From e12d6674a2fe980ec43b703c848904bfbd32a178 Mon Sep 17 00:00:00 2001
From: grindsa
Date: Fri, 20 Dec 2024 16:17:48 +0100
Subject: [PATCH] [fix] allowed_domainlist check in est handler
---
 .github/workflows/ca_handler_tests_cmp.yml | 71 ++++++++++++++++++++++
 .github/workflows/ca_handler_tests_est.yml | 13 ++++
 examples/ca_handler/est_ca_handler.py | 14 ++--
 3 files changed, 91 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ca_handler_tests_cmp.yml b/.github/workflows/ca_handler_tests_cmp.yml
index 39381416..bedb6017 100644
--- a/.github/workflows/ca_handler_tests_cmp.yml
+++ b/.github/workflows/ca_handler_tests_cmp.yml
@@ -78,6 +78,7 @@ jobs:
 sudo echo "cmp_key: volume/ra_key.pem" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
 cd examples/Docker/
 docker-compose restart
 env:
@@ -105,6 +106,23 @@ jobs:
 openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
 sudo rm -rf acme-sh/*
+ - name: "Allowed domainlist feature - Enroll lego (fail)"
+ continue-on-error: true
+ id: legofail01
+ run: |
+ docker run -i --rm -v $PWD/lego:/.lego/ --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego --tls run
+ - name: "Allowed domainlist feature - check result "
+ if: ${{ steps.legofail01.outcome != 'failure' }}
+ run: |
+ echo "legofail outcome is ${{steps.legofail01.outcome }}"
+ exit 1
+ - name: "Verify allowed_domainlist error"
+ run: |
+ cd examples/Docker
+ docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
+
 - name: "Setup a2c with cmp_ca_handler with PSK refnum authentication"
 run: |
 sudo touch examples/Docker/data/ca_bundle.pem
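Review bot: The `check result` step added after `sudo rm -rf acme-sh/*` only asserts that the lego step did not succeed, so any unrelated failure of that step (image pull, network, the TLS-ALPN challenge itself) also yields outcome `failure` and lets `steps.legofail01.outcome != 'failure'` pass; only the following `docker-compose logs | grep "allowed_domainlist"` step ties the failure to the allow-list, and that dependency deserves a comment on the check step, e.g. `# the log grep below is the authoritative assertion; this step only guards against a silently successful enrollment`. With `allowed_domainlist: ["bar.local", "*.acme"]` the existing `-d acme-sh.acme` enrollment covers the wildcard entry and `-d lego` covers a name with no matching entry, but nothing exercises the exact-match entry `bar.local` or a near miss (a bare `acme`, a deeper label under `.acme`), so the matching semantics the allow-list is meant to enforce are not pinned by this workflow. The same three steps are repeated in the hunks at +177, +320 and +454.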
@@ -127,6 +145,7 @@ jobs:
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_ref: $CMP_REF" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_secret: $CMP_SECRET" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
 cd examples/Docker/
 docker-compose restart
 env:
@@ -158,6 +177,24 @@ jobs:
 docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
 awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
 openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+
+ - name: "Allowed domainlist feature - Enroll lego (fail)"
+ continue-on-error: true
+ id: legofail02
+ run: |
+ docker run -i --rm -v $PWD/lego:/.lego/ --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego --tls run
+ - name: "Allowed domainlist feature - check result "
+ if: ${{ steps.legofail02.outcome != 'failure' }}
+ run: |
+ echo "legofail outcome is ${{steps.legofail02.outcome }}"
+ exit 1
+ - name: "Verify allowed_domainlist error"
+ run: |
+ cd examples/Docker
+ docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
+
 - name: "Check container configuration"
 uses: ./.github/actions/container_check
 with:
@@ -254,6 +291,7 @@ jobs:
 sudo echo "cmp_key: /opt/acme2certifier/volume/acme_ca/ra_key.pem" >> data/acme_srv.cfg
 sudo echo "cmp_trusted: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
 env:
 RUNNER_IP: ${{ env.RUNNER_IP }}
 CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
@@ -282,6 +320,22 @@ jobs:
 awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
 openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ - name: "Allowed domainlist feature - Enroll lego (fail)"
+ continue-on-error: true
+ id: legofail01
+ run: |
+ docker run -i --rm -v $PWD/lego:/.lego/ --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego --tls run
+ - name: "Allowed domainlist feature - check result "
+ if: ${{ steps.legofail01.outcome != 'failure' }}
+ run: |
+ echo "legofail outcome is ${{steps.legofail01.outcome }}"
+ exit 1
+ - name: "Verify allowed_domainlist error"
+ run: |
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
+
 - name: "[ * ] collecting test logs"
 if: ${{ failure() }}
 run: |
@@ -370,6 +424,7 @@ jobs:
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg
 sudo echo "cmp_ref: $CMP_REF" >> data/acme_srv.cfg
 sudo echo "cmp_secret: $CMP_SECRET" >> data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
 env:
 RUNNER_IP: ${{ env.RUNNER_IP }}
 CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
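Review bot: The step added at +320 declares `id: legofail01`, and the block added at +454 in the following hunk declares `id: legofail01` a second time; the first job in this file uses `legofail01` at +106 and `legofail02` at +177 for the same pair of steps, which suggests these two also sit in one job, and GitHub Actions rejects a step identifier reused within a job (even if it did not, the `if: ${{ steps.legofail01.outcome != 'failure' }}` at +454 would be ambiguous). I would change the second block to `id: legofail02` and `if: ${{ steps.legofail02.outcome != 'failure' }}` with the matching `echo`. Whether +320 and +454 belong to the same job is not visible from the `jobs:` hunk context, so this is inferred. Separately, the `docker exec acme-srv grep -i ... /var/log/messages` verification in these hunks drops the `grep "allowed_domainlist"` narrowing used by the docker-compose variants, so it accepts the message from any code path that emits it.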
@@ -399,6 +454,22 @@ jobs:
 awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
 openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ - name: "Allowed domainlist feature - Enroll lego (fail)"
+ continue-on-error: true
+ id: legofail01
+ run: |
+ docker run -i --rm -v $PWD/lego:/.lego/ --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego --tls run
+ - name: "Allowed domainlist feature - check result "
+ if: ${{ steps.legofail01.outcome != 'failure' }}
+ run: |
+ echo "legofail outcome is ${{steps.legofail01.outcome }}"
+ exit 1
+ - name: "Verify allowed_domainlist error"
+ run: |
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
+
 - name: "[ * ] collecting test logs"
 if: ${{ failure() }}
 run: |
diff --git a/.github/workflows/ca_handler_tests_est.yml b/.github/workflows/ca_handler_tests_est.yml
index efdbf079..4780f7ca 100644
--- a/.github/workflows/ca_handler_tests_est.yml
+++ b/.github/workflows/ca_handler_tests_est.yml
@@ -41,6 +41,7 @@ jobs:
 sudo echo "est_password: estpwd" >> examples/Docker/data/acme_srv.cfg
 sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
 sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
 sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
 cd examples/Docker/
 docker-compose restart
@@ -51,6 +52,12 @@ jobs:
 REVOCATION: "false"
 VERIFY_CERT: "false"
 USE_CERTBOT: "false"
+ TEST_ADL: "true"
+
+ - name: "Verify allowed_domainlist error"
+ run: |
+ cd examples/Docker
+ docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
 - name: "Check container configuration"
 uses: ./.github/actions/container_check
@@ -104,6 +111,7 @@ jobs:
 sudo echo "est_password: estpwd" >> data/acme_srv.cfg
 sudo echo "ca_bundle: False" >> data/acme_srv.cfg
 sudo echo "request_timeout: 30" >> data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
 sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
 - name: "Execute install scipt"
@@ -116,6 +124,11 @@ jobs:
 REVOCATION: "false"
 VERIFY_CERT: "false"
 USE_CERTBOT: "false"
+ TEST_ADL: "true"
+
+ - name: "Verify allowed_domainlist error"
+ run: |
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
 - name: "[ * ] collecting test logs"
 if: ${{ failure() }}
diff --git a/examples/ca_handler/est_ca_handler.py b/examples/ca_handler/est_ca_handler.py
index cd45eedf..0b570b33 100644
--- a/examples/ca_handler/est_ca_handler.py
+++ b/examples/ca_handler/est_ca_handler.py
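Review bot: The `Verify allowed_domainlist error` step added at +52 (and again at +124) greps for a rejection that is expected to be produced by the enrollment the new `TEST_ADL: "true"` key switches on, but the step that performs that enrollment lives in the action those keys are passed to, which is outside this diff; if that action does not yet honour `TEST_ADL`, the grep fails with no hint of why. A short comment on the verify step would make the dependency explicit, e.g. `# expects the TEST_ADL enrollment in the previous step to have been refused by allowed_domainlist`. The `/var/log/messages` variant at +124 also lacks the `grep "allowed_domainlist"` narrowing used at +52, so it matches the message regardless of which code path emitted it; aligning the two greps keeps the assertion equally strict in both jobs.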
@@ -293,15 +293,15 @@ def enroll(self, csr: str) -> Tuple[str, str, str, bool]:
 error = None
 cert_raw = None
- # recode csr
- csr = textwrap.fill(b64_url_recode(self.logger, csr), 64) + '\n'
-
- if self.est_host:
- (error, ca_pem) = self._cacerts_get()
+ # check for allowed domainlist
+ error = allowed_domainlist_check_error(self.logger, csr, self.allowed_domainlist)
 if not error:
- # check for allowed domainlist
- error = allowed_domainlist_check_error(self.logger, csr, self.allowed_domainlist)
+ # recode csr
+ csr = textwrap.fill(b64_url_recode(self.logger, csr), 64) + '\n'
+
+ if self.est_host:
+ (error, ca_pem) = self._cacerts_get()
 if not error:
 if ca_pem:
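Review bot: The moved `allowed_domainlist_check_error(self.logger, csr, self.allowed_domainlist)` now runs on the CSR as the client submitted it rather than on the 64-column re-wrapped output of `textwrap.fill(b64_url_recode(...))`, and it runs before `_cacerts_get()`, so a CSR with a disallowed name no longer causes a request to the EST server; neither reason is recorded in the hunk, and the comment that travelled with the call still just says `# check for allowed domainlist`. I would extend it to `# check the allowed domainlist on the CSR as submitted, before recoding and before any EST round trip` (stating that the recoded form is what broke the check, if that is the cause the subject line refers to). The commit adds only workflow-level coverage; a unit test in the handler's test suite that calls `enroll` with a CSR whose CN/SAN is outside `allowed_domainlist` and asserts the returned error plus that `_cacerts_get` is never invoked would pin this ordering against regression. `enroll` continues past `if ca_pem:` outside the hunk, so the value `ca_pem` holds when `self.est_host` is unset is not visible here.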