acme

package module
v0.0.0-...-4ad0245 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 25, 2018 License: MIT Imports: 15 Imported by: 2

README

An ACME client implementation in Go

A library more true to the protocol elements than Lego.

Distributed under the MIT license.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrCanceled   = errors.New("operation canceled")
	ErrUnsolvable = errors.New("unsolvable challenge")
)
View Source 
var (
	ErrUnsupported = errors.New("unsupported operation")
)

Functions

func BoulderDirectory 

func BoulderDirectory(root *url.URL) *protocol.Directory

BoulderDirectory creates a directory for use with protocol.RegisterBoulderHTTP. The root URI must be absolute.

func NewHTTPServer 

func NewHTTPServer(s Server, d *protocol.Directory) protocol.HTTPServer

NewHTTPServer creates an HTTPServer from a high-level Server.

func RegisterAccount 

func RegisterAccount(dirURI string, accountKey crypto.PrivateKey, opts ...RegistrationOpt) (*ClientAccount, *Registration, error)

RegisterAccount performs an account registration and returns a client account on success. dirURI is the ACME directory URI.

func RegisterBoulderHTTP 

func RegisterBoulderHTTP(h protocol.HTTPHandlerHandler, root *url.URL, s Server, ns protocol.NonceSource)

RegisterBoulderHTTP registers the given server under the http.ServeMux h with Boulder-compatible paths. The root URI must be absolute and point to the root of h.

Types

type Authorization 

type Authorization struct {
	protocol.Authorization

	Status     protocol.Status
	Identifier Identifier
	URI        string
	RetryAfter time.Duration
}

type AuthorizationError 

type AuthorizationError struct {
	Err            error
	Authorizations []*Authorization
}

An AuthorizationError wraps another error and adds information about what authorizations were being attempted.

func (*AuthorizationError) Error 

func (e *AuthorizationError) Error() string

type Certificate 

type Certificate struct {
	Bytes      []byte
	URI        string
	IssuerURIs []string
	RetryAfter time.Duration
}

type CertificateIssuer 

type CertificateIssuer struct {
	// contains filtered or unexported fields
}

A CertificateIssuer can authorize and issue certificates in one go. A currently running issuer can be canceled.

func NewCertificateIssuer 

func NewCertificateIssuer(ia IssuingAccount) *CertificateIssuer

func (*CertificateIssuer) AuthorizeAndIssue 

func (ci *CertificateIssuer) AuthorizeAndIssue(csr []byte, s Solver) (*Certificate, error)

AuthorizeAndIssue issues a certificate based on a signing request after completing any necessary identity authorization challenges. The certificate will be tied to the issuing account on success. The solvers are used to solve challenges. Solvers are chosen to minimize the solver cost. Note that the function does not care about the cost unit, but it needs to be consistent across all solvers.

If one solver instance is used for multiple types, and the server requests solving all types, they may be lumped together in the same call to Solve.

func (*CertificateIssuer) Cancel 

func (ci *CertificateIssuer) Cancel()

Cancel stops any running invocation of AuthorizeAndIssue and causes new invocations to fail early. A canceled issuer should not be reused.

type ClientAccount 

type ClientAccount struct {
	// URI is the registration URI of the account.
	URI string
	Key crypto.PublicKey
	// contains filtered or unexported fields
}

ClientAccount represents a client for connecting to an ACME account. Instances are not concurrency-safe.

func NewClientAccount 

func NewClientAccount(dirURI, regURI string, accountKey crypto.PrivateKey) (*ClientAccount, error)

NewClientAccount creates a new account client by supplying the directory URI, account registration URI and the account key.

func (*ClientAccount) Authorization 

func (a *ClientAccount) Authorization(uri string) (*Authorization, error)

Authorization returns information about an existing authorization. It is up to the server to decide what authorizations are available to fetch (pending/valid/invalid).

func (*ClientAccount) AuthorizationURIs 

func (a *ClientAccount) AuthorizationURIs() ([]string, error)

AuthorizationURIs returns the list of pending and/or valid authorizations, depending on the ACME server implementation. A returned URI can be used in a call to Authorization to get more information.

func (*ClientAccount) AuthorizeIdentity 

func (a *ClientAccount) AuthorizeIdentity(id Identifier) (*Authorization, error)

AuthorizeIdentity starts an authorization flow for the given identifier. The returned *Authorization may be in pending state and require further action through solving returned challenges.

func (*ClientAccount) Certificate 

func (a *ClientAccount) Certificate(uri string) (*Certificate, error)

Certificate returns an existing certificate. This blocks while the certificate is pending.

func (*ClientAccount) CertificateURIs 

func (a *ClientAccount) CertificateURIs() ([]string, error)

CertificateURIs returns the list of certificates known for this account by the ACME server. Returned URIs can be used in calls to Certificate to get more information.

func (*ClientAccount) IssueCertificate 

func (a *ClientAccount) IssueCertificate(csr []byte) (*Certificate, error)

IssueCertificate signs a certificate signing request if authorized. This function will block until the requst is completed by the ACME server.

func (*ClientAccount) Registration 

func (a *ClientAccount) Registration() (*Registration, error)

Registration fetches the current registration resource. If the account registration is not complete, this returns ErrPending.

func (*ClientAccount) RevokeCertificate 

func (a *ClientAccount) RevokeCertificate(cert []byte) error

RevokeCertificate requests a revocation. The given cert should be exactly the same as returned by IssueCertificate.

func (*ClientAccount) UpdateRegistration 

func (a *ClientAccount) UpdateRegistration(opts ...RegistrationOpt) (*Registration, error)

UpdateRegistration allows changing one or more aspects of the registration. Takes the same options as RegisterAccount.

func (*ClientAccount) ValidateChallenge 

func (a *ClientAccount) ValidateChallenge(uri string, req protocol.Response) (protocol.Challenge, error)

ValidateChallenge notifies the ACME server that a challenge is ready to be validated. The ACME client should keep the challenge solver running until the associated Authorization stops being pending.

type DNSIdentifier 

type DNSIdentifier string

func (DNSIdentifier) Protocol 

func (u DNSIdentifier) Protocol() *protocol.Identifier

func (DNSIdentifier) String 

func (i DNSIdentifier) String() string

type Identifier 

type Identifier interface {
	Protocol() *protocol.Identifier
	String() string
}

type IssuingAccount 

type IssuingAccount interface {
	AuthorizeIdentity(id Identifier) (*Authorization, error)
	Authorization(uri string) (*Authorization, error)
	ValidateChallenge(uri string, resp protocol.Response) (protocol.Challenge, error)
	IssueCertificate(csr []byte) (*Certificate, error)
}

An IssuingAccount is an interface to something that can issue ACME certificates given a registered account. A ClientAccount fulfills this interface.

type Registration 

type Registration struct {
	protocol.Registration
	URI               string
	RecoveryKey       []byte
	TermsOfServiceURI string
}

type RegistrationOpt 

type RegistrationOpt func(*protocol.Registration)

func WithAgreementURI 

func WithAgreementURI(u string) RegistrationOpt

func WithContactURIs 

func WithContactURIs(contacts ...string) RegistrationOpt

func WithRecoveryKeyMaterial 

func WithRecoveryKeyMaterial(key *ecdsa.PrivateKey, len int) RegistrationOpt

type Server 

type Server interface {
	// RegisterAccount associates the given key with an account and
	// sets registration information. Returns the complete
	// registration resource.
	RegisterAccount(accountKey crypto.PublicKey, reg *Registration) (*Registration, error)

	// Authorization returns the authorization resource associated
	// with the given URI. It was previously started by
	// ServerAccount.AuthorizeIdentity.
	Authorization(uri string) (*Authorization, error)

	// Certificate returns the certificate resource associated
	// with the given URI. It was issued by ServerAccount.IssueCertificate.
	Certificate(uri string) (*Certificate, error)

	// Account creates a server-side representation of an account. This is called often
	// by the HTTP handler and should be lightweight. The key has been authenticated
	// by verifying the signature of the associated request body.
	Account(accountKey crypto.PublicKey) ServerAccount
}

A Server provides high-level entrypoints for ACME requests. Normally functions must be concurrency-safe. Returning a protocol.ServerError from any function allows control over HTTP error status codes.

type ServerAccount 

type ServerAccount interface {
	// AuthorizeIdentity starts an identity authorization for the given identifier.
	AuthorizeIdentity(id Identifier) (*Authorization, error)
	// IssueCertificate issues a certificate based on the certificate signing request.
	IssueCertificate(csr []byte) (*Certificate, error)
	// RevokeCertificate revokes the previously issued DER-encoded X.509 certificate.
	RevokeCertificate(cert []byte) error
	// UpdateRegistration updates the registration resource and returns the resulting complete resource.
	UpdateRegistration(reg *Registration) (*Registration, error)
	// ValidateChallenge informs the ACME server a challenge has been accepted.
	ValidateChallenge(uri string, req protocol.Response) (protocol.Challenge, error)
}

A ServerAccount provides high-level entrypoints for ACME requests on an account. These have an implicit account key.

type Solver 

type Solver interface {
	// Cost describes the cost to solve the set of challenges. The
	// returned cost is a number in some (consistent) unit. It
	// should be fast to evaluate the cost. The function should
	// return ErrUnsolvable if any challenge cannot be solved.
	Cost([]protocol.Challenge) (float64, error)

	// Solve is a function that starts a solver for some
	// challenges. The returned stop function will be called to
	// stop the solver and release resources. The same solver can
	// be used to solve multiple challenges at once. Each returned
	// response must correspond to the challenge of the same
	// index and len(ch) == len(resps).
	//
	// If err != nil, the stop function must not be called.
	Solve([]protocol.Challenge) (resps []protocol.Response, stop func() error, err error)
}

Solver is a way to produce responses to one or more challenges. Solver object functions must be concurrency-safe.

type TypeSolver 

type TypeSolver map[protocol.ChallengeType]Solver

A TypeSolver is a Solver split by challenge type. Each solver is assigned challenges by type. If the same solver object is used for multiple types, the challenges may be merged into a single call to Solve.

func (TypeSolver) Cost 

func (s TypeSolver) Cost(cs []protocol.Challenge) (float64, error)

func (TypeSolver) Solve 

func (s TypeSolver) Solve(cs []protocol.Challenge) ([]protocol.Response, func() error, error)

Source Files

View all Source files

Directories

Path Synopsis
Package protocol provides low-level primitives for working with the ACME protocol.
 Package protocol provides low-level primitives for working with the ACME protocol.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.