metacrypt/internal/acme/types.go

package acme

import "time"

// Account represents an ACME account (RFC 8555 §7.1.2).
type Account struct {
	CreatedAt     time.Time `json:"created_at"`
	ID            string    `json:"id"`
	Status        string    `json:"status"`
	MCIASUsername string    `json:"mcias_username"`
	Contact       []string  `json:"contact,omitempty"`
	JWK           []byte    `json:"jwk"`
}

// EABCredential is an External Account Binding credential (RFC 8555 §7.3.4).
type EABCredential struct {
	CreatedAt time.Time `json:"created_at"`
	KID       string    `json:"kid"`
	CreatedBy string    `json:"created_by"`
	HMACKey   []byte    `json:"hmac_key"`
	Used      bool      `json:"used"`
}

// Order represents an ACME certificate order (RFC 8555 §7.1.3).
type Order struct {
	ExpiresAt   time.Time    `json:"expires_at"`
	CreatedAt   time.Time    `json:"created_at"`
	NotBefore   *time.Time   `json:"not_before,omitempty"`
	NotAfter    *time.Time   `json:"not_after,omitempty"`
	ID          string       `json:"id"`
	AccountID   string       `json:"account_id"`
	Status      string       `json:"status"`
	CertID      string       `json:"cert_id,omitempty"`
	IssuerName  string       `json:"issuer_name"`
	Identifiers []Identifier `json:"identifiers"`
	AuthzIDs    []string     `json:"authz_ids"`
}

// Identifier is a domain name or IP address in an order.
type Identifier struct {
	Type  string `json:"type"` // "dns" or "ip"
	Value string `json:"value"`
}

// Authorization represents an ACME authorization (RFC 8555 §7.1.4).
type Authorization struct {
	ExpiresAt    time.Time  `json:"expires_at"`
	Identifier   Identifier `json:"identifier"`
	ID           string     `json:"id"`
	AccountID    string     `json:"account_id"`
	Status       string     `json:"status"`
	ChallengeIDs []string   `json:"challenge_ids"`
}

// Challenge represents an ACME challenge (RFC 8555 §8).
type Challenge struct {
	Error       *ProblemDetail `json:"error,omitempty"`
	ValidatedAt *time.Time     `json:"validated_at,omitempty"`
	ID          string         `json:"id"`
	AuthzID     string         `json:"authz_id"`
	Type        string         `json:"type"`
	Status      string         `json:"status"`
	Token       string         `json:"token"`
}

// ProblemDetail is an RFC 7807 problem detail for ACME errors.
type ProblemDetail struct {
	Type   string `json:"type"`
	Detail string `json:"detail"`
}

// IssuedCert stores the PEM and metadata for a certificate issued via ACME.
type IssuedCert struct {
	IssuedAt  time.Time `json:"issued_at"`
	ExpiresAt time.Time `json:"expires_at"`
	ID        string    `json:"id"`
	OrderID   string    `json:"order_id"`
	AccountID string    `json:"account_id"`
	CertPEM   string    `json:"cert_pem"`
	Revoked   bool      `json:"revoked"`
}

// ACMEConfig is per-mount ACME configuration stored in the barrier.
type ACMEConfig struct {
	DefaultIssuer string `json:"default_issuer"` // CA issuer name to use for ACME certs
}

// Status constants.
const (
	StatusValid       = "valid"
	StatusPending     = "pending"
	StatusProcessing  = "processing"
	StatusReady       = "ready"
	StatusInvalid     = "invalid"
	StatusDeactivated = "deactivated"
	StatusRevoked     = "revoked"

	ChallengeHTTP01 = "http-01"
	ChallengeDNS01  = "dns-01"

	IdentifierDNS = "dns"
	IdentifierIP  = "ip"
)

// ACME problem type URIs (RFC 8555 §6.7).
const (
	ProblemAccountDoesNotExist     = "urn:ietf:params:acme:error:accountDoesNotExist"
	ProblemAlreadyRevoked          = "urn:ietf:params:acme:error:alreadyRevoked"
	ProblemBadCSR                  = "urn:ietf:params:acme:error:badCSR"
	ProblemBadNonce                = "urn:ietf:params:acme:error:badNonce"
	ProblemBadPublicKey            = "urn:ietf:params:acme:error:badPublicKey"
	ProblemBadRevocationReason     = "urn:ietf:params:acme:error:badRevocationReason"
	ProblemBadSignatureAlg         = "urn:ietf:params:acme:error:badSignatureAlgorithm"
	ProblemCAA                     = "urn:ietf:params:acme:error:caa"
	ProblemConnection              = "urn:ietf:params:acme:error:connection"
	ProblemDNS                     = "urn:ietf:params:acme:error:dns"
	ProblemExternalAccountRequired = "urn:ietf:params:acme:error:externalAccountRequired"
	ProblemIncorrectResponse       = "urn:ietf:params:acme:error:incorrectResponse"
	ProblemInvalidContact          = "urn:ietf:params:acme:error:invalidContact"
	ProblemMalformed               = "urn:ietf:params:acme:error:malformed"
	ProblemOrderNotReady           = "urn:ietf:params:acme:error:orderNotReady"
	ProblemRateLimited             = "urn:ietf:params:acme:error:rateLimited"
	ProblemRejectedIdentifier      = "urn:ietf:params:acme:error:rejectedIdentifier"
	ProblemServerInternal          = "urn:ietf:params:acme:error:serverInternal"
	ProblemTLS                     = "urn:ietf:params:acme:error:tls"
	ProblemUnauthorized            = "urn:ietf:params:acme:error:unauthorized"
	ProblemUnsupportedContact      = "urn:ietf:params:acme:error:unsupportedContact"
	ProblemUnsupportedIdentifier   = "urn:ietf:params:acme:error:unsupportedIdentifier"
	ProblemUserActionRequired      = "urn:ietf:params:acme:error:userActionRequired"
)