Add wildcard exact blacklist to PA.#3318
Conversation
This commit adds a new "wildcardExactBlacklist" map to the PA's `AuthorityImpl` that is used by `WillingToIssueWildcard` to decide if a wildcard issuance would cover a high value domain. This prevents getting a wildcard for "*.example.com" if "highvalue.example.com" were on the exact blacklist since it would circumvent the intention of the exact blacklist by minting a certificate that could be used for "highvalue.example.com".
jsha
left a comment
There was a problem hiding this comment.
There's a question of whether an ExactBlacklist entry for highvalue.example.org should block *.highvalue.example.org in addition to *.example.org. This is mainly based on an implementation difficulty: Since WillingToIssueWildcard calls WillingToIssue on the base domain, an issuance attempt for *.highvalue.example.org winds up calling WillingToIssue(highvalue.example.org), which hits the exact blacklist.
I think we can remedy this by calling prepending an example label, like "x", so we wind up calling WillingToIssue(x.highvalue.example.org) (which would pass). This is a little silly, but I think it's better than creating surprising semantics for ExactBlacklist. Note that I propose a single-letter prefix ("x") instead of "example" to avoid edge cases around super long domain names.
| // | ||
| // First, split the domain into two parts: the first label (including the | ||
| // ".") and the rest of the domain. | ||
| parts := strings.SplitAfterN(v, ".", 2) |
There was a problem hiding this comment.
I think SplitN works just as well here and is slightly clearer (you can remove the "including the ." comment above).
| return errICANNTLDWildcard | ||
| } | ||
| // The base domain can't be in the wildcard exact blacklist | ||
| if pa.wildcardExactBlacklist[baseDomain] { |
There was a problem hiding this comment.
I think you need to lock the mutex before this access.
There was a problem hiding this comment.
Good catch - you're right 👍
|
Ready for another 🔍 round |
| // Since the base domain without the "*." may trip the exact hostname policy | ||
| // blacklist when the "*." is removed we replace it with a single "x" | ||
| // character to differentiate "*.example.com" from "example.com" for the | ||
| // exact hostname check. |
There was a problem hiding this comment.
Just to immortalize an OOB conversation: this is a bit hacky, and should probably be done in a different way, but doing so would require separating the valid domain structure logic from the policy/blacklist logic. If we want to push that work to another sprint can we add a TODO with the relevant ticket.
|
Generally LGTM, conflicts + TODO for the followup work. |
This commit adds a new
wildcardExactBlacklistmap to the PA'sAuthorityImplthat is used byWillingToIssueWildcardto decide ifa wildcard issuance would cover a high value domain.
This prevents getting a wildcard for
"*.example.com"if"highvalue.example.com"is on the exact blacklist since it wouldcircumvent the intention of the exact blacklist by minting a certificate
that could be used for
"highvalue.example.com".Resolves #3239