...

Package policy

import "github.com/letsencrypt/boulder/policy"

func ValidDomain

func ValidDomain(domain string) error

ValidDomain checks that a domain isn't:

* empty
* prefixed with the wildcard label `*.`
* made of invalid DNS characters
* longer than the maxDNSIdentifierLength
* an IPv4 or IPv6 address
* suffixed with just "."
* made of too many DNS labels
* made of any invalid DNS labels
* suffixed with something other than an IANA registered TLD
* exactly equal to an IANA registered TLD

It does _not_ check that the domain isn't on any PA blocked lists.
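The checks listed above, written out as an added example (this is not Boulder's code). `checkDomain`, `sampleTLDs`, the numeric limits and the lowercase-only character set are assumptions of the example, and a three-entry map stands in for the IANA TLD registry.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Assumed for this example: the limits, lowercase-only names, a tiny TLD set.
const maxDNSIdentifierLength, maxLabels, maxLabelLength = 253, 10, 63
var sampleTLDs = map[string]bool{"com": true, "org": true, "net": true}

// checkDomain is a hypothetical stand-in that applies the checks listed for ValidDomain.
func checkDomain(domain string) error {
	switch {
	case domain == "":
		return fmt.Errorf("empty name")
	case strings.HasPrefix(domain, "*."):
		return fmt.Errorf("wildcard label")
	case len(domain) > maxDNSIdentifierLength:
		return fmt.Errorf("name too long")
	case net.ParseIP(domain) != nil:
		return fmt.Errorf("IP address")
	case strings.HasSuffix(domain, "."):
		return fmt.Errorf("trailing dot")
	case strings.Count(domain, ".") >= maxLabels:
		return fmt.Errorf("too many labels")
	}
	labels := strings.Split(domain, ".")
	for _, l := range labels {
		if strings.Trim(l, "abcdefghijklmnopqrstuvwxyz0123456789-") != "" {
			return fmt.Errorf("invalid character in label %q", l)
		}
		if l == "" || len(l) > maxLabelLength || l[0] == '-' || l[len(l)-1] == '-' {
			return fmt.Errorf("invalid label %q", l)
		}
	}
	if !sampleTLDs[labels[len(labels)-1]] {
		return fmt.Errorf("suffix is not a known TLD")
	}
	if len(labels) == 1 {
		return fmt.Errorf("name is itself a TLD")
	}
	return nil
}

func main() {
	fmt.Println(checkDomain("example.com"), checkDomain("*.example.com"), checkDomain("com"))
}
```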

func ValidEmail

func ValidEmail(address string) error

ValidEmail returns an error if the input doesn't parse as an email address, the domain isn't a valid hostname in Preferred Name Syntax, or it's on the list of domains forbidden for mail (because they are often used in examples).

type AuthorityImpl

AuthorityImpl enforces CA policy decisions.

type AuthorityImpl struct {
    // contains filtered or unexported fields
}

func New

func New(challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error)

New constructs a Policy Authority.

func (*AuthorityImpl) ChallengeTypeEnabled

func (pa *AuthorityImpl) ChallengeTypeEnabled(t core.AcmeChallenge) bool

ChallengeTypeEnabled returns whether the specified challenge type is enabled.

func (*AuthorityImpl) ChallengesFor

func (pa *AuthorityImpl) ChallengesFor(identifier identifier.ACMEIdentifier) ([]core.Challenge, error)

ChallengesFor determines which challenge types are acceptable for the given identifier, and constructs new challenge objects for those challenge types. The resulting challenge objects all share a single challenge token and are returned in a random order.

func (*AuthorityImpl) CheckAuthz

func (pa *AuthorityImpl) CheckAuthz(authz *core.Authorization) error

CheckAuthz determines that an authorization was fulfilled by a challenge that was appropriate for the kind of identifier in the authorization.

func (*AuthorityImpl) LoadHostnamePolicyFile

func (pa *AuthorityImpl) LoadHostnamePolicyFile(f string) error

LoadHostnamePolicyFile will load the given policy file, returning an error if it fails.

func (*AuthorityImpl) WillingToIssueWildcards

func (pa *AuthorityImpl) WillingToIssueWildcards(idents []identifier.ACMEIdentifier) error

WillingToIssueWildcards is an extension of WillingToIssue that accepts DNS identifiers for well formed wildcard domains in addition to regular identifiers.

All provided identifiers are run through WillingToIssue and any errors are returned. In addition to the regular WillingToIssue checks this function also checks each wildcard identifier to enforce that:

If any of the identifiers are not valid then an error with suberrors specific to the rejected identifiers will be returned.