util

package v0.0.0-...-57974ef
Published: Aug 8, 2022 License: Apache-2.0 Imports: 18 Imported by: 24

Documentation

Constants

const CertURLPrefix = "/amppkg/cert"
const HealthzPath = "/healthz"
const MetricsPath = "/metrics"
const SignerURLPrefix = "/priv/doc"
const ValidityMapPath = "/amppkg/validity"

Variables

var Comma *regexp.Regexp = regexp.MustCompile(`[ \t]*,[ \t]*`)

A comma, as defined in https://tools.ietf.org/html/rfc7230#section-7, with OWS defined in https://tools.ietf.org/html/rfc7230#appendix-B. This is commonly used as a separator in header field value definitions.

var ConditionalRequestHeaders = map[string]bool{
	"If-Match":            true,
	"If-None-Match":       true,
	"If-Modified-Since":   true,
	"If-Unmodified-Since": true,
	"If-Range":            true,
}

Conditional request headers that ServeHTTP may receive and need to be sent with fetchURL. https://developer.mozilla.org/en-US/docs/Web/HTTP/Conditional_requests#Conditional_headers

Functions

func CanSignHttpExchanges

func CanSignHttpExchanges(cert *x509.Certificate) error

CanSignHttpExchanges returns nil if the given certificate has the CanSignHttpExchanges extension, and a valid lifetime per the SXG spec; otherwise it returns an error. These are not the only requirements for SXGs; it also needs to use the right public key type, which is not checked here.

func CertName

func CertName(cert *x509.Certificate) string

CertName returns the basename for the given cert, as served by this packager's cert cache. Should be stable and unique (e.g. content-addressing). Clients should url.PathEscape this, just in case its format changes to need escaping in the future.

Given a PEM-encoded certificate, this is equivalent to:

$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -binary | base64 | tr /+ _- | tr -d =
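As an added example (not the package's own code), the pipeline above expressed in Go: the name is computed once with base64url-without-padding and once by literally reproducing the `tr /+ _-` and `tr -d =` steps, to show the two spellings agree. The self-signed certificate is constructed in memory so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certNameFromDER mirrors the documented pipeline: SHA-256 over the DER encoding, base64url, no padding.
func certNameFromDER(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// certNameViaTr follows the shell spelling literally (standard base64, then `tr /+ _-`, then `tr -d =`).
func certNameViaTr(der []byte) string {
	sum := sha256.Sum256(der)
	std := base64.StdEncoding.EncodeToString(sum[:])
	return strings.TrimRight(strings.NewReplacer("/", "_", "+", "-").Replace(std), "=")
}

// newSelfSignedDER builds a throwaway (constructed) P-256 certificate so the example runs offline.
func newSelfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := newSelfSignedDER()
	if err != nil {
		panic(err)
	}
	fmt.Println(certNameFromDER(der)) // 43 URL-safe characters, no '=' padding
}
```

Because the name is content-addressed, re-issuing the certificate (even with the same key) yields a different name, which is why clients should never hard-code it.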

func CertificateMatches

func CertificateMatches(cert *x509.Certificate, priv crypto.PrivateKey, domain string) error

Returns nil if the certificate matches the private key and domain, else the appropriate error.

func GetDurationToExpiry

func GetDurationToExpiry(cert *x509.Certificate, certExpiryDeadline time.Time) (time.Duration, error)

Returns the duration until cert expires, measured against the given deadline. Note that certExpiryDeadline should be the expected SXG expiration time. Returns an error if cert is already expired. This is used to periodically check whether cert is still within its validity range.

func ParsePrivateKey

func ParsePrivateKey(keyPem []byte) (crypto.PrivateKey, error)

ParsePrivateKey returns the first PEM block that looks like a private key.

func QuotedString

func QuotedString(input string) (string, error)

Escapes the input and surrounds it in quotes, so it's a valid quoted-string, per https://tools.ietf.org/html/rfc7230#section-3.2.6. Returns error if the input contains any chars outside of HTAB / SP / VCHAR (https://tools.ietf.org/html/rfc5234#appendix-B.1) and thus isn't even quotable.
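An added example of the escaping rule described above, written here rather than taken from the package: it accepts only HTAB / SP / VCHAR, emits a quoted-pair for DQUOTE and backslash, and rejects everything else (control bytes and obs-text), so a value containing CR or LF can never be written into a header line. The inputs in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// quotedString escapes input as an RFC 7230 quoted-string. Only HTAB, SP and
// VCHAR (0x21-0x7E) are accepted; obs-text and control bytes are rejected,
// including CR and LF, which would otherwise let a value break out of its
// header line when the result is written into a response.
func quotedString(input string) (string, error) {
	var b strings.Builder
	b.WriteByte('"')
	for i := 0; i < len(input); i++ {
		c := input[i]
		switch {
		case c == '\t' || c == ' ':
			// allowed as-is
		case c < 0x21 || c > 0x7e:
			return "", fmt.Errorf("byte 0x%02x at offset %d is not quotable", c, i)
		case c == '"' || c == '\\':
			b.WriteByte('\\') // quoted-pair: DQUOTE and backslash need escaping
		}
		b.WriteByte(c)
	}
	b.WriteByte('"')
	return b.String(), nil
}

func main() {
	// Constructed inputs: one needs escaping, one carries a CRLF that must be rejected.
	for _, in := range []string{`text/plain; name="a\b"`, "ok\r\nX-Other: 1"} {
		if q, err := quotedString(in); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("quoted:  ", q)
		}
	}
}
```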

func RemoveHopByHopHeaders

func RemoveHopByHopHeaders(h http.Header)

Remove hop-by-hop headers, per https://tools.ietf.org/html/rfc7230#section-6.1.

func TrimHeaderValue

func TrimHeaderValue(s string) string

Trim optional whitespace from a header value, adhering to https://tools.ietf.org/html/rfc7230#section-7 with OWS defined in https://tools.ietf.org/html/rfc7230#appendix-B.

func ValidateFetchURLPattern

func ValidateFetchURLPattern(pattern *URLPattern) error

func ValidateForwardedRequestHeaders

func ValidateForwardedRequestHeaders(hs []string) error

func ValidateSignURLPattern

func ValidateSignURLPattern(pattern *URLPattern) error

func ValidateURLPattern

func ValidateURLPattern(pattern *URLPattern) error

Also sets defaults.

Types

type ACMEConfig

type ACMEConfig struct {
	Production  *ACMEServerConfig
	Development *ACMEServerConfig
}

type ACMEServerConfig

type ACMEServerConfig struct {
	// ACME Account URL. If non-empty, we will auto-renew cert via ACME.
	AccountURL string
	// ACME Directory Resource URL.
	DiscoURL string
	// Email address registered with ACME CA.
	EmailAddress string
	// Key Identifier from ACME CA. Used for External Account Binding.
	EABKid string
	// MAC Key from ACME CA. Used for External Account Binding. Should be in
	// Base64 URL Encoding without padding format.
	EABHmac string

	// See: https://letsencrypt.org/docs/challenge-types/
	// For non-wildcard domains, only one of HttpChallengePort, HttpWebRootDir or
	// TlsChallengePort needs to be present.
	// HttpChallengePort means AmpPackager will respond to HTTP challenges via this port.
	// HttpWebRootDir means AmpPackager will deposit challenge token in this directory.
	// TlsChallengePort means AmpPackager will respond to TLS challenges via this port.
	// For wildcard domains, DnsProvider must be set to one of the supported LEGO configs:
	// https://go-acme.github.io/lego/dns/
	HttpChallengePort int    // ACME HTTP challenge port.
	HttpWebRootDir    string // ACME HTTP web root directory where challenge token will be deposited.
	TlsChallengePort  int    // ACME TLS challenge port.
	DnsProvider       string // ACME DNS Provider used for challenge.
}

type Config

type Config struct {
	LocalOnly bool
	Port      int
	CertFile  string // This must be the full certificate chain.
	KeyFile   string // Just for the first cert, obviously.
	CSRFile   string // Certificate Signing Request.

	// When set, both CertFile and NewCertFile are read/write. Both are kept
	// while both are valid; once CertFile becomes invalid, NewCertFile replaces
	// it (CertFile = NewCertFile) and NewCertFile is set to empty. This also
	// applies to the on-disk copies (which may need to live on some sort of
	// shared filesystem if multiple replicas of amppackager are running).
	NewCertFile             string // The new full certificate chain replacing the expired one.
	OCSPCache               string
	ForwardedRequestHeaders []string
	URLSet                  []URLSet
	ACMEConfig              *ACMEConfig
}

func ReadConfig

func ReadConfig(configBytes []byte) (*Config, error)

ReadConfig reads the config file specified at --config and validates it.

type HTTPError

type HTTPError struct {
	// contains filtered or unexported fields
}

HTTPError encodes an internal message to be logged and an HTTP status code to be used for the external error message. External errors should only be used to signal misconfiguration of the packager. For errors that are transient or a result of downstream server errors, the signer should fall back to proxying the content unsigned.

func NewHTTPError

func NewHTTPError(statusCode int, msg ...interface{}) *HTTPError

func (*HTTPError) Error

func (e *HTTPError) Error() string

Implements the error interface.

func (*HTTPError) LogAndRespond

func (e *HTTPError) LogAndRespond(resp http.ResponseWriter)

type URLPattern

type URLPattern struct {
	Scheme                 []string
	DomainRE               string
	Domain                 string
	PathRE                 *string
	PathExcludeRE          []string
	QueryRE                *string
	ErrorOnStatefulHeaders bool
	MaxLength              int
	SamePath               *bool
}

type URLSet

type URLSet struct {
	Fetch *URLPattern
	Sign  *URLPattern
}
