Struct krill::daemon::ca::CaManager

pub struct CaManager { /* private fields */ }

Implementations


impl CaManager


pub async fn build( config: Arc<Config>, tasks: Arc<TaskQueue>, signer: Arc<KrillSigner>, system_actor: Actor ) -> KrillResult<Self>

Builds a new CaServer. Will return an error if the CA store cannot be initialized.


pub fn testbed_enabled(&self) -> bool


pub async fn republish_all(&self, force: bool) -> KrillResult<Vec<CaHandle>>

Republish the embedded TA and CAs if needed, i.e. if they are close to their next update time.


impl CaManager


pub async fn get_trust_anchor_proxy(&self) -> KrillResult<Arc<TrustAnchorProxy>>

Gets the Trust Anchor Proxy, if present. Returns an error if the TA is uninitialized.


pub async fn get_trust_anchor_signer( &self ) -> KrillResult<Arc<TrustAnchorSigner>>

Gets the Trust Anchor Signer, if present. Returns an error if the TA is uninitialized.


pub async fn ta_proxy_init(&self) -> KrillResult<()>

Initialises the (one) Trust Anchor proxy.

Returns an error if:

  • ta_support_enabled is false
  • the proxy was already initialised

pub async fn ta_signer_init( &self, tal_https: Vec<Https>, tal_rsync: Rsync, private_key_pem: Option<String> ) -> KrillResult<()>

Initialises the embedded Trust Anchor Signer (for testbed). This assumes that the one and only local Trust Anchor Proxy exists and is to be associated with this signer.


pub async fn ta_proxy_id(&self) -> KrillResult<IdCertInfo>


pub async fn ta_proxy_publisher_request(&self) -> KrillResult<PublisherRequest>

Gets the publisher request for the Trust Anchor proxy. Returns an error if the proxy is not initialised.


pub async fn ta_proxy_repository_update( &self, contact: RepositoryContact, actor: &Actor ) -> KrillResult<()>

Adds the repository to the Trust Anchor proxy. Returns an error if the proxy is not enabled or already has a repository.


pub async fn ta_proxy_repository_contact( &self ) -> KrillResult<RepositoryContact>

Returns the repository contact for the proxy, or an error if there is no proxy, or no repository configured for it.


pub async fn ta_proxy_signer_add( &self, info: TrustAnchorSignerInfo, actor: &Actor ) -> KrillResult<()>

Adds the associated signer to the proxy.

Errors if:

  • there is no proxy
  • the proxy has a signer

pub async fn ta_proxy_signer_make_request( &self, actor: &Actor ) -> KrillResult<TrustAnchorSignedRequest>

Create a new request for the signer.

Errors if:

  • there is no proxy
  • the proxy already has a request

pub async fn ta_proxy_signer_get_request( &self ) -> KrillResult<TrustAnchorSignedRequest>

Create a new request for the signer.

Errors if:

  • there is no proxy
  • the proxy already has a request

pub async fn ta_proxy_signer_process_response( &self, response: TrustAnchorSignedResponse, actor: &Actor ) -> KrillResult<()>

Process a sign response from the signer.

Errors if:

  • there is no proxy
  • there is no matching request

pub async fn ta_init_fully_embedded( &self, ta_aia: Rsync, ta_uris: Vec<Https>, ta_key_pem: Option<String>, repo_manager: &Arc<RepositoryManager>, actor: &Actor ) -> KrillResult<()>

Initializes an embedded trust anchor with all resources.


pub async fn ta_renew_testbed_ta(&self) -> KrillResult<()>

Renews the embedded testbed TA.


impl CaManager


pub fn init_ca(&self, handle: &CaHandle) -> KrillResult<()>

Initializes a CA with no repository, no parents and no children.


pub async fn ca_update_id( &self, handle: CaHandle, actor: &Actor ) -> KrillResult<()>

Updates the self-signed ID certificate for a CA. Use this with care, as RFC 8183 only describes initial ID exchanges in the form of XML files; it does not describe updating identity certificates and keys. Krill supports generating a new ID key pair and certificate, and has functions to update this for a parent, a child, a repo and a publisher, but other implementations may not support updating identities after initialization.


pub fn ca_list(&self, actor: &Actor) -> KrillResult<CertAuthList>

Get the CAs that the given actor is permitted to see.


pub async fn get_ca(&self, handle: &CaHandle) -> KrillResult<Arc<CertAuth>>

Gets a CA by the given handle, returns an Err(ServerError::UnknownCA) if it does not exist.


pub fn has_ca(&self, handle: &CaHandle) -> KrillResult<bool>

Checks whether a CA by the given handle exists.


pub async fn get_ca_status(&self, ca: &CaHandle) -> KrillResult<CaStatus>

Gets the current CA status.


pub async fn delete_ca( &self, repo_manager: &RepositoryManager, ca_handle: &CaHandle, actor: &Actor ) -> KrillResult<()>

Delete a CA. Let it do best effort revocation requests and withdraw all its objects first. Note that any children of this CA will be left orphaned, and they will only learn of this sad fact when they choose to call home.


impl CaManager


pub async fn ca_history( &self, handle: &CaHandle, crit: CommandHistoryCriteria ) -> KrillResult<CommandHistory>

Gets the history for a CA.


pub fn ca_command_details( &self, handle: &CaHandle, version: u64 ) -> KrillResult<CaCommandDetails>

Shows the details for a CA command.


impl CaManager


pub async fn ca_add_child( &self, ca: &CaHandle, req: AddChildRequest, service_uri: &Https, actor: &Actor ) -> KrillResult<ParentResponse>

Adds a child under a CA. If the AddChildRequest contains resources not held by this CA, then an Error::CaChildExtraResources is returned.


pub async fn ca_show_child( &self, ca: &CaHandle, child: &ChildHandle ) -> KrillResult<ChildCaInfo>

Show details for a child under the CA.


pub async fn ca_child_export( &self, ca: &CaHandle, child_handle: &ChildHandle ) -> KrillResult<ExportChild>

Export a child. Fails if:

  • the child does not exist
  • the child has no received certificate
  • the child has more than one received certificate or resource class

Primarily meant for testing that the child import function works.


pub async fn ca_child_import( &self, ca: &CaHandle, import_child: ImportChild, actor: &Actor ) -> KrillResult<()>

Import a child under the given CA. Will fail if:

  • the ca does not exist
  • the CA does not have exactly one resource class
  • the ca does not hold the resources for the child
  • the child already exists

pub async fn ca_parent_contact( &self, ca_handle: &CaHandle, child_handle: ChildHandle, service_uri: &Https ) -> KrillResult<ParentCaContact>

Shows the parent contact for a child.


pub async fn ca_parent_response( &self, ca_handle: &CaHandle, child_handle: ChildHandle, service_uri: &Https ) -> KrillResult<ParentResponse>

Gets an RFC8183 Parent Response for the child.


pub async fn ca_child_update( &self, ca: &CaHandle, child: ChildHandle, req: UpdateChildRequest, actor: &Actor ) -> KrillResult<()>

Updates a child under this CA. The submitted UpdateChildRequest can contain a new IdCert, or ResourceSet, or both. When resources are updated, the existing resource entitlements are replaced by the new value - i.e. this is not a delta and it affects all Internet Number Resource (INR) types (IPv4, IPv6, ASN). Setting resource entitlements beyond the resources held by the parent CA will return an Error::CaChildExtraResources.


pub async fn ca_child_remove( &self, ca: &CaHandle, child: ChildHandle, actor: &Actor ) -> KrillResult<()>

Removes a child from this CA. This will also ensure that certificates issued to the child are revoked and withdrawn.


pub async fn rfc6492( &self, ca_handle: &CaHandle, msg_bytes: Bytes, user_agent: Option<String>, actor: &Actor ) -> KrillResult<Bytes>

Processes an RFC 6492 request sent to this CA:

  • parses the message bytes
  • validates the request
  • processes the child request
  • signs a response and returns the bytes

pub async fn rfc6492_process_request( &self, ca_handle: &CaHandle, req_msg: Message, user_agent: Option<String>, actor: &Actor ) -> KrillResult<Message>

Processes an RFC 6492 message and creates an unsigned response.


impl CaManager


pub async fn ca_parent_add_or_update( &self, handle: CaHandle, parent_req: ParentCaReq, actor: &Actor ) -> KrillResult<()>

Adds a new parent, or updates an existing parent of a CA. Adding a parent will trigger that the CA connects to this new parent in order to learn its resource entitlements and set up the resource class(es) under it, and request certificate(s).


pub async fn ca_parent_remove( &self, handle: CaHandle, parent: ParentHandle, actor: &Actor ) -> KrillResult<()>

Removes a parent from a CA, this will trigger that best effort revocations of existing keys under this parent are requested. Any resource classes under the parent will be removed and all relevant content will be withdrawn from the repository.


pub async fn ca_parent_revoke( &self, handle: &CaHandle, parent: &ParentHandle ) -> KrillResult<()>

Send revocation requests for a parent of a CA when the parent is removed.


pub async fn cas_schedule_refresh_all(&self) -> KrillResult<()>

Schedules refreshing all CAs as soon as possible.

Note: this function can be called manually through the API, but normally the CA refresh process is replanned on the task queue automatically.


pub async fn cas_schedule_refresh_single( &self, ca_handle: CaHandle ) -> KrillResult<()>

Refresh a single CA with its parents, and possibly suspend inactive children.


pub fn cas_schedule_suspend_all(&self) -> KrillResult<()>

Schedules a check to suspend any inactive children under all CAs as soon as possible.

Note: this function can be called manually through the API, but normally this is replanned on the task queue automatically IF suspension is enabled.


pub async fn ca_suspend_inactive_children( &self, ca_handle: &CaHandle, started: Timestamp, actor: &Actor )

Suspends child CAs.


pub async fn ca_sync_parent( &self, handle: &CaHandle, min_ca_version: u64, parent: &ParentHandle, actor: &Actor ) -> KrillResult<bool>

Synchronizes a CA with one of its parents:

  • send pending requests if present; otherwise
  • get and process updated entitlements

Returns Ok(true) if successful, Ok(false) if premature, or Err(Error) in case of issues.

Note: if new request events are generated as a result of processing updated entitlements then they will trigger that this synchronization is called again so that the pending requests can be sent.


pub async fn sync_ta_proxy_signer_if_possible(&self) -> KrillResult<()>

Synchronises the Trust Anchor Proxy with the Signer, if the Signer is local.


pub async fn send_revoke_requests( &self, handle: &CaHandle, parent: &ParentHandle, revoke_requests: HashMap<ResourceClassName, Vec<RevocationRequest>> ) -> KrillResult<HashMap<ResourceClassName, Vec<RevocationResponse>>>


pub async fn send_revoke_unexpected_key( &self, handle: &CaHandle, rcn: ResourceClassName, revocation: RevocationRequest ) -> KrillResult<HashMap<ResourceClassName, Vec<RevocationResponse>>>


pub async fn get_entitlements_from_contact( &self, ca: &CaHandle, parent: &ParentHandle, contact: &ParentCaContact, existing_parent: bool ) -> KrillResult<ResourceClassListResponse>


pub fn local_parent( service_uri: &ServiceUri, base_uri: &Https ) -> Option<ParentHandle>

Returns the handle of the local parent for this specific ServiceUri and the configured base (service) URI, provided that this indeed maps back to this same server and it is an RFC 6492 style Krill URI.


impl CaManager


pub fn cas_schedule_repo_sync_all(&self, actor: &Actor) -> KrillResult<()>

Schedule synchronizing all CAs with their repositories.


pub fn cas_schedule_repo_sync(&self, ca_handle: CaHandle) -> KrillResult<()>

Schedule synchronizing all CAs with their repositories.


pub async fn cas_repo_sync_single( &self, repo_manager: &RepositoryManager, ca_handle: &CaHandle, ca_version: u64 ) -> KrillResult<bool>

Synchronize a CA with its repositories.

Returns Ok(true) in case the synchronization was successful, Ok(false) in case it was premature with respect to the given CA version, or Err(Error) in case of any issues.

Note typically a CA will have only one active repository, but in case there are multiple during a migration, this function will ensure that they are all synchronized.

In case the CA had deprecated repositories, then a clean up will be attempted. I.e. the CA will try to withdraw all objects from the deprecated repository. If this clean up fails then the number of clean-up attempts for the repository in question is incremented, and this function will fail. When there have been 5 failed attempts, then the old repository is assumed to be unreachable and it will be dropped - i.e. the CA will no longer try to clean up objects.


pub async fn ca_repo_elements( &self, ca: &CaHandle ) -> KrillResult<HashMap<RepositoryContact, Vec<PublishElement>>>

Get the current objects for a CA for each repository that it’s using.

Notes:

  • typically a CA will use only one repository, but during migrations there may be multiple.
  • these objects may not have been published (yet) - check ca_repo_status.

pub fn ca_deprecated_repos( &self, ca: &CaHandle ) -> KrillResult<Vec<DeprecatedRepository>>

Get deprecated repositories so that they can be cleaned.


pub fn ca_deprecated_repo_remove( &self, ca: &CaHandle, to_remove: &RepositoryContact ) -> KrillResult<()>

Removes a deprecated repository.


pub fn ca_deprecated_repo_increment_clean_attempts( &self, ca: &CaHandle, contact: &RepositoryContact ) -> KrillResult<()>

Increases the clean-up attempt counter for a deprecated repository.


pub async fn update_repo( &self, repo_manager: &RepositoryManager, ca_handle: CaHandle, new_contact: RepositoryContact, check_repo: bool, actor: &Actor ) -> KrillResult<()>

Update repository where a CA publishes.


pub async fn send_rfc8181_delta( &self, repo_manager: &RepositoryManager, ca_handle: &CaHandle, id_cert: &IdCertInfo, server_info: &PublicationServerInfo, delta: PublishDelta ) -> KrillResult<()>


impl CaManager


pub async fn ca_aspas_definitions_show( &self, ca: CaHandle ) -> KrillResult<AspaDefinitionList>

Show current ASPA definitions for this CA.


pub async fn ca_aspas_definitions_update( &self, ca: CaHandle, updates: AspaDefinitionUpdates, actor: &Actor ) -> KrillResult<()>

Add a new ASPA definition for this CA and the customer ASN in the update.


pub async fn ca_aspas_update_aspa( &self, ca: CaHandle, customer: CustomerAsn, update: AspaProvidersUpdate, actor: &Actor ) -> KrillResult<()>

Update the ASPA definition for this CA and the customer ASN in the update.


impl CaManager


impl CaManager


pub async fn ca_routes_update( &self, ca: CaHandle, updates: RoaConfigurationUpdates, actor: &Actor ) -> KrillResult<()>

Updates the routes authorized by a CA. This will trigger that ROAs are made in the resource classes that contain the prefixes. If the update is rejected, e.g. because the CA does not have the necessary prefixes, then an Error::RoaDeltaError will be returned. If the update is successful, new manifest(s) and CRL(s) will be created, and resynchronization between the CA and its repository will be triggered. Finally, note that ROAs may be issued on a per-prefix basis, or aggregated by ASN based on the defaults or values configured.


pub async fn renew_objects_all(&self, actor: &Actor) -> KrillResult<()>

Re-issues about-to-expire objects in all CAs. This is a no-op in case ROAs do not need re-issuance. If new objects are created they will also be published (the event will trigger that MFT and CRL are also made, and the CA in question synchronizes with its repository).

Note: this does not re-issue issued CA certificates, because child CAs are expected to note extended validity eligibility and request updated certificates themselves.


pub async fn force_renew_roas_all(&self, actor: &Actor) -> KrillResult<()>

Force the re-issuance of all ROAs in all CAs. This function was added because we need to re-issue ROAs in Krill 0.9.3 to force that a short subject CN is used for the EE certificate: i.e. the SKI rather than the full public key. But there may also be other cases in future where forcing to re-issue ROAs may be useful.


impl CaManager


pub async fn rta_sign( &self, ca: CaHandle, name: RtaName, request: RtaContentRequest, actor: &Actor ) -> KrillResult<()>

Signs a one-off single-signed RTA.


pub async fn rta_multi_prep( &self, ca: &CaHandle, name: RtaName, request: RtaPrepareRequest, actor: &Actor ) -> KrillResult<()>

Prepares a multi-signed RTA.


pub async fn rta_multi_cosign( &self, ca: CaHandle, name: RtaName, rta: ResourceTaggedAttestation, actor: &Actor ) -> KrillResult<()>

Co-signs an existing RTA.


impl CaManager

CA Key Roll functions


pub async fn ca_keyroll_init( &self, handle: CaHandle, max_age: Duration, actor: &Actor ) -> KrillResult<()>

Initiate an RFC 6489 key roll for all active keys in a CA older than the specified duration.


pub async fn ca_keyroll_activate( &self, handle: CaHandle, staging: Duration, actor: &Actor ) -> KrillResult<()>

Activate a new key, as part of the key roll process (RFC 6489). Only new keys that have an age equal to or greater than the staging period are promoted. The RFC mandates a staging period of 24 hours, but we may use a shorter period for testing and/or emergency manual key rolls.

Auto Trait Implementations

Blanket Implementations


impl<T> Any for T
where T: 'static + ?Sized,


fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,


fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,


fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T


fn from(t: T) -> T

Returns the argument unchanged.


impl<T> Instrument for T


fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided [Span], returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,


fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.


impl<T> Same for T


type Output = T

Should always be Self.

impl<T, U> TryFrom<U> for T
where U: Into<T>,


type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,


type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,


fn vzip(self) -> V


impl<T> WithSubscriber for T


fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a [WithDispatch] wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a [WithDispatch] wrapper.