RA: implement stricter email validation. (letsencrypt#4574)

Daniel McCarney · web-flow · commit fde145ab968a · 2019-11-22T13:39:31.000-05:00
Prev. we weren't checking the domain portion of an email contact address
very strictly in the RA. This updates the PA to export a function that
can be used to validate the domain the same way we validate domain
portions of DNS type identifiers for issuance.

This also changes the RA to use the `invalidEmail` error type in more
places.

A new Go integration test is added that checks these errors end-to-end
for both account creation and account update.
diff --git a/core/interfaces.go b/core/interfaces.go
@@ -108,6 +108,7 @@ type PolicyAuthority interface {
 	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
 	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
 	ChallengeTypeEnabled(t string) bool
+	ValidDomain(domain string) error
 }
 
 // StorageGetter are the Boulder SA's read-only methods
diff --git a/csr/csr_test.go b/csr/csr_test.go
@@ -46,6 +46,10 @@ func (pa *mockPA) ChallengeTypeEnabled(t string) bool {
 	return true
 }
 
+func (pa *mockPA) ValidDomain(_ string) error {
+	return nil
+}
+
 func TestVerifyCSR(t *testing.T) {
 	private, err := rsa.GenerateKey(rand.Reader, 2048)
 	test.AssertNotError(t, err, "error generating test key")
diff --git a/policy/pa.go b/policy/pa.go
@@ -199,32 +199,21 @@ var (
 	errWildcardNotSupported = berrors.MalformedError("Wildcard domain names are not supported")
 )
 
-// WillingToIssue determines whether the CA is willing to issue for the provided
-// identifier. It expects domains in id to be lowercase to prevent mismatched
-// cases breaking queries.
+// ValidDomain checks that a domain isn't:
 //
-// We place several criteria on identifiers we are willing to issue for:
-//
-//  * MUST self-identify as DNS identifiers
-//  * MUST contain only bytes in the DNS hostname character set
-//  * MUST NOT have more than maxLabels labels
-//  * MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181
-//    In particular:
-//    * MUST NOT contain underscores
-//  * MUST NOT match the syntax of an IP address
-//  * MUST end in a public suffix
-//  * MUST have at least one label in addition to the public suffix
-//  * MUST NOT be a label-wise suffix match for a name on the block list,
-//    where comparison is case-independent (normalized to lower case)
+// * empty
+// * prefixed with the wildcard label `*.`
+// * made of invalid DNS characters
+// * longer than the maxDNSIdentifierLength
+// * an IPv4 or IPv6 address
+// * suffixed with just "."
+// * made of too many DNS labels
+// * made of any invalid DNS labels
+// * suffixed with something other than an IANA registered TLD
+// * exactly equal to an IANA registered TLD
 //
-// If WillingToIssue returns an error, it will be of type MalformedRequestError
-// or RejectedIdentifierError
-func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
-	if id.Type != identifier.DNS {
-		return errInvalidIdentifier
-	}
-	domain := id.Value
-
+// It does _not_ check that the domain isn't on any PA blocked lists.
+func (pa *AuthorityImpl) ValidDomain(domain string) error {
 	if domain == "" {
 		return errEmptyName
 	}
@@ -300,6 +289,39 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
 		return errICANNTLD
 	}
 
+	return nil
+}
+
+// WillingToIssue determines whether the CA is willing to issue for the provided
+// identifier. It expects domains in id to be lowercase to prevent mismatched
+// cases breaking queries.
+//
+// We place several criteria on identifiers we are willing to issue for:
+//
+//  * MUST self-identify as DNS identifiers
+//  * MUST contain only bytes in the DNS hostname character set
+//  * MUST NOT have more than maxLabels labels
+//  * MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181
+//    In particular:
+//    * MUST NOT contain underscores
+//  * MUST NOT match the syntax of an IP address
+//  * MUST end in a public suffix
+//  * MUST have at least one label in addition to the public suffix
+//  * MUST NOT be a label-wise suffix match for a name on the block list,
+//    where comparison is case-independent (normalized to lower case)
+//
+// If WillingToIssue returns an error, it will be of type MalformedRequestError
+// or RejectedIdentifierError
+func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+	if id.Type != identifier.DNS {
+		return errInvalidIdentifier
+	}
+	domain := id.Value
+
+	if err := pa.ValidDomain(domain); err != nil {
+		return err
+	}
+
 	// Require no match against hostname block lists
 	if err := pa.checkHostLists(domain); err != nil {
 		return err
diff --git a/ra/ra.go b/ra/ra.go
@@ -25,7 +25,6 @@ import (
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
-	"github.com/letsencrypt/boulder/iana"
 	"github.com/letsencrypt/boulder/identifier"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -349,22 +348,22 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
 
 	for _, contact := range *contacts {
 		if contact == "" {
-			return berrors.MalformedError("empty contact")
+			return berrors.InvalidEmailError("empty contact")
 		}
 		parsed, err := url.Parse(contact)
 		if err != nil {
-			return berrors.MalformedError("invalid contact")
+			return berrors.InvalidEmailError("invalid contact")
 		}
 		if parsed.Scheme != "mailto" {
-			return berrors.MalformedError("contact method %s is not supported", parsed.Scheme)
+			return berrors.InvalidEmailError("contact method %q is not supported", parsed.Scheme)
 		}
 		if !core.IsASCII(contact) {
-			return berrors.MalformedError(
-				"contact email [%s] contains non-ASCII characters",
+			return berrors.InvalidEmailError(
+				"contact email [%q] contains non-ASCII characters",
 				contact,
 			)
 		}
-		if err := validateEmail(parsed.Opaque); err != nil {
+		if err := ra.validateEmail(parsed.Opaque); err != nil {
 			return err
 		}
 	}
@@ -385,9 +384,9 @@ var forbiddenMailDomains = map[string]bool{
 }
 
 // validateEmail returns an error if the given address is not parseable as an
-// email address or if the domain portion of the email address is a member of
-// the forbiddenMailDomains map.
-func validateEmail(address string) error {
+// email address or if the domain portion of the email address is invalid or
+// a member of the forbiddenMailDomains map.
+func (ra *RegistrationAuthorityImpl) validateEmail(address string) error {
 	email, err := mail.ParseAddress(address)
 	if err != nil {
 		if len(address) > 254 {
@@ -397,14 +396,16 @@ func validateEmail(address string) error {
 	}
 	splitEmail := strings.SplitN(email.Address, "@", -1)
 	domain := strings.ToLower(splitEmail[len(splitEmail)-1])
+	if err := ra.PA.ValidDomain(domain); err != nil {
+		return berrors.InvalidEmailError(
+			"contact email %q has invalid domain : %s",
+			email.Address, err)
+	}
 	if forbiddenMailDomains[domain] {
 		return berrors.InvalidEmailError(
 			"invalid contact domain. Contact emails @%s are forbidden",
 			domain)
 	}
-	if _, err := iana.ExtractSuffix(domain); err != nil {
-		return berrors.InvalidEmailError("email domain name does not end in a IANA suffix")
-	}
 	return nil
 }
 
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -3708,7 +3708,9 @@ func TestIssueCertificateInnerErrs(t *testing.T) {
 }
 
 func TestValidateEmailError(t *testing.T) {
-	err := validateEmail("(๑•́ ω •̀๑)")
+	_, _, ra, _, cleanUp := initAuthorities(t)
+	defer cleanUp()
+	err := ra.validateEmail("(๑•́ ω •̀๑)")
 	test.AssertEquals(t, err.Error(), "\"(๑•́ ω •̀๑)\" is not a valid e-mail address")
 }
 
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -2,7 +2,7 @@
   "ra": {
     "rateLimitPoliciesFilename": "test/rate-limit-policies.yml",
     "maxConcurrentRPCServerRequests": 100000,
-    "maxContactsPerRegistration": 100,
+    "maxContactsPerRegistration": 3,
     "debugAddr": ":8002",
     "hostnamePolicyFile": "test/hostname-policy.yaml",
     "maxNames": 100,
diff --git a/test/config/ra.json b/test/config/ra.json
@@ -2,7 +2,7 @@
   "ra": {
     "rateLimitPoliciesFilename": "test/rate-limit-policies.yml",
     "maxConcurrentRPCServerRequests": 100000,
-    "maxContactsPerRegistration": 100,
+    "maxContactsPerRegistration": 3,
     "debugAddr": ":8002",
     "hostnamePolicyFile": "test/hostname-policy.yaml",
     "maxNames": 100,
diff --git a/test/integration/common_test.go b/test/integration/common_test.go
@@ -41,7 +41,7 @@ type client struct {
 	acme.Client
 }
 
-func makeClient() (*client, error) {
+func makeClient(contacts ...string) (*client, error) {
 	c, err := acme.NewClient(os.Getenv("DIRECTORY"))
 	if err != nil {
 		return nil, fmt.Errorf("Error connecting to acme directory: %v", err)
@@ -50,9 +50,9 @@ func makeClient() (*client, error) {
 	if err != nil {
 		return nil, fmt.Errorf("error creating private key: %v", err)
 	}
-	account, err := c.NewAccount(privKey, false, true, "mailto:example@letsencrypt.org")
+	account, err := c.NewAccount(privKey, false, true, contacts...)
 	if err != nil {
-		return nil, fmt.Errorf("error creating new account: %v", err)
+		return nil, err
 	}
 	return &client{account, c}, nil
 }
diff --git a/test/integration/errors_test.go b/test/integration/errors_test.go
@@ -5,6 +5,7 @@ package integration
 import (
 	"fmt"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/eggsampler/acme/v3"
@@ -33,3 +34,129 @@ func TestTooBigOrderError(t *testing.T) {
 		test.AssertEquals(t, prob.Detail, "Error creating new order :: Order cannot contain more than 100 DNS names")
 	}
 }
+
+// TestAccountEmailError tests that registering a new account, or updating an
+// account, with invalid contact information produces the expected problem
+// result to ACME clients.
+func TestAccountEmailError(t *testing.T) {
+	t.Parallel()
+	os.Setenv("DIRECTORY", "http://boulder:4001/directory")
+
+	/*
+		  // TODO(@cpu): Uncomment this when the too-long test case is re-added.
+			var longStringBuf strings.Builder
+			for i := 0; i < 254; i++ {
+				longStringBuf.WriteRune('a')
+			}
+	*/
+
+	createErrorPrefix := "Error creating new account :: "
+	updateErrorPrefix := "Unable to update account :: "
+
+	testCases := []struct {
+		name               string
+		contacts           []string
+		expectedProbType   string
+		expectedProbDetail string
+	}{
+		{
+			name:               "empty contact",
+			contacts:           []string{"mailto:valid@valid.com", ""},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: `empty contact`,
+		},
+		{
+			name:               "empty proto",
+			contacts:           []string{"mailto:valid@valid.com", " "},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: `contact method "" is not supported`,
+		},
+		{
+			name:               "empty mailto",
+			contacts:           []string{"mailto:valid@valid.com", "mailto:"},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: `"" is not a valid e-mail address`,
+		},
+		{
+			name:               "non-ascii mailto",
+			contacts:           []string{"mailto:valid@valid.com", "mailto:cpu@l̴etsencrypt.org"},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: `contact email ["mailto:cpu@l̴etsencrypt.org"] contains non-ASCII characters`,
+		},
+		{
+			name:               "too many contacts",
+			contacts:           []string{"a", "b", "c", "d"},
+			expectedProbType:   "urn:ietf:params:acme:error:malformed",
+			expectedProbDetail: `too many contacts provided: 4 > 3`,
+		},
+		{
+			name:               "invalid contact",
+			contacts:           []string{"mailto:valid@valid.com", "mailto:a@"},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: `"a@" is not a valid e-mail address`,
+		},
+		{
+			name:               "forbidden contact domain",
+			contacts:           []string{"mailto:valid@valid.com", "mailto:a@example.com"},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: "invalid contact domain. Contact emails @example.com are forbidden",
+		},
+		{
+			name:               "contact domain invalid TLD",
+			contacts:           []string{"mailto:valid@valid.com", "mailto:a@example.cpu"},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: `contact email "a@example.cpu" has invalid domain : Domain name does not end with a valid public suffix (TLD)`,
+		},
+		{
+			name:               "contact domain invalid",
+			contacts:           []string{"mailto:valid@valid.com", "mailto:a@example./.com"},
+			expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+			expectedProbDetail: "contact email \"a@example./.com\" has invalid domain : Domain name contains an invalid character",
+		},
+		/*
+			// NOTE(@cpu): Disabled for now - causes serverInternal err when SA saves
+			// contacts.
+			{
+				name: "too long contact",
+				contacts: []string{
+					fmt.Sprintf("mailto:%s@a.com", longStringBuf.String()),
+				},
+				expectedProbType:   "urn:ietf:params:acme:error:invalidEmail",
+				expectedProbDetail: "??????",
+			},
+		*/
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// First try registering a new account and ensuring the expected problem occurs
+			if _, err := makeClient(tc.contacts...); err != nil {
+				if prob, ok := err.(acme.Problem); !ok {
+					t.Fatalf("expected acme.Problem error got %#v", err)
+				} else {
+					test.AssertEquals(t, prob.Type, tc.expectedProbType)
+					test.AssertEquals(t, prob.Detail, createErrorPrefix+tc.expectedProbDetail)
+				}
+			} else if err == nil {
+				t.Errorf("expected %s type problem for %q, got nil",
+					tc.expectedProbType, strings.Join(tc.contacts, ","))
+			}
+
+			// Next try making a client with a good contact and updating with the test
+			// case contact info. The same problem should occur.
+			c, err := makeClient("mailto:valid@valid.com")
+			test.AssertNotError(t, err, "failed to create account with valid contact")
+			if _, err := c.UpdateAccount(c.Account, tc.contacts...); err != nil {
+				if prob, ok := err.(acme.Problem); !ok {
+					t.Fatalf("expected acme.Problem error after updating account got %#v", err)
+				} else {
+					test.AssertEquals(t, prob.Type, tc.expectedProbType)
+					test.AssertEquals(t, prob.Detail, updateErrorPrefix+tc.expectedProbDetail)
+				}
+			} else if err == nil {
+				t.Errorf("expected %s type problem after updating account to %q, got nil",
+					tc.expectedProbType, strings.Join(tc.contacts, ","))
+			}
+		})
+	}
+}
diff --git a/test/integration/revocation_test.go b/test/integration/revocation_test.go
@@ -40,7 +40,7 @@ func TestPrecertificateRevocation(t *testing.T) {
 
 	// Create a base account to use for revocation tests.
 	os.Setenv("DIRECTORY", "http://boulder:4001/directory")
-	c, err := makeClient()
+	c, err := makeClient("mailto:example@letsencrypt.org")
 	test.AssertNotError(t, err, "creating acme client")
 
 	// Create a specific key for CSRs so that it is possible to test revocation
diff --git a/wfe/wfe_test.go b/wfe/wfe_test.go
@@ -286,6 +286,10 @@ func (pa *mockPA) ChallengeTypeEnabled(t string) bool {
 	return true
 }
 
+func (pa *mockPA) ValidDomain(_ string) error {
+	return nil
+}
+
 func makeBody(s string) io.ReadCloser {
 	return ioutil.NopCloser(strings.NewReader(s))
 }
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
@@ -295,6 +295,10 @@ func (pa *mockPA) WillingToIssueWildcards(idents []identifier.ACMEIdentifier) er
 	return nil
 }
 
+func (pa *mockPA) ValidDomaiN(_ string) error {
+	return nil
+}
+
 func makeBody(s string) io.ReadCloser {
 	return ioutil.NopCloser(strings.NewReader(s))
 }

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,7 @@ type PolicyAuthority interface {`
`108`	`108`	`WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error`
`109`	`109`	`ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)`
`110`	`110`	`ChallengeTypeEnabled(t string) bool`
	`111`	`+ ValidDomain(domain string) error`
`111`	`112`	`}`
`112`	`113`
`113`	`114`	`// StorageGetter are the Boulder SA's read-only methods`
Original file line number	Diff line number	Diff line change
`@@ -3708,7 +3708,9 @@ func TestIssueCertificateInnerErrs(t *testing.T) {`
`3708`	`3708`	`}`
`3709`	`3709`
`3710`	`3710`	`func TestValidateEmailError(t *testing.T) {`
`3711`		`- err := validateEmail("(๑•́ ω •̀๑)")`
	`3711`	`+ _, _, ra, _, cleanUp := initAuthorities(t)`
	`3712`	`+ defer cleanUp()`
	`3713`	`+ err := ra.validateEmail("(๑•́ ω •̀๑)")`
`3712`	`3714`	`test.AssertEquals(t, err.Error(), "\"(๑•́ ω •̀๑)\" is not a valid e-mail address")`
`3713`	`3715`	`}`
`3714`	`3716`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ type client struct {`
`41`	`41`	`acme.Client`
`42`	`42`	`}`
`43`	`43`
`44`		`-func makeClient() (*client, error) {`
	`44`	`+func makeClient(contacts ...string) (*client, error) {`
`45`	`45`	`c, err := acme.NewClient(os.Getenv("DIRECTORY"))`
`46`	`46`	`if err != nil {`
`47`	`47`	`return nil, fmt.Errorf("Error connecting to acme directory: %v", err)`
`@@ -50,9 +50,9 @@ func makeClient() (*client, error) {`
`50`	`50`	`if err != nil {`
`51`	`51`	`return nil, fmt.Errorf("error creating private key: %v", err)`
`52`	`52`	`}`
`53`		`- account, err := c.NewAccount(privKey, false, true, "mailto:example@letsencrypt.org")`
	`53`	`+ account, err := c.NewAccount(privKey, false, true, contacts...)`
`54`	`54`	`if err != nil {`
`55`		`- return nil, fmt.Errorf("error creating new account: %v", err)`
	`55`	`+ return nil, err`
`56`	`56`	`}`
`57`	`57`	`return &client{account, c}, nil`
`58`	`58`	`}`