Add /acme/issuer-cert endpoint and up links to it
In /acme/new-cert and /acme/cert/<serial>.
This commit is contained in:
parent
2359e02000
commit
1276d82146
|
@ -34,7 +34,7 @@ type Config struct {
|
||||||
DBDriver string
|
DBDriver string
|
||||||
DBName string
|
DBName string
|
||||||
SerialPrefix int
|
SerialPrefix int
|
||||||
// A PEM-encoded copy of the issuer certificate.
|
// Path to a PEM-encoded copy of the issuer certificate.
|
||||||
IssuerCert string
|
IssuerCert string
|
||||||
// This field is only allowed if TestMode is true, indicating that we are
|
// This field is only allowed if TestMode is true, indicating that we are
|
||||||
// signing with a local key. In production we will use an HSM and this
|
// signing with a local key. In production we will use an HSM and this
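Review bot: The new comment on `IssuerCert` says what the file is but not who reads it, and after this commit that is no longer only the CA: both `cmd/boulder-wfe` and the monolith load `c.CA.IssuerCert` to serve it at `/acme/issuer-cert`. An operator who deploys the WFE on a separate host from the CA has no hint that this path must also be readable there. I would extend the comment to `// Path to a PEM-encoded copy of the issuer certificate. Read by the CA and by the WFE, which serves its DER at /acme/issuer-cert, so it must be readable by both processes.` The `Config` struct starts before this hunk and the comment that follows appears to describe the next field, not this one.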
|
||||||
|
|
|
@ -8,6 +8,7 @@ package main
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
|
|
||||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
|
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
|
||||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/streadway/amqp"
|
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/streadway/amqp"
|
||||||
|
@ -81,6 +82,9 @@ func main() {
|
||||||
wfe.SA = &sac
|
wfe.SA = &sac
|
||||||
wfe.Stats = stats
|
wfe.Stats = stats
|
||||||
|
|
||||||
|
wfe.IssuerCert, err = cmd.LoadCert(c.CA.IssuerCert)
|
||||||
|
cmd.FailOnError(err, fmt.Sprintf("Couldn't read issuer cert [%s]", c.CA.IssuerCert))
|
||||||
|
|
||||||
go cmd.ProfileCmd("WFE", stats)
|
go cmd.ProfileCmd("WFE", stats)
|
||||||
|
|
||||||
go func() {
|
go func() {
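Review bot: The import hunk adds `"os"`, but neither hunk of this file uses it — the new lines only call `cmd.LoadCert`, `cmd.FailOnError` and `fmt.Sprintf`. Unless some other change to this file not shown here references `os`, `go build` will reject the unused import, so the `"os"` line should be dropped (or the usage that needs it shown). The `main` function continues outside this hunk, so I cannot see where `err` is declared; the `wfe.IssuerCert, err = …` assignment relies on it already being in scope.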
|
||||||
|
|
|
@ -88,6 +88,10 @@ func main() {
|
||||||
wfe.RA = &ra
|
wfe.RA = &ra
|
||||||
wfe.SA = sa
|
wfe.SA = sa
|
||||||
wfe.Stats = stats
|
wfe.Stats = stats
|
||||||
|
|
||||||
|
wfe.IssuerCert, err = cmd.LoadCert(c.CA.IssuerCert)
|
||||||
|
cmd.FailOnError(err, fmt.Sprintf("Couldn't read issuer cert [%s]", c.CA.IssuerCert))
|
||||||
|
|
||||||
ra.CA = ca
|
ra.CA = ca
|
||||||
ra.SA = sa
|
ra.SA = sa
|
||||||
ra.VA = &va
|
ra.VA = &va
|
||||||
|
|
22
cmd/shell.go
22
cmd/shell.go
|
@ -23,6 +23,8 @@ package cmd
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"encoding/pem"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
|
@ -195,3 +197,23 @@ func ProfileCmd(profileName string, stats statsd.Statter) {
|
||||||
time.Sleep(time.Second)
|
time.Sleep(time.Second)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func LoadCert(path string) (cert []byte, err error) {
|
||||||
|
if path == "" {
|
||||||
|
err = errors.New("Issuer certificate was not provided in config.")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pemBytes, err := ioutil.ReadFile(path)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
block, _ := pem.Decode(pemBytes)
|
||||||
|
if block == nil || block.Type != "CERTIFICATE" {
|
||||||
|
err = errors.New("Invalid certificate value returned")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
cert = block.Bytes
|
||||||
|
return
|
||||||
|
}
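Review bot: `LoadCert` returns `block.Bytes` after checking only the PEM block type, so any bytes labelled `CERTIFICATE` are accepted and then served verbatim to every client as `application/pkix-cert`; a truncated or corrupted file is not caught at startup. Parsing the DER before returning it would fail fast: `if _, err = x509.ParseCertificate(block.Bytes); err != nil { return }` (with `"crypto/x509"` imported), and the message on the `block == nil` branch should say what actually happened, e.g. `errors.New("no CERTIFICATE PEM block found in " + path)` rather than "Invalid certificate value returned". Note also that `pem.Decode` returns only the first block, so a file holding a chain silently yields just its first certificate; if that is intended, a comment saying so would save the next reader a surprise. The empty-path error text is issuer-specific even though the function name is generic; either rename it `LoadIssuerCert` or make the message generic.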
|
||||||
|
|
|
@ -44,6 +44,10 @@ type WebFrontEndImpl struct {
|
||||||
CertBase string
|
CertBase string
|
||||||
CertPath string
|
CertPath string
|
||||||
TermsPath string
|
TermsPath string
|
||||||
|
IssuerPath string
|
||||||
|
|
||||||
|
// Issuer certificate (DER) for /acme/issuer-cert
|
||||||
|
IssuerCert []byte
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewWebFrontEndImpl() WebFrontEndImpl {
|
func NewWebFrontEndImpl() WebFrontEndImpl {
|
||||||
|
@ -58,6 +62,7 @@ func NewWebFrontEndImpl() WebFrontEndImpl {
|
||||||
NewCertPath: "/acme/new-cert",
|
NewCertPath: "/acme/new-cert",
|
||||||
CertPath: "/acme/cert/",
|
CertPath: "/acme/cert/",
|
||||||
TermsPath: "/terms",
|
TermsPath: "/terms",
|
||||||
|
IssuerPath: "/acme/issuer-cert",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -77,6 +82,7 @@ func (wfe *WebFrontEndImpl) HandlePaths() {
|
||||||
http.HandleFunc(wfe.AuthzPath, wfe.Authorization)
|
http.HandleFunc(wfe.AuthzPath, wfe.Authorization)
|
||||||
http.HandleFunc(wfe.CertPath, wfe.Certificate)
|
http.HandleFunc(wfe.CertPath, wfe.Certificate)
|
||||||
http.HandleFunc(wfe.TermsPath, wfe.Terms)
|
http.HandleFunc(wfe.TermsPath, wfe.Terms)
|
||||||
|
http.HandleFunc(wfe.IssuerPath, wfe.Issuer)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Method implementations
|
// Method implementations
|
||||||
|
@ -312,6 +318,7 @@ func (wfe *WebFrontEndImpl) NewCertificate(response http.ResponseWriter, request
|
||||||
// TODO The spec says a client should send an Accept: application/pkix-cert
|
// TODO The spec says a client should send an Accept: application/pkix-cert
|
||||||
// header; either explicitly insist or tolerate
|
// header; either explicitly insist or tolerate
|
||||||
response.Header().Add("Location", certURL)
|
response.Header().Add("Location", certURL)
|
||||||
|
response.Header().Add("Link", link(wfe.IssuerPath, "up"))
|
||||||
response.Header().Set("Content-Type", "application/pkix-cert")
|
response.Header().Set("Content-Type", "application/pkix-cert")
|
||||||
response.WriteHeader(http.StatusCreated)
|
response.WriteHeader(http.StatusCreated)
|
||||||
if _, err = response.Write(cert.DER); err != nil {
|
if _, err = response.Write(cert.DER); err != nil {
|
||||||
|
@ -530,8 +537,8 @@ func (wfe *WebFrontEndImpl) Certificate(response http.ResponseWriter, request *h
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Content negotiation
|
// TODO: Content negotiation
|
||||||
// TODO: Link header
|
|
||||||
response.Header().Set("Content-Type", "application/pkix-cert")
|
response.Header().Set("Content-Type", "application/pkix-cert")
|
||||||
|
response.Header().Add("Link", link(wfe.IssuerPath, "up"))
|
||||||
response.WriteHeader(http.StatusOK)
|
response.WriteHeader(http.StatusOK)
|
||||||
if _, err = response.Write(cert); err != nil {
|
if _, err = response.Write(cert); err != nil {
|
||||||
wfe.log.Warning(fmt.Sprintf("Could not write response: %s", err))
|
wfe.log.Warning(fmt.Sprintf("Could not write response: %s", err))
|
||||||
|
@ -548,3 +555,12 @@ func (wfe *WebFrontEndImpl) Certificate(response http.ResponseWriter, request *h
|
||||||
func (wfe *WebFrontEndImpl) Terms(w http.ResponseWriter, r *http.Request) {
|
func (wfe *WebFrontEndImpl) Terms(w http.ResponseWriter, r *http.Request) {
|
||||||
fmt.Fprintf(w, "You agree to do the right thing")
|
fmt.Fprintf(w, "You agree to do the right thing")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (wfe *WebFrontEndImpl) Issuer(w http.ResponseWriter, r *http.Request) {
|
||||||
|
w.Header().Add("Location", wfe.IssuerPath)
|
||||||
|
w.Header().Set("Content-Type", "application/pkix-cert")
|
||||||
|
w.WriteHeader(http.StatusOK)
|
||||||
|
if _, err := w.Write(wfe.IssuerCert); err != nil {
|
||||||
|
wfe.log.Warning(fmt.Sprintf("Could not write response: %s", err))
|
||||||
|
}
|
||||||
|
}
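Review bot: `Issuer` writes `wfe.IssuerCert` unconditionally, so a `WebFrontEndImpl` whose cert was never loaded (the field's zero value, since `NewWebFrontEndImpl` does not set it) answers `200 OK` with an empty body rather than an error; a guard such as `if len(wfe.IssuerCert) == 0 { http.Error(w, "Issuer certificate not configured", http.StatusInternalServerError); return }` before the headers would make that failure visible. The `Location` header pointing at the handler's own path on a 200 response carries no meaning and can be dropped. The handler also does not check `r.Method`; if the other GET handlers in this file reject non-GET requests (not visible here), this one should match. Separately, the `Link` values added in `NewCertificate` and `Certificate` use the bare path `wfe.IssuerPath` while `Location` uses `certURL`, so behind a proxy that mounts the API under a prefix the `rel="up"` link may resolve differently from the certificate URL — worth a comment or building it from the same base.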
|
||||||
|
|