Remove hyphens from ACME-CAA parameters (letsencrypt#3772)

Roland Bracewell Shoemaker · jsha · commit 1e6699d03eae · 2018-06-21T13:49:48.000-07:00
The hyphens were incompatible with RFC 6844 (but not RFC 6844bis), and broke some CAA-processing software in practice. Hugo revised the ACME-CAA draft (https://datatracker.ietf.org/doc/html/draft-ietf-acme-caa-05) to remove the hyphens.
diff --git a/features/features.go b/features/features.go
@@ -39,9 +39,9 @@ const (
 	EnforceOverlappingWildcards
 	// Set orders to status "ready" when they are awaiting finalization
 	OrderReadyStatus
-	// Check CAA and respect validation-methods parameter.
+	// Check CAA and respect validationmethods parameter.
 	CAAValidationMethods
-	// Check CAA and respect account-uri parameter.
+	// Check CAA and respect accounturi parameter.
 	CAAAccountURI
 )
 
diff --git a/test/challtestsrv/dnsone.go b/test/challtestsrv/dnsone.go
@@ -102,9 +102,9 @@ func (s *ChallSrv) dnsHandler(w dns.ResponseWriter, r *dns.Msg) {
 				value = "sad-hacker-ca.invalid"
 			case "good-caa-reserved.com.":
 				value = "happy-hacker-ca.invalid"
-			case "account-uri.good-caa-reserved.com.":
+			case "accounturi.good-caa-reserved.com.":
 				uri := os.Getenv("ACCOUNT_URI")
-				value = fmt.Sprintf("happy-hacker-ca.invalid; account-uri=%s", uri)
+				value = fmt.Sprintf("happy-hacker-ca.invalid; accounturi=%s", uri)
 			case "recheck.good-caa-reserved.com.":
 				// Allow issuance when we're running in the past
 				// (under FAKECLOCK), otherwise deny issuance.
@@ -114,11 +114,11 @@ func (s *ChallSrv) dnsHandler(w dns.ResponseWriter, r *dns.Msg) {
 					value = "sad-hacker-ca.invalid"
 				}
 			case "dns-01-only.good-caa-reserved.com.":
-				value = "happy-hacker-ca.invalid; validation-methods=dns-01"
+				value = "happy-hacker-ca.invalid; validationmethods=dns-01"
 			case "http-01-only.good-caa-reserved.com.":
-				value = "happy-hacker-ca.invalid; validation-methods=http-01"
+				value = "happy-hacker-ca.invalid; validationmethods=http-01"
 			case "dns-01-or-http-01.good-caa-reserved.com.":
-				value = "happy-hacker-ca.invalid; validation-methods=dns-01,http-01"
+				value = "happy-hacker-ca.invalid; validationmethods=dns-01,http-01"
 			default:
 				addCAARecord = false
 			}
diff --git a/test/integration-test.py b/test/integration-test.py
@@ -309,7 +309,7 @@ def test_revoke_by_account():
 
 def test_caa():
     """Request issuance for two CAA domains, one where we are permitted and one where we are not.
-       Two further sub-domains have restricted validation-methods.
+       Two further sub-domains have restricted validationmethods.
     """
     if len(caa_authzs) == 0:
         raise Exception("CAA authzs not prepared for test_caa")
@@ -346,8 +346,8 @@ def test_caa():
     auth_and_issue(["dns-01-or-http-01.good-caa-reserved.com", "http-01-only.good-caa-reserved.com"], chall_type="http-01")
 
     # CAA should fail with an arbitrary account, but succeed with the caa_client.
-    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["account-uri.good-caa-reserved.com"]))
-    auth_and_issue(["account-uri.good-caa-reserved.com"], client=caa_client)
+    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["accounturi.good-caa-reserved.com"]))
+    auth_and_issue(["accounturi.good-caa-reserved.com"], client=caa_client)
 
 def test_account_update():
     """
diff --git a/va/caa.go b/va/caa.go
@@ -269,10 +269,10 @@ func (va *ValidationAuthorityImpl) validateCAASet(caaSet *CAASet, wildcard bool,
 		}
 
 		if features.Enabled(features.CAAAccountURI) {
-			// Check the account-uri CAA parameter as defined
+			// Check the accounturi CAA parameter as defined
 			// in section 3 of the draft CAA ACME RFC:
 			// https://tools.ietf.org/html/draft-ietf-acme-caa-04
-			caaAccountURI, ok := caaParameters["account-uri"]
+			caaAccountURI, ok := caaParameters["accounturi"]
 			if ok {
 				if params.accountURIID == nil {
 					continue
@@ -283,10 +283,10 @@ func (va *ValidationAuthorityImpl) validateCAASet(caaSet *CAASet, wildcard bool,
 			}
 		}
 		if features.Enabled(features.CAAValidationMethods) {
-			// Check the validation-methods CAA parameter as defined
+			// Check the validationmethods CAA parameter as defined
 			// in section 4 of the draft CAA ACME RFC:
 			// https://tools.ietf.org/html/draft-ietf-acme-caa-04
-			caaMethods, ok := caaParameters["validation-methods"]
+			caaMethods, ok := caaParameters["validationmethods"]
 			if ok {
 				if params.validationMethod == nil {
 					continue
diff --git a/va/caa_test.go b/va/caa_test.go
@@ -93,31 +93,31 @@ func (mock caaMockDNS) LookupCAA(_ context.Context, domain string) ([]*dns.CAA,
 		results = append(results, &record)
 	case "present-dns-only.com":
 		record.Tag = "issue"
-		record.Value = "letsencrypt.org; validation-methods=dns-01"
+		record.Value = "letsencrypt.org; validationmethods=dns-01"
 		results = append(results, &record)
 	case "present-http-only.com":
 		record.Tag = "issue"
-		record.Value = "letsencrypt.org; validation-methods=http-01"
+		record.Value = "letsencrypt.org; validationmethods=http-01"
 		results = append(results, &record)
 	case "present-http-or-dns.com":
 		record.Tag = "issue"
-		record.Value = "letsencrypt.org; validation-methods=http-01,dns-01"
+		record.Value = "letsencrypt.org; validationmethods=http-01,dns-01"
 		results = append(results, &record)
-	case "present-correct-account-uri.com":
+	case "present-correct-accounturi.com":
 		record.Tag = "issue"
-		record.Value = "letsencrypt.org; account-uri=https://letsencrypt.org/acct/reg/123"
+		record.Value = "letsencrypt.org; accounturi=https://letsencrypt.org/acct/reg/123"
 		results = append(results, &record)
-	case "present-incorrect-account-uri.com":
+	case "present-incorrect-accounturi.com":
 		record.Tag = "issue"
-		record.Value = "letsencrypt.org; account-uri=https://letsencrypt.org/acct/reg/321"
+		record.Value = "letsencrypt.org; accounturi=https://letsencrypt.org/acct/reg/321"
 		results = append(results, &record)
-	case "present-multiple-account-uri.com":
+	case "present-multiple-accounturi.com":
 		record.Tag = "issue"
-		record.Value = "letsencrypt.org; account-uri=https://letsencrypt.org/acct/reg/321"
+		record.Value = "letsencrypt.org; accounturi=https://letsencrypt.org/acct/reg/321"
 		results = append(results, &record)
 		secondRecord := record
 		secondRecord.Tag = "issue"
-		secondRecord.Value = "letsencrypt.org; account-uri=https://letsencrypt.org/acct/reg/123"
+		secondRecord.Value = "letsencrypt.org; accounturi=https://letsencrypt.org/acct/reg/123"
 		results = append(results, &secondRecord)
 	case "unsatisfiable.com":
 		record.Tag = "issue"
@@ -286,20 +286,20 @@ func TestCAAChecking(t *testing.T) {
 			Valid:   true,
 		},
 		{
-			Name:    "Good (restricts to account-uri, tested with correct account)",
-			Domain:  "present-correct-account-uri.com",
+			Name:    "Good (restricts to accounturi, tested with correct account)",
+			Domain:  "present-correct-accounturi.com",
 			Present: true,
 			Valid:   true,
 		},
 		{
-			Name:    "Bad (restricts to account-uri, tested with incorrect account)",
-			Domain:  "present-incorrect-account-uri.com",
+			Name:    "Bad (restricts to accounturi, tested with incorrect account)",
+			Domain:  "present-incorrect-accounturi.com",
 			Present: true,
 			Valid:   false,
 		},
 		{
-			Name:    "Good (restricts to multiple account-uri, tested with a correct account)",
-			Domain:  "present-multiple-account-uri.com",
+			Name:    "Good (restricts to multiple accounturi, tested with a correct account)",
+			Domain:  "present-multiple-accounturi.com",
 			Present: true,
 			Valid:   true,
 		},
@@ -382,10 +382,10 @@ func TestCAAChecking(t *testing.T) {
 	test.Assert(t, present, "Present should be true")
 	test.Assert(t, valid, "Valid should be true")
 
-	// present-incorrect-account-uri.com should now be also be valid
-	ident = core.AcmeIdentifier{Type: "dns", Value: "present-incorrect-account-uri.com"}
+	// present-incorrect-accounturi.com should now be also be valid
+	ident = core.AcmeIdentifier{Type: "dns", Value: "present-incorrect-accounturi.com"}
 	present, valid, _, err = va.checkCAARecords(ctx, ident, params)
-	test.AssertNotError(t, err, "present-incorrect-account-uri.com")
+	test.AssertNotError(t, err, "present-incorrect-accounturi.com")
 	test.Assert(t, present, "Present should be true")
 	test.Assert(t, valid, "Valid should be true")
 
