Documentation
Index
- func ValidDomain(domain string) error
- func ValidEmail(address string) error
- func ValidIP(ip string) error
- func WellFormedIdentifiers(idents identifier.ACMEIdentifiers) error
- type AuthorityImpl
- func New(identifierTypes map[identifier.IdentifierType]bool, challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error)
- func (pa *AuthorityImpl) ChallengeTypeEnabled(t core.AcmeChallenge) bool
- func (pa *AuthorityImpl) ChallengeTypesFor(ident identifier.ACMEIdentifier) ([]core.AcmeChallenge, error)
- func (pa *AuthorityImpl) CheckAuthzChallenges(authz *core.Authorization) error
- func (pa *AuthorityImpl) IdentifierTypeEnabled(t identifier.IdentifierType) bool
- func (pa *AuthorityImpl) LoadIdentPolicyFile(f string) error
- func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func ValidDomain
func ValidDomain(domain string) error
ValidDomain checks that a domain is syntactically valid and that it doesn't contain any invalid wildcard characters. It does NOT ensure that the domain is absent from any PA block list.
func ValidEmail
func ValidEmail(address string) error
ValidEmail returns an error if the input doesn't parse as an email address, if the domain isn't a valid hostname in the Preferred Name Syntax of RFC 1035, or if it is on the list of domains forbidden for mail (because they are often used in examples).
func ValidIP
func ValidIP(ip string) error
ValidIP checks that an IP address:
- isn't empty
- is an IPv4 or IPv6 address
- doesn't contain a scope zone (RFC 4007)
- isn't in an IANA special-purpose address registry
It does NOT ensure that the IP address is absent from any PA block list.
func WellFormedIdentifiers
func WellFormedIdentifiers(idents identifier.ACMEIdentifiers) error
WellFormedIdentifiers returns an error if any of the provided identifiers do not meet these criteria:
For DNS identifiers:
- MUST contain only lowercase letters, digits, hyphens, and dots
- MUST NOT have more than maxLabels labels
- MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181
In particular, DNS identifiers:
- MUST NOT contain underscores
- MUST NOT match the syntax of an IP address
- MUST end in a public suffix
- MUST have at least one label in addition to the public suffix
- MUST NOT be a label-wise suffix match for a name on the block list, where comparison is case-independent (normalized to lower case)
If a DNS identifier contains a *, we additionally require:
- There is at most one `*` wildcard character
- That the wildcard character is the leftmost label
- That the wildcard label is not immediately adjacent to an ICANN top-level domain (so `*.com` is rejected)
For IP identifiers:
- MUST match the syntax of an IP address
- MUST NOT contain a scope zone (RFC 4007)
- MUST NOT be in an IANA special-purpose address registry
If multiple identifiers are invalid, the error will contain suberrors specific to each identifier.
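The IP-identifier rules above (and the same four checks listed under ValidIP) are easy to get subtly wrong, in particular the scope-zone and IPv4-mapped cases. The following is an added example written for this page, not Boulder's own ValidIP: it applies the rules with the standard library's net/netip. The special-purpose table is a constructed subset of the IANA registries (RFC 6890 and later assignments), and the inclusion of the multicast ranges is an assumption of this example, since they live in a separate IANA registry.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Constructed subset of the IANA IPv4 and IPv6 Special-Purpose Address
// Registries. The real registries are longer; this table is an assumption
// for the example, not Boulder's list. The multicast ranges (224.0.0.0/4,
// ff00::/8) are not in those registries but are rejected here as well,
// which is also an assumption of this example.
var specialPurpose = []struct {
	prefix netip.Prefix
	name   string
}{
	{netip.MustParsePrefix("0.0.0.0/8"), "this host on this network"},
	{netip.MustParsePrefix("10.0.0.0/8"), "private-use"},
	{netip.MustParsePrefix("100.64.0.0/10"), "shared address space"},
	{netip.MustParsePrefix("127.0.0.0/8"), "loopback"},
	{netip.MustParsePrefix("169.254.0.0/16"), "link local"},
	{netip.MustParsePrefix("172.16.0.0/12"), "private-use"},
	{netip.MustParsePrefix("192.0.0.0/24"), "IETF protocol assignments"},
	{netip.MustParsePrefix("192.0.2.0/24"), "documentation (TEST-NET-1)"},
	{netip.MustParsePrefix("192.168.0.0/16"), "private-use"},
	{netip.MustParsePrefix("198.18.0.0/15"), "benchmarking"},
	{netip.MustParsePrefix("198.51.100.0/24"), "documentation (TEST-NET-2)"},
	{netip.MustParsePrefix("203.0.113.0/24"), "documentation (TEST-NET-3)"},
	{netip.MustParsePrefix("224.0.0.0/4"), "multicast"},
	{netip.MustParsePrefix("240.0.0.0/4"), "reserved"},
	{netip.MustParsePrefix("::/128"), "unspecified"},
	{netip.MustParsePrefix("::1/128"), "loopback"},
	{netip.MustParsePrefix("::ffff:0:0/96"), "IPv4-mapped"},
	{netip.MustParsePrefix("64:ff9b::/96"), "IPv4-IPv6 translation"},
	{netip.MustParsePrefix("100::/64"), "discard-only"},
	{netip.MustParsePrefix("2001::/23"), "IETF protocol assignments"},
	{netip.MustParsePrefix("2001:db8::/32"), "documentation"},
	{netip.MustParsePrefix("2002::/16"), "6to4"},
	{netip.MustParsePrefix("fc00::/7"), "unique-local"},
	{netip.MustParsePrefix("fe80::/10"), "link-local"},
	{netip.MustParsePrefix("ff00::/8"), "multicast"},
}

// checkIP applies the four IP-identifier rules to one identifier value.
func checkIP(s string) error {
	if s == "" {
		return errors.New("IP identifier is empty")
	}
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return fmt.Errorf("%q is not an IPv4 or IPv6 address: %w", s, err)
	}
	// An RFC 4007 scope zone ("fe80::1%eth0") only has meaning on the host
	// that attached it, so it can never identify a certificate subject.
	if addr.Zone() != "" {
		return fmt.Errorf("%q contains a scope zone", s)
	}
	// IPv4-mapped input such as ::ffff:192.0.2.1 stays an IPv6 address in
	// netip and is caught by the ::ffff:0:0/96 entry rather than by the
	// IPv4 entries, so the mapped form cannot be used to dodge them.
	for _, sp := range specialPurpose {
		if sp.prefix.Contains(addr) {
			return fmt.Errorf("%s is in special-purpose range %s (%s)", addr, sp.prefix, sp.name)
		}
	}
	return nil
}

func main() {
	for _, s := range []string{"198.41.0.4", "192.0.2.1", "fe80::1%eth0", "::ffff:192.0.2.1", "2001:4860:4860::8888"} {
		fmt.Printf("%-22s %v\n", s, checkIP(s))
	}
}
```

Note that the block list is deliberately out of scope here, matching the page's "does NOT ensure" caveat: a syntactically acceptable public address can still be refused by WillingToIssue.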
Types
type AuthorityImpl
type AuthorityImpl struct {
// contains filtered or unexported fields
}
AuthorityImpl enforces CA policy decisions.
func New
func New(identifierTypes map[identifier.IdentifierType]bool, challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error)
New constructs a Policy Authority.
func (*AuthorityImpl) ChallengeTypeEnabled
func (pa *AuthorityImpl) ChallengeTypeEnabled(t core.AcmeChallenge) bool
ChallengeTypeEnabled returns whether the specified challenge type is enabled.
func (*AuthorityImpl) ChallengeTypesFor
func (pa *AuthorityImpl) ChallengeTypesFor(ident identifier.ACMEIdentifier) ([]core.AcmeChallenge, error)
ChallengeTypesFor determines which challenge types are acceptable for the given identifier. This determination is made purely based on the identifier, and not based on which challenge types are currently enabled, so that challenge type filtering can happen dynamically at request time rather than being set in stone at creation time.
func (*AuthorityImpl) CheckAuthzChallenges
func (pa *AuthorityImpl) CheckAuthzChallenges(authz *core.Authorization) error
CheckAuthzChallenges determines that an authorization was fulfilled by a challenge that is currently enabled and was appropriate for the kind of identifier in the authorization.
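The split described above, between a per-identifier rule that never changes and an enabled-set that can be switched at runtime, is what lets a CA turn a challenge type off and have existing authorizations validated with it stop being usable. The block below is an added example for this page, not Boulder's code, and uses its own hypothetical types in place of core.Authorization and identifier.ACMEIdentifier. The identifier-to-challenge mapping is an assumption of the example: wildcard DNS names get dns-01 only (the usual CA policy), IP identifiers cannot use dns-01 (RFC 8738 forbids it), and any other DNS name may use all three types.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Challenge type names as in RFC 8555 and RFC 8737.
type AcmeChallenge string

const (
	ChallengeHTTP01    AcmeChallenge = "http-01"
	ChallengeDNS01     AcmeChallenge = "dns-01"
	ChallengeTLSALPN01 AcmeChallenge = "tls-alpn-01"
)

type IdentifierType string

const (
	IdentifierDNS IdentifierType = "dns"
	IdentifierIP  IdentifierType = "ip"
)

// Hypothetical stand-ins for identifier.ACMEIdentifier and core.Authorization.
type Identifier struct {
	Type  IdentifierType
	Value string
}

type Challenge struct {
	Type   AcmeChallenge
	Status string // "pending", "valid" or "invalid"
}

type Authorization struct {
	Identifier Identifier
	Challenges []Challenge
}

// PolicyAuthority holds only the runtime-enabled challenge set, which
// deliberately plays no part in challengeTypesFor.
type PolicyAuthority struct {
	enabledChallenges map[AcmeChallenge]bool
}

// challengeTypesFor is decided by the identifier alone. The mapping is an
// assumption of this example (see the lead-in), not a statement of
// Boulder's configuration.
func challengeTypesFor(ident Identifier) ([]AcmeChallenge, error) {
	switch ident.Type {
	case IdentifierDNS:
		if strings.HasPrefix(ident.Value, "*.") {
			return []AcmeChallenge{ChallengeDNS01}, nil
		}
		return []AcmeChallenge{ChallengeHTTP01, ChallengeDNS01, ChallengeTLSALPN01}, nil
	case IdentifierIP:
		return []AcmeChallenge{ChallengeHTTP01, ChallengeTLSALPN01}, nil
	}
	return nil, fmt.Errorf("unsupported identifier type %q", ident.Type)
}

// checkAuthzChallenges re-evaluates an authorization at the time it is
// used: the challenge that validated it must be enabled right now and
// must be one the identifier is allowed to use.
func (pa *PolicyAuthority) checkAuthzChallenges(authz Authorization) error {
	allowed, err := challengeTypesFor(authz.Identifier)
	if err != nil {
		return err
	}
	for _, ch := range authz.Challenges {
		if ch.Status != "valid" {
			continue
		}
		if !pa.enabledChallenges[ch.Type] {
			return fmt.Errorf("challenge %s is not currently enabled", ch.Type)
		}
		for _, a := range allowed {
			if a == ch.Type {
				return nil
			}
		}
		return fmt.Errorf("challenge %s is not applicable to %s identifier %q",
			ch.Type, authz.Identifier.Type, authz.Identifier.Value)
	}
	return errors.New("authorization has no valid challenge")
}

func main() {
	// tls-alpn-01 is switched off at runtime; nothing about the
	// identifier-based mapping changes.
	pa := &PolicyAuthority{enabledChallenges: map[AcmeChallenge]bool{
		ChallengeHTTP01: true, ChallengeDNS01: true,
	}}
	authz := Authorization{
		Identifier: Identifier{Type: IdentifierDNS, Value: "*.example.org"},
		Challenges: []Challenge{{Type: ChallengeHTTP01, Status: "valid"}},
	}
	fmt.Println(pa.checkAuthzChallenges(authz))
}
```

The wildcard case in main is the one that matters operationally: an authorization that somehow carries a valid http-01 for `*.example.org` is refused even though http-01 itself is enabled, because the identifier rule, not the enabled set, is what says which challenge may vouch for it.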
func (*AuthorityImpl) IdentifierTypeEnabled
func (pa *AuthorityImpl) IdentifierTypeEnabled(t identifier.IdentifierType) bool
IdentifierTypeEnabled returns whether the specified identifier type is enabled.
func (*AuthorityImpl) LoadIdentPolicyFile (added in v0.20250714.0)
func (pa *AuthorityImpl) LoadIdentPolicyFile(f string) error
LoadIdentPolicyFile will load the given policy file, returning an error if it fails.
func (*AuthorityImpl) WillingToIssue
func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
WillingToIssue determines whether the CA is willing to issue for the provided identifiers.
It applies the same criteria as `WellFormedIdentifiers` and additionally rejects any identifier that matches a block list.
If multiple identifiers are invalid, the error will contain suberrors specific to each identifier.
Precondition: all input identifier values must be in lowercase.
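The DNS-identifier rules from WellFormedIdentifiers, the label-wise block list match, and the WillingToIssue contract of reporting every bad identifier are shown together in the following added example, written for this page and not taken from Boulder. It assumes a tiny constructed public-suffix table in place of the real Public Suffix List, a constructed block list, a `maxLabels` of 10 (Boulder's own limit is not stated on this page), and it handles wildcards slightly more strictly than the stated rule by requiring the name after the `*.` to be registrable on its own, which rejects `*.com` and `*.co.uk` alike.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// maxLabels is assumed for this example; Boulder's limit is not on the page.
const maxLabels = 10

// RFC 1035 label: letter or digit at each end, hyphens allowed inside,
// lowercase only (the caller normalizes case first). Underscores fail.
var labelRE = regexp.MustCompile(`^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$`)

// Constructed stand-in for the Public Suffix List.
var publicSuffixes = map[string]bool{"com": true, "org": true, "co.uk": true}

// Constructed block list; Boulder loads its own from a policy file.
var blockList = []string{"example.com", "forbidden.org"}

// publicSuffix returns the longest public suffix of name, if any.
func publicSuffix(name string) (string, bool) {
	labels := strings.Split(name, ".")
	for i := range labels {
		if cand := strings.Join(labels[i:], "."); publicSuffixes[cand] {
			return cand, true
		}
	}
	return "", false
}

// wellFormedDNS applies the page's DNS-identifier rules to one name.
func wellFormedDNS(name string) error {
	if name == "" {
		return errors.New("empty identifier")
	}
	if name != strings.ToLower(name) {
		return errors.New("identifier must be lowercase")
	}
	if strings.Contains(name, "*") {
		if strings.Count(name, "*") != 1 {
			return errors.New("more than one wildcard")
		}
		if !strings.HasPrefix(name, "*.") {
			return errors.New("wildcard must be the leftmost label")
		}
		// The base name must itself be issuable, which also forbids a
		// wildcard directly under a TLD or other public suffix.
		base := strings.TrimPrefix(name, "*.")
		if err := wellFormedDNS(base); err != nil {
			return fmt.Errorf("wildcard base %q: %w", base, err)
		}
		return nil
	}
	if len(name) > 253 {
		return errors.New("name too long")
	}
	if _, err := netip.ParseAddr(name); err == nil {
		return errors.New("DNS identifier must not be an IP address")
	}
	labels := strings.Split(name, ".")
	if len(labels) > maxLabels {
		return fmt.Errorf("more than %d labels", maxLabels)
	}
	for _, l := range labels {
		if len(l) > 63 || !labelRE.MatchString(l) {
			return fmt.Errorf("label %q is not valid hostname syntax", l)
		}
	}
	suffix, ok := publicSuffix(name)
	if !ok {
		return errors.New("name does not end in a public suffix")
	}
	if suffix == name {
		return errors.New("name needs a label in addition to the public suffix")
	}
	return nil
}

// blocked is a label-wise suffix match: "sub.example.com" and
// "example.com" match the entry "example.com"; "notexample.com" does not.
func blocked(name string) bool {
	for _, b := range blockList {
		if name == b || strings.HasSuffix(name, "."+b) {
			return true
		}
	}
	return false
}

// willingToIssue checks every identifier and reports each failure,
// mirroring the suberror behaviour described for WillingToIssue.
func willingToIssue(names []string) []error {
	var errs []error
	for _, n := range names {
		if err := wellFormedDNS(n); err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", n, err))
		} else if blocked(n) {
			errs = append(errs, fmt.Errorf("%s: matches block list", n))
		}
	}
	return errs
}

func main() {
	for _, e := range willingToIssue([]string{"www.example.org", "sub.example.com", "*.org", "notexample.com", "foo_bar.org"}) {
		fmt.Println(e)
	}
}
```

The block list check runs on the full name, including a leading `*.`, so `*.example.com` is caught by the entry `example.com` through the suffix match, while `notexample.com` passes because the match is on whole labels rather than on a raw string suffix.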