pub struct CaManager { /* private fields */ }
impl CaManager
pub async fn build( config: Arc<Config>, tasks: Arc<TaskQueue>, signer: Arc<KrillSigner>, system_actor: Actor ) -> KrillResult<Self>
Builds a new CaServer. Returns an error if the CA store cannot be initialized.
pub fn testbed_enabled(&self) -> bool
pub async fn republish_all(&self, force: bool) -> KrillResult<Vec<CaHandle>>
Republish the embedded TA and CAs if needed, i.e. if they are close to their next update time.
impl CaManager
pub async fn get_trust_anchor_proxy(&self) -> KrillResult<Arc<TrustAnchorProxy>>
Gets the Trust Anchor Proxy, if present. Returns an error if the TA is uninitialized.
pub async fn get_trust_anchor_signer( &self ) -> KrillResult<Arc<TrustAnchorSigner>>
Gets the Trust Anchor Signer, if present. Returns an error if the TA is uninitialized.
pub async fn ta_proxy_init(&self) -> KrillResult<()>
Initialises the (one) Trust Anchor proxy.
Returns an error if:
- ta_support_enabled is false
- the proxy was already initialised
pub async fn ta_signer_init( &self, tal_https: Vec<Https>, tal_rsync: Rsync, private_key_pem: Option<String> ) -> KrillResult<()>
Initialises the embedded Trust Anchor Signer (for testbed). This assumes that the one and only local Trust Anchor Proxy exists and is to be associated with this signer.
pub async fn ta_proxy_id(&self) -> KrillResult<IdCertInfo>
pub async fn ta_proxy_publisher_request(&self) -> KrillResult<PublisherRequest>
Gets the publisher request for the Trust Anchor proxy. Returns an error if the proxy is not initialised.
pub async fn ta_proxy_repository_update( &self, contact: RepositoryContact, actor: &Actor ) -> KrillResult<()>
Adds the repository to the Trust Anchor proxy. Returns an error if the proxy is not enabled or already has a repository.
pub async fn ta_proxy_repository_contact( &self ) -> KrillResult<RepositoryContact>
Returns the repository contact for the proxy, or an error if there is no proxy, or no repository configured for it.
pub async fn ta_proxy_signer_add( &self, info: TrustAnchorSignerInfo, actor: &Actor ) -> KrillResult<()>
Adds the associated signer to the proxy.
Errors if:
- there is no proxy
- the proxy has a signer
pub async fn ta_proxy_signer_make_request( &self, actor: &Actor ) -> KrillResult<TrustAnchorSignedRequest>
Create a new request for the signer.
Errors if:
- there is no proxy
- the proxy already has a request
pub async fn ta_proxy_signer_get_request( &self ) -> KrillResult<TrustAnchorSignedRequest>
Create a new request for the signer.
Errors if:
- there is no proxy
- the proxy already has a request
pub async fn ta_proxy_signer_process_response( &self, response: TrustAnchorSignedResponse, actor: &Actor ) -> KrillResult<()>
Process a sign response from the signer.
Errors if:
- there is no proxy
- there is no matching request
pub async fn ta_init_fully_embedded( &self, ta_aia: Rsync, ta_uris: Vec<Https>, ta_key_pem: Option<String>, repo_manager: &Arc<RepositoryManager>, actor: &Actor ) -> KrillResult<()>
Initializes an embedded trust anchor with all resources.
pub async fn ta_renew_testbed_ta(&self) -> KrillResult<()>
Renews the embedded testbed TA.
impl CaManager
pub fn init_ca(&self, handle: &CaHandle) -> KrillResult<()>
Initializes a CA with no repository, no parents and no children.
pub async fn ca_update_id( &self, handle: CaHandle, actor: &Actor ) -> KrillResult<()>
Updates the self-signed ID certificate for a CA. Use this with care: RFC 8183 only describes the initial ID exchange in the form of XML files and says nothing about updating identity certificates and keys. Krill supports generating a new ID key pair and certificate, and has functions to update this for a parent, a child, a repository and a publisher, but other implementations may not support updating identities after initialization.
pub fn ca_list(&self, actor: &Actor) -> KrillResult<CertAuthList>
Get the CAs that the given actor is permitted to see.
pub async fn get_ca(&self, handle: &CaHandle) -> KrillResult<Arc<CertAuth>>
Gets a CA by the given handle; returns an Err(ServerError::UnknownCA) if it does not exist.
pub fn has_ca(&self, handle: &CaHandle) -> KrillResult<bool>
Checks whether a CA by the given handle exists.
pub async fn get_ca_status(&self, ca: &CaHandle) -> KrillResult<CaStatus>
Gets the current CA status.
pub async fn delete_ca( &self, repo_manager: &RepositoryManager, ca_handle: &CaHandle, actor: &Actor ) -> KrillResult<()>
Delete a CA. Let it do best effort revocation requests and withdraw all its objects first. Note that any children of this CA will be left orphaned, and they will only learn of this sad fact when they choose to call home.
impl CaManager
pub async fn ca_history( &self, handle: &CaHandle, crit: CommandHistoryCriteria ) -> KrillResult<CommandHistory>
Gets the history for a CA.
pub fn ca_command_details( &self, handle: &CaHandle, version: u64 ) -> KrillResult<CaCommandDetails>
Shows the details for a CA command.
impl CaManager
pub async fn ca_add_child( &self, ca: &CaHandle, req: AddChildRequest, service_uri: &Https, actor: &Actor ) -> KrillResult<ParentResponse>
Adds a child under a CA. If the AddChildRequest contains resources not held by this CA, then an Error::CaChildExtraResources is returned.
pub async fn ca_show_child( &self, ca: &CaHandle, child: &ChildHandle ) -> KrillResult<ChildCaInfo>
Show details for a child under the CA.
pub async fn ca_child_export( &self, ca: &CaHandle, child_handle: &ChildHandle ) -> KrillResult<ExportChild>
Export a child. Fails if:
- the child does not exist
- the child has no received certificate
- the child has more than one received certificate or resource class
Primarily meant for testing that the child import function works.
pub async fn ca_child_import( &self, ca: &CaHandle, import_child: ImportChild, actor: &Actor ) -> KrillResult<()>
Import a child under the given CA. Will fail if:
- the ca does not exist
- the ca has less than, or more than one resource class
- the ca does not hold the resources for the child
- the child already exists
pub async fn ca_parent_contact( &self, ca_handle: &CaHandle, child_handle: ChildHandle, service_uri: &Https ) -> KrillResult<ParentCaContact>
Show a contact for a child.
pub async fn ca_parent_response( &self, ca_handle: &CaHandle, child_handle: ChildHandle, service_uri: &Https ) -> KrillResult<ParentResponse>
Gets an RFC8183 Parent Response for the child.
pub async fn ca_child_update( &self, ca: &CaHandle, child: ChildHandle, req: UpdateChildRequest, actor: &Actor ) -> KrillResult<()>
Updates a child under this CA. The submitted UpdateChildRequest can contain a new IdCert, a new ResourceSet, or both. When resources are updated, the existing resource entitlements are replaced by the new value - i.e. this is not a delta, and it affects all Internet Number Resource (INR) types (IPv4, IPv6, ASN). Setting resource entitlements beyond the resources held by the parent CA will return an Error::CaChildExtraResources.
pub async fn ca_child_remove( &self, ca: &CaHandle, child: ChildHandle, actor: &Actor ) -> KrillResult<()>
Removes a child from this CA. This will also ensure that certificates issued to the child are revoked and withdrawn.
pub async fn rfc6492( &self, ca_handle: &CaHandle, msg_bytes: Bytes, user_agent: Option<String>, actor: &Actor ) -> KrillResult<Bytes>
Processes an RFC 6492 request sent to this CA:
- parses the message bytes
- validates the request
- processes the child request
- signs a response and returns the bytes
pub async fn rfc6492_process_request( &self, ca_handle: &CaHandle, req_msg: Message, user_agent: Option<String>, actor: &Actor ) -> KrillResult<Message>
Processes an RFC 6492 message and creates an unsigned response.
impl CaManager
pub async fn ca_parent_add_or_update( &self, handle: CaHandle, parent_req: ParentCaReq, actor: &Actor ) -> KrillResult<()>
Adds a new parent, or updates an existing parent, of a CA. Adding a parent will cause the CA to connect to this new parent in order to learn its resource entitlements, set up the resource class(es) under it, and request certificate(s).
pub async fn ca_parent_remove( &self, handle: CaHandle, parent: ParentHandle, actor: &Actor ) -> KrillResult<()>
Removes a parent from a CA. This will cause best-effort revocation requests for the existing keys under this parent to be sent. Any resource classes under the parent will be removed and all relevant content will be withdrawn from the repository.
pub async fn ca_parent_revoke( &self, handle: &CaHandle, parent: &ParentHandle ) -> KrillResult<()>
Send revocation requests for a parent of a CA when the parent is removed.
pub async fn cas_schedule_refresh_all(&self) -> KrillResult<()>
Schedules refreshing all CAs as soon as possible.
Note: this function can be called manually through the API, but normally the CA refresh process is replanned on the task queue automatically.
pub async fn cas_schedule_refresh_single( &self, ca_handle: CaHandle ) -> KrillResult<()>
Refresh a single CA with its parents, and possibly suspend inactive children.
pub fn cas_schedule_suspend_all(&self) -> KrillResult<()>
Schedules a check for suspending any children under all CAs as soon as possible.
Note: this function can be called manually through the API, but normally this is replanned on the task queue automatically IF suspension is enabled.
pub async fn ca_suspend_inactive_children( &self, ca_handle: &CaHandle, started: Timestamp, actor: &Actor )
Suspends inactive child CAs of the given CA.
pub async fn ca_sync_parent( &self, handle: &CaHandle, min_ca_version: u64, parent: &ParentHandle, actor: &Actor ) -> KrillResult<bool>
Synchronizes a CA with one of its parents:
- send pending requests if present; otherwise
- get and process updated entitlements
Returns Ok(true) if successful, Ok(false) if premature, and Err(Error) in case of issues.
Note: if new request events are generated as a result of processing updated entitlements then they will trigger that this synchronization is called again so that the pending requests can be sent.
pub async fn sync_ta_proxy_signer_if_possible(&self) -> KrillResult<()>
Synchronises the Trust Anchor Proxy with the Signer, if the Signer is local.
pub async fn send_revoke_requests( &self, handle: &CaHandle, parent: &ParentHandle, revoke_requests: HashMap<ResourceClassName, Vec<RevocationRequest>> ) -> KrillResult<HashMap<ResourceClassName, Vec<RevocationResponse>>>
pub async fn send_revoke_unexpected_key( &self, handle: &CaHandle, rcn: ResourceClassName, revocation: RevocationRequest ) -> KrillResult<HashMap<ResourceClassName, Vec<RevocationResponse>>>
pub async fn get_entitlements_from_contact( &self, ca: &CaHandle, parent: &ParentHandle, contact: &ParentCaContact, existing_parent: bool ) -> KrillResult<ResourceClassListResponse>
pub fn local_parent( service_uri: &ServiceUri, base_uri: &Https ) -> Option<ParentHandle>
Returns the handle of the local parent for the given ServiceUri and the configured base (service) URI, provided that the URI indeed maps back to this same server and is an RFC 6492 style Krill URI; otherwise returns None.
impl CaManager
pub fn cas_schedule_repo_sync_all(&self, actor: &Actor) -> KrillResult<()>
Schedule synchronizing all CAs with their repositories.
pub fn cas_schedule_repo_sync(&self, ca_handle: CaHandle) -> KrillResult<()>
Schedules synchronizing the given CA with its repositories.
pub async fn cas_repo_sync_single( &self, repo_manager: &RepositoryManager, ca_handle: &CaHandle, ca_version: u64 ) -> KrillResult<bool>
Synchronize a CA with its repositories.
Returns Ok(true) in case the synchronization was successful, Ok(false) in case it was premature with respect to the given CA version, and Err(Error) in case of any issues.
Note typically a CA will have only one active repository, but in case there are multiple during a migration, this function will ensure that they are all synchronized.
In case the CA had deprecated repositories, then a clean up will be attempted. I.e. the CA will try to withdraw all objects from the deprecated repository. If this clean up fails then the number of clean-up attempts for the repository in question is incremented, and this function will fail. When there have been 5 failed attempts, then the old repository is assumed to be unreachable and it will be dropped - i.e. the CA will no longer try to clean up objects.
pub async fn ca_repo_elements( &self, ca: &CaHandle ) -> KrillResult<HashMap<RepositoryContact, Vec<PublishElement>>>
Get the current objects for a CA for each repository that it’s using.
Notes:
- typically a CA will use only one repository, but during migrations there may be multiple.
- these objects may not have been published (yet) - check ca_repo_status.
pub fn ca_deprecated_repos( &self, ca: &CaHandle ) -> KrillResult<Vec<DeprecatedRepository>>
Get deprecated repositories so that they can be cleaned.
pub fn ca_deprecated_repo_remove( &self, ca: &CaHandle, to_remove: &RepositoryContact ) -> KrillResult<()>
Remove a deprecated repo
pub fn ca_deprecated_repo_increment_clean_attempts( &self, ca: &CaHandle, contact: &RepositoryContact ) -> KrillResult<()>
Increase the clean attempt counter for a deprecated repository
pub async fn update_repo( &self, repo_manager: &RepositoryManager, ca_handle: CaHandle, new_contact: RepositoryContact, check_repo: bool, actor: &Actor ) -> KrillResult<()>
Update repository where a CA publishes.
pub async fn send_rfc8181_delta( &self, repo_manager: &RepositoryManager, ca_handle: &CaHandle, id_cert: &IdCertInfo, server_info: &PublicationServerInfo, delta: PublishDelta ) -> KrillResult<()>
impl CaManager
pub async fn ca_aspas_definitions_show( &self, ca: CaHandle ) -> KrillResult<AspaDefinitionList>
Show current ASPA definitions for this CA.
pub async fn ca_aspas_definitions_update( &self, ca: CaHandle, updates: AspaDefinitionUpdates, actor: &Actor ) -> KrillResult<()>
Add a new ASPA definition for this CA and the customer ASN in the update.
pub async fn ca_aspas_update_aspa( &self, ca: CaHandle, customer: CustomerAsn, update: AspaProvidersUpdate, actor: &Actor ) -> KrillResult<()>
Update the ASPA definition for this CA and the customer ASN in the update.
impl CaManager
pub async fn ca_bgpsec_definitions_show( &self, ca: CaHandle ) -> KrillResult<BgpSecCsrInfoList>
pub async fn ca_bgpsec_definitions_update( &self, ca: CaHandle, updates: BgpSecDefinitionUpdates, actor: &Actor ) -> KrillResult<()>
impl CaManager
pub async fn ca_routes_update( &self, ca: CaHandle, updates: RoaConfigurationUpdates, actor: &Actor ) -> KrillResult<()>
Updates the routes authorized by a CA. This will trigger that ROAs are made in the resource classes that contain the prefixes. If the update is rejected, e.g. because the CA does not hold the necessary prefixes, then an Error::RoaDeltaError will be returned.
If the update is successful, new manifest(s) and CRL(s) will be created,
and resynchronization between the CA and its repository will be triggered.
Finally, note that ROAs may be issued on a per-prefix basis, or aggregated by ASN, based on the defaults or the configured values.
pub async fn renew_objects_all(&self, actor: &Actor) -> KrillResult<()>
Re-issues about-to-expire objects in all CAs. This is a no-op in case ROAs do not need re-issuance. If new objects are created they will also be published (the event will trigger that the MFT and CRL are also made, and that the CA in question synchronizes with its repository).
Note: this does not re-issue issued CA certificates, because child CAs are expected to note extended validity eligibility and request updated certificates themselves.
pub async fn force_renew_roas_all(&self, actor: &Actor) -> KrillResult<()>
Force the re-issuance of all ROAs in all CAs. This function was added because we need to re-issue ROAs in Krill 0.9.3 to force that a short subject CN is used for the EE certificate: i.e. the SKI rather than the full public key. But there may also be other cases in future where forcing to re-issue ROAs may be useful.
impl CaManager
pub async fn rta_sign( &self, ca: CaHandle, name: RtaName, request: RtaContentRequest, actor: &Actor ) -> KrillResult<()>
Sign a one-off single-signed RTA
pub async fn rta_multi_prep( &self, ca: &CaHandle, name: RtaName, request: RtaPrepareRequest, actor: &Actor ) -> KrillResult<()>
Prepares a multi-signed RTA.
pub async fn rta_multi_cosign( &self, ca: CaHandle, name: RtaName, rta: ResourceTaggedAttestation, actor: &Actor ) -> KrillResult<()>
Co-sign an existing RTA
impl CaManager
CA Key Roll functions
pub async fn ca_keyroll_init( &self, handle: CaHandle, max_age: Duration, actor: &Actor ) -> KrillResult<()>
Initiate an RFC 6489 key roll for all active keys in a CA older than the specified duration.
pub async fn ca_keyroll_activate( &self, handle: CaHandle, staging: Duration, actor: &Actor ) -> KrillResult<()>
Activate a new key, as part of the key roll process (RFC 6489). Only new keys that have an age equal to or greater than the staging period are promoted. The RFC mandates a staging period of 24 hours, but we may use a shorter period for testing and/or emergency manual key rolls.