core

package
v0.0.0-...-e166e8c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 23, 2015 License: MPL-2.0 Imports: 36 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	StatusUnknown    = AcmeStatus("unknown")    // Unknown status; the default
	StatusPending    = AcmeStatus("pending")    // In process; client has next action
	StatusProcessing = AcmeStatus("processing") // In process; server has next action
	StatusValid      = AcmeStatus("valid")      // Validation succeeded
	StatusInvalid    = AcmeStatus("invalid")    // Validation failed
	StatusRevoked    = AcmeStatus("revoked")    // Object no longer valid
)

These statuses are the states of authorizations

View Source 
const (
	ResourceNewReg       = AcmeResource("new-reg")
	ResourceNewAuthz     = AcmeResource("new-authz")
	ResourceNewCert      = AcmeResource("new-cert")
	ResourceRevokeCert   = AcmeResource("revoke-cert")
	ResourceRegistration = AcmeResource("reg")
	ResourceChallenge    = AcmeResource("challenge")
)

The types of ACME resources

View Source 
const (
	OCSPStatusGood    = OCSPStatus("good")
	OCSPStatusRevoked = OCSPStatus("revoked")
)

These status are the states of OCSP

View Source 
const (
	ConnectionProblem     = ProblemType("urn:acme:error:connection")
	MalformedProblem      = ProblemType("urn:acme:error:malformed")
	ServerInternalProblem = ProblemType("urn:acme:error:serverInternal")
	TLSProblem            = ProblemType("urn:acme:error:tls")
	UnauthorizedProblem   = ProblemType("urn:acme:error:unauthorized")
	UnknownHostProblem    = ProblemType("urn:acme:error:unknownHost")
	RateLimitedProblem    = ProblemType("urn:acme:error:rateLimited")
)

Error types that can be used in ACME payloads

View Source 
const (
	ChallengeTypeSimpleHTTP = "simpleHttp"
	ChallengeTypeDVSNI      = "dvsni"
	ChallengeTypeHTTP01     = "http-01"
	ChallengeTypeTLSSNI01   = "tls-sni-01"
	ChallengeTypeDNS01      = "dns-01"
)

These types are the available challenges

View Source 
const DNSPrefix = "_acme-challenge"

DNSPrefix is attached to DNS names in DNS challenges

View Source 
const (
	IdentifierDNS = IdentifierType("dns")
)

These types are the available identification mechanisms

View Source 
const MaxUsed = 65536

MaxUsed defines the maximum number of Nonces we're willing to hold in memory.

View Source 
const TLSSNISuffix = "acme.invalid"

TLSSNISuffix is appended to pseudo-domain names in DVSNI challenges

Variables

View Source 
var BuildHost string

BuildHost is set by the compiler and is used by GetBuildHost

View Source 
var BuildID string

BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)") and is used by GetBuildID

View Source 
var BuildTime string

BuildTime is set by the compiler and is used by GetBuildTime

View Source 
var RevocationReasons = map[RevocationCode]string{
	0: "unspecified",
	1: "keyCompromise",
	2: "cACompromise",
	3: "affiliationChanged",
	4: "superseded",
	5: "cessationOfOperation",
	6: "certificateHold",

	8:  "removeFromCRL",
	9:  "privilegeWithdrawn",
	10: "aAcompromise",
}

RevocationReasons provides a map from reason code to string explaining the code

Functions

func B64dec 

func B64dec(x string) ([]byte, error)

B64dec decodes a byte array from unpadded, URL-safe Base64

func B64enc 

func B64enc(x []byte) string

B64enc encodes a byte array as unpadded, URL-safe Base64

func Fingerprint256 

func Fingerprint256(data []byte) string

Fingerprint256 produces an unpadded, URL-safe Base64-encoded SHA256 digest of the data.

func GetBuildHost 

func GetBuildHost() (retID string)

GetBuildHost identifies the building host

func GetBuildID 

func GetBuildID() (retID string)

GetBuildID identifies what build is running.

func GetBuildTime 

func GetBuildTime() (retID string)

GetBuildTime identifies when this build was made

func GoodKey 

func GoodKey(key crypto.PublicKey) error

GoodKey returns true iff the key is acceptable for both TLS use and account key use (our requirements are the same for either one), according to basic strength and algorithm checking. TODO: Support JsonWebKeys once go-jose migration is done.

func GoodKeyECDSA 

func GoodKeyECDSA(key ecdsa.PublicKey) (err error)

GoodKeyECDSA determines if an ECDSA pubkey meets our requirements

func GoodKeyRSA 

func GoodKeyRSA(key rsa.PublicKey) (err error)

GoodKeyRSA determines if a RSA pubkey meets our requirements

func KeyDigest 

func KeyDigest(key crypto.PublicKey) (string, error)

KeyDigest produces a padded, standard Base64-encoded SHA256 digest of a provided public key.

func KeyDigestEquals 

func KeyDigestEquals(j, k crypto.PublicKey) bool

KeyDigestEquals determines whether two public keys have the same digest.

func LoadCert 

func LoadCert(filename string) (cert *x509.Certificate, err error)

LoadCert loads a PEM certificate specified by filename or returns a error

func LoadCertBundle 

func LoadCertBundle(filename string) ([]*x509.Certificate, error)

LoadCertBundle loads a PEM bundle of certificates from disk

func LooksLikeAToken 

func LooksLikeAToken(token string) bool

LooksLikeAToken checks whether a string represents a 32-octet value in the URL-safe base64 alphabet.

func NewToken 

func NewToken() string

NewToken produces a random string for Challenges, etc.

func RandomString 

func RandomString(byteLength int) string

RandomString returns a randomly generated string of the requested length.

func RetryBackoff 

func RetryBackoff(retries int, base, max time.Duration, factor float64) time.Duration

RetryBackoff calculates a backoff time based on number of retries, will always add jitter so requests that start in unison won't fall into lockstep. Because of this the returned duration can always be larger than the maximum by a factor of retryJitter. Adapted from https://github.com/grpc/grpc-go/blob/master/rpc_util.go#L311

func ReverseName 

func ReverseName(domain string) string

ReverseName takes a domain name and returns a label-wise reversed version of it. Example: ReverseName("www.example.com") == "com.example.www" This is useful for storing domain names in a DB such than subdomains of the same parent domain are near each other.

func SerialToString 

func SerialToString(serial *big.Int) string

SerialToString converts a certificate serial number (big.Int) to a String consistently.

func StringToSerial 

func StringToSerial(serial string) (*big.Int, error)

StringToSerial converts a string into a certificate serial number (big.Int) consistently.

func Thumbprint 

func Thumbprint(k *jose.JsonWebKey) (string, error)

Thumbprint computes the JWK Thumbprint of a key using the indicated hash algorithm.

func UniqueLowerNames 

func UniqueLowerNames(names []string) (unique []string)

UniqueLowerNames returns the set of all unique names in the input after all of them are lowercased. The returned names will be in their lowercased form.

func ValidChallenge 

func ValidChallenge(name string) bool

ValidChallenge tests whether the provided string names a known challenge

func ValidSerial 

func ValidSerial(serial string) bool

ValidSerial tests whether the input string represents a syntactically valid serial number, i.e., that it is a valid hex string between 32 and 36 characters long.

func VerifyCSR 

func VerifyCSR(csr *x509.CertificateRequest) error

VerifyCSR verifies that a Certificate Signature Request is well-formed.

Note: this is the missing CertificateRequest.Verify() method

Types

type AcmeIdentifier 

type AcmeIdentifier struct {
	Type  IdentifierType `json:"type"`  // The type of identifier being encoded
	Value string         `json:"value"` // The identifier itself
}

An AcmeIdentifier encodes an identifier that can be validated by ACME. The protocol allows for different types of identifier to be supported (DNS names, IP addresses, etc.), but currently we only support domain names.

type AcmeResource 

type AcmeResource string

AcmeResource values identify different types of ACME resources

type AcmeStatus 

type AcmeStatus string

AcmeStatus defines the state of a given authorization

type AcmeURL 

type AcmeURL url.URL

AcmeURL is a URL that automatically marshal/unmarshal to JSON strings

func ParseAcmeURL 

func ParseAcmeURL(s string) (*AcmeURL, error)

ParseAcmeURL is just a wrapper around url.Parse that returns an *AcmeURL

func (*AcmeURL) MarshalJSON 

func (u *AcmeURL) MarshalJSON() ([]byte, error)

MarshalJSON encodes an AcmeURL for transfer

func (*AcmeURL) PathSegments 

func (u *AcmeURL) PathSegments() (segments []string)

PathSegments splits an AcmeURL into segments on the '/' characters

func (*AcmeURL) String 

func (u *AcmeURL) String() string

func (*AcmeURL) UnmarshalJSON 

func (u *AcmeURL) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes an AcmeURL from transfer

type Authorization 

type Authorization struct {
	// An identifier for this authorization, unique across
	// authorizations and certificates within this instance.
	ID string `json:"id,omitempty" db:"id"`

	// The identifier for which authorization is being given
	Identifier AcmeIdentifier `json:"identifier,omitempty" db:"identifier"`

	// The registration ID associated with the authorization
	RegistrationID int64 `json:"regId,omitempty" db:"registrationID"`

	// The status of the validation of this authorization
	Status AcmeStatus `json:"status,omitempty" db:"status"`

	// The date after which this authorization will be no
	// longer be considered valid. Note: a certificate may be issued even on the
	// last day of an authorization's lifetime. The last day for which someone can
	// hold a valid certificate based on an authorization is authorization
	// lifetime + certificate lifetime.
	Expires *time.Time `json:"expires,omitempty" db:"expires"`

	// An array of challenges objects used to validate the
	// applicant's control of the identifier.  For authorizations
	// in process, these are challenges to be fulfilled; for
	// final authorizations, they describe the evidence that
	// the server used in support of granting the authorization.
	Challenges []Challenge `json:"challenges,omitempty" db:"-"`

	// The server may suggest combinations of challenges if it
	// requires more than one challenge to be completed.
	Combinations [][]int `json:"combinations,omitempty" db:"combinations"`
}

Authorization represents the authorization of an account key holder to act on behalf of a domain. This struct is intended to be used both internally and for JSON marshaling on the wire. Any fields that should be suppressed on the wire (e.g., ID, regID) must be made empty before marshaling.

func (*Authorization) FindChallenge 

func (authz *Authorization) FindChallenge(challengeID int64) int

FindChallenge will look for the given challenge inside this authorization. If found, it will return the index of that challenge within the Authorization's Challenges array. Otherwise it will return -1.

type Buffer 

type Buffer []byte

Buffer is a variable-length collection of bytes

type CRL 

type CRL struct {
	// serial: Same as certificate serial.
	Serial string `db:"serial"`

	// createdAt: The date the CRL was signed.
	CreatedAt time.Time `db:"createdAt"`

	// crl: The encoded and signed CRL.
	CRL string `db:"crl"`
}

CRL is a large table of signed CRLs. This contains all historical CRLs we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.

type Certificate 

type Certificate struct {
	RegistrationID int64 `db:"registrationID"`

	Serial  string    `db:"serial"`
	Digest  string    `db:"digest"`
	DER     []byte    `db:"der"`
	Issued  time.Time `db:"issued"`
	Expires time.Time `db:"expires"`
}

Certificate objects are entirely internal to the server. The only thing exposed on the wire is the certificate itself.

type CertificateAuthority 

type CertificateAuthority interface {
	// [RegistrationAuthority]
	IssueCertificate(x509.CertificateRequest, int64) (Certificate, error)
	RevokeCertificate(string, RevocationCode) error
	GenerateOCSP(OCSPSigningRequest) ([]byte, error)
}

CertificateAuthority defines the public interface for the Boulder CA

type CertificateAuthorityDatabase 

type CertificateAuthorityDatabase interface {
	IncrementAndGetSerial(*gorp.Transaction) (int64, error)
	Begin() (*gorp.Transaction, error)
}

CertificateAuthorityDatabase represents an atomic sequence source

type CertificateIssuanceError 

type CertificateIssuanceError string

CertificateIssuanceError indicates the certificate failed to be issued for some reason.

func (CertificateIssuanceError) Error 

func (e CertificateIssuanceError) Error() string

type CertificateRequest 

type CertificateRequest struct {
	CSR   *x509.CertificateRequest // The CSR
	Bytes []byte                   // The original bytes of the CSR, for logging.
}

CertificateRequest is just a CSR

This data is unmarshalled from JSON by way of rawCertificateRequest, which represents the actual structure received from the client.

func (CertificateRequest) MarshalJSON 

func (cr CertificateRequest) MarshalJSON() ([]byte, error)

MarshalJSON provides an implementation for encoding CertificateRequest objects.

func (*CertificateRequest) UnmarshalJSON 

func (cr *CertificateRequest) UnmarshalJSON(data []byte) error

UnmarshalJSON provides an implementation for decoding CertificateRequest objects.

type CertificateStatus 

type CertificateStatus struct {
	Serial string `db:"serial"`

	// subscriberApproved: true iff the subscriber has posted back to the server
	//   that they accept the certificate, otherwise 0.
	SubscriberApproved bool `db:"subscriberApproved"`

	// status: 'good' or 'revoked'. Note that good, expired certificates remain
	//   with status 'good' but don't necessarily get fresh OCSP responses.
	Status OCSPStatus `db:"status"`

	// ocspLastUpdated: The date and time of the last time we generated an OCSP
	//   response. If we have never generated one, this has the zero value of
	//   time.Time, i.e. Jan 1 1970.
	OCSPLastUpdated time.Time `db:"ocspLastUpdated"`

	// revokedDate: If status is 'revoked', this is the date and time it was
	//   revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970.
	RevokedDate time.Time `db:"revokedDate"`

	// revokedReason: If status is 'revoked', this is the reason code for the
	//   revocation. Otherwise it is zero (which happens to be the reason
	//   code for 'unspecified').
	RevokedReason RevocationCode `db:"revokedReason"`

	LastExpirationNagSent time.Time `db:"lastExpirationNagSent"`

	// The encoded and signed OCSP response.
	OCSPResponse []byte `db:"ocspResponse"`

	LockCol int64 `json:"-"`
}

CertificateStatus structs are internal to the server. They represent the latest data about the status of the certificate, required for OCSP updating and for validating that the subscriber has accepted the certificate.

type Challenge 

type Challenge struct {
	ID int64 `json:"id,omitempty"`

	// The type of challenge
	Type string `json:"type"`

	// The status of this challenge
	Status AcmeStatus `json:"status,omitempty"`

	// Contains the error that occured during challenge validation, if any
	Error *ProblemDetails `json:"error,omitempty"`

	// If successful, the time at which this challenge
	// was completed by the server.
	Validated *time.Time `json:"validated,omitempty"`

	// A URI to which a response can be POSTed
	URI string `json:"uri"`

	// Used by simpleHttp, http-00, tls-sni-00, and dns-00 challenges
	Token string `json:"token,omitempty"`

	// Used by simpleHttp challenges
	TLS *bool `json:"tls,omitempty"`

	// Used by dvsni challenges
	Validation *jose.JsonWebSignature `json:"validation,omitempty"`

	// Used by http-00, tls-sni-00, and dns-00 challenges
	KeyAuthorization *KeyAuthorization `json:"keyAuthorization,omitempty"`

	// Contains information about URLs used or redirected to and IPs resolved and
	// used
	ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`

	// The account key used to create this challenge.  This is not part of the
	// spec, but clients are required to ignore unknown fields, so it's harmless
	// to include.
	//
	// Boulder needs to remember what key was used to create a challenge in order
	// to prevent an attacker from re-using a validation signature with a different,
	// unauthorized key. See:
	//   https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc
	AccountKey *jose.JsonWebKey `json:"accountKey,omitempty"`
}

Challenge is an aggregate of all data needed for any challenges.

Rather than define individual types for different types of challenge, we just throw all the elements into one bucket, together with the common metadata elements.

func DNSChallenge01 

func DNSChallenge01(accountKey *jose.JsonWebKey) Challenge

DNSChallenge01 constructs a random DNS challenge

func DvsniChallenge 

func DvsniChallenge(accountKey *jose.JsonWebKey) Challenge

DvsniChallenge constructs a random DVSNI challenge TODO(https://github.com/letsencrypt/boulder/issues/894): Delete this method

func HTTPChallenge01 

func HTTPChallenge01(accountKey *jose.JsonWebKey) Challenge

HTTPChallenge01 constructs a random http-01 challenge

func SimpleHTTPChallenge 

func SimpleHTTPChallenge(accountKey *jose.JsonWebKey) Challenge

SimpleHTTPChallenge constructs a random HTTP challenge TODO(https://github.com/letsencrypt/boulder/issues/894): Delete this method

func TLSSNIChallenge01 

func TLSSNIChallenge01(accountKey *jose.JsonWebKey) Challenge

TLSSNIChallenge01 constructs a random tls-sni-00 challenge

func (Challenge) IsSane 

func (ch Challenge) IsSane(completed bool) bool

IsSane checks the sanity of a challenge object before issued to the client (completed = false) and before validation (completed = true).

func (Challenge) MergeResponse 

func (ch Challenge) MergeResponse(resp Challenge) Challenge

MergeResponse copies a subset of client-provided data to the current Challenge. Note: This method does not update the challenge on the left side of the '.'

func (Challenge) RecordsSane 

func (ch Challenge) RecordsSane() bool

RecordsSane checks the sanity of a ValidationRecord object before sending it back to the RA to be stored.

type DNSResolver 

type DNSResolver interface {
	ExchangeOne(string, uint16) (*dns.Msg, time.Duration, error)
	LookupTXT(string) ([]string, time.Duration, error)
	LookupHost(string) ([]net.IP, time.Duration, error)
	LookupCAA(string) ([]*dns.CAA, time.Duration, error)
	LookupMX(string) ([]string, time.Duration, error)
}

DNSResolver defines methods used for DNS resolution

type DNSResolverImpl 

type DNSResolverImpl struct {
	DNSClient *dns.Client
	Servers   []string
	// contains filtered or unexported fields
}

DNSResolverImpl represents a client that talks to an external resolver

func NewDNSResolverImpl 

func NewDNSResolverImpl(readTimeout time.Duration, servers []string) *DNSResolverImpl

NewDNSResolverImpl constructs a new DNS resolver object that utilizes the provided list of DNS servers for resolution.

func NewTestDNSResolverImpl 

func NewTestDNSResolverImpl(readTimeout time.Duration, servers []string) *DNSResolverImpl

NewTestDNSResolverImpl constructs a new DNS resolver object that utilizes the provided list of DNS servers for resolution and will allow loopback addresses. This constructor should *only* be called from tests (unit or integration).

func (*DNSResolverImpl) ExchangeOne 

func (dnsResolver *DNSResolverImpl) ExchangeOne(hostname string, qtype uint16) (rsp *dns.Msg, rtt time.Duration, err error)

ExchangeOne performs a single DNS exchange with a randomly chosen server out of the server list, returning the response, time, and error (if any). This method sets the DNSSEC OK bit on the message to true before sending it to the resolver in case validation isn't the resolvers default behaviour.

func (*DNSResolverImpl) LookupCAA 

func (dnsResolver *DNSResolverImpl) LookupCAA(hostname string) ([]*dns.CAA, time.Duration, error)

LookupCAA sends a DNS query to find all CAA records associated with the provided hostname. If the response code from the resolver is SERVFAIL an empty slice of CAA records is returned.

func (*DNSResolverImpl) LookupHost 

func (dnsResolver *DNSResolverImpl) LookupHost(hostname string) ([]net.IP, time.Duration, error)

LookupHost sends a DNS query to find all A records associated with the provided hostname. This method assumes that the external resolver will chase CNAME/DNAME aliases and return relevant A records.

func (*DNSResolverImpl) LookupMX 

func (dnsResolver *DNSResolverImpl) LookupMX(hostname string) ([]string, time.Duration, error)

LookupMX sends a DNS query to find a MX record associated hostname and returns the record target.

func (*DNSResolverImpl) LookupTXT 

func (dnsResolver *DNSResolverImpl) LookupTXT(hostname string) ([]string, time.Duration, error)

LookupTXT sends a DNS query to find all TXT records associated with the provided hostname.

type DeniedCSR 

type DeniedCSR struct {
	ID int `db:"id"`

	Names string `db:"names"`
}

DeniedCSR is a list of names we deny issuing.

type ExternalCert 

type ExternalCert struct {
	SHA1     string    `db:"sha1"`       // The hex encoding of the SHA-1 hash of this cert
	Issuer   string    `db:"issuer"`     // The Issuer field of this cert
	Subject  string    `db:"subject"`    // The Subject field of this cert
	NotAfter time.Time `db:"notAfter"`   // Date after which this cert should be considered invalid
	SPKI     []byte    `db:"spki"`       // The hex encoding of the certificate's SubjectPublicKeyInfo in DER form
	Valid    bool      `db:"valid"`      // Whether this certificate was valid at LastUpdated time
	EV       bool      `db:"ev"`         // Whether this cert was EV valid
	CertDER  []byte    `db:"rawDERCert"` // DER (binary) encoding of the raw certificate
}

ExternalCert holds information about certificates issued by other CAs, obtained through Certificate Transparency, the SSL Observatory, or scans.io.

type IdentifierData 

type IdentifierData struct {
	ReversedName string `db:"reversedName"` // The label-wise reverse of an identifier, e.g. com.example or com.example.*
	CertSHA1     string `db:"certSHA1"`     // The hex encoding of the SHA-1 hash of a cert containing the identifier
}

IdentifierData holds information about what certificates are known for a given identifier. This is used to present Proof of Posession challenges in the case where a certificate already exists. The DB table holding IdentifierData rows contains information about certs issued by Boulder and also information about certs observed from third parties.

type IdentifierType 

type IdentifierType string

IdentifierType defines the available identification mechanisms for domains

type InternalServerError 

type InternalServerError string

InternalServerError indicates that something has gone wrong unrelated to the user's input, and will be considered by the Load Balancer as an indication that this Boulder instance may be malfunctioning. Minimally, returning this will cause an error page to be generated at the CDN/LB for the client. Consequently, you should only use this error when Boulder's internal constraints have been violated.

func (InternalServerError) Error 

func (e InternalServerError) Error() string

type IsSafeDomainRequest 

type IsSafeDomainRequest struct {
	Domain string
}

IsSafeDomainRequest is the request struct for the IsSafeDomain call. The Domain field should be just a domain with no leading scheme or trailing path.

type IsSafeDomainResponse 

type IsSafeDomainResponse struct {
	IsSafe bool
}

IsSafeDomainResponse is the response struct for the IsSafeDomain call. The IsSafe bool is true if and only if the third-party safe browing API says the domain is safe.

type JSONBuffer 

type JSONBuffer []byte

JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding with stripped padding.

func (JSONBuffer) MarshalJSON 

func (jb JSONBuffer) MarshalJSON() (result []byte, err error)

MarshalJSON encodes a JSONBuffer for transmission.

func (*JSONBuffer) UnmarshalJSON 

func (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON decodes a JSONBuffer to an object.

type KeyAuthorization 

type KeyAuthorization struct {
	Token      string
	Thumbprint string
}

KeyAuthorization represents a domain holder's authorization for a specific account key to satisfy a specific challenge.

func NewKeyAuthorization 

func NewKeyAuthorization(token string, key *jose.JsonWebKey) (KeyAuthorization, error)

NewKeyAuthorization computes the thumbprint and assembles the object

func NewKeyAuthorizationFromString 

func NewKeyAuthorizationFromString(input string) (ka KeyAuthorization, err error)

NewKeyAuthorizationFromString parses the string and composes a key authorization struct

func (KeyAuthorization) MarshalJSON 

func (ka KeyAuthorization) MarshalJSON() (result []byte, err error)

MarshalJSON packs a key authorization into its string representation

func (KeyAuthorization) Match 

func (ka KeyAuthorization) Match(token string, key *jose.JsonWebKey) bool

Match determines whether this KeyAuthorization matches the given token and key

func (KeyAuthorization) String 

func (ka KeyAuthorization) String() string

String produces the string representation of a key authorization

func (*KeyAuthorization) UnmarshalJSON 

func (ka *KeyAuthorization) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON unpacks a key authorization from a string

type LengthRequiredError 

type LengthRequiredError string

LengthRequiredError indicates a POST was sent with no Content-Length.

func (LengthRequiredError) Error 

func (e LengthRequiredError) Error() string

type MalformedRequestError 

type MalformedRequestError string

MalformedRequestError indicates the user data was improper

func (MalformedRequestError) Error 

func (e MalformedRequestError) Error() string

type NoSuchRegistrationError 

type NoSuchRegistrationError string

NoSuchRegistrationError indicates that a registration could not be found.

func (NoSuchRegistrationError) Error 

func (e NoSuchRegistrationError) Error() string

type NonceService 

type NonceService struct {
	// contains filtered or unexported fields
}

NonceService generates, cancels, and tracks Nonces.

func NewNonceService 

func NewNonceService() (*NonceService, error)

NewNonceService constructs a NonceService with defaults

func (*NonceService) Nonce 

func (ns *NonceService) Nonce() (string, error)

Nonce provides a new Nonce.

func (*NonceService) Valid 

func (ns *NonceService) Valid(nonce string) bool

Valid determines whether the provided Nonce string is valid, returning true if so.

type NotFoundError 

type NotFoundError string

NotFoundError indicates the destination was unknown. Whoa oh oh ohhh.

func (NotFoundError) Error 

func (e NotFoundError) Error() string

type NotSupportedError 

type NotSupportedError string

NotSupportedError indicates a method is not yet supported

func (NotSupportedError) Error 

func (e NotSupportedError) Error() string

type OCSPResponse 

type OCSPResponse struct {
	ID int `db:"id"`

	// serial: Same as certificate serial.
	Serial string `db:"serial"`

	// createdAt: The date the response was signed.
	CreatedAt time.Time `db:"createdAt"`

	// response: The encoded and signed CRL.
	Response []byte `db:"response"`
}

OCSPResponse is a (large) table of OCSP responses. This contains all historical OCSP responses we've signed, is append-only, and is likely to get quite large. It must be administratively truncated outside of Boulder.

type OCSPSigningRequest 

type OCSPSigningRequest struct {
	CertDER   []byte
	Status    string
	Reason    RevocationCode
	RevokedAt time.Time
}

OCSPSigningRequest is a transfer object representing an OCSP Signing Request

type OCSPStatus 

type OCSPStatus string

OCSPStatus defines the state of OCSP for a domain

type PolicyAuthority 

type PolicyAuthority interface {
	WillingToIssue(id AcmeIdentifier, regID int64) error
	ChallengesFor(AcmeIdentifier, *jose.JsonWebKey) ([]Challenge, [][]int, error)
}

PolicyAuthority defines the public interface for the Boulder PA

type ProblemDetails 

type ProblemDetails struct {
	Type   ProblemType `json:"type,omitempty"`
	Detail string      `json:"detail,omitempty"`
}

ProblemDetails objects represent problem documents https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00

func (*ProblemDetails) Error 

func (pd *ProblemDetails) Error() string

type ProblemType 

type ProblemType string

ProblemType defines the error types in the ACME protocol

type Publisher 

type Publisher interface {
	SubmitToCT([]byte) error
}

Publisher defines the public interface for the Boulder Publisher

type RPCSignedCertificateTimestamp 

type RPCSignedCertificateTimestamp SignedCertificateTimestamp

RPCSignedCertificateTimestamp is a wrapper around SignedCertificateTimestamp so that it can be passed through the RPC layer properly. Without this wrapper the UnmarshalJSON method below will be used when marshaling/unmarshaling the object, which is not what we want as it is not symmetrical (as it is intended to unmarshal a rawSignedCertificateTimestamp into a SignedCertificateTimestamp)

type RateLimitedError 

type RateLimitedError string

RateLimitedError indicates the user has hit a rate limit

func (RateLimitedError) Error 

func (e RateLimitedError) Error() string

type Registration 

type Registration struct {
	// Unique identifier
	ID int64 `json:"id" db:"id"`

	// Account key to which the details are attached
	Key jose.JsonWebKey `json:"key"`

	// Contact URIs
	Contact []*AcmeURL `json:"contact,omitempty"`

	// Agreement with terms of service
	Agreement string `json:"agreement,omitempty"`

	// InitialIP is the IP address from which the registration was created
	InitialIP net.IP `json:"initialIp"`

	// CreatedAt is the time the registration was created.
	CreatedAt time.Time `json:"createdAt"`
}

Registration objects represent non-public metadata attached to account keys.

func (*Registration) MergeUpdate 

func (r *Registration) MergeUpdate(input Registration)

MergeUpdate copies a subset of information from the input Registration into this one.

type RegistrationAuthority 

type RegistrationAuthority interface {
	// [WebFrontEnd]
	NewRegistration(Registration) (Registration, error)

	// [WebFrontEnd]
	NewAuthorization(Authorization, int64) (Authorization, error)

	// [WebFrontEnd]
	NewCertificate(CertificateRequest, int64) (Certificate, error)

	// [WebFrontEnd]
	UpdateRegistration(Registration, Registration) (Registration, error)

	// [WebFrontEnd]
	UpdateAuthorization(Authorization, int, Challenge) (Authorization, error)

	// [WebFrontEnd]
	RevokeCertificateWithReg(x509.Certificate, RevocationCode, int64) error

	// [AdminRevoker]
	AdministrativelyRevokeCertificate(x509.Certificate, RevocationCode, string) error

	// [ValidationAuthority]
	OnValidationUpdate(Authorization) error
}

RegistrationAuthority defines the public interface for the Boulder RA

type RevocationCode 

type RevocationCode int

RevocationCode is used to specify a certificate revocation reason

type ServiceUnavailableError 

type ServiceUnavailableError string

ServiceUnavailableError indicates that a component is not available to satisfy a request

func (ServiceUnavailableError) Error 

func (e ServiceUnavailableError) Error() string

type SignatureValidationError 

type SignatureValidationError string

SignatureValidationError indicates that the user's signature could not be verified, either through adversarial activity, or misconfiguration of the user client.

func (SignatureValidationError) Error 

func (e SignatureValidationError) Error() string

type SignedCertificateTimestamp 

type SignedCertificateTimestamp struct {
	ID int `db:"id"`
	// The version of the protocol to which the SCT conforms
	SCTVersion uint8 `db:"sctVersion"`
	// the SHA-256 hash of the log's public key, calculated over
	// the DER encoding of the key represented as SubjectPublicKeyInfo.
	LogID string `db:"logID"`
	// Timestamp (in ms since unix epoc) at which the SCT was issued
	Timestamp uint64 `db:"timestamp"`
	// For future extensions to the protocol
	Extensions []byte `db:"extensions"`
	// The Log's signature for this SCT
	Signature []byte `db:"signature"`

	// The serial of the certificate this SCT is for
	CertificateSerial string `db:"certificateSerial"`

	LockCol int64
}

SignedCertificateTimestamp represents objects used by Certificate Transparency to demonstrate that a certificate was submitted to a CT log. See RFC 6962.

func (*SignedCertificateTimestamp) CheckSignature 

func (sct *SignedCertificateTimestamp) CheckSignature() error

CheckSignature validates that the returned SCT signature is a valid SHA256 + ECDSA signature but does not verify that a specific public key signed it.

func (*SignedCertificateTimestamp) UnmarshalJSON 

func (sct *SignedCertificateTimestamp) UnmarshalJSON(data []byte) error

UnmarshalJSON parses the add-chain response from a CT log. It fills all of the fields in the SignedCertificateTimestamp struct except for ID and CertificateSerial, which are used for local recordkeeping in the Boulder DB.

type StorageAdder 

type StorageAdder interface {
	NewRegistration(Registration) (Registration, error)
	UpdateRegistration(Registration) error

	NewPendingAuthorization(Authorization) (Authorization, error)
	UpdatePendingAuthorization(Authorization) error
	FinalizeAuthorization(Authorization) error
	MarkCertificateRevoked(serial string, reasonCode RevocationCode) error
	UpdateOCSP(serial string, ocspResponse []byte) error

	AddCertificate([]byte, int64) (string, error)

	AddSCTReceipt(SignedCertificateTimestamp) error
}

StorageAdder are the Boulder SA's write/update methods

type StorageAuthority 

type StorageAuthority interface {
	StorageGetter
	StorageAdder
}

StorageAuthority interface represents a simple key/value store. It is divided into StorageGetter and StorageUpdater interfaces for privilege separation.

type StorageGetter 

type StorageGetter interface {
	GetRegistration(int64) (Registration, error)
	GetRegistrationByKey(jose.JsonWebKey) (Registration, error)
	GetAuthorization(string) (Authorization, error)
	GetLatestValidAuthorization(int64, AcmeIdentifier) (Authorization, error)
	GetCertificate(string) (Certificate, error)
	GetCertificateStatus(string) (CertificateStatus, error)
	AlreadyDeniedCSR([]string) (bool, error)
	CountCertificatesRange(time.Time, time.Time) (int64, error)
	CountCertificatesByNames([]string, time.Time, time.Time) (map[string]int, error)
	CountRegistrationsByIP(net.IP, time.Time, time.Time) (int, error)
	CountPendingAuthorizations(regID int64) (int, error)
	GetSCTReceipt(string, string) (SignedCertificateTimestamp, error)
}

StorageGetter are the Boulder SA's read-only methods

type SyntaxError 

type SyntaxError string

SyntaxError indicates the user improperly formatted their data.

func (SyntaxError) Error 

func (e SyntaxError) Error() string

type TooManyRPCRequestsError 

type TooManyRPCRequestsError string

TooManyRPCRequestsError indicates an RPC server has hit it's concurrent request limit

func (TooManyRPCRequestsError) Error 

func (e TooManyRPCRequestsError) Error() string

type UnauthorizedError 

type UnauthorizedError string

UnauthorizedError indicates the user did not satisfactorily prove identity

func (UnauthorizedError) Error 

func (e UnauthorizedError) Error() string

type ValidationAuthority 

type ValidationAuthority interface {
	// [RegistrationAuthority]
	UpdateValidations(Authorization, int) error
	CheckCAARecords(AcmeIdentifier) (bool, bool, error)
	IsSafeDomain(*IsSafeDomainRequest) (*IsSafeDomainResponse, error)
}

ValidationAuthority defines the public interface for the Boulder VA

type ValidationRecord 

type ValidationRecord struct {
	// SimpleHTTP only
	URL string `json:"url,omitempty"`

	// Shared
	Hostname          string   `json:"hostname"`
	Port              string   `json:"port"`
	AddressesResolved []net.IP `json:"addressesResolved"`
	AddressUsed       net.IP   `json:"addressUsed"`
}

ValidationRecord represents a validation attempt against a specific URL/hostname and the IP addresses that were resolved and used

type WebFrontEnd 

type WebFrontEnd interface {
	// Set the base URL for authorizations
	SetAuthzBase(path string)

	// Set the base URL for certificates
	SetCertBase(path string)

	// This method represents the ACME new-registration resource
	NewRegistration(response http.ResponseWriter, request *http.Request)

	// This method represents the ACME new-authorization resource
	NewAuthz(response http.ResponseWriter, request *http.Request)

	// This method represents the ACME new-certificate resource
	NewCert(response http.ResponseWriter, request *http.Request)

	// Provide access to requests for registration resources
	Registration(response http.ResponseWriter, request *http.Request)

	// Provide access to requests for authorization resources
	Authz(response http.ResponseWriter, request *http.Request)

	// Provide access to requests for authorization resources
	Cert(response http.ResponseWriter, request *http.Request)
}

A WebFrontEnd object supplies methods that can be hooked into the Go http module's server functions, principally http.HandleFunc()

It also provides methods to configure the base for authorization and certificate URLs.

It is assumed that the ACME server is laid out as follows: * One URL for new-authorization -> NewAuthz * One URL for new-certificate -> NewCert * One path for authorizations -> Authz * One path for certificates -> Cert

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.