letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
boulder/va/caa.go

702 lines
25 KiB
Go
Raw Blame History

package va
import (
"context"
"fmt"
"math/rand/v2"
"net/url"
"regexp"
"strings"
"sync"
"time"
"github.com/miekg/dns"
"github.com/prometheus/client_golang/prometheus"
"github.com/letsencrypt/boulder/bdns"
"github.com/letsencrypt/boulder/canceled"
"github.com/letsencrypt/boulder/core"
corepb "github.com/letsencrypt/boulder/core/proto"
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/features"
bgrpc "github.com/letsencrypt/boulder/grpc"
"github.com/letsencrypt/boulder/identifier"
"github.com/letsencrypt/boulder/probs"
vapb "github.com/letsencrypt/boulder/va/proto"
)
type caaParams struct {
accountURIID int64
validationMethod core.AcmeChallenge
}
// IsCAAValid checks requested CAA records from a VA, and recursively any RVAs
// configured in the VA. It returns a response or an error.
func (va *ValidationAuthorityImpl) IsCAAValid(ctx context.Context, req *vapb.IsCAAValidRequest) (*vapb.IsCAAValidResponse, error) {
if core.IsAnyNilOrZero(req.Domain, req.ValidationMethod, req.AccountURIID) {
return nil, berrors.InternalServerError("incomplete IsCAAValid request")
}
logEvent := verificationRequestEvent{
// TODO(#7061) Plumb req.Authz.Id as "ID:" through from the RA to
// correlate which authz triggered this request.
Requester: req.AccountURIID,
Hostname: req.Domain,
}
checkStartTime := va.clk.Now()
validationMethod := core.AcmeChallenge(req.ValidationMethod)
if !validationMethod.IsValid() {
return nil, berrors.InternalServerError("unrecognized validation method %q", req.ValidationMethod)
}
acmeID := identifier.NewDNS(req.Domain)
params := &caaParams{
accountURIID: req.AccountURIID,
validationMethod: validationMethod,
}
var remoteCAAResults chan *remoteVAResult
if features.Get().EnforceMultiCAA {
if remoteVACount := len(va.remoteVAs); remoteVACount > 0 {
remoteCAAResults = make(chan *remoteVAResult, remoteVACount)
go va.performRemoteCAACheck(ctx, req, remoteCAAResults)
}
}
checkResult := "success"
err := va.checkCAA(ctx, acmeID, params)
localCheckLatency := time.Since(checkStartTime)
var prob *probs.ProblemDetails
if err != nil {
prob = detailedError(err)
logEvent.Error = prob.Error()
logEvent.InternalError = err.Error()
prob.Detail = fmt.Sprintf("While processing CAA for %s: %s", req.Domain, prob.Detail)
checkResult = "failure"
} else if remoteCAAResults != nil {
if !features.Get().EnforceMultiCAA && features.Get().MultiCAAFullResults {
// If we're not going to enforce multi CAA but we are logging the
// differentials then collect and log the remote results in a separate go
// routine to avoid blocking the primary VA.
go func() {
_ = va.processRemoteCAAResults(
req.Domain,
req.AccountURIID,
string(validationMethod),
remoteCAAResults)
}()
} else if features.Get().EnforceMultiCAA {
remoteProb := va.processRemoteCAAResults(
req.Domain,
req.AccountURIID,
string(validationMethod),
remoteCAAResults)
// If the remote result was a non-nil problem then fail the CAA check
if remoteProb != nil {
prob = remoteProb
// We only set .Error here, not InternalError, because the remote VA doesn't send
// us the internal error. But that's okay, because it got logged at the remote VA.
logEvent.Error = remoteProb.Error()
checkResult = "failure"
va.log.Infof("CAA check failed due to remote failures: identifier=%v err=%s",
req.Domain, remoteProb)
va.metrics.remoteCAACheckFailures.Inc()
}
}
}
checkLatency := time.Since(checkStartTime)
logEvent.ValidationLatency = checkLatency.Round(time.Millisecond).Seconds()
va.metrics.localCAACheckTime.With(prometheus.Labels{
"result": checkResult,
}).Observe(localCheckLatency.Seconds())
va.metrics.caaCheckTime.With(prometheus.Labels{
"result": checkResult,
}).Observe(checkLatency.Seconds())
va.log.AuditObject("CAA check result", logEvent)
if prob != nil {
// The ProblemDetails will be serialized through gRPC, which requires UTF-8.
// It will also later be serialized in JSON, which defaults to UTF-8. Make
// sure it is UTF-8 clean now.
prob = filterProblemDetails(prob)
return &vapb.IsCAAValidResponse{Problem: &corepb.ProblemDetails{
ProblemType: string(prob.Type),
Detail: replaceInvalidUTF8([]byte(prob.Detail)),
}}, nil
} else {
return &vapb.IsCAAValidResponse{}, nil
}
}
// processRemoteCAAResults evaluates a primary VA result, and a channel of
// remote VA problems to produce a single overall validation result based on
// configured feature flags. The overall result is calculated based on the VA's
// configured `maxRemoteFailures` value.
//
// If the `MultiCAAFullResults` feature is enabled then
// `processRemoteCAAResults` will expect to read a result from the
// `remoteResultsChan` channel for each VA and will not produce an overall
// result until all remote VAs have responded. In this case
// `logRemoteDifferentials` will also be called to describe the differential
// between the primary and all of the remote VAs.
//
// If the `MultiCAAFullResults` feature flag is not enabled then
// `processRemoteCAAResults` will potentially return before all remote VAs have
// had a chance to respond. This happens if the success or failure threshold is
// met. This doesn't allow for logging the differential between the primary and
// remote VAs but is more performant.
func (va *ValidationAuthorityImpl) processRemoteCAAResults(
domain string,
acctID int64,
challengeType string,
remoteResultsChan <-chan *remoteVAResult) *probs.ProblemDetails {
state := "failure"
start := va.clk.Now()
defer func() {
va.metrics.remoteCAACheckTime.With(prometheus.Labels{
"result": state,
}).Observe(va.clk.Since(start).Seconds())
}()
required := len(va.remoteVAs) - va.maxRemoteFailures
good := 0
bad := 0
var remoteResults []*remoteVAResult
var firstProb *probs.ProblemDetails
// Due to channel behavior this could block indefinitely and we rely on gRPC
// honoring the context deadline used in client calls to prevent that from
// happening.
for result := range remoteResultsChan {
// Add the result to the slice
remoteResults = append(remoteResults, result)
if result.Problem == nil {
good++
} else {
bad++
// Store the first non-nil problem to return later (if `MultiCAAFullResults`
// is enabled).
if firstProb == nil {
firstProb = result.Problem
}
}
// If MultiCAAFullResults isn't enabled then return early whenever the
// success or failure threshold is met.
if !features.Get().MultiCAAFullResults {
if good >= required {
state = "success"
return nil
} else if bad > va.maxRemoteFailures {
modifiedProblem := *result.Problem
modifiedProblem.Detail = "During secondary CAA checking: " + firstProb.Detail
return &modifiedProblem
}
}
// If we haven't returned early because of MultiCAAFullResults being
// enabled we need to break the loop once all of the VAs have returned a
// result.
if len(remoteResults) == len(va.remoteVAs) {
break
}
}
// If we are using `features.MultiCAAFullResults` then we haven't returned
// early and can now log the differential between what the primary VA saw and
// what all of the remote VAs saw.
va.logRemoteResults(
domain,
acctID,
challengeType,
remoteResults)
// Based on the threshold of good/bad return nil or a problem.
if good >= required {
state = "success"
return nil
} else if bad > va.maxRemoteFailures {
modifiedProblem := *firstProb
modifiedProblem.Detail = "During secondary CAA checking: " + firstProb.Detail
va.metrics.prospectiveRemoteCAACheckFailures.Inc()
return &modifiedProblem
}
// This condition should not occur - it indicates the good/bad counts didn't
// meet either the required threshold or the maxRemoteFailures threshold.
return probs.ServerInternal("Too few remote IsCAAValid RPC results")
}
// performRemoteCAACheck calls `isCAAValid` for each of the configured remoteVAs
// in a random order. The provided `results` chan should have an equal size to
// the number of remote VAs. The CAA checks will be performed in separate
// go-routines. If the result `error` from a remote `isCAAValid` RPC is nil or a
// nil `ProblemDetails` instance it is written directly to the `results` chan.
// If the err is a cancelled error it is treated as a nil error. Otherwise the
// error/problem is written to the results channel as-is.
func (va *ValidationAuthorityImpl) performRemoteCAACheck(
ctx context.Context,
req *vapb.IsCAAValidRequest,
results chan<- *remoteVAResult) {
for _, i := range rand.Perm(len(va.remoteVAs)) {
remoteVA := va.remoteVAs[i]
go func(rva RemoteVA) {
result := &remoteVAResult{
VAHostname: rva.Address,
}
res, err := rva.IsCAAValid(ctx, req)
if err != nil {
if canceled.Is(err) {
// Handle the cancellation error.
result.Problem = probs.ServerInternal("Remote VA IsCAAValid RPC cancelled")
} else {
// Handle validation error.
va.log.Errf("Remote VA %q.IsCAAValid failed: %s", rva.Address, err)
result.Problem = probs.ServerInternal("Remote VA IsCAAValid RPC failed")
}
} else if res.Problem != nil {
prob, err := bgrpc.PBToProblemDetails(res.Problem)
if err != nil {
va.log.Infof("Remote VA %q.IsCAAValid returned malformed problem: %s", rva.Address, err)
result.Problem = probs.ServerInternal(
fmt.Sprintf("Remote VA IsCAAValid RPC returned malformed result: %s", err))
} else {
va.log.Infof("Remote VA %q.IsCAAValid returned problem: %s", rva.Address, prob)
result.Problem = prob
}
}
results <- result
}(remoteVA)
}
}
// checkCAA performs a CAA lookup & validation for the provided identifier. If
// the CAA lookup & validation fail a problem is returned.
func (va *ValidationAuthorityImpl) checkCAA(
ctx context.Context,
identifier identifier.ACMEIdentifier,
params *caaParams) error {
if core.IsAnyNilOrZero(params, params.validationMethod, params.accountURIID) {
return probs.ServerInternal("expected validationMethod or accountURIID not provided to checkCAA")
}
foundAt, valid, response, err := va.checkCAARecords(ctx, identifier, params)
if err != nil {
return berrors.DNSError("%s", err)
}
va.log.AuditInfof("Checked CAA records for %s, [Present: %t, Account ID: %d, Challenge: %s, Valid for issuance: %t, Found at: %q] Response=%q",
identifier.Value, foundAt != "", params.accountURIID, params.validationMethod, valid, foundAt, response)
if !valid {
return berrors.CAAError("CAA record for %s prevents issuance", foundAt)
}
return nil
}
// caaResult represents the result of querying CAA for a single name. It breaks
// the CAA resource records down by category, keeping only the issue and
// issuewild records. It also records whether any unrecognized RRs were marked
// critical, and stores the raw response text for logging and debugging.
type caaResult struct {
name string
present bool
issue []*dns.CAA
issuewild []*dns.CAA
criticalUnknown bool
dig string
resolvers bdns.ResolverAddrs
err error
}
// filterCAA processes a set of CAA resource records and picks out the only bits
// we care about. It returns two slices of CAA records, representing the issue
// records and the issuewild records respectively, and a boolean indicating
// whether any unrecognized records had the critical bit set.
func filterCAA(rrs []*dns.CAA) ([]*dns.CAA, []*dns.CAA, bool) {
var issue, issuewild []*dns.CAA
var criticalUnknown bool
for _, caaRecord := range rrs {
switch strings.ToLower(caaRecord.Tag) {
case "issue":
issue = append(issue, caaRecord)
case "issuewild":
issuewild = append(issuewild, caaRecord)
case "iodef":
// We support the iodef property tag insofar as we recognize it, but we
// never choose to send notifications to the specified addresses. So we
// do not store the contents of the property tag, but also avoid setting
// the criticalUnknown bit if there are critical iodef tags.
continue
case "issuemail":
// We support the issuemail property tag insofar as we recognize it and
// therefore do not bail out if someone has a critical issuemail tag. But
// of course we do not do any further processing, as we do not issue
// S/MIME certificates.
continue
default:
// The critical flag is the bit with significance 128. However, many CAA
// record users have misinterpreted the RFC and concluded that the bit
// with significance 1 is the critical bit. This is sufficiently
// widespread that that bit must reasonably be considered an alias for
// the critical bit. The remaining bits are 0/ignore as proscribed by the
// RFC.
if (caaRecord.Flag & (128 | 1)) != 0 {
criticalUnknown = true
}
}
}
return issue, issuewild, criticalUnknown
}
// parallelCAALookup makes parallel requests for the target name and all parent
// names. It returns a slice of CAA results, with the results from querying the
// FQDN in the zeroth index, and the results from querying the TLD in the last
// index.
func (va *ValidationAuthorityImpl) parallelCAALookup(ctx context.Context, name string) []caaResult {
labels := strings.Split(name, ".")
results := make([]caaResult, len(labels))
var wg sync.WaitGroup
for i := range len(labels) {
// Start the concurrent DNS lookup.
wg.Add(1)
go func(name string, r *caaResult) {
r.name = name
var records []*dns.CAA
records, r.dig, r.resolvers, r.err = va.dnsClient.LookupCAA(ctx, name)
if len(records) > 0 {
r.present = true
}
r.issue, r.issuewild, r.criticalUnknown = filterCAA(records)
wg.Done()
}(strings.Join(labels[i:], "."), &results[i])
}
wg.Wait()
return results
}
// selectCAA picks the relevant CAA resource record set to be used, i.e. the set
// for the "closest parent" of the FQDN in question, including the domain
// itself. If we encountered an error for a lookup before we found a successful,
// non-empty response, assume there could have been real records hidden by it,
// and return that error.
func selectCAA(rrs []caaResult) (*caaResult, error) {
for _, res := range rrs {
if res.err != nil {
return nil, res.err
}
if res.present {
return &res, nil
}
}
return nil, nil
}
// getCAA returns the CAA Relevant Resource Set[1] for the given FQDN, i.e. the
// first CAA RRSet found by traversing upwards from the FQDN by removing the
// leftmost label. It returns nil if no RRSet is found on any parent of the
// given FQDN. The returned result also contains the raw CAA response, and an
// error if one is encountered while querying or parsing the records.
//
// [1]: https://datatracker.ietf.org/doc/html/rfc8659#name-relevant-resource-record-se
func (va *ValidationAuthorityImpl) getCAA(ctx context.Context, hostname string) (*caaResult, error) {
hostname = strings.TrimRight(hostname, ".")
// See RFC 6844 "Certification Authority Processing" for pseudocode, as
// amended by https://www.rfc-editor.org/errata/eid5065.
// Essentially: check CAA records for the FDQN to be issued, and all
// parent domains.
//
// The lookups are performed in parallel in order to avoid timing out
// the RPC call.
//
// We depend on our resolver to snap CNAME and DNAME records.
results := va.parallelCAALookup(ctx, hostname)
return selectCAA(results)
}
// checkCAARecords fetches the CAA records for the given identifier and then
// validates them. If the identifier argument's value has a wildcard prefix then
// the prefix is stripped and validation will be performed against the base
// domain, honouring any issueWild CAA records encountered as appropriate.
// checkCAARecords returns four values: the first is a string indicating at
// which name (i.e. FQDN or parent thereof) CAA records were found, if any. The
// second is a bool indicating whether issuance for the identifier is valid. The
// unmodified *dns.CAA records that were processed/filtered are returned as the
// third argument. Any errors encountered are returned as the fourth return
// value (or nil).
func (va *ValidationAuthorityImpl) checkCAARecords(
ctx context.Context,
identifier identifier.ACMEIdentifier,
params *caaParams) (string, bool, string, error) {
hostname := strings.ToLower(identifier.Value)
// If this is a wildcard name, remove the prefix
var wildcard bool
if strings.HasPrefix(hostname, `*.`) {
hostname = strings.TrimPrefix(identifier.Value, `*.`)
wildcard = true
}
caaSet, err := va.getCAA(ctx, hostname)
if err != nil {
return "", false, "", err
}
raw := ""
if caaSet != nil {
raw = caaSet.dig
}
valid, foundAt := va.validateCAA(caaSet, wildcard, params)
return foundAt, valid, raw, nil
}
// validateCAA checks a provided *caaResult. When the wildcard argument is true
// this means the issueWild records must be validated as well. This function
// returns a boolean indicating whether issuance is allowed by this set of CAA
// records, and a string indicating the name at which the CAA records allowing
// issuance were found (if any -- since finding no records at all allows
// issuance).
func (va *ValidationAuthorityImpl) validateCAA(caaSet *caaResult, wildcard bool, params *caaParams) (bool, string) {
if caaSet == nil {
// No CAA records found, can issue
va.metrics.caaCounter.WithLabelValues("no records").Inc()
return true, ""
}
if caaSet.criticalUnknown {
// Contains unknown critical directives
va.metrics.caaCounter.WithLabelValues("record with unknown critical directive").Inc()
return false, caaSet.name
}
if len(caaSet.issue) == 0 && !wildcard {
// Although CAA records exist, none of them pertain to issuance in this case.
// (e.g. there is only an issuewild directive, but we are checking for a
// non-wildcard identifier, or there is only an iodef or non-critical unknown
// directive.)
va.metrics.caaCounter.WithLabelValues("no relevant records").Inc()
return true, caaSet.name
}
// Per RFC 8659 Section 5.3:
// - "Each issuewild Property MUST be ignored when processing a request for
// an FQDN that is not a Wildcard Domain Name."; and
// - "If at least one issuewild Property is specified in the Relevant RRset
// for a Wildcard Domain Name, each issue Property MUST be ignored when
// processing a request for that Wildcard Domain Name."
// So we default to checking the `caaSet.Issue` records and only check
// `caaSet.Issuewild` when `wildcard` is true and there are 1 or more
// `Issuewild` records.
records := caaSet.issue
if wildcard && len(caaSet.issuewild) > 0 {
records = caaSet.issuewild
}
// There are CAA records pertaining to issuance in our case. Note that this
// includes the case of the unsatisfiable CAA record value ";", used to
// prevent issuance by any CA under any circumstance.
//
// Our CAA identity must be found in the chosen checkSet.
for _, caa := range records {
parsedDomain, parsedParams, err := parseCAARecord(caa)
if err != nil {
continue
}
if !caaDomainMatches(parsedDomain, va.issuerDomain) {
continue
}
if !caaAccountURIMatches(parsedParams, va.accountURIPrefixes, params.accountURIID) {
continue
}
if !caaValidationMethodMatches(parsedParams, params.validationMethod) {
continue
}
va.metrics.caaCounter.WithLabelValues("authorized").Inc()
return true, caaSet.name
}
// The list of authorized issuers is non-empty, but we are not in it. Fail.
va.metrics.caaCounter.WithLabelValues("unauthorized").Inc()
return false, caaSet.name
}
// caaParameter is a key-value pair parsed from a single CAA RR.
type caaParameter struct {
tag string
val string
}
// parseCAARecord extracts the domain and parameters (if any) from a
// issue/issuewild CAA record. This follows RFC 8659 Section 4.2 and Section 4.3
// (https://www.rfc-editor.org/rfc/rfc8659.html#section-4). It returns the
// domain name (which may be the empty string if the record forbids issuance)
// and a slice of CAA parameters, or a descriptive error if the record is
// malformed.
func parseCAARecord(caa *dns.CAA) (string, []caaParameter, error) {
isWSP := func(r rune) bool {
return r == '\t' || r == ' '
}
// Semi-colons (ASCII 0x3B) are prohibited from being specified in the
// parameter tag or value, hence we can simply split on semi-colons.
parts := strings.Split(caa.Value, ";")
// See https://www.rfc-editor.org/rfc/rfc8659.html#section-4.2
//
// issuer-domain-name = label *("." label)
// label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
issuerDomainName := strings.TrimFunc(parts[0], isWSP)
paramList := parts[1:]
// Handle the case where a semi-colon is specified following the domain
// but no parameters are given.
if len(paramList) == 1 && strings.TrimFunc(paramList[0], isWSP) == "" {
return issuerDomainName, nil, nil
}
var caaParameters []caaParameter
for _, parameter := range paramList {
// A parameter tag cannot include equal signs (ASCII 0x3D),
// however they are permitted in the value itself.
tv := strings.SplitN(parameter, "=", 2)
if len(tv) != 2 {
return "", nil, fmt.Errorf("parameter not formatted as tag=value: %q", parameter)
}
tag := strings.TrimFunc(tv[0], isWSP)
//lint:ignore S1029,SA6003 we iterate over runes because the RFC specifies ascii codepoints.
for _, r := range []rune(tag) {
// ASCII alpha/digits.
// tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
if r < 0x30 || (r > 0x39 && r < 0x41) || (r > 0x5a && r < 0x61) || r > 0x7a {
return "", nil, fmt.Errorf("tag contains disallowed character: %q", tag)
}
}
value := strings.TrimFunc(tv[1], isWSP)
//lint:ignore S1029,SA6003 we iterate over runes because the RFC specifies ascii codepoints.
for _, r := range []rune(value) {
// ASCII without whitespace/semi-colons.
// value = *(%x21-3A / %x3C-7E)
if r < 0x21 || (r > 0x3a && r < 0x3c) || r > 0x7e {
return "", nil, fmt.Errorf("value contains disallowed character: %q", value)
}
}
caaParameters = append(caaParameters, caaParameter{
tag: tag,
val: value,
})
}
return issuerDomainName, caaParameters, nil
}
// caaDomainMatches checks that the issuer domain name listed in the parsed
// CAA record matches the domain name we expect.
func caaDomainMatches(caaDomain string, issuerDomain string) bool {
return caaDomain == issuerDomain
}
// caaAccountURIMatches checks that the accounturi CAA parameter, if present,
// matches one of the specific account URIs we expect. We support multiple
// account URI prefixes to handle accounts which were registered under ACMEv1.
// We accept only a single "accounturi" parameter and will fail if multiple are
// found in the CAA RR.
// See RFC 8657 Section 3: https://www.rfc-editor.org/rfc/rfc8657.html#section-3
func caaAccountURIMatches(caaParams []caaParameter, accountURIPrefixes []string, accountID int64) bool {
var found bool
var accountURI string
for _, c := range caaParams {
if c.tag == "accounturi" {
if found {
// A Property with multiple "accounturi" parameters is
// unsatisfiable.
return false
}
accountURI = c.val
found = true
}
}
if !found {
// A Property without an "accounturi" parameter matches any account.
return true
}
// If the accounturi is not formatted according to RFC 3986, reject it.
_, err := url.Parse(accountURI)
if err != nil {
return false
}
for _, prefix := range accountURIPrefixes {
if accountURI == fmt.Sprintf("%s%d", prefix, accountID) {
return true
}
}
return false
}
var validationMethodRegexp = regexp.MustCompile(`^[[:alnum:]-]+$`)
// caaValidationMethodMatches checks that the validationmethods CAA parameter,
// if present, contains the exact name of the ACME validation method used to
// validate this domain. We accept only a single "validationmethods" parameter
// and will fail if multiple are found in the CAA RR, even if all tag-value
// pairs would be valid. See RFC 8657 Section 4:
// https://www.rfc-editor.org/rfc/rfc8657.html#section-4.
func caaValidationMethodMatches(caaParams []caaParameter, method core.AcmeChallenge) bool {
var validationMethods string
var found bool
for _, param := range caaParams {
if param.tag == "validationmethods" {
if found {
// RFC 8657 does not define what behavior to take when multiple
// "validationmethods" parameters exist, but we make the
// conscious choice to fail validation similar to how multiple
// "accounturi" parameters are "unsatisfiable". Subscribers
// should be aware of RFC 8657 Section 5.8:
// https://www.rfc-editor.org/rfc/rfc8657.html#section-5.8
return false
}
validationMethods = param.val
found = true
}
}
if !found {
return true
}
for _, m := range strings.Split(validationMethods, ",") {
// The value of the "validationmethods" parameter MUST comply with the
// following ABNF [RFC5234]:
//
// value = [*(label ",") label]
// label = 1*(ALPHA / DIGIT / "-")
if !validationMethodRegexp.MatchString(m) {
return false
}
caaMethod := core.AcmeChallenge(m)
if !caaMethod.IsValid() {
continue
}
if caaMethod == method {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink