RegistrationAuthorityImpl defines an RA.
NOTE: All of the fields in RegistrationAuthorityImpl need to be populated, or there is a risk of panic.
type RegistrationAuthorityImpl struct {
rapb.UnimplementedRegistrationAuthorityServer
CA capb.CertificateAuthorityClient
OCSP capb.OCSPGeneratorClient
VA vapb.VAClient
SA sapb.StorageAuthorityClient
PA core.PolicyAuthority
// contains filtered or unexported fields
}
func NewRegistrationAuthorityImpl(
clk clock.Clock,
logger blog.Logger,
stats prometheus.Registerer,
maxContactsPerReg int,
keyPolicy goodkey.KeyPolicy,
maxNames int,
authorizationLifetime time.Duration,
pendingAuthorizationLifetime time.Duration,
pubc pubpb.PublisherClient,
caaClient caaChecker,
orderLifetime time.Duration,
finalizeTimeout time.Duration,
ctp *ctpolicy.CTPolicy,
purger akamaipb.AkamaiPurgerClient,
issuers []*issuance.Certificate,
) *RegistrationAuthorityImpl
NewRegistrationAuthorityImpl constructs a new RA object.
func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, req *rapb.AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error)
AdministrativelyRevokeCertificate terminates trust in the certificate provided and does not require the registration ID of the requester since this method is only called from the admin-revoker tool. It trusts that the admin is doing the right thing, so if the requested reason is keyCompromise, it blocks the key from future issuance even though compromise has not been demonstrated here. It purges the certificate from the Akamai cache, and returns an error if that purge fails, since this method may be called late in the BRs-mandated revocation timeframe.
func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context, req *corepb.Authorization) (*emptypb.Empty, error)
DeactivateAuthorization deactivates a currently valid authorization
func (ra *RegistrationAuthorityImpl) DeactivateRegistration(ctx context.Context, reg *corepb.Registration) (*emptypb.Empty, error)
DeactivateRegistration deactivates a valid registration
func (ra *RegistrationAuthorityImpl) DrainFinalize()
func (ra *RegistrationAuthorityImpl) FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)
FinalizeOrder accepts a request to finalize an order object and, if possible, issues a certificate to satisfy the order. If an order does not have valid, unexpired authorizations for all of its associated names an error is returned. Similarly we vet that all of the names in the order are acceptable based on current policy and return an error if the order can't be fulfilled. If successful the order will be returned in processing status for the client to poll while awaiting finalization to occur.
func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb.GenerateOCSPRequest) (*capb.OCSPResponse, error)
GenerateOCSP looks up a certificate's status, then requests a signed OCSP response for it from the CA. If the certificate status is not available or the certificate is expired, it returns berrors.NotFoundError.
func (ra *RegistrationAuthorityImpl) LoadRateLimitPoliciesFile(filename string) error
func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)
NewOrder creates a new order object
func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, request *corepb.Registration) (*corepb.Registration, error)
NewRegistration constructs a new Registration from a request.
func (ra *RegistrationAuthorityImpl) PerformValidation( ctx context.Context, req *rapb.PerformValidationRequest) (*corepb.Authorization, error)
PerformValidation initiates validation for a specific challenge associated with the given base authorization. The authorization and challenge are updated based on the results.
func (ra *RegistrationAuthorityImpl) RevokeCertByApplicant(ctx context.Context, req *rapb.RevokeCertByApplicantRequest) (*emptypb.Empty, error)
RevokeCertByApplicant revokes the certificate in question. It allows any revocation reason from (0, 1, 3, 4, 5, 9), because Subscribers are allowed to request any revocation reason for their own certificates. However, if the requesting RegID is an account which has authorizations for all names in the cert but is *not* the original subscriber, it overrides the revocation reason to be 5 (cessationOfOperation), because that code is used to cover instances where "the certificate subscriber no longer owns the domain names in the certificate". It does not add the key to the blocked keys list, even if reason 1 (keyCompromise) is requested, as it does not demonstrate said compromise. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.
func (ra *RegistrationAuthorityImpl) RevokeCertByKey(ctx context.Context, req *rapb.RevokeCertByKeyRequest) (*emptypb.Empty, error)
RevokeCertByKey revokes the certificate in question. It always uses reason code 1 (keyCompromise). It ensures that they public key is added to the blocked keys list, even if revocation otherwise fails. It attempts to purge the certificate from the Akamai cache, but it does not hard-fail if doing so is not successful, because the cache will drop the old OCSP response in less than 24 hours anyway.
func (ra *RegistrationAuthorityImpl) UpdateRegistration(ctx context.Context, req *rapb.UpdateRegistrationRequest) (*corepb.Registration, error)
UpdateRegistration updates an existing Registration with new values. Caller is responsible for making sure that update.Key is only different from base.Key if it is being called from the WFE key change endpoint. TODO(#5554): Split this into separate methods for updating Contacts vs Key.