded in the ASCII character set.
func KeyDigest ¶
KeyDigest produces a padded, standard Base64-encoded SHA256 digest of a provided public key.
func KeyDigestEquals ¶
KeyDigestEquals determines whether two public keys have the same digest.
func LoadCert ¶
func LoadCert(filename string) (cert *x509.Certificate, err error)
LoadCert loads a PEM certificate specified by filename or returns an error
func LoadCertBundle ¶
func LoadCertBundle(filename string) ([]*x509.Certificate, error)
LoadCertBundle loads a PEM bundle of certificates from disk
func LooksLikeAToken ¶
LooksLikeAToken checks whether a string represents a 32-octet value in the URL-safe base64 alphabet.
func PublicKeysEqual ¶
PublicKeysEqual determines whether two public keys have the same marshalled bytes as one another
func RandomString ¶
RandomString returns a randomly generated string of the requested length.
func RetryBackoff ¶
RetryBackoff calculates a backoff time based on number of retries, will always add jitter so requests that start in unison won't fall into lockstep. Because of this the returned duration can always be larger than the maximum by a factor of retryJitter. Adapted from https://github.com/grpc/grpc-go/blob/v1.11.3/backoff.go#L77-L96
func SerialToString ¶
SerialToString converts a certificate serial number (big.Int) to a String consistently.
func StringToSerial ¶
StringToSerial converts a string into a certificate serial number (big.Int) consistently.
func UniqueLowerNames ¶
UniqueLowerNames returns the set of all unique names in the input after all of them are lowercased. The returned names will be in their lowercased form and sorted alphabetically.
func ValidChallenge ¶
ValidChallenge tests whether the provided string names a known challenge
func ValidSerial ¶
ValidSerial tests whether the input string represents a syntactically valid serial number, i.e., that it is a valid hex string between 32 and 36 characters long.
Types ¶
type AcmeIdentifier ¶
type AcmeIdentifier struct {
Type IdentifierType `json:"type"` // The type of identifier being encoded
Value string `json:"value"` // The identifier itself
}
An AcmeIdentifier encodes an identifier that can be validated by ACME. The protocol allows for different types of identifier to be supported (DNS names, IP addresses, etc.), but currently we only support domain names.
type AcmeResource ¶
type AcmeResource string
AcmeResource values identify different types of ACME resources
type Authorization ¶
type Authorization struct {
// An identifier for this authorization, unique across
// authorizations and certificates within this instance.
ID string `json:"id,omitempty" db:"id"`
// The identifier for which authorization is being given
Identifier AcmeIdentifier `json:"identifier,omitempty" db:"identifier"`
// The registration ID associated with the authorization
RegistrationID int64 `json:"regId,omitempty" db:"registrationID"`
// The status of the validation of this authorization
Status AcmeStatus `json:"status,omitempty" db:"status"`
// The date after which this authorization will be no
// longer be considered valid. Note: a certificate may be issued even on the
// last day of an authorization's lifetime. The last day for which someone can
// hold a valid certificate based on an authorization is authorization
// lifetime + certificate lifetime.
Expires *time.Time `json:"expires,omitempty" db:"expires"`
// An array of challenges objects used to validate the
// applicant's control of the identifier. For authorizations
// in process, these are challenges to be fulfilled; for
// final authorizations, they describe the evidence that
// the server used in support of granting the authorization.
Challenges []Challenge `json:"challenges,omitempty" db:"-"`
// The server may suggest combinations of challenges if it
// requires more than one challenge to be completed.
Combinations [][]int `json:"combinations,omitempty" db:"combinations"`
// Wildcard is a Boulder-specific Authorization field that indicates the
// authorization was created as a result of an order containing a name with
// a `*.`wildcard prefix. This will help convey to users that an
// Authorization with the identifier `example.com` and one DNS-01 challenge
// corresponds to a name `*.example.com` from an associated order.
Wildcard bool `json:"wildcard,omitempty" db:"-"`
}
Authorization represents the authorization of an account key holder to act on behalf of a domain. This struct is intended to be used both internally and for JSON marshaling on the wire. Any fields that should be suppressed on the wire (e.g., ID, regID) must be made empty before marshaling.
func (*Authorization) FindChallenge ¶
func (authz *Authorization) FindChallenge(challengeID int64) int
FindChallenge will look for the given challenge inside this authorization. If found, it will return the index of that challenge within the Authorization's Challenges array. Otherwise it will return -1.
func (*Authorization) SolvedBy ¶
func (authz *Authorization) SolvedBy() string
SolvedBy will look through the Authorizations challenges, returning the type of the *first* challenge it finds with Status: valid, or "" if no challenge is valid.
type CRL ¶
type CRL struct {
// serial: Same as certificate serial.
Serial string `db:"serial"`
// createdAt: The date the CRL was signed.
CreatedAt time.Time `db:"createdAt"`
// crl: The encoded and signed CRL.
CRL string `db:"crl"`
}
CRL is a large table of signed CRLs. This contains all historical CRLs we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.
type CertDER ¶
type CertDER []byte
CertDER is a convenience type that helps differentiate what the underlying byte slice contains
type Certificate ¶
type Certificate struct {
RegistrationID int64 `db:"registrationID"`
Serial string `db:"serial"`
Digest string `db:"digest"`
DER []byte `db:"der"`
Issued time.Time `db:"issued"`
Expires time.Time `db:"expires"`
}
Certificate objects are entirely internal to the server. The only thing exposed on the wire is the certificate itself.
type CertificateAuthority ¶
type CertificateAuthority interface {
// [RegistrationAuthority]
IssueCertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (Certificate, error)
// [RegistrationAuthority]
IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error)
// [RegistrationAuthority]
IssueCertificateForPrecertificate(ctx context.Context, req *caPB.IssueCertificateForPrecertificateRequest) (Certificate, error)
GenerateOCSP(ctx context.Context, ocspReq OCSPSigningRequest) ([]byte, error)
}
CertificateAuthority defines the public interface for the Boulder CA
type CertificateRequest ¶
type CertificateRequest struct {
CSR *x509.CertificateRequest // The CSR
Bytes []byte // The original bytes of the CSR, for logging.
}
CertificateRequest is just a CSR
This data is unmarshalled from JSON by way of RawCertificateRequest, which represents the actual structure received from the client.
func (CertificateRequest) MarshalJSON ¶
func (cr CertificateRequest) MarshalJSON() ([]byte, error)
MarshalJSON provides an implementation for encoding CertificateRequest objects.
func (*CertificateRequest) UnmarshalJSON ¶
func (cr *CertificateRequest) UnmarshalJSON(data []byte) error
UnmarshalJSON provides an implementation for decoding CertificateRequest objects.
type CertificateStatus ¶
type CertificateStatus struct {
Serial string `db:"serial"`
// status: 'good' or 'revoked'. Note that good, expired certificates remain
// with status 'good' but don't necessarily get fresh OCSP responses.
Status OCSPStatus `db:"status"`
// ocspLastUpdated: The date and time of the last time we generated an OCSP
// response. If we have never generated one, this has the zero value of
// time.Time, i.e. Jan 1 1970.
OCSPLastUpdated time.Time `db:"ocspLastUpdated"`
// revokedDate: If status is 'revoked', this is the date and time it was
// revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.
RevokedDate time.Time `db:"revokedDate"`
// revokedReason: If status is 'revoked', this is the reason code for the
// revocation. Otherwise it is zero (which happens to be the reason
// code for 'unspecified').
RevokedReason revocation.Reason `db:"revokedReason"`
LastExpirationNagSent time.Time `db:"lastExpirationNagSent"`
// The encoded and signed OCSP response.
OCSPResponse []byte `db:"ocspResponse"`
// For performance reasons[0] we duplicate the `Expires` field of the
// `Certificates` object/table in `CertificateStatus` to avoid a costly `JOIN`
// later on just to retrieve this `Time` value. This helps both the OCSP
// updater and the expiration-mailer stay performant.
//
// Similarly, we add an explicit `IsExpired` boolean to `CertificateStatus`
// table that the OCSP updater so that the database can create a meaningful
// index on `(isExpired, ocspLastUpdated)` without a `JOIN` on `certificates`.
// For more detail see Boulder #1864[0].
//
// [0]: https://github.com/letsencrypt/boulder/issues/1864
NotAfter time.Time `db:"notAfter"`
IsExpired bool `db:"isExpired"`
}
CertificateStatus structs are internal to the server. They represent the latest data about the status of the certificate, required for OCSP updating and for validating that the subscriber has accepted the certificate.
type Challenge ¶
type Challenge struct {
ID int64 `json:"id,omitempty"`
// The type of challenge
Type string `json:"type"`
// The status of this challenge
Status AcmeStatus `json:"status,omitempty"`
// Contains the error that occurred during challenge validation, if any
Error *probs.ProblemDetails `json:"error,omitempty"`
// A URI to which a response can be POSTed
URI string `json:"uri,omitempty"`
// For the V2 API the "URI" field is deprecated in favour of URL.
URL string `json:"url,omitempty"`
// Used by http-01, tls-sni-01, tls-alpn-01 and dns-01 challenges
Token string `json:"token,omitempty"`
// The expected KeyAuthorization for validation of the challenge. Populated by
// the RA prior to passing the challenge to the VA. For legacy reasons this
// field is called "ProvidedKeyAuthorization" because it was initially set by
// the content of the challenge update POST from the client. It is no longer
// set that way and should be renamed to "KeyAuthorization".
// TODO(@cpu): Rename `ProvidedKeyAuthorization` to `KeyAuthorization`.
ProvidedKeyAuthorization string `json:"keyAuthorization,omitempty"`
// Contains information about URLs used or redirected to and IPs resolved and
// used
ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
}
Challenge is an aggregate of all data needed for any challenges.
Rather than define individual types for different types of challenge, we just throw all the elements into one bucket, together with the common metadata elements.
func DNSChallenge01 ¶
func DNSChallenge01() Challenge
DNSChallenge01 constructs a random dns-01 challenge
func HTTPChallenge01 ¶
func HTTPChallenge01() Challenge
HTTPChallenge01 constructs a random http-01 challenge
func TLSALPNChallenge01 ¶
func TLSALPNChallenge01() Challenge
TLSALPNChallenge01 constructs a random tls-alpn-01 challenge
func TLSSNIChallenge01 ¶
func TLSSNIChallenge01() Challenge
TLSSNIChallenge01 constructs a random tls-sni-01 challenge
func (Challenge) CheckConsistencyForClientOffer ¶
CheckConsistencyForClientOffer checks the fields of a challenge object before it is given to the client.
func (Challenge) CheckConsistencyForValidation ¶
CheckConsistencyForValidation checks the fields of a challenge object before it is given to the VA.
func (Challenge) ExpectedKeyAuthorization ¶
ExpectedKeyAuthorization computes the expected KeyAuthorization value for the challenge.
func (Challenge) RecordsSane ¶
RecordsSane checks the sanity of a ValidationRecord object before sending it back to the RA to be stored.
type FQDNSet ¶
FQDNSet contains the SHA256 hash of the lowercased, comma joined dNSNames contained in a certificate.
type IdentifierData ¶
type IdentifierData struct {
ReversedName string `db:"reversedName"` // The label-wise reverse of an identifier, e.g. com.example or com.example.*
CertSHA1 string `db:"certSHA1"` // The hex encoding of the SHA-1 hash of a cert containing the identifier
}
IdentifierData holds information about what certificates are known for a given identifier. This is used to present Proof of Possession challenges in the case where a certificate already exists. The DB table holding IdentifierData rows contains information about certs issued by Boulder and also information about certs observed from third parties.
type IdentifierType ¶
type IdentifierType string
IdentifierType defines the available identification mechanisms for domains
type JSONBuffer ¶
type JSONBuffer []byte
JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding with stripped padding.
func (JSONBuffer) MarshalJSON ¶
func (jb JSONBuffer) MarshalJSON() (result []byte, err error)
MarshalJSON encodes a JSONBuffer for transmission.
func (*JSONBuffer) UnmarshalJSON ¶
func (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error)
UnmarshalJSON decodes a JSONBuffer to an object.
type OCSPResponse ¶
type OCSPResponse struct {
ID int `db:"id"`
// serial: Same as certificate serial.
Serial string `db:"serial"`
// createdAt: The date the response was signed.
CreatedAt time.Time `db:"createdAt"`
// response: The encoded and signed CRL.
Response []byte `db:"response"`
}
OCSPResponse is a (large) table of OCSP responses. This contains all historical OCSP responses we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.
type OCSPSigningRequest ¶
type OCSPSigningRequest struct {
CertDER []byte
Status string
Reason revocation.Reason
RevokedAt time.Time
}
OCSPSigningRequest is a transfer object representing an OCSP Signing Request
type Order ¶
type Order struct {
ID int64
RegistrationID int64
Expires time.Time
Error error
CertificateSerial string
Authorizations []Authorization
Status AcmeStatus
}
Order represents the request object that forms the basis of the v2 style issuance flow
type PolicyAuthority ¶
type PolicyAuthority interface {
WillingToIssue(domain AcmeIdentifier) error
WillingToIssueWildcard(domain AcmeIdentifier) error
ChallengesFor(domain AcmeIdentifier, registrationID int64, revalidation bool) (challenges []Challenge, validCombinations [][]int, err error)
ChallengeTypeEnabled(t string, registrationID int64) bool
}
PolicyAuthority defines the public interface for the Boulder PA
type Precertificate ¶
type Precertificate struct {
DER []byte `db:"der"`
}
Precertificate objects are entirely internal to the server. The only thing exposed on the wire is the precertificate itself.
type Publisher ¶
type Publisher interface {
SubmitToSingleCTWithResult(ctx context.Context, req *pubpb.Request) (*pubpb.Result, error)
}
Publisher defines the public interface for the Boulder Publisher
type RawCertificateRequest ¶
type RawCertificateRequest struct {
CSR JSONBuffer `json:"csr"` // The encoded CSR
}
type Registration ¶
type Registration struct {
// Unique identifier
ID int64 `json:"id" db:"id"`
// Account key to which the details are attached
Key *jose.JSONWebKey `json:"key"`
// Contact URIs
Contact *[]string `json:"contact,omitempty"`
// Agreement with terms of service
Agreement string `json:"agreement,omitempty"`
// InitialIP is the IP address from which the registration was created
InitialIP net.IP `json:"initialIp"`
// CreatedAt is the time the registration was created.
CreatedAt time.Time `json:"createdAt"`
Status AcmeStatus `json:"status"`
}
Registration objects represent non-public metadata attached to account keys.
type RegistrationAuthority ¶
type RegistrationAuthority interface {
// [WebFrontEnd]
NewRegistration(ctx context.Context, reg Registration) (Registration, error)
// [WebFrontEnd]
NewAuthorization(ctx context.Context, authz Authorization, regID int64) (Authorization, error)
// [WebFrontEnd]
NewCertificate(ctx context.Context, csr CertificateRequest, regID int64) (Certificate, error)
// [WebFrontEnd]
UpdateRegistration(ctx context.Context, base, updates Registration) (Registration, error)
// [WebFrontEnd]
UpdateAuthorization(ctx context.Context, authz Authorization, challengeIndex int, response Challenge) (Authorization, error)
// [WebFrontEnd]
RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, code revocation.Reason, regID int64) error
// [WebFrontEnd]
DeactivateRegistration(ctx context.Context, reg Registration) error
// [WebFrontEnd]
DeactivateAuthorization(ctx context.Context, auth Authorization) error
// [WebFrontEnd]
NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)
// [WebFrontEnd]
FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)
// [AdminRevoker]
AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, code revocation.Reason, adminName string) error
}
RegistrationAuthority defines the public interface for the Boulder RA
type SignedCertificateTimestamp ¶
type SignedCertificateTimestamp struct {
ID int `db:"id"`
// The version of the protocol to which the SCT conforms
SCTVersion uint8 `db:"sctVersion"`
// the SHA-256 hash of the log's public key, calculated over
// the DER encoding of the key represented as SubjectPublicKeyInfo.
LogID string `db:"logID"`
// Timestamp (in ms since unix epoc) at which the SCT was issued
Timestamp uint64 `db:"timestamp"`
// For future extensions to the protocol
Extensions []byte `db:"extensions"`
// The Log's signature for this SCT
Signature []byte `db:"signature"`
// The serial of the certificate this SCT is for
CertificateSerial string `db:"certificateSerial"`
LockCol int64
}
SignedCertificateTimestamp is the internal representation of ct.SignedCertificateTimestamp that is used to maintain backwards compatibility with our old CT implementation.
type StorageAdder ¶
type StorageAdder interface {
NewRegistration(ctx context.Context, reg Registration) (created Registration, err error)
UpdateRegistration(ctx context.Context, reg Registration) error
NewPendingAuthorization(ctx context.Context, authz Authorization) (Authorization, error)
UpdatePendingAuthorization(ctx context.Context, authz Authorization) error
FinalizeAuthorization(ctx context.Context, authz Authorization) error
MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error
AddCertificate(ctx context.Context, der []byte, regID int64, ocsp []byte, issued *time.Time) (digest string, err error)
RevokeAuthorizationsByDomain(ctx context.Context, domain AcmeIdentifier) (finalized, pending int64, err error)
DeactivateRegistration(ctx context.Context, id int64) error
DeactivateAuthorization(ctx context.Context, id string) error
NewOrder(ctx context.Context, order *corepb.Order) (*corepb.Order, error)
SetOrderProcessing(ctx context.Context, order *corepb.Order) error
FinalizeOrder(ctx context.Context, order *corepb.Order) error
AddPendingAuthorizations(ctx context.Context, req *sapb.AddPendingAuthorizationsRequest) (*sapb.AuthorizationIDs, error)
SetOrderError(ctx context.Context, order *corepb.Order) error
}
StorageAdder are the Boulder SA's write/update methods
type StorageAuthority ¶
type StorageAuthority interface {
StorageGetter
StorageAdder
}
StorageAuthority interface represents a simple key/value store. It is divided into StorageGetter and StorageUpdater interfaces for privilege separation.
type StorageGetter ¶
type StorageGetter interface {
GetRegistration(ctx context.Context, regID int64) (Registration, error)
GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (Registration, error)
GetAuthorization(ctx context.Context, authzID string) (Authorization, error)
GetValidAuthorizations(ctx context.Context, regID int64, domains []string, now time.Time) (map[string]*Authorization, error)
GetPendingAuthorization(ctx context.Context, req *sapb.GetPendingAuthorizationRequest) (*Authorization, error)
GetCertificate(ctx context.Context, serial string) (Certificate, error)
GetCertificateStatus(ctx context.Context, serial string) (CertificateStatus, error)
CountCertificatesByNames(ctx context.Context, domains []string, earliest, latest time.Time) (countByDomain []*sapb.CountByNames_MapElement, err error)
CountCertificatesByExactNames(ctx context.Context, domains []string, earliest, latest time.Time) (countByDomain []*sapb.CountByNames_MapElement, err error)
CountRegistrationsByIP(ctx context.Context, ip net.IP, earliest, latest time.Time) (int, error)
CountRegistrationsByIPRange(ctx context.Context, ip net.IP, earliest, latest time.Time) (int, error)
CountPendingAuthorizations(ctx context.Context, regID int64) (int, error)
CountOrders(ctx context.Context, acctID int64, earliest, latest time.Time) (int, error)
CountFQDNSets(ctx context.Context, window time.Duration, domains []string) (count int64, err error)
FQDNSetExists(ctx context.Context, domains []string) (exists bool, err error)
PreviousCertificateExists(ctx context.Context, req *sapb.PreviousCertificateExistsRequest) (exists *sapb.Exists, err error)
GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)
GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error)
GetValidOrderAuthorizations(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (map[string]*Authorization, error)
CountInvalidAuthorizations(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (count *sapb.Count, err error)
GetAuthorizations(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error)
}
StorageGetter are the Boulder SA's read-only methods
type ValidationAuthority ¶
type ValidationAuthority interface {
// PerformValidation checks the challenge with the given index in the
// given Authorization and returns the updated ValidationRecords.
//
// A failure to validate the Challenge will result in a error of type
// *probs.ProblemDetails.
//
// TODO(#1626): remove authz parameter
PerformValidation(ctx context.Context, domain string, challenge Challenge, authz Authorization) ([]ValidationRecord, error)
IsSafeDomain(ctx context.Context, req *vaPB.IsSafeDomainRequest) (resp *vaPB.IsDomainSafe, err error)
}
ValidationAuthority defines the public interface for the Boulder VA
type ValidationRecord ¶
type ValidationRecord struct {
// DNS only
Authorities []string `json:"-"`
// SimpleHTTP only
URL string `json:"url,omitempty"`
// Shared
Hostname string `json:"hostname"`
Port string `json:"port,omitempty"`
AddressesResolved []net.IP `json:"addressesResolved,omitempty"`
AddressUsed net.IP `json:"addressUsed,omitempty"`
// AddressesTried contains a list of addresses tried before the `AddressUsed`.
// Presently this will only ever be one IP from `AddressesResolved` since the
// only retry is in the case of a v6 failure with one v4 fallback. E.g. if
// a record with `AddressesResolved: { 127.0.0.1, ::1 }` were processed for
// a challenge validation with the IPv6 first flag on and the ::1 address
// failed but the 127.0.0.1 retry succeeded then the record would end up
// being:
// {
// ...
// AddressesResolved: [ 127.0.0.1, ::1 ],
// AddressUsed: 127.0.0.1
// AddressesTried: [ ::1 ],
// ...
// }
AddressesTried []net.IP `json:"addressesTried,omitempty"`
}
ValidationRecord represents a validation attempt against a specific URL/hostname and the IP addresses that were resolved and used
type WebFrontEnd ¶
type WebFrontEnd interface {
// Set the base URL for authorizations
SetAuthzBase(ctx context.Context, path string)
// Set the base URL for certificates
SetCertBase(ctx context.Context, path string)
// This method represents the ACME new-registration resource
NewRegistration(ctx context.Context, response http.ResponseWriter, request *http.Request)
// This method represents the ACME new-authorization resource
NewAuthz(ctx context.Context, response http.ResponseWriter, request *http.Request)
// This method represents the ACME new-certificate resource
NewCert(ctx context.Context, response http.ResponseWriter, request *http.Request)
// Provide access to requests for registration resources
Registration(ctx context.Context, response http.ResponseWriter, request *http.Request)
// Provide access to requests for authorization resources
Authz(ctx context.Context, response http.ResponseWriter, request *http.Request)
// Provide access to requests for authorization resources
Cert(ctx context.Context, response http.ResponseWriter, request *http.Request)
}
A WebFrontEnd object supplies methods that can be hooked into the Go http module's server functions, principally http.HandleFunc()
It also provides methods to configure the base for authorization and certificate URLs.
It is assumed that the ACME server is laid out as follows: * One URL for new-authorization -> NewAuthz * One URL for new-certificate -> NewCert * One path for authorizations -> Authz * One path for certificates -> Cert
Source Files
Directories