Documentation
Index ¶
- Constants
- type DomainCheck
- type RegistrationAuthorityImpl
- func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, revocationCode core.RevocationCode, ...) error
- func (ra *RegistrationAuthorityImpl) MatchesCSR(cert core.Certificate, csr *x509.CertificateRequest) (err error)
- func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, request core.Authorization, regID int64) (authz core.Authorization, err error)
- func (ra *RegistrationAuthorityImpl) NewCertificate(ctx context.Context, req core.CertificateRequest, regID int64) (cert core.Certificate, err error)
- func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, init core.Registration) (reg core.Registration, err error)
- func (ra *RegistrationAuthorityImpl) OnValidationUpdate(ctx context.Context, authz core.Authorization) error
- func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, revocationCode core.RevocationCode, ...) (err error)
- func (ra *RegistrationAuthorityImpl) UpdateAuthorization(ctx context.Context, base core.Authorization, challengeIndex int, ...) (authz core.Authorization, err error)
- func (ra *RegistrationAuthorityImpl) UpdateRegistration(ctx context.Context, base core.Registration, update core.Registration) (reg core.Registration, err error)
Constants ¶
const DefaultAuthorizationLifetime = 300 * 24 * time.Hour
DefaultAuthorizationLifetime is the 10-month (300-day) default authorization lifetime. When used with a 90-day cert lifetime, this allows creation of certs that will cover a whole year, plus a grace period of a month. TODO(jsha): Read from a config file.
const DefaultPendingAuthorizationLifetime = 7 * 24 * time.Hour
DefaultPendingAuthorizationLifetime is one week. If you can't respond to a challenge this quickly, then you need to request a new challenge. TODO(rlb): Read from a config file.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DomainCheck ¶
type DomainCheck struct {
VA core.ValidationAuthority
}
DomainCheck is a small struct that lets the RA call the VA's IsSafeDomain when VA is non-nil, and fails open (treats every domain as safe) when VA is nil. This is so that the RA can be deployed before the VA is able to answer the IsSafeDomain RPC; until the VA is wired in, no safe-domain check is performed at all.
type RegistrationAuthorityImpl ¶
type RegistrationAuthorityImpl struct {
CA core.CertificateAuthority
VA core.ValidationAuthority
SA core.StorageAuthority
PA core.PolicyAuthority
DNSResolver bdns.DNSResolver
// contains filtered or unexported fields
}
RegistrationAuthorityImpl defines an RA.
NOTE: All of the fields in RegistrationAuthorityImpl need to be populated, or there is a risk of panic.
func NewRegistrationAuthorityImpl ¶
func NewRegistrationAuthorityImpl(clk clock.Clock, logger blog.Logger, stats statsd.Statter, dc *DomainCheck, policies cmd.RateLimitConfig, maxContactsPerReg int, keyPolicy core.KeyPolicy, newVARPC bool) *RegistrationAuthorityImpl
NewRegistrationAuthorityImpl constructs a new RA object.
func (*RegistrationAuthorityImpl) AdministrativelyRevokeCertificate ¶
func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, revocationCode core.RevocationCode, user string) error
AdministrativelyRevokeCertificate terminates trust in the certificate provided. It does not require the registration ID of the requester, since this method is only called from the admin-revoker tool.
func (*RegistrationAuthorityImpl) MatchesCSR ¶
func (ra *RegistrationAuthorityImpl) MatchesCSR(cert core.Certificate, csr *x509.CertificateRequest) (err error)
MatchesCSR tests the contents of a generated certificate to make sure that the PublicKey, CommonName, and DNSNames match those provided in the CSR that was used to generate the certificate. It also checks that:
- notBefore is not more than 24 hours ago
- BasicConstraintsValid is true
- IsCA is false
- ExtKeyUsage only contains ExtKeyUsageServerAuth & ExtKeyUsageClientAuth
- Subject only contains CommonName & Names
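As an added illustration, not Boulder's own code, the following Go program re-implements the checks listed above against a CSR and certificate it constructs itself with the standard library. The helpers buildPair, normalize and must are invented for this example; the certificate is self-signed with the CSR's own key purely as a fixture, and the mutate hook exists so a caller can inject exactly the kind of mismatch the check is there to catch.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// MatchesCSR is an illustrative re-implementation of the checks listed above,
// not Boulder's code: it compares the certificate the CA returned with the CSR
// the subscriber sent, so a buggy or compromised CA cannot slip in extra names,
// a different key, the CA bit or unexpected usages without the RA noticing.
func MatchesCSR(cert *x509.Certificate, csr *x509.CertificateRequest, now time.Time) error {
	s := cert.Subject
	extraSubject := len(s.Organization)+len(s.OrganizationalUnit)+len(s.Country)+len(s.Locality)+
		len(s.Province)+len(s.StreetAddress)+len(s.PostalCode) > 0 || s.SerialNumber != ""
	switch {
	case !bytes.Equal(cert.RawSubjectPublicKeyInfo, csr.RawSubjectPublicKeyInfo): // DER SPKI: any key type
		return fmt.Errorf("public key does not match CSR")
	case s.CommonName != csr.Subject.CommonName:
		return fmt.Errorf("CommonName %q does not match CSR %q", s.CommonName, csr.Subject.CommonName)
	case strings.Join(normalize(cert.DNSNames), ",") != strings.Join(normalize(csr.DNSNames), ","):
		return fmt.Errorf("DNSNames %v do not match CSR %v", cert.DNSNames, csr.DNSNames)
	case now.Sub(cert.NotBefore) > 24*time.Hour:
		return fmt.Errorf("notBefore %v is more than 24 hours in the past", cert.NotBefore)
	case !cert.BasicConstraintsValid:
		return fmt.Errorf("basicConstraints extension is missing")
	case cert.IsCA:
		return fmt.Errorf("CA bit is set on a leaf certificate")
	case extraSubject: // pkix.Name.Names is only the parsed form of CommonName here
		return fmt.Errorf("Subject contains attributes other than CommonName")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku != x509.ExtKeyUsageServerAuth && eku != x509.ExtKeyUsageClientAuth {
			return fmt.Errorf("unexpected extended key usage %v", eku)
		}
	}
	return nil
}

// normalize lowercases and sorts names so the comparison is order-insensitive.
func normalize(in []string) []string {
	out := make([]string, len(in))
	for i, n := range in {
		out[i] = strings.ToLower(n)
	}
	sort.Strings(out)
	return out
}

// buildPair constructs fixtures (not real issuance): a fresh P-256 key, a CSR
// for names, and a self-signed leaf certificate for the same key and names.
// mutate, when non-nil, edits the template before signing to inject a
// mismatch. Fixture code only, so it panics on error.
func buildPair(names []string, mutate func(*x509.Certificate)) (*x509.Certificate, *x509.CertificateRequest) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: names[0]}, DNSNames: names}, key)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: csr.Subject.CommonName},
		DNSNames:              csr.DNSNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if mutate != nil {
		mutate(tmpl)
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(certDER)
	must(err)
	return cert, csr
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	cert, csr := buildPair([]string{"example.com", "www.example.com"}, nil)
	fmt.Println("honest CA:", MatchesCSR(cert, csr, time.Now()))
}
```

The public key is compared on the DER SubjectPublicKeyInfo rather than on parsed keys, which covers every key type the CA might emit and catches parameter differences as well. DNS names are compared as lowercased sets, matching the lowercasing NewAuthorization applies to identifiers before storage, so a CA that merely reorders or re-cases names still passes while one that adds a name does not.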
func (*RegistrationAuthorityImpl) NewAuthorization ¶
func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, request core.Authorization, regID int64) (authz core.Authorization, err error)
NewAuthorization constructs a new Authz from a request. Values (domains) in request.Identifier will be lowercased before storage.
func (*RegistrationAuthorityImpl) NewCertificate ¶
func (ra *RegistrationAuthorityImpl) NewCertificate(ctx context.Context, req core.CertificateRequest, regID int64) (cert core.Certificate, err error)
NewCertificate requests the issuance of a certificate.
func (*RegistrationAuthorityImpl) NewRegistration ¶
func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, init core.Registration) (reg core.Registration, err error)
NewRegistration constructs a new Registration from a request.
func (*RegistrationAuthorityImpl) OnValidationUpdate ¶
func (ra *RegistrationAuthorityImpl) OnValidationUpdate(ctx context.Context, authz core.Authorization) error
OnValidationUpdate is called when a given Authorization is updated by the VA.
func (*RegistrationAuthorityImpl) RevokeCertificateWithReg ¶
func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, revocationCode core.RevocationCode, regID int64) (err error)
RevokeCertificateWithReg terminates trust in the certificate provided.
func (*RegistrationAuthorityImpl) UpdateAuthorization ¶
func (ra *RegistrationAuthorityImpl) UpdateAuthorization(ctx context.Context, base core.Authorization, challengeIndex int, response core.Challenge) (authz core.Authorization, err error)
UpdateAuthorization updates an authorization with new values.
func (*RegistrationAuthorityImpl) UpdateRegistration ¶
func (ra *RegistrationAuthorityImpl) UpdateRegistration(ctx context.Context, base core.Registration, update core.Registration) (reg core.Registration, err error)
UpdateRegistration updates an existing Registration with new values.