// NewCertificate requests the issuance of a certificate.
func (ra *RegistrationAuthorityImpl) NewCertificate(req core.CertificateRequest, regID int64) (cert core.Certificate, err error) {
emptyCert := core.Certificate{}
var logEventResult string
// Assume the worst
logEventResult = "error"
// Construct the log event
logEvent := certificateRequestEvent{
ID: core.NewToken(),
Requester: regID,
RequestMethod: "online",
RequestTime: ra.clk.Now(),
}
// No matter what, log the request
defer func() {
// AUDIT[ Certificate Requests ] 11917fa4-10ef-4e0d-9105-bacbe7836a3c
ra.log.AuditObject(fmt.Sprintf("Certificate request - %s", logEventResult), logEvent)
}()
if regID <= 0 {
err = core.MalformedRequestError(fmt.Sprintf("Invalid registration ID: %d", regID))
return emptyCert, err
}
registration, err := ra.SA.GetRegistration(regID)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
// Verify the CSR
csr := req.CSR
if err = core.VerifyCSR(csr); err != nil {
logEvent.Error = err.Error()
err = core.UnauthorizedError("Invalid signature on CSR")
return emptyCert, err
}
logEvent.CommonName = csr.Subject.CommonName
logEvent.Names = csr.DNSNames
// Validate that authorization key is authorized for all domains
names := make([]string, len(csr.DNSNames))
copy(names, csr.DNSNames)
if len(csr.Subject.CommonName) > 0 {
names = append(names, csr.Subject.CommonName)
}
if len(names) == 0 {
err = core.UnauthorizedError("CSR has no names in it")
logEvent.Error = err.Error()
return emptyCert, err
}
csrPreviousDenied, err := ra.SA.AlreadyDeniedCSR(names)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
if csrPreviousDenied {
err = core.UnauthorizedError("CSR has already been revoked/denied")
logEvent.Error = err.Error()
return emptyCert, err
}
if core.KeyDigestEquals(csr.PublicKey, registration.Key) {
err = core.MalformedRequestError("Certificate public key must be different than account key")
return emptyCert, err
}
// Check rate limits before checking authorizations. If someone is unable to
// issue a cert due to rate limiting, we don't want to tell them to go get the
// necessary authorizations, only to later fail the rate limit check.
err = ra.checkLimits(names, registration.ID)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
err = ra.checkAuthorizations(names, ®istration)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
// Mark that we verified the CN and SANs
logEvent.VerifiedFields = []string{"subject.commonName", "subjectAltName"}
// Create the certificate and log the result
if cert, err = ra.CA.IssueCertificate(*csr, regID); err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
err = ra.MatchesCSR(cert, csr)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
parsedCertificate, err := x509.ParseCertificate([]byte(cert.DER))
if err != nil {
// InternalServerError because the certificate from the CA should be
// parseable.
err = core.InternalServerError(err.Error())
logEvent.Error = err.Error()
return emptyCert, err
}
logEvent.SerialNumber = core.SerialToString(parsedCertificate.SerialNumber)
logEvent.CommonName = parsedCertificate.Subject.CommonName
logEvent.NotBefore = parsedCertificate.NotBefore
logEvent.NotAfter = parsedCertificate.NotAfter
logEvent.ResponseTime = ra.clk.Now()
logEventResult = "successful"
ra.stats.Inc("RA.NewCertificates", 1, 1.0)
return cert, nil
}
// NewCertificate requests the issuance of a certificate.
func (ra *RegistrationAuthorityImpl) NewCertificate(req core.CertificateRequest, regID int64) (cert core.Certificate, err error) {
emptyCert := core.Certificate{}
var logEventResult string
// Assume the worst
logEventResult = "error"
// Construct the log event
logEvent := certificateRequestEvent{
ID: core.NewToken(),
Requester: regID,
RequestMethod: "online",
RequestTime: time.Now(),
}
// No matter what, log the request
defer func() {
// AUDIT[ Certificate Requests ] 11917fa4-10ef-4e0d-9105-bacbe7836a3c
ra.log.AuditObject(fmt.Sprintf("Certificate request - %s", logEventResult), logEvent)
}()
if regID <= 0 {
err = core.MalformedRequestError(fmt.Sprintf("Invalid registration ID: %d", regID))
return emptyCert, err
}
registration, err := ra.SA.GetRegistration(regID)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
// Verify the CSR
csr := req.CSR
if err = core.VerifyCSR(csr); err != nil {
logEvent.Error = err.Error()
err = core.UnauthorizedError("Invalid signature on CSR")
return emptyCert, err
}
logEvent.CommonName = csr.Subject.CommonName
logEvent.Names = csr.DNSNames
// Validate that authorization key is authorized for all domains
names := make([]string, len(csr.DNSNames))
copy(names, csr.DNSNames)
if len(csr.Subject.CommonName) > 0 {
names = append(names, csr.Subject.CommonName)
}
if len(names) == 0 {
err = core.UnauthorizedError("CSR has no names in it")
logEvent.Error = err.Error()
return emptyCert, err
}
csrPreviousDenied, err := ra.SA.AlreadyDeniedCSR(names)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
if csrPreviousDenied {
err = core.UnauthorizedError("CSR has already been revoked/denied")
logEvent.Error = err.Error()
return emptyCert, err
}
if core.KeyDigestEquals(csr.PublicKey, registration.Key) {
err = core.MalformedRequestError("Certificate public key must be different than account key")
return emptyCert, err
}
// Check that each requested name has a valid authorization
now := time.Now()
earliestExpiry := time.Date(2100, 01, 01, 0, 0, 0, 0, time.UTC)
for _, name := range names {
authz, err := ra.SA.GetLatestValidAuthorization(registration.ID, core.AcmeIdentifier{Type: core.IdentifierDNS, Value: name})
if err != nil || authz.Expires.Before(now) {
// unable to find a valid authorization or authz is expired
err = core.UnauthorizedError(fmt.Sprintf("Key not authorized for name %s", name))
logEvent.Error = err.Error()
return emptyCert, err
}
if authz.Expires.Before(earliestExpiry) {
earliestExpiry = *authz.Expires
}
}
// Mark that we verified the CN and SANs
logEvent.VerifiedFields = []string{"subject.commonName", "subjectAltName"}
// Create the certificate and log the result
if cert, err = ra.CA.IssueCertificate(*csr, regID, earliestExpiry); err != nil {
// While this could be InternalServerError for certain conditions, most
// of the failure reasons (such as GoodKey failing) are caused by malformed
// requests.
logEvent.Error = err.Error()
err = core.MalformedRequestError("Certificate request was invalid")
return emptyCert, err
}
err = cert.MatchesCSR(csr, earliestExpiry)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
parsedCertificate, err := x509.ParseCertificate([]byte(cert.DER))
if err != nil {
// InternalServerError because the certificate from the CA should be
// parseable.
err = core.InternalServerError(err.Error())
logEvent.Error = err.Error()
return emptyCert, err
}
logEvent.SerialNumber = core.SerialToString(parsedCertificate.SerialNumber)
logEvent.CommonName = parsedCertificate.Subject.CommonName
logEvent.NotBefore = parsedCertificate.NotBefore
logEvent.NotAfter = parsedCertificate.NotAfter
logEvent.ResponseTime = time.Now()
logEventResult = "successful"
return cert, nil
}
func (ra *RegistrationAuthorityImpl) NewCertificate(req core.CertificateRequest, regID int64) (core.Certificate, error) {
emptyCert := core.Certificate{}
var err error
var logEventResult string
// Assume the worst
logEventResult = "error"
// Construct the log event
logEvent := certificateRequestEvent{
ID: core.NewToken(),
Requester: regID,
RequestMethod: "online",
RequestTime: time.Now(),
}
// No matter what, log the request
defer func() {
// AUDIT[ Certificate Requests ] 11917fa4-10ef-4e0d-9105-bacbe7836a3c
ra.log.AuditObject(fmt.Sprintf("Certificate request - %s", logEventResult), logEvent)
}()
if regID <= 0 {
err = fmt.Errorf("Invalid registration ID")
return emptyCert, err
}
// Verify the CSR
// TODO: Verify that other aspects of the CSR are appropriate
csr := req.CSR
if err = core.VerifyCSR(csr); err != nil {
logEvent.Error = err.Error()
err = core.UnauthorizedError("Invalid signature on CSR")
return emptyCert, err
}
logEvent.CommonName = csr.Subject.CommonName
logEvent.Names = csr.DNSNames
csrPreviousDenied, err := ra.SA.AlreadyDeniedCSR(append(csr.DNSNames, csr.Subject.CommonName))
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
if csrPreviousDenied {
err = core.UnauthorizedError("CSR has already been revoked/denied")
logEvent.Error = err.Error()
return emptyCert, err
}
registration, err := ra.SA.GetRegistration(regID)
if err != nil {
logEvent.Error = err.Error()
return emptyCert, err
}
if core.KeyDigestEquals(csr.PublicKey, registration.Key) {
err = core.MalformedRequestError("Certificate public key must be different than account key")
return emptyCert, err
}
// Gather authorized domains from the referenced authorizations
authorizedDomains := map[string]bool{}
verificationMethodSet := map[string]bool{}
now := time.Now()
for _, url := range req.Authorizations {
id := lastPathSegment(url)
authz, err := ra.SA.GetAuthorization(id)
if err != nil || // Couldn't find authorization
authz.RegistrationID != registration.ID ||
authz.Status != core.StatusValid || // Not finalized or not successful
authz.Expires.Before(now) || // Expired
authz.Identifier.Type != core.IdentifierDNS {
// XXX: It may be good to fail here instead of ignoring invalid authorizations.
// However, it seems like this treatment is more in the spirit of Postel's
// law, and it hides information from attackers.
continue
}
for _, challenge := range authz.Challenges {
if challenge.Status == core.StatusValid {
verificationMethodSet[challenge.Type] = true
}
}
authorizedDomains[authz.Identifier.Value] = true
}
verificationMethods := []string{}
for method, _ := range verificationMethodSet {
verificationMethods = append(verificationMethods, method)
}
logEvent.VerificationMethods = verificationMethods
// Validate that authorization key is authorized for all domains
names := csr.DNSNames
if len(csr.Subject.CommonName) > 0 {
names = append(names, csr.Subject.CommonName)
}
// Validate all domains
for _, name := range names {
if !authorizedDomains[name] {
err = core.UnauthorizedError(fmt.Sprintf("Key not authorized for name %s", name))
logEvent.Error = err.Error()
return emptyCert, err
}
}
// Mark that we verified the CN and SANs
logEvent.VerifiedFields = []string{"subject.commonName", "subjectAltName"}
// Create the certificate and log the result
var cert core.Certificate
if cert, err = ra.CA.IssueCertificate(*csr, regID); err != nil {
logEvent.Error = err.Error()
return emptyCert, nil
}
cert.ParsedCertificate, err = x509.ParseCertificate([]byte(cert.DER))
logEvent.SerialNumber = cert.ParsedCertificate.SerialNumber
logEvent.CommonName = cert.ParsedCertificate.Subject.CommonName
logEvent.NotBefore = cert.ParsedCertificate.NotBefore
logEvent.NotAfter = cert.ParsedCertificate.NotAfter
logEvent.ResponseTime = time.Now()
logEventResult = "successful"
return cert, nil
}
