176 lines
8.5 KiB
Go
176 lines
8.5 KiB
Go
package core
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"net"
|
|
"net/http"
|
|
"time"
|
|
|
|
"golang.org/x/net/context"
|
|
jose "gopkg.in/square/go-jose.v2"
|
|
|
|
caPB "github.com/letsencrypt/boulder/ca/proto"
|
|
corepb "github.com/letsencrypt/boulder/core/proto"
|
|
pubpb "github.com/letsencrypt/boulder/publisher/proto"
|
|
rapb "github.com/letsencrypt/boulder/ra/proto"
|
|
"github.com/letsencrypt/boulder/revocation"
|
|
sapb "github.com/letsencrypt/boulder/sa/proto"
|
|
)
|
|
|
|
// A WebFrontEnd object supplies methods that can be hooked into
|
|
// the Go http module's server functions, principally http.HandleFunc()
|
|
//
|
|
// It also provides methods to configure the base for authorization and
|
|
// certificate URLs.
|
|
//
|
|
// It is assumed that the ACME server is laid out as follows:
|
|
// * One URL for new-authorization -> NewAuthz
|
|
// * One URL for new-certificate -> NewCert
|
|
// * One path for authorizations -> Authz
|
|
// * One path for certificates -> Cert
|
|
type WebFrontEnd interface {
|
|
// Set the base URL for authorizations
|
|
SetAuthzBase(ctx context.Context, path string)
|
|
|
|
// Set the base URL for certificates
|
|
SetCertBase(ctx context.Context, path string)
|
|
|
|
// This method represents the ACME new-registration resource
|
|
NewRegistration(ctx context.Context, response http.ResponseWriter, request *http.Request)
|
|
|
|
// This method represents the ACME new-authorization resource
|
|
NewAuthz(ctx context.Context, response http.ResponseWriter, request *http.Request)
|
|
|
|
// This method represents the ACME new-certificate resource
|
|
NewCert(ctx context.Context, response http.ResponseWriter, request *http.Request)
|
|
|
|
// Provide access to requests for registration resources
|
|
Registration(ctx context.Context, response http.ResponseWriter, request *http.Request)
|
|
|
|
// Provide access to requests for authorization resources
|
|
Authz(ctx context.Context, response http.ResponseWriter, request *http.Request)
|
|
|
|
// Provide access to requests for authorization resources
|
|
Cert(ctx context.Context, response http.ResponseWriter, request *http.Request)
|
|
}
|
|
|
|
// RegistrationAuthority defines the public interface for the Boulder RA
|
|
type RegistrationAuthority interface {
|
|
// [WebFrontEnd]
|
|
NewRegistration(ctx context.Context, reg Registration) (Registration, error)
|
|
|
|
// [WebFrontEnd]
|
|
NewAuthorization(ctx context.Context, authz Authorization, regID int64) (Authorization, error)
|
|
|
|
// [WebFrontEnd]
|
|
NewCertificate(ctx context.Context, csr CertificateRequest, regID int64) (Certificate, error)
|
|
|
|
// [WebFrontEnd]
|
|
UpdateRegistration(ctx context.Context, base, updates Registration) (Registration, error)
|
|
|
|
// [WebFrontEnd]
|
|
UpdateAuthorization(ctx context.Context, authz Authorization, challengeIndex int, response Challenge) (Authorization, error)
|
|
|
|
// [WebFrontEnd]
|
|
RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, code revocation.Reason, regID int64) error
|
|
|
|
// [WebFrontEnd]
|
|
DeactivateRegistration(ctx context.Context, reg Registration) error
|
|
|
|
// [WebFrontEnd]
|
|
DeactivateAuthorization(ctx context.Context, auth Authorization) error
|
|
|
|
// [WebFrontEnd]
|
|
NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)
|
|
|
|
// [WebFrontEnd]
|
|
FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)
|
|
|
|
// [AdminRevoker]
|
|
AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, code revocation.Reason, adminName string) error
|
|
}
|
|
|
|
// CertificateAuthority defines the public interface for the Boulder CA
|
|
type CertificateAuthority interface {
|
|
// [RegistrationAuthority]
|
|
IssueCertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (Certificate, error)
|
|
|
|
// [RegistrationAuthority]
|
|
IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error)
|
|
|
|
// [RegistrationAuthority]
|
|
IssueCertificateForPrecertificate(ctx context.Context, req *caPB.IssueCertificateForPrecertificateRequest) (Certificate, error)
|
|
|
|
GenerateOCSP(ctx context.Context, ocspReq OCSPSigningRequest) ([]byte, error)
|
|
}
|
|
|
|
// PolicyAuthority defines the public interface for the Boulder PA
|
|
type PolicyAuthority interface {
|
|
WillingToIssue(domain AcmeIdentifier) error
|
|
WillingToIssueWildcard(domain AcmeIdentifier) error
|
|
ChallengesFor(domain AcmeIdentifier, registrationID int64, revalidation bool) (challenges []Challenge, validCombinations [][]int, err error)
|
|
ChallengeTypeEnabled(t string, registrationID int64) bool
|
|
}
|
|
|
|
// StorageGetter are the Boulder SA's read-only methods
|
|
type StorageGetter interface {
|
|
GetRegistration(ctx context.Context, regID int64) (Registration, error)
|
|
GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (Registration, error)
|
|
GetAuthorization(ctx context.Context, authzID string) (Authorization, error)
|
|
GetValidAuthorizations(ctx context.Context, regID int64, domains []string, now time.Time) (map[string]*Authorization, error)
|
|
GetPendingAuthorization(ctx context.Context, req *sapb.GetPendingAuthorizationRequest) (*Authorization, error)
|
|
GetCertificate(ctx context.Context, serial string) (Certificate, error)
|
|
GetCertificateStatus(ctx context.Context, serial string) (CertificateStatus, error)
|
|
CountCertificatesRange(ctx context.Context, earliest, latest time.Time) (int64, error)
|
|
CountCertificatesByNames(ctx context.Context, domains []string, earliest, latest time.Time) (countByDomain []*sapb.CountByNames_MapElement, err error)
|
|
CountCertificatesByExactNames(ctx context.Context, domains []string, earliest, latest time.Time) (countByDomain []*sapb.CountByNames_MapElement, err error)
|
|
CountRegistrationsByIP(ctx context.Context, ip net.IP, earliest, latest time.Time) (int, error)
|
|
CountRegistrationsByIPRange(ctx context.Context, ip net.IP, earliest, latest time.Time) (int, error)
|
|
CountPendingAuthorizations(ctx context.Context, regID int64) (int, error)
|
|
CountOrders(ctx context.Context, acctID int64, earliest, latest time.Time) (int, error)
|
|
GetSCTReceipt(ctx context.Context, serial, logID string) (SignedCertificateTimestamp, error)
|
|
CountFQDNSets(ctx context.Context, window time.Duration, domains []string) (count int64, err error)
|
|
FQDNSetExists(ctx context.Context, domains []string) (exists bool, err error)
|
|
PreviousCertificateExists(ctx context.Context, req *sapb.PreviousCertificateExistsRequest) (exists *sapb.Exists, err error)
|
|
GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)
|
|
GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error)
|
|
GetValidOrderAuthorizations(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (map[string]*Authorization, error)
|
|
CountInvalidAuthorizations(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (count *sapb.Count, err error)
|
|
GetAuthorizations(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error)
|
|
}
|
|
|
|
// StorageAdder are the Boulder SA's write/update methods
|
|
type StorageAdder interface {
|
|
NewRegistration(ctx context.Context, reg Registration) (created Registration, err error)
|
|
UpdateRegistration(ctx context.Context, reg Registration) error
|
|
NewPendingAuthorization(ctx context.Context, authz Authorization) (Authorization, error)
|
|
UpdatePendingAuthorization(ctx context.Context, authz Authorization) error
|
|
FinalizeAuthorization(ctx context.Context, authz Authorization) error
|
|
MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error
|
|
AddCertificate(ctx context.Context, der []byte, regID int64, ocsp []byte) (digest string, err error)
|
|
AddSCTReceipt(ctx context.Context, sct SignedCertificateTimestamp) error
|
|
RevokeAuthorizationsByDomain(ctx context.Context, domain AcmeIdentifier) (finalized, pending int64, err error)
|
|
DeactivateRegistration(ctx context.Context, id int64) error
|
|
DeactivateAuthorization(ctx context.Context, id string) error
|
|
NewOrder(ctx context.Context, order *corepb.Order) (*corepb.Order, error)
|
|
SetOrderProcessing(ctx context.Context, order *corepb.Order) error
|
|
FinalizeOrder(ctx context.Context, order *corepb.Order) error
|
|
AddPendingAuthorizations(ctx context.Context, req *sapb.AddPendingAuthorizationsRequest) (*sapb.AuthorizationIDs, error)
|
|
SetOrderError(ctx context.Context, order *corepb.Order) error
|
|
}
|
|
|
|
// StorageAuthority interface represents a simple key/value
|
|
// store. It is divided into StorageGetter and StorageUpdater
|
|
// interfaces for privilege separation.
|
|
type StorageAuthority interface {
|
|
StorageGetter
|
|
StorageAdder
|
|
}
|
|
|
|
// Publisher defines the public interface for the Boulder Publisher
|
|
type Publisher interface {
|
|
SubmitToCT(ctx context.Context, der []byte) error
|
|
SubmitToSingleCT(ctx context.Context, logURL, logPublicKey string, der []byte) error
|
|
SubmitToSingleCTWithResult(ctx context.Context, req *pubpb.Request) (*pubpb.Result, error)
|
|
}
|