Defines which clients are allowed access to the various CA endpoints. Each endpoint has a sub-section containing the client whitelist. Currently we only control access to the certificate_status(es) endpoints.
(allowed-extension? extension)
Inputs: [extension :- Extension]
A predicate that answers if an extension is allowed or not. This logic is copied out of the ruby CA.
(authorization-extensions cert-or-csr)
Inputs: [cert-or-csr :- CertificateOrCSR]
Returns: #:schema{Str schema/Str}
Get the authorization extensions for the certificate or CSR. These are extensions that fall under the ppAuthCert OID arc. Returns a map of OIDs to values.

(autosign-certificate-request! subject
                               csr
                               {:keys [cacert cakey signeddir ca-ttl
                                       allow-auto-renewal auto-renewal-cert-ttl]
                                :as ca-settings}
                               report-activity)
Inputs: [subject :- schema/Str csr :- CertificateRequest {:keys [cacert cakey signeddir ca-ttl allow-auto-renewal auto-renewal-cert-ttl], :as ca-settings} :- CaSettings report-activity]
Given a subject name, their certificate request, and the CA settings from Puppet, auto-sign the request and write the certificate to disk.

(autosign-csr? autosign subject csr-stream)
(autosign-csr? autosign subject csr-stream ruby-load-path gem-path)
Inputs: ([autosign :- AutoSignInput subject :- schema/Str csr-stream :- InputStream] [autosign :- AutoSignInput subject :- schema/Str csr-stream :- InputStream ruby-load-path :- [schema/Str] gem-path :- schema/Str])
Returns: schema/Bool
Return true if the CSR should be automatically signed given Puppet's autosign setting, and false otherwise.
(base-16-str->biginteger serial)
Inputs: [serial :- schema/Str]
Returns: BigInteger
Given a base-16 string with a leading 0x, return the result as a BigInteger.
(ca-expiration-dates ca-cert-file)
Inputs: [ca-cert-file :- schema/Str]
Returns a map of subject names of certs in the CA bundle to their expiration dates.
Settings from Puppet that are necessary for CA initialization and request handling during normal Puppet operation. Most of these are Puppet configuration settings.
(cert-authority-id-match-ca-subject-id? incoming-cert ca-cert)
Inputs: [incoming-cert :- X509Certificate ca-cert :- X509Certificate]
Returns: schema/Bool
Given a certificate and the CA cert, validate that the certificate was signed by the CA provided.
(cert-validity-dates ca-ttl)
Inputs: [ca-ttl :- schema/Int]
Returns: {:not-before Date, :not-after Date}
Calculate the not-before & not-after dates that define a certificate's period of validity. The value of ca-ttl is expected to be in seconds, and the dates will be based on the current time. Returns a map in the form {:not-before Date :not-after Date}.

(certificate-exists? {:keys [signeddir]} subject)
Inputs: [{:keys [signeddir]} :- CaSettings subject :- schema/Str]
Returns: schema/Bool
Do we have a certificate for the given subject?

(certificate-state cert-or-csr crl)
Inputs: [cert-or-csr :- CertificateOrCSR crl :- CertificateRevocationList]
Returns: CertificateState
Determine the state a certificate is in.
CA and client certificate details; notAfter, notBefore and serial values.

The list of states a certificate may be in.

Various information about the state of a certificate or certificate request that is provided by the certificate status endpoint.
(config->ca-settings {:keys [puppetserver jruby-puppet certificate-authority authorization]})
Inputs: [{:keys [puppetserver jruby-puppet certificate-authority authorization]}]
Returns: CaSettings
Given the configuration map from the Puppet Server config service, return a map of all the CA settings.

(config->master-settings {:keys [puppetserver]})
Inputs: [{:keys [puppetserver]}]
Returns: MasterSettings
Given the configuration map from the Puppet Server config service, return a map of all the master settings.

(contains-uppercase? s)
Does the given string contain any uppercase letters?
(create-agent-extensions csr cacert)
Inputs: [csr :- CertificateRequest cacert :- Certificate]
Returns: (schema/pred utils/extension-list?)
Given a certificate signing request, generate a list of extensions that should be signed onto the certificate. This includes a base set of standard extensions in addition to any valid extensions found on the signing request.
(create-ca-extensions issuer-public-key ca-public-key)
Inputs: [issuer-public-key :- (schema/pred utils/public-key?) ca-public-key :- (schema/pred utils/public-key?)]
Returns: (schema/pred utils/extension-list?)
Create a list of extensions to be added to the CA certificate.
(create-csr-attrs-exts csr-attributes-file)
Inputs: [csr-attributes-file :- schema/Str]
Returns: (schema/maybe (schema/pred utils/extension-list?))
Parse the CSR attributes yaml file at the given path and create a list of certificate extensions from the extensions_requests section.
(create-file-with-perms path permissions)
Inputs: [path :- schema/Str permissions :- schema/Str]
Returns: File
Create a new empty file which has the provided posix file permissions. The permissions string is in the form of the standard 9 character posix format.
(create-master-extensions master-certname
                          master-public-key
                          ca-cert
                          {:keys [dns-alt-names csr-attributes]})
Inputs: [master-certname :- schema/Str master-public-key :- (schema/pred utils/public-key?) ca-cert :- Certificate {:keys [dns-alt-names csr-attributes]} :- MasterSettings]
Returns: (schema/pred utils/extension-list?)
Create a list of extensions to be added to the master certificate.

(create-parent-directories! paths)
Create all intermediate directories present in each of the file paths. Throws an exception if the directory cannot be created.
(create-subject-alt-names-ext host-name alt-names)
Inputs: [host-name :- schema/Str alt-names :- schema/Str]
Returns: Extension
Given a hostname and a comma-separated list of DNS (and possibly IP) alt names, create a Subject Alternative Names extension. If there are no alt names provided then defaults will be used.
(crl-expiration-dates crl-chain-file)
Inputs: [crl-chain-file :- schema/Str]

(crl-expires-in-n-days? crl-path
                        {:keys [crl-lock crl-lock-timeout-seconds]}
                        days)
Inputs: [crl-path {:keys [crl-lock crl-lock-timeout-seconds]} :- CaSettings days :- schema/Int]

Text used in exceptions to help identify locking issues
(csr-exists? {:keys [csrdir]} subject)
Inputs: [{:keys [csrdir]} :- CaSettings subject :- schema/Str]
Returns: schema/Bool
Do we have a CSR for the given subject?

(csr-validation-failure? x)
Does the given object represent a CSR validation failure? (thrown from one of the CSR validate-* functions, using slingshot)
(delete-certificate! {signeddir :signeddir} subject)
Inputs: [{signeddir :signeddir} :- CaSettings subject :- schema/Str]
Delete the certificate for the given subject. Note this does not revoke the certificate.

(delete-certificate-request! {:keys [csrdir]} subject)
Inputs: [{:keys [csrdir]} :- CaSettings subject :- schema/Str]
Returns: OutcomeInfo
Delete pending certificate requests for subject.

(delete-certificates! ca-settings subjects)
Inputs: [ca-settings :- CaSettings subjects :- [schema/Str]]
Delete each of the given certificates. Note that this does not revoke the certs.
The pair of states that may be submitted to the certificate status endpoint for signing and revoking certificates.
(dns-alt-names cert-or-csr)
Inputs: [cert-or-csr :- CertificateOrCSR]
Returns: [schema/Str]
Get the list of DNS alt names on the provided certificate or CSR. Each name will be prepended with 'DNS:'.
(duration-str->sec string-input)
Converts a string containing any combination of duration string pairs in the format '<num>y' '<num>d' '<num>m' '<num>h' '<num>s' to a total number of seconds. nil is returned if the input is not a string or not a string containing any valid duration string pairs.

(duration-string? maybe-duration-string)
Returns true if the string is formatted with duration string pairs only, otherwise returns nil. Ignores whitespace.
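The two duration functions above decide how long a signed certificate lives (the ca-ttl setting is expressed this way), so it is worth seeing the parsing rules worked through. The Python below is an added example written for this page, not the project's Clojure; it mirrors the documented behaviour (any combination of `<num><unit>` pairs, whitespace ignored, nil for anything else). The page names the units but not their sizes, so the multipliers, taken from Puppet's own convention for ca-ttl (m is minutes, y is 365 days), are an assumption of this example.

```python
import re

# Seconds per unit. The page names the units y/d/m/h/s but not their sizes;
# these multipliers follow Puppet's ca-ttl convention (m = minutes,
# y = 365 days) and are an assumption of this example.
UNIT_SECONDS = {
    "y": 365 * 24 * 60 * 60,
    "d": 24 * 60 * 60,
    "h": 60 * 60,
    "m": 60,
    "s": 1,
}

PAIR_RE = re.compile(r"(\d+)([ydhms])")      # one <num><unit> pair
FULL_RE = re.compile(r"(?:\d+[ydhms])+")     # the whole string must be pairs only


def is_duration_string(value):
    """Mirror of duration-string?: True only if the input is a string made up
    solely of <num><unit> pairs (whitespace ignored); otherwise False
    (the Clojure returns nil there)."""
    if not isinstance(value, str):
        return False
    compact = re.sub(r"\s+", "", value)
    return bool(compact) and FULL_RE.fullmatch(compact) is not None


def duration_str_to_sec(value):
    """Mirror of duration-str->sec: total seconds, or None (Clojure nil) when
    the input is not a string or contains anything other than duration pairs.
    Note that "12 months" is rejected outright rather than read as 12 minutes:
    the trailing "onths" makes the whole string invalid."""
    if not is_duration_string(value):
        return None
    compact = re.sub(r"\s+", "", value)
    return sum(int(num) * UNIT_SECONDS[unit] for num, unit in PAIR_RE.findall(compact))


if __name__ == "__main__":
    # Constructed sample inputs, including two that a CA operator might
    # plausibly type by mistake.
    for sample in ["5y", "1y 30d", "1h30m", "90d", "12 months", 3600, ""]:
        print(repr(sample), "->", duration_str_to_sec(sample))
```

A misconfigured value does not silently become a default here; it parses to None, which is the behaviour the docstring describes and the reason a deployment should check the effective ca-ttl rather than assume the string was accepted.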
(ensure-ca-file-perms! settings)
Inputs: [settings :- CaSettings]
Ensure that the CA's private key file has the correct permissions set. If it does not, then correct them.

(ensure-cn-as-san extension cn)
Inputs: [extension :- utils/SSLExtension cn :- schema/Str]
Returns: utils/SSLExtension
Given the SSLExtension for subject alt names and a common name, ensure that the CN is listed in the SAN dns name list.

(ensure-directories-exist! settings)
Inputs: [settings :- CaSettings]
Create any directories used by the CA if they don't already exist.

(ensure-ext-list-has-cn-san cn extensions)
Inputs: [cn :- schema/Str extensions :- (schema/pred utils/extension-list?)]
Given a list of extensions to be signed onto a certificate, ensure that a CN is provided as a subject alternative name; if no subject alternative name extension is found, generate a new extension and add it to the list with the CN supplied.

(ensure-no-authorization-extensions! csr allow-authorization-extensions)
Inputs: [csr :- CertificateRequest allow-authorization-extensions :- schema/Bool]
Throws an exception if the CSR contains authorization extensions AND the user has chosen to disallow authorization-extensions. This ensures that certificates with authorization extensions can only be signed intentionally.

(ensure-subject-alt-names-allowed! csr allow-subject-alt-names)
Inputs: [csr :- CertificateRequest allow-subject-alt-names :- schema/Bool]
Throws an exception if the CSR contains subject-alt-names AND the user has chosen to disallow subject-alt-names. Subject alt names can be allowed by setting allow-subject-alt-names to true in the ca.conf file. Always allows a single subject alt name that matches the CSR subject, which may be present to comply with RFC 2818 (see SERVER-2338).
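The two ensure-* checks just described are the policy gate that stops a CSR from smuggling in extra identities (subject alt names) or authorization claims (ppAuthCert extensions) that the CA operator never opted in to. The Python below is an added example for this page, not the project's code: it models a CSR as the plain values the page's own accessors produce (the 'DNS:'-prefixed list from dns-alt-names and an OID-to-value map from authorization-extensions) and applies both rules, including the single CN-as-SAN exception. The value of the ppAuthCert arc is not stated on the page; the OID used here comes from Puppet's published OID registry and is flagged as an assumption.

```python
class CsrValidationFailure(Exception):
    """Stand-in for the slingshot map thrown by the CSR validate-*/ensure-* checks."""


def ensure_subject_alt_names_allowed(subject, dns_alt_names, allow_subject_alt_names):
    """Mirror of ensure-subject-alt-names-allowed!.

    dns_alt_names is the list dns-alt-names returns, each entry prefixed
    with 'DNS:'. Raises when the CSR carries alt names and the CA has not set
    allow-subject-alt-names, except for the single CN-as-SAN case that
    RFC 2818 clients produce. Returns True when the CSR passes.
    """
    names = [n[len("DNS:"):] if n.startswith("DNS:") else n for n in dns_alt_names]
    if not names or allow_subject_alt_names:
        return True
    if names == [subject]:          # exactly one SAN and it equals the CN
        return True
    raise CsrValidationFailure(
        f"CSR '{subject}' contains subject alternative names ({', '.join(names)}), "
        "which are disallowed. Set allow-subject-alt-names to true in ca.conf to permit them."
    )


# Puppet's ppAuthCertExt arc. ASSUMPTION: the page names the arc but not its
# value; this OID is taken from Puppet's published OID registry.
PP_AUTH_CERT_ARC = "1.3.6.1.4.1.34380.1.3."


def authorization_extensions(extensions):
    """Mirror of authorization-extensions: the subset of an {oid: value} map
    whose OIDs fall under the ppAuthCert arc."""
    return {oid: v for oid, v in extensions.items() if oid.startswith(PP_AUTH_CERT_ARC)}


def ensure_no_authorization_extensions(subject, extensions, allow_authorization_extensions):
    """Mirror of ensure-no-authorization-extensions!: raise when the CSR carries
    ppAuthCert extensions and the CA has not opted in to signing them."""
    auth_exts = authorization_extensions(extensions)
    if auth_exts and not allow_authorization_extensions:
        raise CsrValidationFailure(
            f"CSR '{subject}' contains authorization extensions ({', '.join(auth_exts)}), "
            "which are disallowed. Set allow-authorization-extensions to true in ca.conf to permit them."
        )
    return True


def csr_policy_failures(subject, dns_alt_names, extensions,
                        allow_subject_alt_names, allow_authorization_extensions):
    """Run both checks and collect their messages instead of stopping at the
    first, which is handier for an audit script than the fail-fast original."""
    checks = (
        lambda: ensure_subject_alt_names_allowed(subject, dns_alt_names, allow_subject_alt_names),
        lambda: ensure_no_authorization_extensions(subject, extensions, allow_authorization_extensions),
    )
    failures = []
    for check in checks:
        try:
            check()
        except CsrValidationFailure as exc:
            failures.append(str(exc))
    return failures


if __name__ == "__main__":
    # Constructed CSR: CN plus an extra SAN and a ppAuthCert extension
    # (sample OID under the arc), evaluated with both settings at their
    # restrictive default of false.
    subject = "agent.example.com"
    sans = ["DNS:agent.example.com", "DNS:puppet"]
    exts = {"1.3.6.1.4.1.34380.1.3.1": "true"}
    for msg in csr_policy_failures(subject, sans, exts, False, False):
        print("REJECT:", msg)
```

Both settings default to off in ca.conf, so a CSR like the constructed one above is rejected twice over until an operator deliberately enables each feature; that is the "can only be signed intentionally" guarantee the docstring describes.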
(execute-autosign-command! executable
                           subject
                           csr-stream
                           ruby-load-path
                           gem-path)
Inputs: [executable :- schema/Str subject :- schema/Str csr-stream :- InputStream ruby-load-path :- [schema/Str] gem-path :- schema/Str]
Returns: shell-utils/ExecutionResult
Execute the autosign script and return a map containing the standard-out, standard-err, and exit code. The subject will be passed in as input, and the CSR stream will be provided on standard-in. The ruby-load-path will be prepended to the RUBYLIB found in the environment, and is intended to make the Puppet and Facter Ruby libraries available to the autosign script. All output (stdout & stderr) will be logged at the debug level. Warnings are issued for nonzero exit code or if stderr is generated by the autosign script.
(expired-inventory-serials {:keys [cert-inventory inventory-lock
                                   inventory-lock-timeout-seconds]})
Inputs: [{:keys [cert-inventory inventory-lock inventory-lock-timeout-seconds]} :- CaSettings]
Returns: [BigInteger]

(extract-active-infra-serials {:keys [infra-nodes-path signeddir] :as settings})
Inputs: [{:keys [infra-nodes-path signeddir], :as settings} :- CaSettings]
Returns: [BigInteger]
Read the infra nodes file to determine which nodes are infrastructure nodes. For each node, check the inventory file for any serial numbers for that node; also check the filesystem for a signed cert for that node. Return a sorted unique set of serial numbers for nodes in the infra file.

(filter-already-revoked-serials serials crl)
Inputs: [serials :- [BigInteger] crl :- X509CRL]
Returns: [BigInteger]
Given a list of serials and Puppet's CA CRL, return a vector of serials with any already-revoked serials removed.
(filter-by-certificate-state {:keys [csrdir signeddir cacert cacrl cakey]}
                             state)
Inputs: [{:keys [csrdir signeddir cacert cacrl cakey]} :- CaSettings state :- schema/Str]
Returns: [CertificateStatusResult]
Get the status of all certificates in the given state.

(find-matching-valid-serial-numbers {:keys [cert-inventory inventory-lock
                                            inventory-lock-timeout-seconds]}
                                    certname)
Inputs: [{:keys [cert-inventory inventory-lock inventory-lock-timeout-seconds]} :- CaSettings certname :- schema/Str]
Returns: [BigInteger]

(fingerprint cert-or-csr algorithm)
Inputs: [cert-or-csr :- CertificateOrCSR algorithm :- schema/Str]
Returns: schema/Str
Calculate the hash of the certificate or CSR using the given algorithm, which must be one of SHA-1, SHA-256, or SHA-512.

(format-date-time date-time)
Inputs: [date-time :- Date]
Returns: schema/Str
Formats a date-time into the format expected by the ruby puppet code.
(format-serial-number serial-number)
Inputs: [serial-number :- schema/Int]
Returns: schema/Str
Converts a serial number to the format it needs to be written in on disk. This function has to write serial numbers in the same format that the puppet ruby code does, to maintain compatibility with things like 'puppet cert'; for whatever arcane reason, that format is 0-padding up to 4 digits.

(generate-cert-message-from-request request subjects activity-type)
Extract params from request and create successful cert signing message. Returns message, subject, certname and ip address.
(generate-infra-serials! {:keys [infra-node-serials-path] :as settings})
Inputs: [{:keys [infra-node-serials-path], :as settings} :- CaSettings]
Given a list of infra nodes it will create a file containing serial numbers of their certificates (listed on separate lines). It is expected to have at least one entry (MoM).

(generate-master-ssl-files! settings certname ca-settings)
Inputs: [settings :- MasterSettings certname :- schema/Str ca-settings :- CaSettings]
Given master configuration settings, certname, and CA settings, generate and write to disk all of the necessary SSL files for the master. Any existing files will be replaced.

(generate-master-ssl-keys! {:keys [hostprivkey hostpubkey] :as settings})
Inputs: [{:keys [hostprivkey hostpubkey], :as settings} :- MasterSettings]
Returns: (schema/pred utils/public-key?)
Generate and store ssl public and private keys for the master to disk. If the files are both already present, new ones will not be generated to replace them. Returns the public key.

(generate-master-ssl-keys!* {:keys [hostprivkey hostpubkey keylength]})
Inputs: [{:keys [hostprivkey hostpubkey keylength]} :- MasterSettings]
Returns: (schema/pred utils/public-key?)
Generate and store ssl public and private keys for the master to disk. Returns the public key.

(generate-ssl-files! ca-settings)
Inputs: [ca-settings :- CaSettings]
Given the CA settings, generate and write to disk all of the necessary SSL files for the CA. Any existing files will be replaced.
(get-auth-key-id crl)
Inputs: [crl :- X509CRL]

(get-ca-ttl puppetserver certificate-authority)
Returns the ca-ttl value as an integer. If a value is set in certificate-authority, that value is returned. Otherwise the puppet config setting is returned.

(get-cert-and-csr-statuses {:keys [csrdir signeddir cacert cacrl cakey]})
Inputs: [{:keys [csrdir signeddir cacert cacrl cakey]} :- CaSettings]
Returns: [CertificateStatusResult]
Get the status of all certificates and certificate requests.

(get-cert-or-csr-status {:keys [csrdir signeddir cacert cacrl cakey]} subject)
Inputs: [{:keys [csrdir signeddir cacert cacrl cakey]} :- CaSettings subject :- schema/Str]
Returns: CertificateStatusResult
Get the status of the subject's certificate or certificate request. The status includes the state of the certificate (signed, revoked, requested), DNS alt names, and several different fingerprint hashes of the certificate.

(get-cert-or-csr-status* crl is-cert? subject cert-or-csr)
Inputs: [crl :- CertificateRevocationList is-cert? :- schema/Bool subject :- schema/Str cert-or-csr :- CertificateOrCSR]

(get-cert-or-csr-statuses dir crl fetch-cert?)
Inputs: [dir :- schema/Str crl :- CertificateRevocationList fetch-cert? :- schema/Bool]
Returns: [CertificateStatusResult]
Get the statuses of either all the CSRs or all the certificates.
(get-cert-serial path-to-cert)
Inputs: [path-to-cert]
Returns: BigInteger

(get-certificate subject cacert signeddir)
Inputs: [subject :- schema/Str cacert :- schema/Str signeddir :- schema/Str]
Returns: (schema/maybe schema/Str)
Given a subject name and paths to the certificate directory and the CA certificate, return the subject's certificate as a string, or nil if not found. If the subject is 'ca', then use the cacert path instead.

(get-certificate-details cert)
Inputs: [cert]
Returns: CertificateDetails
Return details from an X509 certificate.

(get-certificate-path subject cacert signeddir)
Inputs: [subject :- schema/Str cacert :- schema/Str signeddir :- schema/Str]
Returns: (schema/maybe schema/Str)
Given a subject name and paths to the CA certificate and the certificate directory, return the path to the subject's certificate as a string, or nil if not found. If the subject is 'ca', then use the cacert path instead.

(get-certificate-request subject csrdir)
Inputs: [subject :- schema/Str csrdir :- schema/Str]
Returns: (schema/maybe schema/Str)
Given a subject name, return their certificate request as a string, or nil if not found. Looks for certificate requests in csrdir.

(get-certificate-revocation-list cacrl lock lock-descriptor lock-timeout)
Inputs: [cacrl :- schema/Str lock :- ReentrantReadWriteLock lock-descriptor :- schema/Str lock-timeout :- PosInt]
Returns: schema/Str
Given the value of the 'cacrl' setting from Puppet, return the CRL from the .pem file on disk.
(get-csr-attributes csr)
Inputs: [csr :- PKCS10CertificationRequest]
Returns: utils/SSLMultiValueAttributeList

(get-csr-subject csr)
Inputs: [csr :- CertificateRequest]
Returns: schema/Str

(get-custom-oid-mappings custom-oid-mapping-file)
Inputs: [custom-oid-mapping-file :- schema/Str]
Returns: (schema/maybe OIDMappings)
Given a path to a custom OID mappings file, return a map of all OIDs to shortnames.

(get-file-last-modified path)
(get-file-last-modified path lock lock-descriptor lock-timeout)
Inputs: ([path :- schema/Str] [path :- schema/Str lock :- ReentrantReadWriteLock lock-descriptor :- schema/Str lock-timeout :- PosInt])
Returns: DateTime
Given a path to a file, return a Joda DateTime instance of when the file was last modified. An optional lock, description, and timeout may be passed to serialize access to files.
(get-newest-crl crls)Inputs: [crls :- [CertificateRevocationList]] Returns: CertificateRevocationList
Determine the newest CRL by looking for the highest CRL Number. This assumes all given CRLs have the same issuer. Fails if more than one CRL has the highest CRL Number.
(get-oid-mappings custom-oid-mapping-file)Inputs: [custom-oid-mapping-file :- (schema/maybe schema/Str)] Returns: OIDMappings
(get-paths-to-all-certificate-requests csrdir)Inputs: [csrdir :- schema/Str] Returns: [Path]
Given a csr directory, return Path entries to all the files that could be CSRs
(get-serial-number! {:keys [serial serial-lock serial-lock-timeout-seconds]})Inputs: [{:keys [serial serial-lock serial-lock-timeout-seconds]} :- CaSettings] Returns: schema/Int
Reads the serial number file from disk and returns the serial number.
(glob-matches? glob subject)Inputs: [glob :- schema/Str subject :- schema/Str] Returns: schema/Bool
Test if a subject matches the domain-name glob from the autosign whitelist.
The glob is expected to start with a '*' and be in a form like *.foo.bar.
The subject is expected to contain only lowercase characters and be in a
form like agent.foo.bar. Capitalization in the glob will be ignored.
Examples:
(glob-matches? *.foo.bar agent.foo.bar) => true
(glob-matches? *.baz baz) => true
(glob-matches? *.QUX 0.1.qux) => true
(in-cert-inventory-file? {:keys [cert-inventory inventory-lock
inventory-lock-timeout-seconds]}
certname)Inputs: [{:keys [cert-inventory inventory-lock inventory-lock-timeout-seconds]} :- CaSettings certname :- schema/Str] Returns: schema/Bool
(initialize! settings)Inputs: [settings :- CaSettings]
Given the CA configuration settings, ensure that all required SSL files exist. If all files exist, new ones will not be generated. If only some are found (but others are missing), an exception is thrown.
(initialize-ca-config ca-data)Inputs: [ca-data]
Adds in default ca config keys/values, which may be overwritten if a value for any of those keys already exists in the ca-data
(initialize-master-ssl! {:keys [hostprivkey hostcert] :as settings}
certname
ca-settings)Inputs: [{:keys [hostprivkey hostcert], :as settings} :- MasterSettings certname :- schema/Str ca-settings :- CaSettings]
Given configuration settings, certname, and CA settings, ensure all necessary SSL files exist on disk by regenerating all of them if any are found to be missing.
(initialize-serial-file! {:keys [serial serial-lock
serial-lock-timeout-seconds]})Inputs: [{:keys [serial serial-lock serial-lock-timeout-seconds]} :- CaSettings]
Initializes the serial number file on disk. Serial numbers start at 1.
Text used in exceptions to help identify locking issues
(is-expired? now [_serial _not-before not-after _row-subject])Inputs: [now :- DateTime [_serial _not-before not-after _row-subject] :- [schema/Str]] Returns: schema/Bool
(is-not-expired? now [_serial _not-before not-after _row-subject])Inputs: [now :- DateTime [_serial _not-before not-after _row-subject] :- [schema/Str]] Returns: schema/Bool
(is-revoked? cert
{:keys [cacert cacrl crl-lock crl-lock-timeout-seconds cakey]})Inputs: [cert :- X509Certificate {:keys [cacert cacrl crl-lock crl-lock-timeout-seconds cakey]} :- CaSettings] Returns: schema/Bool
(is-subject-in-inventory-row? cn-subject
[_serial _not-before _not-after row-subject])Inputs: [cn-subject :- utils/ValidX500Name [_serial _not-before _not-after row-subject] :- [schema/Str]] Returns: schema/Bool
(line-matches? whitelist subject line)Inputs: [whitelist :- schema/Str subject :- schema/Str line :- schema/Str] Returns: schema/Bool
Test if the subject matches the line from the autosign whitelist. The line is expected to be an exact certname or a domain-name glob. A single line with the character '*' will match all subjects. If the line contains invalid characters it will be logged and false will be returned.
(look-for-serial-numbers settings certname)Inputs: [settings :- CaSettings certname :- schema/Str] Returns: [BigInteger]
Settings from Puppet that are necessary for SSL initialization on the master.
Most of these are files and directories within the SSL directory, excluding
the CA directory and its contents; see CaSettings for more information.
All of these are Puppet configuration settings.
The longest valid duration for CA certs, in seconds. 50 standard years.
(maybe-replace-crl crl key-crl-map)Inputs: [crl :- CertificateRevocationList key-crl-map :- {KeyIdExtension [CertificateRevocationList]}] Returns: CertificateRevocationList
Given a CRL and a map of key identifiers to CRLs, determine the newest CRL with the key-id of the given CRL. Warn if the newest CRL is the given CRL. Never replaces the CRL corresponding to the Puppet CA signing cert.
(maybe-sign-one subject
csr-path
cacert
casubject
ca-private-key
{:keys [signeddir ca-ttl allow-auto-renewal
allow-subject-alt-names allow-authorization-extensions
auto-renewal-cert-ttl]
:as ca-settings})Inputs: [subject :- schema/Str csr-path :- schema/Str cacert :- Certificate casubject :- schema/Str ca-private-key :- PrivateKey {:keys [signeddir ca-ttl allow-auto-renewal allow-subject-alt-names allow-authorization-extensions auto-renewal-cert-ttl], :as ca-settings} :- CaSettings] Returns: (schema/enum :signed :signing-errors)
(maybe-update-crls-for-expiration {:keys [cacrl enable-infra-crl infra-crl-path]
:as settings})Inputs: [{:keys [cacrl enable-infra-crl infra-crl-path], :as settings} :- CaSettings]
(maybe-write-to-infra-serial! serial
certname
{:keys [infra-nodes-path
infra-node-serials-path]})Inputs: [serial :- BigInteger certname :- schema/Str {:keys [infra-nodes-path infra-node-serials-path]} :- CaSettings]
Determine if the host in question is an infra host, and if it is, add the provided serial number to the infra-serials file
Standard value applied to the Netscape Comment extension for certificates
(next-serial-number! {:keys [serial serial-lock serial-lock-timeout-seconds]
:as ca-settings})Inputs: [{:keys [serial serial-lock serial-lock-timeout-seconds], :as ca-settings} :- CaSettings] Returns: schema/Int
Returns the next serial number to be used when signing a certificate request.
Reads the serial number as a hex value from the given file and replaces the
contents of serial-file with the next serial number for a subsequent call.
Puppet's $serial setting defines the location of the serial number file.
Generic map of outcome & message for API consumers
(overwrite-existing-crl! crl
rest-of-full-chain
capub
cakey
cacert
valid-serials
crl-path)Inputs: [crl :- X509CRL rest-of-full-chain capub :- schema/Str cakey :- schema/Str cacert :- X509Certificate valid-serials :- [BigInteger] crl-path :- schema/Str]
(parse-date-time date-time)Inputs: [date-time :- schema/Str] Returns: DateTime
parses a date-time string into a DateTime instance
(parse-serial-number serial-number)Inputs: [serial-number :- schema/Str] Returns: schema/Int
Parses a serial number from its format on disk. See format-serial-number
for the awful, gory details.
(partial-state-error master-or-ca found-files missing-files)Inputs: [master-or-ca :- schema/Str found-files :- [schema/Str] missing-files :- [schema/Str]] Returns: Exception
Construct an exception appropriate for the end-user to signify that there are missing SSL files and the master or CA cannot start until action is taken.
(path-to-cert signeddir subject)Return a path to the `subject`'s certificate file under the `signeddir`.
(path-to-cert-request csrdir subject)Return a path to the `subject`'s certificate request file under the `csrdir`.
The OID for the extension with shortname 'ppAuthCertExt'.
The OID for the extension with shortname 'ppPrivCertExt'.
The OID for the extension with shortname 'ppRegCertExt'.
Posix permissions for the private key directory on disk.
Posix permissions for all private keys on disk.
(process-csr-submission! subject
certificate-request
{:keys [autosign csrdir ruby-load-path gem-path
allow-subject-alt-names
allow-authorization-extensions]
:as settings}
report-activity)Inputs: [subject :- schema/Str certificate-request :- InputStream {:keys [autosign csrdir ruby-load-path gem-path allow-subject-alt-names allow-authorization-extensions], :as settings} :- CaSettings report-activity]
Given a CSR for a subject (typically from the HTTP endpoint), perform policy checks and sign or save the CSR (based on autosign). Throws a slingshot exception if the CSR is invalid.
Posix permissions for all public keys on disk.
The parent OID for all Puppet Labs specific X.509 certificate extensions.
A mapping of Puppet extension short names to their OIDs. These appear in csr_attributes.yaml.
(read-infra-nodes infra-file-reader)Inputs: [infra-file-reader :- Reader]
Returns a list of infra nodes or infra node serials from the specified file organized as one item per line.
(reject-delta-crl crl)Inputs: [crl :- CertificateRevocationList]
(renew-certificate! certificate
{:keys [cacert cakey auto-renewal-cert-ttl signeddir]
:as ca-settings}
report-activity)Inputs: [certificate :- X509Certificate {:keys [cacert cakey auto-renewal-cert-ttl signeddir], :as ca-settings} :- CaSettings report-activity] Returns: X509Certificate
Given a certificate and CaSettings create a new signed certificate using the public key from the certificate. It recreates all the extensions in the original certificate.
(replace-authority-identifier extensions ca-cert)Inputs: [extensions :- utils/SSLExtensionList ca-cert :- X509Certificate] Returns: utils/SSLExtensionList
(replace-subject-identifier extensions subject-public-key)Inputs: [extensions :- utils/SSLExtensionList subject-public-key :- PublicKey] Returns: utils/SSLExtensionList
(report-cert-event report-activity
message
subject
certnames
ip-address
activity-type)Log the message and, if the activity service is available, report the cert activity (e.g. signing or revoking) to it.
(required-ca-files enable-infra-crl)The set of SSL related files that are required on the CA.
(retrieve-ca-cert! cacert localcacert)Inputs: [cacert :- schema/Str localcacert :- schema/Str]
Ensure a local copy of the CA cert is available on disk. cacert is the base CA cert file to copy from and localcacert is where the CA cert file should be copied to.
(retrieve-ca-crl! cacrl localcacrl)Inputs: [cacrl :- schema/Str localcacrl :- schema/Str]
Ensure a local copy of the CA CRL, if one exists, is available on disk. cacrl is the base CRL file to copy from and localcacrl is where the CRL file should be copied to.
(revoke-existing-certs! {:keys [cacert cacrl cakey infra-crl-path crl-lock
crl-lock-timeout-seconds infra-node-serials-path
enable-infra-crl]
:as settings}
subjects
report-activity)Inputs: [{:keys [cacert cacrl cakey infra-crl-path crl-lock crl-lock-timeout-seconds infra-node-serials-path enable-infra-crl], :as settings} :- CaSettings subjects :- [schema/Str] report-activity]
Revoke the subjects' certificates. Note this does not destroy the certificates. The certificates will remain in the signed directory despite being revoked.
(safe-get-cert-serial path-to-cert)Inputs: [path-to-cert] Returns: [BigInteger]
(save-certificate-request! subject csr csrdir)Inputs: [subject :- schema/Str csr :- CertificateRequest csrdir :- schema/Str]
Write the subject's certificate request to disk under the CSR directory.
Text used in exceptions to help identify locking issues
(set-certificate-status! settings subject desired-state report-activity)Inputs: [settings :- CaSettings subject :- schema/Str desired-state :- DesiredCertificateState report-activity]
Sign or revoke the certificate for the given subject.
(settings->cadir-paths ca-settings)Inputs: [ca-settings :- CaSettings]
Trim down the CA settings to include only paths to files and directories. These paths are necessary during CA initialization for determining what needs to be created and where they should be placed.
(settings->ssldir-paths master-settings)Inputs: [master-settings :- MasterSettings]
Remove all keys from the master settings map which are not file or directory paths. These paths are necessary during initialization for determining what needs to be created and where.
(sign-existing-csr! {:keys [csrdir] :as settings} subject report-activity)Inputs: [{:keys [csrdir], :as settings} :- CaSettings subject :- schema/Str report-activity]
Sign the subject's certificate request.
(sign-multiple-certificate-signing-requests!
subjects
{:keys [cacert cakey csrdir inventory-lock inventory-lock-timeout-seconds
serial-lock serial-lock-timeout-seconds]
:as ca-settings}
report-activity)Inputs: [subjects :- [schema/Str] {:keys [cacert cakey csrdir inventory-lock inventory-lock-timeout-seconds serial-lock serial-lock-timeout-seconds], :as ca-settings} :- CaSettings report-activity] Returns: {:signed [schema/Str], :no-csr [schema/Str], :signing-errors [schema/Str]}
(split-hostnames hostnames)Inputs: [hostnames :- (schema/maybe schema/Str)] Returns: (schema/maybe [schema/Str])
Given a comma-separated list of hostnames, return a list of the individual dns alt names with all surrounding whitespace removed. If hostnames is empty or nil, then nil is returned.
OID which indicates that a certificate can be used as an SSL client certificate.
OID which indicates that a certificate can be used as an SSL server certificate.
(subject-alt-names cert-or-csr)Inputs: [cert-or-csr :- CertificateOrCSR] Returns: [schema/Str]
Get the list of both DNS and IP alt names on the provided certificate or CSR. Each name will be prepended with 'DNS:' or 'IP:'.
(supports-auto-renewal? csr)Inputs: [csr] Returns: schema/Bool
Given a csr, determine if the requester is capable of supporting auto-renewal by looking for a specific attribute
(symlink-cadir cadir)Symlinks the new cadir that ends in 'puppetserver/ca' to the old cadir of 'puppet/ssl/ca' for backwards compatibility. Will delete the old cadir if it exists. Does nothing if the cadir is set to a custom value.
(update-and-sign-crl!
path-to-crl
{:keys [crl-lock crl-lock-timeout-seconds cacert cakey capub] :as settings})Inputs: [path-to-crl {:keys [crl-lock crl-lock-timeout-seconds cacert cakey capub], :as settings} :- CaSettings]
Given a path to a CRL and the CA settings, update the CRL with all known valid serials that have been revoked.
(update-crls incoming-crls crl-path cert-chain-path)Inputs: [incoming-crls :- [X509CRL] crl-path :- schema/Str cert-chain-path :- schema/Str]
Given a collection of CRLs, update the CRL chain and confirm that all CRLs are currently valid. NOTE: assumes appropriate locking is in place
(update-crls! incoming-crls
crl-path
cacert
{:keys [crl-lock crl-lock-timeout-seconds enable-infra-crl
infra-crl-path]})Inputs: [incoming-crls :- [X509CRL] crl-path :- schema/Str cacert :- schema/Str {:keys [crl-lock crl-lock-timeout-seconds enable-infra-crl infra-crl-path]} :- CaSettings]
Apply write locking to the crls, and update the crls as appropriate.
(update-extensions-for-new-signing extensions ca-cert subject-public-key)Inputs: [extensions :- utils/SSLExtensionList ca-cert :- X509Certificate subject-public-key :- PublicKey] Returns: utils/SSLExtensionList
(validate-certs-and-crls cert-chain crl-chain)Inputs: [cert-chain :- [Certificate] crl-chain :- [CertificateRevocationList]]
Given a list of certificates and a list of CRLs, validate the certificate chain, i.e. ensure that none of the certs have been revoked by checking the appropriate CRL, which must be present and currently valid. Delta CRLs are not supported. Returns nil if successful.
(validate-csr {:keys [csrdir allow-subject-alt-names
allow-authorization-extensions]
:as _settings}
subject)Inputs: [{:keys [csrdir allow-subject-alt-names allow-authorization-extensions], :as _settings} :- CaSettings subject :- schema/Str]
Validates the CSR (on disk) for the specified subject. Assumes existence of the CSR on disk; duplicate CSR or certificate policy will not be checked. If the CSR is invalid, returns a user-facing message. Otherwise, returns nil.
(validate-csr-signature! certificate-request)Inputs: [certificate-request :- CertificateRequest]
Throws an exception when the CSR's signature is invalid.
See signature-valid? for more detail.
(validate-duplicate-cert-policy! csr
{:keys [allow-duplicate-certs csrdir signeddir]
:as settings})Inputs: [csr :- CertificateRequest {:keys [allow-duplicate-certs csrdir signeddir], :as settings} :- CaSettings]
Throw a slingshot exception if allow-duplicate-certs is false, and we already have a certificate or CSR for the subject. The exception map will look like: {:kind :duplicate-cert :msg <specific error message>}
(validate-extensions! extensions)Inputs: [extensions :- (schema/pred utils/extension-list?)]
Throws an error if the extensions list contains any invalid extensions,
according to allowed-extension?
(validate-settings! settings)Inputs: [settings :- CaSettings]
Ensure config values are valid for basic CA behaviors.
(validate-subject! hostname subject)Inputs: [hostname :- schema/Str subject :- schema/Str]
Validate the CSR or certificate's subject name. The subject name must:
* match the hostname specified in the HTTP request (the `subject` parameter)
* not contain any non-printable characters or slashes
* not contain any capital letters
* not contain the wildcard character (*)
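The subject rules listed above for validate-subject!, together with the alternative-name rules the page gives for validate-subject-alt-names!, split-hostnames and subject-alt-names, as an added Clojure example written from the docstrings; it is not puppetserver's own code. It works over a CSR described as a plain map of a subject and 'DNS:'/'IP:' alt-name strings, so no PKCS#10 parser is needed. The error wording, the reading of "printable" as printable ASCII, and the rule that a CSR carrying any SAN is rejected when allow-subject-alt-names is false are assumptions of this example.

```clojure
(ns csr-policy-example
  (:require [clojure.string :as str]))

;; Added example (not puppetserver's code): the subject and SAN policy from
;; validate-subject!, validate-subject-alt-names!, split-hostnames and
;; subject-alt-names, applied to plain strings so no CSR parser is needed.

(defn split-hostnames
  "Comma-separated hostnames -> vector of trimmed names; nil when the input
   is nil or blank."
  [hostnames]
  (when-not (str/blank? hostnames)
    (->> (str/split hostnames #",")
         (map str/trim)
         (remove str/blank?)
         vec)))

(defn subject-errors
  "Every rule from validate-subject! that `subject` breaks for a CSR posted
   for `hostname`; an empty vector means the subject is acceptable.
   'Printable' is taken to mean printable ASCII (an assumption)."
  [hostname subject]
  (cond-> []
    (not= hostname subject)
    (conj (format "subject %s does not match the requested hostname %s" subject hostname))

    (re-find #"[^\p{Print}]|/" subject)
    (conj "subject contains non-printable characters or slashes")

    (re-find #"[A-Z]" subject)
    (conj "subject contains capital letters")

    (str/includes? subject "*")
    (conj "subject contains the wildcard character")))

(defn san-errors
  "Rules from validate-subject-alt-names!, applied to alt names in the
   'DNS:name' / 'IP:addr' form that subject-alt-names returns: only DNS and
   IP entries are accepted, and a DNS name may not carry a wildcard."
  [alt-names]
  (reduce (fn [errs entry]
            ;; split on the first colon only, so IPv6 literals keep theirs
            (let [[kind value] (str/split entry #":" 2)]
              (cond
                (not (contains? #{"DNS" "IP"} kind))
                (conj errs (str "unsupported alt name type in " entry))

                (and (= kind "DNS") (str/includes? (or value "") "*"))
                (conj errs (str "wildcard in DNS alt name " value))

                :else errs)))
          []
          alt-names))

(defn check-csr
  "Run both policies over a CSR given as a map (constructed input, not a
   parsed PKCS#10). `allow-subject-alt-names` mirrors the CA setting of that
   name; assumption: when it is false, any SAN at all is rejected."
  [hostname {:keys [subject alt-names]} allow-subject-alt-names]
  (let [errors (into (subject-errors hostname subject)
                     (if (and (seq alt-names) (not allow-subject-alt-names))
                       ["subject alternative names are not allowed by this CA"]
                       (san-errors alt-names)))]
    (if (seq errors)
      {:ok false :errors errors}
      {:ok true})))

(defn -main [& _]
  (let [good {:subject   "agent.foo.bar"
              :alt-names (mapv #(str "DNS:" %)
                               (split-hostnames "agent.foo.bar, alias.foo.bar "))}
        bad  {:subject   "Agent.foo.bar"
              :alt-names ["DNS:*.foo.bar" "IP:2001:db8::1" "URI:https://foo.bar"]}]
    (prn (check-csr "agent.foo.bar" good true))
    (prn (check-csr "agent.foo.bar" good false))
    (prn (check-csr "agent.foo.bar" bad true))))
```

Collecting every violated rule rather than stopping at the first one is a deliberate choice: the CA's reply is the only feedback an agent operator gets, and a CSR with a capitalised subject and a wildcard SAN should name both problems in one round trip.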
(validate-subject-alt-names! {value :value})Inputs: [{value :value} :- Extension]
Validate that the provided Subject Alternative Names extension is valid for a cert signed by this CA. This entails:
* Only DNS and IP alternative names are allowed, no other types
* Each DNS name does not contain a wildcard character (*)
(whitelist-matches? whitelist subject)Inputs: [whitelist :- schema/Str subject :- schema/Str] Returns: schema/Bool
Test if the whitelist file contains an entry that matches the subject. Each line of the file is expected to contain a single entry, either as an exact certname or a domain-name glob, and will be evaluated verbatim. All blank lines and comment lines (starting with '#') will be ignored. If an invalid pattern is encountered, it will be logged and ignored.
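The whitelist semantics described for glob-matches?, line-matches? and whitelist-matches? above, as an added Clojure example written from the docstrings; it is not puppetserver's own code. The set of characters accepted in an entry (the lone `*`, a `*.label.label` glob, or a plain certname) is this example's assumption, as is the use of println where the project logs; the sample whitelist is constructed and written to a temp file.

```clojure
(ns autosign-whitelist-example
  (:require [clojure.string :as str]
            [clojure.java.io :as io]))

;; Added example (not puppetserver's code): the whitelist semantics described
;; for glob-matches?, line-matches? and whitelist-matches?, written from the
;; docstrings. Invalid entries are reported with println in place of a logger.

(def ^:private entry-re
  ;; Assumption about what a valid entry looks like: the lone '*', a glob of
  ;; the form *.label.label, or a plain certname. Embedded wildcards,
  ;; slashes and whitespace are rejected.
  #"\*|\*(?:\.[A-Za-z0-9-]+)+|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*")

(defn glob-matches?
  "True when `subject` (lowercase, e.g. agent.foo.bar) matches a glob such as
   *.foo.bar. The wildcard stands for zero or more leading labels, so *.baz
   matches both baz and 0.1.baz. Capitalisation in the glob is ignored."
  [glob subject]
  (if (= glob "*")
    true
    (let [escaped (-> glob str/lower-case (str/replace "." "\\."))
          ;; the escaped "*\." becomes: zero or more dot-terminated labels
          regex   (re-pattern (str "^" (str/replace escaped "*\\." "(?:[^.]+\\.)*") "$"))]
      (boolean (re-matches regex subject)))))

(defn line-matches?
  "Exact certname or domain glob; a lone * matches every subject. A line with
   invalid characters is reported and never matches."
  [whitelist subject line]
  (cond
    (not (re-matches entry-re line))
    (do (println (format "Invalid pattern %s in %s ignored" (pr-str line) whitelist))
        false)

    (str/includes? line "*") (glob-matches? line subject)

    :else (= line subject)))

(defn whitelist-matches?
  "True when some entry in the file at `whitelist` matches `subject`. Lines
   are taken verbatim; blank lines and lines starting with # are skipped."
  [whitelist subject]
  (with-open [rdr (io/reader whitelist)]
    (->> (line-seq rdr)
         (remove #(or (str/blank? %) (str/starts-with? % "#")))
         (some #(line-matches? whitelist subject %))
         boolean)))

(defn -main [& _]
  ;; constructed whitelist, written to a temp file so the path-based API runs
  (let [f (java.io.File/createTempFile "autosign" ".conf")]
    (spit f (str/join "\n" ["# hosts allowed to autosign"
                            "*.foo.bar"
                            "db01.example.org"
                            "*.QUX"
                            "bad/entry"
                            ""]))
    (doseq [subject ["agent.foo.bar" "foo.bar" "db01.example.org"
                     "db02.example.org" "0.1.qux"]]
      (println subject "->" (whitelist-matches? (.getPath f) subject)))
    (.delete f)))
```

Note the one deliberate hardening beyond the docstring text: because `*.baz` also matches the bare `baz`, a glob in the whitelist grants the apex name as well as every subdomain, so the entry validation refuses anything that is not exactly a lone `*`, a leading `*.` glob, or a plain certname rather than letting an unexpected pattern reach the regex builder.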
(write-cert cert path)Inputs: [cert :- Certificate path :- schema/Str]
Encode a certificate to PEM format and write it to a file atomically and with appropriate permissions.
(write-cert-to-inventory! cert
                          {:keys [inventory-lock inventory-lock-timeout-seconds]
                           :as settings})
Inputs: [cert :- Certificate {:keys [inventory-lock inventory-lock-timeout-seconds], :as settings} :- CaSettings]
Same behavior as `write-cert-to-inventory-unlocked!` but acquires the inventory lock prior to doing the work.
Writes an entry into Puppet's inventory file for a given certificate.
The location of this file is defined by Puppet's 'cert_inventory' setting.
The inventory is a text file where each line represents a certificate in the
following format:
$SN $NB $NA /$S
where:
* $SN = The serial number of the cert. The serial number is formatted as a
hexadecimal number, with a leading 0x, and zero-padded up to four
digits, eg. 0x002f.
* $NB = The 'not before' field of the cert, as a date/timestamp in UTC.
* $NA = The 'not after' field of the cert, as a date/timestamp in UTC.
* $S = The distinguished name of the cert's subject.
(write-cert-to-inventory-unlocked! cert {:keys [cert-inventory] :as settings})
Inputs: [cert :- Certificate {:keys [cert-inventory], :as settings} :- CaSettings]
Writes an entry into Puppet's inventory file for a given certificate.
The location of this file is defined by Puppet's 'cert_inventory' setting.
The inventory is a text file where each line represents a certificate in the
following format:
$SN $NB $NA /$S
where:
* $SN = The serial number of the cert. The serial number is formatted as a
hexadecimal number, with a leading 0x, and zero-padded up to four
digits, eg. 0x002f.
* $NB = The 'not before' field of the cert, as a date/timestamp in UTC.
* $NA = The 'not after' field of the cert, as a date/timestamp in UTC.
* $S = The distinguished name of the cert's subject.
(write-crl crl path)
Inputs: [crl :- CertificateRevocationList path :- schema/Str]
Encode a CRL to PEM format and write it to a file atomically and with
appropriate permissions.
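An added example for the two inventory entries above (write-cert-to-inventory! and write-cert-to-inventory-unlocked!), not the project's code: it renders and parses the `$SN $NB $NA /$S` line format and shows the locked wrapper giving up after the configured timeout. The timestamp pattern, the plain-map stand-in for the Certificate type, the use of a ReentrantLock as the inventory lock, and the sample values are assumptions for this example.

```clojure
(ns example.inventory
  (:require [clojure.string :as str])
  (:import (java.time Instant LocalDateTime ZoneOffset)
           (java.time.format DateTimeFormatter)
           (java.util.concurrent TimeUnit)
           (java.util.concurrent.locks ReentrantLock)))

(def ^:private utc-timestamp
  ;; Assumed rendering of "date/timestamp in UTC"; the exact pattern the
  ;; project uses is not shown on this page.
  (.withZone (DateTimeFormatter/ofPattern "yyyy-MM-dd'T'HH:mm:ss'UTC'") ZoneOffset/UTC))

(defn inventory-line
  "Render one `$SN $NB $NA /$S` line. The cert is a plain map
   {:serial long, :not-before Instant, :not-after Instant, :subject \"CN=...\"}
   standing in for the project's Certificate type."
  [{:keys [serial not-before not-after subject]}]
  (str (format "0x%04x" serial) " "          ; hex, 0x prefix, zero-padded to 4 digits
       (.format utc-timestamp not-before) " "
       (.format utc-timestamp not-after) " /"
       subject))

(def ^:private line-pattern #"^(0x[0-9a-fA-F]+) (\S+) (\S+) /(.*)$")

(defn- parse-timestamp [s]
  (.toInstant (LocalDateTime/parse s utc-timestamp) ZoneOffset/UTC))

(defn parse-inventory-line
  "Inverse of inventory-line. Returns nil for a line that does not fit the
   format, so a corrupt or truncated line is never mistaken for an entry."
  [line]
  (when-let [[_ sn nb na s] (re-matches line-pattern line)]
    {:serial     (Long/parseLong (subs sn 2) 16)
     :not-before (parse-timestamp nb)
     :not-after  (parse-timestamp na)
     :subject    s}))

(defn serials-for-subject
  "Every serial issued to a subject, oldest first. The inventory is append-only,
   so a re-issued subject appears more than once; all of them matter when revoking."
  [inventory-text subject]
  (->> (str/split-lines inventory-text)
       (keep parse-inventory-line)
       (filter #(= subject (:subject %)))
       (mapv :serial)))

(defn with-timed-lock
  "Run f while holding lock; fail loudly instead of waiting forever when the
   lock is not acquired within timeout-seconds (the inventory-lock-timeout-seconds setting)."
  [^ReentrantLock lock timeout-seconds f]
  (if (.tryLock lock (long timeout-seconds) TimeUnit/SECONDS)
    (try (f) (finally (.unlock lock)))
    (throw (ex-info "timed out waiting for the inventory lock"
                    {:timeout-seconds timeout-seconds}))))

(defn write-cert-to-inventory-unlocked!
  "Append one line; the caller is responsible for holding the lock."
  [cert {:keys [cert-inventory]}]
  (spit cert-inventory (str (inventory-line cert) "\n") :append true))

(defn write-cert-to-inventory!
  "Same work as the unlocked variant, serialized through the inventory lock so
   two concurrent signings cannot interleave partial lines."
  [cert {:keys [inventory-lock inventory-lock-timeout-seconds] :as settings}]
  (with-timed-lock inventory-lock inventory-lock-timeout-seconds
    #(write-cert-to-inventory-unlocked! cert settings)))

(def sample-cert
  ;; constructed values for the example
  {:serial     47
   :not-before (Instant/parse "2024-01-02T03:04:05Z")
   :not-after  (Instant/parse "2029-01-02T03:04:05Z")
   :subject    "CN=web01.example.com"})

(def sample-settings
  ;; constructed stand-in for the CaSettings map
  {:cert-inventory                 "/tmp/inventory.txt"
   :inventory-lock                 (ReentrantLock.)
   :inventory-lock-timeout-seconds 5})

(comment
  (inventory-line sample-cert)
  (parse-inventory-line (inventory-line sample-cert))
  (write-cert-to-inventory! sample-cert sample-settings)
  (serials-for-subject (slurp (:cert-inventory sample-settings)) "CN=web01.example.com"))
```

The inventory is what ties a subject back to its serial numbers when a certificate must be revoked, so an interleaved or half-written line is not a cosmetic problem: a serial that cannot be parsed cannot be found for revocation. That is why the locked variant exists and why the parser here refuses, rather than guesses, on a malformed line.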
(write-crls crls path)
Inputs: [crls :- [CertificateRevocationList] path :- schema/Str]
Encode a list of CRLs to PEM format and write it to a file atomically and with
appropriate permissions. Note, assumes proper locking is done.
(write-csr csr path)
Inputs: [csr :- CertificateRequest path :- schema/Str]
Encode a CSR to PEM format and write it to a file atomically and with
appropriate permissions.
(write-infra-serials-to-writer writer settings)
Inputs: [writer :- BufferedWriter settings :- CaSettings]
(write-local-cacrl! localcacrl-path cacrl-contents)
Inputs: [localcacrl-path :- schema/Str cacrl-contents :- schema/Str] Returns: (schema/maybe Exception)
Spits the contents of the 'cacrl-contents' string to the 'localcacrl-path' file
location if 'cacrl-contents' contains valid CRL PEM data. On success, return
nil. On failure, return the Exception captured from the failed attempt to
parse the CRL PEM data.
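An added example of the contract documented above, and of the "atomically and with appropriate permissions" behaviour shared by the write-cert, write-crl, write-crls, write-csr and key-writing functions on this page. It is not the project's implementation: the JDK CertificateFactory is used for parsing, the temp-file-plus-rename pattern and the `rw-r--r--` mode are this example's choices, the optional signature check against a CA public key is an addition the docstring does not mention, and the PEM sample in the comment block is constructed.

```clojure
(ns example.cacrl
  (:import (java.io ByteArrayInputStream)
           (java.nio.charset StandardCharsets)
           (java.nio.file CopyOption Files OpenOption Paths StandardCopyOption)
           (java.nio.file.attribute FileAttribute PosixFilePermissions)
           (java.security.cert CertificateFactory X509CRL)))

(defn parse-crl-pem
  "Parse PEM CRL text with the JDK CertificateFactory. Returns an X509CRL, or
   throws when the text is not a CRL (a certificate, a key, empty or truncated
   input all fail here)."
  ^X509CRL [^String pem]
  (let [cf (CertificateFactory/getInstance "X.509")]
    (with-open [in (ByteArrayInputStream. (.getBytes pem StandardCharsets/US_ASCII))]
      (.generateCRL cf in))))

(defn write-file-atomically!
  "Write `contents` to `path` via a sibling temp file, set its POSIX mode, and
   rename it over the target. Readers see either the old file or the complete
   new one, never a partially written CRL. Assumes a POSIX filesystem."
  [^String path ^String contents ^String posix-mode]
  (let [target (.toAbsolutePath (Paths/get path (into-array String [])))
        tmp    (Files/createTempFile (.getParent target) ".cacrl" ".tmp"
                                     (into-array FileAttribute []))]
    (try
      (Files/write tmp (.getBytes contents StandardCharsets/US_ASCII)
                   (into-array OpenOption []))
      (Files/setPosixFilePermissions tmp (PosixFilePermissions/fromString posix-mode))
      (Files/move tmp target (into-array CopyOption [StandardCopyOption/ATOMIC_MOVE
                                                     StandardCopyOption/REPLACE_EXISTING]))
      (finally
        ;; still present only if a step above failed before the rename
        (Files/deleteIfExists tmp)))))

(defn write-local-cacrl!
  "Documented contract: write only when the text parses as a CRL; return nil
   on success, or return (not throw) the exception from the failed parse.
   Parse and verification errors are returned; a failure to write the file is
   a different fault and is allowed to propagate."
  ([localcacrl-path cacrl-contents]
   (write-local-cacrl! localcacrl-path cacrl-contents nil))
  ([localcacrl-path cacrl-contents ca-public-key]
   (let [result (try
                  (let [crl (parse-crl-pem cacrl-contents)]
                    ;; generateCRL only decodes; it does not check who signed
                    ;; the CRL, so verify against the CA key when one is given
                    (when ca-public-key
                      (.verify crl ca-public-key))
                    crl)
                  (catch Exception e e))]
     (if (instance? Exception result)
       result
       (do (write-file-atomically! localcacrl-path cacrl-contents "rw-r--r--")
           nil)))))

(comment
  ;; constructed input: well-formed PEM armor around bytes that are not a CRL;
  ;; the call returns the parse exception and leaves the file untouched
  (write-local-cacrl! "/tmp/ca_crl.pem"
                      "-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n"))
```

Parsing before writing is the point of the contract: the local CRL is a trust artifact that every TLS handshake consults, so replacing it with unparseable bytes would break revocation checking for the whole server. The rename step closes the second failure mode, a reader observing a half-written file during the write. For the private-key writer the same pattern applies with a `rw-------` mode, since the temp file must never be readable before the rename either.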
(write-private-key key path)
Inputs: [key :- PrivateKey path :- schema/Str]
Encode a key to PEM format and write it to a file atomically and with
appropriate permissions for a private key.
(write-public-key key path)
Inputs: [key :- PublicKey path :- schema/Str]
Encode a key to PEM format and write it to a file atomically and with
appropriate permissions for a public key.