Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RA: Don't reuse authzs with mismatched profiles #7967

Merged
merged 3 commits into from
Feb 3, 2025
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
RA: Don't reuse authzs with mismatched profiles
aarongable committed Jan 29, 2025
commit b1551026c190a6c71f7eddbbbdbae196c33a8f22
5 changes: 5 additions & 0 deletions ra/ra.go
Original file line number Diff line number Diff line change
@@ -2264,6 +2264,11 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
missingAuthzIdents = append(missingAuthzIdents, ident)
continue
}
// If the authz is associated with the wrong profile, don't reuse it.
if authz.CertificateProfileName != req.CertificateProfileName {
missingAuthzIdents = append(missingAuthzIdents, ident)
continue
}
authzAge := (ra.authorizationLifetime - authz.Expires.Sub(ra.clk.Now())).Seconds()
// If the identifier is a wildcard and the existing authz only has one
// DNS-01 type challenge we can reuse it. In theory we will
17 changes: 13 additions & 4 deletions ra/ra_test.go
Original file line number Diff line number Diff line change
@@ -1379,10 +1379,10 @@ func TestNewOrder(t *testing.T) {
test.AssertEquals(t, err.Error(), "Cannot issue for \"a\": Domain name needs at least one dot")
}

// TestNewOrderReuse tests that subsequent requests by an ACME account to create
// TestNewOrder_OrderReuse tests that subsequent requests by an ACME account to create
// an identical order results in only one order being created & subsequently
// reused.
func TestNewOrder_OrderReusex(t *testing.T) {
func TestNewOrder_OrderReuse(t *testing.T) {
_, _, ra, _, _, cleanUp := initAuthorities(t)
defer cleanUp()

@@ -1590,6 +1590,7 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
Name string
RegistrationID int64
DnsName string
Profile string
ExpectReuse bool
}{
{
@@ -1610,6 +1611,13 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
DnsName: invalid,
ExpectReuse: false,
},
{
Name: "Don't reuse valid authz with wrong profile",
RegistrationID: Registration.Id,
DnsName: valid,
Profile: "test",
ExpectReuse: false,
},
{
Name: "Don't reuse valid authz from other acct",
RegistrationID: secondReg.Id,
@@ -1621,8 +1629,9 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
for _, tc := range testCases {
t.Run(tc.Name, func(t *testing.T) {
new, err := ra.NewOrder(context.Background(), &rapb.NewOrderRequest{
RegistrationID: tc.RegistrationID,
DnsNames: []string{tc.DnsName},
RegistrationID: tc.RegistrationID,
DnsNames: []string{tc.DnsName},
CertificateProfileName: tc.Profile,
})
test.AssertNotError(t, err, "creating test order")
test.AssertNotEquals(t, new.Id, extant.Id)