ra.go

Documentation: github.com/letsencrypt/boulder/ra

     1  package ra
     2  
     3  import (
     4  	"context"
     5  	"crypto"
     6  	"crypto/x509"
     7  	"encoding/json"
     8  	"errors"
     9  	"fmt"
    10  	"math/big"
    11  	"net"
    12  	"net/url"
    13  	"os"
    14  	"slices"
    15  	"sort"
    16  	"strconv"
    17  	"strings"
    18  	"sync"
    19  	"time"
    20  
    21  	"github.com/jmhodges/clock"
    22  	"github.com/prometheus/client_golang/prometheus"
    23  	"github.com/weppos/publicsuffix-go/publicsuffix"
    24  	"golang.org/x/crypto/ocsp"
    25  	"google.golang.org/grpc"
    26  	"google.golang.org/protobuf/proto"
    27  	"google.golang.org/protobuf/types/known/durationpb"
    28  	"google.golang.org/protobuf/types/known/emptypb"
    29  	"google.golang.org/protobuf/types/known/timestamppb"
    30  	"gopkg.in/go-jose/go-jose.v2"
    31  
    32  	"github.com/letsencrypt/boulder/akamai"
    33  	akamaipb "github.com/letsencrypt/boulder/akamai/proto"
    34  	capb "github.com/letsencrypt/boulder/ca/proto"
    35  	"github.com/letsencrypt/boulder/core"
    36  	corepb "github.com/letsencrypt/boulder/core/proto"
    37  	csrlib "github.com/letsencrypt/boulder/csr"
    38  	"github.com/letsencrypt/boulder/ctpolicy"
    39  	berrors "github.com/letsencrypt/boulder/errors"
    40  	"github.com/letsencrypt/boulder/features"
    41  	"github.com/letsencrypt/boulder/goodkey"
    42  	bgrpc "github.com/letsencrypt/boulder/grpc"
    43  	"github.com/letsencrypt/boulder/identifier"
    44  	"github.com/letsencrypt/boulder/issuance"
    45  	blog "github.com/letsencrypt/boulder/log"
    46  	"github.com/letsencrypt/boulder/metrics"
    47  	"github.com/letsencrypt/boulder/policy"
    48  	"github.com/letsencrypt/boulder/probs"
    49  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
    50  	rapb "github.com/letsencrypt/boulder/ra/proto"
    51  	"github.com/letsencrypt/boulder/ratelimit"
    52  	"github.com/letsencrypt/boulder/ratelimits"
    53  	"github.com/letsencrypt/boulder/revocation"
    54  	sapb "github.com/letsencrypt/boulder/sa/proto"
    55  	vapb "github.com/letsencrypt/boulder/va/proto"
    56  	"github.com/letsencrypt/boulder/web"
    57  )
    58  
    59  var (
    60  	errIncompleteGRPCRequest  = errors.New("incomplete gRPC request message")
    61  	errIncompleteGRPCResponse = errors.New("incomplete gRPC response message")
    62  
    63  	// caaRecheckDuration is the amount of time after a CAA check that we will
    64  	// recheck the CAA records for a domain. Per Baseline Requirements, we must
    65  	// recheck CAA records within 8 hours of issuance. We set this to 7 hours to
    66  	// stay on the safe side.
    67  	caaRecheckDuration = -7 * time.Hour
    68  )
    69  
    70  type caaChecker interface {
    71  	IsCAAValid(
    72  		ctx context.Context,
    73  		in *vapb.IsCAAValidRequest,
    74  		opts ...grpc.CallOption,
    75  	) (*vapb.IsCAAValidResponse, error)
    76  }
    77  
    78  // RegistrationAuthorityImpl defines an RA.
    79  //
    80  // NOTE: All of the fields in RegistrationAuthorityImpl need to be
    81  // populated, or there is a risk of panic.
    82  type RegistrationAuthorityImpl struct {
    83  	rapb.UnimplementedRegistrationAuthorityServer
    84  	CA        capb.CertificateAuthorityClient
    85  	OCSP      capb.OCSPGeneratorClient
    86  	VA        vapb.VAClient
    87  	SA        sapb.StorageAuthorityClient
    88  	PA        core.PolicyAuthority
    89  	publisher pubpb.PublisherClient
    90  	caa       caaChecker
    91  
    92  	clk       clock.Clock
    93  	log       blog.Logger
    94  	keyPolicy goodkey.KeyPolicy
    95  	// How long before a newly created authorization expires.
    96  	authorizationLifetime        time.Duration
    97  	pendingAuthorizationLifetime time.Duration
    98  	rlPolicies                   ratelimit.Limits
    99  	maxContactsPerReg            int
   100  	maxNames                     int
   101  	orderLifetime                time.Duration
   102  	finalizeTimeout              time.Duration
   103  	finalizeWG                   sync.WaitGroup
   104  
   105  	issuersByNameID map[issuance.IssuerNameID]*issuance.Certificate
   106  	issuersByID     map[issuance.IssuerID]*issuance.Certificate
   107  	purger          akamaipb.AkamaiPurgerClient
   108  
   109  	ctpolicy *ctpolicy.CTPolicy
   110  
   111  	ctpolicyResults             *prometheus.HistogramVec
   112  	revocationReasonCounter     *prometheus.CounterVec
   113  	namesPerCert                *prometheus.HistogramVec
   114  	rlCheckLatency              *prometheus.HistogramVec
   115  	rlOverrideUsageGauge        *prometheus.GaugeVec
   116  	newRegCounter               prometheus.Counter
   117  	recheckCAACounter           prometheus.Counter
   118  	newCertCounter              prometheus.Counter
   119  	recheckCAAUsedAuthzLifetime prometheus.Counter
   120  	authzAges                   *prometheus.HistogramVec
   121  	orderAges                   *prometheus.HistogramVec
   122  	inflightFinalizes           prometheus.Gauge
   123  }
   124  
   125  // NewRegistrationAuthorityImpl constructs a new RA object.
   126  func NewRegistrationAuthorityImpl(
   127  	clk clock.Clock,
   128  	logger blog.Logger,
   129  	stats prometheus.Registerer,
   130  	maxContactsPerReg int,
   131  	keyPolicy goodkey.KeyPolicy,
   132  	maxNames int,
   133  	authorizationLifetime time.Duration,
   134  	pendingAuthorizationLifetime time.Duration,
   135  	pubc pubpb.PublisherClient,
   136  	caaClient caaChecker,
   137  	orderLifetime time.Duration,
   138  	finalizeTimeout time.Duration,
   139  	ctp *ctpolicy.CTPolicy,
   140  	purger akamaipb.AkamaiPurgerClient,
   141  	issuers []*issuance.Certificate,
   142  ) *RegistrationAuthorityImpl {
   143  	ctpolicyResults := prometheus.NewHistogramVec(
   144  		prometheus.HistogramOpts{
   145  			Name:    "ctpolicy_results",
   146  			Help:    "Histogram of latencies of ctpolicy.GetSCTs calls with success/failure/deadlineExceeded labels",
   147  			Buckets: metrics.InternetFacingBuckets,
   148  		},
   149  		[]string{"result"},
   150  	)
   151  	stats.MustRegister(ctpolicyResults)
   152  
   153  	namesPerCert := prometheus.NewHistogramVec(
   154  		prometheus.HistogramOpts{
   155  			Name: "names_per_cert",
   156  			Help: "Histogram of the number of SANs in requested and issued certificates",
   157  			// The namesPerCert buckets are chosen based on the current Let's Encrypt
   158  			// limit of 100 SANs per certificate.
   159  			Buckets: []float64{1, 5, 10, 20, 30, 40, 50, 60, 70, 80, 90, 100},
   160  		},
   161  		// Type label value is either "requested" or "issued".
   162  		[]string{"type"},
   163  	)
   164  	stats.MustRegister(namesPerCert)
   165  
   166  	rlCheckLatency := prometheus.NewHistogramVec(prometheus.HistogramOpts{
   167  		Name: "ratelimitsv1_check_latency_seconds",
   168  		Help: fmt.Sprintf("Latency of ratelimit checks labeled by limit=[name] and decision=[%s|%s], in seconds", ratelimits.Allowed, ratelimits.Denied),
   169  	}, []string{"limit", "decision"})
   170  	stats.MustRegister(rlCheckLatency)
   171  
   172  	overrideUsageGauge := prometheus.NewGaugeVec(prometheus.GaugeOpts{
   173  		Name: "ratelimitsv1_override_usage",
   174  		Help: "Proportion of override limit used, by limit name and client identifier.",
   175  	}, []string{"limit", "override_key"})
   176  	stats.MustRegister(overrideUsageGauge)
   177  
   178  	newRegCounter := prometheus.NewCounter(prometheus.CounterOpts{
   179  		Name: "new_registrations",
   180  		Help: "A counter of new registrations",
   181  	})
   182  	stats.MustRegister(newRegCounter)
   183  
   184  	recheckCAACounter := prometheus.NewCounter(prometheus.CounterOpts{
   185  		Name: "recheck_caa",
   186  		Help: "A counter of CAA rechecks",
   187  	})
   188  	stats.MustRegister(recheckCAACounter)
   189  
   190  	recheckCAAUsedAuthzLifetime := prometheus.NewCounter(prometheus.CounterOpts{
   191  		Name: "recheck_caa_used_authz_lifetime",
   192  		Help: "A counter times the old codepath was used for CAA recheck time",
   193  	})
   194  	stats.MustRegister(recheckCAAUsedAuthzLifetime)
   195  
   196  	newCertCounter := prometheus.NewCounter(prometheus.CounterOpts{
   197  		Name: "new_certificates",
   198  		Help: "A counter of new certificates",
   199  	})
   200  	stats.MustRegister(newCertCounter)
   201  
   202  	revocationReasonCounter := prometheus.NewCounterVec(prometheus.CounterOpts{
   203  		Name: "revocation_reason",
   204  		Help: "A counter of certificate revocation reasons",
   205  	}, []string{"reason"})
   206  	stats.MustRegister(revocationReasonCounter)
   207  
   208  	authzAges := prometheus.NewHistogramVec(prometheus.HistogramOpts{
   209  		Name: "authz_ages",
   210  		Help: "Histogram of ages, in seconds, of Authorization objects, labelled by method and type",
   211  		// authzAges keeps track of how old, in seconds, authorizations are when
   212  		// we attach them to a new order and again when we finalize that order.
   213  		// We give it a non-standard bucket distribution so that the leftmost
   214  		// (closest to zero) bucket can be used exclusively for brand-new (i.e.
   215  		// not reused) authzs. Our buckets are: one nanosecond, one second, one
   216  		// minute, one hour, 7 hours (our CAA reuse time), 1 day, 2 days, 7
   217  		// days, 30 days, +inf (should be empty).
   218  		Buckets: []float64{0.000000001, 1, 60, 3600, 25200, 86400, 172800, 604800, 2592000, 7776000},
   219  	}, []string{"method", "type"})
   220  	stats.MustRegister(authzAges)
   221  
   222  	orderAges := prometheus.NewHistogramVec(prometheus.HistogramOpts{
   223  		Name: "order_ages",
   224  		Help: "Histogram of ages, in seconds, of Order objects when they're reused and finalized, labelled by method",
   225  		// Orders currently have a max age of 7 days (168hrs), so our buckets
   226  		// are: one nanosecond (new), 1 second, 10 seconds, 1 minute, 10
   227  		// minutes, 1 hour, 7 hours (our CAA reuse time), 1 day, 2 days, 7 days, +inf.
   228  		Buckets: []float64{0.000000001, 1, 10, 60, 600, 3600, 25200, 86400, 172800, 604800},
   229  	}, []string{"method"})
   230  	stats.MustRegister(orderAges)
   231  
   232  	inflightFinalizes := prometheus.NewGauge(prometheus.GaugeOpts{
   233  		Name: "inflight_finalizes",
   234  		Help: "Gauge of the number of current asynchronous finalize goroutines",
   235  	})
   236  	stats.MustRegister(inflightFinalizes)
   237  
   238  	issuersByNameID := make(map[issuance.IssuerNameID]*issuance.Certificate)
   239  	issuersByID := make(map[issuance.IssuerID]*issuance.Certificate)
   240  	for _, issuer := range issuers {
   241  		issuersByNameID[issuer.NameID()] = issuer
   242  		issuersByID[issuer.ID()] = issuer
   243  	}
   244  
   245  	ra := &RegistrationAuthorityImpl{
   246  		clk:                          clk,
   247  		log:                          logger,
   248  		authorizationLifetime:        authorizationLifetime,
   249  		pendingAuthorizationLifetime: pendingAuthorizationLifetime,
   250  		rlPolicies:                   ratelimit.New(),
   251  		maxContactsPerReg:            maxContactsPerReg,
   252  		keyPolicy:                    keyPolicy,
   253  		maxNames:                     maxNames,
   254  		publisher:                    pubc,
   255  		caa:                          caaClient,
   256  		orderLifetime:                orderLifetime,
   257  		finalizeTimeout:              finalizeTimeout,
   258  		ctpolicy:                     ctp,
   259  		ctpolicyResults:              ctpolicyResults,
   260  		purger:                       purger,
   261  		issuersByNameID:              issuersByNameID,
   262  		issuersByID:                  issuersByID,
   263  		namesPerCert:                 namesPerCert,
   264  		rlCheckLatency:               rlCheckLatency,
   265  		rlOverrideUsageGauge:         overrideUsageGauge,
   266  		newRegCounter:                newRegCounter,
   267  		recheckCAACounter:            recheckCAACounter,
   268  		newCertCounter:               newCertCounter,
   269  		revocationReasonCounter:      revocationReasonCounter,
   270  		recheckCAAUsedAuthzLifetime:  recheckCAAUsedAuthzLifetime,
   271  		authzAges:                    authzAges,
   272  		orderAges:                    orderAges,
   273  		inflightFinalizes:            inflightFinalizes,
   274  	}
   275  	return ra
   276  }
   277  
   278  func (ra *RegistrationAuthorityImpl) LoadRateLimitPoliciesFile(filename string) error {
   279  	configBytes, err := os.ReadFile(filename)
   280  	if err != nil {
   281  		return err
   282  	}
   283  	err = ra.rlPolicies.LoadPolicies(configBytes)
   284  	if err != nil {
   285  		return err
   286  	}
   287  
   288  	return nil
   289  }
   290  
   291  // certificateRequestAuthz is a struct for holding information about a valid
   292  // authz referenced during a certificateRequestEvent. It holds both the
   293  // authorization ID and the challenge type that made the authorization valid. We
   294  // specifically include the challenge type that solved the authorization to make
   295  // some common analysis easier.
   296  type certificateRequestAuthz struct {
   297  	ID            string
   298  	ChallengeType core.AcmeChallenge
   299  }
   300  
   301  // certificateRequestEvent is a struct for holding information that is logged as
   302  // JSON to the audit log as the result of an issuance event.
   303  type certificateRequestEvent struct {
   304  	ID string `json:",omitempty"`
   305  	// Requester is the associated account ID
   306  	Requester int64 `json:",omitempty"`
   307  	// OrderID is the associated order ID (may be empty for an ACME v1 issuance)
   308  	OrderID int64 `json:",omitempty"`
   309  	// SerialNumber is the string representation of the issued certificate's
   310  	// serial number
   311  	SerialNumber string `json:",omitempty"`
   312  	// VerifiedFields are required by the baseline requirements and are always
   313  	// a static value for Boulder.
   314  	VerifiedFields []string `json:",omitempty"`
   315  	// CommonName is the subject common name from the issued cert
   316  	CommonName string `json:",omitempty"`
   317  	// Names are the DNS SAN entries from the issued cert
   318  	Names []string `json:",omitempty"`
   319  	// NotBefore is the starting timestamp of the issued cert's validity period
   320  	NotBefore time.Time `json:",omitempty"`
   321  	// NotAfter is the ending timestamp of the issued cert's validity period
   322  	NotAfter time.Time `json:",omitempty"`
   323  	// RequestTime and ResponseTime are for tracking elapsed time during issuance
   324  	RequestTime  time.Time `json:",omitempty"`
   325  	ResponseTime time.Time `json:",omitempty"`
   326  	// Error contains any encountered errors
   327  	Error string `json:",omitempty"`
   328  	// Authorizations is a map of identifier names to certificateRequestAuthz
   329  	// objects. It can be used to understand how the names in a certificate
   330  	// request were authorized.
   331  	Authorizations map[string]certificateRequestAuthz
   332  }
   333  
   334  // certificateRevocationEvent is a struct for holding information that is logged
   335  // as JSON to the audit log as the result of a revocation event.
   336  type certificateRevocationEvent struct {
   337  	ID string `json:",omitempty"`
   338  	// SerialNumber is the string representation of the revoked certificate's
   339  	// serial number.
   340  	SerialNumber string `json:",omitempty"`
   341  	// Reason is the integer representing the revocation reason used.
   342  	Reason int64 `json:",omitempty"`
   343  	// Method is the way in which revocation was requested.
   344  	// It will be one of the strings: "applicant", "subscriber", "control", "key", or "admin".
   345  	Method string `json:",omitempty"`
   346  	// RequesterID is the account ID of the requester.
   347  	// Will be zero for admin revocations.
   348  	RequesterID int64 `json:",omitempty"`
   349  	// AdminName is the name of the admin requester.
   350  	// Will be zero for subscriber revocations.
   351  	AdminName string `json:",omitempty"`
   352  	// Error contains any error encountered during revocation.
   353  	Error string `json:",omitempty"`
   354  }
   355  
   356  // finalizationCAACheckEvent is a struct for holding information logged as JSON
   357  // to the info log as the result of an issuance event. It is logged when the RA
   358  // performs the final CAA check of a certificate finalization request.
   359  type finalizationCAACheckEvent struct {
   360  	// Requester is the associated account ID.
   361  	Requester int64 `json:",omitempty"`
   362  	// Reused is a count of Authz where the original CAA check was performed in
   363  	// the last 7 hours.
   364  	Reused int `json:",omitempty"`
   365  	// Rechecked is a count of Authz where a new CAA check was performed because
   366  	// the original check was older than 7 hours.
   367  	Rechecked int `json:",omitempty"`
   368  }
   369  
   370  // noRegistrationID is used for the regID parameter to GetThreshold when no
   371  // registration-based overrides are necessary.
   372  const noRegistrationID = -1
   373  
   374  // registrationCounter is a type to abstract the use of `CountRegistrationsByIP`
   375  // or `CountRegistrationsByIPRange` SA methods.
   376  type registrationCounter func(context.Context, *sapb.CountRegistrationsByIPRequest, ...grpc.CallOption) (*sapb.Count, error)
   377  
   378  // checkRegistrationIPLimit checks a specific registraton limit by using the
   379  // provided registrationCounter function to determine if the limit has been
   380  // exceeded for a given IP or IP range
   381  func (ra *RegistrationAuthorityImpl) checkRegistrationIPLimit(ctx context.Context, limit ratelimit.RateLimitPolicy, ip net.IP, counter registrationCounter) error {
   382  	now := ra.clk.Now()
   383  	count, err := counter(ctx, &sapb.CountRegistrationsByIPRequest{
   384  		Ip: ip,
   385  		Range: &sapb.Range{
   386  			EarliestNS: limit.WindowBegin(now).UnixNano(),
   387  			Earliest:   timestamppb.New(limit.WindowBegin(now)),
   388  			LatestNS:   now.UnixNano(),
   389  			Latest:     timestamppb.New(now),
   390  		},
   391  	})
   392  	if err != nil {
   393  		return err
   394  	}
   395  
   396  	threshold, overrideKey := limit.GetThreshold(ip.String(), noRegistrationID)
   397  	if overrideKey != "" {
   398  		// We do not support overrides for the NewRegistrationsPerIPRange limit.
   399  		utilization := float64(count.Count) / float64(threshold)
   400  		ra.rlOverrideUsageGauge.WithLabelValues(ratelimit.RegistrationsPerIP, overrideKey).Set(utilization)
   401  	}
   402  
   403  	if count.Count >= threshold {
   404  		return berrors.RegistrationsPerIPError(0, "too many registrations for this IP")
   405  	}
   406  
   407  	return nil
   408  }
   409  
   410  // checkRegistrationLimits enforces the RegistrationsPerIP and
   411  // RegistrationsPerIPRange limits
   412  func (ra *RegistrationAuthorityImpl) checkRegistrationLimits(ctx context.Context, ip net.IP) error {
   413  	// Check the registrations per IP limit using the CountRegistrationsByIP SA
   414  	// function that matches IP addresses exactly
   415  	exactRegLimit := ra.rlPolicies.RegistrationsPerIP()
   416  	if exactRegLimit.Enabled() {
   417  		started := ra.clk.Now()
   418  		err := ra.checkRegistrationIPLimit(ctx, exactRegLimit, ip, ra.SA.CountRegistrationsByIP)
   419  		elapsed := ra.clk.Since(started)
   420  		if err != nil {
   421  			if errors.Is(err, berrors.RateLimit) {
   422  				ra.rlCheckLatency.WithLabelValues(ratelimit.RegistrationsPerIP, ratelimits.Denied).Observe(elapsed.Seconds())
   423  				ra.log.Infof("Rate limit exceeded, RegistrationsPerIP, by IP: %q", ip)
   424  			}
   425  			return err
   426  		}
   427  		ra.rlCheckLatency.WithLabelValues(ratelimit.RegistrationsPerIP, ratelimits.Allowed).Observe(elapsed.Seconds())
   428  	}
   429  
   430  	// We only apply the fuzzy reg limit to IPv6 addresses.
   431  	// Per https://golang.org/pkg/net/#IP.To4 "If ip is not an IPv4 address, To4
   432  	// returns nil"
   433  	if ip.To4() != nil {
   434  		return nil
   435  	}
   436  
   437  	// Check the registrations per IP range limit using the
   438  	// CountRegistrationsByIPRange SA function that fuzzy-matches IPv6 addresses
   439  	// within a larger address range
   440  	fuzzyRegLimit := ra.rlPolicies.RegistrationsPerIPRange()
   441  	if fuzzyRegLimit.Enabled() {
   442  		started := ra.clk.Now()
   443  		err := ra.checkRegistrationIPLimit(ctx, fuzzyRegLimit, ip, ra.SA.CountRegistrationsByIPRange)
   444  		elapsed := ra.clk.Since(started)
   445  		if err != nil {
   446  			if errors.Is(err, berrors.RateLimit) {
   447  				ra.rlCheckLatency.WithLabelValues(ratelimit.RegistrationsPerIPRange, ratelimits.Denied).Observe(elapsed.Seconds())
   448  				ra.log.Infof("Rate limit exceeded, RegistrationsByIPRange, IP: %q", ip)
   449  
   450  				// For the fuzzyRegLimit we use a new error message that specifically
   451  				// mentions that the limit being exceeded is applied to a *range* of IPs
   452  				return berrors.RateLimitError(0, "too many registrations for this IP range")
   453  			}
   454  			return err
   455  		}
   456  		ra.rlCheckLatency.WithLabelValues(ratelimit.RegistrationsPerIPRange, ratelimits.Allowed).Observe(elapsed.Seconds())
   457  	}
   458  
   459  	return nil
   460  }
   461  
   462  // NewRegistration constructs a new Registration from a request.
   463  func (ra *RegistrationAuthorityImpl) NewRegistration(ctx context.Context, request *corepb.Registration) (*corepb.Registration, error) {
   464  	// Error if the request is nil, there is no account key or IP address
   465  	if request == nil || len(request.Key) == 0 || len(request.InitialIP) == 0 {
   466  		return nil, errIncompleteGRPCRequest
   467  	}
   468  
   469  	// Check if account key is acceptable for use.
   470  	var key jose.JSONWebKey
   471  	err := key.UnmarshalJSON(request.Key)
   472  	if err != nil {
   473  		return nil, berrors.InternalServerError("failed to unmarshal account key: %s", err.Error())
   474  	}
   475  	err = ra.keyPolicy.GoodKey(ctx, key.Key)
   476  	if err != nil {
   477  		return nil, berrors.MalformedError("invalid public key: %s", err.Error())
   478  	}
   479  
   480  	// Check IP address rate limits.
   481  	var ipAddr net.IP
   482  	err = ipAddr.UnmarshalText(request.InitialIP)
   483  	if err != nil {
   484  		return nil, berrors.InternalServerError("failed to unmarshal ip address: %s", err.Error())
   485  	}
   486  	err = ra.checkRegistrationLimits(ctx, ipAddr)
   487  	if err != nil {
   488  		return nil, err
   489  	}
   490  
   491  	// Check that contacts conform to our expectations.
   492  	err = validateContactsPresent(request.Contact, request.ContactsPresent)
   493  	if err != nil {
   494  		return nil, err
   495  	}
   496  	err = ra.validateContacts(request.Contact)
   497  	if err != nil {
   498  		return nil, err
   499  	}
   500  
   501  	// Don't populate ID or CreatedAt because those will be set by the SA.
   502  	req := &corepb.Registration{
   503  		Key:             request.Key,
   504  		Contact:         request.Contact,
   505  		ContactsPresent: request.ContactsPresent,
   506  		Agreement:       request.Agreement,
   507  		InitialIP:       request.InitialIP,
   508  		Status:          string(core.StatusValid),
   509  	}
   510  
   511  	// Store the registration object, then return the version that got stored.
   512  	res, err := ra.SA.NewRegistration(ctx, req)
   513  	if err != nil {
   514  		return nil, err
   515  	}
   516  
   517  	ra.newRegCounter.Inc()
   518  	return res, nil
   519  }
   520  
   521  // validateContacts checks the provided list of contacts, returning an error if
   522  // any are not acceptable. Unacceptable contacts lists include:
   523  // * An empty list
   524  // * A list has more than maxContactsPerReg contacts
   525  // * A list containing an empty contact
   526  // * A list containing a contact that does not parse as a URL
   527  // * A list containing a contact that has a URL scheme other than mailto
   528  // * A list containing a mailto contact that contains hfields
   529  // * A list containing a contact that has non-ascii characters
   530  // * A list containing a contact that doesn't pass `policy.ValidEmail`
   531  func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
   532  	if len(contacts) == 0 {
   533  		return nil // Nothing to validate
   534  	}
   535  	if ra.maxContactsPerReg > 0 && len(contacts) > ra.maxContactsPerReg {
   536  		return berrors.MalformedError(
   537  			"too many contacts provided: %d > %d",
   538  			len(contacts),
   539  			ra.maxContactsPerReg,
   540  		)
   541  	}
   542  
   543  	for _, contact := range contacts {
   544  		if contact == "" {
   545  			return berrors.InvalidEmailError("empty contact")
   546  		}
   547  		parsed, err := url.Parse(contact)
   548  		if err != nil {
   549  			return berrors.InvalidEmailError("invalid contact")
   550  		}
   551  		if parsed.Scheme != "mailto" {
   552  			return berrors.UnsupportedContactError("contact method %q is not supported", parsed.Scheme)
   553  		}
   554  		if parsed.RawQuery != "" || contact[len(contact)-1] == '?' {
   555  			return berrors.InvalidEmailError("contact email %q contains a question mark", contact)
   556  		}
   557  		if parsed.Fragment != "" || contact[len(contact)-1] == '#' {
   558  			return berrors.InvalidEmailError("contact email %q contains a '#'", contact)
   559  		}
   560  		if !core.IsASCII(contact) {
   561  			return berrors.InvalidEmailError(
   562  				"contact email [%q] contains non-ASCII characters",
   563  				contact,
   564  			)
   565  		}
   566  		err = policy.ValidEmail(parsed.Opaque)
   567  		if err != nil {
   568  			return err
   569  		}
   570  	}
   571  
   572  	// NOTE(@cpu): For historical reasons (</3) we store ACME account contact
   573  	// information de-normalized in a fixed size `contact` field on the
   574  	// `registrations` table. At the time of writing this field is VARCHAR(191)
   575  	// That means the largest marshalled JSON value we can store is 191 bytes.
   576  	const maxContactBytes = 191
   577  	if jsonBytes, err := json.Marshal(contacts); err != nil {
   578  		// This shouldn't happen with a simple []string but if it does we want the
   579  		// error to be logged internally but served as a 500 to the user so we
   580  		// return a bare error and not a berror here.
   581  		return fmt.Errorf("failed to marshal reg.Contact to JSON: %#v", contacts)
   582  	} else if len(jsonBytes) >= maxContactBytes {
   583  		return berrors.InvalidEmailError(
   584  			"too many/too long contact(s). Please use shorter or fewer email addresses")
   585  	}
   586  
   587  	return nil
   588  }
   589  
   590  func (ra *RegistrationAuthorityImpl) checkPendingAuthorizationLimit(ctx context.Context, regID int64, limit ratelimit.RateLimitPolicy) error {
   591  	// This rate limit's threshold can only be overridden on a per-regID basis,
   592  	// not based on any other key.
   593  	threshold, overrideKey := limit.GetThreshold("", regID)
   594  	if threshold == -1 {
   595  		return nil
   596  	}
   597  	countPB, err := ra.SA.CountPendingAuthorizations2(ctx, &sapb.RegistrationID{
   598  		Id: regID,
   599  	})
   600  	if err != nil {
   601  		return err
   602  	}
   603  	if overrideKey != "" {
   604  		utilization := float64(countPB.Count) / float64(threshold)
   605  		ra.rlOverrideUsageGauge.WithLabelValues(ratelimit.PendingAuthorizationsPerAccount, overrideKey).Set(utilization)
   606  	}
   607  	if countPB.Count >= threshold {
   608  		ra.log.Infof("Rate limit exceeded, PendingAuthorizationsByRegID, regID: %d", regID)
   609  		return berrors.RateLimitError(0, "too many currently pending authorizations: %d", countPB.Count)
   610  	}
   611  	return nil
   612  }
   613  
   614  // checkInvalidAuthorizationLimits checks the failed validation limit for each
   615  // of the provided hostnames. It returns the first error.
   616  func (ra *RegistrationAuthorityImpl) checkInvalidAuthorizationLimits(ctx context.Context, regID int64, hostnames []string, limits ratelimit.RateLimitPolicy) error {
   617  	results := make(chan error, len(hostnames))
   618  	for _, hostname := range hostnames {
   619  		go func(hostname string) {
   620  			results <- ra.checkInvalidAuthorizationLimit(ctx, regID, hostname, limits)
   621  		}(hostname)
   622  	}
   623  	// We don't have to wait for all of the goroutines to finish because there's
   624  	// enough capacity in the chan for them all to write their result even if
   625  	// nothing is reading off the chan anymore.
   626  	for i := 0; i < len(hostnames); i++ {
   627  		err := <-results
   628  		if err != nil {
   629  			return err
   630  		}
   631  	}
   632  	return nil
   633  }
   634  
   635  func (ra *RegistrationAuthorityImpl) checkInvalidAuthorizationLimit(ctx context.Context, regID int64, hostname string, limit ratelimit.RateLimitPolicy) error {
   636  	latest := ra.clk.Now().Add(ra.pendingAuthorizationLifetime)
   637  	earliest := latest.Add(-limit.Window.Duration)
   638  	req := &sapb.CountInvalidAuthorizationsRequest{
   639  		RegistrationID: regID,
   640  		Hostname:       hostname,
   641  		Range: &sapb.Range{
   642  			EarliestNS: earliest.UnixNano(),
   643  			Earliest:   timestamppb.New(earliest),
   644  			LatestNS:   latest.UnixNano(),
   645  			Latest:     timestamppb.New(latest),
   646  		},
   647  	}
   648  	count, err := ra.SA.CountInvalidAuthorizations2(ctx, req)
   649  	if err != nil {
   650  		return err
   651  	}
   652  	// Most rate limits have a key for overrides, but there is no meaningful key
   653  	// here.
   654  	noKey := ""
   655  	threshold, overrideKey := limit.GetThreshold(noKey, regID)
   656  	if overrideKey != "" {
   657  		utilization := float64(count.Count) / float64(threshold)
   658  		ra.rlOverrideUsageGauge.WithLabelValues(ratelimit.InvalidAuthorizationsPerAccount, overrideKey).Set(utilization)
   659  	}
   660  	if count.Count >= threshold {
   661  		ra.log.Infof("Rate limit exceeded, InvalidAuthorizationsByRegID, regID: %d", regID)
   662  		return berrors.FailedValidationError(0, "too many failed authorizations recently")
   663  	}
   664  	return nil
   665  }
   666  
   667  // checkNewOrdersPerAccountLimit enforces the rlPolicies `NewOrdersPerAccount`
   668  // rate limit. This rate limit ensures a client can not create more than the
   669  // specified threshold of new orders within the specified time window.
   670  func (ra *RegistrationAuthorityImpl) checkNewOrdersPerAccountLimit(ctx context.Context, acctID int64, limit ratelimit.RateLimitPolicy) error {
   671  	now := ra.clk.Now()
   672  	count, err := ra.SA.CountOrders(ctx, &sapb.CountOrdersRequest{
   673  		AccountID: acctID,
   674  		Range: &sapb.Range{
   675  			EarliestNS: now.Add(-limit.Window.Duration).UnixNano(),
   676  			Earliest:   timestamppb.New(now.Add(-limit.Window.Duration)),
   677  			LatestNS:   now.UnixNano(),
   678  			Latest:     timestamppb.New(now),
   679  		},
   680  	})
   681  	if err != nil {
   682  		return err
   683  	}
   684  	// There is no meaningful override key to use for this rate limit
   685  	noKey := ""
   686  	threshold, overrideKey := limit.GetThreshold(noKey, acctID)
   687  	if overrideKey != "" {
   688  		utilization := float64(count.Count) / float64(threshold)
   689  		ra.rlOverrideUsageGauge.WithLabelValues(ratelimit.NewOrdersPerAccount, overrideKey).Set(utilization)
   690  	}
   691  
   692  	if count.Count >= threshold {
   693  		return berrors.RateLimitError(0, "too many new orders recently")
   694  	}
   695  	return nil
   696  }
   697  
   698  // matchesCSR tests the contents of a generated certificate to make sure
   699  // that the PublicKey, CommonName, and DNSNames match those provided in
   700  // the CSR that was used to generate the certificate. It also checks the
   701  // following fields for:
   702  //   - notBefore is not more than 24 hours ago
   703  //   - BasicConstraintsValid is true
   704  //   - IsCA is false
   705  //   - ExtKeyUsage only contains ExtKeyUsageServerAuth & ExtKeyUsageClientAuth
   706  //   - Subject only contains CommonName & Names
   707  func (ra *RegistrationAuthorityImpl) matchesCSR(parsedCertificate *x509.Certificate, csr *x509.CertificateRequest) error {
   708  	if !core.KeyDigestEquals(parsedCertificate.PublicKey, csr.PublicKey) {
   709  		return berrors.InternalServerError("generated certificate public key doesn't match CSR public key")
   710  	}
   711  
   712  	csrNames := csrlib.NamesFromCSR(csr)
   713  	if parsedCertificate.Subject.CommonName != "" {
   714  		// Only check that the issued common name matches one of the SANs if there
   715  		// is an issued CN at all: this allows flexibility on whether we include
   716  		// the CN.
   717  		if !slices.Contains(csrNames.SANs, parsedCertificate.Subject.CommonName) {
   718  			return berrors.InternalServerError("generated certificate CommonName doesn't match any CSR name")
   719  		}
   720  	}
   721  
   722  	parsedNames := parsedCertificate.DNSNames
   723  	sort.Strings(parsedNames)
   724  	if !slices.Equal(parsedNames, csrNames.SANs) {
   725  		return berrors.InternalServerError("generated certificate DNSNames don't match CSR DNSNames")
   726  	}
   727  
   728  	if !slices.EqualFunc(parsedCertificate.IPAddresses, csr.IPAddresses, func(l, r net.IP) bool { return l.Equal(r) }) {
   729  		return berrors.InternalServerError("generated certificate IPAddresses don't match CSR IPAddresses")
   730  	}
   731  	if !slices.Equal(parsedCertificate.EmailAddresses, csr.EmailAddresses) {
   732  		return berrors.InternalServerError("generated certificate EmailAddresses don't match CSR EmailAddresses")
   733  	}
   734  
   735  	if len(parsedCertificate.Subject.Country) > 0 || len(parsedCertificate.Subject.Organization) > 0 ||
   736  		len(parsedCertificate.Subject.OrganizationalUnit) > 0 || len(parsedCertificate.Subject.Locality) > 0 ||
   737  		len(parsedCertificate.Subject.Province) > 0 || len(parsedCertificate.Subject.StreetAddress) > 0 ||
   738  		len(parsedCertificate.Subject.PostalCode) > 0 {
   739  		return berrors.InternalServerError("generated certificate Subject contains fields other than CommonName, or SerialNumber")
   740  	}
   741  	now := ra.clk.Now()
   742  	if now.Sub(parsedCertificate.NotBefore) > time.Hour*24 {
   743  		return berrors.InternalServerError("generated certificate is back dated %s", now.Sub(parsedCertificate.NotBefore))
   744  	}
   745  	if !parsedCertificate.BasicConstraintsValid {
   746  		return berrors.InternalServerError("generated certificate doesn't have basic constraints set")
   747  	}
   748  	if parsedCertificate.IsCA {
   749  		return berrors.InternalServerError("generated certificate can sign other certificates")
   750  	}
   751  	if !slices.Equal(parsedCertificate.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
   752  		return berrors.InternalServerError("generated certificate doesn't have correct key usage extensions")
   753  	}
   754  
   755  	return nil
   756  }
   757  
   758  // checkOrderAuthorizations verifies that a provided set of names associated
   759  // with a specific order and account has all of the required valid, unexpired
   760  // authorizations to proceed with issuance. It returns the authorizations that
   761  // satisfied the set of names or it returns an error. If it returns an error, it
   762  // will be of type BoulderError.
   763  func (ra *RegistrationAuthorityImpl) checkOrderAuthorizations(
   764  	ctx context.Context,
   765  	names []string,
   766  	acctID accountID,
   767  	orderID orderID) (map[string]*core.Authorization, error) {
   768  	// Get all of the valid authorizations for this account/order
   769  	req := &sapb.GetValidOrderAuthorizationsRequest{
   770  		Id:     int64(orderID),
   771  		AcctID: int64(acctID),
   772  	}
   773  	authzMapPB, err := ra.SA.GetValidOrderAuthorizations2(ctx, req)
   774  	if err != nil {
   775  		return nil, berrors.InternalServerError("error in GetValidOrderAuthorizations: %s", err)
   776  	}
   777  	authzs, err := bgrpc.PBToAuthzMap(authzMapPB)
   778  	if err != nil {
   779  		return nil, err
   780  	}
   781  
   782  	// Ensure the names from the CSR are free of duplicates & lowercased.
   783  	names = core.UniqueLowerNames(names)
   784  
   785  	// Check the authorizations to ensure validity for the names required.
   786  	err = ra.checkAuthorizationsCAA(ctx, int64(acctID), names, authzs, ra.clk.Now())
   787  	if err != nil {
   788  		return nil, err
   789  	}
   790  
   791  	// Check the challenges themselves too.
   792  	for _, authz := range authzs {
   793  		err = ra.PA.CheckAuthz(authz)
   794  		if err != nil {
   795  			return nil, err
   796  		}
   797  	}
   798  
   799  	return authzs, nil
   800  }
   801  
   802  // validatedBefore checks if a given authorization's challenge was
   803  // validated before a given time. Returns a bool.
   804  func validatedBefore(authz *core.Authorization, caaRecheckTime time.Time) (bool, error) {
   805  	numChallenges := len(authz.Challenges)
   806  	if numChallenges != 1 {
   807  		return false, fmt.Errorf("authorization has incorrect number of challenges. 1 expected, %d found for: id %s", numChallenges, authz.ID)
   808  	}
   809  	if authz.Challenges[0].Validated == nil {
   810  		return false, fmt.Errorf("authorization's challenge has no validated timestamp for: id %s", authz.ID)
   811  	}
   812  	return authz.Challenges[0].Validated.Before(caaRecheckTime), nil
   813  }
   814  
   815  // checkAuthorizationsCAA implements the common logic of validating a set of
   816  // authorizations against a set of names that is used by both
   817  // `checkAuthorizations` and `checkOrderAuthorizations`. If required CAA will be
   818  // rechecked for authorizations that are too old.
   819  // If it returns an error, it will be of type BoulderError.
   820  func (ra *RegistrationAuthorityImpl) checkAuthorizationsCAA(
   821  	ctx context.Context,
   822  	acctID int64,
   823  	names []string,
   824  	authzs map[string]*core.Authorization,
   825  	now time.Time) error {
   826  	// badNames contains the names that were unauthorized
   827  	var badNames []string
   828  	// recheckAuthzs is a list of authorizations that must have their CAA records rechecked
   829  	var recheckAuthzs []*core.Authorization
   830  
   831  	// Per Baseline Requirements, CAA must be checked within 8 hours of
   832  	// issuance. CAA is checked when an authorization is validated, so as
   833  	// long as that was less than 8 hours ago, we're fine. We recheck if
   834  	// that was more than 7 hours ago, to be on the safe side. We can
   835  	// check to see if the authorized challenge `AttemptedAt`
   836  	// (`Validated`) value from the database is before our caaRecheckTime.
   837  	// Set the recheck time to 7 hours ago.
   838  	caaRecheckAfter := now.Add(caaRecheckDuration)
   839  
   840  	// Set a CAA recheck time based on the assumption of a 30 day authz
   841  	// lifetime. This has been deprecated in favor of a new check based
   842  	// off the Validated time stored in the database, but we want to check
   843  	// both for a time and increment a stat if this code path is hit for
   844  	// compliance safety.
   845  	caaRecheckTime := now.Add(ra.authorizationLifetime).Add(caaRecheckDuration)
   846  
   847  	for _, name := range names {
   848  		authz := authzs[name]
   849  		if authz == nil {
   850  			badNames = append(badNames, name)
   851  		} else if authz.Expires == nil {
   852  			return berrors.InternalServerError("found an authorization with a nil Expires field: id %s", authz.ID)
   853  		} else if authz.Expires.Before(now) {
   854  			badNames = append(badNames, name)
   855  		} else if staleCAA, err := validatedBefore(authz, caaRecheckAfter); err != nil {
   856  			return berrors.InternalServerError(err.Error())
   857  		} else if staleCAA {
   858  			// Ensure that CAA is rechecked for this name
   859  			recheckAuthzs = append(recheckAuthzs, authz)
   860  		} else if authz.Expires.Before(caaRecheckTime) {
   861  			// Ensure that CAA is rechecked for this name
   862  			recheckAuthzs = append(recheckAuthzs, authz)
   863  			// This codepath should not be used, but is here as a safety
   864  			// net until the new codepath is proven. Increment metric if
   865  			// it is used.
   866  			ra.recheckCAAUsedAuthzLifetime.Add(1)
   867  		}
   868  	}
   869  
   870  	if len(recheckAuthzs) > 0 {
   871  		err := ra.recheckCAA(ctx, recheckAuthzs)
   872  		if err != nil {
   873  			return err
   874  		}
   875  	}
   876  
   877  	if len(badNames) > 0 {
   878  		return berrors.UnauthorizedError(
   879  			"authorizations for these names not found or expired: %s",
   880  			strings.Join(badNames, ", "),
   881  		)
   882  	}
   883  
   884  	caaEvent := &finalizationCAACheckEvent{
   885  		Requester: acctID,
   886  		Reused:    len(authzs) - len(recheckAuthzs),
   887  		Rechecked: len(recheckAuthzs),
   888  	}
   889  	ra.log.InfoObject("FinalizationCaaCheck", caaEvent)
   890  
   891  	return nil
   892  }
   893  
   894  // recheckCAA accepts a list of of names that need to have their CAA records
   895  // rechecked because their associated authorizations are sufficiently old and
   896  // performs the CAA checks required for each. If any of the rechecks fail an
   897  // error is returned.
   898  func (ra *RegistrationAuthorityImpl) recheckCAA(ctx context.Context, authzs []*core.Authorization) error {
   899  	ra.recheckCAACounter.Add(float64(len(authzs)))
   900  
   901  	type authzCAAResult struct {
   902  		authz *core.Authorization
   903  		err   error
   904  	}
   905  	ch := make(chan authzCAAResult, len(authzs))
   906  	for _, authz := range authzs {
   907  		go func(authz *core.Authorization) {
   908  			name := authz.Identifier.Value
   909  
   910  			// If an authorization has multiple valid challenges,
   911  			// the type of the first valid challenge is used for
   912  			// the purposes of CAA rechecking.
   913  			var method string
   914  			for _, challenge := range authz.Challenges {
   915  				if challenge.Status == core.StatusValid {
   916  					method = string(challenge.Type)
   917  					break
   918  				}
   919  			}
   920  			if method == "" {
   921  				ch <- authzCAAResult{
   922  					authz: authz,
   923  					err: berrors.InternalServerError(
   924  						"Internal error determining validation method for authorization ID %v (%v)",
   925  						authz.ID, name),
   926  				}
   927  				return
   928  			}
   929  
   930  			resp, err := ra.caa.IsCAAValid(ctx, &vapb.IsCAAValidRequest{
   931  				Domain:           name,
   932  				ValidationMethod: method,
   933  				AccountURIID:     authz.RegistrationID,
   934  			})
   935  			if err != nil {
   936  				ra.log.AuditErrf("Rechecking CAA: %s", err)
   937  				err = berrors.InternalServerError(
   938  					"Internal error rechecking CAA for authorization ID %v (%v)",
   939  					authz.ID, name,
   940  				)
   941  			} else if resp.Problem != nil {
   942  				err = berrors.CAAError(resp.Problem.Detail)
   943  			}
   944  			ch <- authzCAAResult{
   945  				authz: authz,
   946  				err:   err,
   947  			}
   948  		}(authz)
   949  	}
   950  	var subErrors []berrors.SubBoulderError
   951  	// Read a recheckResult for each authz from the results channel
   952  	for i := 0; i < len(authzs); i++ {
   953  		recheckResult := <-ch
   954  		// If the result had a CAA boulder error, construct a suberror with the
   955  		// identifier from the authorization that was checked.
   956  		err := recheckResult.err
   957  		if err != nil {
   958  			var bErr *berrors.BoulderError
   959  			if errors.As(err, &bErr) && bErr.Type == berrors.CAA {
   960  				subErrors = append(subErrors, berrors.SubBoulderError{
   961  					Identifier:   recheckResult.authz.Identifier,
   962  					BoulderError: bErr})
   963  			} else {
   964  				return err
   965  			}
   966  		}
   967  	}
   968  	if len(subErrors) > 0 {
   969  		var detail string
   970  		// If there was only one error, then use it as the top level error that is
   971  		// returned.
   972  		if len(subErrors) == 1 {
   973  			return subErrors[0].BoulderError
   974  		}
   975  		detail = fmt.Sprintf(
   976  			"Rechecking CAA for %q and %d more identifiers failed. "+
   977  				"Refer to sub-problems for more information",
   978  			subErrors[0].Identifier.Value,
   979  			len(subErrors)-1)
   980  		return (&berrors.BoulderError{
   981  			Type:   berrors.CAA,
   982  			Detail: detail,
   983  		}).WithSubErrors(subErrors)
   984  	}
   985  	return nil
   986  }
   987  
   988  // failOrder marks an order as failed by setting the problem details field of
   989  // the order & persisting it through the SA. If an error occurs doing this we
   990  // log it and don't modify the input order. There aren't any alternatives if we
   991  // can't add the error to the order. This function MUST only be called when we
   992  // are already returning an error for another reason.
   993  func (ra *RegistrationAuthorityImpl) failOrder(
   994  	ctx context.Context,
   995  	order *corepb.Order,
   996  	prob *probs.ProblemDetails) {
   997  	// Use a separate context with its own timeout, since the error we encountered
   998  	// may have been a context cancellation or timeout, and these operations still
   999  	// need to succeed.
  1000  	ctx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 1*time.Second)
  1001  	defer cancel()
  1002  
  1003  	// Convert the problem to a protobuf problem for the *corepb.Order field
  1004  	pbProb, err := bgrpc.ProblemDetailsToPB(prob)
  1005  	if err != nil {
  1006  		ra.log.AuditErrf("Could not convert order error problem to PB: %q", err)
  1007  		return
  1008  	}
  1009  
  1010  	// Assign the protobuf problem to the field and save it via the SA
  1011  	order.Error = pbProb
  1012  	_, err = ra.SA.SetOrderError(ctx, &sapb.SetOrderErrorRequest{
  1013  		Id:    order.Id,
  1014  		Error: order.Error,
  1015  	})
  1016  	if err != nil {
  1017  		ra.log.AuditErrf("Could not persist order error: %q", err)
  1018  	}
  1019  }
  1020  
  1021  // To help minimize the chance that an accountID would be used as an order ID
  1022  // (or vice versa) when calling functions that use both we define internal
  1023  // `accountID` and `orderID` types so that callers must explicitly cast.
  1024  type accountID int64
  1025  type orderID int64
  1026  
  1027  // FinalizeOrder accepts a request to finalize an order object and, if possible,
  1028  // issues a certificate to satisfy the order. If an order does not have valid,
  1029  // unexpired authorizations for all of its associated names an error is
  1030  // returned. Similarly we vet that all of the names in the order are acceptable
  1031  // based on current policy and return an error if the order can't be fulfilled.
  1032  // If successful the order will be returned in processing status for the client
  1033  // to poll while awaiting finalization to occur.
  1034  func (ra *RegistrationAuthorityImpl) FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error) {
  1035  	// Step 1: Set up logging/tracing and validate the Order
  1036  	if req == nil || req.Order == nil || len(req.Csr) == 0 {
  1037  		return nil, errIncompleteGRPCRequest
  1038  	}
  1039  
  1040  	logEvent := certificateRequestEvent{
  1041  		ID:          core.NewToken(),
  1042  		OrderID:     req.Order.Id,
  1043  		Requester:   req.Order.RegistrationID,
  1044  		RequestTime: ra.clk.Now(),
  1045  	}
  1046  	csr, err := ra.validateFinalizeRequest(ctx, req, &logEvent)
  1047  	if err != nil {
  1048  		return nil, err
  1049  	}
  1050  
  1051  	// Observe the age of this order, so we know how quickly most clients complete
  1052  	// issuance flows.
  1053  	ra.orderAges.WithLabelValues("FinalizeOrder").Observe(ra.clk.Since(time.Unix(0, req.Order.CreatedNS)).Seconds())
  1054  
  1055  	// Step 2: Set the Order to Processing status
  1056  	//
  1057  	// We do this separately from the issuance process itself so that, when we
  1058  	// switch to doing issuance asynchronously, we aren't lying to the client
  1059  	// when we say that their order is already Processing.
  1060  	//
  1061  	// NOTE(@cpu): After this point any errors that are encountered must update
  1062  	// the state of the order to invalid by setting the order's error field.
  1063  	// Otherwise the order will be "stuck" in processing state. It can not be
  1064  	// finalized because it isn't pending, but we aren't going to process it
  1065  	// further because we already did and encountered an error.
  1066  	_, err = ra.SA.SetOrderProcessing(ctx, &sapb.OrderRequest{Id: req.Order.Id})
  1067  	if err != nil {
  1068  		// Fail the order with a server internal error - we weren't able to set the
  1069  		// status to processing and that's unexpected & weird.
  1070  		ra.failOrder(ctx, req.Order, probs.ServerInternal("Error setting order processing"))
  1071  		return nil, err
  1072  	}
  1073  
  1074  	// Update the order status locally since the SA doesn't return the updated
  1075  	// order itself after setting the status
  1076  	order := req.Order
  1077  	order.Status = string(core.StatusProcessing)
  1078  
  1079  	// Steps 3 (issuance) and 4 (cleanup) are done inside a helper function so
  1080  	// that we can control whether or not that work happens asynchronously.
  1081  	if features.Enabled(features.AsyncFinalize) {
  1082  		// We do this work in a goroutine so that we can better handle latency from
  1083  		// getting SCTs and writing the (pre)certificate to the database. This lets
  1084  		// us return the order in the Processing state to the client immediately,
  1085  		// prompting them to poll the Order object and wait for it to be put into
  1086  		// its final state.
  1087  		//
  1088  		// We track this goroutine's lifetime in a waitgroup global to this RA, so
  1089  		// that it can wait for all goroutines to drain during shutdown.
  1090  		ra.finalizeWG.Add(1)
  1091  		go func() {
  1092  			_, err := ra.issueCertificateOuter(ctx, proto.Clone(order).(*corepb.Order), csr, logEvent)
  1093  			if err != nil {
  1094  				// We only log here, because this is in a background goroutine with
  1095  				// no parent goroutine waiting for it to receive the error.
  1096  				ra.log.AuditErrf("Asynchronous finalization failed: %s", err.Error())
  1097  			}
  1098  			ra.finalizeWG.Done()
  1099  		}()
  1100  		return order, nil
  1101  	} else {
  1102  		return ra.issueCertificateOuter(ctx, order, csr, logEvent)
  1103  	}
  1104  }
  1105  
  1106  // validateFinalizeRequest checks that a FinalizeOrder request is fully correct
  1107  // and ready for issuance.
  1108  func (ra *RegistrationAuthorityImpl) validateFinalizeRequest(
  1109  	ctx context.Context,
  1110  	req *rapb.FinalizeOrderRequest,
  1111  	logEvent *certificateRequestEvent) (*x509.CertificateRequest, error) {
  1112  	if req.Order.Id <= 0 {
  1113  		return nil, berrors.MalformedError("invalid order ID: %d", req.Order.Id)
  1114  	}
  1115  
  1116  	if req.Order.RegistrationID <= 0 {
  1117  		return nil, berrors.MalformedError("invalid account ID: %d", req.Order.RegistrationID)
  1118  	}
  1119  
  1120  	if core.AcmeStatus(req.Order.Status) != core.StatusReady {
  1121  		return nil, berrors.OrderNotReadyError(
  1122  			"Order's status (%q) is not acceptable for finalization",
  1123  			req.Order.Status)
  1124  	}
  1125  
  1126  	// There should never be an order with 0 names at the stage, but we check to
  1127  	// be on the safe side, throwing an internal server error if this assumption
  1128  	// is ever violated.
  1129  	if len(req.Order.Names) == 0 {
  1130  		return nil, berrors.InternalServerError("Order has no associated names")
  1131  	}
  1132  
  1133  	// Parse the CSR from the request
  1134  	csr, err := x509.ParseCertificateRequest(req.Csr)
  1135  	if err != nil {
  1136  		return nil, berrors.BadCSRError("unable to parse CSR: %s", err.Error())
  1137  	}
  1138  
  1139  	err = csrlib.VerifyCSR(ctx, csr, ra.maxNames, &ra.keyPolicy, ra.PA)
  1140  	if err != nil {
  1141  		// VerifyCSR returns berror instances that can be passed through as-is
  1142  		// without wrapping.
  1143  		return nil, err
  1144  	}
  1145  
  1146  	// Dedupe, lowercase and sort both the names from the CSR and the names in the
  1147  	// order.
  1148  	csrNames := csrlib.NamesFromCSR(csr).SANs
  1149  	orderNames := core.UniqueLowerNames(req.Order.Names)
  1150  
  1151  	// Immediately reject the request if the number of names differ
  1152  	if len(orderNames) != len(csrNames) {
  1153  		return nil, berrors.UnauthorizedError("Order includes different number of names than CSR specifies")
  1154  	}
  1155  
  1156  	// Check that the order names and the CSR names are an exact match
  1157  	for i, name := range orderNames {
  1158  		if name != csrNames[i] {
  1159  			return nil, berrors.UnauthorizedError("CSR is missing Order domain %q", name)
  1160  		}
  1161  	}
  1162  
  1163  	// Get the originating account for use in the next check.
  1164  	regPB, err := ra.SA.GetRegistration(ctx, &sapb.RegistrationID{Id: req.Order.RegistrationID})
  1165  	if err != nil {
  1166  		return nil, err
  1167  	}
  1168  
  1169  	account, err := bgrpc.PbToRegistration(regPB)
  1170  	if err != nil {
  1171  		return nil, err
  1172  	}
  1173  
  1174  	// Make sure they're not using their account key as the certificate key too.
  1175  	if core.KeyDigestEquals(csr.PublicKey, account.Key) {
  1176  		return nil, berrors.MalformedError("certificate public key must be different than account key")
  1177  	}
  1178  
  1179  	// Double-check that all authorizations on this order are also associated with
  1180  	// the same account as the order itself.
  1181  	authzs, err := ra.checkOrderAuthorizations(ctx, csrNames, accountID(req.Order.RegistrationID), orderID(req.Order.Id))
  1182  	if err != nil {
  1183  		// Pass through the error without wrapping it because the called functions
  1184  		// return BoulderError and we don't want to lose the type.
  1185  		return nil, err
  1186  	}
  1187  
  1188  	// Collect up a certificateRequestAuthz that stores the ID and challenge type
  1189  	// of each of the valid authorizations we used for this issuance.
  1190  	logEventAuthzs := make(map[string]certificateRequestAuthz, len(csrNames))
  1191  	for name, authz := range authzs {
  1192  		// No need to check for error here because we know this same call just
  1193  		// succeeded inside ra.checkOrderAuthorizations
  1194  		solvedByChallengeType, _ := authz.SolvedBy()
  1195  		logEventAuthzs[name] = certificateRequestAuthz{
  1196  			ID:            authz.ID,
  1197  			ChallengeType: solvedByChallengeType,
  1198  		}
  1199  		authzAge := (ra.authorizationLifetime - authz.Expires.Sub(ra.clk.Now())).Seconds()
  1200  		ra.authzAges.WithLabelValues("FinalizeOrder", string(authz.Status)).Observe(authzAge)
  1201  	}
  1202  	logEvent.Authorizations = logEventAuthzs
  1203  
  1204  	// Mark that we verified the CN and SANs
  1205  	logEvent.VerifiedFields = []string{"subject.commonName", "subjectAltName"}
  1206  
  1207  	return csr, nil
  1208  }
  1209  
  1210  // issueCertificateOuter exists solely to ensure that all calls to
  1211  // issueCertificateInner have their result handled uniformly, no matter what
  1212  // return path that inner function takes. It takes ownership of the logEvent,
  1213  // mutates it, and is responsible for outputting its final state.
  1214  func (ra *RegistrationAuthorityImpl) issueCertificateOuter(
  1215  	ctx context.Context,
  1216  	order *corepb.Order,
  1217  	csr *x509.CertificateRequest,
  1218  	logEvent certificateRequestEvent,
  1219  ) (*corepb.Order, error) {
  1220  	ra.inflightFinalizes.Inc()
  1221  	defer ra.inflightFinalizes.Dec()
  1222  
  1223  	// Step 3: Issue the Certificate
  1224  	cert, err := ra.issueCertificateInner(
  1225  		ctx, csr, accountID(order.RegistrationID), orderID(order.Id))
  1226  
  1227  	// Step 4: Fail the order if necessary, and update metrics and log fields
  1228  	var result string
  1229  	if err != nil {
  1230  		// The problem is computed using `web.ProblemDetailsForError`, the same
  1231  		// function the WFE uses to convert between `berrors` and problems. This
  1232  		// will turn normal expected berrors like berrors.UnauthorizedError into the
  1233  		// correct `urn:ietf:params:acme:error:unauthorized` problem while not
  1234  		// letting anything like a server internal error through with sensitive
  1235  		// info.
  1236  		ra.failOrder(ctx, order, web.ProblemDetailsForError(err, "Error finalizing order"))
  1237  		order.Status = string(core.StatusInvalid)
  1238  
  1239  		logEvent.Error = err.Error()
  1240  		result = "error"
  1241  	} else {
  1242  		order.CertificateSerial = core.SerialToString(cert.SerialNumber)
  1243  		order.Status = string(core.StatusValid)
  1244  
  1245  		ra.namesPerCert.With(
  1246  			prometheus.Labels{"type": "issued"},
  1247  		).Observe(float64(len(order.Names)))
  1248  
  1249  		ra.newCertCounter.Inc()
  1250  
  1251  		logEvent.SerialNumber = core.SerialToString(cert.SerialNumber)
  1252  		logEvent.CommonName = cert.Subject.CommonName
  1253  		logEvent.Names = cert.DNSNames
  1254  		logEvent.NotBefore = cert.NotBefore
  1255  		logEvent.NotAfter = cert.NotAfter
  1256  
  1257  		result = "successful"
  1258  	}
  1259  
  1260  	logEvent.ResponseTime = ra.clk.Now()
  1261  	ra.log.AuditObject(fmt.Sprintf("Certificate request - %s", result), logEvent)
  1262  
  1263  	return order, err
  1264  }
  1265  
  1266  // issueCertificateInner handles the heavy lifting aspects of certificate
  1267  // issuance.
  1268  //
  1269  // This function is responsible for ensuring that we never try to issue a final
  1270  // certificate twice for the same precertificate, because that has the potential
  1271  // to create certificates with duplicate serials. For instance, this could
  1272  // happen if final certificates were created with different sets of SCTs. This
  1273  // function accomplishes that by bailing on issuance if there is any error in
  1274  // IssueCertificateForPrecertificate; there are no retries, and serials are
  1275  // generated in IssuePrecertificate, so serials with errors are dropped and
  1276  // never have final certificates issued for them (because there is a possibility
  1277  // that the certificate was actually issued but there was an error returning
  1278  // it).
  1279  func (ra *RegistrationAuthorityImpl) issueCertificateInner(
  1280  	ctx context.Context,
  1281  	csr *x509.CertificateRequest,
  1282  	acctID accountID,
  1283  	oID orderID) (*x509.Certificate, error) {
  1284  	if features.Enabled(features.AsyncFinalize) {
  1285  		// If we're in async mode, use a context with a much longer timeout.
  1286  		var cancel func()
  1287  		ctx, cancel = context.WithTimeout(context.WithoutCancel(ctx), ra.finalizeTimeout)
  1288  		defer cancel()
  1289  	}
  1290  
  1291  	// wrapError adds a prefix to an error. If the error is a boulder error then
  1292  	// the problem detail is updated with the prefix. Otherwise a new error is
  1293  	// returned with the message prefixed using `fmt.Errorf`
  1294  	wrapError := func(e error, prefix string) error {
  1295  		if berr, ok := e.(*berrors.BoulderError); ok {
  1296  			berr.Detail = fmt.Sprintf("%s: %s", prefix, berr.Detail)
  1297  			return berr
  1298  		}
  1299  		return fmt.Errorf("%s: %s", prefix, e)
  1300  	}
  1301  
  1302  	issueReq := &capb.IssueCertificateRequest{
  1303  		Csr:            csr.Raw,
  1304  		RegistrationID: int64(acctID),
  1305  		OrderID:        int64(oID),
  1306  	}
  1307  	precert, err := ra.CA.IssuePrecertificate(ctx, issueReq)
  1308  	if err != nil {
  1309  		return nil, wrapError(err, "issuing precertificate")
  1310  	}
  1311  
  1312  	parsedPrecert, err := x509.ParseCertificate(precert.DER)
  1313  	if err != nil {
  1314  		return nil, wrapError(err, "parsing precertificate")
  1315  	}
  1316  
  1317  	scts, err := ra.getSCTs(ctx, precert.DER, parsedPrecert.NotAfter)
  1318  	if err != nil {
  1319  		return nil, wrapError(err, "getting SCTs")
  1320  	}
  1321  
  1322  	cert, err := ra.CA.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
  1323  		DER:            precert.DER,
  1324  		SCTs:           scts,
  1325  		RegistrationID: int64(acctID),
  1326  		OrderID:        int64(oID),
  1327  	})
  1328  	if err != nil {
  1329  		return nil, wrapError(err, "issuing certificate for precertificate")
  1330  	}
  1331  
  1332  	parsedCertificate, err := x509.ParseCertificate(cert.Der)
  1333  	if err != nil {
  1334  		return nil, wrapError(err, "parsing final certificate")
  1335  	}
  1336  
  1337  	// Asynchronously submit the final certificate to any configured logs
  1338  	go ra.ctpolicy.SubmitFinalCert(cert.Der, parsedCertificate.NotAfter)
  1339  
  1340  	// TODO(#6587): Make this error case Very Alarming
  1341  	err = ra.matchesCSR(parsedCertificate, csr)
  1342  	if err != nil {
  1343  		return nil, err
  1344  	}
  1345  
  1346  	_, err = ra.SA.FinalizeOrder(ctx, &sapb.FinalizeOrderRequest{
  1347  		Id:                int64(oID),
  1348  		CertificateSerial: core.SerialToString(parsedCertificate.SerialNumber),
  1349  	})
  1350  	if err != nil {
  1351  		return nil, wrapError(err, "persisting finalized order")
  1352  	}
  1353  
  1354  	return parsedCertificate, nil
  1355  }
  1356  
  1357  func (ra *RegistrationAuthorityImpl) getSCTs(ctx context.Context, cert []byte, expiration time.Time) (core.SCTDERs, error) {
  1358  	started := ra.clk.Now()
  1359  	scts, err := ra.ctpolicy.GetSCTs(ctx, cert, expiration)
  1360  	took := ra.clk.Since(started)
  1361  	// The final cert has already been issued so actually return it to the
  1362  	// user even if this fails since we aren't actually doing anything with
  1363  	// the SCTs yet.
  1364  	if err != nil {
  1365  		state := "failure"
  1366  		if err == context.DeadlineExceeded {
  1367  			state = "deadlineExceeded"
  1368  			// Convert the error to a missingSCTsError to communicate the timeout,
  1369  			// otherwise it will be a generic serverInternalError
  1370  			err = berrors.MissingSCTsError(err.Error())
  1371  		}
  1372  		ra.log.Warningf("ctpolicy.GetSCTs failed: %s", err)
  1373  		ra.ctpolicyResults.With(prometheus.Labels{"result": state}).Observe(took.Seconds())
  1374  		return nil, err
  1375  	}
  1376  	ra.ctpolicyResults.With(prometheus.Labels{"result": "success"}).Observe(took.Seconds())
  1377  	return scts, nil
  1378  }
  1379  
  1380  // domainsForRateLimiting transforms a list of FQDNs into a list of eTLD+1's
  1381  // for the purpose of rate limiting. It also de-duplicates the output
  1382  // domains. Exact public suffix matches are included.
  1383  func domainsForRateLimiting(names []string) []string {
  1384  	var domains []string
  1385  	for _, name := range names {
  1386  		domain, err := publicsuffix.Domain(name)
  1387  		if err != nil {
  1388  			// The only possible errors are:
  1389  			// (1) publicsuffix.Domain is giving garbage values
  1390  			// (2) the public suffix is the domain itself
  1391  			// We assume 2 and include the original name in the result.
  1392  			domains = append(domains, name)
  1393  		} else {
  1394  			domains = append(domains, domain)
  1395  		}
  1396  	}
  1397  	return core.UniqueLowerNames(domains)
  1398  }
  1399  
  1400  // enforceNameCounts uses the provided count RPC to find a count of certificates
  1401  // for each of the names. If the count for any of the names exceeds the limit
  1402  // for the given registration then the names out of policy are returned to be
  1403  // used for a rate limit error.
  1404  func (ra *RegistrationAuthorityImpl) enforceNameCounts(ctx context.Context, names []string, limit ratelimit.RateLimitPolicy, regID int64) ([]string, time.Time, error) {
  1405  	now := ra.clk.Now()
  1406  	req := &sapb.CountCertificatesByNamesRequest{
  1407  		Names: names,
  1408  		Range: &sapb.Range{
  1409  			EarliestNS: limit.WindowBegin(now).UnixNano(),
  1410  			Earliest:   timestamppb.New(limit.WindowBegin(now)),
  1411  			LatestNS:   now.UnixNano(),
  1412  			Latest:     timestamppb.New(now),
  1413  		},
  1414  	}
  1415  
  1416  	response, err := ra.SA.CountCertificatesByNames(ctx, req)
  1417  	if err != nil {
  1418  		return nil, time.Time{}, err
  1419  	}
  1420  
  1421  	if len(response.Counts) == 0 {
  1422  		return nil, time.Time{}, errIncompleteGRPCResponse
  1423  	}
  1424  
  1425  	var badNames []string
  1426  	// Find the names that have counts at or over the threshold. Range
  1427  	// over the names slice input to ensure the order of badNames will
  1428  	// return the badNames in the same order they were input.
  1429  	for _, name := range names {
  1430  		threshold, overrideKey := limit.GetThreshold(name, regID)
  1431  		if overrideKey != "" {
  1432  			utilization := float64(response.Counts[name]) / float64(threshold)
  1433  			ra.rlOverrideUsageGauge.WithLabelValues(ratelimit.CertificatesPerName, overrideKey).Set(utilization)
  1434  		}
  1435  		if response.Counts[name] >= threshold {
  1436  			badNames = append(badNames, name)
  1437  		}
  1438  	}
  1439  	return badNames, response.Earliest.AsTime(), nil
  1440  }
  1441  
  1442  func (ra *RegistrationAuthorityImpl) checkCertificatesPerNameLimit(ctx context.Context, names []string, limit ratelimit.RateLimitPolicy, regID int64) error {
  1443  	// check if there is already an existing certificate for
  1444  	// the exact name set we are issuing for. If so bypass the
  1445  	// the certificatesPerName limit.
  1446  	exists, err := ra.SA.FQDNSetExists(ctx, &sapb.FQDNSetExistsRequest{Domains: names})
  1447  	if err != nil {
  1448  		return fmt.Errorf("checking renewal exemption for %q: %s", names, err)
  1449  	}
  1450  	if exists.Exists {
  1451  		return nil
  1452  	}
  1453  
  1454  	tldNames := domainsForRateLimiting(names)
  1455  	namesOutOfLimit, earliest, err := ra.enforceNameCounts(ctx, tldNames, limit, regID)
  1456  	if err != nil {
  1457  		return fmt.Errorf("checking certificates per name limit for %q: %s",
  1458  			names, err)
  1459  	}
  1460  
  1461  	if len(namesOutOfLimit) > 0 {
  1462  		// Determine the amount of time until the earliest event would fall out
  1463  		// of the window.
  1464  		retryAfter := earliest.Add(limit.Window.Duration).Sub(ra.clk.Now())
  1465  		retryString := earliest.Add(limit.Window.Duration).Format(time.RFC3339)
  1466  
  1467  		ra.log.Infof("Rate limit exceeded, CertificatesForDomain, regID: %d, domains: %s", regID, strings.Join(namesOutOfLimit, ", "))
  1468  		if len(namesOutOfLimit) > 1 {
  1469  			var subErrors []berrors.SubBoulderError
  1470  			for _, name := range namesOutOfLimit {
  1471  				subErrors = append(subErrors, berrors.SubBoulderError{
  1472  					Identifier:   identifier.DNSIdentifier(name),
  1473  					BoulderError: berrors.RateLimitError(retryAfter, "too many certificates already issued. Retry after %s", retryString).(*berrors.BoulderError),
  1474  				})
  1475  			}
  1476  			return berrors.RateLimitError(retryAfter, "too many certificates already issued for multiple names (%q and %d others). Retry after %s", namesOutOfLimit[0], len(namesOutOfLimit), retryString).(*berrors.BoulderError).WithSubErrors(subErrors)
  1477  		}
  1478  		return berrors.RateLimitError(retryAfter, "too many certificates already issued for %q. Retry after %s", namesOutOfLimit[0], retryString)
  1479  	}
  1480  
  1481  	return nil
  1482  }
  1483  
  1484  func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx context.Context, names []string, limit ratelimit.RateLimitPolicy, regID int64) error {
  1485  	names = core.UniqueLowerNames(names)
  1486  	threshold, overrideKey := limit.GetThreshold(strings.Join(names, ","), regID)
  1487  	if threshold <= 0 {
  1488  		// No limit configured.
  1489  		return nil
  1490  	}
  1491  
  1492  	prevIssuances, err := ra.SA.FQDNSetTimestampsForWindow(ctx, &sapb.CountFQDNSetsRequest{
  1493  		Domains:  names,
  1494  		WindowNS: limit.Window.Duration.Nanoseconds(),
  1495  		Window:   durationpb.New(limit.Window.Duration),
  1496  	})
  1497  	if err != nil {
  1498  		return fmt.Errorf("checking duplicate certificate limit for %q: %s", names, err)
  1499  	}
  1500  
  1501  	if overrideKey != "" {
  1502  		utilization := float64(len(prevIssuances.TimestampsNS)) / float64(threshold)
  1503  		ra.rlOverrideUsageGauge.WithLabelValues(ratelimit.CertificatesPerFQDNSet, overrideKey).Set(utilization)
  1504  	}
  1505  
  1506  	if int64(len(prevIssuances.TimestampsNS)) < threshold {
  1507  		// Issuance in window is below the threshold, no need to limit.
  1508  		return nil
  1509  	} else {
  1510  		// Evaluate the rate limit using a leaky bucket algorithm. The bucket
  1511  		// has a capacity of threshold and is refilled at a rate of 1 token per
  1512  		// limit.Window/threshold from the time of each issuance timestamp.
  1513  		now := ra.clk.Now()
  1514  		nsPerToken := limit.Window.Nanoseconds() / threshold
  1515  		for i, timestamp := range prevIssuances.TimestampsNS {
  1516  			tokensGeneratedSince := now.Add(-time.Duration(int64(i+1) * nsPerToken))
  1517  			if time.Unix(0, timestamp).Before(tokensGeneratedSince) {
  1518  				// We know `i+1` tokens were generated since `tokenGeneratedSince`,
  1519  				// and only `i` certificates were issued, so there's room to allow
  1520  				// for an additional issuance.
  1521  				return nil
  1522  			}
  1523  		}
  1524  		retryTime := time.Unix(0, prevIssuances.TimestampsNS[0]).Add(time.Duration(nsPerToken))
  1525  		retryAfter := retryTime.Sub(now)
  1526  		return berrors.DuplicateCertificateError(
  1527  			retryAfter,
  1528  			"too many certificates (%d) already issued for this exact set of domains in the last %.0f hours: %s, retry after %s",
  1529  			threshold, limit.Window.Duration.Hours(), strings.Join(names, ","), retryTime.Format(time.RFC3339),
  1530  		)
  1531  	}
  1532  }
  1533  
  1534  func (ra *RegistrationAuthorityImpl) checkNewOrderLimits(ctx context.Context, names []string, regID int64) error {
  1535  	newOrdersPerAccountLimits := ra.rlPolicies.NewOrdersPerAccount()
  1536  	if newOrdersPerAccountLimits.Enabled() {
  1537  		started := ra.clk.Now()
  1538  		err := ra.checkNewOrdersPerAccountLimit(ctx, regID, newOrdersPerAccountLimits)
  1539  		elapsed := ra.clk.Since(started)
  1540  		if err != nil {
  1541  			if errors.Is(err, berrors.RateLimit) {
  1542  				ra.rlCheckLatency.WithLabelValues(ratelimit.NewOrdersPerAccount, ratelimits.Denied).Observe(elapsed.Seconds())
  1543  			}
  1544  			return err
  1545  		}
  1546  		ra.rlCheckLatency.WithLabelValues(ratelimit.NewOrdersPerAccount, ratelimits.Allowed).Observe(elapsed.Seconds())
  1547  	}
  1548  
  1549  	certNameLimits := ra.rlPolicies.CertificatesPerName()
  1550  	if certNameLimits.Enabled() {
  1551  		started := ra.clk.Now()
  1552  		err := ra.checkCertificatesPerNameLimit(ctx, names, certNameLimits, regID)
  1553  		elapsed := ra.clk.Since(started)
  1554  		if err != nil {
  1555  			if errors.Is(err, berrors.RateLimit) {
  1556  				ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerName, ratelimits.Denied).Observe(elapsed.Seconds())
  1557  			}
  1558  			return err
  1559  		}
  1560  		ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerName, ratelimits.Allowed).Observe(elapsed.Seconds())
  1561  	}
  1562  
  1563  	fqdnLimitsFast := ra.rlPolicies.CertificatesPerFQDNSetFast()
  1564  	if fqdnLimitsFast.Enabled() {
  1565  		started := ra.clk.Now()
  1566  		err := ra.checkCertificatesPerFQDNSetLimit(ctx, names, fqdnLimitsFast, regID)
  1567  		elapsed := ra.clk.Since(started)
  1568  		if err != nil {
  1569  			if errors.Is(err, berrors.RateLimit) {
  1570  				ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerFQDNSetFast, ratelimits.Denied).Observe(elapsed.Seconds())
  1571  			}
  1572  			return err
  1573  		}
  1574  		ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerFQDNSetFast, ratelimits.Allowed).Observe(elapsed.Seconds())
  1575  	}
  1576  
  1577  	fqdnLimits := ra.rlPolicies.CertificatesPerFQDNSet()
  1578  	if fqdnLimits.Enabled() {
  1579  		started := ra.clk.Now()
  1580  		err := ra.checkCertificatesPerFQDNSetLimit(ctx, names, fqdnLimits, regID)
  1581  		elapsed := ra.clk.Since(started)
  1582  		if err != nil {
  1583  			if errors.Is(err, berrors.RateLimit) {
  1584  				ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerFQDNSet, ratelimits.Denied).Observe(elapsed.Seconds())
  1585  			}
  1586  			return err
  1587  		}
  1588  		ra.rlCheckLatency.WithLabelValues(ratelimit.CertificatesPerFQDNSet, ratelimits.Allowed).Observe(elapsed.Seconds())
  1589  	}
  1590  
  1591  	invalidAuthzPerAccountLimits := ra.rlPolicies.InvalidAuthorizationsPerAccount()
  1592  	if invalidAuthzPerAccountLimits.Enabled() {
  1593  		started := ra.clk.Now()
  1594  		err := ra.checkInvalidAuthorizationLimits(ctx, regID, names, invalidAuthzPerAccountLimits)
  1595  		elapsed := ra.clk.Since(started)
  1596  		if err != nil {
  1597  			if errors.Is(err, berrors.RateLimit) {
  1598  				ra.rlCheckLatency.WithLabelValues(ratelimit.InvalidAuthorizationsPerAccount, ratelimits.Denied).Observe(elapsed.Seconds())
  1599  			}
  1600  			return err
  1601  		}
  1602  		ra.rlCheckLatency.WithLabelValues(ratelimit.InvalidAuthorizationsPerAccount, ratelimits.Allowed).Observe(elapsed.Seconds())
  1603  	}
  1604  
  1605  	return nil
  1606  }
  1607  
  1608  // UpdateRegistration updates an existing Registration with new values. Caller
  1609  // is responsible for making sure that update.Key is only different from base.Key
  1610  // if it is being called from the WFE key change endpoint.
  1611  // TODO(#5554): Split this into separate methods for updating Contacts vs Key.
  1612  func (ra *RegistrationAuthorityImpl) UpdateRegistration(ctx context.Context, req *rapb.UpdateRegistrationRequest) (*corepb.Registration, error) {
  1613  	// Error if the request is nil, there is no account key or IP address
  1614  	if req.Base == nil || len(req.Base.Key) == 0 || len(req.Base.InitialIP) == 0 || req.Base.Id == 0 {
  1615  		return nil, errIncompleteGRPCRequest
  1616  	}
  1617  
  1618  	err := validateContactsPresent(req.Base.Contact, req.Base.ContactsPresent)
  1619  	if err != nil {
  1620  		return nil, err
  1621  	}
  1622  	err = validateContactsPresent(req.Update.Contact, req.Update.ContactsPresent)
  1623  	if err != nil {
  1624  		return nil, err
  1625  	}
  1626  	err = ra.validateContacts(req.Update.Contact)
  1627  	if err != nil {
  1628  		return nil, err
  1629  	}
  1630  
  1631  	update, changed := mergeUpdate(req.Base, req.Update)
  1632  	if !changed {
  1633  		// If merging the update didn't actually change the base then our work is
  1634  		// done, we can return before calling ra.SA.UpdateRegistration since there's
  1635  		// nothing for the SA to do
  1636  		return req.Base, nil
  1637  	}
  1638  
  1639  	_, err = ra.SA.UpdateRegistration(ctx, update)
  1640  	if err != nil {
  1641  		// berrors.InternalServerError since the user-data was validated before being
  1642  		// passed to the SA.
  1643  		err = berrors.InternalServerError("Could not update registration: %s", err)
  1644  		return nil, err
  1645  	}
  1646  
  1647  	return update, nil
  1648  }
  1649  
  1650  func contactsEqual(a []string, b []string) bool {
  1651  	if len(a) != len(b) {
  1652  		return false
  1653  	}
  1654  
  1655  	// If there is an existing contact slice and it has the same length as the
  1656  	// new contact slice we need to look at each contact to determine if there
  1657  	// is a change being made. Use `sort.Strings` here to ensure a consistent
  1658  	// comparison
  1659  	sort.Strings(a)
  1660  	sort.Strings(b)
  1661  	for i := 0; i < len(b); i++ {
  1662  		// If the contact's string representation differs at any index they aren't
  1663  		// equal
  1664  		if a[i] != b[i] {
  1665  			return false
  1666  		}
  1667  	}
  1668  
  1669  	// They are equal!
  1670  	return true
  1671  }
  1672  
  1673  // MergeUpdate returns a new corepb.Registration with the majority of its fields
  1674  // copies from the base Registration, and a subset (Contact, Agreement, and Key)
  1675  // copied from the update Registration. It also returns a boolean indicating
  1676  // whether or not this operation resulted in a Registration which differs from
  1677  // the base.
  1678  func mergeUpdate(base *corepb.Registration, update *corepb.Registration) (*corepb.Registration, bool) {
  1679  	var changed bool
  1680  
  1681  	// Start by copying all of the fields.
  1682  	res := &corepb.Registration{
  1683  		Id:              base.Id,
  1684  		Key:             base.Key,
  1685  		Contact:         base.Contact,
  1686  		ContactsPresent: base.ContactsPresent,
  1687  		Agreement:       base.Agreement,
  1688  		InitialIP:       base.InitialIP,
  1689  		CreatedAtNS:     base.CreatedAtNS,
  1690  		CreatedAt:       base.CreatedAt,
  1691  		Status:          base.Status,
  1692  	}
  1693  
  1694  	// Note: we allow update.Contact to overwrite base.Contact even if the former
  1695  	// is empty in order to allow users to remove the contact associated with
  1696  	// a registration. If the update has ContactsPresent set to false, then we
  1697  	// know it is not attempting to update the contacts field.
  1698  	if update.ContactsPresent && !contactsEqual(base.Contact, update.Contact) {
  1699  		res.Contact = update.Contact
  1700  		res.ContactsPresent = update.ContactsPresent
  1701  		changed = true
  1702  	}
  1703  
  1704  	if len(update.Agreement) > 0 && update.Agreement != base.Agreement {
  1705  		res.Agreement = update.Agreement
  1706  		changed = true
  1707  	}
  1708  
  1709  	if len(update.Key) > 0 {
  1710  		if len(update.Key) != len(base.Key) {
  1711  			res.Key = update.Key
  1712  			changed = true
  1713  		} else {
  1714  			for i := 0; i < len(base.Key); i++ {
  1715  				if update.Key[i] != base.Key[i] {
  1716  					res.Key = update.Key
  1717  					changed = true
  1718  					break
  1719  				}
  1720  			}
  1721  		}
  1722  	}
  1723  
  1724  	return res, changed
  1725  }
  1726  
  1727  // recordValidation records an authorization validation event,
  1728  // it should only be used on v2 style authorizations.
  1729  func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authID string, authExpires *time.Time, challenge *core.Challenge) error {
  1730  	authzID, err := strconv.ParseInt(authID, 10, 64)
  1731  	if err != nil {
  1732  		return err
  1733  	}
  1734  	var expires time.Time
  1735  	if challenge.Status == core.StatusInvalid {
  1736  		expires = *authExpires
  1737  	} else {
  1738  		expires = ra.clk.Now().Add(ra.authorizationLifetime)
  1739  	}
  1740  	vr, err := bgrpc.ValidationResultToPB(challenge.ValidationRecord, challenge.Error)
  1741  	if err != nil {
  1742  		return err
  1743  	}
  1744  	var validatedInt int64 = 0
  1745  	validatedTS := timestamppb.New(time.Time{})
  1746  	if challenge.Validated != nil {
  1747  		validatedInt = challenge.Validated.UTC().UnixNano()
  1748  		validatedTS = timestamppb.New(*challenge.Validated)
  1749  	}
  1750  	_, err = ra.SA.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
  1751  		Id:                authzID,
  1752  		Status:            string(challenge.Status),
  1753  		ExpiresNS:         expires.UnixNano(),
  1754  		Expires:           timestamppb.New(expires),
  1755  		Attempted:         string(challenge.Type),
  1756  		AttemptedAtNS:     validatedInt,
  1757  		AttemptedAt:       validatedTS,
  1758  		ValidationRecords: vr.Records,
  1759  		ValidationError:   vr.Problems,
  1760  	})
  1761  	if err != nil {
  1762  		return err
  1763  	}
  1764  	return nil
  1765  }
  1766  
  1767  // PerformValidation initiates validation for a specific challenge associated
  1768  // with the given base authorization. The authorization and challenge are
  1769  // updated based on the results.
  1770  func (ra *RegistrationAuthorityImpl) PerformValidation(
  1771  	ctx context.Context,
  1772  	req *rapb.PerformValidationRequest) (*corepb.Authorization, error) {
  1773  
  1774  	// Clock for start of PerformValidation.
  1775  	vStart := ra.clk.Now()
  1776  
  1777  	if req.Authz == nil || req.Authz.Id == "" || req.Authz.Identifier == "" || req.Authz.Status == "" || req.Authz.ExpiresNS == 0 {
  1778  		return nil, errIncompleteGRPCRequest
  1779  	}
  1780  
  1781  	authz, err := bgrpc.PBToAuthz(req.Authz)
  1782  	if err != nil {
  1783  		return nil, err
  1784  	}
  1785  
  1786  	// Refuse to update expired authorizations
  1787  	if authz.Expires == nil || authz.Expires.Before(ra.clk.Now()) {
  1788  		return nil, berrors.MalformedError("expired authorization")
  1789  	}
  1790  
  1791  	challIndex := int(req.ChallengeIndex)
  1792  	if challIndex >= len(authz.Challenges) {
  1793  		return nil,
  1794  			berrors.MalformedError("invalid challenge index '%d'", challIndex)
  1795  	}
  1796  
  1797  	ch := &authz.Challenges[challIndex]
  1798  
  1799  	// This challenge type may have been disabled since the challenge was created.
  1800  	if !ra.PA.ChallengeTypeEnabled(ch.Type) {
  1801  		return nil, berrors.MalformedError("challenge type %q no longer allowed", ch.Type)
  1802  	}
  1803  
  1804  	// We expect some clients to try and update a challenge for an authorization
  1805  	// that is already valid. In this case we don't need to process the
  1806  	// challenge update. It wouldn't be helpful, the overall authorization is
  1807  	// already good! We return early for the valid authz reuse case.
  1808  	if authz.Status == core.StatusValid {
  1809  		return req.Authz, nil
  1810  	}
  1811  
  1812  	if authz.Status != core.StatusPending {
  1813  		return nil, berrors.MalformedError("authorization must be pending")
  1814  	}
  1815  
  1816  	// Look up the account key for this authorization
  1817  	regPB, err := ra.SA.GetRegistration(ctx, &sapb.RegistrationID{Id: authz.RegistrationID})
  1818  	if err != nil {
  1819  		return nil, berrors.InternalServerError(err.Error())
  1820  	}
  1821  	reg, err := bgrpc.PbToRegistration(regPB)
  1822  	if err != nil {
  1823  		return nil, berrors.InternalServerError(err.Error())
  1824  	}
  1825  
  1826  	// Compute the key authorization field based on the registration key
  1827  	expectedKeyAuthorization, err := ch.ExpectedKeyAuthorization(reg.Key)
  1828  	if err != nil {
  1829  		return nil, berrors.InternalServerError("could not compute expected key authorization value")
  1830  	}
  1831  
  1832  	// Populate the ProvidedKeyAuthorization such that the VA can confirm the
  1833  	// expected vs actual without needing the registration key. Historically this
  1834  	// was done with the value from the challenge response and so the field name
  1835  	// is called "ProvidedKeyAuthorization", in reality this is just
  1836  	// "KeyAuthorization".
  1837  	// TODO(@cpu): Rename ProvidedKeyAuthorization to KeyAuthorization
  1838  	ch.ProvidedKeyAuthorization = expectedKeyAuthorization
  1839  
  1840  	// Double check before sending to VA
  1841  	if cErr := ch.CheckConsistencyForValidation(); cErr != nil {
  1842  		return nil, berrors.MalformedError(cErr.Error())
  1843  	}
  1844  
  1845  	// Dispatch to the VA for service
  1846  	vaCtx := context.Background()
  1847  	go func(authz core.Authorization) {
  1848  		// We will mutate challenges later in this goroutine to change status and
  1849  		// add error, but we also return a copy of authz immediately. To avoid a
  1850  		// data race, make a copy of the challenges slice here for mutation.
  1851  		challenges := make([]core.Challenge, len(authz.Challenges))
  1852  		copy(challenges, authz.Challenges)
  1853  		authz.Challenges = challenges
  1854  		chall, _ := bgrpc.ChallengeToPB(authz.Challenges[challIndex])
  1855  
  1856  		req := vapb.PerformValidationRequest{
  1857  			Domain:    authz.Identifier.Value,
  1858  			Challenge: chall,
  1859  			Authz: &vapb.AuthzMeta{
  1860  				Id:    authz.ID,
  1861  				RegID: authz.RegistrationID,
  1862  			},
  1863  		}
  1864  		res, err := ra.VA.PerformValidation(vaCtx, &req)
  1865  
  1866  		challenge := &authz.Challenges[challIndex]
  1867  		var prob *probs.ProblemDetails
  1868  
  1869  		if err != nil {
  1870  			prob = probs.ServerInternal("Could not communicate with VA")
  1871  			ra.log.AuditErrf("Could not communicate with VA: %s", err)
  1872  		} else {
  1873  			if res.Problems != nil {
  1874  				prob, err = bgrpc.PBToProblemDetails(res.Problems)
  1875  				if err != nil {
  1876  					prob = probs.ServerInternal("Could not communicate with VA")
  1877  					ra.log.AuditErrf("Could not communicate with VA: %s", err)
  1878  				}
  1879  			}
  1880  
  1881  			// Save the updated records
  1882  			records := make([]core.ValidationRecord, len(res.Records))
  1883  			for i, r := range res.Records {
  1884  				records[i], err = bgrpc.PBToValidationRecord(r)
  1885  				if err != nil {
  1886  					prob = probs.ServerInternal("Records for validation corrupt")
  1887  				}
  1888  			}
  1889  			challenge.ValidationRecord = records
  1890  		}
  1891  
  1892  		if !challenge.RecordsSane() && prob == nil {
  1893  			prob = probs.ServerInternal("Records for validation failed sanity check")
  1894  		}
  1895  
  1896  		if prob != nil {
  1897  			challenge.Status = core.StatusInvalid
  1898  			challenge.Error = prob
  1899  		} else {
  1900  			challenge.Status = core.StatusValid
  1901  		}
  1902  		challenge.Validated = &vStart
  1903  		authz.Challenges[challIndex] = *challenge
  1904  
  1905  		err = ra.recordValidation(vaCtx, authz.ID, authz.Expires, challenge)
  1906  		if err != nil {
  1907  			ra.log.AuditErrf("Could not record updated validation: regID=[%d] authzID=[%s] err=[%s]",
  1908  				authz.RegistrationID, authz.ID, err)
  1909  		}
  1910  	}(authz)
  1911  	return bgrpc.AuthzToPB(authz)
  1912  }
  1913  
  1914  // revokeCertificate updates the database to mark the certificate as revoked,
  1915  // with the given reason and current timestamp.
  1916  // TODO(#5152) make the issuerID argument an issuance.IssuerNameID
  1917  func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, serial *big.Int, issuerID int64, reason revocation.Reason) error {
  1918  	serialString := core.SerialToString(serial)
  1919  	now := ra.clk.Now()
  1920  
  1921  	_, err := ra.SA.RevokeCertificate(ctx, &sapb.RevokeCertificateRequest{
  1922  		Serial:   serialString,
  1923  		Reason:   int64(reason),
  1924  		DateNS:   now.UnixNano(),
  1925  		Date:     timestamppb.New(now),
  1926  		IssuerID: issuerID,
  1927  	})
  1928  	if err != nil {
  1929  		return err
  1930  	}
  1931  
  1932  	ra.revocationReasonCounter.WithLabelValues(revocation.ReasonToString[reason]).Inc()
  1933  	return nil
  1934  }
  1935  
  1936  // updateRevocationForKeyCompromise updates the database to mark the certificate
  1937  // as revoked, with the given reason and current timestamp. This only works for
  1938  // certificates that were previously revoked for a reason other than
  1939  // keyCompromise, and which are now being updated to keyCompromise instead.
  1940  // TODO(#5152) make the issuerID argument an issuance.IssuerNameID
  1941  func (ra *RegistrationAuthorityImpl) updateRevocationForKeyCompromise(ctx context.Context, serial *big.Int, issuerID int64) error {
  1942  	serialString := core.SerialToString(serial)
  1943  	now := ra.clk.Now()
  1944  
  1945  	status, err := ra.SA.GetCertificateStatus(ctx, &sapb.Serial{Serial: serialString})
  1946  	if err != nil {
  1947  		return berrors.NotFoundError("unable to confirm that serial %q was ever issued: %s", serialString, err)
  1948  	}
  1949  
  1950  	if status.Status != string(core.OCSPStatusRevoked) {
  1951  		// Internal server error, because we shouldn't be in the function at all
  1952  		// unless the cert was already revoked.
  1953  		return fmt.Errorf("unable to re-revoke serial %q which is not currently revoked", serialString)
  1954  	}
  1955  	if status.RevokedReason == ocsp.KeyCompromise {
  1956  		return berrors.AlreadyRevokedError("unable to re-revoke serial %q which is already revoked for keyCompromise", serialString)
  1957  	}
  1958  
  1959  	_, err = ra.SA.UpdateRevokedCertificate(ctx, &sapb.RevokeCertificateRequest{
  1960  		Serial:     serialString,
  1961  		Reason:     int64(ocsp.KeyCompromise),
  1962  		DateNS:     now.UnixNano(),
  1963  		Date:       timestamppb.New(now),
  1964  		BackdateNS: status.RevokedDateNS,
  1965  		Backdate:   timestamppb.New(time.Unix(0, status.RevokedDateNS)),
  1966  		IssuerID:   issuerID,
  1967  	})
  1968  	if err != nil {
  1969  		return err
  1970  	}
  1971  
  1972  	ra.revocationReasonCounter.WithLabelValues(revocation.ReasonToString[ocsp.KeyCompromise]).Inc()
  1973  	return nil
  1974  }
  1975  
  1976  // purgeOCSPCache makes a request to akamai-purger to purge the cache entries
  1977  // for the given certificate.
  1978  // TODO(#5152) make the issuerID argument an issuance.IssuerNameID
  1979  func (ra *RegistrationAuthorityImpl) purgeOCSPCache(ctx context.Context, cert *x509.Certificate, issuerID int64) error {
  1980  	issuer, ok := ra.issuersByNameID[issuance.IssuerNameID(issuerID)]
  1981  	if !ok {
  1982  		// TODO(#5152): Remove this fallback (which only gets used when revoking by
  1983  		// serial, so the issuer ID had to be read from the db).
  1984  		issuer, ok = ra.issuersByID[issuance.IssuerID(issuerID)]
  1985  		if !ok {
  1986  			return fmt.Errorf("unable to identify issuer of cert with serial %q", core.SerialToString(cert.SerialNumber))
  1987  		}
  1988  	}
  1989  
  1990  	purgeURLs, err := akamai.GeneratePurgeURLs(cert, issuer.Certificate)
  1991  	if err != nil {
  1992  		return err
  1993  	}
  1994  
  1995  	_, err = ra.purger.Purge(ctx, &akamaipb.PurgeRequest{Urls: purgeURLs})
  1996  	if err != nil {
  1997  		return err
  1998  	}
  1999  
  2000  	return nil
  2001  }
  2002  
  2003  // RevokeCertByApplicant revokes the certificate in question. It allows any
  2004  // revocation reason from (0, 1, 3, 4, 5, 9), because Subscribers are allowed to
  2005  // request any revocation reason for their own certificates. However, if the
  2006  // requesting RegID is an account which has authorizations for all names in the
  2007  // cert but is *not* the original subscriber, it overrides the revocation reason
  2008  // to be 5 (cessationOfOperation), because that code is used to cover instances
  2009  // where "the certificate subscriber no longer owns the domain names in the
  2010  // certificate". It does not add the key to the blocked keys list, even if
  2011  // reason 1 (keyCompromise) is requested, as it does not demonstrate said
  2012  // compromise. It attempts to purge the certificate from the Akamai cache, but
  2013  // it does not hard-fail if doing so is not successful, because the cache will
  2014  // drop the old OCSP response in less than 24 hours anyway.
  2015  func (ra *RegistrationAuthorityImpl) RevokeCertByApplicant(ctx context.Context, req *rapb.RevokeCertByApplicantRequest) (*emptypb.Empty, error) {
  2016  	if req == nil || req.Cert == nil || req.RegID == 0 {
  2017  		return nil, errIncompleteGRPCRequest
  2018  	}
  2019  
  2020  	if _, present := revocation.UserAllowedReasons[revocation.Reason(req.Code)]; !present {
  2021  		return nil, berrors.BadRevocationReasonError(req.Code)
  2022  	}
  2023  
  2024  	cert, err := x509.ParseCertificate(req.Cert)
  2025  	if err != nil {
  2026  		return nil, err
  2027  	}
  2028  
  2029  	serialString := core.SerialToString(cert.SerialNumber)
  2030  
  2031  	logEvent := certificateRevocationEvent{
  2032  		ID:           core.NewToken(),
  2033  		SerialNumber: serialString,
  2034  		Reason:       req.Code,
  2035  		Method:       "applicant",
  2036  		RequesterID:  req.RegID,
  2037  	}
  2038  
  2039  	// Below this point, do not re-declare `err` (i.e. type `err :=`) in a
  2040  	// nested scope. Doing so will create a new `err` variable that is not
  2041  	// captured by this closure.
  2042  	defer func() {
  2043  		if err != nil {
  2044  			logEvent.Error = err.Error()
  2045  		}
  2046  		ra.log.AuditObject("Revocation request:", logEvent)
  2047  	}()
  2048  
  2049  	metadata, err := ra.SA.GetSerialMetadata(ctx, &sapb.Serial{Serial: serialString})
  2050  	if err != nil {
  2051  		return nil, err
  2052  	}
  2053  
  2054  	if req.RegID == metadata.RegistrationID {
  2055  		// The requester is the original subscriber. They can revoke for any reason.
  2056  		logEvent.Method = "subscriber"
  2057  	} else {
  2058  		// The requester is a different account. We need to confirm that they have
  2059  		// authorizations for all names in the cert.
  2060  		logEvent.Method = "control"
  2061  
  2062  		now := ra.clk.Now()
  2063  		var authzMapPB *sapb.Authorizations
  2064  		authzMapPB, err = ra.SA.GetValidAuthorizations2(ctx, &sapb.GetValidAuthorizationsRequest{
  2065  			RegistrationID: req.RegID,
  2066  			Domains:        cert.DNSNames,
  2067  			NowNS:          now.UnixNano(),
  2068  			Now:            timestamppb.New(now),
  2069  		})
  2070  		if err != nil {
  2071  			return nil, err
  2072  		}
  2073  
  2074  		m := make(map[string]struct{})
  2075  		for _, authz := range authzMapPB.Authz {
  2076  			m[authz.Domain] = struct{}{}
  2077  		}
  2078  		for _, name := range cert.DNSNames {
  2079  			if _, present := m[name]; !present {
  2080  				return nil, berrors.UnauthorizedError("requester does not control all names in cert with serial %q", serialString)
  2081  			}
  2082  		}
  2083  
  2084  		// Applicants who are not the original Subscriber are not allowed to
  2085  		// revoke for any reason other than cessationOfOperation, which covers
  2086  		// circumstances where "the certificate subscriber no longer owns the
  2087  		// domain names in the certificate". Override the reason code to match.
  2088  		req.Code = ocsp.CessationOfOperation
  2089  		logEvent.Reason = req.Code
  2090  	}
  2091  
  2092  	issuerID := issuance.GetIssuerNameID(cert)
  2093  	err = ra.revokeCertificate(
  2094  		ctx,
  2095  		cert.SerialNumber,
  2096  		int64(issuerID),
  2097  		revocation.Reason(req.Code),
  2098  	)
  2099  	if err != nil {
  2100  		return nil, err
  2101  	}
  2102  
  2103  	// Don't propagate purger errors to the client.
  2104  	_ = ra.purgeOCSPCache(ctx, cert, int64(issuerID))
  2105  
  2106  	return &emptypb.Empty{}, nil
  2107  }
  2108  
  2109  // addToBlockedKeys initiates a GRPC call to have the Base64-encoded SHA256
  2110  // digest of a provided public key added to the blockedKeys table.
  2111  func (ra *RegistrationAuthorityImpl) addToBlockedKeys(ctx context.Context, key crypto.PublicKey, src string, comment string) error {
  2112  	var digest core.Sha256Digest
  2113  	digest, err := core.KeyDigest(key)
  2114  	if err != nil {
  2115  		return err
  2116  	}
  2117  
  2118  	// Add the public key to the blocked keys list.
  2119  	now := ra.clk.Now()
  2120  	_, err = ra.SA.AddBlockedKey(ctx, &sapb.AddBlockedKeyRequest{
  2121  		KeyHash: digest[:],
  2122  		AddedNS: now.UnixNano(),
  2123  		Added:   timestamppb.New(now),
  2124  		Source:  src,
  2125  		Comment: comment,
  2126  	})
  2127  	if err != nil {
  2128  		return err
  2129  	}
  2130  
  2131  	return nil
  2132  }
  2133  
  2134  // RevokeCertByKey revokes the certificate in question. It always uses
  2135  // reason code 1 (keyCompromise). It ensures that they public key is added to
  2136  // the blocked keys list, even if revocation otherwise fails. It attempts to
  2137  // purge the certificate from the Akamai cache, but it does not hard-fail if
  2138  // doing so is not successful, because the cache will drop the old OCSP response
  2139  // in less than 24 hours anyway.
  2140  func (ra *RegistrationAuthorityImpl) RevokeCertByKey(ctx context.Context, req *rapb.RevokeCertByKeyRequest) (*emptypb.Empty, error) {
  2141  	if req == nil || req.Cert == nil {
  2142  		return nil, errIncompleteGRPCRequest
  2143  	}
  2144  
  2145  	cert, err := x509.ParseCertificate(req.Cert)
  2146  	if err != nil {
  2147  		return nil, err
  2148  	}
  2149  
  2150  	issuerID := issuance.GetIssuerNameID(cert)
  2151  
  2152  	logEvent := certificateRevocationEvent{
  2153  		ID:           core.NewToken(),
  2154  		SerialNumber: core.SerialToString(cert.SerialNumber),
  2155  		Reason:       ocsp.KeyCompromise,
  2156  		Method:       "key",
  2157  		RequesterID:  0,
  2158  	}
  2159  
  2160  	// Below this point, do not re-declare `err` (i.e. type `err :=`) in a
  2161  	// nested scope. Doing so will create a new `err` variable that is not
  2162  	// captured by this closure.
  2163  	defer func() {
  2164  		if err != nil {
  2165  			logEvent.Error = err.Error()
  2166  		}
  2167  		ra.log.AuditObject("Revocation request:", logEvent)
  2168  	}()
  2169  
  2170  	// We revoke the cert before adding it to the blocked keys list, to avoid a
  2171  	// race between this and the bad-key-revoker. But we don't check the error
  2172  	// from this operation until after we add the key to the blocked keys list,
  2173  	// since that addition needs to happen no matter what.
  2174  	revokeErr := ra.revokeCertificate(
  2175  		ctx,
  2176  		cert.SerialNumber,
  2177  		int64(issuerID),
  2178  		revocation.Reason(ocsp.KeyCompromise),
  2179  	)
  2180  
  2181  	// Failing to add the key to the blocked keys list is a worse failure than
  2182  	// failing to revoke in the first place, because it means that
  2183  	// bad-key-revoker won't revoke the cert anyway.
  2184  	err = ra.addToBlockedKeys(ctx, cert.PublicKey, "API", "")
  2185  	if err != nil {
  2186  		return nil, err
  2187  	}
  2188  
  2189  	// Check the error returned from revokeCertificate itself.
  2190  	err = revokeErr
  2191  	if err == nil {
  2192  		// If the revocation and blocked keys list addition were successful, then
  2193  		// just purge and return.
  2194  		// Don't propagate purger errors to the client.
  2195  		_ = ra.purgeOCSPCache(ctx, cert, int64(issuerID))
  2196  		return &emptypb.Empty{}, nil
  2197  	} else if errors.Is(err, berrors.AlreadyRevoked) {
  2198  		// If it was an AlreadyRevoked error, try to re-revoke the cert in case
  2199  		// it was revoked for a reason other than keyCompromise.
  2200  		err = ra.updateRevocationForKeyCompromise(ctx, cert.SerialNumber, int64(issuerID))
  2201  
  2202  		// Perform an Akamai cache purge to handle occurrences of a client
  2203  		// previously successfully revoking a certificate, but the cache purge had
  2204  		// unexpectedly failed. Allows clients to re-attempt revocation and purge the
  2205  		// Akamai cache.
  2206  		_ = ra.purgeOCSPCache(ctx, cert, int64(issuerID))
  2207  		if err != nil {
  2208  			return nil, err
  2209  		}
  2210  		return &emptypb.Empty{}, nil
  2211  	} else {
  2212  		// Error out if the error was anything other than AlreadyRevoked.
  2213  		return nil, err
  2214  	}
  2215  }
  2216  
  2217  // AdministrativelyRevokeCertificate terminates trust in the certificate
  2218  // provided and does not require the registration ID of the requester since this
  2219  // method is only called from the admin-revoker tool. It trusts that the admin
  2220  // is doing the right thing, so if the requested reason is keyCompromise, it
  2221  // blocks the key from future issuance even though compromise has not been
  2222  // demonstrated here. It purges the certificate from the Akamai cache, and
  2223  // returns an error if that purge fails, since this method may be called late
  2224  // in the BRs-mandated revocation timeframe.
  2225  func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, req *rapb.AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error) {
  2226  	if req == nil || req.AdminName == "" {
  2227  		return nil, errIncompleteGRPCRequest
  2228  	}
  2229  	if req.Serial == "" {
  2230  		return nil, errIncompleteGRPCRequest
  2231  	}
  2232  
  2233  	reasonCode := revocation.Reason(req.Code)
  2234  	if reasonCode == ocsp.KeyCompromise && req.Cert == nil && !req.SkipBlockKey {
  2235  		return nil, fmt.Errorf("cannot revoke and block for KeyCompromise by serial alone")
  2236  	}
  2237  	if req.SkipBlockKey && reasonCode != ocsp.KeyCompromise {
  2238  		return nil, fmt.Errorf("cannot skip key blocking for reasons other than KeyCompromise")
  2239  	}
  2240  
  2241  	if _, present := revocation.AdminAllowedReasons[reasonCode]; !present {
  2242  		return nil, fmt.Errorf("cannot revoke for reason %d", reasonCode)
  2243  	}
  2244  
  2245  	// If we weren't passed a cert in the request, find IssuerID from the db.
  2246  	// We could instead look up and parse the certificate itself, but we avoid
  2247  	// that in case we are administratively revoking the certificate because it is
  2248  	// so badly malformed that it can't be parsed.
  2249  	var cert *x509.Certificate
  2250  	var issuerID int64 // TODO(#5152) make this an issuance.IssuerNameID
  2251  	var err error
  2252  	if req.Cert == nil {
  2253  		status, err := ra.SA.GetCertificateStatus(ctx, &sapb.Serial{Serial: req.Serial})
  2254  		if err != nil {
  2255  			return nil, fmt.Errorf("unable to confirm that serial %q was ever issued: %w", req.Serial, err)
  2256  		}
  2257  		issuerID = status.IssuerID
  2258  	} else {
  2259  		cert, err = x509.ParseCertificate(req.Cert)
  2260  		if err != nil {
  2261  			return nil, err
  2262  		}
  2263  		issuerID = int64(issuance.GetIssuerNameID(cert))
  2264  	}
  2265  
  2266  	logEvent := certificateRevocationEvent{
  2267  		ID:           core.NewToken(),
  2268  		Method:       "key",
  2269  		AdminName:    req.AdminName,
  2270  		SerialNumber: req.Serial,
  2271  	}
  2272  
  2273  	// Below this point, do not re-declare `err` (i.e. type `err :=`) in a
  2274  	// nested scope. Doing so will create a new `err` variable that is not
  2275  	// captured by this closure.
  2276  	defer func() {
  2277  		if err != nil {
  2278  			logEvent.Error = err.Error()
  2279  		}
  2280  		ra.log.AuditObject("Revocation request:", logEvent)
  2281  	}()
  2282  
  2283  	var serialInt *big.Int
  2284  	serialInt, err = core.StringToSerial(req.Serial)
  2285  	if err != nil {
  2286  		return nil, err
  2287  	}
  2288  
  2289  	err = ra.revokeCertificate(ctx, serialInt, issuerID, revocation.Reason(req.Code))
  2290  	// Perform an Akamai cache purge to handle occurrences of a client
  2291  	// successfully revoking a certificate, but the initial cache purge failing.
  2292  	if errors.Is(err, berrors.AlreadyRevoked) {
  2293  		if cert != nil {
  2294  			err = ra.purgeOCSPCache(ctx, cert, issuerID)
  2295  			if err != nil {
  2296  				err = fmt.Errorf("OCSP cache purge for already revoked serial %v failed: %w", serialInt, err)
  2297  				return nil, err
  2298  			}
  2299  		}
  2300  	}
  2301  	if err != nil {
  2302  		if req.Code == ocsp.KeyCompromise && errors.Is(err, berrors.AlreadyRevoked) {
  2303  			err = ra.updateRevocationForKeyCompromise(ctx, serialInt, issuerID)
  2304  			if err != nil {
  2305  				return nil, err
  2306  			}
  2307  		}
  2308  		return nil, err
  2309  	}
  2310  
  2311  	if req.Code == ocsp.KeyCompromise && !req.SkipBlockKey {
  2312  		if cert == nil {
  2313  			return nil, errors.New("revoking for key compromise requires providing the certificate's DER")
  2314  		}
  2315  		err = ra.addToBlockedKeys(ctx, cert.PublicKey, "admin-revoker", fmt.Sprintf("revoked by %s", req.AdminName))
  2316  		if err != nil {
  2317  			return nil, err
  2318  		}
  2319  	}
  2320  
  2321  	if cert != nil {
  2322  		err = ra.purgeOCSPCache(ctx, cert, issuerID)
  2323  		if err != nil {
  2324  			err = fmt.Errorf("OCSP cache purge for serial %v failed: %w", serialInt, err)
  2325  			return nil, err
  2326  		}
  2327  	}
  2328  
  2329  	return &emptypb.Empty{}, nil
  2330  }
  2331  
  2332  // DeactivateRegistration deactivates a valid registration
  2333  func (ra *RegistrationAuthorityImpl) DeactivateRegistration(ctx context.Context, reg *corepb.Registration) (*emptypb.Empty, error) {
  2334  	if reg == nil || reg.Id == 0 {
  2335  		return nil, errIncompleteGRPCRequest
  2336  	}
  2337  	if reg.Status != string(core.StatusValid) {
  2338  		return nil, berrors.MalformedError("only valid registrations can be deactivated")
  2339  	}
  2340  	_, err := ra.SA.DeactivateRegistration(ctx, &sapb.RegistrationID{Id: reg.Id})
  2341  	if err != nil {
  2342  		return nil, berrors.InternalServerError(err.Error())
  2343  	}
  2344  	return &emptypb.Empty{}, nil
  2345  }
  2346  
  2347  // DeactivateAuthorization deactivates a currently valid authorization
  2348  func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context, req *corepb.Authorization) (*emptypb.Empty, error) {
  2349  	if req == nil || req.Id == "" || req.Status == "" {
  2350  		return nil, errIncompleteGRPCRequest
  2351  	}
  2352  	authzID, err := strconv.ParseInt(req.Id, 10, 64)
  2353  	if err != nil {
  2354  		return nil, err
  2355  	}
  2356  	if _, err := ra.SA.DeactivateAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID}); err != nil {
  2357  		return nil, err
  2358  	}
  2359  	return &emptypb.Empty{}, nil
  2360  }
  2361  
  2362  // checkOrderNames validates that the RA's policy authority allows issuing for
  2363  // each of the names in an order. If any of the names are unacceptable a
  2364  // malformed or rejectedIdentifier error with suberrors for each rejected
  2365  // identifier is returned.
  2366  func (ra *RegistrationAuthorityImpl) checkOrderNames(names []string) error {
  2367  	idents := make([]identifier.ACMEIdentifier, len(names))
  2368  	for i, name := range names {
  2369  		idents[i] = identifier.DNSIdentifier(name)
  2370  	}
  2371  	err := ra.PA.WillingToIssueWildcards(idents)
  2372  	if err != nil {
  2373  		return err
  2374  	}
  2375  	return nil
  2376  }
  2377  
  2378  // GenerateOCSP looks up a certificate's status, then requests a signed OCSP
  2379  // response for it from the CA. If the certificate status is not available
  2380  // or the certificate is expired, it returns berrors.NotFoundError.
  2381  func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb.GenerateOCSPRequest) (*capb.OCSPResponse, error) {
  2382  	status, err := ra.SA.GetCertificateStatus(ctx, &sapb.Serial{Serial: req.Serial})
  2383  	if err != nil {
  2384  		return nil, err
  2385  	}
  2386  
  2387  	// If we get an OCSP query for a certificate where the status is still
  2388  	// OCSPStatusNotReady, that means an error occurred, not here but at issuance
  2389  	// time. Specifically, we succeeded in storing the linting certificate (and
  2390  	// corresponding certificateStatus row), but failed before calling
  2391  	// SetCertificateStatusReady. We expect this to be rare, and we expect such
  2392  	// certificates not to get OCSP queries, so InternalServerError is appropriate.
  2393  	if status.Status == string(core.OCSPStatusNotReady) {
  2394  		return nil, errors.New("serial belongs to a certificate that errored during issuance")
  2395  	}
  2396  
  2397  	notAfter := time.Unix(0, status.NotAfterNS).UTC()
  2398  	if ra.clk.Now().After(notAfter) {
  2399  		return nil, berrors.NotFoundError("certificate is expired")
  2400  	}
  2401  
  2402  	return ra.OCSP.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
  2403  		Serial:      req.Serial,
  2404  		Status:      status.Status,
  2405  		Reason:      int32(status.RevokedReason),
  2406  		RevokedAtNS: status.RevokedDateNS,
  2407  		RevokedAt:   timestamppb.New(time.Unix(0, status.RevokedDateNS)),
  2408  		IssuerID:    status.IssuerID,
  2409  	})
  2410  }
  2411  
  2412  // NewOrder creates a new order object
  2413  func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error) {
  2414  	if req == nil || req.RegistrationID == 0 {
  2415  		return nil, errIncompleteGRPCRequest
  2416  	}
  2417  
  2418  	newOrder := &sapb.NewOrderRequest{
  2419  		RegistrationID: req.RegistrationID,
  2420  		Names:          core.UniqueLowerNames(req.Names),
  2421  	}
  2422  
  2423  	if len(newOrder.Names) > ra.maxNames {
  2424  		return nil, berrors.MalformedError(
  2425  			"Order cannot contain more than %d DNS names", ra.maxNames)
  2426  	}
  2427  
  2428  	// Validate that our policy allows issuing for each of the names in the order
  2429  	err := ra.checkOrderNames(newOrder.Names)
  2430  	if err != nil {
  2431  		return nil, err
  2432  	}
  2433  
  2434  	err = wildcardOverlap(newOrder.Names)
  2435  	if err != nil {
  2436  		return nil, err
  2437  	}
  2438  
  2439  	// See if there is an existing unexpired pending (or ready) order that can be reused
  2440  	// for this account
  2441  	existingOrder, err := ra.SA.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
  2442  		AcctID: newOrder.RegistrationID,
  2443  		Names:  newOrder.Names,
  2444  	})
  2445  	// If there was an error and it wasn't an acceptable "NotFound" error, return
  2446  	// immediately
  2447  	if err != nil && !errors.Is(err, berrors.NotFound) {
  2448  		return nil, err
  2449  	}
  2450  
  2451  	// If there was an order, make sure it has expected fields and return it
  2452  	// Error if an incomplete order is returned.
  2453  	if existingOrder != nil {
  2454  		// Check to see if the expected fields of the existing order are set.
  2455  		if existingOrder.Id == 0 || existingOrder.CreatedNS == 0 || existingOrder.Status == "" || existingOrder.RegistrationID == 0 || existingOrder.ExpiresNS == 0 || len(existingOrder.Names) == 0 {
  2456  			return nil, errIncompleteGRPCResponse
  2457  		}
  2458  		// Track how often we reuse an existing order and how old that order is.
  2459  		ra.orderAges.WithLabelValues("NewOrder").Observe(ra.clk.Since(time.Unix(0, existingOrder.CreatedNS)).Seconds())
  2460  		return existingOrder, nil
  2461  	}
  2462  
  2463  	// Check if there is rate limit space for issuing a certificate.
  2464  	err = ra.checkNewOrderLimits(ctx, newOrder.Names, newOrder.RegistrationID)
  2465  	if err != nil {
  2466  		return nil, err
  2467  	}
  2468  
  2469  	// An order's lifetime is effectively bound by the shortest remaining lifetime
  2470  	// of its associated authorizations. For that reason it would be Uncool if
  2471  	// `sa.GetAuthorizations` returned an authorization that was very close to
  2472  	// expiry. The resulting pending order that references it would itself end up
  2473  	// expiring very soon.
  2474  	// To prevent this we only return authorizations that are at least 1 day away
  2475  	// from expiring.
  2476  	authzExpiryCutoff := ra.clk.Now().AddDate(0, 0, 1)
  2477  
  2478  	getAuthReq := &sapb.GetAuthorizationsRequest{
  2479  		RegistrationID: newOrder.RegistrationID,
  2480  		NowNS:          authzExpiryCutoff.UnixNano(),
  2481  		Now:            timestamppb.New(authzExpiryCutoff),
  2482  		Domains:        newOrder.Names,
  2483  	}
  2484  	existingAuthz, err := ra.SA.GetAuthorizations2(ctx, getAuthReq)
  2485  	if err != nil {
  2486  		return nil, err
  2487  	}
  2488  
  2489  	// Collect up the authorizations we found into a map keyed by the domains the
  2490  	// authorizations correspond to
  2491  	nameToExistingAuthz := make(map[string]*corepb.Authorization, len(newOrder.Names))
  2492  	for _, v := range existingAuthz.Authz {
  2493  		nameToExistingAuthz[v.Domain] = v.Authz
  2494  	}
  2495  
  2496  	// For each of the names in the order, if there is an acceptable
  2497  	// existing authz, append it to the order to reuse it. Otherwise track
  2498  	// that there is a missing authz for that name.
  2499  	var missingAuthzNames []string
  2500  	for _, name := range newOrder.Names {
  2501  		// If there isn't an existing authz, note that its missing and continue
  2502  		if _, exists := nameToExistingAuthz[name]; !exists {
  2503  			missingAuthzNames = append(missingAuthzNames, name)
  2504  			continue
  2505  		}
  2506  		authz := nameToExistingAuthz[name]
  2507  		authzAge := (ra.authorizationLifetime - time.Unix(0, authz.ExpiresNS).Sub(ra.clk.Now())).Seconds()
  2508  		// If the identifier is a wildcard and the existing authz only has one
  2509  		// DNS-01 type challenge we can reuse it. In theory we will
  2510  		// never get back an authorization for a domain with a wildcard prefix
  2511  		// that doesn't meet this criteria from SA.GetAuthorizations but we verify
  2512  		// again to be safe.
  2513  		if strings.HasPrefix(name, "*.") &&
  2514  			len(authz.Challenges) == 1 && core.AcmeChallenge(authz.Challenges[0].Type) == core.ChallengeTypeDNS01 {
  2515  			authzID, err := strconv.ParseInt(authz.Id, 10, 64)
  2516  			if err != nil {
  2517  				return nil, err
  2518  			}
  2519  			newOrder.V2Authorizations = append(newOrder.V2Authorizations, authzID)
  2520  			ra.authzAges.WithLabelValues("NewOrder", authz.Status).Observe(authzAge)
  2521  			continue
  2522  		} else if !strings.HasPrefix(name, "*.") {
  2523  			// If the identifier isn't a wildcard, we can reuse any authz
  2524  			authzID, err := strconv.ParseInt(authz.Id, 10, 64)
  2525  			if err != nil {
  2526  				return nil, err
  2527  			}
  2528  			newOrder.V2Authorizations = append(newOrder.V2Authorizations, authzID)
  2529  			ra.authzAges.WithLabelValues("NewOrder", authz.Status).Observe(authzAge)
  2530  			continue
  2531  		}
  2532  
  2533  		// Delete the authz from the nameToExistingAuthz map since we are not reusing it.
  2534  		delete(nameToExistingAuthz, name)
  2535  		// If we reached this point then the existing authz was not acceptable for
  2536  		// reuse and we need to mark the name as requiring a new pending authz
  2537  		missingAuthzNames = append(missingAuthzNames, name)
  2538  	}
  2539  
  2540  	// If the order isn't fully authorized we need to check that the client has
  2541  	// rate limit room for more pending authorizations
  2542  	if len(missingAuthzNames) > 0 {
  2543  		pendingAuthzLimits := ra.rlPolicies.PendingAuthorizationsPerAccount()
  2544  		if pendingAuthzLimits.Enabled() {
  2545  			started := ra.clk.Now()
  2546  			err := ra.checkPendingAuthorizationLimit(ctx, newOrder.RegistrationID, pendingAuthzLimits)
  2547  			elapsed := ra.clk.Since(started)
  2548  			if err != nil {
  2549  				if errors.Is(err, berrors.RateLimit) {
  2550  					ra.rlCheckLatency.WithLabelValues(ratelimit.PendingAuthorizationsPerAccount, ratelimits.Denied).Observe(elapsed.Seconds())
  2551  				}
  2552  				return nil, err
  2553  			}
  2554  			ra.rlCheckLatency.WithLabelValues(ratelimit.PendingAuthorizationsPerAccount, ratelimits.Allowed).Observe(elapsed.Seconds())
  2555  		}
  2556  	}
  2557  
  2558  	// Loop through each of the names missing authzs and create a new pending
  2559  	// authorization for each.
  2560  	var newAuthzs []*corepb.Authorization
  2561  	for _, name := range missingAuthzNames {
  2562  		pb, err := ra.createPendingAuthz(newOrder.RegistrationID, identifier.ACMEIdentifier{
  2563  			Type:  identifier.DNS,
  2564  			Value: name,
  2565  		})
  2566  		if err != nil {
  2567  			return nil, err
  2568  		}
  2569  		newAuthzs = append(newAuthzs, pb)
  2570  		ra.authzAges.WithLabelValues("NewOrder", pb.Status).Observe(0)
  2571  	}
  2572  
  2573  	// Start with the order's own expiry as the minExpiry. We only care
  2574  	// about authz expiries that are sooner than the order's expiry
  2575  	minExpiry := ra.clk.Now().Add(ra.orderLifetime)
  2576  
  2577  	// Check the reused authorizations to see if any have an expiry before the
  2578  	// minExpiry (the order's lifetime)
  2579  	for _, authz := range nameToExistingAuthz {
  2580  		// An authz without an expiry is an unexpected internal server event
  2581  		if authz.ExpiresNS == 0 {
  2582  			return nil, berrors.InternalServerError(
  2583  				"SA.GetAuthorizations returned an authz (%s) with zero expiry",
  2584  				authz.Id)
  2585  		}
  2586  		// If the reused authorization expires before the minExpiry, it's expiry
  2587  		// is the new minExpiry.
  2588  		authzExpiry := time.Unix(0, authz.ExpiresNS)
  2589  		if authzExpiry.Before(minExpiry) {
  2590  			minExpiry = authzExpiry
  2591  		}
  2592  	}
  2593  	// If the newly created pending authz's have an expiry closer than the
  2594  	// minExpiry the minExpiry is the pending authz expiry.
  2595  	if len(newAuthzs) > 0 {
  2596  		newPendingAuthzExpires := ra.clk.Now().Add(ra.pendingAuthorizationLifetime)
  2597  		if newPendingAuthzExpires.Before(minExpiry) {
  2598  			minExpiry = newPendingAuthzExpires
  2599  		}
  2600  	}
  2601  	// Set the order's expiry to the minimum expiry. The db doesn't store
  2602  	// sub-second values, so truncate here.
  2603  	newOrder.ExpiresNS = minExpiry.Truncate(time.Second).UnixNano()
  2604  	newOrder.Expires = timestamppb.New(minExpiry.Truncate(time.Second))
  2605  
  2606  	newOrderAndAuthzsReq := &sapb.NewOrderAndAuthzsRequest{
  2607  		NewOrder:  newOrder,
  2608  		NewAuthzs: newAuthzs,
  2609  	}
  2610  	storedOrder, err := ra.SA.NewOrderAndAuthzs(ctx, newOrderAndAuthzsReq)
  2611  	if err != nil {
  2612  		return nil, err
  2613  	}
  2614  	if storedOrder.Id == 0 || storedOrder.CreatedNS == 0 || storedOrder.Status == "" || storedOrder.RegistrationID == 0 || storedOrder.ExpiresNS == 0 || len(storedOrder.Names) == 0 {
  2615  		return nil, errIncompleteGRPCResponse
  2616  	}
  2617  	ra.orderAges.WithLabelValues("NewOrder").Observe(0)
  2618  
  2619  	// Note how many names are being requested in this certificate order.
  2620  	ra.namesPerCert.With(prometheus.Labels{"type": "requested"}).Observe(float64(len(storedOrder.Names)))
  2621  
  2622  	return storedOrder, nil
  2623  }
  2624  
  2625  // createPendingAuthz checks that a name is allowed for issuance and creates the
  2626  // necessary challenges for it and puts this and all of the relevant information
  2627  // into a corepb.Authorization for transmission to the SA to be stored
  2628  func (ra *RegistrationAuthorityImpl) createPendingAuthz(reg int64, identifier identifier.ACMEIdentifier) (*corepb.Authorization, error) {
  2629  	expires := ra.clk.Now().Add(ra.pendingAuthorizationLifetime).Truncate(time.Second)
  2630  	authz := &corepb.Authorization{
  2631  		Identifier:     identifier.Value,
  2632  		RegistrationID: reg,
  2633  		Status:         string(core.StatusPending),
  2634  		ExpiresNS:      expires.UnixNano(),
  2635  		Expires:        timestamppb.New(expires),
  2636  	}
  2637  
  2638  	// Create challenges. The WFE will update them with URIs before sending them out.
  2639  	challenges, err := ra.PA.ChallengesFor(identifier)
  2640  	if err != nil {
  2641  		// The only time ChallengesFor errors it is a fatal configuration error
  2642  		// where challenges required by policy for an identifier are not enabled. We
  2643  		// want to treat this as an internal server error.
  2644  		return nil, berrors.InternalServerError(err.Error())
  2645  	}
  2646  	// Check each challenge for sanity.
  2647  	for _, challenge := range challenges {
  2648  		err := challenge.CheckConsistencyForClientOffer()
  2649  		if err != nil {
  2650  			// berrors.InternalServerError because we generated these challenges, they should
  2651  			// be OK.
  2652  			err = berrors.InternalServerError("challenge didn't pass sanity check: %+v", challenge)
  2653  			return nil, err
  2654  		}
  2655  		challPB, err := bgrpc.ChallengeToPB(challenge)
  2656  		if err != nil {
  2657  			return nil, err
  2658  		}
  2659  		authz.Challenges = append(authz.Challenges, challPB)
  2660  	}
  2661  	return authz, nil
  2662  }
  2663  
  2664  // wildcardOverlap takes a slice of domain names and returns an error if any of
  2665  // them is a non-wildcard FQDN that overlaps with a wildcard domain in the map.
  2666  func wildcardOverlap(dnsNames []string) error {
  2667  	nameMap := make(map[string]bool, len(dnsNames))
  2668  	for _, v := range dnsNames {
  2669  		nameMap[v] = true
  2670  	}
  2671  	for name := range nameMap {
  2672  		if name[0] == '*' {
  2673  			continue
  2674  		}
  2675  		labels := strings.Split(name, ".")
  2676  		labels[0] = "*"
  2677  		if nameMap[strings.Join(labels, ".")] {
  2678  			return berrors.MalformedError(
  2679  				"Domain name %q is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.", name)
  2680  		}
  2681  	}
  2682  	return nil
  2683  }
  2684  
  2685  // validateContactsPresent will return an error if the contacts []string
  2686  // len is greater than zero and the contactsPresent bool is false. We
  2687  // don't care about any other cases. If the length of the contacts is zero
  2688  // and contactsPresent is true, it seems like a mismatch but we have to
  2689  // assume that the client is requesting to update the contacts field with
  2690  // by removing the existing contacts value so we don't want to return an
  2691  // error here.
  2692  func validateContactsPresent(contacts []string, contactsPresent bool) error {
  2693  	if len(contacts) > 0 && !contactsPresent {
  2694  		return berrors.InternalServerError("account contacts present but contactsPresent false")
  2695  	}
  2696  	return nil
  2697  }
  2698  
  2699  func (ra *RegistrationAuthorityImpl) DrainFinalize() {
  2700  	ra.finalizeWG.Wait()
  2701  }
  2702
View as plain text