Index ¶
- func DBMapForTest(dbConnect string) (*boulderDB.WrappedMap, error)
- func DBMapForTestWithLog(dbConnect string, log blog.Logger) (*boulderDB.WrappedMap, error)
- func EncodeIssuedName(name string) string
- func InitWrappedDb(config cmd.DBConfig, scope prometheus.Registerer, logger blog.Logger) (*boulderDB.WrappedMap, error)
- func SelectAuthzsMatchingIssuance(ctx context.Context, s db.Selector, regID int64, issued time.Time, ...) ([]*corepb.Authorization, error)
- func SelectCertificate(ctx context.Context, s db.OneSelector, serial string) (*corepb.Certificate, error)
- func SelectCertificateStatus(ctx context.Context, s db.OneSelector, serial string) (*corepb.CertificateStatus, error)
- func SelectCertificates(ctx context.Context, s db.Selector, q string, args map[string]any) ([]*corepb.Certificate, int64, error)
- func SelectPrecertificate(ctx context.Context, s db.OneSelector, serial string) (*corepb.Certificate, error)
- func SelectRevocationStatus(ctx context.Context, s db.OneSelector, serial string) (*sapb.RevocationStatus, error)
- type BoulderTypeConverter
- type CertStatusMetadata
- type DbSettings
- type RevocationStatusModel
- type SQLLogger
- type SQLStorageAuthority
- func (ssa *SQLStorageAuthority) AddBlockedKey(ctx context.Context, req *sapb.AddBlockedKeyRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) AddCertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) AddRateLimitOverride(ctx context.Context, req *sapb.AddRateLimitOverrideRequest) (*sapb.AddRateLimitOverrideResponse, error)
- func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) DeactivateAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) DeactivateRegistration(ctx context.Context, req *sapb.RegistrationID) (*corepb.Registration, error)
- func (ssa *SQLStorageAuthority) DisableRateLimitOverride(ctx context.Context, req *sapb.DisableRateLimitOverrideRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) EnableRateLimitOverride(ctx context.Context, req *sapb.EnableRateLimitOverrideRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) FinalizeOrder(ctx context.Context, req *sapb.FinalizeOrderRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) Health(ctx context.Context) error
- func (ssa *SQLStorageAuthority) LeaseCRLShard(ctx context.Context, req *sapb.LeaseCRLShardRequest) (*sapb.LeaseCRLShardResponse, error)
- func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest) (*corepb.Order, error)
- func (ssa *SQLStorageAuthority) NewRegistration(ctx context.Context, req *corepb.Registration) (*corepb.Registration, error)
- func (ssa *SQLStorageAuthority) PauseIdentifiers(ctx context.Context, req *sapb.PauseRequest) (*sapb.PauseIdentifiersResponse, error)
- func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) SetOrderError(ctx context.Context, req *sapb.SetOrderErrorRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) SetOrderProcessing(ctx context.Context, req *sapb.OrderRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) UnpauseAccount(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error)
- func (ssa *SQLStorageAuthority) UpdateCRLShard(ctx context.Context, req *sapb.UpdateCRLShardRequest) (*emptypb.Empty, error)
- func (ssa *SQLStorageAuthority) UpdateRegistrationKey(ctx context.Context, req *sapb.UpdateRegistrationKeyRequest) (*corepb.Registration, error)
- func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error)
- type SQLStorageAuthorityRO
- func (ssa *SQLStorageAuthorityRO) CheckIdentifiersPaused(ctx context.Context, req *sapb.PauseRequest) (*sapb.Identifiers, error)
- func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error)
- func (ssa *SQLStorageAuthorityRO) CountPendingAuthorizations2(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error)
- func (ssa *SQLStorageAuthorityRO) FQDNSetExists(ctx context.Context, req *sapb.FQDNSetExistsRequest) (*sapb.Exists, error)
- func (ssa *SQLStorageAuthorityRO) FQDNSetTimestampsForWindow(ctx context.Context, req *sapb.CountFQDNSetsRequest) (*sapb.Timestamps, error)
- func (ssa *SQLStorageAuthorityRO) GetAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*corepb.Authorization, error)
- func (ssa *SQLStorageAuthorityRO) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
- func (ssa *SQLStorageAuthorityRO) GetCertificateStatus(ctx context.Context, req *sapb.Serial) (*corepb.CertificateStatus, error)
- func (ssa *SQLStorageAuthorityRO) GetEnabledRateLimitOverrides(_ *emptypb.Empty, ...) error
- func (ssa *SQLStorageAuthorityRO) GetLintPrecertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
- func (ssa *SQLStorageAuthorityRO) GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)
- func (ssa *SQLStorageAuthorityRO) GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error)
- func (ssa *SQLStorageAuthorityRO) GetPausedIdentifiers(ctx context.Context, req *sapb.RegistrationID) (*sapb.Identifiers, error)
- func (ssa *SQLStorageAuthorityRO) GetRateLimitOverride(ctx context.Context, req *sapb.GetRateLimitOverrideRequest) (*sapb.RateLimitOverrideResponse, error)
- func (ssa *SQLStorageAuthorityRO) GetRegistration(ctx context.Context, req *sapb.RegistrationID) (*corepb.Registration, error)
- func (ssa *SQLStorageAuthorityRO) GetRegistrationByKey(ctx context.Context, req *sapb.JSONWebKey) (*corepb.Registration, error)
- func (ssa *SQLStorageAuthorityRO) GetRevocationStatus(ctx context.Context, req *sapb.Serial) (*sapb.RevocationStatus, error)
- func (ssa *SQLStorageAuthorityRO) GetRevokedCertsByShard(req *sapb.GetRevokedCertsByShardRequest, ...) error
- func (ssa *SQLStorageAuthorityRO) GetSerialMetadata(ctx context.Context, req *sapb.Serial) (*sapb.SerialMetadata, error)
- func (ssa *SQLStorageAuthorityRO) GetSerialsByAccount(req *sapb.RegistrationID, stream grpc.ServerStreamingServer[sapb.Serial]) error
- func (ssa *SQLStorageAuthorityRO) GetSerialsByKey(req *sapb.SPKIHash, stream grpc.ServerStreamingServer[sapb.Serial]) error
- func (ssa *SQLStorageAuthorityRO) GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest) (*sapb.Authorizations, error)
- func (ssa *SQLStorageAuthorityRO) GetValidOrderAuthorizations2(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (*sapb.Authorizations, error)
- func (ssa *SQLStorageAuthorityRO) Health(ctx context.Context) error
- func (ssa *SQLStorageAuthorityRO) IncidentsForSerial(ctx context.Context, req *sapb.Serial) (*sapb.Incidents, error)
- func (ssa *SQLStorageAuthorityRO) KeyBlocked(ctx context.Context, req *sapb.SPKIHash) (*sapb.Exists, error)
- func (ssa *SQLStorageAuthorityRO) ReplacementOrderExists(ctx context.Context, req *sapb.Serial) (*sapb.Exists, error)
- func (ssa *SQLStorageAuthorityRO) SerialsForIncident(req *sapb.SerialsForIncidentRequest, ...) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DBMapForTest ¶
func DBMapForTest(dbConnect string) (*boulderDB.WrappedMap, error)
DBMapForTest creates a wrapped root borp mapping object. Create one of these for each database schema you wish to map. Each DbMap contains a list of mapped tables. It automatically maps the tables for the primary parts of Boulder around the Storage Authority.
func DBMapForTestWithLog ¶
DBMapForTestWithLog does the same as DBMapForTest but also routes the debug logs from the database driver to the given log (usually a `blog.NewMock`).
func EncodeIssuedName ¶
EncodeIssuedName translates a FQDN to/from the issuedNames table by reversing its dot-separated elements, and translates an IP address by returning its normal string form.
This is for strings of ambiguous identifier values. If you know your string is a FQDN, use reverseFQDN(). If you have an IP address, use netip.Addr.String() or net.IP.String().
func InitWrappedDb ¶
func InitWrappedDb(config cmd.DBConfig, scope prometheus.Registerer, logger blog.Logger) (*boulderDB.WrappedMap, error)
InitWrappedDb constructs a wrapped borp mapping object with the provided settings. If scope is non-nil, Prometheus metrics will be exported. If logger is non-nil, SQL debug-level logging will be enabled. The only required parameter is config.
func SelectAuthzsMatchingIssuance ¶
func SelectAuthzsMatchingIssuance( ctx context.Context, s db.Selector, regID int64, issued time.Time, idents identifier.ACMEIdentifiers, ) ([]*corepb.Authorization, error)
SelectAuthzsMatchingIssuance looks for a set of authzs that would have authorized a given issuance that is known to have occurred. The returned authzs will all belong to the given regID, will have potentially been valid at the time of issuance, and will have the appropriate identifier type and value. This may return multiple authzs for the same identifier type and value.
This returns "potentially" valid authzs because a client may have set an authz's status to deactivated after issuance, so we return both valid and deactivated authzs. It also uses a small amount of leeway (1s) to account for possible clock skew.
This function doesn't do anything special for authzs with an expiration in the past. If the stored authz has a valid status, it is returned with a valid status regardless of whether it is also expired.
func SelectCertificate ¶
func SelectCertificate(ctx context.Context, s db.OneSelector, serial string) (*corepb.Certificate, error)
SelectCertificate selects all fields of one certificate object identified by a serial. If more than one row contains the same serial only the first is returned.
func SelectCertificateStatus ¶
func SelectCertificateStatus(ctx context.Context, s db.OneSelector, serial string) (*corepb.CertificateStatus, error)
SelectCertificateStatus selects all fields of one certificate status model identified by serial.
func SelectCertificates ¶
func SelectCertificates(ctx context.Context, s db.Selector, q string, args map[string]any) ([]*corepb.Certificate, int64, error)
SelectCertificates selects all fields of multiple certificate objects.
Returns a slice of *corepb.Certificate along with the highest ID field seen (which can be used as input to a subsequent query when iterating in primary key order).
func SelectPrecertificate ¶
func SelectPrecertificate(ctx context.Context, s db.OneSelector, serial string) (*corepb.Certificate, error)
SelectPrecertificate selects all fields of one precertificate object identified by serial.
func SelectRevocationStatus ¶
func SelectRevocationStatus(ctx context.Context, s db.OneSelector, serial string) (*sapb.RevocationStatus, error)
SelectRevocationStatus returns the authoritative revocation information for the certificate with the given serial.
Types ¶
type BoulderTypeConverter ¶
type BoulderTypeConverter struct{}
BoulderTypeConverter is used by borp for storing objects in DB.
func (BoulderTypeConverter) FromDb ¶
func (tc BoulderTypeConverter) FromDb(target any) (borp.CustomScanner, bool)
FromDb converts a DB representation back into a Boulder object.
type CertStatusMetadata ¶
type CertStatusMetadata struct {
	// ID is the row's primary key (column "id").
	ID int64 `db:"id"`
	// Serial is the certificate serial this row describes (column "serial").
	Serial string `db:"serial"`
	// Status is the certificate's OCSP status (column "status").
	Status core.OCSPStatus `db:"status"`
	// OCSPLastUpdated records when the OCSP response was last refreshed
	// (column "ocspLastUpdated").
	OCSPLastUpdated time.Time `db:"ocspLastUpdated"`
	// RevokedDate is the revocation timestamp (column "revokedDate");
	// presumably the zero value when the certificate is not revoked — confirm.
	RevokedDate time.Time `db:"revokedDate"`
	// RevokedReason is the revocation reason code (column "revokedReason").
	RevokedReason revocation.Reason `db:"revokedReason"`
	// LastExpirationNagSent records when an expiration notice was last sent
	// (column "lastExpirationNagSent").
	LastExpirationNagSent time.Time `db:"lastExpirationNagSent"`
	// NotAfter is the certificate's expiration time (column "notAfter").
	NotAfter time.Time `db:"notAfter"`
	// IsExpired flags the certificate as expired (column "isExpired").
	IsExpired bool `db:"isExpired"`
	// IssuerID identifies the issuing certificate (column "issuerID").
	IssuerID int64 `db:"issuerID"`
}
type DbSettings ¶
// DbSettings contains settings for the database/sql driver. The zero
// value of each field means use the default setting from database/sql.
// ConnMaxIdleTime and ConnMaxLifetime should be set lower than their
// MariaDB counterparts, interactive_timeout and wait_timeout, so that
// the client side retires a connection before the server drops it.
type DbSettings struct {
	// MaxOpenConns sets the maximum number of open connections to the
	// database. If MaxIdleConns is greater than 0 and MaxOpenConns is
	// less than MaxIdleConns, then MaxIdleConns will be reduced to
	// match the new MaxOpenConns limit. If n < 0, then there is no
	// limit on the number of open connections.
	MaxOpenConns int
	// MaxIdleConns sets the maximum number of connections in the idle
	// connection pool. If MaxOpenConns is greater than 0 but less than
	// MaxIdleConns, then MaxIdleConns will be reduced to match the
	// MaxOpenConns limit. If n < 0, no idle connections are retained.
	MaxIdleConns int
	// ConnMaxLifetime sets the maximum amount of time a connection may
	// be reused. Expired connections may be closed lazily before reuse.
	// If d < 0, connections are not closed due to a connection's age.
	ConnMaxLifetime time.Duration
	// ConnMaxIdleTime sets the maximum amount of time a connection may
	// be idle. Expired connections may be closed lazily before reuse.
	// If d < 0, connections are not closed due to a connection's idle
	// time.
	ConnMaxIdleTime time.Duration
}
DbSettings contains settings for the database/sql driver. The zero value of each field means use the default setting from database/sql. ConnMaxIdleTime and ConnMaxLifetime should be set lower than their MariaDB counterparts, interactive_timeout and wait_timeout.
type RevocationStatusModel ¶
// RevocationStatusModel represents a small subset of the columns in the
// certificateStatus table, used to determine the authoritative revocation
// status of a certificate.
type RevocationStatusModel struct {
	// Status is the certificate's OCSP status (column "status").
	Status core.OCSPStatus `db:"status"`
	// RevokedDate is the revocation timestamp (column "revokedDate").
	RevokedDate time.Time `db:"revokedDate"`
	// RevokedReason is the revocation reason code (column "revokedReason").
	RevokedReason revocation.Reason `db:"revokedReason"`
}
RevocationStatusModel represents a small subset of the columns in the certificateStatus table, used to determine the authoritative revocation status of a certificate.
type SQLStorageAuthority ¶
// SQLStorageAuthority defines a Storage Authority. It embeds a
// *SQLStorageAuthorityRO, so the read-only RPCs are served by the embedded
// value; the write RPCs are the methods declared on this type.
type SQLStorageAuthority struct {
	sapb.UnsafeStorageAuthorityServer
	*SQLStorageAuthorityRO
	// contains filtered or unexported fields
}
SQLStorageAuthority defines a Storage Authority.
Note that although SQLStorageAuthority does have methods wrapping all of the read-only methods provided by the SQLStorageAuthorityRO, those wrapper implementations are in saro.go, next to the real implementations.
func NewSQLStorageAuthority ¶
func NewSQLStorageAuthority( dbMap *db.WrappedMap, dbReadOnlyMap *db.WrappedMap, dbIncidentsMap *db.WrappedMap, parallelismPerRPC int, lagFactor time.Duration, clk clock.Clock, logger blog.Logger, stats prometheus.Registerer, ) (*SQLStorageAuthority, error)
NewSQLStorageAuthority provides persistence using a SQL backend for Boulder. It constructs its own read-only storage authority to wrap.
func NewSQLStorageAuthorityWrapping ¶
func NewSQLStorageAuthorityWrapping( ssaro *SQLStorageAuthorityRO, dbMap *db.WrappedMap, stats prometheus.Registerer, ) (*SQLStorageAuthority, error)
NewSQLStorageAuthorityWrapping provides persistence using a SQL backend for Boulder. It takes a read-only storage authority to wrap, which is useful if you are constructing both types of implementations and want to share read-only database connections between them.
func (*SQLStorageAuthority) AddBlockedKey ¶
func (ssa *SQLStorageAuthority) AddBlockedKey(ctx context.Context, req *sapb.AddBlockedKeyRequest) (*emptypb.Empty, error)
AddBlockedKey adds a key hash to the blockedKeys table.
func (*SQLStorageAuthority) AddCertificate ¶
func (ssa *SQLStorageAuthority) AddCertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)
AddCertificate stores an issued certificate, returning an error if it is a duplicate or if any other failure occurs.
func (*SQLStorageAuthority) AddPrecertificate ¶
func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error)
AddPrecertificate writes a record of a linting certificate to the database.
Note: The name "AddPrecertificate" is a historical artifact, and this is now always called with a linting certificate. See #6807.
Note: this is not idempotent: it does not protect against inserting the same certificate multiple times. Calling code needs to first insert the cert's serial into the Serials table to ensure uniqueness.
func (*SQLStorageAuthority) AddRateLimitOverride ¶
func (ssa *SQLStorageAuthority) AddRateLimitOverride(ctx context.Context, req *sapb.AddRateLimitOverrideRequest) (*sapb.AddRateLimitOverrideResponse, error)
AddRateLimitOverride adds a rate limit override to the database. If the override already exists, it will be updated. If the override does not exist, it will be inserted and enabled. If the override exists but has been disabled, it will be updated but not re-enabled. The status of the override is returned in the Enabled field of the response. To re-enable an override, use the EnableRateLimitOverride method.
func (*SQLStorageAuthority) AddSerial ¶
func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*emptypb.Empty, error)
AddSerial writes a record of a serial number generation to the DB.
func (*SQLStorageAuthority) DeactivateAuthorization2 ¶
func (ssa *SQLStorageAuthority) DeactivateAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*emptypb.Empty, error)
DeactivateAuthorization2 deactivates a currently valid or pending authorization.
func (*SQLStorageAuthority) DeactivateRegistration ¶
func (ssa *SQLStorageAuthority) DeactivateRegistration(ctx context.Context, req *sapb.RegistrationID) (*corepb.Registration, error)
DeactivateRegistration deactivates a currently valid registration.
func (*SQLStorageAuthority) DisableRateLimitOverride ¶
func (ssa *SQLStorageAuthority) DisableRateLimitOverride(ctx context.Context, req *sapb.DisableRateLimitOverrideRequest) (*emptypb.Empty, error)
DisableRateLimitOverride disables a rate limit override. If the override does not exist, a NotFoundError is returned. If the override exists but is already disabled, this is a no-op.
func (*SQLStorageAuthority) EnableRateLimitOverride ¶
func (ssa *SQLStorageAuthority) EnableRateLimitOverride(ctx context.Context, req *sapb.EnableRateLimitOverrideRequest) (*emptypb.Empty, error)
EnableRateLimitOverride enables a rate limit override. If the override does not exist, a NotFoundError is returned. If the override exists but is already enabled, this is a no-op.
func (*SQLStorageAuthority) FinalizeAuthorization2 ¶
func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest) (*emptypb.Empty, error)
FinalizeAuthorization2 moves a pending authorization to either the valid or invalid status. If the authorization is being moved to invalid the validationError field must be set. If the authorization is being moved to valid the validationRecord and expires fields must be set.
func (*SQLStorageAuthority) FinalizeOrder ¶
func (ssa *SQLStorageAuthority) FinalizeOrder(ctx context.Context, req *sapb.FinalizeOrderRequest) (*emptypb.Empty, error)
FinalizeOrder finalizes a provided *corepb.Order by persisting the CertificateSerial and a valid status to the database. No fields other than CertificateSerial and the order ID on the provided order are processed (e.g. this is not a generic update RPC).
func (*SQLStorageAuthority) Health ¶
func (ssa *SQLStorageAuthority) Health(ctx context.Context) error
Health implements the grpc.checker interface.
func (*SQLStorageAuthority) LeaseCRLShard ¶
func (ssa *SQLStorageAuthority) LeaseCRLShard(ctx context.Context, req *sapb.LeaseCRLShardRequest) (*sapb.LeaseCRLShardResponse, error)
LeaseCRLShard marks a single crlShards row as leased until the given time. If the request names a specific shard, this function will return an error if that shard is already leased. Otherwise, this function will return the index of the oldest shard for the given issuer.
func (*SQLStorageAuthority) NewOrderAndAuthzs ¶
func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest) (*corepb.Order, error)
NewOrderAndAuthzs adds the given authorizations to the database, adds their autogenerated IDs to the given order, and then adds the order to the db. This is done inside a single transaction to prevent situations where new authorizations are created, but then their corresponding order is never created, leading to "invisible" pending authorizations.
func (*SQLStorageAuthority) NewRegistration ¶
func (ssa *SQLStorageAuthority) NewRegistration(ctx context.Context, req *corepb.Registration) (*corepb.Registration, error)
NewRegistration stores a new Registration.
func (*SQLStorageAuthority) PauseIdentifiers ¶
func (ssa *SQLStorageAuthority) PauseIdentifiers(ctx context.Context, req *sapb.PauseRequest) (*sapb.PauseIdentifiersResponse, error)
PauseIdentifiers pauses a set of identifiers for the provided account. If an identifier is currently paused, this is a no-op. If an identifier was previously paused and unpaused, it will be repaused unless it was unpaused less than two weeks ago. The response will indicate how many identifiers were paused and how many were repaused. All work is accomplished in a transaction to limit possible race conditions.
func (*SQLStorageAuthority) RevokeCertificate ¶
func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error)
RevokeCertificate stores revocation information about a certificate. It will only store this information if the certificate is not already marked as revoked.
If ShardIdx is non-zero, RevokeCertificate also writes an entry for this certificate to the revokedCertificates table, with the provided shard number.
func (*SQLStorageAuthority) SetOrderError ¶
func (ssa *SQLStorageAuthority) SetOrderError(ctx context.Context, req *sapb.SetOrderErrorRequest) (*emptypb.Empty, error)
SetOrderError updates a provided Order's error field.
func (*SQLStorageAuthority) SetOrderProcessing ¶
func (ssa *SQLStorageAuthority) SetOrderProcessing(ctx context.Context, req *sapb.OrderRequest) (*emptypb.Empty, error)
SetOrderProcessing updates an order from pending status to processing status by updating the `beganProcessing` field of the corresponding Order table row in the DB.
func (*SQLStorageAuthority) UnpauseAccount ¶
func (ssa *SQLStorageAuthority) UnpauseAccount(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error)
UnpauseAccount uses up to 5 iterations of UPDATE queries each with a LIMIT of 10,000 to unpause up to 50,000 identifiers and returns a count of identifiers unpaused. If the returned count is 50,000 there may be more paused identifiers.
func (*SQLStorageAuthority) UpdateCRLShard ¶
func (ssa *SQLStorageAuthority) UpdateCRLShard(ctx context.Context, req *sapb.UpdateCRLShardRequest) (*emptypb.Empty, error)
UpdateCRLShard updates the thisUpdate and nextUpdate timestamps of a CRL shard. It rejects the update if it would cause the thisUpdate timestamp to move backwards, but if thisUpdate would stay the same (for instance, multiple CRL generations within a single second), it will succeed.
It does *not* reject the update if the shard is no longer leased: although this would be unexpected (because the lease timestamp should be the same as the crl-updater's context expiration), it's not inherently a sign of an update that should be skipped. It does reject the update if the identified CRL shard does not exist in the database (it should exist, as rows are created if necessary when leased). It also sets the leasedUntil time to be equal to thisUpdate, to indicate that the shard is no longer leased.
func (*SQLStorageAuthority) UpdateRegistrationKey ¶
func (ssa *SQLStorageAuthority) UpdateRegistrationKey(ctx context.Context, req *sapb.UpdateRegistrationKeyRequest) (*corepb.Registration, error)
UpdateRegistrationKey stores an updated key in a Registration.
func (*SQLStorageAuthority) UpdateRevokedCertificate ¶
func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error)
UpdateRevokedCertificate stores new revocation information about an already-revoked certificate. It will only store this information if the cert is already revoked, if the new revocation reason is `KeyCompromise`, and if the revokedDate is identical to the current revokedDate.
type SQLStorageAuthorityRO ¶
// SQLStorageAuthorityRO defines a read-only subset of a Storage Authority.
// Only read RPCs are declared on it; the write path lives on
// SQLStorageAuthority, which embeds this type.
type SQLStorageAuthorityRO struct {
	sapb.UnsafeStorageAuthorityReadOnlyServer
	// contains filtered or unexported fields
}
SQLStorageAuthorityRO defines a read-only subset of a Storage Authority.
func NewSQLStorageAuthorityRO ¶
func NewSQLStorageAuthorityRO( dbReadOnlyMap *db.WrappedMap, dbIncidentsMap *db.WrappedMap, stats prometheus.Registerer, parallelismPerRPC int, lagFactor time.Duration, clk clock.Clock, logger blog.Logger, ) (*SQLStorageAuthorityRO, error)
NewSQLStorageAuthorityRO provides persistence using a SQL backend for Boulder. It will modify the given borp.DbMap by adding relevant tables.
func (*SQLStorageAuthorityRO) CheckIdentifiersPaused ¶
func (ssa *SQLStorageAuthorityRO) CheckIdentifiersPaused(ctx context.Context, req *sapb.PauseRequest) (*sapb.Identifiers, error)
CheckIdentifiersPaused takes a slice of identifiers and returns a slice of the first 15 identifier values which are currently paused for the provided account. If no matches are found, an empty slice is returned.
func (*SQLStorageAuthorityRO) CountInvalidAuthorizations2 ¶
func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error)
CountInvalidAuthorizations2 counts invalid authorizations for a user expiring in a given time range.
func (*SQLStorageAuthorityRO) CountPendingAuthorizations2 ¶
func (ssa *SQLStorageAuthorityRO) CountPendingAuthorizations2(ctx context.Context, req *sapb.RegistrationID) (*sapb.Count, error)
CountPendingAuthorizations2 returns the number of pending, unexpired authorizations for the given registration.
func (*SQLStorageAuthorityRO) FQDNSetExists ¶
func (ssa *SQLStorageAuthorityRO) FQDNSetExists(ctx context.Context, req *sapb.FQDNSetExistsRequest) (*sapb.Exists, error)
FQDNSetExists returns a bool indicating whether one or more FQDN sets |names| exist in the database.
func (*SQLStorageAuthorityRO) FQDNSetTimestampsForWindow ¶
func (ssa *SQLStorageAuthorityRO) FQDNSetTimestampsForWindow(ctx context.Context, req *sapb.CountFQDNSetsRequest) (*sapb.Timestamps, error)
FQDNSetTimestampsForWindow returns the issuance timestamps for each certificate, issued for a set of identifiers, during a given window of time, starting from the most recent issuance.
If req.Limit is nonzero, it returns only the most recent `Limit` results.
func (*SQLStorageAuthorityRO) GetAuthorization2 ¶
func (ssa *SQLStorageAuthorityRO) GetAuthorization2(ctx context.Context, req *sapb.AuthorizationID2) (*corepb.Authorization, error)
GetAuthorization2 returns the authz2 style authorization identified by the provided ID or an error. If no authorization is found matching the ID a berrors.NotFound type error is returned.
func (*SQLStorageAuthorityRO) GetCertificate ¶
func (ssa *SQLStorageAuthorityRO) GetCertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
GetCertificate takes a serial number and returns the corresponding certificate, or error if it does not exist.
func (*SQLStorageAuthorityRO) GetCertificateStatus ¶
func (ssa *SQLStorageAuthorityRO) GetCertificateStatus(ctx context.Context, req *sapb.Serial) (*corepb.CertificateStatus, error)
GetCertificateStatus takes a hexadecimal string representing the full 128-bit serial number of a certificate and returns data about that certificate's current validity.
func (*SQLStorageAuthorityRO) GetEnabledRateLimitOverrides ¶
func (ssa *SQLStorageAuthorityRO) GetEnabledRateLimitOverrides(_ *emptypb.Empty, stream sapb.StorageAuthorityReadOnly_GetEnabledRateLimitOverridesServer) error
GetEnabledRateLimitOverrides retrieves all enabled rate limit overrides from the database. The results are returned as a stream. If no enabled overrides are found, an empty stream is returned.
func (*SQLStorageAuthorityRO) GetLintPrecertificate ¶
func (ssa *SQLStorageAuthorityRO) GetLintPrecertificate(ctx context.Context, req *sapb.Serial) (*corepb.Certificate, error)
GetLintPrecertificate takes a serial number and returns the corresponding linting precertificate, or error if it does not exist. The returned precert is identical to the actual submitted-to-CT-logs precertificate, except for its signature.
func (*SQLStorageAuthorityRO) GetOrder ¶
func (ssa *SQLStorageAuthorityRO) GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)
GetOrder is used to retrieve an already existing order object.
func (*SQLStorageAuthorityRO) GetOrderForNames ¶
func (ssa *SQLStorageAuthorityRO) GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error)
GetOrderForNames tries to find a **pending** or **ready** order with the exact set of names requested, associated with the given accountID. Only unexpired orders are considered. If no order meeting these requirements is found a nil corepb.Order pointer is returned.
func (*SQLStorageAuthorityRO) GetPausedIdentifiers ¶
func (ssa *SQLStorageAuthorityRO) GetPausedIdentifiers(ctx context.Context, req *sapb.RegistrationID) (*sapb.Identifiers, error)
GetPausedIdentifiers returns a slice of paused identifiers for the provided account. If no paused identifiers are found, an empty slice is returned. The results are limited to the first 15 paused identifiers.
func (*SQLStorageAuthorityRO) GetRateLimitOverride ¶
func (ssa *SQLStorageAuthorityRO) GetRateLimitOverride(ctx context.Context, req *sapb.GetRateLimitOverrideRequest) (*sapb.RateLimitOverrideResponse, error)
GetRateLimitOverride retrieves a rate limit override for the given bucket key and limit. If no override is found, a NotFound error is returned.
func (*SQLStorageAuthorityRO) GetRegistration ¶
func (ssa *SQLStorageAuthorityRO) GetRegistration(ctx context.Context, req *sapb.RegistrationID) (*corepb.Registration, error)
GetRegistration obtains a Registration by ID.
func (*SQLStorageAuthorityRO) GetRegistrationByKey ¶
func (ssa *SQLStorageAuthorityRO) GetRegistrationByKey(ctx context.Context, req *sapb.JSONWebKey) (*corepb.Registration, error)
GetRegistrationByKey obtains a Registration by JWK.
func (*SQLStorageAuthorityRO) GetRevocationStatus ¶
func (ssa *SQLStorageAuthorityRO) GetRevocationStatus(ctx context.Context, req *sapb.Serial) (*sapb.RevocationStatus, error)
GetRevocationStatus takes a hexadecimal string representing the full serial number of a certificate and returns a minimal set of data about that cert's current validity.
func (*SQLStorageAuthorityRO) GetRevokedCertsByShard ¶
func (ssa *SQLStorageAuthorityRO) GetRevokedCertsByShard(req *sapb.GetRevokedCertsByShardRequest, stream grpc.ServerStreamingServer[corepb.CRLEntry]) error
GetRevokedCertsByShard returns revoked certificates by explicit sharding.
It returns all unexpired certificates from the revokedCertificates table with the given shardIdx. It limits the results to those revoked before req.RevokedBefore.
func (*SQLStorageAuthorityRO) GetSerialMetadata ¶
func (ssa *SQLStorageAuthorityRO) GetSerialMetadata(ctx context.Context, req *sapb.Serial) (*sapb.SerialMetadata, error)
GetSerialMetadata returns metadata stored alongside the serial number, such as the RegID whose certificate request created that serial, and when the certificate with that serial will expire.
func (*SQLStorageAuthorityRO) GetSerialsByAccount ¶
func (ssa *SQLStorageAuthorityRO) GetSerialsByAccount(req *sapb.RegistrationID, stream grpc.ServerStreamingServer[sapb.Serial]) error
GetSerialsByAccount returns a stream of all serials for all unexpired certificates issued to the given RegID. This is useful for revoking all of an account's certs upon their request.
func (*SQLStorageAuthorityRO) GetSerialsByKey ¶
func (ssa *SQLStorageAuthorityRO) GetSerialsByKey(req *sapb.SPKIHash, stream grpc.ServerStreamingServer[sapb.Serial]) error
GetSerialsByKey returns a stream of serials for all unexpired certificates whose public key matches the given SPKIHash. This is useful for revoking all certificates affected by a key compromise.
func (*SQLStorageAuthorityRO) GetValidAuthorizations2 ¶
func (ssa *SQLStorageAuthorityRO) GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest) (*sapb.Authorizations, error)
GetValidAuthorizations2 returns a single valid authorization owned by the given account for all given identifiers. If more than one valid authorization exists, only the one with the latest expiry will be returned.
func (*SQLStorageAuthorityRO) GetValidOrderAuthorizations2 ¶
func (ssa *SQLStorageAuthorityRO) GetValidOrderAuthorizations2(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (*sapb.Authorizations, error)
GetValidOrderAuthorizations2 is used to get all authorizations associated with the given Order ID. NOTE: The name is outdated. It does *not* filter out invalid or expired authorizations; that is left to the caller. It also ignores the RegID field of the input: ensuring that the returned authorizations match the same RegID as the Order is also left to the caller. This is because the caller is generally in a better position to provide insightful error messages, whereas simply omitting an authz from this method's response would leave the caller wondering why that authz was omitted.
func (*SQLStorageAuthorityRO) Health ¶
func (ssa *SQLStorageAuthorityRO) Health(ctx context.Context) error
Health implements the grpc.checker interface.
func (*SQLStorageAuthorityRO) IncidentsForSerial ¶
func (ssa *SQLStorageAuthorityRO) IncidentsForSerial(ctx context.Context, req *sapb.Serial) (*sapb.Incidents, error)
IncidentsForSerial queries each active incident table and returns every incident that currently impacts `req.Serial`.
func (*SQLStorageAuthorityRO) KeyBlocked ¶
func (ssa *SQLStorageAuthorityRO) KeyBlocked(ctx context.Context, req *sapb.SPKIHash) (*sapb.Exists, error)
KeyBlocked checks if a key, indicated by a hash, is present in the blockedKeys table.
func (*SQLStorageAuthorityRO) ReplacementOrderExists ¶
func (ssa *SQLStorageAuthorityRO) ReplacementOrderExists(ctx context.Context, req *sapb.Serial) (*sapb.Exists, error)
ReplacementOrderExists returns whether a valid replacement order exists for the given certificate serial number. An existing but expired or otherwise invalid replacement order is not considered to exist.
func (*SQLStorageAuthorityRO) SerialsForIncident ¶
func (ssa *SQLStorageAuthorityRO) SerialsForIncident(req *sapb.SerialsForIncidentRequest, stream grpc.ServerStreamingServer[sapb.IncidentSerial]) error
SerialsForIncident queries the provided incident table and returns the resulting rows as a stream of `*sapb.IncidentSerial`s. An `io.EOF` error signals that there are no more serials to send. If the incident table in question contains zero rows, only an `io.EOF` error is returned. The IncidentSerial messages returned may have the zero-value for their OrderID, RegistrationID, and LastNoticeSent fields, if those are NULL in the database.