dab8a71b0e
Simplify the WFE `RevokeCertificate` API method in three ways: - Remove most of the logic checking if the requester is authorized to revoke the certificate in question (based on who is making the request, what authorizations they have, and what reason they're requesting). That checking is now done by the RA. Instead, simply verify that the JWS is authenticated. - Remove the hard-to-read `authorizedToRevoke` callbacks, and make the `revokeCertBySubscriberKey` (nee `revokeCertByKeyID`) and `revokeCertByCertKey` (nee `revokeCertByJWK`) helpers much more straight-line in their execution logic. - Call the RA's new `RevokeCertByApplicant` and `RevokeCertByKey` gRPC methods, rather than the deprecated `RevokeCertificateWithReg`. This change, without any flag flips, should be invisible to the end-user. It will slightly change some of our log message formats. However, by now relying on the new RA gRPC revocation methods, this change allows us to change our revocation policies by enabling the `AllowDoubleRevocation` and `MozRevocationReasons` feature flags, which affect the behavior of those new helpers. Fixes #5936 |
||
|---|---|---|
| .. | ||
| test | ||
| README.md | ||
| cache.go | ||
| cache_test.go | ||
| prod_aia.go | ||
| stale.go | ||
| stale_test.go | ||
| stats.go | ||
| test_aia.go | ||
| verify.go | ||
| verify_test.go | ||
| wfe.go | ||
| wfe_test.go | ||
README.md
WFE v2
The wfe2 package is copied from the wfe package in order to implement the
"ACME v2" API. This design choice
was made to facilitate a clean separation between v1 and v2 code and to support
running a separate API process on a different port alongside the v1 API process.