Documentation
¶
Index ¶
- Constants
- func B64dec(x string) ([]byte, error)
- func B64enc(x []byte) string
- func Fingerprint256(data []byte) string
- func KeyDigest(key crypto.PublicKey) (string, error)
- func KeyDigestEquals(j, k crypto.PublicKey) bool
- func NewToken() string
- func RandomString(byteLength int) string
- func SerialToString(serial *big.Int) string
- func StringToSerial(serial string) (*big.Int, error)
- func VerifyCSR(csr *x509.CertificateRequest) error
- type AcmeIdentifier
- type AcmeStatus
- type AcmeURL
- type Authorization
- type Buffer
- type Certificate
- type CertificateAuthority
- type CertificateAuthorityDatabase
- type CertificateIssuanceError
- type CertificateRequest
- type CertificateStatus
- type Challenge
- type Crl
- type DeniedCsr
- type IdentifierType
- type JsonBuffer
- type MalformedRequestError
- type NotFoundError
- type NotSupportedError
- type OCSPStatus
- type OcspResponse
- type PolicyAuthority
- type Registration
- type RegistrationAuthority
- type SignatureValidationError
- type StorageAdder
- type StorageAuthority
- type StorageGetter
- type SyntaxError
- type UnauthorizedError
- type ValidationAuthority
- type WebFrontEnd
Constants ¶
View Source
const ( StatusUnknown = AcmeStatus("unknown") // Unknown status; the default StatusPending = AcmeStatus("pending") // In process; client has next action StatusProcessing = AcmeStatus("processing") // In process; server has next action StatusValid = AcmeStatus("valid") // Validation succeeded StatusInvalid = AcmeStatus("invalid") // Validation failed StatusRevoked = AcmeStatus("revoked") // Object no longer valid )
View Source
const ( OCSPStatusGood = OCSPStatus("good") OCSPStatusRevoked = OCSPStatus("revoked") )
View Source
const ( ChallengeTypeSimpleHTTPS = "simpleHttps" ChallengeTypeDVSNI = "dvsni" ChallengeTypeDNS = "dns" ChallengeTypeRecoveryToken = "recoveryToken" )
View Source
const (
IdentifierDNS = IdentifierType("dns")
)
Variables ¶
This section is empty.
Functions ¶
func Fingerprint256 ¶
func KeyDigestEquals ¶
func RandomString ¶
RandomString returns a randomly generated string of the requested length.
func SerialToString ¶
func VerifyCSR ¶
func VerifyCSR(csr *x509.CertificateRequest) error
The missing CertificateRequest.Verify() method
Types ¶
type AcmeIdentifier ¶
type AcmeIdentifier struct {
Type IdentifierType `json:"type"` // The type of identifier being encoded
Value string `json:"value"` // The identifier itself
}
An AcmeIdentifier encodes an identifier that can be validated by ACME. The protocol allows for different types of identifier to be supported (DNS names, IP addresses, etc.), but currently we only support domain names.
type AcmeStatus ¶
type AcmeStatus string
type AcmeURL ¶
URLs that automatically marshal/unmarshal to JSON strings
func (AcmeURL) MarshalJSON ¶
func (AcmeURL) PathSegments ¶
func (*AcmeURL) UnmarshalJSON ¶
type Authorization ¶
type Authorization struct {
// An identifier for this authorization, unique across
// authorizations and certificates within this instance.
ID string `json:"id,omitempty" db:"id"`
// The identifier for which authorization is being given
Identifier AcmeIdentifier `json:"identifier,omitempty" db:"identifier"`
// The registration ID associated with the authorization
RegistrationID int64 `json:"-" db:"registrationID"`
// The status of the validation of this authorization
Status AcmeStatus `json:"status,omitempty" db:"status"`
// The date after which this authorization will be no
// longer be considered valid
Expires time.Time `json:"expires,omitempty" db:"expires"`
// An array of challenges objects used to validate the
// applicant's control of the identifier. For authorizations
// in process, these are challenges to be fulfilled; for
// final authorizations, they describe the evidence that
// the server used in support of granting the authorization.
Challenges []Challenge `json:"challenges,omitempty" db:"challenges"`
// The server may suggest combinations of challenges if it
// requires more than one challenge to be completed.
Combinations [][]int `json:"combinations,omitempty" db:"combinations"`
// The client may provide contact URIs to allow the server
// to push information to it.
Contact []AcmeURL `json:"contact,omitempty" db:"contact"`
}
An ACME authorization object represents the authorization of an account key holder to act on behalf of a domain. This struct is intended to be used both internally and for JSON marshaling on the wire. Any fields that should be suppressed on the wire (e.g., ID) must be made empty before marshaling.
type Certificate ¶
type Certificate struct {
RegistrationID int64 `db:"registrationID"`
// The parsed version of DER. Useful for extracting things like serial number.
ParsedCertificate *x509.Certificate `db:"-"`
// The revocation status of the certificate.
// * "valid" - not revoked
// * "revoked" - revoked
Status AcmeStatus `db:"status"`
Serial string `db:"serial"`
Digest string `db:"digest"`
DER []byte `db:"der"`
Issued time.Time `db:"issued"`
}
Certificate objects are entirely internal to the server. The only thing exposed on the wire is the certificate itself.
type CertificateAuthority ¶
type CertificateAuthority interface {
// [RegistrationAuthority]
IssueCertificate(x509.CertificateRequest, int64) (Certificate, error)
RevokeCertificate(serial string) error
}
type CertificateAuthorityDatabase ¶
type CertificateAuthorityDatabase interface {
Begin() error
Commit() error
Rollback() error
IncrementAndGetSerial() (int, error)
}
CertificateAuthorityDatabase represents an atomic sequence source
type CertificateIssuanceError ¶
type CertificateIssuanceError string
func (CertificateIssuanceError) Error ¶
func (e CertificateIssuanceError) Error() string
type CertificateRequest ¶
type CertificateRequest struct {
CSR *x509.CertificateRequest // The CSR
Authorizations []AcmeURL // Links to Authorization over the account key
}
An ACME certificate request is just a CSR together with URIs pointing to authorizations that should collectively authorize the certificate being requsted.
This type is never marshaled, since we only ever receive it from the client. So it carries some additional information that is useful internally. (We rely on Go's case-insensitive JSON unmarshal to properly unmarshal client requests.)
func (CertificateRequest) MarshalJSON ¶
func (cr CertificateRequest) MarshalJSON() ([]byte, error)
func (*CertificateRequest) UnmarshalJSON ¶
func (cr *CertificateRequest) UnmarshalJSON(data []byte) error
type CertificateStatus ¶
type CertificateStatus struct {
Serial string `db:"serial"`
// subscriberApproved: true iff the subscriber has posted back to the server
// that they accept the certificate, otherwise 0.
SubscriberApproved bool `db:"subscriberApproved"`
// status: 'good' or 'revoked'. Note that good, expired certificates remain
// with status 'good' but don't necessarily get fresh OCSP responses.
Status OCSPStatus `db:"status"`
// ocspLastUpdated: The date and time of the last time we generated an OCSP
// response. If we have never generated one, this has the zero value of
// time.Time, i.e. Jan 1 1970.
OCSPLastUpdated time.Time `db:"ocspLastUpdated"`
// revokedDate: If status is 'revoked', this is the date and time it was
// revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.
RevokedDate time.Time `db:"revokedDate"`
// revokedReason: If status is 'revoked', this is the reason code for the
// revocation. Otherwise it is zero (which happens to be the reason
// code for 'unspecified').
RevokedReason int `db:"revokedReason"`
LockCol int64 `json:"-"`
}
CertificateStatus structs are internal to the server. They represent the latest data about the status of the certificate, required for OCSP updating and for validating that the subscriber has accepted the certificate.
type Challenge ¶
type Challenge struct {
// The type of challenge
Type string `json:"type"`
// The status of this challenge
Status AcmeStatus `json:"status,omitempty"`
// If successful, the time at which this challenge
// was completed by the server.
Validated *time.Time `json:"validated,omitempty"`
// A URI to which a response can be POSTed
URI AcmeURL `json:"uri"`
// Used by simpleHTTPS, recoveryToken, and dns challenges
Token string `json:"token,omitempty"`
// Used by simpleHTTPS challenges
Path string `json:"path,omitempty"`
// Used by dvsni challenges
R string `json:"r,omitempty"`
S string `json:"s,omitempty"`
Nonce string `json:"nonce,omitempty"`
}
Rather than define individual types for different types of challenge, we just throw all the elements into one bucket, together with the common metadata elements.
func DvsniChallenge ¶
func DvsniChallenge() Challenge
func SimpleHTTPSChallenge ¶
func SimpleHTTPSChallenge() Challenge
func (Challenge) IsSane ¶
Check the sanity of a challenge object before issued to the client (completed = false) and before validation (completed = true).
func (Challenge) MergeResponse ¶
Merge a client-provide response to a challenge with the issued challenge TODO: Remove return type from this method
type Crl ¶
type Crl struct {
// serial: Same as certificate serial.
Serial string `db:"serial"`
// createdAt: The date the CRL was signed.
CreatedAt time.Time `db:"createdAt"`
// crl: The encoded and signed CRL.
Crl string `db:"crl"`
}
A large table of signed CRLs. This contains all historical CRLs we've signed, is append-only, and is likely to get quite large.
type IdentifierType ¶
type IdentifierType string
type JsonBuffer ¶
type JsonBuffer []byte
Fields of this type get encoded and decoded JOSE-style, in base64url encoding with stripped padding.
func (JsonBuffer) MarshalJSON ¶
func (jb JsonBuffer) MarshalJSON() (result []byte, err error)
func (*JsonBuffer) UnmarshalJSON ¶
func (jb *JsonBuffer) UnmarshalJSON(data []byte) (err error)
type MalformedRequestError ¶
type MalformedRequestError string
func (MalformedRequestError) Error ¶
func (e MalformedRequestError) Error() string
type NotFoundError ¶
type NotFoundError string
func (NotFoundError) Error ¶
func (e NotFoundError) Error() string
type NotSupportedError ¶
type NotSupportedError string
func (NotSupportedError) Error ¶
func (e NotSupportedError) Error() string
type OCSPStatus ¶
type OCSPStatus string
type OcspResponse ¶
type OcspResponse struct {
ID int `db:"id"`
// serial: Same as certificate serial.
Serial string `db:"serial"`
// createdAt: The date the response was signed.
CreatedAt time.Time `db:"createdAt"`
// response: The encoded and signed CRL.
Response []byte `db:"response"`
}
A large table of OCSP responses. This contains all historical OCSP responses we've signed, is append-only, and is likely to get quite large. We'll probably want administratively truncate it at some point.
type PolicyAuthority ¶
type PolicyAuthority interface {
WillingToIssue(AcmeIdentifier) error
ChallengesFor(AcmeIdentifier) ([]Challenge, [][]int)
}
type Registration ¶
type Registration struct {
// Unique identifier
ID int64 `json:"-" db:"id"`
// Account key to which the details are attached
Key jose.JsonWebKey `json:"key" db:"key"`
// Recovery Token is used to prove connection to an earlier transaction
RecoveryToken string `json:"recoveryToken" db:"recoveryToken"`
// Contact URIs
Contact []AcmeURL `json:"contact,omitempty" db:"contact"`
// Agreement with terms of service
Agreement string `json:"agreement,omitempty" db:"agreement"`
Thumbprint string `json:"thumbprint" db:"thumbprint"`
LockCol int64 `json:"-"`
}
Registration objects represent non-public metadata attached to account keys.
func (*Registration) MergeUpdate ¶
func (r *Registration) MergeUpdate(input Registration)
type RegistrationAuthority ¶
type RegistrationAuthority interface {
// [WebFrontEnd]
NewRegistration(Registration, jose.JsonWebKey) (Registration, error)
// [WebFrontEnd]
NewAuthorization(Authorization, int64) (Authorization, error)
// [WebFrontEnd]
NewCertificate(CertificateRequest, int64) (Certificate, error)
// [WebFrontEnd]
UpdateRegistration(Registration, Registration) (Registration, error)
// [WebFrontEnd]
UpdateAuthorization(Authorization, int, Challenge) (Authorization, error)
// [WebFrontEnd]
RevokeCertificate(x509.Certificate) error
// [ValidationAuthority]
OnValidationUpdate(Authorization) error
}
type SignatureValidationError ¶
type SignatureValidationError string
func (SignatureValidationError) Error ¶
func (e SignatureValidationError) Error() string
type StorageAdder ¶
type StorageAdder interface {
NewRegistration(Registration) (Registration, error)
UpdateRegistration(Registration) error
NewPendingAuthorization() (string, error)
UpdatePendingAuthorization(Authorization) error
FinalizeAuthorization(Authorization) error
MarkCertificateRevoked(serial string, ocspResponse []byte, reasonCode int) error
AddCertificate([]byte, int64) (string, error)
AddDeniedCSR([]string) error
}
type StorageAuthority ¶
type StorageAuthority interface {
StorageGetter
StorageAdder
}
StorageAuthority interface represents a simple key/value store. It is divided into StorageGetter and StorageUpdater interfaces for privilege separation.
type StorageGetter ¶
type StorageGetter interface {
GetRegistration(int64) (Registration, error)
GetRegistrationByKey(jose.JsonWebKey) (Registration, error)
GetAuthorization(string) (Authorization, error)
GetCertificate(string) ([]byte, error)
GetCertificateByShortSerial(string) ([]byte, error)
GetCertificateStatus(string) (CertificateStatus, error)
AlreadyDeniedCSR([]string) (bool, error)
}
type SyntaxError ¶
type SyntaxError string
func (SyntaxError) Error ¶
func (e SyntaxError) Error() string
type UnauthorizedError ¶
type UnauthorizedError string
func (UnauthorizedError) Error ¶
func (e UnauthorizedError) Error() string
type ValidationAuthority ¶
type ValidationAuthority interface {
// [RegistrationAuthority]
UpdateValidations(Authorization) error
}
type WebFrontEnd ¶
type WebFrontEnd interface {
// Set the base URL for authorizations
SetAuthzBase(path string)
// Set the base URL for certificates
SetCertBase(path string)
// This method represents the ACME new-registration resource
NewRegistration(response http.ResponseWriter, request *http.Request)
// This method represents the ACME new-authorization resource
NewAuthz(response http.ResponseWriter, request *http.Request)
// This method represents the ACME new-certificate resource
NewCert(response http.ResponseWriter, request *http.Request)
// Provide access to requests for registration resources
Registration(response http.ResponseWriter, request *http.Request)
// Provide access to requests for authorization resources
Authz(response http.ResponseWriter, request *http.Request)
// Provide access to requests for authorization resources
Cert(response http.ResponseWriter, request *http.Request)
}
A WebFrontEnd object supplies methods that can be hooked into the Go http module's server functions, principally http.HandleFunc()
It also provides methods to configure the base for authorization and certificate URLs.
It is assumed that the ACME server is laid out as follows: * One URL for new-authorization -> NewAuthz * One URL for new-certificate -> NewCert * One path for authorizations -> Authz * One path for certificates -> Cert
Source Files
Click to show internal directories.
Click to hide internal directories.