Documentation ¶
Index ¶
- Variables
- func BoulderDirectory(root *url.URL) *protocol.Directory
- func NewHTTPServer(s Server, d *protocol.Directory) protocol.HTTPServer
- func RegisterAccount(dirURI string, accountKey crypto.PrivateKey, opts ...RegistrationOpt) (*ClientAccount, *Registration, error)
- func RegisterBoulderHTTP(h protocol.HTTPHandlerHandler, root *url.URL, s Server, ...)
- type Authorization
- type AuthorizationError
- type Certificate
- type CertificateIssuer
- type ClientAccount
- func (a *ClientAccount) Authorization(uri string) (*Authorization, error)
- func (a *ClientAccount) AuthorizationURIs() ([]string, error)
- func (a *ClientAccount) AuthorizeIdentity(id Identifier) (*Authorization, error)
- func (a *ClientAccount) Certificate(uri string) (*Certificate, error)
- func (a *ClientAccount) CertificateURIs() ([]string, error)
- func (a *ClientAccount) IssueCertificate(csr []byte) (*Certificate, error)
- func (a *ClientAccount) Registration() (*Registration, error)
- func (a *ClientAccount) RevokeCertificate(cert []byte) error
- func (a *ClientAccount) UpdateRegistration(opts ...RegistrationOpt) (*Registration, error)
- func (a *ClientAccount) ValidateChallenge(uri string, req protocol.Response) (protocol.Challenge, error)
- type DNSIdentifier
- type Identifier
- type IssuingAccount
- type Registration
- type RegistrationOpt
- type Server
- type ServerAccount
- type Solver
- type TypeSolver
Constants ¶
This section is empty.
Variables ¶
var ( ErrCanceled = errors.New("operation canceled") ErrUnsolvable = errors.New("unsolvable challenge") )
var (
ErrUnsupported = errors.New("unsupported operation")
)
Functions ¶
func BoulderDirectory ¶
BoulderDirectory creates a directory for use with protocol.RegisterBoulderHTTP. The root URI must be absolute.
func NewHTTPServer ¶
func NewHTTPServer(s Server, d *protocol.Directory) protocol.HTTPServer
NewHTTPServer creates an HTTPServer from a high-level Server.
func RegisterAccount ¶
func RegisterAccount(dirURI string, accountKey crypto.PrivateKey, opts ...RegistrationOpt) (*ClientAccount, *Registration, error)
RegisterAccount performs an account registration and returns a client account on success. dirURI is the ACME directory URI.
func RegisterBoulderHTTP ¶
func RegisterBoulderHTTP(h protocol.HTTPHandlerHandler, root *url.URL, s Server, ns protocol.NonceSource)
RegisterBoulderHTTP registers the given server under the http.ServeMux h with Boulder-compatible paths. The root URI must be absolute and point to the root of h.
Types ¶
type Authorization ¶
type Authorization struct { protocol.Authorization Status protocol.Status Identifier Identifier URI string RetryAfter time.Duration }
type AuthorizationError ¶
type AuthorizationError struct { Err error Authorizations []*Authorization }
An AuthorizationError wraps another error and adds information about what authorizations were being attempted.
func (*AuthorizationError) Error ¶
func (e *AuthorizationError) Error() string
type Certificate ¶
type CertificateIssuer ¶
type CertificateIssuer struct {
// contains filtered or unexported fields
}
A CertificateIssuer can authorize and issue certificates in one go. A currently running issuer can be canceled.
func NewCertificateIssuer ¶
func NewCertificateIssuer(ia IssuingAccount) *CertificateIssuer
func (*CertificateIssuer) AuthorizeAndIssue ¶
func (ci *CertificateIssuer) AuthorizeAndIssue(csr []byte, s Solver) (*Certificate, error)
AuthorizeAndIssue issues a certificate based on a signing request after completing any necessary identity authorization challenges. The certificate will be tied to the issuing account on success. The solvers are used to solve challenges. Solvers are chosen to minimize the solver cost. Note that the function does not care about the cost unit, but it needs to be consistent across all solvers.
If one solver instance is used for multiple types, and the server requests solving all types, they may be lumped together in the same call to Solve.
func (*CertificateIssuer) Cancel ¶
func (ci *CertificateIssuer) Cancel()
Cancel stops any running invocation of AuthorizeAndIssue and causes new invocations to fail early. A canceled issuer should not be reused.
type ClientAccount ¶
type ClientAccount struct { // URI is the registration URI of the account. URI string Key crypto.PublicKey // contains filtered or unexported fields }
ClientAccount represents a client for connecting to an ACME account. Instances are not concurrency-safe.
func NewClientAccount ¶
func NewClientAccount(dirURI, regURI string, accountKey crypto.PrivateKey) (*ClientAccount, error)
NewClientAccount creates a new account client by supplying the directory URI, account registration URI and the account key.
func (*ClientAccount) Authorization ¶
func (a *ClientAccount) Authorization(uri string) (*Authorization, error)
Authorization returns information about an existing authorization. It is up to the server to decide what authorizations are available to fetch (pending/valid/invalid).
func (*ClientAccount) AuthorizationURIs ¶
func (a *ClientAccount) AuthorizationURIs() ([]string, error)
AuthorizationURIs returns the list of pending and/or valid authorizations, depending on the ACME server implementation. A returned URI can be used in a call to Authorization to get more information.
func (*ClientAccount) AuthorizeIdentity ¶
func (a *ClientAccount) AuthorizeIdentity(id Identifier) (*Authorization, error)
AuthorizeIdentity starts an authorization flow for the given identifier. The returned *Authorization may be in pending state and require further action through solving returned challenges.
func (*ClientAccount) Certificate ¶
func (a *ClientAccount) Certificate(uri string) (*Certificate, error)
Certificate returns an existing certificate. This blocks while the certificate is pending.
func (*ClientAccount) CertificateURIs ¶
func (a *ClientAccount) CertificateURIs() ([]string, error)
CertificateURIs returns the list of certificates known for this account by the ACME server. Returned URIs can be used in calls to Certificate to get more information.
func (*ClientAccount) IssueCertificate ¶
func (a *ClientAccount) IssueCertificate(csr []byte) (*Certificate, error)
IssueCertificate signs a certificate signing request if authorized. This function will block until the requst is completed by the ACME server.
func (*ClientAccount) Registration ¶
func (a *ClientAccount) Registration() (*Registration, error)
Registration fetches the current registration resource. If the account registration is not complete, this returns ErrPending.
func (*ClientAccount) RevokeCertificate ¶
func (a *ClientAccount) RevokeCertificate(cert []byte) error
RevokeCertificate requests a revocation. The given cert should be exactly the same as returned by IssueCertificate.
func (*ClientAccount) UpdateRegistration ¶
func (a *ClientAccount) UpdateRegistration(opts ...RegistrationOpt) (*Registration, error)
UpdateRegistration allows changing one or more aspects of the registration. Takes the same options as RegisterAccount.
func (*ClientAccount) ValidateChallenge ¶
func (a *ClientAccount) ValidateChallenge(uri string, req protocol.Response) (protocol.Challenge, error)
ValidateChallenge notifies the ACME server that a challenge is ready to be validated. The ACME client should keep the challenge solver running until the associated Authorization stops being pending.
type DNSIdentifier ¶
type DNSIdentifier string
func (DNSIdentifier) Protocol ¶
func (u DNSIdentifier) Protocol() *protocol.Identifier
func (DNSIdentifier) String ¶
func (i DNSIdentifier) String() string
type Identifier ¶
type Identifier interface { Protocol() *protocol.Identifier String() string }
type IssuingAccount ¶
type IssuingAccount interface { AuthorizeIdentity(id Identifier) (*Authorization, error) Authorization(uri string) (*Authorization, error) ValidateChallenge(uri string, resp protocol.Response) (protocol.Challenge, error) IssueCertificate(csr []byte) (*Certificate, error) }
An IssuingAccount is an interface to something that can issue ACME certificates given a registered account. A ClientAccount fulfills this interface.
type Registration ¶
type Registration struct { protocol.Registration URI string RecoveryKey []byte TermsOfServiceURI string }
type RegistrationOpt ¶
type RegistrationOpt func(*protocol.Registration)
func WithAgreementURI ¶
func WithAgreementURI(u string) RegistrationOpt
func WithContactURIs ¶
func WithContactURIs(contacts ...string) RegistrationOpt
func WithRecoveryKeyMaterial ¶
func WithRecoveryKeyMaterial(key *ecdsa.PrivateKey, len int) RegistrationOpt
type Server ¶
type Server interface { // RegisterAccount associates the given key with an account and // sets registration information. Returns the complete // registration resource. RegisterAccount(accountKey crypto.PublicKey, reg *Registration) (*Registration, error) // Authorization returns the authorization resource associated // with the given URI. It was previously started by // ServerAccount.AuthorizeIdentity. Authorization(uri string) (*Authorization, error) // Certificate returns the certificate resource associated // with the given URI. It was issued by ServerAccount.IssueCertificate. Certificate(uri string) (*Certificate, error) // Account creates a server-side representation of an account. This is called often // by the HTTP handler and should be lightweight. The key has been authenticated // by verifying the signature of the associated request body. Account(accountKey crypto.PublicKey) ServerAccount }
A Server provides high-level entrypoints for ACME requests. Normally functions must be concurrency-safe. Returning a protocol.ServerError from any function allows control over HTTP error status codes.
type ServerAccount ¶
type ServerAccount interface { // AuthorizeIdentity starts an identity authorization for the given identifier. AuthorizeIdentity(id Identifier) (*Authorization, error) // IssueCertificate issues a certificate based on the certificate signing request. IssueCertificate(csr []byte) (*Certificate, error) // RevokeCertificate revokes the previously issued DER-encoded X.509 certificate. RevokeCertificate(cert []byte) error // UpdateRegistration updates the registration resource and returns the resulting complete resource. UpdateRegistration(reg *Registration) (*Registration, error) // ValidateChallenge informs the ACME server a challenge has been accepted. ValidateChallenge(uri string, req protocol.Response) (protocol.Challenge, error) }
A ServerAccount provides high-level entrypoints for ACME requests on an account. These have an implicit account key.
type Solver ¶
type Solver interface { // Cost describes the cost to solve the set of challenges. The // returned cost is a number in some (consistent) unit. It // should be fast to evaluate the cost. The function should // return ErrUnsolvable if any challenge cannot be solved. Cost([]protocol.Challenge) (float64, error) // Solve is a function that starts a solver for some // challenges. The returned stop function will be called to // stop the solver and release resources. The same solver can // be used to solve multiple challenges at once. Each returned // response must correspond to the challenge of the same // index and len(ch) == len(resps). // // If err != nil, the stop function must not be called. Solve([]protocol.Challenge) (resps []protocol.Response, stop func() error, err error) }
Solver is a way to produce responses to one or more challenges. Solver object functions must be concurrency-safe.
type TypeSolver ¶
type TypeSolver map[protocol.ChallengeType]Solver
A TypeSolver is a Solver split by challenge type. Each solver is assigned challenges by type. If the same solver object is used for multiple types, the challenges may be merged into a single call to Solve.