letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat(va): Add routing for dns-account-01 challenge validation 

Passes the account URI to the VA's validateChallenge function
and adds a case to route dns-account-01 challenges (when enabled)
to a new validateDNSAccount01 function.

Updates the caller in DoDCV and adjusts tests.
This commit is contained in:
Shiloh Heurich 2025-04-28 17:30:20 +00:00
parent 3f737cd8c3
commit db7d2f110c
No known key found for this signature in database
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
va/va.go
View File

@ -407,12 +407,15 @@ func (va *ValidationAuthorityImpl) isPrimaryVA() bool {
// validateChallenge simply passes through to the appropriate validation method
// depending on the challenge type.
// The accountURI parameter is required for dns-account-01 challenges to
// calculate the account-specific label.
func (va *ValidationAuthorityImpl) validateChallenge(
ctx context.Context,
ident identifier.ACMEIdentifier,
kind core.AcmeChallenge,
token string,
keyAuthorization string,
accountURI string,
) ([]core.ValidationRecord, error) {
switch kind {
case core.ChallengeTypeHTTP01:
@ -423,6 +426,12 @@ func (va *ValidationAuthorityImpl) validateChallenge(
return va.validateDNS01(ctx, ident, keyAuthorization)
case core.ChallengeTypeTLSALPN01:
return va.validateTLSALPN01(ctx, ident, keyAuthorization)
case core.ChallengeTypeDNSAccount01:
if features.Get().DNSAccount01Enabled {
// Strip a (potential) leading wildcard token from the identifier.
ident.Value = strings.TrimPrefix(ident.Value, "*.")
return va.validateDNSAccount01(ctx, ident, keyAuthorization, accountURI)
}
}
return nil, berrors.MalformedError("invalid challenge type %s", kind)
}
@ -716,6 +725,7 @@ func (va *ValidationAuthorityImpl) DoDCV(ctx context.Context, req *vapb.PerformV
chall.Type,
chall.Token,
req.ExpectedKeyAuthorization,
req.AccountURI,
)
// Stop the clock for local validation latency.

2
va/va_test.go
View File

@ -377,7 +377,7 @@ func TestPerformValidationWithMismatchedRemoteVARIRs(t *testing.T) {
func TestValidateMalformedChallenge(t *testing.T) {
va, _ := setup(nil, "", nil, nil)
_, err := va.validateChallenge(ctx, identifier.NewDNS("example.com"), "fake-type-01", expectedToken, expectedKeyAuthorization)
_, err := va.validateChallenge(ctx, identifier.NewDNS("example.com"), "fake-type-01", expectedToken, expectedKeyAuthorization, testAccountURL)
prob := detailedError(err)
test.AssertEquals(t, prob.Type, probs.MalformedProblem)