Struct krill::daemon::ca::CaServer

pub struct CaServer<S: Signer> { /* fields omitted */ }

Implementations

impl<S: Signer> CaServer<S>[src]

pub fn build(
    work_dir: &PathBuf,
    rfc8181_log_dir: Option<&PathBuf>,
    rfc6492_log_dir: Option<&PathBuf>,
    events_queue: Arc<EventQueueListener>,
    signer: Arc<RwLock<S>>
) -> KrillResult<Self>

Builds a new CaServer. Will return an error if the TA store cannot be initialised.

pub fn get_trust_anchor(&self) -> KrillResult<Arc<CertAuth<S>>>[src]

Gets the TrustAnchor, if present. Returns an error if the TA is uninitialized.

pub fn init_ta(
    &self,
    info: RepoInfo,
    ta_aia: Rsync,
    ta_uris: Vec<Https>
) -> KrillResult<()>

Initialises an embedded trust anchor with all resources.

pub fn republish_all(&self) -> KrillResult<()>[src]

Republish the embedded TA and CAs if needed, i.e. if they are close to their next update time.

pub fn republish(&self, handle: &Handle) -> KrillResult<()>[src]

Republish a CA; this is a no-op when there is nothing to publish.

pub fn update_repo(
    &self,
    handle: Handle,
    new_contact: RepositoryContact
) -> KrillResult<()>

Update the repository where a CA publishes.

pub fn remove_old_repo(&self, handle: &Handle) -> KrillResult<()>[src]

Clean up old repo, if present.

pub async fn refresh_all<'_>(&'_ self)[src]

Refresh all CAs: ask for updates and shrink as needed.

pub fn ca_add_child(
    &self,
    parent: &ParentHandle,
    req: AddChildRequest,
    service_uri: &Https
) -> KrillResult<ParentCaContact>

Adds a child under an embedded CA

pub fn ca_parent_contact(
    &self,
    parent: &ParentHandle,
    child_handle: ChildHandle,
    tag: Option<String>,
    service_uri: &Https
) -> KrillResult<ParentCaContact>

Show a contact for a child. Shows "embedded" if the parent does not know any id cert for the child.

pub fn ca_parent_response(
    &self,
    parent: &ParentHandle,
    child_handle: ChildHandle,
    tag: Option<String>,
    service_uri: &Https
) -> KrillResult<ParentResponse>

Gets an RFC 8183 Parent Response for the child, regardless of whether the parent knows the ID certificate for this child. Note: a child can be updated and an ID cert can be added at any time.

pub fn ca_show_child(
    &self,
    parent: &ParentHandle,
    child: &ChildHandle
) -> KrillResult<ChildCaInfo>

Show details for a child under the TA.

pub fn ca_child_update(
    &self,
    handle: &Handle,
    child: ChildHandle,
    req: UpdateChildRequest
) -> KrillResult<()>

Update a child under this CA.

pub fn ca_child_remove(
    &self,
    handle: &Handle,
    child: ChildHandle
) -> KrillResult<()>

Remove a child under this CA.

impl<S: Signer> CaServer<S>[src]

pub fn get_ca(&self, handle: &Handle) -> KrillResult<Arc<CertAuth<S>>>[src]

Gets a CA by the given handle, returns an Err(ServerError::UnknownCA) if it does not exist.

pub fn get_ca_history(
    &self,
    handle: &Handle,
    crit: CommandHistoryCriteria
) -> KrillResult<CommandHistory>

Gets the history for a CA.

pub fn get_ca_command_details(
    &self,
    handle: &Handle,
    command: CommandKey
) -> KrillResult<Option<CaCommandDetails>>

Shows the details for a CA command

pub fn has_ca(&self, handle: &Handle) -> bool[src]

Checks whether a CA by the given handle exists.

pub fn rfc6492(
    &self,
    ca_handle: &Handle,
    msg_bytes: Bytes
) -> KrillResult<Bytes>

Processes an RFC 6492 message sent to this CA.

pub fn list(&self, parent: &Handle, child: &Handle) -> KrillResult<Entitlements>[src]

List the entitlements for a child; see section 3.3.2 of RFC 6492.

pub fn issue(
    &self,
    parent: &Handle,
    child: &ChildHandle,
    issue_req: IssuanceRequest
) -> KrillResult<IssuanceResponse>

Issue a Certificate in response to a Certificate Issuance request

See RFC 6492, sections 3.4.1 and 3.4.2: https://tools.ietf.org/html/rfc6492#section-3.4.1

pub fn revoke(
    &self,
    ca_handle: &Handle,
    child: ChildHandle,
    revoke_request: RevocationRequest
) -> KrillResult<RevocationResponse>

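Revoke a certificate in response to a Certificate Revocation request.

See RFC 6492, sections 3.5.1 and 3.5.2: https://tools.ietf.org/html/rfc6492#section-3.5.1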

pub fn ca_list(&self) -> CertAuthList[src]

Get the current CAs

pub fn init_ca(&self, handle: &Handle) -> KrillResult<()>[src]

Initialises a CA without a repo, no parents, no children, no nothing

pub fn ca_update_id(&self, handle: Handle) -> KrillResult<()>[src]

pub fn ca_parent_add(
    &self,
    handle: Handle,
    parent: ParentCaReq
) -> KrillResult<()>

Adds a parent to a CA

pub fn ca_parent_update(
    &self,
    handle: Handle,
    parent: ParentHandle,
    contact: ParentCaContact
) -> KrillResult<()>

Updates a parent of a CA

pub fn ca_parent_remove(
    &self,
    handle: Handle,
    parent: ParentHandle
) -> KrillResult<()>

Removes a parent from a CA

pub fn ca_keyroll_init(
    &self,
    handle: Handle,
    max_age: Duration
) -> KrillResult<()>

Perform a key roll for all active keys in a CA older than the specified duration.

pub fn ca_keyroll_activate(
    &self,
    handle: Handle,
    staging: Duration
) -> KrillResult<()>

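Activate a new key, as part of the key roll process (RFC 6489). Only new keys that have an age equal to or greater than the staging period are promoted. The RFC mandates a staging period of 24 hours, but we may use a shorter period for testing and/or emergency manual key rolls. The staging period exists so that relying parties can retrieve the new CA certificate before the new key is put into use, so a shorter period reduces that margin.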

pub async fn get_updates_for_all_cas<'_>(&'_ self) -> KrillResult<()>[src]

Try to get updates for all embedded CAs, skipping the TA and any CAs that have no parents. Every CA is processed and any errors are logged, i.e. an issue with one CA does not stop the updates for the others.

pub async fn get_delayed_updates<'_, '_>(
    &'_ self,
    ca_handle: &'_ Handle
) -> KrillResult<()>

Try to get updates from parents, if those updates were delayed because no repository was configured when the parents were added.

pub async fn get_updates_from_parent<'_, '_, '_>(
    &'_ self,
    handle: &'_ Handle,
    parent: &'_ ParentHandle
) -> KrillResult<()>

Try to update a specific CA

pub async fn send_requests<'_, '_, '_>(
    &'_ self,
    handle: &'_ Handle,
    parent: &'_ ParentHandle
) -> KrillResult<()>

Sends requests to a specific parent for the CA matching handle.

pub async fn send_all_requests<'_, '_>(
    &'_ self,
    handle: &'_ Handle
) -> KrillResult<()>

Sends requests to all parents for the CA matching the handle.

pub async fn send_revoke_requests<'_, '_, '_>(
    &'_ self,
    handle: &'_ Handle,
    parent: &'_ ParentHandle,
    revoke_requests: HashMap<ResourceClassName, Vec<RevocationRequest>>
) -> KrillResult<HashMap<ResourceClassName, Vec<RevocationResponse>>>

pub async fn send_revoke_unexpected_key<'_, '_>(
    &'_ self,
    handle: &'_ Handle,
    rcn: ResourceClassName,
    revocation: RevocationRequest
) -> KrillResult<HashMap<ResourceClassName, Vec<RevocationResponse>>>

pub async fn get_entitlements_from_parent_and_contact<'_, '_, '_, '_>(
    &'_ self,
    handle: &'_ Handle,
    parent: &'_ ParentHandle,
    contact: &'_ ParentCaContact
) -> KrillResult<Entitlements>

impl<S: Signer> CaServer<S>[src]

pub async fn send_rfc8181_list<'_, '_, '_>(
    &'_ self,
    ca_handle: &'_ Handle,
    repository: &'_ RepositoryResponse
) -> KrillResult<ListReply>

pub async fn send_rfc8181_delta<'_, '_, '_>(
    &'_ self,
    ca_handle: &'_ Handle,
    repository: &'_ RepositoryResponse,
    delta: PublishDelta
) -> KrillResult<()>

impl<S: Signer> CaServer<S>[src]

pub fn ca_routes_update(
    &self,
    handle: Handle,
    updates: RouteAuthorizationUpdates
) -> KrillResult<()>

Update the routes authorized by a CA

Trait Implementations

impl<S: Clone + Signer> Clone for CaServer<S>[src]

Auto Trait Implementations

impl<S> !RefUnwindSafe for CaServer<S>

impl<S> Send for CaServer<S>

impl<S> Sync for CaServer<S>

impl<S> Unpin for CaServer<S>

impl<S> !UnwindSafe for CaServer<S>

Blanket Implementations

impl<T> Any for T where
    T: 'static + ?Sized

impl<T> Borrow<T> for T where
    T: ?Sized

impl<T> BorrowMut<T> for T where
    T: ?Sized

impl<T> From<T> for T[src]

impl<T, U> Into<U> for T where
    U: From<T>, 

impl<T> ToOwned for T where
    T: Clone

type Owned = T

The resulting type after obtaining ownership.

impl<T, U> TryFrom<U> for T where
    U: Into<T>, 

type Error = Infallible

The type returned in the event of a conversion error.

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>, 

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.