boulder

History

Daniel McCarney 1c99f91733 Policy based issuance for wildcard identifiers (Round two) (#3252 ) This PR implements issuance for wildcard names in the V2 order flow. By policy, pending authorizations for wildcard names only receive a DNS-01 challenge for the base domain. We do not re-use authorizations for the base domain that do not come from a previous wildcard issuance (e.g. a normal authorization for example.com turned valid by way of a DNS-01 challenge will not be reused for a .example.com order). The wildcard prefix is stripped off of the authorization identifier value in two places: When presenting the authorization to the user - ACME forbids having a wildcard character in an authorization identifier. When performing validation - We validate the base domain name without the . prefix. This PR is largely a rewrite/extension of #3231. Instead of using a pseudo-challenge-type (DNS-01-Wildcard) to indicate an authorization & identifier correspond to the base name of a wildcard order name we instead allow the identifier to take the wildcard order name with the *. prefix.	2017-12-04 12:18:10 -08:00
..
csr.go	Policy based issuance for wildcard identifiers (Round two) (#3252 )	2017-12-04 12:18:10 -08:00
csr_test.go	Policy based issuance for wildcard identifiers (Round two) (#3252 )	2017-12-04 12:18:10 -08:00

Daniel McCarney 1c99f91733 Policy based issuance for wildcard identifiers (Round two) (#3252 )

This PR implements issuance for wildcard names in the V2 order flow. By policy, pending authorizations for wildcard names only receive a DNS-01 challenge for the base domain. We do not re-use authorizations for the base domain that do not come from a previous wildcard issuance (e.g. a normal authorization for example.com turned valid by way of a DNS-01 challenge will not be reused for a *.example.com order).

The wildcard prefix is stripped off of the authorization identifier value in two places:

When presenting the authorization to the user - ACME forbids having a wildcard character in an authorization identifier.
When performing validation - We validate the base domain name without the *. prefix.
This PR is largely a rewrite/extension of #3231. Instead of using a pseudo-challenge-type (DNS-01-Wildcard) to indicate an authorization & identifier correspond to the base name of a wildcard order name we instead allow the identifier to take the wildcard order name with the *. prefix.

2017-12-04 12:18:10 -08:00

csr.go

Policy based issuance for wildcard identifiers (Round two) (#3252 )

2017-12-04 12:18:10 -08:00

csr_test.go

Policy based issuance for wildcard identifiers (Round two) (#3252 )

2017-12-04 12:18:10 -08:00